25 lines
908 B
YAML
25 lines
908 B
YAML
id: osx-leverage-malware
|
|
|
|
info:
|
|
name: OSX Leverage Malware - Detect
|
|
author: daffainfo
|
|
severity: info
|
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_OSX_Leverage.yar
|
|
tags: malware,file
|
|
|
|
file:
|
|
- extensions:
|
|
- all
|
|
|
|
matchers:
|
|
- type: word
|
|
part: raw
|
|
words:
|
|
- "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
|
|
- "+:Users:Shared:UserEvent.app:Contents:MacOS:"
|
|
- "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
|
|
- "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
|
|
- "osascript -e 'tell application \"System Events\" to get the name of every login item'"
|
|
- "osascript -e 'tell application \"System Events\" to get the path of every login item'"
|
|
- "serverVisible \x00"
|
|
condition: and |