25 lines
937 B
Text
25 lines
937 B
Text
|
rule malware_macos_neoneggplant_eggshell
|
||
|
{
|
||
|
meta:
|
||
|
description = "EggShell is an iOS and macOS post exploitation surveillance pentest tool written in Python."
|
||
|
reference = "https://github.com/neoneggplant/EggShell"
|
||
|
author = "@mimeframe"
|
||
|
strings:
|
||
|
// eggshell.py
|
||
|
$a1 = "Created By Lucas Jackson (@neoneggplant)" wide ascii
|
||
|
$a2 = "SET LHOST (Leave blank for" wide ascii
|
||
|
$a3 = "SET LPORT (Leave blank for" wide ascii
|
||
|
// esplios
|
||
|
$b1 = "/tmp/.esplog" wide ascii
|
||
|
$b2 = "spGHbigdxMBJpbOCAr3rnS3inCdYQyZV" wide ascii
|
||
|
$b3 = "keylogclear" wide ascii
|
||
|
$b4 = "getpasscode" wide ascii
|
||
|
// esplosx
|
||
|
$c1 = "spGHbigdxMBJpbOCAr3rnS3inCdYQyZV" wide ascii
|
||
|
$c2 = "getfacebook" wide ascii
|
||
|
$c3 = "type is eggsu" wide ascii
|
||
|
$c4 = "rmpersistence" wide ascii
|
||
|
condition:
|
||
|
all of ($a*) or 3 of ($b*) or 3 of ($c*)
|
||
|
}
|