From 48f65694af77f6c96e8147726d5ca547ed06373f Mon Sep 17 00:00:00 2001 
From: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 7 Jun 2026 00:41:25 +0000 Subject: [PATCH] Update third-party rules as of 2026-06-07 --- ...f84a0a6b7769a67ecbf6c0c9100c38d.elf.simple | 1 + .../elastic/Linux_Exploit_CVE_2017_17215.yar | 27 + .../elastic/Linux_Exploit_CVE_2018_10562.yar | 23 + .../elastic/Linux_Exploit_CVE_2018_12613.yar | 23 + .../elastic/Linux_Exploit_CVE_2020_10987.yar | 22 + .../elastic/Linux_Exploit_CVE_2020_25506.yar | 22 + .../elastic/Linux_Exploit_CVE_2020_7209.yar | 22 + .../elastic/Linux_Exploit_CVE_2021_35395.yar | 23 + .../elastic/Linux_Exploit_CVE_2021_36260.yar | 23 + .../elastic/Linux_Exploit_CVE_2021_46422.yar | 22 + .../elastic/Linux_Exploit_CVE_2022_01388.yar | 25 + .../elastic/Linux_Exploit_CVE_2022_0847.yar | 21 + .../elastic/Linux_Exploit_CVE_2022_22965.yar | 33 ++ .../elastic/Linux_Exploit_CVE_2022_25075.yar | 24 + .../elastic/Linux_Exploit_CVE_2022_26186.yar | 23 + .../elastic/Linux_Exploit_CVE_2022_26210.yar | 27 + .../elastic/Linux_Exploit_CVE_2022_30525.yar | 23 + .../elastic/Linux_Exploit_CVE_2022_37061.yar | 23 + .../elastic/Linux_Exploit_CVE_2024_1086.yar | 31 + .../yara/elastic/Linux_Exploit_Zero_32906.yar | 27 + .../yara/elastic/Linux_Generic_Threat.yar | 200 +++++++ .../yara/elastic/Linux_Hacktool_Flooder.yar | 20 - .../yara/elastic/Linux_Ransomware_Lockbit.yar | 20 + .../yara/elastic/Linux_Rootkit_Flipswitch.yar | 22 +- .../yara/elastic/Linux_Rootkit_VoidLink.yar | 32 + .../yara/elastic/Linux_Trojan_Gafgyt.yar | 20 - .../yara/elastic/Linux_Trojan_VoidLink.yar | 56 ++ .../elastic/Multi_Hacktool_LinPEAS_ng.yar | 546 ++++++++++++++++++ third_party/yara/elastic/RELEASE | 2 +- 29 files changed, 1333 insertions(+), 50 deletions(-) create mode 100644 third_party/yara/elastic/Linux_Exploit_CVE_2017_17215.yar create mode 100644 third_party/yara/elastic/Linux_Exploit_CVE_2018_10562.yar create mode 100644 third_party/yara/elastic/Linux_Exploit_CVE_2018_12613.yar create mode 
100644 third_party/yara/elastic/Linux_Exploit_CVE_2020_10987.yar create mode 100644 third_party/yara/elastic/Linux_Exploit_CVE_2020_25506.yar create mode 100644 third_party/yara/elastic/Linux_Exploit_CVE_2020_7209.yar create mode 100644 third_party/yara/elastic/Linux_Exploit_CVE_2021_35395.yar create mode 100644 third_party/yara/elastic/Linux_Exploit_CVE_2021_36260.yar create mode 100644 third_party/yara/elastic/Linux_Exploit_CVE_2021_46422.yar create mode 100644 third_party/yara/elastic/Linux_Exploit_CVE_2022_01388.yar create mode 100644 third_party/yara/elastic/Linux_Exploit_CVE_2022_22965.yar create mode 100644 third_party/yara/elastic/Linux_Exploit_CVE_2022_25075.yar create mode 100644 third_party/yara/elastic/Linux_Exploit_CVE_2022_26186.yar create mode 100644 third_party/yara/elastic/Linux_Exploit_CVE_2022_26210.yar create mode 100644 third_party/yara/elastic/Linux_Exploit_CVE_2022_30525.yar create mode 100644 third_party/yara/elastic/Linux_Exploit_CVE_2022_37061.yar create mode 100644 third_party/yara/elastic/Linux_Exploit_CVE_2024_1086.yar create mode 100644 third_party/yara/elastic/Linux_Exploit_Zero_32906.yar create mode 100644 third_party/yara/elastic/Linux_Rootkit_VoidLink.yar create mode 100644 third_party/yara/elastic/Linux_Trojan_VoidLink.yar create mode 100644 third_party/yara/elastic/Multi_Hacktool_LinPEAS_ng.yar
diff --git a/tests/linux/2024.sshdoor/dd98ee5273a02829167b255baf9979759f84a0a6b7769a67ecbf6c0c9100c38d.elf.simple b/tests/linux/2024.sshdoor/dd98ee5273a02829167b255baf9979759f84a0a6b7769a67ecbf6c0c9100c38d.elf.simple
index 89f164c7e..1b7db4731 100644
--- a/tests/linux/2024.sshdoor/dd98ee5273a02829167b255baf9979759f84a0a6b7769a67ecbf6c0c9100c38d.elf.simple
+++ b/tests/linux/2024.sshdoor/dd98ee5273a02829167b255baf9979759f84a0a6b7769a67ecbf6c0c9100c38d.elf.simple
@@ -1,4 +1,5 @@
 # linux/2024.sshdoor/dd98ee5273a02829167b255baf9979759f84a0a6b7769a67ecbf6c0c9100c38d.elf: critical
+3P/elastic/threat: high
 anti-behavior/random_behavior: low
 c2/addr/ip: medium
 c2/addr/url: low
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2017_17215.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2017_17215.yar
new file mode 100644
index 000000000..a7f081b36
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2017_17215.yar
@@ -0,0 +1,27 @@
+rule Linux_Exploit_CVE_2017_17215_8b78a857 {
+ meta:
+ author = "Elastic Security"
+ id = "8b78a857-05bd-46b2-9de7-b1e169e3c49f"
+ fingerprint = "95f4716832c7d3ef26deac18ce841a9d6c2b6375f87e1ad984e4bf7ee5ef1f8f"
+ creation_date = "2022-12-16"
+ last_modified = "2026-05-22"
+ description = "Exploit code used in the ZeroBot malware"
+ threat_name = "Linux.Exploit.CVE-2017-17215"
+ reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $bot_a = ""
+ $bot_b = ""
+ $bot_c = ""
+ $bot_d = "HUAWEIUPNP"
+ $bot_e = ""
+ $bot_f = "dslf-config"
+ $bot_g = "ctrlt/DeviceUpgrade_1"
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2018_10562.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2018_10562.yar
new file mode 100644
index 000000000..a02c8d677
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2018_10562.yar
@@ -0,0 +1,23 @@
+rule Linux_Exploit_CVE_2018_10562_badc0676 {
+ meta:
+ author = "Elastic Security"
+ id = "badc0676-72aa-4087-80a1-998c4af8ef1f"
+ fingerprint = "c58ed5c3f6eac8529017255504d40b21fc85a8d2b81389179a81f52eb90443a1"
+ creation_date = "2022-12-16"
+ last_modified = "2026-05-22"
+ description = "Exploit code used in the ZeroBot malware"
+ threat_name = "Linux.Exploit.CVE-2018-10562"
+ reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $bot_a = "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host="
+ $bot_b = "GponForm/diag_Form?images"
+ $bot_c = "&ipv=0"
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2018_12613.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2018_12613.yar
new file mode 100644
index 000000000..52c9e997c
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2018_12613.yar
@@ -0,0 +1,23 @@
+rule Linux_Exploit_CVE_2018_12613_97ccd724 {
+ meta:
+ author = "Elastic Security"
+ id = "97ccd724-0873-414c-b13c-09bbe1ad86ba"
+ fingerprint = "ffc47d8251b6bc270df10dc11efd758aada3e3bdd92a367669688c6a76e68a07"
+ creation_date = "2022-12-16"
+ last_modified = "2026-05-22"
+ description = "Exploit code used in the ZeroBot malware"
+ threat_name = "Linux.Exploit.CVE-2018-12613"
+ reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $bot_a = "cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash"
+ $bot_b = "cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash"
+ $bot_c = "POST" nocase
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2020_10987.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2020_10987.yar
new file mode 100644
index 000000000..1b6e869a9
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2020_10987.yar
@@ -0,0 +1,22 @@
+rule Linux_Exploit_CVE_2020_10987_15e9f5be {
+ meta:
+ author = "Elastic Security"
+ id = "15e9f5be-ba3e-4d71-918b-e67667a9ed77"
+ fingerprint = "4bf3b6a4b5cf379082aafc8f0eb395a91df6741e9c4f495794e46b5d7a81c22d"
+ creation_date = "2022-12-16"
+ last_modified = "2026-05-22"
+ description = "Exploit code used in the ZeroBot malware"
+ threat_name = "Linux.Exploit.CVE-2020-10987"
+ reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $bot_a = "goform/setUsbUnload/.js?deviceName="
+ $bot_b = "GET" nocase
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2020_25506.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2020_25506.yar
new file mode 100644
index 000000000..de460a3f9
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2020_25506.yar
@@ -0,0 +1,22 @@
+rule Linux_Exploit_CVE_2020_25506_ac99289a {
+ meta:
+ author = "Elastic Security"
+ id = "ac99289a-aecf-4378-8a8f-acd4e7068374"
+ fingerprint = "6718908e59601e8fb9f2c291d5244f8516a5709e9bf06889220fdca38298a58a"
+ creation_date = "2022-12-16"
+ last_modified = "2026-05-22"
+ description = "Exploit code used in the ZeroBot malware"
+ threat_name = "Linux.Exploit.CVE-2020-25506"
+ reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $bot_a = "cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`"
+ $bot_b = "POST" nocase
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2020_7209.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2020_7209.yar
new file mode 100644
index 000000000..8c7db90b4
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2020_7209.yar
@@ -0,0 +1,22 @@
+rule Linux_Exploit_CVE_2020_7209_bcc33886 {
+ meta:
+ author = "Elastic Security"
+ id = "bcc33886-f3ea-4534-a66a-5bd31fd35659"
+ fingerprint = "5041efc2f9da2dc1f123dd55cb08eb23ee61483ca8f24abe8256e3aa0993ace8"
+ creation_date = "2022-12-16"
+ last_modified = "2026-05-22"
+ description = "Exploit code used in the ZeroBot malware"
+ threat_name = "Linux.Exploit.CVE-2020-7209"
+ reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $a = "linuxki/experimental/vis/kivis.php?type=kitrace&pid=15;echo BEGIN"
+ $b = "echo END"
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2021_35395.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2021_35395.yar
new file mode 100644
index 000000000..adcc187cd
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2021_35395.yar
@@ -0,0 +1,23 @@
+rule Linux_Exploit_CVE_2021_35395_e3d541a3 {
+ meta:
+ author = "Elastic Security"
+ id = "e3d541a3-b690-4847-b96c-870eb62f5a7b"
+ fingerprint = "748a864a72258e75ec8bcced462f21f6852b9ecb69c775060036f4d7cf41c17c"
+ creation_date = "2022-12-16"
+ last_modified = "2026-05-22"
+ description = "Exploit code used in the ZeroBot malware"
+ threat_name = "Linux.Exploit.CVE-2021-35395"
+ reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $bot_a = ";&setPIN=Start+PIN&configVxd=off&resetRptUnCfg=0&peerRptPin="
+ $bot_b = "submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;"
+ $bot_c = "application/x-www-form-urlencoded"
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2021_36260.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2021_36260.yar
new file mode 100644
index 000000000..d74bea683
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2021_36260.yar
@@ -0,0 +1,23 @@
+rule Linux_Exploit_CVE_2021_36260_43fd3a87 {
+ meta:
+ author = "Elastic Security"
+ id = "43fd3a87-04be-4b7e-af7d-a5c40e841150"
+ fingerprint = "135d021cc767b0fc6075447c685b8db661d2cd9956da0c6387381b19793c00be"
+ creation_date = "2022-12-16"
+ last_modified = "2026-05-22"
+ description = "Exploit code used in the ZeroBot malware"
+ threat_name = "Linux.Exploit.CVE-2021-36260"
+ reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $bot_a = "$("
+ $bot_b = ")"
+ $bot_c = "POST" nocase
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2021_46422.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2021_46422.yar
new file mode 100644
index 000000000..037a3dacb
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2021_46422.yar
@@ -0,0 +1,22 @@
+rule Linux_Exploit_CVE_2021_46422_69af1b79 {
+ meta:
+ author = "Elastic Security"
+ id = "69af1b79-d4f4-44f3-a47b-bf90ddf5a03b"
+ fingerprint = "5fc6dce83b6cb565a16c1a71338e7300be1cbcdafbdfa60a3963be2cb7518768"
+ creation_date = "2022-12-16"
+ last_modified = "2026-05-22"
+ description = "Exploit code used in the ZeroBot malware"
+ threat_name = "Linux.Exploit.CVE-2021-46422"
+ reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $bot_a = "cgi-bin/admin.cgi?Command=sysCommand&Cmd="
+ $bot_b = "GET" nocase
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2022_01388.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2022_01388.yar
new file mode 100644
index 000000000..81ca4335c
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2022_01388.yar
@@ -0,0 +1,25 @@
+rule Linux_Exploit_CVE_2022_01388_ceb513f4 {
+ meta:
+ author = "Elastic Security"
+ id = "ceb513f4-8f74-4f1f-9e5a-06a022cb9ac2"
+ fingerprint = "284329949a30687418c86c05939c743f2227ea69a7e4710a813851472ef13b1f"
+ creation_date = "2022-12-16"
+ last_modified = "2026-05-22"
+ description = "Exploit code used in the ZeroBot malware"
+ threat_name = "Linux.Exploit.CVE-2022-01388"
+ reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $bot_a = "mgmt/tm/util/bash"
+ $bot_b = "X-F5-Auth-Token"
+ $bot_c = "utilCmdArgs"
+ $bod_d = "Basic YWRtaW46"
+ $bot_e = "commandResult"
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2022_0847.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2022_0847.yar
index 83b6e09b5..960500bc5 100644
--- a/third_party/yara/elastic/Linux_Exploit_CVE_2022_0847.yar
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2022_0847.yar
@@ -26,3 +26,24 @@ rule Linux_Exploit_CVE_2022_0847_e831c285 {
 ($pp and 2 of ($s*)) or (all of ($bs*))
 }
 
+rule Linux_Exploit_CVE_2022_0847_7ea8d784 {
+ meta:
+ author = "Elastic Security"
+ id = "7ea8d784-055f-4ed8-814a-ec8dc323924a"
+ fingerprint = "68682e92769895d0457fe8cef3a0b0bdc832e7e8b31dd5424c8c7410e93ae4de"
+ creation_date = "2023-08-30"
+ last_modified = "2026-05-22"
+ threat_name = "Linux.Exploit.CVE-2022-0847"
+ reference_sample = "fbb5387ca61db0ce27f8b4663f86c1c228afebaf8f7199da5780fc95480c4ff8"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $a1 = "Usage: %s TARGETFILE OFFSET DATA" fullword
+ $a2 = "splice failed" fullword
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2022_22965.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2022_22965.yar
new file mode 100644
index 000000000..ee5dd177e
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2022_22965.yar
@@ -0,0 +1,33 @@
+rule Linux_Exploit_CVE_2022_22965_32d3fcd0 {
+ meta:
+ author = "Elastic Security"
+ id = "32d3fcd0-ef4f-4fa3-8d4a-02791d7d8ff8"
+ fingerprint = "11865042f9bd5a88e1bcdaa149b10e02725afb7335b4c7255c9f0e1faaf5b46c"
+ creation_date = "2022-12-15"
+ last_modified = "2026-05-22"
+ threat_name = "Linux.Exploit.CVE-2022-22965"
+ reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $bot_a_1 = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{c2}i if"
+ $bot_b_1 = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if"
+ $bot_a_2 = "(\"j\".equals(request.getParameter(\"pwd\"))){ java.io.InputStream in = %2"
+ $bot_b_2 = "(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%2"
+ $bot_a_3 = "5{c1}i.getRuntime().exec(request.getParameter(\"cmd\")).getInputStream(); int "
+ $bot_b_3 = "5%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20"
+ $bot_a_4 = "a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!"
+ $bot_b_4 = "a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!"
+ $bot_a_5 = "%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.cl"
+ $bot_b_5 = "=-1){ out.println(new String(b)); } } %{suffix}i&class.module.cl"
+ $bot_c_6 = "assLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.res"
+ $bot_c_7 = "ources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resou"
+ $bot_c_8 = "rces.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.con"
+ $bot_c_9 = "text.parent.pipeline.first.fileDateFormat="
+ condition:
+ 3 of ($bot_c_*) and (3 of ($bot_a_*) or 3 of ($bot_b_*))
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2022_25075.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2022_25075.yar
new file mode 100644
index 000000000..24f3209ee
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2022_25075.yar
@@ -0,0 +1,24 @@
+rule Linux_Exploit_CVE_2022_25075_4dc28b4f {
+ meta:
+ author = "Elastic Security"
+ id = "4dc28b4f-921d-4b68-918f-a43f7bfe0b72"
+ fingerprint = "f90c8ea6e4d2523699b877825766e1414798215ca16ae59df0dadd6c1f472008"
+ creation_date = "2022-12-15"
+ last_modified = "2026-05-22"
+ description = "Exploit code used in the ZeroBot malware"
+ threat_name = "Linux.Exploit.CVE-2022-25075"
+ reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $bot_a = "cgi-bin/downloadFlile.cgi?payload="
+ $bot_b = "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5"
+ $bot_c = "Upgrade-Insecure-Requests"
+ $bod_d = "max-age=0m"
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2022_26186.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2022_26186.yar
new file mode 100644
index 000000000..043768b9e
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2022_26186.yar
@@ -0,0 +1,23 @@
+rule Linux_Exploit_CVE_2022_26186_e73c43db {
+ meta:
+ author = "Elastic Security"
+ id = "e73c43db-60c3-435d-9789-2117cbcb43f6"
+ fingerprint = "092b0dc5109d3d72a477b7028131170f0c67acdfcd89ec4e7ae68f7ca25c156b"
+ creation_date = "2022-12-15"
+ last_modified = "2026-05-22"
+ description = "Exploit code used in the ZeroBot malware"
+ threat_name = "Linux.Exploit.CVE-2022-26186"
+ reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $bot_a = "cgi-bin/cstecgi.cgi?exportOvpn=&type=user&comand=;"
+ $bot_b = ";&filetype=sh"
+ $bot_c = "SESSION_ID=2:1"
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2022_26210.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2022_26210.yar
new file mode 100644
index 000000000..b113e5958
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2022_26210.yar
@@ -0,0 +1,27 @@
+rule Linux_Exploit_CVE_2022_26210_f56def34 {
+ meta:
+ author = "Elastic Security"
+ id = "f56def34-eef0-4ed5-bcbb-076a2898ce0c"
+ fingerprint = "11b5e292651aa6cb414032a19e8e0c873e09f99708b5675ce6529deafd35d049"
+ creation_date = "2022-12-15"
+ last_modified = "2026-05-22"
+ description = "Exploit code used in the ZeroBot malware"
+ threat_name = "Linux.Exploit.CVE-2022-26210"
+ reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $a = "topicurl"
+ $bot_b = "setting/setUpgradeFW"
+ $bot_c = "Flags"
+ $bot_d = "FileName"
+ $bot_e = "cgi-bin/cstecgi.cgi"
+ $bot_f = "XMLHttpRequest"
+ $bot_g = "SESSION_ID=2:1"
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2022_30525.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2022_30525.yar
new file mode 100644
index 000000000..782d0725b
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2022_30525.yar
@@ -0,0 +1,23 @@
+rule Linux_Exploit_CVE_2022_30525_d01356ed {
+ meta:
+ author = "Elastic Security"
+ id = "d01356ed-abd6-4457-96b3-9fb66b2d0029"
+ fingerprint = "e40a3fdfda8fe5f32680407692a150c9c53cb856742a953ed6bc1e8b446a86d5"
+ creation_date = "2022-12-15"
+ last_modified = "2026-05-22"
+ description = "Exploit code used in the ZeroBot malware"
+ threat_name = "Linux.Exploit.CVE-2022-30525"
+ reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $bot_a = "setWanPortStshadowservershadowstreamsharp-server"
+ $bot_b = "dota?"
+ $bot_c = "ztp/cgi-bin/handler"
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2022_37061.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2022_37061.yar
new file mode 100644
index 000000000..0421f69de
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2022_37061.yar
@@ -0,0 +1,23 @@
+rule Linux_Exploit_CVE_2022_37061_217e5071 {
+ meta:
+ author = "Elastic Security"
+ id = "217e5071-41d6-47fc-b9e4-c051c2f9dedd"
+ fingerprint = "128e7e6d9282080345d8a6d3695e6f5e715395982a1dd40958a5ec36c7506aba"
+ creation_date = "2022-12-15"
+ last_modified = "2026-05-22"
+ description = "Exploit code used in the ZeroBot malware"
+ threat_name = "Linux.Exploit.CVE-2022-37061"
+ reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $bot_a = "res.php"
+ $bot_b = "action=alarm&id="
+ $bot_c = "application/x-www-form-urlencoded; charset=UTF-8"
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_CVE_2024_1086.yar b/third_party/yara/elastic/Linux_Exploit_CVE_2024_1086.yar
new file mode 100644
index 000000000..a18db44d0
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_CVE_2024_1086.yar
@@ -0,0 +1,31 @@
+rule Linux_Exploit_CVE_2024_1086_fc4e57fd {
+ meta:
+ author = "Elastic Security"
+ id = "fc4e57fd-e830-461e-ad49-e6858e504b41"
+ fingerprint = "c3873781bffb5d204131ad4ad138a3be7fa75905c31eab6f6422d62f55c1f94f"
+ creation_date = "2024-03-26"
+ last_modified = "2026-05-22"
+ threat_name = "Linux.Exploit.CVE-2024-1086"
+ reference_sample = "d8dd09b01eb4e363d88ff53c0aace04c39dbea822b7adba7a883970abbf72a77"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $s1 = "nftnl_chain_alloc"
+ $s2 = "/proc/sys/kernel/modprobe"
+ $s3 = "echo -n 1 1>/proc/%u/fd/%u"
+ $s4 = "/proc/self/uid_map"
+ $s5 = "/proc/self/setgroups"
+ $s6 = "unshare(CLONE_NEWUSER)"
+ $s7 = "unshare(CLONE_NEWNET)"
+ $s8 = "/sbin/nft delete table ip filter"
+ $s9 = "/proc/sys/net/ipv4/conf/%s/rp_filter"
+ $fs1 = "confirmed double alloc PMD/PTE"
+ $fs2 = "spraying %d pte's..."
+ $fs3 = "verified modprobe_path/usermodehelper_path"
+ condition:
+ all of ($fs*) or all of ($s*)
+}
+
diff --git a/third_party/yara/elastic/Linux_Exploit_Zero_32906.yar b/third_party/yara/elastic/Linux_Exploit_Zero_32906.yar
new file mode 100644
index 000000000..4da1a92a4
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Exploit_Zero_32906.yar
@@ -0,0 +1,27 @@
+rule Linux_Exploit_Zero_32906_1c5e089e {
+ meta:
+ author = "Elastic Security"
+ id = "1c5e089e-60a4-44ae-b324-38f9e6405b11"
+ fingerprint = "ad0a84dd9af3f3a8369accdc78e1acdf56f7422d8ba9f36396807f65d9b88cbd"
+ creation_date = "2022-12-16"
+ last_modified = "2026-05-22"
+ description = "Exploit code used in the ZeroBot malware"
+ threat_name = "Linux.Exploit.Zero-32906"
+ reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $bot_a = "sysCmd"
+ $bot_b = "apply"
+ $bot_c = "Apply"
+ $bot_d = "submit-url"
+ $bot_e = "asyscmd.asp"
+ $bot_f = "msg"
+ $bot_g = "goform/formSysCmd"
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Generic_Threat.yar b/third_party/yara/elastic/Linux_Generic_Threat.yar
index 9a98b7d99..328b8a474 100644
--- a/third_party/yara/elastic/Linux_Generic_Threat.yar
+++ b/third_party/yara/elastic/Linux_Generic_Threat.yar
@@ -1232,3 +1232,203 @@ rule Linux_Generic_Threat_be02b1c9 {
 all of them
 }
 
+rule Linux_Generic_Threat_c19ca8e5 {
+ meta:
+ author = "Elastic Security"
+ id = "c19ca8e5-eed0-4c92-abb3-2ff800e68c99"
+ fingerprint = "1fb27f4b77439494bda58a2d805208f1953ea03aead4aafd04513cf76f490d45"
+ creation_date = "2025-01-08"
+ last_modified = "2026-05-22"
+ threat_name = "Linux.Generic.Threat"
+ reference_sample = "e2c06dfd108cd48e6f3a9bd18c0812fa3e7b03fc422a4756a281aeb410116c5d"
+ severity = 50
+ arch_context = "x86, arm64"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $a1 = { D0 4D E2 01 60 A0 E1 01 30 D5 E4 09 00 53 E3 20 00 53 13 03 40 A0 E1 FA FF FF 0A 0A 00 53 E3 F8 FF FF 0A 2D 00 53 E3 39 00 00 0A 2B 00 53 E3 01 40 D5 04 02 71 E0 E3 00 A0 A0 E3 07 00 A0 E1 06 }
+ condition:
+ all of them
+}
+
+rule Linux_Generic_Threat_f0a0ecd5 {
+ meta:
+ author = "Elastic Security"
+ id = "f0a0ecd5-1faf-4a26-8797-dfb78c2169e9"
+ fingerprint = "c9f1e03fe68df3e6919a771f90214e94ddd5b4d4a396ed0f817c1a220d6a00fd"
+ creation_date = "2025-01-08"
+ last_modified = "2026-05-22"
+ threat_name = "Linux.Generic.Threat"
+ reference_sample = "8af6520884b12350097cea5e452e0515d5ad83d23d0e4623266afa1f2c0c85cb"
+ severity = 50
+ arch_context = "x86, arm64"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $a1 = { D0 4D E2 04 10 8D E2 04 00 00 EB 01 00 70 E2 00 00 A0 33 44 D0 8D E2 04 E0 9D E4 1E FF 2F E1 70 40 2D E9 28 D0 4D E2 04 60 8D E2 01 40 A0 E1 06 20 A0 E1 5C 10 9F E5 62 01 00 EB 00 50 50 E2 10 }
+ condition:
+ all of them
+}
+
+rule Linux_Generic_Threat_0ea505fa {
+ meta:
+ author = "Elastic Security"
+ id = "0ea505fa-53d3-4c3a-9d24-ef6d9c371aa0"
+ fingerprint = "c986e6284bda5cb30b9b3aba141cee27b735e4831d0b9384daeb4bf542d5ded1"
+ creation_date = "2025-01-08"
+ last_modified = "2026-05-22"
+ threat_name = "Linux.Generic.Threat"
+ reference_sample = "2bf1a80e2aab544c3c9df7b36bc9df18371091019804602ded43a0b795d082cb"
+ severity = 50
+ arch_context = "x86, arm64"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $a1 = { D0 4D E2 00 30 E0 E3 02 00 00 EB 04 D0 8D E2 04 E0 9D E4 1E FF 2F E1 F0 41 2D E9 00 C0 D1 E5 1C 84 9F E5 72 00 5C E3 08 80 8F E0 10 D0 4D E2 00 70 A0 E1 02 50 A0 E1 03 60 A0 E1 12 00 00 0A 77 }
+ condition:
+ all of them
+}
+
+rule Linux_Generic_Threat_60848c61 {
+ meta:
+ author = "Elastic Security"
+ id = "60848c61-dd2f-470e-b1e0-3f644c41da40"
+ fingerprint = "c4e40bb31057990d07374803c7a76d437b101d9f48de4e324dd85cd51dc03970"
+ creation_date = "2025-01-08"
+ last_modified = "2026-05-22"
+ threat_name = "Linux.Generic.Threat"
+ reference_sample = "1efa902359668980af91dd25fc6c0dedee94758dcdc1ea580dceeb616dafa37f"
+ severity = 50
+ arch_context = "x86, arm64"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $a1 = { D0 4D E2 01 00 A0 E3 AD 00 00 EB 04 D0 8D E2 04 E0 9D E4 1E FF 2F E1 04 E0 2D E5 00 10 A0 E1 04 D0 4D E2 06 00 A0 E3 A5 00 00 EB 04 D0 8D E2 04 E0 9D E4 1E FF 2F E1 04 E0 2D E5 01 C0 A0 E1 02 }
+ condition:
+ all of them
+}
+
+rule Linux_Generic_Threat_af48ca6a {
+ meta:
+ author = "Elastic Security"
+ id = "af48ca6a-f632-4a14-80ee-1b201273653d"
+ fingerprint = "ffd2b7e7d2777ee12f59d6f243e4868bc72b81cc9a05091a91944bfd29a4d636"
+ creation_date = "2025-01-08"
+ last_modified = "2026-05-22"
+ threat_name = "Linux.Generic.Threat"
+ reference_sample = "0f25e70efca8d0a5c88b70b19a6eaab0e3edae075130c129c1cb1c1ddeeb87a8"
+ severity = 50
+ arch_context = "x86, arm64"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $a1 = { D0 4D E2 01 50 A0 E1 00 40 A0 E1 02 00 00 9A 04 00 51 E3 00 A0 90 E5 01 00 00 1A 1C D0 8D E2 F0 8F BD E8 05 00 51 E3 04 10 D0 E5 08 10 8D E5 F9 FF FF 0A 05 70 D0 E5 00 00 57 E3 F6 FF FF 0A 07 }
+ condition:
+ all of them
+}
+
+rule Linux_Generic_Threat_80dd1c5b {
+ meta:
+ author = "Elastic Security"
+ id = "80dd1c5b-33a0-4689-aee4-c3e1e40b8826"
+ fingerprint = "bcf593839e8855658f4084f16583f4d5425843b6a170be3b9add94bb54092138"
+ creation_date = "2025-01-08"
+ last_modified = "2026-05-22"
+ threat_name = "Linux.Generic.Threat"
+ reference_sample = "97632ef95b4bf4bd4c7e7c7f72e530dccc50f52055fa8cea6deeb489bf55bf09"
+ severity = 50
+ arch_context = "x86, arm64"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $a1 = { D0 4D E2 28 00 0B E5 2C 10 0B E5 34 30 0B E5 BE 22 4B E1 2C 30 1B E5 20 30 0B E5 28 30 1B E5 0C 30 93 E5 1C 30 0B E5 28 30 1B E5 10 30 93 E5 18 30 0B E5 00 30 A0 E3 14 30 0B E5 34 30 1B E5 10 }
+ condition:
+ all of them
+}
+
+rule Linux_Generic_Threat_661c9789 {
+ meta:
+ author = "Elastic Security"
+ id = "661c9789-2509-4cdc-83b5-0fe7795c19f9"
+ fingerprint = "408b14366612e2e765252a0b7b72dffb528f4205dd911b2980393c65e6e04052"
+ creation_date = "2025-01-08"
+ last_modified = "2026-05-22"
+ threat_name = "Linux.Generic.Threat"
+ reference_sample = "9beae633892a4072df6c972f02ec50bd75dfa4f266abc768d5b5c6e083a02f43"
+ severity = 50
+ arch_context = "x86, arm64"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $a1 = { D0 4D E2 18 00 0B E5 1C 10 0B E5 18 30 1B E5 83 31 A0 E1 03 20 A0 E1 3C 30 9F E5 03 30 82 E0 10 30 0B E5 1C 30 1B E5 00 00 53 E3 04 00 00 0A 10 30 1B E5 B4 30 D3 E1 03 20 A0 E1 1C 30 1B E5 00 }
+ condition:
+ all of them
+}
+
+rule Linux_Generic_Threat_b222ff86 {
+ meta:
+ author = "Elastic Security"
+ id = "b222ff86-a2d7-408a-bd0c-4115d4b2608f"
+ fingerprint = "59780aa71d89de15d1c8c81711dd1ade24b317ccff1de142cf69612f0813aa69"
+ creation_date = "2025-01-08"
+ last_modified = "2026-05-22"
+ threat_name = "Linux.Generic.Threat"
+ reference_sample = "71aca5f24011f9b6cd7d82ce50e47ce99b16cc0c454fbd1e54f6f5739ec43e71"
+ severity = 50
+ arch_context = "x86, arm64"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $a1 = { D0 4D E2 01 80 A0 E1 00 10 A0 E3 00 60 A0 E1 01 00 A0 E1 00 30 E0 E3 01 20 A0 E3 30 30 8D E5 F8 22 CD E1 00 40 A0 E3 34 30 8D E5 40 30 8D E5 44 30 8D E5 FB 1F 00 EB 44 5D 9F E5 44 7D 9F E5 14 }
+ condition:
+ all of them
+}
+
+rule Linux_Generic_Threat_d2f8e898 {
+ meta:
+ author = "Elastic Security"
+ id = "d2f8e898-a128-4733-86d9-ec5470974007"
+ fingerprint = "5d2b7f5c1025f7b3a0bb200ccad4274bfc1f3d99351a0b01fa4793388e70bbad"
+ creation_date = "2025-01-08"
+ last_modified = "2026-05-22"
+ threat_name = "Linux.Generic.Threat"
+ reference_sample = "517e06dbc22185b97a345e1298067c40baf8643f4b0e135f9b90e34b55ed25a9"
+ severity = 50
+ arch_context = "x86, arm64"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $a1 = { D0 4D E2 14 00 0B E5 18 10 0B E5 14 30 1B E5 83 31 A0 E1 03 20 A0 E1 44 30 9F E5 03 30 82 E0 10 30 0B E5 18 30 1B E5 00 00 53 E3 07 00 00 0A 10 30 1B E5 04 30 83 E2 00 20 D3 E5 01 30 D3 E5 03 }
+ condition:
+ all of them
+}
+
+rule Linux_Generic_Threat_12952cf5 {
+ meta:
+ author = "Elastic Security"
+ id = "12952cf5-70f8-4978-bc38-ba9d366930e2"
+ fingerprint = "28656bd69aac25ab024c25b552ac00d0b0f90b7d997b63e0e74128c566447b2e"
+ creation_date = "2025-01-08"
+ last_modified = "2026-05-22"
+ threat_name = "Linux.Generic.Threat"
+ reference_sample = "96b52820b8694c1392025d06f8d4ca2d8dce2370bd13d24691d8d2b143ed6a56"
+ severity = 50
+ arch_context = "x86, arm64"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $a1 = { 48 81 EC B8 00 00 00 48 89 FE 48 89 E7 64 48 8B 04 25 28 00 00 00 48 89 84 24 A8 00 00 00 31 C0 ?? ?? ?? ?? ?? 85 C0 0F 94 C0 48 8B 94 24 A8 00 00 00 64 48 33 14 25 28 00 00 00 75 08 }
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Hacktool_Flooder.yar b/third_party/yara/elastic/Linux_Hacktool_Flooder.yar
index 9895b9995..534c556bc 100644
--- a/third_party/yara/elastic/Linux_Hacktool_Flooder.yar
+++ b/third_party/yara/elastic/Linux_Hacktool_Flooder.yar
@@ -197,26 +197,6 @@ rule Linux_Hacktool_Flooder_a2795a4c {
 all of them
 }
-rule Linux_Hacktool_Flooder_678c1145 {
- meta:
- author = "Elastic Security"
- id = "678c1145-cc41-4e83-bc88-30f64da46dd3"
- fingerprint = "f4f66668b45f520bc107b7f671f8c7f42073d7ff28863e846a74fbd6cac03e87"
- creation_date = "2021-01-12"
- last_modified = "2021-09-16"
- threat_name = "Linux.Hacktool.Flooder"
- reference_sample = "559793b9cb5340478f76aaf5f81c8dbfbcfa826657713d5257dac3c496b243a6"
- severity = 100
- arch_context = "x86"
- scan_context = "file, memory"
- license = "Elastic License v2"
- os = "linux"
- strings:
- $a = { C8 48 BA AB AA AA AA AA AA AA AA 48 89 C8 48 F7 E2 48 C1 EA 05 48 }
- condition:
- all of them
-}
-
 rule Linux_Hacktool_Flooder_3cbdfb1f {
 meta:
 author = "Elastic Security"
diff --git a/third_party/yara/elastic/Linux_Ransomware_Lockbit.yar b/third_party/yara/elastic/Linux_Ransomware_Lockbit.yar
index 946306076..ff36918d4 100644
--- a/third_party/yara/elastic/Linux_Ransomware_Lockbit.yar
+++ b/third_party/yara/elastic/Linux_Ransomware_Lockbit.yar
@@ -45,3 +45,23 @@ rule Linux_Ransomware_Lockbit_5b30a04b {
 all of them
 }
+rule Linux_Ransomware_Lockbit_4a497d53 {
+ meta:
+ author = "Elastic Security"
+ id = "4a497d53-3e96-49b2-abb3-098c4a87267e"
+ fingerprint = "f0f55b9fc3f46724a96d90db45346fb104227480b902ed3054e002f725475d69"
+ creation_date = "2025-01-09"
+ last_modified = "2026-05-22"
+ threat_name = "Linux.Ransomware.Lockbit"
+ reference_sample = "a60acd0adeccbe29ff8402db0e974eba25c9acf98a3af98940e518d465fb1bbe"
+ severity = 100
+ arch_context = "x86, arm64"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $a = { 24 B3 A0 E1 40 70 8D E5 44 50 8D E5 40 80 89 E2 00 70 A0 E3 50 50 8D E2 0B 00 57 E1 }
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Linux_Rootkit_Flipswitch.yar b/third_party/yara/elastic/Linux_Rootkit_Flipswitch.yar
index 1c9476b42..c3359bcba 100644
--- a/third_party/yara/elastic/Linux_Rootkit_Flipswitch.yar
+++ b/third_party/yara/elastic/Linux_Rootkit_Flipswitch.yar
@@ -2,9 +2,9 @@ rule Linux_Rootkit_Flipswitch_821f3c9e {
 meta:
 author = "Elastic Security"
 id = "821f3c9e-ffce-4df1-903c-4ad898009388"
- fingerprint = "ea27ee70f3af34c20bcde6e9a0ab04d8011d1ca7f79c4537ea0a152da0789261"
+ fingerprint = "40c10edaeed31be37f5b90e7838926174fbb9970fd809fe1ad80210cea338ce6"
 creation_date = "2025-09-05"
- last_modified = "2025-09-17"
+ last_modified = "2026-05-22"
 description = "Yara rule to detect the FlipSwitch rootkit PoC"
 threat_name = "Linux.Rootkit.Flipswitch"
 severity = 100
@@ -13,14 +13,18 @@ rule Linux_Rootkit_Flipswitch_821f3c9e {
 license = "Elastic License v2"
 os = "linux"
 strings:
- $all_a = { FF FF 48 89 45 E8 F0 80 ?? ?? ?? 31 C0 48 89 45 F0 48 8B 45 E8 0F 22 C0 }
- $obf_b = { BA AA 00 00 00 BE 0D 00 00 00 48 C7 ?? ?? ?? ?? ?? 49 89 C4 E8 }
- $obf_c = { BA AA 00 00 00 BE 15 00 00 00 48 89 C3 E8 ?? ?? ?? ?? 48 89 DF 48 89 43 30 E8 ?? ?? ?? ?? 85 C0 74 0D 48 89 DF E8 }
- $main_b = { 41 54 53 E8 ?? ?? ?? ?? 48 C7 C7 ?? ?? ?? ?? 49 89 C4 E8 ?? ?? ?? ?? 4D 85 E4 74 2D 48 89 C3 48 85 }
- $main_c = { 48 85 C0 74 1F 48 C7 ?? ?? ?? ?? ?? ?? 48 89 C7 48 89 C3 E8 ?? ?? ?? ?? 85 C0 74 0D 48 89 DF E8 ?? ?? ?? ?? 45 31 E4 EB 14 }
+ $all_a = { FF FF 48 89 45 E8 F0 80 [3] 31 C0 48 89 45 F0 48 8B 45 E8 0F 22 C0 }
+ $all_b = { FF FF 48 89 04 24 F0 80 [3] 31 C0 48 89 44 24 08 48 8B 04 24 0F 22 C0 }
+ $obf_b_1 = { BA AA 00 00 00 BE 0D 00 00 00 48 C7 [5] 49 89 C4 E8 }
+ $obf_b_2 = { BA AA 00 00 00 BE 0D 00 00 00 48 C7 [5] 48 89 C5 E8 [4] 48 89 C7 E8 [4] 48 85 ED 74 32 }
+ $obf_c = { BA AA 00 00 00 BE 15 00 00 00 48 89 C3 E8 [4] 48 89 DF 48 89 43 30 E8 [4] 85 C0 74 0D 48 89 DF E8 }
+ $main_b = { 41 54 53 E8 [4] 48 C7 C7 [4] 49 89 C4 E8 [4] 4D 85 E4 74 2D 48 89 C3 48 85 }
+ $main_c = { 48 85 C0 74 1F 48 C7 [6] 48 89 C7 48 89 C3 E8 [4] 85 C0 74 0D 48 89 DF E8 [4] 45 31 E4 EB 14 }
+ $main_d = { 48 85 ED 74 32 48 89 C3 48 85 C0 74 2A E8 [4] 48 89 C7 48 85 C0 74 1D 31 C0 48 89 47 08 48 89 47 10 48 89 47 18 48 89 47 20 }
 $debug_b = { 48 89 E5 41 54 53 48 85 C0 0F 84 ?? ?? 00 00 48 C7 }
- $debug_c = { 48 85 C0 74 45 48 C7 ?? ?? ?? ?? ?? ?? 48 89 C7 48 89 C3 E8 ?? ?? ?? ?? 85 C0 75 26 48 89 DF 4C 8B 63 28 E8 ?? ?? ?? ??
48 89 DF E8 }
+ $debug_c = { 48 85 C0 74 45 48 C7 [6] 48 89 C7 48 89 C3 E8 [4] 85 C0 75 26 48 89 DF 4C 8B 63 28 E8 [4] 48 89 DF E8 }
+ $debug_d = { 55 53 48 85 C0 0F 84 [4] 48 C7 C7 00 00 00 00 E8 [4] 48 89 C3 48 [4] 00 00 48 85 C0 }
 condition:
- #all_a >= 2 and (1 of ($obf_*) or 1 of ($main_*) or 1 of ($debug_*))
+ (#all_a >= 2 or #all_b >= 2) and (1 of ($obf_*) or 1 of ($main_*) or 1 of ($debug_*))
 }
diff --git a/third_party/yara/elastic/Linux_Rootkit_VoidLink.yar b/third_party/yara/elastic/Linux_Rootkit_VoidLink.yar
new file mode 100644
index 000000000..927bc64e8
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Rootkit_VoidLink.yar
@@ -0,0 +1,32 @@
+rule Linux_Rootkit_VoidLink_243306b5 {
+ meta:
+ author = "Elastic Security"
+ id = "243306b5-4c63-4bba-adfb-8b054f2b712b"
+ fingerprint = "a159e2089fa61f45af10a1ebca4e9d02dd287e9dfa04f518d630083b9da22e21"
+ creation_date = "2026-03-13"
+ last_modified = "2026-05-22"
+ threat_name = "Linux.Rootkit.VoidLink"
+ reference_sample = "8bce8daacaaa546a8fc77f484d776560a28dfb024e3b7aa7c6b322c7c5716ac5"
+ severity = 100
+ arch_context = "x86, arm64"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $mod1 = "AMD Memory Encryption Support"
+ $mod2 = "AMD Memory Encryption Driver"
+ $mod3 = "Advanced Micro Devices, Inc."
+ $func1 = "vl_stealth"
+ $func2 = "g_data"
+ $func3 = "icmp_cmd"
+ $func4 = "chk_pid"
+ $func5 = "chk_port"
+ $func6 = "mod_hide"
+ $func7 = "amd_mem_encrypt"
+ $ebpf1 = "hidden_ports"
+ $ebpf2 = "recvmsg_ctx"
+ $ebpf3 = "SOCK_DIAG_BY_FAMILY"
+ condition:
+ (2 of ($mod*) and 3 of ($func*)) or (1 of ($mod*) and 2 of ($ebpf*)) or (4 of ($func*))
+}
+
diff --git a/third_party/yara/elastic/Linux_Trojan_Gafgyt.yar b/third_party/yara/elastic/Linux_Trojan_Gafgyt.yar
index 914dc0551..d09a1218a 100644
--- a/third_party/yara/elastic/Linux_Trojan_Gafgyt.yar
+++ b/third_party/yara/elastic/Linux_Trojan_Gafgyt.yar
@@ -889,26 +889,6 @@ rule Linux_Trojan_Gafgyt_779e142f {
 all of them
 }
-rule Linux_Trojan_Gafgyt_cf84c9f2 {
- meta:
- author = "Elastic Security"
- id = "cf84c9f2-7435-4faf-8c5f-d14945ffad7a"
- fingerprint = "bb766b356c3e8706740e3bb9b4a7171d8eb5137e09fc7ab6952412fa55e2dcfc"
- creation_date = "2021-01-12"
- last_modified = "2021-09-16"
- threat_name = "Linux.Trojan.Gafgyt"
- reference_sample = "275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df"
- severity = 100
- arch_context = "x86"
- scan_context = "file, memory"
- license = "Elastic License v2"
- os = "linux"
- strings:
- $a = { 55 48 89 E5 48 83 EC 30 48 89 7D E8 89 75 E4 89 55 E0 C7 45 F8 01 00 }
- condition:
- all of them
-}
-
 rule Linux_Trojan_Gafgyt_0cd591cd {
 meta:
 author = "Elastic Security"
diff --git a/third_party/yara/elastic/Linux_Trojan_VoidLink.yar b/third_party/yara/elastic/Linux_Trojan_VoidLink.yar
new file mode 100644
index 000000000..b7f38530c
--- /dev/null
+++ b/third_party/yara/elastic/Linux_Trojan_VoidLink.yar
@@ -0,0 +1,56 @@
+rule Linux_Trojan_VoidLink_0868fa9d {
+ meta:
+ author = "Elastic Security"
+ id = "0868fa9d-e89d-402d-b865-010903a54bab"
+ fingerprint = "975eb15ea5558cbd2eb55f201310123447ab1284954818498b6596fae5dc0f68"
+ creation_date = "2026-01-15"
+ last_modified = "2026-03-10"
+ description = "Detects the VoidLink Beacon"
+ threat_name = "Linux.Trojan.VoidLink"
+ reference_sample = "05eac3663d47a29da0d32f67e10d161f831138e10958dcd88b9dc97038948f69"
+ severity = 100
+ arch_context = "x86, arm64"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $str_vl_a = "vl_stealth.ko"
+ $str_vl_b = "vl_ss_loader"
+ $str_vl_c = "sd_ss_loader"
+ $str_beacon_1 = "beacon_truncate"
+ $str_beacon_2 = "beacon_exec"
+ $str_beacon_3 = "beacon_readlink"
+ $str_beacon_4 = "beacon_file_read"
+ $str_f = "VoidLink"
+ condition:
+ 1 of ($str_vl_*) or 2 of ($str_beacon_*) and $str_f
+}
+
+rule Linux_Trojan_VoidLink_e4c13c2c {
+ meta:
+ author = "Elastic Security"
+ id = "e4c13c2c-2813-4942-93a1-1bed72ad3c7d"
+ fingerprint = "246e070f045575cf044eb20607001cac3f8a1704ee71bd052ac9d2bc231fd406"
+ creation_date = "2026-01-15"
+ last_modified = "2026-03-10"
+ description = "Detects the VoidLink Plugins"
+ threat_name = "Linux.Trojan.VoidLink"
+ severity = 100
+ arch_context = "x86, arm64"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $name = "VoidLink"
+ $str_b = "BeaconAPI_v3"
+ $str_c = "[PLUGIN_EXEC]"
+ $str_d = "parallel_executed"
+ $str_e = "[ChainExecutor]"
+ $str_f = "[PARSE_SHDR]"
+ $str_g = "ShellcodeTimeout"
+ $str_h = "camouflage executor"
+ $str_i = "anti-reverse executor"
+ condition:
+ $name and 5 of ($str_*)
+}
+
diff --git a/third_party/yara/elastic/Multi_Hacktool_LinPEAS_ng.yar b/third_party/yara/elastic/Multi_Hacktool_LinPEAS_ng.yar
new file mode 100644
index 000000000..6f4d3c440
--- /dev/null
+++ b/third_party/yara/elastic/Multi_Hacktool_LinPEAS_ng.yar
@@ -0,0 +1,546 @@
+rule Multi_Hacktool_LinPEAS_ng_19e3957f {
+ meta:
+ author = "Elastic Security"
+ id = "19e3957f-8f44-47e1-abf8-a40de645594e"
+ fingerprint = "c2e952348ce89a802cedcb089bb1306d3f8f077262753133a35b7a18f8711ba8"
+ creation_date = "2022-12-21"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the systen information module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample = "593333df3a1e109c73e8823e3929d52a7fc79a3064eb62004f33f11daca10d0b"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $cve_0 = "CVEs Check" base64
+ $cve_1 = "Vulnerable to CVE-2021-4034" base64
+ $cve_2 = "Vulnerable to CVE-2021-3560" base64
+ $cve_3 = "Potentially Vulnerable to CVE-2022-0847" base64
+ $cve_4 = "Potentially Vulnerable to CVE-2022-2588" base64
+ $cpu_0 = "Any sd*/disk* disk in /dev?" base64
+ $cpu_1 = "$(command -v diskutil)" base64
+ $cpu_2 = "Mounted disks information" base64
+ $cpu_3 = "$(command -v smbutil)" base64
+ $protections_0 = "grsecurity present?" base64
+ $protections_1 = "AppArmor enabled?" base64
+ $protections_2 = "User namespace?"
base64
+ $protections_3 = "XProtectPlistConfigData" base64
+ condition:
+ (2 of ($cve_*) and 2 of ($cpu_*) and 2 of ($protections_*))
+}
+
+rule Multi_Hacktool_LinPEAS_ng_f3ab706d {
+ meta:
+ author = "Elastic Security"
+ id = "f3ab706d-1ad4-4ff2-a461-f877c7990dbb"
+ fingerprint = "a41a8ff83d1c94b63fb1ecbeded1e54b7d93fb4698ed8dda01b122d1f328de36"
+ creation_date = "2022-12-21"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the systen information module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample = "cc3e69418622499a21248c762373642eb2a2b1073767f22f0dd0f65d0def94a5"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $cve_0 = "CVEs Check"
+ $cve_1 = "Vulnerable to CVE-2021-4034"
+ $cve_2 = "Vulnerable to CVE-2021-3560"
+ $cve_3 = "Potentially Vulnerable to CVE-2022-0847"
+ $cve_4 = "Potentially Vulnerable to CVE-2022-2588"
+ $cpu_0 = "Any sd*/disk* disk in /dev?"
+ $cpu_1 = "$(command -v diskutil)"
+ $cpu_2 = "Mounted disks information"
+ $cpu_3 = "$(command -v smbutil)"
+ $protections_0 = "grsecurity present?"
+ $protections_1 = "AppArmor enabled?"
+ $protections_2 = "User namespace?"
+ $protections_3 = "XProtectPlistConfigData"
+ condition:
+ (2 of ($cve_*) and 2 of ($cpu_*) and 2 of ($protections_*))
+}
+
+rule Multi_Hacktool_LinPEAS_ng_25b07260 {
+ meta:
+ author = "Elastic Security"
+ id = "25b07260-68ab-4b69-a6bb-a4056014329b"
+ fingerprint = "0ec6241c4dba1e806c654056257fce7ddd67a4b2cd36d3e19a2c486b5befb7aa"
+ creation_date = "2022-12-21"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the container module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample = "593333df3a1e109c73e8823e3929d52a7fc79a3064eb62004f33f11daca10d0b"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $container_0 = "find / -maxdepth 3 -name '*dockerenv*'" base64
+ $container_1 = "/kubepod" base64
+ $container_2 = "container=podman" base64
+ $container_3 = "$(grep -a 'container=' /proc/1/environ" base64
+ $container_4 = "You have write permissions over interesting socket" base64
+ $container_5 = "Am I Containered?"
base64
+ $container_6 = "release_agent breakout" base64
+ $container_7 = "DoS via panic_" base64
+ $container_8 = "Container Capabilities" base64
+ $container_9 = "$(command -v capsh)" base64
+ condition:
+ 5 of them
+}
+
+rule Multi_Hacktool_LinPEAS_ng_fd5b32cf {
+ meta:
+ author = "Elastic Security"
+ id = "fd5b32cf-b96c-41a1-8119-5a688a1e2ebf"
+ fingerprint = "d19f8c7ed050f6c45e613aa70aa5ddd1dc0b7a7d1309d31bc2b5eb969fff6868"
+ creation_date = "2022-12-21"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the container module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample = "cc3e69418622499a21248c762373642eb2a2b1073767f22f0dd0f65d0def94a5"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $container_0 = "find / -maxdepth 3 -name '*dockerenv*'"
+ $container_1 = "/kubepod"
+ $container_2 = "container=podman"
+ $container_3 = "$(grep -a 'container=' /proc/1/environ"
+ $container_4 = "You have write permissions over interesting socket"
+ $container_5 = "Am I Containered?"
+ $container_6 = "release_agent breakout"
+ $container_7 = "DoS via panic_"
+ $container_8 = "Container Capabilities"
+ $container_9 = "$(command -v capsh)"
+ condition:
+ 5 of them
+}
+
+rule Multi_Hacktool_LinPEAS_ng_d233c491 {
+ meta:
+ author = "Elastic Security"
+ id = "d233c491-d506-49d4-958d-a13ef77fcc71"
+ fingerprint = "b6a805f34fb1b7847c1d1180f8c43742aadfa4f9667ad590d3266b69cfde7419"
+ creation_date = "2022-12-21"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the cloud module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample = "cc3e69418622499a21248c762373642eb2a2b1073767f22f0dd0f65d0def94a5"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $cloud_0 = "/devstorage.read_only|/logging.write"
+ $cloud_1 = "/monitoring|/servicecontrol|/service.management.readonly"
+ $cloud_2 = "grep -q metadata.google.internal /etc/hosts"
+ $cloud_3 = "Google Cloud Platform?"
+ $cloud_4 = "AWS ECS?"
+ $cloud_5 = "Project-ID:"
+ $cloud_6 = "OSLogin users:"
+ $cloud_7 = "Instance Image:"
+ $cloud_8 = "X-aws-ec2-metadata-token:"
+ $cloud_9 = "AWS Lambda Enumeration"
+ condition:
+ 5 of them
+}
+
+rule Multi_Hacktool_LinPEAS_ng_1eb10406 {
+ meta:
+ author = "Elastic Security"
+ id = "1eb10406-aed8-4411-9b6a-5e9cada72c29"
+ fingerprint = "d48658714fdab4127535a91ee883e9d0443ed46b6d4c9ff88543cb9f5e940462"
+ creation_date = "2022-12-21"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the cloud module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample = "593333df3a1e109c73e8823e3929d52a7fc79a3064eb62004f33f11daca10d0b"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $cloud_0 = "/devstorage.read_only|/logging.write" base64
+ $cloud_1 = "/monitoring|/servicecontrol|/service.management.readonly" base64
+ $cloud_2 = "grep -q metadata.google.internal /etc/hosts" base64
+ $cloud_3 = "Google Cloud Platform?" base64
+ $cloud_4 = "AWS ECS?"
base64
+ $cloud_5 = "Project-ID:" base64
+ $cloud_6 = "OSLogin users:" base64
+ $cloud_7 = "Instance Image:" base64
+ $cloud_8 = "X-aws-ec2-metadata-token:" base64
+ $cloud_9 = "AWS Lambda Enumeration" base64
+ condition:
+ 5 of them
+}
+
+rule Multi_Hacktool_LinPEAS_ng_46488ab2 {
+ meta:
+ author = "Elastic Security"
+ id = "46488ab2-093f-4371-b806-00e1df5c144e"
+ fingerprint = "d12007aa8b6ad1dea30a46fb2b3d39b3a77ef18f6a2ecf6756a6a997e22ccb05"
+ creation_date = "2022-12-21"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the Processes & Cron & Services & Timers module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample = "cc3e69418622499a21248c762373642eb2a2b1073767f22f0dd0f65d0def94a5"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $cron_0 = "Looks like ps is not finding processes"
+ $cron_1 = "(ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v \"\\[\" | grep -v \"%CPU\""
+ $cron_2 = "/dev/null | grep CapEff | awk"
+ $cron_3 = "awk '!x[$0]++' 2>/dev/null | grep -v \" root root \""
+ $cron_4 = "Files opened by processes belonging to other users"
+ $cron_5 = "gdm-password process found (dump creds from memory as root)"
+ $cron_6 = "-name \"cron*\" -or -name \"anacron\" -or -name \"anacrontab\""
+ $cron_7 = "/Library/LaunchDaemons/MonitorHelper.plist ProgramArguments"
+ $cron_8 = "SPStartupItemDataType"
+ $cron_9 = "Unix Sockets Listening"
+ condition:
+ 5 of them
+}
+
+rule Multi_Hacktool_LinPEAS_ng_709a480d {
+ meta:
+ author = "Elastic Security"
+ id = "709a480d-f797-4ad0-a67b-6e4b814ffc18"
+ fingerprint = "06af5a1d00998d44113c69b5bcf494bbda52ffc63b1013681d46d2122545cded"
+ creation_date = "2022-12-21"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the Processes & Cron & Services & Timers module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample =
"593333df3a1e109c73e8823e3929d52a7fc79a3064eb62004f33f11daca10d0b"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $cron_0 = "Looks like ps is not finding processes" base64
+ $cron_1 = "(ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v \"\\[\" | grep -v \"%CPU\"" base64
+ $cron_2 = "/dev/null | grep CapEff | awk" base64
+ $cron_3 = "awk '!x[$0]++' 2>/dev/null | grep -v \" root root \"" base64
+ $cron_4 = "Files opened by processes belonging to other users" base64
+ $cron_5 = "gdm-password process found (dump creds from memory as root)" base64
+ $cron_6 = "-name \"cron*\" -or -name \"anacron\" -or -name \"anacrontab\"" base64
+ $cron_7 = "/Library/LaunchDaemons/MonitorHelper.plist ProgramArguments" base64
+ $cron_8 = "SPStartupItemDataType" base64
+ $cron_9 = "Unix Sockets Listening" base64
+ condition:
+ 5 of them
+}
+
+rule Multi_Hacktool_LinPEAS_ng_f9a55fb7 {
+ meta:
+ author = "Elastic Security"
+ id = "f9a55fb7-e457-4b39-943d-a4f99d3a93bf"
+ fingerprint = "ffbb559253e242fed1881027e59519a5debe1095237d6efcac5604dd4ac2d2c5"
+ creation_date = "2022-12-22"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the Network info module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample = "cc3e69418622499a21248c762373642eb2a2b1073767f22f0dd0f65d0def94a5"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $network_0 = "Hostname, hosts and DNS"
+ $network_1 = "Networks and neighbours"
+ $network_2 = "(route || ip n || cat /proc/net/route)"
+ $network_3 = "networksetup -listallhardwareports"
+ $network_4 = "timeout 1 tcpdump >/dev/null"
+ $network_5 = "[-] No ifconfig or ip commands"
+ $network_6 = "$(netstat -na | grep LISTEN | grep tcp46 | grep \"*.3283\" | wc -l);"
+ $network_7 = "The following services are OFF if"
+ $network_8 = "s,Password|Authorization Name.*"
+
$network_9 = "host.docker.internal"
+ condition:
+ 5 of them
+}
+
+rule Multi_Hacktool_LinPEAS_ng_4c86542f {
+ meta:
+ author = "Elastic Security"
+ id = "4c86542f-ca54-4bdb-a91a-faee83a0e7ac"
+ fingerprint = "b2d75cc3f187a00b85c092dc683e9efee6f116f02e1cbc5296402f42fd328436"
+ creation_date = "2022-12-22"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the Network info module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample = "593333df3a1e109c73e8823e3929d52a7fc79a3064eb62004f33f11daca10d0b"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $network_0 = "Hostname, hosts and DNS" base64
+ $network_1 = "Networks and neighbours" base64
+ $network_2 = "(route || ip n || cat /proc/net/route)" base64
+ $network_3 = "networksetup -listallhardwareports" base64
+ $network_4 = "timeout 1 tcpdump >/dev/null" base64
+ $network_5 = "[-] No ifconfig or ip commands" base64
+ $network_6 = "$(netstat -na | grep LISTEN | grep tcp46 | grep \"*.3283\" | wc -l);" base64
+ $network_7 = "The following services are OFF if" base64
+ $network_8 = "s,Password|Authorization Name.*" base64
+ $network_9 = "host.docker.internal" base64
+ condition:
+ 5 of them
+}
+
+rule Multi_Hacktool_LinPEAS_ng_62eff03d {
+ meta:
+ author = "Elastic Security"
+ id = "62eff03d-146c-411d-9ee4-418ef94e4003"
+ fingerprint = "784fa26c75dbb9deecfacf2098147554706b1c40ab84aa625bc8c8df84fc7cf5"
+ creation_date = "2022-12-22"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the User info module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample = "cc3e69418622499a21248c762373642eb2a2b1073767f22f0dd0f65d0def94a5"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $user_0 = "Current user Login and Logout hooks"
+ $user_1 = "/var/db/SystemKey"
+ $user_2 = "Do I have PGP keys?"
+ $user_3 = "$(xclip -o -selection clipboard"
+ $user_4 = "timeout 1 sudo -S -l"
+ $user_5 = "You can create a file in /etc/sudoers.d/"
+ $user_6 = "The escalation didn't work..."
+ $user_7 = "$(command -v doas)"
+ $user_8 = "UserShell RealName RecordName Password NFSHomeDirectory"
+ $user_9 = "^PASS_MAX_DAYS\\|^PASS_MIN_DAYS\\|^PASS_WARN_AGE\\|^ENCRYPT_METHOD"
+ condition:
+ 5 of them
+}
+
+rule Multi_Hacktool_LinPEAS_ng_3ca885bf {
+ meta:
+ author = "Elastic Security"
+ id = "3ca885bf-c737-4df7-a818-9cdeb49560a4"
+ fingerprint = "1817bb75c9ce29ef72a6cdd2fd1d2c568b59f5d180ae7197a00d30f8af070bd4"
+ creation_date = "2022-12-22"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the User info module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample = "593333df3a1e109c73e8823e3929d52a7fc79a3064eb62004f33f11daca10d0b"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $user_0 = "Current user Login and Logout hooks" base64
+ $user_1 = "/var/db/SystemKey" base64
+ $user_2 = "Do I have PGP keys?" base64
+ $user_3 = "$(xclip -o -selection clipboard" base64
+ $user_4 = "timeout 1 sudo -S -l" base64
+ $user_5 = "You can create a file in /etc/sudoers.d/" base64
+ $user_6 = "The escalation didn't work..."
base64
+ $user_7 = "$(command -v doas)" base64
+ $user_8 = "UserShell RealName RecordName Password NFSHomeDirectory" base64
+ $user_9 = "^PASS_MAX_DAYS\\|^PASS_MIN_DAYS\\|^PASS_WARN_AGE\\|^ENCRYPT_METHOD" base64
+ condition:
+ 5 of them
+}
+
+rule Multi_Hacktool_LinPEAS_ng_1aa3948b {
+ meta:
+ author = "Elastic Security"
+ id = "1aa3948b-a742-40d1-9f06-7f33260206a7"
+ fingerprint = "4b2367262369a0dfe1320e9d4f60a7736c47ef6cefab3966561d8746605ee14f"
+ creation_date = "2022-12-22"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the Software info module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample = "cc3e69418622499a21248c762373642eb2a2b1073767f22f0dd0f65d0def94a5"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $software_0 = "Installed Compilers"
+ $software_1 = "$(command -v pkg 2>/dev/null)"
+ $software_2 = "$(command -v mysqladmin)"
+ $software_3 = "MySQL version"
+ $software_4 = "SELECT User,Host,authentication_string FROM"
+ $software_5 = "Some certificates were found (out limited):"
+ $software_6 = "keyinfo --list"
+ $software_7 = "You could use SSSDKCMExtractor to"
+ $software_8 = "LS_USER\\|LS_GROUP"
+ $software_9 = "Searching tmux sessions"
+ condition:
+ 5 of them
+}
+
+rule Multi_Hacktool_LinPEAS_ng_3e7102db {
+ meta:
+ author = "Elastic Security"
+ id = "3e7102db-69e1-45f1-8258-7a1a40e95e45"
+ fingerprint = "098396bdcd0b0f83d8064ec4bd26974abdcf5b1d5bb2abd0ef748cf788c5526e"
+ creation_date = "2022-12-22"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the Software info module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample = "593333df3a1e109c73e8823e3929d52a7fc79a3064eb62004f33f11daca10d0b"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $software_0 = "Installed Compilers" base64
+ $software_1 =
"$(command -v pkg 2>/dev/null)" base64
+ $software_2 = "$(command -v mysqladmin)" base64
+ $software_3 = "MySQL version" base64
+ $software_4 = "SELECT User,Host,authentication_string FROM" base64
+ $software_5 = "Some certificates were found (out limited):" base64
+ $software_6 = "keyinfo --list" base64
+ $software_7 = "You could use SSSDKCMExtractor to" base64
+ $software_8 = "LS_USER\\|LS_GROUP" base64
+ $software_9 = "Searching tmux sessions" base64
+ condition:
+ 5 of them
+}
+
+rule Multi_Hacktool_LinPEAS_ng_a5688824 {
+ meta:
+ author = "Elastic Security"
+ id = "a5688824-9b13-4497-bce7-80362d68a4d5"
+ fingerprint = "ae86f4b5040f667b0801ef771a20ffe89543d26935e0ed00f4e8827a7ad2b95a"
+ creation_date = "2022-12-22"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the Files info module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample = "cc3e69418622499a21248c762373642eb2a2b1073767f22f0dd0f65d0def94a5"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $files_0 = "You have write privileges over"
+ $files_1 = "-perm -4000 -type f !
-path"
+ $files_2 = "You own the SUID file:"
+ $files_3 = "(Unknown SUID binary!)"
+ $files_4 = "open|access|no such file"
+ $files_5 = "Checking misconfigurations of"
+ $files_6 = "$(command -v capsh)"
+ $files_7 = "Current env capabilities:"
+ $files_8 = "find $HOMESEARCH -user root 2>/dev/null"
+ $files_9 = "find /var/mail/ /var/spool/mail/ /private/var/mail -type f -ls"
+ condition:
+ 5 of them
+}
+
+rule Multi_Hacktool_LinPEAS_ng_ad70184f {
+ meta:
+ author = "Elastic Security"
+ id = "ad70184f-4f91-4eb4-9efc-6afd4058e432"
+ fingerprint = "3ee469f99797ad0de08abd89fa6634a464b26894023a45abf8d7f8f0e758e7f3"
+ creation_date = "2022-12-22"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the Files info module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample = "593333df3a1e109c73e8823e3929d52a7fc79a3064eb62004f33f11daca10d0b"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $files_0 = "You have write privileges over" base64
+ $files_1 = "-perm -4000 -type f !
-path" base64
+ $files_2 = "You own the SUID file:" base64
+ $files_3 = "(Unknown SUID binary!)" base64
+ $files_4 = "open|access|no such file" base64
+ $files_5 = "Checking misconfigurations of" base64
+ $files_6 = "$(command -v capsh)" base64
+ $files_7 = "Current env capabilities:" base64
+ $files_8 = "find $HOMESEARCH -user root 2>/dev/null" base64
+ $files_9 = "find /var/mail/ /var/spool/mail/ /private/var/mail -type f -ls" base64
+ condition:
+ 5 of them
+}
+
+rule Multi_Hacktool_LinPEAS_ng_acc02df3 {
+ meta:
+ author = "Elastic Security"
+ id = "acc02df3-8a22-4fe7-83ec-6810b7933d7a"
+ fingerprint = "f55005da8a884e05627a511d8aa065ffdac40a947293a95bd754eda268e407c6"
+ creation_date = "2022-12-22"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the Base module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample = "cc3e69418622499a21248c762373642eb2a2b1073767f22f0dd0f65d0def94a5"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $base_0 = "$(printf '\\033')"
+ $base_1 = "Enumerate and search Privilege Escalation vectors."
+ $base_2 = "grep -c processor /proc/cpuinfo"
+ $base_3 = "Do you like PEASS?"
+ $base_4 = "RED/YELLOW: 95% a PE vector"
+ $base_5 = "\\(root\\)|\\(shadow\\)|\\(admin\\)|\\(video\\)|\\(adm\\)|\\(wheel\\)|\\(auth\\)"
+ $base_6 = "peass{SUIDVB1_HERE}"
+ $base_7 = "file|free|main|more|read|split|write"
+ $base_8 = "cap_sys_admin:mount|python"
+ $base_9 = "timeout 1 su $(whoami) -c whoami"
+ condition:
+ 5 of them
+}
+
+rule Multi_Hacktool_LinPEAS_ng_02c12676 {
+ meta:
+ author = "Elastic Security"
+ id = "02c12676-4101-44ae-be7c-d93717d04b0a"
+ fingerprint = "e2e1233f5c9f24da37e1abf2c216c31505fd3f061bd0228c2c6da9036f3c863b"
+ creation_date = "2022-12-22"
+ last_modified = "2026-05-22"
+ description = "LinPEAS detection based on the Base module"
+ threat_name = "Multi.Hacktool.LinPEAS-ng"
+ reference_sample = "593333df3a1e109c73e8823e3929d52a7fc79a3064eb62004f33f11daca10d0b"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "multi"
+ strings:
+ $base_0 = "$(printf '\\033')" base64
+ $base_1 = "Enumerate and search Privilege Escalation vectors." base64
+ $base_2 = "grep -c processor /proc/cpuinfo" base64
+ $base_3 = "Do you like PEASS?" base64
+ $base_4 = "RED/YELLOW: 95% a PE vector" base64
+ $base_5 = "\\(root\\)|\\(shadow\\)|\\(admin\\)|\\(video\\)|\\(adm\\)|\\(wheel\\)|\\(auth\\)" base64
+ $base_6 = "peass{SUIDVB1_HERE}" base64
+ $base_7 = "file|free|main|more|read|split|write" base64
+ $base_8 = "cap_sys_admin:mount|python" base64
+ $base_9 = "timeout 1 su $(whoami) -c whoami" base64
+ condition:
+ 5 of them
+}
+
diff --git a/third_party/yara/elastic/RELEASE b/third_party/yara/elastic/RELEASE
index 67dc061ef..f1e39de34 100644
--- a/third_party/yara/elastic/RELEASE
+++ b/third_party/yara/elastic/RELEASE
@@ -1 +1 @@
-8dd3363633f825b355e11db413240b52944f63bc
+323562618d717a38a12a48449138f0750538eb32