26 lines
1.0 KiB
YAML
26 lines
1.0 KiB
YAML
id: osx-leverage-malware
|
|
|
|
info:
|
|
name: OSX Leverage Malware - Detect
|
|
author: daffainfo
|
|
severity: info
|
|
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_OSX_Leverage.yar
|
|
tags: malware,file
|
|
file:
|
|
- extensions:
|
|
- all
|
|
matchers:
|
|
- type: word
|
|
part: raw
|
|
words:
|
|
- "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
|
|
- "+:Users:Shared:UserEvent.app:Contents:MacOS:"
|
|
- "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
|
|
- "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
|
|
- "osascript -e 'tell application \"System Events\" to get the name of every login item'"
|
|
- "osascript -e 'tell application \"System Events\" to get the path of every login item'"
|
|
- "serverVisible \0"
|
|
condition: and
|
|
|
|
# digest: 490a004630440220190e234b6d0f00657ae8e6f2d79b342fccf9e1dcb9c49de77781fa21e662da7302203dbf070c64970b142d6edbcb95b55be91252dff5ef95487e3a5ce7d106aafe5a:922c64590222798bb761d5b6d8e72950
|