Update third-party rules as of 2024-11-11 (#614)
Co-authored-by: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com>
octo-sts[bot] and github-actions[bot] authored Nov 11, 2024
1 parent 297b82e commit 59daaa2
Showing 8 changed files with 13,020 additions and 12,907 deletions.
Binary file modified tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff
6 changes: 3 additions & 3 deletions tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff
@@ -17,9 +17,9 @@

| RISK | KEY | DESCRIPTION | EVIDENCE |
|-----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/43c9d899b5195f67a1ea52db0b28a84fc230365a/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | $op1<br>$op2<br>[%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
| +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/43c9d899b5195f67a1ea52db0b28a84fc230365a/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | $xc1<br>$xc2<br>$xc3 |
| +CRITICAL | **[3P/sig_base/susp_xored_mozilla](https://github.com/Neo23x0/signature-base/blob/43c9d899b5195f67a1ea52db0b28a84fc230365a/yara/gen_xor_hunting.yar#L2-L20)** | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()), by Florian Roth | $xo1 |
| +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/30b0714fb761a364da49a1759fa36a61dbcd4908/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | $op1<br>$op2<br>[%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
| +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/30b0714fb761a364da49a1759fa36a61dbcd4908/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | $xc1<br>$xc2<br>$xc3 |
| +CRITICAL | **[3P/sig_base/susp_xored_mozilla](https://github.com/Neo23x0/signature-base/blob/30b0714fb761a364da49a1759fa36a61dbcd4908/yara/gen_xor_hunting.yar#L2-L20)** | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()), by Florian Roth | $xo1 |
| +CRITICAL | **[3P/volexity/iconic](https://github.com/volexity/threat-intel/blob/f5ecc7bce2475e6bd1038a807bca3e313640fdf3/2023/2023-03-30%203CX/indicators/rules.yar#L32-L50)** | [Detects the MACOS version of the ICONIC loader.](https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/), by [email protected] | $str1<br>$str2<br>$str3 |
| +CRITICAL | **[anti-static/xor/user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/xor/xor-user_agent.yara#xor_mozilla)** | XOR'ed user agent, often found in backdoors, by Florian Roth | [7UOTJ::$Mozilla_5_0](https://github.com/search?q=7%15%00%13%16%16%1BUOTJ%3A%3A%24Mozilla_5_0&type=code) |
| +CRITICAL | **[impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#lazarus_darwin_nsurl)** | executes programs, sets permissions, sleeps, makes HTTP requests | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code)<br>[chmod](https://github.com/search?q=chmod&type=code)<br>[flock](https://github.com/search?q=flock&type=code)<br>[gethostname](https://github.com/search?q=gethostname&type=code)<br>[localtime](https://github.com/search?q=localtime&type=code)<br>[pclose](https://github.com/search?q=pclose&type=code)<br>[popen](https://github.com/search?q=popen&type=code)<br>[rand](https://github.com/search?q=rand&type=code)<br>[sleep](https://github.com/search?q=sleep&type=code)<br>[sprintf](https://github.com/search?q=sprintf&type=code)<br>[strncpy](https://github.com/search?q=strncpy&type=code) |
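Review bot: Please confirm that the line anchors #L251-L275, #L188-L214 and #L2-L20 still land on 3cxdesktopapp_backdoor, nk_3cx_dylib and susp_xored_mozilla at the new signature-base commit 30b0714fb761a364da49a1759fa36a61dbcd4908: the three replaced rows differ from the three they replace only in the pinned commit (43c9d899b5195f67a1ea52db0b28a84fc230365a before), and the line ranges are carried over unchanged, so any upstream edit above one of those rules would shift its anchor without changing the rule name in the link text. Since the fixture embeds the upstream commit in every 3P/sig_base link, each third-party rule sync rewrites this expected-output file even when no detection changed; consider having the .mdiff comparison ignore the commit segment of the URL, or rendering the links at a stable ref, so fixture diffs only appear when the matched rules or evidence actually change.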
Binary file modified tests/macOS/2023.3CX/libffmpeg.decrease.mdiff