Add more public YARA rules

rules/public/hacktool/macos/hacktool_macos_exploit_cve_2015_5889.yara

@@ -0,0 +1,16 @@
+rule hacktool_macos_exploit_cve_5889
+{
+    meta:
+        description = "http://www.cvedetails.com/cve/cve-2015-5889"
+        reference = "https://www.exploit-db.com/exploits/38371/"
+        author = "@mimeframe"
+    strings:
+        $a1 = "/etc/sudoers" fullword wide ascii
+        $a2 = "/etc/crontab" fullword wide ascii
+        $a3 = "* * * * * root echo" wide ascii
+        $a4 = "ALL ALL=(ALL) NOPASSWD: ALL" wide ascii
+        $a5 = "/usr/bin/rsh" fullword wide ascii
+        $a6 = "localhost" fullword wide ascii
+    condition:
+        all of ($a*)
+}

rules/public/hacktool/macos/hacktool_macos_juuso_keychaindump.yara

@@ -0,0 +1,16 @@
+rule hacktool_macos_juuso_keychaindump
+{
+    meta:
+        description = "For reading OS X keychain passwords as root."
+        reference = "https://github.com/juuso/keychaindump"
+        author = "@mimeframe"
+    strings:
+        $a1 = "[-] Too many candidate keys to fit in memory" wide ascii
+        $a2 = "[-] Could not allocate memory for key search" wide ascii
+        $a3 = "[-] Too many credentials to fit in memory" wide ascii
+        $a4 = "[-] The target file is not a keychain file" wide ascii
+        $a5 = "[-] Could not find the securityd process" wide ascii
+        $a6 = "[-] No root privileges, please run with sudo" wide ascii
+    condition:
+        4 of ($a*)
+}

rules/public/hacktool/macos/hacktool_macos_keylogger_b4rsby_swiftlog.yara

@@ -0,0 +1,11 @@
+rule hacktool_macos_keylogger_b4rsby_swiftlog
+{
+    meta:
+        description = "Dirty user level command line keylogger hacked together in Swift."
+        reference = "https://github.com/b4rsby/SwiftLog"
+        author = "@mimeframe"
+    strings:
+        $a1 = "You need to enable the keylogger in the System Prefrences" wide ascii
+    condition:
+        all of ($a*)
+}

rules/public/hacktool/macos/hacktool_macos_keylogger_caseyscarborough.yara

@@ -0,0 +1,14 @@
+rule hacktool_macos_keylogger_caseyscarborough
+{
+    meta:
+        description = "A simple and easy to use keylogger for macOS."
+        reference = "https://github.com/caseyscarborough/keylogger"
+        author = "@mimeframe"
+    strings:
+        $a1 = "/var/log/keystroke.log" wide ascii
+        $a2 = "ERROR: Unable to create event tap." wide ascii
+        $a3 = "Keylogging has begun." wide ascii
+        $a4 = "ERROR: Unable to open log file. Ensure that you have the proper permissions." wide ascii
+    condition:
+        2 of ($a*)
+}

rules/public/hacktool/macos/hacktool_macos_keylogger_dannvix.yara

@@ -0,0 +1,13 @@
+rule hacktool_macos_keylogger_dannvix
+{
+    meta:
+        description = "A simple keylogger for macOS."
+        reference = "https://github.com/dannvix/keylogger-osx"
+        author = "@mimeframe"
+    strings:
+        $a1 = "/var/log/keystroke.log" wide ascii
+        $a2 = "<forward-delete>" wide ascii
+        $a3 = "<unknown>" wide ascii
+    condition:
+        all of ($a*)
+}

rules/public/hacktool/macos/hacktool_macos_keylogger_eldeveloper_keystats.yara

@@ -0,0 +1,13 @@
+rule hacktool_macos_keylogger_eldeveloper_keystats
+{
+    meta:
+        description = "A simple keylogger for macOS."
+        reference = "https://github.com/ElDeveloper/keystats"
+        author = "@mimeframe"
+    strings:
+        $a1 = "YVBKeyLoggerPerishedNotification" wide ascii
+        $a2 = "YVBKeyLoggerPerishedByLackOfResponseNotification" wide ascii
+        $a3 = "YVBKeyLoggerPerishedByUserChangeNotification" wide ascii
+    condition:
+        2 of ($a*)
+}

rules/public/hacktool/macos/hacktool_macos_keylogger_giacomolaw.yara

@@ -0,0 +1,13 @@
+rule hacktool_macos_keylogger_giacomolaw
+{
+    meta:
+        description = "A simple keylogger for macOS."
+        reference = "https://github.com/GiacomoLaw/Keylogger"
+        author = "@mimeframe"
+    strings:
+        $a1 = "ERROR: Unable to access keystroke log file. Please make sure you have the correct permissions." wide ascii
+        $a2 = "ERROR: Unable to create event tap." wide ascii
+        $a3 = "Keystrokes are now being recorded" wide ascii
+    condition:
+        2 of ($a*)
+}

rules/public/hacktool/macos/hacktool_macos_keylogger_logkext.yara

@@ -0,0 +1,25 @@
+rule hacktool_macos_keylogger_logkext
+{
+    meta:
+        description = "LogKext is an open source keylogger for Mac OS X, a product of FSB software."
+        reference = "https://github.com/SlEePlEs5/logKext"
+        author = "@mimeframe"
+    strings:
+        // daemon
+        $a1 = "logKextPassKey" wide ascii
+        $a2 = "Couldn't get system keychain:" wide ascii
+        $a3 = "Error finding secret in keychain" wide ascii
+        $a4 = "com_fsb_iokit_logKext" wide ascii
+        // client
+        $b1 = "logKext Password:" wide ascii
+        $b2 = "Logging controls whether the daemon is logging keystrokes (default is on)." wide ascii
+        // logkextkeygen
+        $c1 = "logKextPassKey" wide ascii
+        $c2 = "Error: couldn't create secAccess" wide ascii
+        // logkext
+        $d1 = "IOHIKeyboard" wide ascii
+        $d2 = "Clear keyboards called with kextkeys" wide ascii
+        $d3 = "Added notification for keyboard" wide ascii
+    condition:
+        3 of ($a*) or all of ($b*) or all of ($c*) or all of ($d*)
+}

rules/public/hacktool/macos/hacktool_macos_keylogger_roxlu_ofxkeylogger.yara

@@ -0,0 +1,13 @@
+rule hacktool_macos_keylogger_roxlu_ofxkeylogger
+{
+    meta:
+        description = "ofxKeylogger keylogger."
+        reference = "https://github.com/roxlu/ofxKeylogger"
+        author = "@mimeframe"
+    strings:
+        $a1 = "keylogger_init" wide ascii
+        $a2 = "install_keylogger_hook function not found in dll." wide ascii
+        $a3 = "keylogger_set_callback" wide ascii
+    condition:
+        all of ($a*)
+}

rules/public/hacktool/macos/hacktool_macos_keylogger_skreweverything_swift.yara

@@ -0,0 +1,15 @@
+rule hacktool_macos_keylogger_skreweverything_swift
+{
+    meta:
+        description = "It is a simple and easy to use keylogger for macOS written in Swift."
+        reference = "https://github.com/SkrewEverything/Swift-Keylogger"
+        author = "@mimeframe"
+    strings:
+        $a1 = "Can't create directories!" wide ascii
+        $a2 = "Can't create manager" wide ascii
+        $a3 = "Can't open HID!" wide ascii
+        $a4 = "PRINTSCREEN" wide ascii
+        $a5 = "LEFTARROW" wide ascii
+    condition:
+        4 of ($a*)
+}

rules/public/hacktool/macos/hacktool_macos_manwhoami_icloudcontacts.yara

@@ -0,0 +1,14 @@
+rule hacktool_macos_manwhoami_icloudcontacts
+{
+    meta:
+        description = "Pulls iCloud Contacts for an account. No dependencies. No user notification."
+        reference = "https://github.com/manwhoami/iCloudContacts"
+        author = "@mimeframe"
+    strings:
+        $a1 = "https://setup.icloud.com/setup/authenticate/" wide ascii
+        $a2 = "https://p04-contacts.icloud.com/" wide ascii
+        $a3 = "HTTP Error 401: Unauthorized. Are you sure the credentials are correct?" wide ascii
+        $a4 = "HTTP Error 404: URL not found. Did you enter a username?" wide ascii
+    condition:
+        3 of ($a*)
+}

rules/public/hacktool/macos/hacktool_macos_manwhoami_mmetokendecrypt.yara

@@ -0,0 +1,15 @@
+rule hacktool_macos_manwhoami_mmetokendecrypt
+{
+    meta:
+        description = "This program decrypts / extracts all authorization tokens on macOS / OS X / OSX."
+        reference = "https://github.com/manwhoami/MMeTokenDecrypt"
+        author = "@mimeframe"
+    strings:
+        $a1 = "security find-generic-password -ws 'iCloud'" wide ascii
+        $a2 = "ERROR getting iCloud Decryption Key" wide ascii
+        $a3 = "Could not find MMeTokenFile. You can specify the file manually." wide ascii
+        $a4 = "Decrypting token plist ->" wide ascii
+        $a5 = "Successfully decrypted token plist!" wide ascii
+    condition:
+        3 of ($a*)
+}

rules/public/hacktool/macos/hacktool_macos_manwhoami_osxchromedecrypt.yara

@@ -0,0 +1,16 @@
+rule hacktool_macos_manwhoami_osxchromedecrypt
+{
+    meta:
+        description = "Decrypt Google Chrome / Chromium passwords and credit cards on macOS / OS X."
+        reference = "https://github.com/manwhoami/OSXChromeDecrypt"
+        author = "@mimeframe"
+    strings:
+        $a1 = "Credit Cards for Chrome Profile" wide ascii
+        $a2 = "Passwords for Chrome Profile" wide ascii
+        $a3 = "Unknown Card Issuer" wide ascii
+        $a4 = "ERROR getting Chrome Safe Storage Key" wide ascii
+        $b1 = "select name_on_card, card_number_encrypted, expiration_month, expiration_year from credit_cards" wide ascii
+        $b2 = "select username_value, password_value, origin_url, submit_element from logins" wide ascii
+    condition:
+        3 of ($a*) or all of ($b*)
+}

rules/public/hacktool/macos/hacktool_macos_n0fate_chainbreaker.yara

@@ -0,0 +1,13 @@
+rule hacktool_macos_n0fate_chainbreaker
+{
+    meta:
+        description = "chainbreaker can extract user credential in a Keychain file with Master Key or user password in forensically sound manner."
+        reference = "https://github.com/n0fate/chainbreaker"
+        author = "@mimeframe"
+    strings:
+        $a1 = "[!] Private Key Table is not available" wide ascii
+        $a2 = "[!] Public Key Table is not available" wide ascii
+        $a3 = "[-] Decrypted Private Key" wide ascii
+    condition:
+        all of ($a*)
+}

rules/public/hacktool/macos/hacktool_macos_ptoomey3_keychain_dumper.yara

@@ -0,0 +1,15 @@
+rule hacktool_macos_ptoomey3_keychain_dumper
+{
+    meta:
+        description = "Keychain dumping utility."
+        reference = "https://github.com/ptoomey3/Keychain-Dumper"
+        author = "@mimeframe"
+    strings:
+        $a1 = "keychain_dumper" wide ascii
+        $a2 = "/var/Keychains/keychain-2.db" wide ascii
+        $a3 = "<key>keychain-access-groups</key>" wide ascii
+        $a4 = "SELECT DISTINCT agrp FROM genp UNION SELECT DISTINCT agrp FROM inet" wide ascii
+        $a5 = "dumpEntitlements" wide ascii
+    condition:
+        all of ($a*)
+}

rules/public/hacktool/windows/hacktool_windows_moyix_creddump.yara

@@ -0,0 +1,16 @@
+rule hacktool_windows_moyix_creddump
+{
+    meta:
+        description = "creddump is a python tool to extract credentials and secrets from Windows registry hives."
+        reference = "https://github.com/moyix/creddump"
+        author = "@mimeframe"
+    strings:
+        $a1 = "!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%" wide ascii
+        $a2 = "0123456789012345678901234567890123456789" wide ascii
+        $a3 = "NTPASSWORD" wide ascii
+        $a4 = "LMPASSWORD" wide ascii
+        $a5 = "aad3b435b51404eeaad3b435b51404ee" wide ascii
+        $a6 = "31d6cfe0d16ae931b73c59d7e0c089c0" wide ascii
+    condition:
+        all of ($a*)
+}

rules/public/malware/macos/apt_macos_sofacy_xagent.yara → rules/public/malware/macos/malware_macos_apt_sofacy_xagent.yara

@@ -1,6 +1,6 @@
 include "../../MachO.yara"
 
-rule apt_macos_sofacy_xagent
+rule malware_macos_apt_sofacy_xagent
 {
     meta:
         description = "sofacy xagent for macOS"

rules/public/malware/macos/malware_macos_bella.yara

@@ -0,0 +1,22 @@
+rule malware_macos_bella
+{
+    meta:
+        description = "Bella is a pure python post-exploitation data mining tool & remote administration tool for macOS."
+        reference = "https://github.com/Trietptm-on-Security/Bella"
+        author = "@mimeframe"
+    strings:
+        // Bella.py
+        $a1 = "Verified! [2FV Enabled] Account ->" wide ascii
+        $a2 = "There is no root shell to perform this command. See [rooter] manual entry." wide ascii
+        $a3 = "Attempt to escalate Bella to root through a variety of attack vectors." wide ascii
+        $a4 = "BELLA IS NOW RUNNING. CONNECT TO BELLA FROM THE CONTROL CENTER." wide ascii
+        // Control Center.py
+        $b1 = "user_pass_phish" fullword wide ascii
+        $b2 = "bella_info" fullword wide ascii
+        $b3 = "get_root" fullword wide ascii
+        // Builder
+        $c1 = "Please specify a bella server." wide ascii
+        $c2 = "What port should Bella connect on [Default is 4545]:" wide ascii
+    condition:
+        any of ($a*) or all of ($b*) or all of ($c*)
+}

rules/public/malware/macos/malware_macos_marten4n6_evilosx.yara

@@ -0,0 +1,16 @@
+rule malware_macos_marten4n6_evilosx
+{
+    meta:
+        description = "EvilOSX is a pure python, post-exploitation, RAT (Remote Administration Tool) for macOS / OSX."
+        reference = "https://github.com/Marten4n6/EvilOSX"
+        author = "@mimeframe"
+    strings:
+        // EvilOSX.py commands
+        $a1 = "icloud_phish_stop" fullword wide ascii
+        $a2 = "icloud_contacts" fullword wide ascii
+        $a3 = "itunes_backups" fullword wide ascii
+        $a4 = "chrome_passwords" fullword wide ascii
+        $a5 = "Starting EvilOSX..." wide ascii
+    condition:
+        4 of ($a*)
+}

rules/public/malware/macos/malware_macos_neoneggplant_eggshell.yara

@@ -0,0 +1,24 @@
+rule malware_macos_neoneggplant_eggshell
+{
+    meta:
+        description = "EggShell is an iOS and macOS post exploitation surveillance pentest tool written in Python."
+        reference = "https://github.com/neoneggplant/EggShell"
+        author = "@mimeframe"
+    strings:
+        // eggshell.py
+        $a1 = "Created By Lucas Jackson (@neoneggplant)" wide ascii
+        $a2 = "SET LHOST (Leave blank for" wide ascii
+        $a3 = "SET LPORT (Leave blank for" wide ascii
+        // esplios
+        $b1 = "/tmp/.esplog" wide ascii
+        $b2 = "spGHbigdxMBJpbOCAr3rnS3inCdYQyZV" wide ascii
+        $b3 = "keylogclear" wide ascii
+        $b4 = "getpasscode" wide ascii
+        // esplosx
+        $c1 = "spGHbigdxMBJpbOCAr3rnS3inCdYQyZV" wide ascii
+        $c2 = "getfacebook" wide ascii
+        $c3 = "type is eggsu" wide ascii
+        $c4 = "rmpersistence" wide ascii
+    condition:
+        all of ($a*) or 3 of ($b*) or 3 of ($c*)
+}

rules/public/malware/multi/malware_multi_pupy_rat.yara

@@ -1,5 +1,3 @@
-import "pe"
-
 rule malware_multi_pupy_rat
 {
     meta:
@@ -14,5 +12,5 @@ rule malware_multi_pupy_rat
         $a5 = "pupwinutils.security" wide ascii
         $a6 = "-PUPY_CONFIG_COMES_HERE-" wide ascii
     condition:
-        2 of ($a*)
+        3 of ($a*)
 }

rules/public/malware/multi/malware_multi_vesche_basicrat.yara

@@ -0,0 +1,15 @@
+rule malware_multi_vesche_basicrat
+{
+    meta:
+        description = "cross-platform Python 2.x Remote Access Trojan (RAT)"
+        reference = "https://github.com/vesche/basicRAT"
+        author = "@mimeframe"
+    strings:
+        $a1 = "HKCU Run registry key applied" wide ascii
+        $a2 = "HKCU Run registry key failed" wide ascii
+        $a3 = "Error, platform unsupported." wide ascii
+        $a4 = "Persistence successful," wide ascii
+        $a5 = "Persistence unsuccessful," wide ascii
+    condition:
+        all of ($a*)
+}

rules/public/malware/windows/apt_windows_red_leaves_generic.yara → rules/public/malware/windows/malware_windows_apt_red_leaves_generic.yara

@@ -1,4 +1,4 @@
-rule apt_windows_red_leaves_generic
+rule malware_windows_apt_red_leaves_generic
 {
     meta:
         description = "Red Leaves malware, related to APT10"

rules/public/malware/windows/malware_windows_apt_whitebear_binary_loader_1.yara

@@ -0,0 +1,22 @@
+rule malware_windows_apt_whitebear_binary_loader_1
+{
+    meta:
+        description = "The WhiteBear loader contains a set of messaging and injection components that support continued presence on victim hosts"
+        reference = "https://securelist.com/introducing-whitebear/81638/"
+        author = "@fusionrace"
+        md5 = "b099b82acb860d9a9a571515024b35f0"
+    strings:
+        // Output messages
+        $a1 = "### PE STORAGE ###" wide ascii
+        $a2 = "### CRYPTO 0 ###" wide ascii
+        $a3 = "### EXTERNAL STORAGE ###" wide ascii
+        $a4 = "### CRYPTO 1 ###" wide ascii
+        $a5 = "### QUEUES ###" wide ascii
+        $a6 = "### TRANSPORT ###" wide ascii
+        $a7 = "### EXECUTION SUBSYSTEM ###" wide ascii
+        $a8 = "### AUTORUN MANAGER ###" wide ascii
+        $a9 = "### INJECT MANAGER ###" wide ascii
+        $a10 = "### LOCAL TRANSPORT MANAGER ###" wide ascii
+    condition:
+        6 of ($a*)
+}