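-- Find launchd entries which purport to be by Apple, but point to binaries that are not signed by Apple.
--
-- references:
-- * https://attack.mitre.org/techniques/T1543/004/ (Create or Modify System Process: Launch Daemon)
-- * https://posts.specterops.io/hunting-for-bad-apples-part-1-22ef2b44c0aa
--
-- false positives:
-- * none have been observed
--
-- platform: darwin
-- tags: persistent launchd state
SELECT
  *
FROM
  launchd
  -- Row for the plist itself; only file.directory is used below.
  LEFT JOIN file ON launchd.path = file.path
  -- Signature of the binary the plist launches. Prefer the explicit Program key and fall
  -- back to program_arguments, which only matches a signature row when it is a bare path
  -- (an entry carrying arguments will not join and surfaces with a NULL authority).
  -- NOTE(review): assumes program_arguments is path-first when Program is unset -- TODO confirm.
  LEFT JOIN signature ON signature.path = COALESCE(NULLIF(launchd.program, ''), launchd.program_arguments)
WHERE
  launchd.name LIKE 'com.apple.%'
  -- Optimization, assumes SIP: entries under these protected directories are skipped
  -- rather than signature-checked. If the file join finds no row, file.directory is NULL,
  -- NOT IN evaluates to UNKNOWN and the entry is dropped here.
  AND file.directory NOT IN (
    '/System/Library/LaunchAgents',
    '/System/Library/LaunchDaemons',
    '/Library/Apple/System/Library/LaunchDaemons',
    '/Library/Apple/System/Library/LaunchAgents'
  )
  AND launchd.run_at_load = 1
  -- Because signature is LEFT JOINed, a binary with no signature row leaves authority NULL,
  -- and `NULL != 'Software Signing'` is UNKNOWN -- a bare `!=` would silently discard exactly
  -- the entries this hunt exists to surface. Treat "no signature found" as not Apple-signed.
  AND (
    signature.authority IS NULL
    OR signature.authority != 'Software Signing'
  )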