{
  "platform": "darwin",
  "version": "1.4.5",
  "queries": {
    "WireLurker": {
      "query" : "select * from launchd where name = 'com.apple.machook_damon.plist' or name = 'com.apple.globalupdate.plist' or name = 'com.apple.appstore.plughelper.plist' or name = 'com.apple.MailServiceAgentHelper.plist' or name = 'com.apple.systemkeychain-helper.plist' or name = 'com.apple.periodic-dd-mm-yy.plist';",
      "interval" : "86400",
      "description" : "(https://github.com/PaloAltoNetworks-BD/WireLurkerDetector)",
      "value" : "Artifact used by this malware"
    },
    "Leverage-A_1": {
      "query" : "select * from launchd where path like '%UserEvent.System.plist';",
      "interval" : "86400",
      "description" : "(http://www.intego.com/mac-security-blog/new-mac-trojan-discovered-related-to-syria/)",
      "value" : "Artifact used by this malware"
    },
    "Leverage-A_2": {
      "query" : "select * from file where path = '/Users/Shared/UserEvent.app';",
      "interval" : "86400",
      "description" : "(http://www.intego.com/mac-security-blog/new-mac-trojan-discovered-related-to-syria/)",
      "value" : "Artifact used by this malware"
    },
    "Tibet.D": {
      "query" : "select * from launchd where path like '%com.apple.AudioService.plist';",
      "interval" : "86400",
      "description" : "(http://www.intego.com/mac-security-blog/os-x-malware-tibet-variant-found/)",
      "value" : "Artifact used by this malware"
    },
    "DevilRobber": {
      "query" : "select * from launchd where name = 'com.apple.legion.plist' or name = 'com.apple.pixel.plist';",
      "interval" : "86400",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_devilrobber_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "XSLCmd": {
      "query" : "select * from launchd where name = 'com.apple.service.clipboardd.plist';",
      "interval" : "86400",
      "description" : "(https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html)",
      "value" : "Artifact used by this malware"
    },
    "Olyx": {
      "query" : "select * from launchd where name = 'com.apple.DockActions.plist' or name like '%www. google.com.tstart.plist%';",
      "interval" : "86400",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_olyx_c.shtml)",
      "value" : "Artifact used by this malware"
    },
    "Imuler": {
      "query" : "select * from launchd where name = 'checkflr.plist';",
      "interval" : "86400",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_imuler_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "iWorkServ": {
      "query" : "select * from startup_items where path like '%iWorkServices%';",
      "interval" : "86400",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_iworkserv_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "Morcut": {
      "query" : "select * from launchd where name = 'com.apple.mdworker.plist';",
      "interval" : "86400",
      "description" : "(http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_morcut.a)",
      "value" : "Artifact used by this malware"
    },
    "BlazingKeylogger": {
      "query" : "select * from launchd where name = 'com.BT.BPK.plist';",
      "interval" : "86400",
      "description" : "(http://www.blazingtools.com/mac_keylogger.html)",
      "value" : "Artifact used by this malware"
    },
    "Icefog": {
      "query" : "select * from launchd where name = 'apple.launchd.plist' or name = 'com.apple.launchport.plist';",
      "interval" : "86400",
      "description" : "(http://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/)",
      "value" : "Artifact used by this malware"
    },
    "Careto": {
      "query" : "select * from launchd where path like '%com.apple.launchport.plist';",
      "interval" : "86400",
      "description" : "(http://blog.kaspersky.com/the-mask-unveiling-the-worlds-most-sophisticated-apt-campaign/)",
      "value" : "Artifact used by this malware"
    },
    "Inqtana": {
      "query" : "select * from launchd where name = 'com.pwned.plist' or name = 'com.openbundle.plist' or name = 'com.adobe.reader.plist';",
      "interval" : "86400",
      "description" : "(https://www.f-secure.com/v-descs/inqtana_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "MacKontrol": {
      "query" : "select * from launchd where name = 'com.apple.FolderActionsxl.plist';",
      "interval" : "86400",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_mackontrol_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "PubSab": {
      "query" : "select * from launchd where name = 'com.apple.PubSabAgent.plist';",
      "interval" : "86400",
      "description" : "(https://www.f-secure.com/v-descs/backdoor_osx_sabpab_a.shtml)",
      "value" : "Artifact used by this malware"
    },
    "Dockster": {
      "query" : "select * from launchd where name = 'mac.Dockset.deman.plist';",
      "interval" : "86400",
      "description" : "(http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/osx_dockster.a)",
      "value" : "Artifact used by this malware"
    },
    "CallMe": {
      "query" : "select * from launchd where name = 'realPlayerUpdate.plist';",
      "interval" : "86400",
      "description" : "(https://www.f-secure.com/weblog/archives/00002546.html)",
      "value" : "Artifact used by this malware"
    },
    "Whitesmoke": {
      "query" : "select * from launchd where name = 'com.whitesmoke.uploader.plist';",
      "interval" : "86400",
      "description" : "(http://www.thesafemac.com/osxfkcodec-a-in-action/ )",
      "value" : "Artifact used by this malware"
    },
    "Codecm": {
      "query" : "select * from launchd where name = 'com.codecm.uploader.plist';",
      "interval" : "86400",
      "description" : "(http://www.thesafemac.com/osxfkcodec-a-in-action/)",
      "value" : "Artifact used by this malware"
    },
    "iWorm": {
      "query" : "select * from launchd where name = 'com.JavaW.plist';",
      "interval" : "86400",
      "description" : "(https://www.virusbtn.com/virusbulletin/archive/2014/10/vb201410-iWorm)",
      "value" : "Artifact used by this malware"
    },
    "SniperSpy": {
      "query" : "select * from launchd where name = 'com.rxs.syslogagent.plist';",
      "interval" : "86400",
      "description" : "(http://www.symantec.com/security_response/writeup.jsp?docid=2010-081606-4034-99&tabid=2)",
      "value" : "Artifact used by this malware"
    },
    "Vsearch": {
      "query" : "select * from launchd where name = 'com.vsearch.agent.plist' or name = 'com.vsearch.daemon.plist' or name = 'com.vsearch.helper.plist' or name = 'Jack.plist';",
      "interval" : "86400",
      "description" : "(http://www.thesafemac.com/arg-downlite/)",
      "value" : "Artifact used by this malware"
    },
    "Buca": {
      "query" : "select * from launchd where name = 'com.webhelper.plist' or name = 'com.webtools.update.agent.plist' or name = 'com.webtools.uninstaller.plist';",
      "interval" : "86400",
      "description" : "(http://www.thesafemac.com/arg-buca-apps/)",
      "value" : "Artifact used by this malware"
    },
    "Conduit": {
      "query" : "select * from launchd where path like '%com.conduit.loader.agent.plist' or name = 'com.conduit.loader.agent.plist' or path like '%com.perion.searchprotectd.plist' or name = 'com.perion.searchprotectd.plist';",
      "interval" : "86400",
      "description" : "(http://www.thesafemac.com/arg-conduit/)",
      "value" : "Artifact used by this malware"
    },
    "Genieo": {
      "query" : "select * from launchd where name = 'com.genieo.completer.download.plist' or name = 'com.genieo.completer.update.plist' or name = 'com.genieo.completer.ltvbit.plist' or name = 'com.installer.completer.download.plist' or name = 'com.installer.completer.update.plist' or name = 'com.installer.completer.ltvbit.plist' or name = 'com.genieoinnovation.macextension.plist' or name = 'com.genieoinnovation.macextension.client.plist' or name = 'com.genieo.engine.plist';",
      "interval" : "86400",
      "description" : "(http://www.thesafemac.com/arg-genieo/)",
      "value" : "Artifact used by this malware"
    },
    "KeychainACLCollisions": {
      "query" : "select label, description, authorizations, path, count(path) as collisions from keychain_acls where label != '' and path != '' group by label having collisions > 1;",
      "interval" : "86400",
      "description" : "Detect OS X keychain items with ACLs permitting multiple application access.",
      "value" : "Potential information stealing/leakage."
    },
    "HackingTeam_Mac_RAT1": {
      "query" : "select * from file where path = '/dev/ptmx0';",
      "interval" : "86400",
      "description" : "Detect RAT used by Hacking Team",
      "value" : "Artifact used by this malware"
    },
    "HackingTeam_Mac_RAT2": {
      "query" : "select * from apps where bundle_identifier = 'com.ht.RCSMac' or bundle_package_type like 'OSAX';",
      "interval" : "86400",
      "description" : "Detect RAT used by Hacking Team",
      "value" : "Artifact used by this malware"
    },
    "HackingTeam_Mac_RAT3": {
      "query" : "select * from launchd where label = 'com.ht.RCSMac' or label like 'com.yourcompany.%' or name = 'com.apple.loginStoreagent.plist' or name = 'com.apple.mdworker.plist' or name = 'com.apple.UIServerLogin.plist';",
      "interval" : "86400",
      "description" : "Detect RAT used by Hacking Team",
      "value" : "Artifact used by this malware"
    }
  }
}