diff --git a/rules/anti-static/obfuscation/padding.yara b/rules/anti-static/obfuscation/padding.yara
index 13fd07113..82f21b1db 100644
--- a/rules/anti-static/obfuscation/padding.yara
+++ b/rules/anti-static/obfuscation/padding.yara
@@ -14,6 +14,8 @@ rule msxml2_http: critical {
 $not_yui3 = "version: 2.6.0"
 $not_yui4 = "YAHOO.util.Connect={_msxml_progid:[\"Microsoft.XMLHTTP\",\"MSXML2.XMLHTTP.3.0\",\"MSXML2.XMLHTTP\"]"
 $not_yui5 = "if(typeof YAHOO==\"undefined\"||!YAHOO){var YAHOO={};}YAHOO.namespace=function()"
+ $not_dojo1 = "dojotoolkit.org"
+ $not_dojo2 = "dojo.xd.js"
 condition:
 filesize < 128KB and $a and !a > 32 and none of ($not*)
diff --git a/rules/evasion/mimicry/fake-process.yara b/rules/evasion/mimicry/fake-process.yara
index 866b42395..d25711573 100644
--- a/rules/evasion/mimicry/fake-process.yara
+++ b/rules/evasion/mimicry/fake-process.yara
@@ -7,6 +7,7 @@ rule fake_kworker: critical linux {
 $kworker2 = "[kworker"
 $not_bpftrace_comment1 = " * 03:14:49 496 kworker/1:0H md0"
+ $not_bpftrace_script = "bpftrace" fullword
 $not_dockworker = "dockworker/MS"
 $not_f2fs_h1 = "* fs/f2fs/f2fs.h"
 $not_f2fs_h2 = "#ifndef _LINUX_F2FS_H"
diff --git a/rules/exfil/stealer/wallet.yara b/rules/exfil/stealer/wallet.yara
index 1e60dbe4a..55328aa1b 100644
--- a/rules/exfil/stealer/wallet.yara
+++ b/rules/exfil/stealer/wallet.yara
@@ -38,9 +38,12 @@ rule crypto_stealer_names: critical {
 $gpt_tokenizer3 = "const bpe = c0.concat();"
 $gpt_tokenizer4 = "const bpe = c0.concat(c1);"
 $gpt_tokenizer5 = "export default bpe;"
+ $bpe_tokenizer1 = "cl100k_base"
+ $bpe_tokenizer2 = "o200k_base"
+ $bpe_tokenizer3 = "p50k_base"
 condition:
- filesize < 100MB and $http and 2 of ($w*) and none of ($not*) and none of ($gpt_tokenizer*)
+ filesize < 100MB and $http and 2 of ($w*) and none of ($not*) and none of ($gpt_tokenizer*) and none of ($bpe_tokenizer*)
 }
 rule crypto_extension_stealer: critical {
 
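Review bot: The new `$not_bpftrace_script = "bpftrace" fullword` exclusion in fake_kworker switches the rule off for any file that contains the bare word `bpftrace`, not only bpftrace programs, which is a far wider carve-out than the neighbouring `$not_bpftrace_comment1` line that anchors on an entire comment line. A tighter anchor would be a fragment only a bpftrace script carries, such as its shebang line (`#!/usr/bin/env bpftrace`), written as a full-line string like the existing one. The rest of fake_kworker's strings and its condition are outside the hunk, so I cannot see whether another `$not*` string already narrows this.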
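Review bot: The three `$bpe_tokenizer*` strings added to crypto_stealer_names are exclusions, yet they sit outside the `$not` namespace the condition already negates with `none of ($not*)`, so the condition line had to grow a third `none of` clause (the earlier `$gpt_tokenizer*` group has the same shape). Naming them `$not_bpe_tokenizer1` … `$not_bpe_tokenizer3` lets the existing `none of ($not*)` cover them and leaves the condition untouched, matching how fake-process.yara and padding.yara name their exclusions in this same commit. Independently of naming, `"cl100k_base"`, `"o200k_base"` and `"p50k_base"` are encoding names that any tokenizer-using script mentions, so this carve-out is broad; a `fullword` modifier on each would at least prevent substring hits.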
diff --git a/rules/false_positives/adminer.yara b/rules/false_positives/adminer.yara
new file mode 100644
index 000000000..d73de1e6c
--- /dev/null
+++ b/rules/false_positives/adminer.yara
@@ -0,0 +1,13 @@
+rule adminer_php: override {
+ meta:
+ description = "adminer.php - legitimate database management tool"
+ webshell_adminer_4_7 = "harmless"
+
+ strings:
+ $adminer_header = "Adminer - Compact database management"
+ $adminer_org = "https://www.adminer.org/"
+ $adminer_author = "Jakub Vrana"
+
+ condition:
+ filesize < 1MB and all of them
+}
diff --git a/rules/false_positives/crossplane.yara b/rules/false_positives/crossplane.yara
new file mode 100644
index 000000000..49baef2e4
--- /dev/null
+++ b/rules/false_positives/crossplane.yara
@@ -0,0 +1,12 @@
+rule crossplane_aws_provider: override {
+ meta:
+ description = "provider-aws-* crossplane-contrib/provider-upjet-aws Go binary"
+ RUSSIANPANDA_Mintsloader = "harmless"
+
+ strings:
+ $upjet_build = "crossplane-contrib/provider-upjet-aws/internal/version"
+ $upbound = "github.com/upbound/provider-aws/v2"
+
+ condition:
+ filesize > 100MB and filesize < 1500MB and all of them
+}
diff --git a/rules/false_positives/datadog.yara b/rules/false_positives/datadog.yara
index 46d8562e9..0a17f4684 100644
--- a/rules/false_positives/datadog.yara
+++ b/rules/false_positives/datadog.yara
@@ -12,3 +12,21 @@ rule default_policy: override {
 condition:
 filesize < 256KB and all of them
 }
+
+rule datadog_agent_binary: override {
+ meta:
+ description = "datadog-agent binary"
+ binary_url_with_question = "medium"
+ iplookup_website = "medium"
+ etc_ld_preload_not_ld = "medium"
+ ipinfo_and_bash = "medium"
+ linux_network_filter_exec = "medium"
+ go_memfd_create = "medium"
+
+ strings:
+ $datadog_module = "github.com/DataDog/datadog-agent"
+ $datadoghq = "datadoghq.com"
+
+ condition:
+ filesize < 500MB and all of them
+}
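Review bot: adminer_php downgrades `webshell_adminer_4_7` to `harmless` on the strength of three strings (`$adminer_header`, `$adminer_org`, `$adminer_author`) that are plain text copied from Adminer's own file header, so any file carrying that header clears the webshell rule completely, including an altered copy of adminer.php, which is the case a rule named for Adminer exists to surface. The other overrides in this commit mostly step findings down to `low` or `medium`; `webshell_adminer_4_7 = "low"` here would keep the finding visible while removing the critical verdict. If the intent really is to whitelist the upstream release, the condition needs an anchor that is harder to carry over than header text.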
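Review bot: datadog_agent_binary keys its override on `github.com/DataDog/datadog-agent` and `datadoghq.com`, but a Go module path is embedded in every binary that imports any package from that module, not only the agent itself, so six rules drop to `medium` for any such binary under 500MB while the description (`datadog-agent binary`) is narrower than what the strings select. kuma_cp in kuma.yara has the same shape: `github.com/kumahq/kuma` plus `kuma.io` also describe kuma-dp and kumactl, and that rule overrides to `harmless`. For both, anchoring on a path that only the intended main package carries (for datadog-agent presumably something under its `cmd/agent` tree, TODO confirm against the binary's build info) keeps the override to the binary the description names.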
diff --git a/rules/false_positives/gemini_cli.yara b/rules/false_positives/gemini_cli.yara
new file mode 100644
index 000000000..37eeda761
--- /dev/null
+++ b/rules/false_positives/gemini_cli.yara
@@ -0,0 +1,17 @@
+rule gemini_cli_third_party: override {
+ meta:
+ description = "gemini-cli bundled third-party npm dependencies"
+ exotic_tld = "low"
+ iplookup_website = "low"
+ browser_extension_installer = "low"
+ obfuscated_payload = "low"
+ bash_persist = "low"
+ bash_persist_persistent = "low"
+
+ strings:
+ $gemini_module = "@google/gemini-cli"
+ $gemini_core = "gemini-cli-core"
+
+ condition:
+ filesize < 100MB and all of them
+}
diff --git a/rules/false_positives/grub.yara b/rules/false_positives/grub.yara
new file mode 100644
index 000000000..2df56b1fa
--- /dev/null
+++ b/rules/false_positives/grub.yara
@@ -0,0 +1,11 @@
+rule grub_boot_images: override {
+ meta:
+ description = "GRUB i386-pc boot images"
+ single_load_rwe = "medium"
+
+ strings:
+ $grub = "GRUB"
+
+ condition:
+ filesize < 64KB and $grub
+}
diff --git a/rules/false_positives/kuma.yara b/rules/false_positives/kuma.yara
new file mode 100644
index 000000000..0147e3c9c
--- /dev/null
+++ b/rules/false_positives/kuma.yara
@@ -0,0 +1,12 @@
+rule kuma_cp: override {
+ meta:
+ description = "kuma-cp - Kuma service mesh control plane"
+ ESET_Kobalos = "harmless"
+
+ strings:
+ $kuma_module = "github.com/kumahq/kuma"
+ $kuma_io = "kuma.io"
+
+ condition:
+ filesize < 250MB and all of them
+}
diff --git a/rules/false_positives/nltk.yara b/rules/false_positives/nltk.yara
new file mode 100644
index 000000000..1e9e9a810
--- /dev/null
+++ b/rules/false_positives/nltk.yara
@@ -0,0 +1,13 @@
+rule nltk_test_pathsec: override {
+ meta:
+ description = "nltk/test/unit/test_pathsec.py"
+ ELCEEF_Obfuscated_IP_Address_In_URL = "harmless"
+
+ strings:
+ $test_pathsec = "test_pathsec"
+ $nltk_pathsec = "nltk.pathsec"
+ $nltk_downloader = "nltk.downloader"
+
+ condition:
+ filesize < 64KB and all of them
+}
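Review bot: gemini_cli_third_party lowers `obfuscated_payload` and both `bash_persist*` rules for any file under 100MB that contains `@google/gemini-cli` together with `gemini-cli-core`, and those are package names that likely appear in the package.json and lockfile of every project depending on gemini-cli, not only in the bundled dist file the description refers to. An anchor taken from the built bundle itself (a banner or path string present only in the bundled output, TODO confirm from the file that produced the false positives) would keep the override from reaching unrelated dependents.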
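Review bot: grub_boot_images mutes `single_load_rwe` to `medium` for every file under 64KB that contains the four bytes `GRUB` anywhere, with no `fullword` and no second anchor; that substring also occurs inside `GRUB_`-prefixed identifiers in configuration and scripts, and it is short enough to appear by chance in small binaries. At minimum change the string to `$grub = "GRUB" fullword`, and since the description names i386-pc boot images, add a second string those images carry so the condition can become `all of them` like the other overrides in this commit.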
diff --git a/rules/false_positives/stress_ng.yara b/rules/false_positives/stress_ng.yara
new file mode 100644
index 000000000..b0e8e084a
--- /dev/null
+++ b/rules/false_positives/stress_ng.yara
@@ -0,0 +1,17 @@
+rule stress_ng: override {
+ meta:
+ description = "/usr/bin/stress-ng"
+ dev_shm_file = "medium"
+ bpfdoor_alike = "medium"
+ kmem = "medium"
+ multiple_gcc = "harmless"
+ multiple_gcc_high = "medium"
+
+ strings:
+ $stress_version = "stress-ng-version"
+ $stress_dev_shm = "/dev/shm/stress-dev-shm-"
+ $stressor = "stressor" fullword
+
+ condition:
+ filesize < 25MB and all of them
+}
diff --git a/rules/false_positives/tigera_operator.yara b/rules/false_positives/tigera_operator.yara
new file mode 100644
index 000000000..8a4d19085
--- /dev/null
+++ b/rules/false_positives/tigera_operator.yara
@@ -0,0 +1,19 @@
+rule tigera_operator: override {
+ meta:
+ description = "tigera-operator (Calico networking) Go binary"
+ SIGNATURE_BASE_WEBSHELL_H4Ntu_Shell_Powered_Tsoi = "harmless"
+ SIGNATURE_BASE_Ironshell_Php = "harmless"
+ SIGNATURE_BASE_Lamashell_Php = "harmless"
+ SIGNATURE_BASE_Safe0Ver_Shell__Safe_Mod_Bypass_By_Evilc0Der_Php = "harmless"
+ SIGNATURE_BASE_Ru24_Post_Sh_Php_Php = "harmless"
+ SIGNATURE_BASE_Simple_Cmd_Html = "harmless"
+ SIGNATURE_BASE_Webshell_Ru24_Post_Sh = "harmless"
+ SIGNATURE_BASE_Webshell_Simple_Cmd = "harmless"
+
+ strings:
+ $tigera_module = "github.com/tigera/operator"
+ $calico_api = "github.com/tigera/api/pkg/apis/projectcalico"
+
+ condition:
+ filesize < 250MB and all of them
+}
diff --git a/rules/false_positives/torch_C.yara b/rules/false_positives/torch_C.yara
new file mode 100644
index 000000000..3ce89477b
--- /dev/null
+++ b/rules/false_positives/torch_C.yara
@@ -0,0 +1,12 @@
+rule torch_C_cpython: override {
+ meta:
+ description = "torch/_C.cpython-*-linux-gnu.so"
+ upx_elf_tampered = "medium"
+
+ strings:
+ $pytorch = "PyTorch"
+ $torch_c = "torch._C"
+
+ condition:
+ filesize < 500MB and all of them
+}
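Review bot: torch_C_cpython drops `upx_elf_tampered` to `medium` on `"PyTorch"` plus `"torch._C"`, two strings that occur in many torch-related shared objects and Python sources, whereas the description names one specific extension module (`torch/_C.cpython-*-linux-gnu.so`), and a modified UPX header is a strong packer signal to mute that broadly. A CPython extension exports an init symbol named after the module, which for `_C` is `PyInit__C`, and that symbol should be present only in that module's .so; adding `$init = "PyInit__C" fullword` and keeping `all of them` narrows the override to the file the description means (worth confirming against the .so that produced the false positive).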
diff --git a/rules/false_positives/wazuh.yara b/rules/false_positives/wazuh.yara
new file mode 100644
index 000000000..1ad8cfd04
--- /dev/null
+++ b/rules/false_positives/wazuh.yara
@@ -0,0 +1,14 @@
+rule wazuh_policy_monitoring: override {
+ meta:
+ description = "wazuh-dashboard policy-monitoring.js sample data"
+ hidden_short_path_system = "low"
+ hidden_short_path_temp = "low"
+ rootkit = "low"
+
+ strings:
+ $wazuh_dashboard = "wazuh-dashboard"
+ $policy_monitoring = "policy-monitoring"
+
+ condition:
+ filesize < 5MB and all of them
+}
diff --git a/third_party/yara/elastic/MacOS_Trojan_XScreen.yar b/third_party/yara/elastic/MacOS_Trojan_XScreen.yar
index 000f35235..5365a5f18 100644
--- a/third_party/yara/elastic/MacOS_Trojan_XScreen.yar
+++ b/third_party/yara/elastic/MacOS_Trojan_XScreen.yar
@@ -13,11 +13,11 @@ rule MacOS_Trojan_XScreen_7837ad6c {
 license = "Elastic License v2"
 os = "macos"
 strings:
- $a1 = "/Users/Shared/._cfg" ascii fullword
- $a2 = "base64EncodedStringWithOptions:" ascii fullword
- $a3 = "/private/tmp/google_cache.db" ascii fullword
- $a4 = "[hyphen]" ascii fullword
- $a5 = "generalPasteboard" ascii fullword
+ $a1 = { 2F 55 73 65 72 73 2F 53 68 61 72 65 64 2F 2E 5F 63 66 67 }
+ $a2 = { 62 61 73 65 36 34 45 6E 63 6F 64 65 64 53 74 72 69 6E 67 57 69 74 68 4F 70 74 69 6F 6E 73 3A }
+ $a3 = { 2F 70 72 69 76 61 74 65 2F 74 6D 70 2F 67 6F 6F 67 6C 65 5F 63 61 63 68 65 2E 64 62 }
+ $a4 = { 5B 68 79 70 68 65 6E 5D }
+ $a5 = { 67 65 6E 65 72 61 6C 50 61 73 74 65 62 6F 61 72 64 }
 condition:
 all of them
 }
diff --git a/third_party/yara/elastic/Macos_Infostealer_Wallets.yar b/third_party/yara/elastic/Macos_Infostealer_Wallets.yar
index c2bd75398..225e3f02a 100644
--- a/third_party/yara/elastic/Macos_Infostealer_Wallets.yar
+++ b/third_party/yara/elastic/Macos_Infostealer_Wallets.yar
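Review bot: Converting `$a1`–`$a5` in MacOS_Trojan_XScreen_7837ad6c to hex strings silently drops the `ascii fullword` modifier, because YARA hex strings do not accept `fullword`, so `$a5` (`generalPasteboard`) and `$a2` (`base64EncodedStringWithOptions:`) now also match as substrings of longer identifiers and `all of them` is easier to satisfy than upstream intended. The Macos_Infostealer_Wallets.yar hunk in this same commit has the matching loss in the other direction: its strings were `ascii wide`, the hex form covers only the ASCII encoding, and UTF-16 occurrences of those extension IDs stop matching. Both are side effects of the `\s+ascii\s+\w+\s*$` rewrite in update.sh; if the loss is accepted, record it in the comment block above `edr_flagged_rules` there (these files are regenerated, so a comment in the rule itself would not survive the next sync), e.g. `# NOTE: hex strings carry no wide/fullword modifier, so converted rules lose UTF-16 and word-boundary matching`.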
@@ -13,99 +13,99 @@ rule Macos_Infostealer_Wallets_8e469ea0 { license = "Elastic License v2" os = "macos" strings: - $s1 = "ibnejdfjmmkpcnlpebklmnkoeoihofec" ascii wide - $s2 = "fhbohimaelbohpjbbldcngcnapndodjp" ascii wide - $s3 = "ffnbelfdoeiohenkjibnmadjiehjhajb" ascii wide - $s4 = "jbdaocneiiinmjbjlgalhcelgbejmnid" ascii wide - $s5 = "afbcbjpbpfadlkmhmclhkeeodmamcflc" ascii wide - $s6 = "hnfanknocfeofbddgcijnmhnfnkdnaad" ascii wide - $s7 = "hpglfhgfnhbgpjdenjgmdgoeiappafln" ascii wide - $s8 = "blnieiiffboillknjnepogjhkgnoapac" ascii wide - $s9 = "cjelfplplebdjjenllpjcblmjkfcffne" ascii wide - $s10 = "fihkakfobkmkjojpchpfgcmhfjnmnfpi" ascii wide - $s11 = "kncchdigobghenbbaddojjnnaogfppfj" ascii wide - $s12 = "amkmjjmmflddogmhpjloimipbofnfjih" ascii wide - $s13 = "nlbmnnijcnlegkjjpcfjclmcfggfefdm" ascii wide - $s14 = "nanjmdknhkinifnkgdcggcfnhdaammmj" ascii wide - $s15 = "nkddgncdjgjfcddamfgcmfnlhccnimig" ascii wide - $s16 = "fnjhmkhhmkbjkkabndcnnogagogbneec" ascii wide - $s17 = "cphhlgmgameodnhkjdmkpanlelnlohao" ascii wide - $s18 = "nhnkbkgjikgcigadomkphalanndcapjk" ascii wide - $s19 = "kpfopkelmapcoipemfendmdcghnegimn" ascii wide - $s20 = "aiifbnbfobpmeekipheeijimdpnlpgpp" ascii wide - $s21 = "dmkamcknogkgcdfhhbddcghachkejeap" ascii wide - $s22 = "fhmfendgdocmcbmfikdcogofphimnkno" ascii wide - $s23 = "cnmamaachppnkjgnildpdmkaakejnhae" ascii wide - $s24 = "jojhfeoedkpkglbfimdfabpdfjaoolaf" ascii wide - $s25 = "flpiciilemghbmfalicajoolhkkenfel" ascii wide - $s26 = "nknhiehlklippafakaeklbeglecifhad" ascii wide - $s27 = "hcflpincpppdclinealmandijcmnkbgn" ascii wide - $s28 = "ookjlbkiijinhpmnjffcofjonbfbgaoc" ascii wide - $s29 = "mnfifefkajgofkcjkemidiaecocnkjeh" ascii wide - $s30 = "lodccjjbdhfakaekdiahmedfbieldgik" ascii wide - $s31 = "ijmpgkjfkbfhoebgogflfebnmejmfbml" ascii wide - $s32 = "lkcjlnjfpbikmcmbachjpdbijejflpcm" ascii wide - $s33 = "nkbihfbeogaeaoehlefnkodbefgpgknn" ascii wide - $s34 = "bcopgchhojmggmffilplmbdicgaihlkp" ascii wide - $s35 = 
"klnaejjgbibmhlephnhpmaofohgkpgkd" ascii wide - $s36 = "aeachknmefphepccionboohckonoeemg" ascii wide - $s37 = "dkdedlpgdmmkkfjabffeganieamfklkm" ascii wide - $s38 = "nlgbhdfgdhgbiamfdfmbikcdghidoadd" ascii wide - $s39 = "onofpnbbkehpmmoabgpcpmigafmmnjhl" ascii wide - $s40 = "cihmoadaighcejopammfbmddcmdekcje" ascii wide - $s41 = "cgeeodpfagjceefieflmdfphplkenlfk" ascii wide - $s42 = "pdadjkfkgcafgbceimcpbkalnfnepbnk" ascii wide - $s43 = "acmacodkjbdgmoleebolmdjonilkdbch" ascii wide - $s44 = "bfnaelmomeimhlpmgjnjophhpkkoljpa" ascii wide - $s45 = "fhilaheimglignddkjgofkcbgekhenbh" ascii wide - $s46 = "mgffkfbidihjpoaomajlbgchddlicgpn" ascii wide - $s47 = "hmeobnfnfcmdkdcmlblgagmfpfboieaf" ascii wide - $s48 = "lpfcbjknijpeeillifnkikgncikgfhdo" ascii wide - $s49 = "dngmlblcodfobpdpecaadgfbcggfjfnm" ascii wide - $s50 = "bhhhlbepdkbapadjdnnojkbgioiodbic" ascii wide - $s51 = "jnkelfanjkeadonecabehalmbgpfodjm" ascii wide - $s52 = "jhgnbkkipaallpehbohjmkbjofjdmeid" ascii wide - $s53 = "jnlgamecbpmbajjfhmmmlhejkemejdma" ascii wide - $s54 = "kkpllkodjeloidieedojogacfhpaihoh" ascii wide - $s55 = "mcohilncbfahbmgdjkbpemcciiolgcge" ascii wide - $s56 = "gjagmgiddbbciopjhllkdnddhcglnemk" ascii wide - $s57 = "kmhcihpebfmpgmihbkipmjlmmioameka" ascii wide - $s58 = "phkbamefinggmakgklpkljjmgibohnba" ascii wide - $s59 = "lpilbniiabackdjcionkobglmddfbcjo" ascii wide - $s60 = "cjmkndjhnagcfbpiemnkdpomccnjblmj" ascii wide - $s61 = "aijcbedoijmgnlmjeegjaglmepbmpkpi" ascii wide - $s62 = "efbglgofoippbgcjepnhiblaibcnclgk" ascii wide - $s63 = "odbfpeeihdkbihmopkbjmoonfanlbfcl" ascii wide - $s64 = "fnnegphlobjdpkhecapkijjdkgcjhkib" ascii wide - $s65 = "aodkkagnadcbobfpggfnjeongemjbjca" ascii wide - $s66 = "akoiaibnepcedcplijmiamnaigbepmcb" ascii wide - $s67 = "ejbalbakoplchlghecdalmeeeajnimhm" ascii wide - $s68 = "dfeccadlilpndjjohbjdblepmjeahlmm" ascii wide - $s69 = "kjmoohlgokccodicjjfebfomlbljgfhk" ascii wide - $s70 = "ajkhoeiiokighlmdnlakpjfoobnjinie" ascii wide - $s71 = 
"fplfipmamcjaknpgnipjeaeeidnjooao" ascii wide - $s72 = "niihfokdlimbddhfmngnplgfcgpmlido" ascii wide - $s73 = "obffkkagpmohennipjokmpllocnlndac" ascii wide - $s74 = "kfocnlddfahihoalinnfbnfmopjokmhl" ascii wide - $s75 = "infeboajgfhgbjpjbeppbkgnabfdkdaf" ascii wide - $s76 = "{530f7c6c-6077-4703-8f71-cb368c663e35}.xpi" ascii wide - $s77 = "ronin-wallet@axieinfinity.com.xpi" ascii wide - $s78 = "webextension@metamask.io.xpi" ascii wide - $s79 = "{5799d9b6-8343-4c26-9ab6-5d2ad39884ce}.xpi" ascii wide - $s80 = "{aa812bee-9e92-48ba-9570-5faf0cfe2578}.xpi" ascii wide - $s81 = "{59ea5f29-6ea9-40b5-83cd-937249b001e1}.xpi" ascii wide - $s82 = "{d8ddfc2a-97d9-4c60-8b53-5edd299b6674}.xpi" ascii wide - $s83 = "{7c42eea1-b3e4-4be4-a56f-82a5852b12dc}.xpi" ascii wide - $s84 = "{b3e96b5f-b5bf-8b48-846b-52f430365e80}.xpi" ascii wide - $s85 = "{eb1fb57b-ca3d-4624-a841-728fdb28455f}.xpi" ascii wide - $s86 = "{76596e30-ecdb-477a-91fd-c08f2018df1a}.xpi" ascii wide - $s87 = "ejjladinnckdgjemekebdpeokbikhfci" ascii wide - $s88 = "bgpipimickeadkjlklgciifhnalhdjhe" ascii wide - $s89 = "epapihdplajcdnnkdeiahlgigofloibg" ascii wide - $s90 = "aholpfdialjgjfhomihkjbmgjidlcdno" ascii wide - $s91 = "egjidjbpglichdcondbcbdnbeeppgdph" ascii wide - $s92 = "pnndplcbkakcplkjnolgbkdgjikjednm" ascii wide - $s93 = "gojhcdgcpbpfigcaejpfhfegekdgiblk" ascii wide + $s1 = { 69 62 6E 65 6A 64 66 6A 6D 6D 6B 70 63 6E 6C 70 65 62 6B 6C 6D 6E 6B 6F 65 6F 69 68 6F 66 65 63 } + $s2 = { 66 68 62 6F 68 69 6D 61 65 6C 62 6F 68 70 6A 62 62 6C 64 63 6E 67 63 6E 61 70 6E 64 6F 64 6A 70 } + $s3 = { 66 66 6E 62 65 6C 66 64 6F 65 69 6F 68 65 6E 6B 6A 69 62 6E 6D 61 64 6A 69 65 68 6A 68 61 6A 62 } + $s4 = { 6A 62 64 61 6F 63 6E 65 69 69 69 6E 6D 6A 62 6A 6C 67 61 6C 68 63 65 6C 67 62 65 6A 6D 6E 69 64 } + $s5 = { 61 66 62 63 62 6A 70 62 70 66 61 64 6C 6B 6D 68 6D 63 6C 68 6B 65 65 6F 64 6D 61 6D 63 66 6C 63 } + $s6 = { 68 6E 66 61 6E 6B 6E 6F 63 66 65 6F 66 62 64 64 67 63 69 6A 6E 6D 68 6E 66 6E 6B 64 6E 61 61 64 } + $s7 = 
{ 68 70 67 6C 66 68 67 66 6E 68 62 67 70 6A 64 65 6E 6A 67 6D 64 67 6F 65 69 61 70 70 61 66 6C 6E } + $s8 = { 62 6C 6E 69 65 69 69 66 66 62 6F 69 6C 6C 6B 6E 6A 6E 65 70 6F 67 6A 68 6B 67 6E 6F 61 70 61 63 } + $s9 = { 63 6A 65 6C 66 70 6C 70 6C 65 62 64 6A 6A 65 6E 6C 6C 70 6A 63 62 6C 6D 6A 6B 66 63 66 66 6E 65 } + $s10 = { 66 69 68 6B 61 6B 66 6F 62 6B 6D 6B 6A 6F 6A 70 63 68 70 66 67 63 6D 68 66 6A 6E 6D 6E 66 70 69 } + $s11 = { 6B 6E 63 63 68 64 69 67 6F 62 67 68 65 6E 62 62 61 64 64 6F 6A 6A 6E 6E 61 6F 67 66 70 70 66 6A } + $s12 = { 61 6D 6B 6D 6A 6A 6D 6D 66 6C 64 64 6F 67 6D 68 70 6A 6C 6F 69 6D 69 70 62 6F 66 6E 66 6A 69 68 } + $s13 = { 6E 6C 62 6D 6E 6E 69 6A 63 6E 6C 65 67 6B 6A 6A 70 63 66 6A 63 6C 6D 63 66 67 67 66 65 66 64 6D } + $s14 = { 6E 61 6E 6A 6D 64 6B 6E 68 6B 69 6E 69 66 6E 6B 67 64 63 67 67 63 66 6E 68 64 61 61 6D 6D 6D 6A } + $s15 = { 6E 6B 64 64 67 6E 63 64 6A 67 6A 66 63 64 64 61 6D 66 67 63 6D 66 6E 6C 68 63 63 6E 69 6D 69 67 } + $s16 = { 66 6E 6A 68 6D 6B 68 68 6D 6B 62 6A 6B 6B 61 62 6E 64 63 6E 6E 6F 67 61 67 6F 67 62 6E 65 65 63 } + $s17 = { 63 70 68 68 6C 67 6D 67 61 6D 65 6F 64 6E 68 6B 6A 64 6D 6B 70 61 6E 6C 65 6C 6E 6C 6F 68 61 6F } + $s18 = { 6E 68 6E 6B 62 6B 67 6A 69 6B 67 63 69 67 61 64 6F 6D 6B 70 68 61 6C 61 6E 6E 64 63 61 70 6A 6B } + $s19 = { 6B 70 66 6F 70 6B 65 6C 6D 61 70 63 6F 69 70 65 6D 66 65 6E 64 6D 64 63 67 68 6E 65 67 69 6D 6E } + $s20 = { 61 69 69 66 62 6E 62 66 6F 62 70 6D 65 65 6B 69 70 68 65 65 69 6A 69 6D 64 70 6E 6C 70 67 70 70 } + $s21 = { 64 6D 6B 61 6D 63 6B 6E 6F 67 6B 67 63 64 66 68 68 62 64 64 63 67 68 61 63 68 6B 65 6A 65 61 70 } + $s22 = { 66 68 6D 66 65 6E 64 67 64 6F 63 6D 63 62 6D 66 69 6B 64 63 6F 67 6F 66 70 68 69 6D 6E 6B 6E 6F } + $s23 = { 63 6E 6D 61 6D 61 61 63 68 70 70 6E 6B 6A 67 6E 69 6C 64 70 64 6D 6B 61 61 6B 65 6A 6E 68 61 65 } + $s24 = { 6A 6F 6A 68 66 65 6F 65 64 6B 70 6B 67 6C 62 66 69 6D 64 66 61 62 70 64 66 6A 61 6F 6F 6C 61 66 } + $s25 = { 66 6C 70 69 63 69 69 6C 65 6D 67 68 
62 6D 66 61 6C 69 63 61 6A 6F 6F 6C 68 6B 6B 65 6E 66 65 6C } + $s26 = { 6E 6B 6E 68 69 65 68 6C 6B 6C 69 70 70 61 66 61 6B 61 65 6B 6C 62 65 67 6C 65 63 69 66 68 61 64 } + $s27 = { 68 63 66 6C 70 69 6E 63 70 70 70 64 63 6C 69 6E 65 61 6C 6D 61 6E 64 69 6A 63 6D 6E 6B 62 67 6E } + $s28 = { 6F 6F 6B 6A 6C 62 6B 69 69 6A 69 6E 68 70 6D 6E 6A 66 66 63 6F 66 6A 6F 6E 62 66 62 67 61 6F 63 } + $s29 = { 6D 6E 66 69 66 65 66 6B 61 6A 67 6F 66 6B 63 6A 6B 65 6D 69 64 69 61 65 63 6F 63 6E 6B 6A 65 68 } + $s30 = { 6C 6F 64 63 63 6A 6A 62 64 68 66 61 6B 61 65 6B 64 69 61 68 6D 65 64 66 62 69 65 6C 64 67 69 6B } + $s31 = { 69 6A 6D 70 67 6B 6A 66 6B 62 66 68 6F 65 62 67 6F 67 66 6C 66 65 62 6E 6D 65 6A 6D 66 62 6D 6C } + $s32 = { 6C 6B 63 6A 6C 6E 6A 66 70 62 69 6B 6D 63 6D 62 61 63 68 6A 70 64 62 69 6A 65 6A 66 6C 70 63 6D } + $s33 = { 6E 6B 62 69 68 66 62 65 6F 67 61 65 61 6F 65 68 6C 65 66 6E 6B 6F 64 62 65 66 67 70 67 6B 6E 6E } + $s34 = { 62 63 6F 70 67 63 68 68 6F 6A 6D 67 67 6D 66 66 69 6C 70 6C 6D 62 64 69 63 67 61 69 68 6C 6B 70 } + $s35 = { 6B 6C 6E 61 65 6A 6A 67 62 69 62 6D 68 6C 65 70 68 6E 68 70 6D 61 6F 66 6F 68 67 6B 70 67 6B 64 } + $s36 = { 61 65 61 63 68 6B 6E 6D 65 66 70 68 65 70 63 63 69 6F 6E 62 6F 6F 68 63 6B 6F 6E 6F 65 65 6D 67 } + $s37 = { 64 6B 64 65 64 6C 70 67 64 6D 6D 6B 6B 66 6A 61 62 66 66 65 67 61 6E 69 65 61 6D 66 6B 6C 6B 6D } + $s38 = { 6E 6C 67 62 68 64 66 67 64 68 67 62 69 61 6D 66 64 66 6D 62 69 6B 63 64 67 68 69 64 6F 61 64 64 } + $s39 = { 6F 6E 6F 66 70 6E 62 62 6B 65 68 70 6D 6D 6F 61 62 67 70 63 70 6D 69 67 61 66 6D 6D 6E 6A 68 6C } + $s40 = { 63 69 68 6D 6F 61 64 61 69 67 68 63 65 6A 6F 70 61 6D 6D 66 62 6D 64 64 63 6D 64 65 6B 63 6A 65 } + $s41 = { 63 67 65 65 6F 64 70 66 61 67 6A 63 65 65 66 69 65 66 6C 6D 64 66 70 68 70 6C 6B 65 6E 6C 66 6B } + $s42 = { 70 64 61 64 6A 6B 66 6B 67 63 61 66 67 62 63 65 69 6D 63 70 62 6B 61 6C 6E 66 6E 65 70 62 6E 6B } + $s43 = { 61 63 6D 61 63 6F 64 6B 6A 62 64 67 6D 6F 6C 65 65 62 6F 6C 6D 64 6A 6F 
6E 69 6C 6B 64 62 63 68 } + $s44 = { 62 66 6E 61 65 6C 6D 6F 6D 65 69 6D 68 6C 70 6D 67 6A 6E 6A 6F 70 68 68 70 6B 6B 6F 6C 6A 70 61 } + $s45 = { 66 68 69 6C 61 68 65 69 6D 67 6C 69 67 6E 64 64 6B 6A 67 6F 66 6B 63 62 67 65 6B 68 65 6E 62 68 } + $s46 = { 6D 67 66 66 6B 66 62 69 64 69 68 6A 70 6F 61 6F 6D 61 6A 6C 62 67 63 68 64 64 6C 69 63 67 70 6E } + $s47 = { 68 6D 65 6F 62 6E 66 6E 66 63 6D 64 6B 64 63 6D 6C 62 6C 67 61 67 6D 66 70 66 62 6F 69 65 61 66 } + $s48 = { 6C 70 66 63 62 6A 6B 6E 69 6A 70 65 65 69 6C 6C 69 66 6E 6B 69 6B 67 6E 63 69 6B 67 66 68 64 6F } + $s49 = { 64 6E 67 6D 6C 62 6C 63 6F 64 66 6F 62 70 64 70 65 63 61 61 64 67 66 62 63 67 67 66 6A 66 6E 6D } + $s50 = { 62 68 68 68 6C 62 65 70 64 6B 62 61 70 61 64 6A 64 6E 6E 6F 6A 6B 62 67 69 6F 69 6F 64 62 69 63 } + $s51 = { 6A 6E 6B 65 6C 66 61 6E 6A 6B 65 61 64 6F 6E 65 63 61 62 65 68 61 6C 6D 62 67 70 66 6F 64 6A 6D } + $s52 = { 6A 68 67 6E 62 6B 6B 69 70 61 61 6C 6C 70 65 68 62 6F 68 6A 6D 6B 62 6A 6F 66 6A 64 6D 65 69 64 } + $s53 = { 6A 6E 6C 67 61 6D 65 63 62 70 6D 62 61 6A 6A 66 68 6D 6D 6D 6C 68 65 6A 6B 65 6D 65 6A 64 6D 61 } + $s54 = { 6B 6B 70 6C 6C 6B 6F 64 6A 65 6C 6F 69 64 69 65 65 64 6F 6A 6F 67 61 63 66 68 70 61 69 68 6F 68 } + $s55 = { 6D 63 6F 68 69 6C 6E 63 62 66 61 68 62 6D 67 64 6A 6B 62 70 65 6D 63 63 69 69 6F 6C 67 63 67 65 } + $s56 = { 67 6A 61 67 6D 67 69 64 64 62 62 63 69 6F 70 6A 68 6C 6C 6B 64 6E 64 64 68 63 67 6C 6E 65 6D 6B } + $s57 = { 6B 6D 68 63 69 68 70 65 62 66 6D 70 67 6D 69 68 62 6B 69 70 6D 6A 6C 6D 6D 69 6F 61 6D 65 6B 61 } + $s58 = { 70 68 6B 62 61 6D 65 66 69 6E 67 67 6D 61 6B 67 6B 6C 70 6B 6C 6A 6A 6D 67 69 62 6F 68 6E 62 61 } + $s59 = { 6C 70 69 6C 62 6E 69 69 61 62 61 63 6B 64 6A 63 69 6F 6E 6B 6F 62 67 6C 6D 64 64 66 62 63 6A 6F } + $s60 = { 63 6A 6D 6B 6E 64 6A 68 6E 61 67 63 66 62 70 69 65 6D 6E 6B 64 70 6F 6D 63 63 6E 6A 62 6C 6D 6A } + $s61 = { 61 69 6A 63 62 65 64 6F 69 6A 6D 67 6E 6C 6D 6A 65 65 67 6A 61 67 6C 6D 65 70 62 6D 70 6B 70 69 } + $s62 = { 
65 66 62 67 6C 67 6F 66 6F 69 70 70 62 67 63 6A 65 70 6E 68 69 62 6C 61 69 62 63 6E 63 6C 67 6B } + $s63 = { 6F 64 62 66 70 65 65 69 68 64 6B 62 69 68 6D 6F 70 6B 62 6A 6D 6F 6F 6E 66 61 6E 6C 62 66 63 6C } + $s64 = { 66 6E 6E 65 67 70 68 6C 6F 62 6A 64 70 6B 68 65 63 61 70 6B 69 6A 6A 64 6B 67 63 6A 68 6B 69 62 } + $s65 = { 61 6F 64 6B 6B 61 67 6E 61 64 63 62 6F 62 66 70 67 67 66 6E 6A 65 6F 6E 67 65 6D 6A 62 6A 63 61 } + $s66 = { 61 6B 6F 69 61 69 62 6E 65 70 63 65 64 63 70 6C 69 6A 6D 69 61 6D 6E 61 69 67 62 65 70 6D 63 62 } + $s67 = { 65 6A 62 61 6C 62 61 6B 6F 70 6C 63 68 6C 67 68 65 63 64 61 6C 6D 65 65 65 61 6A 6E 69 6D 68 6D } + $s68 = { 64 66 65 63 63 61 64 6C 69 6C 70 6E 64 6A 6A 6F 68 62 6A 64 62 6C 65 70 6D 6A 65 61 68 6C 6D 6D } + $s69 = { 6B 6A 6D 6F 6F 68 6C 67 6F 6B 63 63 6F 64 69 63 6A 6A 66 65 62 66 6F 6D 6C 62 6C 6A 67 66 68 6B } + $s70 = { 61 6A 6B 68 6F 65 69 69 6F 6B 69 67 68 6C 6D 64 6E 6C 61 6B 70 6A 66 6F 6F 62 6E 6A 69 6E 69 65 } + $s71 = { 66 70 6C 66 69 70 6D 61 6D 63 6A 61 6B 6E 70 67 6E 69 70 6A 65 61 65 65 69 64 6E 6A 6F 6F 61 6F } + $s72 = { 6E 69 69 68 66 6F 6B 64 6C 69 6D 62 64 64 68 66 6D 6E 67 6E 70 6C 67 66 63 67 70 6D 6C 69 64 6F } + $s73 = { 6F 62 66 66 6B 6B 61 67 70 6D 6F 68 65 6E 6E 69 70 6A 6F 6B 6D 70 6C 6C 6F 63 6E 6C 6E 64 61 63 } + $s74 = { 6B 66 6F 63 6E 6C 64 64 66 61 68 69 68 6F 61 6C 69 6E 6E 66 62 6E 66 6D 6F 70 6A 6F 6B 6D 68 6C } + $s75 = { 69 6E 66 65 62 6F 61 6A 67 66 68 67 62 6A 70 6A 62 65 70 70 62 6B 67 6E 61 62 66 64 6B 64 61 66 } + $s76 = { 7B 35 33 30 66 37 63 36 63 2D 36 30 37 37 2D 34 37 30 33 2D 38 66 37 31 2D 63 62 33 36 38 63 36 36 33 65 33 35 7D 2E 78 70 69 } + $s77 = { 72 6F 6E 69 6E 2D 77 61 6C 6C 65 74 40 61 78 69 65 69 6E 66 69 6E 69 74 79 2E 63 6F 6D 2E 78 70 69 } + $s78 = { 77 65 62 65 78 74 65 6E 73 69 6F 6E 40 6D 65 74 61 6D 61 73 6B 2E 69 6F 2E 78 70 69 } + $s79 = { 7B 35 37 39 39 64 39 62 36 2D 38 33 34 33 2D 34 63 32 36 2D 39 61 62 36 2D 35 64 32 61 64 33 39 38 38 34 63 65 7D 2E 78 70 69 
} + $s80 = { 7B 61 61 38 31 32 62 65 65 2D 39 65 39 32 2D 34 38 62 61 2D 39 35 37 30 2D 35 66 61 66 30 63 66 65 32 35 37 38 7D 2E 78 70 69 } + $s81 = { 7B 35 39 65 61 35 66 32 39 2D 36 65 61 39 2D 34 30 62 35 2D 38 33 63 64 2D 39 33 37 32 34 39 62 30 30 31 65 31 7D 2E 78 70 69 } + $s82 = { 7B 64 38 64 64 66 63 32 61 2D 39 37 64 39 2D 34 63 36 30 2D 38 62 35 33 2D 35 65 64 64 32 39 39 62 36 36 37 34 7D 2E 78 70 69 } + $s83 = { 7B 37 63 34 32 65 65 61 31 2D 62 33 65 34 2D 34 62 65 34 2D 61 35 36 66 2D 38 32 61 35 38 35 32 62 31 32 64 63 7D 2E 78 70 69 } + $s84 = { 7B 62 33 65 39 36 62 35 66 2D 62 35 62 66 2D 38 62 34 38 2D 38 34 36 62 2D 35 32 66 34 33 30 33 36 35 65 38 30 7D 2E 78 70 69 } + $s85 = { 7B 65 62 31 66 62 35 37 62 2D 63 61 33 64 2D 34 36 32 34 2D 61 38 34 31 2D 37 32 38 66 64 62 32 38 34 35 35 66 7D 2E 78 70 69 } + $s86 = { 7B 37 36 35 39 36 65 33 30 2D 65 63 64 62 2D 34 37 37 61 2D 39 31 66 64 2D 63 30 38 66 32 30 31 38 64 66 31 61 7D 2E 78 70 69 } + $s87 = { 65 6A 6A 6C 61 64 69 6E 6E 63 6B 64 67 6A 65 6D 65 6B 65 62 64 70 65 6F 6B 62 69 6B 68 66 63 69 } + $s88 = { 62 67 70 69 70 69 6D 69 63 6B 65 61 64 6B 6A 6C 6B 6C 67 63 69 69 66 68 6E 61 6C 68 64 6A 68 65 } + $s89 = { 65 70 61 70 69 68 64 70 6C 61 6A 63 64 6E 6E 6B 64 65 69 61 68 6C 67 69 67 6F 66 6C 6F 69 62 67 } + $s90 = { 61 68 6F 6C 70 66 64 69 61 6C 6A 67 6A 66 68 6F 6D 69 68 6B 6A 62 6D 67 6A 69 64 6C 63 64 6E 6F } + $s91 = { 65 67 6A 69 64 6A 62 70 67 6C 69 63 68 64 63 6F 6E 64 62 63 62 64 6E 62 65 65 70 70 67 64 70 68 } + $s92 = { 70 6E 6E 64 70 6C 63 62 6B 61 6B 63 70 6C 6B 6A 6E 6F 6C 67 62 6B 64 67 6A 69 6B 6A 65 64 6E 6D } + $s93 = { 67 6F 6A 68 63 64 67 63 70 62 70 66 69 67 63 61 65 6A 70 66 68 66 65 67 65 6B 64 67 69 62 6C 6B } condition: 6 of them } diff --git a/third_party/yara/update.sh b/third_party/yara/update.sh index 7fac4c2a2..c972abe41 100755 --- a/third_party/yara/update.sh +++ b/third_party/yara/update.sh 
@@ -26,7 +26,7 @@ git_clone() {
 popd >/dev/null || exit 1
 }
-# fixup_rules fixes rules up, including lightly obfuscating them to avoid XProtect from matching malcontent
+# fixup_rules fixes rules up, including lightly obfuscating them to avoid CrowdStrike/XProtect from matching malcontent
 function fixup_rules() {
 perl -p -i -e 's#"/Library/Application Support\/Google/Chrome/Default/History"#/\\/Library\\/Application Support\\/Google\\/Chrome\\/Default\\/History\/#' "$@"
 perl -p -i -e 's#\/([a-z]{31})([a-z])\/#\/$1\[$2\]\/#;' "$@"
@@ -34,17 +34,22 @@ function fixup_rules() {
 perl -p -i -e 's/ +$//;' "$@"
 # VirusTotal-specific YARA
 perl -p -i -e 's#and file_type contains \"\w+\"##;' "$@"
- # Convert problematic string literals
+ # Convert text strings to hex in rules that trigger CrowdStrike/XProtect on macOS.
+ # These rules contain malware signature strings that, when embedded in the mal binary
+ # via go:embed, cause endpoint protection to kill the process or delete the binary.
+ local edr_flagged_rules=(
+ "Macos_Infostealer_Wallets.yar"
+ "MacOS_Trojan_XScreen.yar"
+ )
 for file in "$@"; do
- if [[ "$(basename "$file")" == "Macos_Infostealer_Wallets.yar" ]]; then
- perl -p -i -e 'if (/^(\s*)(\$s\d+)\s*=\s*"([^"]+)"\s+ascii wide nocase$/) {
- my $indent = $1;
- my $var = $2;
- my $str = $3;
- my $hex = join(" ", map { sprintf "%02X", ord($_) } split(//, $str));
- $_ = "$indent$var = {$hex}\n";
- }' "$file"
- fi
+ local base
+ base="$(basename "$file")"
+ for flagged in "${edr_flagged_rules[@]}"; do
+ if [[ "$base" == "$flagged" ]]; then
+ perl -i -pe 's/^(\s*)(\$\w+)\s*=\s*"([^"]+)"\s+ascii\s+\w+\s*$/sprintf("%s%s = { %s }\n", $1, $2, join(" ", map { sprintf "%02X", ord($_) } split(m{}, $3)))/e' "$file"
+ break
+ fi
+ done
 done
 }
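Review bot: The new one-liner's tail `\s+ascii\s+\w+\s*$` accepts any single modifier after `ascii`, so an `... ascii nocase` string in a flagged file would be rewritten into a case-sensitive hex string with no notice, while a line with two modifiers (e.g. `ascii wide fullword`) does not match at all and is silently left as text, which defeats the purpose of listing that file. Narrowing the tail to `\s+ascii\s+(?:wide|fullword)\s*$` makes the accepted forms explicit, and a post-check after the rewrite such as `grep -n '^\s*\$\w\+\s*=\s*"' "$file"` would surface any string the regex skipped rather than letting it reach the embedded binary. fixup_rules starts in the previous hunk; its closing brace is the last line of this one.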