osquery-1/packs/osx-attacks.conf

346 lines
17 KiB
Plaintext
Raw Normal View History

2015-07-17 21:42:05 +00:00
{
"platform": "darwin",
"version": "1.4.5",
"queries": {
"WireLurker": {
"query" : "select * from launchd where \
name = 'com.apple.machook_damon.plist' OR \
name = 'com.apple.globalupdate.plist' OR \
name = 'com.apple.appstore.plughelper.plist' OR \
name = 'com.apple.MailServiceAgentHelper.plist' OR \
name = 'com.apple.systemkeychain-helper.plist' OR \
name = 'com.apple.periodic-dd-mm-yy.plist';",
2015-07-17 21:42:05 +00:00
"interval" : "86400",
"description" : "(https://github.com/PaloAltoNetworks-BD/WireLurkerDetector)",
"value" : "Artifact used by this malware"
},
"Leverage-A_1": {
"query" : "select * from launchd where path like '%UserEvent.System.plist';",
"interval" : "86400",
"description" : "(http://www.intego.com/mac-security-blog/new-mac-trojan-discovered-related-to-syria/)",
"value" : "Artifact used by this malware"
},
"Leverage-A_2": {
"query" : "select * from file where path = '/Users/Shared/UserEvent.app';",
"interval" : "86400",
"description" : "(http://www.intego.com/mac-security-blog/new-mac-trojan-discovered-related-to-syria/)",
"value" : "Artifact used by this malware"
},
"Tibet.D": {
"query" : "select * from launchd where path like '%com.apple.AudioService.plist';",
"interval" : "86400",
"description" : "(http://www.intego.com/mac-security-blog/os-x-malware-tibet-variant-found/)",
"value" : "Artifact used by this malware"
},
"DevilRobber": {
"query" : "select * from launchd where name = 'com.apple.legion.plist' or name = 'com.apple.pixel.plist';",
"interval" : "86400",
"description" : "(https://www.f-secure.com/v-descs/backdoor_osx_devilrobber_a.shtml)",
"value" : "Artifact used by this malware"
},
"XSLCmd": {
"query" : "select * from launchd where name = 'com.apple.service.clipboardd.plist';",
"interval" : "86400",
"description" : "(https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html)",
"value" : "Artifact used by this malware"
},
"Olyx": {
"query" : "select * from launchd where name = 'com.apple.DockActions.plist' or name like '%www. google.com.tstart.plist%';",
"interval" : "86400",
"description" : "(https://www.f-secure.com/v-descs/backdoor_osx_olyx_c.shtml)",
"value" : "Artifact used by this malware"
},
"Imuler": {
"query" : "select * from launchd where name = 'checkflr.plist';",
"interval" : "86400",
"description" : "(https://www.f-secure.com/v-descs/backdoor_osx_imuler_a.shtml)",
"value" : "Artifact used by this malware"
},
"iWorkServ": {
"query" : "select * from startup_items where path like '%iWorkServices%';",
"interval" : "86400",
"description" : "(https://www.f-secure.com/v-descs/backdoor_osx_iworkserv_a.shtml)",
"value" : "Artifact used by this malware"
},
"Morcut": {
"query" : "select * from launchd where name = 'com.apple.mdworker.plist';",
"interval" : "86400",
"description" : "(http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_morcut.a)",
"value" : "Artifact used by this malware"
},
"BlazingKeylogger": {
"query" : "select * from launchd where name = 'com.BT.BPK.plist';",
"interval" : "86400",
"description" : "(http://www.blazingtools.com/mac_keylogger.html)",
"value" : "Artifact used by this malware"
},
"Icefog": {
"query" : "select * from launchd where name = 'apple.launchd.plist' or name = 'com.apple.launchport.plist';",
"interval" : "86400",
"description" : "(http://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/)",
"value" : "Artifact used by this malware"
},
"Careto": {
"query" : "select * from launchd where path like '%com.apple.launchport.plist';",
"interval" : "86400",
"description" : "(http://blog.kaspersky.com/the-mask-unveiling-the-worlds-most-sophisticated-apt-campaign/)",
"value" : "Artifact used by this malware"
},
"Inqtana": {
"query" : "select * from launchd where name = 'com.pwned.plist' or name = 'com.openbundle.plist' or name = 'com.adobe.reader.plist';",
"interval" : "86400",
"description" : "(https://www.f-secure.com/v-descs/inqtana_a.shtml)",
"value" : "Artifact used by this malware"
},
"MacKontrol": {
"query" : "select * from launchd where name = 'com.apple.FolderActionsxl.plist';",
"interval" : "86400",
"description" : "(https://www.f-secure.com/v-descs/backdoor_osx_mackontrol_a.shtml)",
"value" : "Artifact used by this malware"
},
"PubSab": {
"query" : "select * from launchd where name = 'com.apple.PubSabAgent.plist';",
"interval" : "86400",
"description" : "(https://www.f-secure.com/v-descs/backdoor_osx_sabpab_a.shtml)",
"value" : "Artifact used by this malware"
},
"Dockster": {
"query" : "select * from launchd where name = 'mac.Dockset.deman.plist';",
"interval" : "86400",
"description" : "(http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_dockster.a)",
"value" : "Artifact used by this malware"
},
"CallMe": {
"query" : "select * from launchd where name = 'realPlayerUpdate.plist';",
"interval" : "86400",
"description" : "(https://www.f-secure.com/weblog/archives/00002546.html)",
"value" : "Artifact used by this malware"
},
"Whitesmoke": {
"query" : "select * from launchd where name = 'com.whitesmoke.uploader.plist';",
"interval" : "86400",
"description" : "(http://www.thesafemac.com/osxfkcodec-a-in-action/ )",
"value" : "Artifact used by this malware"
},
"Codecm": {
"query" : "select * from launchd where name = 'com.codecm.uploader.plist';",
"interval" : "86400",
"description" : "(http://www.thesafemac.com/osxfkcodec-a-in-action/)",
"value" : "Artifact used by this malware"
},
"iWorm": {
"query" : "select * from launchd where name = 'com.JavaW.plist';",
"interval" : "86400",
"description" : "(https://www.virusbtn.com/virusbulletin/archive/2014/10/vb201410-iWorm)",
"value" : "Artifact used by this malware"
},
"iWorm_1": {
"query" : "select * from file where path like '/Library/Application Support/JavaW%';",
"interval" : "86400",
"description" : "(https://www.virusbtn.com/virusbulletin/archive/2014/10/vb201410-iWorm)",
"value" : "Artifact used by this malware"
},
2015-07-17 21:42:05 +00:00
"SniperSpy": {
"query" : "select * from launchd where name = 'com.rxs.syslogagent.plist';",
"interval" : "86400",
"description" : "(http://www.symantec.com/security_response/writeup.jsp?docid=2010-081606-4034-99&tabid=2)",
"value" : "Artifact used by this malware"
},
"Vsearch": {
"query" : "select * from launchd where \
name = 'com.vsearch.agent.plist' OR \
name = 'com.vsearch.daemon.plist' OR \
name = 'com.vsearch.helper.plist' OR \
name = 'Jack.plist' OR \
program_arguments = '/etc/run_upd.sh' OR \
program_arguments LIKE '/Library/Application Support/%/Agent/agent.app/Contents/MacOS/agent%';",
2015-07-17 21:42:05 +00:00
"interval" : "86400",
"description" : "(http://www.thesafemac.com/arg-downlite/)",
"value" : "Artifact used by this malware"
},
"Buca": {
"query" : "select * from launchd where name = 'com.webhelper.plist' or name = 'com.webtools.update.agent.plist' or name = 'com.webtools.uninstaller.plist';",
"interval" : "86400",
"description" : "(http://www.thesafemac.com/arg-buca-apps/)",
"value" : "Artifact used by this malware"
},
"Conduit": {
"query" : "select * from launchd where path like '%com.conduit.loader.agent.plist' or name = 'com.conduit.loader.agent.plist' or path like '%com.perion.searchprotectd.plist' or name = 'com.perion.searchprotectd.plist';",
"interval" : "86400",
"description" : "(http://www.thesafemac.com/arg-conduit/)",
"value" : "Artifact used by this malware"
},
"Genieo": {
"query" : "select * from launchd where \
name = 'com.genieo.completer.download.plist' OR \
name = 'com.genieo.completer.update.plist' OR \
name = 'com.genieo.completer.ltvbit.plist' OR \
name = 'com.installer.completer.download.plist' OR \
name = 'com.installer.completer.update.plist' OR \
name = 'com.installer.completer.ltvbit.plist' OR \
name = 'com.genieoinnovation.macextension.plist' OR \
name = 'com.genieoinnovation.macextension.client.plist' OR \
name = 'com.genieo.engine.plist';",
2015-07-17 21:42:05 +00:00
"interval" : "86400",
"description" : "(http://www.thesafemac.com/arg-genieo/)",
"value" : "Artifact used by this malware"
},
2015-11-21 22:32:07 +00:00
"GenieoPart2": {
"query" : "select * from launchd where program_arguments like '/Users/%/Library/Application Support/%/%.app/Contents/MacOS/App% -trigger download -isDev % -installVersion % -firstAppId % -identity %';",
2015-11-21 22:32:07 +00:00
"interval" : "86400",
"description" : "New version of Genieo",
"value" : "Artifact used by this malware"
},
2015-07-17 21:42:05 +00:00
"HackingTeam_Mac_RAT1": {
"query" : "select * from file where path = '/dev/ptmx0';",
"interval" : "86400",
"description" : "Detect RAT used by Hacking Team",
"value" : "Artifact used by this malware"
},
"HackingTeam_Mac_RAT2": {
"query" : "select * from apps where bundle_identifier = 'com.ht.RCSMac';",
2015-07-17 21:42:05 +00:00
"interval" : "86400",
"description" : "Detect RAT used by Hacking Team",
"value" : "Artifact used by this malware"
},
"HackingTeam_Mac_RAT3": {
"query" : "select * from launchd where \
label = 'com.ht.RCSMac' OR \
name = 'com.apple.loginStoreagent.plist' OR \
name = 'com.apple.mdworker.plist' OR \
name = 'com.apple.UIServerLogin.plist';",
2015-07-17 21:42:05 +00:00
"interval" : "86400",
"description" : "Detect RAT used by Hacking Team",
"value" : "Artifact used by this malware"
},
2016-03-07 00:40:03 +00:00
"HackingTeam_Mac_Persistence": {
"query": "select * from file where directory like '/Users/%/Library/Preferences/8pHbqThW%';",
2016-03-07 00:40:03 +00:00
"interval": "86400",
"description": "Detection persistency by Hacking Team",
"value": "Artifact used by Hacking Team"
},
"xprotect_reports": {
"query": "select * from xprotect_reports;",
"interval": 1200,
"removed": false,
"description": "Report on Apple/OS X XProtect 'report' generation. Reports are generated when OS X matches an item in xprotect_entries.",
"value": "Although XProtect reports are rare, they may be worth collecting and aggregating internally."
2016-03-07 00:40:03 +00:00
},
"Keranger_1": {
"query": "select * from processes where name = 'kernel_service';",
"interval": "86400",
"description": "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",
"value": "Artifact used by this malware"
},
"Keranger_2": {
"query": "select * from file where \
path LIKE '/Users/%/Library/.kernel_%' OR \
path LIKE '/Users/%/Library/kernel_service';",
2016-03-07 00:40:03 +00:00
"interval": "86400",
"description": "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",
"value": "Artifact used by this malware"
},
"PremierOpinion": {
"query": "select * from launchd where name = 'PremierOpinion.plist' or name = 'PremierOpinionAgent.plist';",
"interval": "86400",
"description": "(http://www.thesafemac.com/arg-premier-opinion/)",
"value": "Artifact used by this malware"
},
"Bundlore": {
2016-03-27 05:10:27 +00:00
"query": "select * from launchd where name like 'com.WebShoppy.%.plist' or name like 'com.SoftwareUpdater.%.plist' or name like 'cinema-plus%.plist' or name like 'com.WebTools.%.plist' or name like 'com.crossrider.%.plist' or name like 'shopy-mate_%.plist' or name like 'com.WebShopper.%.plist';",
"interval": "86400",
"description": "(http://www.thesafemac.com/arg-bundlore/)",
"value": "Artifact used by this malware"
},
"Spigot": {
2016-03-27 05:10:27 +00:00
"query": "select * from launchd where name like 'com.spigot.%.plist';",
"interval": "86400",
"description": "(http://www.thesafemac.com/arg-spigot/)",
"value": "Artifact used by this malware"
},
"SearchInstUpdater": {
2016-03-27 05:10:27 +00:00
"query": "select * from launchd where name like 'com.updater.mc%.plist' or name like 'com.updater.watch.mc%.plist';",
"interval": "86400",
"description": "(https://www.virustotal.com/en/file/9530d481f7bb07aac98a46357bfcff96e2936a90571b4629ae865a2ce63e5c8e/analysis/1458973247/)",
"value": "Artifact used by this malware"
},
"OSX_Pirrit": {
"query": "select * from preferences where path = '/Library/Preferences/com.common.plist' and key = 'net_pref';",
"interval": "86400",
"description": "(https://threatpost.com/mac-adware-osx-pirrit-unleashes-ad-overload-for-now/117273/)",
"value": "Artifact used by this malware"
},
"Backdoor_MAC_Eleanor": {
"query": "SELECT * FROM launchd WHERE name IN ('com.getdropbox.dropbox.integritycheck.plist','com.getdropbox.dropbox.timegrabber.plist','com.getdropbox.dropbox.usercontent.plist');",
"interval": "86400",
"description": "(https://blog.malwarebytes.com/cybercrime/2016/07/new-mac-backdoor-malware-eleanor/)",
"value": "Artifact used by this malware"
},
"EliteKeylogger": {
"query": "select * from launchd where name = 'com.apple.fonts.plist' and label = 'unknown';",
"interval": "86400",
"description": "(https://www.elitekeyloggers.com/elite-keylogger-mac)",
"value": "Artifact used by this malware"
},
"Aobo_Keylogger": {
"query": "select * from launchd where name like 'com.ab.kl%.plist';",
"interval": "86400",
"description": "(http://aobo.cc/aobo-mac-os-x-keylogger.html)",
"value": "Artifact used by this malware"
},
"OSX_Keydnap": {
"query": "select * from launchd where name = 'com.apple.iCloud.sync.daemon';",
"interval": "86400",
"description": "(http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials)",
"value": "Artifact used by this malware"
},
"Java_Adwind_Trojan": {
"query": "select * from launchd where name like 'org.%.plist' and program_arguments like '/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -Dapple.awt.UIElement=true -jar /Users/%/.%';",
"interval": "86400",
"description": "(https://blog.malwarebytes.com/threat-analysis/2016/07/cross-platform-malware-adwind-infects-mac/)",
"value": "Artifact used by this malware"
},
"OSX_Backdoor_Mokes": {
"query": "select * from file where \
path LIKE '/Users/%/Library/App Store/storeuserd' OR \
path LIKE '/Users/%/Library/com.apple.spotlight/SpotlightHelper' OR \
path LIKE '/Users/%/Library/Dock/com.apple.dock.cache' OR \
path LIKE '/Users/%/Library/Dropbox/DropboxCache' OR \
path LIKE '/Users/%/Library/Skype/SkypeHelper' OR \
path LIKE '/Users/%/Library/Google/Chrome/nacld' OR \
path LIKE '/Users/%/Library/Firefox/Profiles/profiled';",
"interval": "86400",
"description": "(https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/)",
"value": "Artifact used by this malware"
},
"OSX_Komplex": {
"query": "select * from file where path = '/Users/Shared/.local/kext' or path = '/Users/Shared/com.apple.updates.plist' or path = '/Users/Shared/start.sh';",
"interval": "86400",
"description": "(http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/)",
"value": "Artifact used by this malware"
2016-11-18 20:03:57 +00:00
},
"OceanLotus_launchagent": {
"query" : "select * from launchd where name = 'com.google.plugins.plist';",
"interval" : "86400",
"description" : "OceanLotus Launch Agent (https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update)",
"value" : "Artifact used by this malware"
},
"OceanLotus_dropped_file_1": {
"query" : "select * from file, ( \
select '/Library/Logs/.Logs/corevideosd' ioc union \
select '/Library/.SystemPreferences/.prev/.ver.txt' ioc union \
select '/Library/Parallels/.cfg' ioc union \
select '/Library/Preferences/.fDTYuRs' ioc union \
select '/Library/Hash/.Hashtag/.hash' ioc union \
select '/Library/Hash/.hash' ioc \
) iocs where \
file.path LIKE '/Users/%/' || ioc OR \
file.path = iocs.ioc OR \
file.path LIKE '/tmp/crunzip.temp.%';",
2016-11-18 20:03:57 +00:00
"interval" : "86400",
"description" : "OceanLotus dropped file (https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update)",
"value" : "Artifact used by this malware"
2015-07-17 21:42:05 +00:00
}
}
}