From 49d2451b6a85d22123a70c0b6f1d870fe3a5e48f Mon Sep 17 00:00:00 2001
From: Samson <66468924+SamsonIdowu@users.noreply.github.com>
Date: Fri, 27 Jun 2025 11:33:12 +0100
Subject: [PATCH 1/2] conflict checker

---
 rules/demo_rule2.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 rules/demo_rule2.xml

diff --git a/rules/demo_rule2.xml b/rules/demo_rule2.xml
new file mode 100644
index 0000000..62d4cb5
--- /dev/null
+++ b/rules/demo_rule2.xml
@@ -0,0 +1,60 @@
+<group name="malware,frigidstealer,">
+
+<!-- Initial execution -->
+  <rule id="100101" level="11">
+    <decoded_as>macOS_ddaolimaki-daunito</decoded_as>
+    <match type="pcre2">(?i)app being registered is:(".*ddaolimaki-daunito")</match>
+    <description>Possible FrigidStealer malware detected at $(executable_path)</description>
+    <mitre>
+      <id>T1204</id>
+    </mitre>
+  </rule>
+
+<!-- DNS query -->
+  <rule id="100102" level="11" frequency="2" ignore="60">
+    <decoded_as>macOS_mDNSResponder</decoded_as>
+    <field name="program_type" type="pcre2">DNSServiceQueryRecord</field>
+    <field name="process_name" type="pcre2">ddaolimaki.*</field>
+    <description>FrigidStealer malware is making a suspicious DNS query to $(hash). Possible data exfiltration to C2 server.</description>
+    <mitre>
+      <id>T1105</id>
+      <id>T1041</id>
+      <id>T1071.004</id>
+    </mitre>
+  </rule>
+
+<!-- Data exfiltration -->
+  <rule id="100103" level="11">
+    <decoded_as>macOS_ddaolimaki-daunito</decoded_as>
+    <field name="executable_url" type="pcre2">.*Finder</field>
+    <field name="sender_identity" type="pcre2">.*</field>
+    <description>FrigidStealer malware (ddaolimaki-daunito) is attempting to use Apple Events, potentially for unauthorized inter-process communication or data exfiltration.</description>
+    <mitre>
+      <id>T1543</id>
+      <id>T1055</id>
+      <id>T1559</id>
+    </mitre>
+  </rule>
+
+<!-- Process termination -->
+  <rule id="100104" level="11">
+    <match type="pcre2">(?i)Removed job for.*ddaolimaki.*</match>
+    <description>FrigidStealer malware process terminated after data exfiltration.</description>
+    <mitre>
+      <id>T1489</id>
+    </mitre>
+  </rule>
+
+<!-- Persistence -->
+  <rule id="100105" level="11">
+    <decoded_as>macOS_launchservicesd</decoded_as>
+    <match type="pcre2">(?i)(?i)"LSBundlePath"="(.*Safari Updater.app)"</match>
+    <field name="application_type" type="pcre2">Foreground</field>
+    <field name="bundle_id" type="pcre2">com.wails.ddaolimaki-daunito</field>
+    <description>Possible FrigidStealer malware running in $(application_type)</description>
+    <mitre>
+      <id>T1541</id>
+    </mitre>
+  </rule>
+
+</group>
\ No newline at end of file

From bbe5d0f452a848737b356fc5e3bb592b3e8ddf0b Mon Sep 17 00:00:00 2001
From: Samson <66468924+SamsonIdowu@users.noreply.github.com>
Date: Fri, 27 Jun 2025 12:02:26 +0100
Subject: [PATCH 2/2] Purge repo

---
 decoders/demo_decoder.xml | 59 --------------------------------------
 rules/demo_rule.xml       | 60 ---------------------------------------
 rules/demo_rule2.xml      | 60 ---------------------------------------
 3 files changed, 179 deletions(-)
 delete mode 100644 decoders/demo_decoder.xml
 delete mode 100644 rules/demo_rule.xml
 delete mode 100644 rules/demo_rule2.xml

diff --git a/decoders/demo_decoder.xml b/decoders/demo_decoder.xml
deleted file mode 100644
index d2c710d..0000000
--- a/decoders/demo_decoder.xml
+++ /dev/null
@@ -1,59 +0,0 @@
-<decoder name="macOS_launchservicesd">
-  <program_name>^launchservicesd</program_name>
-</decoder>
-
-<decoder name="macOS_ddaolimaki-daunito">
-  <program_name>^ddaolimaki</program_name>
-</decoder>
-
-<decoder name="macOS_mDNSResponder">
-  <program_name>^mDNSResponder</program_name>
-</decoder>
-
-<decoder name="macOS_launchservicesd_child">
-  <parent>macOS_launchservicesd</parent>
-  <regex type="pcre2">\[com\.apple\.launchservices:(\w+)\]\s*DEATH: Removing app App:"ddaolimaki-daunito"\s*asn:([0-9a-fx-]+)\s*pid:(\d+)</regex>
-  <order>subsystem_category,asn,pid</order>
-</decoder>
-
-<decoder name="macOS_launchservicesd_child">
-  <parent>macOS_launchservicesd</parent>
-  <regex type="pcre2">\[com\.apple\.launchservices:(\w+)\]\s*ADDING { "CFBundleExecutablePath"="([^"]+)", "CFBundleVersion"=[^,]+, "LSBundlePath"="([^"]+)", "ApplicationType"="(\w+)"[^}]+?"pid"=(\d+), "CFBundleIdentifier"="([^"]+)"</regex>  
-  <order>subsystem_category,executable_path,bundle_path,application_type,pid,bundle_id</order>
-</decoder>
-
-<decoder name="macOS_ddaolimaki-daunito_child">
-  <parent>macOS_ddaolimaki-daunito</parent>
-  <regex type="pcre2">\(LaunchServices\)\s*\[com\.apple\.launchservices:(\w+)\]\s*LSApplicationCheckIn\(\)\s*,\s*app\s+being\s+registered\s+is:"([^"]+)"</regex>
-  <order>category,executable_path</order>
-</decoder>
-
-<decoder name="macOS_ddaolimaki-daunito_child">
-  <parent>macOS_ddaolimaki-daunito</parent>
-  <regex type="pcre2">\(AE\)\s*\[com\.apple\.appleevents:(\w+)\]\s*eEntitlements\s*,\s*token\s*(\d+\/\d+), designatedCodeReq = {[^}]+, "kTCCCodeIdentityCanSendToAnyTarget"=(\w+), "kTCCCodeIdentityCSFlags"=(\d+), "kTCCCodeIdentityDesignatedRequirementData"=\$[A-F0-9]+, "kTCCCodeIdentityExecutableURL"="([^"]+)", "kTCCCodeIdentityIdentifier"="([^"]+)", "kTCCCodeIdentityIdentifierType"=\d+, "kTCCCodeIdentityPlatformType"=\d+, "kTCCCodeIdentityPromptPolicy"=(\d+)</regex>
-  <order>subsystem_category,token,can_send_to_any_target,cs_flags,executable_url,sender_identity,prompt_policy</order>
-</decoder>
-
-<decoder name="macOS_ddaolimaki_daunito_child">
-  <parent>macOS_ddaolimaki-daunito</parent>
-  <regex type="pcre2">\(LaunchServices\)\s*\[com\.apple\.launchservices:(\w+)\]\s*CFDictionaryRef copyApplicationInformationDictionaryGivenASNUsingLocalCache\(LSSharedMemoryPageConstRef, LSASNRef\)\(\), information in shared memory with seed \d+ was still valid, so using cached info {[^}]+?"CFBundleExecutablePath"="([^"]+)"[^}]+?"LSBundlePath"="([^"]+)"[^}]+?"ApplicationType"="(\w+)"[^}]+?"LSASN"=([A-Za-z0-9:.-]+)[^}]+?"LSLaunchedWithLaunchD"=(\w+)</regex>
-  <order>subsystem_category,executable_path,bundle_path,application_type,asn,launched_with_launchd</order>
-</decoder>
-
-<decoder name="macOS_ddaolimaki_daunito_child">
-  <parent>macOS_ddaolimaki-daunito</parent>
-  <regex type="pcre2">\(RunningBoardServices\)\s*\[com\.apple\.runningboard:(\w+)\]\s*Identity resolved as app\<application\.(com\.wails\.ddaolimaki-daunito)\.\d+\.\d+\((\d+)\)\></regex>
-  <order>subsystem_category,bundle_id,uid</order>
-</decoder>
-
-<decoder name="macOS_loginwindow">
-  <parent>macOS_loginwindow</parent>
-  <regex type="pcre2">\[com\.apple\.loginwindow\.logging:(\w+)\]\s*-\[PersistentAppsSupport saveLogoutPersistentState:finalSnapshot:\]\s*\|\s*previouslyRunningApps:\s*\(\s*{\s*BackgroundState\s*=\s*(\d+);\s*BundleID\s*=\s*"([^"]+)";\s*Hide\s*=\s*\d+;\s*Path\s*=\s*"([^"]+)";\s*</regex>
-  <order>subsystem_category,background_state,bundle_id,path</order>
-</decoder>
-
-<decoder name="macOS_mDNSResponder_child">
-  <parent>macOS_mDNSResponder</parent>
-  <regex type="pcre2">(?i)(DNSServiceQueryRecord).*mask\.hash: '(\S+)'.*PID\[(\d+)\].(\S+)\)</regex>
-  <order>program_type,hash,pid,process_name</order>
-</decoder>
\ No newline at end of file
diff --git a/rules/demo_rule.xml b/rules/demo_rule.xml
deleted file mode 100644
index 62d4cb5..0000000
--- a/rules/demo_rule.xml
+++ /dev/null
@@ -1,60 +0,0 @@
-<group name="malware,frigidstealer,">
-
-<!-- Initial execution -->
-  <rule id="100101" level="11">
-    <decoded_as>macOS_ddaolimaki-daunito</decoded_as>
-    <match type="pcre2">(?i)app being registered is:(".*ddaolimaki-daunito")</match>
-    <description>Possible FrigidStealer malware detected at $(executable_path)</description>
-    <mitre>
-      <id>T1204</id>
-    </mitre>
-  </rule>
-
-<!-- DNS query -->
-  <rule id="100102" level="11" frequency="2" ignore="60">
-    <decoded_as>macOS_mDNSResponder</decoded_as>
-    <field name="program_type" type="pcre2">DNSServiceQueryRecord</field>
-    <field name="process_name" type="pcre2">ddaolimaki.*</field>
-    <description>FrigidStealer malware is making a suspicious DNS query to $(hash). Possible data exfiltration to C2 server.</description>
-    <mitre>
-      <id>T1105</id>
-      <id>T1041</id>
-      <id>T1071.004</id>
-    </mitre>
-  </rule>
-
-<!-- Data exfiltration -->
-  <rule id="100103" level="11">
-    <decoded_as>macOS_ddaolimaki-daunito</decoded_as>
-    <field name="executable_url" type="pcre2">.*Finder</field>
-    <field name="sender_identity" type="pcre2">.*</field>
-    <description>FrigidStealer malware (ddaolimaki-daunito) is attempting to use Apple Events, potentially for unauthorized inter-process communication or data exfiltration.</description>
-    <mitre>
-      <id>T1543</id>
-      <id>T1055</id>
-      <id>T1559</id>
-    </mitre>
-  </rule>
-
-<!-- Process termination -->
-  <rule id="100104" level="11">
-    <match type="pcre2">(?i)Removed job for.*ddaolimaki.*</match>
-    <description>FrigidStealer malware process terminated after data exfiltration.</description>
-    <mitre>
-      <id>T1489</id>
-    </mitre>
-  </rule>
-
-<!-- Persistence -->
-  <rule id="100105" level="11">
-    <decoded_as>macOS_launchservicesd</decoded_as>
-    <match type="pcre2">(?i)(?i)"LSBundlePath"="(.*Safari Updater.app)"</match>
-    <field name="application_type" type="pcre2">Foreground</field>
-    <field name="bundle_id" type="pcre2">com.wails.ddaolimaki-daunito</field>
-    <description>Possible FrigidStealer malware running in $(application_type)</description>
-    <mitre>
-      <id>T1541</id>
-    </mitre>
-  </rule>
-
-</group>
\ No newline at end of file
diff --git a/rules/demo_rule2.xml b/rules/demo_rule2.xml
deleted file mode 100644
index 62d4cb5..0000000
--- a/rules/demo_rule2.xml
+++ /dev/null
@@ -1,60 +0,0 @@
-<group name="malware,frigidstealer,">
-
-<!-- Initial execution -->
-  <rule id="100101" level="11">
-    <decoded_as>macOS_ddaolimaki-daunito</decoded_as>
-    <match type="pcre2">(?i)app being registered is:(".*ddaolimaki-daunito")</match>
-    <description>Possible FrigidStealer malware detected at $(executable_path)</description>
-    <mitre>
-      <id>T1204</id>
-    </mitre>
-  </rule>
-
-<!-- DNS query -->
-  <rule id="100102" level="11" frequency="2" ignore="60">
-    <decoded_as>macOS_mDNSResponder</decoded_as>
-    <field name="program_type" type="pcre2">DNSServiceQueryRecord</field>
-    <field name="process_name" type="pcre2">ddaolimaki.*</field>
-    <description>FrigidStealer malware is making a suspicious DNS query to $(hash). Possible data exfiltration to C2 server.</description>
-    <mitre>
-      <id>T1105</id>
-      <id>T1041</id>
-      <id>T1071.004</id>
-    </mitre>
-  </rule>
-
-<!-- Data exfiltration -->
-  <rule id="100103" level="11">
-    <decoded_as>macOS_ddaolimaki-daunito</decoded_as>
-    <field name="executable_url" type="pcre2">.*Finder</field>
-    <field name="sender_identity" type="pcre2">.*</field>
-    <description>FrigidStealer malware (ddaolimaki-daunito) is attempting to use Apple Events, potentially for unauthorized inter-process communication or data exfiltration.</description>
-    <mitre>
-      <id>T1543</id>
-      <id>T1055</id>
-      <id>T1559</id>
-    </mitre>
-  </rule>
-
-<!-- Process termination -->
-  <rule id="100104" level="11">
-    <match type="pcre2">(?i)Removed job for.*ddaolimaki.*</match>
-    <description>FrigidStealer malware process terminated after data exfiltration.</description>
-    <mitre>
-      <id>T1489</id>
-    </mitre>
-  </rule>
-
-<!-- Persistence -->
-  <rule id="100105" level="11">
-    <decoded_as>macOS_launchservicesd</decoded_as>
-    <match type="pcre2">(?i)(?i)"LSBundlePath"="(.*Safari Updater.app)"</match>
-    <field name="application_type" type="pcre2">Foreground</field>
-    <field name="bundle_id" type="pcre2">com.wails.ddaolimaki-daunito</field>
-    <description>Possible FrigidStealer malware running in $(application_type)</description>
-    <mitre>
-      <id>T1541</id>
-    </mitre>
-  </rule>
-
-</group>
\ No newline at end of file