Added new detection for hacking team

Detect persistency binary from hacking team (ref: https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/)
rklabs · Mar 1, 2016 · 7b77288 · 7b77288
1 parent 58635e3
commit 7b77288
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/packs/osx-attacks.conf b/packs/osx-attacks.conf
@@ -182,6 +182,12 @@
       "description" : "Detect RAT used by Hacking Team",
       "value" : "Artifact used by this malware"
     },
+    "HackingTeam_Mac_Persistence": { 
+      "query": "select * from file where directory like '/Users/%/Library/Preferences/8pHbqThW%';",
+      "interval": "86400", 
+      "description": "Detection persistency by Hacking Team",
+      "value": "Artifact used by Hacking Team"
+    },
     "xprotect_reports": {
       "query": "select * from xprotect_reports;",
       "interval": 1200,