MacOS.Sys.Automator :: Velociraptor

MacOS.Sys.Automator
This artifact collects information about Automator actions and workflows.
It can be used to identify malicious actions inserted into common/default workflows, or non-standard workflows.

name: MacOS.Sys.Automator
description: |
  This artifact collects information about Automator actions and workflows. 
  
  It can be used to identify malicious actions inserted into common/default workflows, or non-standard workflows.
  
reference:
  - https://support.apple.com/en-ae/guide/automator/welcome/mac
  
type: CLIENT

author: Wes Lambert - @therealwlambert

precondition: SELECT OS FROM info() WHERE OS =~ 'darwin'

parameters:
  - name: ActionGlob
    default: /System/Library/Automator/*/Contents/Info.plist 
  - name: WorkflowGlob
    default: /Library/Application Support/Apple/Automator/Workflows/*/Contents/*.wflow
  - name: UploadActions
    default: N
    type: bool
  - name: UploadWorkflows
    default: N
    type: bool
    
sources:
  - name: Actions
    query: 
      LET ActionLocation = SELECT * from glob(globs=ActionGlob)
      LET Actions = SELECT OSPath, Mtime, Atime, Ctime, Btime, plist(file=OSPath) AS AMAction FROM ActionLocation
      SELECT * from foreach(
            row=Actions,
            query={
               SELECT Mtime AS Timestamp,
                      get(field="AMName") AS Name,
                      get(field="AMApplication") AS Application,
                      get(field="AMIconName") AS IconName,
                      get(field="CFBundleExecutable") AS ExecutableName,
                      get(field="NSPrincipalClass") AS PrincipalClass,
                      get(field="CFBundleIdentifier") AS BundleIdentifier,
                      get(field="AMDefaultParameters") AS DefaultParameters,
                      get(field="NSHumanReadableCopyright") AS Copyright,
                      get(field="AMDescription") AS Description,
                      if(condition=UploadActions,
                          then=upload(file=OSPath,
                          mtime=Mtime,
                          atime=Atime,
                          ctime=Ctime,
                          btime=Btime)) AS Upload,
                      AMAction AS _Content
               FROM AMAction
          }
      )
     
  - name: Workflows
    query: |
      LET WorkflowLocation = SELECT * from glob(globs=WorkflowGlob)
      LET Workflows = SELECT OSPath, Mtime, Atime, Ctime, Btime, plist(file=OSPath) AS AMWorkflow FROM WorkflowLocation
      SELECT * from foreach(
            row=Workflows,
            query={
               SELECT
                    Mtime AS Timestamp, 
                    OSPath AS Name,
                    get(member="actions.action.ActionName") AS Actions, 
                    get(field="state") AS State,
                    get(field="WorkflowIsShared") AS Shared,
                    get(field="workflowMetaData") AS WorkflowMetadata,
                    get(field="connectors") AS Connectors,
                    if(condition=UploadWorkflows,
                          then=upload(file=OSPath,
                          mtime=Mtime,
                          atime=Atime,
                          ctime=Ctime,
                          btime=Btime)) AS Upload,
                    AMWorkflow AS _Content
               FROM AMWorkflow
          }
      )