Merge pull request #1898 from javuto/osx_keranger

Adding detection for OSX KeRanger
This commit is contained in:
Javier Marcos 2016-03-06 17:03:38 -08:00
commit 6afd1a29cf


@ -194,6 +194,18 @@
"removed": false,
"description": "Report on Apple/OS X XProtect 'report' generation. Reports are generated when OS X matches an item in xprotect_entries.",
"value": "Although XProtect reports are rare, they may be worth collecting and aggregating internally."
},
"Keranger_1": {
"query": "select * from processes where name = 'kernel_service';",
"interval": "86400",
"description": "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",
"value": "Artifact used by this malware"
},
"Keranger_2": {
"query": "select * from file where path like '/Users/%/Library/.kernel_%' or path like '/Users/%/Library/kernel_service';",
"interval": "86400",
"description": "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",
"value": "Artifact used by this malware"
}
}
}
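Review bot: The `Keranger_1` process check is scheduled once a day (`"interval": "86400"`), so a `kernel_service` process that starts and exits between two polls is never observed; the file-artifact query in `Keranger_2` is the durable signal, and the process query would be far more useful at a short interval, e.g. `"interval": "300"`. Both new entries also omit the `"removed": false` that the neighbouring XProtect entry sets, and as far as I recall osquery's default is to log removed rows too, so if the rest of the pack relies on that flag these queries will emit extra "removed" events when the process or file disappears. Since the existing entries use `description` for prose, consider making it say what is matched, e.g. `"description": "KeRanger ransomware artifacts (kernel_service process / ~/Library/.kernel_* files); see http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/"`, because a bare URL and `"Artifact used by this malware"` tell an analyst little about what fired. Note too that `_` is a single-character wildcard in SQL `LIKE`, so `'/Users/%/Library/kernel_service'` also matches names such as `kernelXservice`; harmless here, but add an `ESCAPE` clause if the match must be exact.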