security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2ca746c4b40f7cf192560ef70e41b02fc0b286dd
sigma-rules/rta/plist_creation.py
T
eric-forte-elastic bba8cd3b57 Updated common.requires_os calls (#3109)
2023-10-03 10:47:58 -04:00

75 lines
2.2 KiB
Python
Raw Blame History

# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
from . import common
from . import RtaMetadata
from pathlib import Path
metadata = RtaMetadata(
uuid="12e70377-e24e-4374-8aec-42064614d706",
platforms=["macos"],
endpoint=[
{
"rule_name": "Suspicious Property List File Creation or Modification",
"rule_id": "901f0c30-a7c5-40a5-80e3-a50c6714432f",
}
],
siem=[],
techniques=["T1547", "T1543"],
)
@common.requires_os(*metadata.platforms)
def main():
launch_agents_dir = Path.home() / "Library" / "Launchagents"
plistbuddy_bin = "/usr/libexec/PlistBuddy"
plist_file = Path.home() / "Library" / "Launchagents" / "init_verx.plist"
# Create launch agents dir if it doesn't exist
if not launch_agents_dir.exists():
common.log(f"Creating directory {launch_agents_dir}")
launch_agents_dir.mkdir()
# Create plist file using Plistbuddy
common.log("Executing PlistBuddy commands to create plist file")
common.execute(
[f"{plistbuddy_bin}", "-c", "Add :Label string init_verx", f"{plist_file}"],
shell=True,
)
common.pause()
common.execute([f"{plistbuddy_bin}", "-c", "Add :RunAtLoad bool true", f"{plist_file}"])
common.pause()
common.execute([f"{plistbuddy_bin}", "-c", "Add :StartInterval integer 3600", f"{plist_file}"])
common.pause()
common.execute([f"{plistbuddy_bin}", "-c", "Add :ProgramArguments array", f"{plist_file}"])
common.pause()
common.execute(
[
f"{plistbuddy_bin}",
"-c",
"Add :ProgramArguments:0 string '/bin/sh'",
f"{plist_file}",
]
)
common.pause()
common.execute(
[
f"{plistbuddy_bin}",
"-c",
"Add :ProgramArguments:1 string -c",
f"{plist_file}",
]
)
# Delete the plist file if it exists
if plist_file.exists():
common.log(f"Deleting plist file {plist_file}")
plist_file.unlink()
if __name__ == "__main__":
exit(main())
Reference in New Issue View Git Blame Copy Permalink