HackingTeam Mac RAT3
Detect RAT used by Hacking Team:
Query
select * from launchd where
  label = 'com.ht.RCSMac' OR
  name = 'com.apple.loginStoreagent.plist' OR
  name = 'com.apple.mdworker.plist' OR
  name = 'com.apple.UIServerLogin.plist';

Additional Query Info
- Version: 1.4.5
- Interval: 3600
JSON
{
  "queries": {
    "HackingTeam Mac RAT3": {
      "query": "select * from launchd where label = 'com.ht.RCSMac' OR name = 'com.apple.loginStoreagent.plist' OR name = 'com.apple.mdworker.plist' OR name = 'com.apple.UIServerLogin.plist';",
      "interval": "3600",
      "platform": "",
      "version": "1.4.5",
      "description": "Detect RAT used by Hacking Team",
      "value": ""
    }
  }
}