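/*
 * Exploit_MacOS_LimeRain_D_MTB
 *
 * Flags files that contain identifiers associated with a limera1n-enabled
 * build of idevicerestore/irecovery (function and payload names plus one
 * log message). The rule is a conversion of a Defender MACHOHSTR_EXT
 * signature; the raw signature header is kept verbatim in meta.description.
 *
 * Changes relative to the collapsed one-line form:
 *   - Line breaks restored. On a single line the first `//` comment swallowed
 *     every later string, the condition and the closing brace, so the rule
 *     could not compile.
 *   - Condition tightened from `any of` to `all of`. With `any of`, the plain
 *     log message "Sending fake data" alone was enough to label a file as an
 *     exploit. The header bytes in the description appear to encode a
 *     threshold of 6 over six weight-1 strings; confirm against the original
 *     signature before deploying.
 *
 * NOTE(review): the signature type names Mach-O, but nothing here checks the
 * file format, so the rule also matches source trees, archives and text dumps
 * that contain all of the strings. Add a Mach-O magic check if the scanner
 * only needs to cover binaries.
 * NOTE(review): a hit shows the tooling is present on disk, not that it was
 * run; triage with file origin and execution telemetry.
 */
rule Exploit_MacOS_LimeRain_D_MTB
{
    meta:
        description = "Exploit:MacOS/LimeRain.D!MTB,SIGNATURE_TYPE_MACHOHSTR_EXT,06 00 06 00 06 00 00 01 00 "

    strings:
        // "Sending fake data" - generic log text, weak on its own
        $a_01_0 = { 53 65 6e 64 69 6e 67 20 66 61 6b 65 20 64 61 74 61 }

        // "device_info_from_device_record"
        $a_01_1 = { 64 65 76 69 63 65 5f 69 6e 66 6f 5f 66 72 6f 6d 5f 64 65 76 69 63 65 5f 72 65 63 6f 72 64 }

        // "limera1n_exploit" - also a substring of $a_01_5, so it always
        // matches wherever $a_01_5 does and adds no independent evidence
        $a_01_2 = { 6c 69 6d 65 72 61 31 6e 5f 65 78 70 6c 6f 69 74 }

        // "idevicerestore-limera1n"
        $a_01_3 = { 69 64 65 76 69 63 65 72 65 73 74 6f 72 65 2d 6c 69 6d 65 72 61 31 6e }

        // "limera1n_payload"
        $a_01_4 = { 6c 69 6d 65 72 61 31 6e 5f 70 61 79 6c 6f 61 64 }

        // "irecv_trigger_limera1n_exploit"
        $a_01_5 = { 69 72 65 63 76 5f 74 72 69 67 67 65 72 5f 6c 69 6d 65 72 61 31 6e 5f 65 78 70 6c 6f 69 74 }

    condition:
        // Require every indicator; see the header comment for the rationale.
        all of ($a_*)
}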