2025/06/04 false positive reduction

egibs · egibs · commit f22018b2ce09 · 2025-06-04T07:31:48.000-05:00
Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;
diff --git a/rules/anti-behavior/blocklist/user.yara b/rules/anti-behavior/blocklist/user.yara
@@ -37,13 +37,18 @@ rule common_username_block_list: critical {
     $ = "test" fullword
     $ = "w0fjuOVmCcP5A" fullword
 
-    $not_grafana1  = "self.webpackChunkgrafana=self.webpackChunkgrafana||[]"
-    $not_grafana2  = "The Grafana LLM plugin is not installed."
-    $not_grafana3  = "grafana.debug.scenes"
-    $not_jitsu     = "jitsu.com"
-    $not_redpanda  = "redpanda"
-    $not_wireshark = "wireshark.org"
+    $not_grafana1   = "self.webpackChunkgrafana=self.webpackChunkgrafana||[]"
+    $not_grafana2   = "The Grafana LLM plugin is not installed."
+    $not_grafana3   = "grafana.debug.scenes"
+    $not_jitsu      = "jitsu.com"
+    $not_redpanda   = "redpanda"
+    $not_sqlmetal1  = "sqlmetal"
+    $not_sqlmetal2  = "asqlmetal_test_net_2_0, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c5753d8c47f40083f549016a5711238ac8ec297605abccd3dc4b6d0f280b4764eb2cc58ec4e37831edad7e7a07b8fe4a9cbb059374c0cc047aa28839fed7176761813caf6a2ffa0bff9afb50ead56dd3f56186a663962a12b830c2a70eb70ec77823eb5750e5bdef9e01d097c30b5c5463c3d07d3472b58e4c02f2792309259f"
+    $not_sqlmetal3  = "asqlmetal_test_net_4_0, PublicKey=0024000004800000940000000602000000240000525341310004000001000100c5753d8c47f40083f549016a5711238ac8ec297605abccd3dc4b6d0f280b4764eb2cc58ec4e37831edad7e7a07b8fe4a9cbb059374c0cc047aa28839fed7176761813caf6a2ffa0bff9afb50ead56dd3f56186a663962a12b830c2a70eb70ec77823eb5750e5bdef9e01d097c30b5c5463c3d07d3472b58e4c02f2792309259f"
+    $not_wireshark  = "wireshark.org"
+    $gpt_tokenizer1 = "GPTTokenizer"
+    $gpt_tokenizer2 = "GPT-4"
 
   condition:
-    8 of them and none of ($not*)
+    8 of them and none of ($not*) and (#gpt_tokenizer1 < 3 and #gpt_tokenizer2 < 65)
 }
diff --git a/rules/anti-static/obfuscation/padding.yara b/rules/anti-static/obfuscation/padding.yara
@@ -5,6 +5,8 @@ rule msxml2_http: critical {
   strings:
     $a = /M.{0,48}S.{0,48}X.{0,48}M.{0,48}L.{0,48}2.{0,48}\.X.{0,48}M.{0,48}L.{0,48}H.{0,48}T.{0,48}T.{0,48}P.{0,48}/
 
+    // https://github.com/mailru/FileAPI/blob/5b50e8ed012e089eb578e586d860a6fd035e16d8/lib/FileAPI.core.js#L298
+    $not_fileapi  = "MSXML2.XMLHttp.3.0\")}catch(c){b=new ActiveXObject(\"Microsoft.XMLHTTP\")}return b},isArray:l,support:{dnd:s&&\"ondrop\"i"
     $not_i18next1 = "i18nextHttpBackend"
     $not_i18next2 = "u[\"User-Agent\"]=\"i18next-http-backend (node/\".concat(S.process.version,\"; \")"
 
diff --git a/rules/anti-static/obfuscation/python.yara b/rules/anti-static/obfuscation/python.yara
@@ -542,7 +542,10 @@ rule import_manipulator: critical {
   condition:
     // a91160135598f3decc8ca9f9b019dcc5e1d73e79ebe639548cd9ee9e6d007ea6 is the sha256 hash
     // for https://github.com/pypy/pypy/blob/main/lib-python/2.7/pickle.py
-    filesize < 10MB and (hash.sha256(0, filesize) != "a91160135598f3decc8ca9f9b019dcc5e1d73e79ebe639548cd9ee9e6d007ea6") and all of them
+    // 44cdd1503ae0b1d7c9e5eb79fd624a7e51780b7a8fc6cfbc68b49ef7c6e63abc is the sha256 hash
+    // https://github.com/jython/jython/blob/v2.7.4/Lib/pickle.py
+    filesize < 10MB and (hash.sha256(0, filesize) != "a91160135598f3decc8ca9f9b019dcc5e1d73e79ebe639548cd9ee9e6d007ea6") and
+    (hash.sha256(0, filesize) != "44cdd1503ae0b1d7c9e5eb79fd624a7e51780b7a8fc6cfbc68b49ef7c6e63abc") and all of them
 }
 
 rule bloated_hex_python: high {
diff --git a/rules/data/base64/external.yara b/rules/data/base64/external.yara
@@ -35,6 +35,9 @@ rule base64_shell_double_encode: critical {
   strings:
     $ref = /base64[\s>].{0,32}\|\s{0,2}base64/
 
+    $not_gpgme   = "if (!base64 || base64 == -1) /* Make sure that we really have a string.  */"
+    $not_unix_rb = "echo '%<base64>s' | base64 --decode > %<file>s"
+
   condition:
-    any of them
+    any of them and none of ($not*)
 }
diff --git a/rules/evasion/mimicry/fake-process.yara b/rules/evasion/mimicry/fake-process.yara
@@ -6,7 +6,10 @@ rule fake_kworker: critical linux {
     $kworker1 = /\[{0,1}kworker\/[\w\%:\-\]]{1,16}/
     $kworker2 = "[kworker"
 
-    $not_rescue = "kworker/R-%s"
+    $not_rescue          = "kworker/R-%s"
+    $not_psutil_comment1 = "root           4   0.0    0.0B    0.0B   -20   idle  Mar27  00:00  kworker/0:0H"
+    $not_psutil_comment2 = "root       20414   0.0    0.0B    0.0B         idle  Apr04  00:00  kworker/4:2"
+    $not_psutil_comment3 = "root       22338   0.0    0.0B    0.0B         idle  02:04  00:00  kworker/1:2"
 
   condition:
     filesize < 100MB and any of ($kworker*) and none of ($not*)
diff --git a/rules/exfil/stealer/wallet.yara b/rules/exfil/stealer/wallet.yara
@@ -33,9 +33,11 @@ rule crypto_stealer_names: critical {
     $not_clef1       = "These data types are defined in the channel between clef and the UILedger"
     $not_clef2       = "The `transaction` (on input into clef) can have either `data` or `input`"
     $not_geth_site   = "https://geth.ethereum.org"
+    $gpt_tokenizer1  = "GPTTokenizer"
+    $gpt_tokenizer2  = "GPT-4"
 
   condition:
-    filesize < 100MB and $http and 2 of ($w*) and none of ($not*)
+    filesize < 100MB and $http and 2 of ($w*) and none of ($not*) and (#gpt_tokenizer1 < 3 and #gpt_tokenizer2 < 65)
 }
 
 rule crypto_extension_stealer: critical {
diff --git a/rules/false_positives/arangodb.yara b/rules/false_positives/arangodb.yara
@@ -0,0 +1,13 @@
+rule arangodb_override: override {
+  meta:
+    R3C0NST_Shellcode_Apihashing_FIN8 = "low"
+
+  strings:
+    $ = "https://github.com/arangodb-helper/arangodb"
+    $ = "/home/build/arangod"
+    $ = "application/x-arango-dump"
+    $ = "arangodb"
+
+  condition:
+    all of them
+}
diff --git a/rules/impact/degrade/win_defender.yara b/rules/impact/degrade/win_defender.yara
@@ -5,8 +5,12 @@ rule win_defender_configure: high {
   strings:
     $exclusion = /[\w \'\:\\\"\-]{0,32}Add-MpPreference[\w \'\:\\\"\-]/
 
+    // https://help.eclipse.org/latest/nftopic/org.eclipse.platform.doc.isv/reference/api/org/eclipse/ui/internal/WindowsDefenderConfigurator.html
+    $not_configurator1 = "WindowsDefenderConfigurator_"
+    $not_configurator2 = "org/eclipse/ui/internal/WindowsDefenderConfigurator"
+
   condition:
-    $exclusion
+    $exclusion and none of ($not*)
 }
 
 rule win_defender_exclusion: critical {
@@ -16,6 +20,10 @@ rule win_defender_exclusion: critical {
   strings:
     $exclusion = /[\w \'\:\\\"\-]{0,32}Add-MpPreference.{0,32}Exclusion[\w \'\:\\\"]{0,32}/
 
+    // https://help.eclipse.org/latest/nftopic/org.eclipse.platform.doc.isv/reference/api/org/eclipse/ui/internal/WindowsDefenderConfigurator.html
+    $not_configurator1 = "WindowsDefenderConfigurator_"
+    $not_configurator2 = "org/eclipse/ui/internal/WindowsDefenderConfigurator"
+
   condition:
-    $exclusion
+    $exclusion and none of ($not*)
 }
