Created
January 3, 2023 21:12
-
-
Save paralax/9dcf5f4b4e55c0be8a7b66ede9014f4a to your computer and use it in GitHub Desktop.
OSX plist marrying WatchPaths and Canarytokens to monitor for persistence attempts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <!-- "https://malware.news/t/20-common-tools-techniques-used-by-macos-threat-actors-malware/46801" --> | |
| <!-- "https://objective-see.org/blog/blog_0x71.html" --> | |
| <plist version="1.0"> | |
| <dict> | |
| <key>Label</key> | |
| <string>com.mylaptop.watchhostconfig</string> | |
| <key>ProgramArguments</key> | |
| <array> | |
| <!-- get your own canarytoken here https://canarytokens.org/ --> | |
| <string>curl</string> | |
| <string>http://canarytokens.com/tags/articles/about/f69fdacdbe026cee6f2c5a63eeb03e6d/post.jsp</string> | |
| </array> | |
| <key>WatchPaths</key> | |
| <array> | |
| <string>/usr/bin</string> | |
| <string>/bin</string> | |
| <string>/etc/hostconfig</string> | |
| <string>/Library/LaunchAgents</string> | |
| <string>/Library/LaunchDaemons</string> | |
| <string>/System/Library/DriverExtensions/</string> | |
| <string>/System/Library/Extensions/</string> | |
| <string>/System/Library/ServiceDefinitions/</string> | |
| <string>/System/Library/StartupItems</string> | |
| <string>/System/Library/SystemConfiguration</string> | |
| <string>/Users/USERNAME/Library/Application Scripts</string> | |
| <string>/Users/USERNAME/Library/LaunchAgents</string> | |
| </array> | |
| </dict> | |
| </plist> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment