nuclei-templates/file/malware/osx-leverage-malware.yaml

26 lines
1.0 KiB
YAML

id: osx-leverage-malware
info:
name: OSX Leverage Malware - Detect
author: daffainfo
severity: info
reference: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_OSX_Leverage.yar
tags: malware,file
file:
- extensions:
- all
matchers:
- type: word
part: raw
words:
- "ioreg -l | grep \"IOPlatformSerialNumber\" | awk -F"
- "+:Users:Shared:UserEvent.app:Contents:MacOS:"
- "rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'"
- "osascript -e 'tell application \"System Events\" to get the hidden of every login item'"
- "osascript -e 'tell application \"System Events\" to get the name of every login item'"
- "osascript -e 'tell application \"System Events\" to get the path of every login item'"
- "serverVisible \0"
condition: and
# digest: 490a004630440220190e234b6d0f00657ae8e6f2d79b342fccf9e1dcb9c49de77781fa21e662da7302203dbf070c64970b142d6edbcb95b55be91252dff5ef95487e3a5ce7d106aafe5a:922c64590222798bb761d5b6d8e72950