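rule SUSP_Macho_ConventionEngine_Base64
{
    // ConventionEngine-style heuristic: flags a thin Mach-O image that carries
    // the word "base64" anywhere in the file (any case, ASCII or UTF-16LE).
    // A hit only says the word is present; treat it as a triage lead, not a
    // verdict. Description completed to name the string, matching the sibling
    // rules; condition changed from "1 of them" to "all of them" for consistency
    // (identical result with a single string).
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-31"
        version = "1.0"
        description = "using ConventionEngine Style Rules Checking for Macho Files that share some potential functionality via the string base64"
    strings:
        $ = "base64" nocase ascii wide
    condition:
        // Magic at offset 0, read as a big-endian word:
        //   0xCFFAEDFE -> MH_MAGIC_64 (0xFEEDFACF) as stored little-endian on disk
        //   0xCEFAEDFE -> MH_MAGIC    (0xFEEDFACE) as stored little-endian on disk
        // Universal/fat containers (FAT_MAGIC 0xCAFEBABE) and big-endian images
        // are not matched, so fat files need to be split before scanning.
        (uint32be(0x0) == 0xCFFAEDFE or uint32be(0x0) == 0xCEFAEDFE) and
        all of them
}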
rule SUSP_Macho_ConventionEngine_Hook
{
    // ConventionEngine-style heuristic: a thin Mach-O image containing the
    // word "Hook" in any case, as ASCII or UTF-16LE. The term is short and
    // presumably common in benign symbol names, so expect noise; use for
    // triage rather than alerting on its own.
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-31"
        version = "1.0"
        description = "using ConventionEngine Style Rules Checking for Macho Files that share some potential functionality via the string Hook"
    strings:
        $term = "Hook" nocase ascii wide
    condition:
        // Thin Mach-O only: MH_MAGIC_64 / MH_MAGIC as they appear on disk
        // (little-endian), read here as a big-endian word. Fat binaries
        // (0xCAFEBABE) are not covered.
        (uint32be(0) == 0xCFFAEDFE or uint32be(0) == 0xCEFAEDFE)
        and $term
}
rule SUSP_Macho_ConventionEngine_Shellcode
{
    // ConventionEngine-style heuristic: a thin Mach-O image that contains the
    // word "Shellcode" in any case, ASCII or UTF-16LE. Presence of the word
    // is all that is checked; the match is a triage signal, not a verdict.
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-31"
        version = "1.0"
        description = "using ConventionEngine Style Rules Checking for Macho Files that share some potential functionality via the string Shellcode"
    strings:
        $term = "Shellcode" nocase ascii wide
    condition:
        // Offset-0 magic read big-endian: 0xCFFAEDFE is MH_MAGIC_64 and
        // 0xCEFAEDFE is MH_MAGIC, both as stored little-endian. Universal/fat
        // containers are not matched.
        (uint32be(0) == 0xCFFAEDFE or uint32be(0) == 0xCEFAEDFE)
        and $term
}
rule SUSP_Macho_ConventionEngine_Rootkit
{
    // ConventionEngine-style heuristic: a thin Mach-O image that contains the
    // word "Rootkit" in any case, ASCII or UTF-16LE. Security tooling and
    // documentation strings can legitimately contain the word, so verify
    // context before acting on a hit.
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-31"
        version = "1.0"
        description = "using ConventionEngine Style Rules Checking for Macho Files that share some potential functionality via the string Rootkit"
    strings:
        $term = "Rootkit" nocase ascii wide
    condition:
        // Offset-0 magic read big-endian: 0xCFFAEDFE is MH_MAGIC_64 and
        // 0xCEFAEDFE is MH_MAGIC, both as stored little-endian. Universal/fat
        // containers are not matched.
        (uint32be(0) == 0xCFFAEDFE or uint32be(0) == 0xCEFAEDFE)
        and $term
}
rule SUSP_Macho_ConventionEngine_Trojan
{
    // ConventionEngine-style heuristic: a thin Mach-O image that contains the
    // word "Trojan" in any case, ASCII or UTF-16LE. The word also appears in
    // benign anti-malware and documentation strings; treat hits as leads.
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-31"
        version = "1.0"
        description = "using ConventionEngine Style Rules Checking for Macho Files that share some potential functionality via the string Trojan"
    strings:
        $term = "Trojan" nocase ascii wide
    condition:
        // Offset-0 magic read big-endian: 0xCFFAEDFE is MH_MAGIC_64 and
        // 0xCEFAEDFE is MH_MAGIC, both as stored little-endian. Universal/fat
        // containers are not matched.
        (uint32be(0) == 0xCFFAEDFE or uint32be(0) == 0xCEFAEDFE)
        and $term
}
rule SUSP_Macho_ConventionEngine_Dropper
{
    // ConventionEngine-style heuristic: a thin Mach-O image that contains the
    // word "Dropper" in any case, ASCII or UTF-16LE. Only the presence of the
    // word is checked; confirm context before escalating.
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-31"
        version = "1.0"
        description = "using ConventionEngine Style Rules Checking for Macho Files that share some potential functionality via the string Dropper"
    strings:
        $term = "Dropper" nocase ascii wide
    condition:
        // Offset-0 magic read big-endian: 0xCFFAEDFE is MH_MAGIC_64 and
        // 0xCEFAEDFE is MH_MAGIC, both as stored little-endian. Universal/fat
        // containers are not matched.
        (uint32be(0) == 0xCFFAEDFE or uint32be(0) == 0xCEFAEDFE)
        and $term
}
rule SUSP_Macho_ConventionEngine_Backdoor
{
    // ConventionEngine-style heuristic: a thin Mach-O image that contains the
    // word "Backdoor" in any case, ASCII or UTF-16LE. Only the presence of the
    // word is checked; confirm context before escalating.
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-31"
        version = "1.0"
        description = "using ConventionEngine Style Rules Checking for Macho Files that share some potential functionality via the string Backdoor"
    strings:
        $term = "Backdoor" nocase ascii wide
    condition:
        // Offset-0 magic read big-endian: 0xCFFAEDFE is MH_MAGIC_64 and
        // 0xCEFAEDFE is MH_MAGIC, both as stored little-endian. Universal/fat
        // containers are not matched.
        (uint32be(0) == 0xCFFAEDFE or uint32be(0) == 0xCEFAEDFE)
        and $term
}
rule SUSP_Macho_ConventionEngine_Spreader
{
    // ConventionEngine-style heuristic: a thin Mach-O image that contains the
    // word "Spreader" in any case, ASCII or UTF-16LE. Only the presence of the
    // word is checked; confirm context before escalating.
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-31"
        version = "1.0"
        description = "using ConventionEngine Style Rules Checking for Macho Files that share some potential functionality via the string Spreader"
    strings:
        $term = "Spreader" nocase ascii wide
    condition:
        // Offset-0 magic read big-endian: 0xCFFAEDFE is MH_MAGIC_64 and
        // 0xCEFAEDFE is MH_MAGIC, both as stored little-endian. Universal/fat
        // containers are not matched.
        (uint32be(0) == 0xCFFAEDFE or uint32be(0) == 0xCEFAEDFE)
        and $term
}
rule SUSP_Macho_ConventionEngine_Loader
{
    // ConventionEngine-style heuristic: a thin Mach-O image that contains the
    // word "Loader" in any case, ASCII or UTF-16LE. "Loader" is ordinary
    // linker/runtime vocabulary, so this rule is presumably noisy on benign
    // binaries; keep it for triage and pivoting, not alerting.
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-31"
        version = "1.0"
        description = "using ConventionEngine Style Rules Checking for Macho Files that share some potential functionality via the string Loader"
    strings:
        $term = "Loader" nocase ascii wide
    condition:
        // Offset-0 magic read big-endian: 0xCFFAEDFE is MH_MAGIC_64 and
        // 0xCEFAEDFE is MH_MAGIC, both as stored little-endian. Universal/fat
        // containers are not matched.
        (uint32be(0) == 0xCFFAEDFE or uint32be(0) == 0xCEFAEDFE)
        and $term
}
rule SUSP_Macho_ConventionEngine_Inject
{
    // ConventionEngine-style heuristic: a thin Mach-O image that contains the
    // word "Inject" in any case, ASCII or UTF-16LE. Because this is a
    // case-insensitive substring match it also fires on "injection",
    // "Injector", dependency-injection vocabulary, etc.; expect noise.
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-31"
        version = "1.0"
        description = "using ConventionEngine Style Rules Checking for Macho Files that share some potential functionality via the string Inject"
    strings:
        $term = "Inject" nocase ascii wide
    condition:
        // Offset-0 magic read big-endian: 0xCFFAEDFE is MH_MAGIC_64 and
        // 0xCEFAEDFE is MH_MAGIC, both as stored little-endian. Universal/fat
        // containers are not matched.
        (uint32be(0) == 0xCFFAEDFE or uint32be(0) == 0xCEFAEDFE)
        and $term
}
rule SUSP_Macho_ConventionEngine_Reflect
{
    // ConventionEngine-style heuristic: a thin Mach-O image that contains the
    // word "Reflect" in any case, ASCII or UTF-16LE. As a case-insensitive
    // substring it also matches "reflection"/"Reflection", which is common
    // language-runtime vocabulary; expect noise on benign binaries.
    meta:
        author = "Greg Lesnewich"
        date = "2023-01-31"
        version = "1.0"
        description = "using ConventionEngine Style Rules Checking for Macho Files that share some potential functionality via the string Reflect"
    strings:
        $term = "Reflect" nocase ascii wide
    condition:
        // Offset-0 magic read big-endian: 0xCFFAEDFE is MH_MAGIC_64 and
        // 0xCEFAEDFE is MH_MAGIC, both as stored little-endian. Universal/fat
        // containers are not matched.
        (uint32be(0) == 0xCFFAEDFE or uint32be(0) == 0xCEFAEDFE)
        and $term
}