Finding specific indicators of compromise (IOCs) for Mac in memory or on disk

Description: Finding specific indicators of compromise (IOCs) in memory or on disk

What The Data Shows: Facebook has provided the queries below, which detect Hacking Team’s OSX backdoor by querying for specific persistence mechanisms and file system activity on OSX.

SQL:

select * from file where path = '/dev/ptmx0';

select * from apps where bundle_identifier = 'com.ht.RCSMac' or bundle_identifier like 'com.yourcompany.%' or bundle_package_type like 'OSAX';

select * from launchd where label = 'com.ht.RCSMac' or label like 'com.yourcompany.%' or name = 'com.apple.loginStoreagent.plist' or name = 'com.apple.mdworker.plist' or name = 'com.apple.UIServerLogin.plist';
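The launchd query above matches on two different fields: `label` (the Label key inside the plist) and `name` (the plist file name). As an added example, not Facebook's or Carbon Black's code, the following re-implements that WHERE clause in Python over a few constructed plist files, keeping SQLite's semantics (`=` is case-sensitive, `LIKE` is case-insensitive for ASCII).

```python
"""Local re-implementation of the launchd IOC query (added example)."""
import plistlib
import tempfile
from pathlib import Path

# IOC values taken from the query on this page.
IOC_LABELS = {"com.ht.RCSMac"}
IOC_LABEL_PREFIX = "com.yourcompany."          # Xcode's default bundle prefix, intentionally kept
IOC_PLIST_NAMES = {
    "com.apple.loginStoreagent.plist",
    "com.apple.mdworker.plist",
    "com.apple.UIServerLogin.plist",
}

def launchd_row(plist_path: Path) -> dict:
    """Build the subset of an osquery launchd row we need from a plist on disk."""
    with plist_path.open("rb") as fh:
        data = plistlib.load(fh)
    return {"path": str(plist_path), "name": plist_path.name, "label": data.get("Label", "")}

def matches_ioc(row: dict) -> bool:
    """label = ... OR label LIKE 'com.yourcompany.%' OR name = ... (SQLite LIKE ignores ASCII case)."""
    label, name = row["label"], row["name"]
    return (label in IOC_LABELS
            or label.lower().startswith(IOC_LABEL_PREFIX)
            or name in IOC_PLIST_NAMES)

def scan_launch_agents(directory: Path) -> list:
    """Return the paths of all launchd plists under `directory` that hit an IOC."""
    return sorted(str(p) for p in directory.glob("*.plist") if matches_ioc(launchd_row(p)))

def demo() -> list:
    """Write constructed sample plists (not real malware) to a temp dir and scan them."""
    tmp = Path(tempfile.mkdtemp())
    samples = {
        "com.apple.mdworker.plist": {"Label": "com.apple.mdworker.shared"},  # hit: plist file name
        "updater.plist": {"Label": "com.yourcompany.updater"},               # hit: label prefix
        "com.ht.RCSMac.plist": {"Label": "com.ht.RCSMac"},                   # hit: exact label
        "com.example.backup.plist": {"Label": "com.example.backup"},         # benign
    }
    for fname, contents in samples.items():
        with (tmp / fname).open("wb") as fh:
            plistlib.dump(contents, fh)
    return [Path(p).name for p in scan_launch_agents(tmp)]

if __name__ == "__main__":
    print(demo())
```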

5 Comments
jnelson
Carbon Black Employee
Status changed to: Under Review

@alpopov Can you please edit the description to add that they need to change "yourcompany" to their company name? At least, I am assuming that is what is supposed to happen...

Magneto
New Contributor II

No!

'com.yourcompany' is the exact intended string. This is a query for the specific detection of Hacking Team malware; see e.g. https://blog.rapid7.com/2016/05/09/introduction-to-osquery-for-threat-detection-dfir/ for an explanation of this query.

(com.yourcompany is the default string in Xcode, and is often unchanged in malware.)

alpopov
Carbon Black Employee

@Magneto Thank you.

jnelson
Carbon Black Employee
Status changed to: Approved

@Magneto OOPS! My bad.

jemiddle18
New Contributor

@alpopov thank you! By any chance, would you have the Windows version of this query?