19 lines
1002 B
Plaintext
19 lines
1002 B
Plaintext
|
|
rule HackTool_MacOS_SuspSocatCmd_A_BindShell{
|
|
meta:
|
|
description = "HackTool:MacOS/SuspSocatCmd.A!BindShell,SIGNATURE_TYPE_CMDHSTR_EXT,ffffffc8 00 29 00 09 00 00 "
|
|
|
|
strings :
|
|
$a_00_0 = {73 00 6f 00 63 00 61 00 74 00 } //10 socat
|
|
$a_00_1 = {65 00 78 00 65 00 63 00 3a 00 } //20 exec:
|
|
$a_00_2 = {62 00 61 00 73 00 68 00 } //5 bash
|
|
$a_00_3 = {70 00 74 00 79 00 } //5 pty
|
|
$a_00_4 = {74 00 63 00 70 00 2d 00 6c 00 69 00 73 00 74 00 65 00 6e 00 3a 00 } //1 tcp-listen:
|
|
$a_00_5 = {75 00 64 00 70 00 2d 00 6c 00 69 00 73 00 74 00 65 00 6e 00 3a 00 } //1 udp-listen:
|
|
$a_00_6 = {6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 } //-50 localhost
|
|
$a_00_7 = {31 00 32 00 37 00 2e 00 30 00 2e 00 30 00 2e 00 31 00 } //-50 127.0.0.1
|
|
$a_00_8 = {30 00 2e 00 30 00 2e 00 30 00 2e 00 30 00 } //-50 0.0.0.0
|
|
condition:
|
|
((#a_00_0 & 1)*10+(#a_00_1 & 1)*20+(#a_00_2 & 1)*5+(#a_00_3 & 1)*5+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1+(#a_00_6 & 1)*-50+(#a_00_7 & 1)*-50+(#a_00_8 & 1)*-50) >=41
|
|
|
|
} |