// Plain-text reference check for the macOS `networksetup` utility.
// The token also appears in legitimate administration scripts and tooling,
// so a hit is a triage lead to be reviewed in context rather than a verdict.
rule SUSP_MacOS_CommandRef_networksetup
{
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-23"
        version = "1.0"
        description = "check for references to networksetup utility"
    strings:
        // ASCII and wide (UTF-16LE) spellings of the utility name
        $cmd_plain = "networksetup" ascii wide
    condition:
        $cmd_plain
}
// Base64-encoded reference check for the macOS `networksetup` utility.
// Companion to the plain-text rule: catches the token when it is stored in
// an encoded form that a literal "networksetup" string would not match.
rule SUSP_MacOS_CommandRef_networksetup_b64
{
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-23"
        version = "1.0"
        description = "check for references to networksetup utility"
    strings:
        // `base64` covers the alignment permutations of the encoded ASCII
        // token; `base64wide` does the same for the UTF-16LE spelling
        $cmd_b64 = "networksetup" base64 base64wide
    condition:
        $cmd_b64
}
// Single-byte-XOR reference check for the macOS `networksetup` utility.
// Companion to the plain-text rule for samples that keep the token
// obfuscated with a one-byte key.
rule SUSP_MacOS_CommandRef_networksetup_xor
{
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-23"
        version = "1.0"
        description = "check for references to networksetup utility"
    strings:
        // every single-byte key except 0x00, which would be the unencoded
        // token already handled by the plain-text rule
        $cmd_xor = "networksetup" xor(0x01-0xff) ascii wide
    condition:
        $cmd_xor
}
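// Mutated-spelling reference check for the macOS `networksetup` utility.
// Each string is a different transformation of the same token, so they are
// alternatives: a file will carry one of them, not all eight at once.
// The condition is therefore `any of them`; `all of them` would require
// every encoding to be present in the same file and the rule would
// effectively never fire.
rule SUSP_MacOS_CommandRef_networksetup_mutation
{
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-23"
        version = "1.0"
        description = "check for references to networksetup utility"
    strings:
        // adjacent character pairs swapped: ne tw or ks et up -> en wt ro sk te pu
        $networksetup_flipflop = "enwtrosktepu" nocase ascii wide
        // token spelled backwards
        $networksetup_reverse = "puteskrowten" nocase ascii wide
        // token as a hex string (6e = 'n', 65 = 'e', ...)
        $networksetup_hex_enc_str = "6e6574776f726b7365747570" nocase ascii wide
        // token as space-separated decimal byte values (110 = 'n', 101 = 'e', ...)
        $networksetup_decimal = "110 101 116 119 111 114 107 115 101 116 117 112" nocase ascii wide
        // atbash-style substitution (a<->z, b<->y, ...): n->m, e->v, t->g, ...
        $networksetup_fallchill = "mvgdliphvgfk" nocase ascii wide
        // token split into 4-byte chunks pushed in reverse order, each prefixed
        // by 'h' (the x86 `push imm32` opcode byte 0x68): "etup" "orks" "netw"
        $networksetup_stackpush = "hetuphorkshnetw" nocase ascii wide
        // same stack-push layout with one or two NUL bytes terminating the
        // final chunk; `nocase` is omitted because the NULs are not letters
        $networksetup_stackpushnull = "hetup\x00horkshnetw" ascii wide
        $networksetup_stackpushdoublenull = "hetup\x00\x00horkshnetw" ascii wide
    condition:
        any of them
}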