@lctrcl
Created June 6, 2016 07:23
absolute lojack / persistence osx rat strings/locations
__cstring:00012376 00000019 C /tmp/.ctesservice.server
/tmp/rpcnet.pid
__cstring:00012D05 00000005 C .rpc
__cstring:00012D0A 00000031 C /Library/LaunchDaemons/com.absolute.rpcnet.plist
__cstring:00012D3B 0000001C C /Library/.rpcnet/rpcstartup
__cstring:00012D57 00000015 C /usr/sbin/rpcstartup
__cstring:00012D6C 00000019 C /Library/.rpcnet/rpc.net
__cstring:00012D85 0000001B C /Users/Shared/.rpc/rpc.net
__cstring:00012DA0 00000018 C /Library/.rpcnet/rpcset
__cstring:00012DB8 0000001A C /Users/Shared/.rpc/rpcset
__cstring:00012DD2 00000012 C /usr/sbin/rpc.net
__cstring:00012DE4 00000011 C /usr/sbin/rpcset
__cstring:00012E4A 00000009 C %[^:]:%d
__cstring:00012E53 0000001D C /Library/.rpcnet/proxyhelper
__cstring:00012E9E 00000027 C /usr/sbin/proxyhelper %s http://%s/ %s
__cstring:00012F6C 00000020 C com.absolute.ctesservice.server
__cstring:00012FA7 00000016 C com.absolute.settings
__const:00014295 00000022 C /Library/Preferences/.com.273.reg
sudo crontab
/Library/.rpcnet
/Users/Shared/.rpc
/tmp/.ctesservice.server
/usr/sbin/rpc.net
/Users/Shared/.rpc/rpc.net
/usr/sbin/rpcstartup
/usr/sbin/rpc.net
/usr/sbin/rpcset
/usr/sbin/proxyhelper
/Library/LaunchDaemons/com.absolute.rpcnet.plist
/Library/LaunchDaemons/com.absolute.abtsvcd.plist
/Library/LaunchDaemons/com.absolute.rpcgeo.plist
/Library/Preferences/com.absolute.settings
/Library/Frameworks/geo.framework
/Library/Preferences/.com.273.reg