mirror of
https://github.com/valitydev/osquery-1.git
synced 2024-11-07 09:58:54 +00:00
Merge pull request #1898 from javuto/osx_keranger
Adding detectiong for OSX Keranger
This commit is contained in:
commit
6afd1a29cf
@ -194,6 +194,18 @@
|
||||
"removed": false,
|
||||
"description": "Report on Apple/OS X XProtect 'report' generation. Reports are generated when OS X matches an item in xprotect_entries.",
|
||||
"value": "Although XProtect reports are rare, they may be worth collecting and aggregating internally."
|
||||
},
|
||||
"Keranger_1": {
|
||||
"query": "select * from processes where name = 'kernel_service';",
|
||||
"interval": "86400",
|
||||
"description": "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",
|
||||
"value": "Artifact used by this malware"
|
||||
},
|
||||
"Keranger_2": {
|
||||
"query": "select * from file where path like '/Users/%/Library/.kernel_%' or path like '/Users/%/Library/kernel_service';",
|
||||
"interval": "86400",
|
||||
"description": "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",
|
||||
"value": "Artifact used by this malware"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user