13 lines
525 B
Text
13 lines
525 B
Text
rule hacktool_macos_n0fate_chainbreaker
|
|
{
|
|
meta:
|
|
description = "chainbreaker can extract user credential in a Keychain file with Master Key or user password in forensically sound manner."
|
|
reference = "https://github.com/n0fate/chainbreaker"
|
|
author = "@mimeframe"
|
|
strings:
|
|
$a1 = "[!] Private Key Table is not available" wide ascii
|
|
$a2 = "[!] Public Key Table is not available" wide ascii
|
|
$a3 = "[-] Decrypted Private Key" wide ascii
|
|
condition:
|
|
all of ($a*)
|
|
}
|