packs: Adding ColdRoot RAT to osx-attacks detection list (#4377)

Howard Griffith 2018-05-10 15:14:47 -07:00 committed by Mitchell Grenier
parent 8c22b59538
commit 78e039fbf0


@ -552,6 +552,22 @@
"version" : "2.8.0",
"description" : "Find shell processes that have open sockets and no open files or TTY (https://clo.ng/blog/osquery_reverse_shell/)",
"value" : "Behavioral detection for potential reverse shells"
},
"OSX_ColdRoot_RAT_Launchd": {
"query" : "select * from launchd where name = 'com.apple.audio.driver.plist';",
"interval" : "3600",
"version" : "1.4.5",
"description" : "ColdRoot OSX Malware (https://objective-see.com/blog/blog_0x2A.html)",
"value" : "Artifacts created by this malware"
},
"OSX_ColdRoot_RAT_Files": {
"query" : "select * from file \
where path in ('/private/var/tmp/com.apple.audio.driver.app/', \
'/private/var/tmp/com.apple.audio.driver.app/Contents/MacOS/conx.wol');",
"interval" : "3600",
"version" : "1.4.5",
"description" : "ColdRoot OSX Malware (https://objective-see.com/blog/blog_0x2A.html)",
"value" : "Artifacts created by this malware"
}
}
}
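Review bot: Both new entries carry the same description, `"ColdRoot OSX Malware (https://objective-see.com/blog/blog_0x2A.html)"`, so a hit from `OSX_ColdRoot_RAT_Launchd` and one from `OSX_ColdRoot_RAT_Files` read identically to an analyst even though they fire on different artifacts; name the artifact in each, e.g. `"description" : "ColdRoot OSX Malware - launchd item named com.apple.audio.driver.plist (https://objective-see.com/blog/blog_0x2A.html)"` for the first and `"description" : "ColdRoot OSX Malware - dropped app bundle under /private/var/tmp (https://objective-see.com/blog/blog_0x2A.html)"` for the second. The `file` query lists a directory with a trailing slash, `'/private/var/tmp/com.apple.audio.driver.app/'`; whether osquery's `file` table returns a row for a directory written that way may depend on the osquery version, so confirm it on a host where the directory exists or drop the trailing slash. The backslash line continuations inside the query string on lines 23–25 are not strict JSON and rely on osquery's pack parser accepting them, which presumably matches how the rest of this file is written. Both queries are exact name/path matches, so a sample that renames the plist or bundle will not be caught; that limitation is worth recording in the description so consumers of the pack do not read a clean result as absence of the family.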