rule SUSP_Macho_Evasion_AntiDebug_sysctl
{
    // Mach-O images that embed the string "sysctl", one of the APIs that
    // debugger-presence checks are commonly built on (per the reference).
    // sysctl is a libSystem export, so the string is likely to appear in
    // plenty of benign binaries too: treat a hit as a triage lead, not a verdict.
    meta:
        author = "Greg Lesnewich"
        date = "2023-02-02"
        version = "1.0"
        description = "check Macho files for likely anti-debugging related strings like sysctl"
        reference = "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities/"
    strings:
        // nocase and wide widen the match beyond the exact (case-sensitive)
        // C symbol name; narrow them if false positives dominate.
        $ = "sysctl" ascii wide nocase
    condition:
        // Header gate, read big-endian at offset 0: the fat/universal header
        // (0xCAFEBABE), and the thin 64-bit and 32-bit Mach-O headers as they
        // appear on disk for little-endian targets (bytes CF FA ED FE and
        // CE FA ED FE). Caveat: 0xCAFEBABE is also the Java class-file magic.
        for any magic in (0xCAFEBABE, 0xCFFAEDFE, 0xCEFAEDFE) : (uint32be(0) == magic)
        and all of them
}
rule SUSP_Macho_Evasion_AntiDebug_ptrace
{
    // Mach-O images that embed the string "ptrace". The reference lists it
    // among the APIs macOS malware uses to resist debugging; the string alone
    // does not prove that intent, so pair a hit with further analysis.
    meta:
        author = "Greg Lesnewich"
        date = "2023-02-02"
        version = "1.0"
        description = "check Macho files for likely anti-debugging related strings like ptrace"
        reference = "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities/"
    strings:
        // Case-insensitive and UTF-16 variants included on purpose; the
        // imported symbol itself would be lower-case ASCII.
        $ = "ptrace" ascii wide nocase
    condition:
        any of them and
        (
            uint32be(0) == 0xCAFEBABE or   // fat/universal header (stored big-endian)
            uint32(0) == 0xFEEDFACF or     // 64-bit Mach-O header in file byte order (bytes CF FA ED FE)
            uint32(0) == 0xFEEDFACE        // 32-bit Mach-O header in file byte order (bytes CE FA ED FE)
        )
}
rule SUSP_Macho_Evasion_AntiDebug_sysctlbyname
{
    // Mach-O images that embed the string "sysctlbyname". Note that any file
    // containing this string also satisfies the sibling "sysctl" rule, since
    // that one matches the shorter substring; expect both to fire together.
    meta:
        author = "Greg Lesnewich"
        date = "2023-02-02"
        version = "1.0"
        description = "check Macho files for likely anti-debugging related strings like sysctlbyname"
        reference = "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities/"
    strings:
        $ = "sysctlbyname" nocase wide ascii
    condition:
        // Only files whose first four bytes, read big-endian, are one of the
        // fat header magic (0xCAFEBABE, also used by Java class files) or the
        // on-disk form of the 64-bit / 32-bit little-endian Mach-O headers.
        for any magic in (0xCAFEBABE, 0xCFFAEDFE, 0xCEFAEDFE) : (uint32be(0) == magic)
        and any of them
}
rule SUSP_Macho_Evasion_AntiDebug_sysctlnametomib
{
    // Mach-O images that embed the string "sysctlnametomib". As with the
    // sibling rules, this is a string-presence heuristic gated on the Mach-O
    // header; the sibling "sysctl" rule fires on the same files because it
    // matches the shorter substring.
    meta:
        author = "Greg Lesnewich"
        date = "2023-02-02"
        version = "1.0"
        description = "check Macho files for likely anti-debugging related strings like sysctlnametomib"
        reference = "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities/"
    strings:
        $ = "sysctlnametomib" wide ascii nocase
    condition:
        all of them and
        (
            uint32be(0) == 0xCAFEBABE or   // fat/universal header (stored big-endian); shared with Java class files
            uint32(0) == 0xFEEDFACF or     // 64-bit Mach-O header in file byte order (bytes CF FA ED FE)
            uint32(0) == 0xFEEDFACE        // 32-bit Mach-O header in file byte order (bytes CE FA ED FE)
        )
}