Mac Security

Extension Attribute to Detect WindShift in macOS

Patrick Wardle has been researching WindShift and done an extensive writeup at https://objective-see.com/blog/blog_0x3B.html on the emerging malware threat. Based on his research, this extension attribute will check lsregister for usrnode.

It’s pretty basic and variants will obviously change their behavior. For example, openurl2622007 has already changed, which is why I didn’t check for that. And the file name, path, and signature are changing of course. But it does seem checking lsregister for the name of the binary appears consistent. Ergo, ymmv with how effective this is en masse, but a good early warning system since this doesn’t seem to get picked up properly by antivirus yet.