WireLurker

OSquery

(https://github.com/PaloAltoNetworks-BD/WireLurkerDetector):

Query

select * from launchd where \\
        name = 'com.apple.machook_damon.plist' OR \\
        name = 'com.apple.globalupdate.plist' OR \\
        name = 'com.apple.appstore.plughelper.plist' OR \\
        name = 'com.apple.MailServiceAgentHelper.plist' OR \\
        name = 'com.apple.systemkeychain-helper.plist' OR \\
        name = 'com.apple.periodic-dd-mm-yy.plist';

Additional Query Info

  • Version: 1.4.5
  • Interval: 3600

JSON

{
  "queries": {
    "WireLurker": {
      "query": "select * from launchd where \\
        name = 'com.apple.machook_damon.plist' OR \\
        name = 'com.apple.globalupdate.plist' OR \\
        name = 'com.apple.appstore.plughelper.plist' OR \\
        name = 'com.apple.MailServiceAgentHelper.plist' OR \\
        name = 'com.apple.systemkeychain-helper.plist' OR \\
        name = 'com.apple.periodic-dd-mm-yy.plist';",
      "interval": "3600",
      "platform": "",
      "version": "1.4.5",
      "description": "(https://github.com/PaloAltoNetworks-BD/WireLurkerDetector)",
      "value": ""
    }
  }
}