osquery-1/packs/osx-attacks.conf

{
  "platform": "darwin",
  "version": "1.4.5",
  "queries": {
    "WireLurker": {
      "query" : "select * from launchd where name = 'com.apple.machook_damon.plist' or name = 'com.apple.globalupdate.plist' or name = 'com.apple.appstore.plughelper.plist' or name = 'com.apple.MailServiceAgentHelper.plist' or name = 'com.apple.systemkeychain-helper.plist' or name = 'com.apple.periodic-dd-mm-yy.plist';",
      "interval" : "86400",
      "description" : "(https://github.com/PaloAltoNetworks-BD/WireLurkerDetector)",
      "value" : "Artifact used by this malware"
    },
    "Leverage-A_1": {
      "query" : "select * from launchd where path like '%UserEvent.System.plist';",
      "interval" : "86400",
      "description" : "(http://www.intego.com/mac-security-blog/new-mac-trojan-discovered-related-to-syria/)",
      "value" : "Artifact used by this malware"
    },
    "Leverage-A_2": {
      "query" : "select * from file where path = '/Users/Shared/UserEvent.app';",
      "interval" : "86400",
      "description" : "(http://www.intego.com/mac-security-blog/new-mac-trojan-discovered-related-to-syria/)",
      "value" : "Artifact used by this malware"
    },
    "Tibet.D": {
      "query" : "select * from launchd where path like '%com.apple.AudioService.plist';",
      "interval" : "86400",
      "description" : "(http://www.intego.com/mac-security-blog/os-x-malware-tibet-variant-found/)",
      "value" : "Artifact used by this malware"
    },
    "DevilRobber": {
      "query" : "select * from launchd where name = 'com.apple.legion.plist' or name = 'com.apple.pixel.plist';",
      "interval" : "86400",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_devilrobber_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "XSLCmd": {
      "query" : "select * from launchd where name = 'com.apple.service.clipboardd.plist';",
      "interval" : "86400",
      "description" : "(https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html)",
      "value" : "Artifact used by this malware"
    },
    "Olyx": {
      "query" : "select * from launchd where name = 'com.apple.DockActions.plist' or name like '%www. google.com.tstart.plist%';",
      "interval" : "86400",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_olyx_c.shtml)",
      "value" : "Artifact used by this malware"
    },
    "Imuler": {
      "query" : "select * from launchd where name = 'checkflr.plist';",
      "interval" : "86400",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_imuler_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "iWorkServ": {
      "query" : "select * from startup_items where path like '%iWorkServices%';",
      "interval" : "86400",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_iworkserv_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "Morcut": {
      "query" : "select * from launchd where name = 'com.apple.mdworker.plist';",
      "interval" : "86400",
      "description" : "(http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_morcut.a)",
      "value" : "Artifact used by this malware"
    },
    "BlazingKeylogger": {
      "query" : "select * from launchd where name = 'com.BT.BPK.plist';",
      "interval" : "86400",
      "description" : "(http://www.blazingtools.com/mac_keylogger.html)",
      "value" : "Artifact used by this malware"
    },
    "Icefog": {
      "query" : "select * from launchd where name = 'apple.launchd.plist' or name = 'com.apple.launchport.plist';",
      "interval" : "86400",
      "description" : "(http://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/)",
      "value" : "Artifact used by this malware"
    },
    "Careto": {
      "query" : "select * from launchd where path like '%com.apple.launchport.plist';",
      "interval" : "86400",
      "description" : "(http://blog.kaspersky.com/the-mask-unveiling-the-worlds-most-sophisticated-apt-campaign/)",
      "value" : "Artifact used by this malware"
    },
    "Inqtana": {
      "query" : "select * from launchd where name = 'com.pwned.plist' or name = 'com.openbundle.plist' or name = 'com.adobe.reader.plist';",
      "interval" : "86400",
      "description" : "(https://www.f-secure.com/v-descs/inqtana_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "MacKontrol": {
      "query" : "select * from launchd where name = 'com.apple.FolderActionsxl.plist';",
      "interval" : "86400",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_mackontrol_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "PubSab": {
      "query" : "select * from launchd where name = 'com.apple.PubSabAgent.plist';",
      "interval" : "86400",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_sabpab_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "Dockster": {
      "query" : "select * from launchd where name = 'mac.Dockset.deman.plist';",
      "interval" : "86400",
      "description" : "(http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_dockster.a)",
      "value" : "Artifact used by this malware"
    },
    "CallMe": {
      "query" : "select * from launchd where name = 'realPlayerUpdate.plist';",
      "interval" : "86400",
      "description" : "(https://www.f-secure.com/weblog/archives/00002546.html)",
      "value" : "Artifact used by this malware"
    },
    "Whitesmoke": {
      "query" : "select * from launchd where name = 'com.whitesmoke.uploader.plist';",
      "interval" : "86400",
      "description" : "(http://www.thesafemac.com/osxfkcodec-a-in-action/ )",
      "value" : "Artifact used by this malware"
    },
    "Codecm": {
      "query" : "select * from launchd where name = 'com.codecm.uploader.plist';",
      "interval" : "86400",
      "description" : "(http://www.thesafemac.com/osxfkcodec-a-in-action/)",
      "value" : "Artifact used by this malware"
    },
    "iWorm": {
      "query" : "select * from launchd where name = 'com.JavaW.plist';",
      "interval" : "86400",
      "description" : "(https://www.virusbtn.com/virusbulletin/archive/2014/10/vb201410-iWorm)",
      "value" : "Artifact used by this malware"
    },
    "iWorm_1": {
      "query" : "select * from file where path like '/Library/Application Support/JavaW%';",
      "interval" : "86400",
      "description" : "(https://www.virusbtn.com/virusbulletin/archive/2014/10/vb201410-iWorm)",
      "value" : "Artifact used by this malware"
    },
    "SniperSpy": {
      "query" : "select * from launchd where name = 'com.rxs.syslogagent.plist';",
      "interval" : "86400",
      "description" : "(http://www.symantec.com/security_response/writeup.jsp?docid=2010-081606-4034-99&tabid=2)",
      "value" : "Artifact used by this malware"
    },
    "Vsearch": {
      "query" : "select * from launchd where name = 'com.vsearch.agent.plist' or name = 'com.vsearch.daemon.plist' or name = 'com.vsearch.helper.plist' or name = 'Jack.plist' or program_arguments = '/etc/run_upd.sh' or program_arguments like '/Library/Application Support/%/Agent/agent.app/Contents/MacOS/agent%';",
      "interval" : "86400",
      "description" : "(http://www.thesafemac.com/arg-downlite/)",
      "value" : "Artifact used by this malware"
    },
    "Buca": {
      "query" : "select * from launchd where name = 'com.webhelper.plist' or name = 'com.webtools.update.agent.plist' or name = 'com.webtools.uninstaller.plist';",
      "interval" : "86400",
      "description" : "(http://www.thesafemac.com/arg-buca-apps/)",
      "value" : "Artifact used by this malware"
    },
    "Conduit": {
      "query" : "select * from launchd where path like '%com.conduit.loader.agent.plist' or name = 'com.conduit.loader.agent.plist' or path like '%com.perion.searchprotectd.plist' or name = 'com.perion.searchprotectd.plist';",
      "interval" : "86400",
      "description" : "(http://www.thesafemac.com/arg-conduit/)",
      "value" : "Artifact used by this malware"
    },
    "Genieo": {
      "query" : "select * from launchd where name = 'com.genieo.completer.download.plist' or name = 'com.genieo.completer.update.plist' or name = 'com.genieo.completer.ltvbit.plist' or name = 'com.installer.completer.download.plist' or name = 'com.installer.completer.update.plist' or name = 'com.installer.completer.ltvbit.plist' or name = 'com.genieoinnovation.macextension.plist' or name = 'com.genieoinnovation.macextension.client.plist' or name = 'com.genieo.engine.plist';",
      "interval" : "86400",
      "description" : "(http://www.thesafemac.com/arg-genieo/)",
      "value" : "Artifact used by this malware"
    },
    "GenieoPart2": {
      "query" : "select * from launchd where program_arguments like '/Users/%/Library/Application Support/%/%.app/Contents/MacOS/App% -trigger download -isDev % -installVersion % -firstAppId % -identity %';",
      "interval" : "86400",
      "description" : "New version of Genieo",
      "value" : "Artifact used by this malware"
    },
    "HackingTeam_Mac_RAT1": {
      "query" : "select * from file where path = '/dev/ptmx0';",
      "interval" : "86400",
      "description" : "Detect RAT used by Hacking Team",
      "value" : "Artifact used by this malware"
    },
    "HackingTeam_Mac_RAT2": {
      "query" : "select * from apps where bundle_identifier = 'com.ht.RCSMac';",
      "interval" : "86400",
      "description" : "Detect RAT used by Hacking Team",
      "value" : "Artifact used by this malware"
    },
    "HackingTeam_Mac_RAT3": {
      "query" : "select * from launchd where label = 'com.ht.RCSMac' or name = 'com.apple.loginStoreagent.plist' or name = 'com.apple.mdworker.plist' or name = 'com.apple.UIServerLogin.plist';",
      "interval" : "86400",
      "description" : "Detect RAT used by Hacking Team",
      "value" : "Artifact used by this malware"
    },
    "HackingTeam_Mac_Persistence": {
      "query": "select * from file where directory like '/Users/%/Library/Preferences/8pHbqThW%';",
      "interval": "86400",
      "description": "Detection persistency by Hacking Team",
      "value": "Artifact used by Hacking Team"
    },
    "xprotect_reports": {
      "query": "select * from xprotect_reports;",
      "interval": 1200,
      "removed": false,
      "description": "Report on Apple/OS X XProtect 'report' generation. Reports are generated when OS X matches an item in xprotect_entries.",
      "value": "Although XProtect reports are rare, they may be worth collecting and aggregating internally."
    },
    "Keranger_1": {
      "query": "select * from processes where name = 'kernel_service';",
      "interval": "86400",
      "description": "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",
      "value": "Artifact used by this malware"
    },
    "Keranger_2": {
      "query": "select * from file where path like '/Users/%/Library/.kernel_%' union select * from file where path like '/Users/%/Library/kernel_service';",
      "interval": "86400",
      "description": "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",
      "value": "Artifact used by this malware"
    },
    "PremierOpinion": {
      "query": "select * from launchd where name = 'PremierOpinion.plist' or name = 'PremierOpinionAgent.plist';",
      "interval": "86400",
      "description": "(http://www.thesafemac.com/arg-premier-opinion/)",
      "value": "Artifact used by this malware"
    },
    "Bundlore": {
      "query": "select * from launchd where name like 'com.WebShoppy.%.plist' or name like 'com.SoftwareUpdater.%.plist' or name like 'cinema-plus%.plist' or name like 'com.WebTools.%.plist' or name like 'com.crossrider.%.plist' or name like 'shopy-mate_%.plist' or name like 'com.WebShopper.%.plist';",
      "interval": "86400",
      "description": "(http://www.thesafemac.com/arg-bundlore/)",
      "value": "Artifact used by this malware"
    },
    "Spigot": {
      "query": "select * from launchd where name like 'com.spigot.%.plist';",
      "interval": "86400",
      "description": "(http://www.thesafemac.com/arg-spigot/)",
      "value": "Artifact used by this malware"
    },
    "SearchInstUpdater": {
      "query": "select * from launchd where name like 'com.updater.mc%.plist' or name like 'com.updater.watch.mc%.plist';",
      "interval": "86400",
      "description": "(https://www.virustotal.com/en/file/9530d481f7bb07aac98a46357bfcff96e2936a90571b4629ae865a2ce63e5c8e/analysis/1458973247/)",
      "value": "Artifact used by this malware"
    },
    "OSX_Pirrit": {
      "query": "select * from preferences where path = '/Library/Preferences/com.common.plist' and key = 'net_pref';",
      "interval": "86400",
      "description": "(https://threatpost.com/mac-adware-osx-pirrit-unleashes-ad-overload-for-now/117273/)",
      "value": "Artifact used by this malware"
    },
    "Backdoor_MAC_Eleanor": {
      "query": "SELECT * FROM launchd WHERE name IN ('com.getdropbox.dropbox.integritycheck.plist','com.getdropbox.dropbox.timegrabber.plist','com.getdropbox.dropbox.usercontent.plist');",
      "interval": "86400",
      "description": "(https://blog.malwarebytes.com/cybercrime/2016/07/new-mac-backdoor-malware-eleanor/)",
      "value": "Artifact used by this malware"
    },
    "EliteKeylogger": {
      "query": "select * from launchd where name = 'com.apple.fonts.plist' and label = 'unknown';",
      "interval": "86400",
      "description": "(https://www.elitekeyloggers.com/elite-keylogger-mac)",
      "value": "Artifact used by this malware"
    },
    "Aobo_Keylogger": {
      "query": "select * from launchd where name like 'com.ab.kl%.plist';",
      "interval": "86400",
      "description": "(http://aobo.cc/aobo-mac-os-x-keylogger.html)",
      "value": "Artifact used by this malware"
    },
    "OSX_Keydnap": {
      "query": "select * from launchd where name = 'com.apple.iCloud.sync.daemon';",
      "interval": "86400",
      "description": "(http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials)",
      "value": "Artifact used by this malware"
    },
    "Java_Adwind_Trojan": {
      "query": "select * from launchd where name like 'org.%.plist' and program_arguments like '/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -Dapple.awt.UIElement=true -jar /Users/%/.%';",
      "interval": "86400",
      "description": "(https://blog.malwarebytes.com/threat-analysis/2016/07/cross-platform-malware-adwind-infects-mac/)",
      "value": "Artifact used by this malware"
    }
  }
}
Query packs files 2015-07-17 21:42:05 +00:00			`{`
			`"platform": "darwin",`
			`"version": "1.4.5",`
			`"queries": {`
			`"WireLurker": {`
			`"query" : "select * from launchd where name = 'com.apple.machook_damon.plist' or name = 'com.apple.globalupdate.plist' or name = 'com.apple.appstore.plughelper.plist' or name = 'com.apple.MailServiceAgentHelper.plist' or name = 'com.apple.systemkeychain-helper.plist' or name = 'com.apple.periodic-dd-mm-yy.plist';",`
			`"interval" : "86400",`
			`"description" : "(https://github.com/PaloAltoNetworks-BD/WireLurkerDetector)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"Leverage-A_1": {`
			`"query" : "select * from launchd where path like '%UserEvent.System.plist';",`
			`"interval" : "86400",`
			`"description" : "(http://www.intego.com/mac-security-blog/new-mac-trojan-discovered-related-to-syria/)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"Leverage-A_2": {`
			`"query" : "select * from file where path = '/Users/Shared/UserEvent.app';",`
			`"interval" : "86400",`
			`"description" : "(http://www.intego.com/mac-security-blog/new-mac-trojan-discovered-related-to-syria/)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"Tibet.D": {`
			`"query" : "select * from launchd where path like '%com.apple.AudioService.plist';",`
			`"interval" : "86400",`
			`"description" : "(http://www.intego.com/mac-security-blog/os-x-malware-tibet-variant-found/)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"DevilRobber": {`
			`"query" : "select * from launchd where name = 'com.apple.legion.plist' or name = 'com.apple.pixel.plist';",`
			`"interval" : "86400",`
			`"description" : "(https://www.f-secure.com/v-descs/backdoor_osx_devilrobber_a.shtml)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"XSLCmd": {`
			`"query" : "select * from launchd where name = 'com.apple.service.clipboardd.plist';",`
			`"interval" : "86400",`
			`"description" : "(https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"Olyx": {`
			`"query" : "select * from launchd where name = 'com.apple.DockActions.plist' or name like '%www. google.com.tstart.plist%';",`
			`"interval" : "86400",`
			`"description" : "(https://www.f-secure.com/v-descs/backdoor_osx_olyx_c.shtml)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"Imuler": {`
			`"query" : "select * from launchd where name = 'checkflr.plist';",`
			`"interval" : "86400",`
			`"description" : "(https://www.f-secure.com/v-descs/backdoor_osx_imuler_a.shtml)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"iWorkServ": {`
			`"query" : "select * from startup_items where path like '%iWorkServices%';",`
			`"interval" : "86400",`
			`"description" : "(https://www.f-secure.com/v-descs/backdoor_osx_iworkserv_a.shtml)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"Morcut": {`
			`"query" : "select * from launchd where name = 'com.apple.mdworker.plist';",`
			`"interval" : "86400",`
			`"description" : "(http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_morcut.a)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"BlazingKeylogger": {`
			`"query" : "select * from launchd where name = 'com.BT.BPK.plist';",`
			`"interval" : "86400",`
			`"description" : "(http://www.blazingtools.com/mac_keylogger.html)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"Icefog": {`
			`"query" : "select * from launchd where name = 'apple.launchd.plist' or name = 'com.apple.launchport.plist';",`
			`"interval" : "86400",`
			`"description" : "(http://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"Careto": {`
			`"query" : "select * from launchd where path like '%com.apple.launchport.plist';",`
			`"interval" : "86400",`
			`"description" : "(http://blog.kaspersky.com/the-mask-unveiling-the-worlds-most-sophisticated-apt-campaign/)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"Inqtana": {`
			`"query" : "select * from launchd where name = 'com.pwned.plist' or name = 'com.openbundle.plist' or name = 'com.adobe.reader.plist';",`
			`"interval" : "86400",`
			`"description" : "(https://www.f-secure.com/v-descs/inqtana_a.shtml)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"MacKontrol": {`
			`"query" : "select * from launchd where name = 'com.apple.FolderActionsxl.plist';",`
			`"interval" : "86400",`
			`"description" : "(https://www.f-secure.com/v-descs/backdoor_osx_mackontrol_a.shtml)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"PubSab": {`
			`"query" : "select * from launchd where name = 'com.apple.PubSabAgent.plist';",`
			`"interval" : "86400",`
			`"description" : "(https://www.f-secure.com/v-descs/backdoor_osx_sabpab_a.shtml)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"Dockster": {`
			`"query" : "select * from launchd where name = 'mac.Dockset.deman.plist';",`
			`"interval" : "86400",`
			`"description" : "(http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_dockster.a)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"CallMe": {`
			`"query" : "select * from launchd where name = 'realPlayerUpdate.plist';",`
			`"interval" : "86400",`
			`"description" : "(https://www.f-secure.com/weblog/archives/00002546.html)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"Whitesmoke": {`
			`"query" : "select * from launchd where name = 'com.whitesmoke.uploader.plist';",`
			`"interval" : "86400",`
			`"description" : "(http://www.thesafemac.com/osxfkcodec-a-in-action/ )",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"Codecm": {`
			`"query" : "select * from launchd where name = 'com.codecm.uploader.plist';",`
			`"interval" : "86400",`
			`"description" : "(http://www.thesafemac.com/osxfkcodec-a-in-action/)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"iWorm": {`
			`"query" : "select * from launchd where name = 'com.JavaW.plist';",`
			`"interval" : "86400",`
			`"description" : "(https://www.virusbtn.com/virusbulletin/archive/2014/10/vb201410-iWorm)",`
			`"value" : "Artifact used by this malware"`
			`},`
Adding folder signature for iWorm OSX malware (#2231) 2016-07-07 22:14:01 +00:00			`"iWorm_1": {`
			`"query" : "select * from file where path like '/Library/Application Support/JavaW%';",`
			`"interval" : "86400",`
			`"description" : "(https://www.virusbtn.com/virusbulletin/archive/2014/10/vb201410-iWorm)",`
			`"value" : "Artifact used by this malware"`
			`},`
Query packs files 2015-07-17 21:42:05 +00:00			`"SniperSpy": {`
			`"query" : "select * from launchd where name = 'com.rxs.syslogagent.plist';",`
			`"interval" : "86400",`
			`"description" : "(http://www.symantec.com/security_response/writeup.jsp?docid=2010-081606-4034-99&tabid=2)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"Vsearch": {`
Adding detection for new adware variants to osx-attacks 2016-03-26 15:47:44 +00:00			`"query" : "select * from launchd where name = 'com.vsearch.agent.plist' or name = 'com.vsearch.daemon.plist' or name = 'com.vsearch.helper.plist' or name = 'Jack.plist' or program_arguments = '/etc/run_upd.sh' or program_arguments like '/Library/Application Support/%/Agent/agent.app/Contents/MacOS/agent%';",`
Query packs files 2015-07-17 21:42:05 +00:00			`"interval" : "86400",`
			`"description" : "(http://www.thesafemac.com/arg-downlite/)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"Buca": {`
			`"query" : "select * from launchd where name = 'com.webhelper.plist' or name = 'com.webtools.update.agent.plist' or name = 'com.webtools.uninstaller.plist';",`
			`"interval" : "86400",`
			`"description" : "(http://www.thesafemac.com/arg-buca-apps/)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"Conduit": {`
			`"query" : "select * from launchd where path like '%com.conduit.loader.agent.plist' or name = 'com.conduit.loader.agent.plist' or path like '%com.perion.searchprotectd.plist' or name = 'com.perion.searchprotectd.plist';",`
			`"interval" : "86400",`
			`"description" : "(http://www.thesafemac.com/arg-conduit/)",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"Genieo": {`
			`"query" : "select * from launchd where name = 'com.genieo.completer.download.plist' or name = 'com.genieo.completer.update.plist' or name = 'com.genieo.completer.ltvbit.plist' or name = 'com.installer.completer.download.plist' or name = 'com.installer.completer.update.plist' or name = 'com.installer.completer.ltvbit.plist' or name = 'com.genieoinnovation.macextension.plist' or name = 'com.genieoinnovation.macextension.client.plist' or name = 'com.genieo.engine.plist';",`
			`"interval" : "86400",`
			`"description" : "(http://www.thesafemac.com/arg-genieo/)",`
			`"value" : "Artifact used by this malware"`
			`},`
adding genieo query 2015-11-21 22:32:07 +00:00			`"GenieoPart2": {`
Update osx-attacks.conf Make Genieo query use 'like' instead of '=' 2015-12-11 00:01:31 +00:00			`"query" : "select * from launchd where program_arguments like '/Users/%/Library/Application Support/%/%.app/Contents/MacOS/App% -trigger download -isDev % -installVersion % -firstAppId % -identity %';",`
adding genieo query 2015-11-21 22:32:07 +00:00			`"interval" : "86400",`
			`"description" : "New version of Genieo",`
			`"value" : "Artifact used by this malware"`
			`},`
Query packs files 2015-07-17 21:42:05 +00:00			`"HackingTeam_Mac_RAT1": {`
			`"query" : "select * from file where path = '/dev/ptmx0';",`
			`"interval" : "86400",`
			`"description" : "Detect RAT used by Hacking Team",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"HackingTeam_Mac_RAT2": {`
Add hardware/internal (monitoring) packs and reduce FPs, duplicate queries 2015-11-25 18:22:41 +00:00			`"query" : "select * from apps where bundle_identifier = 'com.ht.RCSMac';",`
Query packs files 2015-07-17 21:42:05 +00:00			`"interval" : "86400",`
			`"description" : "Detect RAT used by Hacking Team",`
			`"value" : "Artifact used by this malware"`
			`},`
			`"HackingTeam_Mac_RAT3": {`
Add hardware/internal (monitoring) packs and reduce FPs, duplicate queries 2015-11-25 18:22:41 +00:00			`"query" : "select * from launchd where label = 'com.ht.RCSMac' or name = 'com.apple.loginStoreagent.plist' or name = 'com.apple.mdworker.plist' or name = 'com.apple.UIServerLogin.plist';",`
Query packs files 2015-07-17 21:42:05 +00:00			`"interval" : "86400",`
			`"description" : "Detect RAT used by Hacking Team",`
			`"value" : "Artifact used by this malware"`
Add hardware/internal (monitoring) packs and reduce FPs, duplicate queries 2015-11-25 18:22:41 +00:00			`},`
Adding detectiong for OSX Keranger 2016-03-07 00:40:03 +00:00			`"HackingTeam_Mac_Persistence": {`
Added new detection for hacking team Detect persistency binary from hacking team (ref: https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) 2016-03-01 07:28:18 +00:00			`"query": "select * from file where directory like '/Users/%/Library/Preferences/8pHbqThW%';",`
Adding detectiong for OSX Keranger 2016-03-07 00:40:03 +00:00			`"interval": "86400",`
Added new detection for hacking team Detect persistency binary from hacking team (ref: https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) 2016-03-01 07:28:18 +00:00			`"description": "Detection persistency by Hacking Team",`
			`"value": "Artifact used by Hacking Team"`
			`},`
Add hardware/internal (monitoring) packs and reduce FPs, duplicate queries 2015-11-25 18:22:41 +00:00			`"xprotect_reports": {`
			`"query": "select * from xprotect_reports;",`
			`"interval": 1200,`
			`"removed": false,`
			`"description": "Report on Apple/OS X XProtect 'report' generation. Reports are generated when OS X matches an item in xprotect_entries.",`
			`"value": "Although XProtect reports are rare, they may be worth collecting and aggregating internally."`
Adding detectiong for OSX Keranger 2016-03-07 00:40:03 +00:00			`},`
			`"Keranger_1": {`
			`"query": "select * from processes where name = 'kernel_service';",`
			`"interval": "86400",`
			`"description": "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",`
			`"value": "Artifact used by this malware"`
			`},`
			`"Keranger_2": {`
OSX Keranger detection fix 2016-03-07 17:25:32 +00:00			`"query": "select * from file where path like '/Users/%/Library/.kernel_%' union select * from file where path like '/Users/%/Library/kernel_service';",`
Adding detectiong for OSX Keranger 2016-03-07 00:40:03 +00:00			`"interval": "86400",`
			`"description": "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",`
			`"value": "Artifact used by this malware"`
Adding detection for new adware variants to osx-attacks 2016-03-26 15:47:44 +00:00			`},`
			`"PremierOpinion": {`
			`"query": "select * from launchd where name = 'PremierOpinion.plist' or name = 'PremierOpinionAgent.plist';",`
			`"interval": "86400",`
			`"description": "(http://www.thesafemac.com/arg-premier-opinion/)",`
			`"value": "Artifact used by this malware"`
			`},`
			`"Bundlore": {`
Adding wildcards 2016-03-27 05:10:27 +00:00			`"query": "select * from launchd where name like 'com.WebShoppy.%.plist' or name like 'com.SoftwareUpdater.%.plist' or name like 'cinema-plus%.plist' or name like 'com.WebTools.%.plist' or name like 'com.crossrider.%.plist' or name like 'shopy-mate_%.plist' or name like 'com.WebShopper.%.plist';",`
Adding detection for new adware variants to osx-attacks 2016-03-26 15:47:44 +00:00			`"interval": "86400",`
			`"description": "(http://www.thesafemac.com/arg-bundlore/)",`
			`"value": "Artifact used by this malware"`
			`},`
			`"Spigot": {`
Adding wildcards 2016-03-27 05:10:27 +00:00			`"query": "select * from launchd where name like 'com.spigot.%.plist';",`
Adding detection for new adware variants to osx-attacks 2016-03-26 15:47:44 +00:00			`"interval": "86400",`
			`"description": "(http://www.thesafemac.com/arg-spigot/)",`
			`"value": "Artifact used by this malware"`
			`},`
			`"SearchInstUpdater": {`
Adding wildcards 2016-03-27 05:10:27 +00:00			`"query": "select * from launchd where name like 'com.updater.mc%.plist' or name like 'com.updater.watch.mc%.plist';",`
Adding detection for new adware variants to osx-attacks 2016-03-26 15:47:44 +00:00			`"interval": "86400",`
			`"description": "(https://www.virustotal.com/en/file/9530d481f7bb07aac98a46357bfcff96e2936a90571b4629ae865a2ce63e5c8e/analysis/1458973247/)",`
			`"value": "Artifact used by this malware"`
Add detection for OSX Pirrit (#2029) See: https://threatpost.com/mac-adware-osx-pirrit-unleashes-ad-overload-for-now/117273/ Someone also wrote a removal for it: https://github.com/aserper/osx.pirrit_removal/blob/master/remove_pirrit.sh 2016-04-08 18:29:44 +00:00			`},`
			`"OSX_Pirrit": {`
			`"query": "select * from preferences where path = '/Library/Preferences/com.common.plist' and key = 'net_pref';",`
			`"interval": "86400",`
			`"description": "(https://threatpost.com/mac-adware-osx-pirrit-unleashes-ad-overload-for-now/117273/)",`
			`"value": "Artifact used by this malware"`
Adding Elite Keylogger Detection to osx-attacks (#2031) 2016-04-09 20:54:15 +00:00			`},`
update osx_attacks with Backdoor.MAC.Eleanor with fixes (#2226) 2016-07-07 22:14:27 +00:00			`"Backdoor_MAC_Eleanor": {`
			`"query": "SELECT * FROM launchd WHERE name IN ('com.getdropbox.dropbox.integritycheck.plist','com.getdropbox.dropbox.timegrabber.plist','com.getdropbox.dropbox.usercontent.plist');",`
			`"interval": "86400",`
			`"description": "(https://blog.malwarebytes.com/cybercrime/2016/07/new-mac-backdoor-malware-eleanor/)",`
			`"value": "Artifact used by this malware"`
			`},`
Adding Elite Keylogger Detection to osx-attacks (#2031) 2016-04-09 20:54:15 +00:00			`"EliteKeylogger": {`
			`"query": "select * from launchd where name = 'com.apple.fonts.plist' and label = 'unknown';",`
			`"interval": "86400",`
			`"description": "(https://www.elitekeyloggers.com/elite-keylogger-mac)",`
			`"value": "Artifact used by this malware"`
Adding Aobo Keylogger and OSX_Keydnap to osx-attacks (#2230) 2016-07-07 21:04:05 +00:00			`},`
			`"Aobo_Keylogger": {`
			`"query": "select * from launchd where name like 'com.ab.kl%.plist';",`
			`"interval": "86400",`
			`"description": "(http://aobo.cc/aobo-mac-os-x-keylogger.html)",`
			`"value": "Artifact used by this malware"`
			`},`
			`"OSX_Keydnap": {`
			`"query": "select * from launchd where name = 'com.apple.iCloud.sync.daemon';",`
			`"interval": "86400",`
			`"description": "(http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials)",`
			`"value": "Artifact used by this malware"`
Adding detection query for Java_Adwind Trojan (#2284) 2016-08-03 17:46:14 +00:00			`},`
			`"Java_Adwind_Trojan": {`
			`"query": "select * from launchd where name like 'org.%.plist' and program_arguments like '/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -Dapple.awt.UIElement=true -jar /Users/%/.%';",`
			`"interval": "86400",`
			`"description": "(https://blog.malwarebytes.com/threat-analysis/2016/07/cross-platform-malware-adwind-infects-mac/)",`
			`"value": "Artifact used by this malware"`
Query packs files 2015-07-17 21:42:05 +00:00			`}`
			`}`
			`}`