diff --git a/pkg/action/scan.go b/pkg/action/scan.go index ddd9a8763..644c4c73c 100644 --- a/pkg/action/scan.go +++ b/pkg/action/scan.go @@ -159,7 +159,7 @@ func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleF return fr, nil } - fr, err := report.Generate(ctx, path, mrs, c, archiveRoot, logger, fc) + fr, err := report.Generate(ctx, path, mrs, c, archiveRoot, logger, fc, kind) if err != nil { return nil, NewFileReportError(err, path, TypeGenerateError) } diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive index 90b7894f4..3d72acb0c 100644 --- a/pkg/action/testdata/scan_archive +++ b/pkg/action/testdata/scan_archive @@ -79,15 +79,31 @@ ], "Behaviors": [ { - "Description": "exhibits random behavior", - "MatchStrings": [ - "math/rand" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#go_rand", + "Description": "uses a random number generator", + "MatchStrings": [ + "getrandomUnsupported", + "nonZeroRandomBytes", + "startupRandomData", + "readRandomUint32", + "rand_getrandom", + "portRandomizer", + "random_vectors", + "getRandomData", + "extendRandom", + "altGetRandom", + "randomOrder", + "randomPoint", + "urandom_dev", + "randomEnum", + "nextRandom", + "randomized", + "randomsbom" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#random", "ID": "anti-behavior/random_behavior", - "RuleName": "go_rand" + "RuleName": "random" }, { "Description": "Contains a table that may be used for XOR decryption", 
@@ -173,6 +189,17 @@ "ID": "c2/client", "RuleName": "clientID" }, + { + "Description": "contains Cloudflare DNS resolver IP", + "MatchStrings": [ + "1.1.1.1" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#cloudflare_dns_ip", + "ID": "c2/discovery/ip_dns_resolver", + "RuleName": "cloudflare_dns_ip" + }, { "Description": "references a specific architecture", "MatchStrings": [ @@ -1071,7 +1098,8 @@ { "Description": "renames files", "MatchStrings": [ - "os.rename" + "os.rename", + "os.Rename" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -1080,15 +1108,15 @@ "RuleName": "explicit_rename" }, { - "Description": "access filesystem metadata", + "Description": "access filesystem information", "MatchStrings": [ - "fs.statDirEntry" + "_stat" ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat", + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#stat", "ID": "fs/file/stat", - "RuleName": "npm_stat" + "RuleName": "stat" }, { "Description": "forcibly synchronizes file state to disk", diff --git a/pkg/programkind/programkind.go b/pkg/programkind/programkind.go index d8bd98252..233b69fd8 100644 --- a/pkg/programkind/programkind.go +++ b/pkg/programkind/programkind.go 
@@ -71,13 +71,19 @@ var supportedKind = map[string]string{ "h": "text/x-h", "hh": "text/x-h", "html": "", + "jar": "application/java-archive", "java": "text/x-java", "js": "application/javascript", + "ko": "application/x-object", "lnk": "application/x-ms-shortcut", "lua": "text/x-lua", + "M": "text/x-objectivec", + "m": "text/x-objectivec", "macho": "application/x-mach-binary", + "mm": "text/x-objectivec", "md": "", "o": "application/octet-stream", + "pe": "application/vnd.microsoft.portable-executable", "php": "text/x-php", "pl": "text/x-perl", "pm": "text/x-script.perl-module", @@ -209,7 +215,7 @@ func makeFileType(path string, ext string, mime string) *FileType { return Path(".elf") } - if strings.Contains(mime, "application") || strings.Contains(mime, "text/x-") || strings.Contains(mime, "text/x-") || strings.Contains(mime, "executable") { + if strings.Contains(mime, "application") || strings.Contains(mime, "text/x-") || strings.Contains(mime, "executable") { return &FileType{ Ext: ext, MIME: mime, diff --git a/pkg/report/report.go b/pkg/report/report.go index b7130a262..82012dd21 100644 --- a/pkg/report/report.go +++ b/pkg/report/report.go @@ -17,6 +17,7 @@ import ( "github.com/chainguard-dev/clog" "github.com/chainguard-dev/malcontent/pkg/malcontent" + "github.com/chainguard-dev/malcontent/pkg/programkind" yarax "github.com/VirusTotal/yara-x/go" ) 
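Review bot: The new `"ko": "application/x-object"` entry needs checking against the rule gating this same change introduces: a kernel module is an ELF object, and every rule now tagged `filetypes = "elf"` (anti_rootkit_hunter, the LD_* checks, the ELF entropy/header rules) is skipped for a file whose `kind.Ext` resolves to "ko" rather than "elf" — which is exactly the file class a rootkit ships in. The `return Path(".elf")` line in the makeFileType hunk suggests some inputs are normalized to elf; please confirm `.ko` takes that path, or map it to the Mach-O/ELF MIME the rest of the table uses, otherwise add `ko` to the ELF rules' filetypes. Similarly, if the map key is lowercased before lookup elsewhere in this file, the `"M"` entry is unreachable. makeFileType and the map continue outside the hunks.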
@@ -364,8 +365,20 @@ func TrimPrefixes(path string, prefixes []string) string { return path } +// fileMatchesRules checks the scanned file's type against a rule's defined filetypes. +func fileMatchesRule(meta []yarax.Metadata, ext string) bool { + for _, m := range meta { + if m.Identifier() == "filetypes" { + filetypes := strings.Split(fmt.Sprintf("%s", m.Value()), ",") + return slices.Contains(filetypes, ext) + } + } + // Rules without filetype metadata are universal + return true +} + //nolint:cyclop // ignore complexity of 64 -func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcontent.Config, expath string, _ *clog.Logger, fc []byte) (*malcontent.FileReport, error) { +func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcontent.Config, expath string, _ *clog.Logger, fc []byte, kind *programkind.FileType) (*malcontent.FileReport, error) { if ctx.Err() != nil { return &malcontent.FileReport{}, ctx.Err() } @@ -425,6 +438,10 @@ func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcon ignoreMalcontent = true } + if !fileMatchesRule(m.Metadata(), kind.Ext) { + continue + } + override := slices.Contains(m.Tags(), "override") risk = behaviorRisk(m.Namespace(), m.Identifier(), m.Tags()) diff --git a/rules/anti-behavior/LD_DEBUG.yara b/rules/anti-behavior/LD_DEBUG.yara index 84c21dd11..c3aed0493 100644 --- a/rules/anti-behavior/LD_DEBUG.yara +++ b/rules/anti-behavior/LD_DEBUG.yara @@ -1,6 +1,7 @@ rule env_LD_DEBUG: medium { meta: description = "may check if dynamic linker debugging is enabled" + filetypes = "elf,macho" strings: $val = "LD_DEBUG" fullword diff --git a/rules/anti-behavior/LD_PROFILE.yara b/rules/anti-behavior/LD_PROFILE.yara index 5e1aeff67..bcb9c09b6 100644 --- a/rules/anti-behavior/LD_PROFILE.yara +++ b/rules/anti-behavior/LD_PROFILE.yara 
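Review bot: `kind.Ext` in the second hunk is dereferenced without a nil check, so Generate now panics for any input whose file type could not be determined, if the caller ever passes a nil `*programkind.FileType` (scanSinglePath's body is outside this diff, so I cannot confirm it never does). fileMatchesRule also does an exact `slices.Contains` on raw `strings.Split` output, so `filetypes = "elf, macho"` (with a space) silently disables a rule for Mach-O, `fmt.Sprintf("%s", v)` is just `fmt.Sprint(v)`, and the doc comment names the function `fileMatchesRules`. Bear in mind this gate keys on the file's extension rather than its content, so a rule limited by `filetypes` is bypassed by renaming the sample; that is an accepted trade-off only if the unknown-type case is handled deliberately — I would treat a nil kind as "no gate" so unknown files keep the pre-patch universal coverage: `if kind != nil && !fileMatchesRule(m.Metadata(), kind.Ext) {`.
```go
// fileMatchesRule reports whether a rule's "filetypes" metadata (a comma-separated
// list of extensions) admits ext; rules without that metadata apply to every file.
func fileMatchesRule(meta []yarax.Metadata, ext string) bool {
	for _, m := range meta {
		if m.Identifier() != "filetypes" {
			continue
		}
		for _, ft := range strings.Split(fmt.Sprint(m.Value()), ",") {
			if strings.TrimSpace(ft) == ext {
				return true
			}
		}
		return false
	}
	return true
}
```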
@@ -1,6 +1,7 @@ rule env_LD_PROFILE: medium { meta: description = "may check if dynamic linker profiling is enabled" + filetypes = "elf,macho" strings: $val = "LD_PROFILE" fullword diff --git a/rules/anti-behavior/anti-debugger.yara b/rules/anti-behavior/anti-debugger.yara index 450f61828..d6bb0cd11 100644 --- a/rules/anti-behavior/anti-debugger.yara +++ b/rules/anti-behavior/anti-debugger.yara @@ -1,6 +1,7 @@ rule win_debugger_present: medium windows { meta: description = "Detects if process is being executed within a debugger" + filetypes = "exe,pe,ps1" strings: $debug_idp = "IsDebuggerPresent" @@ -13,6 +14,7 @@ rule win_debugger_present: medium windows { rule win_debugger_or_vm: medium windows { meta: description = "Detects if process is being executed within a debugger or VM" + filetypes = "exe,pe,ps1" strings: $cpu_pfp = "IsProcessorFeaturePresent" @@ -27,6 +29,7 @@ rule win_debugger_or_vm: medium windows { rule multiple_linux_methods: high linux { meta: description = "possible debugger detection across multiple methods" + filetypes = "elf" strings: $ld_profile = "LD_PROFILE" fullword diff --git a/rules/anti-behavior/process-check.yara b/rules/anti-behavior/process-check.yara index 9cfeb71c4..ab8b972a3 100644 --- a/rules/anti-behavior/process-check.yara +++ b/rules/anti-behavior/process-check.yara @@ -1,6 +1,7 @@ rule activity_monitor_checker: high macos { meta: description = "checks if 'Activity Monitor' is running" + filetypes = "macho" strings: $ps = "ps" fullword @@ -16,6 +17,7 @@ rule activity_monitor_checker: high macos { rule linux_monitors: high linux { meta: description = "checks if various process monitors are running" + filetypes = "elf" strings: $pgrep = "pgrep" fullword @@ -45,6 +47,7 @@ rule linux_monitors: high linux { rule anti_rootkit_hunter: high linux { meta: description = "checks if rootkit detectors are running" + filetypes = "elf" strings: $proc = "/proc/" 
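Review bot: `filetypes = "exe,pe,ps1"` on win_debugger_present and win_debugger_or_vm excludes the PE kinds where `IsDebuggerPresent` is most often imported by malware: DLLs (sideloaded payloads, injected modules) and drivers. If `dll` and `sys` are separate keys in programkind's supportedKind (that part of the table is not in this diff), those files stop matching entirely; if they normalize to "pe" the tag is fine, so please confirm one way or the other. A safe spelling is `filetypes = "dll,exe,pe,ps1,sys"`. The `$debug_idp` string itself is not language-specific, so the gate buys little false-positive reduction here.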
diff --git a/rules/anti-behavior/random_behavior.yara b/rules/anti-behavior/random_behavior.yara index 7e7d82a25..6e45dbe2f 100644 --- a/rules/anti-behavior/random_behavior.yara +++ b/rules/anti-behavior/random_behavior.yara @@ -20,6 +20,7 @@ private rule random_behavior_pythonSetup { rule setuptools_random: critical { meta: description = "Python library installer that exhibits random behavior" + filetypes = "py" strings: $ref = "import random" @@ -32,6 +33,7 @@ rule setuptools_random: critical { rule java_random: low { meta: description = "exhibits random behavior" + filetypes = "java" strings: $ref = "java/util/Random" @@ -43,6 +45,7 @@ rule java_random: low { rule go_rand: medium { meta: description = "exhibits random behavior" + filetypes = "go" strings: $ref = "math/rand" @@ -54,6 +57,7 @@ rule go_rand: medium { rule rand_call: medium { meta: description = "exhibits random behavior" + filetypes = "c,pl,php" strings: $ref = "rand()" diff --git a/rules/anti-static/base64/eval.yara b/rules/anti-static/base64/eval.yara index 8aa1a4b3d..8c13d3ea7 100644 --- a/rules/anti-static/base64/eval.yara +++ b/rules/anti-static/base64/eval.yara @@ -3,6 +3,7 @@ import "math" rule eval_base64: high { meta: description = "Evaluates base64 content" + filetypes = "js,ts" strings: $eval = /eval\(.{0,256}base64/ @@ -14,6 +15,7 @@ rule eval_base64: high { rule ruby_eval_base64_decode: critical { meta: description = "Evaluates base64 content" + filetypes = "rb" strings: $eval_base64_decode = "eval(Base64." @@ -25,6 +27,7 @@ rule ruby_eval_base64_decode: critical { rule ruby_eval_near_enough: high { meta: description = "Evaluates base64 content" + filetypes = "rb" strings: $eval = "eval(" @@ -37,6 +40,7 @@ rule ruby_eval_near_enough: high { rule ruby_eval2_near_enough: high { meta: description = "Evaluates base64 content" + filetypes = "rb" strings: $eval = "eval(" 
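Review bot: `filetypes = "java"` on java_random gates the rule onto the one file kind where its only string cannot appear: `java/util/Random` is the JVM internal (slash-separated) class name found in compiled `.class`/`.jar` content, while `.java` source spells it `java.util.Random`, so the rule is now effectively dead. go_rand has the same problem in the other direction: `math/rand` is an import-path string that persists in compiled Go ELF/Mach-O binaries, and the scan_archive fixture earlier in this diff shows the consequence — the MEDIUM go_rand match is gone and only the generic LOW `random` rule fires. Suggest `filetypes = "class,jar,java"` and `filetypes = "elf,go,macho"` (adjusting to whatever keys programkind actually emits), or drop the gate on these two.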
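Review bot: `filetypes = "js,ts"` on eval_base64 drops the classic PHP webshell form, `eval(base64_decode(...))`, which the regex `/eval\(.{0,256}base64/` matched before and which no other rule in this diff appears to cover (base64_php_functions looks for encoded function names, not the eval). Python is handled by the two py-gated rules below it, but PHP is not. `filetypes = "js,php,ts"` keeps that detection.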
@@ -49,6 +53,7 @@ rule ruby_eval2_near_enough: high { rule python_exec_near_enough_base64: high { meta: description = "Likely executes base64 content" + filetypes = "py" strings: $exec = "exec(" @@ -61,6 +66,7 @@ rule python_exec_near_enough_base64: high { rule python_base64_exec: critical { meta: description = "executes compressed base64 content" + filetypes = "py" strings: $dec_b64decode_exec = /.{0,8}\.decompress\(.{0,96}\.b64decode\(.{0,64}\Wexec\(.{0,16}/ diff --git a/rules/anti-static/base64/exec.yara b/rules/anti-static/base64/exec.yara index 7256bd0c0..7c989e370 100644 --- a/rules/anti-static/base64/exec.yara +++ b/rules/anti-static/base64/exec.yara @@ -50,6 +50,7 @@ rule base64_suspicious_commands: critical { rule base64_exec: critical { meta: description = "executes base64 encoded commands" + filetypes = "py" strings: $os_system = /os\.system\(b64[\"\'\(\)\w\=]{3,96}/ fullword @@ -61,6 +62,7 @@ rule base64_exec: critical { rule echo_decode_bash: critical { meta: description = "executes base64 encoded shell commands" + filetypes = "bash,sh,zsh" strings: $pipe = /base64 {0,2}(-d|--decode) {0,2}\| {0,2}(bash|zsh|sh)/ fullword @@ -75,6 +77,7 @@ import "math" rule echo_decode_bash_probable: high { meta: description = "likely pipes base64 into a shell" + filetypes = "bash,sh,zsh" strings: $decode = /base64 {0,2}(-d|--decode)/ fullword @@ -87,6 +90,7 @@ rule echo_decode_bash_probable: high { rule ruby_system_near_enough: critical { meta: description = "Executes commands from base64 content" + filetypes = "rb" strings: $system = /system\(["'\w\)]{0,16}/ diff --git a/rules/anti-static/base64/function_names.yara b/rules/anti-static/base64/function_names.yara index f7bbf513e..61ed6811d 100644 --- a/rules/anti-static/base64/function_names.yara +++ b/rules/anti-static/base64/function_names.yara 
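Review bot: `filetypes = "bash,sh,zsh"` on echo_decode_bash and echo_decode_bash_probable limits a critical-severity rule to standalone shell scripts, but the `base64 -d | bash` pipe is most often carried by something else: a Python dropper's `os.system("...")`, a Go or C binary's embedded command string, a Dockerfile `RUN`, a Makefile or a cron line. Before this change the `$pipe` regex matched in all of those; after it, an ELF or `.py` containing the exact same command is silent. I would leave these two rules ungated (the string is specific enough on its own) or enumerate the carrier types explicitly.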
@@ -1,6 +1,7 @@ rule base64_php_functions: medium { meta: description = "References PHP functions in base64 form" + filetypes = "php" strings: $php = "6.95)" + filetypes = "elf" condition: normal_elf and math.entropy(1, filesize) >= 6.95 @@ -21,6 +22,7 @@ rule higher_elf_entropy_68: medium { rule normal_elf_high_entropy_7_4: high { meta: description = "high entropy ELF binary (>7.4)" + filetypes = "elf" strings: $not_whirlpool = "libgcrypt-grub/cipher/whirlpool.c" @@ -33,6 +35,7 @@ rule normal_elf_high_entropy_7_4: high { rule normal_elf_high_entropy_footer_7_4: high { meta: description = "high entropy footer in ELF binary (>7.4)" + filetypes = "elf" condition: normal_elf and math.entropy(filesize - 8192, filesize) >= 7.4 @@ -41,6 +44,7 @@ rule normal_elf_high_entropy_footer_7_4: high { rule normal_elf_high_entropy_footer_7_4_rc4: high { meta: description = "high entropy footer in ELF binary (>7.4), likely RC4 encrypted" + filetypes = "elf" strings: $cmp_e_x_256 = { 81 f? 00 01 00 00 } // cmp {ebx, ecx, edx}, 256 diff --git a/rules/anti-static/elf/header.yara b/rules/anti-static/elf/header.yara index 91d1ed930..fa0218305 100644 --- a/rules/anti-static/elf/header.yara +++ b/rules/anti-static/elf/header.yara @@ -5,7 +5,7 @@ rule single_load_rwe: critical { meta: description = "Binary with a single LOAD segment marked RWE" family = "Stager" - filetype = "ELF" + filetypes = "elf" author = "Tenable" @@ -17,7 +17,7 @@ rule fake_section_headers_conflicting_entry_point_address: critical { meta: description = "binary with fake sections header" family = "Obfuscation" - filetype = "ELF" + filetypes = "elf" author = "Tenable" @@ -29,7 +29,7 @@ rule fake_dynamic_symbols: critical { meta: description = "binary with fake dynamic symbol table" family = "Obfuscation" - filetype = "ELF" + filetypes = "elf" author = "Tenable" condition: 
@@ -39,6 +39,7 @@ rule fake_dynamic_symbols: critical { rule high_entropy_header: high { meta: description = "high entropy ELF header (>7)" + filetypes = "elf" strings: $not_pyinst = "pyi-bootloader-ignore-signals" diff --git a/rules/anti-static/elf/multiple.yara b/rules/anti-static/elf/multiple.yara index db1efd6c1..894bbf520 100644 --- a/rules/anti-static/elf/multiple.yara +++ b/rules/anti-static/elf/multiple.yara @@ -3,6 +3,7 @@ import "elf" rule multiple_elf: medium { meta: description = "multiple ELF binaries within an ELF binary" + filetypes = "elf" strings: $elf_head = "\x7fELF" diff --git a/rules/anti-static/elf/tiny.yara b/rules/anti-static/elf/tiny.yara index 48edec212..d309da820 100644 --- a/rules/anti-static/elf/tiny.yara +++ b/rules/anti-static/elf/tiny.yara @@ -3,6 +3,7 @@ import "elf" rule impossibly_small_elf_program: high { meta: description = "ELF binary is unusually small" + filetypes = "elf" strings: $not_hello_c = "hello.c" diff --git a/rules/anti-static/macho/entropy.yara b/rules/anti-static/macho/entropy.yara index a10a1fe47..6a821c505 100644 --- a/rules/anti-static/macho/entropy.yara +++ b/rules/anti-static/macho/entropy.yara @@ -8,6 +8,7 @@ private rule smaller_macho { rule higher_entropy_6_9: medium { meta: description = "higher entropy binary (>6.9)" + filetypes = "macho" condition: smaller_macho and math.entropy(1, filesize) >= 6.9 @@ -16,6 +17,7 @@ rule higher_entropy_6_9: medium { rule high_entropy_7_2: high { meta: description = "high entropy binary (>7.2)" + filetypes = "macho" strings: // prevent bazel false positive diff --git a/rules/anti-static/macho/footer.yara b/rules/anti-static/macho/footer.yara index 71f6c8a47..5ee0acac5 100644 --- a/rules/anti-static/macho/footer.yara +++ b/rules/anti-static/macho/footer.yara 
@@ -9,6 +9,7 @@ rule high_entropy_trailer: high { meta: description = "higher-entropy machO trailer (normally NULL) - possible viral infection" ref = "https://www.virusbulletin.com/virusbulletin/2013/06/multiplatform-madness" + filetypes = "macho" strings: $page_zero = "_PAGEZERO" @@ -16,4 +17,3 @@ rule high_entropy_trailer: high { condition: filesize < 10MB and anti_static_macho and $page_zero and math.entropy(filesize - 1024, filesize - 1) >= 4 } - diff --git a/rules/anti-static/macho/tiny.yara b/rules/anti-static/macho/tiny.yara index 05bb6d6c5..f017ded56 100644 --- a/rules/anti-static/macho/tiny.yara +++ b/rules/anti-static/macho/tiny.yara @@ -1,6 +1,7 @@ rule impossibly_small_macho_program: medium { meta: description = "machO binary is unusually small" + filetypes = "macho" strings: $stub_helper = "__stub_helper" diff --git a/rules/anti-static/obfuscation/bitwise.yara b/rules/anti-static/obfuscation/bitwise.yara index a40b71e8b..b1ad5ce3e 100644 --- a/rules/anti-static/obfuscation/bitwise.yara +++ b/rules/anti-static/obfuscation/bitwise.yara @@ -41,6 +41,7 @@ rule excessive_bitwise_math: high { rule bitwise_math: low { meta: description = "uses bitwise math" + filetypes = "py" strings: $x = /\-{0,1}[\da-z]{1,8} \<\< \-{0,1}\d{1,8}/ @@ -54,6 +55,7 @@ rule bidirectional_bitwise_math: medium { meta: description = "uses bitwise math in both directions" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" + filetypes = "py" strings: $x = /\-{0,1}[\da-z]{1,8} \<\< \-{0,1}\d{1,8}/ @@ -67,6 +69,7 @@ rule bitwise_python_string: medium { meta: description = "creates string using bitwise math" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" + filetypes = "py" strings: $ref = /"".join\(chr\(\w{1,4} >> \w{1,3}\) for \w{1,16} in \w{1,16}/ 
@@ -79,6 +82,7 @@ rule bitwise_python_string_exec_eval: high { meta: description = "creates and evaluates string using bitwise math" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" + filetypes = "py" strings: $ref = /"".join\(chr\(\w{1,4} >> \w{1,3}\) for \w{1,16} in \w{1,16}/ @@ -93,6 +97,7 @@ rule bitwise_python_string_exec_eval_nearby: critical { meta: description = "creates and executes string using bitwise math" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" + filetypes = "py" strings: $ref = /"".join\(chr\(\w{1,4} >> \w{1,3}\) for \w{1,16} in \w{1,16}/ @@ -107,7 +112,7 @@ rule unsigned_bitwise_math: medium { meta: description = "uses unsigned bitwise math" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" - filetypes = "javascript" + filetypes = "js,ts" strings: $function = "function(" @@ -124,7 +129,7 @@ rule unsigned_bitwise_math_excess: high { meta: description = "uses an excessive amount of unsigned bitwise math" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" - filetypes = "javascript" + filetypes = "js,ts" strings: $function = "function(" @@ -142,7 +147,7 @@ rule unsigned_bitwise_math_excess: high { rule charAtBitwise: high { meta: description = "converts manipulated numbers into characters" - filetypes = "javascript" + filetypes = "js,ts" strings: $function = "function(" diff --git a/rules/anti-static/obfuscation/bool.yara b/rules/anti-static/obfuscation/bool.yara index 08404c82d..a43974963 100644 --- a/rules/anti-static/obfuscation/bool.yara +++ b/rules/anti-static/obfuscation/bool.yara @@ -1,6 +1,7 @@ rule js_while_true_obfuscation: medium { meta: description = "obfuscated 'while true' loop" + filetypes = "js,ts" strings: $ref = "while (!![])" 
diff --git a/rules/anti-static/obfuscation/casing.yara b/rules/anti-static/obfuscation/casing.yara index 6d756130f..d336e55d1 100644 --- a/rules/anti-static/obfuscation/casing.yara +++ b/rules/anti-static/obfuscation/casing.yara @@ -2,6 +2,7 @@ rule casing_obfuscation: medium windows { meta: description = "unusual casing obfuscation" author = "Florian Roth" + filetypes = "ps1" strings: $ref = / (sEt|SEt|SeT|sET|seT) / ascii wide @@ -13,6 +14,7 @@ rule casing_obfuscation: medium windows { rule set_variable_variable_casing: high windows { meta: description = "Set-Item case obfuscation" + filetypes = "ps1" strings: $ref = /[Ss][eE][tT]-[vV][aA][rR][iI][aA][bB][Ll][eE]/ @@ -29,6 +31,7 @@ rule set_variable_variable_casing: high windows { rule set_item_variable_casing: high windows { meta: description = "Set-Item case obfuscation" + filetypes = "ps1" strings: $ref = /[Ss][eE][tT]-[Ii][Tt][Ee][Mm]/ @@ -45,6 +48,7 @@ rule set_item_variable_casing: high windows { rule string_variable_casing: high windows { meta: description = "[string] case obfuscation" + filetypes = "ps1" strings: $ref = /\[[Ss][Tt][Rr][Ii][Nn][Gg]\]/ @@ -59,6 +63,7 @@ rule string_variable_casing: high windows { rule length_casing: medium windows { meta: description = "length case obfuscation" + filetypes = "ps1" strings: $ref = /\.[Ll][Ee][Nn][Gg][Tt][Hh]/ @@ -73,6 +78,7 @@ rule length_casing: medium windows { rule pshome_casing: high windows { meta: description = "PSHOME case obfuscation" + filetypes = "ps1" strings: $ref = /[Pp][Ss][Hh][Oo][Mm][Ee]/ fullword @@ -87,6 +93,7 @@ rule pshome_casing: high windows { rule variable_casing: high windows { meta: description = "Variable case obfuscation" + filetypes = "ps1" strings: $ref = /[Vv][Aa][Rr][Ii][Aa][Bb][Ll][Ee]/ fullword @@ -101,6 +108,7 @@ rule variable_casing: high windows { rule pshome_multiple_casing: critical windows { meta: description = "Multiple forms of case obfuscation" + filetypes = "ps1" strings: $ref = /[Pp][Ss][Hh][Oo][Mm][Ee]/ fullword 
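Review bot: The `ascii wide` modifier on `$ref` in casing_obfuscation (and the plain-regex rules after it) exists so the pattern is found as UTF-16, i.e. PowerShell embedded in a PE/.NET binary or an `-EncodedCommand` payload; with `filetypes = "ps1"` the `wide` alternative can never be evaluated because those carriers are not `.ps1` files. Module and manifest files (`.psm1`, `.psd1`) are also dropped. Either keep these rules universal or widen the tag, e.g. `filetypes = "exe,pe,ps1,psm1"`, matching whatever keys programkind uses for PE.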
@@ -115,6 +123,7 @@ rule pshome_multiple_casing: critical windows { rule string_multiple_casing: critical windows { meta: description = "Multiple forms of case obfuscation" + filetypes = "ps1" strings: $ref = /\[[Ss][Tt][Rr][Ii][Nn][Gg]\]/ diff --git a/rules/anti-static/obfuscation/hex.yara b/rules/anti-static/obfuscation/hex.yara index 94fd883f5..324b4fd3e 100644 --- a/rules/anti-static/obfuscation/hex.yara +++ b/rules/anti-static/obfuscation/hex.yara @@ -13,6 +13,7 @@ rule excessive_hex_refs: medium { rule hex_parse: medium { meta: description = "converts hex data to ASCII" + filetypes = "py" strings: $node = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/ @@ -26,6 +27,7 @@ rule hex_parse: medium { rule hex_convert_from_base64: medium { meta: description = "converts base64 hex data to ASCII" + filetypes = "py" strings: $lang_node = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/ @@ -40,6 +42,7 @@ rule hex_convert_from_base64: medium { rule hex_parse_base64_high: high { meta: description = "converts base64 hex data to ASCII" + filetypes = "py" strings: $lang_node = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/ @@ -58,6 +61,7 @@ rule hex_parse_base64_high: high { rule mega_string: high { meta: description = "python script decodes large hexadecimal string" + filetypes = "py" strings: $unhexlify = "unhexlify" diff --git a/rules/anti-static/obfuscation/js.yara b/rules/anti-static/obfuscation/js.yara index 891a1cfae..05939ac6e 100644 --- a/rules/anti-static/obfuscation/js.yara +++ b/rules/anti-static/obfuscation/js.yara 
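Review bot: `filetypes = "py"` on hex_parse, hex_convert_from_base64 and hex_parse_base64_high makes their `$node` / `$lang_node` strings (`Buffer.from(..., 'hex')`) unreachable — that API is Node.js only and cannot occur in a `.py` file, so the JavaScript half of each rule is now dead code. Tagging them `filetypes = "js,py,ts"` preserves both halves; alternatively split the Node strings into a separate js/ts-gated rule.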
@@ -1,58 +1,9 @@ import "math" -private rule obfs_probably_js { - strings: - $f_Array = "Array.prototype" fullword - $f_async = "async function" - $f_await = "await" - $f_catch = "} catch" - $f_class = "@class" - $f_const = /\bconst\s/ - $f_define = "define(" - $f_false = "false);" - $f_function = /function\(\w{0,32}\)/ - $f_function2 = "function()" - $f_function3 = "function ()" - $f_global = "global[" - $f_method = "@method" - $f_namespace = "@namespace" - $f_Object = "Object." - $f_param = "@param" - $f_private = "@private" - $f_promise = "Promise" - $f_prototype = ".prototype" - $f_require = "require(" - $f_return = /\breturn\s/ - $f_Run = ".Run(" - $f_run = ".run(" - $f_strict = " === " - $f_this = "this." - $f_this2 = "this[" - $f_true = "true);" - $f_try = "try {" - $f_var = /\bvar\s/ - - $not_asyncio = "await asyncio" - $not_class = /class \w{1,32}\(/ fullword - $not_def = /def [a-zA-Z_][a-zA-Z0-9_]{1,32} \(/ ascii - $not_equals_comment = "// ===" - $not_error = "err error" - $not_header = /^#ifndef\s/ - $not_header2 = /^#define\s/ - $not_header3 = /^#include\s/ - $not_import = /^import \(/ - $not_package = /^package\s/ - $not_self_assert_equal = "self.assertEqual(" - $not_struct = /^type \w{1,32} struct \{/ fullword - $not_typedef = "typedef typename" - - condition: - filesize < 5MB and 4 of ($f*) and none of ($not*) -} - rule js_var_misdirection: medium { meta: description = "multiple layers of variable misdirection" + filetypes = "js,ts" strings: $short_mix_high = /var [a-z]{0,2}[A-Z]{1,2}[a-z]\w{1,2}\s{0,2}=\s{0,2}\w{0,2}[A-Z]\w{1,2}[\;\(\[]/ 
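Review bot: Deleting obfs_probably_js replaces a content-based gate (four JS feature strings and none of the Go/C/Python `$not_*` markers) with a filename-based one, and the two are not equivalent in what they admit. Obfuscated JavaScript inside an `.html` file (mapped to an empty MIME in the programkind hunk of this diff), in `.mjs`/`.cjs`/`.jsx`/`.tsx`, or in a renamed or extensionless file matched the old private rule and now matches none of these rules, while the old `$not_*` exclusions that kept Go and C sources from tripping them are no longer needed only as long as the extension is trustworthy. If those extensions are distinct keys in supportedKind, the tag should at least read `filetypes = "html,js,jsx,mjs,cjs,ts,tsx"`; if they normalize to "js", a comment saying so would save the next reader this question.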
@@ -61,13 +12,13 @@ rule js_var_misdirection: medium { $short_low = /var [a-z]{1,3}\s{0,2}=\s{0,2}\w{0,2}[A-Z]\w{1,2}[\;\(\[]/ condition: - obfs_probably_js and filesize < 4MB and 3 of them + filesize < 4MB and 3 of them } rule character_obfuscation: medium { meta: description = "obfuscated javascript that relies on character manipulation" - filetypes = "javascript" + filetypes = "js,ts" strings: $a_char = "charCodeAt" @@ -83,25 +34,26 @@ rule character_obfuscation: medium { $return = "{return" condition: - obfs_probably_js and filesize < 4MB and all of them + filesize < 4MB and all of them } rule js_char_code_at_substitution: high { meta: description = "converts integers into strings and contains a substitution map" - filetypes = "javascript" + filetypes = "js,ts" strings: $charCodeAt = "charCodeAt" fullword $index = "fghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345" condition: - obfs_probably_js and filesize < 256KB and all of them + filesize < 256KB and all of them } rule child_process: high { meta: description = "obfuscated javascript that calls external programs" + filetypes = "js,ts" strings: $f_const = "const" fullword @@ -114,13 +66,13 @@ rule child_process: high { $wtf_hex = /\w{4,16}\<\-0x\d{2,4}/ condition: - obfs_probably_js and filesize < 1MB and all of them and math.entropy(1, filesize) >= 6 + filesize < 1MB and all of them and math.entropy(1, filesize) >= 6 } rule ebe: high { meta: description = "highly obfuscated javascript (eBe)" - filetypes = "javascript" + filetypes = "js,ts" strings: $function = "function(" @@ -129,13 +81,13 @@ rule ebe: high { $ref = /eBe\([-]?\d{1,3}\)/ condition: - obfs_probably_js and filesize < 5MB and $function and $charCodeAt and #ref > 10 + filesize < 5MB and $function and $charCodeAt and #ref > 10 } rule ebe_generic: high { meta: description = "highly obfuscated javascript" - filetypes = "javascript" + filetypes = "js,ts" strings: $function = "function(" 
@@ -146,12 +98,13 @@ rule ebe_generic: high { $ref3 = /\>\w{1,3}\(\d{1,3}\)\);\w\[\w{1,3}\(\d{1,3}\)\]\=/ condition: - obfs_probably_js and filesize < 5MB and #function > 0 and $charCodeAt and (#ref > 5 or #ref2 > 5 or #ref3 > 5) + filesize < 5MB and #function > 0 and $charCodeAt and (#ref > 5 or #ref2 > 5 or #ref3 > 5) } rule exec_console_log: critical { meta: description = "evaluates the return of console.log()" + filetypes = "js,ts" strings: $ref = ".exec(console.log(" @@ -163,6 +116,7 @@ rule exec_console_log: critical { rule js_const_func_obfuscation: medium { meta: description = "javascript obfuscation (excessive const functions)" + filetypes = "js,ts" strings: $const = "const " 
@@ -170,65 +124,69 @@ rule js_const_func_obfuscation: medium { $return = "{return" condition: - obfs_probably_js and filesize < 256KB and #const > 32 and #function > 48 and #return > 64 + filesize < 256KB and #const > 32 and #function > 48 and #return > 64 } -rule js_hex_eval_obfuscation: critical { +rule js_hex_eval_obfuscation: high { meta: description = "javascript eval obfuscation (hex)" + filetypes = "js,ts" strings: $return = /\(eval, _{0,4}0x[\w]{0,32}[\(\[]/ condition: - obfs_probably_js and filesize < 128KB and any of them + filesize < 128KB and any of them } rule js_hex_obfuscation: high { meta: description = "javascript function obfuscation (hex)" + filetypes = "js,ts" strings: $return = /return _{0,4}0x[\w]{0,32}[\(\w]{0,32}/ $const = /const _{0,4}0x[\w]{0,32}\s*=[\w]{0,32}/ condition: - obfs_probably_js and filesize < 1MB and any of them + filesize < 1MB and any of them } rule high_entropy: medium { meta: description = "high entropy javascript (>6)" + filetypes = "js,ts" condition: - obfs_probably_js and math.entropy(1, filesize) >= 6 + math.entropy(1, filesize) >= 6 } rule very_high_entropy: high { meta: description = "very high entropy javascript (>7)" + filetypes = "js,ts" condition: - obfs_probably_js and math.entropy(1, filesize) >= 7 + math.entropy(1, filesize) >= 7 } rule charCodeAtIncrement: medium { meta: description = "converts incremented numbers into characters" - filetypes = "javascript" + filetypes = "js,ts" strings: $function = "function(" $increment = /charCodeAt\(\+\+\w{0,4}\)/ condition: - obfs_probably_js and filesize < 4MB and $function and #increment > 1 + filesize < 4MB and $function and #increment > 1 } rule js_many_parseInt: high { meta: description = "javascript obfuscation (integer parsing)" - filetypes = "javascript" + filetypes = "js,ts" strings: $const = "const " 
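Review bot: high_entropy and very_high_entropy lose the `filesize < 5MB` bound that came with obfs_probably_js, so `math.entropy(1, filesize)` now runs over arbitrarily large `.js` bundles and a big minified file with embedded base64 assets or source maps will trip the medium rule with no other corroborating feature; restore the bound, e.g. `filesize < 5MB and math.entropy(1, filesize) >= 6`. Separately, js_hex_eval_obfuscation is downgraded from critical to high in the same hunk with nothing in the commit explaining why — if it is an intentional retuning it deserves a one-line `ref` or comment, since the `_0x...` eval pattern is still a strong indicator.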
@@ -237,13 +195,13 @@ rule js_many_parseInt: high { $parseInt = "parseInt" condition: - obfs_probably_js and filesize < 256KB and #const > 16 and #function > 32 and #parseInt > 8 and #return > 32 + filesize < 256KB and #const > 16 and #function > 32 and #parseInt > 8 and #return > 32 } rule over_powered_arrays: high { meta: description = "uses many powered array elements (>25)" - filetypes = "javascript" + filetypes = "js,ts" strings: $function = /function\(\w,/ @@ -251,12 +209,13 @@ rule over_powered_arrays: high { $power_array = /\w\[\d{1,4}\]\^\w\[\d{1,4}\]/ condition: - obfs_probably_js and filesize < 5MB and $function and $charAt and #power_array > 25 + filesize < 5MB and $function and $charAt and #power_array > 25 } rule string_prototype_function: high { meta: description = "obfuscates function calls via string prototypes" + filetypes = "js,ts" strings: $ref = /String\["prototype"\].{1,32} = function\(\) \{ eval\(this\.toString\(\)\)\;/ @@ -269,17 +228,19 @@ rule string_prototype_function: high { rule unicode_prototype: critical { meta: description = "sets obfuscated Array.prototype attribute" + filetypes = "js,ts" strings: $ref = /Array\.prototype\.\\[\w\\]{2,256}\s{0,2}=.{0,64}/ condition: - obfs_probably_js and any of them + any of them } rule var_filler: high { meta: description = "header is filled with excessive variable declarations" + filetypes = "js,ts" strings: $ref = /[a-z]{2,8}\d{1,5} = "[a-z]{2,8}\d{1,5}"/ fullword 
@@ -291,73 +252,80 @@ rule var_filler: high { rule large_random_variables: high { meta: description = "contains large random variable names" + filetypes = "js,ts" strings: $ref = /var [a-zA-Z_]{32,256} = '.{4}/ fullword condition: - obfs_probably_js and #ref > 1 + #ref > 1 } rule many_complex_var: medium { meta: description = "defines multiple complex variables" + filetypes = "js,ts" strings: $ref = /var [a-zA-Z_]{1,256} = \(/ condition: - obfs_probably_js and #ref > 64 + #ref > 64 } rule many_complex_var_high: high { meta: description = "excessive complex variable declarations" + filetypes = "js,ts" strings: $ref = /var [a-zA-Z_]{1,256} = \(.{1,64}/ condition: - obfs_probably_js and #ref > 400 + #ref > 400 } rule many_static_map_lookups: medium { meta: description = "contains large number of static map lookups" + filetypes = "js,ts" strings: $ref = /\[[\"\'][a-z]{1,32}[\"\']\]/ condition: - obfs_probably_js and #ref > 128 + #ref > 128 } rule obfuscated_map_to_array_conversions: high { meta: description = "obfuscated map to array conversions" + filetypes = "js,ts" strings: $ref = /\[[\"\'a-z]{1,32}\]\s{0,2}\+\s{0,2}\[\]\)\[\d{1,4}\]/ condition: - obfs_probably_js and #ref > 32 + #ref > 32 } rule large_obfuscated_array: high { meta: description = "contains large obfuscated arrays" + filetypes = "js,ts" strings: $ref = /[a-z]{32,256}=\[\]/ fullword $ref2 = /[a-z]{1,256}\[\'\w{32,2048}\'\]/ fullword condition: - obfs_probably_js and all of them + all of them } rule high_entropy_charAt: medium { meta: description = "high entropy javascript (>5.37) that uses charAt/substr/join loops" + filetypes = "js,ts" strings: $ = "charAt(" 
@@ -367,12 +335,13 @@ rule high_entropy_charAt: medium { $s_for = /for\s{0,2}\(/ condition: - obfs_probably_js and math.entropy(1, filesize) >= 5.37 and all of them + math.entropy(1, filesize) >= 5.37 and all of them } rule charAt_long_string: medium { meta: description = "uses charAt/substr/join loops with a long variable" + filetypes = "js,ts" strings: $s_charAt = "charAt(" @@ -385,12 +354,13 @@ rule charAt_long_string: medium { $long_garbage = /['"][\w\~\!\@\#\$\%\^\&\*\(\)\{\}\?\+\/\/\=\-\;\[\]\.><\,\`\'\"_\\:]{16,256}[\s\%\$]{1,2}[\w\~\!\@\#\$\%\^\&\*\(\)\{\}\?\+\/\/\=\-\;\[\]\.><\,\`\'\"_\\:]{0,256}/ condition: - obfs_probably_js and all of ($s*) and any of ($long*) + all of ($s*) and any of ($long*) } rule charAt_long_vars: medium { meta: description = "uses charAt/substr/join loops with long variables" + filetypes = "js,ts" strings: $s_charAt = "charAt(" @@ -403,17 +373,18 @@ rule charAt_long_vars: medium { $long_garbage = /['"][\w\~\!\@\#\$\%\^\&\*\(\)\{\}\?\+\/\/\=\-\;\[\]\.><\,\`\'\"_\\:]{16,256}[\s\%\$]{1,2}[\w\~\!\@\#\$\%\^\&\*\(\)\{\}\?\+\/\/\=\-\;\[\]\.><\,\`\'\"_\\:]{0,256}/ condition: - obfs_probably_js and all of ($s*) and (#long_string + #long_garbage) > 3 + all of ($s*) and (#long_string + #long_garbage) > 3 } rule obfuscated_require: high { meta: description = "sets variable to the 'require' keyword" + filetypes = "js,ts" strings: $ = /global\[\"\w{1,16}\"\]\s{0,2}=\s{0,2}require;/ $ = /var \w{1,16}\s{0,2}=\s{0,2}require;/ condition: - obfs_probably_js and math.entropy(1, filesize) >= 5.37 and all of them + math.entropy(1, filesize) >= 5.37 and all of them } diff --git a/rules/anti-static/obfuscation/math.yara b/rules/anti-static/obfuscation/math.yara index 81c5dc9c6..690edd3a7 100644 --- a/rules/anti-static/obfuscation/math.yara +++ b/rules/anti-static/obfuscation/math.yara 
@@ -1,41 +1,31 @@ -private rule math_probably_js { - strings: - $f_function = "function" - $f_return = "return" - $f_local = "local" - $f_var = "var" fullword - $f_global = "global[" - $f_end = "end" fullword - - condition: - filesize < 5MB and 3 of ($f*) -} - rule js_long_math: high { meta: description = "performs multiple rounds of long integer math" + filetypes = "js,ts" strings: $d = /\d{6,14}[\+\-]\d{6,14}/ fullword condition: - math_probably_js and #d > 64 + #d > 64 } rule js_long_dumb_math: critical { meta: description = "performs multiple rounds of long dumb integer math" + filetypes = "js,ts" strings: $d = /[-\+]\([-\+]\d{6,14}[-\+]\([-\+]\d{6,14}\)\)/ condition: - math_probably_js and #d > 32 + #d > 32 } rule js_junk_math: medium { meta: description = "suspicious junk math" + filetypes = "js,ts" strings: $charAt = "charAt" @@ -46,12 +36,13 @@ rule js_junk_math: medium { $m_tiny_vars_long_remainder = /\w{0,2}\s{0,2}=\s{0,2}\(\w + \w\) % \d{4,16};/ condition: - math_probably_js and $charAt and 2 of ($m*) + $charAt and 2 of ($m*) } rule js_junk_math_high: high { meta: description = "multiple examples of suspicious junk math" + filetypes = "js,ts" strings: $charAt = "charAt" @@ -62,5 +53,5 @@ rule js_junk_math_high: high { $m_tiny_vars_long_remainder = /\w{0,2}\s{0,2}=\s{0,2}\(\w + \w\) % \d{4,16};/ condition: - math_probably_js and $charAt and 3 of ($m*) + $charAt and 3 of ($m*) } diff --git a/rules/anti-static/obfuscation/nodejs.yara b/rules/anti-static/obfuscation/nodejs.yara index 87517b991..3e7d7c745 100644 --- a/rules/anti-static/obfuscation/nodejs.yara +++ b/rules/anti-static/obfuscation/nodejs.yara @@ -1,6 +1,7 @@ rule nodejs_buffer_from: medium { meta: description = "loads arbitrary bytes from a buffer" + filetypes = "js,ts" strings: $ref = /Buffer\.from\(\[[\d,]{8,63}\)/ 
@@ -12,6 +13,7 @@ rule nodejs_buffer_from: medium { rule nodejs_buffer_from_many: high { meta: description = "loads many arbitrary bytes from a buffer" + filetypes = "js,ts" strings: $ref = /Buffer\.from\(\[[\d,]{63,2048}/ diff --git a/rules/anti-static/obfuscation/osascript.yara b/rules/anti-static/obfuscation/osascript.yara index e933d1d36..34a90767c 100644 --- a/rules/anti-static/obfuscation/osascript.yara +++ b/rules/anti-static/obfuscation/osascript.yara @@ -1,6 +1,7 @@ rule compiled_osascript: medium { meta: description = "compiled osascript" + filetypes = "scpt,scptd" strings: $s_sysoexec = "sysoexecTEXT" diff --git a/rules/anti-static/obfuscation/php.yara b/rules/anti-static/obfuscation/php.yara index a892daf0a..261e1f270 100644 --- a/rules/anti-static/obfuscation/php.yara +++ b/rules/anti-static/obfuscation/php.yara @@ -28,6 +28,8 @@ rule php_hex_functions: high { meta: description = "contains function references encoded in hex" + filetypes = "php" + strings: $h_globals = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53" nocase $h_eval = "\\x65\\x76\\x61\\x6C\\x28" nocase @@ -47,6 +49,8 @@ rule php_non_printable: medium { description = "non-printable values unexpectedly passed to a function" credit = "Ported from https://github.com/jvoisin/php-malware-finder" + filetypes = "php" + strings: $ref = /(function|return|base64_decode).{,64}[^\x09-\x0d\x20-\x7E]{3}/ $php = " 100 and none of ($not*) + filesize < 10MB and any of ($f*) and #trash in (filesize - 1024..filesize) > 100 and none of ($not*) } rule dumb_int_compares: high { @@ -239,7 +235,7 @@ rule dumb_int_compares: high { $decode_or_b64decode = /if \d{2,16} == \d{2,16}/ condition: - obfs_probably_python and filesize < 10MB and all of them + filesize < 10MB and all of them } rule py_lib_alias_val: medium { @@ -253,7 +249,7 @@ rule py_lib_alias_val: medium { $val } -rule multi_decode_3: medium { +rule multi_decode_3: high { meta: description = "multiple (3+) levels of decoding" filetypes = "py" 
@@ -263,20 +259,7 @@ rule multi_decode_3: medium { $decode_or_b64decode = /\.[b64]{0,3}decode\(.{0,256}\.[b64]{0,3}decode\(.{0,256}\.[b64]{0,3}decode/ condition: - obfs_probably_python and filesize < 10MB and all of them -} - -rule multi_decode_3_smaller_file: high { - meta: - description = "multiple (3+) levels of decoding" - filetypes = "py" - - strings: - $return = "return" - $decode_or_b64decode = /\.[b64]{0,3}decode\(.{0,256}\.[b64]{0,3}decode\(.{0,256}\.[b64]{0,3}decode/ - - condition: - obfs_probably_python and filesize < 256KB and all of them + filesize < 10MB and all of them } rule multi_decode: medium { @@ -289,34 +272,37 @@ rule multi_decode: medium { $decode_or_b64decode = /\.[b64]{0,3}decode\(.{0,32}\.[b64]{0,3}decode\(/ condition: - obfs_probably_python and filesize < 10MB and all of them + filesize < 10MB and all of them } rule rename_requests: medium { meta: description = "imports 'requests' library and gives it another name" + filetypes = "py" strings: $ref = /import requests as \w{0,64}/ condition: - obfs_probably_python and filesize < 10MB and all of them + filesize < 10MB and all of them } rule rename_requests_2char: high { meta: description = "imports 'requests' library and gives it a shorter name" + filetypes = "py" strings: $ref = /import requests as \w{1,2}/ fullword condition: - obfs_probably_python and filesize < 32KB and all of them + filesize < 32KB and all of them } rule rename_os: high { meta: description = "imports 'os' library and gives it another name" + filetypes = "py" strings: $ref = /import os as \w{0,64}/ 
@@ -330,17 +316,19 @@ rule rename_os: high { rule rename_marshal: critical { meta: description = "imports 'marshal' library and gives it another name" + filetypes = "py" strings: $ref = /import marshal as \w{0,64}/ condition: - obfs_probably_python and filesize < 10MB and all of them + filesize < 10MB and all of them } rule rename_base64: critical { meta: description = "imports 'base64' library and gives it another name" + filetypes = "py" strings: $ref = /import base64 as \w{0,64}/ @@ -359,17 +347,19 @@ rule rename_base64: critical { rule rename_zlib: high { meta: description = "imports 'base64' library and gives it another name" + filetypes = "py" strings: $ref = /import zlib as \w{0,64}/ condition: - obfs_probably_python and filesize < 10MB and all of them + filesize < 10MB and all of them } rule too_many_lambdas_small: high { meta: description = "lambda based obfuscation" + filetypes = "py" strings: $ref = /lambda \W: \W [\+\-\*]/ @@ -381,17 +371,19 @@ rule too_many_lambdas_small: high { rule too_many_lambdas_large: high { meta: description = "lambda based obfuscation" + filetypes = "py" strings: $ref = /lambda \W: \W [\+\-\*]/ condition: - obfs_probably_python and filesize < 10MB and #ref > 100 + filesize < 10MB and #ref > 100 } rule lambda_funk: high { meta: description = "likely obfuscated with lambda functions" + filetypes = "py" strings: $ = "__builtins__.__dict__" @@ -402,12 +394,13 @@ rule lambda_funk: high { $ = ".decode('utf-8'))" condition: - obfs_probably_python and filesize < 10MB and 80 % of them + filesize < 10MB and 80 % of them } rule lambda_funk_high: high { meta: description = "obfuscated with lambda expressions" + filetypes = "py" strings: $ = "__builtins__.__dict__" @@ -424,6 +417,7 @@ rule lambda_funk_high: high { rule confusing_function_name: high { meta: description = "obfuscated with confusing function names" + filetypes = "py" strings: $def = /def [Il]{6,64}/ 
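Review bot: `rename_zlib` still carries the description `"imports 'base64' library and gives it another name"` while its only string is `/import zlib as \w{0,64}/`, so the reported description names the wrong module; since the hunk already touches this rule's meta block it should also fix the text to `description = "imports 'zlib' library and gives it another name"`. The copy-paste from `rename_base64` directly above is evident from the identical wording. `rename_zlib`'s condition is inside the hunk; the remainder of `rename_base64` is not.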
@@ -439,6 +433,7 @@ rule confusing_function_name: high { rule decompress_base64_entropy: high { meta: description = "hidden base64-encoded compressed content" + filetypes = "py" strings: $k_lzma = "lzma" @@ -452,36 +447,39 @@ rule decompress_base64_entropy: high { $b64decode_long = /b64decode\(\"[\+\=\w\/]{96}/ condition: - obfs_probably_python and filesize < 10MB and any of ($k*) and $b64decode_long and any of ($f*) + filesize < 10MB and any of ($k*) and $b64decode_long and any of ($f*) } rule join: low { meta: description = "joins array together with an empty delimiter" + filetypes = "py" strings: $join = "''.join(" $join_double = "\"\".join(" condition: - obfs_probably_python and any of them + any of them } rule join_chr_array: medium { meta: description = "joins lengthy character array" + filetypes = "py" strings: $ref = /[a-z]{1,64}\s{0,2}=\s{0,2}\[\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}/ $chr_int = "chr(int(" condition: - obfs_probably_python and join and all of them + join and all of them } rule join_chr_array_exec: high { meta: description = "joins lengthy character array and executes arbitrary code" + filetypes = "py" strings: $val = /exec\(\w{1,32}\)/ fullword @@ -493,6 +491,7 @@ rule join_chr_array_exec: high { rule join_chr_array_math: high { meta: description = "joins obfuscated character array" + filetypes = "py" strings: $ref2 = /chr\(int\([a-z]{1,32}\)\s{0,2}[\-\*\+\^]\s{0,2}\w{1,32}/ @@ -504,6 +503,7 @@ rule join_chr_array_math: high { rule join_chr_array_exec_math: critical { meta: description = "joins obfuscated character array and executes arbitrary code" + filetypes = "py" strings: $val = /exec\(\w{1,32}\)/ fullword 
@@ -521,12 +521,13 @@ rule urllib_as_int_array: critical { $urllib_dot2 = "117, 114, 108, 108, 105, 98, 46" condition: - obfs_probably_python and filesize < 10MB and any of them + filesize < 10MB and any of them } rule import_manipulator: critical { meta: description = "manipulates globals and imports into executing obfuscated code" + filetypes = "py" strings: $import = "__import__(" @@ -541,12 +542,13 @@ rule import_manipulator: critical { condition: // a91160135598f3decc8ca9f9b019dcc5e1d73e79ebe639548cd9ee9e6d007ea6 is the sha256 hash // for https://github.com/pypy/pypy/blob/main/lib-python/2.7/pickle.py - obfs_probably_python and filesize < 10MB and (hash.sha256(0, filesize) != "a91160135598f3decc8ca9f9b019dcc5e1d73e79ebe639548cd9ee9e6d007ea6") and all of them + filesize < 10MB and (hash.sha256(0, filesize) != "a91160135598f3decc8ca9f9b019dcc5e1d73e79ebe639548cd9ee9e6d007ea6") and all of them } rule bloated_hex_python: high { meta: description = "python script bloated with obfuscated content" + filetypes = "py" strings: $f_unhexlify = "unhexlify" fullword @@ -564,5 +566,5 @@ rule bloated_hex_python: high { $not_highlight = "highlight" condition: - obfs_probably_python and filesize > 512KB and filesize < 10MB and 90 % of ($f*) and none of ($not*) + filesize > 512KB and filesize < 10MB and 90 % of ($f*) and none of ($not*) } diff --git a/rules/anti-static/obfuscation/python_setuptools.yara b/rules/anti-static/obfuscation/python_setuptools.yara index ef38dd83f..ab7741f2f 100644 --- a/rules/anti-static/obfuscation/python_setuptools.yara +++ b/rules/anti-static/obfuscation/python_setuptools.yara 
@@ -1,29 +1,13 @@ import "math" -private rule obfuscation_pythonSetup { - strings: - $if_distutils = /from distutils.core import .{0,32}setup/ - $if_setuptools = /from setuptools import .{0,32}setup/ - $i_setuptools = "import setuptools" - $setup = "setup(" - - $not_setup_example = ">>> setup(" - $not_setup_todict = "setup(**config.todict()" - $not_import_quoted = "\"from setuptools import setup" - $not_setup_quoted = "\"setup(name=" - $not_distutils = "from distutils.errors import" - - condition: - filesize < 128KB and $setup and any of ($i*) and none of ($not*) -} - rule setuptools_builtins: medium { meta: description = "Python library installer that references builtins" + filetypes = "py" strings: $ref = "__builtins__" fullword condition: - obfuscation_pythonSetup and $ref + any of them } diff --git a/rules/anti-static/obfuscation/reverse.yara b/rules/anti-static/obfuscation/reverse.yara index abc8c211a..996e0daaf 100644 --- a/rules/anti-static/obfuscation/reverse.yara +++ b/rules/anti-static/obfuscation/reverse.yara 
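Review bot: `setuptools_builtins` now fires on any `.py` file that contains the token `__builtins__`, because the removed `obfuscation_pythonSetup` anchor (the `setup(` call, the setuptools/distutils import strings and the `$not_*` exclusions) is replaced by `any of them` over a single string, while the description still says "Python library installer that references builtins"; the rule no longer does what it claims and will hit ordinary Python that touches builtins. A minimal installer anchor keeps the intent without the private rule: add `$setup = "setup("` under `strings:` and change the condition to `$setup and $ref`. The `import "math"` at the top of the file appears unreferenced in this hunk; if nothing outside it uses the module, it can be dropped as well.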
@@ -1,54 +1,7 @@ -private rule reverse_probably_js { - strings: - $f_Array = "Array.prototype" fullword - $f_async = "async function" - $f_await = "await" - $f_catch = "} catch" - $f_class = "@class" - $f_const = /\bconst\s/ - $f_define = "define(" - $f_false = "false);" - $f_function = /function\(\w{0,32}\)/ - $f_function2 = "function()" - $f_method = "@method" - $f_namespace = "@namespace" - $f_Object = "Object." - $f_param = "@param" - $f_private = "@private" - $f_promise = "Promise" - $f_prototype = ".prototype" - $f_require = "require(" - $f_return = /\breturn\s/ - $f_Run = ".Run(" - $f_run = ".run(" - $f_strict = " === " - $f_this = "this." - $f_this2 = "this[" - $f_true = "true);" - $f_try = "try {" - $f_var = /\bvar\s/ - - $not_asyncio = "await asyncio" - $not_class = /class \w{1,32}\(/ fullword - $not_def = /def [a-zA-Z_][a-zA-Z0-9_]{1,32} \(/ ascii - $not_equals_comment = "// ===" - $not_error = "err error" - $not_header = /^#ifndef\s/ - $not_header2 = /^#define\s/ - $not_header3 = /^#include\s/ - $not_import = /^import \(/ - $not_package = /^package\s/ - $not_self_assert_equal = "self.assertEqual(" - $not_struct = /^type \w{1,32} struct \{/ fullword - $not_typedef = "typedef typename" - - condition: - filesize < 5MB and 4 of ($f*) and none of ($not*) -} - rule string_reversal: medium { meta: description = "reverses strings" + filetypes = "py" strings: $ref = ".reverse().join(\"\")" @@ -60,6 +13,7 @@ rule string_reversal: medium { rule function_reversal: high { meta: description = "reversed function definition" + filetypes = "js,ts" strings: $ref = /n.{0,3}o.{0,3}i.{0,3}t.{0,3}c.{0,3}n.{0,3}u.{0,3}f/ 
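Review bot: `string_reversal` is tagged `filetypes = "py"`, but the only string visible in the hunk, `.reverse().join("")`, is the JavaScript array idiom (Python's `list.reverse()` returns `None` and has no `.join`), and the prefilter this hunk deletes from the same file was `reverse_probably_js`; unless the strings outside the hunk are Python-specific, this should probably read `filetypes = "js,ts"` like `function_reversal` just below it. The rest of `string_reversal`'s strings and its condition are outside the hunk, so this is a request to confirm rather than a certain defect.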
@@ -68,14 +22,15 @@ rule function_reversal: high { filesize < 1MB and any of them } -rule js_reversal: critical { +rule js_reversal: high { meta: description = "multiple reversed javascript calls" + filetypes = "js,ts" strings: $ref = /n.{0,3}o.{0,3}i.{0,3}t.{0,3}c.{0,3}n.{0,3}u.{0,3}f/ $ref2 = /n.{0,3}r.{0,3}u.{0,3}t.{0,3}e.{0,3}r/ condition: - reverse_probably_js and filesize < 1MB and all of them + filesize < 1MB and all of them } diff --git a/rules/anti-static/obfuscation/sh.yara b/rules/anti-static/obfuscation/sh.yara index ce376313f..f6872bc6e 100644 --- a/rules/anti-static/obfuscation/sh.yara +++ b/rules/anti-static/obfuscation/sh.yara @@ -1,6 +1,7 @@ rule echo_base64_decode: high { meta: description = "echo and decode base64 text" + filetypes = "bash,sh,zsh" strings: $ref = /echo [\w=\$]{2,256} {0,2}\| {0,2}base64 {0,2}(-d|--decode)/ fullword diff --git a/rules/anti-static/obfuscation/strtoi.yara b/rules/anti-static/obfuscation/strtoi.yara index 21e8806b2..587038cd1 100644 --- a/rules/anti-static/obfuscation/strtoi.yara +++ b/rules/anti-static/obfuscation/strtoi.yara @@ -1,6 +1,7 @@ rule sketchy_parseint_math: medium { meta: description = "complex math and string to integer conversion" + filetypes = "js,ts" strings: $m1 = /\d{2,16}[\-\+\*\^]\w{1,8}/ diff --git a/rules/anti-static/obfuscation/syscall.yara b/rules/anti-static/obfuscation/syscall.yara index 58074fd57..0975bbb95 100644 --- a/rules/anti-static/obfuscation/syscall.yara +++ b/rules/anti-static/obfuscation/syscall.yara @@ -1,6 +1,7 @@ rule syscall: medium { meta: description = "directly invokes syscalls" + filetypes = "rb" strings: $ruby = "ruby" fullword diff --git a/rules/anti-static/obfuscation/url.yara b/rules/anti-static/obfuscation/url.yara index a9a4f946e..1bd38c3f0 100644 --- a/rules/anti-static/obfuscation/url.yara +++ b/rules/anti-static/obfuscation/url.yara 
@@ -3,6 +3,7 @@ import "math" rule decode_url_component_char_code: critical { meta: description = "decodes obfuscated URL components" + filetypes = "js,ts" strings: $ref = "decodeURIComponent" diff --git a/rules/anti-static/obfuscation/utf16.yara b/rules/anti-static/obfuscation/utf16.yara index bfc819549..a55a12ed5 100644 --- a/rules/anti-static/obfuscation/utf16.yara +++ b/rules/anti-static/obfuscation/utf16.yara @@ -1,6 +1,7 @@ rule sketchy_fromCharCode_math: medium { meta: description = "complex math and utf16 code unit conversion" + filetypes = "js,ts" strings: $m1 = /\d{2,16}[\-\+\*\^]\w{1,8}/ @@ -11,9 +12,10 @@ rule sketchy_fromCharCode_math: medium { filesize < 1MB and any of ($f*) and ((#m1 > 5) or (#m2 > 5)) } -rule static_charcode_math: critical { +rule static_charcode_math: high { meta: description = "assembles strings from character codes and static integers" + filetypes = "js,ts" strings: $ref = /fromCharCode\(\d{1,16}\s{0,2}[\-\+\*\^]{1,2}\d{1,16}/ diff --git a/rules/anti-static/packer/aes.yara b/rules/anti-static/packer/aes.yara index 0c2cd6c6c..9f6c446d3 100644 --- a/rules/anti-static/packer/aes.yara +++ b/rules/anti-static/packer/aes.yara @@ -9,7 +9,7 @@ private rule smallBinary { rule go_aes: high { meta: description = "go binary packed with AES" - filetypes = "macho,elf" + filetypes = "elf,macho" strings: $aes = "crypto/aes" @@ -19,4 +19,3 @@ rule go_aes: high { condition: smallBinary and math.entropy(1, filesize) >= 7 and all of them } - diff --git a/rules/anti-static/packer/blankobf.yara b/rules/anti-static/packer/blankobf.yara index a0ee0769c..3c2484dde 100644 --- a/rules/anti-static/packer/blankobf.yara +++ b/rules/anti-static/packer/blankobf.yara @@ -14,4 +14,3 @@ rule blankOBF: critical { condition: filesize < 1MB and any of them } - diff --git a/rules/anti-static/packer/cx_freeze.yara b/rules/anti-static/packer/cx_freeze.yara index 8b7adaea8..1bbd630c7 100644 --- a/rules/anti-static/packer/cx_freeze.yara 
+++ b/rules/anti-static/packer/cx_freeze.yara @@ -1,6 +1,7 @@ rule cxFreeze_Python_executable: high { meta: description = "uses cxFreeze packer" + filetypes = "py" strings: $cxfreeze = "cx_Freeze" diff --git a/rules/anti-static/packer/kiteshield.yara b/rules/anti-static/packer/kiteshield.yara index ce3b029c8..708fdda7d 100644 --- a/rules/anti-static/packer/kiteshield.yara +++ b/rules/anti-static/packer/kiteshield.yara @@ -7,6 +7,7 @@ rule kiteshield: high { reference = "https://blog.xlab.qianxin.com/kiteshield_packer_is_being_abused_by_linux_cyber_threat_actors" tool = "Kiteshield" tool_repository = "https://github.com/GunshipPenguin/kiteshield" + filetypes = "elf" strings: $loader_jmp = { 31 D2 31 C0 31 C9 31 F6 31 FF 31 ED 45 31 C0 45 31 C9 45 31 D2 45 31 DB 45 31 E4 45 31 ED 45 31 F6 45 31 FF 5B FF E3 } diff --git a/rules/anti-static/packer/nuitka.yara b/rules/anti-static/packer/nuitka.yara index 5bcec14c5..be9e51f30 100644 --- a/rules/anti-static/packer/nuitka.yara +++ b/rules/anti-static/packer/nuitka.yara @@ -3,6 +3,7 @@ import "math" rule nuitka: critical { meta: description = "packed with Nuitka (Python compiler)" + filetypes = "py" strings: $old = "onefile_%PID%_%TIME%" diff --git a/rules/anti-static/packer/pe.yara b/rules/anti-static/packer/pe.yara index b17c434cd..260202c2a 100644 --- a/rules/anti-static/packer/pe.yara +++ b/rules/anti-static/packer/pe.yara @@ -3,6 +3,7 @@ import "math" rule pe_packed: high windows { meta: description = "packed PE file (Windows EXE) with high entropy (>7)" + filetype = "exe,pe" condition: uint16(0) == 0x5a4d and math.entropy(0, filesize) > 7 diff --git a/rules/anti-static/packer/py_vare.yara b/rules/anti-static/packer/py_vare.yara index fb53abc5a..688da08c7 100644 --- a/rules/anti-static/packer/py_vare.yara +++ b/rules/anti-static/packer/py_vare.yara 
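Review bot: `pe_packed` in the pe.yara hunk uses the singular key `filetype = "exe,pe"`, whereas every other rule in this change uses `filetypes` and the py_vare.yara hunk on the next line explicitly corrects `filetype` to `filetypes`; if the scanner keys on `filetypes`, this rule's gate is silently ignored, so it should read `filetypes = "exe,pe"`. The three `upx` rules in the upx.yara hunk have the same singular key, and their value `"upx"` names a packer rather than a file kind, which looks unlikely to match anything a kind detector emits for a packed ELF. Separately, `cxFreeze_Python_executable` and `nuitka` are restricted to `filetypes = "py"` even though both describe packed or compiled executables; if the gate is enforced, the `.py` restriction would exclude the binary artifacts these rules were presumably written for, so a binary kind list such as `"elf,macho,pe"` or omitting `filetypes` may be the safer choice.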
@@ -1,7 +1,7 @@ rule Vare_Obfuscator: critical { meta: description = "obfuscated with https://github.com/saintdaddy/Vare-Obfuscator" - filetype = "py" + filetypes = "py" strings: $var = "__VareObfuscator__" diff --git a/rules/anti-static/packer/pycloak.yara b/rules/anti-static/packer/pycloak.yara index 73d8bba7c..5532ac54e 100644 --- a/rules/anti-static/packer/pycloak.yara +++ b/rules/anti-static/packer/pycloak.yara @@ -2,6 +2,7 @@ rule pycloak: critical { meta: description = "packed with pycloak" ref = "https://github.com/addi00000/pycloak" + filetypes = "py" strings: $ = "__builtins__.__dict__[__builtins__.__dict__" diff --git a/rules/anti-static/packer/pyobfuscate.yara b/rules/anti-static/packer/pyobfuscate.yara index a65759570..bde8940f6 100644 --- a/rules/anti-static/packer/pyobfuscate.yara +++ b/rules/anti-static/packer/pyobfuscate.yara @@ -1,6 +1,7 @@ rule pyobfuscate: high { meta: description = "uses 'pyobfuscate' packer" + filetypes = "py" strings: $def = "def" fullword diff --git a/rules/anti-static/packer/upx.yara b/rules/anti-static/packer/upx.yara index 762ceb7d4..6fa1801b4 100644 --- a/rules/anti-static/packer/upx.yara +++ b/rules/anti-static/packer/upx.yara @@ -1,6 +1,7 @@ rule upx: high { meta: description = "Binary is packed with UPX" + filetype = "upx" strings: $u_upx_sig = "UPX!" @@ -15,6 +16,7 @@ rule upx: high { rule upx_elf: high { meta: description = "Linux ELF binary packed with UPX" + filetype = "upx" strings: $proc_self = "/proc/self/exe" @@ -28,6 +30,7 @@ rule upx_elf: high { rule upx_elf_tampered: critical { meta: description = "Linux ELF binary packed with modified UPX" + filetype = "upx" strings: $prot_exec = "PROT_EXEC|PROT_WRITE failed" diff --git a/rules/anti-static/unmarshal/marshal.yara b/rules/anti-static/unmarshal/marshal.yara index 4ce767fc6..e2da33b3d 100644 --- a/rules/anti-static/unmarshal/marshal.yara +++ b/rules/anti-static/unmarshal/marshal.yara 
@@ -14,6 +14,7 @@ private rule pySetup { rule unmarshal_py_marshal: medium { meta: description = "reads python values from binary content" + filetypes = "py" strings: $ref = "import marshal" @@ -25,6 +26,7 @@ rule unmarshal_py_marshal: medium { rule setuptools_py_marshal: suspicious { meta: description = "Python library installer that reads values from binary content" + filetypes = "py" condition: pySetup and unmarshal_py_marshal diff --git a/rules/c2/addr/ip.yara b/rules/c2/addr/ip.yara index d2e074f92..c51da388d 100644 --- a/rules/c2/addr/ip.yara +++ b/rules/c2/addr/ip.yara @@ -27,6 +27,7 @@ private rule ip_elf_or_macho { rule bin_hardcoded_ip: high { meta: description = "ELF with hardcoded IP address" + filetypes = "elf,macho" strings: // stricter version of what's above: excludes 255.* and *.0.* *.1.*, and 8.* (likely Google) diff --git a/rules/c2/addr/url.yara b/rules/c2/addr/url.yara index 23bcfe0a0..963e89ffc 100644 --- a/rules/c2/addr/url.yara +++ b/rules/c2/addr/url.yara @@ -79,6 +79,7 @@ rule http_url_with_question: medium { rule binary_with_url: low { meta: description = "binary contains hardcoded URL" + filetypes = "elf,macho" strings: $ref = /https*:\/\/[\w\.\/]{8,160}[\/\w\=\&]{0,32}/ @@ -90,6 +91,7 @@ rule binary_with_url: low { rule binary_url_with_question: high { meta: description = "binary contains hardcoded URL with question mark" + filetypes = "elf,macho" strings: $ref = /https*:\/\/[\w\.\/]{8,160}\.(asp|php|exe|dll)\?[\w\=\&]{1,32}/ diff --git a/rules/c2/connect/bash_tcp.yara b/rules/c2/connect/bash_tcp.yara index fbb80a505..1ce61ca5c 100644 --- a/rules/c2/connect/bash_tcp.yara +++ b/rules/c2/connect/bash_tcp.yara @@ -1,6 +1,7 @@ rule bash_tcp: high { meta: description = "sends data via /dev/tcp (bash)" + filetypes = "bash,sh,zsh" strings: $ref = /[\w \-\\<]{0,32}>"{0,1}\/dev\/tcp\/[\$\{\/\:\-\w\"]{0,32}/ diff --git a/rules/c2/discovery/ip-dns_resolver.yara b/rules/c2/discovery/ip-dns_resolver.yara index c48923497..0689e72ca 100644 
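Review bot: `bin_hardcoded_ip` in the ip.yara hunk gains `filetypes = "elf,macho"` and sits behind a private rule named `ip_elf_or_macho`, but its description still says `"ELF with hardcoded IP address"`; since the meta block is being edited anyway, `description = "binary with hardcoded IP address"` would match the declared scope. The rule's strings and condition are outside the hunk.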
--- a/rules/c2/discovery/ip-dns_resolver.yara +++ b/rules/c2/discovery/ip-dns_resolver.yara @@ -3,8 +3,32 @@ rule google_dns_ip: medium { description = "contains Google Public DNS resolver IP" strings: - $primary = "8.8.8.8" - $secondary = "8.8.4.4" + $primary = "8.8.8.8" + $secondary = "8.8.4.4" + $primary_6 = "2001:4860:4860::8888" + $secondary_6 = "2001:4860:4860::8844" + + condition: + any of them +} + +rule cloudflare_dns_ip: medium { + meta: + description = "contains Cloudflare DNS resolver IP" + + strings: + $primary = "1.1.1.1" + $primary_6 = "2606:4700:4700::1111" + $secondary = "1.0.0.1" + $secondary_6 = "2606:4700:4700::1001" + $tertiary = "1.1.1.2" + $tertiary_6 = "2606:4700:4700::1112" + $quaternary = "1.0.0.2" + $quaternary_6 = "2606:4700:4700::1002" + $quinary = "1.1.1.3" + $quinary_6 = "2606:4700:4700::1113" + $senary = "1.0.0.3" + $senary_6 = "2606:4700:4700::1003" condition: any of them @@ -27,8 +51,10 @@ rule ctrld_ip: high { description = "contains 'Control D' DNS resolver IP" strings: - $primary = "76.76.2.0" - $secondary = "76.76.10.0" + $primary = "76.76.2.0" + $primary_6 = "2606:1a40::" + $secondary = "76.76.10.0" + $secondary_6 = "2606:1a40:1::" condition: any of them @@ -39,8 +65,10 @@ rule quad9_ip: medium { description = "contains Quad9 DNS resolver IP" strings: - $primary = "9.9.9.9" - $secondary = "149.112.112.112" + $primary = "9.9.9.9" + $primary_6 = "2620:fe::fe" + $secondary = "149.112.112.112" + $seconday_6 = "2620:fe::9" condition: any of them diff --git a/rules/c2/tool_transfer/chmod_dropper.yara b/rules/c2/tool_transfer/chmod_dropper.yara index c07e33e44..244d90443 100644 --- a/rules/c2/tool_transfer/chmod_dropper.yara +++ b/rules/c2/tool_transfer/chmod_dropper.yara @@ -1,7 +1,7 @@ rule chmod_77x_dropper: critical { meta: description = "transfers program, uses dangerous permissions, and possibly runs a binary" - filetypes = "macho,elf" + filetypes = "elf,macho" strings: $chmod = /chmod [\-\w ]{0,3}77[750] [ \$\@\w\/\.]{0,64}/ 
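Review bot: `$seconday_6` in the `quad9_ip` hunk is misspelled (`$secondary_6`, matching the `google_dns_ip` and `ctrld_ip` hunks); it still counts under `any of them`, but the name will be confusing in match output and would be missed by any future `($secondary*)` set. In the new `cloudflare_dns_ip` rule the patterns are bare substrings, so `$primary = "1.1.1.1"` also matches inside longer dotted-decimal strings and version numbers such as `11.1.1.10`; adding `fullword` to the IPv4 strings (`$primary = "1.1.1.1" fullword`) narrows this at low cost, and the same applies to the pre-existing `google_dns_ip` strings touched in the first hunk. The `ctrld_ip` IPv6 strings `2606:1a40::` and `2606:1a40:1::` are prefixes rather than full addresses, which may well be intended, but a one-line comment stating that a prefix match is deliberate would stop a later reader from "fixing" them.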
@@ -21,7 +21,7 @@ rule chmod_77x_dropper: critical { rule chmod_executable_shell_binary: high { meta: description = "executable makes another file executable" - filetypes = "macho,elf" + filetypes = "elf,macho" strings: $chmod = /chmod [\-\w ]{0,4}\+[rw]{0,2}x[ \$\@\w\/\.]{0,64}/ diff --git a/rules/c2/tool_transfer/download.yara b/rules/c2/tool_transfer/download.yara index a66a2b4e6..13acfe6a4 100644 --- a/rules/c2/tool_transfer/download.yara +++ b/rules/c2/tool_transfer/download.yara @@ -26,6 +26,7 @@ rule download_sites: high { $not_manual = "manually upload" $not_paste_go = "paste.go" $not_netlify = "netlify.app" + $not_misp_galaxy = "misp-galaxy:" condition: any of ($d_*) and none of ($not*) @@ -56,8 +57,10 @@ rule pastebin: medium { strings: $d_pastebin = /[\w\.]{1,128}astebin[\w\.\/]{1,128}/ + $not_misp_galaxy = "misp-galaxy:" + condition: - any of ($d_*) + any of ($d_*) and none of ($not*) } rule program_dropper_url: medium { @@ -119,6 +122,7 @@ private rule smallerBinary { rule http_archive_url_higher: high { meta: description = "accesses hardcoded archive file endpoint" + filetypes = "elf,macho" strings: $ref = /https{0,1}:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.(zip|tar|tgz|gz|xz)/ fullword diff --git a/rules/c2/tool_transfer/exe_url.yara b/rules/c2/tool_transfer/exe_url.yara index 0b1e35d1a..4a13bf471 100644 --- a/rules/c2/tool_transfer/exe_url.yara +++ b/rules/c2/tool_transfer/exe_url.yara @@ -5,6 +5,7 @@ rule http_url_with_exe: high { strings: $exe_url = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.exe/ $not_mongodb_404 = "https://docs.mongodb.com/manual/reference/method/Bulk.exe" + $not_elastic = "\"license\": \"Elastic License v2\"" condition: any of ($exe*) and none of ($not*) 
@@ -17,8 +18,10 @@ rule http_ip_url_with_exe: critical { strings: $exe_url = /https*:\/\/[\d\.\:\[\]]{8,64}[:\/\w\_\-\?\@=]{6,160}\.exe/ + $not_elastic = "\"license\": \"Elastic License v2\"" + condition: - any of ($exe*) + any of ($exe*) and none of ($not*) } rule http_url_with_msi: high { @@ -28,8 +31,10 @@ rule http_url_with_msi: high { strings: $exe_url = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.msi/ + $not_elastic = "\"license\": \"Elastic License v2\"" + condition: - any of ($exe*) + any of ($exe*) and none of ($not*) } rule http_ip_url_with_msi: critical { @@ -39,8 +44,10 @@ rule http_ip_url_with_msi: critical { strings: $exe_url = /https*:\/\/[\d\.\:\[\]]{8,64}[:\/\w\_\-\?\@=]{6,160}\.msi/ + $not_elastic = "\"license\": \"Elastic License v2\"" + condition: - any of ($exe*) + any of ($exe*) and none of ($not*) } rule http_url_with_powershell: high { @@ -50,8 +57,10 @@ rule http_url_with_powershell: high { strings: $exe_url = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.ps1/ + $not_elastic = "\"license\": \"Elastic License v2\"" + condition: - any of ($exe*) + any of ($exe*) and none of ($not*) } rule http_ip_url_with_powershell: critical { @@ -61,6 +70,8 @@ rule http_ip_url_with_powershell: critical { strings: $exe_url = /https*:\/\/[\d\.\:\[\]]{8,64}[:\/\w\_\-\?\@=]{6,160}\.ps1/ + $not_elastic = "\"license\": \"Elastic License v2\"" + condition: - any of ($exe*) + any of ($exe*) and none of ($not*) } diff --git a/rules/c2/tool_transfer/js.yara b/rules/c2/tool_transfer/js.yara index 97c8ea8d2..28732a0b2 100644 --- a/rules/c2/tool_transfer/js.yara +++ b/rules/c2/tool_transfer/js.yara @@ -1,6 +1,7 @@ rule javascript_dropper: critical { meta: description = "Javascript dropper" + filetypes = "js,ts" strings: $lh = /require\(['"]https{0,1}['"]\)/ diff --git a/rules/c2/tool_transfer/macos.yara b/rules/c2/tool_transfer/macos.yara index 7c46ca6c1..4c82c9b22 100644 --- a/rules/c2/tool_transfer/macos.yara +++ b/rules/c2/tool_transfer/macos.yara 
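Review bot: The identical `$not_elastic = "\"license\": \"Elastic License v2\""` exclusion is pasted into five rules across this hunk and the preceding exe_url hunk, and because it is a plain substring check any file that contains that license text anywhere is excluded from detections rated up to `critical`. Factoring the string into one private rule keeps the five copies in sync and gives a single place to narrow the exclusion later, for example to a hash-based exclusion like the one `import_manipulator` uses in python.yara, or to the manifest file kind the false positive came from. The sketch below shows the shared rule and one rewritten condition; the other four conditions change the same way. Each rule's meta and `$exe_url` string are unchanged.
```yara
private rule elastic_license_manifest {
  strings:
    $ref = "\"license\": \"Elastic License v2\""

  condition:
    $ref
}

// … unchanged: http_ip_url_with_exe meta and $exe_url string …
  condition:
    any of ($exe*) and not elastic_license_manifest
```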
@@ -26,7 +26,8 @@ rule macos_chflags_hidden: critical { rule cocoa_bundle_dropper: critical { meta: - ref = "https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos" + ref = "https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos" + filetypes = "macho" strings: $bundle = "NSBundle" fullword diff --git a/rules/c2/tool_transfer/npm.yara b/rules/c2/tool_transfer/npm.yara index 07988bddb..20306a097 100644 --- a/rules/c2/tool_transfer/npm.yara +++ b/rules/c2/tool_transfer/npm.yara @@ -2,6 +2,7 @@ rule npm_dropper: critical { meta: description = "NPM binary dropper" ref = "https://www.reversinglabs.com/blog/a-lurking-npm-package-makes-the-case-for-open-source-health-checks" + filetypes = "js,ts" strings: $npm_format = /"format":/ diff --git a/rules/c2/tool_transfer/osascript.yara b/rules/c2/tool_transfer/osascript.yara index 50e78c0ca..20eb94bea 100644 --- a/rules/c2/tool_transfer/osascript.yara +++ b/rules/c2/tool_transfer/osascript.yara @@ -1,6 +1,7 @@ rule osascript_dropper: high { meta: description = "osascript dropper" + filetypes = "scpt,scptd" strings: $c_osascript = "osascript" fullword diff --git a/rules/c2/tool_transfer/php.yara b/rules/c2/tool_transfer/php.yara index 599a8a437..dd623611a 100644 --- a/rules/c2/tool_transfer/php.yara +++ b/rules/c2/tool_transfer/php.yara @@ -1,6 +1,7 @@ rule php_copy_url: high { meta: - ref = "kinsing" + ref = "kinsing" + filetypes = "php" strings: $php = "]{0,64} &/ @@ -109,6 +124,7 @@ rule nohup_bash_background: high { rule fetch_pipe_shell_value: medium { meta: description = "fetches content and pipes it to a shell" + filetypes = "bash,sh,zsh" strings: $wget_bash = /wget .{8,128}\| {0,2}bash/ @@ -123,6 +139,7 @@ rule fetch_pipe_shell_value: medium { rule fetch_chmod_execute: high { meta: description = "single line fetch, chmod, execute" + filetypes = "bash,sh,zsh" strings: $wget = /wget .{8,64} \&\&.{0,64} chmod .{3,16} \&\& \.\/[\.\w]{1,16}/ 
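Review bot: `cocoa_bundle_dropper` here and `php_copy_url` in the php.yara hunk on this same line carry only `ref` and the new `filetypes` under `meta:`, with no `description`, while every other rule touched by this change has one; a rule without a description presumably surfaces with an empty description wherever hits are reported. Add a `description` next to the `ref` line in each, worded to the rule's actual strings (for example `description = "loads a Cocoa bundle from a dropped file"`, to be adjusted), since only `$bundle = "NSBundle"` is visible for the first rule and the second rule's strings are not legible in this hunk.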
@@ -135,6 +152,7 @@ rule fetch_chmod_execute: high {
 rule possible_dropper: high {
 meta:
 description = "download and execute a program"
+ filetypes = "bash,sh,zsh"
 strings:
 $http = /https{0,1}:\/\/[\.\w\/\?\=\-]{1,64}/
@@ -154,6 +172,7 @@ rule possible_dropper: high {
 rule nohup_dropper: critical {
 meta:
 description = "downloads and executes a program with nohup"
+ filetypes = "bash,sh,zsh"
 strings:
 $nohup = "nohup" fullword
@@ -165,6 +184,7 @@ rule nohup_dropper: critical {
 rule obsessive_dropper: high {
 meta:
 description = "invokes multiple tools to download and execute a program"
+ filetypes = "bash,sh,zsh"
 strings:
 $http = "http://"
diff --git a/rules/collect/archives/tar-command.yara b/rules/collect/archives/tar-command.yara
index 400297f39..81bac2fe7 100644
--- a/rules/collect/archives/tar-command.yara
+++ b/rules/collect/archives/tar-command.yara
@@ -1,6 +1,7 @@
 rule tar_script: medium {
 meta:
 description = "script shells out to tar"
+ filetypes = "bash,sh,zsh"
 strings:
 $a_tar_rX = /tar -r -X[\|\-\\\"\$\w\; ]{0,64}/
@@ -14,6 +15,7 @@ rule tar_script: medium {
 rule local_tar: medium {
 meta:
 description = "command archives current directory"
+ filetypes = "bash,sh,zsh"
 strings:
 $a_tar_c = /tar -c\w{0,8} \. [\|\-\\\"\$\w\; ]{0,64}/
@@ -25,6 +27,7 @@ rule local_tar: medium {
 rule collect_executable_calls_archive_tool: high {
 meta:
 description = "command shells out to tar"
+ filetypes = "bash,sh,zsh"
 strings:
 $a_tar_c = /tar -c\w{0,8} \. [\|\-\\\"\$\w\; ]{0,64}/
diff --git a/rules/collect/localstorage.yara b/rules/collect/localstorage.yara
index 6048f1bbf..5c5b21e27 100644
--- a/rules/collect/localstorage.yara
+++ b/rules/collect/localstorage.yara
@@ -1,6 +1,7 @@
 rule localstorage: medium {
 meta:
 description = "accesses browser local storage"
+ filetypes = "js,ts"
 strings:
 $ref = "localStorage.get"
diff --git a/rules/credential/clipboard.yara b/rules/credential/clipboard.yara
index baf17290e..b40491dc7 100644
--- a/rules/credential/clipboard.yara
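Review bot: `possible_dropper`, `nohup_dropper` and `obsessive_dropper` all get `filetypes = "bash,sh,zsh"`, yet their strings (`$http`, `$nohup`, the fetch-and-run patterns) are plain text that also appears in Dockerfiles, Makefiles, CI configuration and install scripts embedded in other languages. If this meta is applied as a file-kind filter, a high/critical detection is being narrowed to three script kinds without a stated reason, and the same narrowing applies to the three `tar-command.yara` rules later in this line. If the narrowing is deliberate (for example to cut false positives in build files), a one-line comment such as `// restricted to shell scripts: the same strings are routine in build tooling` next to the meta would record the trade-off; otherwise a broader list would preserve the previous coverage.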
+++ b/rules/credential/clipboard.yara
@@ -17,6 +17,7 @@ rule nspasteboard: medium macos {
 rule py_pasteboard: high {
 meta:
 description = "access clipboard contents"
+ filetypes = "py"
 strings:
 $clip = "pyperclip.copy("
@@ -25,4 +26,3 @@ rule py_pasteboard: high {
 condition:
 any of them
 }
-
diff --git a/rules/crypto/cipher.yara b/rules/crypto/cipher.yara
index dfebf184a..147a99cbb 100644
--- a/rules/crypto/cipher.yara
+++ b/rules/crypto/cipher.yara
@@ -1,6 +1,7 @@
 rule go_cipher: harmless {
 meta:
 description = "Uses crypto/cipher"
+ filetypes = "elf,go,macho"
 strings:
 $ref = "XORKeyStream"
diff --git a/rules/crypto/ecdsa.yara b/rules/crypto/ecdsa.yara
index d4e310eef..742aa1657 100644
--- a/rules/crypto/ecdsa.yara
+++ b/rules/crypto/ecdsa.yara
@@ -1,6 +1,7 @@
 rule crypto_ecdsa {
 meta:
 description = "Uses the Go crypto/ecdsa library"
+ filetypes = "elf,go,macho"
 strings:
 $ref = "crypto/ecdsa"
diff --git a/rules/crypto/encrypted-stream.yara b/rules/crypto/encrypted-stream.yara
index 4c9243937..b60aa62d0 100644
--- a/rules/crypto/encrypted-stream.yara
+++ b/rules/crypto/encrypted-stream.yara
@@ -1,6 +1,7 @@
 rule go_encrypted_stream: high {
 meta:
 description = "Uses github.com/nknorg/encrypted-stream to encrypt streams"
+ filetypes = "elf,go,macho"
 strings:
 $ref1 = ").Encrypt"
diff --git a/rules/crypto/ethereum.yara b/rules/crypto/ethereum.yara
index 52068a24c..6beca8945 100644
--- a/rules/crypto/ethereum.yara
+++ b/rules/crypto/ethereum.yara
@@ -1,6 +1,7 @@
 rule ethereum: medium {
 meta:
 description = "uses Ethereum"
+ filetypes = "js,ts"
 strings:
 $ethers = "require(\"ethers\");"
diff --git a/rules/crypto/fastrand.yara b/rules/crypto/fastrand.yara
index 0ed6967f1..de456c94b 100644
--- a/rules/crypto/fastrand.yara
+++ b/rules/crypto/fastrand.yara
@@ -1,6 +1,7 @@
 rule uses_pseudo_rng: medium {
 meta:
 description = "uses a fast pseudorandom generator"
+ filetypes = "elf,go,macho"
 strings:
 $ethers = "valyala/fastrand"
diff --git a/rules/crypto/ssl.yara b/rules/crypto/ssl.yara
index b6da5b47f..c13759c56 100644
--- a/rules/crypto/ssl.yara
+++ b/rules/crypto/ssl.yara
@@ -1,6 +1,7 @@
 rule py_ssl {
 meta:
 description = "uses Python SSL library"
+ filetypes = "py"
 strings:
 $ssl = "import ssl" fullword
diff --git a/rules/data/base64/base64-decode.yara b/rules/data/base64/base64-decode.yara
index 8e0654409..47b8e6ee1 100644
--- a/rules/data/base64/base64-decode.yara
+++ b/rules/data/base64/base64-decode.yara
@@ -2,6 +2,7 @@ rule base64_decode: medium python {
 meta:
 description = "decode base64 strings"
 ref = "https://docs.python.org/3/library/base64.html"
+ filetypes = "py"
 strings:
 $b64decode = "b64decode"
@@ -13,6 +14,7 @@ rule base64_decode: medium python {
 rule py_base64_decode: medium php {
 meta:
 description = "decode base64 strings"
+ filetypes = "py"
 strings:
 $b64decode = "base64_decode"
@@ -24,6 +26,7 @@ rule py_base64_decode: medium php {
 rule js_base64_decode: medium js {
 meta:
 description = "decode base64 strings"
+ filetypes = "js,ts"
 strings:
 $atob = "atob("
@@ -35,6 +38,7 @@ rule js_base64_decode: medium js {
 rule js_double_base64_decode: critical js {
 meta:
 description = "double-decodes base64 strings"
+ filetypes = "js,ts"
 strings:
 $atob = "atob(atob("
@@ -46,6 +50,7 @@ rule js_double_base64_decode: critical js {
 rule ruby_base64_decode: medium ruby {
 meta:
 description = "decode base64 strings"
+ filetypes = "rb"
 strings:
 $b64decode = /[\._]decode64/
@@ -58,6 +63,7 @@ rule urlsafe_decode64: medium ruby {
 meta:
 description = "decode base64 strings"
 ref = "https://ruby-doc.org/3.3.0/stdlibs/base64/Base64.html"
+ filetypes = "rb"
 strings:
 $urlsafe_decode64_ruby = "urlsafe_decode64"
@@ -70,6 +76,7 @@ rule powershell_decode: medium {
 meta:
 description = "decode base64 strings"
 ref = "https://learn.microsoft.com/en-us/dotnet/api/system.convert.frombase64string?view=net-8.0"
+ filetypes = "ps1"
 strings:
 $ref = /System\.Convert[\]: ]+FromBase64String/ ascii
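Review bot: `py_base64_decode: medium php` receives `filetypes = "py"` although its only visible string, `$b64decode = "base64_decode"`, is the PHP function and the rule is tagged `php`; if the scanner applies this meta as a file-kind filter, the rule would only be evaluated against Python inputs and stop matching the PHP it was written for. The encode counterpart `py_base64_encode: medium php` in `rules/data/base64/base64-encode.yara` gets `filetypes = "php"` in the same change, so this looks like a copy-paste slip and should read `filetypes = "php"`. The rule's condition is outside the hunk.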
diff --git a/rules/data/base64/base64-encode.yara b/rules/data/base64/base64-encode.yara
index e53690c92..3d4f54b0c 100644
--- a/rules/data/base64/base64-encode.yara
+++ b/rules/data/base64/base64-encode.yara
@@ -2,6 +2,7 @@ rule base64_encode: medium python {
 meta:
 description = "encode base64 strings"
 ref = "https://docs.python.org/3/library/base64.html"
+ filetypes = "py"
 strings:
 $b64encode = "b64encode"
@@ -13,6 +14,7 @@ rule base64_encode: medium python {
 rule py_base64_encode: medium php {
 meta:
 description = "encode base64 strings"
+ filetypes = "php"
 strings:
 $b64encode = "base64_encode"
@@ -24,6 +26,7 @@ rule py_base64_encode: medium php {
 rule ruby_base64_encode: medium ruby {
 meta:
 description = "encode base64 strings"
+ filetypes = "rb"
 strings:
 $b64encode = /[\._]encode64/
@@ -36,6 +39,7 @@ rule urlsafe_encode64: medium ruby {
 meta:
 description = "encode base64 strings"
 ref = "https://ruby-doc.org/3.3.0/stdlibs/base64/Base64.html"
+ filetypes = "rb"
 strings:
 $urlsafe_encode64_ruby = "urlsafe_encode64"
@@ -48,6 +52,7 @@ rule powershell_encode: medium {
 meta:
 description = "encode base64 strings"
 ref = "https://learn.microsoft.com/en-us/dotnet/api/system.convert.frombase64string?view=net-8.0"
+ filetypes = "ps1"
 strings:
 $ref = /System\.Convert[\]: ]+ToBase64String/ ascii
@@ -59,6 +64,7 @@ rule powershell_encode: medium {
 rule java_base64_encode: medium {
 meta:
 description = "encode base64 strings"
+ filetypes = "jar,java"
 strings:
 $ref = "Base64$Encoder"
diff --git a/rules/data/builtin/kernel_module.yara b/rules/data/builtin/kernel_module.yara
index 6cc4b3420..7616e025b 100644
--- a/rules/data/builtin/kernel_module.yara
+++ b/rules/data/builtin/kernel_module.yara
@@ -2,7 +2,7 @@ rule kmod: medium linux {
 meta:
 description = "Linux kernel module source code"
- filetypes = "c,h"
+ filetypes = "c,h,hh"
 strings:
 $ref = ""
diff --git a/rules/data/builtin/multiple.yara b/rules/data/builtin/multiple.yara
index e76018435..e4567dad1 100644
--- a/rules/data/builtin/multiple.yara
+++ b/rules/data/builtin/multiple.yara
@@ -30,6 +30,7 @@ private rule _bundled_glibc: medium {
 rule elf_with_bundled_glibc_and_openssl: high {
 meta:
 description = "includes bundled copy of glibc and OpenSSL"
+ filetypes = "elf"
 condition:
 _bundled_openssl and _bundled_glibc
diff --git a/rules/discover/processes/list.yara b/rules/discover/processes/list.yara
index 13f5e880a..b2c6af543 100644
--- a/rules/discover/processes/list.yara
+++ b/rules/discover/processes/list.yara
@@ -71,6 +71,7 @@ rule proclist: medium {
 rule java_lang_processes_opaque: medium {
 meta:
 description = "accesses process list"
+ filetypes = "jar,java"
 strings:
 $processes = "processes" fullword
diff --git a/rules/discover/system/environment.yara b/rules/discover/system/environment.yara
index 30d8ffe6a..fddfe40f4 100644
--- a/rules/discover/system/environment.yara
+++ b/rules/discover/system/environment.yara
@@ -1,6 +1,7 @@
 rule os_environ: medium {
 meta:
 description = "Dump values from the environment"
+ filetypes = "py"
 strings:
 $ref = "os.environ.items()" fullword
diff --git a/rules/discover/system/multiple.yara b/rules/discover/system/multiple.yara
index 7ddc1123c..03b40216f 100644
--- a/rules/discover/system/multiple.yara
+++ b/rules/discover/system/multiple.yara
@@ -41,6 +41,7 @@ rule hostinfo_collector_api: high macos {
 rule hostinfo_collector_npm: critical {
 meta:
 description = "collects an unusual amount of host information"
+ filetypes = "js,ts"
 strings:
 $f_userInfo = "os.userInfo()"
diff --git a/rules/discover/system/platform.yara b/rules/discover/system/platform.yara
index d5ec29aaf..dac8a3614 100644
--- a/rules/discover/system/platform.yara
+++ b/rules/discover/system/platform.yara
@@ -74,6 +74,7 @@ rule python_platform: medium {
 meta:
 description = "system platform identification"
 ref = "https://docs.python.org/3/library/platform.html"
+ filetypes = "py"
 strings:
 $ref = "platform.dist()"
@@ -101,6 +102,7 @@ rule npm_uname: medium {
 meta:
 description = "get system identification"
 ref = "https://nodejs.org/api/process.html"
+ filetypes = "js,ts"
 strings:
 $ = "process.platform"
@@ -118,6 +120,7 @@ rule npm_uname: medium {
 rule ruby_uname: medium ruby {
 meta:
 description = "get system identification"
+ filetypes = "rb"
 strings:
 $ = "CONFIG['host_os']"
diff --git a/rules/discover/user/HOME.yara b/rules/discover/user/HOME.yara
index aa2f1c4fb..80c848f83 100644
--- a/rules/discover/user/HOME.yara
+++ b/rules/discover/user/HOME.yara
@@ -16,6 +16,7 @@ rule node_HOME {
 meta:
 description = "Looks up the HOME directory for the current user"
 ref = "https://man.openbsd.org/login.1#ENVIRONMENT"
+ filetypes = "js,ts"
 strings:
 $ref = "env.HOME" fullword
@@ -27,6 +28,7 @@ rule node_HOME {
 rule py_HOME {
 meta:
 description = "Looks up the HOME directory for the current user"
+ filetypes = "py"
 strings:
 $ref = "os.path.expanduser(\"~\")" fullword
@@ -34,4 +36,3 @@ rule py_HOME {
 condition:
 all of them
 }
-
diff --git a/rules/discover/user/userinfo.yara b/rules/discover/user/userinfo.yara
index 85e8e7a83..70c81dd37 100644
--- a/rules/discover/user/userinfo.yara
+++ b/rules/discover/user/userinfo.yara
@@ -2,6 +2,7 @@ rule userinfo: medium {
 meta:
 syscall = "getuid"
 description = "returns user info for the current process"
+ filetypes = "js,ts"
 strings:
 $ref = "os.userInfo()"
diff --git a/rules/discover/user/username-get.yara b/rules/discover/user/username-get.yara
index 22b9052db..8e0dfacc9 100644
--- a/rules/discover/user/username-get.yara
+++ b/rules/discover/user/username-get.yara
@@ -47,6 +47,7 @@ private rule user_pythonSetup {
 rule pysetup_gets_login: high {
 meta:
 description = "Python library installer gets login information"
+ filetypes = "py"
 strings:
 $ref = "os.getlogin" fullword
diff --git a/rules/evasion/indicator_blocking/echo_off.yara b/rules/evasion/indicator_blocking/echo_off.yara
index b53e287b9..e9cbf833c 100644
--- a/rules/evasion/indicator_blocking/echo_off.yara
+++ b/rules/evasion/indicator_blocking/echo_off.yara
@@ -1,6 +1,7 @@
 rule js_echo_off: high {
 meta:
 description = "runs a batch file and hides command output"
+ filetypes = "js,ts"
 strings:
 $ref = "@echo off"
diff --git a/rules/evasion/indicator_blocking/hidden_window.yara b/rules/evasion/indicator_blocking/hidden_window.yara
index a5a1c57ca..3ed227b4d 100644
--- a/rules/evasion/indicator_blocking/hidden_window.yara
+++ b/rules/evasion/indicator_blocking/hidden_window.yara
@@ -1,6 +1,7 @@
 rule subprocess_CREATE_NO_WINDOW: medium {
 meta:
 description = "runs commands, hides windows"
+ filetypes = "py"
 strings:
 $sub = "subprocess"
@@ -30,6 +31,7 @@ private rule hidden_window_pythonSetup {
 rule subprocess_CREATE_NO_WINDOW_setuptools: high {
 meta:
 description = "runs commands, hides windows"
+ filetypes = "py"
 strings:
 $sub = "subprocess"
@@ -42,6 +44,7 @@ rule subprocess_CREATE_NO_WINDOW_setuptools: high {
 rule subprocess_CREATE_NO_WINDOW_high: high {
 meta:
 description = "runs commands, hides windows"
+ filetypes = "py"
 strings:
 $s_sub = "subprocess"
diff --git a/rules/evasion/indicator_blocking/hide_errors.yara b/rules/evasion/indicator_blocking/hide_errors.yara
index bde087325..7f7ba735a 100644
--- a/rules/evasion/indicator_blocking/hide_errors.yara
+++ b/rules/evasion/indicator_blocking/hide_errors.yara
@@ -2,6 +2,7 @@ rule php_suppressed_include: high { meta: description = "Includes a file, suppressing errors" credit = "Inspired by DodgyPHP rule in php-malware-finder" + filetypes = "php" strings: $php = " 1 + filesize < 1MB and #val > 1 } rule js_eval_response: critical { meta: description = "executes code directly from HTTP response" + filetypes = "js,ts" strings: $val = /eval\(\w{0,16}\.responseText\)/ condition: - eval_probably_js and filesize < 1MB and any of ($val*) + filesize < 1MB and any of ($val*) } rule js_eval_near_enough_fromChar: high { meta: description = "Likely executes encrypted content" + filetypes = "js,ts" strings: $exec = /[\s\{]eval\(/ $decrypt = "String.fromCharCode" condition: - eval_probably_js and filesize < 5MB and all of them and math.abs(@exec - @decrypt) > 384 + filesize < 5MB and all of them and math.abs(@exec - @decrypt) > 384 } rule js_eval_obfuscated_fromChar: critical { meta: description = "Likely executes encrypted content" + filetypes = "js,ts" strings: $exec = /[\s\{]eval\(/ $ref = /fromCharCode\(\w{0,16}\s{0,2}[\-\+\*\^]{0,2}\w{0,16}/ condition: - eval_probably_js and filesize < 5MB and all of them and math.abs(@exec - @ref) > 384 + filesize < 5MB and all of them and math.abs(@exec - @ref) > 384 } rule js_anonymous_function: medium { meta: description = "evaluates code using an anonymous function" + filetypes = "js,ts" strings: $func = /\n\s{0,8}\(function\s{0,8}\(\)\s{0,8}\{/ $run = /\n\s{0,8}\}\)\(\);/ condition: - eval_probably_js and filesize < 5MB and all of them and (@run - @func) > 384 + filesize < 5MB and all of them and (@run - @func) > 384 } rule python_exec: medium { meta: description = "evaluate code dynamically using exec()" + filetypes = "py" strings: $f_import = "import" fullword 
@@ -161,70 +104,76 @@ rule python_exec: medium {
 $empty = "exec()"
 condition:
- eval_probably_python and filesize < 1MB and any of ($f*) and $val and not $empty
+ filesize < 1MB and any of ($f*) and $val and not $empty
 }
 rule python_exec_near_enough_chr: high {
 meta:
 description = "Likely executes encoded character content"
+ filetypes = "py"
 strings:
 $exec = "exec("
 $chr = "chr("
 condition:
- eval_probably_python and all of them and math.abs(@chr - @exec) < 768
+ all of them and math.abs(@chr - @exec) < 768
 }
 rule python_exec_near_enough_fernet: high {
 meta:
 description = "Likely executes Fernet encrypted content"
+ filetypes = "py"
 strings:
 $exec = "exec("
 $fernet = "Fernet("
 condition:
- eval_probably_python and all of them and math.abs(@exec - @fernet) < 768
+ all of them and math.abs(@exec - @fernet) < 768
 }
 rule python_exec_near_enough_decrypt: high {
 meta:
 description = "Likely executes encrypted content"
+ filetypes = "py"
 strings:
 $exec = /\bexec\(/
 $decrypt = "decrypt("
 condition:
- eval_probably_python and all of them and math.abs(@exec - @decrypt) < 768
+ all of them and math.abs(@exec - @decrypt) < 768
 }
 rule python_exec_chr: critical {
 meta:
 description = "Executes encoded character content"
+ filetypes = "py"
 strings:
 $exec = /exec\(.{0,16}chr\(.{0,16}\[\d[\d\, ]{0,64}/
 condition:
- eval_probably_python and filesize < 512KB and all of them
+ filesize < 512KB and all of them
 }
 rule python_exec_bytes: critical {
 meta:
 description = "Executes a transformed bytestream"
+ filetypes = "py"
 strings:
 $exec = /exec\([\w\.\(]{0,16}\(b['"].{8,16}/
 condition:
- eval_probably_python and filesize < 512KB and all of them
+ filesize < 512KB and all of them
 }
 rule python_exec_complex: high {
 meta:
 description = "Executes code from a complex expression"
+ filetypes = "py"
 strings:
 $exec = /exec\([\w\. =]{1,32}\(.{0,8192}\)\)/ fullword
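Review bot: Dropping the `eval_probably_python` conjunct from `python_exec` and the six rules that follow replaces an in-file content gate with the `filetypes = "py"` meta, so these rules now depend entirely on whatever file-kind detection the scanner performs before consulting that meta; content scanned without a kind, or a Python payload carrying a misleading extension, is no longer gated by anything inside the rule (or, depending on how the meta is enforced, is no longer scanned by these rules at all). The same substitution appears in the preceding hunk for the `js_eval_*` rules and in the next hunk for `python_exec_complex` and `python_exec_fernet`. If the private rule was retired on purpose, a short comment at the top of the file stating that kind selection now happens scanner-side, rather than through an in-file heuristic, would make that dependency visible to whoever next touches the `filetypes` handling; the removed private rule's definition is outside this hunk.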
@@ -233,23 +182,25 @@ rule python_exec_complex: high {
 $not_versioneer = "exec(VERSIONEER.decode(), globals())"
 condition:
- eval_probably_python and filesize < 512KB and $exec and none of ($not*)
+ filesize < 512KB and $exec and none of ($not*)
 }
 rule python_exec_fernet: critical {
 meta:
 description = "Executes Fernet encrypted content"
+ filetypes = "py"
 strings:
 $exec = /exec\(.{0,16}Fernet\(.{0,64}/
 condition:
- eval_probably_python and filesize < 512KB and all of them
+ filesize < 512KB and all of them
 }
 rule shell_eval: medium {
 meta:
 description = "evaluate shell code dynamically using eval"
+ filetypes = "bash,sh,zsh"
 strings:
 $val = /eval \$\w{0,64}/ fullword
@@ -262,6 +213,7 @@ rule shell_eval: medium {
 rule php_create_function_no_args: high {
 meta:
 description = "dynamically creates PHP functions without arguments"
+ filetypes = "php"
 strings:
 $val = /create_function\([\'\"]{2},\$/
@@ -273,6 +225,7 @@ rule php_create_function_no_args: high {
 rule php_at_eval: critical {
 meta:
 description = "evaluates code in a way that suppresses errors"
+ filetypes = "php"
 strings:
 $at_eval = /@\beval\s{0,32}\(\s{0,32}(\$\w{0,32}|\.\s{0,32}"[^"]{0,32}"|\.\s{0,32}'[^']{0,32}'|\w+\(\s{0,32}\))/
diff --git a/rules/exec/shell/command.yara b/rules/exec/shell/command.yara
index e5f337286..ce263e67b 100644
--- a/rules/exec/shell/command.yara
+++ b/rules/exec/shell/command.yara
@@ -29,6 +29,8 @@ rule generic_shell_exec: medium {
 meta:
 description = "execute a shell command"
+ filetypes = "php"
+
 strings:
 $exec = "shell_exec"
diff --git a/rules/exfil/curl_elf.yara b/rules/exfil/curl_elf.yara
index 2c7259236..8bbfc7986 100644
--- a/rules/exfil/curl_elf.yara
+++ b/rules/exfil/curl_elf.yara
@@ -6,7 +6,7 @@ rule exfil_libcurl_elf: high linux {
 description = "obfuscated binary may exfiltrate data"
 sha256 = "caa69b10b0bfca561dec90cbd1132b6dcb2c8a44d76a272a0b70b5c64776ff6c"
 ref = "https://www.uptycs.com/blog/threat-research-report-team/new-poc-exploit-backdoor-malware"
- filetypes = "elf"
+ filetypes = "application/x-elf"
 strings:
 $f_curl_easy = "curl_easy_init" fullword
diff --git a/rules/exfil/discord.yara b/rules/exfil/discord.yara
index 15ec6b44e..6c15d1f9d 100644
--- a/rules/exfil/discord.yara
+++ b/rules/exfil/discord.yara
@@ -1,15 +1,29 @@
 rule discord_bot: high {
 meta:
 description = "Uses the Discord webhooks API"
- ref = "https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_high.yar#L706"
 strings:
- $ = /discordapp.com\/api\/webhooks[\/\d]{0,32}/
- $ = /discord.com\/api\/webhooks[\/\d]{0,32}/
- $ = "import discord"
+ $webhook_endpoint = /discordapp.com\/api\/webhooks[\/\d]{0,32}/
+ $webhook_endpoint2 = /discord.com\/api\/webhooks[\/\d]{0,32}/
+ $l_discordjs = "discord.js"
+ $l_discord4j = "discord4j"
+ $l_discordgo = "discordgo"
+ $l_discord = "import discord"
+ $l_disnake = "import disnake"
+ $l_hikari = "import hikari"
+ $l_interactions = "import interactions"
+ $l_nextcord = "import nextcord"
+ $l_jda = "net.dv8tion:JDA"
+ $l_discordia = "discordia"
+ $l_eris = /require\(("|')eris("|')\);/
+ $l_oceanic = /require\(("|')oceanic.js("|')\);/
+ $l_discordphp = "use Discord\\Discord;"
+
+ $not_pypi_index = /\"index_date\":\"\d{4}-\d{2}\d{2}\"/
+ $not_pypi_index2 = "\"package_names\""
 condition:
- any of them
+ any of them and none of ($not*)
 }
 private rule iplookup_website_value_copy: high {
diff --git a/rules/exfil/nodejs.yara b/rules/exfil/nodejs.yara
index 6b55b0c10..7c3d23044 100644
--- a/rules/exfil/nodejs.yara
+++ b/rules/exfil/nodejs.yara
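Review bot: `exfil_libcurl_elf` changes its `filetypes` from `elf` to `application/x-elf`, while every other hunk in this change uses the short token form (`filetypes = "elf"` in `rules/data/builtin/multiple.yara`, `filetypes = "elf,go,macho"` in the crypto rules). Unless the filetypes matcher accepts MIME types alongside extension tokens, this rule will no longer be selected for ELF inputs; it should stay `filetypes = "elf"`, or the accepted token forms should be documented in one place so the two spellings do not drift.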
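Review bot: `$not_pypi_index` is written as `/\"index_date\":\"\d{4}-\d{2}\d{2}\"/`, which expects a `YYYY-MMDD` date; if the index file this exclusion targets formats dates as `YYYY-MM-DD`, the pattern never matches and only `$not_pypi_index2` carries the suppression. Please check against the sample the exclusion was added for and, if so, use `\d{4}-\d{2}-\d{2}`. Separately, the new bare library names (`$l_discordjs`, `$l_discordgo`, `$l_discordia`) have no `fullword` qualifier and no `import`/`require` context like `$l_eris` has, so `discord_bot: high` will now fire on any file that merely mentions those package names, such as a lockfile or README in a project that legitimately depends on them; anchoring them the way `$l_eris` and `$l_oceanic` are anchored would keep the signal tied to actual use.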
@@ -3,6 +3,7 @@ import "math"
 rule nodejs_sysinfoexfil: high {
 meta:
 description = "may gather and exfiltrate system information"
+ filetypes = "js,ts"
 strings:
 $proc1 = "process.platform"
@@ -20,6 +21,7 @@ rule nodejs_sysinfoexfil: high {
 rule nodejs_phone_home: high {
 meta:
 description = "accesses system information and reports back"
+ filetypes = "js,ts"
 strings:
 $f_homedir = "os.homedir"
@@ -45,6 +47,7 @@ rule nodejs_phone_home: high {
 rule nodejs_phone_home_obscure: critical {
 meta:
 description = "accesses system information and uploads it"
+ filetypes = "js,ts"
 strings:
 $f_homedir = "homedir"
@@ -73,6 +76,7 @@ rule nodejs_phone_home_obscure: critical {
 rule nodejs_phone_home_interact_sh: critical {
 meta:
 description = "accesses system information and uploads it to a known site"
+ filetypes = "js,ts"
 strings:
 $ref = /[\w]{8,32}\.interactsh\.com/
@@ -88,6 +92,7 @@ rule nodejs_phone_home_interact_sh: critical {
 rule nodejs_phone_home_hardcoded_host: critical {
 meta:
 description = "accesses system information and uploads it to hardcoded host"
+ filetypes = "js,ts"
 strings:
 $ref = /hostname: "[\w\.\-]{5,63}",/
@@ -99,6 +104,7 @@ rule nodejs_phone_home_hardcoded_host: critical {
 rule post_hardcoded_hardcoded_host: medium {
 meta:
 description = "posts content to a hardcoded host"
+ filetypes = "js,ts"
 strings:
 $ref = /hostname: "[\w\.\-]{5,63}",/
@@ -112,6 +118,7 @@ rule post_hardcoded_hardcoded_host: medium {
 rule post_hardcoded_hardcoded_host_os: high {
 meta:
 description = "posts content to a hardcoded host"
+ filetypes = "js,ts"
 strings:
 $ref = /hostname: "[\w\.\-]{5,63}",/
@@ -151,6 +158,7 @@ private rule nodejs_iplookup_website: high {
 rule get_hardcoded_hardcoded_host_os: critical {
 meta:
 description = "leaks host information to a hardcoded host"
+ filetypes = "js,ts"
 strings:
 $ref = /get\([\"']https{0,1}:\/\/[\w\.\-]{5,63}.{0,64}\?.{0,16}=[\'"]\s{0,2}\+/
diff --git a/rules/exfil/php.yara b/rules/exfil/php.yara
index a651a618d..eab2ed357 100644
--- a/rules/exfil/php.yara
+++ b/rules/exfil/php.yara
@@ -1,6 +1,7 @@
 rule python_sysinfo_http: high {
 meta:
 description = "exfiltrate system information"
+ filetypes = "php"
 strings:
 $r_user = "getpass.getuser"
diff --git a/rules/exfil/stealer/keylogger.yara b/rules/exfil/stealer/keylogger.yara
index 467e8f5f6..dabf42d4c 100644
--- a/rules/exfil/stealer/keylogger.yara
+++ b/rules/exfil/stealer/keylogger.yara
@@ -56,7 +56,7 @@ rule py_keykeyboard_exfil: high {
 rule java_keylogger {
 meta:
 description = "listens for keyboard events"
- filetypes = "java,jar"
+ filetypes = "jar,java"
 strings:
 $jnativehook = "jnativehook"
diff --git a/rules/exfil/stealer/python.yara b/rules/exfil/stealer/python.yara
index 631cbb9bc..ade1d44d8 100644
--- a/rules/exfil/stealer/python.yara
+++ b/rules/exfil/stealer/python.yara
@@ -1,7 +1,7 @@
 rule py_exe_stealer: critical windows {
 meta:
 description = "Compiled Python Windows Stealer"
- filetypes = "py"
+ filetypes = "exe,pe,py,pyc"
 strings:
 $installer = "PyInstaller"
diff --git a/rules/exfil/zip.yara b/rules/exfil/zip.yara
index 2d4bd5412..a9a239892 100644
--- a/rules/exfil/zip.yara
+++ b/rules/exfil/zip.yara
@@ -2,6 +2,7 @@ rule zip_a_folder: medium {
 meta:
 description = "may zip up a local directory for exiltration"
 ref = "https://www.npmjs.com/package/zip-a-folder"
+ filetypes = "js,ts"
 strings:
 $zip_a_fold = /zip-a-fold[a-z]{0,2}/
@@ -10,4 +11,3 @@ rule zip_a_folder: medium {
 condition:
 any of them
 }
-
diff --git a/rules/fs/attributes/chattr.yara b/rules/fs/attributes/chattr.yara
index 369eddb9d..65b963394 100644
--- a/rules/fs/attributes/chattr.yara
+++ b/rules/fs/attributes/chattr.yara
@@ -1,6 +1,6 @@
 rule chattr_caller: medium {
 meta:
- filetypes = "!service"
+ filetypes = "service"
 strings:
 $chattr = /chattr [-\+][\w\- ]{0,32} [\w\.\/]{0,64}/
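Review bot: `python_sysinfo_http` in `rules/exfil/php.yara` gets `filetypes = "php"`, but the visible string `$r_user = "getpass.getuser"` is a Python API and the rule name says python; if this meta selects which inputs the rule runs against, the rule will only be evaluated on PHP and never match the Python scripts its strings describe. Either the meta should be `filetypes = "py"`, or the rule is misplaced and belongs with the Python exfil rules; the rest of the rule is outside the hunk.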
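Review bot: `chattr_caller` (and `chattr_immutable_caller_high` in the following hunk) flips `filetypes = "!service"` to `filetypes = "service"`; the old value reads as an exclusion of systemd unit files, whereas the new one reads as a restriction to exactly those files, so unless the matcher treats both spellings identically this inverts the rule's scope and `chattr` invocations in shell scripts or binaries would stop being reported. If `!`-negation is no longer supported, the equivalent is to list the kinds the rule should run on, or to drop the meta so the rule keeps scanning every input; a comment noting which of the two was intended would keep this from being "fixed" back later. Both rules' conditions are outside the hunks.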
@@ -13,7 +13,7 @@ rule chattr_immutable_caller_high: high {
 meta:
 description = "modifies immutability of a file"
- filetypes = "!service"
+ filetypes = "service"
 strings:
 $chattr = /chattr [-\+]i [\-\w\.\/]{0,64}/
diff --git a/rules/fs/directory/directory-list.yara b/rules/fs/directory/directory-list.yara
index 9a97a61cb..b3d8e1ad1 100644
--- a/rules/fs/directory/directory-list.yara
+++ b/rules/fs/directory/directory-list.yara
@@ -41,11 +41,11 @@ rule bin_ls {
 any of them
 }
-rule NodeReadDir {
+rule node_readdir {
 meta:
 description = "Uses NodeJS functions to list a directory"
 pledge = "rpath"
- filetypes = "javascript"
+ filetypes = "js,ts"
 strings:
 $ref = ".readdirSync("
@@ -54,11 +54,11 @@ rule NodeReadDir {
 any of them
 }
-rule PythonListDir {
+rule python_listdir {
 meta:
 description = "lists contents of a directory"
 pledge = "rpath"
- filetypes = "python"
+ filetypes = "py"
 strings:
 $ref = ".listdir("
@@ -71,7 +71,7 @@ rule java_listdir {
 meta:
 description = "lists contents of a directory"
 pledge = "rpath"
- filetypes = "class,java"
+ filetypes = "jar,java"
 strings:
 $listFiles = "listFiles"
diff --git a/rules/fs/file/exists.yara b/rules/fs/file/exists.yara
index 4a220cd72..beafedf71 100644
--- a/rules/fs/file/exists.yara
+++ b/rules/fs/file/exists.yara
@@ -12,6 +12,7 @@ rule path_exists: low {
 rule java_exists: low {
 meta:
 description = "check if a file exists"
+ filetypes = "java"
 strings:
 $ref = "java/io/File" fullword
diff --git a/rules/fs/file/file-make_executable.yara b/rules/fs/file/file-make_executable.yara
index 940276f8e..82f90bda0 100644
--- a/rules/fs/file/file-make_executable.yara
+++ b/rules/fs/file/file-make_executable.yara
@@ -14,7 +14,7 @@ rule chmod_executable_shell: medium {
 rule chmod_executable_binary: high {
 meta:
 description = "executable makes another file executable"
- filetypes = "macho,elf"
+ filetypes = "elf,macho"
 strings:
 $val = /chmod [\-\w ]{0,4}\+[rw]{0,2}x[ \$\@\w\/\.]{0,64}/
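Review bot: `java_exists` receives `filetypes = "java"` although its string `$ref = "java/io/File" fullword` is the internal class-path form that occurs in compiled class files and jars rather than in `.java` source, which would write `java.io.File`; the sibling rules in this change use `filetypes = "jar,java"` (`java_listdir` in the same line, `java_base64_encode`, `java_lang_processes_opaque`). If the meta gates which inputs the rule sees, `filetypes = "jar,java"` keeps the archive case covered.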
diff --git a/rules/fs/file/file-read.yara b/rules/fs/file/file-read.yara
index b028513e5..a97a92e3f 100644
--- a/rules/fs/file/file-read.yara
+++ b/rules/fs/file/file-read.yara
@@ -37,6 +37,7 @@ rule python_read {
 rule ruby_read {
 meta:
 description = "reads files"
+ filetypes = "rb"
 strings:
 $ref = /File\.read\([\w\.'"]{1,64}\)/
@@ -48,6 +49,7 @@ rule ruby_read {
 rule python_file_read {
 meta:
 description = "opens a file for read"
+ filetypes = "py"
 strings:
 $val = /open\([\"\w\.]{1,32}\, {0,2}["']r["']\)/
@@ -59,6 +61,7 @@ rule python_file_read {
 rule python_file_read_binary: medium {
 meta:
 description = "opens a binary file for read"
+ filetypes = "py"
 strings:
 $val = /open\([\"\w\.]{1,32}\, {0,2}["']rb["']\)/
diff --git a/rules/fs/file/file-rename.yara b/rules/fs/file/file-rename.yara
index fe1db696e..60c169142 100644
--- a/rules/fs/file/file-rename.yara
+++ b/rules/fs/file/file-rename.yara
@@ -14,7 +14,7 @@ rule rename: harmless posix {
 rule explicit_rename: low {
 meta:
 description = "renames files"
- filetypes = "py,rb"
+ filetypes = "elf,go,js,macho,m,py,rb,ts"
 strings:
 $rename = "os.rename" fullword
@@ -22,6 +22,7 @@ rule explicit_rename: low {
 $move_file = "MoveFile"
 $ruby = "File.rename"
 $objc = "renameFile" fullword
+ $go = "os.Rename" fullword
 condition:
 any of them
@@ -30,6 +31,7 @@ rule explicit_rename: low {
 rule ren: medium windows {
 meta:
 description = "renames files"
+ filetypes = "exe,pe,ps1"
 strings:
 $rename = "rename"
diff --git a/rules/fs/file/file-stat.yara b/rules/fs/file/file-stat.yara
index abc5bdd8f..c0b422280 100644
--- a/rules/fs/file/file-stat.yara
+++ b/rules/fs/file/file-stat.yara
@@ -45,7 +45,8 @@ rule go_stat: harmless {
 syscall = "stat"
 strings:
- $filestat = "os.(*fileStat)"
+ $filestat = "os.(*fileStat)"
+ $filestat2 = "os.Stat("
 condition:
 any of them
@@ -56,6 +57,7 @@ rule py_timestamps {
 description = "Access filesystem timestamps"
 pledge = "rpath"
 syscall = "stat"
+ filetypes = "py"
 strings:
 $atime = "os.path.getatime"
@@ -71,6 +73,7 @@ rule npm_stat {
 description = "access filesystem metadata"
 pledge = "rpath"
 syscall = "stat"
+ filetypes = "js,ts"
 strings:
 $filestat = /fs\.stat[\w\(\'\.\)]{0,32}/
diff --git a/rules/fs/file/file-write.yara b/rules/fs/file/file-write.yara
index f8d93c6c7..f4af22240 100644
--- a/rules/fs/file/file-write.yara
+++ b/rules/fs/file/file-write.yara
@@ -14,6 +14,7 @@ rule file_write {
 rule python_file_write {
 meta:
 description = "writes to a file"
+ filetypes = "py"
 strings:
 $val = /open\([\"\'\w\.]{1,32}\, {0,2}["'][wa]["']\)/
@@ -26,6 +27,7 @@ rule python_file_write {
 rule ruby_file_write: medium {
 meta:
 description = "writes to a file"
+ filetypes = "rb"
 strings:
 $val = /File\.open\(.{1,64} {0,2}["']w[ab\+]{0,2}["']\)/
@@ -38,6 +40,7 @@ rule powershell_fs_write {
 meta:
 description = "writes content to disk"
 syscall = "pwrite"
+ filetypes = "ps1"
 strings:
 $write_val = "System.IO.File]::WriteAllBytes"
diff --git a/rules/fs/path/applications.yara b/rules/fs/path/applications.yara
index 65a2d728b..e9ef9ebb4 100644
--- a/rules/fs/path/applications.yara
+++ b/rules/fs/path/applications.yara
@@ -22,6 +22,7 @@ private rule applicatons_macho {
 rule macho_app_path: high {
 meta:
 description = "references hardcoded application path"
+ filetypes = "macho"
 strings:
 $ref = /\/Applications\/.{0,32}\.app\/Contents\/MacOS\/[\w \.\-]{0,32}/
@@ -33,6 +34,7 @@ rule macho_app_path: high {
 rule mac_applications: medium {
 meta:
 description = "references /Applications directly"
+ filetypes = "macho"
 strings:
 $ref = "/Applications" fullword
diff --git a/rules/fs/path/boot.yara b/rules/fs/path/boot.yara
index 17ed66213..c84e16ab5 100644
--- a/rules/fs/path/boot.yara
+++ b/rules/fs/path/boot.yara
@@ -12,6 +12,7 @@ rule boot_path: medium {
 rule elf_boot_path: medium {
 meta:
 description = "path reference within /boot"
+ filetypes = "elf"
 strings:
 $ref = /\/boot\/[\%\w\.\-\/]{4,32}/ fullword
diff --git a/rules/fs/path/lib64.yara b/rules/fs/path/lib64.yara
index 258181afb..1b4fb3d79 100644
--- a/rules/fs/path/lib64.yara
+++ b/rules/fs/path/lib64.yara
@@ -1,6 +1,7 @@
 rule elf_lib_dir_refs: harmless {
 meta:
 description = "references /lib64 path"
+ filetypes = "elf"
 strings:
 $ref = /\/lib64\/[\%\w\.\-\/]{4,32}/ fullword
diff --git a/rules/impact/degrade/app.yara b/rules/impact/degrade/app.yara
index 0e2808a22..d6ff59dc9 100644
--- a/rules/impact/degrade/app.yara
+++ b/rules/impact/degrade/app.yara
@@ -1,6 +1,7 @@
 rule osascript_window_closer: medium {
 meta:
 description = "closes the window of a running application"
+ filetypes = "scpt,scptd"
 strings:
 $c_osascript = "osascript" fullword
@@ -18,6 +19,7 @@ rule osascript_window_closer: medium {
 rule osascript_quitter: medium {
 meta:
 description = "quits a running application"
+ filetypes = "scpt,scptd"
 strings:
 $c_osascript = "osascript" fullword
diff --git a/rules/impact/degrade/edr.yara b/rules/impact/degrade/edr.yara
index 7bcc9f4c6..c37d72924 100644
--- a/rules/impact/degrade/edr.yara
+++ b/rules/impact/degrade/edr.yara
@@ -20,7 +20,7 @@ rule win_kill_proc: medium windows {
 rule win_edr_stopper: critical windows {
 meta:
 description = "Stops EDR/Antivirus services"
- filetypes = "exe,dll"
+ filetypes = "bat,exe,pe"
 strings:
 $kind_malwarebytes = "alwarebytes"
@@ -30,7 +30,7 @@ rule win_edr_stopper: critical windows {
 filesize < 1MB and $stop and any of ($kind*)
 }
-rule linux_edr_killlall: critical linux {
+rule linux_edr_killall: critical linux {
 meta:
 description = "Kills EDR/Antivirus services"
@@ -67,7 +67,7 @@ rule linux_edr_unistall: critical linux {
 rule linux_edr_kill: high linux {
 meta:
 description = "Kills EDR/Antivirus services"
- filetypes = "exe,dll"
+ filetypes = "bat,exe,pe"
 strings:
 $kill = "kill"
diff --git a/rules/impact/degrade/panic.yara b/rules/impact/degrade/panic.yara
index 75f13d6c5..3bb0ba57d 100644
--- a/rules/impact/degrade/panic.yara
+++ b/rules/impact/degrade/panic.yara
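Review bot: `linux_edr_kill: high linux` now carries `filetypes = "bat,exe,pe"`, all Windows kinds, which contradicts the rule's `linux` tag and its `$kill = "kill"` string; if this meta selects which inputs the rule runs against, the rule will never be evaluated on ELF binaries or shell scripts. The previous `exe,dll` was already off for a Linux rule, so this looks like the `win_edr_stopper` line copied down; `filetypes = "bash,elf,sh,zsh"` or removing the meta would match the rule's intent. The rule's remaining strings and condition are outside the hunk.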
@@ -1,7 +1,7 @@
 rule raise_hard_error: medium windows {
 meta:
 description = "crashes (bluescreens) the machine"
- filetypes = "py,exe"
+ filetypes = "exe,pe,py"
 strings:
 $crash = "NtRaiseHardError" fullword
diff --git a/rules/impact/ransom/fernet_listdir.yara b/rules/impact/ransom/fernet_listdir.yara
index 1af070c83..e378341db 100644
--- a/rules/impact/ransom/fernet_listdir.yara
+++ b/rules/impact/ransom/fernet_listdir.yara
@@ -2,6 +2,7 @@ rule fernet_walker: high {
 meta:
 description = "walks filesystem, encrypts content using Fernet"
 ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection"
+ filetypes = "py"
 strings:
 $walk = /\w{0,2}\.walk[\(\w\)]{1,16}/
@@ -16,6 +17,7 @@ rule fernet_locker: critical {
 meta:
 description = "walks filesystem, encrypts and deletes content using Fernet"
 ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection"
+ filetypes = "py"
 strings:
 $walk = /\w{0,2}\.walk[\(\w\)]{1,16}/
diff --git a/rules/impact/ransom/linux.yara b/rules/impact/ransom/linux.yara
index f8e9caf34..9bfe17494 100644
--- a/rules/impact/ransom/linux.yara
+++ b/rules/impact/ransom/linux.yara
@@ -70,7 +70,7 @@ rule linux_syscalls: high {
 rule conti_alike: high posix {
 meta:
 description = "Reads directories, renames files, encrypts files"
- filetypes = "so,elf,macho"
+ filetypes = "elf,macho,so"
 strings:
 $readdir = "readdir" fullword
@@ -86,4 +86,3 @@ rule conti_alike: high posix {
 condition:
 filesize < 512KB and $readdir and $rename and 2 of ($enc*) and none of ($not*)
 }
-
diff --git a/rules/impact/remote_access/backdoor.yara b/rules/impact/remote_access/backdoor.yara
index 9dd9d4a0b..1a765860c 100644
--- a/rules/impact/remote_access/backdoor.yara
+++ b/rules/impact/remote_access/backdoor.yara
@@ -112,6 +112,7 @@ private rule backdoor_small_macho { rule macho_backdoor_libc_signature: high { meta: description = "executes libc functions common to backdoors" + filetypes = "macho" strings: $word_with_spaces = /[a-z]{2,16} [a-uxyz]{2,16}/ fullword @@ -155,7 +156,7 @@ rule macho_backdoor_libc_signature: high { rule minecraft_load_fetch_class_backdoor: critical { meta: description = "likely minecraft backdoor" - filetypes = "class,java" + filetypes = "jar,java" strings: $minecraft = "minecraft" diff --git a/rules/impact/remote_access/botnet.yara b/rules/impact/remote_access/botnet.yara index cee3ce7fe..0e47f334e 100644 --- a/rules/impact/remote_access/botnet.yara +++ b/rules/impact/remote_access/botnet.yara @@ -28,10 +28,11 @@ rule botnet_high: high { description = "References a 'botnet'" strings: - $bot_deployed = "bot deployed" - $botnet = "Botnet" - $not_phishing = "phishing" - $not_keylogger = "keylogger" + $bot_deployed = "bot deployed" + $botnet = "Botnet" + $not_phishing = "phishing" + $not_keylogger = "keylogger" + $not_wikiticker_contribution = "Undid revision 680586363 by" condition: filesize < 20MB and any of ($bot*) and none of ($not*) diff --git a/rules/impact/remote_access/py_setuptools.yara b/rules/impact/remote_access/py_setuptools.yara index ad325cd2d..4e7213023 100644 --- a/rules/impact/remote_access/py_setuptools.yara +++ b/rules/impact/remote_access/py_setuptools.yara @@ -24,6 +24,7 @@ private rule remote_access_pythonSetup { rule setuptools_oslogin: medium { meta: description = "Python library installer that accesses user information" + filetypes = "py" strings: $oslogin = "os.login()" @@ -35,6 +36,7 @@ rule setuptools_oslogin: medium { rule setuptools_homedir: high { meta: description = "Python library installer that users home directory" + filetypes = "py" strings: $oslogin = "C:\\Users\\.{0,64}os.login()" 
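Review bot: `minecraft_load_fetch_class_backdoor` changes `filetypes = "class,java"` to `"jar,java"`, which drops compiled `.class` files from the rule's scope. If an archive scan surfaces the members of a jar as individual class files, the backdoor would then be reported only at the jar level or not at all; `filetypes = "class,jar,java"` keeps both, unless `class` is no longer a kind programkind emits, in which case a comment saying so would help the next reader.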
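Review bot: The new `$not_wikiticker_contribution = "Undid revision 680586363 by"` exclusion in `botnet_high` is keyed to one specific edit-summary string (it reads like a wiki revert message) with no indication of which sample it was added for, so a later maintainer cannot tell whether it is still needed or safe to remove. A one-line YARA comment above it, e.g. `// suppresses a false positive on a wiki edit-history test sample`, would record the intent. The rest of the hunk only re-aligns the existing `$bot_deployed`, `$botnet` and `$not_*` strings.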
@@ -46,6 +48,7 @@ rule setuptools_homedir: high { rule setuptools_cmd_exec: high { meta: description = "Python library installer that executes external commands" + filetypes = "py" strings: $f_os_system = /os.system\([\"\'\.:\\\{\w\ \-\)\/]{0,64}/ @@ -65,6 +68,7 @@ rule setuptools_cmd_exec: high { rule setuptools_cmd_exec_start: critical { meta: description = "Python library installer that executes the Windows 'start' command" + filetypes = "py" strings: $f_os_system = /os.system\([f\"\']{0,2}start .{0,64}/ @@ -79,6 +83,7 @@ rule setuptools_cmd_exec_start: critical { rule setuptools_eval: medium { meta: description = "Python library installer that evaluates arbitrary code" + filetypes = "py" strings: $f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword @@ -90,6 +95,7 @@ rule setuptools_eval: medium { rule setuptools_eval_high: high { meta: description = "Python library installer that evaluates arbitrary code" + filetypes = "py" strings: $f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword @@ -102,6 +108,7 @@ rule setuptools_eval_high: high { rule setuptools_exec: medium { meta: description = "Python library installer that executes arbitrary code" + filetypes = "py" strings: $f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword @@ -115,6 +122,7 @@ rule setuptools_exec: medium { rule setuptools_exec_high: high { meta: description = "Python library installer that evaluates arbitrary code" + filetypes = "py" strings: $f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword @@ -136,6 +144,7 @@ rule setuptools_exec_high: high { rule setuptools_b64decode: suspicious { meta: description = "Python library installer that does base64 decoding" + filetypes = "py" strings: $base64 = "b64decode" @@ -147,6 +156,7 @@ rule setuptools_b64decode: suspicious { rule setuptools_preinstall: suspicious { meta: description = "Python library installer that imports a pre_install script" + filetypes = "py" strings: $preinstall = "import preinstall" 
@@ -161,6 +171,7 @@ rule setuptools_preinstall: suspicious { rule setuptools_b64encode: suspicious { meta: description = "Python library installer that does base64 encoding" + filetypes = "py" strings: $base64 = "b64encode" @@ -172,6 +183,7 @@ rule setuptools_b64encode: suspicious { rule setuptools_exec_powershell: critical windows { meta: description = "Python library installer that runs powershell" + filetypes = "py" strings: $powershell = "powershell" fullword @@ -185,6 +197,7 @@ rule setuptools_exec_powershell: critical windows { rule setuptools_os_path_exists: medium { meta: description = "Python library installer that checks for file existence" + filetypes = "py" strings: $ref = /[\w\.]{0,8}path.exists\([\"\'\w\ \-\)\/]{0,32}/ @@ -199,6 +212,7 @@ rule setuptools_os_path_exists: medium { rule setuptools_excessive_bitwise_math: critical { meta: description = "Python library installer that makes heavy use of bitwise math" + filetypes = "py" strings: $x = /\-{0,1}\d{1,8} \<\< \-{0,1}\d{1,8}/ diff --git a/rules/impact/remote_access/remote_eval.yara b/rules/impact/remote_access/remote_eval.yara index 14e08ac32..9ea692eac 100644 --- a/rules/impact/remote_access/remote_eval.yara +++ b/rules/impact/remote_access/remote_eval.yara @@ -3,6 +3,7 @@ import "math" rule remote_eval: critical { meta: description = "Evaluates remotely sourced code" + filetypes = "py,rb" strings: $http = "http" @@ -25,8 +26,7 @@ rule remote_eval: critical { rule remote_eval_close: high { meta: description = "Evaluates remotely sourced code" - - filetypes = "php" + filetypes = "php" strings: $php = "&1" fullword + $not_elastic = "\"license\": \"Elastic License v2\"" $not_ref_1 = "reverse shellConf" $not_ref_2 = "reverse shellshare" $not_pypi_index = "testpack-id-lb001" @@ -27,6 +28,7 @@ rule possible_reverse_shell: medium { $sh_bash = "/bin/bash" $sh = "/bin/sh" + $not_elastic = "\"license\": \"Elastic License v2\"" $not_uc2 = "ucs2reverse" $not_pypi_index = "testpack-id-lb001" 
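Review bot: The `$not_elastic = "\"license\": \"Elastic License v2\""` exclusion added to `possible_reverse_shell` (and to the preceding hunk of the same file) suppresses the whole rule for any file that carries that license line, not just for the Elastic package that evidently produced the false positive, so the exclusion is far broader than the problem it fixes. Pairing it with a second string specific to that package, or handling the sample at the fixture level, would keep reverse-shell detection intact for everything else; at minimum a comment naming the package would document why a license marker is treated as exonerating. The rule's condition is outside the visible hunk, so that these strings are consumed by a `none of ($not*)` clause is inferred from the naming convention.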
diff --git a/rules/impact/resource/forkbomb.yara b/rules/impact/resource/forkbomb.yara index b3472df7e..717f406a1 100644 --- a/rules/impact/resource/forkbomb.yara +++ b/rules/impact/resource/forkbomb.yara @@ -1,6 +1,7 @@ rule elf_pthread_forkbomb: high { meta: description = "may implement a pthread-based forkbomb" + filetypes = "elf" strings: $f_wait = "wait" fullword @@ -19,6 +20,7 @@ rule elf_pthread_forkbomb: high { rule elf_fork_usleep: high { meta: description = "may implement a forkbomb" + filetypes = "elf" strings: $f_wait = "wait" fullword diff --git a/rules/impact/wipe/crypto.yara b/rules/impact/wipe/crypto.yara index 63d303f8c..71d8670db 100644 --- a/rules/impact/wipe/crypto.yara +++ b/rules/impact/wipe/crypto.yara @@ -6,6 +6,7 @@ private rule crypto_elf_or_macho { rule uname_hostname_encrypt_wipe_kill_small: high { meta: description = "May encrypt, wipe files, and kill processes" + filetypes = "elf,macho" strings: $encrypt = "encrypt" fullword @@ -22,6 +23,7 @@ rule uname_hostname_encrypt_wipe_kill_small: high { rule uname_hostname_encrypt_wipe_kill: medium { meta: description = "May encrypt, wipe files, and kill processes" + filetypes = "elf,macho" strings: $encrypt = "encrypt" fullword diff --git a/rules/impact/wipe/desktop.yara b/rules/impact/wipe/desktop.yara index 694a3dbb3..46d5ec091 100644 --- a/rules/impact/wipe/desktop.yara +++ b/rules/impact/wipe/desktop.yara @@ -1,6 +1,7 @@ rule USERPROFILE_delete: high { meta: description = "deletes files in the USERPROFILE directory" + filetypes = "py" strings: $appdata = "USERPROFILE" fullword @@ -14,6 +15,7 @@ rule USERPROFILE_delete: high { rule Desktop_delete: critical { meta: description = "deletes files in the Desktop directory" + filetypes = "py" strings: $appdata = "USERPROFILE" fullword diff --git a/rules/lateral/scan/cve-2024-4577.yara b/rules/lateral/scan/cve-2024-4577.yara index c41594349..8843ec9ec 100644 --- a/rules/lateral/scan/cve-2024-4577.yara +++ b/rules/lateral/scan/cve-2024-4577.yara 
@@ -7,6 +7,7 @@ rule php_cgi_argument_injection: critical { reference = "https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en" repository = "https://github.com/watchtowrlabs/CVE-2024-4577" technical = "https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577" + filetypes = "php" strings: $url_pattern = /\?%ADd\+allow_url_include%3d1\+(%ADd|-)[d+]\+auto_prepend_file%3dphp:\/\/input/ diff --git a/rules/malware/family/beaver_tail.yara b/rules/malware/family/beaver_tail.yara index 737652644..a78ba4e62 100644 --- a/rules/malware/family/beaver_tail.yara +++ b/rules/malware/family/beaver_tail.yara @@ -2,7 +2,7 @@ rule beaver_tail: critical macos { meta: description = "Beaver Tail Infostealer" - filetypes = "macho,elf" + filetypes = "elf,macho" ref = "https://objective-see.org/blog/blog_0x7A.html" strings: @@ -24,4 +24,3 @@ rule beaver_tail: critical macos { condition: filesize < 2MB and 3 of them } - diff --git a/rules/malware/family/beurk.yara b/rules/malware/family/beurk.yara index 2b2de8c51..179f689a2 100644 --- a/rules/malware/family/beurk.yara +++ b/rules/malware/family/beurk.yara @@ -33,4 +33,3 @@ rule beurk_xor: critical linux { condition: filesize < 2MB and $dlsym and any of ($x*) } - diff --git a/rules/malware/family/clapzok.yara b/rules/malware/family/clapzok.yara index 09e5c7551..cda522a93 100644 --- a/rules/malware/family/clapzok.yara +++ b/rules/malware/family/clapzok.yara @@ -7,6 +7,7 @@ rule clapzok_macho: critical { meta: description = "likely infected with Clapzok" ref = "https://www.virusbulletin.com/virusbulletin/2013/06/multiplatform-madness" + filetypes = "macho" strings: $ref = "SfcIsFileProtected" @@ -14,4 +15,3 @@ rule clapzok_macho: critical { condition: filesize < 10MB and is_macho and $ref in (filesize - 2200..filesize - 100) } - diff --git a/rules/malware/family/emp3r0r.yara b/rules/malware/family/emp3r0r.yara index 631a067ec..28ce6c392 100644 --- a/rules/malware/family/emp3r0r.yara 
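Review bot: Setting `filetypes = "php"` on `php_cgi_argument_injection` is likely the wrong scope for this rule: `$url_pattern` is the request string an exploit client sends to a vulnerable PHP-CGI host, and such clients are generally scripts or binaries rather than PHP source (the referenced `watchtowrlabs/CVE-2024-4577` repository should be checked for what language its proof-of-concept uses). If filetypes gates evaluation, the rule would then fire only on PHP files and miss the scanner and exploit tooling it exists to flag; dropping the line, or listing the script and binary kinds used elsewhere in this change (`py`, `rb`, `js`, `elf`, `macho`), fits the rule's purpose better.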
+++ b/rules/malware/family/emp3r0r.yara @@ -2,7 +2,7 @@ rule emp3r0r: critical { meta: description = "emp3r0r post-exploitation agent" ref = "https://github.com/jm33-m0/emp3r0r" - filetypes = "macho,elf" + filetypes = "elf,macho" hash = "11974b1de679d7058d897765e7923ab6058d980c49f52ca333f13e528b3396e5" strings: diff --git a/rules/malware/family/leet_hozer.yara b/rules/malware/family/leet_hozer.yara index b50c5bda4..50ca3267d 100644 --- a/rules/malware/family/leet_hozer.yara +++ b/rules/malware/family/leet_hozer.yara @@ -11,4 +11,3 @@ rule leet_hozer: critical macos { condition: filesize > 1MB and all of them } - diff --git a/rules/mem/anonymous-file.yara b/rules/mem/anonymous-file.yara index 20e7f3b69..6d218e85a 100644 --- a/rules/mem/anonymous-file.yara +++ b/rules/mem/anonymous-file.yara @@ -17,6 +17,7 @@ rule go_memfd_create: high { syscall = "memfd_create" description = "create an anonymous file" capability = "CAP_IPC_LOCK" + filetypes = "elf,go,macho" strings: $go = "MemfdCreate" diff --git a/rules/mem/protect.yara b/rules/mem/protect.yara index bfa835e5c..426ae6b60 100644 --- a/rules/mem/protect.yara +++ b/rules/mem/protect.yara @@ -12,6 +12,7 @@ rule virtualprotect: low windows { rule virtualprotect_py_crazy: high windows { meta: description = "Changes the protection of virtual memory within the calling process" + filetypes = "py" strings: $ref = "ctypes.windll.kernel32.VirtualProtect" fullword diff --git a/rules/net/download/fetch.yara b/rules/net/download/fetch.yara index 31d7dacdf..0ffa22c31 100644 --- a/rules/net/download/fetch.yara +++ b/rules/net/download/fetch.yara @@ -104,7 +104,7 @@ rule fetch_tool: medium { rule binary_calls_fetch_tool: high { meta: description = "binary calls fetch tool" - filetypes = "macho,elf" + filetypes = "elf,macho" strings: $t_curl_O = /[a-z]url [-\w ]{0,8}-[oOk] [ \w\:\/\-\.\"]{0,32}/ diff --git a/rules/net/http/websocket.yara b/rules/net/http/websocket.yara index 98e2ba0b3..170d9a2ee 100644 
--- a/rules/net/http/websocket.yara +++ b/rules/net/http/websocket.yara @@ -16,6 +16,7 @@ rule websocket: medium { rule websocket_send_json: medium { meta: description = "uploads JSON data via web socket" + filetypes = "js,ts" strings: $send = "ws.send(JSON.stringify(" diff --git a/rules/net/resolve/hostname-resolve.yara b/rules/net/resolve/hostname-resolve.yara index 312737f32..f532d77fd 100644 --- a/rules/net/resolve/hostname-resolve.yara +++ b/rules/net/resolve/hostname-resolve.yara @@ -52,6 +52,7 @@ rule net_hostlookup { rule nodejs: medium { meta: description = "resolve network host name to IP address" + filetypes = "js,ts" strings: $resolve = "resolve4" fullword @@ -63,6 +64,7 @@ rule nodejs: medium { rule go_resolve: medium { meta: description = "resolve network host name to IP address" + filetypes = "elf,go,macho" strings: $resolve = "LookupHost" fullword diff --git a/rules/net/socket/multiplexing.yara b/rules/net/socket/multiplexing.yara index 60ca6ed4b..998a6e0ce 100644 --- a/rules/net/socket/multiplexing.yara +++ b/rules/net/socket/multiplexing.yara @@ -1,6 +1,7 @@ rule go_nps_mux: high { meta: description = "Uses github.com/smallbutstrong/nps-mux to multiplex network connections" + filetypes = "elf,go,macho" strings: $ref1 = ").ReturnBucket" diff --git a/rules/net/socket/socket-connect.yara b/rules/net/socket/socket-connect.yara index 4cb2f490a..30aeeed23 100644 --- a/rules/net/socket/socket-connect.yara +++ b/rules/net/socket/socket-connect.yara @@ -30,6 +30,7 @@ rule py_connect: medium { description = "initiate a connection on a socket" syscall = "connect" ref = "https://docs.python.org/3/library/socket.html" + filetypes = "py" strings: $socket = "socket.socket" @@ -44,6 +45,7 @@ rule php_connect: medium { description = "initiate a connection on a socket" syscall = "connect" ref = "https://www.php.net/manual/en/function.fsockopen.php" + filetypes = "php" strings: $ref = "fsockopen" 
diff --git a/rules/net/socket/socket-listen.yara b/rules/net/socket/socket-listen.yara index dcec66488..4a0e75204 100644 --- a/rules/net/socket/socket-listen.yara +++ b/rules/net/socket/socket-listen.yara @@ -19,6 +19,7 @@ rule go_listen: medium { description = "listen on a socket" pledge = "inet" syscall = "accept" + filetypes = "elf,go,macho" strings: $net_listen = "net.Listen" @@ -49,6 +50,7 @@ rule netcat_listener: medium { rule ruby_listener: medium { meta: description = "listens at a TCP socket" + filetypes = "rb" strings: $socket_tcp = "Socket.tcp_server" diff --git a/rules/net/socket/socket-options-set.yara b/rules/net/socket/socket-options-set.yara index ed7824c7b..335a9ed60 100644 --- a/rules/net/socket/socket-options-set.yara +++ b/rules/net/socket/socket-options-set.yara @@ -15,6 +15,7 @@ rule go_setsockopt_int: medium { meta: description = "set socket options by integer" syscall = "setsockopt" + filetypes = "elf,go,macho" strings: $setsockopt = "SetsockoptInt" diff --git a/rules/net/ssl/no_verify.yara b/rules/net/ssl/no_verify.yara index 6eb9e1c6f..9783cd1b9 100644 --- a/rules/net/ssl/no_verify.yara +++ b/rules/net/ssl/no_verify.yara @@ -1,6 +1,7 @@ rule disable_verify: medium { meta: description = "disables SSL verification" + filetypes = "py" strings: $ref1 = /verify_mode.{0,8}ssl\.CERT_NONE/ diff --git a/rules/net/udp/kcp.yara b/rules/net/udp/kcp.yara index 636e8f9b7..4a9aec2cf 100644 --- a/rules/net/udp/kcp.yara +++ b/rules/net/udp/kcp.yara @@ -1,6 +1,7 @@ rule kcp_go: medium { meta: description = "uses kcp-go, a reliable UDP library for Go" + filetypes = "elf,go,macho" strings: $ = "ikcp_waitsnd" diff --git a/rules/persist/kernel_module/module.yara b/rules/persist/kernel_module/module.yara index 464e7b174..717a505bb 100644 --- a/rules/persist/kernel_module/module.yara +++ b/rules/persist/kernel_module/module.yara 
@@ -43,7 +43,7 @@ rule init_module: medium linux { syscall = "init_module" capability = "CAP_SYS_MODULE" - filetypes = "ko,elf,so" + filetypes = "elf,ko,so" strings: $ref = "init_module" fullword @@ -51,4 +51,3 @@ rule init_module: medium linux { condition: filesize < 1MB and all of them } - diff --git a/rules/persist/kernel_module/symbol-lookup.yara b/rules/persist/kernel_module/symbol-lookup.yara index 62e0ecba3..8a053bf00 100644 --- a/rules/persist/kernel_module/symbol-lookup.yara +++ b/rules/persist/kernel_module/symbol-lookup.yara @@ -3,7 +3,7 @@ rule kallsyms_lookup: high linux { description = "access unexported kernel symbols" ref = "https://lwn.net/Articles/813350/" - filetypes = "so,elf" + filetypes = "c,elf,so" strings: $ref = "kallsyms_lookup_name" fullword @@ -29,7 +29,7 @@ rule kallsyms: medium linux { rule bpftrace: override linux { meta: description = "bpftrace" - filetypes = "so,elf" + filetypes = "c,elf,so" kallsyms = "medium" strings: @@ -42,7 +42,7 @@ rule bpftrace: override linux { rule bpf: override linux { meta: description = "libbpf" - filetypes = "so,elf" + filetypes = "c,so,elf" kallsyms_lookup = "medium" proc_d_exe_high = "medium" proc_d_cmdline = "medium" diff --git a/rules/persist/systemd/execstart-elsewhere.yara b/rules/persist/systemd/execstart-elsewhere.yara index 8afad89bd..62329d4cc 100644 --- a/rules/persist/systemd/execstart-elsewhere.yara +++ b/rules/persist/systemd/execstart-elsewhere.yara @@ -2,6 +2,7 @@ rule execstart_danger_path_val: high { meta: ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/" description = "Starts from a dangerous-looking path" + filetypes = "service" strings: $awkward = /ExecStart=\/(boot|var|tmp|dev|root)\/[\.\w\-\/]{0,32}/ 
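Review bot: The `bpf` override rule gets `filetypes = "c,so,elf"` while the two hunks above it in the same file (`kallsyms_lookup`, `bpftrace`) get `"c,elf,so"`, and every other reorder in this change sorts the list alphabetically (`"elf,macho"`, `"elf,ko,so"`, `"exe,pe,py"`). Use `filetypes = "c,elf,so"` here as well so the override and the rules it overrides stay textually identical and a grep for the sorted form finds all three.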
@@ -14,6 +15,7 @@ rule execstart_unexpected_dir_val: medium { meta: description = "Starts from an unusual path" ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/" + filetypes = "service" strings: $execstart = /ExecStart=\/[\w\/]{1,128}/ diff --git a/rules/persist/systemd/execstop-bin-sh.yara b/rules/persist/systemd/execstop-bin-sh.yara index ec1fc9353..3648e88f4 100644 --- a/rules/persist/systemd/execstop-bin-sh.yara +++ b/rules/persist/systemd/execstop-bin-sh.yara @@ -2,6 +2,7 @@ rule bin_sh_execstop: medium { meta: ref = "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" description = "Runs shell script at stop" + filetypes = "service" strings: $execstop = /ExecStop=\/bin\/sh\/[\w\. \-\'\"]{0,64}/ diff --git a/rules/persist/systemd/execstop-elsewhere.yara b/rules/persist/systemd/execstop-elsewhere.yara index 28a43fab0..fe3f51756 100644 --- a/rules/persist/systemd/execstop-elsewhere.yara +++ b/rules/persist/systemd/execstop-elsewhere.yara @@ -2,6 +2,7 @@ rule execstop_elsewhere: medium { meta: ref = "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" description = "Runs program from unexpected directory at stop" + filetypes = "service" strings: $execstop = /ExecStop=\/[\w\.\_\-]{2,64}/ diff --git a/rules/persist/systemd/execstop-usr-bin.yara b/rules/persist/systemd/execstop-usr-bin.yara index 122e6d29d..816b3a8b7 100644 --- a/rules/persist/systemd/execstop-usr-bin.yara +++ b/rules/persist/systemd/execstop-usr-bin.yara @@ -2,6 +2,7 @@ rule usr_bin_execstop: medium { meta: ref = "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" description = "Runs program from /usr/bin at stop" + filetypes = "service" strings: $execstop = /ExecStop=\/usr\/bin\/[\w\.]{0,32}/ diff --git a/rules/persist/systemd/no_blank_lines.yara b/rules/persist/systemd/no_blank_lines.yara index 628fcda24..8126c1d86 100644 
--- a/rules/persist/systemd/no_blank_lines.yara +++ b/rules/persist/systemd/no_blank_lines.yara @@ -1,6 +1,7 @@ rule systemd_no_blank_lines: high { meta: - ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/" + ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/" + filetypes = "service" strings: $execstart = "ExecStart" diff --git a/rules/persist/systemd/no_docs_or_comments.yara b/rules/persist/systemd/no_docs_or_comments.yara index 024968ab7..ca1633579 100644 --- a/rules/persist/systemd/no_docs_or_comments.yara +++ b/rules/persist/systemd/no_docs_or_comments.yara @@ -2,6 +2,7 @@ rule systemd_no_comments_or_documentation: medium { meta: ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/" description = "systemd unit is undocumented" + filetypes = "service" strings: $execstart = "ExecStart=" diff --git a/rules/persist/systemd/no_output.yara b/rules/persist/systemd/no_output.yara index af22a6f16..f301ee514 100644 --- a/rules/persist/systemd/no_output.yara +++ b/rules/persist/systemd/no_output.yara @@ -1,6 +1,7 @@ rule systemd_no_output: high { meta: description = "Discards all logging output" + filetypes = "service" strings: $discard_stdout = "StandardOutput=null" diff --git a/rules/persist/systemd/restart-always.yara b/rules/persist/systemd/restart-always.yara index b7eaa5694..d2768ea95 100644 --- a/rules/persist/systemd/restart-always.yara +++ b/rules/persist/systemd/restart-always.yara @@ -1,6 +1,7 @@ rule systemd_restart_always: medium { meta: description = "service restarts no matter how many times it crashes" + filetypes = "service" strings: $restart = "Restart=always" diff --git a/rules/persist/systemd/short-description.yara b/rules/persist/systemd/short-description.yara index 5b9308976..b5f33848e 100644 --- a/rules/persist/systemd/short-description.yara +++ b/rules/persist/systemd/short-description.yara 
@@ -1,6 +1,7 @@ rule systemd_short_description { meta: description = "Short or no description" + filetypes = "service" strings: $execstart = "ExecStart=" diff --git a/rules/persist/xdg_desktop_entry.yara b/rules/persist/xdg_desktop_entry.yara index abe04f415..4299e5850 100644 --- a/rules/persist/xdg_desktop_entry.yara +++ b/rules/persist/xdg_desktop_entry.yara @@ -14,6 +14,7 @@ rule desktop_app_exec_entry: medium { rule elf_desktop_app_exec_entry: high { meta: description = "persists via an XDG Desktop Entry" + filetypes = "elf" strings: $ = "[Desktop Entry]" diff --git a/rules/privesc/osascript.yara b/rules/privesc/osascript.yara index dbfab7cf7..7f4e47b87 100644 --- a/rules/privesc/osascript.yara +++ b/rules/privesc/osascript.yara @@ -1,6 +1,7 @@ rule osascript_shell_as_admin: medium { meta: description = "uses osascript with admin privileges" + filetypes = "scpt,scptd" strings: $do_shell = "do shell script" @@ -15,6 +16,7 @@ rule osascript_shell_as_admin: medium { rule osascript_fake_password: critical { meta: description = "uses osascript to prompt for a sudo password" + filetypes = "scpt,scptd" strings: $osascript = "osascript" diff --git a/rules/privesc/runas.yara b/rules/privesc/runas.yara index 237ac5551..f721d93c1 100644 --- a/rules/privesc/runas.yara +++ b/rules/privesc/runas.yara @@ -13,6 +13,7 @@ rule runas_admin: high { rule py_runas_admin: high { meta: description = "Uses RunAs to execute itself as another user" + filetypes = "py" strings: $double = "\"runas\", sys.executable," diff --git a/rules/process/executable_path.yara b/rules/process/executable_path.yara index d94d2495a..22f534ecc 100644 --- a/rules/process/executable_path.yara +++ b/rules/process/executable_path.yara @@ -1,6 +1,7 @@ rule python_sys_executable: medium { meta: description = "gets executable associated to this process" + filetypes = "py" strings: $ref = "sys.executable" fullword 
diff --git a/rules/process/multiprocess.yara b/rules/process/multiprocess.yara index 83fa614e0..effa1c1d4 100644 --- a/rules/process/multiprocess.yara +++ b/rules/process/multiprocess.yara @@ -2,6 +2,7 @@ rule py_multiprocessing: medium { meta: syscall = "pthread_create" description = "uses python multiprocessing" + filetypes = "py" strings: $ref = "multiprocessing" diff --git a/rules/process/multithreaded.yara b/rules/process/multithreaded.yara index b5115efe1..ce94565a9 100644 --- a/rules/process/multithreaded.yara +++ b/rules/process/multithreaded.yara @@ -16,6 +16,7 @@ rule py_thread_create: medium { syscall = "pthread_create" description = "uses python threading" ref = "https://docs.python.org/3/library/threading.html" + filetypes = "py" strings: $ref = "threading.Thread" diff --git a/rules/sus/compiler.yara b/rules/sus/compiler.yara index 3cc659682..08a18b2f7 100644 --- a/rules/sus/compiler.yara +++ b/rules/sus/compiler.yara @@ -1,6 +1,7 @@ rule archaic_gcc: medium { meta: description = "built by an ancient version of GCC" + filetypes = "elf,macho" strings: $gcc_v4 = /GCC: \([\w \.\-\~]{1,128}\) 4\.\d{1,16}\.\d{1,128}/ @@ -13,6 +14,7 @@ rule archaic_gcc: medium { rule small_opaque_archaic_gcc: high linux { meta: description = "small and built by an ancient version of GCC" + filetypes = "elf,macho" strings: $gcc_v4 = /GCC: \([\w \.\-\~]{1,128}\) 4\.\d{1,16}\.\d{1,128}/ @@ -35,6 +37,7 @@ private rule binary { rule multiple_gcc: medium { meta: description = "built with multiple versions of GCC" + filetypes = "elf,macho" strings: $gcc = /GCC: \([\w \.\-\~\(\)]{8,64}/ fullword @@ -46,6 +49,7 @@ rule multiple_gcc: medium { rule multiple_gcc_high: high { meta: description = "built with multiple versions of GCC" + filetypes = "elf,macho" strings: $gcc = /GCC: \([\w \.\-\~\(\)]{8,64}/ fullword diff --git a/rules/sus/entitlement.yara b/rules/sus/entitlement.yara index 9a5e05dc7..ca2e4ba68 100644 --- a/rules/sus/entitlement.yara +++ b/rules/sus/entitlement.yara 
@@ -11,6 +11,7 @@ private rule entitlement_macho { rule com_apple_get_task_allow: medium { meta: description = "debug binary" + filetypes = "macho" strings: $get_task_allow = "com.apple.security.get-task-allow" diff --git a/tests/c/clean/ruby_http_parser/test.c.simple b/tests/c/clean/ruby_http_parser/test.c.simple index df2cd0d0c..48fd3945d 100644 --- a/tests/c/clean/ruby_http_parser/test.c.simple +++ b/tests/c/clean/ruby_http_parser/test.c.simple @@ -18,7 +18,6 @@ net/http/request: low net/http/websocket: medium net/ip/host_port: medium net/socket/send: low -net/udp/kcp: medium net/udp/upnp: medium net/url/embedded: low net/url/encode: medium diff --git a/tests/javascript/2022.an-instance.99.10.9/index.js.simple b/tests/javascript/2022.an-instance.99.10.9/index.js.simple index b20cead17..fc531b160 100644 --- a/tests/javascript/2022.an-instance.99.10.9/index.js.simple +++ b/tests/javascript/2022.an-instance.99.10.9/index.js.simple @@ -1,5 +1,4 @@ # javascript/2022.an-instance.99.10.9/index.js: critical -anti-static/obfuscation/hex: medium data/encoding/int: low data/encoding/json_encode: low discover/network/interface_list: medium diff --git a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff index ebf6c067b..1ecf42b8e 100644 --- a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff +++ b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff @@ -1,6 +1,6 @@ -## Changed (50 added, 5 removed): javascript/2024.lottie-player/lottie-player.min.js [🟡 MEDIUM → 😈 CRITICAL] +## Changed (49 added, 5 removed): javascript/2024.lottie-player/lottie-player.min.js [🟡 MEDIUM → 😈 CRITICAL] -### 50 new behaviors +### 49 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| 
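Review bot: Removing `anti-static/obfuscation/hex: medium` from the expected findings for `javascript/2022.an-instance.99.10.9/index.js` records a lost detection on a sample rated critical, and no change to the hex rule itself is visible in this part of the diff, so it reads as a side effect of the new filetype gating rather than deliberate tuning; the `50 → 49 new behaviors` adjustment in the lottie-player fixture in the next hunk looks like the same effect. It is worth confirming that the hex rule was meant to stop applying to JavaScript; if not, adding `js,ts` to its `filetypes` list (as done for `websocket_send_json`) would restore the finding and this fixture line.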
@@ -8,8 +8,7 @@ | +HIGH | **[anti-static/obfuscation/bitwise](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#unsigned_bitwise_math_excess)** | [uses an excessive amount of unsigned bitwise math](https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection) | [function(](https://github.com/search?q=function%28&type=code)
[charAt(s](https://github.com/search?q=charAt%28s&type=code)
[charAt(a](https://github.com/search?q=charAt%28a&type=code)
[charAt(n](https://github.com/search?q=charAt%28n&type=code)
[charAt(c](https://github.com/search?q=charAt%28c&type=code)
[charAt(t](https://github.com/search?q=charAt%28t&type=code)
[charAt(u](https://github.com/search?q=charAt%28u&type=code)
[charAt(w](https://github.com/search?q=charAt%28w&type=code)
[e>>>28](https://github.com/search?q=e%3E%3E%3E28&type=code)
[c>>>31](https://github.com/search?q=c%3E%3E%3E31&type=code)
[e>>>64](https://github.com/search?q=e%3E%3E%3E64&type=code)
[t>>>64](https://github.com/search?q=t%3E%3E%3E64&type=code)
[a>>>16](https://github.com/search?q=a%3E%3E%3E16&type=code)
[e>>>24](https://github.com/search?q=e%3E%3E%3E24&type=code)
[a>>>13](https://github.com/search?q=a%3E%3E%3E13&type=code)
[r>>>10](https://github.com/search?q=r%3E%3E%3E10&type=code)
[e>>>32](https://github.com/search?q=e%3E%3E%3E32&type=code)
[e>>>10](https://github.com/search?q=e%3E%3E%3E10&type=code)
[e>>>16](https://github.com/search?q=e%3E%3E%3E16&type=code)
[o>>>16](https://github.com/search?q=o%3E%3E%3E16&type=code)
[o>>>24](https://github.com/search?q=o%3E%3E%3E24&type=code)
[o>>>22](https://github.com/search?q=o%3E%3E%3E22&type=code)
[a>>>26](https://github.com/search?q=a%3E%3E%3E26&type=code)
[s>>>26](https://github.com/search?q=s%3E%3E%3E26&type=code)
[d>>>26](https://github.com/search?q=d%3E%3E%3E26&type=code)
[e>>>26](https://github.com/search?q=e%3E%3E%3E26&type=code)
[n>>>13](https://github.com/search?q=n%3E%3E%3E13&type=code)
[n>>>24](https://github.com/search?q=n%3E%3E%3E24&type=code)
[s>>>24](https://github.com/search?q=s%3E%3E%3E24&type=code)
[u>>>24](https://github.com/search?q=u%3E%3E%3E24&type=code)
[a>>>32](https://github.com/search?q=a%3E%3E%3E32&type=code)
[u>>>31](https://github.com/search?q=u%3E%3E%3E31&type=code)
[i>>>27](https://github.com/search?q=i%3E%3E%3E27&type=code)
[p>>>18](https://github.com/search?q=p%3E%3E%3E18&type=code)
[m>>>17](https://github.com/search?q=m%3E%3E%3E17&type=code)
[m>>>19](https://github.com/search?q=m%3E%3E%3E19&type=code)
[m>>>10](https://github.com/search?q=m%3E%3E%3E10&type=code)
[i>>>13](https://github.com/search?q=i%3E%3E%3E13&type=code)
[i>>>22](https://github.com/search?q=i%3E%3E%3E22&type=code)
[a>>>11](https://github.com/search?q=a%3E%3E%3E11&type=code)
[a>>>25](https://github.com/search?q=a%3E%3E%3E25&type=code)
[e>>>19](https://github.com/search?q=e%3E%3E%3E19&type=code)
[e>>>29](https://github.com/search?q=e%3E%3E%3E29&type=code)
[b>>>31](https://github.com/search?q=b%3E%3E%3E31&type=code)
[y>>>31](https://github.com/search?q=y%3E%3E%3E31&type=code)
[d>>>24](https://github.com/search?q=d%3E%3E%3E24&type=code)
[e>>>13](https://github.com/search?q=e%3E%3E%3E13&type=code)
[f>>>24](https://github.com/search?q=f%3E%3E%3E24&type=code)
[r>>>24](https://github.com/search?q=r%3E%3E%3E24&type=code)
[a>>>24](https://github.com/search?q=a%3E%3E%3E24&type=code)
[y>>>13](https://github.com/search?q=y%3E%3E%3E13&type=code)
[m>>>13](https://github.com/search?q=m%3E%3E%3E13&type=code)
[f>>>13](https://github.com/search?q=f%3E%3E%3E13&type=code)
[u>>>13](https://github.com/search?q=u%3E%3E%3E13&type=code)
[t>>>26](https://github.com/search?q=t%3E%3E%3E26&type=code)
[v>>>16](https://github.com/search?q=v%3E%3E%3E16&type=code)
[v>>>24](https://github.com/search?q=v%3E%3E%3E24&type=code)
[c>>>24](https://github.com/search?q=c%3E%3E%3E24&type=code)
[c>>>16](https://github.com/search?q=c%3E%3E%3E16&type=code)
[l>>>26](https://github.com/search?q=l%3E%3E%3E26&type=code)
[u>>>16](https://github.com/search?q=u%3E%3E%3E16&type=code)
[h>>>16](https://github.com/search?q=h%3E%3E%3E16&type=code)
[n>>>26](https://github.com/search?q=n%3E%3E%3E26&type=code)
[h>>>24](https://github.com/search?q=h%3E%3E%3E24&type=code)
[d>>>16](https://github.com/search?q=d%3E%3E%3E16&type=code)
[n>>>31](https://github.com/search?q=n%3E%3E%3E31&type=code)
[o>>>31](https://github.com/search?q=o%3E%3E%3E31&type=code)
[f>>>31](https://github.com/search?q=f%3E%3E%3E31&type=code)
[p>>>31](https://github.com/search?q=p%3E%3E%3E31&type=code)
[h>>>31](https://github.com/search?q=h%3E%3E%3E31&type=code)
[d>>>31](https://github.com/search?q=d%3E%3E%3E31&type=code)
[l>>>31](https://github.com/search?q=l%3E%3E%3E31&type=code)
[i>>>16](https://github.com/search?q=i%3E%3E%3E16&type=code)
[n>>>17](https://github.com/search?q=n%3E%3E%3E17&type=code)
[a>>>15](https://github.com/search?q=a%3E%3E%3E15&type=code)
[s>>>31](https://github.com/search?q=s%3E%3E%3E31&type=code)
[a>>>31](https://github.com/search?q=a%3E%3E%3E31&type=code)
[o>>>10](https://github.com/search?q=o%3E%3E%3E10&type=code)
[i>>>31](https://github.com/search?q=i%3E%3E%3E31&type=code)
[w>>>28](https://github.com/search?q=w%3E%3E%3E28&type=code)
[v>>>28](https://github.com/search?q=v%3E%3E%3E28&type=code)
[b>>>29](https://github.com/search?q=b%3E%3E%3E29&type=code)
[y>>>29](https://github.com/search?q=y%3E%3E%3E29&type=code)
[k>>>20](https://github.com/search?q=k%3E%3E%3E20&type=code)
[j>>>21](https://github.com/search?q=j%3E%3E%3E21&type=code)
[z>>>17](https://github.com/search?q=z%3E%3E%3E17&type=code)
[e>>>12](https://github.com/search?q=e%3E%3E%3E12&type=code)
[e>>>25](https://github.com/search?q=e%3E%3E%3E25&type=code)
[e>>>18](https://github.com/search?q=e%3E%3E%3E18&type=code)
[e>>>27](https://github.com/search?q=e%3E%3E%3E27&type=code)
[e>>>31](https://github.com/search?q=e%3E%3E%3E31&type=code)
[e>>>22](https://github.com/search?q=e%3E%3E%3E22&type=code)
[e>>>11](https://github.com/search?q=e%3E%3E%3E11&type=code)
[e>>>17](https://github.com/search?q=e%3E%3E%3E17&type=code)
[e>>>14](https://github.com/search?q=e%3E%3E%3E14&type=code)
[t>>>29](https://github.com/search?q=t%3E%3E%3E29&type=code)
[t>>>16](https://github.com/search?q=t%3E%3E%3E16&type=code)
[r>>>13](https://github.com/search?q=r%3E%3E%3E13&type=code)
[i>>>10](https://github.com/search?q=i%3E%3E%3E10&type=code)
[s>>>14](https://github.com/search?q=s%3E%3E%3E14&type=code)
[n>>>16](https://github.com/search?q=n%3E%3E%3E16&type=code)
[w>>>17](https://github.com/search?q=w%3E%3E%3E17&type=code)
[w>>>19](https://github.com/search?q=w%3E%3E%3E19&type=code)
[w>>>10](https://github.com/search?q=w%3E%3E%3E10&type=code)
[w>>>18](https://github.com/search?q=w%3E%3E%3E18&type=code)
[h>>>11](https://github.com/search?q=h%3E%3E%3E11&type=code)
[h>>>25](https://github.com/search?q=h%3E%3E%3E25&type=code)
[a>>>22](https://github.com/search?q=a%3E%3E%3E22&type=code)
[x>>>14](https://github.com/search?q=x%3E%3E%3E14&type=code)
[x>>>18](https://github.com/search?q=x%3E%3E%3E18&type=code)
[g>>>16](https://github.com/search?q=g%3E%3E%3E16&type=code)
[h>>>29](https://github.com/search?q=h%3E%3E%3E29&type=code)
[h>>>19](https://github.com/search?q=h%3E%3E%3E19&type=code)
[d>>>29](https://github.com/search?q=d%3E%3E%3E29&type=code)
[t>>>32](https://github.com/search?q=t%3E%3E%3E32&type=code)
[x>>>23](https://github.com/search?q=x%3E%3E%3E23&type=code)
[e>>>5](https://github.com/search?q=e%3E%3E%3E5&type=code)
[q>>>0](https://github.com/search?q=q%3E%3E%3E0&type=code)
[e>>>7](https://github.com/search?q=e%3E%3E%3E7&type=code)
[e>>>8](https://github.com/search?q=e%3E%3E%3E8&type=code)
[t>>>9](https://github.com/search?q=t%3E%3E%3E9&type=code)
[t>>>7](https://github.com/search?q=t%3E%3E%3E7&type=code)
[d>>>6](https://github.com/search?q=d%3E%3E%3E6&type=code)
[q>>>3](https://github.com/search?q=q%3E%3E%3E3&type=code)
[e>>>4](https://github.com/search?q=e%3E%3E%3E4&type=code)
[e>>>0](https://github.com/search?q=e%3E%3E%3E0&type=code)
[h>>>6](https://github.com/search?q=h%3E%3E%3E6&type=code)
[a>>>8](https://github.com/search?q=a%3E%3E%3E8&type=code)
[s>>>8](https://github.com/search?q=s%3E%3E%3E8&type=code)
[i>>>5](https://github.com/search?q=i%3E%3E%3E5&type=code)
[u>>>8](https://github.com/search?q=u%3E%3E%3E8&type=code)
[c>>>8](https://github.com/search?q=c%3E%3E%3E8&type=code)
[d>>>8](https://github.com/search?q=d%3E%3E%3E8&type=code)
[h>>>8](https://github.com/search?q=h%3E%3E%3E8&type=code)
[n>>>7](https://github.com/search?q=n%3E%3E%3E7&type=code)
[o>>>4](https://github.com/search?q=o%3E%3E%3E4&type=code)
[l>>>8](https://github.com/search?q=l%3E%3E%3E8&type=code)
[c>>>5](https://github.com/search?q=c%3E%3E%3E5&type=code)
[k>>>4](https://github.com/search?q=k%3E%3E%3E4&type=code)
[v>>>8](https://github.com/search?q=v%3E%3E%3E8&type=code)
[p>>>8](https://github.com/search?q=p%3E%3E%3E8&type=code)
[w>>>3](https://github.com/search?q=w%3E%3E%3E3&type=code)
[r>>>8](https://github.com/search?q=r%3E%3E%3E8&type=code)
[n>>>8](https://github.com/search?q=n%3E%3E%3E8&type=code)
[f>>>8](https://github.com/search?q=f%3E%3E%3E8&type=code)
[a>>>0](https://github.com/search?q=a%3E%3E%3E0&type=code)
[l>>>0](https://github.com/search?q=l%3E%3E%3E0&type=code)
[o>>>5](https://github.com/search?q=o%3E%3E%3E5&type=code)
[o>>>8](https://github.com/search?q=o%3E%3E%3E8&type=code)
[t>>>0](https://github.com/search?q=t%3E%3E%3E0&type=code)
[r>>>0](https://github.com/search?q=r%3E%3E%3E0&type=code)
[i>>>0](https://github.com/search?q=i%3E%3E%3E0&type=code)
[n>>>0](https://github.com/search?q=n%3E%3E%3E0&type=code)
[s>>>0](https://github.com/search?q=s%3E%3E%3E0&type=code)
[o>>>0](https://github.com/search?q=o%3E%3E%3E0&type=code)
[c>>>0](https://github.com/search?q=c%3E%3E%3E0&type=code)
[z>>>0](https://github.com/search?q=z%3E%3E%3E0&type=code)
[b>>>0](https://github.com/search?q=b%3E%3E%3E0&type=code)
[v>>>0](https://github.com/search?q=v%3E%3E%3E0&type=code)
[m>>>0](https://github.com/search?q=m%3E%3E%3E0&type=code)
[p>>>0](https://github.com/search?q=p%3E%3E%3E0&type=code)
[n>>>5](https://github.com/search?q=n%3E%3E%3E5&type=code)
[a>>>6](https://github.com/search?q=a%3E%3E%3E6&type=code)
[p>>>7](https://github.com/search?q=p%3E%3E%3E7&type=code)
[s>>>6](https://github.com/search?q=s%3E%3E%3E6&type=code)
[x>>>9](https://github.com/search?q=x%3E%3E%3E9&type=code)
[h>>>7](https://github.com/search?q=h%3E%3E%3E7&type=code)
[d>>>7](https://github.com/search?q=d%3E%3E%3E7&type=code)
[w>>>7](https://github.com/search?q=w%3E%3E%3E7&type=code) | | +HIGH | **[c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#exotic_tld)** | Contains HTTP hostname with unusual top-level domain | [https://api.mantlescan.xyz/](https://api.mantlescan.xyz/)
[https://mantlescan.xyz/](https://mantlescan.xyz/)
[https://openchain.xyz/](https://openchain.xyz/) | | +HIGH | **[data/builtin/appkit](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/builtin/appkit.yara#appkit)** | Includes AppKit, a web3 blockchain library | [Price impact reflects the change in market price due to your trade](https://github.com/search?q=Price+impact+reflects+the+change+in+market+price+due+to+your+trade&type=code)
[Select which chain to connect to your multi](https://github.com/search?q=Select+which+chain+to+connect+to+your+multi&type=code) | -| +MEDIUM | **[anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse)** | contains a large hexadecimal string variable | [toString("hex");](https://github.com/search?q=toString%28%22hex%22%29%3B&type=code) | -| +MEDIUM | **[anti-static/obfuscation/python](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/python.yara#multi_decode_3)** | multiple (3+) levels of decoding | [.decode(n);return o._baseCache.set(i,t),o}},jE=(e,t)=>{switch(e[0]){case"Q":{let r=t||N_;return[N_.prefix,r.decode(`${N_.prefix}${e}`)]}case N_.prefix:{let r=t||N_;return[N_.prefix,r.decode(e)]}case y_.prefix:{let r=t||y_;return[y_.prefix,r.decode(e)]}default:if(null==t)throw Error("To parse non base32 or base58btc encoded CID multibase decoder must be provided");return[e[0],t.decode](https://github.com/search?q=.decode%28n%29%3Breturn+o._baseCache.set%28i%2Ct%29%2Co%7D%7D%2CjE%3D%28e%2Ct%29%3D%3E%7Bswitch%28e%5B0%5D%29%7Bcase%22Q%22%3A%7Blet+r%3Dt%7C%7CN_%3Breturn%5BN_.prefix%2Cr.decode%28%60%24%7BN_.prefix%7D%24%7Be%7D%60%29%5D%7Dcase+N_.prefix%3A%7Blet+r%3Dt%7C%7CN_%3Breturn%5BN_.prefix%2Cr.decode%28e%29%5D%7Dcase+y_.prefix%3A%7Blet+r%3Dt%7C%7Cy_%3Breturn%5By_.prefix%2Cr.decode%28e%29%5D%7Ddefault%3Aif%28null%3D%3Dt%29throw+Error%28%22To+parse+non+base32+or+base58btc+encoded+CID+multibase+decoder+must+be+provided%22%29%3Breturn%5Be%5B0%5D%2Ct.decode&type=code)
[.decode(n);return o._baseCache.set(i,t),o}},vB=(e,t)=>{switch(e[0]){case"Q":{let r=t||fN;return[fN.prefix,r.decode(`${fN.prefix}${e}`)]}case fN.prefix:{let r=t||fN;return[fN.prefix,r.decode(e)]}case JO.prefix:{let r=t||JO;return[JO.prefix,r.decode(e)]}default:if(null==t)throw Error("To parse non base32 or base58btc encoded CID multibase decoder must be provided");return[e[0],t.decode](https://github.com/search?q=.decode%28n%29%3Breturn+o._baseCache.set%28i%2Ct%29%2Co%7D%7D%2CvB%3D%28e%2Ct%29%3D%3E%7Bswitch%28e%5B0%5D%29%7Bcase%22Q%22%3A%7Blet+r%3Dt%7C%7CfN%3Breturn%5BfN.prefix%2Cr.decode%28%60%24%7BfN.prefix%7D%24%7Be%7D%60%29%5D%7Dcase+fN.prefix%3A%7Blet+r%3Dt%7C%7CfN%3Breturn%5BfN.prefix%2Cr.decode%28e%29%5D%7Dcase+JO.prefix%3A%7Blet+r%3Dt%7C%7CJO%3Breturn%5BJO.prefix%2Cr.decode%28e%29%5D%7Ddefault%3Aif%28null%3D%3Dt%29throw+Error%28%22To+parse+non+base32+or+base58btc+encoded+CID+multibase+decoder+must+be+provided%22%29%3Breturn%5Be%5B0%5D%2Ct.decode&type=code) | +| +MEDIUM | **[anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#long_hex_var)** | contains a large hexadecimal string variable | 
[Zc="0x608060405234801561001057600080fd5b506040516102c03803806102c083398101604081905261002f916101e6565b836001600160a01b03163b6000036100e457600080836001600160a01b03168360405161005c9190610270565b6000604051808303816000865af19150503d8060008114610099576040519150601f19603f3d011682016040523d82523d6000602084013e61009e565b606091505b50915091508115806100b857506001600160a01b0386163b155b156100e1578060405163101bb98d60e01b81526004016100d8919061028c565b60405180910390fd5b50505b6000808451602086016000885af16040513d6000823e81610103573d81fd5b3d81f35b80516001600160a01b038116811461011e57600080fd5b919050565b634e487b7160e01b600052604160045260246000fd5b60005b8381101561015457818101518382015260200161013c565b50506000910152565b600082601f83011261016e57600080fd5b81516001600160401b0381111561018757610187610123565b604051601f8201601f19908116603f011681016001600160401b03811182821017156101b5576101b5610123565b6040528181528382016020018510156101cd57600080fd5b6101de826020830160208701610139565b949350505050565b600080600080608085870312156101fc57600080fd5b6102](https://github.com/search?q=Zc%3D%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&type=code) | | +MEDIUM | **[c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord)** | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) | | +MEDIUM | **[c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID)** | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code)
[clientId](https://github.com/search?q=clientId&type=code) | | +MEDIUM | **[c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref)** | references multiple operating systems | [https://](https://)
[http://](http://)
[Windows](https://github.com/search?q=Windows&type=code)
[windows](https://github.com/search?q=windows&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[linux](https://github.com/search?q=linux&type=code) | diff --git a/tests/javascript/2024.obfuscated/04363d3c6d6f3badf15f8e99d3739612a7eec439cdcb4457150bbb330a829e7a.js.simple b/tests/javascript/2024.obfuscated/04363d3c6d6f3badf15f8e99d3739612a7eec439cdcb4457150bbb330a829e7a.js.simple index cdd2d3395..59f5eb615 100644 --- a/tests/javascript/2024.obfuscated/04363d3c6d6f3badf15f8e99d3739612a7eec439cdcb4457150bbb330a829e7a.js.simple +++ b/tests/javascript/2024.obfuscated/04363d3c6d6f3badf15f8e99d3739612a7eec439cdcb4457150bbb330a829e7a.js.simple @@ -1,6 +1,5 @@ # javascript/2024.obfuscated/04363d3c6d6f3badf15f8e99d3739612a7eec439cdcb4457150bbb330a829e7a.js: critical anti-static/obfuscation/js: high -anti-static/obfuscation/reverse: medium exec/script/activex: medium exec/script/wsh: high exfil/stealer/vmware: high diff --git a/tests/javascript/2024.obfuscated/0619bf6e9a2151b1b37360cbdd7e46fc7f0059f20ba0ca5853cdbde1f0b29e36.js.simple b/tests/javascript/2024.obfuscated/0619bf6e9a2151b1b37360cbdd7e46fc7f0059f20ba0ca5853cdbde1f0b29e36.js.simple index 3732874af..d65357ece 100644 --- a/tests/javascript/2024.obfuscated/0619bf6e9a2151b1b37360cbdd7e46fc7f0059f20ba0ca5853cdbde1f0b29e36.js.simple +++ b/tests/javascript/2024.obfuscated/0619bf6e9a2151b1b37360cbdd7e46fc7f0059f20ba0ca5853cdbde1f0b29e36.js.simple @@ -2,5 +2,4 @@ anti-static/obfuscation/js: high data/encoding/json_decode: low exec/plugin: low -exec/remote_commands/code_eval: medium net/url/encode: medium diff --git a/tests/javascript/clean/203.b7219352.chunk.js.simple b/tests/javascript/clean/203.b7219352.chunk.js.simple index 6d0e38267..4d1cafb23 100644 --- a/tests/javascript/clean/203.b7219352.chunk.js.simple +++ b/tests/javascript/clean/203.b7219352.chunk.js.simple @@ -23,7 +23,6 @@ discover/user/name_get: medium exec/cmd: medium exec/conditional/LANG: low exec/plugin: low -exec/remote_commands/code_eval: medium exec/shell/SHELL: low exec/shell/TERM: low exec/shell/power: medium 
diff --git a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple index 3b0c5232d..79161f7f9 100644 --- a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple +++ b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple @@ -2,7 +2,6 @@ anti-behavior/random_behavior: low anti-static/obfuscation/js: medium anti-static/obfuscation/math: medium -anti-static/obfuscation/reverse: medium c2/addr/ip: medium c2/addr/server: medium c2/client: medium @@ -18,8 +17,6 @@ crypto/decrypt: low crypto/encrypt: medium crypto/openssl: medium crypto/public_key: low -data/base64/decode: medium -data/base64/encode: medium data/base64/external: medium data/compression/bzip2: low data/compression/gzip: low @@ -38,7 +35,7 @@ discover/process/egid: medium discover/process/parent: low discover/processes/list: medium discover/system/hostname: low -discover/system/platform: medium +discover/system/platform: low discover/user/HOME: low discover/user/USER: low discover/user/name_get: medium @@ -50,7 +47,6 @@ exec/plugin: low exec/program: medium exec/program/background: low exec/remote_commands/code_eval: medium -exec/shell/command: medium exec/shell/power: medium exec/tty/pathname: medium fs/directory/create: low @@ -96,7 +92,6 @@ net/ip/string: medium net/proxy/tunnel: medium net/resolve/hostname: low net/resolve/hostport_parse: low -net/socket/connect: medium net/socket/listen: medium net/socket/local_addr: low net/socket/pair: medium diff --git a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple index 6a519e1a1..af5d261ac 100644 --- a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple +++ b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple 
@@ -2,7 +2,6 @@ anti-behavior/random_behavior: low anti-static/obfuscation/js: medium anti-static/obfuscation/math: medium -anti-static/obfuscation/reverse: medium c2/addr/ip: medium c2/addr/server: medium c2/client: medium @@ -18,8 +17,6 @@ crypto/decrypt: low crypto/encrypt: medium crypto/openssl: medium crypto/public_key: low -data/base64/decode: medium -data/base64/encode: medium data/base64/external: medium data/compression/bzip2: low data/compression/gzip: low @@ -39,7 +36,7 @@ discover/process/egid: medium discover/process/parent: low discover/processes/list: medium discover/system/hostname: low -discover/system/platform: medium +discover/system/platform: low discover/user/HOME: low discover/user/USER: low discover/user/name_get: medium @@ -49,8 +46,6 @@ exec/cmd: medium exec/plugin: low exec/program: medium exec/program/background: low -exec/remote_commands/code_eval: medium -exec/shell/command: medium exec/shell/power: medium exec/tty/pathname: medium fs/directory/create: low @@ -96,7 +91,6 @@ net/ip/string: medium net/proxy/tunnel: medium net/resolve/hostname: low net/resolve/hostport_parse: low -net/socket/connect: medium net/socket/listen: medium net/socket/local_addr: low net/socket/pair: medium diff --git a/tests/javascript/clean/connection.js.simple b/tests/javascript/clean/connection.js.simple index 6fc3fb6b4..240accadf 100644 --- a/tests/javascript/clean/connection.js.simple +++ b/tests/javascript/clean/connection.js.simple @@ -1,6 +1,5 @@ # javascript/clean/connection.js: medium anti-behavior/random_behavior: low -anti-static/obfuscation/hex: medium c2/client: medium c2/tool_transfer/os: low credential/password: low @@ -11,7 +10,6 @@ data/embedded/base64_terms: medium data/embedded/base64_url: medium data/encoding/base64: low discover/system/hostname: low -exec/remote_commands/code_eval: medium net/dns: low net/http: low net/ip/host_port: medium 
diff --git a/tests/javascript/clean/faker.js.simple b/tests/javascript/clean/faker.js.simple index 457e7d865..05dca08b9 100644 --- a/tests/javascript/clean/faker.js.simple +++ b/tests/javascript/clean/faker.js.simple @@ -1,6 +1,8 @@ # javascript/clean/faker.js: medium anti-behavior/blocklist/user: low anti-behavior/random_behavior: low +anti-static/obfuscation/js: medium +anti-static/obfuscation/math: medium anti-static/obfuscation/obfuscate: low c2/addr/ip: medium c2/tool_transfer/arch: low diff --git a/tests/javascript/clean/highlight.esm.js.simple b/tests/javascript/clean/highlight.esm.js.simple index d777c618e..1c100a083 100644 --- a/tests/javascript/clean/highlight.esm.js.simple +++ b/tests/javascript/clean/highlight.esm.js.simple @@ -6,7 +6,6 @@ c2/addr/ip: medium c2/connect/ping_pong: medium c2/tool_transfer/arch: low c2/tool_transfer/os: medium -c2/tool_transfer/python: medium collect/archives/unarchive: medium collect/databases/mysql: medium collect/databases/postgresql: medium @@ -16,8 +15,6 @@ crypto/decrypt: low crypto/encrypt: medium crypto/openssl: medium crypto/public_key: low -data/base64/decode: medium -data/base64/encode: medium data/compression/bzip2: low data/compression/lzma: low data/compression/zlib: low @@ -38,7 +35,6 @@ exec/cmd: medium exec/plugin: low exec/program/background: low exec/program/hidden: medium -exec/remote_commands/code_eval: medium exec/script/activex: medium exec/script/osa: medium exec/shell/SHELL: low diff --git a/tests/javascript/clean/highlight.js.simple b/tests/javascript/clean/highlight.js.simple index 7067d2a38..c8190f641 100644 --- a/tests/javascript/clean/highlight.js.simple +++ b/tests/javascript/clean/highlight.js.simple @@ -6,7 +6,6 @@ c2/addr/ip: medium c2/connect/ping_pong: medium c2/tool_transfer/arch: low c2/tool_transfer/os: medium -c2/tool_transfer/python: medium collect/archives/unarchive: medium collect/databases/mysql: medium collect/databases/postgresql: medium 
@@ -16,8 +15,6 @@ crypto/decrypt: low crypto/encrypt: medium crypto/openssl: medium crypto/public_key: low -data/base64/decode: medium -data/base64/encode: medium data/compression/bzip2: low data/compression/lzma: low data/compression/zlib: low @@ -38,7 +35,6 @@ exec/cmd: medium exec/plugin: low exec/program/background: low exec/program/hidden: medium -exec/remote_commands/code_eval: medium exec/script/activex: medium exec/script/osa: medium exec/shell/SHELL: low diff --git a/tests/javascript/clean/mode-php.js.simple b/tests/javascript/clean/mode-php.js.simple index e2c2fa125..5d5c802b6 100644 --- a/tests/javascript/clean/mode-php.js.simple +++ b/tests/javascript/clean/mode-php.js.simple @@ -13,8 +13,6 @@ crypto/decrypt: low crypto/encrypt: medium crypto/openssl: medium crypto/public_key: low -data/base64/decode: medium -data/base64/encode: medium data/base64/external: medium data/compression/bzip2: low data/compression/gzip: low @@ -35,7 +33,6 @@ evasion/logging/acct: low exec/plugin: low exec/program: medium exec/program/background: low -exec/shell/command: medium exec/tty/pathname: medium fs/directory/create: low fs/directory/remove: low @@ -67,7 +64,6 @@ net/ip/string: medium net/proxy/tunnel: medium net/resolve/hostname: low net/resolve/hostport_parse: low -net/socket/connect: medium net/socket/listen: medium net/socket/local_addr: low net/socket/peer_address: low diff --git a/tests/javascript/clean/mode-php_laravel_blade.js.simple b/tests/javascript/clean/mode-php_laravel_blade.js.simple index cb9353a64..406ce0175 100644 --- a/tests/javascript/clean/mode-php_laravel_blade.js.simple +++ b/tests/javascript/clean/mode-php_laravel_blade.js.simple @@ -13,8 +13,6 @@ crypto/decrypt: low crypto/encrypt: medium crypto/openssl: medium crypto/public_key: low -data/base64/decode: medium -data/base64/encode: medium data/base64/external: medium data/compression/bzip2: low data/compression/gzip: low 
@@ -35,7 +33,6 @@ evasion/logging/acct: low exec/plugin: low exec/program: medium exec/program/background: low -exec/shell/command: medium exec/tty/pathname: medium fs/directory/create: low fs/directory/remove: low @@ -67,7 +64,6 @@ net/ip/string: medium net/proxy/tunnel: medium net/resolve/hostname: low net/resolve/hostport_parse: low -net/socket/connect: medium net/socket/listen: medium net/socket/local_addr: low net/socket/peer_address: low diff --git a/tests/javascript/clean/php.js.simple b/tests/javascript/clean/php.js.simple index d118387a5..e60fdfaeb 100644 --- a/tests/javascript/clean/php.js.simple +++ b/tests/javascript/clean/php.js.simple @@ -13,8 +13,6 @@ crypto/decrypt: low crypto/encrypt: medium crypto/openssl: medium crypto/public_key: low -data/base64/decode: medium -data/base64/encode: medium data/base64/external: medium data/compression/gzip: low data/compression/zlib: low @@ -33,8 +31,6 @@ evasion/logging/acct: low exec/plugin: low exec/program: medium exec/program/background: low -exec/remote_commands/code_eval: medium -exec/shell/command: medium exec/tty/pathname: medium fs/directory/create: low fs/directory/remove: low @@ -64,7 +60,6 @@ net/ip/spoof: medium net/ip/string: medium net/proxy/tunnel: medium net/resolve/hostname: low -net/socket/connect: medium net/socket/listen: medium net/socket/local_addr: low net/socket/peer_address: low diff --git a/tests/javascript/clean/scripts.c88fecd373e21509.js.simple b/tests/javascript/clean/scripts.c88fecd373e21509.js.simple index f1b068e88..be4d9a7a3 100644 --- a/tests/javascript/clean/scripts.c88fecd373e21509.js.simple +++ b/tests/javascript/clean/scripts.c88fecd373e21509.js.simple @@ -17,7 +17,6 @@ discover/system/dmesg: low discover/system/platform: low discover/user/name_get: medium exec/plugin: low -exec/remote_commands/code_eval: medium exec/shell/SHELL: low exec/shell/TERM: low exec/shell/power: medium 
diff --git a/tests/javascript/clean/securityDashboards.plugin.js.simple b/tests/javascript/clean/securityDashboards.plugin.js.simple index bbe758933..31054d0cc 100644 --- a/tests/javascript/clean/securityDashboards.plugin.js.simple +++ b/tests/javascript/clean/securityDashboards.plugin.js.simple @@ -3,7 +3,6 @@ anti-behavior/random_behavior: low anti-static/obfuscation/bitwise: medium anti-static/obfuscation/js: medium anti-static/obfuscation/math: medium -anti-static/obfuscation/reverse: medium anti-static/xor/functions: medium c2/tool_transfer/dropper: medium c2/tool_transfer/os: medium diff --git a/tests/javascript/clean/yarn-3.8.7.cjs.simple b/tests/javascript/clean/yarn-3.8.7.cjs.simple index 3ec0580d9..b59ec3550 100644 --- a/tests/javascript/clean/yarn-3.8.7.cjs.simple +++ b/tests/javascript/clean/yarn-3.8.7.cjs.simple @@ -1,9 +1,5 @@ # javascript/clean/yarn-3.8.7.cjs: medium anti-behavior/random_behavior: low -anti-static/obfuscation/bitwise: medium -anti-static/obfuscation/hex: medium -anti-static/obfuscation/js: medium -anti-static/obfuscation/math: medium c2/addr/ip: medium c2/tool_transfer/arch: low c2/tool_transfer/github: medium @@ -25,7 +21,7 @@ data/encoding/utf16: medium discover/network/interface_list: medium discover/process/parent: low discover/process/working_directory: low -discover/system/platform: medium +discover/system/platform: low discover/user/USER: low discover/user/USERPROFILE: low discover/user/name_get: medium @@ -35,14 +31,12 @@ exec/program: medium exec/shell/TERM: low exec/shell/exec: medium fs/directory/create: low -fs/directory/list: low fs/directory/remove: low fs/file/append: low fs/file/copy: medium fs/file/delete: low fs/file/delete_forcibly: medium fs/file/read: low -fs/file/stat: low fs/file/times_set: medium fs/file/truncate: low fs/file/write: low diff --git a/tests/javascript/clean/zxcvbn.js.simple b/tests/javascript/clean/zxcvbn.js.simple index 760219d54..e1429eb5e 100644 --- a/tests/javascript/clean/zxcvbn.js.simple 
+++ b/tests/javascript/clean/zxcvbn.js.simple @@ -1,6 +1,5 @@ # javascript/clean/zxcvbn.js: medium anti-behavior/random_behavior: low -anti-static/obfuscation/reverse: medium anti-static/obfuscation/strtoi: medium anti-static/xor/functions: medium c2/tool_transfer/dropper: medium @@ -11,7 +10,6 @@ crypto/cipher: medium data/encoding/int: low discover/user/name_get: medium exec/plugin: low -exec/remote_commands/code_eval: medium fs/lock_update: low fs/mount: low fs/path/relative: medium diff --git a/tests/linux/2020.bdvl/bdvl.so.simple b/tests/linux/2020.bdvl/bdvl.so.simple index 9a080d05f..3a5e61a98 100644 --- a/tests/linux/2020.bdvl/bdvl.so.simple +++ b/tests/linux/2020.bdvl/bdvl.so.simple @@ -1,7 +1,5 @@ # linux/2020.bdvl/bdvl.so: critical 3P/elastic/rootkit_bedevil: critical -anti-behavior/LD_DEBUG: medium -anti-behavior/process_check: high credential/password: low credential/sniffer/pcap: high credential/ssh/d: high @@ -15,7 +13,6 @@ evasion/hijack_execution/etc_ld.so.preload: medium evasion/indicator_blocking/process: high evasion/logging/acct: low evasion/logging/hide_shell_history: high -evasion/net/hide_ports: high evasion/process_injection/dlsym: high evasion/process_injection/ptrace: medium evasion/rootkit/userspace: high diff --git a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple index 9acb64169..d3b44485a 100644 --- a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple +++ b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple @@ -17,7 +17,6 @@ crypto/gost89: low crypto/openssl: medium crypto/public_key: low crypto/rc4: low -data/base64/decode: medium data/compression/zlib: low data/embedded/html: medium data/encoding/base64: low diff --git a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple index 97fb0e7bd..daf2493d1 100644 --- a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple +++ b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple 
@@ -7,7 +7,6 @@ discover/network/interface_list: medium discover/system/platform: low evasion/bypass_security/linux/pam: medium evasion/indicator_blocking/process: high -evasion/net/hide_ports: high evasion/rootkit/userspace: critical exec/dylib/symbol_address: medium exfil/stealer/pam: critical @@ -25,4 +24,3 @@ net/ip/byte_order: medium net/ip/parse: medium net/socket/receive: low net/socket/send: low -sus/compiler: medium diff --git a/tests/linux/2022.ez-pwnkit/PWN.so.simple b/tests/linux/2022.ez-pwnkit/PWN.so.simple index 0bc280048..8bc0fbe71 100644 --- a/tests/linux/2022.ez-pwnkit/PWN.so.simple +++ b/tests/linux/2022.ez-pwnkit/PWN.so.simple @@ -1,6 +1,5 @@ # linux/2022.ez-pwnkit/PWN.so: critical exec/program: medium -exec/shell/command: medium exec/shell/exec: medium fs/file/delete_forcibly: low fs/path/home: low diff --git a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple index 089af75ab..4d26d9f13 100644 --- a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple +++ b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple @@ -1,6 +1,6 @@ # linux/2024.Kaiji/eight-nebraska-autumn-illinois: critical 3P/elastic/threat: high -anti-behavior/random_behavior: medium +anti-behavior/random_behavior: low c2/addr/ip: medium c2/addr/url: low c2/discovery/ip_dns_resolver: medium diff --git a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple index 299c71a70..f3d540c1d 100644 --- a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple +++ b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple @@ -1,6 +1,6 @@ # linux/2024.TellYouThePass/uranus-ack-mike-cat: critical 3P/arkbird/solg_ran_elf: critical -anti-behavior/random_behavior: medium +anti-behavior/random_behavior: low c2/addr/ip: high collect/databases/mysql: medium collect/databases/postgresql: medium 
diff --git a/tests/linux/2024.chisel/crondx.simple b/tests/linux/2024.chisel/crondx.simple index 1cff41032..12e4936b4 100644 --- a/tests/linux/2024.chisel/crondx.simple +++ b/tests/linux/2024.chisel/crondx.simple @@ -1,8 +1,9 @@ # linux/2024.chisel/crondx: critical 3P/sekoia/chisel_strings: critical -anti-behavior/random_behavior: medium +anti-behavior/random_behavior: low c2/addr/ip: high c2/addr/url: low +c2/discovery/ip_dns_resolver: medium c2/tool_transfer/arch: low c2/tool_transfer/os: low collect/archives/zip: medium diff --git a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple index 5563260b4..923184645 100644 --- a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple +++ b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple @@ -1,6 +1,6 @@ # linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72: critical 3P/elastic/threat: high -anti-behavior/random_behavior: medium +anti-behavior/random_behavior: low anti-static/base64/exec: high anti-static/base64/http_agent: high anti-static/elf/base64: critical diff --git a/tests/linux/2024.hadooken/drop1.sh.simple b/tests/linux/2024.hadooken/drop1.sh.simple index 67739575b..14c5c93f5 100644 --- a/tests/linux/2024.hadooken/drop1.sh.simple +++ b/tests/linux/2024.hadooken/drop1.sh.simple @@ -1,6 +1,5 @@ # linux/2024.hadooken/drop1.sh: critical anti-static/base64/exec: critical -anti-static/base64/function_names: critical c2/addr/ip: high c2/tool_transfer/shell: high data/base64/external: medium diff --git a/tests/linux/2024.hadooken/drop2.sh.simple b/tests/linux/2024.hadooken/drop2.sh.simple index 58ad798e4..86ac2b0f6 100644 --- a/tests/linux/2024.hadooken/drop2.sh.simple +++ b/tests/linux/2024.hadooken/drop2.sh.simple 
@@ -1,8 +1,5 @@
-# linux/2024.hadooken/drop2.sh: critical
+# linux/2024.hadooken/drop2.sh: high
 c2/addr/ip: high
-exec/imports/python: low
-exec/remote_commands/code_eval: high
-impact/remote_access/remote_eval: critical
 net/http: low
 net/url/embedded: low
 net/url/parse: low
diff --git a/tests/linux/2024.hadooken/ssh_worm.sh.simple b/tests/linux/2024.hadooken/ssh_worm.sh.simple
index a3ca54e4a..ede66907b 100644
--- a/tests/linux/2024.hadooken/ssh_worm.sh.simple
+++ b/tests/linux/2024.hadooken/ssh_worm.sh.simple
@@ -1,6 +1,5 @@
 # linux/2024.hadooken/ssh_worm.sh: critical
 anti-static/base64/exec: critical
-anti-static/base64/function_names: critical
 c2/addr/ip: high
 c2/tool_transfer/shell: medium
 credential/shell/bash_history: high
diff --git a/tests/linux/2024.k4spreader/degrader.sh.simple b/tests/linux/2024.k4spreader/degrader.sh.simple
index 5da701263..626cb23a7 100644
--- a/tests/linux/2024.k4spreader/degrader.sh.simple
+++ b/tests/linux/2024.k4spreader/degrader.sh.simple
@@ -2,6 +2,5 @@
 evasion/bypass_security/linux/iptables: medium
 evasion/bypass_security/linux/ufw: medium
 evasion/hijack_execution/etc_ld.so.preload: high
-fs/attributes/chattr: medium
 fs/path/etc: low
 impact/degrade/firewall: high
diff --git a/tests/linux/2024.kworker_pretenders/aclocal.m4.simple b/tests/linux/2024.kworker_pretenders/aclocal.m4.simple
index 585db0e28..0f1826319 100644
--- a/tests/linux/2024.kworker_pretenders/aclocal.m4.simple
+++ b/tests/linux/2024.kworker_pretenders/aclocal.m4.simple
@@ -1,9 +1,8 @@
-# linux/2024.kworker_pretenders/aclocal.m4: high
+# linux/2024.kworker_pretenders/aclocal.m4: medium
 c2/connect/curl_easy: medium
 discover/user/HOME: low
 exec/shell/command: medium
 exec/shell/exec: medium
-exfil/curl_elf: high
 fs/file/times_set: medium
 fs/file/truncate: low
 fs/link_read: low
diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
index 2008dc1da..0b8b30153 100644
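Review bot: The new expectation for tests/linux/2024.hadooken/drop2.sh.simple removes `exec/remote_commands/code_eval: high`, `impact/remote_access/remote_eval: critical` and `exec/imports/python: low` and lowers the sample's verdict from critical to high, so a known dropper now scores below what the previous rules assigned it. Nothing in this hunk shows whether the eval/python rules were deliberately narrowed or whether this is a false-negative regression; if the sample still contains the Python eval string those rules used to match, the rule change deserves a second look rather than the fixture. If the narrowing is intentional, it would help to say why in the commit message and to keep at least one fixture in which `exec/remote_commands/code_eval` still fires at high, so that rule stays covered by the test corpus.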
--- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
+++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
@@ -1,6 +1,6 @@
 # linux/2024.kworker_pretenders/emp3r0r.agent: critical
 3P/elastic/exploit_cve_2021: critical
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 anti-behavior/vm_check: medium
 anti-static/elf/entropy: high
 anti-static/obfuscation/syscall: medium
@@ -68,7 +68,6 @@ exec/conditional/LANG: low
 exec/dylib/symbol_address: medium
 exec/plugin: low
 exec/program: medium
-exec/remote_commands/code_eval: medium
 exec/script/shell: medium
 exec/shell/SHELL: low
 exec/shell/TERM: low
diff --git a/tests/linux/2024.kworker_pretenders/gafgyt.simple b/tests/linux/2024.kworker_pretenders/gafgyt.simple
index 4ec649dfc..6ef41ffa4 100644
--- a/tests/linux/2024.kworker_pretenders/gafgyt.simple
+++ b/tests/linux/2024.kworker_pretenders/gafgyt.simple
@@ -1,6 +1,5 @@
 # linux/2024.kworker_pretenders/gafgyt: critical
 3P/elastic/mirai: critical
-anti-static/base64/exec: critical
 anti-static/elf/content: high
 credential/ssh/d: medium
 crypto/rc4: low
diff --git a/tests/linux/2024.melofee/2023.8d855c2874.elf.simple b/tests/linux/2024.melofee/2023.8d855c2874.elf.simple
index c35626373..ad34f79f5 100644
--- a/tests/linux/2024.melofee/2023.8d855c2874.elf.simple
+++ b/tests/linux/2024.melofee/2023.8d855c2874.elf.simple
@@ -1,6 +1,7 @@
 # linux/2024.melofee/2023.8d855c2874.elf: critical
 anti-behavior/random_behavior: low
 c2/addr/ip: medium
+c2/discovery/ip_dns_resolver: medium
 credential/password: low
 credential/ssl/private_key: low
 crypto/aes: low
@@ -10,7 +11,6 @@ crypto/gost89: low
 crypto/openssl: medium
 crypto/public_key: low
 crypto/rc4: low
-data/base64/decode: medium
 data/builtin/openssl: medium
 data/compression/zlib: low
 data/encoding/base64: low
diff --git a/tests/linux/2024.melofee/pskt.simple b/tests/linux/2024.melofee/pskt.simple
index 0d28e950b..dd9047f9a 100644
--- a/tests/linux/2024.melofee/pskt.simple
+++ b/tests/linux/2024.melofee/pskt.simple
@@ -5,7 +5,6 @@ anti-behavior/LD_PROFILE: medium
 anti-behavior/random_behavior: low
 anti-static/elf/entropy: high
 anti-static/elf/multiple: medium
-anti-static/obfuscation/js: medium
 c2/addr/ip: medium
 c2/addr/url: low
 c2/tool_transfer/arch: low
@@ -21,7 +20,6 @@ crypto/gost89: low
 crypto/openssl: medium
 crypto/public_key: low
 crypto/rc4: low
-data/base64/decode: medium
 data/builtin/glibc: medium
 data/builtin/multiple: high
 data/builtin/openssl: medium
diff --git a/tests/linux/2024.vncjew/__min__c.json b/tests/linux/2024.vncjew/__min__c.json
index be9bf1a41..b7cb6ad31 100644
--- a/tests/linux/2024.vncjew/__min__c.json
+++ b/tests/linux/2024.vncjew/__min__c.json
@@ -35,15 +35,28 @@
 ],
 "Behaviors": [
 {
- "Description": "exhibits random behavior",
- "MatchStrings": [
- "math/rand"
+ "Description": "uses a random number generator",
+ "MatchStrings": [
+ "nonZeroRandomBytes",
+ "p224RandomPoint",
+ "p521RandomPoint",
+ "p384RandomPoint",
+ "getRandomBatch",
+ "getRandomData",
+ "serverRandom",
+ "extendRandom",
+ "clientRandom",
+ "randomOrder",
+ "randomEnum",
+ "urandom127",
+ "getrandom",
+ "GetRandom"
 ],
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#go_rand",
+ "RiskScore": 1,
+ "RiskLevel": "LOW",
+ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#random",
 "ID": "anti-behavior/random_behavior",
- "RuleName": "go_rand"
+ "RuleName": "random"
 },
 {
 "Description": "mentions an IP and port",
@@ -71,6 +84,17 @@
 "ID": "c2/addr/url",
 "RuleName": "binary_with_url"
 },
+ {
+ "Description": "contains Cloudflare DNS resolver IP",
+ "MatchStrings": [
+ "1.1.1.1"
+ ],
+ "RiskScore": 2,
+ "RiskLevel": "MEDIUM",
+ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#cloudflare_dns_ip",
+ "ID": "c2/discovery/ip_dns_resolver",
+ "RuleName": "cloudflare_dns_ip"
+ },
 {
 "Description": "references a specific architecture",
 "MatchStrings": [
@@ -980,33 +1004,6 @@
 "stdio"
 ],
 "Behaviors": [
- {
- "Description": "high entropy footer in ELF binary (\u003e7.4)",
- "RiskScore": 3,
- "RiskLevel": "HIGH",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_4",
- "ID": "anti-static/elf/entropy",
- "RuleName": "normal_elf_high_entropy_7_4"
- },
- {
- "Description": "high entropy ELF header (\u003e7)",
- "RiskScore": 3,
- "RiskLevel": "HIGH",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#high_entropy_header",
- "ID": "anti-static/elf/header",
- "RuleName": "high_entropy_header"
- },
- {
- "Description": "multiple ELF binaries within an ELF binary",
- "MatchStrings": [
- "$elf_head"
- ],
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf",
- "ID": "anti-static/elf/multiple",
- "RuleName": "multiple_elf"
- },
 {
 "Description": "Linux ELF binary packed with UPX",
 "MatchStrings": [
@@ -1021,26 +1018,15 @@
 "RuleName": "upx"
 },
 {
- "Description": "ELF with hardcoded IP address",
+ "Description": "hardcoded IP address",
 "MatchStrings": [
 "2.5.4.3"
 ],
- "RiskScore": 3,
- "RiskLevel": "HIGH",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#bin_hardcoded_ip",
+ "RiskScore": 2,
+ "RiskLevel": "MEDIUM",
+ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#hardcoded_ip",
 "ID": "c2/addr/ip",
- "RuleName": "bin_hardcoded_ip"
- },
- {
- "Description": "binary contains hardcoded URL",
- "MatchStrings": [
- "http://upx.sf.net"
- ],
- "RiskScore": 1,
- "RiskLevel": "LOW",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url",
- "ID": "c2/addr/url",
- "RuleName": "binary_with_url"
+ "RuleName": "hardcoded_ip"
 },
 {
 "Description": "references a specific architecture",
@@ -1125,8 +1111,8 @@
 "RuleName": "http_url"
 }
 ],
- "RiskScore": 4,
- "RiskLevel": "CRITICAL"
+ "RiskScore": 3,
+ "RiskLevel": "HIGH"
 }
 }
 }
diff --git a/tests/linux/clean/acme.sh.simple b/tests/linux/clean/acme.sh.simple
index ba723ba14..48e5306f9 100644
--- a/tests/linux/clean/acme.sh.simple
+++ b/tests/linux/clean/acme.sh.simple
@@ -6,7 +6,6 @@ credential/password: low
 crypto/encrypt: medium
 crypto/openssl: medium
 crypto/public_key: low
-data/base64/encode: medium
 data/base64/external: medium
 data/embedded/pem_certificate: low
 data/encoding/base64: low
diff --git a/tests/linux/clean/bazel.simple b/tests/linux/clean/bazel.simple
index 46b5d4928..245b3c46d 100644
--- a/tests/linux/clean/bazel.simple
+++ b/tests/linux/clean/bazel.simple
@@ -10,8 +10,6 @@ c2/client: medium
 c2/tool_transfer/arch: low
 c2/tool_transfer/os: medium
 crypto/aes: low
-data/base64/decode: medium
-data/base64/encode: medium
 data/compression/gzip: low
 data/compression/zlib: low
 data/encoding/base64: low
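Review bot: The only remaining c2/addr/ip match in tests/linux/2024.vncjew/__min__c.json is `"2.5.4.3"`, which is the dotted form of the X.509 commonName OID (id-at-commonName) rather than an IP address, so the hardcoded_ip hit on this UPX-packed sample is a false positive that the HIGH→MEDIUM downgrade in this hunk only softens. The rule source is not part of this diff, but since the pattern apparently accepts any four dot-separated small integers, it would be worth adding a negated string for well-known OID prefixes such as `2.5.4.`, `1.2.840.` and `1.3.6.1.` to rules/c2/addr/ip.yara#hardcoded_ip instead of lowering its score. Separately, the same file's overall verdict falls from CRITICAL to HIGH here after the entropy, ELF-header and multiple-ELF behaviors were dropped from a sample that is still reported as packed with UPX; a packed binary losing all three packer-adjacent signals at once looks more like a rule regression than an intended recalibration, and deserves a check against the sample before the fixture is accepted.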
diff --git a/tests/linux/clean/botan.simple b/tests/linux/clean/botan.simple
index df8bebc7e..0f90764dd 100644
--- a/tests/linux/clean/botan.simple
+++ b/tests/linux/clean/botan.simple
@@ -9,8 +9,6 @@ crypto/ed25519: low
 crypto/public_key: low
 crypto/rc4: low
 crypto/tls: low
-data/base64/decode: medium
-data/base64/encode: medium
 data/compression/gzip: low
 data/compression/zlib: low
 data/encoding/base64: low
diff --git a/tests/linux/clean/buildah.simple b/tests/linux/clean/buildah.simple
index 2fc3c1d37..c34456320 100644
--- a/tests/linux/clean/buildah.simple
+++ b/tests/linux/clean/buildah.simple
@@ -1,5 +1,5 @@
 # linux/clean/buildah: medium
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 anti-static/obfuscation/syscall: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
diff --git a/tests/linux/clean/buildkitd.simple b/tests/linux/clean/buildkitd.simple
index 0ecf36790..d77ca909a 100644
--- a/tests/linux/clean/buildkitd.simple
+++ b/tests/linux/clean/buildkitd.simple
@@ -1,5 +1,5 @@
 # linux/clean/buildkitd: medium
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 anti-static/obfuscation/syscall: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
@@ -61,7 +61,6 @@ fs/file/delete: low
 fs/file/open: low
 fs/file/read: low
 fs/file/rename: low
-fs/file/stat: low
 fs/file/times_set: medium
 fs/file/write: low
 fs/link_create: low
diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple
index d907c22b6..a4a4ff9ea 100644
--- a/tests/linux/clean/caddy.simple
+++ b/tests/linux/clean/caddy.simple
@@ -1,5 +1,5 @@
 # linux/clean/caddy: medium
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 anti-static/obfuscation/syscall: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple
index facb84fd6..776bbbcf7 100644
--- a/tests/linux/clean/chezmoi.simple
+++ b/tests/linux/clean/chezmoi.simple
@@ -1,5 +1,5 @@
 # linux/clean/chezmoi: medium
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 anti-static/obfuscation/syscall: medium
 anti-static/xor/functions: medium
 c2/addr/discord: medium
@@ -8,6 +8,7 @@ c2/addr/ip: medium
 c2/addr/telegram: medium
 c2/addr/url: low
 c2/client: medium
+c2/discovery/ip_dns_resolver: medium
 c2/tool_transfer/arch: low
 c2/tool_transfer/download: medium
 c2/tool_transfer/dropper: medium
@@ -79,7 +80,6 @@ exec/shell/background_sleep: medium
 exec/shell/exec: medium
 exec/system_controls/systemd: low
 exfil/upload: medium
-fs/attributes/chattr: medium
 fs/directory/create: low
 fs/directory/list: low
 fs/directory/remove: low
@@ -90,7 +90,6 @@ fs/file/delete_forcibly: low
 fs/file/open: low
 fs/file/read: low
 fs/file/rename: low
-fs/file/stat: low
 fs/file/times_set: medium
 fs/file/write: low
 fs/link_create: low
diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple
index c8856e8ca..6e4b26a54 100644
--- a/tests/linux/clean/chrome.simple
+++ b/tests/linux/clean/chrome.simple
@@ -31,7 +31,6 @@ crypto/public_key: low
 crypto/rc4: medium
 crypto/tls: low
 crypto/uuid: medium
-data/base64/decode: medium
 data/compression/bzip2: low
 data/compression/gzip: low
 data/compression/lzma: low
diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple
index f72107afe..24c5ccd91 100644
--- a/tests/linux/clean/clickhouse.simple
+++ b/tests/linux/clean/clickhouse.simple
@@ -7,6 +7,7 @@ c2/addr/ip: medium
 c2/addr/server: medium
 c2/client: medium
 c2/discovery/dyndns: medium
+c2/discovery/ip_dns_resolver: medium
 c2/tool_transfer/arch: low
 c2/tool_transfer/download: medium
 c2/tool_transfer/dropper: medium
@@ -16,7 +17,6 @@ collect/databases/leveldb: medium
 collect/databases/mysql: medium
 collect/databases/postgresql: medium
 collect/databases/sqlite: medium
-collect/localstorage: medium
 credential/cloud/aws: medium
 credential/cloud/g: medium
 credential/gaming/minecraft: medium
@@ -31,8 +31,6 @@ crypto/gost89: low crypto/openssl: medium crypto/public_key: low crypto/tls: low -data/base64/decode: medium -data/base64/encode: medium data/base64/external: medium data/compression/bzip2: low data/compression/gzip: low @@ -94,7 +92,6 @@ exec/system_controls/systemd: low exfil/collection: medium exfil/proxy: medium fs/directory/create: low -fs/directory/list: low fs/directory/remove: low fs/file/capabilities_set: low fs/file/copy: medium diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md index b09615737..0717d207a 100644 --- a/tests/linux/clean/code-oss.md +++ b/tests/linux/clean/code-oss.md @@ -6,12 +6,11 @@ | MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) | | MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` | -| MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) | | MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [message_port](https://github.com/search?q=message_port&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[minPort](https://github.com/search?q=minPort&type=code)
[maxPort](https://github.com/search?q=maxPort&type=code)
[quic_ip](https://github.com/search?q=quic_ip&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[bIp](https://github.com/search?q=bIp&type=code)
[gIp](https://github.com/search?q=gIp&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [_quic_drop_packets_with_changed_server_address](https://github.com/search?q=_quic_drop_packets_with_changed_server_address&type=code)
[server_address_](https://github.com/search?q=server_address_&type=code) | | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code)
[clientId](https://github.com/search?q=clientId&type=code) | -| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.8.8](https://github.com/search?q=8.8.8.8&type=code)
[8.8.4.4](https://github.com/search?q=8.8.4.4&type=code) | +| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [2001:4860:4860::8888](https://github.com/search?q=2001%3A4860%3A4860%3A%3A8888&type=code)
[2001:4860:4860::8844](https://github.com/search?q=2001%3A4860%3A4860%3A%3A8844&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code)
[8.8.4.4](https://github.com/search?q=8.8.4.4&type=code) | | MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) | | MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [openEyeDropper](https://github.com/search?q=openEyeDropper&type=code)
[FrameDropper](https://github.com/search?q=FrameDropper&type=code)
[eye_dropper](https://github.com/search?q=eye_dropper&type=code) | | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[windows](https://github.com/search?q=windows&type=code)
[darwin](https://github.com/search?q=darwin&type=code)
[linux](https://github.com/search?q=linux&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[macOS](https://github.com/search?q=macOS&type=code)
[macos](https://github.com/search?q=macos&type=code) | @@ -23,8 +22,6 @@ | MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | | MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | `$opt48`
`$opt52`
`$opt12`
`$opt13`
`$opt14`
`$opt63`
`$opt62`
`$opt61`
`$opt60`
`$opt59`
`$opt15`
`$opt16`
`$opt17`
`$opt18`
`$opt19`
`$opt20`
`$opt21`
`$opt22`
`$opt23`
`$opt24`
`$opt25`
`$opt26`
`$opt27`
`$opt28`
`$opt29`
`$opt30`
`$opt31`
`$opt32`
`$opt33`
`$opt34`
`$opt35`
`$opt36`
`$opt37`
`$opt38`
`$opt39`
`$opt40`
`$opt41`
`$opt42`
`$opt43`
`$opt44`
`$opt45`
`$opt46`
`$opt47`
`$opt49`
`$opt50`
`$opt51`
`$opt53`
`$opt54`
`$opt55`
`$opt56`
`$opt57`
`$opt58`
`$opt10`
`$opt11`
`$opt0`
`$opt7`
`$opt8`
`$opt9`
[7654](https://github.com/search?q=7654&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[srqp](https://github.com/search?q=srqp&type=code)
[onml](https://github.com/search?q=onml&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[3210](https://github.com/search?q=3210&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[#"!](https://github.com/search?q=%23%22%21&type=code) | | MEDIUM | [crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid) | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | -| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#js_base64_decode) | decode base64 strings | [js_base64_decode::atob(](https://github.com/search?q=js_base64_decode%3A%3Aatob%28&type=code) | -| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | | MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [contains_base64::Q0VSVElGSUNBVE](https://github.com/search?q=contains_base64%3A%3AQ0VSVElGSUNBVE&type=code)
[contains_base64::ZGlyZWN0b3J5](https://github.com/search?q=contains_base64%3A%3AZGlyZWN0b3J5&type=code)
[contains_base64::RpcmVjdG9ye](https://github.com/search?q=contains_base64%3A%3ARpcmVjdG9ye&type=code) | | MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [contains_base64_url::odHRwczovL](https://github.com/search?q=contains_base64_url%3A%3AodHRwczovL&type=code)
[contains_base64_url::h0dHBzOi8v](https://github.com/search?q=contains_base64_url%3A%3Ah0dHBzOi8v&type=code)
[contains_base64_url::odHRwOi8v](https://github.com/search?q=contains_base64_url%3A%3AodHRwOi8v&type=code)
[contains_base64_url::aHR0cDovL](https://github.com/search?q=contains_base64_url%3A%3AaHR0cDovL&type=code)
[contains_base64_url::h0dHA6Ly](https://github.com/search?q=contains_base64_url%3A%3Ah0dHA6Ly&type=code) | | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code)
[[](https://github.com/search?q=%3Chtml%3E&type=code) | @@ -36,7 +33,6 @@ | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#browser_platform) | system platform identification via browser user-agent | [platformVersion](https://github.com/search?q=platformVersion&type=code)
[userAgentData](https://github.com/search?q=userAgentData&type=code) | | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | | MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [USERPROFILE](https://github.com/search?q=USERPROFILE&type=code)
[Desktop](https://github.com/search?q=Desktop&type=code) | -| MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | | MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) | | MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code)
[ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code) | | MEDIUM | [exec/cmd/pipe](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/pipe.yara#popen_go) | [launches program and reads its output](https://linux.die.net/man/3/popen) | [CombinedOutput](https://github.com/search?q=CombinedOutput&type=code)
[exec](https://github.com/search?q=exec&type=code) | @@ -140,7 +136,6 @@ | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | | LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | | LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | -| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code)
[fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code) | | LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeIntoFile](https://github.com/search?q=writeIntoFile&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code)
[WriteFile](https://github.com/search?q=WriteFile&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple index 69a9f2a59..311d92460 100644 --- a/tests/linux/clean/containerd.simple +++ b/tests/linux/clean/containerd.simple @@ -1,10 +1,11 @@ # linux/clean/containerd: medium -anti-behavior/random_behavior: medium +anti-behavior/random_behavior: low anti-static/obfuscation/syscall: medium c2/addr/ip: medium c2/addr/server: medium c2/addr/url: low c2/client: medium +c2/discovery/ip_dns_resolver: medium c2/tool_transfer/arch: low c2/tool_transfer/os: medium collect/archives/zip: medium diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md index d478dff40..5794c73a7 100644 --- a/tests/linux/clean/cpack.md +++ b/tests/linux/clean/cpack.md @@ -8,8 +8,6 @@ | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[windows](https://github.com/search?q=windows&type=code)
[Darwin](https://github.com/search?q=Darwin&type=code)
[linux](https://github.com/search?q=linux&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[macOS](https://github.com/search?q=macOS&type=code)
[macos](https://github.com/search?q=macos&type=code) | | MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#file_crypter) | Encrypts files | [cryptor](https://github.com/search?q=cryptor&type=code) | | MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | -| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) | -| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [](https://github.com/search?q=%3Chtml%3E&type=code) | | MEDIUM | [data/embedded/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-zstd.yara#embedded_zstd) | [Contains compressed content in ZStandard format](https://github.com/facebook/zstd) | `$ref` | | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code) | diff --git a/tests/linux/clean/http-fingerprints.lua.simple b/tests/linux/clean/http-fingerprints.lua.simple index b71c46429..b9437a03b 100644 --- a/tests/linux/clean/http-fingerprints.lua.simple +++ b/tests/linux/clean/http-fingerprints.lua.simple @@ -8,7 +8,6 @@ collect/databases/mysql: medium credential/password: low credential/server/htpasswd: medium exec/plugin: low -fs/file/read: low fs/path/etc: low fs/path/home: low fs/path/root: medium diff --git a/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple index 3a0f3a713..15320452a 100644 --- a/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple +++ b/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple @@ -16,7 +16,6 @@ crypto/openssl: medium data/encoding/json_decode: low evasion/file/prefix: medium evasion/rootkit/refs: medium -evasion/rootkit/userspace: low exec/plugin: low exec/shell/power: medium exfil/upload: medium diff --git a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple index a1cbe7ec8..f15927b14 100644 --- a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple +++ b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple @@ -2,7 +2,6 @@ anti-behavior/random_behavior: low anti-static/obfuscation/js: medium anti-static/obfuscation/math: medium -anti-static/obfuscation/reverse: medium c2/addr/ip: medium c2/addr/url: low c2/discovery/dyndns: medium @@ -30,7 +29,6 @@ discover/process/name: medium discover/process/parent: low evasion/file/prefix: medium evasion/rootkit/refs: medium -evasion/rootkit/userspace: low exec/cmd: medium exec/plugin: low exec/shell/power: medium diff --git a/tests/linux/clean/kolide/launcher.simple b/tests/linux/clean/kolide/launcher.simple index f634f96ff..143cbf616 100644 --- a/tests/linux/clean/kolide/launcher.simple 
+++ b/tests/linux/clean/kolide/launcher.simple @@ -1,9 +1,10 @@ # linux/clean/kolide/launcher: medium -anti-behavior/random_behavior: medium +anti-behavior/random_behavior: low anti-static/obfuscation/syscall: medium c2/addr/http_dynamic: medium c2/addr/ip: medium c2/addr/url: low +c2/discovery/ip_dns_resolver: medium c2/tool_transfer/arch: low c2/tool_transfer/os: medium collect/archives/zip: medium @@ -56,7 +57,6 @@ fs/file/delete: low fs/file/open: low fs/file/read: low fs/file/rename: low -fs/file/stat: low fs/file/truncate: low fs/file/write: low fs/link_read: low diff --git a/tests/linux/clean/kolide/osqueryd.simple b/tests/linux/clean/kolide/osqueryd.simple index 694846628..70d39c5ea 100644 --- a/tests/linux/clean/kolide/osqueryd.simple +++ b/tests/linux/clean/kolide/osqueryd.simple @@ -6,6 +6,7 @@ c2/addr/http_dynamic: medium c2/addr/ip: medium c2/addr/url: low c2/client: medium +c2/discovery/ip_dns_resolver: medium c2/tool_transfer/arch: low c2/tool_transfer/os: medium collect/databases/leveldb: medium @@ -25,7 +26,6 @@ crypto/gost89: low crypto/openssl: medium crypto/public_key: low crypto/tls: low -data/base64/decode: medium data/compression/bzip2: low data/compression/gzip: low data/compression/lzma: low diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple index abc417631..ea67d52e5 100644 --- a/tests/linux/clean/kuma-cp.simple +++ b/tests/linux/clean/kuma-cp.simple @@ -6,6 +6,7 @@ c2/addr/ip: medium c2/addr/server: medium c2/addr/url: low c2/client: medium +c2/discovery/ip_dns_resolver: medium c2/tool_transfer/arch: low c2/tool_transfer/download: medium c2/tool_transfer/os: medium @@ -74,7 +75,6 @@ fs/file/delete_forcibly: low fs/file/open: low fs/file/read: low fs/file/rename: low -fs/file/stat: low fs/file/write: low fs/link_read: low fs/mount: low diff --git a/tests/linux/clean/ld-2.27.so.simple b/tests/linux/clean/ld-2.27.so.simple index 0180d38ee..654f30a3d 100644 --- a/tests/linux/clean/ld-2.27.so.simple 
+++ b/tests/linux/clean/ld-2.27.so.simple @@ -1,8 +1,4 @@ # linux/clean/ld-2.27.so: medium -anti-behavior/LD_DEBUG: medium -anti-behavior/LD_PROFILE: medium -anti-static/elf/multiple: medium -c2/addr/url: low c2/tool_transfer/arch: low c2/tool_transfer/os: low discover/process/runtime_deps: medium diff --git a/tests/linux/clean/libasan.so.8.0.0.simple b/tests/linux/clean/libasan.so.8.0.0.simple index 07c61174b..4f7172862 100644 --- a/tests/linux/clean/libasan.so.8.0.0.simple +++ b/tests/linux/clean/libasan.so.8.0.0.simple @@ -1,6 +1,5 @@ # linux/clean/libasan.so.8.0.0: medium anti-behavior/random_behavior: low -c2/addr/url: low c2/tool_transfer/arch: low c2/tool_transfer/os: medium data/compression/lzma: low diff --git a/tests/linux/clean/libc.so.6.simple b/tests/linux/clean/libc.so.6.simple index dfffdc8b8..76ed71448 100644 --- a/tests/linux/clean/libc.so.6.simple +++ b/tests/linux/clean/libc.so.6.simple @@ -1,7 +1,6 @@ # linux/clean/libc.so.6: medium anti-behavior/random_behavior: low c2/addr/ip: medium -c2/addr/url: low c2/tool_transfer/os: low credential/os/gshadow: medium credential/os/shadow: medium diff --git a/tests/linux/clean/libgcj.so.17.0.0.simple b/tests/linux/clean/libgcj.so.17.0.0.simple index fc3b19135..2ae9cc7bc 100644 --- a/tests/linux/clean/libgcj.so.17.0.0.simple +++ b/tests/linux/clean/libgcj.so.17.0.0.simple @@ -2,7 +2,6 @@ 3P/JPCERT/cobaltstrike_v3v4: medium anti-behavior/random_behavior: low c2/addr/ip: medium -c2/addr/url: low c2/tool_transfer/os: medium credential/password: low credential/ssl/private_key: low @@ -43,12 +42,10 @@ exec/shell/SHELL: low exec/shell/command: medium exfil/office_file_ext: medium fs/directory/create: low -fs/directory/list: low fs/directory/remove: low fs/file/copy: medium fs/file/delete: medium fs/file/open: low -fs/file/rename: low fs/file/times_set: medium fs/file/truncate: low fs/file/write: low 
diff --git a/tests/linux/clean/libgcj.so.17.simple b/tests/linux/clean/libgcj.so.17.simple index c524275b6..cb6241d1f 100644 --- a/tests/linux/clean/libgcj.so.17.simple +++ b/tests/linux/clean/libgcj.so.17.simple @@ -2,7 +2,6 @@ 3P/JPCERT/cobaltstrike_v3v4: medium anti-behavior/random_behavior: low c2/addr/ip: medium -c2/addr/url: low c2/tool_transfer/os: medium credential/password: low credential/ssl/private_key: low @@ -43,12 +42,10 @@ exec/shell/SHELL: low exec/shell/command: medium exfil/office_file_ext: medium fs/directory/create: low -fs/directory/list: low fs/directory/remove: low fs/file/copy: medium fs/file/delete: medium fs/file/open: low -fs/file/rename: low fs/file/times_set: medium fs/file/truncate: low fs/file/write: low diff --git a/tests/linux/clean/libsystemd.so.0.simple b/tests/linux/clean/libsystemd.so.0.simple index 429baf58d..a0d121da0 100644 --- a/tests/linux/clean/libsystemd.so.0.simple +++ b/tests/linux/clean/libsystemd.so.0.simple @@ -1,6 +1,5 @@ # linux/clean/libsystemd.so.0: medium anti-behavior/random_behavior: low -c2/addr/url: low c2/tool_transfer/arch: low c2/tool_transfer/os: low crypto/rc4: low diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple index e6463a143..64d9e6c34 100644 --- a/tests/linux/clean/melange.simple +++ b/tests/linux/clean/melange.simple @@ -1,15 +1,15 @@ # linux/clean/melange: medium -anti-behavior/random_behavior: medium +anti-behavior/random_behavior: low anti-static/elf/multiple: medium anti-static/obfuscation/syscall: medium c2/addr/http_dynamic: medium c2/addr/ip: medium c2/addr/url: low c2/client: medium +c2/discovery/ip_dns_resolver: medium c2/refs: medium c2/tool_transfer/arch: low c2/tool_transfer/os: medium -collect/archives/tar_command: medium collect/archives/zip: medium collect/code/github_api: low credential/cloud/g: medium 
@@ -62,7 +62,6 @@ evasion/file/prefix: medium evasion/hide_artifacts/pivot_root: medium exec/cmd: medium exec/cmd/pipe: medium -exec/install_additional/pip_install: medium exec/plugin: low exec/program: medium exec/shell/TERM: low diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple index 949cdc05b..6ff9c762e 100644 --- a/tests/linux/clean/mongosh.simple +++ b/tests/linux/clean/mongosh.simple @@ -1,6 +1,5 @@ # linux/clean/mongosh: medium anti-behavior/random_behavior: low -anti-static/obfuscation/hex: medium anti-static/obfuscation/obfuscate: low c2/addr/http_dynamic: medium c2/addr/ip: medium @@ -25,8 +24,6 @@ crypto/openssl: medium crypto/public_key: low crypto/tls: low crypto/uuid: medium -data/base64/decode: medium -data/base64/encode: medium data/base64/external: medium data/compression/bzip2: low data/compression/gzip: low @@ -57,13 +54,12 @@ discover/process/parent: low discover/process/working_directory: low discover/processes/list: medium discover/system/hostname: low -discover/system/platform: medium +discover/system/platform: low discover/system/sysinfo: medium discover/user/APPDATA: low discover/user/HOME: low discover/user/USER: low discover/user/USERPROFILE: medium -discover/user/info: medium discover/user/name_get: low evasion/file/prefix: medium evasion/logging/acct: low @@ -89,7 +85,6 @@ exec/tty/pathname: medium exfil/office_file_ext: medium exfil/stealer/credit_card: medium fs/directory/create: low -fs/directory/list: low fs/directory/remove: low fs/file/append: low fs/file/capabilities_set: low @@ -100,7 +95,6 @@ fs/file/delete_forcibly: low fs/file/open: low fs/file/read: low fs/file/rename: low -fs/file/stat: low fs/file/times_set: medium fs/file/truncate: low fs/file/write: low diff --git a/tests/linux/clean/nvim.simple b/tests/linux/clean/nvim.simple index 7a19756d0..e80b78151 100644 --- a/tests/linux/clean/nvim.simple +++ b/tests/linux/clean/nvim.simple 
@@ -13,8 +13,6 @@ credential/ssh: medium credential/ssh/d: medium crypto/openssl: medium crypto/rc4: low -data/base64/decode: medium -data/base64/encode: medium data/compression/zlib: low data/encoding/base64: low data/random/insecure: low diff --git a/tests/linux/clean/opa.simple b/tests/linux/clean/opa.simple index fd6452c75..db183ac34 100644 --- a/tests/linux/clean/opa.simple +++ b/tests/linux/clean/opa.simple @@ -1,10 +1,11 @@ # linux/clean/opa: medium -anti-behavior/random_behavior: medium +anti-behavior/random_behavior: low anti-static/obfuscation/syscall: medium c2/addr/http_dynamic: medium c2/addr/ip: medium c2/addr/url: low c2/client: medium +c2/discovery/ip_dns_resolver: medium c2/tool_transfer/arch: low c2/tool_transfer/download: medium c2/tool_transfer/os: medium @@ -18,8 +19,6 @@ crypto/ecdsa: low crypto/ed25519: low crypto/public_key: low crypto/tls: low -data/base64/decode: medium -data/base64/encode: medium data/compression/gzip: low data/compression/zstd: low data/embedded/html: medium @@ -49,7 +48,6 @@ fs/file/delete: low fs/file/open: low fs/file/read: low fs/file/rename: low -fs/file/stat: low fs/file/times_set: low fs/file/write: low fs/link_read: low diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md index 622edaef5..c8a55bbd8 100644 --- a/tests/linux/clean/pandoc.md +++ b/tests/linux/clean/pandoc.md 
@@ -7,6 +7,7 @@ | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) | | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code) | | MEDIUM | [c2/discovery/dyndns](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/dyndns.yara#dynamic_dns_user) | uses dynamic DNS service | [dyndns](https://github.com/search?q=dyndns&type=code) | +| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#cloudflare_dns_ip) | contains Cloudflare DNS resolver IP | [1.1.1.1](https://github.com/search?q=1.1.1.1&type=code) | | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[windows](https://github.com/search?q=windows&type=code)
[linux](https://github.com/search?q=linux&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[macOS](https://github.com/search?q=macOS&type=code) | | MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [unarchived](https://github.com/search?q=unarchived&type=code) | | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [ZIP64](https://github.com/search?q=ZIP64&type=code) | @@ -15,8 +16,6 @@ | MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) | | MEDIUM | [credential/server/htpasswd](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/server/htpasswd.yara#htpasswd) | Access .htpasswd files | [.htpasswd](https://github.com/search?q=.htpasswd&type=code) | | MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | -| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) | -| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code)
[](https://github.com/search?q=%3Chtml%3E&type=code) | | MEDIUM | [data/encoding/utf16](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/utf16.yara#chr) | assembles strings from UTF-16 code units | `$ref` | | MEDIUM | [data/hash/whirlpool](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/whirlpool.yara#whirlpool) | [hash function often used for cryptomining](https://en.wikipedia.org/wiki/Whirlpool_(hash_function)) | [WHIRLPOOL](https://github.com/search?q=WHIRLPOOL&type=code) | diff --git a/tests/linux/clean/pulumi.simple b/tests/linux/clean/pulumi.simple index cac48ad8e..950abd32a 100644 --- a/tests/linux/clean/pulumi.simple +++ b/tests/linux/clean/pulumi.simple @@ -1,11 +1,12 @@ # linux/clean/pulumi: medium -anti-behavior/random_behavior: medium +anti-behavior/random_behavior: low anti-static/obfuscation/syscall: medium c2/addr/http_dynamic: medium c2/addr/ip: medium c2/addr/server: medium c2/addr/url: low c2/client: medium +c2/discovery/ip_dns_resolver: medium c2/tool_transfer/arch: low c2/tool_transfer/download: medium c2/tool_transfer/os: medium @@ -64,7 +65,6 @@ evasion/file/prefix: medium exec/cmd: medium exec/cmd/pipe: medium exec/conditional/LANG: low -exec/install_additional/pip_install: medium exec/plugin: low exec/program: medium exec/program/background: low diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md index 3c1dd5755..8b773f855 100644 --- a/tests/linux/clean/qemu-system-xtensa.md +++ b/tests/linux/clean/qemu-system-xtensa.md 
@@ -11,8 +11,6 @@ | MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | | MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt) | encrypts data | [t_type_q_obj_RbdEncryptionOptions_base_](https://github.com/search?q=t_type_q_obj_RbdEncryptionOptions_base_&type=code)
[bj_BlockdevQcow2Encryption_base_members](https://github.com/search?q=bj_BlockdevQcow2Encryption_base_members&type=code)
[obj_BlockdevQcowEncryption_base_members](https://github.com/search?q=obj_BlockdevQcowEncryption_base_members&type=code)
[t_type_q_obj_RbdEncryptionCreateOptions](https://github.com/search?q=t_type_q_obj_RbdEncryptionCreateOptions&type=code)
[nfoSpecificQCow2EncryptionBase_members](https://github.com/search?q=nfoSpecificQCow2EncryptionBase_members&type=code)
[visit_type_RbdEncryptionCreateOptions](https://github.com/search?q=visit_type_RbdEncryptionCreateOptions&type=code)
[visit_type_RbdEncryptionOptionsLUKS_m](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKS_m&type=code)
[visit_type_RbdEncryptionOptionsLUKSBa](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKSBa&type=code)
[visit_type_RbdEncryptionOptions_membe](https://github.com/search?q=visit_type_RbdEncryptionOptions_membe&type=code)
[visit_type_RbdEncryptionOptionsLUKSAn](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKSAn&type=code)
[visit_type_RbdEncryptionOptionsLUKS2_](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKS2_&type=code)
[qapi_free_RbdEncryptionCreateOptions](https://github.com/search?q=qapi_free_RbdEncryptionCreateOptions&type=code)
[qapi_free_RbdEncryptionOptionsLUKSBa](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKSBa&type=code)
[BlockdevQcow2EncryptionFormat_lookup](https://github.com/search?q=BlockdevQcow2EncryptionFormat_lookup&type=code)
[qapi_free_RbdEncryptionOptionsLUKSAn](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKSAn&type=code)
[qapi_free_RbdEncryptionOptionsLUKS2](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKS2&type=code)
[BlockdevQcowEncryptionFormat_lookup](https://github.com/search?q=BlockdevQcowEncryptionFormat_lookup&type=code)
[ype_BlockdevQcowEncryption_members](https://github.com/search?q=ype_BlockdevQcowEncryption_members&type=code)
[pe_BlockdevQcow2Encryption_members](https://github.com/search?q=pe_BlockdevQcow2Encryption_members&type=code)
[nfoSpecificQCow2Encryption_members](https://github.com/search?q=nfoSpecificQCow2Encryption_members&type=code)
[pe_BlockdevQcow2EncryptionFormat](https://github.com/search?q=pe_BlockdevQcow2EncryptionFormat&type=code)
[it_type_RbdImageEncryptionFormat](https://github.com/search?q=it_type_RbdImageEncryptionFormat&type=code)
[ype_BlockdevQcowEncryptionFormat](https://github.com/search?q=ype_BlockdevQcowEncryptionFormat&type=code)
[RbdImageEncryptionFormat_lookup](https://github.com/search?q=RbdImageEncryptionFormat_lookup&type=code)
[ree_BlockdevQcowEncryption](https://github.com/search?q=ree_BlockdevQcowEncryption&type=code)
[ee_BlockdevQcow2Encryption](https://github.com/search?q=ee_BlockdevQcow2Encryption&type=code)
[Encryption header offse](https://github.com/search?q=Encryption+header+offse&type=code)
[Encrypt the image with](https://github.com/search?q=Encrypt+the+image+with&type=code) | | MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [openssl](https://github.com/search?q=openssl&type=code) | -| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) | -| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | | MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | MEDIUM | [evasion/indicator_blocking/vm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/indicator_blocking/vm.yara#hidden_qemu) | operates a QEMU VM | [unable to find CPU model '%s'](https://github.com/search?q=unable+to+find+CPU+model+%27%25s%27&type=code)
[QEMU_VFIO](https://github.com/search?q=QEMU_VFIO&type=code) | diff --git a/tests/linux/clean/runtime-security-fentry.o.simple b/tests/linux/clean/runtime-security-fentry.o.simple index 1ef6806c2..e1a715d38 100644 --- a/tests/linux/clean/runtime-security-fentry.o.simple +++ b/tests/linux/clean/runtime-security-fentry.o.simple @@ -1,7 +1,6 @@ # linux/clean/runtime-security-fentry.o: medium anti-behavior/random_behavior: low c2/addr/ip: medium -c2/addr/url: low c2/tool_transfer/arch: low c2/tool_transfer/os: medium evasion/bypass_security/linux/iptables: medium diff --git a/tests/linux/clean/runtime-security-syscall-wrapper.o.simple b/tests/linux/clean/runtime-security-syscall-wrapper.o.simple index 8a1951a02..de0644066 100644 --- a/tests/linux/clean/runtime-security-syscall-wrapper.o.simple +++ b/tests/linux/clean/runtime-security-syscall-wrapper.o.simple @@ -1,7 +1,6 @@ # linux/clean/runtime-security-syscall-wrapper.o: medium anti-behavior/random_behavior: low c2/addr/ip: medium -c2/addr/url: low c2/tool_transfer/arch: low c2/tool_transfer/os: medium evasion/bypass_security/linux/iptables: medium diff --git a/tests/linux/clean/runtime-security.o.simple b/tests/linux/clean/runtime-security.o.simple index 75cd79c93..b54a1ab6a 100644 --- a/tests/linux/clean/runtime-security.o.simple +++ b/tests/linux/clean/runtime-security.o.simple @@ -1,7 +1,6 @@ # linux/clean/runtime-security.o: medium anti-behavior/random_behavior: low c2/addr/ip: medium -c2/addr/url: low c2/tool_transfer/os: medium evasion/bypass_security/linux/iptables: medium evasion/logging/acct: low diff --git a/tests/linux/clean/rust_libtest-350a2b8f7a4551b7.so.simple b/tests/linux/clean/rust_libtest-350a2b8f7a4551b7.so.simple index 84d027a7b..12c5ebb50 100644 --- a/tests/linux/clean/rust_libtest-350a2b8f7a4551b7.so.simple +++ b/tests/linux/clean/rust_libtest-350a2b8f7a4551b7.so.simple 
@@ -1,6 +1,5 @@ # linux/clean/rust_libtest-350a2b8f7a4551b7.so: medium anti-behavior/random_behavior: low -c2/addr/url: low c2/tool_transfer/arch: low c2/tool_transfer/os: medium discover/process/runtime_deps: medium diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md index 71005789d..8f526acfe 100644 --- a/tests/linux/clean/slack.md +++ b/tests/linux/clean/slack.md @@ -5,12 +5,11 @@ | MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | | MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) | | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` | -| MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) | | MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [https://%s](https://%s)
[http://%s](http://%s) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [endpoint_port](https://github.com/search?q=endpoint_port&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[required_ip](https://github.com/search?q=required_ip&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[multi_port](https://github.com/search?q=multi_port&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[quiche_ip](https://github.com/search?q=quiche_ip&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[firstIp](https://github.com/search?q=firstIp&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[yoIp](https://github.com/search?q=yoIp&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[xIp](https://github.com/search?q=xIp&type=code)
[pIp](https://github.com/search?q=pIp&type=code)
[hIp](https://github.com/search?q=hIp&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [server_address_](https://github.com/search?q=server_address_&type=code) | | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code)
[clientId](https://github.com/search?q=clientId&type=code) | -| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.8.8](https://github.com/search?q=8.8.8.8&type=code)
[8.8.4.4](https://github.com/search?q=8.8.4.4&type=code) | +| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [2001:4860:4860::8888](https://github.com/search?q=2001%3A4860%3A4860%3A%3A8888&type=code)
[2001:4860:4860::8844](https://github.com/search?q=2001%3A4860%3A4860%3A%3A8844&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code)
[8.8.4.4](https://github.com/search?q=8.8.4.4&type=code) | | MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) | | MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [openEyeDropper](https://github.com/search?q=openEyeDropper&type=code)
[FrameDropper](https://github.com/search?q=FrameDropper&type=code)
[eye_dropper](https://github.com/search?q=eye_dropper&type=code) | | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[windows](https://github.com/search?q=windows&type=code)
[darwin](https://github.com/search?q=darwin&type=code)
[linux](https://github.com/search?q=linux&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[macOS](https://github.com/search?q=macOS&type=code)
[macos](https://github.com/search?q=macos&type=code) | @@ -23,7 +22,6 @@ | MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | | MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | `$opt60`
`$opt36`
`$opt62`
`$opt61`
`$opt59`
`$opt58`
`$opt57`
`$opt56`
`$opt55`
`$opt10`
`$opt11`
`$opt12`
`$opt13`
`$opt14`
`$opt15`
`$opt16`
`$opt17`
`$opt18`
`$opt19`
`$opt20`
`$opt21`
`$opt22`
`$opt23`
`$opt24`
`$opt25`
`$opt26`
`$opt27`
`$opt28`
`$opt29`
`$opt30`
`$opt31`
`$opt32`
`$opt33`
`$opt34`
`$opt35`
`$opt37`
`$opt38`
`$opt39`
`$opt40`
`$opt41`
`$opt42`
`$opt43`
`$opt44`
`$opt45`
`$opt46`
`$opt47`
`$opt48`
`$opt49`
`$opt50`
`$opt51`
`$opt52`
`$opt53`
`$opt54`
`$opt63`
`$opt9`
`$opt8`
`$opt7`
`$opt0`
[srqp](https://github.com/search?q=srqp&type=code)
[onml](https://github.com/search?q=onml&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[7654](https://github.com/search?q=7654&type=code)
[3210](https://github.com/search?q=3210&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[#"!](https://github.com/search?q=%23%22%21&type=code) | | MEDIUM | [crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid) | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | -| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#js_base64_decode) | decode base64 strings | [js_base64_decode::atob(](https://github.com/search?q=js_base64_decode%3A%3Aatob%28&type=code) | | MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [contains_base64::Q0VSVElGSUNBVE](https://github.com/search?q=contains_base64%3A%3AQ0VSVElGSUNBVE&type=code)
[contains_base64::DRVJUSUZJQ0FUR](https://github.com/search?q=contains_base64%3A%3ADRVJUSUZJQ0FUR&type=code)
[contains_base64::ZGlyZWN0b3J5](https://github.com/search?q=contains_base64%3A%3AZGlyZWN0b3J5&type=code)
[contains_base64::RpcmVjdG9ye](https://github.com/search?q=contains_base64%3A%3ARpcmVjdG9ye&type=code) | | MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [contains_base64_url::odHRwczovL](https://github.com/search?q=contains_base64_url%3A%3AodHRwczovL&type=code)
[contains_base64_url::aHR0cDovL](https://github.com/search?q=contains_base64_url%3A%3AaHR0cDovL&type=code)
[contains_base64_url::odHRwOi8v](https://github.com/search?q=contains_base64_url%3A%3AodHRwOi8v&type=code)
[contains_base64_url::h0dHA6Ly](https://github.com/search?q=contains_base64_url%3A%3Ah0dHA6Ly&type=code) | | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code)
[[](https://github.com/search?q=%3Chtml%3E&type=code) | @@ -36,7 +34,6 @@ | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#browser_platform) | system platform identification via browser user-agent | [platformVersion](https://github.com/search?q=platformVersion&type=code)
[userAgentData](https://github.com/search?q=userAgentData&type=code) | | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | | MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [USERPROFILE](https://github.com/search?q=USERPROFILE&type=code)
[Desktop](https://github.com/search?q=Desktop&type=code) | -| MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | | MEDIUM | [evasion/file/location/dev_shm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/dev-shm.yara#dev_shm) | references path within /dev/shm (world writeable) | [/dev/shm/](https://github.com/search?q=%2Fdev%2Fshm%2F&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/usr/lib/debug/.build-id](https://github.com/search?q=%2Fusr%2Flib%2Fdebug%2F.build-id&type=code) | | MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) | @@ -142,7 +139,6 @@ | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | | LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | | LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | -| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code)
[fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code) | | LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [_writeFilesForTesting](https://github.com/search?q=_writeFilesForTesting&type=code)
[writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeFileUtf8](https://github.com/search?q=writeFileUtf8&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code)
[WriteFile](https://github.com/search?q=WriteFile&type=code) | | LOW | [fs/link_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) | diff --git a/tests/linux/clean/trino.linux-amd64.launcher.json b/tests/linux/clean/trino.linux-amd64.launcher.json index b87a5f88c..eecefccec 100644 --- a/tests/linux/clean/trino.linux-amd64.launcher.json +++ b/tests/linux/clean/trino.linux-amd64.launcher.json @@ -40,15 +40,22 @@ ], "Behaviors": [ { - "Description": "exhibits random behavior", + "Description": "uses a random number generator", "MatchStrings": [ - "math/rand" + "readTimeRandom", + "rand_getrandom", + "urandomECDSA", + "randomOrder", + "readRandom", + "randomEnum", + "GetRandom", + "getRandom" ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#go_rand", + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#random", "ID": "anti-behavior/random_behavior", - "RuleName": "go_rand" + "RuleName": "random" }, { "Description": "mentions an IP and port", 
@@ -855,41 +862,6 @@ "ID": "anti-behavior/random_behavior", "RuleName": "random" }, - { - "Description": "Obfuscated ELF binary (missing symbols)", - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/content.yara#obfuscated_elf", - "ID": "anti-static/elf/content", - "RuleName": "obfuscated_elf" - }, - { - "Description": "high entropy footer in ELF binary (\u003e7.4)", - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_4", - "ID": "anti-static/elf/entropy", - "RuleName": "normal_elf_high_entropy_7_4" - }, - { - "Description": "high entropy ELF header (\u003e7)", - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#high_entropy_header", - "ID": "anti-static/elf/header", - "RuleName": "high_entropy_header" - }, - { - "Description": "multiple ELF binaries within an ELF binary", - "MatchStrings": [ - "$elf_head" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf", - "ID": "anti-static/elf/multiple", - "RuleName": "multiple_elf" - }, { "Description": "Linux ELF binary packed with UPX", "MatchStrings": [ @@ -903,17 +875,6 @@ "ID": "anti-static/packer/upx", "RuleName": "upx" }, - { - "Description": "binary contains hardcoded URL", - "MatchStrings": [ - "http://upx.sf.net" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url", - "ID": "c2/addr/url", - "RuleName": "binary_with_url" - }, { "Description": "references a specific architecture", "MatchStrings": [ 
diff --git a/tests/linux/clean/trino.linux-arm64.launcher.json b/tests/linux/clean/trino.linux-arm64.launcher.json index d580a67a3..ef6fa0dc9 100644 --- a/tests/linux/clean/trino.linux-arm64.launcher.json +++ b/tests/linux/clean/trino.linux-arm64.launcher.json @@ -40,15 +40,22 @@ ], "Behaviors": [ { - "Description": "exhibits random behavior", + "Description": "uses a random number generator", "MatchStrings": [ - "math/rand" + "readTimeRandom", + "rand_getrandom", + "urandomECDSA", + "randomOrder", + "readRandom", + "randomEnum", + "GetRandom", + "getRandom" ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#go_rand", + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#random", "ID": "anti-behavior/random_behavior", - "RuleName": "go_rand" + "RuleName": "random" }, { "Description": "mentions an IP and port", 
@@ -839,41 +846,6 @@ "ID": "anti-behavior/random_behavior", "RuleName": "random" }, - { - "Description": "Obfuscated ELF binary (missing symbols)", - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/content.yara#obfuscated_elf", - "ID": "anti-static/elf/content", - "RuleName": "obfuscated_elf" - }, - { - "Description": "high entropy footer in ELF binary (\u003e7.4)", - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_4", - "ID": "anti-static/elf/entropy", - "RuleName": "normal_elf_high_entropy_7_4" - }, - { - "Description": "high entropy ELF header (\u003e7)", - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#high_entropy_header", - "ID": "anti-static/elf/header", - "RuleName": "high_entropy_header" - }, - { - "Description": "multiple ELF binaries within an ELF binary", - "MatchStrings": [ - "$elf_head" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf", - "ID": "anti-static/elf/multiple", - "RuleName": "multiple_elf" - }, { "Description": "Linux ELF binary packed with UPX", "MatchStrings": [ @@ -887,17 +859,6 @@ "ID": "anti-static/packer/upx", "RuleName": "upx" }, - { - "Description": "binary contains hardcoded URL", - "MatchStrings": [ - "http://upx.sf.net" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url", - "ID": "c2/addr/url", - "RuleName": "binary_with_url" - }, { "Description": "Supports AES (Advanced Encryption Standard)", "MatchStrings": [ 
diff --git a/tests/linux/clean/trino.linux-ppc64le.launcher.json b/tests/linux/clean/trino.linux-ppc64le.launcher.json index 26084c34b..feeacaa91 100644 --- a/tests/linux/clean/trino.linux-ppc64le.launcher.json +++ b/tests/linux/clean/trino.linux-ppc64le.launcher.json @@ -40,15 +40,22 @@ ], "Behaviors": [ { - "Description": "exhibits random behavior", + "Description": "uses a random number generator", "MatchStrings": [ - "math/rand" + "readTimeRandom", + "rand_getrandom", + "urandomECDSA", + "randomOrder", + "readRandom", + "randomEnum", + "GetRandom", + "getRandom" ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#go_rand", + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#random", "ID": "anti-behavior/random_behavior", - "RuleName": "go_rand" + "RuleName": "random" }, { "Description": "mentions an IP and port", 
@@ -848,41 +855,6 @@ "ID": "anti-behavior/random_behavior", "RuleName": "random" }, - { - "Description": "Obfuscated ELF binary (missing symbols)", - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/content.yara#obfuscated_elf", - "ID": "anti-static/elf/content", - "RuleName": "obfuscated_elf" - }, - { - "Description": "high entropy footer in ELF binary (\u003e7.4)", - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_4", - "ID": "anti-static/elf/entropy", - "RuleName": "normal_elf_high_entropy_7_4" - }, - { - "Description": "high entropy ELF header (\u003e7)", - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#high_entropy_header", - "ID": "anti-static/elf/header", - "RuleName": "high_entropy_header" - }, - { - "Description": "multiple ELF binaries within an ELF binary", - "MatchStrings": [ - "$elf_head" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf", - "ID": "anti-static/elf/multiple", - "RuleName": "multiple_elf" - }, { "Description": "Binary is packed with UPX", "MatchStrings": [ @@ -896,17 +868,6 @@ "ID": "anti-static/packer/upx", "RuleName": "upx" }, - { - "Description": "binary contains hardcoded URL", - "MatchStrings": [ - "http://upx.sf.net" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url", - "ID": "c2/addr/url", - "RuleName": "binary_with_url" - }, { "Description": "Uses DNS TXT (text) records", "MatchStrings": [ diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple index ecc5a4f22..ba833fc54 100644 
--- a/tests/linux/clean/trivy.simple +++ b/tests/linux/clean/trivy.simple @@ -34,8 +34,6 @@ crypto/ed25519: low crypto/openssl: medium crypto/public_key: low crypto/tls: low -data/base64/decode: medium -data/base64/encode: medium data/compression/bzip2: low data/compression/gzip: low data/compression/lzma: low @@ -81,7 +79,6 @@ exec/cmd/pipe: medium exec/conditional/LANG: low exec/dylib/symbol_address: medium exec/install_additional/package_install: medium -exec/install_additional/pip_install: medium exec/plugin: low exec/program: medium exec/script/osa: medium @@ -104,7 +101,6 @@ fs/file/delete_forcibly: medium fs/file/open: low fs/file/read: low fs/file/rename: low -fs/file/stat: low fs/file/times_set: medium fs/file/truncate: low fs/file/write: low diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md index 5d8378e5b..09a90e0ea 100644 --- a/tests/linux/clean/trufflehog.md +++ b/tests/linux/clean/trufflehog.md @@ -47,7 +47,7 @@ | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#exec_cmd_run) | executes external programs | [).CombinedOutput](https://github.com/search?q=%29.CombinedOutput&type=code)
[exec.(*Cmd).Run](https://github.com/search?q=exec.%28%2ACmd%29.Run&type=code) | | MEDIUM | [exec/script/osa](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/script/osascript.yara#osascript_caller) | runs osascript | [display dialog](https://github.com/search?q=display+dialog&type=code) | | MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershell](https://github.com/search?q=powershell&type=code) | -| MEDIUM | [exfil/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/discord.yara#discord_bot) | [Uses the Discord webhooks API](https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_high.yar#L706) | [discord.com/api/webhooks/](https://github.com/search?q=discord.com%2Fapi%2Fwebhooks%2F&type=code) | +| MEDIUM | [exfil/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/discord.yara#discord_bot) | Uses the Discord webhooks API | [discord.com/api/webhooks/](https://github.com/search?q=discord.com%2Fapi%2Fwebhooks%2F&type=code) | | MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code) | | MEDIUM | [exfil/stealer/creds](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/creds.yara#suspected_data_stealer) | suspected data stealer | [Snowflake](https://github.com/search?q=Snowflake&type=code)
[Telegram](https://github.com/search?q=Telegram&type=code)
[History](https://github.com/search?q=History&type=code)
[Binance](https://github.com/search?q=Binance&type=code)
[Discord](https://github.com/search?q=Discord&type=code)
[OpenVPN](https://github.com/search?q=OpenVPN&type=code)
[Firefox](https://github.com/search?q=Firefox&type=code)
[Atomic](https://github.com/search?q=Atomic&type=code)
[Chrome](https://github.com/search?q=Chrome&type=code) | | MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#file_io_uploader) | uploads content to file.io | [file.io](https://github.com/search?q=file.io&type=code)
[POST](https://github.com/search?q=POST&type=code)
[post](https://github.com/search?q=post&type=code) | @@ -146,8 +146,7 @@ | LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm non-TreeNoderserror creating cancelr](https://github.com/search?q=rm+non-TreeNoderserror+creating+cancelr&type=code)
[rm on-chain due to too low of a transa](https://github.com/search?q=rm+on-chain+due+to+too+low+of+a+transa&type=code) | | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | | LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [os.(*File).Read](https://github.com/search?q=os.%28%2AFile%29.Read&type=code)
[ReadFile](https://github.com/search?q=ReadFile&type=code) | -| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [os.rename](https://github.com/search?q=os.rename&type=code)
[MoveFile](https://github.com/search?q=MoveFile&type=code) | -| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statFile](https://github.com/search?q=fs.statFile&type=code) | +| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [os.rename](https://github.com/search?q=os.rename&type=code)
[os.Rename](https://github.com/search?q=os.Rename&type=code)
[MoveFile](https://github.com/search?q=MoveFile&type=code) | | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [writeFilePatchHeader](https://github.com/search?q=writeFilePatchHeader&type=code)
[writeFileToArchive](https://github.com/search?q=writeFileToArchive&type=code)
[writeCacheFile](https://github.com/search?q=writeCacheFile&type=code)
[writeFilestat](https://github.com/search?q=writeFilestat&type=code)
[writeRawFile](https://github.com/search?q=writeRawFile&type=code)
[writerFile](https://github.com/search?q=writerFile&type=code)
[WriteFile](https://github.com/search?q=WriteFile&type=code) | | LOW | [fs/link_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple index efc382e09..93ea02624 100644 --- a/tests/linux/clean/wolfictl.simple +++ b/tests/linux/clean/wolfictl.simple @@ -6,11 +6,11 @@ c2/addr/http_dynamic: medium c2/addr/ip: medium c2/addr/url: low c2/client: medium +c2/discovery/ip_dns_resolver: medium c2/tool_transfer/arch: low c2/tool_transfer/download: medium c2/tool_transfer/dropper: medium c2/tool_transfer/os: medium -collect/archives/tar_command: medium collect/archives/unarchive: medium collect/archives/zip: medium collect/code/github_api: low @@ -74,7 +74,6 @@ exec/cmd: medium exec/cmd/pipe: medium exec/conditional/LANG: low exec/dylib/symbol_address: medium -exec/install_additional/pip_install: medium exec/plugin: low exec/program: medium exec/shell/TERM: low @@ -95,7 +94,6 @@ fs/file/delete_forcibly: medium fs/file/open: low fs/file/read: low fs/file/rename: low -fs/file/stat: low fs/file/times_set: medium fs/file/truncate: low fs/file/write: low diff --git a/tests/linux/clean/x11vnc.simple b/tests/linux/clean/x11vnc.simple index 00874b2cc..7ccd6eab8 100644 --- a/tests/linux/clean/x11vnc.simple +++ b/tests/linux/clean/x11vnc.simple @@ -1,6 +1,5 @@ # linux/clean/x11vnc: medium anti-behavior/random_behavior: low -anti-static/obfuscation/js: medium c2/addr/http_dynamic: medium c2/addr/ip: medium c2/addr/url: low 
diff --git a/tests/linux/clean/zipdetails.md b/tests/linux/clean/zipdetails.md index 2295e5695..00cf228d8 100644 --- a/tests/linux/clean/zipdetails.md +++ b/tests/linux/clean/zipdetails.md @@ -2,7 +2,6 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| MEDIUM | [anti-static/obfuscation/bitwise](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#bidirectional_bitwise_math) | [uses bitwise math in both directions](https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection) | [dt >> 16](https://github.com/search?q=dt+%3E%3E+16&type=code)
[got << 8](https://github.com/search?q=got+%3C%3C+8&type=code)
[dt >> 25](https://github.com/search?q=dt+%3E%3E+25&type=code)
[dt >> 11](https://github.com/search?q=dt+%3E%3E+11&type=code)
[dt >> 21](https://github.com/search?q=dt+%3E%3E+21&type=code)
[1 << 11](https://github.com/search?q=1+%3C%3C+11&type=code)
[dt >> 5](https://github.com/search?q=dt+%3E%3E+5&type=code)
[gp >> 1](https://github.com/search?q=gp+%3E%3E+1&type=code)
[dt << 1](https://github.com/search?q=dt+%3C%3C+1&type=code)
[1 << 5](https://github.com/search?q=1+%3C%3C+5&type=code)
[1 << 4](https://github.com/search?q=1+%3C%3C+4&type=code)
[2 << 1](https://github.com/search?q=2+%3C%3C+1&type=code)
[1 << 0](https://github.com/search?q=1+%3C%3C+0&type=code)
[1 << 6](https://github.com/search?q=1+%3C%3C+6&type=code)
[1 << 3](https://github.com/search?q=1+%3C%3C+3&type=code) | | MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#excessive_hex_refs) | many references to hexadecimal values | [0x10000000](https://github.com/search?q=0x10000000&type=code)
[0x08074b50](https://github.com/search?q=0x08074b50&type=code)
[0x02014b50](https://github.com/search?q=0x02014b50&type=code)
[0x06054b50](https://github.com/search?q=0x06054b50&type=code)
[0x06064b50](https://github.com/search?q=0x06064b50&type=code)
[0x07064b50](https://github.com/search?q=0x07064b50&type=code)
[0x08064b50](https://github.com/search?q=0x08064b50&type=code)
[0x05054b50](https://github.com/search?q=0x05054b50&type=code)
[0xE9F3F9F0](https://github.com/search?q=0xE9F3F9F0&type=code)
[0x7109871a](https://github.com/search?q=0x7109871a&type=code)
[0xf05368c0](https://github.com/search?q=0xf05368c0&type=code)
[0x04034b50](https://github.com/search?q=0x04034b50&type=code)
[0x19DB1DED](https://github.com/search?q=0x19DB1DED&type=code)
[0xFFFFFFFF](https://github.com/search?q=0xFFFFFFFF&type=code)
[0x2146444e](https://github.com/search?q=0x2146444e&type=code)
[0xff3b5998](https://github.com/search?q=0xff3b5998&type=code)
[0x71777777](https://github.com/search?q=0x71777777&type=code)
[0x504b4453](https://github.com/search?q=0x504b4453&type=code)
[0x6dff800d](https://github.com/search?q=0x6dff800d&type=code)
[0x42726577](https://github.com/search?q=0x42726577&type=code)
[0x0065](https://github.com/search?q=0x0065&type=code)
[0x7FFF](https://github.com/search?q=0x7FFF&type=code)
[0x4154](https://github.com/search?q=0x4154&type=code)
[0x4341](https://github.com/search?q=0x4341&type=code)
[0x4453](https://github.com/search?q=0x4453&type=code)
[0x4690](https://github.com/search?q=0x4690&type=code)
[0x4704](https://github.com/search?q=0x4704&type=code)
[0x470f](https://github.com/search?q=0x470f&type=code)
[0x4854](https://github.com/search?q=0x4854&type=code)
[0x4b46](https://github.com/search?q=0x4b46&type=code)
[0x4c41](https://github.com/search?q=0x4c41&type=code)
[0x4d49](https://github.com/search?q=0x4d49&type=code)
[0x4d63](https://github.com/search?q=0x4d63&type=code)
[0x4f4c](https://github.com/search?q=0x4f4c&type=code)
[0x5356](https://github.com/search?q=0x5356&type=code)
[0x5455](https://github.com/search?q=0x5455&type=code)
[0x554e](https://github.com/search?q=0x554e&type=code)
[0x5855](https://github.com/search?q=0x5855&type=code)
[0x5a4c](https://github.com/search?q=0x5a4c&type=code)
[0x5a4d](https://github.com/search?q=0x5a4d&type=code)
[0x6375](https://github.com/search?q=0x6375&type=code)
[0x6542](https://github.com/search?q=0x6542&type=code)
[0x6854](https://github.com/search?q=0x6854&type=code)
[0x7075](https://github.com/search?q=0x7075&type=code)
[0x756e](https://github.com/search?q=0x756e&type=code)
[0x7441](https://github.com/search?q=0x7441&type=code)
[0x7855](https://github.com/search?q=0x7855&type=code)
[0x7875](https://github.com/search?q=0x7875&type=code)
[0x9901](https://github.com/search?q=0x9901&type=code)
[0xa11e](https://github.com/search?q=0xa11e&type=code)
[0xA220](https://github.com/search?q=0xA220&type=code)
[0xCAFE](https://github.com/search?q=0xCAFE&type=code)
[0xfb4a](https://github.com/search?q=0xfb4a&type=code)
[0x0001](https://github.com/search?q=0x0001&type=code)
[0x0007](https://github.com/search?q=0x0007&type=code)
[0x0008](https://github.com/search?q=0x0008&type=code)
[0x0009](https://github.com/search?q=0x0009&type=code)
[0x000a](https://github.com/search?q=0x000a&type=code)
[0x2805](https://github.com/search?q=0x2805&type=code)
[0x8000](https://github.com/search?q=0x8000&type=code)
[0x334d](https://github.com/search?q=0x334d&type=code)
[0x2705](https://github.com/search?q=0x2705&type=code)
[0x2605](https://github.com/search?q=0x2605&type=code)
[0x07c8](https://github.com/search?q=0x07c8&type=code)
[0x0066](https://github.com/search?q=0x0066&type=code)
[0x0023](https://github.com/search?q=0x0023&type=code)
[0x0022](https://github.com/search?q=0x0022&type=code)
[0x0021](https://github.com/search?q=0x0021&type=code)
[0x0020](https://github.com/search?q=0x0020&type=code)
[0x0019](https://github.com/search?q=0x0019&type=code)
[0x0018](https://github.com/search?q=0x0018&type=code)
[0x0017](https://github.com/search?q=0x0017&type=code)
[0x0016](https://github.com/search?q=0x0016&type=code)
[0x000c](https://github.com/search?q=0x000c&type=code)
[0x000d](https://github.com/search?q=0x000d&type=code)
[0x000e](https://github.com/search?q=0x000e&type=code)
[0x000f](https://github.com/search?q=0x000f&type=code)
[0x0014](https://github.com/search?q=0x0014&type=code)
[0x0015](https://github.com/search?q=0x0015&type=code)
[0x01](https://github.com/search?q=0x01&type=code)
[0x1f](https://github.com/search?q=0x1f&type=code)
[0x0f](https://github.com/search?q=0x0f&type=code)
[0x7f](https://github.com/search?q=0x7f&type=code)
[0x03](https://github.com/search?q=0x03&type=code)
[0x20](https://github.com/search?q=0x20&type=code)
[0x3e](https://github.com/search?q=0x3e&type=code)
[0x3f](https://github.com/search?q=0x3f&type=code)
[\x00](https://github.com/search?q=%5Cx00&type=code)
[\x01](https://github.com/search?q=%5Cx01&type=code) | | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[http://](http://)
[Windows](https://github.com/search?q=Windows&type=code)
[Darwin](https://github.com/search?q=Darwin&type=code)
[linux](https://github.com/search?q=linux&type=code) | | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip files](https://github.com/search?q=zip+files&type=code)
[zipfile](https://github.com/search?q=zipfile&type=code)
[ZIP64](https://github.com/search?q=ZIP64&type=code) | diff --git a/tests/linux/mimipenguin/bash/mimipenguin.simple b/tests/linux/mimipenguin/bash/mimipenguin.simple index d705355d3..d5f19d7b0 100644 --- a/tests/linux/mimipenguin/bash/mimipenguin.simple +++ b/tests/linux/mimipenguin/bash/mimipenguin.simple @@ -8,8 +8,6 @@ credential/ssh/d: medium data/base64/external: medium data/encoding/base64: low discover/system/platform: medium -exec/imports/python: medium -exec/shell/command: medium exec/shell/exec: medium exec/shell/ignore_output: medium exfil/stealer/password: critical diff --git a/tests/linux/mimipenguin/python/mimipenguin.simple b/tests/linux/mimipenguin/python/mimipenguin.simple index 3dba6765b..9f946cfbf 100644 --- a/tests/linux/mimipenguin/python/mimipenguin.simple +++ b/tests/linux/mimipenguin/python/mimipenguin.simple @@ -6,14 +6,10 @@ credential/os/shadow: medium credential/password: low credential/password/finder: high credential/ssh/d: medium -data/base64/decode: medium data/encoding/base64: low discover/process/name: medium discover/processes/list: medium -discover/system/platform: medium -exec/imports/python: low exfil/stealer/password: critical -fs/directory/list: low fs/file/open: low fs/path/etc: low fs/path/usr_bin: low diff --git a/tests/linux/synthetic/cnc-dns-over-https.aarch64.simple b/tests/linux/synthetic/cnc-dns-over-https.aarch64.simple index ad35cab99..a1cbf5173 100644 --- a/tests/linux/synthetic/cnc-dns-over-https.aarch64.simple +++ b/tests/linux/synthetic/cnc-dns-over-https.aarch64.simple @@ -1,5 +1,5 @@ # linux/synthetic/cnc-dns-over-https.aarch64: high -anti-behavior/random_behavior: medium +anti-behavior/random_behavior: low c2/addr/ip: high c2/addr/url: low c2/discovery/ip_dns_resolver: medium diff --git a/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff index 1c6c0ba57..3de65c25b 100644 --- a/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff 
+++ b/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff @@ -1,4 +1,4 @@ -## Changed (2 added, 16 removed): macOS/clean/ls [🟡 MEDIUM → 🔵 LOW] +## Changed (2 added, 14 removed): macOS/clean/ls [🟡 MEDIUM → 🔵 LOW] ### 2 new behaviors @@ -7,13 +7,11 @@ | +LOW | **[fs/directory/traverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-traverse.yara#fts)** | traverse filesystem hierarchy | [_fts_children](https://github.com/search?q=_fts_children&type=code)
[_fts_close](https://github.com/search?q=_fts_close&type=code)
[_fts_read](https://github.com/search?q=_fts_read&type=code)
[_fts_open](https://github.com/search?q=_fts_open&type=code)
[_fts_set](https://github.com/search?q=_fts_set&type=code) | | +LOW | **[fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink)** | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -### 16 removed behaviors +### 14 removed behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| | -MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt) | encrypts data | [Encryption initializati](https://github.com/search?q=Encryption+initializati&type=code)
[Encryption info](https://github.com/search?q=Encryption+info&type=code) | -| -MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) | -| -MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | | -MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | | -MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) | | -MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [POST](https://github.com/search?q=POST&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[http](https://github.com/search?q=http&type=code) | diff --git a/tests/macOS/2023.3CX/libffmpeg.dirty.dylib.simple b/tests/macOS/2023.3CX/libffmpeg.dirty.dylib.simple index d929c3599..f396c7106 100644 --- a/tests/macOS/2023.3CX/libffmpeg.dirty.dylib.simple +++ b/tests/macOS/2023.3CX/libffmpeg.dirty.dylib.simple @@ -12,8 +12,6 @@ c2/tool_transfer/os: low crypto/aes: low crypto/encrypt: medium crypto/rc4: low -data/base64/decode: medium -data/base64/encode: medium data/compression/gzip: low data/compression/zlib: low data/encoding/base64: low diff --git a/tests/macOS/2023.3CX/libffmpeg.dylib.simple b/tests/macOS/2023.3CX/libffmpeg.dylib.simple index 3cca27c6a..080038bc7 100644 --- a/tests/macOS/2023.3CX/libffmpeg.dylib.simple +++ b/tests/macOS/2023.3CX/libffmpeg.dylib.simple @@ -6,8 +6,6 @@ c2/tool_transfer/os: low crypto/aes: low crypto/encrypt: medium crypto/rc4: low -data/base64/decode: medium -data/base64/encode: medium data/compression/zlib: low data/encoding/base64: low exec/shell/TERM: low diff --git a/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff b/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff index a77e8e67b..9c13f30ad 100644 --- a/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff @@ -1,12 +1,10 @@ -## Changed (16 added, 2 removed): macOS/2023.3CX/libffmpeg.dylib [🔵 LOW → 🟡 MEDIUM] +## Changed (14 added, 2 removed): macOS/2023.3CX/libffmpeg.dylib [🔵 LOW → 🟡 MEDIUM] -### 16 new behaviors +### 14 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| | +MEDIUM | **[crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt)** | encrypts data | [Encryption initializati](https://github.com/search?q=Encryption+initializati&type=code)
[Encryption info](https://github.com/search?q=Encryption+info&type=code) | -| +MEDIUM | **[data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode)** | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) | -| +MEDIUM | **[data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode)** | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | | +MEDIUM | **[fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path)** | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | | +MEDIUM | **[impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent)** | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) | | +MEDIUM | **[net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post)** | submits content to websites | [POST](https://github.com/search?q=POST&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[http](https://github.com/search?q=http&type=code) | diff --git a/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple b/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple index aa4703747..465ed14ae 100644 --- a/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple +++ b/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple @@ -1,6 +1,5 @@ # macOS/2024.79-137-192-4/var_tmp_exe_starting2: critical anti-static/xor/certs: high -c2/tool_transfer/osascript: high evasion/file/location/var_tmp: medium exec/script/osa: high exec/shell/exec: medium @@ -8,6 +7,5 @@ fs/file/make_executable: high fs/path/tmp: medium fs/path/var: low fs/permission/modify: medium -impact/degrade/app: medium process/create: low process/multithreaded: low diff --git a/tests/macOS/2024.Rustdoor/localfile.simple b/tests/macOS/2024.Rustdoor/localfile.simple index 528766345..30dad65cf 100644 --- a/tests/macOS/2024.Rustdoor/localfile.simple +++ b/tests/macOS/2024.Rustdoor/localfile.simple @@ -4,7 +4,6 @@ c2/addr/url: low c2/tool_transfer/chmod_dropper: high c2/tool_transfer/macos: critical c2/tool_transfer/os: medium -c2/tool_transfer/shell: critical collect/archives/zip: medium collect/databases/mysql: medium collect/databases/sqlite: medium @@ -80,7 +79,6 @@ os/kernel/dispatch_semaphore: low os/sync/semaphore_user: low persist/daemon: medium persist/launchd/launch_agent: medium -privesc/osascript: critical privesc/setuid: low process/chdir: low process/create: low diff --git a/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple b/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple index 270e10c62..58ea40364 100644 --- a/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple +++ b/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple @@ -11,7 +11,6 @@ crypto/gost89: low crypto/openssl: medium crypto/public_key: low crypto/rc4: low -data/base64/decode: medium data/compression/zlib: low data/encoding/base64: low data/hash/blake2b: low 
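Review bot: The Rustdoor expectation in this hunk drops `c2/tool_transfer/shell: critical` and `privesc/osascript: critical` from a confirmed macOS backdoor sample, and nothing in the diff shows which rule edit caused the loss, so it reads as a detection regression rather than a false-positive fix. If these findings disappeared because the rules are now scoped by program kind (the scan.go hunk starts passing `kind` into `report.Generate`), that scoping should be re-checked against this sample before the fixture is lowered, since osascript and shell-based tool transfer are core behaviours of this family. The same physical line also removes `c2/tool_transfer/osascript: high` from the var_tmp_exe_starting2 sample, which points at the same cause. The overall-score header for the Rustdoor fixture is outside this hunk, so whether the file still rates critical cannot be confirmed from here.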
diff --git a/tests/npm/2024.bugsnagmw/index.js.simple b/tests/npm/2024.bugsnagmw/index.js.simple index fe8d747e8..3a4c38a79 100644 --- a/tests/npm/2024.bugsnagmw/index.js.simple +++ b/tests/npm/2024.bugsnagmw/index.js.simple @@ -1,8 +1,7 @@ # npm/2024.bugsnagmw/index.js: critical anti-static/obfuscation/bool: medium anti-static/obfuscation/hex: medium -anti-static/obfuscation/js: critical -anti-static/obfuscation/python: critical +anti-static/obfuscation/js: high data/encoding/int: medium discover/ip/public: high net/http: low diff --git a/tests/npm/2024.harthat/deference.js.simple b/tests/npm/2024.harthat/deference.js.simple index 8938138ca..489644706 100644 --- a/tests/npm/2024.harthat/deference.js.simple +++ b/tests/npm/2024.harthat/deference.js.simple @@ -5,7 +5,6 @@ c2/tool_transfer/os: low discover/system/platform: medium evasion/indicator_blocking/echo_off: high fs/file/delete: medium -fs/file/rename: medium fs/file/write: low impact/remote_access/dll_injection: critical net/download/fetch: critical diff --git a/tests/npm/2024.hlwgirl/index.js.simple b/tests/npm/2024.hlwgirl/index.js.simple index be0480fb1..36b5027e3 100644 --- a/tests/npm/2024.hlwgirl/index.js.simple +++ b/tests/npm/2024.hlwgirl/index.js.simple @@ -1,5 +1,4 @@ # npm/2024.hlwgirl/index.js: high -anti-static/obfuscation/hex: high data/encoding/base64: low fs/file/write: low impact/remote_access/base64_exec: high diff --git a/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple b/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple index 5fff8faa7..6a9780a25 100644 --- a/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple +++ b/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple @@ -1,6 +1,4 @@ # npm/2024.legacyreact-aws-s3-typescript/package.json: critical -c2/tool_transfer/npm: critical -c2/tool_transfer/shell: high exec/program/hidden: medium exec/shell/background_launcher: high exfil/npm: high 
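Review bot: The legacyreact-aws-s3-typescript `package.json.simple` hunk removes `c2/tool_transfer/npm: critical` and `c2/tool_transfer/shell: high` while leaving the file rated critical on the strength of `exec/shell/background_launcher` and `exfil/npm` alone. A `package.json` install hook is precisely where npm supply-chain malware places its shell and curl/npm commands, so if these two rules are now gated to a kind that excludes JSON manifests (inferred from the `kind` plumbing in the scan.go hunk), the gate is excluding the most important file type for this rule family. Either keep the tool_transfer rules applicable to `package.json`/`.npmrc`-style manifests or add a note in the rule source such as `# applies to: javascript, json (package.json install scripts)` so the intended coverage is explicit. The hlwgirl fixture on the same line also loses `anti-static/obfuscation/hex: high`, which is worth a second look for the same reason.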
diff --git a/tests/npm/2024.next-react-notify/tocall.js.simple b/tests/npm/2024.next-react-notify/tocall.js.simple index cba2c1153..de43eff3f 100644 --- a/tests/npm/2024.next-react-notify/tocall.js.simple +++ b/tests/npm/2024.next-react-notify/tocall.js.simple @@ -1,5 +1,4 @@ # npm/2024.next-react-notify/tocall.js: critical -anti-static/obfuscation/powershell: critical c2/addr/ip: high c2/addr/url: high c2/tool_transfer/os: low @@ -8,7 +7,6 @@ evasion/bypass_security/executionpolicy_bypass: high evasion/indicator_blocking/echo_off: high exec/shell/power: medium fs/file/delete: medium -fs/file/rename: medium fs/file/write: low net/download/fetch: critical net/http: low diff --git a/tests/npm/2024.persona-tool/preinstall.js.simple b/tests/npm/2024.persona-tool/preinstall.js.simple index 858fdff2f..388bfed23 100644 --- a/tests/npm/2024.persona-tool/preinstall.js.simple +++ b/tests/npm/2024.persona-tool/preinstall.js.simple @@ -1,6 +1,5 @@ # npm/2024.persona-tool/preinstall.js: critical anti-behavior/random_behavior: low -anti-static/obfuscation/hex: medium c2/addr/ip: medium c2/discovery/ip_dns_resolver: medium data/encoding/json_encode: low diff --git a/tests/npm/2024.solana_web3/v1.95.7.index.browser.esm.js.simple b/tests/npm/2024.solana_web3/v1.95.7.index.browser.esm.js.simple index fa91f7f11..cb7fd8696 100644 --- a/tests/npm/2024.solana_web3/v1.95.7.index.browser.esm.js.simple +++ b/tests/npm/2024.solana_web3/v1.95.7.index.browser.esm.js.simple @@ -1,7 +1,5 @@ # npm/2024.solana_web3/v1.95.7.index.browser.esm.js: critical anti-behavior/random_behavior: low -anti-static/obfuscation/hex: medium -anti-static/obfuscation/reverse: medium anti-static/obfuscation/strtoi: medium c2/addr/url: high credential/ssl/key: high @@ -26,4 +24,3 @@ net/ip/host_port: medium net/socket/send: low net/url/embedded: low os/time/clock_sleep: medium -persist/kernel_module/symbol_lookup: low 
diff --git a/tests/npm/2024.solana_web3/v1.95.8.index.browser.esm.js.simple b/tests/npm/2024.solana_web3/v1.95.8.index.browser.esm.js.simple index 35f5c169d..b19dd72e7 100644 --- a/tests/npm/2024.solana_web3/v1.95.8.index.browser.esm.js.simple +++ b/tests/npm/2024.solana_web3/v1.95.8.index.browser.esm.js.simple @@ -1,6 +1,5 @@ # npm/2024.solana_web3/v1.95.8.index.browser.esm.js: high anti-behavior/random_behavior: low -anti-static/obfuscation/hex: medium anti-static/obfuscation/strtoi: medium credential/ssl/key: high credential/ssl/private_key: low @@ -22,4 +21,3 @@ net/ip/host_port: medium net/socket/send: low net/url/embedded: low os/time/clock_sleep: medium -persist/kernel_module/symbol_lookup: low diff --git a/tests/php/2024.S3RV4N7-SHELL/crot.php.simple b/tests/php/2024.S3RV4N7-SHELL/crot.php.simple index 83bffee23..e9d520d94 100644 --- a/tests/php/2024.S3RV4N7-SHELL/crot.php.simple +++ b/tests/php/2024.S3RV4N7-SHELL/crot.php.simple @@ -2,7 +2,6 @@ 3P/sig_base/webshell_php: critical anti-static/base64/function_names: medium anti-static/obfuscation/php: medium -data/base64/decode: medium data/encoding/base64: low evasion/indicator_blocking/mask_exceptions: medium impact/remote_access/php: high diff --git a/tests/php/2024.WordFence.evasion/wp-engine-fast-action.php.simple b/tests/php/2024.WordFence.evasion/wp-engine-fast-action.php.simple index c8e893f23..c52c7bb02 100644 --- a/tests/php/2024.WordFence.evasion/wp-engine-fast-action.php.simple +++ b/tests/php/2024.WordFence.evasion/wp-engine-fast-action.php.simple @@ -1,5 +1,4 @@ # php/2024.WordFence.evasion/wp-engine-fast-action.php: critical anti-static/obfuscation/php: high -anti-static/obfuscation/python: critical data/embedded/base64: medium data/encoding/reverse: low diff --git a/tests/php/2024.malcure/simple.php.simple b/tests/php/2024.malcure/simple.php.simple index b3ee01953..b41fe5d44 100644 --- a/tests/php/2024.malcure/simple.php.simple +++ b/tests/php/2024.malcure/simple.php.simple 
@@ -1,7 +1,6 @@ # php/2024.malcure/simple.php: critical 3P/sig_base/webshell_php: critical 3P/sig_base/webshell_php_obfusc: critical -data/base64/decode: medium data/encoding/base64: low exec/remote_commands/code_eval: high impact/remote_access/backdoor: medium diff --git a/tests/php/2024.sagsooz/2024.php.simple b/tests/php/2024.sagsooz/2024.php.simple index adc01c233..a88adeee7 100644 --- a/tests/php/2024.sagsooz/2024.php.simple +++ b/tests/php/2024.sagsooz/2024.php.simple @@ -2,14 +2,12 @@ 3P/sig_base/webshell_php: critical c2/addr/url: medium credential/password: low -data/base64/decode: medium data/embedded/base64_url: medium data/embedded/html: medium data/encoding/base64: low discover/process/egid: medium evasion/indicator_blocking/mask_exceptions: medium evasion/time/php_no_limit: medium -exec/imports/python: low exec/shell/command: medium fs/directory/remove: low fs/file/delete: low diff --git a/tests/php/clean/composer-2.7.7.simple b/tests/php/clean/composer-2.7.7.simple index 094fbe11f..878816868 100644 --- a/tests/php/clean/composer-2.7.7.simple +++ b/tests/php/clean/composer-2.7.7.simple @@ -1,7 +1,5 @@ # php/clean/composer-2.7.7: medium -anti-behavior/anti_debugger: medium anti-behavior/random_behavior: low -anti-static/obfuscation/js: medium anti-static/obfuscation/php: medium c2/addr/http_dynamic: medium c2/addr/ip: medium @@ -18,7 +16,6 @@ crypto/aes: low crypto/encrypt: medium crypto/openssl: medium crypto/public_key: low -data/base64/decode: medium data/base64/encode: medium data/compression/bzip2: low data/compression/gzip: low @@ -49,7 +46,6 @@ fs/directory/remove: low fs/file/copy: medium fs/file/delete: low fs/file/delete_forcibly: medium -fs/file/read: low fs/file/times_set: medium fs/file/truncate: low fs/file/write: low diff --git a/tests/php/clean/module.audio-video.quicktime.php.simple b/tests/php/clean/module.audio-video.quicktime.php.simple index d0d6f155d..5eb215b39 100644 --- a/tests/php/clean/module.audio-video.quicktime.php.simple 
+++ b/tests/php/clean/module.audio-video.quicktime.php.simple @@ -1,7 +1,6 @@ # php/clean/module.audio-video.quicktime.php: medium anti-static/obfuscation/bitwise: medium anti-static/obfuscation/hex: medium -anti-static/obfuscation/js: medium c2/tool_transfer/os: low crypto/encrypt: medium data/compression/zlib: low diff --git a/tests/php/clean/run-tests.php.simple b/tests/php/clean/run-tests.php.simple index 30177c024..c4677531e 100644 --- a/tests/php/clean/run-tests.php.simple +++ b/tests/php/clean/run-tests.php.simple @@ -1,7 +1,6 @@ # php/clean/run-tests.php: medium anti-behavior/random_behavior: low c2/tool_transfer/os: low -data/base64/decode: medium data/base64/encode: medium data/compression/gzip: low data/compression/zlib: low @@ -9,7 +8,6 @@ data/encoding/base64: low discover/system/platform: low discover/user/USER: low evasion/time/php_no_limit: medium -exec/cmd: medium exec/shell/command: medium exec/shell/exec: medium exec/shell/ignore_output: medium diff --git a/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple b/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple index f1ae54b0e..68e03eb27 100644 --- a/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple +++ b/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple @@ -12,7 +12,6 @@ evasion/file/prefix/tmp: high exec/cmd/pipe: medium exec/imports/python: low exec/program: medium -exec/shell/command: medium exfil/curl_post: medium exfil/whoami_hostname: high fs/file/read: low diff --git a/tests/python/2024.Custom.RAT/output.py.simple b/tests/python/2024.Custom.RAT/output.py.simple index a093fd049..b56b156b4 100644 --- a/tests/python/2024.Custom.RAT/output.py.simple +++ b/tests/python/2024.Custom.RAT/output.py.simple @@ -30,7 +30,6 @@ exec/dylib/windll: medium exec/imports/python: low exec/program: medium exec/script/wsh: medium -exec/shell/command: medium exec/shell/power: medium exfil/discord: critical exfil/stealer/browser: high 
diff --git a/tests/python/2024.RookeryCapital_PythonTest/__init__.py.simple b/tests/python/2024.RookeryCapital_PythonTest/__init__.py.simple index 54ac0a2f0..fc466e466 100644 --- a/tests/python/2024.RookeryCapital_PythonTest/__init__.py.simple +++ b/tests/python/2024.RookeryCapital_PythonTest/__init__.py.simple @@ -5,7 +5,6 @@ data/encoding/base64: low discover/system/platform: medium exec/imports/python: low exec/program: medium -exec/shell/command: medium fs/file/open: low fs/file/write: low fs/tempdir: low diff --git a/tests/python/2024.ScreenLocker/0a5f907e9f0dade65fc292d3f1ed1f68cfb68895a84adaa173c543792be891ba.py.simple b/tests/python/2024.ScreenLocker/0a5f907e9f0dade65fc292d3f1ed1f68cfb68895a84adaa173c543792be891ba.py.simple index fa773c151..d1f755835 100644 --- a/tests/python/2024.ScreenLocker/0a5f907e9f0dade65fc292d3f1ed1f68cfb68895a84adaa173c543792be891ba.py.simple +++ b/tests/python/2024.ScreenLocker/0a5f907e9f0dade65fc292d3f1ed1f68cfb68895a84adaa173c543792be891ba.py.simple @@ -1,6 +1,5 @@ # python/2024.ScreenLocker/0a5f907e9f0dade65fc292d3f1ed1f68cfb68895a84adaa173c543792be891ba.py: critical credential/password: low exec/imports/python: low -exec/shell/command: medium impact/ransom/locked: high malware/family/lockscreen: critical diff --git a/tests/python/2024.krypton_ddos/b2d4cc2ecf9919bf84ce9ce83bb6b99b68a78181c1976a4f72526c3085096f99.py.simple b/tests/python/2024.krypton_ddos/b2d4cc2ecf9919bf84ce9ce83bb6b99b68a78181c1976a4f72526c3085096f99.py.simple index 957ffa370..a9e4df5ad 100644 --- a/tests/python/2024.krypton_ddos/b2d4cc2ecf9919bf84ce9ce83bb6b99b68a78181c1976a4f72526c3085096f99.py.simple +++ b/tests/python/2024.krypton_ddos/b2d4cc2ecf9919bf84ce9ce83bb6b99b68a78181c1976a4f72526c3085096f99.py.simple @@ -4,6 +4,7 @@ anti-static/obfuscation/python: medium c2/addr/ip: medium c2/addr/url: medium c2/connect/ping_pong: medium +c2/discovery/ip_dns_resolver: medium c2/refs: high c2/tool_transfer/os: low credential/password: low 
diff --git a/tests/python/2024.obfuscation/03c5d13d880ac4db8f9b45bda438e286a75a60f72ef26cf45670b31ffa92482e.py.simple b/tests/python/2024.obfuscation/03c5d13d880ac4db8f9b45bda438e286a75a60f72ef26cf45670b31ffa92482e.py.simple index ed7b7cf7c..f663251f2 100644 --- a/tests/python/2024.obfuscation/03c5d13d880ac4db8f9b45bda438e286a75a60f72ef26cf45670b31ffa92482e.py.simple +++ b/tests/python/2024.obfuscation/03c5d13d880ac4db8f9b45bda438e286a75a60f72ef26cf45670b31ffa92482e.py.simple @@ -1,5 +1,6 @@ # python/2024.obfuscation/03c5d13d880ac4db8f9b45bda438e286a75a60f72ef26cf45670b31ffa92482e.py: critical anti-static/obfuscation/python: high +anti-static/obfuscation/python_setuptools: medium anti-static/packer/pycloak: critical data/base64/decode: medium data/compression/lzma: low diff --git a/tests/python/2024.pyobfuscate/4aa577b492b38c0334b7d2783526a263394e3a4bb349383cbc45786ae2b79b42.py.simple b/tests/python/2024.pyobfuscate/4aa577b492b38c0334b7d2783526a263394e3a4bb349383cbc45786ae2b79b42.py.simple index 136721bd0..469d0ceb7 100644 --- a/tests/python/2024.pyobfuscate/4aa577b492b38c0334b7d2783526a263394e3a4bb349383cbc45786ae2b79b42.py.simple +++ b/tests/python/2024.pyobfuscate/4aa577b492b38c0334b7d2783526a263394e3a4bb349383cbc45786ae2b79b42.py.simple @@ -1,5 +1,6 @@ # python/2024.pyobfuscate/4aa577b492b38c0334b7d2783526a263394e3a4bb349383cbc45786ae2b79b42.py: critical anti-static/obfuscation/obfuscate: low anti-static/obfuscation/python: critical +anti-static/obfuscation/python_setuptools: medium anti-static/packer/pyobfuscate: high net/url/embedded: low diff --git a/tests/python/2024.ultralytics/v8.3.41/utils/downloads.py.simple b/tests/python/2024.ultralytics/v8.3.41/utils/downloads.py.simple index 5a741366a..110b904a7 100644 --- a/tests/python/2024.ultralytics/v8.3.41/utils/downloads.py.simple +++ b/tests/python/2024.ultralytics/v8.3.41/utils/downloads.py.simple 
@@ -10,7 +10,6 @@ collect/code/github_api: low evasion/self_deletion/run_and_delete: high exec/imports/python: low exec/program: medium -exec/shell/command: medium exfil/stealer/browser: medium exfil/upload: medium fs/directory/create: low diff --git a/tests/python/2024.ultralytics/v8.3.46/__init__.py.simple b/tests/python/2024.ultralytics/v8.3.46/__init__.py.simple index 63c42be66..a2562dc70 100644 --- a/tests/python/2024.ultralytics/v8.3.46/__init__.py.simple +++ b/tests/python/2024.ultralytics/v8.3.46/__init__.py.simple @@ -1,7 +1,6 @@ # python/2024.ultralytics/v8.3.46/__init__.py: critical 3P/sig_base/pua_crypto_mining: critical c2/tool_transfer/os: low -c2/tool_transfer/shell: high discover/system/platform: medium exec/imports/python: low exec/program: medium diff --git a/tests/python/clean/google-auth-library-python/setup.py.simple b/tests/python/clean/google-auth-library-python/setup.py.simple index f5d9aa2f0..06ec89f90 100644 --- a/tests/python/clean/google-auth-library-python/setup.py.simple +++ b/tests/python/clean/google-auth-library-python/setup.py.simple @@ -4,7 +4,6 @@ crypto/openssl: medium exec/imports/python: low exec/program: medium exec/remote_commands/code_eval: medium -exec/shell/command: medium fs/file/open: low fs/file/read: low impact/remote_access/py_setuptools: medium diff --git a/tests/python/clean/google-cloud-sdk/requests_setup.py.simple b/tests/python/clean/google-cloud-sdk/requests_setup.py.simple index 8af62b318..4c4db507f 100644 --- a/tests/python/clean/google-cloud-sdk/requests_setup.py.simple +++ b/tests/python/clean/google-cloud-sdk/requests_setup.py.simple @@ -2,7 +2,6 @@ exec/imports/python: low exec/program: medium exec/remote_commands/code_eval: medium -exec/shell/command: medium fs/file/open: low fs/path/usr_bin: low impact/remote_access/py_setuptools: medium diff --git a/tests/python/clean/numpy/misc_util.py.simple b/tests/python/clean/numpy/misc_util.py.simple index 7401f555e..9393be389 100644 
--- a/tests/python/clean/numpy/misc_util.py.simple +++ b/tests/python/clean/numpy/misc_util.py.simple @@ -5,7 +5,6 @@ discover/system/platform: medium evasion/file/prefix: medium exec/install_additional/pip_install: medium exec/program: medium -exec/shell/command: medium fs/directory/list: low fs/directory/traverse: medium fs/file/delete: low diff --git a/tests/python/clean/requests/setup.py.simple b/tests/python/clean/requests/setup.py.simple index e4f398bbd..6290ffad5 100644 --- a/tests/python/clean/requests/setup.py.simple +++ b/tests/python/clean/requests/setup.py.simple @@ -3,7 +3,6 @@ c2/tool_transfer/download: medium exec/imports/python: low exec/program: medium exec/remote_commands/code_eval: medium -exec/shell/command: medium fs/file/open: low fs/path/usr_bin: low impact/remote_access/py_setuptools: medium diff --git a/tests/python/clean/setuptools/namespaces.py.simple b/tests/python/clean/setuptools/namespaces.py.simple index 9951a834d..28aedf1ae 100644 --- a/tests/python/clean/setuptools/namespaces.py.simple +++ b/tests/python/clean/setuptools/namespaces.py.simple @@ -1,6 +1,5 @@ -# python/clean/setuptools/namespaces.py: medium +# python/clean/setuptools/namespaces.py: low data/encoding/json_encode: low exec/imports/python: low -exec/shell/command: medium false-positives/setuptools: low fs/directory/create: low diff --git a/tests/python/clean/setuptools/test_pyprojecttoml.py.simple b/tests/python/clean/setuptools/test_pyprojecttoml.py.simple index 3f4fc9686..d429da3dc 100644 --- a/tests/python/clean/setuptools/test_pyprojecttoml.py.simple +++ b/tests/python/clean/setuptools/test_pyprojecttoml.py.simple @@ -2,7 +2,6 @@ c2/tool_transfer/os: low discover/system/platform: medium exec/imports/python: low -exec/shell/command: medium fs/file/open: low net/url/embedded: low os/fd/write: low diff --git a/tests/ruby/2018.CMD_Backdoor/connect.rb.simple b/tests/ruby/2018.CMD_Backdoor/connect.rb.simple index ac423f66d..7cef93853 100644 
--- a/tests/ruby/2018.CMD_Backdoor/connect.rb.simple +++ b/tests/ruby/2018.CMD_Backdoor/connect.rb.simple @@ -1,7 +1,6 @@ # ruby/2018.CMD_Backdoor/connect.rb: high discover/process/working_directory: low discover/system/platform: medium -exec/shell/command: medium fs/path/usr_bin: low impact/remote_access/backdoor: high net/http: low diff --git a/tests/ruby/2021.vector/vector.rb.simple b/tests/ruby/2021.vector/vector.rb.simple index 195a9109d..68bef1837 100644 --- a/tests/ruby/2021.vector/vector.rb.simple +++ b/tests/ruby/2021.vector/vector.rb.simple @@ -3,6 +3,5 @@ crypto/decrypt: low crypto/encrypt: medium exec/program: medium exec/script/ruby: medium -exec/shell/command: medium fs/file/write: medium net/url/embedded: medium diff --git a/tests/ruby/2024.Infecting_Simulation/malware.rb.simple b/tests/ruby/2024.Infecting_Simulation/malware.rb.simple index ef81dee51..f247c5282 100644 --- a/tests/ruby/2024.Infecting_Simulation/malware.rb.simple +++ b/tests/ruby/2024.Infecting_Simulation/malware.rb.simple @@ -1,6 +1,5 @@ # ruby/2024.Infecting_Simulation/malware.rb: high fs/directory/traverse: medium -fs/file/read: low fs/file/rename: low fs/file/write: medium malware/ref: high diff --git a/tests/ruby/2024.Ruby_rootkit/Ruby.c.simple b/tests/ruby/2024.Ruby_rootkit/Ruby.c.simple index 7da3aff6d..8792dc9bc 100644 --- a/tests/ruby/2024.Ruby_rootkit/Ruby.c.simple +++ b/tests/ruby/2024.Ruby_rootkit/Ruby.c.simple @@ -1,7 +1,6 @@ # ruby/2024.Ruby_rootkit/Ruby.c: critical 3P/elastic/rootkit: high c2/refs: medium -evasion/rootkit/kernel: critical evasion/rootkit/refs: high malware/ref: medium persist/kernel_module/symbol_lookup: high diff --git a/tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple b/tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple index c7b3908d6..cc77719cb 100644 --- a/tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple +++ b/tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple 
@@ -1,7 +1,6 @@ # ruby/2024.Ruby_rootkit/Ruby.rb: critical c2/refs: high evasion/rootkit/refs: high -exec/shell/command: medium exec/shell/exec: medium impact/remote_access/reverse_shell: high net/tcp/connect: medium diff --git a/tests/ruby/2024.gtfo/rsocket.rb.simple b/tests/ruby/2024.gtfo/rsocket.rb.simple index 69d986209..217fecd73 100644 --- a/tests/ruby/2024.gtfo/rsocket.rb.simple +++ b/tests/ruby/2024.gtfo/rsocket.rb.simple @@ -1,5 +1,4 @@ # ruby/2024.gtfo/rsocket.rb: high exec/cmd/pipe: medium -fs/file/read: low impact/remote_access/reverse_shell: high net/tcp/connect: medium diff --git a/tests/ruby/2024.reverse_shells/oreilly1.rb.simple b/tests/ruby/2024.reverse_shells/oreilly1.rb.simple index 002d799bc..51719b850 100644 --- a/tests/ruby/2024.reverse_shells/oreilly1.rb.simple +++ b/tests/ruby/2024.reverse_shells/oreilly1.rb.simple @@ -1,6 +1,5 @@ # ruby/2024.reverse_shells/oreilly1.rb: high c2/addr/ip: medium exec/cmd/pipe: medium -fs/file/read: low impact/remote_access/reverse_shell: high net/tcp/connect: medium diff --git a/tests/ruby/2024.reverse_shells/oreilly2.rb.simple b/tests/ruby/2024.reverse_shells/oreilly2.rb.simple index 3ca8cdcde..995ca0b57 100644 --- a/tests/ruby/2024.reverse_shells/oreilly2.rb.simple +++ b/tests/ruby/2024.reverse_shells/oreilly2.rb.simple @@ -1,6 +1,5 @@ # ruby/2024.reverse_shells/oreilly2.rb: critical 3P/sig_base/hktl_shellpop_ruby: critical exec/cmd/pipe: medium -fs/file/read: low impact/remote_access/reverse_shell: high net/tcp/connect: medium diff --git a/tests/windows/2024.GitHub.Clipper/main.exe.simple b/tests/windows/2024.GitHub.Clipper/main.exe.simple index 8e59c9913..8b7e29042 100644 --- a/tests/windows/2024.GitHub.Clipper/main.exe.simple +++ b/tests/windows/2024.GitHub.Clipper/main.exe.simple 
@@ -5,10 +5,11 @@ 3P/elastic/infostealer_wallets: critical 3P/elastic/multi_threat: high anti-behavior/anti_debugger: medium -anti-behavior/random_behavior: medium +anti-behavior/random_behavior: low c2/addr/discord: medium c2/addr/http_dynamic: medium c2/addr/ip: medium +c2/discovery/ip_dns_resolver: medium c2/tool_transfer/arch: low c2/tool_transfer/download: high c2/tool_transfer/github: medium @@ -28,7 +29,6 @@ credential/ssl/private_key: low crypto/aes: low crypto/cipher: medium crypto/decrypt: low -crypto/ecdsa: low crypto/ed25519: low crypto/public_key: low crypto/rc4: low @@ -44,7 +44,6 @@ discover/ip/public: high discover/network/mac_address: medium discover/processes/list: medium discover/system/cpu: low -exec/cmd/pipe: medium exec/conditional/is_admin: medium exec/plugin: low exec/program: medium @@ -62,7 +61,6 @@ fs/file/create: medium fs/file/delete: medium fs/file/open: low fs/file/read: low -fs/file/rename: low fs/file/write: low fs/path/dev: medium fs/path/etc: low @@ -97,10 +95,9 @@ net/ip/host_port: medium net/ip/parse: medium net/ip/resolve: low net/remote_control/vnc: medium -net/resolve/hostname: medium +net/resolve/hostname: low net/socket/listen: medium net/socket/local_addr: low -net/socket/options_set: medium net/socket/peer_address: low net/socket/receive: low net/socket/send: low diff --git a/tests/windows/2024.aspdasdksa2/creal.exe.simple b/tests/windows/2024.aspdasdksa2/creal.exe.simple index 3b312d9c9..b57a915ed 100644 --- a/tests/windows/2024.aspdasdksa2/creal.exe.simple +++ b/tests/windows/2024.aspdasdksa2/creal.exe.simple @@ -33,5 +33,4 @@ net/url/request: medium os/signal/handle: low process/chdir: low process/create: low -process/multi: medium process/terminate: medium diff --git a/tests/windows/2024.aspdasdksa2/creal.pyc.simple b/tests/windows/2024.aspdasdksa2/creal.pyc.simple index c3a1cb378..a39b203d1 100644 --- a/tests/windows/2024.aspdasdksa2/creal.pyc.simple +++ b/tests/windows/2024.aspdasdksa2/creal.pyc.simple 
@@ -17,7 +17,6 @@ credential/browser/chromium_master_password: high credential/gaming/minecraft: medium credential/password: low crypto/aes: low -data/base64/decode: medium data/encoding/base64: low discover/ip/geo: high discover/ip/public: high diff --git a/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple b/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple index 1a4bd5d28..ebe810732 100644 --- a/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple +++ b/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple @@ -1,9 +1,5 @@ # windows/clean/Swashbuckle.AspNetCore.ReDoc.dll: medium anti-behavior/random_behavior: low -anti-static/obfuscation/js: medium -anti-static/obfuscation/math: medium -anti-static/obfuscation/strtoi: medium -anti-static/obfuscation/utf16: medium c2/client: medium c2/tool_transfer/arch: low c2/tool_transfer/os: low @@ -30,7 +26,6 @@ discover/user/name_get: medium exec/cmd: medium exec/conditional/LANG: low exec/plugin: low -exec/remote_commands/code_eval: medium exec/script/activex: medium exec/shell/SHELL: low exec/shell/TERM: low