shellcromancer 

247 Followers
649 Following
263 Posts
Threat Detection & Response @ Brex; previously @Cloudflare. Hobbyist reverse engineer of 🍎/🐧 things. Dogs are obviously better than people.
Twitter: https://twitter.com/shellcromancer
Site: https://shellcromancer.io
GitHub: https://github.com/shellcromancer
Bluesky: https://bsky.app/profile/shellcromancer.io

Seems like people enjoyed reading Microsoft's 8-K filing (https://www.sec.gov/ix?doc=/Archives/edgar/data/789019/000119312524011295/d708866d8k.htm) on their Material Cybersecurity Incident and related blog post on Friday. If you want to stay in the loop, schedule this JavaScript in Cloudflare Workers, then send yourself webhooks/emails to know before your friends 🫡

https://gist.github.com/shellcromancer/2f0a5b400aaadf097f32226f9a6c0bc8

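As an added illustration of the monitoring idea in the post (this is not the linked gist, and it runs from cron or any scheduler rather than as a Cloudflare Worker): poll EDGAR's submissions feed for a company, pick out 8-K filings that carry Item 1.05 (the material cybersecurity incident item), and push anything new to a webhook. The schema assumptions, the placeholder User-Agent contact and the sample accession numbers are mine; only the CIK 789019 and the archive URL layout come from the link in the post.

```python
"""Poll SEC EDGAR for new 8-K filings that include Item 1.05 (material
cybersecurity incident) and push them to a webhook. Added example; it is not
the gist linked in the post.
Assumed, not from the post: data.sec.gov/submissions/CIK<10 digits>.json lists
recent filings as parallel arrays under filings.recent ("form", "items",
"filingDate", "accessionNumber", "primaryDocument"), with "items" a
comma-separated string such as "1.05,9.01", and the SEC expects a descriptive
User-Agent on automated requests.
"""
import json
import urllib.request

USER_AGENT = "example-8k-watch admin@example.invalid"  # placeholder contact
MATERIAL_INCIDENT_ITEM = "1.05"


def fetch_submissions(cik: str) -> dict:
    """Download the submissions JSON for one registrant (network call)."""
    url = f"https://data.sec.gov/submissions/CIK{int(cik):010d}.json"
    req = urllib.request.Request(url, headers={"User-Agent": USER_AGENT})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def filing_url(cik: str, accession: str, primary_doc: str) -> str:
    """EDGAR archive path: CIK without leading zeros, accession without dashes."""
    return (f"https://www.sec.gov/Archives/edgar/data/{int(cik)}/"
            f"{accession.replace('-', '')}/{primary_doc}")


def material_incident_filings(submissions: dict, seen: set) -> list:
    """Return unseen 8-K filings whose item list contains Item 1.05."""
    recent = submissions["filings"]["recent"]
    cik = submissions["cik"]
    hits = []
    for i, form in enumerate(recent["form"]):
        accession = recent["accessionNumber"][i]
        if form not in ("8-K", "8-K/A") or accession in seen:
            continue
        items = {s.strip() for s in recent["items"][i].split(",")}
        if MATERIAL_INCIDENT_ITEM not in items:
            continue
        hits.append({
            "accession": accession,
            "date": recent["filingDate"][i],
            "form": form,
            "url": filing_url(cik, accession, recent["primaryDocument"][i]),
        })
    return hits


def post_webhook(webhook_url: str, payload: dict) -> int:
    """POST one hit as JSON to the notification endpoint (network call)."""
    body = json.dumps(payload).encode()
    req = urllib.request.Request(
        webhook_url, data=body,
        headers={"Content-Type": "application/json", "User-Agent": USER_AGENT})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def run_once(cik: str, seen: set, webhook_url: str) -> list:
    """One scheduler tick: fetch, diff against `seen`, notify, remember."""
    hits = material_incident_filings(fetch_submissions(cik), seen)
    for hit in hits:
        post_webhook(webhook_url, hit)
        seen.add(hit["accession"])
    return hits


# Constructed sample in the assumed schema. CIK 789019 is the one in the post's
# link; accession numbers and document names are placeholders.
SAMPLE_SUBMISSIONS = {
    "cik": "789019",
    "filings": {"recent": {
        "form": ["10-Q", "8-K", "8-K"],
        "items": ["", "1.05,9.01", "5.02"],
        "filingDate": ["2024-01-10", "2024-01-19", "2024-01-22"],
        "accessionNumber": ["0000000000-24-000001",
                            "0000000000-24-000002",
                            "0000000000-24-000003"],
        "primaryDocument": ["q.htm", "example-8k.htm", "other-8k.htm"],
    }},
}

if __name__ == "__main__":
    for hit in material_incident_filings(SAMPLE_SUBMISSIONS, set()):
        print(hit)
```

The `seen` set is what keeps the job from re-alerting on every tick; persist it (a small file or KV store) between runs, and treat `8-K/A` amendments as separate filings since they get their own accession number.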

Excited to watch others journey and rules for #100DaysofYARA this year! Last year was a lot of learning fun, but this year I'm targeting a different learning goal (中文)! To kick off the repo for others this year I added a SwearEngine variant in Chinese

https://github.com/shellcromancer/Days-of-YARA-2024/commit/19a29b2c9759b30b93d19dfe3b886bcb8071dba1

feat: add swear_engine_f_cn · shellcromancer/Days-of-YARA-2024@19a29b2


New *OS releases (see https://support.apple.com/en-us/HT213814) from today include a mention of the Kaspersky team for CVE-2023-32434 so it seems like there was some level of 0-day with the Triangulation attack

https://infosec.exchange/@shellcromancer/110475554526797410

About the security content of iOS 16.5.1 and iPadOS 16.5.1


macOS Sonoma getting lit this year with new endpoint security events for users, groups, profiles, XPC, and more 🔥🍷🍾

https://developer.apple.com/documentation/endpointsecurity/endpointsecurity_structures?changes=latest_minor

EndpointSecurity Structures | Apple Developer Documentation


https://developer.apple.com/wwdc23/10266

MacOS environment constraints 👀

Protect your Mac app with environment constraints - WWDC23 - Videos - Apple Developer


> The expanded Lockdown Mode increases security to help protect against sophisticated cyber attacks. Turn it on across all your Apple devices, now including Apple Watch.
(https://www.apple.com/ios/ios-17-preview/)

Nice, wonder what exactly is expanded in iOS 17... new devices and new restrictions per device?

iOS 17 Preview


I was going to write a signature for Kotlin native executables this morning but this language is madness:

- instructions assume IntelliJ workflow ❌
- kotlin package doesn't include kotlinc-native compiler ❌
- requires JDK to compile (without using already installed openjdk) ❌
- building hello world chokes on xcode dependencies (xcode & xcode cli tools are installed) ❌

Not really sure why people choose this in 2023 😂 Are the votes in the 2022 Stack Overflow survey purchased? Objective-C and Swift are a delight in comparison

Day 9️⃣8️⃣ of #100DaysofYARA: The Spotlight search service on macOS tracks metadata like kMDItemWhereFroms to track where files come from, and clever adware like OSX.GENIEO will verify where they are downloaded from to evade analysis in sandboxes/virtual machines. 💡

Wrote up a rule for the "mdls" command being used to get this data from the Spotlight API as seen in Genieo, which flags a few GENIEO samples and helps hunt for more files using this technique. 👀

YARA: https://github.com/shellcromancer/DaysOfYARA-2023/blob/main/shellcromancer/info_macos_file_metadata.yar

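To make the metadata in this post concrete, here is an added Python helper (mine, not the post's YARA rule) that reads, writes and triages the kMDItemWhereFroms value. It assumes, as I understand the format, that the value is stored in the extended attribute `com.apple.metadata:kMDItemWhereFroms` as a binary plist array of URL strings (download URL first, referrer second) and that `xattr -px` prints it as hex on macOS; the parsing and triage functions themselves run anywhere.

```python
"""Read, write and classify Spotlight's kMDItemWhereFroms download-origin
metadata. Added example, not the post's YARA rule.
Assumptions (not from the post): the value lives in the extended attribute
com.apple.metadata:kMDItemWhereFroms as a binary plist array of URL strings
(download URL, then referrer), and `xattr -px` prints that value as hex.
"""
import plistlib
import subprocess
from urllib.parse import urlsplit

XATTR_NAME = "com.apple.metadata:kMDItemWhereFroms"


def parse_where_froms(raw: bytes) -> list:
    """Decode the attribute payload; anything that is not a list yields []."""
    if not raw:
        return []
    value = plistlib.loads(raw)
    return [str(u) for u in value] if isinstance(value, list) else []


def encode_where_froms(urls: list) -> bytes:
    """Inverse of parse_where_froms: the same binary plist layout."""
    return plistlib.dumps(list(urls), fmt=plistlib.FMT_BINARY)


def read_where_froms(path: str) -> list:
    """macOS only: pull the attribute with xattr; [] when it is absent."""
    out = subprocess.run(["xattr", "-px", XATTR_NAME, path],
                         capture_output=True, text=True)
    if out.returncode != 0:
        return []
    # xattr -px prints space/newline separated hex bytes
    return parse_where_froms(bytes.fromhex("".join(out.stdout.split())))


def write_where_froms(path: str, urls: list) -> bool:
    """macOS only: set the attribute, e.g. so a detonation sandbox presents a
    plausible download origin to samples that check it before running."""
    out = subprocess.run(
        ["xattr", "-wx", XATTR_NAME, encode_where_froms(urls).hex(), path])
    return out.returncode == 0


def classify_origin(urls: list, trusted_hosts: set) -> str:
    """Triage verdict: 'no-origin' (never downloaded, or attribute stripped),
    'trusted' when every URL host is in trusted_hosts, else 'untrusted'."""
    hosts = {urlsplit(u).hostname for u in urls}
    hosts.discard(None)
    if not hosts:
        return "no-origin"
    return "trusted" if hosts <= trusted_hosts else "untrusted"


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        urls = read_where_froms(p)
        print(p, urls, classify_origin(urls, {"example.invalid"}))
```

The `no-origin` verdict is the case the post describes: a sample dropped straight into a VM has no kMDItemWhereFroms at all, which is exactly what Genieo-style checks key on, so an analysis environment that wants the real behaviour needs the attribute present.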

Day 9️⃣6️⃣ of #100DaysofYARA: On macOS the built-in AppleScript editor comes with a feature to save scripts as an application bundle... let's look for these! 🤔

Turns out they're incredibly simple stubs that open the AppleScript component and dispatch to it. With a quick rule targeting the imports used for opening/dispatching we can see that these are used by both the OSAMiner and XCSSET malware families 👾

When you encounter these, look at the AppleScript instead at Contents/Resources/Scripts/*.scpt

YARA: https://github.com/shellcromancer/DaysOfYARA-2023/blob/main/shellcromancer/info_macos_scpt_applet.yar

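Following the advice above to go straight to the script, here is an added Python triage helper (mine, not the post's rule) that walks a directory for `.app` bundles, pulls out `Contents/Resources/Scripts/*.scpt`, locates the stub executable via `CFBundleExecutable`, and checks the compiled-script magic. The bundle layout is taken from the post; the `FasdUAS` magic and the `osadecompile` call are my additions, and the sample bundle it builds is constructed (its `.scpt` is a placeholder, not a real compiled script).

```python
"""Triage AppleScript applets (Script Editor's "save as Application") by
pulling out the script they carry. Added example; it is not the post's YARA
rule. Bundle layout assumed from the post: the compiled script sits in
Contents/Resources/Scripts/*.scpt and Contents/MacOS/<exe> is only a stub
that opens and dispatches to it.
"""
import os
import plistlib
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Compiled AppleScript (.scpt) files start with this magic; a file without it
# is not something osadecompile will read (assumption of this example).
SCPT_MAGIC = b"FasdUAS"


def applet_scripts(app_dir: Path) -> list:
    """Return the .scpt files an applet bundle dispatches to."""
    scripts = app_dir / "Contents" / "Resources" / "Scripts"
    return sorted(scripts.glob("*.scpt")) if scripts.is_dir() else []


def applet_executable(app_dir: Path) -> Optional[Path]:
    """Locate the stub binary via CFBundleExecutable in Info.plist."""
    info = app_dir / "Contents" / "Info.plist"
    if not info.is_file():
        return None
    with info.open("rb") as fh:
        name = plistlib.load(fh).get("CFBundleExecutable")
    if not name:
        return None
    exe = app_dir / "Contents" / "MacOS" / name
    return exe if exe.is_file() else None


def looks_compiled(scpt: Path) -> bool:
    """Cheap sanity check before handing the file to osadecompile."""
    with scpt.open("rb") as fh:
        return fh.read(len(SCPT_MAGIC)) == SCPT_MAGIC


def find_applets(root: str) -> list:
    """Walk `root` for .app bundles that carry a Scripts/*.scpt payload."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if not d.endswith(".app"):
                continue
            dirnames.remove(d)  # don't descend into the bundle itself
            app = Path(dirpath) / d
            scripts = applet_scripts(app)
            if scripts:
                found.append({
                    "app": str(app),
                    "executable": str(applet_executable(app) or ""),
                    "scripts": [str(s) for s in scripts],
                    "compiled": [looks_compiled(s) for s in scripts],
                })
    return found


def decompile(scpt: Path) -> str:
    """macOS only: osadecompile prints the AppleScript source of a .scpt."""
    out = subprocess.run(["osadecompile", str(scpt)],
                         capture_output=True, text=True)
    return out.stdout if out.returncode == 0 else ""


def make_sample_applet(base: str) -> Path:
    """Build a constructed applet-shaped bundle for the demo. The .scpt holds
    only the magic bytes, so decompile() would fail on it; it exists to show
    the layout find_applets() keys on."""
    app = Path(base) / "Sample.app"
    (app / "Contents" / "MacOS").mkdir(parents=True)
    (app / "Contents" / "Resources" / "Scripts").mkdir(parents=True)
    with (app / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": "applet"}, fh)
    (app / "Contents" / "MacOS" / "applet").write_bytes(b"stub")
    (app / "Contents" / "Resources" / "Scripts" / "main.scpt").write_bytes(
        SCPT_MAGIC + b" 1.101.10")
    return app


def demo() -> list:
    """Create the sample bundle in a temp dir and run the finder over it."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_applet(tmp)
        return find_applets(tmp)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real system point `find_applets()` at a downloads or applications directory and run `decompile()` on each reported script; the stub binary is the same for every applet, so the script is where the behaviour, and any hunting signal, actually lives.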

Day 9️⃣5️⃣ of #100DaysofYARA: Wrote a rule for @zhuowei's MacDirtyCowDemo based on the APIs it uses in the exploit and with some of the logging strings it uses. I was surprised how reliable it was at finding only genuine CVE-2022-46689 exploitation across a VT retrohunt 🎉

YARA: https://github.com/shellcromancer/DaysOfYARA-2023/blob/main/shellcromancer/exploit-cve-2022-46689.yar
