eric-forte-elastic
42 lines
1.1 KiB
Python
42 lines
1.1 KiB
Python
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
# or more contributor license agreements. Licensed under the Elastic License
|
|
# 2.0; you may not use this file except in compliance with the Elastic License
|
|
# 2.0.
|
|
|
|
import os
|
|
import platform
|
|
|
|
from . import common
|
|
from . import RtaMetadata
|
|
|
|
|
|
metadata = RtaMetadata(
|
|
uuid="e1ff47b2-af5d-4cfc-bd94-e0b86828b241",
|
|
platforms=["macos"],
|
|
endpoint=[
|
|
{"rule_name": "Potential Code Injection via Remote Thread", "rule_id": "458f0b4b-be9a-45bc-8f19-a26dac267250"}
|
|
],
|
|
siem=[],
|
|
techniques=["T1055"],
|
|
)
|
|
|
|
|
|
@common.requires_os(*metadata.platforms)
|
|
def main():
|
|
|
|
if platform.processor() == "arm":
|
|
name = "thread_injector_arm"
|
|
sleep_name = "com.apple.sleep_arm"
|
|
else:
|
|
name = "thread_injector_intel"
|
|
sleep_name = "com.apple.sleep_intel"
|
|
sleep_path = common.get_path("bin", sleep_name)
|
|
os.system(f"{sleep_path} 5000 &")
|
|
|
|
path = common.get_path("bin", name)
|
|
os.system(f"{path} `pgrep {sleep_name}`")
|
|
|
|
|
|
if __name__ == "__main__":
|
|
exit(main())
|