As of last night not detected by antivirus, but an easy indicator is to check which DNS servers your clients are using.
Here’s the relevance for the property I added to my Mac Security analysis this morning:
exists lines whose (it contains "82.163.143.135" OR it contains "82.163.142.137") of file "/etc/resolv.conf"
I added that here as well: FYI new MacOS 0 day exploit
exists (it as trimmed string) whose(it contains "82.163.143.135" OR it contains "82.163.142.137") of following texts of firsts "nameserver " of lines containing "nameserver " of files "/etc/resolv.conf"
I was trying to figure out if there was another way to read the Mac’s DNS server settings, but I didn’t take the time to go diving into the IORegistry Explorer.
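The DNS-server indicator check from the posts above, written as a shell function. This is an added example and not code from the thread: it compares whole addresses instead of substrings, skips commented-out lines, and also accepts `scutil --dns` output. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: exact-match check of configured DNS resolvers against the
# two addresses quoted in the thread.
ROGUE_DNS="82.163.143.135 82.163.142.137"

# Constructed sample input (not from a real host): mixes resolv.conf lines
# with the "nameserver[N] : addr" form printed by `scutil --dns`.
SAMPLE='# nameserver 82.163.143.135
nameserver 182.163.143.135
nameserver 82.163.142.137
  nameserver[0] : 82.163.143.135
nameserver 10.0.0.1'

# Read resolver configuration on stdin, print each configured address once.
# Commented-out lines never match because their first field is not
# "nameserver".
list_nameservers() {
    awk '
        $1 == "nameserver" && NF >= 2 { print $2; next }
        $1 ~ /^nameserver\[[0-9]+\]$/ && $2 == ":" && NF >= 3 { print $3 }
    ' | sort -u
}

# Print resolvers that equal an indicator exactly; exit status 0 if any found.
find_rogue_dns() {
    found=1
    for ns in $(list_nameservers); do
        for bad in $ROGUE_DNS; do
            if [ "$ns" = "$bad" ]; then
                echo "$ns"
                found=0
            fi
        done
    done
    return $found
}

# On a Mac: find_rogue_dns < /etc/resolv.conf   or   scutil --dns | find_rogue_dns
printf '%s\n' "$SAMPLE" | find_rogue_dns
```

In the sample, the commented-out line and `182.163.143.135` are not reported, although a plain substring test on the whole file would match both.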
Off topic, but I didn’t know about lines containing. Is that just another way to do lines whose (it contains <string>) or is there something special about it?
Essentially yes, but it should be slightly faster, but I think it might be case sensitive.
I often do something like this:
lines containing "merica" whose(it as lowercase starts with "america") of files "whatever.txt"
If I want a line that starts with america or America but not aMerica.
An alternative would be:
lines whose(it as lowercase starts with "america") of files "whatever.txt"
BUT this would match on aMerica which I may or may not want. Also, in this case, all lines of the file get processed by the whose clause, which isn’t the case with lines containing.