This artifact will run Knocknock to collect autorun output.
name: MacOS.Forensics.KnockKnock
author: Matt Green - @mgreen27
description: |
This artifact will run Knocknock to collect autorun output.
reference:
- https://objective-see.org/products/knockknock.html
required_permissions:
- EXECVE
tools:
- name: KnockKnock
url: https://github.com/objective-see/KnockKnock/releases/download/v2.5.0/KnockKnock_2.5.0.zip
expected_hash: 1ba31195a8312b97c40955db3c554947b261a82c319d29cface4619fa50f3daa
version: 2.5.0
serve_locally: true
precondition: SELECT OS From info() where OS = 'darwin'
parameters:
- name: IncludeAppleItems
description: Include apple/system items.
type: bool
- name: QueryVT
description: If Selected will query VirusTotal. Using this switch is not reccomended - enrich server side instead.
type: bool
sources:
- name: Authorization Plugins
query: |
LET tool <= SELECT *
FROM Artifact.Generic.Utils.FetchBinary(ToolName="KnockKnock", IsExecutable='N')
LET tempfolder <= tempdir()
LET bin <= SELECT * FROM unzip(filename=tool.OSPath[0],output_directory=tempfolder)
LET other_commands = if(condition=IncludeAppleItems AND QueryVT,
then= ['-apple'],
else = if(condition=IncludeAppleItems AND NOT QueryVT,
then= ['-apple','-skipVT'],
else = if(condition= NOT IncludeAppleItems AND NOT QueryVT,
then= ['-skipVT'],
else= '')))
LET results <= SELECT parse_json(data=Stdout) as KnockKnockResults
FROM execve(argv=[tempfolder + '/KnockKnock.app/Contents/MacOS/KnockKnock','-whosthere',other_commands],length=10000000)
SELECT * FROM foreach(
row=results.KnockKnockResults.`Authorization Plugins`,
query={SELECT * FROM foreach(row=_value)} )
- name: Browser Extensions
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Browser Extensions`,
query={SELECT * FROM foreach(row=_value)} )
- name: Background Managed Tasks
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Background Managed Tasks`,
query={SELECT * FROM foreach(row=_value)} )
- name: Cron Jobs
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Cron Jobs`,
query={SELECT * FROM foreach(row=_value)} )
- name: Dir. Services Plugins
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Dir. Services Plugins`,
query={SELECT * FROM foreach(row=_value)} )
- name: Dock Tiles Plugins
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Dock Tiles Plugins`,
query={SELECT * FROM foreach(row=_value)} )
- name: Event Rules
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Event Rules`,
query={SELECT * FROM foreach(row=_value)} )
- name: Extensions and Widgets
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Extensions and Widgets`,
query={SELECT * FROM foreach(row=_value)} )
- name: Kernel Extensions
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Kernel Extensions`,
query={SELECT * FROM foreach(row=_value)} )
- name: Launch Items
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Launch Items`,
query={SELECT * FROM foreach(row=_value)} )
- name: Library Inserts
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Library Inserts`,
query={SELECT * FROM foreach(row=_value)} )
- name: Library Proxies
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Library Proxies`,
query={SELECT * FROM foreach(row=_value)} )
- name: Login Items
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Login Items`,
query={SELECT * FROM foreach(row=_value)} )
- name: Login/Logout Hooks
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Login/Logout Hooks`,
query={SELECT * FROM foreach(row=_value)} )
- name: Periodic Scripts
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Periodic Scripts`,
query={SELECT * FROM foreach(row=_value)} )
- name: Quicklook Plugins
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Quicklook Plugins`,
query={SELECT * FROM foreach(row=_value)} )
- name: Library Inserts
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Library Inserts`,
query={SELECT * FROM foreach(row=_value)} )
- name: Spotlight Importers
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Spotlight Importers`,
query={SELECT * FROM foreach(row=_value)} )
- name: Startup Scripts
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`Startup Scripts`,
query={SELECT * FROM foreach(row=_value)} )
- name: System Extensions
query: |
SELECT * FROM foreach(
row=results.KnockKnockResults.`System Extensions`,
query={SELECT * FROM foreach(row=_value)} )