Update third-party rules as of 2026-06-07

tests/linux/2024.sshdoor/dd98ee5273a02829167b255baf9979759f84a0a6b7769a67ecbf6c0c9100c38d.elf.simple

@@ -1,4 +1,5 @@
 # linux/2024.sshdoor/dd98ee5273a02829167b255baf9979759f84a0a6b7769a67ecbf6c0c9100c38d.elf: critical
+3P/elastic/threat: high
 anti-behavior/random_behavior: low
 c2/addr/ip: medium
 c2/addr/url: low

third_party/yara/elastic/Linux_Exploit_CVE_2017_17215.yar

@@ -0,0 +1,27 @@
+rule Linux_Exploit_CVE_2017_17215_8b78a857 {
+    meta:
+        author = "Elastic Security"
+        id = "8b78a857-05bd-46b2-9de7-b1e169e3c49f"
+        fingerprint = "95f4716832c7d3ef26deac18ce841a9d6c2b6375f87e1ad984e4bf7ee5ef1f8f"
+        creation_date = "2022-12-16"
+        last_modified = "2026-05-22"
+        description = "Exploit code used in the ZeroBot malware"
+        threat_name = "Linux.Exploit.CVE-2017-17215"
+        reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $bot_a = "<NewStatusURL>"
+        $bot_b = "</NewStatusURL>"
+        $bot_c = "<NewDownloadURL>"
+        $bot_d = "HUAWEIUPNP"
+        $bot_e = "</NewDownloadURL>"
+        $bot_f = "dslf-config"
+        $bot_g = "ctrlt/DeviceUpgrade_1"
+    condition:
+        all of them
+}
+

third_party/yara/elastic/Linux_Exploit_CVE_2018_10562.yar

@@ -0,0 +1,23 @@
+rule Linux_Exploit_CVE_2018_10562_badc0676 {
+    meta:
+        author = "Elastic Security"
+        id = "badc0676-72aa-4087-80a1-998c4af8ef1f"
+        fingerprint = "c58ed5c3f6eac8529017255504d40b21fc85a8d2b81389179a81f52eb90443a1"
+        creation_date = "2022-12-16"
+        last_modified = "2026-05-22"
+        description = "Exploit code used in the ZeroBot malware"
+        threat_name = "Linux.Exploit.CVE-2018-10562"
+        reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $bot_a = "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host="
+        $bot_b = "GponForm/diag_Form?images"
+        $bot_c = "&ipv=0"
+    condition:
+        all of them
+}
+

third_party/yara/elastic/Linux_Exploit_CVE_2018_12613.yar

@@ -0,0 +1,23 @@
+rule Linux_Exploit_CVE_2018_12613_97ccd724 {
+    meta:
+        author = "Elastic Security"
+        id = "97ccd724-0873-414c-b13c-09bbe1ad86ba"
+        fingerprint = "ffc47d8251b6bc270df10dc11efd758aada3e3bdd92a367669688c6a76e68a07"
+        creation_date = "2022-12-16"
+        last_modified = "2026-05-22"
+        description = "Exploit code used in the ZeroBot malware"
+        threat_name = "Linux.Exploit.CVE-2018-12613"
+        reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $bot_a = "cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash"
+        $bot_b = "cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash"
+        $bot_c = "POST" nocase
+    condition:
+        all of them
+}
+

third_party/yara/elastic/Linux_Exploit_CVE_2020_10987.yar

@@ -0,0 +1,22 @@
+rule Linux_Exploit_CVE_2020_10987_15e9f5be {
+    meta:
+        author = "Elastic Security"
+        id = "15e9f5be-ba3e-4d71-918b-e67667a9ed77"
+        fingerprint = "4bf3b6a4b5cf379082aafc8f0eb395a91df6741e9c4f495794e46b5d7a81c22d"
+        creation_date = "2022-12-16"
+        last_modified = "2026-05-22"
+        description = "Exploit code used in the ZeroBot malware"
+        threat_name = "Linux.Exploit.CVE-2020-10987"
+        reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $bot_a = "goform/setUsbUnload/.js?deviceName="
+        $bot_b = "GET" nocase
+    condition:
+        all of them
+}
+

third_party/yara/elastic/Linux_Exploit_CVE_2020_25506.yar

@@ -0,0 +1,22 @@
+rule Linux_Exploit_CVE_2020_25506_ac99289a {
+    meta:
+        author = "Elastic Security"
+        id = "ac99289a-aecf-4378-8a8f-acd4e7068374"
+        fingerprint = "6718908e59601e8fb9f2c291d5244f8516a5709e9bf06889220fdca38298a58a"
+        creation_date = "2022-12-16"
+        last_modified = "2026-05-22"
+        description = "Exploit code used in the ZeroBot malware"
+        threat_name = "Linux.Exploit.CVE-2020-25506"
+        reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $bot_a = "cgi-bin/system_mgr.cgi?C1=ON&cmd=cgi_ntp_time&f_ntp_server=`"
+        $bot_b = "POST" nocase
+    condition:
+        all of them
+}
+

third_party/yara/elastic/Linux_Exploit_CVE_2020_7209.yar

@@ -0,0 +1,22 @@
+rule Linux_Exploit_CVE_2020_7209_bcc33886 {
+    meta:
+        author = "Elastic Security"
+        id = "bcc33886-f3ea-4534-a66a-5bd31fd35659"
+        fingerprint = "5041efc2f9da2dc1f123dd55cb08eb23ee61483ca8f24abe8256e3aa0993ace8"
+        creation_date = "2022-12-16"
+        last_modified = "2026-05-22"
+        description = "Exploit code used in the ZeroBot malware"
+        threat_name = "Linux.Exploit.CVE-2020-7209"
+        reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $a = "linuxki/experimental/vis/kivis.php?type=kitrace&pid=15;echo BEGIN"
+        $b = "echo END"
+    condition:
+        all of them
+}
+

third_party/yara/elastic/Linux_Exploit_CVE_2021_35395.yar

@@ -0,0 +1,23 @@
+rule Linux_Exploit_CVE_2021_35395_e3d541a3 {
+    meta:
+        author = "Elastic Security"
+        id = "e3d541a3-b690-4847-b96c-870eb62f5a7b"
+        fingerprint = "748a864a72258e75ec8bcced462f21f6852b9ecb69c775060036f4d7cf41c17c"
+        creation_date = "2022-12-16"
+        last_modified = "2026-05-22"
+        description = "Exploit code used in the ZeroBot malware"
+        threat_name = "Linux.Exploit.CVE-2021-35395"
+        reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $bot_a = ";&setPIN=Start+PIN&configVxd=off&resetRptUnCfg=0&peerRptPin="
+        $bot_b = "submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;"
+        $bot_c = "application/x-www-form-urlencoded"
+    condition:
+        all of them
+}
+

third_party/yara/elastic/Linux_Exploit_CVE_2021_36260.yar

@@ -0,0 +1,23 @@
+rule Linux_Exploit_CVE_2021_36260_43fd3a87 {
+    meta:
+        author = "Elastic Security"
+        id = "43fd3a87-04be-4b7e-af7d-a5c40e841150"
+        fingerprint = "135d021cc767b0fc6075447c685b8db661d2cd9956da0c6387381b19793c00be"
+        creation_date = "2022-12-16"
+        last_modified = "2026-05-22"
+        description = "Exploit code used in the ZeroBot malware"
+        threat_name = "Linux.Exploit.CVE-2021-36260"
+        reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $bot_a = "<xml><language>$("
+        $bot_b = ")</language></xml>"
+        $bot_c = "POST" nocase
+    condition:
+        all of them
+}
+

third_party/yara/elastic/Linux_Exploit_CVE_2021_46422.yar

@@ -0,0 +1,22 @@
+rule Linux_Exploit_CVE_2021_46422_69af1b79 {
+    meta:
+        author = "Elastic Security"
+        id = "69af1b79-d4f4-44f3-a47b-bf90ddf5a03b"
+        fingerprint = "5fc6dce83b6cb565a16c1a71338e7300be1cbcdafbdfa60a3963be2cb7518768"
+        creation_date = "2022-12-16"
+        last_modified = "2026-05-22"
+        description = "Exploit code used in the ZeroBot malware"
+        threat_name = "Linux.Exploit.CVE-2021-46422"
+        reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $bot_a = "cgi-bin/admin.cgi?Command=sysCommand&Cmd="
+        $bot_b = "GET" nocase
+    condition:
+        all of them
+}
+

third_party/yara/elastic/Linux_Exploit_CVE_2022_01388.yar

@@ -0,0 +1,25 @@
+rule Linux_Exploit_CVE_2022_01388_ceb513f4 {
+    meta:
+        author = "Elastic Security"
+        id = "ceb513f4-8f74-4f1f-9e5a-06a022cb9ac2"
+        fingerprint = "284329949a30687418c86c05939c743f2227ea69a7e4710a813851472ef13b1f"
+        creation_date = "2022-12-16"
+        last_modified = "2026-05-22"
+        description = "Exploit code used in the ZeroBot malware"
+        threat_name = "Linux.Exploit.CVE-2022-01388"
+        reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $bot_a = "mgmt/tm/util/bash"
+        $bot_b = "X-F5-Auth-Token"
+        $bot_c = "utilCmdArgs"
+        $bod_d = "Basic YWRtaW46"
+        $bot_e = "commandResult"
+    condition:
+        all of them
+}
+

third_party/yara/elastic/Linux_Exploit_CVE_2022_0847.yar

@@ -26,3 +26,24 @@ rule Linux_Exploit_CVE_2022_0847_e831c285 {
         ($pp and 2 of ($s*)) or (all of ($bs*))
 }
 
+rule Linux_Exploit_CVE_2022_0847_7ea8d784 {
+    meta:
+        author = "Elastic Security"
+        id = "7ea8d784-055f-4ed8-814a-ec8dc323924a"
+        fingerprint = "68682e92769895d0457fe8cef3a0b0bdc832e7e8b31dd5424c8c7410e93ae4de"
+        creation_date = "2023-08-30"
+        last_modified = "2026-05-22"
+        threat_name = "Linux.Exploit.CVE-2022-0847"
+        reference_sample = "fbb5387ca61db0ce27f8b4663f86c1c228afebaf8f7199da5780fc95480c4ff8"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $a1 = "Usage: %s TARGETFILE OFFSET DATA" fullword
+        $a2 = "splice failed" fullword
+    condition:
+        all of them
+}
+

third_party/yara/elastic/Linux_Exploit_CVE_2022_22965.yar

@@ -0,0 +1,33 @@
+rule Linux_Exploit_CVE_2022_22965_32d3fcd0 {
+    meta:
+        author = "Elastic Security"
+        id = "32d3fcd0-ef4f-4fa3-8d4a-02791d7d8ff8"
+        fingerprint = "11865042f9bd5a88e1bcdaa149b10e02725afb7335b4c7255c9f0e1faaf5b46c"
+        creation_date = "2022-12-15"
+        last_modified = "2026-05-22"
+        threat_name = "Linux.Exploit.CVE-2022-22965"
+        reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $bot_a_1 = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{c2}i if"
+        $bot_b_1 = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if"
+        $bot_a_2 = "(\"j\".equals(request.getParameter(\"pwd\"))){ java.io.InputStream in = %2"
+        $bot_b_2 = "(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%2"
+        $bot_a_3 = "5{c1}i.getRuntime().exec(request.getParameter(\"cmd\")).getInputStream(); int "
+        $bot_b_3 = "5%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20"
+        $bot_a_4 = "a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!"
+        $bot_b_4 = "a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!"
+        $bot_a_5 = "%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.cl"
+        $bot_b_5 = "=-1){ out.println(new String(b)); } } %{suffix}i&class.module.cl"
+        $bot_c_6 = "assLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.res"
+        $bot_c_7 = "ources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resou"
+        $bot_c_8 = "rces.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.con"
+        $bot_c_9 = "text.parent.pipeline.first.fileDateFormat="
+    condition:
+        3 of ($bot_c_*) and (3 of ($bot_a_*) or 3 of ($bot_b_*))
+}
+

third_party/yara/elastic/Linux_Exploit_CVE_2022_25075.yar

@@ -0,0 +1,24 @@
+rule Linux_Exploit_CVE_2022_25075_4dc28b4f {
+    meta:
+        author = "Elastic Security"
+        id = "4dc28b4f-921d-4b68-918f-a43f7bfe0b72"
+        fingerprint = "f90c8ea6e4d2523699b877825766e1414798215ca16ae59df0dadd6c1f472008"
+        creation_date = "2022-12-15"
+        last_modified = "2026-05-22"
+        description = "Exploit code used in the ZeroBot malware"
+        threat_name = "Linux.Exploit.CVE-2022-25075"
+        reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $bot_a = "cgi-bin/downloadFlile.cgi?payload="
+        $bot_b = "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5"
+        $bot_c = "Upgrade-Insecure-Requests"
+        $bod_d = "max-age=0m"
+    condition:
+        all of them
+}
+

third_party/yara/elastic/Linux_Exploit_CVE_2022_26186.yar

@@ -0,0 +1,23 @@
+rule Linux_Exploit_CVE_2022_26186_e73c43db {
+    meta:
+        author = "Elastic Security"
+        id = "e73c43db-60c3-435d-9789-2117cbcb43f6"
+        fingerprint = "092b0dc5109d3d72a477b7028131170f0c67acdfcd89ec4e7ae68f7ca25c156b"
+        creation_date = "2022-12-15"
+        last_modified = "2026-05-22"
+        description = "Exploit code used in the ZeroBot malware"
+        threat_name = "Linux.Exploit.CVE-2022-26186"
+        reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $bot_a = "cgi-bin/cstecgi.cgi?exportOvpn=&type=user&comand=;"
+        $bot_b = ";&filetype=sh"
+        $bot_c = "SESSION_ID=2:1"
+    condition:
+        all of them
+}
+

third_party/yara/elastic/Linux_Exploit_CVE_2022_26210.yar

@@ -0,0 +1,27 @@
+rule Linux_Exploit_CVE_2022_26210_f56def34 {
+    meta:
+        author = "Elastic Security"
+        id = "f56def34-eef0-4ed5-bcbb-076a2898ce0c"
+        fingerprint = "11b5e292651aa6cb414032a19e8e0c873e09f99708b5675ce6529deafd35d049"
+        creation_date = "2022-12-15"
+        last_modified = "2026-05-22"
+        description = "Exploit code used in the ZeroBot malware"
+        threat_name = "Linux.Exploit.CVE-2022-26210"
+        reference_sample = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $a = "topicurl"
+        $bot_b = "setting/setUpgradeFW"
+        $bot_c = "Flags"
+        $bot_d = "FileName"
+        $bot_e = "cgi-bin/cstecgi.cgi"
+        $bot_f = "XMLHttpRequest"
+        $bot_g = "SESSION_ID=2:1"
+    condition:
+        all of them
+}
+