DefenderYara/Exploit/MacOS/CVE-2022-46689/Exploit_MacOS_CVE-2022-4668...


// Content signature for Exploit:MacOS/CVE-2022-46689: two short x86-64 code
// sequences plus two ASCII strings, matched anywhere in the scanned data.
// NOTE(review): YARA identifiers accept only letters, digits and underscores, so
// the hyphens in this rule name are expected to be rejected by the yara compiler.
// Confirm, and rename (e.g. CVE_2022_46689) before deploying.
rule Exploit_MacOS_CVE-2022-46689{
meta:
// The description carries the detection name, the source signature type and a run
// of header bytes. Those bytes and the hex pairs trailing each string line look
// like a match threshold and per-string weights from the source format (TODO
// confirm). The condition below uses neither.
description = "Exploit:MacOS/CVE-2022-46689,SIGNATURE_TYPE_MACHOHSTR_EXT,05 00 04 00 04 00 00 02 00 "
strings :
// $a_00_0 decodes as x86-64: mov rsi, r13; xor ecx, ecx; mov r8d, 0x4000;
// push 1; pop r12; push r12; push 3; pop rax.
$a_00_0 = {4c 89 ee 31 c9 41 b8 00 40 00 00 6a 01 41 5c 41 54 6a 03 58 } //02 00
// $a_00_1 shares the first 11 bytes of $a_00_0, then push r12 (x3) and push 0 (x2).
$a_00_1 = {4c 89 ee 31 c9 41 b8 00 40 00 00 41 54 41 54 41 54 6a 00 6a 00 } //01 00
// $a_00_2 is a plain ASCII status message (decoded in the trailing comment).
$a_00_2 = {52 4f 20 6d 61 70 70 69 6e 67 20 77 61 73 20 6d 6f 64 69 66 69 65 64 } //01 00 RO mapping was modified
// $a_00_3 is a sed command line that rewrites "rootok" to "permit" in /etc/pam.d/su.
// Changes to that PAM file are worth monitoring on the host independently of this
// file-content match.
$a_00_3 = {2f 75 73 72 2f 62 69 6e 2f 73 65 64 20 2d 65 20 22 73 2f 72 6f 6f 74 6f 6b 2f 70 65 72 6d 69 74 2f 67 22 20 2f 65 74 63 2f 70 61 6d 2e 64 2f 73 75 } //00 00 /usr/bin/sed -e "s/rootok/permit/g" /etc/pam.d/su
condition:
// Fires when any single string is present, with no file-type check even though the
// signature type names Mach-O. The two ASCII strings alone therefore match source
// code, write-ups, logs, or a copy of this rule (its comments contain the text).
// NOTE(review): to cut false positives, consider gating on a Mach-O magic value at
// offset 0 and requiring more than one string, e.g. `2 of ($a_*)`. The right
// threshold depends on the weights noted above (TODO confirm).
any of ($a_*)
}