Drop user blocklist rule to high; add additional Bandit rules as well (#1037)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

rules/anti-behavior/blocklist/ip.yara

@@ -0,0 +1,70 @@
+rule common_ip_blocklist: high {
+  meta:
+    description = "avoids execution if host has particular IP address"
+    ref         = "https://www.zscaler.com/blogs/security-research/technical-analysis-bandit-stealer"
+
+  strings:
+    $ = "109.145.173.169" fullword
+    $ = "109.74.154.90" fullword
+    $ = "109.74.154.91" fullword
+    $ = "109.74.154.91" fullword
+    $ = "109.74.154.92" fullword
+    $ = "178.239.165.70" fullword
+    $ = "188.105.91.116" fullword
+    $ = "188.105.91.143" fullword
+    $ = "188.105.91.173" fullword
+    $ = "192.211.110.74" fullword
+    $ = "192.40.57.234" fullword
+    $ = "192.87.28.103" fullword
+    $ = "193.128.114.45" fullword
+    $ = "193.225.193.201" fullword
+    $ = "194.154.78.160" fullword
+    $ = "195.181.175.105" fullword
+    $ = "195.239.51.3" fullword
+    $ = "195.239.51.59" fullword
+    $ = "195.74.76.222" fullword
+    $ = "20.99.160.173" fullword
+    $ = "212.119.227.151" fullword
+    $ = "212.119.227.167" fullword
+    $ = "213.33.142.50" fullword
+    $ = "23.128.248.46" fullword
+    $ = "34.105.0.27" fullword
+    $ = "34.105.183.68" fullword
+    $ = "34.105.72.241" fullword
+    $ = "34.138.96.23" fullword
+    $ = "34.141.146.114" fullword
+    $ = "34.141.245.25" fullword
+    $ = "34.142.74.220" fullword
+    $ = "34.145.195.58" fullword
+    $ = "34.145.89.174" fullword
+    $ = "34.253.248.228" fullword
+    $ = "34.83.46.130" fullword
+    $ = "34.85.243.241" fullword
+    $ = "34.85.253.170" fullword
+    $ = "35.192.93.107" fullword
+    $ = "35.199.6.13" fullword
+    $ = "35.229.69.227" fullword
+    $ = "35.237.47.12" fullword
+    $ = "64.124.12.162" fullword
+    $ = "78.139.8.50" fullword
+    $ = "79.104.209.33" fullword
+    $ = "80.211.0.97" fullword
+    $ = "84.147.54.113" fullword
+    $ = "84.147.62.12" fullword
+    $ = "87.166.50.213" fullword
+    $ = "88.132.225.100" fullword
+    $ = "88.132.226.203" fullword
+    $ = "88.132.227.238" fullword
+    $ = "88.132.231.71" fullword
+    $ = "88.153.199.169" fullword
+    $ = "92.211.109.160" fullword
+    $ = "92.211.192.144" fullword
+    $ = "92.211.52.62" fullword
+    $ = "92.211.55.199" fullword
+    $ = "93.216.75.209" fullword
+    $ = "95.25.204.90" fullword
+    $ = "95.25.81.24" fullword
+
+  condition:
+    2 of them
+}

rules/anti-behavior/blocklist/mac_addr.yara

@@ -152,3 +152,111 @@ rule common_mac_addr_blocklist: critical {
   condition:
     2 of them
 }
+
+rule common_hardware_id_blocklist: high {
+  meta:
+    description = "avoids execution if host has particular hardware ID"
+    ref         = "https://www.zscaler.com/blogs/security-research/technical-analysis-bandit-stealer"
+
+  strings:
+    $ = "00000000-0000-0000-0000-000000000000" fullword
+    $ = "00000000-0000-0000-0000-50E5493391EF" fullword
+    $ = "00000000-0000-0000-0000-AC1F6BD048FE" fullword
+    $ = "00000000-0000-0000-0000-AC1F6BD04972" fullword
+    $ = "00000000-0000-0000-0000-AC1F6BD04986" fullword
+    $ = "00000000-0000-0000-0000-AC1F6BD04D98" fullword
+    $ = "02AD9898-FA37-11EB-AC55-1D0C0A67EA8A" fullword
+    $ = "032E02B4-0499-05C3-0806-3C0700080009" fullword
+    $ = "03DE0294-0480-05DE-1A06-350700080009" fullword
+    $ = "050C3342-FADD-AEDF-EF24-C6454E1A73C9" fullword
+    $ = "05790C00-3B21-11EA-8000-3CECEF4400D0" fullword
+    $ = "07E42E42-F43D-3E1C-1C6B-9C7AC120F3B9" fullword
+    $ = "08C1E400-3C56-11EA-8000-3CECEF43FEDE" fullword
+    $ = "0934E336-72E4-4E6A-B3E5-383BD8E938C3" fullword
+    $ = "11111111-2222-3333-4444-555555555555" fullword
+    $ = "119602E8-92F9-BD4B-8979-DA682276D385" fullword
+    $ = "12204D56-28C0-AB03-51B7-44A8B7525250" fullword
+    $ = "12EE3342-87A2-32DE-A390-4C2DA4D512E9" fullword
+    $ = "1D4D3342-D6C4-710C-98A3-9CC6571234D5" fullword
+    $ = "2DD1B176-C043-49A4-830F-C623FFB88F3C" fullword
+    $ = "2E6FB594-9D55-4424-8E74-CE25A25E36B0" fullword
+    $ = "365B4000-3B25-11EA-8000-3CECEF44010C" fullword
+    $ = "38813342-D7D0-DFC8-C56F-7FC9DFE5C972" fullword
+    $ = "38AB3342-66B0-7175-0B23-F390B3728B78" fullword
+    $ = "3A9F3342-D1F2-DF37-68AE-C10F60BFB462" fullword
+    $ = "3F284CA4-8BDF-489B-A273-41B44D668F6D" fullword
+    $ = "3F3C58D1-B4F2-4019-B2A2-2A500E96AF2E" fullword
+    $ = "42A82042-3F13-512F-5E3D-6BF4FFFD8518" fullword
+    $ = "44B94D56-65AB-DC02-86A0-98143A7423BF" fullword
+    $ = "4729AEB0-FC07-11E3-9673-CE39E79C8A00" fullword
+    $ = "48941AE9-D52F-11DF-BBDA-503734826431" fullword
+    $ = "49434D53-0200-9036-2500-369025000C65" fullword
+    $ = "49434D53-0200-9036-2500-369025003865" fullword
+    $ = "49434D53-0200-9036-2500-369025003AF0" fullword
+    $ = "49434D53-0200-9036-2500-36902500F022" fullword
+    $ = "49434D53-0200-9065-2500-65902500E439" fullword
+    $ = "4C4C4544-0050-3710-8058-CAC04F59344A" fullword
+    $ = "4CB82042-BA8F-1748-C941-363C391CA7F3" fullword
+    $ = "4D4DDC94-E06C-44F4-95FE-33A1ADA5AC27" fullword
+    $ = "4DC32042-E601-F329-21C1-03F27564FD6C" fullword
+    $ = "5BD24D56-789F-8468-7CDC-CAA7222CC121" fullword
+    $ = "5E3E7FE0-2636-4CB7-84F5-8D2650FFEC0E" fullword
+    $ = "5EBD2E42-1DB8-78A6-0EC3-031B661D5C57" fullword
+    $ = "60C83342-0A97-928D-7316-5F1080A78E72" fullword
+    $ = "63203342-0EB0-AA1A-4DF5-3FB37DBB0670" fullword
+    $ = "63FA3342-31C7-4E8E-8089-DAFF6CE5E967" fullword
+    $ = "6608003F-ECE4-494E-B07E-1C4615D1D93C" fullword
+    $ = "67E595EB-54AC-4FF0-B5E3-3DA7C7B547E3" fullword
+    $ = "6ECEAF72-3548-476C-BD8D-73134A9182C8" fullword
+    $ = "6F3CA5EC-BEC9-4A4D-8274-11168F640058" fullword
+    $ = "777D84B3-88D1-451C-93E4-D235177420A7" fullword
+    $ = "79AF5279-16CF-4094-9758-F88A616D81B4" fullword
+    $ = "7AB5C494-39F5-4941-9163-47F54D6D5016" fullword
+    $ = "84FE3342-6C67-5FC6-5639-9B3CA3D775A1" fullword
+    $ = "88DC3342-12E6-7D62-B0AE-C80E578E7B07" fullword
+    $ = "8B4E8278-525C-7343-B825-280AEBCD3BCB" fullword
+    $ = "8DA62042-8B59-B4E3-D232-38B29A10964A" fullword
+    $ = "907A2A79-7116-4CB6-9FA5-E5A58C4587CD" fullword
+    $ = "921E2042-70D3-F9F1-8CBD-B398A21F89C6" fullword
+    $ = "96BB3342-6335-0FA8-BA29-E1BA5D8FEFBE" fullword
+    $ = "9921DE3A-5C1A-DF11-9078-563412000026" fullword
+    $ = "9C6D1742-046D-BC94-ED09-C36F70CC9A91" fullword
+    $ = "A15A930C-8251-9645-AF63-E45AD728C20C" fullword
+    $ = "A7721742-BE24-8A1C-B859-D7F8251A83D3" fullword
+    $ = "A9C83342-4800-0578-1EE8-BA26D2A678D2" fullword
+    $ = "ACA69200-3C4C-11EA-8000-3CECEF4401AA" fullword
+    $ = "ADEEEE9E-EF0A-6B84-B14B-B83A54AFC548" fullword
+    $ = "AF1B2042-4B90-0000-A4E4-632A1C8C7EB1" fullword
+    $ = "B1112042-52E8-E25B-3655-6A4F54155DBF" fullword
+    $ = "B6464A2B-92C7-4B95-A2D0-E5410081B812" fullword
+    $ = "BB233342-2E01-718F-D4A1-E7F69D026428" fullword
+    $ = "BB64E044-87BA-C847-BC0A-C797D1A16A50" fullword
+    $ = "BE784D56-81F5-2C8D-9D4B-5AB56F05D86E" fullword
+    $ = "C249957A-AA08-4B21-933F-9271BEC63C85" fullword
+    $ = "C6B32042-4EC3-6FDF-C725-6F63914DA7C7" fullword
+    $ = "C7D23342-A5D4-68A1-59AC-CF40F735B363" fullword
+    $ = "CC5B3F62-2A04-4D2E-A46C-AA41B7050712" fullword
+    $ = "CE352E42-9339-8484-293A-BD50CDC639A5" fullword
+    $ = "CEFC836C-8CB1-45A6-ADD7-209085EE2A57" fullword
+    $ = "CF1BE00F-4AAF-455E-8DCD-B5B09B6BFA8F" fullword
+    $ = "D2DC3342-396C-6737-A8F6-0C6673C1DE08" fullword
+    $ = "D7382042-00A0-A6F0-1E51-FD1BBF06CD71" fullword
+    $ = "D8C30328-1B06-4611-8E3C-E433F4F9794E" fullword
+    $ = "D9142042-8F51-5EFF-D5F8-EE9AE3D1602A" fullword
+    $ = "DBC22E42-59F7-1329-D9F2-E78A2EE5BD0D" fullword
+    $ = "DBCC3514-FA57-477D-9D1F-1CAF4CC92D0F" fullword
+    $ = "DD9C3342-FB80-9A31-EB04-5794E5AE2B4C" fullword
+    $ = "DEAEB8CE-A573-9F48-BD40-62ED6C223F20" fullword
+    $ = "E08DE9AA-C704-4261-B32D-57B2A3993518" fullword
+    $ = "EADD1742-4807-00A0-F92E-CCD933E9D8C1" fullword
+    $ = "EB16924B-FB6D-4FA1-8666-17B91F62FB37" fullword
+    $ = "F5744000-3C78-11EA-8000-3CECEF43FEFE" fullword
+    $ = "FA8C2042-205D-13B0-FCB5-C5CC55577A35" fullword
+    $ = "FCE23342-91F1-EAFC-BA97-5AAE4509E173" fullword
+    $ = "FE455D1A-BE27-4BA4-96C8-967A6D3A9661" fullword
+    $ = "FED63342-E0D6-C669-D53F-253D696D74DA" fullword
+    $ = "FF577B79-782E-0A4D-8568-B35A9B7EB76B" fullword
+
+  condition:
+    2 of them
+}

rules/anti-behavior/blocklist/user.yara

@@ -1,4 +1,4 @@
-rule common_username_block_list: critical {
+rule common_username_block_list: high {
   meta:
     description = "avoids execution if user has a particular name"
     ref         = "https://www.zscaler.com/blogs/security-research/technical-analysis-bandit-stealer"
@@ -37,21 +37,6 @@ rule common_username_block_list: critical {
     $ = "test" fullword
     $ = "w0fjuOVmCcP5A" fullword
 
-    $not_grafana1   = "self.webpackChunkgrafana=self.webpackChunkgrafana||[]"
-    $not_grafana2   = "The Grafana LLM plugin is not installed."
-    $not_grafana3   = "grafana.debug.scenes"
-    $not_jitsu      = "jitsu.com"
-    $not_redpanda   = "redpanda"
-    $not_sqlmetal1  = "sqlmetal"
-    $not_sqlmetal2  = "asqlmetal_test_net_2_0, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c5753d8c47f40083f549016a5711238ac8ec297605abccd3dc4b6d0f280b4764eb2cc58ec4e37831edad7e7a07b8fe4a9cbb059374c0cc047aa28839fed7176761813caf6a2ffa0bff9afb50ead56dd3f56186a663962a12b830c2a70eb70ec77823eb5750e5bdef9e01d097c30b5c5463c3d07d3472b58e4c02f2792309259f"
-    $not_sqlmetal3  = "asqlmetal_test_net_4_0, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c5753d8c47f40083f549016a5711238ac8ec297605abccd3dc4b6d0f280b4764eb2cc58ec4e37831edad7e7a07b8fe4a9cbb059374c0cc047aa28839fed7176761813caf6a2ffa0bff9afb50ead56dd3f56186a663962a12b830c2a70eb70ec77823eb5750e5bdef9e01d097c30b5c5463c3d07d3472b58e4c02f2792309259f"
-    $not_wireshark  = "wireshark.org"
-    $gpt_tokenizer1 = "GPTTokenizer"
-    $gpt_tokenizer2 = "GPT-4"
-    $gpt_tokenizer3 = "const bpe = c0.concat();"
-    $gpt_tokenizer4 = "const bpe = c0.concat(c1);"
-    $gpt_tokenizer5 = "export default bpe;"
-
   condition:
-    8 of them and none of ($not*) and none of ($gpt_tokenizer*)
+    12 of them
 }

rules/false_positives/faker.yara

@@ -1,5 +1,4 @@
 # javascript/clean/faker.js: medium
-anti-behavior/blocklist/user: low
 anti-behavior/random_behavior: low
 anti-static/obfuscation/js: medium
 anti-static/obfuscation/math: medium

tests/javascript/clean/faker.js.simple

@@ -1,5 +1,4 @@
 # javascript/clean/faker.min.js: medium
-anti-behavior/blocklist/user: low
 anti-behavior/random_behavior: low
 anti-static/obfuscation/js: medium
 anti-static/obfuscation/obfuscate: low

tests/javascript/clean/faker.min.js.simple

@@ -2,7 +2,7 @@
 3P/elastic/infostealer_wallets: critical
 anti-behavior/blocklist/hostname: critical
 anti-behavior/blocklist/mac_addr: critical
-anti-behavior/blocklist/user: critical
+anti-behavior/blocklist/user: high
 anti-behavior/random_behavior: low
 c2/addr/discord: medium
 c2/addr/telegram: medium