// Broad, low-confidence indicator: the file mentions the macOS keychain at all.
// Both spellings are matched case-sensitively (YARA default), so an all-caps
// "KEYCHAIN" is not covered by this rule.
rule keychain : medium macos {
  meta:
    description = "May access the macOS keychain"
    hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"
    hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c"
    hash_2023_Downloads_589d = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0"
  strings:
    $ref = "Keychain"
    $ref2 = "keychain"
    // Exclusions for Elastic detection-rule source files, which legitimately
    // talk about the keychain. The hex below is the pretty-printed JSON fragment
    //   "author": [\n    "Elastic"\n  ]
    $not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
    $not_elastic_license = "\"license\": \"Elastic License v2\""
  condition:
    ($ref or $ref2)
      and not $not_elastic_author
      and not $not_elastic_license
}
// The file references the keychain store directory by path. This is a
// superset trigger of `keychain` ("/Library/Keychains" contains "Keychain"),
// kept separate so the path-based access can be reported on its own.
rule macos_library_keychains : medium macos {
  meta:
    description = "access system keychain via files"
    hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"
    hash_2023_Downloads_589d = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0"
    hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2"
  strings:
    $ref = "/Library/Keychains"
    // Same Elastic detection-rule exclusions as the `keychain` rule;
    // the hex is the JSON fragment "author": [\n    "Elastic"\n  ]
    $not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
    $not_elastic_license = "\"license\": \"Elastic License v2\""
  condition:
    $ref
      and not $not_elastic_author
      and not $not_elastic_license
}
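// Detects the `security find-generic-password` subcommand, the usual CLI route
// to read a stored password out of the keychain.
//
// Fix: the original pattern was spelled "passsword" (three s), so it could never
// match the real subcommand and the rule was effectively dead.
rule find_generic_password : high macos {
  meta:
    description = "Looks up a password from the Keychain"
  strings:
    // The bounded tail captures up to 32 chars of arguments (e.g. "-wa <account>")
    // so the matched string shows what was being looked up.
    $ref = /find-generic-password[ \-\w\']{0,32}/
    // Apple's own CryptoTokenKit helper contains this string legitimately.
    $not_ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
    // Elastic detection-rule sources; hex is "author": [\n    "Elastic"\n  ]
    $not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
    $not_elastic_license = "\"license\": \"Elastic License v2\""
  condition:
    $ref and none of ($not*)
}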
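// Detects the `security find-internet-password` subcommand, which reads
// website/server credentials out of the keychain.
//
// Fix: the original pattern was spelled "passsword" (three s), so it could never
// match the real subcommand and the rule was effectively dead.
rule find_internet_password : high macos {
  meta:
    description = "Looks up an internet password from the Keychain"
  strings:
    // Bounded tail keeps up to 32 chars of arguments (e.g. "-s <server>") in the match.
    $ref = /find-internet-password[ \-\w\']{0,32}/
    // Apple's own CryptoTokenKit helper contains this string legitimately.
    $not_ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
    // Elastic detection-rule sources; hex is "author": [\n    "Elastic"\n  ]
    $not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
    $not_elastic_license = "\"license\": \"Elastic License v2\""
  condition:
    $ref and none of ($not*)
}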
// Direct reference to the user's login keychain database path. Reading this
// file is a common first step for credential theft, hence the high level.
// The filesize cap keeps the scan off very large bundles.
rule login_keychain : high macos {
  meta:
    description = "may steal login keychain"
  strings:
    $ref = "/Library/Keychains/login.keychain-db"
  condition:
    $ref and filesize < 200MB
}
// Override rule: for files carrying the Adobe SAM dylib name within the given
// size window, the `login_keychain` meta entry here appears to lower that rule's
// reported level to "medium" (override semantics live in the scanner, not YARA).
rule adobe_sam_login_keychain : override macos {
  meta:
    description = "Adobe SAM"
    login_keychain = "medium"
  strings:
    $ref = "com.adobe.acc.sam-v2.dylib"
  condition:
    $ref
      and filesize > 50MB
      and filesize < 100MB
}
// Lazarus-style login keychain theft (see ref): the sample pairs a "logkc_db"
// identifier with the "Keychains" directory name. Both strings must be present
// as whole words, which keeps this well away from generic keychain mentions.
rule login_keychain_eager_beaver : critical macos {
  meta:
    description = "steals login keychain"
    ref = "https://www.group-ib.com/blog/apt-lazarus-python-scripts/"
  strings:
    $ref = "logkc_db" fullword
    $ref2 = "Keychains" fullword
  condition:
    $ref
      and $ref2
      and filesize < 200MB
}