macOS

macOS YARA Rules

rule app_camera_mic_permissions
{
    // Flags a scanned file that declares the macOS privacy usage keys an
    // application must carry before the system will prompt for camera or
    // microphone access. Note the condition is a disjunction: one key is
    // enough for a hit, even though the description reads "Camera and
    // Microphone". A match shows that the app *asks* for the capability;
    // it is a triage signal for review, not evidence of misuse on its own.
    meta:
        description = "Application Requires Access to Camera and Microphone"
        author      = "RET"
        reference   = "https://objective-see.com/blog/blog_0x61.html"
        date        = "2022/01/18"

    strings:
        // Two literal, case-insensitive strings replace the original
        // regex alternation; the set of matching inputs is unchanged.
        $camera = "NSCameraUsageDescription" nocase
        $mic    = "NSMicrophoneUsageDescription" nocase

    condition:
        // Equivalent to the original single-regex condition: fire on either key.
        any of them
}

macOS osquery Daemon Configuration

{

"options": {

"config_plugin": "filesystem",

"logger_plugin": "filesystem",

"utc": "true",

"enable_file_events":"true",

"disable_events":"false"

},

"file_paths": {

"dir_system_app_support": [

"/Library/Application Support/%"

],

"dir_user_app_support": [

"/Users/%/Application Support/%"

],

"dir_shared": [

"/Users/Shared/%"

],

"dir_private_tmp": [

"/private/tmp/%"

],

"dir_user_downloads": [

"/Users/%/Downloads/%"

],

"dir_native_launchd": [

"/System/Library/LaunchDaemons/%"

],

"dir_third_party_launchd": [

"/Library/LaunchDaemons/%"

],

"dir_macos_launcha": [

"/System/Library/LaunchAgents/%"

],

"dir_all_users_launcha": [

"/Library/LaunchAgents/%"

],

"dir_apps": [

"/Applications/%%"

]

},

"yara": {

"signatures": {

"sig_group_1": [ "/var/run/cisco/orbital/config/yara_sigs/suspicious_app.yar" ]

},

"file_paths": {

"dir_apps": [ "sig_group_1" ]

}

}

}

macOS osquery Client Configuration

{

"config_path": "${CONFIGDIR}/osquery.conf",

"flagfile": "",

"extensions_autoload": "",

"force": "true",

"events_expiry": "3600",

"events_max": "50000",

"disable_tables": "augeas,carves,curl,curl_certificate,mdfind,ntfs_journal_events,powershell_events,wifi_survey,windows_events,ycloud_instance_metadata",

"disable_watchdog": "true",

"disable_events": "true",

"augeas_lenses": "",

"pidfile": "${WORKDIR}/osqueryd.pid",

"logger_path": "${WORKDIR}/osqueryd_log",

"database_path": "${WORKDIR}/osqueryd_db",

"extensions_socket": "${WORKDIR}/orbital-osquery.em"

}