

Parse a LaunchAgent plist and hash its program argument. Also look for suspicious keywords in the plist itself.


444 PrintAndLog(StartupItemsPath.decode('utf-8') + u' is empty', 'INFO')
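def _HashLaunchAgentProgram(FilePath):
    ''' Hash the executable of a LaunchAgent and report it the first time it is seen.

        Appends the MD5 to the global HASHES list when it is new and logs
        "<md5> <path> - <mtime> - <ctime>" at INFO. A falsy result from
        BigFileMd5() (e.g. the binary no longer exists on disk) is ignored,
        as the original code did. FilePath is handled as a byte string:
        the .decode() call assumes Python 2 str, as elsewhere in this file.
    '''
    Md5 = BigFileMd5(FilePath)
    if not Md5 or Md5 in HASHES:
        return
    HASHES.append(Md5)
    # mtime first, then ctime - the two original call sites disagreed on the order,
    # which made the report column meaning depend on which plist key was used
    PrintAndLog(Md5 + u' ' + FilePath.decode('utf-8') + u' - ' + time.ctime(os.path.getmtime(FilePath)) + u' - ' + time.ctime(os.path.getctime(FilePath)) + u'\n', 'INFO')


def ParseLaunchAgents(AgentsPath):
    ''' Parse a LaunchAgent plist and hash its program argument. Also look for suspicious keywords in the plist itself

        AgentsPath: byte-string path of a LaunchAgents/LaunchDaemons directory.
        Every entry is fed to UniversalReadPlist(); entries it cannot parse
        (falsy result) are skipped. Side effects: new MD5s are added to the
        global HASHES list and all findings go through PrintAndLog().
        Raises OSError when AgentsPath cannot be listed (unchanged behaviour).
    '''

    # Substrings hinting at a shell or network payload embedded in the plist
    # (typically a `sh -c '...'` one-liner). This is plain substring matching:
    # 'open' or 'connect' also match harmless paths, so a hit is a WARNING for
    # an analyst to triage, not a verdict.
    SuspiciousPlist = ['exec', 'socket', 'open', 'connect', '/dev/tcp/', '/bin/sh']

    NbLaunchAgents = 0
    for LaunchAgent in os.listdir(AgentsPath):
        LaunchAgentPlistpath = os.path.join(AgentsPath, LaunchAgent)

        PrintAndLog(LaunchAgentPlistpath, 'DEBUG')
        LaunchAgentPlist = UniversalReadPlist(LaunchAgentPlistpath)
        if not LaunchAgentPlist:
            continue
        # Count every readable plist. The old code `continue`d past the counter
        # for 'Program'-style plists, so a directory holding only those was
        # reported as empty.
        NbLaunchAgents += 1

        # Both the hash report and the keyword scan require a 'Label', as before.
        if 'Label' not in LaunchAgentPlist:
            continue

        ProgramArguments = None
        if 'ProgramArguments' in LaunchAgentPlist:
            ProgramArguments = LaunchAgentPlist['ProgramArguments']
            if not isinstance(ProgramArguments, (list, tuple)) or not ProgramArguments:
                # Malformed or empty array: nothing to hash or scan, and
                # ProgramArguments[0] would raise IndexError on an empty list.
                ProgramArguments = None

        # launchd.plist(5): 'Program' is the executable; when it is absent the
        # first element of 'ProgramArguments' is used. Follow the same precedence.
        if 'Program' in LaunchAgentPlist:
            FilePath = LaunchAgentPlist['Program']
        elif ProgramArguments:
            FilePath = ProgramArguments[0]
        else:
            FilePath = None
        if FilePath:
            _HashLaunchAgentProgram(FilePath)

        # Keyword heuristic on argv[2], the script body of a `sh -c <script>`
        # style agent. This now also runs when 'Program' is set - the old code
        # skipped the scan entirely in that case, leaving the arguments of such
        # agents unchecked.
        if ProgramArguments and len(ProgramArguments) >= 3:
            if any(x in ProgramArguments[2] for x in SuspiciousPlist):
                PrintAndLog(ProgramArguments[2].decode('utf-8') + u' in ' + LaunchAgentPlistpath.decode('utf-8') + u' looks suspicious', 'WARNING')

    if NbLaunchAgents == 0:
        PrintAndLog(AgentsPath.decode('utf-8') + u' is empty', 'INFO')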
483def ParseStartup():
484 ''' Parse the different LauchAgents and LaunchDaemons '''
