Description: Finding specific indicators of compromise (IOCs) in memory or on disk
What The Data Shows: Facebook has provided the queries below which detect Hacking Team’s OSX backdoor by querying for specific persistent mechanisms and file system activity on OSX.
select * from file where path = '/dev/ptmx0';
select * from apps where bundle_identifier = 'com.ht.RCSMac' or bundle_identifier like 'com.yourcompany.%' or bundle_package_type like 'OSAX';
select * from launchd where label = 'com.ht.RCSMac' or label like 'com.yourcompany.%' or name = 'com.apple.loginStoreagent.plist' or name = 'com.apple.mdworker.plist' or name = 'com.apple.UIServerLogin.plist';