08e8d462fe
RED PILL 🔴 💊
rule malware_macos_neoneggplant_eggshell
{
    meta:
        description = "EggShell is an iOS and macOS post exploitation surveillance pentest tool written in Python."
        reference = "https://github.com/neoneggplant/EggShell"
        author = "@mimeframe"

    strings:
        // Every string below is matched both as plain ASCII and as UTF-16LE ("wide").

        // Operator-side script (eggshell.py): author banner and listener prompts.
        $py1  = "Created By Lucas Jackson (@neoneggplant)" wide ascii
        $py2  = "SET LHOST (Leave blank for" wide ascii
        $py3  = "SET LPORT (Leave blank for" wide ascii

        // iOS payload (esplios): hidden /tmp path, embedded token and command names.
        $ios1 = "/tmp/.esplog" wide ascii
        $ios2 = "spGHbigdxMBJpbOCAr3rnS3inCdYQyZV" wide ascii
        $ios3 = "keylogclear" wide ascii
        $ios4 = "getpasscode" wide ascii

        // macOS payload (esplosx): the same token as $ios2 plus macOS-specific command names.
        // Because the token is shared, it counts toward both the $ios* and $osx* groups.
        $osx1 = "spGHbigdxMBJpbOCAr3rnS3inCdYQyZV" wide ascii
        $osx2 = "getfacebook" wide ascii
        $osx3 = "type is eggsu" wide ascii
        $osx4 = "rmpersistence" wide ascii

    condition:
        // The script group requires all three of its strings; for either payload group,
        // any 3 of its 4 markers are enough, so no single payload string is mandatory.
        all of ($py*) or 3 of ($ios*) or 3 of ($osx*)
}