From 3db201f9e1d2a6b128b74eb1b8db1c536f228031 Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Thu, 1 May 2025 10:34:03 -0500 Subject: [PATCH 01/18] Add file type support for report generation 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- pkg/action/scan.go | 2 +- pkg/action/testdata/scan_archive | 23 ++- pkg/action/testdata/scan_oci | 152 ++++++++++++++++++ pkg/programkind/programkind.go | 4 + pkg/report/report.go | 19 ++- rules/anti-behavior/LD_DEBUG.yara | 1 + rules/anti-behavior/LD_PROFILE.yara | 1 + rules/anti-behavior/anti-debugger.yara | 3 + rules/anti-behavior/process-check.yara | 3 + rules/anti-behavior/random_behavior.yara | 3 + rules/anti-static/base64/eval.yara | 6 + rules/anti-static/base64/exec.yara | 4 + rules/anti-static/base64/function_names.yara | 3 + rules/anti-static/base64/shell.yara | 1 + rules/anti-static/elf/content.yara | 1 + rules/anti-static/elf/entropy.yara | 4 + rules/anti-static/elf/header.yara | 7 +- rules/anti-static/elf/multiple.yara | 1 + rules/anti-static/elf/tiny.yara | 1 + rules/anti-static/macho/entropy.yara | 2 + rules/anti-static/macho/footer.yara | 2 +- rules/anti-static/macho/tiny.yara | 1 + rules/anti-static/obfuscation/bitwise.yara | 15 +- rules/anti-static/obfuscation/bool.yara | 1 + rules/anti-static/obfuscation/casing.yara | 9 ++ rules/anti-static/obfuscation/js.yara | 138 +++++++--------- rules/anti-static/obfuscation/math.yara | 2 + rules/anti-static/obfuscation/nodejs.yara | 2 + rules/anti-static/obfuscation/osascript.yara | 1 + rules/anti-static/obfuscation/padding.yara | 2 +- rules/anti-static/obfuscation/perl.yara | 2 +- rules/anti-static/obfuscation/php.yara | 19 ++- rules/anti-static/obfuscation/powershell.yara | 4 + rules/anti-static/obfuscation/python.yara | 120 ++++++++------ .../obfuscation/python_setuptools.yara | 20 +-- rules/anti-static/obfuscation/reverse.yara | 54 +------ rules/anti-static/obfuscation/sh.yara | 1 + rules/anti-static/obfuscation/strtoi.yara | 1 + rules/anti-static/obfuscation/syscall.yara | 1 + rules/anti-static/obfuscation/url.yara | 1 + rules/anti-static/obfuscation/utf16.yara | 4 +- rules/anti-static/packer/aes.yara | 3 +- 
rules/anti-static/packer/blankobf.yara | 3 +- rules/anti-static/packer/cx_freeze.yara | 1 + rules/anti-static/packer/decompyle.yara | 2 +- rules/anti-static/packer/ezuri.yara | 2 +- rules/anti-static/packer/kiteshield.yara | 1 + rules/anti-static/packer/nuitka.yara | 1 + rules/anti-static/packer/pe.yara | 1 + rules/anti-static/packer/py_kramer.yara | 6 +- rules/anti-static/packer/py_vare.yara | 2 +- rules/anti-static/packer/pycloak.yara | 1 + rules/anti-static/packer/pyobfuscate.yara | 1 + rules/anti-static/packer/upx.yara | 3 + rules/anti-static/unmarshal/marshal.yara | 2 + rules/c2/addr/ip.yara | 1 + rules/c2/addr/url.yara | 2 + rules/c2/connect/bash_tcp.yara | 1 + rules/c2/discovery/ip-dns_resolver.yara | 40 ++++- rules/c2/tool_transfer/chmod_dropper.yara | 4 +- rules/c2/tool_transfer/js.yara | 1 + rules/c2/tool_transfer/macos.yara | 5 +- rules/c2/tool_transfer/npm.yara | 1 + rules/c2/tool_transfer/osascript.yara | 1 + rules/c2/tool_transfer/php.yara | 3 +- rules/c2/tool_transfer/powershell.yara | 1 + rules/c2/tool_transfer/python.yara | 13 +- rules/c2/tool_transfer/ruby.yara | 1 + rules/c2/tool_transfer/shell.yara | 20 +++ rules/collect/archives/tar-command.yara | 3 + rules/collect/localstorage.yara | 1 + rules/data/builtin/kernel_module.yara | 2 +- rules/data/encoding/json-encode.yara | 2 +- rules/evasion/rootkit/kernel.yara | 6 +- rules/evasion/rootkit/userspace.yara | 12 +- rules/exec/cmd/cmd.yara | 8 +- rules/exec/cmd/npm_preinstall.yara | 9 +- rules/exec/dylib/replace.yara | 2 +- rules/exec/imports/python.yara | 6 +- .../exec/install_additional/pip_install.yara | 12 +- rules/exec/remote_commands/code_eval.yara | 109 ++++--------- rules/exec/shell/command.yara | 4 +- rules/exec/shell/exec.yara | 4 +- rules/exec/shell/shell32.yara | 2 +- rules/exfil/b64_zlib.yara | 4 +- rules/exfil/curl_elf.yara | 2 +- rules/exfil/stealer/keylogger.yara | 6 +- rules/exfil/stealer/python.yara | 4 +- rules/fs/attributes/chattr.yara | 4 +- rules/fs/directory/directory-list.yara 
| 6 +- rules/fs/file/file-make_executable.yara | 2 +- rules/fs/file/file-rename.yara | 2 +- rules/impact/cryptojacking/competitive.yara | 2 +- rules/impact/degrade/edr.yara | 4 +- rules/impact/degrade/firewall.yara | 2 +- rules/impact/degrade/panic.yara | 2 +- rules/impact/ransom/linux.yara | 3 +- rules/impact/registry.yara | 2 +- rules/impact/remote_access/net_shell.yara | 2 +- rules/impact/remote_access/open_base64.yara | 2 +- rules/impact/remote_access/remote_eval.yara | 4 +- rules/impact/remote_access/router.yara | 2 +- rules/impact/rootkit/rootkit.yara | 6 +- rules/malware/family/amos.yara | 8 +- rules/malware/family/applejeus.yara | 2 +- rules/malware/family/beaver_tail.yara | 3 +- rules/malware/family/beurk.yara | 5 +- rules/malware/family/emp3r0r.yara | 2 +- rules/malware/family/leet_hozer.yara | 3 +- rules/malware/family/lockscreen.yara | 2 +- rules/malware/family/lolminer.yara | 2 +- rules/malware/family/mirai.yara | 6 +- rules/malware/family/pawns.yara | 2 +- rules/malware/family/poseidon_stealer.yara | 4 +- rules/malware/family/rustdoor.yara | 6 +- rules/malware/framework/cobalt_strike.yara | 2 +- rules/malware/framework/silver.yara | 2 +- rules/net/download/fetch.yara | 2 +- rules/persist/kernel_module/module.yara | 3 +- .../persist/kernel_module/symbol-lookup.yara | 4 +- .../persist/systemd/execstart-elsewhere.yara | 2 + rules/persist/systemd/execstop-bin-sh.yara | 1 + rules/persist/systemd/execstop-elsewhere.yara | 1 + rules/persist/systemd/execstop-usr-bin.yara | 1 + rules/persist/systemd/no_blank_lines.yara | 3 +- .../persist/systemd/no_docs_or_comments.yara | 1 + rules/persist/systemd/no_output.yara | 1 + .../systemd/out_of_dependency_tree.yara | 2 +- rules/persist/systemd/restart-always.yara | 1 + rules/persist/systemd/short-description.yara | 1 + rules/privesc/osascript.yara | 2 + tests/c/clean/falco/ppm_events.c.simple | 1 - .../lottie-player.min.js.mdiff | 5 +- ...a7eec439cdcb4457150bbb330a829e7a.js.simple | 1 - 
...7f0059f20ba0ca5853cdbde1f0b29e36.js.simple | 1 - .../clean/203.b7219352.chunk.js.simple | 1 - .../3937.844b09f50594ca2613b4.js.map.simple | 10 ++ ...4796BB27126E03A7E25DD5D589.cache.js.simple | 2 - ...D016DDDA0665CB8CD8EEA6C537.cache.js.simple | 2 - tests/javascript/clean/connection.js.simple | 1 - tests/javascript/clean/faker.js.simple | 1 + .../javascript/clean/highlight.esm.js.simple | 3 - tests/javascript/clean/highlight.js.simple | 3 - tests/javascript/clean/index.js.map.simple | 17 ++ tests/javascript/clean/php.js.simple | 1 - .../clean/scripts.c88fecd373e21509.js.simple | 1 - .../clean/securityDashboards.plugin.js.simple | 1 - tests/javascript/clean/yarn-3.8.7.cjs.simple | 3 - tests/javascript/clean/zxcvbn.js.simple | 2 - tests/linux/2020.bdvl/bdvl.so.simple | 2 - tests/linux/2022.ez-pwnkit/PWN.so.simple | 1 - .../eight-nebraska-autumn-illinois.simple | 1 - tests/linux/2024.chisel/crondx.simple | 1 + tests/linux/2024.hadooken/drop1.sh.simple | 1 - tests/linux/2024.hadooken/drop2.sh.simple | 1 - tests/linux/2024.hadooken/ssh_worm.sh.simple | 1 - .../linux/2024.k4spreader/degrader.sh.simple | 1 - .../emp3r0r.agent.simple | 2 - .../2024.kworker_pretenders/gafgyt.simple | 1 - .../2024.melofee/2023.8d855c2874.elf.simple | 1 + tests/linux/2024.melofee/pskt.simple | 1 - tests/linux/2024.vncjew/__min__c.json | 63 +++----- tests/linux/clean/appsec-rules.json.simple | 77 +++++++++ .../aws-c-io-0.14.10-r0.spdx.json.simple | 4 + .../aws-c-io-0.14.11-r0.spdx.json.simple | 4 + tests/linux/clean/aws-c-io/aws-c-io.sdiff | 1 + tests/linux/clean/buildah.simple | 1 - tests/linux/clean/buildkitd.simple | 1 - tests/linux/clean/caddy.simple | 1 - tests/linux/clean/chezmoi.simple | 3 +- tests/linux/clean/chrome.simple | 1 - tests/linux/clean/clickhouse.simple | 4 +- tests/linux/clean/code-oss.md | 3 +- tests/linux/clean/containerd.simple | 2 +- tests/linux/clean/cpack.md | 1 - tests/linux/clean/default_config.json.simple | 77 +++++++++ 
...758-4c5e-b57e-c735914ee32a_101.json.simple | 7 + ...67c-455a-afe4-de6183431d0d_111.json.simple | 11 ++ ...-9b70-456b-b6b8-007c7d246128_5.json.simple | 16 ++ ...348-47ba-9741-1202a09556ad_101.json.simple | 10 ++ ...735-4b24-9cc6-c78dfc9fc9c9_108.json.simple | 8 + ...-82ad-4a6c-82b8-296c1f691449_2.json.simple | 9 ++ ...399-4191-af1d-4feeac1f1f46_108.json.simple | 12 ++ ...f01-4f43-a872-605b678968b0_111.json.simple | 25 +++ ...cess_dumping_keychain_security.json.simple | 4 + ...ender_exclusion_via_powershell.json.simple | 8 + .../securitySolution.chunk.22.js.simple | 1 - .../kibana/securitySolution.chunk.9.js.simple | 2 - tests/linux/clean/kolide/launcher.simple | 2 +- tests/linux/clean/kolide/osqueryd.simple | 1 + tests/linux/clean/kuma-cp.simple | 2 +- tests/linux/clean/ld-2.27.so.simple | 4 - tests/linux/clean/libasan.so.8.0.0.simple | 1 - tests/linux/clean/libc.so.6.simple | 1 - tests/linux/clean/libgcj.so.17.0.0.simple | 3 - tests/linux/clean/libgcj.so.17.simple | 3 - tests/linux/clean/libsystemd.so.0.simple | 1 - tests/linux/clean/melange.simple | 4 +- .../linux/clean/misp_sample.ndjson.log.simple | 15 ++ tests/linux/clean/mongosh.simple | 2 - tests/linux/clean/opa.simple | 2 +- tests/linux/clean/pandoc.md | 2 +- tests/linux/clean/pulumi.simple | 3 +- .../clean/pypi_package_index.json.simple | 132 +++++++++++++++ tests/linux/clean/rules.json.simple | 78 +++++++++ .../clean/runtime-security-fentry.o.simple | 1 - .../runtime-security-syscall-wrapper.o.simple | 1 - tests/linux/clean/runtime-security.o.simple | 1 - .../rust_libtest-350a2b8f7a4551b7.so.simple | 1 - tests/linux/clean/searchindex.json.simple | 71 ++++++++ tests/linux/clean/slack.md | 3 +- .../clean/sonarlint-metadata.json.simple | 74 +++++++++ .../linux/clean/systemd-sysv-generator.simple | 1 - tests/linux/clean/tracer.o.aarch64.simple | 1 - .../clean/trino.linux-amd64.launcher.json | 46 ------ .../clean/trino.linux-arm64.launcher.json | 46 ------ .../clean/trino.linux-ppc64le.launcher.json | 46 
------ tests/linux/clean/trivy.simple | 2 - tests/linux/clean/trufflehog.md | 1 - .../wikiticker-2015-09-12-sampled.json.simple | 24 +++ tests/linux/clean/wolfictl.simple | 4 +- tests/linux/clean/x11vnc.simple | 1 - tests/linux/clean/zipdetails.md | 1 - .../linux/mimipenguin/bash/mimipenguin.simple | 3 +- .../mimipenguin/python/mimipenguin.simple | 1 - .../var_tmp_exe_starting2.simple | 1 - tests/macOS/2024.LightSpy/dropper.simple | 1 - tests/macOS/2024.Rustdoor/localfile.simple | 2 - tests/npm/2024.bugsnagmw/index.js.simple | 1 - .../npm/2024.depe-tool/preinstall.json.simple | 3 + .../package.json.simple | 2 - .../2024.next-react-notify/tocall.js.simple | 1 - tests/npm/2024.noblox/postinstall.js.json | 4 +- .../v1.95.7.index.browser.esm.js.simple | 2 - .../v1.95.8.index.browser.esm.js.simple | 1 - .../wp-engine-fast-action.php.simple | 1 - tests/php/clean/composer-2.7.7.simple | 2 - .../module.audio-video.quicktime.php.simple | 1 - tests/php/clean/run-tests.php.simple | 1 - .../valyrian_debug_setup.py.simple | 1 - tests/python/2024.Custom.RAT/output.py.simple | 1 - .../__init__.py.simple | 1 - ...cfb68895a84adaa173c543792be891ba.py.simple | 1 - ...68a78181c1976a4f72526c3085096f99.py.simple | 1 + ...a75a60f72ef26cf45670b31ffa92482e.py.simple | 1 + ...394e3a4bb349383cbc45786ae2b79b42.py.simple | 1 + .../v8.3.41/utils/downloads.py.simple | 1 - .../v8.3.46/__init__.py.simple | 1 - .../setup.py.simple | 1 - .../google-cloud-sdk/requests_setup.py.simple | 1 - tests/python/clean/numpy/misc_util.py.simple | 1 - tests/python/clean/requests/setup.py.simple | 1 - .../clean/setuptools/namespaces.py.simple | 1 - .../setuptools/test_pyprojecttoml.py.simple | 1 - tests/ruby/2021.vector/vector.rb.simple | 1 - tests/ruby/2024.Ruby_rootkit/Ruby.c.simple | 4 +- tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple | 1 - .../2024.GitHub.Clipper/main.exe.simple | 3 +- tests/windows/2024.aspdasdksa2/Nil.exe.md | 1 - .../windows/2024.aspdasdksa2/creal.exe.simple | 1 - 
.../Swashbuckle.AspNetCore.ReDoc.dll.simple | 4 - 261 files changed, 1403 insertions(+), 742 deletions(-) diff --git a/pkg/action/scan.go b/pkg/action/scan.go index ddd9a8763..644c4c73c 100644 --- a/pkg/action/scan.go +++ b/pkg/action/scan.go @@ -159,7 +159,7 @@ func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleF return fr, nil } - fr, err := report.Generate(ctx, path, mrs, c, archiveRoot, logger, fc) + fr, err := report.Generate(ctx, path, mrs, c, archiveRoot, logger, fc, kind) if err != nil { return nil, NewFileReportError(err, path, TypeGenerateError) } diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive index 9b97a8373..f0c1141e6 100644 --- a/pkg/action/testdata/scan_archive +++ b/pkg/action/testdata/scan_archive @@ -187,6 +187,17 @@ "ID": "c2/client", "RuleName": "clientID" }, + { + "Description": "contains Cloudflare DNS resolver IP", + "MatchStrings": [ + "1.1.1.1" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#cloudflare_dns_ip", + "ID": "c2/discovery/ip_dns_resolver", + "RuleName": "cloudflare_dns_ip" + }, { "Description": "references a specific architecture", "MatchStrings": [ @@ -1070,15 +1081,15 @@ "RuleName": "go_file_read" }, { - "Description": "renames files", + "Description": "rename", "MatchStrings": [ - "os.rename" + "rename" ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename", + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#rename", "ID": "fs/file/rename", - "RuleName": "explicit_rename" + "RuleName": "rename" }, { "Description": "access filesystem metadata", diff --git a/pkg/action/testdata/scan_oci b/pkg/action/testdata/scan_oci index 5f57f73dd..62482f5bf 100644 
--- a/pkg/action/testdata/scan_oci +++ b/pkg/action/testdata/scan_oci 
@@ -69,6 +69,158 @@ "SHA256": "", "Size": 0, "RiskScore": 0 + }, + "/var/lib/db/sbom/ca-certificates-bundle-20240705-r0.spdx.json": { + "Path": "testdata/static.tar.xz ∴ /var/lib/db/sbom/ca-certificates-bundle-20240705-r0.spdx.json", + "SHA256": "da392082c5abe93e62ac6b557fd1dae8aedb16851c76a8b0b942235c4f24fcf2", + "Size": 1768, + "Behaviors": [ + { + "Description": "references a specific architecture", + "MatchStrings": [ + "https://", + "x86_64" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref", + "ID": "c2/tool_transfer/arch", + "RuleName": "arch_ref" + }, + { + "Description": "references a specific operating system", + "MatchStrings": [ + "https://", + "linux" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#os_ref", + "ID": "c2/tool_transfer/os", + "RuleName": "os_ref" + }, + { + "Description": "download files", + "MatchStrings": [ + "downloadLocation" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download", + "ID": "net/download", + "RuleName": "download" + }, + { + "Description": "contains embedded HTTPS URLs", + "MatchStrings": [ + "https://spdx.org/spdxdocs/chainguard/melange/e8bb6c0f7fc0c77fe29111695575" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url", + "ID": "net/url/embedded", + "RuleName": "https_url" + } + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM" + }, + "/var/lib/db/sbom/tzdata-2024b-r0.spdx.json": { + "Path": "testdata/static.tar.xz ∴ /var/lib/db/sbom/tzdata-2024b-r0.spdx.json", + "SHA256": "d30d9bc94854359f6e4164fca583b5a51e1a6625c7e8b4b0563364e676a5bcaf", + "Size": 1725, + "Behaviors": [ + { + "Description": "references a specific 
architecture", + "MatchStrings": [ + "https://", + "x86_64" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref", + "ID": "c2/tool_transfer/arch", + "RuleName": "arch_ref" + }, + { + "Description": "download files", + "MatchStrings": [ + "downloadLocation" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download", + "ID": "net/download", + "RuleName": "download" + }, + { + "Description": "contains embedded HTTPS URLs", + "MatchStrings": [ + "https://spdx.org/spdxdocs/chainguard/melange/7b86e6ff94c1f8dfe207a3ffaf7f" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url", + "ID": "net/url/embedded", + "RuleName": "https_url" + }, + { + "Description": "Uses timezone information", + "MatchStrings": [ + "tzdata" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/time/tzinfo.yara#tzinfo", + "ID": "os/time/tzinfo", + "RuleName": "tzinfo" + } + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM" + }, + "/var/lib/db/sbom/wolfi-baselayout-20230201-r15.spdx.json": { + "Path": "testdata/static.tar.xz ∴ /var/lib/db/sbom/wolfi-baselayout-20230201-r15.spdx.json", + "SHA256": "2553d473dbfb8842254573d68cd3e857b2e9546fb746d8ae7fc3c243c9eca8ca", + "Size": 1425, + "Behaviors": [ + { + "Description": "references a specific architecture", + "MatchStrings": [ + "https://", + "x86_64" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref", + "ID": "c2/tool_transfer/arch", + "RuleName": "arch_ref" + }, + { + "Description": "download files", + "MatchStrings": [ + "downloadLocation" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", 
+ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download", + "ID": "net/download", + "RuleName": "download" + }, + { + "Description": "contains embedded HTTPS URLs", + "MatchStrings": [ + "https://spdx.org/spdxdocs/chainguard/melange/568a7518ce6c3bdb5ddcf51a311c" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url", + "ID": "net/url/embedded", + "RuleName": "https_url" + } + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM" } } } diff --git a/pkg/programkind/programkind.go b/pkg/programkind/programkind.go index d8bd98252..27ab55f22 100644 --- a/pkg/programkind/programkind.go +++ b/pkg/programkind/programkind.go @@ -71,13 +71,17 @@ var supportedKind = map[string]string{ "h": "text/x-h", "hh": "text/x-h", "html": "", + "jar": "application/java-archive", "java": "text/x-java", "js": "application/javascript", + "json": "application/json", + "ko": "application/x-object", "lnk": "application/x-ms-shortcut", "lua": "text/x-lua", "macho": "application/x-mach-binary", "md": "", "o": "application/octet-stream", + "pe": "application/vnd.microsoft.portable-executable", "php": "text/x-php", "pl": "text/x-perl", "pm": "text/x-script.perl-module", diff --git a/pkg/report/report.go b/pkg/report/report.go index b7130a262..2105efcff 100644 --- a/pkg/report/report.go +++ b/pkg/report/report.go @@ -17,6 +17,7 @@ import ( "github.com/chainguard-dev/clog" "github.com/chainguard-dev/malcontent/pkg/malcontent" + "github.com/chainguard-dev/malcontent/pkg/programkind" yarax "github.com/VirusTotal/yara-x/go" ) 
@@ -364,8 +365,20 @@ func TrimPrefixes(path string, prefixes []string) string { return path } +// fileMatchesRules checks the scanned file's type against a rule's defined filetypes +func fileMatchesRule(meta []yarax.Metadata, mime string) bool { + for _, m := range meta { + if m.Identifier() == "filetypes" { + filetypes := strings.Split(fmt.Sprintf("%s", m.Value()), ",") + return slices.Contains(filetypes, mime) + } + } + // Rules without filetype metadata are universal + return true +} + //nolint:cyclop // ignore complexity of 64 -func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcontent.Config, expath string, _ *clog.Logger, fc []byte) (*malcontent.FileReport, error) { +func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcontent.Config, expath string, _ *clog.Logger, fc []byte, kind *programkind.FileType) (*malcontent.FileReport, error) { if ctx.Err() != nil { return &malcontent.FileReport{}, ctx.Err() } @@ -425,6 +438,10 @@ func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcon ignoreMalcontent = true } + if !fileMatchesRule(m.Metadata(), kind.MIME) { + continue + } + override := slices.Contains(m.Tags(), "override") risk = behaviorRisk(m.Namespace(), m.Identifier(), m.Tags()) diff --git a/rules/anti-behavior/LD_DEBUG.yara b/rules/anti-behavior/LD_DEBUG.yara index 84c21dd11..a96c44440 100644 --- a/rules/anti-behavior/LD_DEBUG.yara +++ b/rules/anti-behavior/LD_DEBUG.yara @@ -1,6 +1,7 @@ rule env_LD_DEBUG: medium { meta: description = "may check if dynamic linker debugging is enabled" + filetypes = "application/x-elf,application/x-mach-binary" strings: $val = "LD_DEBUG" fullword diff --git a/rules/anti-behavior/LD_PROFILE.yara b/rules/anti-behavior/LD_PROFILE.yara index 5e1aeff67..11bb37e23 100644 --- a/rules/anti-behavior/LD_PROFILE.yara +++ b/rules/anti-behavior/LD_PROFILE.yara 
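Review bot: `fileMatchesRule` compares `mime` against the `filetypes` entries with an exact string match and drops the rule on mismatch, so a rule whose metadata still uses a pre-MIME spelling (this same patch rewrites `filetypes = "javascript"` and `"php"` in other files) or contains a typo is silently disabled for every file rather than surfaced as an error. Validating each `filetypes` value against the MIME set in `programkind.supportedKind` when rules are loaded, or at least logging an unknown value once, would make that failure mode visible. Two smaller points in the same function: the doc comment names `fileMatchesRules` while the function is `fileMatchesRule`, and entries are not trimmed, so `"text/x-c, text/x-php"` fails on the second type — `slices.Contains` over `strings.TrimSpace`d elements and `fmt.Sprint(m.Value())` instead of `Sprintf("%s", …)` (which renders a non-string value as `%!s(...)`) would harden it. Files whose extension maps to an empty MIME (`html`, `md` in `supportedKind`) can never satisfy a typed rule here; if that is intended, say so in the comment, e.g. `// An empty MIME (unclassified file) only matches untyped rules`.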
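Review bot: The new `fileMatchesRule(m.Metadata(), kind.MIME)` call in the `@@ -425,6 +438,10 @@` hunk dereferences the `kind` pointer parameter with no nil check, so if `scanSinglePath` (whose body is outside this hunk) can reach `Generate` with an unidentified file type, a scan now panics instead of producing a report. A guard computed once before the match loop, `mime := ""; if kind != nil { mime = kind.MIME }`, keeps the previous behaviour for such files, and the `Generate` doc comment should state whether a nil `kind` is permitted. The filter also runs before `override := slices.Contains(m.Tags(), "override")`, so an `override` rule carrying non-matching `filetypes` no longer suppresses anything for that file — presumably intended, but worth confirming against the rules that use the tag.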
@@ -1,6 +1,7 @@ rule env_LD_PROFILE: medium { meta: description = "may check if dynamic linker profiling is enabled" + filetypes = "application/x-elf,application/x-mach-binary" strings: $val = "LD_PROFILE" fullword diff --git a/rules/anti-behavior/anti-debugger.yara b/rules/anti-behavior/anti-debugger.yara index 450f61828..c82253c5a 100644 --- a/rules/anti-behavior/anti-debugger.yara +++ b/rules/anti-behavior/anti-debugger.yara @@ -1,6 +1,7 @@ rule win_debugger_present: medium windows { meta: description = "Detects if process is being executed within a debugger" + filetypes = "text/x-powershell" strings: $debug_idp = "IsDebuggerPresent" @@ -13,6 +14,7 @@ rule win_debugger_present: medium windows { rule win_debugger_or_vm: medium windows { meta: description = "Detects if process is being executed within a debugger or VM" + filetypes = "text/x-powershell" strings: $cpu_pfp = "IsProcessorFeaturePresent" @@ -27,6 +29,7 @@ rule win_debugger_or_vm: medium windows { rule multiple_linux_methods: high linux { meta: description = "possible debugger detection across multiple methods" + filetypes = "application/x-elf" strings: $ld_profile = "LD_PROFILE" fullword diff --git a/rules/anti-behavior/process-check.yara b/rules/anti-behavior/process-check.yara index 9cfeb71c4..cec89dcd0 100644 --- a/rules/anti-behavior/process-check.yara +++ b/rules/anti-behavior/process-check.yara @@ -1,6 +1,7 @@ rule activity_monitor_checker: high macos { meta: description = "checks if 'Activity Monitor' is running" + filetypes = "application/x-mach-binary" strings: $ps = "ps" fullword @@ -16,6 +17,7 @@ rule activity_monitor_checker: high macos { rule linux_monitors: high linux { meta: description = "checks if various process monitors are running" + filetypes = "application/x-elf" strings: $pgrep = "pgrep" fullword 
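Review bot: Restricting `win_debugger_present` and `win_debugger_or_vm` to `filetypes = "text/x-powershell"` removes them from PE executables, which is where the `IsDebuggerPresent` and `IsProcessorFeaturePresent` import strings these rules key on are most commonly found; that reads as a detection regression rather than a false-positive fix, particularly since this patch adds `"pe": "application/vnd.microsoft.portable-executable"` to `supportedKind`. Unless PE coverage is deliberately left to rules I cannot see here, the metadata should include the PE type: `filetypes = "application/vnd.microsoft.portable-executable,text/x-powershell"`. The `@@ -1,6 +1,7 @@` hunk shows only the meta block; the rule conditions are outside it.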
@@ -45,6 +47,7 @@ rule linux_monitors: high linux { rule anti_rootkit_hunter: high linux { meta: description = "checks if rootkit detectors are running" + filetypes = "application/x-elf" strings: $proc = "/proc/" diff --git a/rules/anti-behavior/random_behavior.yara b/rules/anti-behavior/random_behavior.yara index 64fc20e42..acc68f1b8 100644 --- a/rules/anti-behavior/random_behavior.yara +++ b/rules/anti-behavior/random_behavior.yara @@ -20,6 +20,7 @@ private rule random_behavior_pythonSetup { rule setuptools_random: critical { meta: description = "Python library installer that exhibits random behavior" + filetypes = "text/x-python" strings: $ref = "import random" @@ -32,6 +33,7 @@ rule setuptools_random: critical { rule java_random: low { meta: description = "exhibits random behavior" + filetypes = "text/x-java" strings: $ref = "java/util/Random" @@ -43,6 +45,7 @@ rule java_random: low { rule rand_call: medium { meta: description = "exhibits random behavior" + filetypes = "text/x-c,text/x-php,text/x-perl" strings: $ref = "rand()" diff --git a/rules/anti-static/base64/eval.yara b/rules/anti-static/base64/eval.yara index 8aa1a4b3d..cc68e8ac1 100644 --- a/rules/anti-static/base64/eval.yara +++ b/rules/anti-static/base64/eval.yara @@ -3,6 +3,7 @@ import "math" rule eval_base64: high { meta: description = "Evaluates base64 content" + filetypes = "application/javascript" strings: $eval = /eval\(.{0,256}base64/ @@ -14,6 +15,7 @@ rule eval_base64: high { rule ruby_eval_base64_decode: critical { meta: description = "Evaluates base64 content" + filetypes = "text/x-ruby" strings: $eval_base64_decode = "eval(Base64." @@ -25,6 +27,7 @@ rule ruby_eval_base64_decode: critical { rule ruby_eval_near_enough: high { meta: description = "Evaluates base64 content" + filetypes = "text/x-ruby" strings: $eval = "eval(" 
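Review bot: `java_random` now declares `filetypes = "text/x-java"`, but its only string, `"java/util/Random"`, is the slash-separated internal class name that appears in compiled `.class` files and jars, not the `java.util.Random` spelling used in Java source, so under an exact-MIME filter the rule is applied to the one type that cannot contain its pattern and skipped for the `application/java-archive` type this patch adds in `supportedKind`. Either add the archive type, `filetypes = "text/x-java,application/java-archive"`, or add a dotted source form such as `$src = "java.util.Random"` if source coverage is the goal. The rule's condition is not in this hunk, so I cannot tell whether anything else gates it.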
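Review bot: `eval_base64` is now limited to `application/javascript`, yet its pattern `/eval\(.{0,256}base64/` is language-agnostic and is exactly the classic PHP webshell shape `eval(base64_decode(...))` as well as a common Perl and shell form; the sibling rules in this file cover Ruby and Python explicitly, but nothing visible here picks up PHP. If PHP `eval`/`base64_decode` is handled in `rules/anti-static/obfuscation/php.yara` (changed in this patch but not shown), a comment noting that would avoid the question; otherwise list it here: `filetypes = "application/javascript,text/x-php"`.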
@@ -37,6 +40,7 @@ rule ruby_eval_near_enough: high { rule ruby_eval2_near_enough: high { meta: description = "Evaluates base64 content" + filetypes = "text/x-ruby" strings: $eval = "eval(" @@ -49,6 +53,7 @@ rule ruby_eval2_near_enough: high { rule python_exec_near_enough_base64: high { meta: description = "Likely executes base64 content" + filetypes = "text/x-python" strings: $exec = "exec(" @@ -61,6 +66,7 @@ rule python_exec_near_enough_base64: high { rule python_base64_exec: critical { meta: description = "executes compressed base64 content" + filetypes = "text/x-python" strings: $dec_b64decode_exec = /.{0,8}\.decompress\(.{0,96}\.b64decode\(.{0,64}\Wexec\(.{0,16}/ diff --git a/rules/anti-static/base64/exec.yara b/rules/anti-static/base64/exec.yara index 1a21ce293..8f5e12793 100644 --- a/rules/anti-static/base64/exec.yara +++ b/rules/anti-static/base64/exec.yara @@ -50,6 +50,7 @@ rule base64_suspicious_commands: critical { rule base64_exec: critical { meta: description = "executes base64 encoded commands" + filetypes = "text/x-python" strings: $os_system = /os\.system\(b64[\"\'\(\)\w\=]{3,96}/ fullword @@ -61,6 +62,7 @@ rule base64_exec: critical { rule echo_decode_bash: critical { meta: description = "executes base64 encoded shell commands" + filetypes = "application/x-sh,application/x-zsh" strings: $pipe = /base64 {0,2}(-d|--decode) {0,2}\| {0,2}(bash|zsh|sh)/ fullword @@ -75,6 +77,7 @@ import "math" rule echo_decode_bash_probable: high { meta: description = "likely pipes base64 into a shell" + filetypes = "application/x-sh,application/x-zsh" strings: $decode = /base64 {0,2}(-d|--decode)/ fullword @@ -87,6 +90,7 @@ rule echo_decode_bash_probable: high { rule ruby_system_near_enough: critical { meta: description = "Executes commands from base64 content" + filetypes = "text/x-ruby" strings: $system = /system\(["'\w\)]{0,16}/ diff --git a/rules/anti-static/base64/function_names.yara b/rules/anti-static/base64/function_names.yara index f7bbf513e..ae5c437a5 100644 
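Review bot: `echo_decode_bash` and `echo_decode_bash_probable` are now gated to `application/x-sh,application/x-zsh`, but the `base64 -d | bash` command line they match is typically carried as a string inside another file type — a Python `os.system`/`subprocess` argument, a `system()` string in an ELF, a Dockerfile or CI YAML, a systemd `ExecStart`, a `setup.py` — and those carriers are precisely where a critical-severity pipe-to-shell matters most. Unless equivalent coverage exists in per-language rules I cannot see, consider leaving these two rules untyped (rules without `filetypes` stay universal per `fileMatchesRule`) so the shell-specific gate does not drop embedded loaders. Please also verify that `supportedKind` actually emits `application/x-sh` for `.sh` files (its `sh` entry is not in this chunk); if it reports a different MIME the gate can never match.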
--- a/rules/anti-static/base64/function_names.yara +++ b/rules/anti-static/base64/function_names.yara @@ -1,6 +1,7 @@ rule base64_php_functions: medium { meta: description = "References PHP functions in base64 form" + filetypes = "text/x-php" strings: $php = "6.95)" + filetypes = "application/x-elf" condition: normal_elf and math.entropy(1, filesize) >= 6.95 @@ -21,6 +22,7 @@ rule higher_elf_entropy_68: medium { rule normal_elf_high_entropy_7_4: high { meta: description = "high entropy ELF binary (>7.4)" + filetypes = "application/x-elf" strings: $not_whirlpool = "libgcrypt-grub/cipher/whirlpool.c" @@ -33,6 +35,7 @@ rule normal_elf_high_entropy_7_4: high { rule normal_elf_high_entropy_footer_7_4: high { meta: description = "high entropy footer in ELF binary (>7.4)" + filetypes = "application/x-elf" condition: normal_elf and math.entropy(filesize - 8192, filesize) >= 7.4 @@ -41,6 +44,7 @@ rule normal_elf_high_entropy_footer_7_4: high { rule normal_elf_high_entropy_footer_7_4_rc4: high { meta: description = "high entropy footer in ELF binary (>7.4), likely RC4 encrypted" + filetypes = "application/x-elf" strings: $cmp_e_x_256 = { 81 f? 00 01 00 00 } // cmp {ebx, ecx, edx}, 256 diff --git a/rules/anti-static/elf/header.yara b/rules/anti-static/elf/header.yara index 91d1ed930..8e2e225d9 100644 --- a/rules/anti-static/elf/header.yara +++ b/rules/anti-static/elf/header.yara @@ -5,7 +5,7 @@ rule single_load_rwe: critical { meta: description = "Binary with a single LOAD segment marked RWE" family = "Stager" - filetype = "ELF" + filetypes = "application/x-elf" author = "Tenable" @@ -17,7 +17,7 @@ rule fake_section_headers_conflicting_entry_point_address: critical { meta: description = "binary with fake sections header" family = "Obfuscation" - filetype = "ELF" + filetypes = "application/x-elf" author = "Tenable" 
@@ -29,7 +29,7 @@ rule fake_dynamic_symbols: critical { meta: description = "binary with fake dynamic symbol table" family = "Obfuscation" - filetype = "ELF" + filetypes = "application/x-elf" author = "Tenable" condition: @@ -39,6 +39,7 @@ rule fake_dynamic_symbols: critical { rule high_entropy_header: high { meta: description = "high entropy ELF header (>7)" + filetypes = "application/x-elf" strings: $not_pyinst = "pyi-bootloader-ignore-signals" diff --git a/rules/anti-static/elf/multiple.yara b/rules/anti-static/elf/multiple.yara index db1efd6c1..b4da19bb8 100644 --- a/rules/anti-static/elf/multiple.yara +++ b/rules/anti-static/elf/multiple.yara @@ -3,6 +3,7 @@ import "elf" rule multiple_elf: medium { meta: description = "multiple ELF binaries within an ELF binary" + filetypes = "application/x-elf" strings: $elf_head = "\x7fELF" diff --git a/rules/anti-static/elf/tiny.yara b/rules/anti-static/elf/tiny.yara index 48edec212..6316b7571 100644 --- a/rules/anti-static/elf/tiny.yara +++ b/rules/anti-static/elf/tiny.yara @@ -3,6 +3,7 @@ import "elf" rule impossibly_small_elf_program: high { meta: description = "ELF binary is unusually small" + filetypes = "application/x-elf" strings: $not_hello_c = "hello.c" diff --git a/rules/anti-static/macho/entropy.yara b/rules/anti-static/macho/entropy.yara index a10a1fe47..380c97349 100644 --- a/rules/anti-static/macho/entropy.yara +++ b/rules/anti-static/macho/entropy.yara @@ -8,6 +8,7 @@ private rule smaller_macho { rule higher_entropy_6_9: medium { meta: description = "higher entropy binary (>6.9)" + filetypes = "application/x-mach-binary" condition: smaller_macho and math.entropy(1, filesize) >= 6.9 @@ -16,6 +17,7 @@ rule higher_entropy_6_9: medium { rule high_entropy_7_2: high { meta: description = "high entropy binary (>7.2)" + filetypes = "application/x-mach-binary" strings: // prevent bazel false positive 
diff --git a/rules/anti-static/macho/footer.yara b/rules/anti-static/macho/footer.yara index 71f6c8a47..9f1e40fab 100644 --- a/rules/anti-static/macho/footer.yara +++ b/rules/anti-static/macho/footer.yara @@ -9,6 +9,7 @@ rule high_entropy_trailer: high { meta: description = "higher-entropy machO trailer (normally NULL) - possible viral infection" ref = "https://www.virusbulletin.com/virusbulletin/2013/06/multiplatform-madness" + filetypes = "application/x-mach-binary" strings: $page_zero = "_PAGEZERO" @@ -16,4 +17,3 @@ rule high_entropy_trailer: high { condition: filesize < 10MB and anti_static_macho and $page_zero and math.entropy(filesize - 1024, filesize - 1) >= 4 } - diff --git a/rules/anti-static/macho/tiny.yara b/rules/anti-static/macho/tiny.yara index 05bb6d6c5..8c5faad5a 100644 --- a/rules/anti-static/macho/tiny.yara +++ b/rules/anti-static/macho/tiny.yara @@ -1,6 +1,7 @@ rule impossibly_small_macho_program: medium { meta: description = "machO binary is unusually small" + filetypes = "application/x-mach-binary" strings: $stub_helper = "__stub_helper" diff --git a/rules/anti-static/obfuscation/bitwise.yara b/rules/anti-static/obfuscation/bitwise.yara index a40b71e8b..d1ba108bb 100644 --- a/rules/anti-static/obfuscation/bitwise.yara +++ b/rules/anti-static/obfuscation/bitwise.yara @@ -41,6 +41,7 @@ rule excessive_bitwise_math: high { rule bitwise_math: low { meta: description = "uses bitwise math" + filetypes = "text/x-python" strings: $x = /\-{0,1}[\da-z]{1,8} \<\< \-{0,1}\d{1,8}/ @@ -54,6 +55,7 @@ rule bidirectional_bitwise_math: medium { meta: description = "uses bitwise math in both directions" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" + filetypes = "text/x-python" strings: $x = /\-{0,1}[\da-z]{1,8} \<\< \-{0,1}\d{1,8}/ 
@@ -67,6 +69,7 @@ rule bitwise_python_string: medium { meta: description = "creates string using bitwise math" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" + filetypes = "text/x-python" strings: $ref = /"".join\(chr\(\w{1,4} >> \w{1,3}\) for \w{1,16} in \w{1,16}/ @@ -79,6 +82,7 @@ rule bitwise_python_string_exec_eval: high { meta: description = "creates and evaluates string using bitwise math" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" + filetypes = "text/x-python" strings: $ref = /"".join\(chr\(\w{1,4} >> \w{1,3}\) for \w{1,16} in \w{1,16}/ @@ -93,6 +97,7 @@ rule bitwise_python_string_exec_eval_nearby: critical { meta: description = "creates and executes string using bitwise math" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" + filetypes = "text/x-python" strings: $ref = /"".join\(chr\(\w{1,4} >> \w{1,3}\) for \w{1,16} in \w{1,16}/ @@ -107,7 +112,7 @@ rule unsigned_bitwise_math: medium { meta: description = "uses unsigned bitwise math" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" - filetypes = "javascript" + filetypes = "application/javascript" strings: $function = "function(" @@ -124,7 +129,7 @@ rule unsigned_bitwise_math_excess: high { meta: description = "uses an excessive amount of unsigned bitwise math" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" - filetypes = "javascript" + filetypes = "application/javascript" strings: $function = "function(" @@ -142,7 +147,7 @@ rule unsigned_bitwise_math_excess: high { rule charAtBitwise: high { meta: description = "converts manipulated numbers into characters" - filetypes = "javascript" + filetypes = "application/javascript" strings: $function = "function(" 
@@ -157,7 +162,7 @@ rule bidirectional_bitwise_math_php: high { meta: description = "uses bitwise math in both directions" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" - filetypes = "php" + filetypes = "text/x-php" strings: $php = "= 6 + filesize < 1MB and all of them and math.entropy(1, filesize) >= 6 } rule ebe: critical { meta: description = "highly obfuscated javascript (eBe)" - filetypes = "javascript" + filetypes = "application/javascript" strings: $function = "function(" @@ -113,13 +66,13 @@ rule ebe: critical { $ref = /eBe\([-]?\d{1,3}\)/ condition: - obfs_probably_js and filesize < 5MB and $function and $charCodeAt and #ref > 10 + filesize < 5MB and $function and $charCodeAt and #ref > 10 } rule ebe_generic: high { meta: description = "highly obfuscated javascript" - filetypes = "javascript" + filetypes = "application/javascript" strings: $function = "function(" @@ -130,12 +83,13 @@ rule ebe_generic: high { $ref3 = /\>\w{1,3}\(\d{1,3}\)\);\w\[\w{1,3}\(\d{1,3}\)\]\=/ condition: - obfs_probably_js and filesize < 5MB and #function > 0 and $charCodeAt and (#ref > 5 or #ref2 > 5 or #ref3 > 5) + filesize < 5MB and #function > 0 and $charCodeAt and (#ref > 5 or #ref2 > 5 or #ref3 > 5) } rule exec_console_log: critical { meta: description = "evaluates the return of console.log()" + filetypes = "application/javascript" strings: $ref = ".exec(console.log(" @@ -147,6 +101,7 @@ rule exec_console_log: critical { rule js_const_func_obfuscation: medium { meta: description = "javascript obfuscation (excessive const functions)" + filetypes = "application/javascript" strings: $const = "const " 
@@ -154,65 +109,82 @@ rule js_const_func_obfuscation: medium { $return = "{return" condition: - obfs_probably_js and filesize < 256KB and #const > 32 and #function > 48 and #return > 64 + filesize < 256KB and #const > 32 and #function > 48 and #return > 64 } -rule js_hex_eval_obfuscation: critical { +rule js_hex_eval_obfuscation: high { meta: description = "javascript eval obfuscation (hex)" + filetypes = "application/javascript" strings: $return = /\(eval, _{0,4}0x[\w]{0,32}[\(\[]/ condition: - obfs_probably_js and filesize < 128KB and any of them + filesize < 128KB and any of them +} + +rule js_hex_obfuscation: high { + meta: + description = "javascript function obfuscation (hex)" + filetypes = "application/javascript" + + strings: + $return = /return _{0,4}0x[\w]{0,32}[\(\w]{0,32}/ + $const = /const _{0,4}0x[\w]{0,32}\s*=[\w]{0,32}/ + + condition: + filesize < 1MB and any of them } -rule js_hex_obfuscation: critical { +rule multiple_js_hex_obfuscation: critical { meta: description = "javascript function obfuscation (hex)" + filetypes = "application/javascript" strings: $return = /return _{0,4}0x[\w]{0,32}[\(\w]{0,32}/ $const = /const _{0,4}0x[\w]{0,32}\s*=[\w]{0,32}/ condition: - obfs_probably_js and filesize < 1MB and any of them + filesize < 1MB and #return > 5 and #const > 5 } rule high_entropy: medium { meta: description = "high entropy javascript (>6)" + filetypes = "application/javascript" condition: - obfs_probably_js and math.entropy(1, filesize) >= 6 + math.entropy(1, filesize) >= 6 } rule very_high_entropy: critical { meta: description = "very high entropy javascript (>7)" + filetypes = "application/javascript" condition: - obfs_probably_js and math.entropy(1, filesize) >= 7 + math.entropy(1, filesize) >= 7 } rule charCodeAtIncrement: medium { meta: description = "converts incremented numbers into characters" - filetypes = "javascript" + filetypes = "application/javascript" strings: $function = "function(" $increment = /charCodeAt\(\+\+\w{0,4}\)/ 
condition: - obfs_probably_js and filesize < 4MB and $function and #increment > 1 + filesize < 4MB and $function and #increment > 1 } rule js_many_parseInt: high { meta: description = "javascript obfuscation (integer parsing)" - filetypes = "javascript" + filetypes = "application/javascript" strings: $const = "const " @@ -221,13 +193,13 @@ rule js_many_parseInt: high { $parseInt = "parseInt" condition: - obfs_probably_js and filesize < 256KB and #const > 16 and #function > 32 and #parseInt > 8 and #return > 32 + filesize < 256KB and #const > 16 and #function > 32 and #parseInt > 8 and #return > 32 } rule over_powered_arrays: high { meta: description = "uses many powered array elements (>25)" - filetypes = "javascript" + filetypes = "application/javascript" strings: $function = /function\(\w,/ @@ -235,12 +207,13 @@ rule over_powered_arrays: high { $power_array = /\w\[\d{1,4}\]\^\w\[\d{1,4}\]/ condition: - obfs_probably_js and filesize < 5MB and $function and $charAt and #power_array > 25 + filesize < 5MB and $function and $charAt and #power_array > 25 } rule string_prototype_function: high { meta: description = "obfuscates function calls via string prototypes" + filetypes = "application/javascript" strings: $ref = /String\["prototype"\].{1,32} = function\(\) \{ eval\(this\.toString\(\)\)\;/ @@ -253,17 +226,19 @@ rule string_prototype_function: high { rule unicode_prototype: critical { meta: description = "sets obfuscated Array.prototype attribute" + filetypes = "application/javascript" strings: $ref = /Array\.prototype\.\\[\w\\]{2,256}\s{0,2}=.{0,64}/ condition: - obfs_probably_js and any of them + any of them } rule var_filler: high { meta: description = "header is filled with excessive variable declarations" + filetypes = "application/javascript" strings: $ref = /[a-z]{2,8}\d{1,5} = "[a-z]{2,8}\d{1,5}"/ fullword 
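Review bot: With `obfs_probably_js` dropped, `high_entropy: medium` and `very_high_entropy: critical` reduce to a bare `math.entropy(1, filesize) >= 6` / `>= 7` with no string anchor, and the new `filetypes = "application/javascript"` is a `meta` entry that YARA never consults while matching. Unless the scanner side of this commit (scan.go / report.go, not visible here) uses `filetypes` to suppress matches on other MIME types, every gzip, image or encrypted blob will now raise a critical "very high entropy javascript" finding. If the filter is exclusive, say so in the rule so the next reader does not re-add a gate: `// filetypes is enforced by the scanner, not by YARA`; if it is not, keep a minimal in-rule anchor such as `$function = "function("` and `condition: $function and math.entropy(1, filesize) >= 7`. This hunk starts on the previous line of the page.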
@@ -275,73 +250,80 @@ rule var_filler: high { rule large_random_variables: high { meta: description = "contains large random variable names" + filetypes = "application/javascript" strings: $ref = /var [a-zA-Z_]{32,256} = '.{4}/ fullword condition: - obfs_probably_js and #ref > 1 + #ref > 1 } rule many_complex_var: medium { meta: description = "defines multiple complex variables" + filetypes = "application/javascript" strings: $ref = /var [a-zA-Z_]{1,256} = \(/ condition: - obfs_probably_js and #ref > 64 + #ref > 64 } rule many_complex_var_high: high { meta: description = "excessive complex variable declarations" + filetypes = "application/javascript" strings: $ref = /var [a-zA-Z_]{1,256} = \(.{1,64}/ condition: - obfs_probably_js and #ref > 400 + #ref > 400 } rule many_static_map_lookups: medium { meta: description = "contains large number of static map lookups" + filetypes = "application/javascript" strings: $ref = /\[[\"\'][a-z]{1,32}[\"\']\]/ condition: - obfs_probably_js and #ref > 128 + #ref > 128 } rule obfuscated_map_to_array_conversions: high { meta: description = "obfuscated map to array conversions" + filetypes = "application/javascript" strings: $ref = /\[[\"\'a-z]{1,32}\]\s{0,2}\+\s{0,2}\[\]\)\[\d{1,4}\]/ condition: - obfs_probably_js and #ref > 32 + #ref > 32 } rule large_obfuscated_array: high { meta: description = "contains large obfuscated arrays" + filetypes = "application/javascript" strings: $ref = /[a-z]{32,256}=\[\]/ fullword $ref2 = /[a-z]{1,256}\[\'\w{32,2048}\'\]/ fullword condition: - obfs_probably_js and all of them + all of them } rule high_entropy_charAt: medium { meta: description = "high entropy javascript (>5.37) that uses charAt/substr/join loops" + filetypes = "application/javascript" strings: $ = "charAt(" @@ -351,5 +333,5 @@ rule high_entropy_charAt: medium { $ = "for(" condition: - obfs_probably_js and math.entropy(1, filesize) >= 5.37 and all of them + math.entropy(1, filesize) >= 5.37 and all of them } 
diff --git a/rules/anti-static/obfuscation/math.yara b/rules/anti-static/obfuscation/math.yara index 9a59fea3d..6a028e7a2 100644 --- a/rules/anti-static/obfuscation/math.yara +++ b/rules/anti-static/obfuscation/math.yara @@ -1,6 +1,7 @@ rule js_long_math: high { meta: description = "performs multiple rounds of long integer math" + filetypes = "application/javascript" strings: $f_function = "function" @@ -17,6 +18,7 @@ rule js_long_math: high { rule js_long_dumb_math: critical { meta: description = "performs multiple rounds of long dumb integer math" + filetypes = "application/javascript" strings: $f_function = "function" diff --git a/rules/anti-static/obfuscation/nodejs.yara b/rules/anti-static/obfuscation/nodejs.yara index 87517b991..b9b0fff55 100644 --- a/rules/anti-static/obfuscation/nodejs.yara +++ b/rules/anti-static/obfuscation/nodejs.yara @@ -1,6 +1,7 @@ rule nodejs_buffer_from: medium { meta: description = "loads arbitrary bytes from a buffer" + filetypes = "application/javascript,application/typescript" strings: $ref = /Buffer\.from\(\[[\d,]{8,63}\)/ @@ -12,6 +13,7 @@ rule nodejs_buffer_from: medium { rule nodejs_buffer_from_many: high { meta: description = "loads many arbitrary bytes from a buffer" + filetypes = "application/javascript,application/typescript" strings: $ref = /Buffer\.from\(\[[\d,]{63,2048}/ diff --git a/rules/anti-static/obfuscation/osascript.yara b/rules/anti-static/obfuscation/osascript.yara index e933d1d36..b0d1247f7 100644 --- a/rules/anti-static/obfuscation/osascript.yara +++ b/rules/anti-static/obfuscation/osascript.yara @@ -1,6 +1,7 @@ rule compiled_osascript: medium { meta: description = "compiled osascript" + filetypes = "application/x-applescript" strings: $s_sysoexec = "sysoexecTEXT" diff --git a/rules/anti-static/obfuscation/padding.yara b/rules/anti-static/obfuscation/padding.yara index 75da779f2..1973a3bb5 100644 --- a/rules/anti-static/obfuscation/padding.yara +++ b/rules/anti-static/obfuscation/padding.yara 
@@ -45,7 +45,7 @@ rule gzinflate_str_replace: critical { rule funky_function: critical { meta: description = "creatively hidden forms of the term 'function'" - filetypes = "php" + filetypes = "text/x-php" strings: $a = "'fu'.'nct'.'ion'" diff --git a/rules/anti-static/obfuscation/perl.yara b/rules/anti-static/obfuscation/perl.yara index b3774aa79..c914dff51 100644 --- a/rules/anti-static/obfuscation/perl.yara +++ b/rules/anti-static/obfuscation/perl.yara @@ -2,7 +2,7 @@ rule generic_obfuscated_perl: medium { meta: description = "Obfuscated PERL code" - filetypes = "pl" + filetypes = "text/x-perl" strings: $unpack_nospace = "pack'" fullword diff --git a/rules/anti-static/obfuscation/php.yara b/rules/anti-static/obfuscation/php.yara index a892daf0a..f0cffbe5f 100644 --- a/rules/anti-static/obfuscation/php.yara +++ b/rules/anti-static/obfuscation/php.yara @@ -3,7 +3,7 @@ rule php_obfuscation: high { description = "obfuscated PHP code" credit = "Ported from https://github.com/jvoisin/php-malware-finder" - filetypes = "php" + filetypes = "text/x-php" strings: $php = " 100 and none of ($not*) + filesize < 10MB and any of ($f*) and #trash in (filesize - 1024..filesize) > 100 and none of ($not*) } rule dumb_int_compares: high { meta: description = "compares arbitrary integers, likely encoding something" - filetypes = "py" + filetypes = "text/x-python" strings: $import = "import" fullword $decode_or_b64decode = /if \d{2,16} == \d{2,16}/ condition: - obfs_probably_python and filesize < 10MB and all of them + filesize < 10MB and all of them } rule py_lib_alias_val: medium { 
@@ -256,54 +251,57 @@ rule py_lib_alias_val: medium { rule multi_decode_3: high { meta: description = "multiple (3+) levels of decoding" - filetypes = "py" + filetypes = "text/x-python" strings: $return = "return" $decode_or_b64decode = /\.[b64]{0,3}decode\(.{0,256}\.[b64]{0,3}decode\(.{0,256}\.[b64]{0,3}decode/ condition: - obfs_probably_python and filesize < 10MB and all of them + filesize < 10MB and all of them } rule multi_decode: medium { meta: description = "multiple (2) levels of decoding" - filetypes = "py" + filetypes = "text/x-python" strings: $return = "return" $decode_or_b64decode = /\.[b64]{0,3}decode\(.{0,32}\.[b64]{0,3}decode\(/ condition: - obfs_probably_python and filesize < 10MB and all of them + filesize < 10MB and all of them } rule rename_requests: medium { meta: description = "imports 'requests' library and gives it another name" + filetypes = "text/x-python" strings: $ref = /import requests as \w{0,64}/ condition: - obfs_probably_python and filesize < 10MB and all of them + filesize < 10MB and all of them } rule rename_requests_2char: high { meta: description = "imports 'requests' library and gives it a shorter name" + filetypes = "text/x-python" strings: $ref = /import requests as \w{1,2}/ fullword condition: - obfs_probably_python and filesize < 32KB and all of them + filesize < 32KB and all of them } rule rename_os: high { meta: description = "imports 'os' library and gives it another name" + filetypes = "text/x-python" strings: $ref = /import os as \w{0,64}/ 
@@ -317,17 +315,19 @@ rule rename_os: high { rule rename_marshal: critical { meta: description = "imports 'marshal' library and gives it another name" + filetypes = "text/x-python" strings: $ref = /import marshal as \w{0,64}/ condition: - obfs_probably_python and filesize < 10MB and all of them + filesize < 10MB and all of them } rule rename_base64: critical { meta: description = "imports 'base64' library and gives it another name" + filetypes = "text/x-python" strings: $ref = /import base64 as \w{0,64}/ @@ -346,17 +346,19 @@ rule rename_base64: critical { rule rename_zlib: high { meta: description = "imports 'base64' library and gives it another name" + filetypes = "text/x-python" strings: $ref = /import zlib as \w{0,64}/ condition: - obfs_probably_python and filesize < 10MB and all of them + filesize < 10MB and all of them } rule too_many_lambdas_small: high { meta: description = "lambda based obfuscation" + filetypes = "text/x-python" strings: $ref = /lambda \W: \W [\+\-\*]/ @@ -368,17 +370,19 @@ rule too_many_lambdas_small: high { rule too_many_lambdas_large: high { meta: description = "lambda based obfuscation" + filetypes = "text/x-python" strings: $ref = /lambda \W: \W [\+\-\*]/ condition: - obfs_probably_python and filesize < 10MB and #ref > 100 + filesize < 10MB and #ref > 100 } rule lambda_funk: high { meta: description = "likely obfuscated with lambda functions" + filetypes = "text/x-python" strings: $ = "__builtins__.__dict__" @@ -389,12 +393,13 @@ rule lambda_funk: high { $ = ".decode('utf-8'))" condition: - obfs_probably_python and filesize < 10MB and 80 % of them + filesize < 10MB and 80 % of them } rule lambda_funk_high: high { meta: description = "obfuscated with lambda expressions" + filetypes = "text/x-python" strings: $ = "__builtins__.__dict__" 
@@ -411,6 +416,7 @@ rule lambda_funk_high: high { rule confusing_function_name: high { meta: description = "obfuscated with confusing function names" + filetypes = "text/x-python" strings: $def = /def [Il]{6,64}/ @@ -426,6 +432,7 @@ rule confusing_function_name: high { rule decompress_base64_entropy: high { meta: description = "hidden base64-encoded compressed content" + filetypes = "text/x-python" strings: $k_lzma = "lzma" @@ -439,36 +446,39 @@ rule decompress_base64_entropy: high { $b64decode_long = /b64decode\(\"[\+\=\w\/]{96}/ condition: - obfs_probably_python and filesize < 10MB and any of ($k*) and $b64decode_long and any of ($f*) + filesize < 10MB and any of ($k*) and $b64decode_long and any of ($f*) } rule join: low { meta: description = "joins array together with an empty delimiter" + filetypes = "text/x-python" strings: $join = "''.join(" $join_double = "\"\".join(" condition: - obfs_probably_python and any of them + any of them } rule join_chr_array: medium { meta: description = "joins lengthy character array" + filetypes = "text/x-python" strings: $ref = /[a-z]{1,64}\s{0,2}=\s{0,2}\[\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}\d{1,5},\s{0,2}/ $chr_int = "chr(int(" condition: - obfs_probably_python and join and all of them + join and all of them } rule join_chr_array_exec: high { meta: description = "joins lengthy character array and executes arbitrary code" + filetypes = "text/x-python" strings: $val = /exec\(\w{1,32}\)/ fullword @@ -480,6 +490,7 @@ rule join_chr_array_exec: high { rule join_chr_array_math: high { meta: description = "joins obfuscated character array" + filetypes = "text/x-python" strings: $ref2 = /chr\(int\([a-z]{1,32}\)\s{0,2}[\-\*\+\^]\s{0,2}\w{1,32}/ 
@@ -491,6 +502,7 @@ rule join_chr_array_math: high { rule join_chr_array_exec_math: critical { meta: description = "joins obfuscated character array and executes arbitrary code" + filetypes = "text/x-python" strings: $val = /exec\(\w{1,32}\)/ fullword @@ -508,12 +520,13 @@ rule urllib_as_int_array: critical { $urllib_dot2 = "117, 114, 108, 108, 105, 98, 46" condition: - obfs_probably_python and filesize < 10MB and any of them + filesize < 10MB and any of them } rule import_manipulator: critical { meta: description = "manipulates globals and imports into executing obfuscated code" + filetypes = "text/x-python" strings: $import = "__import__(" @@ -528,12 +541,13 @@ rule import_manipulator: critical { condition: // a91160135598f3decc8ca9f9b019dcc5e1d73e79ebe639548cd9ee9e6d007ea6 is the sha256 hash // for https://github.com/pypy/pypy/blob/main/lib-python/2.7/pickle.py - obfs_probably_python and filesize < 10MB and (hash.sha256(0, filesize) != "a91160135598f3decc8ca9f9b019dcc5e1d73e79ebe639548cd9ee9e6d007ea6") and all of them + filesize < 10MB and (hash.sha256(0, filesize) != "a91160135598f3decc8ca9f9b019dcc5e1d73e79ebe639548cd9ee9e6d007ea6") and all of them } rule bloated_hex_python: high { meta: description = "python script bloated with obfuscated content" + filetypes = "text/x-python" strings: $f_unhexlify = "unhexlify" fullword @@ -551,5 +565,5 @@ rule bloated_hex_python: high { $not_highlight = "highlight" condition: - obfs_probably_python and filesize > 512KB and filesize < 10MB and 90 % of ($f*) and none of ($not*) + filesize > 512KB and filesize < 10MB and 90 % of ($f*) and none of ($not*) } diff --git a/rules/anti-static/obfuscation/python_setuptools.yara b/rules/anti-static/obfuscation/python_setuptools.yara index ef38dd83f..167ae1c27 100644 --- a/rules/anti-static/obfuscation/python_setuptools.yara +++ b/rules/anti-static/obfuscation/python_setuptools.yara 
@@ -1,29 +1,13 @@
 import "math"
 
-private rule obfuscation_pythonSetup {
- strings:
- $if_distutils = /from distutils.core import .{0,32}setup/
- $if_setuptools = /from setuptools import .{0,32}setup/
- $i_setuptools = "import setuptools"
- $setup = "setup("
-
- $not_setup_example = ">>> setup("
- $not_setup_todict = "setup(**config.todict()"
- $not_import_quoted = "\"from setuptools import setup"
- $not_setup_quoted = "\"setup(name="
- $not_distutils = "from distutils.errors import"
-
- condition:
- filesize < 128KB and $setup and any of ($i*) and none of ($not*)
-}
-
 rule setuptools_builtins: medium {
 meta:
 description = "Python library installer that references builtins"
+ filetypes = "text/x-python"
 
 strings:
 $ref = "__builtins__" fullword
 
 condition:
- obfuscation_pythonSetup and $ref
+ any of them
 }
diff --git a/rules/anti-static/obfuscation/reverse.yara b/rules/anti-static/obfuscation/reverse.yara
index abc8c211a..169c64ac3 100644
--- a/rules/anti-static/obfuscation/reverse.yara
+++ b/rules/anti-static/obfuscation/reverse.yara
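Review bot: `setuptools_builtins` keeps the description "Python library installer that references builtins", but with `obfuscation_pythonSetup` deleted its condition is just `any of them` over a single `__builtins__` fullword string, so it now fires at medium on any Python file that mentions `__builtins__`, and the old `$not_*` exclusions for documentation samples (`>>> setup(`) are gone with it. marshal.yara in this same commit still gates `setuptools_py_marshal` on a `pySetup` private rule, so the installer context was evidently still wanted. Either restore that context here (`$setup = "setup("` plus `condition: filesize < 128KB and all of them`) or rename and redescribe the rule so the finding text matches what it actually detects.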
@@ -1,54 +1,7 @@
-private rule reverse_probably_js {
- strings:
- $f_Array = "Array.prototype" fullword
- $f_async = "async function"
- $f_await = "await"
- $f_catch = "} catch"
- $f_class = "@class"
- $f_const = /\bconst\s/
- $f_define = "define("
- $f_false = "false);"
- $f_function = /function\(\w{0,32}\)/
- $f_function2 = "function()"
- $f_method = "@method"
- $f_namespace = "@namespace"
- $f_Object = "Object."
- $f_param = "@param"
- $f_private = "@private"
- $f_promise = "Promise"
- $f_prototype = ".prototype"
- $f_require = "require("
- $f_return = /\breturn\s/
- $f_Run = ".Run("
- $f_run = ".run("
- $f_strict = " === "
- $f_this = "this."
- $f_this2 = "this["
- $f_true = "true);"
- $f_try = "try {"
- $f_var = /\bvar\s/
-
- $not_asyncio = "await asyncio"
- $not_class = /class \w{1,32}\(/ fullword
- $not_def = /def [a-zA-Z_][a-zA-Z0-9_]{1,32} \(/ ascii
- $not_equals_comment = "// ==="
- $not_error = "err error"
- $not_header = /^#ifndef\s/
- $not_header2 = /^#define\s/
- $not_header3 = /^#include\s/
- $not_import = /^import \(/
- $not_package = /^package\s/
- $not_self_assert_equal = "self.assertEqual("
- $not_struct = /^type \w{1,32} struct \{/ fullword
- $not_typedef = "typedef typename"
-
- condition:
- filesize < 5MB and 4 of ($f*) and none of ($not*)
-}
-
 rule string_reversal: medium {
 meta:
 description = "reverses strings"
+ filetypes = "text/x-python"
 
 strings:
 $ref = ".reverse().join(\"\")"
@@ -68,14 +21,15 @@ rule function_reversal: high {
 filesize < 1MB and any of them
 }
 
-rule js_reversal: critical {
+rule js_reversal: high {
 meta:
 description = "multiple reversed javascript calls"
+ filetypes = "application/javascript"
 
 strings:
 $ref = /n.{0,3}o.{0,3}i.{0,3}t.{0,3}c.{0,3}n.{0,3}u.{0,3}f/
 $ref2 = /n.{0,3}r.{0,3}u.{0,3}t.{0,3}e.{0,3}r/
 
 condition:
- reverse_probably_js and filesize < 1MB and all of them
+ filesize < 1MB and all of them
 }
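Review bot: `string_reversal` is tagged `filetypes = "text/x-python"`, but its only string, `.reverse().join("")`, is the JavaScript `Array.prototype.reverse().join("")` idiom — in Python `list.reverse()` returns `None`, so that chain does not occur in Python source, and the gate being removed here (`reverse_probably_js`) was JavaScript-specific. Use `filetypes = "application/javascript"` (adding `application/typescript` if the nodejs.yara convention is followed); otherwise any filetype-based filtering in report generation will drop this rule's real hits. The rest of `string_reversal`, including its condition, lies outside this hunk.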
diff --git a/rules/anti-static/obfuscation/sh.yara b/rules/anti-static/obfuscation/sh.yara index ce376313f..22b68c126 100644 --- a/rules/anti-static/obfuscation/sh.yara +++ b/rules/anti-static/obfuscation/sh.yara @@ -1,6 +1,7 @@ rule echo_base64_decode: high { meta: description = "echo and decode base64 text" + filetypes = "application/x-sh" strings: $ref = /echo [\w=\$]{2,256} {0,2}\| {0,2}base64 {0,2}(-d|--decode)/ fullword diff --git a/rules/anti-static/obfuscation/strtoi.yara b/rules/anti-static/obfuscation/strtoi.yara index 21e8806b2..f966d47fa 100644 --- a/rules/anti-static/obfuscation/strtoi.yara +++ b/rules/anti-static/obfuscation/strtoi.yara @@ -1,6 +1,7 @@ rule sketchy_parseint_math: medium { meta: description = "complex math and string to integer conversion" + filetypes = "application/javascript" strings: $m1 = /\d{2,16}[\-\+\*\^]\w{1,8}/ diff --git a/rules/anti-static/obfuscation/syscall.yara b/rules/anti-static/obfuscation/syscall.yara index 93f9ac006..123894e97 100644 --- a/rules/anti-static/obfuscation/syscall.yara +++ b/rules/anti-static/obfuscation/syscall.yara @@ -1,6 +1,7 @@ rule syscall: medium { meta: description = "directly invokes syscalls" + filetypes = "text/x-ruby" strings: $ruby = "ruby" fullword diff --git a/rules/anti-static/obfuscation/url.yara b/rules/anti-static/obfuscation/url.yara index a9a4f946e..e3937b28c 100644 --- a/rules/anti-static/obfuscation/url.yara +++ b/rules/anti-static/obfuscation/url.yara @@ -3,6 +3,7 @@ import "math" rule decode_url_component_char_code: critical { meta: description = "decodes obfuscated URL components" + filetypes = "application/javascript" strings: $ref = "decodeURIComponent" diff --git a/rules/anti-static/obfuscation/utf16.yara b/rules/anti-static/obfuscation/utf16.yara index bfc819549..aaeaac502 100644 --- a/rules/anti-static/obfuscation/utf16.yara +++ b/rules/anti-static/obfuscation/utf16.yara 
@@ -1,6 +1,7 @@ rule sketchy_fromCharCode_math: medium { meta: description = "complex math and utf16 code unit conversion" + filetypes = "application/javascript" strings: $m1 = /\d{2,16}[\-\+\*\^]\w{1,8}/ @@ -11,9 +12,10 @@ rule sketchy_fromCharCode_math: medium { filesize < 1MB and any of ($f*) and ((#m1 > 5) or (#m2 > 5)) } -rule static_charcode_math: critical { +rule static_charcode_math: high { meta: description = "assembles strings from character codes and static integers" + filetypes = "application/javascript" strings: $ref = /fromCharCode\(\d{1,16}\s{0,2}[\-\+\*\^]{1,2}\d{1,16}/ diff --git a/rules/anti-static/packer/aes.yara b/rules/anti-static/packer/aes.yara index 0c2cd6c6c..08e9b4b40 100644 --- a/rules/anti-static/packer/aes.yara +++ b/rules/anti-static/packer/aes.yara @@ -9,7 +9,7 @@ private rule smallBinary { rule go_aes: high { meta: description = "go binary packed with AES" - filetypes = "macho,elf" + filetypes = "application/x-mach-binary,application/x-elf" strings: $aes = "crypto/aes" @@ -19,4 +19,3 @@ rule go_aes: high { condition: smallBinary and math.entropy(1, filesize) >= 7 and all of them } - diff --git a/rules/anti-static/packer/blankobf.yara b/rules/anti-static/packer/blankobf.yara index a0ee0769c..3e19e4aaa 100644 --- a/rules/anti-static/packer/blankobf.yara +++ b/rules/anti-static/packer/blankobf.yara @@ -1,7 +1,7 @@ rule blankOBF: critical { meta: description = "packed with https://github.com/Blank-c/BlankOBF" - filetypes = "py" + filetypes = "text/x-python" strings: $obfus = "Obfuscated with BlankOBF" @@ -14,4 +14,3 @@ rule blankOBF: critical { condition: filesize < 1MB and any of them } - diff --git a/rules/anti-static/packer/cx_freeze.yara b/rules/anti-static/packer/cx_freeze.yara index 8b7adaea8..5831261f7 100644 --- a/rules/anti-static/packer/cx_freeze.yara +++ b/rules/anti-static/packer/cx_freeze.yara 
@@ -1,6 +1,7 @@ rule cxFreeze_Python_executable: high { meta: description = "uses cxFreeze packer" + filetypes = "text/x-python" strings: $cxfreeze = "cx_Freeze" diff --git a/rules/anti-static/packer/decompyle.yara b/rules/anti-static/packer/decompyle.yara index ff81480b8..bf10c24f0 100644 --- a/rules/anti-static/packer/decompyle.yara +++ b/rules/anti-static/packer/decompyle.yara @@ -2,7 +2,7 @@ rule py_kramer_packer: critical python { meta: description = "packed with Kramer" ref = "https://github.com/billythegoat356/Kramer" - filetypes = "py" + filetypes = "text/x-python" strings: $ = "Source Generated with Decompyle++" diff --git a/rules/anti-static/packer/ezuri.yara b/rules/anti-static/packer/ezuri.yara index 903a69e78..d56cecf6f 100644 --- a/rules/anti-static/packer/ezuri.yara +++ b/rules/anti-static/packer/ezuri.yara @@ -2,7 +2,7 @@ rule ezuri: critical { meta: description = "packed with Ezuri (AES)" hash = "3020810ea859787a9730de3df822caad3178a7179d587d6a96e303a3c159e714" - filetypes = "elf,macho" + filetypes = "application/x-mach-binary,application/x-elf" strings: $runFromMemory = "main.runFromMemory" fullword diff --git a/rules/anti-static/packer/kiteshield.yara b/rules/anti-static/packer/kiteshield.yara index ce3b029c8..4063f68d1 100644 --- a/rules/anti-static/packer/kiteshield.yara +++ b/rules/anti-static/packer/kiteshield.yara @@ -7,6 +7,7 @@ rule kiteshield: high { reference = "https://blog.xlab.qianxin.com/kiteshield_packer_is_being_abused_by_linux_cyber_threat_actors" tool = "Kiteshield" tool_repository = "https://github.com/GunshipPenguin/kiteshield" + filetypes = "application/x-elf" strings: $loader_jmp = { 31 D2 31 C0 31 C9 31 F6 31 FF 31 ED 45 31 C0 45 31 C9 45 31 D2 45 31 DB 45 31 E4 45 31 ED 45 31 F6 45 31 FF 5B FF E3 } diff --git a/rules/anti-static/packer/nuitka.yara b/rules/anti-static/packer/nuitka.yara index 5bcec14c5..b2a9fe68f 100644 --- a/rules/anti-static/packer/nuitka.yara +++ b/rules/anti-static/packer/nuitka.yara 
@@ -3,6 +3,7 @@ import "math" rule nuitka: critical { meta: description = "packed with Nuitka (Python compiler)" + filetypes = "text/x-python" strings: $old = "onefile_%PID%_%TIME%" diff --git a/rules/anti-static/packer/pe.yara b/rules/anti-static/packer/pe.yara index b17c434cd..c5d170e68 100644 --- a/rules/anti-static/packer/pe.yara +++ b/rules/anti-static/packer/pe.yara @@ -3,6 +3,7 @@ import "math" rule pe_packed: high windows { meta: description = "packed PE file (Windows EXE) with high entropy (>7)" + filetype = "application/vnd.microsoft.portable-executable" condition: uint16(0) == 0x5a4d and math.entropy(0, filesize) > 7 diff --git a/rules/anti-static/packer/py_kramer.yara b/rules/anti-static/packer/py_kramer.yara index c5e5aae4c..4e8af5ac2 100644 --- a/rules/anti-static/packer/py_kramer.yara +++ b/rules/anti-static/packer/py_kramer.yara @@ -2,7 +2,7 @@ rule kramer: critical { meta: description = "packed with Kramer" ref = "https://github.com/billythegoat356/Kramer" - filetypes = "py" + filetypes = "text/x-python" strings: $ = ".__init__...." @@ -21,7 +21,7 @@ rule py_kramer_packer2: critical python { meta: description = "packed with Kramer" ref = "https://github.com/billythegoat356/Kramer" - filetypes = "py" + filetypes = "text/x-python" strings: $ = "class Kramer():" @@ -38,7 +38,7 @@ rule py_kramer_packer3: critical python { meta: description = "packed with Kramer" ref = "https://github.com/billythegoat356/Kramer" - filetypes = "py" + filetypes = "text/x-python" strings: $ = "Kramer.__decode__" diff --git a/rules/anti-static/packer/py_vare.yara b/rules/anti-static/packer/py_vare.yara index fb53abc5a..251bfed96 100644 --- a/rules/anti-static/packer/py_vare.yara +++ b/rules/anti-static/packer/py_vare.yara @@ -1,7 +1,7 @@ rule Vare_Obfuscator: critical { meta: description = "obfuscated with https://github.com/saintdaddy/Vare-Obfuscator" - filetype = "py" + filetypes = "text/x-python" strings: $var = "__VareObfuscator__" 
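Review bot: `nuitka` is tagged `filetypes = "text/x-python"`, yet Nuitka compiles Python into a native executable and the `onefile_%PID%_%TIME%` marker this rule keys on appears to come from that compiled onefile bootstrap, not from a `.py` file. If report generation uses `filetypes` to filter or group findings, the rule will stop reporting on the ELF/PE/Mach-O samples it was written for. Tag it the way `go_aes` and `ezuri` are tagged in this commit, e.g. `filetypes = "application/x-elf,application/x-mach-binary,application/vnd.microsoft.portable-executable"`; the rule's remaining strings and condition are outside this hunk, so confirm against them.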
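Review bot: `pe_packed` adds the singular key `filetype = "application/vnd.microsoft.portable-executable"` while every other rule in this commit uses `filetypes` — the same patch even renames `filetype` to `filetypes` in elf/header.yara and py_vare.yara. If the report code reads `meta.filetypes`, this rule silently ends up with no type association. Change the line to `filetypes = "application/vnd.microsoft.portable-executable"`.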
diff --git a/rules/anti-static/packer/pycloak.yara b/rules/anti-static/packer/pycloak.yara index 73d8bba7c..13beeabb8 100644 --- a/rules/anti-static/packer/pycloak.yara +++ b/rules/anti-static/packer/pycloak.yara @@ -2,6 +2,7 @@ rule pycloak: critical { meta: description = "packed with pycloak" ref = "https://github.com/addi00000/pycloak" + filetypes = "text/x-python" strings: $ = "__builtins__.__dict__[__builtins__.__dict__" diff --git a/rules/anti-static/packer/pyobfuscate.yara b/rules/anti-static/packer/pyobfuscate.yara index a65759570..58ab681d7 100644 --- a/rules/anti-static/packer/pyobfuscate.yara +++ b/rules/anti-static/packer/pyobfuscate.yara @@ -1,6 +1,7 @@ rule pyobfuscate: high { meta: description = "uses 'pyobfuscate' packer" + filetypes = "text/x-python" strings: $def = "def" fullword diff --git a/rules/anti-static/packer/upx.yara b/rules/anti-static/packer/upx.yara index 762ceb7d4..e6dd78a6d 100644 --- a/rules/anti-static/packer/upx.yara +++ b/rules/anti-static/packer/upx.yara @@ -1,6 +1,7 @@ rule upx: high { meta: description = "Binary is packed with UPX" + filetype = "application/x-upx" strings: $u_upx_sig = "UPX!" @@ -15,6 +16,7 @@ rule upx: high { rule upx_elf: high { meta: description = "Linux ELF binary packed with UPX" + filetype = "application/x-upx" strings: $proc_self = "/proc/self/exe" @@ -28,6 +30,7 @@ rule upx_elf: high { rule upx_elf_tampered: critical { meta: description = "Linux ELF binary packed with modified UPX" + filetype = "application/x-upx" strings: $prot_exec = "PROT_EXEC|PROT_WRITE failed" diff --git a/rules/anti-static/unmarshal/marshal.yara b/rules/anti-static/unmarshal/marshal.yara index 4ce767fc6..86df4127e 100644 --- a/rules/anti-static/unmarshal/marshal.yara +++ b/rules/anti-static/unmarshal/marshal.yara @@ -14,6 +14,7 @@ private rule pySetup { rule unmarshal_py_marshal: medium { meta: description = "reads python values from binary content" + filetypes = "text/x-python" strings: $ref = "import marshal" 
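Review bot: All three UPX rules (`upx`, `upx_elf`, `upx_elf_tampered`) use the singular `filetype = "application/x-upx"`, whereas the rest of this commit keys on `filetypes`; rename the key so the report picks them up. Separately, `upx_elf` and `upx_elf_tampered` are described as Linux ELF binaries, and whether the detector reports a UPX-packed ELF as `application/x-upx` rather than `application/x-elf` is not visible here — if it does not, list both, `filetypes = "application/x-elf,application/x-upx"`, so the ELF-specific rules are not filtered away.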
@@ -25,6 +26,7 @@ rule unmarshal_py_marshal: medium { rule setuptools_py_marshal: suspicious { meta: description = "Python library installer that reads values from binary content" + filetypes = "text/x-python" condition: pySetup and unmarshal_py_marshal diff --git a/rules/c2/addr/ip.yara b/rules/c2/addr/ip.yara index d2e074f92..bc6576577 100644 --- a/rules/c2/addr/ip.yara +++ b/rules/c2/addr/ip.yara @@ -27,6 +27,7 @@ private rule ip_elf_or_macho { rule bin_hardcoded_ip: high { meta: description = "ELF with hardcoded IP address" + filetypes = "application/x-mach-binary,application/x-elf" strings: // stricter version of what's above: excludes 255.* and *.0.* *.1.*, and 8.* (likely Google) diff --git a/rules/c2/addr/url.yara b/rules/c2/addr/url.yara index 7b1595e08..941e09269 100644 --- a/rules/c2/addr/url.yara +++ b/rules/c2/addr/url.yara @@ -80,6 +80,7 @@ rule http_url_with_question: medium { rule binary_with_url: low { meta: description = "binary contains hardcoded URL" + filetypes = "application/x-mach-binary,application/x-elf" strings: $ref = /https*:\/\/[\w\.\/]{8,160}[\/\w\=\&]{0,32}/ @@ -91,6 +92,7 @@ rule binary_with_url: low { rule binary_url_with_question: high { meta: description = "binary contains hardcoded URL with question mark" + filetypes = "application/x-mach-binary,application/x-elf" strings: $ref = /https*:\/\/[\w\.\/]{8,160}\.(asp|php|exe|dll)\?[\w\=\&]{1,32}/ diff --git a/rules/c2/connect/bash_tcp.yara b/rules/c2/connect/bash_tcp.yara index fbb80a505..6ebc77599 100644 --- a/rules/c2/connect/bash_tcp.yara +++ b/rules/c2/connect/bash_tcp.yara @@ -1,6 +1,7 @@ rule bash_tcp: high { meta: description = "sends data via /dev/tcp (bash)" + filetypes = "application/x-sh,application/x-zsh" strings: $ref = /[\w \-\\<]{0,32}>"{0,1}\/dev\/tcp\/[\$\{\/\:\-\w\"]{0,32}/ diff --git a/rules/c2/discovery/ip-dns_resolver.yara b/rules/c2/discovery/ip-dns_resolver.yara index c48923497..0689e72ca 100644 --- a/rules/c2/discovery/ip-dns_resolver.yara 
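Review bot: The filetypes added to bin_hardcoded_ip name both Mach-O and ELF, but the description directly above still reads `ELF with hardcoded IP address`, so the two fields now disagree in the generated report. Suggested: `description = "ELF or Mach-O binary with hardcoded IP address"`. The rule's condition is outside the hunk, though the hunk header's `private rule ip_elf_or_macho` suggests both formats are already accepted there.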
+++ b/rules/c2/discovery/ip-dns_resolver.yara @@ -3,8 +3,32 @@ rule google_dns_ip: medium { description = "contains Google Public DNS resolver IP" strings: - $primary = "8.8.8.8" - $secondary = "8.8.4.4" + $primary = "8.8.8.8" + $secondary = "8.8.4.4" + $primary_6 = "2001:4860:4860::8888" + $secondary_6 = "2001:4860:4860::8844" + + condition: + any of them +} + +rule cloudflare_dns_ip: medium { + meta: + description = "contains Cloudflare DNS resolver IP" + + strings: + $primary = "1.1.1.1" + $primary_6 = "2606:4700:4700::1111" + $secondary = "1.0.0.1" + $secondary_6 = "2606:4700:4700::1001" + $tertiary = "1.1.1.2" + $tertiary_6 = "2606:4700:4700::1112" + $quaternary = "1.0.0.2" + $quaternary_6 = "2606:4700:4700::1002" + $quinary = "1.1.1.3" + $quinary_6 = "2606:4700:4700::1113" + $senary = "1.0.0.3" + $senary_6 = "2606:4700:4700::1003" condition: any of them @@ -27,8 +51,10 @@ rule ctrld_ip: high { description = "contains 'Control D' DNS resolver IP" strings: - $primary = "76.76.2.0" - $secondary = "76.76.10.0" + $primary = "76.76.2.0" + $primary_6 = "2606:1a40::" + $secondary = "76.76.10.0" + $secondary_6 = "2606:1a40:1::" condition: any of them @@ -39,8 +65,10 @@ rule quad9_ip: medium { description = "contains Quad9 DNS resolver IP" strings: - $primary = "9.9.9.9" - $secondary = "149.112.112.112" + $primary = "9.9.9.9" + $primary_6 = "2620:fe::fe" + $secondary = "149.112.112.112" + $seconday_6 = "2620:fe::9" condition: any of them diff --git a/rules/c2/tool_transfer/chmod_dropper.yara b/rules/c2/tool_transfer/chmod_dropper.yara index c07e33e44..825b62ced 100644 --- a/rules/c2/tool_transfer/chmod_dropper.yara +++ b/rules/c2/tool_transfer/chmod_dropper.yara @@ -1,7 +1,7 @@ rule chmod_77x_dropper: critical { meta: description = "transfers program, uses dangerous permissions, and possibly runs a binary" - filetypes = "macho,elf" + filetypes = "application/x-mach-binary,application/x-elf" strings: $chmod = /chmod [\-\w ]{0,3}77[750] [ \$\@\w\/\.]{0,64}/ 
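Review bot: In the new cloudflare_dns_ip rule the IPv4 literals `1.1.1.1`, `1.0.0.1`, `1.1.1.2` and the rest are plain substrings, so they also match inside longer addresses such as 11.1.1.1 or 1.0.0.10 and inside four-part version strings, which are common in package metadata; at medium severity this will be noisy. Adding `fullword` to the IPv4 strings, e.g. `$primary = "1.1.1.1" fullword`, removes the longer-address cases at no cost to the intended matches. The IPv6 literals are long enough not to need it.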
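Review bot: The quad9_ip hunk names its new IPv6 string `$seconday_6` (missing an r) where the sibling rules in this file use `$secondary_6`; it still matches under `any of them`, but the identifier is what appears in match output and it breaks the naming pattern. Suggested: replace `$seconday_6 = "2620:fe::9"` with `$secondary_6 = "2620:fe::9"`.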
@@ -21,7 +21,7 @@ rule chmod_77x_dropper: critical { rule chmod_executable_shell_binary: high { meta: description = "executable makes another file executable" - filetypes = "macho,elf" + filetypes = "application/x-mach-binary,application/x-elf" strings: $chmod = /chmod [\-\w ]{0,4}\+[rw]{0,2}x[ \$\@\w\/\.]{0,64}/ diff --git a/rules/c2/tool_transfer/js.yara b/rules/c2/tool_transfer/js.yara index 97c8ea8d2..6cf41982c 100644 --- a/rules/c2/tool_transfer/js.yara +++ b/rules/c2/tool_transfer/js.yara @@ -1,6 +1,7 @@ rule javascript_dropper: critical { meta: description = "Javascript dropper" + filetypes = "application/javascript" strings: $lh = /require\(['"]https{0,1}['"]\)/ diff --git a/rules/c2/tool_transfer/macos.yara b/rules/c2/tool_transfer/macos.yara index 7c46ca6c1..f86a5cc2a 100644 --- a/rules/c2/tool_transfer/macos.yara +++ b/rules/c2/tool_transfer/macos.yara @@ -12,7 +12,7 @@ rule macos_chflags_hidden: critical { meta: description = "dropper that hides it's payload using chflags" hash = "e064158742c9a5f451e69b02e83eea9fb888623fafe34ff5b38036901d8419b4" - filetypes = "macho" + filetypes = "application/x-mach-binary" strings: $c_curl = "curl" fullword @@ -26,7 +26,8 @@ rule macos_chflags_hidden: critical { rule cocoa_bundle_dropper: critical { meta: - ref = "https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos" + ref = "https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos" + filetypes = "application/x-mach-binary" strings: $bundle = "NSBundle" fullword diff --git a/rules/c2/tool_transfer/npm.yara b/rules/c2/tool_transfer/npm.yara index 07988bddb..237515560 100644 --- a/rules/c2/tool_transfer/npm.yara +++ b/rules/c2/tool_transfer/npm.yara @@ -2,6 +2,7 @@ rule npm_dropper: critical { meta: description = "NPM binary dropper" ref = "https://www.reversinglabs.com/blog/a-lurking-npm-package-makes-the-case-for-open-source-health-checks" + filetypes = "application/javascript,application/typescript" strings: $npm_format = /"format":/ 
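Review bot: The cocoa_bundle_dropper hunk in macos.yara reworks the meta block but the rule still has no `description`, unlike every other rule touched in this commit, so the report column for this rule will be empty. Something grounded in the rule name, such as `description = "macOS Cocoa bundle dropper"`, would fill it. The rule's strings and condition are outside the hunk.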
diff --git a/rules/c2/tool_transfer/osascript.yara b/rules/c2/tool_transfer/osascript.yara index 50e78c0ca..85116a2bb 100644 --- a/rules/c2/tool_transfer/osascript.yara +++ b/rules/c2/tool_transfer/osascript.yara @@ -1,6 +1,7 @@ rule osascript_dropper: high { meta: description = "osascript dropper" + filetypes = "application/x-applescript" strings: $c_osascript = "osascript" fullword diff --git a/rules/c2/tool_transfer/php.yara b/rules/c2/tool_transfer/php.yara index 599a8a437..b3217718b 100644 --- a/rules/c2/tool_transfer/php.yara +++ b/rules/c2/tool_transfer/php.yara @@ -1,6 +1,7 @@ rule php_copy_url: high { meta: - ref = "kinsing" + ref = "kinsing" + filetypes = "text/x-php" strings: $php = "]{0,64} &/ @@ -109,6 +124,7 @@ rule nohup_bash_background: high { rule fetch_pipe_shell_value: medium { meta: description = "fetches content and pipes it to a shell" + filetypes = "application/x-sh,application/x-zsh" strings: $wget_bash = /wget .{8,128}\| {0,2}bash/ @@ -123,6 +139,7 @@ rule fetch_pipe_shell_value: medium { rule fetch_chmod_execute: high { meta: description = "single line fetch, chmod, execute" + filetypes = "application/x-sh,application/x-zsh" strings: $wget = /wget .{8,64} \&\&.{0,64} chmod .{3,16} \&\& \.\/[\.\w]{1,16}/ @@ -135,6 +152,7 @@ rule fetch_chmod_execute: high { rule possible_dropper: high { meta: description = "download and execute a program" + filetypes = "application/x-sh,application/x-zsh" strings: $http = /https{0,1}:\/\/[\.\w\/\?\=\-]{1,64}/ @@ -154,6 +172,7 @@ rule possible_dropper: high { rule nohup_dropper: critical { meta: description = "downloads and executes a program with nohup" + filetypes = "application/x-sh,application/x-zsh" strings: $nohup = "nohup" fullword @@ -165,6 +184,7 @@ rule nohup_dropper: critical { rule obsessive_dropper: high { meta: description = "invokes multiple tools to download and execute a program" + filetypes = "application/x-sh,application/x-zsh" strings: $http = "http://" 
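Review bot: The shell-oriented rules here (fetch_pipe_shell_value, fetch_chmod_execute, possible_dropper, nohup_dropper, obsessive_dropper) are tagged `application/x-sh,application/x-zsh` only, yet the fetch-pipe-shell and fetch-chmod-execute one-liners they match are just as common in Dockerfiles, Makefiles, CI configuration and in string literals inside Python or Go source. If `filetypes` is ever used to gate evaluation rather than only annotate the report — the commit title suggests the latter, but nothing in this chunk confirms it — these rules would stop firing on exactly those inputs. Either way the key's intended semantics (annotation versus filter) are worth stating once where the key is documented, so later rule authors do not read it as an exhaustive list.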
diff --git a/rules/collect/archives/tar-command.yara b/rules/collect/archives/tar-command.yara index 400297f39..a910b0b34 100644 --- a/rules/collect/archives/tar-command.yara +++ b/rules/collect/archives/tar-command.yara @@ -1,6 +1,7 @@ rule tar_script: medium { meta: description = "script shells out to tar" + filetypes = "application/x-sh,application/x-zsh" strings: $a_tar_rX = /tar -r -X[\|\-\\\"\$\w\; ]{0,64}/ @@ -14,6 +15,7 @@ rule tar_script: medium { rule local_tar: medium { meta: description = "command archives current directory" + filetypes = "application/x-sh,application/x-zsh" strings: $a_tar_c = /tar -c\w{0,8} \. [\|\-\\\"\$\w\; ]{0,64}/ @@ -25,6 +27,7 @@ rule local_tar: medium { rule collect_executable_calls_archive_tool: high { meta: description = "command shells out to tar" + filetypes = "application/x-sh,application/x-zsh" strings: $a_tar_c = /tar -c\w{0,8} \. [\|\-\\\"\$\w\; ]{0,64}/ diff --git a/rules/collect/localstorage.yara b/rules/collect/localstorage.yara index 6048f1bbf..1d95ddddc 100644 --- a/rules/collect/localstorage.yara +++ b/rules/collect/localstorage.yara @@ -1,6 +1,7 @@ rule localstorage: medium { meta: description = "accesses browser local storage" + filetypes = "application/javascript" strings: $ref = "localStorage.get" diff --git a/rules/data/builtin/kernel_module.yara b/rules/data/builtin/kernel_module.yara index 6cc4b3420..754cbef40 100644 --- a/rules/data/builtin/kernel_module.yara +++ b/rules/data/builtin/kernel_module.yara @@ -2,7 +2,7 @@ rule kmod: medium linux { meta: description = "Linux kernel module source code" - filetypes = "c,h" + filetypes = "text/x-c,text/x-h" strings: $ref = "" diff --git a/rules/data/encoding/json-encode.yara b/rules/data/encoding/json-encode.yara index cc7a5b5e3..04802aee5 100644 --- a/rules/data/encoding/json-encode.yara +++ b/rules/data/encoding/json-encode.yara 
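Review bot: The kmod hunk introduces `text/x-h`, which is not a type I recognise from common detectors (libmagic generally reports C headers as `text/x-c`); unless programkind.go — changed in this commit but outside this chunk — emits exactly that string, the value is dead. The same concern applies to `text/x-systemd` in the four systemd hunks at the end of this chunk. If programkind does define these project-specific types, a short comment next to the definition listing them would help rule authors pick the right one.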
@@ -24,7 +24,7 @@ rule MarshalJSON: harmless { rule json_dumps: low { meta: description = "encodes JSON" - filetypes = "py" + filetypes = "text/x-python" strings: $jsone = "json" fullword diff --git a/rules/evasion/rootkit/kernel.yara b/rules/evasion/rootkit/kernel.yara index 3c7848893..a7c39658b 100644 --- a/rules/evasion/rootkit/kernel.yara +++ b/rules/evasion/rootkit/kernel.yara @@ -3,7 +3,7 @@ rule linux_kernel_module_getdents64: critical linux { description = "kernel module that intercepts directory listing" ref = "https://github.com/m0nad/Diamorphine" - filetypes = "elf,so" + filetypes = "application/x-elf,application/x-sharedlib" strings: $getdents64 = "getdents64" @@ -17,7 +17,7 @@ rule linux_kernel_module_getdents64: critical linux { rule linux_kernel_module_orig: high linux { meta: description = "kernel module that intercepts directory listing and signals" - filetypes = "elf,so" + filetypes = "application/x-elf,application/x-sharedlib" strings: $getdents64 = "orig_getdents64" @@ -43,7 +43,7 @@ rule lkm_dirent: high { meta: description = "kernel rootkit designed to hide files (linux_dirent)" - filetypes = "so" + filetypes = "application/x-sharedlib" strings: $l_dirent = "linux_dirent" diff --git a/rules/evasion/rootkit/userspace.yara b/rules/evasion/rootkit/userspace.yara index 5ec94043e..7669564c7 100644 --- a/rules/evasion/rootkit/userspace.yara +++ b/rules/evasion/rootkit/userspace.yara @@ -1,7 +1,7 @@ rule readdir_intercept_source: high { meta: description = "userland rootkit source designed to hide files (DECLARE_READDIR)" - filetypes = "so,c" + filetypes = "application/x-sharedlib,text/x-c" strings: $declare = "DECLARE_READDIR" @@ -14,7 +14,7 @@ rule readdir_intercept_source: high { rule hide_dir_contents: high { meta: description = "userland rootkit source designed to hide files" - filetypes = "so,c" + filetypes = "application/x-sharedlib,text/x-c" strings: $readdir64 = "readdir64" 
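Review bot: The kernel.yara hunks tag the kernel-module rules (linux_kernel_module_getdents64, linux_kernel_module_orig) with `application/x-elf,application/x-sharedlib`, a literal translation of the old `elf,so`, while the init_module hunk later in this chunk maps `ko` to `application/x-object`. If loadable modules are classified as `application/x-object`, these rules' filetypes would omit the very artefact they describe; for consistency consider `filetypes = "application/x-object,application/x-elf,application/x-sharedlib"`. How programkind classifies .ko files cannot be verified from this chunk.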
@@ -32,7 +32,7 @@ rule readdir_intercept: high { meta: description = "userland rootkit designed to hide files (readdir64)" - filetypes = "so,c" + filetypes = "application/x-sharedlib,text/x-c" strings: $r_new65 = "readdir64" fullword @@ -50,7 +50,7 @@ rule readdir_dlsym_interceptor: high { meta: description = "userland rootkit designed to hide files (readdir64+readlink)" - filetypes = "so,c" + filetypes = "application/x-sharedlib,text/x-c" strings: $f_dlsym = "dlsym" fullword @@ -68,7 +68,7 @@ rule readdir_tcp_wrapper_intercept: high { meta: description = "userland rootkit designed to hide files and bypass tcp-wrappers" ref = "https://github.com/ldpreload/Medusa" - filetypes = "so,c" + filetypes = "application/x-sharedlib,text/x-c" strings: $r_new65 = "readdir64" fullword @@ -105,7 +105,7 @@ rule medusa_like_ld_preload: critical linux { rule linux_rootkit_terms: critical linux { meta: description = "appears to be a Linux rootkit" - filetypes = "elf,so" + filetypes = "application/x-elf,application/x-sharedlib" strings: $s_Rootkit = "Rootkit" diff --git a/rules/exec/cmd/cmd.yara b/rules/exec/cmd/cmd.yara index 59f397835..0ccdb4ac3 100644 --- a/rules/exec/cmd/cmd.yara +++ b/rules/exec/cmd/cmd.yara @@ -15,7 +15,7 @@ rule exec: medium { rule ruby_exec: medium { meta: description = "executes a command" - filetypes = "rb" + filetypes = "text/x-ruby" strings: $require = "require" fullword @@ -28,7 +28,7 @@ rule ruby_exec: medium { rule ruby_run_exe: high { meta: description = "runs an executable program" - filetypes = "rb" + filetypes = "text/x-ruby" strings: $require = "require" fullword @@ -41,7 +41,7 @@ rule ruby_run_exe: high { rule java_process_builder: medium { meta: description = "runs an external program" - filetypes = "java,jar" + filetypes = "text/x-java,application/java-archive" strings: $lang = "java/lang/Process" 
@@ -55,7 +55,7 @@ rule java_process_builder: medium { rule java_exec: medium { meta: description = "runs an external program" - filetypes = "java,jar" + filetypes = "text/x-java,application/java-archive" strings: $lang = "java/lang/Runtime" diff --git a/rules/exec/cmd/npm_preinstall.yara b/rules/exec/cmd/npm_preinstall.yara index 5fdfbb25b..278e2f643 100644 --- a/rules/exec/cmd/npm_preinstall.yara +++ b/rules/exec/cmd/npm_preinstall.yara @@ -1,7 +1,7 @@ rule npm_node_preinstall: medium { meta: description = "preinstall is run under a separate node process" - filetypes = "json" + filetypes = "application/json" strings: $ref = /\s{2,8}"preinstall": ".{0,256}node \.\/preinstall\.js.{1,32}/ @@ -13,7 +13,7 @@ rule npm_node_preinstall: medium { rule npm_preinstall_command: high { meta: description = "NPM preinstall runs an external command" - filetypes = "json" + filetypes = "application/json" strings: $ref = /\s{2,8}"preinstall": ".{12,256}/ @@ -24,7 +24,7 @@ rule npm_preinstall_command: high { rule npm_preinstall_command_dev_null: high { meta: - filetypes = "json" + filetypes = "application/json" description = "NPM preinstall runs an external command, hiding output" strings: @@ -37,7 +37,7 @@ rule npm_preinstall_command_dev_null: high { rule npm_preinstall_curl: critical { meta: description = "NPM preinstall runs curl" - filetypes = "json" + filetypes = "application/json" strings: $ref = /\s{2,8}"preinstall": ".{12,256}curl .{12,256}/ @@ -45,4 +45,3 @@ rule npm_preinstall_curl: critical { condition: filesize < 1KB and $ref } - diff --git a/rules/exec/dylib/replace.yara b/rules/exec/dylib/replace.yara index c9065c57f..48ecc626f 100644 --- a/rules/exec/dylib/replace.yara +++ b/rules/exec/dylib/replace.yara @@ -1,7 +1,7 @@ rule java_replacement_class: medium java { meta: description = "runtime override of a class" - filetypes = "class,java" + filetypes = "application/java-vm,text/x-jav" strings: $replace = "loadReplacementClass" 
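Review bot: The java_replacement_class hunk writes `text/x-jav`, dropping the final letter; the java rules in cmd.yara earlier in this chunk use `text/x-java`. Suggested: `filetypes = "application/java-vm,text/x-java"`. Nothing validates these values at rule-load time, so a unit test that checks each rule's filetypes against programkind's type list would stop this class of typo from reaching a release.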
diff --git a/rules/exec/imports/python.yara b/rules/exec/imports/python.yara index ad0b44153..e33609b38 100644 --- a/rules/exec/imports/python.yara +++ b/rules/exec/imports/python.yara @@ -26,7 +26,7 @@ rule python_code_as_chr_int: critical { rule single_line_import: medium { meta: description = "imports built-in and executes more code on the same line" - filetypes = "python" + filetypes = "text/x-python" strings: $ref = /import [a-z0-9]{0,8};/ @@ -38,7 +38,7 @@ rule single_line_import: medium { rule single_line_import_multiple: high { meta: description = "imports multiple built-ins on the same line" - filetypes = "python" + filetypes = "text/x-python" strings: $ref = /import [a-z0-9]{0,8}; {0,2}import [a-z0-9]{0,8}; {0,2}/ @@ -50,7 +50,7 @@ rule single_line_import_multiple: high { rule single_line_import_multiple_comma: medium { meta: description = "imports multiple comma spearated built-ins" - filetypes = "python" + filetypes = "text/x-python" strings: $ref2 = /import \w{2,8},\w{2,8},\w{2,8},[\w,]{0,64}/ diff --git a/rules/exec/install_additional/pip_install.yara b/rules/exec/install_additional/pip_install.yara index cde6c1c1f..937a198fe 100644 --- a/rules/exec/install_additional/pip_install.yara +++ b/rules/exec/install_additional/pip_install.yara @@ -26,7 +26,7 @@ rule pip_installer: medium { meta: description = "Installs software using pip from python" - filetypes = "py,pyc,sh" + filetypes = "text/x-python,application/x-python-code,application/x-sh" strings: $ref = /pip3{0,1}[ \'\"\,]{0,5}install[ \'\"\,]{0,5}[\w\-\_\%]{0,32}/ @@ -39,7 +39,7 @@ rule pip_installer_fernet: critical { meta: description = "Installs fernet crypto package using pip" ref = "https://checkmarx.com/blog/over-170k-users-affected-by-attack-using-fake-python-infrastructure/" - filetypes = "py,pyc" + filetypes = "text/x-python,application/x-python-code" strings: $ref = /pip.{1,5}install.{1,4}fernet/ 
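Review bot: pip_installer translates the old `sh` to `application/x-sh` alone, while the other shell rules in this commit (bash_tcp, fetch_pipe_shell_value, the tar rules) pair it with `application/x-zsh`; the pip_installer_url hunk on the next line does the same. If both types are meant to denote "shell script", the two pip rules should carry the same pair, `filetypes = "text/x-python,application/x-python-code,application/x-sh,application/x-zsh"`; if the omission is deliberate, a comment saying why would prevent it being "fixed" later.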
@@ -52,7 +52,7 @@ rule pip_installer_url: critical { meta: description = "Installs Python package from hardcoded URL" ref = "https://checkmarx.com/blog/over-170k-users-affected-by-attack-using-fake-python-infrastructure/" - filetypes = "py,pyc,sh" + filetypes = "text/x-python,application/x-python-code,application/x-sh" strings: $ref = /pip.{1,5}install.{1,4}https{0,1}:\/\/.{0,64}/ @@ -64,7 +64,7 @@ rule pip_installer_url: critical { rule pip_installer_socket: critical { meta: description = "Installs socket library using pip" - filetypes = "py,pyc" + filetypes = "text/x-python,application/x-python-code" strings: $ref = /pip.{1,5}install.{1,4}socket/ @@ -76,7 +76,7 @@ rule pip_installer_socket: critical { rule pip_installer_requests: high { meta: description = "Installs requests library using pip" - filetypes = "py,pyc" + filetypes = "text/x-python,application/x-python-code" strings: $ref = /pip.{1,5}install.{1,4}requests/ @@ -88,7 +88,7 @@ rule pip_installer_requests: high { rule pip_installer_sus: high { meta: description = "Installs libraries using pip" - filetypes = "py,pyc" + filetypes = "text/x-python,application/x-python-code" strings: $crypto = "Crypto.Cipher" diff --git a/rules/exec/remote_commands/code_eval.yara b/rules/exec/remote_commands/code_eval.yara index b8622527b..4a7d7031e 100644 --- a/rules/exec/remote_commands/code_eval.yara +++ b/rules/exec/remote_commands/code_eval.yara 
@@ -1,71 +1,9 @@ import "math" -private rule eval_probably_js { - strings: - $f_Array = "Array.prototype" fullword - $f_async = "async function" - $f_await = "await" - $f_catch = "} catch" - $f_class = "@class" - $f_const = /\bconst\s/ - $f_define = "define(" - $f_false = "false);" - $f_function = /function\(\w{0,32}\)/ - $f_function2 = "function()" - $f_method = "@method" - $f_namespace = "@namespace" - $f_Object = "Object." - $f_param = "@param" - $f_private = "@private" - $f_promise = "Promise" - $f_prototype = ".prototype" - $f_require = "require(" - $f_return = /\breturn\s/ - $f_Run = ".Run(" - $f_run = ".run(" - $f_strict = " === " - $f_this = "this." - $f_this2 = "this[" - $f_true = "true);" - $f_try = "try {" - $f_var = /\bvar\s/ - - $not_asyncio = "await asyncio" - $not_class = /class \w{1,32}\(/ fullword - $not_def = /def [a-zA-Z_][a-zA-Z0-9_]{1,32} \(/ ascii - $not_equals_comment = "// ===" - $not_error = "err error" - $not_header = /^#ifndef\s/ - $not_header2 = /^#define\s/ - $not_header3 = /^#include\s/ - $not_import = /^import \(/ - $not_package = /^package\s/ - $not_self_assert_equal = "self.assertEqual(" - $not_struct = /^type \w{1,32} struct \{/ fullword - $not_typedef = "typedef typename" - - condition: - filesize < 5MB and 4 of ($f*) and none of ($not*) -} - -private rule eval_probably_python { - strings: - $import = "import " - $f_common = /\s(def|if|with|else|try|except:) / - $f_exotic = /exec\(|b64decode|bytes\(/ - $f_for = /for [a-z] in/ - $f_join = ".join(" - $f_requests = /(from|import) requests/ - $f_requests2 = "requests." - $f_subprocess = /subprocess.(Popen|run)/ - - condition: - filesize < 10MB and ($import in (1..1024) or any of ($f*)) -} - rule js_eval: medium { meta: description = "evaluate code dynamically using eval()" + filetypes = "application/javascript" strings: $val = /eval\([\.\+ _a-zA-Z\"\'\(\,\)]{1,32}/ fullword 
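Review bot: Deleting the private rules eval_probably_js and eval_probably_python removes the only language gating these rules had, and the replacement `filetypes` entries are YARA metadata, which has no effect on matching. Unless the scanner now filters rules by filetypes before evaluation — the commit title speaks of report generation, and nothing in this chunk shows such a filter — js_eval, js_eval_fx_str and the python_exec family will fire on any file containing `eval(` or `exec(`, including PHP, shell and Perl sources and the JavaScript-versus-Python cross-over the heuristics existed to prevent. The same substitution is made in the three following hunks of code_eval.yara. If the gating is meant to move into the engine, a scan testdata fixture with a non-JavaScript file containing `eval(` would demonstrate it; if not, the private rules should stay and simply gain the new meta.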
@@ -73,69 +11,75 @@ rule js_eval: medium { $not_empty = "eval()" condition: - eval_probably_js and filesize < 1MB and any of ($val*) and none of ($not*) + filesize < 1MB and any of ($val*) and none of ($not*) } rule js_eval_fx_str: high { meta: description = "evaluate processed string using eval()" + filetypes = "application/javascript" strings: $val = /eval\(\w{0,16}\([\"\'].{0,16}/ condition: - eval_probably_js and filesize < 1MB and any of ($val*) + filesize < 1MB and any of ($val*) } rule js_eval_fx_str_multiple: critical { meta: description = "multiple evaluations of processed string using eval()" + filetypes = "application/javascript" strings: $val = /eval\(\w{0,16}\([\"\'].{0,16}/ condition: - eval_probably_js and filesize < 1MB and #val > 1 + filesize < 1MB and #val > 1 } rule js_eval_response: critical { meta: description = "executes code directly from HTTP response" + filetypes = "application/javascript" strings: $val = /eval\(\w{0,16}\.responseText\)/ condition: - eval_probably_js and filesize < 1MB and any of ($val*) + filesize < 1MB and any of ($val*) } rule js_eval_near_enough_fromChar: high { meta: description = "Likely executes encrypted content" + filetypes = "application/javascript" strings: $exec = /[\s\{]eval\(/ $decrypt = "String.fromCharCode" condition: - eval_probably_js and filesize < 5MB and all of them and math.abs(@exec - @decrypt) > 384 + filesize < 5MB and all of them and math.abs(@exec - @decrypt) > 384 } rule js_eval_obfuscated_fromChar: critical { meta: description = "Likely executes encrypted content" + filetypes = "application/javascript" strings: $exec = /[\s\{]eval\(/ $ref = /fromCharCode\(\w{0,16}\s{0,2}[\-\+\*\^]{0,2}\w{0,16}/ condition: - eval_probably_js and filesize < 5MB and all of them and math.abs(@exec - @ref) > 384 + filesize < 5MB and all of them and math.abs(@exec - @ref) > 384 } rule python_exec: medium { meta: description = "evaluate code dynamically using exec()" + filetypes = "text/x-python" strings: $f_import = 
"import" fullword @@ -147,70 +91,76 @@ rule python_exec: medium { $empty = "exec()" condition: - eval_probably_python and filesize < 1MB and any of ($f*) and $val and not $empty + filesize < 1MB and any of ($f*) and $val and not $empty } rule python_exec_near_enough_chr: high { meta: description = "Likely executes encoded character content" + filetypes = "text/x-python" strings: $exec = "exec(" $chr = "chr(" condition: - eval_probably_python and all of them and math.abs(@chr - @exec) < 768 + all of them and math.abs(@chr - @exec) < 768 } rule python_exec_near_enough_fernet: high { meta: description = "Likely executes Fernet encrypted content" + filetypes = "text/x-python" strings: $exec = "exec(" $fernet = "Fernet(" condition: - eval_probably_python and all of them and math.abs(@exec - @fernet) < 768 + all of them and math.abs(@exec - @fernet) < 768 } rule python_exec_near_enough_decrypt: high { meta: description = "Likely executes encrypted content" + filetypes = "text/x-python" strings: $exec = /\bexec\(/ $decrypt = "decrypt(" condition: - eval_probably_python and all of them and math.abs(@exec - @decrypt) < 768 + all of them and math.abs(@exec - @decrypt) < 768 } rule python_exec_chr: critical { meta: description = "Executes encoded character content" + filetypes = "text/x-python" strings: $exec = /exec\(.{0,16}chr\(.{0,16}\[\d[\d\, ]{0,64}/ condition: - eval_probably_python and filesize < 512KB and all of them + filesize < 512KB and all of them } rule python_exec_bytes: critical { meta: description = "Executes a transformed bytestream" + filetypes = "text/x-python" strings: $exec = /exec\([\w\.\(]{0,16}\(b['"].{8,16}/ condition: - eval_probably_python and filesize < 512KB and all of them + filesize < 512KB and all of them } rule python_exec_complex: high { meta: description = "Executes code from a complex expression" + filetypes = "text/x-python" strings: $exec = /exec\([\w\. =]{1,32}\(.{0,8192}\)\)/ fullword 
@@ -219,23 +169,25 @@ rule python_exec_complex: high { $not_versioneer = "exec(VERSIONEER.decode(), globals())" condition: - eval_probably_python and filesize < 512KB and $exec and none of ($not*) + filesize < 512KB and $exec and none of ($not*) } rule python_exec_fernet: critical { meta: description = "Executes Fernet encrypted content" + filetypes = "text/x-python" strings: $exec = /exec\(.{0,16}Fernet\(.{0,64}/ condition: - eval_probably_python and filesize < 512KB and all of them + filesize < 512KB and all of them } rule shell_eval: medium { meta: description = "evaluate shell code dynamically using eval" + filetypes = "application/x-sh,application/x-zsh" strings: $val = /eval \$\w{0,64}/ fullword @@ -248,6 +200,7 @@ rule shell_eval: medium { rule php_create_function_no_args: high { meta: description = "dynamically creates PHP functions without arguments" + filetypes = "text/x-php" strings: $val = /create_function\([\'\"]{2},\$/ @@ -259,6 +212,7 @@ rule php_create_function_no_args: high { rule php_at_eval: critical { meta: description = "evaluates code in a way that suppresses errors" + filetypes = "text/x-php" strings: $at_eval = /@\beval\s{0,32}\(\s{0,32}(\$\w{0,32}|\.\s{0,32}"[^"]{0,32}"|\.\s{0,32}'[^']{0,32}'|\w+\(\s{0,32}\))/ @@ -271,6 +225,7 @@ rule php_at_eval: critical { rule npm_preinstall_eval: critical { meta: description = "NPM preinstall evaluates arbitrary code" + filetypes = "application/json" strings: $ref = /\s{2,8}"preinstall": ".{12,256}eval\([\w\.]{1,32}\).{0,256}"/ diff --git a/rules/exec/shell/command.yara b/rules/exec/shell/command.yara index e5f337286..4e08ce006 100644 --- a/rules/exec/shell/command.yara +++ b/rules/exec/shell/command.yara @@ -4,7 +4,7 @@ rule system: medium { syscalls = "fork,execl" ref = "https://man7.org/linux/man-pages/man3/system.3.html" - filetypes = "elf,macho" + filetypes = "application/x-elf,application/x-mach-binary" strings: $system = "system" fullword 
@@ -41,7 +41,7 @@ rule php_shell_exec: medium php { description = "execute a shell command" syscalls = "fork,execl" - filetypes = "php" + filetypes = "text/x-php" strings: $php = " 1MB and all of them } - diff --git a/rules/malware/family/lockscreen.yara b/rules/malware/family/lockscreen.yara index 7a3602333..8bed4ca2f 100644 --- a/rules/malware/family/lockscreen.yara +++ b/rules/malware/family/lockscreen.yara @@ -1,7 +1,7 @@ rule lockscreen_lol_miner: critical { meta: description = "Python/ScreenLocker" - filetypes = "py,pyc" + filetypes = "text/x-python,application/x-python-code" strings: $ = "Your computer has been locked!" diff --git a/rules/malware/family/lolminer.yara b/rules/malware/family/lolminer.yara index 9bf5f0fa3..6fd9765d9 100644 --- a/rules/malware/family/lolminer.yara +++ b/rules/malware/family/lolminer.yara @@ -1,7 +1,7 @@ rule lol_miner: critical { meta: description = "lolMiner (cryptocurrency miner)" - filetypes = "elf" + filetypes = "application/x-elf" ref = "https://github.com/Lolliedieb/lolMiner-releases" strings: diff --git a/rules/malware/family/mirai.yara b/rules/malware/family/mirai.yara index 5360c2575..a17632b96 100644 --- a/rules/malware/family/mirai.yara +++ b/rules/malware/family/mirai.yara @@ -1,7 +1,7 @@ rule mirai: critical linux { meta: description = "Mirai" - filetypes = "elf" + filetypes = "application/x-elf" ref = "https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/" strings: @@ -26,7 +26,7 @@ rule mirai: critical linux { rule mirai2: critical linux { meta: description = "Mirai" - filetypes = "elf" + filetypes = "application/x-elf" ref = "https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/" strings: @@ -48,7 +48,7 @@ rule mirai2: critical linux { rule mirai_helper: critical linux { meta: description = "Mirai DVR helper" - filetypes = "elf" + filetypes = "application/x-elf" ref = "https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/" strings: 
diff --git a/rules/malware/family/pawns.yara b/rules/malware/family/pawns.yara index 51cec05f4..3cb6667c2 100644 --- a/rules/malware/family/pawns.yara +++ b/rules/malware/family/pawns.yara @@ -2,7 +2,7 @@ rule iproyal_pawns: high { meta: description = "IPRoyal.Pawns (potentially unwanted application)" ref = "https://asec.ahnlab.com/en/37276/" - filetypes = "elf" + filetypes = "application/x-elf" strings: $gitlab = "gitlab.iproyal.dev/pawns/" diff --git a/rules/malware/family/poseidon_stealer.yara b/rules/malware/family/poseidon_stealer.yara index 82952ffa5..626094679 100644 --- a/rules/malware/family/poseidon_stealer.yara +++ b/rules/malware/family/poseidon_stealer.yara @@ -14,7 +14,7 @@ rule poseidon: high macos { meta: description = "Possible Poseidon infostealer" ref = "https://www.intego.com/mac-security-blog/poseidon-macos-malware-employs-new-tricks-targets-swiss-mac-users/" - filetypes = "macho" + filetypes = "application/x-mach-binary" strings: $le = "cEEE8max_sizeB8ue170006IS2_vEEmRKS2_" fullword @@ -31,7 +31,7 @@ rule poseidon_url: high macos { meta: description = "Poseidon Infostealer" ref = "https://www.intego.com/mac-security-blog/poseidon-macos-malware-employs-new-tricks-targets-swiss-mac-users/" - filetypes = "macho" + filetypes = "application/x-mach-binary" strings: $ref = "https://forked-project.com/check_updates" diff --git a/rules/malware/family/rustdoor.yara b/rules/malware/family/rustdoor.yara index a69e208d0..182203ec4 100644 --- a/rules/malware/family/rustdoor.yara +++ b/rules/malware/family/rustdoor.yara @@ -2,7 +2,7 @@ rule rustdoor: critical macos { meta: description = "Rustdoor" ref = "https://medium.com/s2wblog/rustdoor-and-gatedoor-a-new-pair-of-weapons-disguised-as-legitimate-software-by-suspected-34c94e558b40" - filetypes = "macho" + filetypes = "application/x-mach-binary" hash = "20b986b24d86d9a06746bdb0c25e21a24cb477acb36e7427a8c465c08d51c1e4" strings: 
@@ -19,7 +19,7 @@ rule rustdoor_v2: critical macos { meta: description = "Rustdoor v2" ref = "https://medium.com/s2wblog/rustdoor-and-gatedoor-a-new-pair-of-weapons-disguised-as-legitimate-software-by-suspected-34c94e558b40" - filetypes = "macho" + filetypes = "application/x-mach-binary" strings: $cfg_daemonize = { 64 61 65 6D 6F 6E 69 7A 65 } @@ -37,7 +37,7 @@ rule rustdoor_maybe: high { meta: description = "Possibly Rustdoor" ref = "https://medium.com/s2wblog/rustdoor-and-gatedoor-a-new-pair-of-weapons-disguised-as-legitimate-software-by-suspected-34c94e558b40" - filetypes = "macho" + filetypes = "application/x-mach-binary" strings: $botkill = { 62 6F 74 6B 69 6C 6C } diff --git a/rules/malware/framework/cobalt_strike.yara b/rules/malware/framework/cobalt_strike.yara index 25dcc9372..d0ac916a1 100644 --- a/rules/malware/framework/cobalt_strike.yara +++ b/rules/malware/framework/cobalt_strike.yara @@ -17,7 +17,7 @@ rule macho_cobaltstrike_beacon_syscalls: high darwin { ref = "https://www.virustotal.com/gui/file/5ab6f81898fb32e74bf9e6538713fc838f0c127f2bedb581f60623e8404ae4b1/community" sha256 = "5ab6f81898fb32e74bf9e6538713fc838f0c127f2bedb581f60623e8404ae4b1" description = "possible CobaltStrike beacon" - filetypes = "macho" + filetypes = "application/x-mach-binary" strings: $_atol = "@_atol" fullword diff --git a/rules/malware/framework/silver.yara b/rules/malware/framework/silver.yara index 46bf4f276..e5f2c2400 100644 --- a/rules/malware/framework/silver.yara +++ b/rules/malware/framework/silver.yara @@ -16,7 +16,7 @@ rule c2_implant_sliver_proto: critical { rule c2_implant_sliver_obfuscated: high { meta: description = "Possible Sliver Linux implant" - filetypes = "elf" + filetypes = "application/x-elf" strings: $coredump = ".CoreDump" diff --git a/rules/net/download/fetch.yara b/rules/net/download/fetch.yara index 31d7dacdf..5315b0e64 100644 --- a/rules/net/download/fetch.yara +++ b/rules/net/download/fetch.yara 
@@ -104,7 +104,7 @@ rule fetch_tool: medium { rule binary_calls_fetch_tool: high { meta: description = "binary calls fetch tool" - filetypes = "macho,elf" + filetypes = "application/x-mach-binary,application/x-elf" strings: $t_curl_O = /[a-z]url [-\w ]{0,8}-[oOk] [ \w\:\/\-\.\"]{0,32}/ diff --git a/rules/persist/kernel_module/module.yara b/rules/persist/kernel_module/module.yara index 464e7b174..4ec698b45 100644 --- a/rules/persist/kernel_module/module.yara +++ b/rules/persist/kernel_module/module.yara @@ -43,7 +43,7 @@ rule init_module: medium linux { syscall = "init_module" capability = "CAP_SYS_MODULE" - filetypes = "ko,elf,so" + filetypes = "application/x-object,application/x-elf,application/x-sharedlib" strings: $ref = "init_module" fullword @@ -51,4 +51,3 @@ rule init_module: medium linux { condition: filesize < 1MB and all of them } - diff --git a/rules/persist/kernel_module/symbol-lookup.yara b/rules/persist/kernel_module/symbol-lookup.yara index 62e0ecba3..38c214346 100644 --- a/rules/persist/kernel_module/symbol-lookup.yara +++ b/rules/persist/kernel_module/symbol-lookup.yara @@ -3,7 +3,7 @@ rule kallsyms_lookup: high linux { description = "access unexported kernel symbols" ref = "https://lwn.net/Articles/813350/" - filetypes = "so,elf" + filetypes = "application/x-sharedlib,application/x-elf" strings: $ref = "kallsyms_lookup_name" fullword @@ -29,7 +29,7 @@ rule kallsyms: medium linux { rule bpftrace: override linux { meta: description = "bpftrace" - filetypes = "so,elf" + filetypes = "application/x-sharedlib,application/x-elf" kallsyms = "medium" strings: diff --git a/rules/persist/systemd/execstart-elsewhere.yara b/rules/persist/systemd/execstart-elsewhere.yara index 8afad89bd..4a6f9c29b 100644 --- a/rules/persist/systemd/execstart-elsewhere.yara +++ b/rules/persist/systemd/execstart-elsewhere.yara 
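Review bot: The new `filetypes` value on `kallsyms_lookup` omits relocatable objects, which is the file type a rootkit loadable kernel module actually ships as; the `init_module` hunk just above maps `ko` to `application/x-object`, while this rule only lists `application/x-sharedlib,application/x-elf`. The `ppm_events.c.simple` fixture change later in this patch shows the meta is now an evaluation gate (the C source stops reporting `persist/kernel_module/symbol_lookup`), so a `.ko` referencing `kallsyms_lookup_name` would be skipped unless `application/x-elf` also covers objects, which I cannot confirm from the diff. Suggest `filetypes = "application/x-object,application/x-sharedlib,application/x-elf"` here, and the same value on the `bpftrace` override in the next hunk so the override keeps an identical scope.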
@@ -2,6 +2,7 @@ rule execstart_danger_path_val: high { meta: ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/" description = "Starts from a dangerous-looking path" + filetypes = "text/x-systemd" strings: $awkward = /ExecStart=\/(boot|var|tmp|dev|root)\/[\.\w\-\/]{0,32}/ @@ -14,6 +15,7 @@ rule execstart_unexpected_dir_val: medium { meta: description = "Starts from an unusual path" ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/" + filetypes = "text/x-systemd" strings: $execstart = /ExecStart=\/[\w\/]{1,128}/ diff --git a/rules/persist/systemd/execstop-bin-sh.yara b/rules/persist/systemd/execstop-bin-sh.yara index ec1fc9353..c2a24e178 100644 --- a/rules/persist/systemd/execstop-bin-sh.yara +++ b/rules/persist/systemd/execstop-bin-sh.yara @@ -2,6 +2,7 @@ rule bin_sh_execstop: medium { meta: ref = "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" description = "Runs shell script at stop" + filetypes = "text/x-systemd" strings: $execstop = /ExecStop=\/bin\/sh\/[\w\. \-\'\"]{0,64}/ diff --git a/rules/persist/systemd/execstop-elsewhere.yara b/rules/persist/systemd/execstop-elsewhere.yara index 28a43fab0..06c43651e 100644 --- a/rules/persist/systemd/execstop-elsewhere.yara +++ b/rules/persist/systemd/execstop-elsewhere.yara @@ -2,6 +2,7 @@ rule execstop_elsewhere: medium { meta: ref = "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" description = "Runs program from unexpected directory at stop" + filetypes = "text/x-systemd" strings: $execstop = /ExecStop=\/[\w\.\_\-]{2,64}/ diff --git a/rules/persist/systemd/execstop-usr-bin.yara b/rules/persist/systemd/execstop-usr-bin.yara index 122e6d29d..605de41f6 100644 --- a/rules/persist/systemd/execstop-usr-bin.yara +++ b/rules/persist/systemd/execstop-usr-bin.yara 
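Review bot: Gating `execstart_danger_path_val` to `text/x-systemd` will stop it firing on droppers that write the unit inline (a shell or Python installer that emits `ExecStart=/tmp/...` through a heredoc or `echo`), which is a common place to see this string before any unit file exists on disk. The `$awkward` regex needs no unit-file structure to match, so running it on scripts costs nothing; consider adding the identifier the scanner assigns to shell scripts alongside `text/x-systemd` (the mapping lives in `programkind.go`, outside this hunk), or leave the meta off as before. The same consideration applies to the `execstart_unexpected_dir_val` hunk below.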
@@ -2,6 +2,7 @@ rule usr_bin_execstop: medium { meta: ref = "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" description = "Runs program from /usr/bin at stop" + filetypes = "text/x-systemd" strings: $execstop = /ExecStop=\/usr\/bin\/[\w\.]{0,32}/ diff --git a/rules/persist/systemd/no_blank_lines.yara b/rules/persist/systemd/no_blank_lines.yara index 628fcda24..c7cf2e11b 100644 --- a/rules/persist/systemd/no_blank_lines.yara +++ b/rules/persist/systemd/no_blank_lines.yara @@ -1,6 +1,7 @@ rule systemd_no_blank_lines: high { meta: - ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/" + ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/" + filetypes = "text/x-systemd" strings: $execstart = "ExecStart" diff --git a/rules/persist/systemd/no_docs_or_comments.yara b/rules/persist/systemd/no_docs_or_comments.yara index 024968ab7..1470219fe 100644 --- a/rules/persist/systemd/no_docs_or_comments.yara +++ b/rules/persist/systemd/no_docs_or_comments.yara @@ -2,6 +2,7 @@ rule systemd_no_comments_or_documentation: medium { meta: ref = "https://sandflysecurity.com/blog/log4j-kinsing-linux-malware-in-the-wild/" description = "systemd unit is undocumented" + filetypes = "text/x-systemd" strings: $execstart = "ExecStart=" diff --git a/rules/persist/systemd/no_output.yara b/rules/persist/systemd/no_output.yara index af22a6f16..c6f33379e 100644 --- a/rules/persist/systemd/no_output.yara +++ b/rules/persist/systemd/no_output.yara @@ -1,6 +1,7 @@ rule systemd_no_output: high { meta: description = "Discards all logging output" + filetypes = "text/x-systemd" strings: $discard_stdout = "StandardOutput=null" diff --git a/rules/persist/systemd/out_of_dependency_tree.yara b/rules/persist/systemd/out_of_dependency_tree.yara index 553b239a2..44002e611 100644 --- a/rules/persist/systemd/out_of_dependency_tree.yara +++ b/rules/persist/systemd/out_of_dependency_tree.yara 
@@ -2,7 +2,7 @@ rule systemd_not_in_dependency_tree: medium { meta: description = "Relies on nothing, nothing relies on it" - filetypes = "service" + filetypes = "text/x-systemd" strings: $execstart = "ExecStart=" diff --git a/rules/persist/systemd/restart-always.yara b/rules/persist/systemd/restart-always.yara index b7eaa5694..82420cb34 100644 --- a/rules/persist/systemd/restart-always.yara +++ b/rules/persist/systemd/restart-always.yara @@ -1,6 +1,7 @@ rule systemd_restart_always: medium { meta: description = "service restarts no matter how many times it crashes" + filetypes = "text/x-systemd" strings: $restart = "Restart=always" diff --git a/rules/persist/systemd/short-description.yara b/rules/persist/systemd/short-description.yara index 5b9308976..474206c59 100644 --- a/rules/persist/systemd/short-description.yara +++ b/rules/persist/systemd/short-description.yara @@ -1,6 +1,7 @@ rule systemd_short_description { meta: description = "Short or no description" + filetypes = "text/x-systemd" strings: $execstart = "ExecStart=" diff --git a/rules/privesc/osascript.yara b/rules/privesc/osascript.yara index dbfab7cf7..ed23068fd 100644 --- a/rules/privesc/osascript.yara +++ b/rules/privesc/osascript.yara @@ -1,6 +1,7 @@ rule osascript_shell_as_admin: medium { meta: description = "uses osascript with admin privileges" + filetypes = "application/x-applescript" strings: $do_shell = "do shell script" @@ -15,6 +16,7 @@ rule osascript_shell_as_admin: medium { rule osascript_fake_password: critical { meta: description = "uses osascript to prompt for a sudo password" + filetypes = "application/x-applescript" strings: $osascript = "osascript" diff --git a/tests/c/clean/falco/ppm_events.c.simple b/tests/c/clean/falco/ppm_events.c.simple index 3a5bb5439..20ef71b3c 100644 --- a/tests/c/clean/falco/ppm_events.c.simple +++ b/tests/c/clean/falco/ppm_events.c.simple 
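Review bot: Restricting `osascript_fake_password` to `application/x-applescript` is likely to disable it for its main targets: `$osascript = "osascript"` is the name of the interpreter binary, which appears in the shell scripts, Python stagers and Mach-O binaries that invoke it and rarely inside AppleScript source itself. Since the `ppm_events.c.simple` fixture change in this patch shows `filetypes` now gates evaluation, a critical-severity rule would go quiet on exactly those callers without any test noticing. I would drop the new `filetypes` line from this rule, and from `osascript_shell_as_admin` in the previous hunk, which keys on `do shell script` that is just as often passed via `osascript -e` from a script; if a gate is wanted, it should at least include `application/x-mach-binary` and the shell script identifier used elsewhere in this patch.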
@@ -7,4 +7,3 @@ net/http/post: medium net/socket/connect: medium net/socket/send: low net/url/embedded: low -persist/kernel_module/symbol_lookup: low diff --git a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff index 1faf87ff2..09f014d08 100644 --- a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff +++ b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff @@ -1,13 +1,12 @@ -## Changed (51 added, 5 removed): javascript/2024.lottie-player/lottie-player.min.js [🟡 MEDIUM → 😈 CRITICAL] +## Changed (50 added, 5 removed): javascript/2024.lottie-player/lottie-player.min.js [🟡 MEDIUM → 😈 CRITICAL] -### 51 new behaviors +### 50 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| | +CRITICAL | **[anti-static/obfuscation/js](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/js.yara#ebe)** | highly obfuscated javascript (eBe) | [charCodeAt](https://github.com/search?q=charCodeAt&type=code)
[function(](https://github.com/search?q=function%28&type=code)
[eBe(113)](https://github.com/search?q=eBe%28113%29&type=code)
[eBe(182)](https://github.com/search?q=eBe%28182%29&type=code)
[eBe(-30)](https://github.com/search?q=eBe%28-30%29&type=code)
[eBe(-31)](https://github.com/search?q=eBe%28-31%29&type=code)
[eBe(-32)](https://github.com/search?q=eBe%28-32%29&type=code)
[eBe(168)](https://github.com/search?q=eBe%28168%29&type=code)
[eBe(-24)](https://github.com/search?q=eBe%28-24%29&type=code)
[eBe(-28)](https://github.com/search?q=eBe%28-28%29&type=code)
[eBe(681)](https://github.com/search?q=eBe%28681%29&type=code)
[eBe(-11)](https://github.com/search?q=eBe%28-11%29&type=code)
[eBe(-29)](https://github.com/search?q=eBe%28-29%29&type=code)
[eBe(-27)](https://github.com/search?q=eBe%28-27%29&type=code)
[eBe(371)](https://github.com/search?q=eBe%28371%29&type=code)
[eBe(267)](https://github.com/search?q=eBe%28267%29&type=code)
[eBe(-23)](https://github.com/search?q=eBe%28-23%29&type=code)
[eBe(-26)](https://github.com/search?q=eBe%28-26%29&type=code)
[eBe(-21)](https://github.com/search?q=eBe%28-21%29&type=code)
[eBe(-25)](https://github.com/search?q=eBe%28-25%29&type=code)
[eBe(685)](https://github.com/search?q=eBe%28685%29&type=code)
[eBe(-22)](https://github.com/search?q=eBe%28-22%29&type=code)
[eBe(212)](https://github.com/search?q=eBe%28212%29&type=code)
[eBe(150)](https://github.com/search?q=eBe%28150%29&type=code)
[eBe(175)](https://github.com/search?q=eBe%28175%29&type=code)
[eBe(-18)](https://github.com/search?q=eBe%28-18%29&type=code)
[eBe(-17)](https://github.com/search?q=eBe%28-17%29&type=code)
[eBe(-16)](https://github.com/search?q=eBe%28-16%29&type=code)
[eBe(204)](https://github.com/search?q=eBe%28204%29&type=code)
[eBe(-15)](https://github.com/search?q=eBe%28-15%29&type=code)
[eBe(-14)](https://github.com/search?q=eBe%28-14%29&type=code)
[eBe(-13)](https://github.com/search?q=eBe%28-13%29&type=code)
[eBe(-12)](https://github.com/search?q=eBe%28-12%29&type=code)
[eBe(-20)](https://github.com/search?q=eBe%28-20%29&type=code)
[eBe(-19)](https://github.com/search?q=eBe%28-19%29&type=code)
[eBe(220)](https://github.com/search?q=eBe%28220%29&type=code)
[eBe(-10)](https://github.com/search?q=eBe%28-10%29&type=code)
[eBe(129)](https://github.com/search?q=eBe%28129%29&type=code)
[eBe(130)](https://github.com/search?q=eBe%28130%29&type=code)
[eBe(198)](https://github.com/search?q=eBe%28198%29&type=code)
[eBe(133)](https://github.com/search?q=eBe%28133%29&type=code)
[eBe(140)](https://github.com/search?q=eBe%28140%29&type=code)
[eBe(169)](https://github.com/search?q=eBe%28169%29&type=code)
[eBe(160)](https://github.com/search?q=eBe%28160%29&type=code)
[eBe(236)](https://github.com/search?q=eBe%28236%29&type=code)
[eBe(241)](https://github.com/search?q=eBe%28241%29&type=code)
[eBe(209)](https://github.com/search?q=eBe%28209%29&type=code)
[eBe(684)](https://github.com/search?q=eBe%28684%29&type=code)
[eBe(248)](https://github.com/search?q=eBe%28248%29&type=code)
[eBe(164)](https://github.com/search?q=eBe%28164%29&type=code)
[eBe(680)](https://github.com/search?q=eBe%28680%29&type=code)
[eBe(683)](https://github.com/search?q=eBe%28683%29&type=code)
[eBe(682)](https://github.com/search?q=eBe%28682%29&type=code)
[eBe(147)](https://github.com/search?q=eBe%28147%29&type=code)
[eBe(134)](https://github.com/search?q=eBe%28134%29&type=code)
[eBe(135)](https://github.com/search?q=eBe%28135%29&type=code)
[eBe(156)](https://github.com/search?q=eBe%28156%29&type=code)
[eBe(234)](https://github.com/search?q=eBe%28234%29&type=code)
[eBe(668)](https://github.com/search?q=eBe%28668%29&type=code)
[eBe(219)](https://github.com/search?q=eBe%28219%29&type=code)
[eBe(667)](https://github.com/search?q=eBe%28667%29&type=code)
[eBe(665)](https://github.com/search?q=eBe%28665%29&type=code)
[eBe(166)](https://github.com/search?q=eBe%28166%29&type=code)
[eBe(678)](https://github.com/search?q=eBe%28678%29&type=code)
[eBe(677)](https://github.com/search?q=eBe%28677%29&type=code)
[eBe(669)](https://github.com/search?q=eBe%28669%29&type=code)
[eBe(676)](https://github.com/search?q=eBe%28676%29&type=code)
[eBe(675)](https://github.com/search?q=eBe%28675%29&type=code)
[eBe(660)](https://github.com/search?q=eBe%28660%29&type=code)
[eBe(671)](https://github.com/search?q=eBe%28671%29&type=code)
[eBe(126)](https://github.com/search?q=eBe%28126%29&type=code)
[eBe(249)](https://github.com/search?q=eBe%28249%29&type=code)
[eBe(132)](https://github.com/search?q=eBe%28132%29&type=code)
[eBe(131)](https://github.com/search?q=eBe%28131%29&type=code)
[eBe(239)](https://github.com/search?q=eBe%28239%29&type=code)
[eBe(674)](https://github.com/search?q=eBe%28674%29&type=code)
[eBe(673)](https://github.com/search?q=eBe%28673%29&type=code)
[eBe(672)](https://github.com/search?q=eBe%28672%29&type=code)
[eBe(122)](https://github.com/search?q=eBe%28122%29&type=code)
[eBe(670)](https://github.com/search?q=eBe%28670%29&type=code)
[eBe(137)](https://github.com/search?q=eBe%28137%29&type=code)
[eBe(679)](https://github.com/search?q=eBe%28679%29&type=code)
[eBe(294)](https://github.com/search?q=eBe%28294%29&type=code)
[eBe(485)](https://github.com/search?q=eBe%28485%29&type=code)
[eBe(316)](https://github.com/search?q=eBe%28316%29&type=code)
[eBe(105)](https://github.com/search?q=eBe%28105%29&type=code)
[eBe(254)](https://github.com/search?q=eBe%28254%29&type=code)
[eBe(114)](https://github.com/search?q=eBe%28114%29&type=code)
[eBe(181)](https://github.com/search?q=eBe%28181%29&type=code)
[eBe(256)](https://github.com/search?q=eBe%28256%29&type=code)
[eBe(666)](https://github.com/search?q=eBe%28666%29&type=code)
[eBe(115)](https://github.com/search?q=eBe%28115%29&type=code)
[eBe(151)](https://github.com/search?q=eBe%28151%29&type=code)
[eBe(136)](https://github.com/search?q=eBe%28136%29&type=code)
[eBe(157)](https://github.com/search?q=eBe%28157%29&type=code)
[eBe(159)](https://github.com/search?q=eBe%28159%29&type=code)
[eBe(802)](https://github.com/search?q=eBe%28802%29&type=code)
[eBe(174)](https://github.com/search?q=eBe%28174%29&type=code)
[eBe(664)](https://github.com/search?q=eBe%28664%29&type=code)
[eBe(119)](https://github.com/search?q=eBe%28119%29&type=code)
[eBe(121)](https://github.com/search?q=eBe%28121%29&type=code)
[eBe(120)](https://github.com/search?q=eBe%28120%29&type=code)
[eBe(152)](https://github.com/search?q=eBe%28152%29&type=code)
[eBe(127)](https://github.com/search?q=eBe%28127%29&type=code)
[eBe(456)](https://github.com/search?q=eBe%28456%29&type=code)
[eBe(128)](https://github.com/search?q=eBe%28128%29&type=code)
[eBe(334)](https://github.com/search?q=eBe%28334%29&type=code)
[eBe(230)](https://github.com/search?q=eBe%28230%29&type=code)
[eBe(455)](https://github.com/search?q=eBe%28455%29&type=code)
[eBe(454)](https://github.com/search?q=eBe%28454%29&type=code)
[eBe(107)](https://github.com/search?q=eBe%28107%29&type=code)
[eBe(110)](https://github.com/search?q=eBe%28110%29&type=code)
[eBe(266)](https://github.com/search?q=eBe%28266%29&type=code)
[eBe(106)](https://github.com/search?q=eBe%28106%29&type=code)
[eBe(104)](https://github.com/search?q=eBe%28104%29&type=code)
[eBe(155)](https://github.com/search?q=eBe%28155%29&type=code)
[eBe(125)](https://github.com/search?q=eBe%28125%29&type=code)
[eBe(139)](https://github.com/search?q=eBe%28139%29&type=code)
[eBe(149)](https://github.com/search?q=eBe%28149%29&type=code)
[eBe(269)](https://github.com/search?q=eBe%28269%29&type=code)
[eBe(100)](https://github.com/search?q=eBe%28100%29&type=code)
[eBe(153)](https://github.com/search?q=eBe%28153%29&type=code)
[eBe(108)](https://github.com/search?q=eBe%28108%29&type=code)
[eBe(109)](https://github.com/search?q=eBe%28109%29&type=code)
[eBe(453)](https://github.com/search?q=eBe%28453%29&type=code)
[eBe(452)](https://github.com/search?q=eBe%28452%29&type=code)
[eBe(451)](https://github.com/search?q=eBe%28451%29&type=code)
[eBe(101)](https://github.com/search?q=eBe%28101%29&type=code)
[eBe(102)](https://github.com/search?q=eBe%28102%29&type=code)
[eBe(450)](https://github.com/search?q=eBe%28450%29&type=code)
[eBe(255)](https://github.com/search?q=eBe%28255%29&type=code)
[eBe(449)](https://github.com/search?q=eBe%28449%29&type=code)
[eBe(448)](https://github.com/search?q=eBe%28448%29&type=code)
[eBe(494)](https://github.com/search?q=eBe%28494%29&type=code)
[eBe(447)](https://github.com/search?q=eBe%28447%29&type=code)
[eBe(472)](https://github.com/search?q=eBe%28472%29&type=code)
[eBe(443)](https://github.com/search?q=eBe%28443%29&type=code)
[eBe(331)](https://github.com/search?q=eBe%28331%29&type=code)
[eBe(466)](https://github.com/search?q=eBe%28466%29&type=code)
[eBe(423)](https://github.com/search?q=eBe%28423%29&type=code)
[eBe(352)](https://github.com/search?q=eBe%28352%29&type=code)
[eBe(425)](https://github.com/search?q=eBe%28425%29&type=code)
[eBe(700)](https://github.com/search?q=eBe%28700%29&type=code)
[eBe(263)](https://github.com/search?q=eBe%28263%29&type=code)
[eBe(305)](https://github.com/search?q=eBe%28305%29&type=code)
[eBe(411)](https://github.com/search?q=eBe%28411%29&type=code)
[eBe(416)](https://github.com/search?q=eBe%28416%29&type=code)
[eBe(260)](https://github.com/search?q=eBe%28260%29&type=code)
[eBe(446)](https://github.com/search?q=eBe%28446%29&type=code)
[eBe(430)](https://github.com/search?q=eBe%28430%29&type=code)
[eBe(262)](https://github.com/search?q=eBe%28262%29&type=code)
[eBe(418)](https://github.com/search?q=eBe%28418%29&type=code)
[eBe(445)](https://github.com/search?q=eBe%28445%29&type=code)
[eBe(180)](https://github.com/search?q=eBe%28180%29&type=code)
[eBe(384)](https://github.com/search?q=eBe%28384%29&type=code)
[eBe(163)](https://github.com/search?q=eBe%28163%29&type=code)
[eBe(687)](https://github.com/search?q=eBe%28687%29&type=code)
[eBe(207)](https://github.com/search?q=eBe%28207%29&type=code)
[eBe(277)](https://github.com/search?q=eBe%28277%29&type=code)
[eBe(414)](https://github.com/search?q=eBe%28414%29&type=code)
[eBe(444)](https://github.com/search?q=eBe%28444%29&type=code)
[eBe(442)](https://github.com/search?q=eBe%28442%29&type=code)
[eBe(441)](https://github.com/search?q=eBe%28441%29&type=code)
[eBe(407)](https://github.com/search?q=eBe%28407%29&type=code)
[eBe(440)](https://github.com/search?q=eBe%28440%29&type=code)
[eBe(293)](https://github.com/search?q=eBe%28293%29&type=code)
[eBe(439)](https://github.com/search?q=eBe%28439%29&type=code)
[eBe(141)](https://github.com/search?q=eBe%28141%29&type=code)
[eBe(688)](https://github.com/search?q=eBe%28688%29&type=code)
[eBe(103)](https://github.com/search?q=eBe%28103%29&type=code)
[eBe(408)](https://github.com/search?q=eBe%28408%29&type=code)
[eBe(726)](https://github.com/search?q=eBe%28726%29&type=code)
[eBe(438)](https://github.com/search?q=eBe%28438%29&type=code)
[eBe(437)](https://github.com/search?q=eBe%28437%29&type=code)
[eBe(257)](https://github.com/search?q=eBe%28257%29&type=code)
[eBe(487)](https://github.com/search?q=eBe%28487%29&type=code)
[eBe(436)](https://github.com/search?q=eBe%28436%29&type=code)
[eBe(435)](https://github.com/search?q=eBe%28435%29&type=code)
[eBe(223)](https://github.com/search?q=eBe%28223%29&type=code)
[eBe(434)](https://github.com/search?q=eBe%28434%29&type=code)
[eBe(243)](https://github.com/search?q=eBe%28243%29&type=code)
[eBe(433)](https://github.com/search?q=eBe%28433%29&type=code)
[eBe(618)](https://github.com/search?q=eBe%28618%29&type=code)
[eBe(217)](https://github.com/search?q=eBe%28217%29&type=code)
[eBe(118)](https://github.com/search?q=eBe%28118%29&type=code)
[eBe(432)](https://github.com/search?q=eBe%28432%29&type=code)
[eBe(431)](https://github.com/search?q=eBe%28431%29&type=code)
[eBe(111)](https://github.com/search?q=eBe%28111%29&type=code)
[eBe(112)](https://github.com/search?q=eBe%28112%29&type=code)
[eBe(124)](https://github.com/search?q=eBe%28124%29&type=code)
[eBe(116)](https://github.com/search?q=eBe%28116%29&type=code)
[eBe(617)](https://github.com/search?q=eBe%28617%29&type=code)
[eBe(123)](https://github.com/search?q=eBe%28123%29&type=code)
[eBe(117)](https://github.com/search?q=eBe%28117%29&type=code)
[eBe(639)](https://github.com/search?q=eBe%28639%29&type=code)
[eBe(154)](https://github.com/search?q=eBe%28154%29&type=code)
[eBe(429)](https://github.com/search?q=eBe%28429%29&type=code)
[eBe(624)](https://github.com/search?q=eBe%28624%29&type=code)
[eBe(185)](https://github.com/search?q=eBe%28185%29&type=code)
[eBe(428)](https://github.com/search?q=eBe%28428%29&type=code)
[eBe(138)](https://github.com/search?q=eBe%28138%29&type=code)
[eBe(145)](https://github.com/search?q=eBe%28145%29&type=code)
[eBe(142)](https://github.com/search?q=eBe%28142%29&type=code)
[eBe(148)](https://github.com/search?q=eBe%28148%29&type=code)
[eBe(143)](https://github.com/search?q=eBe%28143%29&type=code)
[eBe(146)](https://github.com/search?q=eBe%28146%29&type=code)
[eBe(144)](https://github.com/search?q=eBe%28144%29&type=code)
[eBe(427)](https://github.com/search?q=eBe%28427%29&type=code)
[eBe(421)](https://github.com/search?q=eBe%28421%29&type=code)
[eBe(426)](https://github.com/search?q=eBe%28426%29&type=code)
[eBe(214)](https://github.com/search?q=eBe%28214%29&type=code)
[eBe(179)](https://github.com/search?q=eBe%28179%29&type=code)
[eBe(158)](https://github.com/search?q=eBe%28158%29&type=code)
[eBe(497)](https://github.com/search?q=eBe%28497%29&type=code)
[eBe(200)](https://github.com/search?q=eBe%28200%29&type=code)
[eBe(369)](https://github.com/search?q=eBe%28369%29&type=code)
[eBe(203)](https://github.com/search?q=eBe%28203%29&type=code)
[eBe(211)](https://github.com/search?q=eBe%28211%29&type=code)
[eBe(202)](https://github.com/search?q=eBe%28202%29&type=code)
[eBe(208)](https://github.com/search?q=eBe%28208%29&type=code)
[eBe(213)](https://github.com/search?q=eBe%28213%29&type=code)
[eBe(367)](https://github.com/search?q=eBe%28367%29&type=code)
[eBe(216)](https://github.com/search?q=eBe%28216%29&type=code)
[eBe(215)](https://github.com/search?q=eBe%28215%29&type=code)
[eBe(353)](https://github.com/search?q=eBe%28353%29&type=code)
[eBe(218)](https://github.com/search?q=eBe%28218%29&type=code)
[eBe(252)](https://github.com/search?q=eBe%28252%29&type=code)
[eBe(177)](https://github.com/search?q=eBe%28177%29&type=code)
[eBe(191)](https://github.com/search?q=eBe%28191%29&type=code)
[eBe(222)](https://github.com/search?q=eBe%28222%29&type=code)
[eBe(227)](https://github.com/search?q=eBe%28227%29&type=code)
[eBe(226)](https://github.com/search?q=eBe%28226%29&type=code)
[eBe(225)](https://github.com/search?q=eBe%28225%29&type=code)
[eBe(194)](https://github.com/search?q=eBe%28194%29&type=code)
[eBe(229)](https://github.com/search?q=eBe%28229%29&type=code)
[eBe(206)](https://github.com/search?q=eBe%28206%29&type=code)
[eBe(205)](https://github.com/search?q=eBe%28205%29&type=code)
[eBe(172)](https://github.com/search?q=eBe%28172%29&type=code)
[eBe(324)](https://github.com/search?q=eBe%28324%29&type=code)
[eBe(232)](https://github.com/search?q=eBe%28232%29&type=code)
[eBe(231)](https://github.com/search?q=eBe%28231%29&type=code)
[eBe(233)](https://github.com/search?q=eBe%28233%29&type=code)
[eBe(244)](https://github.com/search?q=eBe%28244%29&type=code)
[eBe(235)](https://github.com/search?q=eBe%28235%29&type=code)
[eBe(189)](https://github.com/search?q=eBe%28189%29&type=code)
[eBe(238)](https://github.com/search?q=eBe%28238%29&type=code)
[eBe(237)](https://github.com/search?q=eBe%28237%29&type=code)
[eBe(242)](https://github.com/search?q=eBe%28242%29&type=code)
[eBe(240)](https://github.com/search?q=eBe%28240%29&type=code)
[eBe(271)](https://github.com/search?q=eBe%28271%29&type=code)
[eBe(361)](https://github.com/search?q=eBe%28361%29&type=code)
[eBe(162)](https://github.com/search?q=eBe%28162%29&type=code)
[eBe(165)](https://github.com/search?q=eBe%28165%29&type=code)
[eBe(178)](https://github.com/search?q=eBe%28178%29&type=code)
[eBe(176)](https://github.com/search?q=eBe%28176%29&type=code)
[eBe(171)](https://github.com/search?q=eBe%28171%29&type=code)
[eBe(170)](https://github.com/search?q=eBe%28170%29&type=code)
[eBe(173)](https://github.com/search?q=eBe%28173%29&type=code)
[eBe(379)](https://github.com/search?q=eBe%28379%29&type=code)
[eBe(630)](https://github.com/search?q=eBe%28630%29&type=code)
[eBe(290)](https://github.com/search?q=eBe%28290%29&type=code)
[eBe(464)](https://github.com/search?q=eBe%28464%29&type=code)
[eBe(291)](https://github.com/search?q=eBe%28291%29&type=code)
[eBe(326)](https://github.com/search?q=eBe%28326%29&type=code)
[eBe(297)](https://github.com/search?q=eBe%28297%29&type=code)
[eBe(739)](https://github.com/search?q=eBe%28739%29&type=code)
[eBe(253)](https://github.com/search?q=eBe%28253%29&type=code)
[eBe(183)](https://github.com/search?q=eBe%28183%29&type=code)
[eBe(520)](https://github.com/search?q=eBe%28520%29&type=code)
[eBe(190)](https://github.com/search?q=eBe%28190%29&type=code)
[eBe(188)](https://github.com/search?q=eBe%28188%29&type=code)
[eBe(184)](https://github.com/search?q=eBe%28184%29&type=code)
[eBe(186)](https://github.com/search?q=eBe%28186%29&type=code)
[eBe(264)](https://github.com/search?q=eBe%28264%29&type=code)
[eBe(268)](https://github.com/search?q=eBe%28268%29&type=code)
[eBe(278)](https://github.com/search?q=eBe%28278%29&type=code)
[eBe(195)](https://github.com/search?q=eBe%28195%29&type=code)
[eBe(193)](https://github.com/search?q=eBe%28193%29&type=code)
[eBe(196)](https://github.com/search?q=eBe%28196%29&type=code)
[eBe(197)](https://github.com/search?q=eBe%28197%29&type=code)
[eBe(351)](https://github.com/search?q=eBe%28351%29&type=code)
[eBe(192)](https://github.com/search?q=eBe%28192%29&type=code)
[eBe(245)](https://github.com/search?q=eBe%28245%29&type=code)
[eBe(307)](https://github.com/search?q=eBe%28307%29&type=code)
[eBe(298)](https://github.com/search?q=eBe%28298%29&type=code)
[eBe(274)](https://github.com/search?q=eBe%28274%29&type=code)
[eBe(251)](https://github.com/search?q=eBe%28251%29&type=code)
[eBe(299)](https://github.com/search?q=eBe%28299%29&type=code)
[eBe(762)](https://github.com/search?q=eBe%28762%29&type=code)
[eBe(302)](https://github.com/search?q=eBe%28302%29&type=code)
[eBe(303)](https://github.com/search?q=eBe%28303%29&type=code)
[eBe(300)](https://github.com/search?q=eBe%28300%29&type=code)
[eBe(306)](https://github.com/search?q=eBe%28306%29&type=code)
[eBe(304)](https://github.com/search?q=eBe%28304%29&type=code)
[eBe(311)](https://github.com/search?q=eBe%28311%29&type=code)
[eBe(301)](https://github.com/search?q=eBe%28301%29&type=code)
[eBe(308)](https://github.com/search?q=eBe%28308%29&type=code)
[eBe(187)](https://github.com/search?q=eBe%28187%29&type=code)
[eBe(724)](https://github.com/search?q=eBe%28724%29&type=code)
[eBe(375)](https://github.com/search?q=eBe%28375%29&type=code)
[eBe(339)](https://github.com/search?q=eBe%28339%29&type=code)
[eBe(309)](https://github.com/search?q=eBe%28309%29&type=code)
[eBe(376)](https://github.com/search?q=eBe%28376%29&type=code)
[eBe(551)](https://github.com/search?q=eBe%28551%29&type=code)
[eBe(542)](https://github.com/search?q=eBe%28542%29&type=code)
[eBe(780)](https://github.com/search?q=eBe%28780%29&type=code)
[eBe(315)](https://github.com/search?q=eBe%28315%29&type=code)
[eBe(312)](https://github.com/search?q=eBe%28312%29&type=code)
[eBe(484)](https://github.com/search?q=eBe%28484%29&type=code)
[eBe(614)](https://github.com/search?q=eBe%28614%29&type=code)
[eBe(310)](https://github.com/search?q=eBe%28310%29&type=code)
[eBe(313)](https://github.com/search?q=eBe%28313%29&type=code)
[eBe(261)](https://github.com/search?q=eBe%28261%29&type=code)
[eBe(314)](https://github.com/search?q=eBe%28314%29&type=code)
[eBe(317)](https://github.com/search?q=eBe%28317%29&type=code)
[eBe(321)](https://github.com/search?q=eBe%28321%29&type=code)
[eBe(319)](https://github.com/search?q=eBe%28319%29&type=code)
[eBe(320)](https://github.com/search?q=eBe%28320%29&type=code)
[eBe(318)](https://github.com/search?q=eBe%28318%29&type=code)
[eBe(388)](https://github.com/search?q=eBe%28388%29&type=code)
[eBe(199)](https://github.com/search?q=eBe%28199%29&type=code)
[eBe(394)](https://github.com/search?q=eBe%28394%29&type=code)
[eBe(337)](https://github.com/search?q=eBe%28337%29&type=code)
[eBe(322)](https://github.com/search?q=eBe%28322%29&type=code)
[eBe(167)](https://github.com/search?q=eBe%28167%29&type=code)
[eBe(323)](https://github.com/search?q=eBe%28323%29&type=code)
[eBe(386)](https://github.com/search?q=eBe%28386%29&type=code)
[eBe(389)](https://github.com/search?q=eBe%28389%29&type=code)
[eBe(285)](https://github.com/search?q=eBe%28285%29&type=code)
[eBe(559)](https://github.com/search?q=eBe%28559%29&type=code)
[eBe(362)](https://github.com/search?q=eBe%28362%29&type=code)
[eBe(566)](https://github.com/search?q=eBe%28566%29&type=code)
[eBe(325)](https://github.com/search?q=eBe%28325%29&type=code)
[eBe(329)](https://github.com/search?q=eBe%28329%29&type=code)
[eBe(327)](https://github.com/search?q=eBe%28327%29&type=code)
[eBe(330)](https://github.com/search?q=eBe%28330%29&type=code)
[eBe(328)](https://github.com/search?q=eBe%28328%29&type=code)
[eBe(332)](https://github.com/search?q=eBe%28332%29&type=code)
[eBe(342)](https://github.com/search?q=eBe%28342%29&type=code)
[eBe(341)](https://github.com/search?q=eBe%28341%29&type=code)
[eBe(161)](https://github.com/search?q=eBe%28161%29&type=code)
[eBe(335)](https://github.com/search?q=eBe%28335%29&type=code)
[eBe(336)](https://github.com/search?q=eBe%28336%29&type=code)
[eBe(275)](https://github.com/search?q=eBe%28275%29&type=code)
[eBe(333)](https://github.com/search?q=eBe%28333%29&type=code)
[eBe(338)](https://github.com/search?q=eBe%28338%29&type=code)
[eBe(246)](https://github.com/search?q=eBe%28246%29&type=code)
[eBe(340)](https://github.com/search?q=eBe%28340%29&type=code)
[eBe(344)](https://github.com/search?q=eBe%28344%29&type=code)
[eBe(495)](https://github.com/search?q=eBe%28495%29&type=code)
[eBe(711)](https://github.com/search?q=eBe%28711%29&type=code)
[eBe(343)](https://github.com/search?q=eBe%28343%29&type=code)
[eBe(345)](https://github.com/search?q=eBe%28345%29&type=code)
[eBe(347)](https://github.com/search?q=eBe%28347%29&type=code)
[eBe(346)](https://github.com/search?q=eBe%28346%29&type=code)
[eBe(348)](https://github.com/search?q=eBe%28348%29&type=code)
[eBe(349)](https://github.com/search?q=eBe%28349%29&type=code)
[eBe(360)](https://github.com/search?q=eBe%28360%29&type=code)
[eBe(558)](https://github.com/search?q=eBe%28558%29&type=code)
[eBe(462)](https://github.com/search?q=eBe%28462%29&type=code)
[eBe(546)](https://github.com/search?q=eBe%28546%29&type=code)
[eBe(382)](https://github.com/search?q=eBe%28382%29&type=code)
[eBe(385)](https://github.com/search?q=eBe%28385%29&type=code)
[eBe(365)](https://github.com/search?q=eBe%28365%29&type=code)
[eBe(366)](https://github.com/search?q=eBe%28366%29&type=code)
[eBe(259)](https://github.com/search?q=eBe%28259%29&type=code)
[eBe(282)](https://github.com/search?q=eBe%28282%29&type=code)
[eBe(368)](https://github.com/search?q=eBe%28368%29&type=code)
[eBe(370)](https://github.com/search?q=eBe%28370%29&type=code)
[eBe(373)](https://github.com/search?q=eBe%28373%29&type=code)
[eBe(374)](https://github.com/search?q=eBe%28374%29&type=code)
[eBe(372)](https://github.com/search?q=eBe%28372%29&type=code)
[eBe(693)](https://github.com/search?q=eBe%28693%29&type=code)
[eBe(409)](https://github.com/search?q=eBe%28409%29&type=code)
[eBe(732)](https://github.com/search?q=eBe%28732%29&type=code)
[eBe(828)](https://github.com/search?q=eBe%28828%29&type=code)
[eBe(279)](https://github.com/search?q=eBe%28279%29&type=code)
[eBe(486)](https://github.com/search?q=eBe%28486%29&type=code)
[eBe(488)](https://github.com/search?q=eBe%28488%29&type=code)
[eBe(502)](https://github.com/search?q=eBe%28502%29&type=code)
[eBe(489)](https://github.com/search?q=eBe%28489%29&type=code)
[eBe(491)](https://github.com/search?q=eBe%28491%29&type=code)
[eBe(493)](https://github.com/search?q=eBe%28493%29&type=code)
[eBe(490)](https://github.com/search?q=eBe%28490%29&type=code)
[eBe(609)](https://github.com/search?q=eBe%28609%29&type=code)
[eBe(492)](https://github.com/search?q=eBe%28492%29&type=code)
[eBe(270)](https://github.com/search?q=eBe%28270%29&type=code)
[eBe(519)](https://github.com/search?q=eBe%28519%29&type=code)
[eBe(510)](https://github.com/search?q=eBe%28510%29&type=code)
[eBe(295)](https://github.com/search?q=eBe%28295%29&type=code)
[eBe(512)](https://github.com/search?q=eBe%28512%29&type=code)
[eBe(496)](https://github.com/search?q=eBe%28496%29&type=code)
[eBe(387)](https://github.com/search?q=eBe%28387%29&type=code)
[eBe(498)](https://github.com/search?q=eBe%28498%29&type=code)
[eBe(499)](https://github.com/search?q=eBe%28499%29&type=code)
[eBe(500)](https://github.com/search?q=eBe%28500%29&type=code)
[eBe(501)](https://github.com/search?q=eBe%28501%29&type=code)
[eBe(359)](https://github.com/search?q=eBe%28359%29&type=code)
[eBe(516)](https://github.com/search?q=eBe%28516%29&type=code)
[eBe(686)](https://github.com/search?q=eBe%28686%29&type=code)
[eBe(694)](https://github.com/search?q=eBe%28694%29&type=code)
[eBe(820)](https://github.com/search?q=eBe%28820%29&type=code)
[eBe(748)](https://github.com/search?q=eBe%28748%29&type=code)
[eBe(689)](https://github.com/search?q=eBe%28689%29&type=code)
[eBe(690)](https://github.com/search?q=eBe%28690%29&type=code)
[eBe(691)](https://github.com/search?q=eBe%28691%29&type=code)
[eBe(692)](https://github.com/search?q=eBe%28692%29&type=code)
[eBe(695)](https://github.com/search?q=eBe%28695%29&type=code)
[eBe(696)](https://github.com/search?q=eBe%28696%29&type=code)
[eBe(697)](https://github.com/search?q=eBe%28697%29&type=code)
[eBe(698)](https://github.com/search?q=eBe%28698%29&type=code)
[eBe(538)](https://github.com/search?q=eBe%28538%29&type=code)
[eBe(715)](https://github.com/search?q=eBe%28715%29&type=code)
[eBe(534)](https://github.com/search?q=eBe%28534%29&type=code)
[eBe(540)](https://github.com/search?q=eBe%28540%29&type=code)
[eBe(575)](https://github.com/search?q=eBe%28575%29&type=code)
[eBe(550)](https://github.com/search?q=eBe%28550%29&type=code)
[eBe(699)](https://github.com/search?q=eBe%28699%29&type=code)
[eBe(701)](https://github.com/search?q=eBe%28701%29&type=code)
[eBe(702)](https://github.com/search?q=eBe%28702%29&type=code)
[eBe(703)](https://github.com/search?q=eBe%28703%29&type=code)
[eBe(709)](https://github.com/search?q=eBe%28709%29&type=code)
[eBe(508)](https://github.com/search?q=eBe%28508%29&type=code)
[eBe(704)](https://github.com/search?q=eBe%28704%29&type=code)
[eBe(745)](https://github.com/search?q=eBe%28745%29&type=code)
[eBe(706)](https://github.com/search?q=eBe%28706%29&type=code)
[eBe(705)](https://github.com/search?q=eBe%28705%29&type=code)
[eBe(221)](https://github.com/search?q=eBe%28221%29&type=code)
[eBe(707)](https://github.com/search?q=eBe%28707%29&type=code)
[eBe(708)](https://github.com/search?q=eBe%28708%29&type=code)
[eBe(710)](https://github.com/search?q=eBe%28710%29&type=code)
[eBe(420)](https://github.com/search?q=eBe%28420%29&type=code)
[eBe(419)](https://github.com/search?q=eBe%28419%29&type=code)
[eBe(521)](https://github.com/search?q=eBe%28521%29&type=code)
[eBe(412)](https://github.com/search?q=eBe%28412%29&type=code)
[eBe(569)](https://github.com/search?q=eBe%28569%29&type=code)
[eBe(712)](https://github.com/search?q=eBe%28712%29&type=code)
[eBe(713)](https://github.com/search?q=eBe%28713%29&type=code)
[eBe(714)](https://github.com/search?q=eBe%28714%29&type=code)
[eBe(800)](https://github.com/search?q=eBe%28800%29&type=code)
[eBe(556)](https://github.com/search?q=eBe%28556%29&type=code)
[eBe(579)](https://github.com/search?q=eBe%28579%29&type=code)
[eBe(716)](https://github.com/search?q=eBe%28716%29&type=code)
[eBe(572)](https://github.com/search?q=eBe%28572%29&type=code)
[eBe(470)](https://github.com/search?q=eBe%28470%29&type=code)
[eBe(725)](https://github.com/search?q=eBe%28725%29&type=code)
[eBe(737)](https://github.com/search?q=eBe%28737%29&type=code)
[eBe(554)](https://github.com/search?q=eBe%28554%29&type=code)
[eBe(720)](https://github.com/search?q=eBe%28720%29&type=code)
[eBe(717)](https://github.com/search?q=eBe%28717%29&type=code)
[eBe(718)](https://github.com/search?q=eBe%28718%29&type=code)
[eBe(553)](https://github.com/search?q=eBe%28553%29&type=code)
[eBe(735)](https://github.com/search?q=eBe%28735%29&type=code)
[eBe(719)](https://github.com/search?q=eBe%28719%29&type=code)
[eBe(721)](https://github.com/search?q=eBe%28721%29&type=code)
[eBe(753)](https://github.com/search?q=eBe%28753%29&type=code)
[eBe(399)](https://github.com/search?q=eBe%28399%29&type=code)
[eBe(722)](https://github.com/search?q=eBe%28722%29&type=code)
[eBe(723)](https://github.com/search?q=eBe%28723%29&type=code)
[eBe(751)](https://github.com/search?q=eBe%28751%29&type=code)
[eBe(641)](https://github.com/search?q=eBe%28641%29&type=code)
[eBe(749)](https://github.com/search?q=eBe%28749%29&type=code)
[eBe(524)](https://github.com/search?q=eBe%28524%29&type=code)
[eBe(727)](https://github.com/search?q=eBe%28727%29&type=code)
[eBe(728)](https://github.com/search?q=eBe%28728%29&type=code)
[eBe(729)](https://github.com/search?q=eBe%28729%29&type=code)
[eBe(801)](https://github.com/search?q=eBe%28801%29&type=code)
[eBe(730)](https://github.com/search?q=eBe%28730%29&type=code)
[eBe(731)](https://github.com/search?q=eBe%28731%29&type=code)
[eBe(733)](https://github.com/search?q=eBe%28733%29&type=code)
[eBe(381)](https://github.com/search?q=eBe%28381%29&type=code)
[eBe(734)](https://github.com/search?q=eBe%28734%29&type=code)
[eBe(736)](https://github.com/search?q=eBe%28736%29&type=code)
[eBe(738)](https://github.com/search?q=eBe%28738%29&type=code)
[eBe(458)](https://github.com/search?q=eBe%28458%29&type=code)
[eBe(740)](https://github.com/search?q=eBe%28740%29&type=code)
[eBe(383)](https://github.com/search?q=eBe%28383%29&type=code)
[eBe(741)](https://github.com/search?q=eBe%28741%29&type=code)
[eBe(611)](https://github.com/search?q=eBe%28611%29&type=code)
[eBe(742)](https://github.com/search?q=eBe%28742%29&type=code)
[eBe(743)](https://github.com/search?q=eBe%28743%29&type=code)
[eBe(357)](https://github.com/search?q=eBe%28357%29&type=code)
[eBe(744)](https://github.com/search?q=eBe%28744%29&type=code)
[eBe(571)](https://github.com/search?q=eBe%28571%29&type=code)
[eBe(750)](https://github.com/search?q=eBe%28750%29&type=code)
[eBe(746)](https://github.com/search?q=eBe%28746%29&type=code)
[eBe(747)](https://github.com/search?q=eBe%28747%29&type=code)
[eBe(795)](https://github.com/search?q=eBe%28795%29&type=code)
[eBe(752)](https://github.com/search?q=eBe%28752%29&type=code)
[eBe(354)](https://github.com/search?q=eBe%28354%29&type=code)
[eBe(819)](https://github.com/search?q=eBe%28819%29&type=code)
[eBe(807)](https://github.com/search?q=eBe%28807%29&type=code)
[eBe(355)](https://github.com/search?q=eBe%28355%29&type=code)
[eBe(754)](https://github.com/search?q=eBe%28754%29&type=code)
[eBe(755)](https://github.com/search?q=eBe%28755%29&type=code)
[eBe(777)](https://github.com/search?q=eBe%28777%29&type=code)
[eBe(756)](https://github.com/search?q=eBe%28756%29&type=code)
[eBe(518)](https://github.com/search?q=eBe%28518%29&type=code)
[eBe(555)](https://github.com/search?q=eBe%28555%29&type=code)
[eBe(757)](https://github.com/search?q=eBe%28757%29&type=code)
[eBe(760)](https://github.com/search?q=eBe%28760%29&type=code)
[eBe(785)](https://github.com/search?q=eBe%28785%29&type=code)
[eBe(758)](https://github.com/search?q=eBe%28758%29&type=code)
[eBe(759)](https://github.com/search?q=eBe%28759%29&type=code)
[eBe(761)](https://github.com/search?q=eBe%28761%29&type=code)
[eBe(778)](https://github.com/search?q=eBe%28778%29&type=code)
[eBe(547)](https://github.com/search?q=eBe%28547%29&type=code)
[eBe(763)](https://github.com/search?q=eBe%28763%29&type=code)
[eBe(766)](https://github.com/search?q=eBe%28766%29&type=code)
[eBe(764)](https://github.com/search?q=eBe%28764%29&type=code)
[eBe(767)](https://github.com/search?q=eBe%28767%29&type=code)
[eBe(765)](https://github.com/search?q=eBe%28765%29&type=code)
[eBe(768)](https://github.com/search?q=eBe%28768%29&type=code)
[eBe(770)](https://github.com/search?q=eBe%28770%29&type=code)
[eBe(769)](https://github.com/search?q=eBe%28769%29&type=code)
[eBe(771)](https://github.com/search?q=eBe%28771%29&type=code)
[eBe(773)](https://github.com/search?q=eBe%28773%29&type=code)
[eBe(772)](https://github.com/search?q=eBe%28772%29&type=code)
[eBe(776)](https://github.com/search?q=eBe%28776%29&type=code)
[eBe(774)](https://github.com/search?q=eBe%28774%29&type=code)
[eBe(810)](https://github.com/search?q=eBe%28810%29&type=code)
[eBe(775)](https://github.com/search?q=eBe%28775%29&type=code)
[eBe(779)](https://github.com/search?q=eBe%28779%29&type=code)
[eBe(781)](https://github.com/search?q=eBe%28781%29&type=code)
[eBe(792)](https://github.com/search?q=eBe%28792%29&type=code)
[eBe(782)](https://github.com/search?q=eBe%28782%29&type=code)
[eBe(783)](https://github.com/search?q=eBe%28783%29&type=code)
[eBe(784)](https://github.com/search?q=eBe%28784%29&type=code)
[eBe(280)](https://github.com/search?q=eBe%28280%29&type=code)
[eBe(787)](https://github.com/search?q=eBe%28787%29&type=code)
[eBe(786)](https://github.com/search?q=eBe%28786%29&type=code)
[eBe(789)](https://github.com/search?q=eBe%28789%29&type=code)
[eBe(790)](https://github.com/search?q=eBe%28790%29&type=code)
[eBe(788)](https://github.com/search?q=eBe%28788%29&type=code)
[eBe(288)](https://github.com/search?q=eBe%28288%29&type=code)
[eBe(791)](https://github.com/search?q=eBe%28791%29&type=code)
[eBe(793)](https://github.com/search?q=eBe%28793%29&type=code)
[eBe(626)](https://github.com/search?q=eBe%28626%29&type=code)
[eBe(794)](https://github.com/search?q=eBe%28794%29&type=code)
[eBe(796)](https://github.com/search?q=eBe%28796%29&type=code)
[eBe(797)](https://github.com/search?q=eBe%28797%29&type=code)
[eBe(798)](https://github.com/search?q=eBe%28798%29&type=code)
[eBe(799)](https://github.com/search?q=eBe%28799%29&type=code)
[eBe(576)](https://github.com/search?q=eBe%28576%29&type=code)
[eBe(286)](https://github.com/search?q=eBe%28286%29&type=code)
[eBe(803)](https://github.com/search?q=eBe%28803%29&type=code)
[eBe(522)](https://github.com/search?q=eBe%28522%29&type=code)
[eBe(804)](https://github.com/search?q=eBe%28804%29&type=code)
[eBe(805)](https://github.com/search?q=eBe%28805%29&type=code)
[eBe(806)](https://github.com/search?q=eBe%28806%29&type=code)
[eBe(808)](https://github.com/search?q=eBe%28808%29&type=code)
[eBe(265)](https://github.com/search?q=eBe%28265%29&type=code)
[eBe(607)](https://github.com/search?q=eBe%28607%29&type=code)
[eBe(809)](https://github.com/search?q=eBe%28809%29&type=code)
[eBe(417)](https://github.com/search?q=eBe%28417%29&type=code)
[eBe(413)](https://github.com/search?q=eBe%28413%29&type=code)
[eBe(811)](https://github.com/search?q=eBe%28811%29&type=code)
[eBe(812)](https://github.com/search?q=eBe%28812%29&type=code)
[eBe(592)](https://github.com/search?q=eBe%28592%29&type=code)
[eBe(813)](https://github.com/search?q=eBe%28813%29&type=code)
[eBe(247)](https://github.com/search?q=eBe%28247%29&type=code)
[eBe(814)](https://github.com/search?q=eBe%28814%29&type=code)
[eBe(815)](https://github.com/search?q=eBe%28815%29&type=code)
[eBe(364)](https://github.com/search?q=eBe%28364%29&type=code)
[eBe(816)](https://github.com/search?q=eBe%28816%29&type=code)
[eBe(817)](https://github.com/search?q=eBe%28817%29&type=code)
[eBe(818)](https://github.com/search?q=eBe%28818%29&type=code)
[eBe(573)](https://github.com/search?q=eBe%28573%29&type=code)
[eBe(564)](https://github.com/search?q=eBe%28564%29&type=code)
[eBe(535)](https://github.com/search?q=eBe%28535%29&type=code)
[eBe(377)](https://github.com/search?q=eBe%28377%29&type=code)
[eBe(296)](https://github.com/search?q=eBe%28296%29&type=code)
[eBe(823)](https://github.com/search?q=eBe%28823%29&type=code)
[eBe(824)](https://github.com/search?q=eBe%28824%29&type=code)
[eBe(821)](https://github.com/search?q=eBe%28821%29&type=code)
[eBe(822)](https://github.com/search?q=eBe%28822%29&type=code)
[eBe(827)](https://github.com/search?q=eBe%28827%29&type=code)
[eBe(826)](https://github.com/search?q=eBe%28826%29&type=code)
[eBe(825)](https://github.com/search?q=eBe%28825%29&type=code)
[eBe(829)](https://github.com/search?q=eBe%28829%29&type=code)
[eBe(250)](https://github.com/search?q=eBe%28250%29&type=code)
[eBe(258)](https://github.com/search?q=eBe%28258%29&type=code)
[eBe(292)](https://github.com/search?q=eBe%28292%29&type=code)
[eBe(272)](https://github.com/search?q=eBe%28272%29&type=code)
[eBe(273)](https://github.com/search?q=eBe%28273%29&type=code)
[eBe(276)](https://github.com/search?q=eBe%28276%29&type=code)
[eBe(283)](https://github.com/search?q=eBe%28283%29&type=code)
[eBe(284)](https://github.com/search?q=eBe%28284%29&type=code)
[eBe(281)](https://github.com/search?q=eBe%28281%29&type=code)
[eBe(287)](https://github.com/search?q=eBe%28287%29&type=code)
[eBe(461)](https://github.com/search?q=eBe%28461%29&type=code)
[eBe(289)](https://github.com/search?q=eBe%28289%29&type=code)
[eBe(465)](https://github.com/search?q=eBe%28465%29&type=code)
[eBe(350)](https://github.com/search?q=eBe%28350%29&type=code)
[eBe(552)](https://github.com/search?q=eBe%28552%29&type=code)
[eBe(356)](https://github.com/search?q=eBe%28356%29&type=code)
[eBe(358)](https://github.com/search?q=eBe%28358%29&type=code)
[eBe(482)](https://github.com/search?q=eBe%28482%29&type=code)
[eBe(415)](https://github.com/search?q=eBe%28415%29&type=code)
[eBe(545)](https://github.com/search?q=eBe%28545%29&type=code)
[eBe(628)](https://github.com/search?q=eBe%28628%29&type=code)
[eBe(565)](https://github.com/search?q=eBe%28565%29&type=code)
[eBe(584)](https://github.com/search?q=eBe%28584%29&type=code)
[eBe(543)](https://github.com/search?q=eBe%28543%29&type=code)
[eBe(636)](https://github.com/search?q=eBe%28636%29&type=code)
[eBe(378)](https://github.com/search?q=eBe%28378%29&type=code)
[eBe(228)](https://github.com/search?q=eBe%28228%29&type=code)
[eBe(380)](https://github.com/search?q=eBe%28380%29&type=code)
[eBe(460)](https://github.com/search?q=eBe%28460%29&type=code)
[eBe(648)](https://github.com/search?q=eBe%28648%29&type=code)
[eBe(567)](https://github.com/search?q=eBe%28567%29&type=code)
[eBe(615)](https://github.com/search?q=eBe%28615%29&type=code)
[eBe(403)](https://github.com/search?q=eBe%28403%29&type=code)
[eBe(390)](https://github.com/search?q=eBe%28390%29&type=code)
[eBe(391)](https://github.com/search?q=eBe%28391%29&type=code)
[eBe(392)](https://github.com/search?q=eBe%28392%29&type=code)
[eBe(393)](https://github.com/search?q=eBe%28393%29&type=code)
[eBe(395)](https://github.com/search?q=eBe%28395%29&type=code)
[eBe(561)](https://github.com/search?q=eBe%28561%29&type=code)
[eBe(398)](https://github.com/search?q=eBe%28398%29&type=code)
[eBe(396)](https://github.com/search?q=eBe%28396%29&type=code)
[eBe(397)](https://github.com/search?q=eBe%28397%29&type=code)
[eBe(568)](https://github.com/search?q=eBe%28568%29&type=code)
[eBe(578)](https://github.com/search?q=eBe%28578%29&type=code)
[eBe(400)](https://github.com/search?q=eBe%28400%29&type=code)
[eBe(401)](https://github.com/search?q=eBe%28401%29&type=code)
[eBe(483)](https://github.com/search?q=eBe%28483%29&type=code)
[eBe(402)](https://github.com/search?q=eBe%28402%29&type=code)
[eBe(404)](https://github.com/search?q=eBe%28404%29&type=code)
[eBe(405)](https://github.com/search?q=eBe%28405%29&type=code)
[eBe(457)](https://github.com/search?q=eBe%28457%29&type=code)
[eBe(459)](https://github.com/search?q=eBe%28459%29&type=code)
[eBe(577)](https://github.com/search?q=eBe%28577%29&type=code)
[eBe(463)](https://github.com/search?q=eBe%28463%29&type=code)
[eBe(574)](https://github.com/search?q=eBe%28574%29&type=code)
[eBe(467)](https://github.com/search?q=eBe%28467%29&type=code)
[eBe(469)](https://github.com/search?q=eBe%28469%29&type=code)
[eBe(468)](https://github.com/search?q=eBe%28468%29&type=code)
[eBe(526)](https://github.com/search?q=eBe%28526%29&type=code)
[eBe(410)](https://github.com/search?q=eBe%28410%29&type=code)
[eBe(480)](https://github.com/search?q=eBe%28480%29&type=code)
[eBe(475)](https://github.com/search?q=eBe%28475%29&type=code)
[eBe(477)](https://github.com/search?q=eBe%28477%29&type=code)
[eBe(473)](https://github.com/search?q=eBe%28473%29&type=code)
[eBe(476)](https://github.com/search?q=eBe%28476%29&type=code)
[eBe(471)](https://github.com/search?q=eBe%28471%29&type=code)
[eBe(474)](https://github.com/search?q=eBe%28474%29&type=code)
[eBe(657)](https://github.com/search?q=eBe%28657%29&type=code)
[eBe(478)](https://github.com/search?q=eBe%28478%29&type=code)
[eBe(479)](https://github.com/search?q=eBe%28479%29&type=code)
[eBe(544)](https://github.com/search?q=eBe%28544%29&type=code)
[eBe(481)](https://github.com/search?q=eBe%28481%29&type=code)
[eBe(525)](https://github.com/search?q=eBe%28525%29&type=code)
[eBe(539)](https://github.com/search?q=eBe%28539%29&type=code)
[eBe(612)](https://github.com/search?q=eBe%28612%29&type=code)
[eBe(549)](https://github.com/search?q=eBe%28549%29&type=code)
[eBe(580)](https://github.com/search?q=eBe%28580%29&type=code)
[eBe(599)](https://github.com/search?q=eBe%28599%29&type=code)
[eBe(581)](https://github.com/search?q=eBe%28581%29&type=code)
[eBe(582)](https://github.com/search?q=eBe%28582%29&type=code)
[eBe(585)](https://github.com/search?q=eBe%28585%29&type=code)
[eBe(583)](https://github.com/search?q=eBe%28583%29&type=code)
[eBe(606)](https://github.com/search?q=eBe%28606%29&type=code)
[eBe(586)](https://github.com/search?q=eBe%28586%29&type=code)
[eBe(587)](https://github.com/search?q=eBe%28587%29&type=code)
[eBe(588)](https://github.com/search?q=eBe%28588%29&type=code)
[eBe(595)](https://github.com/search?q=eBe%28595%29&type=code)
[eBe(589)](https://github.com/search?q=eBe%28589%29&type=code)
[eBe(590)](https://github.com/search?q=eBe%28590%29&type=code)
[eBe(591)](https://github.com/search?q=eBe%28591%29&type=code)
[eBe(593)](https://github.com/search?q=eBe%28593%29&type=code)
[eBe(594)](https://github.com/search?q=eBe%28594%29&type=code)
[eBe(600)](https://github.com/search?q=eBe%28600%29&type=code)
[eBe(596)](https://github.com/search?q=eBe%28596%29&type=code)
[eBe(620)](https://github.com/search?q=eBe%28620%29&type=code)
[eBe(597)](https://github.com/search?q=eBe%28597%29&type=code)
[eBe(598)](https://github.com/search?q=eBe%28598%29&type=code)
[eBe(601)](https://github.com/search?q=eBe%28601%29&type=code)
[eBe(604)](https://github.com/search?q=eBe%28604%29&type=code)
[eBe(605)](https://github.com/search?q=eBe%28605%29&type=code)
[eBe(650)](https://github.com/search?q=eBe%28650%29&type=code)
[eBe(602)](https://github.com/search?q=eBe%28602%29&type=code)
[eBe(603)](https://github.com/search?q=eBe%28603%29&type=code)
[eBe(608)](https://github.com/search?q=eBe%28608%29&type=code)
[eBe(533)](https://github.com/search?q=eBe%28533%29&type=code)
[eBe(610)](https://github.com/search?q=eBe%28610%29&type=code)
[eBe(613)](https://github.com/search?q=eBe%28613%29&type=code)
[eBe(616)](https://github.com/search?q=eBe%28616%29&type=code)
[eBe(623)](https://github.com/search?q=eBe%28623%29&type=code)
[eBe(619)](https://github.com/search?q=eBe%28619%29&type=code)
[eBe(661)](https://github.com/search?q=eBe%28661%29&type=code)
[eBe(621)](https://github.com/search?q=eBe%28621%29&type=code)
[eBe(663)](https://github.com/search?q=eBe%28663%29&type=code)
[eBe(622)](https://github.com/search?q=eBe%28622%29&type=code)
[eBe(625)](https://github.com/search?q=eBe%28625%29&type=code)
[eBe(504)](https://github.com/search?q=eBe%28504%29&type=code)
[eBe(503)](https://github.com/search?q=eBe%28503%29&type=code)
[eBe(506)](https://github.com/search?q=eBe%28506%29&type=code)
[eBe(505)](https://github.com/search?q=eBe%28505%29&type=code)
[eBe(507)](https://github.com/search?q=eBe%28507%29&type=code)
[eBe(513)](https://github.com/search?q=eBe%28513%29&type=code)
[eBe(511)](https://github.com/search?q=eBe%28511%29&type=code)
[eBe(509)](https://github.com/search?q=eBe%28509%29&type=code)
[eBe(514)](https://github.com/search?q=eBe%28514%29&type=code)
[eBe(515)](https://github.com/search?q=eBe%28515%29&type=code)
[eBe(531)](https://github.com/search?q=eBe%28531%29&type=code)
[eBe(517)](https://github.com/search?q=eBe%28517%29&type=code)
[eBe(523)](https://github.com/search?q=eBe%28523%29&type=code)
[eBe(629)](https://github.com/search?q=eBe%28629%29&type=code)
[eBe(631)](https://github.com/search?q=eBe%28631%29&type=code)
[eBe(635)](https://github.com/search?q=eBe%28635%29&type=code)
[eBe(634)](https://github.com/search?q=eBe%28634%29&type=code)
[eBe(633)](https://github.com/search?q=eBe%28633%29&type=code)
[eBe(632)](https://github.com/search?q=eBe%28632%29&type=code)
[eBe(627)](https://github.com/search?q=eBe%28627%29&type=code)
[eBe(637)](https://github.com/search?q=eBe%28637%29&type=code)
[eBe(638)](https://github.com/search?q=eBe%28638%29&type=code)
[eBe(640)](https://github.com/search?q=eBe%28640%29&type=code)
[eBe(527)](https://github.com/search?q=eBe%28527%29&type=code)
[eBe(529)](https://github.com/search?q=eBe%28529%29&type=code)
[eBe(528)](https://github.com/search?q=eBe%28528%29&type=code)
[eBe(530)](https://github.com/search?q=eBe%28530%29&type=code)
[eBe(532)](https://github.com/search?q=eBe%28532%29&type=code)
[eBe(536)](https://github.com/search?q=eBe%28536%29&type=code)
[eBe(541)](https://github.com/search?q=eBe%28541%29&type=code)
[eBe(537)](https://github.com/search?q=eBe%28537%29&type=code)
[eBe(424)](https://github.com/search?q=eBe%28424%29&type=code)
[eBe(562)](https://github.com/search?q=eBe%28562%29&type=code)
[eBe(548)](https://github.com/search?q=eBe%28548%29&type=code)
[eBe(560)](https://github.com/search?q=eBe%28560%29&type=code)
[eBe(557)](https://github.com/search?q=eBe%28557%29&type=code)
[eBe(570)](https://github.com/search?q=eBe%28570%29&type=code)
[eBe(563)](https://github.com/search?q=eBe%28563%29&type=code)
[eBe(643)](https://github.com/search?q=eBe%28643%29&type=code)
[eBe(644)](https://github.com/search?q=eBe%28644%29&type=code)
[eBe(645)](https://github.com/search?q=eBe%28645%29&type=code)
[eBe(646)](https://github.com/search?q=eBe%28646%29&type=code)
[eBe(647)](https://github.com/search?q=eBe%28647%29&type=code)
[eBe(642)](https://github.com/search?q=eBe%28642%29&type=code)
[eBe(649)](https://github.com/search?q=eBe%28649%29&type=code)
[eBe(662)](https://github.com/search?q=eBe%28662%29&type=code)
[eBe(652)](https://github.com/search?q=eBe%28652%29&type=code)
[eBe(651)](https://github.com/search?q=eBe%28651%29&type=code)
[eBe(653)](https://github.com/search?q=eBe%28653%29&type=code)
[eBe(654)](https://github.com/search?q=eBe%28654%29&type=code)
[eBe(655)](https://github.com/search?q=eBe%28655%29&type=code)
[eBe(656)](https://github.com/search?q=eBe%28656%29&type=code)
[eBe(658)](https://github.com/search?q=eBe%28658%29&type=code)
[eBe(659)](https://github.com/search?q=eBe%28659%29&type=code)
[eBe(363)](https://github.com/search?q=eBe%28363%29&type=code)
[eBe(406)](https://github.com/search?q=eBe%28406%29&type=code)
[eBe(422)](https://github.com/search?q=eBe%28422%29&type=code)
[eBe(54)](https://github.com/search?q=eBe%2854%29&type=code)
[eBe(25)](https://github.com/search?q=eBe%2825%29&type=code)
[eBe(-9)](https://github.com/search?q=eBe%28-9%29&type=code)
[eBe(27)](https://github.com/search?q=eBe%2827%29&type=code)
[eBe(72)](https://github.com/search?q=eBe%2872%29&type=code)
[eBe(59)](https://github.com/search?q=eBe%2859%29&type=code)
[eBe(90)](https://github.com/search?q=eBe%2890%29&type=code)
[eBe(23)](https://github.com/search?q=eBe%2823%29&type=code)
[eBe(-6)](https://github.com/search?q=eBe%28-6%29&type=code)
[eBe(48)](https://github.com/search?q=eBe%2848%29&type=code)
[eBe(45)](https://github.com/search?q=eBe%2845%29&type=code)
[eBe(-7)](https://github.com/search?q=eBe%28-7%29&type=code)
[eBe(37)](https://github.com/search?q=eBe%2837%29&type=code)
[eBe(56)](https://github.com/search?q=eBe%2856%29&type=code)
[eBe(-8)](https://github.com/search?q=eBe%28-8%29&type=code)
[eBe(44)](https://github.com/search?q=eBe%2844%29&type=code)
[eBe(92)](https://github.com/search?q=eBe%2892%29&type=code)
[eBe(10)](https://github.com/search?q=eBe%2810%29&type=code)
[eBe(78)](https://github.com/search?q=eBe%2878%29&type=code)
[eBe(99)](https://github.com/search?q=eBe%2899%29&type=code)
[eBe(98)](https://github.com/search?q=eBe%2898%29&type=code)
[eBe(53)](https://github.com/search?q=eBe%2853%29&type=code)
[eBe(95)](https://github.com/search?q=eBe%2895%29&type=code)
[eBe(96)](https://github.com/search?q=eBe%2896%29&type=code)
[eBe(51)](https://github.com/search?q=eBe%2851%29&type=code)
[eBe(52)](https://github.com/search?q=eBe%2852%29&type=code)
[eBe(94)](https://github.com/search?q=eBe%2894%29&type=code)
[eBe(62)](https://github.com/search?q=eBe%2862%29&type=code)
[eBe(93)](https://github.com/search?q=eBe%2893%29&type=code)
[eBe(86)](https://github.com/search?q=eBe%2886%29&type=code)
[eBe(91)](https://github.com/search?q=eBe%2891%29&type=code)
[eBe(89)](https://github.com/search?q=eBe%2889%29&type=code)
[eBe(88)](https://github.com/search?q=eBe%2888%29&type=code)
[eBe(81)](https://github.com/search?q=eBe%2881%29&type=code)
[eBe(87)](https://github.com/search?q=eBe%2887%29&type=code)
[eBe(85)](https://github.com/search?q=eBe%2885%29&type=code)
[eBe(66)](https://github.com/search?q=eBe%2866%29&type=code)
[eBe(84)](https://github.com/search?q=eBe%2884%29&type=code)
[eBe(83)](https://github.com/search?q=eBe%2883%29&type=code)
[eBe(82)](https://github.com/search?q=eBe%2882%29&type=code)
[eBe(70)](https://github.com/search?q=eBe%2870%29&type=code)
[eBe(69)](https://github.com/search?q=eBe%2869%29&type=code)
[eBe(71)](https://github.com/search?q=eBe%2871%29&type=code)
[eBe(68)](https://github.com/search?q=eBe%2868%29&type=code)
[eBe(80)](https://github.com/search?q=eBe%2880%29&type=code)
[eBe(-1)](https://github.com/search?q=eBe%28-1%29&type=code)
[eBe(79)](https://github.com/search?q=eBe%2879%29&type=code)
[eBe(73)](https://github.com/search?q=eBe%2873%29&type=code)
[eBe(77)](https://github.com/search?q=eBe%2877%29&type=code)
[eBe(39)](https://github.com/search?q=eBe%2839%29&type=code)
[eBe(76)](https://github.com/search?q=eBe%2876%29&type=code)
[eBe(75)](https://github.com/search?q=eBe%2875%29&type=code)
[eBe(74)](https://github.com/search?q=eBe%2874%29&type=code)
[eBe(64)](https://github.com/search?q=eBe%2864%29&type=code)
[eBe(67)](https://github.com/search?q=eBe%2867%29&type=code)
[eBe(97)](https://github.com/search?q=eBe%2897%29&type=code)
[eBe(65)](https://github.com/search?q=eBe%2865%29&type=code)
[eBe(63)](https://github.com/search?q=eBe%2863%29&type=code)
[eBe(61)](https://github.com/search?q=eBe%2861%29&type=code)
[eBe(60)](https://github.com/search?q=eBe%2860%29&type=code)
[eBe(58)](https://github.com/search?q=eBe%2858%29&type=code)
[eBe(57)](https://github.com/search?q=eBe%2857%29&type=code)
[eBe(55)](https://github.com/search?q=eBe%2855%29&type=code)
[eBe(30)](https://github.com/search?q=eBe%2830%29&type=code)
[eBe(50)](https://github.com/search?q=eBe%2850%29&type=code)
[eBe(49)](https://github.com/search?q=eBe%2849%29&type=code)
[eBe(29)](https://github.com/search?q=eBe%2829%29&type=code)
[eBe(14)](https://github.com/search?q=eBe%2814%29&type=code)
[eBe(47)](https://github.com/search?q=eBe%2847%29&type=code)
[eBe(46)](https://github.com/search?q=eBe%2846%29&type=code)
[eBe(43)](https://github.com/search?q=eBe%2843%29&type=code)
[eBe(42)](https://github.com/search?q=eBe%2842%29&type=code)
[eBe(41)](https://github.com/search?q=eBe%2841%29&type=code)
[eBe(40)](https://github.com/search?q=eBe%2840%29&type=code)
[eBe(38)](https://github.com/search?q=eBe%2838%29&type=code)
[eBe(36)](https://github.com/search?q=eBe%2836%29&type=code)
[eBe(35)](https://github.com/search?q=eBe%2835%29&type=code)
[eBe(34)](https://github.com/search?q=eBe%2834%29&type=code)
[eBe(33)](https://github.com/search?q=eBe%2833%29&type=code)
[eBe(32)](https://github.com/search?q=eBe%2832%29&type=code)
[eBe(31)](https://github.com/search?q=eBe%2831%29&type=code)
[eBe(28)](https://github.com/search?q=eBe%2828%29&type=code)
[eBe(26)](https://github.com/search?q=eBe%2826%29&type=code)
[eBe(24)](https://github.com/search?q=eBe%2824%29&type=code)
[eBe(22)](https://github.com/search?q=eBe%2822%29&type=code)
[eBe(-3)](https://github.com/search?q=eBe%28-3%29&type=code)
[eBe(21)](https://github.com/search?q=eBe%2821%29&type=code)
[eBe(20)](https://github.com/search?q=eBe%2820%29&type=code)
[eBe(19)](https://github.com/search?q=eBe%2819%29&type=code)
[eBe(18)](https://github.com/search?q=eBe%2818%29&type=code)
[eBe(17)](https://github.com/search?q=eBe%2817%29&type=code)
[eBe(16)](https://github.com/search?q=eBe%2816%29&type=code)
[eBe(15)](https://github.com/search?q=eBe%2815%29&type=code)
[eBe(13)](https://github.com/search?q=eBe%2813%29&type=code)
[eBe(12)](https://github.com/search?q=eBe%2812%29&type=code)
[eBe(11)](https://github.com/search?q=eBe%2811%29&type=code)
[eBe(-4)](https://github.com/search?q=eBe%28-4%29&type=code)
[eBe(-5)](https://github.com/search?q=eBe%28-5%29&type=code)
[eBe(-2)](https://github.com/search?q=eBe%28-2%29&type=code)
[eBe(7)](https://github.com/search?q=eBe%287%29&type=code)
[eBe(8)](https://github.com/search?q=eBe%288%29&type=code)
[eBe(2)](https://github.com/search?q=eBe%282%29&type=code)
[eBe(3)](https://github.com/search?q=eBe%283%29&type=code)
[eBe(6)](https://github.com/search?q=eBe%286%29&type=code)
[eBe(0)](https://github.com/search?q=eBe%280%29&type=code)
[eBe(4)](https://github.com/search?q=eBe%284%29&type=code)
[eBe(1)](https://github.com/search?q=eBe%281%29&type=code)
[eBe(9)](https://github.com/search?q=eBe%289%29&type=code)
[eBe(5)](https://github.com/search?q=eBe%285%29&type=code) | | +CRITICAL | **[exfil/stealer/wallet](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/wallet.yara#crypto_stealer_names)** | makes HTTPS connections and references multiple wallets by name | [Coinbase_Wordmark_SubBrands_ALL](https://github.com/search?q=Coinbase_Wordmark_SubBrands_ALL&type=code)
[CoinbaseInjectedProvider](https://github.com/search?q=CoinbaseInjectedProvider&type=code)
[CoinbaseWalletDeeplink](https://github.com/search?q=CoinbaseWalletDeeplink&type=code)
[CoinbaseInjectedSigner](https://github.com/search?q=CoinbaseInjectedSigner&type=code)
[CoinbaseWalletProvider](https://github.com/search?q=CoinbaseWalletProvider&type=code)
[CoinbaseTransactions](https://github.com/search?q=CoinbaseTransactions&type=code)
[CoinbaseWalletRound](https://github.com/search?q=CoinbaseWalletRound&type=code)
[CoinbaseWalletSteps](https://github.com/search?q=CoinbaseWalletSteps&type=code)
[CoinbaseWalletLogo](https://github.com/search?q=CoinbaseWalletLogo&type=code)
[CoinbaseWalletSDK](https://github.com/search?q=CoinbaseWalletSDK&type=code)
[CoinbaseOnRampURL](https://github.com/search?q=CoinbaseOnRampURL&type=code)
[CoinbaseConnector](https://github.com/search?q=CoinbaseConnector&type=code)
[CoinbaseBrowser](https://github.com/search?q=CoinbaseBrowser&type=code)
[BraveWallet](https://github.com/search?q=BraveWallet&type=code)
[Ronin](https://github.com/search?q=Ronin&type=code)
[http](https://github.com/search?q=http&type=code) | | +HIGH | **[anti-static/obfuscation/bitwise](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#unsigned_bitwise_math_excess)** | [uses an excessive amount of unsigned bitwise math](https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection) | [function(](https://github.com/search?q=function%28&type=code)
[charAt(s](https://github.com/search?q=charAt%28s&type=code)
[charAt(a](https://github.com/search?q=charAt%28a&type=code)
[charAt(n](https://github.com/search?q=charAt%28n&type=code)
[charAt(c](https://github.com/search?q=charAt%28c&type=code)
[charAt(t](https://github.com/search?q=charAt%28t&type=code)
[charAt(u](https://github.com/search?q=charAt%28u&type=code)
[charAt(w](https://github.com/search?q=charAt%28w&type=code)
[e>>>28](https://github.com/search?q=e%3E%3E%3E28&type=code)
[c>>>31](https://github.com/search?q=c%3E%3E%3E31&type=code)
[e>>>64](https://github.com/search?q=e%3E%3E%3E64&type=code)
[t>>>64](https://github.com/search?q=t%3E%3E%3E64&type=code)
[a>>>16](https://github.com/search?q=a%3E%3E%3E16&type=code)
[e>>>24](https://github.com/search?q=e%3E%3E%3E24&type=code)
[a>>>13](https://github.com/search?q=a%3E%3E%3E13&type=code)
[r>>>10](https://github.com/search?q=r%3E%3E%3E10&type=code)
[e>>>32](https://github.com/search?q=e%3E%3E%3E32&type=code)
[e>>>10](https://github.com/search?q=e%3E%3E%3E10&type=code)
[e>>>16](https://github.com/search?q=e%3E%3E%3E16&type=code)
[o>>>16](https://github.com/search?q=o%3E%3E%3E16&type=code)
[o>>>24](https://github.com/search?q=o%3E%3E%3E24&type=code)
[o>>>22](https://github.com/search?q=o%3E%3E%3E22&type=code)
[a>>>26](https://github.com/search?q=a%3E%3E%3E26&type=code)
[s>>>26](https://github.com/search?q=s%3E%3E%3E26&type=code)
[d>>>26](https://github.com/search?q=d%3E%3E%3E26&type=code)
[e>>>26](https://github.com/search?q=e%3E%3E%3E26&type=code)
[n>>>13](https://github.com/search?q=n%3E%3E%3E13&type=code)
[n>>>24](https://github.com/search?q=n%3E%3E%3E24&type=code)
[s>>>24](https://github.com/search?q=s%3E%3E%3E24&type=code)
[u>>>24](https://github.com/search?q=u%3E%3E%3E24&type=code)
[a>>>32](https://github.com/search?q=a%3E%3E%3E32&type=code)
[u>>>31](https://github.com/search?q=u%3E%3E%3E31&type=code)
[i>>>27](https://github.com/search?q=i%3E%3E%3E27&type=code)
[p>>>18](https://github.com/search?q=p%3E%3E%3E18&type=code)
[m>>>17](https://github.com/search?q=m%3E%3E%3E17&type=code)
[m>>>19](https://github.com/search?q=m%3E%3E%3E19&type=code)
[m>>>10](https://github.com/search?q=m%3E%3E%3E10&type=code)
[i>>>13](https://github.com/search?q=i%3E%3E%3E13&type=code)
[i>>>22](https://github.com/search?q=i%3E%3E%3E22&type=code)
[a>>>11](https://github.com/search?q=a%3E%3E%3E11&type=code)
[a>>>25](https://github.com/search?q=a%3E%3E%3E25&type=code)
[e>>>19](https://github.com/search?q=e%3E%3E%3E19&type=code)
[e>>>29](https://github.com/search?q=e%3E%3E%3E29&type=code)
[b>>>31](https://github.com/search?q=b%3E%3E%3E31&type=code)
[y>>>31](https://github.com/search?q=y%3E%3E%3E31&type=code)
[d>>>24](https://github.com/search?q=d%3E%3E%3E24&type=code)
[e>>>13](https://github.com/search?q=e%3E%3E%3E13&type=code)
[f>>>24](https://github.com/search?q=f%3E%3E%3E24&type=code)
[r>>>24](https://github.com/search?q=r%3E%3E%3E24&type=code)
[a>>>24](https://github.com/search?q=a%3E%3E%3E24&type=code)
[y>>>13](https://github.com/search?q=y%3E%3E%3E13&type=code)
[m>>>13](https://github.com/search?q=m%3E%3E%3E13&type=code)
[f>>>13](https://github.com/search?q=f%3E%3E%3E13&type=code)
[u>>>13](https://github.com/search?q=u%3E%3E%3E13&type=code)
[t>>>26](https://github.com/search?q=t%3E%3E%3E26&type=code)
[v>>>16](https://github.com/search?q=v%3E%3E%3E16&type=code)
[v>>>24](https://github.com/search?q=v%3E%3E%3E24&type=code)
[c>>>24](https://github.com/search?q=c%3E%3E%3E24&type=code)
[c>>>16](https://github.com/search?q=c%3E%3E%3E16&type=code)
[l>>>26](https://github.com/search?q=l%3E%3E%3E26&type=code)
[u>>>16](https://github.com/search?q=u%3E%3E%3E16&type=code)
[h>>>16](https://github.com/search?q=h%3E%3E%3E16&type=code)
[n>>>26](https://github.com/search?q=n%3E%3E%3E26&type=code)
[h>>>24](https://github.com/search?q=h%3E%3E%3E24&type=code)
[d>>>16](https://github.com/search?q=d%3E%3E%3E16&type=code)
[n>>>31](https://github.com/search?q=n%3E%3E%3E31&type=code)
[o>>>31](https://github.com/search?q=o%3E%3E%3E31&type=code)
[f>>>31](https://github.com/search?q=f%3E%3E%3E31&type=code)
[p>>>31](https://github.com/search?q=p%3E%3E%3E31&type=code)
[h>>>31](https://github.com/search?q=h%3E%3E%3E31&type=code)
[d>>>31](https://github.com/search?q=d%3E%3E%3E31&type=code)
[l>>>31](https://github.com/search?q=l%3E%3E%3E31&type=code)
[i>>>16](https://github.com/search?q=i%3E%3E%3E16&type=code)
[n>>>17](https://github.com/search?q=n%3E%3E%3E17&type=code)
[a>>>15](https://github.com/search?q=a%3E%3E%3E15&type=code)
[s>>>31](https://github.com/search?q=s%3E%3E%3E31&type=code)
[a>>>31](https://github.com/search?q=a%3E%3E%3E31&type=code)
[o>>>10](https://github.com/search?q=o%3E%3E%3E10&type=code)
[i>>>31](https://github.com/search?q=i%3E%3E%3E31&type=code)
[w>>>28](https://github.com/search?q=w%3E%3E%3E28&type=code)
[v>>>28](https://github.com/search?q=v%3E%3E%3E28&type=code)
[b>>>29](https://github.com/search?q=b%3E%3E%3E29&type=code)
[y>>>29](https://github.com/search?q=y%3E%3E%3E29&type=code)
[k>>>20](https://github.com/search?q=k%3E%3E%3E20&type=code)
[j>>>21](https://github.com/search?q=j%3E%3E%3E21&type=code)
[z>>>17](https://github.com/search?q=z%3E%3E%3E17&type=code)
[e>>>12](https://github.com/search?q=e%3E%3E%3E12&type=code)
[e>>>25](https://github.com/search?q=e%3E%3E%3E25&type=code)
[e>>>18](https://github.com/search?q=e%3E%3E%3E18&type=code)
[e>>>27](https://github.com/search?q=e%3E%3E%3E27&type=code)
[e>>>31](https://github.com/search?q=e%3E%3E%3E31&type=code)
[e>>>22](https://github.com/search?q=e%3E%3E%3E22&type=code)
[e>>>11](https://github.com/search?q=e%3E%3E%3E11&type=code)
[e>>>17](https://github.com/search?q=e%3E%3E%3E17&type=code)
[e>>>14](https://github.com/search?q=e%3E%3E%3E14&type=code)
[t>>>29](https://github.com/search?q=t%3E%3E%3E29&type=code)
[t>>>16](https://github.com/search?q=t%3E%3E%3E16&type=code)
[r>>>13](https://github.com/search?q=r%3E%3E%3E13&type=code)
[i>>>10](https://github.com/search?q=i%3E%3E%3E10&type=code)
[s>>>14](https://github.com/search?q=s%3E%3E%3E14&type=code)
[n>>>16](https://github.com/search?q=n%3E%3E%3E16&type=code)
[w>>>17](https://github.com/search?q=w%3E%3E%3E17&type=code)
[w>>>19](https://github.com/search?q=w%3E%3E%3E19&type=code)
[w>>>10](https://github.com/search?q=w%3E%3E%3E10&type=code)
[w>>>18](https://github.com/search?q=w%3E%3E%3E18&type=code)
[h>>>11](https://github.com/search?q=h%3E%3E%3E11&type=code)
[h>>>25](https://github.com/search?q=h%3E%3E%3E25&type=code)
[a>>>22](https://github.com/search?q=a%3E%3E%3E22&type=code)
[x>>>14](https://github.com/search?q=x%3E%3E%3E14&type=code)
[x>>>18](https://github.com/search?q=x%3E%3E%3E18&type=code)
[g>>>16](https://github.com/search?q=g%3E%3E%3E16&type=code)
[h>>>29](https://github.com/search?q=h%3E%3E%3E29&type=code)
[h>>>19](https://github.com/search?q=h%3E%3E%3E19&type=code)
[d>>>29](https://github.com/search?q=d%3E%3E%3E29&type=code)
[t>>>32](https://github.com/search?q=t%3E%3E%3E32&type=code)
[x>>>23](https://github.com/search?q=x%3E%3E%3E23&type=code)
[e>>>5](https://github.com/search?q=e%3E%3E%3E5&type=code)
[q>>>0](https://github.com/search?q=q%3E%3E%3E0&type=code)
[e>>>7](https://github.com/search?q=e%3E%3E%3E7&type=code)
[e>>>8](https://github.com/search?q=e%3E%3E%3E8&type=code)
[t>>>9](https://github.com/search?q=t%3E%3E%3E9&type=code)
[t>>>7](https://github.com/search?q=t%3E%3E%3E7&type=code)
[d>>>6](https://github.com/search?q=d%3E%3E%3E6&type=code)
[q>>>3](https://github.com/search?q=q%3E%3E%3E3&type=code)
[e>>>4](https://github.com/search?q=e%3E%3E%3E4&type=code)
[e>>>0](https://github.com/search?q=e%3E%3E%3E0&type=code)
[h>>>6](https://github.com/search?q=h%3E%3E%3E6&type=code)
[a>>>8](https://github.com/search?q=a%3E%3E%3E8&type=code)
[s>>>8](https://github.com/search?q=s%3E%3E%3E8&type=code)
[i>>>5](https://github.com/search?q=i%3E%3E%3E5&type=code)
[u>>>8](https://github.com/search?q=u%3E%3E%3E8&type=code)
[c>>>8](https://github.com/search?q=c%3E%3E%3E8&type=code)
[d>>>8](https://github.com/search?q=d%3E%3E%3E8&type=code)
[h>>>8](https://github.com/search?q=h%3E%3E%3E8&type=code)
[n>>>7](https://github.com/search?q=n%3E%3E%3E7&type=code)
[o>>>4](https://github.com/search?q=o%3E%3E%3E4&type=code)
[l>>>8](https://github.com/search?q=l%3E%3E%3E8&type=code)
[c>>>5](https://github.com/search?q=c%3E%3E%3E5&type=code)
[k>>>4](https://github.com/search?q=k%3E%3E%3E4&type=code)
[v>>>8](https://github.com/search?q=v%3E%3E%3E8&type=code)
[p>>>8](https://github.com/search?q=p%3E%3E%3E8&type=code)
[w>>>3](https://github.com/search?q=w%3E%3E%3E3&type=code)
[r>>>8](https://github.com/search?q=r%3E%3E%3E8&type=code)
[n>>>8](https://github.com/search?q=n%3E%3E%3E8&type=code)
[f>>>8](https://github.com/search?q=f%3E%3E%3E8&type=code)
[a>>>0](https://github.com/search?q=a%3E%3E%3E0&type=code)
[l>>>0](https://github.com/search?q=l%3E%3E%3E0&type=code)
[o>>>5](https://github.com/search?q=o%3E%3E%3E5&type=code)
[o>>>8](https://github.com/search?q=o%3E%3E%3E8&type=code)
[t>>>0](https://github.com/search?q=t%3E%3E%3E0&type=code)
[r>>>0](https://github.com/search?q=r%3E%3E%3E0&type=code)
[i>>>0](https://github.com/search?q=i%3E%3E%3E0&type=code)
[n>>>0](https://github.com/search?q=n%3E%3E%3E0&type=code)
[s>>>0](https://github.com/search?q=s%3E%3E%3E0&type=code)
[o>>>0](https://github.com/search?q=o%3E%3E%3E0&type=code)
[c>>>0](https://github.com/search?q=c%3E%3E%3E0&type=code)
[z>>>0](https://github.com/search?q=z%3E%3E%3E0&type=code)
[b>>>0](https://github.com/search?q=b%3E%3E%3E0&type=code)
[v>>>0](https://github.com/search?q=v%3E%3E%3E0&type=code)
[m>>>0](https://github.com/search?q=m%3E%3E%3E0&type=code)
[p>>>0](https://github.com/search?q=p%3E%3E%3E0&type=code)
[n>>>5](https://github.com/search?q=n%3E%3E%3E5&type=code)
[a>>>6](https://github.com/search?q=a%3E%3E%3E6&type=code)
[p>>>7](https://github.com/search?q=p%3E%3E%3E7&type=code)
[s>>>6](https://github.com/search?q=s%3E%3E%3E6&type=code)
[x>>>9](https://github.com/search?q=x%3E%3E%3E9&type=code)
[h>>>7](https://github.com/search?q=h%3E%3E%3E7&type=code)
[d>>>7](https://github.com/search?q=d%3E%3E%3E7&type=code)
[w>>>7](https://github.com/search?q=w%3E%3E%3E7&type=code) | -| +HIGH | **[anti-static/obfuscation/python](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/python.yara#multi_decode_3)** | multiple (3+) levels of decoding | [.decode(n);return o._baseCache.set(i,t),o}},jE=(e,t)=>{switch(e[0]){case"Q":{let r=t||N_;return[N_.prefix,r.decode(`${N_.prefix}${e}`)]}case N_.prefix:{let r=t||N_;return[N_.prefix,r.decode(e)]}case y_.prefix:{let r=t||y_;return[y_.prefix,r.decode(e)]}default:if(null==t)throw Error("To parse non base32 or base58btc encoded CID multibase decoder must be provided");return[e[0],t.decode](https://github.com/search?q=.decode%28n%29%3Breturn+o._baseCache.set%28i%2Ct%29%2Co%7D%7D%2CjE%3D%28e%2Ct%29%3D%3E%7Bswitch%28e%5B0%5D%29%7Bcase%22Q%22%3A%7Blet+r%3Dt%7C%7CN_%3Breturn%5BN_.prefix%2Cr.decode%28%60%24%7BN_.prefix%7D%24%7Be%7D%60%29%5D%7Dcase+N_.prefix%3A%7Blet+r%3Dt%7C%7CN_%3Breturn%5BN_.prefix%2Cr.decode%28e%29%5D%7Dcase+y_.prefix%3A%7Blet+r%3Dt%7C%7Cy_%3Breturn%5By_.prefix%2Cr.decode%28e%29%5D%7Ddefault%3Aif%28null%3D%3Dt%29throw+Error%28%22To+parse+non+base32+or+base58btc+encoded+CID+multibase+decoder+must+be+provided%22%29%3Breturn%5Be%5B0%5D%2Ct.decode&type=code)
[.decode(n);return o._baseCache.set(i,t),o}},vB=(e,t)=>{switch(e[0]){case"Q":{let r=t||fN;return[fN.prefix,r.decode(`${fN.prefix}${e}`)]}case fN.prefix:{let r=t||fN;return[fN.prefix,r.decode(e)]}case JO.prefix:{let r=t||JO;return[JO.prefix,r.decode(e)]}default:if(null==t)throw Error("To parse non base32 or base58btc encoded CID multibase decoder must be provided");return[e[0],t.decode](https://github.com/search?q=.decode%28n%29%3Breturn+o._baseCache.set%28i%2Ct%29%2Co%7D%7D%2CvB%3D%28e%2Ct%29%3D%3E%7Bswitch%28e%5B0%5D%29%7Bcase%22Q%22%3A%7Blet+r%3Dt%7C%7CfN%3Breturn%5BfN.prefix%2Cr.decode%28%60%24%7BfN.prefix%7D%24%7Be%7D%60%29%5D%7Dcase+fN.prefix%3A%7Blet+r%3Dt%7C%7CfN%3Breturn%5BfN.prefix%2Cr.decode%28e%29%5D%7Dcase+JO.prefix%3A%7Blet+r%3Dt%7C%7CJO%3Breturn%5BJO.prefix%2Cr.decode%28e%29%5D%7Ddefault%3Aif%28null%3D%3Dt%29throw+Error%28%22To+parse+non+base32+or+base58btc+encoded+CID+multibase+decoder+must+be+provided%22%29%3Breturn%5Be%5B0%5D%2Ct.decode&type=code) | | +HIGH | **[c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#exotic_tld)** | Contains HTTP hostname with unusual top-level domain | [https://api.mantlescan.xyz/](https://api.mantlescan.xyz/)
[https://mantlescan.xyz/](https://mantlescan.xyz/)
[https://openchain.xyz/](https://openchain.xyz/) | | +HIGH | **[data/builtin/appkit](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/builtin/appkit.yara#appkit)** | Includes AppKit, a web3 blockchain library | [Price impact reflects the change in market price due to your trade](https://github.com/search?q=Price+impact+reflects+the+change+in+market+price+due+to+your+trade&type=code)
[Select which chain to connect to your multi](https://github.com/search?q=Select+which+chain+to+connect+to+your+multi&type=code) | | +MEDIUM | **[anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse)** | contains a large hexadecimal string variable | [toString("hex");](https://github.com/search?q=toString%28%22hex%22%29%3B&type=code) | diff --git a/tests/javascript/2024.obfuscated/04363d3c6d6f3badf15f8e99d3739612a7eec439cdcb4457150bbb330a829e7a.js.simple b/tests/javascript/2024.obfuscated/04363d3c6d6f3badf15f8e99d3739612a7eec439cdcb4457150bbb330a829e7a.js.simple index cdd2d3395..59f5eb615 100644 --- a/tests/javascript/2024.obfuscated/04363d3c6d6f3badf15f8e99d3739612a7eec439cdcb4457150bbb330a829e7a.js.simple +++ b/tests/javascript/2024.obfuscated/04363d3c6d6f3badf15f8e99d3739612a7eec439cdcb4457150bbb330a829e7a.js.simple @@ -1,6 +1,5 @@ # javascript/2024.obfuscated/04363d3c6d6f3badf15f8e99d3739612a7eec439cdcb4457150bbb330a829e7a.js: critical anti-static/obfuscation/js: high -anti-static/obfuscation/reverse: medium exec/script/activex: medium exec/script/wsh: high exfil/stealer/vmware: high diff --git a/tests/javascript/2024.obfuscated/0619bf6e9a2151b1b37360cbdd7e46fc7f0059f20ba0ca5853cdbde1f0b29e36.js.simple b/tests/javascript/2024.obfuscated/0619bf6e9a2151b1b37360cbdd7e46fc7f0059f20ba0ca5853cdbde1f0b29e36.js.simple index 76992366a..9c16b2be4 100644 --- a/tests/javascript/2024.obfuscated/0619bf6e9a2151b1b37360cbdd7e46fc7f0059f20ba0ca5853cdbde1f0b29e36.js.simple +++ b/tests/javascript/2024.obfuscated/0619bf6e9a2151b1b37360cbdd7e46fc7f0059f20ba0ca5853cdbde1f0b29e36.js.simple @@ -3,5 +3,4 @@ anti-static/obfuscation/js: high c2/addr/url: medium data/encoding/json_decode: low exec/plugin: low -exec/remote_commands/code_eval: medium net/url/encode: medium 
diff --git a/tests/javascript/clean/203.b7219352.chunk.js.simple b/tests/javascript/clean/203.b7219352.chunk.js.simple index 6d0e38267..4d1cafb23 100644 --- a/tests/javascript/clean/203.b7219352.chunk.js.simple +++ b/tests/javascript/clean/203.b7219352.chunk.js.simple @@ -23,7 +23,6 @@ discover/user/name_get: medium exec/cmd: medium exec/conditional/LANG: low exec/plugin: low -exec/remote_commands/code_eval: medium exec/shell/SHELL: low exec/shell/TERM: low exec/shell/power: medium diff --git a/tests/javascript/clean/3937.844b09f50594ca2613b4.js.map.simple b/tests/javascript/clean/3937.844b09f50594ca2613b4.js.map.simple index e69de29bb..f0d609c89 100644 --- a/tests/javascript/clean/3937.844b09f50594ca2613b4.js.map.simple +++ b/tests/javascript/clean/3937.844b09f50594ca2613b4.js.map.simple @@ -0,0 +1,10 @@ +# javascript/clean/3937.844b09f50594ca2613b4.js.map: medium +c2/addr/url: medium +c2/tool_transfer/os: low +exec/shell/power: medium +false-positives/mattermost: low +fs/directory/remove: low +fs/file/copy: medium +fs/file/delete: medium +net/download/fetch: medium +net/url/embedded: low diff --git a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple index ec7da6fc4..94b355942 100644 --- a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple +++ b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple @@ -1,7 +1,6 @@ # javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js: medium anti-behavior/random_behavior: low anti-static/obfuscation/js: medium -anti-static/obfuscation/reverse: medium c2/addr/ip: medium c2/addr/server: medium c2/client: medium @@ -48,7 +47,6 @@ exec/conditional/LANG: low exec/plugin: low exec/program: medium exec/program/background: low -exec/remote_commands/code_eval: medium exec/shell/command: medium exec/shell/power: medium exec/tty/pathname: medium 
diff --git a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple index 70e0d9ba7..37372af6b 100644 --- a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple +++ b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple @@ -1,7 +1,6 @@ # javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js: medium anti-behavior/random_behavior: low anti-static/obfuscation/js: medium -anti-static/obfuscation/reverse: medium c2/addr/ip: medium c2/addr/server: medium c2/client: medium @@ -48,7 +47,6 @@ exec/cmd: medium exec/plugin: low exec/program: medium exec/program/background: low -exec/remote_commands/code_eval: medium exec/shell/command: medium exec/shell/power: medium exec/tty/pathname: medium diff --git a/tests/javascript/clean/connection.js.simple b/tests/javascript/clean/connection.js.simple index 6fc3fb6b4..20fee0617 100644 --- a/tests/javascript/clean/connection.js.simple +++ b/tests/javascript/clean/connection.js.simple @@ -11,7 +11,6 @@ data/embedded/base64_terms: medium data/embedded/base64_url: medium data/encoding/base64: low discover/system/hostname: low -exec/remote_commands/code_eval: medium net/dns: low net/http: low net/ip/host_port: medium diff --git a/tests/javascript/clean/faker.js.simple b/tests/javascript/clean/faker.js.simple index 457e7d865..6c1986368 100644 --- a/tests/javascript/clean/faker.js.simple +++ b/tests/javascript/clean/faker.js.simple @@ -1,6 +1,7 @@ # javascript/clean/faker.js: medium anti-behavior/blocklist/user: low anti-behavior/random_behavior: low +anti-static/obfuscation/js: medium anti-static/obfuscation/obfuscate: low c2/addr/ip: medium c2/tool_transfer/arch: low diff --git a/tests/javascript/clean/highlight.esm.js.simple b/tests/javascript/clean/highlight.esm.js.simple index d777c618e..6cb32ca4c 100644 --- a/tests/javascript/clean/highlight.esm.js.simple 
+++ b/tests/javascript/clean/highlight.esm.js.simple @@ -6,7 +6,6 @@ c2/addr/ip: medium c2/connect/ping_pong: medium c2/tool_transfer/arch: low c2/tool_transfer/os: medium -c2/tool_transfer/python: medium collect/archives/unarchive: medium collect/databases/mysql: medium collect/databases/postgresql: medium @@ -38,7 +37,6 @@ exec/cmd: medium exec/plugin: low exec/program/background: low exec/program/hidden: medium -exec/remote_commands/code_eval: medium exec/script/activex: medium exec/script/osa: medium exec/shell/SHELL: low @@ -52,7 +50,6 @@ fs/file/copy: medium fs/file/create: medium fs/file/delete: medium fs/file/read: low -fs/file/rename: low fs/file/times_set: medium fs/file/write: low fs/link_read: low diff --git a/tests/javascript/clean/highlight.js.simple b/tests/javascript/clean/highlight.js.simple index 7067d2a38..e270f46ef 100644 --- a/tests/javascript/clean/highlight.js.simple +++ b/tests/javascript/clean/highlight.js.simple @@ -6,7 +6,6 @@ c2/addr/ip: medium c2/connect/ping_pong: medium c2/tool_transfer/arch: low c2/tool_transfer/os: medium -c2/tool_transfer/python: medium collect/archives/unarchive: medium collect/databases/mysql: medium collect/databases/postgresql: medium @@ -38,7 +37,6 @@ exec/cmd: medium exec/plugin: low exec/program/background: low exec/program/hidden: medium -exec/remote_commands/code_eval: medium exec/script/activex: medium exec/script/osa: medium exec/shell/SHELL: low @@ -52,7 +50,6 @@ fs/file/copy: medium fs/file/create: medium fs/file/delete: medium fs/file/read: low -fs/file/rename: low fs/file/times_set: medium fs/file/write: low fs/link_read: low diff --git a/tests/javascript/clean/index.js.map.simple b/tests/javascript/clean/index.js.map.simple index e69de29bb..5116bd200 100644 --- a/tests/javascript/clean/index.js.map.simple +++ b/tests/javascript/clean/index.js.map.simple 
@@ -0,0 +1,17 @@ +# javascript/clean/index.js.map: medium +anti-behavior/random_behavior: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/encrypt: medium +crypto/public_key: low +data/encoding/base64: low +data/encoding/json_decode: low +data/encoding/json_encode: low +net/http: low +net/http/accept: low +net/http/auth: low +net/http/form_upload: medium +net/http/post: medium +net/url/embedded: low +net/url/parse: low diff --git a/tests/javascript/clean/php.js.simple b/tests/javascript/clean/php.js.simple index c3bb3324d..54b37dca4 100644 --- a/tests/javascript/clean/php.js.simple +++ b/tests/javascript/clean/php.js.simple @@ -32,7 +32,6 @@ evasion/logging/acct: low exec/plugin: low exec/program: medium exec/program/background: low -exec/remote_commands/code_eval: medium exec/shell/command: medium exec/tty/pathname: medium fs/directory/create: low diff --git a/tests/javascript/clean/scripts.c88fecd373e21509.js.simple b/tests/javascript/clean/scripts.c88fecd373e21509.js.simple index 8bff3b37b..5bebf00b5 100644 --- a/tests/javascript/clean/scripts.c88fecd373e21509.js.simple +++ b/tests/javascript/clean/scripts.c88fecd373e21509.js.simple @@ -18,7 +18,6 @@ discover/system/dmesg: low discover/system/platform: low discover/user/name_get: medium exec/plugin: low -exec/remote_commands/code_eval: medium exec/shell/SHELL: low exec/shell/TERM: low exec/shell/power: medium diff --git a/tests/javascript/clean/securityDashboards.plugin.js.simple b/tests/javascript/clean/securityDashboards.plugin.js.simple index 1813f43d6..2855cc3e3 100644 --- a/tests/javascript/clean/securityDashboards.plugin.js.simple +++ b/tests/javascript/clean/securityDashboards.plugin.js.simple @@ -2,7 +2,6 @@ anti-behavior/random_behavior: low anti-static/obfuscation/bitwise: medium anti-static/obfuscation/js: medium -anti-static/obfuscation/reverse: medium anti-static/xor/functions: medium c2/tool_transfer/dropper: medium c2/tool_transfer/os: medium 
diff --git a/tests/javascript/clean/yarn-3.8.7.cjs.simple b/tests/javascript/clean/yarn-3.8.7.cjs.simple index 2a6ec7d89..e8bc2ba3c 100644 --- a/tests/javascript/clean/yarn-3.8.7.cjs.simple +++ b/tests/javascript/clean/yarn-3.8.7.cjs.simple @@ -1,8 +1,6 @@ # javascript/clean/yarn-3.8.7.cjs: medium anti-behavior/random_behavior: low -anti-static/obfuscation/bitwise: medium anti-static/obfuscation/hex: medium -anti-static/obfuscation/js: medium c2/addr/ip: medium c2/tool_transfer/arch: low c2/tool_transfer/github: medium @@ -34,7 +32,6 @@ exec/program: medium exec/shell/TERM: low exec/shell/exec: medium fs/directory/create: low -fs/directory/list: low fs/directory/remove: low fs/file/append: low fs/file/copy: medium diff --git a/tests/javascript/clean/zxcvbn.js.simple b/tests/javascript/clean/zxcvbn.js.simple index 760219d54..e1429eb5e 100644 --- a/tests/javascript/clean/zxcvbn.js.simple +++ b/tests/javascript/clean/zxcvbn.js.simple @@ -1,6 +1,5 @@ # javascript/clean/zxcvbn.js: medium anti-behavior/random_behavior: low -anti-static/obfuscation/reverse: medium anti-static/obfuscation/strtoi: medium anti-static/xor/functions: medium c2/tool_transfer/dropper: medium @@ -11,7 +10,6 @@ crypto/cipher: medium data/encoding/int: low discover/user/name_get: medium exec/plugin: low -exec/remote_commands/code_eval: medium fs/lock_update: low fs/mount: low fs/path/relative: medium diff --git a/tests/linux/2020.bdvl/bdvl.so.simple b/tests/linux/2020.bdvl/bdvl.so.simple index 9a080d05f..11e734c80 100644 --- a/tests/linux/2020.bdvl/bdvl.so.simple +++ b/tests/linux/2020.bdvl/bdvl.so.simple @@ -1,7 +1,5 @@ # linux/2020.bdvl/bdvl.so: critical 3P/elastic/rootkit_bedevil: critical -anti-behavior/LD_DEBUG: medium -anti-behavior/process_check: high credential/password: low credential/sniffer/pcap: high credential/ssh/d: high diff --git a/tests/linux/2022.ez-pwnkit/PWN.so.simple b/tests/linux/2022.ez-pwnkit/PWN.so.simple index 0bc280048..8bc0fbe71 100644 
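Review bot: The bdvl.so expectation drops `anti-behavior/LD_DEBUG: medium` and `anti-behavior/process_check: high` while the sample is still tagged `3P/elastic/rootkit_bedevil: critical`, so two behaviors characteristic of an LD_PRELOAD rootkit no longer surface for a known rootkit sample. The PWN.so section that begins at the end of this line (its hunk continues on the next line) loses `exec/shell/command` in the same way, which suggests shared objects may not be resolving to the file type these rules are now gated on. If narrowing these rules to a file type is intentional, the `.so` case should be checked against the new filetype list; if not, the original expectation should be kept rather than accepted as the new baseline.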
--- a/tests/linux/2022.ez-pwnkit/PWN.so.simple +++ b/tests/linux/2022.ez-pwnkit/PWN.so.simple @@ -1,6 +1,5 @@ # linux/2022.ez-pwnkit/PWN.so: critical exec/program: medium -exec/shell/command: medium exec/shell/exec: medium fs/file/delete_forcibly: low fs/path/home: low diff --git a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple index c01d45caf..3570f7764 100644 --- a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple +++ b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple @@ -43,7 +43,6 @@ fs/file/delete_forcibly: low fs/file/make_executable: high fs/file/open: low fs/file/read: low -fs/file/rename: low fs/file/times_set: low fs/link_read: low fs/lock_update: low diff --git a/tests/linux/2024.chisel/crondx.simple b/tests/linux/2024.chisel/crondx.simple index c6e45839e..6ee4ff9a2 100644 --- a/tests/linux/2024.chisel/crondx.simple +++ b/tests/linux/2024.chisel/crondx.simple @@ -3,6 +3,7 @@ anti-behavior/random_behavior: low c2/addr/ip: high c2/addr/url: low +c2/discovery/ip_dns_resolver: medium c2/tool_transfer/arch: low c2/tool_transfer/os: low collect/archives/zip: medium diff --git a/tests/linux/2024.hadooken/drop1.sh.simple b/tests/linux/2024.hadooken/drop1.sh.simple index c6189e33b..6b58da099 100644 --- a/tests/linux/2024.hadooken/drop1.sh.simple +++ b/tests/linux/2024.hadooken/drop1.sh.simple @@ -1,6 +1,5 @@ # linux/2024.hadooken/drop1.sh: critical anti-static/base64/exec: critical -anti-static/base64/function_names: critical c2/addr/ip: high c2/addr/url: medium c2/tool_transfer/shell: high diff --git a/tests/linux/2024.hadooken/drop2.sh.simple b/tests/linux/2024.hadooken/drop2.sh.simple index a474440a3..6f6340f4e 100644 --- a/tests/linux/2024.hadooken/drop2.sh.simple +++ b/tests/linux/2024.hadooken/drop2.sh.simple 
@@ -2,7 +2,6 @@ c2/addr/ip: high c2/addr/url: medium exec/imports/python: low -exec/remote_commands/code_eval: high impact/remote_access/remote_eval: critical net/http: low net/url/embedded: low diff --git a/tests/linux/2024.hadooken/ssh_worm.sh.simple b/tests/linux/2024.hadooken/ssh_worm.sh.simple index 82e8fee78..b30e81876 100644 --- a/tests/linux/2024.hadooken/ssh_worm.sh.simple +++ b/tests/linux/2024.hadooken/ssh_worm.sh.simple @@ -1,6 +1,5 @@ # linux/2024.hadooken/ssh_worm.sh: critical anti-static/base64/exec: critical -anti-static/base64/function_names: critical c2/addr/ip: high c2/addr/url: medium c2/tool_transfer/shell: medium diff --git a/tests/linux/2024.k4spreader/degrader.sh.simple b/tests/linux/2024.k4spreader/degrader.sh.simple index 5da701263..626cb23a7 100644 --- a/tests/linux/2024.k4spreader/degrader.sh.simple +++ b/tests/linux/2024.k4spreader/degrader.sh.simple @@ -2,6 +2,5 @@ evasion/bypass_security/linux/iptables: medium evasion/bypass_security/linux/ufw: medium evasion/hijack_execution/etc_ld.so.preload: high -fs/attributes/chattr: medium fs/path/etc: low impact/degrade/firewall: high diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple index 9cd9771f6..054180f7e 100644 --- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple +++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple @@ -64,7 +64,6 @@ exec/conditional/LANG: low exec/dylib/symbol_address: medium exec/plugin: low exec/program: medium -exec/remote_commands/code_eval: medium exec/script/shell: medium exec/shell/SHELL: low exec/shell/TERM: low @@ -80,7 +79,6 @@ fs/file/delete: medium fs/file/delete_forcibly: medium fs/file/open: low fs/file/read: low -fs/file/rename: low fs/file/times_set: low fs/file/write: low fs/link_create: low diff --git a/tests/linux/2024.kworker_pretenders/gafgyt.simple b/tests/linux/2024.kworker_pretenders/gafgyt.simple index cc6d21815..c778faeaf 100644 
--- a/tests/linux/2024.kworker_pretenders/gafgyt.simple +++ b/tests/linux/2024.kworker_pretenders/gafgyt.simple @@ -1,6 +1,5 @@ # linux/2024.kworker_pretenders/gafgyt: critical 3P/elastic/mirai: critical -anti-static/base64/exec: critical anti-static/elf/content: high c2/addr/url: medium credential/ssh/d: medium diff --git a/tests/linux/2024.melofee/2023.8d855c2874.elf.simple b/tests/linux/2024.melofee/2023.8d855c2874.elf.simple index c35626373..1572748c9 100644 --- a/tests/linux/2024.melofee/2023.8d855c2874.elf.simple +++ b/tests/linux/2024.melofee/2023.8d855c2874.elf.simple @@ -1,6 +1,7 @@ # linux/2024.melofee/2023.8d855c2874.elf: critical anti-behavior/random_behavior: low c2/addr/ip: medium +c2/discovery/ip_dns_resolver: medium credential/password: low credential/ssl/private_key: low crypto/aes: low diff --git a/tests/linux/2024.melofee/pskt.simple b/tests/linux/2024.melofee/pskt.simple index 0d28e950b..0f0acd2da 100644 --- a/tests/linux/2024.melofee/pskt.simple +++ b/tests/linux/2024.melofee/pskt.simple @@ -5,7 +5,6 @@ anti-behavior/LD_PROFILE: medium anti-behavior/random_behavior: low anti-static/elf/entropy: high anti-static/elf/multiple: medium -anti-static/obfuscation/js: medium c2/addr/ip: medium c2/addr/url: low c2/tool_transfer/arch: low diff --git a/tests/linux/2024.vncjew/__min__c.json b/tests/linux/2024.vncjew/__min__c.json index 980a5ea5f..b084e84a4 100644 --- a/tests/linux/2024.vncjew/__min__c.json +++ b/tests/linux/2024.vncjew/__min__c.json @@ -81,6 +81,17 @@ "ID": "c2/addr/url", "RuleName": "binary_with_url" }, + { + "Description": "contains Cloudflare DNS resolver IP", + "MatchStrings": [ + "1.1.1.1" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#cloudflare_dns_ip", + "ID": "c2/discovery/ip_dns_resolver", + "RuleName": "cloudflare_dns_ip" + }, { "Description": "references a specific architecture", "MatchStrings": [ 
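Review bot: `anti-static/base64/exec: critical` is dropped from the gafgyt expectation although the sample remains `3P/elastic/mirai: critical`, and the hadooken `drop1.sh` and `ssh_worm.sh` expectations earlier in this patch lose `anti-static/base64/function_names: critical` in the same way. Losing a critical-tier finding on known-malicious samples is a detection regression unless the base64 rules were deliberately narrowed by file type, and the commit message only says file type support was added for report generation, so the intent is not visible from the diff. A sentence in the commit message naming which rule namespaces were narrowed and why these samples are expected to lose coverage would make the regression reviewable.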
@@ -954,33 +965,6 @@ "stdio" ], "Behaviors": [ - { - "Description": "high entropy footer in ELF binary (\u003e7.4)", - "RiskScore": 3, - "RiskLevel": "HIGH", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_4", - "ID": "anti-static/elf/entropy", - "RuleName": "normal_elf_high_entropy_7_4" - }, - { - "Description": "high entropy ELF header (\u003e7)", - "RiskScore": 3, - "RiskLevel": "HIGH", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#high_entropy_header", - "ID": "anti-static/elf/header", - "RuleName": "high_entropy_header" - }, - { - "Description": "multiple ELF binaries within an ELF binary", - "MatchStrings": [ - "$elf_head" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf", - "ID": "anti-static/elf/multiple", - "RuleName": "multiple_elf" - }, { "Description": "Linux ELF binary packed with UPX", "MatchStrings": [ 
@@ -995,26 +979,15 @@ "RuleName": "upx" }, { - "Description": "ELF with hardcoded IP address", + "Description": "hardcoded IP address", "MatchStrings": [ "2.5.4.3" ], - "RiskScore": 3, - "RiskLevel": "HIGH", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#bin_hardcoded_ip", + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#hardcoded_ip", "ID": "c2/addr/ip", - "RuleName": "bin_hardcoded_ip" - }, - { - "Description": "binary contains hardcoded URL", - "MatchStrings": [ - "http://upx.sf.net" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url", - "ID": "c2/addr/url", - "RuleName": "binary_with_url" + "RuleName": "hardcoded_ip" }, { "Description": "references a specific architecture", @@ -1099,8 +1072,8 @@ "RuleName": "http_url" } ], - "RiskScore": 4, - "RiskLevel": "CRITICAL" + "RiskScore": 3, + "RiskLevel": "HIGH" } } } diff --git a/tests/linux/clean/appsec-rules.json.simple b/tests/linux/clean/appsec-rules.json.simple index e69de29bb..f7f33d7b4 100644 --- a/tests/linux/clean/appsec-rules.json.simple +++ b/tests/linux/clean/appsec-rules.json.simple 
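Review bot: The overall verdict for the vncjew `__min__c` sample falls from CRITICAL to HIGH, and the preceding hunk removes `normal_elf_high_entropy_7_4`, `high_entropy_header` and `multiple_elf` while the `Linux ELF binary packed with UPX` behavior stays in place — a packed ELF is exactly where those entropy rules are expected to fire. In this hunk `bin_hardcoded_ip` (HIGH) is replaced by the lower-scored `hardcoded_ip` (MEDIUM) and the `http://upx.sf.net` URL finding is gone, so the downgrade comes from ELF-specific rules no longer applying rather than from any change to the sample. This looks like the sample's detected type is no longer reaching the ELF-gated rules; that is worth confirming before the lower score becomes the baseline.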
@@ -0,0 +1,77 @@ +# linux/clean/appsec-rules.json: medium +c2/addr/url: medium +collect/databases/mysql: medium +collect/databases/postgresql: medium +collect/databases/sqlite: medium +credential/cloud/aws: medium +credential/os/gshadow: medium +credential/os/shadow: medium +credential/password: low +credential/server/htpasswd: medium +credential/shell/bash_history: medium +credential/ssh: medium +credential/ssh/authorized_hosts: medium +credential/ssh/d: medium +crypto/openssl: medium +data/base64/decode: medium +data/base64/external: medium +data/compression/bzip2: low +data/compression/gzip: low +data/compression/lzma: low +data/compression/zlib: low +data/compression/zstd: low +data/encoding/base64: low +data/encoding/utf16: medium +discover/multiple: medium +discover/system/dmesg: low +discover/system/platform: low +discover/user/USER: low +discover/user/name_get: medium +evasion/bypass_security/linux/iptables: medium +evasion/bypass_security/linux/ufw: medium +evasion/file/prefix: medium +evasion/logging/acct: low +evasion/process_injection/readelf: medium +exec/plugin: low +exec/shell/bash_dev_udp: medium +exec/shell/command: medium +exec/shell/nohup: medium +exec/system_controls/apparmor: medium +exec/system_controls/systemd: low +exec/tty/pathname: medium +exfil: medium +fs/fifo_create: low +fs/file/times_set: medium +fs/lock_update: low +fs/mount: low +fs/node_create: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/home: low +fs/path/home_config: low +fs/path/tmp: medium +fs/path/var: low +fs/permission/modify: medium +fs/tempfile: low +hw/hardware_enumeration: medium +hw/wireless: low +impact/exploit: medium +impact/exploit/cve: medium +impact/remote_access/iptables: medium +net/dns/servers: low +net/download: medium +net/ftp/t: low +net/http: low +net/http/cookies: medium +net/http/webhook: medium +net/ip/host_port: medium +net/socket/connect: medium +net/tcp/sftp: medium +persist/cron/tab: medium +persist/daemon: medium +persist/shell/bash: 
medium +persist/shell/zsh: medium +persist/ssh_authorized_keys: medium +process/chroot: low +process/unshare: low +sec-tool/net/nmap: medium diff --git a/tests/linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json.simple b/tests/linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json.simple index e69de29bb..fbced9d33 100644 --- a/tests/linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json.simple +++ b/tests/linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json.simple @@ -0,0 +1,4 @@ +# linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json: medium +c2/tool_transfer/arch: low +net/download: medium +net/url/embedded: low diff --git a/tests/linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json.simple b/tests/linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json.simple index e69de29bb..5d3094c8a 100644 --- a/tests/linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json.simple +++ b/tests/linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json.simple @@ -0,0 +1,4 @@ +# linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json: medium +c2/tool_transfer/arch: low +net/download: medium +net/url/embedded: low diff --git a/tests/linux/clean/aws-c-io/aws-c-io.sdiff b/tests/linux/clean/aws-c-io/aws-c-io.sdiff index e69de29bb..2d5409150 100644 --- a/tests/linux/clean/aws-c-io/aws-c-io.sdiff +++ b/tests/linux/clean/aws-c-io/aws-c-io.sdiff @@ -0,0 +1 @@ +>>> moved: linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json -> linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json (score: 0.988000) diff --git a/tests/linux/clean/buildah.simple b/tests/linux/clean/buildah.simple index 8309b1ab8..d938cc03c 100644 --- a/tests/linux/clean/buildah.simple +++ b/tests/linux/clean/buildah.simple @@ -70,7 +70,6 @@ fs/file/delete: low fs/file/delete_forcibly: low fs/file/open: low fs/file/read: low -fs/file/rename: low fs/file/times_set: medium fs/file/truncate: low fs/file/write: low diff --git a/tests/linux/clean/buildkitd.simple b/tests/linux/clean/buildkitd.simple index 408ec2432..a2d321506 100644 --- a/tests/linux/clean/buildkitd.simple 
+++ b/tests/linux/clean/buildkitd.simple @@ -57,7 +57,6 @@ fs/file/copy: medium fs/file/delete: low fs/file/open: low fs/file/read: low -fs/file/rename: low fs/file/stat: low fs/file/times_set: medium fs/file/write: low diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple index d8ac38919..26a2d5f0d 100644 --- a/tests/linux/clean/caddy.simple +++ b/tests/linux/clean/caddy.simple @@ -77,7 +77,6 @@ fs/file/delete: medium fs/file/delete_forcibly: low fs/file/open: low fs/file/read: low -fs/file/rename: low fs/file/times_set: medium fs/file/write: low fs/link_read: low diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple index 7877cc66c..865b9b1a8 100644 --- a/tests/linux/clean/chezmoi.simple +++ b/tests/linux/clean/chezmoi.simple @@ -7,6 +7,7 @@ c2/addr/ip: medium c2/addr/telegram: medium c2/addr/url: low c2/client: medium +c2/discovery/ip_dns_resolver: medium c2/tool_transfer/arch: low c2/tool_transfer/download: medium c2/tool_transfer/dropper: medium @@ -77,7 +78,6 @@ exec/shell/background_sleep: medium exec/shell/exec: medium exec/system_controls/systemd: low exfil/upload: medium -fs/attributes/chattr: medium fs/directory/create: low fs/directory/list: low fs/directory/remove: low @@ -87,7 +87,6 @@ fs/file/delete: medium fs/file/delete_forcibly: low fs/file/open: low fs/file/read: low -fs/file/rename: low fs/file/stat: low fs/file/times_set: medium fs/file/write: low diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple index ff2ba0080..9f34331cb 100644 --- a/tests/linux/clean/chrome.simple +++ b/tests/linux/clean/chrome.simple @@ -86,7 +86,6 @@ fs/file/delete: medium fs/file/delete_forcibly: low fs/file/open: low fs/file/read: low -fs/file/rename: low fs/file/stat: low fs/file/times_set: medium fs/file/truncate: low diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple index 81cd05639..0cc00235c 100644 --- a/tests/linux/clean/clickhouse.simple 
+++ b/tests/linux/clean/clickhouse.simple @@ -7,6 +7,7 @@ c2/addr/ip: medium c2/addr/server: medium c2/client: medium c2/discovery/dyndns: medium +c2/discovery/ip_dns_resolver: medium c2/tool_transfer/arch: low c2/tool_transfer/download: medium c2/tool_transfer/dropper: medium @@ -16,7 +17,6 @@ collect/databases/leveldb: medium collect/databases/mysql: medium collect/databases/postgresql: medium collect/databases/sqlite: medium -collect/localstorage: medium credential/cloud/aws: medium credential/cloud/g: medium credential/gaming/minecraft: medium @@ -95,7 +95,6 @@ exec/system_controls/systemd: low exfil/collection: medium exfil/proxy: medium fs/directory/create: low -fs/directory/list: low fs/directory/remove: low fs/file/capabilities_set: low fs/file/copy: medium @@ -104,7 +103,6 @@ fs/file/delete: medium fs/file/delete_forcibly: medium fs/file/open: low fs/file/read: low -fs/file/rename: low fs/file/times_set: medium fs/file/truncate: low fs/file/write: low diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md index 51d4d266d..3a93aaa76 100644 --- a/tests/linux/clean/code-oss.md +++ b/tests/linux/clean/code-oss.md @@ -11,7 +11,7 @@ | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [message_port](https://github.com/search?q=message_port&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[minPort](https://github.com/search?q=minPort&type=code)
[maxPort](https://github.com/search?q=maxPort&type=code)
[quic_ip](https://github.com/search?q=quic_ip&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[bIp](https://github.com/search?q=bIp&type=code)
[gIp](https://github.com/search?q=gIp&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [_quic_drop_packets_with_changed_server_address](https://github.com/search?q=_quic_drop_packets_with_changed_server_address&type=code)
[server_address_](https://github.com/search?q=server_address_&type=code) | | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code)
[clientId](https://github.com/search?q=clientId&type=code) | -| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.8.8](https://github.com/search?q=8.8.8.8&type=code)
[8.8.4.4](https://github.com/search?q=8.8.4.4&type=code) | +| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [2001:4860:4860::8888](https://github.com/search?q=2001%3A4860%3A4860%3A%3A8888&type=code)
[2001:4860:4860::8844](https://github.com/search?q=2001%3A4860%3A4860%3A%3A8844&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code)
[8.8.4.4](https://github.com/search?q=8.8.4.4&type=code) | | MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) | | MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [openEyeDropper](https://github.com/search?q=openEyeDropper&type=code)
[FrameDropper](https://github.com/search?q=FrameDropper&type=code)
[eye_dropper](https://github.com/search?q=eye_dropper&type=code) | | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[windows](https://github.com/search?q=windows&type=code)
[darwin](https://github.com/search?q=darwin&type=code)
[linux](https://github.com/search?q=linux&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[macOS](https://github.com/search?q=macOS&type=code)
[macos](https://github.com/search?q=macos&type=code) | @@ -139,7 +139,6 @@ | LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm HP-USB500 5.1 Headset](https://github.com/search?q=rm+HP-USB500+5.1+Headset&type=code)
[rm PA-WL54GU](https://github.com/search?q=rm+PA-WL54GU&type=code) | | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | | LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | -| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | | LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code)
[fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code) | | LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeIntoFile](https://github.com/search?q=writeIntoFile&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code)
[WriteFile](https://github.com/search?q=WriteFile&type=code) | diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple index 9737111dd..a118d6058 100644 --- a/tests/linux/clean/containerd.simple +++ b/tests/linux/clean/containerd.simple @@ -4,6 +4,7 @@ c2/addr/ip: medium c2/addr/server: medium c2/addr/url: low c2/client: medium +c2/discovery/ip_dns_resolver: medium c2/tool_transfer/arch: low c2/tool_transfer/os: medium collect/archives/zip: medium @@ -56,7 +57,6 @@ fs/file/delete: low fs/file/delete_forcibly: low fs/file/open: low fs/file/read: low -fs/file/rename: low fs/file/times_set: medium fs/file/write: low fs/link_create: low diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md index d478dff40..41d8b52b5 100644 --- a/tests/linux/clean/cpack.md +++ b/tests/linux/clean/cpack.md 
@@ -88,7 +88,6 @@ | LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | | LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm -f $TARGET_FILE](https://github.com/search?q=rm+-f+%24TARGET_FILE&type=code) | | LOW | [fs/file/flags_change](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-flags-change.yara#chflags) | [May update file flags using chflags](https://man.freebsd.org/cgi/man.cgi?chflags(1)) | [chflags](https://github.com/search?q=chflags&type=code) | -| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | | LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate](https://github.com/search?q=ftruncate&type=code) | | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | diff --git a/tests/linux/clean/default_config.json.simple b/tests/linux/clean/default_config.json.simple index e69de29bb..618311bb1 100644 --- a/tests/linux/clean/default_config.json.simple +++ b/tests/linux/clean/default_config.json.simple 
@@ -0,0 +1,77 @@ +# linux/clean/default_config.json: medium +c2/addr/url: medium +collect/databases/mysql: medium +collect/databases/postgresql: medium +collect/databases/sqlite: medium +credential/cloud/aws: medium +credential/os/gshadow: medium +credential/os/shadow: medium +credential/password: low +credential/server/htpasswd: medium +credential/shell/bash_history: medium +credential/ssh: medium +credential/ssh/authorized_hosts: medium +credential/ssh/d: medium +crypto/openssl: medium +data/base64/decode: medium +data/base64/external: medium +data/compression/bzip2: low +data/compression/gzip: low +data/compression/lzma: low +data/compression/zlib: low +data/compression/zstd: low +data/encoding/base64: low +data/encoding/utf16: medium +discover/multiple: medium +discover/system/dmesg: low +discover/system/platform: low +discover/user/USER: low +discover/user/name_get: medium +evasion/bypass_security/linux/iptables: medium +evasion/bypass_security/linux/ufw: medium +evasion/file/prefix: medium +evasion/logging/acct: low +evasion/process_injection/readelf: medium +exec/plugin: low +exec/shell/bash_dev_udp: medium +exec/shell/command: medium +exec/shell/nohup: medium +exec/system_controls/apparmor: medium +exec/system_controls/systemd: low +exec/tty/pathname: medium +exfil: medium +fs/fifo_create: low +fs/file/times_set: medium +fs/lock_update: low +fs/mount: low +fs/node_create: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/home: low +fs/path/home_config: low +fs/path/tmp: medium +fs/path/var: low +fs/permission/modify: medium +fs/tempfile: low +hw/hardware_enumeration: medium +hw/wireless: low +impact/exploit: medium +impact/exploit/cve: medium +impact/remote_access/iptables: medium +net/dns/servers: low +net/download: medium +net/ftp/t: low +net/http: low +net/http/cookies: medium +net/http/webhook: medium +net/ip/host_port: medium +net/socket/connect: medium +net/tcp/sftp: medium +persist/cron/tab: medium +persist/daemon: medium +persist/shell/bash: 
medium +persist/shell/zsh: medium +persist/ssh_authorized_keys: medium +process/chroot: low +process/unshare: low +sec-tool/net/nmap: medium diff --git a/tests/linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json.simple b/tests/linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json.simple index e69de29bb..2647ee2ae 100644 --- a/tests/linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json.simple +++ b/tests/linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json.simple @@ -0,0 +1,7 @@ +# linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json: medium +c2/tool_transfer/arch: low +c2/tool_transfer/os: low +exec/shell/power: medium +impact/degrade/win_defender: low +net/download: medium +net/url/embedded: low diff --git a/tests/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json.simple b/tests/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json.simple index e69de29bb..f5c69d915 100644 --- a/tests/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json.simple +++ b/tests/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json.simple @@ -0,0 +1,11 @@ +# linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json: high +3P/sig_base/hacktool_strings_p0wnedshell: low +c2/tool_transfer/exe_url: high +c2/tool_transfer/os: low +exec/shell/power: medium +impact/infection/infected: medium +malware/ref: medium +mem/protect: low +net/download: medium +net/url/embedded: low +sus/malicious: medium diff --git a/tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple b/tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple index e69de29bb..6f7680fd9 100644 --- a/tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple +++ b/tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple 
@@ -0,0 +1,16 @@ +# linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json: medium +c2/tool_transfer/os: low +evasion/file/location/dev_shm: medium +evasion/file/prefix: low +exec/system_controls/systemd: low +fs/path/etc: low +fs/path/etc_initd: medium +fs/path/home: low +fs/path/home_config: low +fs/path/root: medium +fs/path/usr_local: medium +fs/path/var: low +net/url/embedded: low +persist/shell/bash: medium +persist/shell/zsh: medium +privesc/sudoers: medium diff --git a/tests/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json.simple b/tests/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json.simple index e69de29bb..507b9d252 100644 --- a/tests/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json.simple +++ b/tests/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json.simple @@ -0,0 +1,10 @@ +# linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json: medium +c2/addr/url: medium +c2/tool_transfer/os: low +exec/shell/power: medium +false-positives/kibana: low +malware/ref: medium +net/download: medium +net/download/fetch: medium +net/http: low +net/url/embedded: low diff --git a/tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple b/tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple index e69de29bb..497650f83 100644 --- a/tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple +++ b/tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple @@ -0,0 +1,8 @@ +# linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json: medium +c2/tool_transfer/os: low +impact/exploit: medium +impact/exploit/cve: medium +impact/exploit/pwnkit: low +impact/remote_access/agent: medium +net/url/embedded: low +os/fd/multiplex: low 
diff --git a/tests/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json.simple b/tests/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json.simple index e69de29bb..432344dfc 100644 --- a/tests/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json.simple +++ b/tests/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json.simple @@ -0,0 +1,9 @@ +# linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json: high +3P/sig_base/p0wnedpotato: low +c2/tool_transfer/exe_url: high +c2/tool_transfer/os: low +exec/shell/power: medium +net/download: medium +net/rpc/ntlm: medium +net/url/embedded: low +sus/intercept: medium diff --git a/tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple b/tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple index e69de29bb..5fb237fee 100644 --- a/tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple +++ b/tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple @@ -0,0 +1,12 @@ +# linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json: high +3P/sig_base/hacktool_strings_p0wnedshell: low +c2/addr/url: medium +c2/tool_transfer/exe_url: high +c2/tool_transfer/os: low +credential/password: low +exec/shell/power: medium +impact/infection/infected: medium +malware/ref: medium +net/url/embedded: low +sec-tool/credentials/mimikatz: low +sus/malicious: medium diff --git a/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple b/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple index e69de29bb..c61ff66ea 100644 --- a/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple +++ b/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple 
@@ -0,0 +1,25 @@ +# linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json: high +3P/sig_base/hacktool_strings_p0wnedshell: low +3P/sig_base/hktl_domainpasswordspray: low +3P/sig_base/p0wnedpotato: low +3P/sig_base/wmimplant: low +c2/addr/ip: medium +c2/tool_transfer/os: low +credential/password: low +crypto/decrypt: low +exec/cmd: medium +exec/plugin: low +exec/shell/power: medium +exfil/collection: medium +exfil/upload: medium +impact/infection/infected: medium +impact/remote_access/backdoor: medium +impact/remote_access/implant: medium +impact/remote_access/reverse_shell: high +malware/ref: medium +net/dns/txt: low +net/download: medium +net/http: low +net/ip/addr: medium +net/url/embedded: low +sus/malicious: medium diff --git a/tests/linux/clean/kibana/credential_access_dumping_keychain_security.json.simple b/tests/linux/clean/kibana/credential_access_dumping_keychain_security.json.simple index e69de29bb..a48e6914e 100644 --- a/tests/linux/clean/kibana/credential_access_dumping_keychain_security.json.simple +++ b/tests/linux/clean/kibana/credential_access_dumping_keychain_security.json.simple @@ -0,0 +1,4 @@ +# linux/clean/kibana/credential_access_dumping_keychain_security.json: low +c2/tool_transfer/os: low +credential/password: low +net/url/embedded: low diff --git a/tests/linux/clean/kibana/defense_evasion_defender_exclusion_via_powershell.json.simple b/tests/linux/clean/kibana/defense_evasion_defender_exclusion_via_powershell.json.simple index e69de29bb..d735b35e5 100644 --- a/tests/linux/clean/kibana/defense_evasion_defender_exclusion_via_powershell.json.simple +++ b/tests/linux/clean/kibana/defense_evasion_defender_exclusion_via_powershell.json.simple @@ -0,0 +1,8 @@ +# linux/clean/kibana/defense_evasion_defender_exclusion_via_powershell.json: medium +c2/tool_transfer/os: low +exec/shell/power: medium +impact/degrade/win_defender: low +impact/exploit: medium +malware/ref: medium +net/url/embedded: low +sus/malicious: medium 
diff --git a/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple index 3a0f3a713..15320452a 100644 --- a/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple +++ b/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple @@ -16,7 +16,6 @@ crypto/openssl: medium data/encoding/json_decode: low evasion/file/prefix: medium evasion/rootkit/refs: medium -evasion/rootkit/userspace: low exec/plugin: low exec/shell/power: medium exfil/upload: medium diff --git a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple index 8cd56a89c..fdc9c1dbc 100644 --- a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple +++ b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple @@ -1,7 +1,6 @@ # linux/clean/kibana/securitySolution.chunk.9.js: medium anti-behavior/random_behavior: low anti-static/obfuscation/js: medium -anti-static/obfuscation/reverse: medium c2/addr/ip: medium c2/addr/url: low c2/discovery/dyndns: medium @@ -29,7 +28,6 @@ discover/process/name: medium discover/process/parent: low evasion/file/prefix: medium evasion/rootkit/refs: medium -evasion/rootkit/userspace: low exec/cmd: medium exec/plugin: low exec/shell/power: medium diff --git a/tests/linux/clean/kolide/launcher.simple b/tests/linux/clean/kolide/launcher.simple index 886d41a3c..60d1b354f 100644 --- a/tests/linux/clean/kolide/launcher.simple +++ b/tests/linux/clean/kolide/launcher.simple @@ -3,6 +3,7 @@ anti-behavior/random_behavior: low c2/addr/http_dynamic: medium c2/addr/ip: medium c2/addr/url: low +c2/discovery/ip_dns_resolver: medium c2/tool_transfer/arch: low c2/tool_transfer/os: medium collect/archives/zip: medium @@ -52,7 +53,6 @@ fs/file/create: medium fs/file/delete: low fs/file/open: low fs/file/read: low -fs/file/rename: low fs/file/stat: low fs/file/truncate: low fs/file/write: low 
diff --git a/tests/linux/clean/kolide/osqueryd.simple b/tests/linux/clean/kolide/osqueryd.simple index 0d99df3ce..686ae629c 100644 --- a/tests/linux/clean/kolide/osqueryd.simple +++ b/tests/linux/clean/kolide/osqueryd.simple @@ -6,6 +6,7 @@ c2/addr/http_dynamic: medium c2/addr/ip: medium c2/addr/url: low c2/client: medium +c2/discovery/ip_dns_resolver: medium c2/tool_transfer/arch: low c2/tool_transfer/os: medium collect/databases/leveldb: medium diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple index 49d9de332..320b32242 100644 --- a/tests/linux/clean/kuma-cp.simple +++ b/tests/linux/clean/kuma-cp.simple @@ -5,6 +5,7 @@ c2/addr/ip: medium c2/addr/server: medium c2/addr/url: low c2/client: medium +c2/discovery/ip_dns_resolver: medium c2/tool_transfer/arch: low c2/tool_transfer/download: medium c2/tool_transfer/os: medium @@ -71,7 +72,6 @@ fs/file/delete: low fs/file/delete_forcibly: low fs/file/open: low fs/file/read: low -fs/file/rename: low fs/file/stat: low fs/file/write: low fs/link_read: low diff --git a/tests/linux/clean/ld-2.27.so.simple b/tests/linux/clean/ld-2.27.so.simple index 0180d38ee..654f30a3d 100644 --- a/tests/linux/clean/ld-2.27.so.simple +++ b/tests/linux/clean/ld-2.27.so.simple @@ -1,8 +1,4 @@ # linux/clean/ld-2.27.so: medium -anti-behavior/LD_DEBUG: medium -anti-behavior/LD_PROFILE: medium -anti-static/elf/multiple: medium -c2/addr/url: low c2/tool_transfer/arch: low c2/tool_transfer/os: low discover/process/runtime_deps: medium diff --git a/tests/linux/clean/libasan.so.8.0.0.simple b/tests/linux/clean/libasan.so.8.0.0.simple index 07c61174b..4f7172862 100644 --- a/tests/linux/clean/libasan.so.8.0.0.simple +++ b/tests/linux/clean/libasan.so.8.0.0.simple @@ -1,6 +1,5 @@ # linux/clean/libasan.so.8.0.0: medium anti-behavior/random_behavior: low -c2/addr/url: low c2/tool_transfer/arch: low c2/tool_transfer/os: medium data/compression/lzma: low 
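Review bot: The ld-2.27.so expectation now loses anti-behavior/LD_DEBUG, anti-behavior/LD_PROFILE and anti-static/elf/multiple, all rules aimed at ELF objects, on a file that is itself an ELF shared object; the diffstat shows each of those rule files gained one line, presumably the new file-type restriction, so a `.so` ceasing to match them suggests shared objects are being classified as something other than the ELF type. Worth verifying what type the classifier assigns to `.so` inputs before accepting the smaller expectation, because the same gating would then silently disable every ELF-only rule on shared libraries. The libasan, libc, libgcj and libsystemd hunks alongside show the related drop of c2/addr/url on `.so` files and should be checked with the same question in mind.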
diff --git a/tests/linux/clean/libc.so.6.simple b/tests/linux/clean/libc.so.6.simple index dfffdc8b8..76ed71448 100644 --- a/tests/linux/clean/libc.so.6.simple +++ b/tests/linux/clean/libc.so.6.simple @@ -1,7 +1,6 @@ # linux/clean/libc.so.6: medium anti-behavior/random_behavior: low c2/addr/ip: medium -c2/addr/url: low c2/tool_transfer/os: low credential/os/gshadow: medium credential/os/shadow: medium diff --git a/tests/linux/clean/libgcj.so.17.0.0.simple b/tests/linux/clean/libgcj.so.17.0.0.simple index fc3b19135..2ae9cc7bc 100644 --- a/tests/linux/clean/libgcj.so.17.0.0.simple +++ b/tests/linux/clean/libgcj.so.17.0.0.simple @@ -2,7 +2,6 @@ 3P/JPCERT/cobaltstrike_v3v4: medium anti-behavior/random_behavior: low c2/addr/ip: medium -c2/addr/url: low c2/tool_transfer/os: medium credential/password: low credential/ssl/private_key: low @@ -43,12 +42,10 @@ exec/shell/SHELL: low exec/shell/command: medium exfil/office_file_ext: medium fs/directory/create: low -fs/directory/list: low fs/directory/remove: low fs/file/copy: medium fs/file/delete: medium fs/file/open: low -fs/file/rename: low fs/file/times_set: medium fs/file/truncate: low fs/file/write: low diff --git a/tests/linux/clean/libgcj.so.17.simple b/tests/linux/clean/libgcj.so.17.simple index c524275b6..cb6241d1f 100644 --- a/tests/linux/clean/libgcj.so.17.simple +++ b/tests/linux/clean/libgcj.so.17.simple @@ -2,7 +2,6 @@ 3P/JPCERT/cobaltstrike_v3v4: medium anti-behavior/random_behavior: low c2/addr/ip: medium -c2/addr/url: low c2/tool_transfer/os: medium credential/password: low credential/ssl/private_key: low @@ -43,12 +42,10 @@ exec/shell/SHELL: low exec/shell/command: medium exfil/office_file_ext: medium fs/directory/create: low -fs/directory/list: low fs/directory/remove: low fs/file/copy: medium fs/file/delete: medium fs/file/open: low -fs/file/rename: low fs/file/times_set: medium fs/file/truncate: low fs/file/write: low 
diff --git a/tests/linux/clean/libsystemd.so.0.simple b/tests/linux/clean/libsystemd.so.0.simple index 429baf58d..a0d121da0 100644 --- a/tests/linux/clean/libsystemd.so.0.simple +++ b/tests/linux/clean/libsystemd.so.0.simple @@ -1,6 +1,5 @@ # linux/clean/libsystemd.so.0: medium anti-behavior/random_behavior: low -c2/addr/url: low c2/tool_transfer/arch: low c2/tool_transfer/os: low crypto/rc4: low diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple index 8564f28ec..9ed15b561 100644 --- a/tests/linux/clean/melange.simple +++ b/tests/linux/clean/melange.simple @@ -5,10 +5,10 @@ c2/addr/http_dynamic: medium c2/addr/ip: medium c2/addr/url: low c2/client: medium +c2/discovery/ip_dns_resolver: medium c2/refs: medium c2/tool_transfer/arch: low c2/tool_transfer/os: medium -collect/archives/tar_command: medium collect/archives/zip: medium collect/code/github_api: low credential/cloud/g: medium @@ -60,7 +60,6 @@ evasion/file/location/system_directory: medium evasion/file/prefix: medium evasion/hide_artifacts/pivot_root: medium exec/cmd: medium -exec/install_additional/pip_install: medium exec/plugin: low exec/program: medium exec/shell/TERM: low @@ -78,7 +77,6 @@ fs/file/delete: medium fs/file/delete_forcibly: medium fs/file/open: low fs/file/read: low -fs/file/rename: low fs/file/write: low fs/link_create: low fs/link_read: low diff --git a/tests/linux/clean/misp_sample.ndjson.log.simple b/tests/linux/clean/misp_sample.ndjson.log.simple index e69de29bb..1dbf6bfc4 100644 --- a/tests/linux/clean/misp_sample.ndjson.log.simple +++ b/tests/linux/clean/misp_sample.ndjson.log.simple 
@@ -0,0 +1,15 @@
+# linux/clean/misp_sample.ndjson.log: high
+c2/addr/ip: medium
+c2/addr/url: medium
+c2/tool_transfer/download: high
+c2/tool_transfer/os: low
+crypto/aes: low
+crypto/decrypt: low
+evasion/rootkit/refs: low
+impact/ransom/decryptor: medium
+impact/remote_access/backdoor: medium
+malware/ref: medium
+net/http: low
+net/ip/host_port: medium
+net/url/embedded: medium
+os/fd/multiplex: low
diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple
index f02bb8d2d..46ba770a7 100644
--- a/tests/linux/clean/mongosh.simple
+++ b/tests/linux/clean/mongosh.simple
@@ -90,7 +90,6 @@ exec/tty/pathname: medium
 exfil/office_file_ext: medium
 exfil/stealer/credit_card: medium
 fs/directory/create: low
-fs/directory/list: low
 fs/directory/remove: low
 fs/file/append: low
 fs/file/capabilities_set: low
@@ -100,7 +99,6 @@ fs/file/delete: medium
 fs/file/delete_forcibly: low
 fs/file/open: low
 fs/file/read: low
-fs/file/rename: low
 fs/file/stat: low
 fs/file/times_set: medium
 fs/file/truncate: low
diff --git a/tests/linux/clean/opa.simple b/tests/linux/clean/opa.simple
index 9e54af885..dca24341a 100644
--- a/tests/linux/clean/opa.simple
+++ b/tests/linux/clean/opa.simple
@@ -4,6 +4,7 @@ c2/addr/http_dynamic: medium
 c2/addr/ip: medium
 c2/addr/url: low
 c2/client: medium
+c2/discovery/ip_dns_resolver: medium
 c2/tool_transfer/arch: low
 c2/tool_transfer/download: medium
 c2/tool_transfer/os: medium
@@ -45,7 +46,6 @@ fs/file/copy: medium
 fs/file/delete: low
 fs/file/open: low
 fs/file/read: low
-fs/file/rename: low
 fs/file/stat: low
 fs/file/times_set: low
 fs/file/write: low
diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md
index 012c36023..4df6e59af 100644
--- a/tests/linux/clean/pandoc.md
+++ b/tests/linux/clean/pandoc.md
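Review bot: The new expectation file for a fixture under tests/linux/clean records an overall verdict of `high` (`# linux/clean/misp_sample.ndjson.log: high`, driven by `c2/tool_transfer/download: high`), so a file the test tree treats as clean now carries the top risk level, and the other newly added data fixtures in this series (pypi_package_index.json, rules.json, searchindex.json, sonarlint-metadata.json) all land at `medium` with hits such as `sus/malicious` and `impact/exploit`. If that is the accepted cost of extending scanning to log/JSON content, it would help to say so in the commit description; if not, it suggests the newly covered text inputs need either a lower weighting or a matching entry under the `false-positives/` rules before these expectations are locked in. Presumably these files are generated by the test harness, so the point is about the scoring behaviour they capture rather than the fixture text itself.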
@@ -7,6 +7,7 @@
 | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) |
 | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code) |
 | MEDIUM | [c2/discovery/dyndns](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/dyndns.yara#dynamic_dns_user) | uses dynamic DNS service | [dyndns](https://github.com/search?q=dyndns&type=code) |
+| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#cloudflare_dns_ip) | contains Cloudflare DNS resolver IP | [1.1.1.1](https://github.com/search?q=1.1.1.1&type=code) |
 | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[windows](https://github.com/search?q=windows&type=code)
[linux](https://github.com/search?q=linux&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[macOS](https://github.com/search?q=macOS&type=code) |
 | MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [unarchived](https://github.com/search?q=unarchived&type=code) |
 | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [ZIP64](https://github.com/search?q=ZIP64&type=code) |
@@ -129,7 +130,6 @@
 | LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm --](https://github.com/search?q=rm++--&type=code) |
 | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#java_open) | opens files | [openFile](https://github.com/search?q=openFile&type=code) |
 | LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) |
-| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [renameFile](https://github.com/search?q=renameFile&type=code)
[os.rename](https://github.com/search?q=os.rename&type=code)
[MoveFile](https://github.com/search?q=MoveFile&type=code) |
 | LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate](https://github.com/search?q=ftruncate&type=code) |
 | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [29762_TextziXML_writeFilezugoRight_closure](https://github.com/search?q=29762_TextziXML_writeFilezugoRight_closure&type=code)
[XMLziUnresolved_writeFilezugoRight_closure](https://github.com/search?q=XMLziUnresolved_writeFilezugoRight_closure&type=code)
[29762_TextziXML_writeFilezugoRight_info](https://github.com/search?q=29762_TextziXML_writeFilezugoRight_info&type=code)
[XMLziUnresolved_writeFilezugoRight_info](https://github.com/search?q=XMLziUnresolved_writeFilezugoRight_info&type=code)
[ystemziIOziTemp_writeTempFile4_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile4_closure&type=code)
[ystemziIOziTemp_writeTempFile3_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile3_closure&type=code)
[ystemziIOziTemp_writeTempFile2_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile2_closure&type=code)
[ystemziIOziTemp_writeTempFile5_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile5_closure&type=code)
[ystemziIOziTemp_writeTempFile1_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile1_closure&type=code)
[tziPandocziUTF8_writeFileWith1_closure](https://github.com/search?q=tziPandocziUTF8_writeFileWith1_closure&type=code)
[ystemziIOziTemp_writeTempFile_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile_closure&type=code)
[tziPandocziUTF8_writeFileWith_closure](https://github.com/search?q=tziPandocziUTF8_writeFileWith_closure&type=code)
[tziPandocziUTF8_writeFileWith1_info](https://github.com/search?q=tziPandocziUTF8_writeFileWith1_info&type=code)
[tziPandocziUTF8_writeFileWith_info](https://github.com/search?q=tziPandocziUTF8_writeFileWith_info&type=code)
[tziPandocziUTF8_writeFile1_closure](https://github.com/search?q=tziPandocziUTF8_writeFile1_closure&type=code)
[29762_TextziXML_writeFile2_closure](https://github.com/search?q=29762_TextziXML_writeFile2_closure&type=code)
[29762_TextziXML_writeFile3_closure](https://github.com/search?q=29762_TextziXML_writeFile3_closure&type=code)
[XMLziUnresolved_writeFile2_closure](https://github.com/search?q=XMLziUnresolved_writeFile2_closure&type=code)
[ataziByteString_writeFile1_closure](https://github.com/search?q=ataziByteString_writeFile1_closure&type=code)
[StringziBuilder_writeFile1_closure](https://github.com/search?q=StringziBuilder_writeFile1_closure&type=code)
[base_SystemziIO_writeFile1_closure](https://github.com/search?q=base_SystemziIO_writeFile1_closure&type=code)
[_DataziTextziIO_writeFile1_closure](https://github.com/search?q=_DataziTextziIO_writeFile1_closure&type=code)
[29762_TextziXML_writeFile1_closure](https://github.com/search?q=29762_TextziXML_writeFile1_closure&type=code)
[teStringziLazzy_writeFile1_closure](https://github.com/search?q=teStringziLazzy_writeFile1_closure&type=code)
[ystemziIOziTemp_writeTempFile_info](https://github.com/search?q=ystemziIOziTemp_writeTempFile_info&type=code)
[XMLziUnresolved_writeFile1_closure](https://github.com/search?q=XMLziUnresolved_writeFile1_closure&type=code)
[XMLziUnresolved_writeFile3_closure](https://github.com/search?q=XMLziUnresolved_writeFile3_closure&type=code)
[base_SystemziIO_writeFile_closure](https://github.com/search?q=base_SystemziIO_writeFile_closure&type=code)
[XMLziUnresolved_writeFile_closure](https://github.com/search?q=XMLziUnresolved_writeFile_closure&type=code)
[tziPandocziUTF8_writeFile_closure](https://github.com/search?q=tziPandocziUTF8_writeFile_closure&type=code)
[StringziBuilder_writeFile_closure](https://github.com/search?q=StringziBuilder_writeFile_closure&type=code)
[29762_TextziXML_writeFile_closure](https://github.com/search?q=29762_TextziXML_writeFile_closure&type=code)
[teStringziLazzy_writeFile_closure](https://github.com/search?q=teStringziLazzy_writeFile_closure&type=code)
[ataziByteString_writeFile_closure](https://github.com/search?q=ataziByteString_writeFile_closure&type=code)
[_DataziTextziIO_writeFile_closure](https://github.com/search?q=_DataziTextziIO_writeFile_closure&type=code)
[XMLziUnresolved_writeFile3_info](https://github.com/search?q=XMLziUnresolved_writeFile3_info&type=code)
[XMLziUnresolved_writeFile1_info](https://github.com/search?q=XMLziUnresolved_writeFile1_info&type=code)
[ataziByteString_writeFile1_info](https://github.com/search?q=ataziByteString_writeFile1_info&type=code)
[29762_TextziXML_writeFile1_info](https://github.com/search?q=29762_TextziXML_writeFile1_info&type=code)
[teStringziLazzy_writeFile1_info](https://github.com/search?q=teStringziLazzy_writeFile1_info&type=code)
[tziPandocziUTF8_writeFile1_info](https://github.com/search?q=tziPandocziUTF8_writeFile1_info&type=code)
[_DataziTextziIO_writeFile1_info](https://github.com/search?q=_DataziTextziIO_writeFile1_info&type=code)
[29762_TextziXML_writeFile2_info](https://github.com/search?q=29762_TextziXML_writeFile2_info&type=code)
[29762_TextziXML_writeFile3_info](https://github.com/search?q=29762_TextziXML_writeFile3_info&type=code)
[XMLziUnresolved_writeFile2_info](https://github.com/search?q=XMLziUnresolved_writeFile2_info&type=code)
[base_SystemziIO_writeFile1_info](https://github.com/search?q=base_SystemziIO_writeFile1_info&type=code)
[StringziBuilder_writeFile1_info](https://github.com/search?q=StringziBuilder_writeFile1_info&type=code)
[teStringziLazzy_writeFile_info](https://github.com/search?q=teStringziLazzy_writeFile_info&type=code)
[tziPandocziUTF8_writeFile_info](https://github.com/search?q=tziPandocziUTF8_writeFile_info&type=code)
[_DataziTextziIO_writeFile_info](https://github.com/search?q=_DataziTextziIO_writeFile_info&type=code)
[base_SystemziIO_writeFile_info](https://github.com/search?q=base_SystemziIO_writeFile_info&type=code)
[StringziBuilder_writeFile_info](https://github.com/search?q=StringziBuilder_writeFile_info&type=code)
[ataziByteString_writeFile_info](https://github.com/search?q=ataziByteString_writeFile_info&type=code)
[29762_TextziXML_writeFile_info](https://github.com/search?q=29762_TextziXML_writeFile_info&type=code)
[XMLziUnresolved_writeFile_info](https://github.com/search?q=XMLziUnresolved_writeFile_info&type=code)
[writeEventLogFileNoop](https://github.com/search?q=writeEventLogFileNoop&type=code) |
 | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) |
diff --git a/tests/linux/clean/pulumi.simple b/tests/linux/clean/pulumi.simple
index 523e8dda2..4f07889fd 100644
--- a/tests/linux/clean/pulumi.simple
+++ b/tests/linux/clean/pulumi.simple
@@ -5,6 +5,7 @@ c2/addr/ip: medium
 c2/addr/server: medium
 c2/addr/url: low
 c2/client: medium
+c2/discovery/ip_dns_resolver: medium
 c2/tool_transfer/arch: low
 c2/tool_transfer/download: medium
 c2/tool_transfer/os: medium
@@ -61,7 +62,6 @@ discover/user/name_get: medium
 evasion/file/prefix: medium
 exec/cmd: medium
 exec/conditional/LANG: low
-exec/install_additional/pip_install: medium
 exec/plugin: low
 exec/program: medium
 exec/program/background: low
@@ -82,7 +82,6 @@ fs/file/delete: medium
 fs/file/delete_forcibly: low
 fs/file/open: low
 fs/file/read: low
-fs/file/rename: low
 fs/file/times_set: medium
 fs/file/write: low
 fs/link_read: low
diff --git a/tests/linux/clean/pypi_package_index.json.simple b/tests/linux/clean/pypi_package_index.json.simple
index e69de29bb..75ca179be 100644
--- a/tests/linux/clean/pypi_package_index.json.simple
+++ b/tests/linux/clean/pypi_package_index.json.simple
@@ -0,0 +1,132 @@
+# linux/clean/pypi_package_index.json: medium
+anti-behavior/random_behavior: low
+anti-static/obfuscation/obfuscate: low
+c2/discovery/dyndns: medium
+c2/refs: medium
+c2/tool_transfer/download: medium
+c2/tool_transfer/dropper: medium
+collect/archives/unarchive: medium
+collect/archives/zip: medium
+collect/databases/leveldb: medium
+collect/databases/mysql: medium
+collect/databases/postgresql: medium
+collect/databases/sqlite: medium
+credential/gaming/minecraft: medium
+credential/keychain: medium
+credential/keylogger: medium
+credential/password: low
+credential/password/hashcat: medium
+credential/sniffer/bpf: medium
+credential/ssh/d: medium
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/blockchain: medium
+crypto/cipher: medium
+crypto/ed25519: low
+crypto/encrypt: medium
+crypto/fernet: medium
+crypto/openssl: medium
+crypto/public_key: low
+data/compression/bzip2: low
+data/compression/gzip: low
+data/compression/lzma: low
+data/compression/zlib: low
+data/compression/zstd: low
+data/encoding/base64: low
+data/hash/blake2b: low
+data/random/insecure: low
+discover/network/interface_list: medium
+discover/network/netstat: medium
+discover/processes/list: medium
+discover/processes/pgrep: medium
+discover/system/cpu: low
+discover/system/machine_id: low
+discover/system/platform: low
+discover/system/sysinfo: medium
+discover/user/name_get: medium
+evasion/bypass_security/linux/iptables: medium
+evasion/bypass_security/linux/ufw: medium
+evasion/logging/acct: low
+evasion/process_injection/ptrace: medium
+evasion/process_injection/readelf: medium
+evasion/rootkit/refs: medium
+exec/dylib/symbol_address: medium
+exec/plugin: low
+exec/program: medium
+exec/script/osa: medium
+exec/shell/power: medium
+exec/system_controls/apparmor: medium
+exec/system_controls/systemd: medium
+exec/tty/getpass: low
+exfil/office_file_ext: medium
+fs/directory/create: low
+fs/file/delete: low
+fs/file/times_set: medium
+fs/link_create: low
+fs/lock_update: low
+fs/mount: low
+fs/permission/modify: medium
+fs/proc/pid_cmdline: low
+fs/symlink_resolve: low
+fs/tempdir/TEMP: low
+fs/tempfile: low
+fs/watch: low
+hw/dev/mem: medium
+hw/hardware_enumeration: medium
+hw/wireless: low
+impact/cryptojacking/monero_pool: medium
+impact/exploit: medium
+impact/exploit/cve: medium
+impact/infection/worm: medium
+impact/ransom/decryptor: medium
+impact/remote_access/crypto_listen_socks: medium
+impact/remote_access/heartbeat: medium
+impact/remote_access/implant: medium
+impact/remote_access/iptables: medium
+impact/remote_access/trojan: medium
+impact/ui/x11_auth: medium
+lateral/scan/brute_force: low
+malware/ref: medium
+net/dns/over_https: medium
+net/download: medium
+net/http: low
+net/http/auth: low
+net/http/oauth2: low
+net/http/request: low
+net/http/webhook: medium
+net/ip/host_port: medium
+net/ip/multicast_send: low
+net/ip/spoof: medium
+net/proxy/reverse: medium
+net/proxy/socks5: medium
+net/proxy/tunnel: medium
+net/rpc/ntlm: medium
+net/socket/listen: medium
+net/socket/pair: medium
+net/socket/receive: low
+net/socket/send: low
+net/tcp/sftp: medium
+net/tcp/synflood: medium
+net/url/encode: medium
+net/url/parse: low
+os/env/get: low
+os/fd/sendfile: low
+os/kernel/hardware_locality: low
+os/kernel/key_management: low
+os/kernel/netlink: low
+os/time/tzinfo: low
+persist/cron/tab: medium
+persist/daemon: medium
+persist/daemon/detach: medium
+persist/launchd/launch_agent: medium
+privesc/sudo: medium
+process/chroot: low
+process/multi: medium
+process/terminate/taskkill: medium
+process/unshare: low
+sec-tool/net/masscan: medium
+sec-tool/net/nmap: medium
+sec-tool/pentest/metasploit_ref: medium
+sus/intercept: medium
+sus/leetspeak: medium
+sus/malicious: medium
diff --git a/tests/linux/clean/rules.json.simple b/tests/linux/clean/rules.json.simple
index e69de29bb..dc46d2098 100644
--- a/tests/linux/clean/rules.json.simple
+++ b/tests/linux/clean/rules.json.simple
@@ -0,0 +1,78 @@
+# linux/clean/rules.json: medium
+anti-static/obfuscation/hex: medium
+collect/databases/mysql: medium
+collect/databases/postgresql: medium
+collect/databases/sqlite: medium
+credential/cloud/aws: medium
+credential/os/gshadow: medium
+credential/os/shadow: medium
+credential/password: low
+credential/server/htpasswd: medium
+credential/shell/bash_history: medium
+credential/ssh: medium
+credential/ssh/authorized_hosts: medium
+credential/ssh/d: medium
+crypto/openssl: medium
+data/base64/decode: medium
+data/base64/external: medium
+data/compression/bzip2: low
+data/compression/gzip: low
+data/compression/lzma: low
+data/compression/zlib: low
+data/compression/zstd: low
+data/encoding/base64: low
+data/encoding/utf16: medium
+discover/multiple: medium
+discover/system/dmesg: low
+discover/system/platform: low
+discover/user/USER: low
+discover/user/name_get: medium
+evasion/bypass_security/linux/iptables: medium
+evasion/bypass_security/linux/ufw: medium
+evasion/file/location/var_run: medium
+evasion/file/prefix: medium
+evasion/logging/acct: low
+evasion/process_injection/readelf: medium
+exec/plugin: low
+exec/shell/bash_dev_udp: medium
+exec/shell/command: medium
+exec/shell/nohup: medium
+exec/system_controls/apparmor: medium
+exec/system_controls/systemd: low
+exec/tty/pathname: medium
+exfil: medium
+fs/fifo_create: low
+fs/file/times_set: medium
+fs/lock_update: low
+fs/mount: low
+fs/node_create: low
+fs/path/etc: low
+fs/path/etc_hosts: medium
+fs/path/home: low
+fs/path/home_config: low
+fs/path/tmp: medium
+fs/path/var: low
+fs/permission/modify: medium
+fs/tempfile: low
+hw/hardware_enumeration: medium
+hw/wireless: low
+impact/exploit: medium
+impact/exploit/cve: medium
+impact/remote_access/iptables: medium
+net/dns/servers: low
+net/download: medium
+net/ftp/t: low
+net/http: low
+net/http/cookies: medium
+net/http/webhook: medium
+net/ip/host_port: medium
+net/socket/connect: medium
+net/tcp/sftp: medium
+persist/cron/tab: 
medium
+persist/daemon: medium
+persist/shell/bash: medium
+persist/shell/zsh: medium
+persist/ssh_authorized_keys: medium
+process/chroot: low
+process/unshare: low
+sec-tool/net/nmap: medium
diff --git a/tests/linux/clean/runtime-security-fentry.o.simple b/tests/linux/clean/runtime-security-fentry.o.simple
index 1701e8e43..8af37c436 100644
--- a/tests/linux/clean/runtime-security-fentry.o.simple
+++ b/tests/linux/clean/runtime-security-fentry.o.simple
@@ -1,7 +1,6 @@
 # linux/clean/runtime-security-fentry.o: medium
 anti-behavior/random_behavior: low
 c2/addr/ip: medium
-c2/addr/url: low
 c2/tool_transfer/arch: low
 c2/tool_transfer/os: medium
 credential/sniffer/bpf: medium
diff --git a/tests/linux/clean/runtime-security-syscall-wrapper.o.simple b/tests/linux/clean/runtime-security-syscall-wrapper.o.simple
index 1aaa19aad..3ae956816 100644
--- a/tests/linux/clean/runtime-security-syscall-wrapper.o.simple
+++ b/tests/linux/clean/runtime-security-syscall-wrapper.o.simple
@@ -1,7 +1,6 @@
 # linux/clean/runtime-security-syscall-wrapper.o: medium
 anti-behavior/random_behavior: low
 c2/addr/ip: medium
-c2/addr/url: low
 c2/tool_transfer/arch: low
 c2/tool_transfer/os: medium
 credential/sniffer/bpf: medium
diff --git a/tests/linux/clean/runtime-security.o.simple b/tests/linux/clean/runtime-security.o.simple
index 1874f178a..0e9cede2d 100644
--- a/tests/linux/clean/runtime-security.o.simple
+++ b/tests/linux/clean/runtime-security.o.simple
@@ -1,7 +1,6 @@
 # linux/clean/runtime-security.o: medium
 anti-behavior/random_behavior: low
 c2/addr/ip: medium
-c2/addr/url: low
 c2/tool_transfer/os: medium
 credential/sniffer/bpf: medium
 evasion/bypass_security/linux/iptables: medium
diff --git a/tests/linux/clean/rust_libtest-350a2b8f7a4551b7.so.simple b/tests/linux/clean/rust_libtest-350a2b8f7a4551b7.so.simple
index 84d027a7b..12c5ebb50 100644
--- a/tests/linux/clean/rust_libtest-350a2b8f7a4551b7.so.simple
+++ b/tests/linux/clean/rust_libtest-350a2b8f7a4551b7.so.simple
@@ -1,6 +1,5 @@
 # linux/clean/rust_libtest-350a2b8f7a4551b7.so: medium
 anti-behavior/random_behavior: low
-c2/addr/url: low
 c2/tool_transfer/arch: low
 c2/tool_transfer/os: medium
 discover/process/runtime_deps: medium
diff --git a/tests/linux/clean/searchindex.json.simple b/tests/linux/clean/searchindex.json.simple
index e69de29bb..43e2a146f 100644
--- a/tests/linux/clean/searchindex.json.simple
+++ b/tests/linux/clean/searchindex.json.simple
@@ -0,0 +1,71 @@
+# linux/clean/searchindex.json: medium
+anti-behavior/random_behavior: low
+anti-static/obfuscation/obfuscate: low
+c2/addr/discord: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/dropper: medium
+c2/tool_transfer/os: medium
+credential/keylogger: medium
+credential/password: low
+crypto/encrypt: medium
+crypto/openssl: medium
+crypto/public_key: low
+data/compression/bzip2: low
+data/compression/zlib: low
+data/embedded/html: medium
+data/random/insecure: low
+discover/components/docker: medium
+discover/system/platform: low
+discover/system/sysinfo: medium
+evasion/file/location/chdir_unusual: medium
+evasion/file/location/system_directory: medium
+evasion/rootkit/refs: medium
+exec/install_additional/package_install: medium
+exec/plugin: low
+exec/program: medium
+exec/shell/exec: medium
+exec/system_controls/systemd: low
+exfil/stealer/credit_card: medium
+fs/directory/create: low
+fs/file/delete: low
+fs/file/delete_forcibly: medium
+fs/file/times_set: medium
+fs/mount: low
+fs/path/boot: medium
+fs/path/dev: medium
+fs/path/etc: low
+fs/path/etc_resolv.conf: low
+fs/path/home: low
+fs/path/tmp: medium
+fs/path/users: medium
+fs/path/usr_local: medium
+fs/path/var: low
+fs/path/var_log: medium
+fs/watch: low
+impact/exploit: medium
+impact/infection/infected: medium
+impact/remote_access/agent: medium
+impact/remote_access/backdoor: medium
+impact/remote_access/reverse_shell: medium
+impact/remote_access/trojan: medium
+malware/ref: medium
+net/dns/servers: low
+net/dns/txt: low
+net/download/fetch: medium
+net/http: low
+net/ip/addr: medium
+net/ip/host_port: medium
+net/ip/icmp: medium
+net/ip/spoof: medium
+net/socket/listen: medium
+net/socket/send: low
+net/tcp/ssh: medium
+net/url/embedded: medium
+persist/cron/tab: medium
+persist/daemon: medium
+persist/service/start: low
+privesc/sudo: medium
+process/chdir: low
+process/chroot: low
+process/executable_path: low
+sus/malicious: medium
diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md
index f6fc384ef..f953b8f07 100644
--- a/tests/linux/clean/slack.md
+++ b/tests/linux/clean/slack.md
@@ -10,7 +10,7 @@
 | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [endpoint_port](https://github.com/search?q=endpoint_port&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[required_ip](https://github.com/search?q=required_ip&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[multi_port](https://github.com/search?q=multi_port&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[quiche_ip](https://github.com/search?q=quiche_ip&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[firstIp](https://github.com/search?q=firstIp&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[yoIp](https://github.com/search?q=yoIp&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[xIp](https://github.com/search?q=xIp&type=code)
[pIp](https://github.com/search?q=pIp&type=code)
[hIp](https://github.com/search?q=hIp&type=code)
[IP](https://github.com/search?q=IP&type=code) |
 | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [server_address_](https://github.com/search?q=server_address_&type=code) |
 | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code)
[clientId](https://github.com/search?q=clientId&type=code) |
-| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.8.8](https://github.com/search?q=8.8.8.8&type=code)
[8.8.4.4](https://github.com/search?q=8.8.4.4&type=code) |
+| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [2001:4860:4860::8888](https://github.com/search?q=2001%3A4860%3A4860%3A%3A8888&type=code)
[2001:4860:4860::8844](https://github.com/search?q=2001%3A4860%3A4860%3A%3A8844&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code)
[8.8.4.4](https://github.com/search?q=8.8.4.4&type=code) |
 | MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) |
 | MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [openEyeDropper](https://github.com/search?q=openEyeDropper&type=code)
[FrameDropper](https://github.com/search?q=FrameDropper&type=code)
[eye_dropper](https://github.com/search?q=eye_dropper&type=code) |
 | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[windows](https://github.com/search?q=windows&type=code)
[darwin](https://github.com/search?q=darwin&type=code)
[linux](https://github.com/search?q=linux&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[macOS](https://github.com/search?q=macOS&type=code)
[macos](https://github.com/search?q=macos&type=code) |
@@ -141,7 +141,6 @@
 | LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm HP-USB500 5.1 Headset](https://github.com/search?q=rm+HP-USB500+5.1+Headset&type=code)
[rm PA-WL54GU](https://github.com/search?q=rm+PA-WL54GU&type=code) |
 | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) |
 | LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) |
-| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) |
 | LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code)
[fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code) |
 | LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) |
 | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [_writeFilesForTesting](https://github.com/search?q=_writeFilesForTesting&type=code)
[writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeFileUtf8](https://github.com/search?q=writeFileUtf8&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code)
[WriteFile](https://github.com/search?q=WriteFile&type=code) |
diff --git a/tests/linux/clean/sonarlint-metadata.json.simple b/tests/linux/clean/sonarlint-metadata.json.simple
index e69de29bb..89605235f 100644
--- a/tests/linux/clean/sonarlint-metadata.json.simple
+++ b/tests/linux/clean/sonarlint-metadata.json.simple
@@ -0,0 +1,74 @@
+# linux/clean/sonarlint-metadata.json: medium
+anti-behavior/random_behavior: low
+c2/addr/ip: medium
+c2/tool_transfer/dropper: medium
+c2/tool_transfer/os: medium
+collect/archives/zip: medium
+collect/databases/mysql: medium
+credential/password: low
+credential/shell/bash_history: medium
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/cipher: medium
+crypto/decrypt: low
+crypto/ed25519: low
+crypto/openssl: medium
+crypto/public_key: low
+crypto/uuid: medium
+data/encoding/int: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
+discover/network/interface_list: medium
+discover/process/working_directory: low
+discover/user/USER: low
+evasion/file/location/dev_mqueue: medium
+evasion/file/prefix: medium
+exec/plugin: low
+exfil/stealer/credit_card: medium
+false-positives/sonarqube: low
+fs/directory/create: low
+fs/file/copy: medium
+fs/file/delete_forcibly: low
+fs/file/open: low
+fs/file/read: low
+fs/file/write: low
+fs/path/dev: medium
+fs/path/etc: low
+fs/path/etc_hosts: medium
+fs/path/home: low
+fs/path/relative: medium
+fs/path/tmp: medium
+fs/path/users: medium
+fs/path/usr_bin: low
+fs/path/var: low
+fs/permission/modify: medium
+fs/tempdir: low
+impact/ddos: medium
+impact/exploit: medium
+impact/infection/infected: medium
+impact/remote_access/agent: medium
+lateral/scan/brute_force: low
+malware/ref: medium
+net/download: medium
+net/http: low
+net/http/2: low
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/post: medium
+net/http/request: low
+net/http/websocket: medium
+net/ip/addr: medium
+net/ip/host_port: medium
+net/ip/spoof: medium
+net/socket/listen: medium
+net/socket/send: low
+net/tcp/sftp: medium
+net/tcp/ssh: medium
+net/url/embedded: medium
+net/url/encode: medium
+os/env/get: low
+os/fd/read: low
+os/fd/write: low
+persist/writeable_dir: medium
+sus/intercept: medium
+sus/malicious: medium
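Review bot: This new fixture pins a `medium` overall verdict, with findings such as `impact/ddos`, `impact/exploit`, `lateral/scan/brute_force` and `sus/malicious`, for a file that lives under `tests/linux/clean/`; the later `wikiticker-2015-09-12-sampled.json.simple` hunk in this patch does the same with a `high` verdict driven by `impact/remote_access/botnet: high`. Committing these as expected output makes what look like false positives on plain JSON data part of the test oracle, so a later rule fix that lowers them will fail the suite instead of being recognised as an improvement. It would be better to triage the rules that fire on these two JSON files before enabling the new file types, or to record in the commit message why a sample in `clean/` is expected to score this way. The `.simple` format carries no evidence strings, so I cannot tell from the hunk which matches produced these verdicts — presumably text inside the sampled data, which is worth confirming before the expectations land.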
diff --git a/tests/linux/clean/systemd-sysv-generator.simple b/tests/linux/clean/systemd-sysv-generator.simple
index b21c771f0..16de84002 100644
--- a/tests/linux/clean/systemd-sysv-generator.simple
+++ b/tests/linux/clean/systemd-sysv-generator.simple
@@ -5,7 +5,6 @@ c2/tool_transfer/os: low
 credential/password: low
 evasion/file/prefix: medium
 exec/system_controls/systemd: low
-false-positives/systemd: low
 fs/file/delete: low
 fs/path/etc: low
 impact/remote_access/agent: medium
diff --git a/tests/linux/clean/tracer.o.aarch64.simple b/tests/linux/clean/tracer.o.aarch64.simple
index 3a4ae229e..cd41cb4dd 100644
--- a/tests/linux/clean/tracer.o.aarch64.simple
+++ b/tests/linux/clean/tracer.o.aarch64.simple
@@ -16,4 +16,3 @@ net/socket/listen: medium
 net/socket/receive: low
 net/socket/send: low
 net/tcp/synflood: medium
-persist/kernel_module/symbol_lookup: low
diff --git a/tests/linux/clean/trino.linux-amd64.launcher.json b/tests/linux/clean/trino.linux-amd64.launcher.json
index b3bc272fc..1f31ce84e 100644
--- a/tests/linux/clean/trino.linux-amd64.launcher.json
+++ b/tests/linux/clean/trino.linux-amd64.launcher.json
@@ -823,41 +823,6 @@
 "ID": "anti-behavior/random_behavior",
 "RuleName": "random"
 },
- {
- "Description": "Obfuscated ELF binary (missing symbols)",
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/content.yara#obfuscated_elf",
- "ID": "anti-static/elf/content",
- "RuleName": "obfuscated_elf"
- },
- {
- "Description": "high entropy footer in ELF binary (\u003e7.4)",
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_4",
- "ID": "anti-static/elf/entropy",
- "RuleName": "normal_elf_high_entropy_7_4"
- },
- {
- "Description": "high entropy ELF header (\u003e7)",
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#high_entropy_header",
- "ID": "anti-static/elf/header",
- "RuleName": "high_entropy_header"
- },
- {
- "Description": "multiple ELF binaries within an ELF binary",
- "MatchStrings": [
- "$elf_head"
- ],
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf",
- "ID": "anti-static/elf/multiple",
- "RuleName": "multiple_elf"
- },
 {
 "Description": "Linux ELF binary packed with UPX",
 "MatchStrings": [
@@ -871,17 +836,6 @@
 "ID": "anti-static/packer/upx",
 "RuleName": "upx"
 },
- {
- "Description": "binary contains hardcoded URL",
- "MatchStrings": [
- "http://upx.sf.net"
- ],
- "RiskScore": 1,
- "RiskLevel": "LOW",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url",
- "ID": "c2/addr/url",
- "RuleName": "binary_with_url"
- },
 {
 "Description": "references a specific architecture",
 "MatchStrings": [
diff --git a/tests/linux/clean/trino.linux-arm64.launcher.json b/tests/linux/clean/trino.linux-arm64.launcher.json
index 91aff2032..4bd4e58f1 100644
--- a/tests/linux/clean/trino.linux-arm64.launcher.json
+++ b/tests/linux/clean/trino.linux-arm64.launcher.json
@@ -807,41 +807,6 @@
 "ID": "anti-behavior/random_behavior",
 "RuleName": "random"
 },
- {
- "Description": "Obfuscated ELF binary (missing symbols)",
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/content.yara#obfuscated_elf",
- "ID": "anti-static/elf/content",
- "RuleName": "obfuscated_elf"
- },
- {
- "Description": "high entropy footer in ELF binary (\u003e7.4)",
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_4",
- "ID": "anti-static/elf/entropy",
- "RuleName": "normal_elf_high_entropy_7_4"
- },
- {
- "Description": "high entropy ELF header (\u003e7)",
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#high_entropy_header",
- "ID": "anti-static/elf/header",
- "RuleName": "high_entropy_header"
- },
- {
- "Description": "multiple ELF binaries within an ELF binary",
- "MatchStrings": [
- "$elf_head"
- ],
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf",
- "ID": "anti-static/elf/multiple",
- "RuleName": "multiple_elf"
- },
 {
 "Description": "Linux ELF binary packed with UPX",
 "MatchStrings": [
@@ -855,17 +820,6 @@
 "ID": "anti-static/packer/upx",
 "RuleName": "upx"
 },
- {
- "Description": "binary contains hardcoded URL",
- "MatchStrings": [
- "http://upx.sf.net"
- ],
- "RiskScore": 1,
- "RiskLevel": "LOW",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url",
- "ID": "c2/addr/url",
- "RuleName": "binary_with_url"
- },
 {
 "Description": "Supports AES (Advanced Encryption Standard)",
 "MatchStrings": [
diff --git a/tests/linux/clean/trino.linux-ppc64le.launcher.json b/tests/linux/clean/trino.linux-ppc64le.launcher.json
index b83924a48..fcc7497bc 100644
--- a/tests/linux/clean/trino.linux-ppc64le.launcher.json
+++ b/tests/linux/clean/trino.linux-ppc64le.launcher.json
@@ -816,41 +816,6 @@
 "ID": "anti-behavior/random_behavior",
 "RuleName": "random"
 },
- {
- "Description": "Obfuscated ELF binary (missing symbols)",
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/content.yara#obfuscated_elf",
- "ID": "anti-static/elf/content",
- "RuleName": "obfuscated_elf"
- },
- {
- "Description": "high entropy footer in ELF binary (\u003e7.4)",
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_4",
- "ID": "anti-static/elf/entropy",
- "RuleName": "normal_elf_high_entropy_7_4"
- },
- {
- "Description": "high entropy ELF header (\u003e7)",
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#high_entropy_header",
- "ID": "anti-static/elf/header",
- "RuleName": "high_entropy_header"
- },
- {
- "Description": "multiple ELF binaries within an ELF binary",
- "MatchStrings": [
- "$elf_head"
- ],
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf",
- "ID": "anti-static/elf/multiple",
- "RuleName": "multiple_elf"
- },
 {
 "Description": "Binary is packed with UPX",
 "MatchStrings": [
@@ -864,17 +829,6 @@
 "ID": "anti-static/packer/upx",
 "RuleName": "upx"
 },
- {
- "Description": "binary contains hardcoded URL",
- "MatchStrings": [
- "http://upx.sf.net"
- ],
- "RiskScore": 1,
- "RiskLevel": "LOW",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url",
- "ID": "c2/addr/url",
- "RuleName": "binary_with_url"
- },
 {
 "Description": "Uses DNS TXT (text) records",
 "MatchStrings": [
diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple
index 724b4c0ad..0c4ccc82d 100644
--- a/tests/linux/clean/trivy.simple
+++ b/tests/linux/clean/trivy.simple
@@ -79,7 +79,6 @@ exec/cmd: medium
 exec/conditional/LANG: low
 exec/dylib/symbol_address: medium
 exec/install_additional/package_install: medium
-exec/install_additional/pip_install: medium
 exec/plugin: low
 exec/program: medium
 exec/script/osa: medium
@@ -101,7 +100,6 @@ fs/file/delete: medium
 fs/file/delete_forcibly: medium
 fs/file/open: low
 fs/file/read: low
-fs/file/rename: low
 fs/file/stat: low
 fs/file/times_set: medium
 fs/file/truncate: low
diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md
index c48eb0edb..6d39abd7f 100644
--- a/tests/linux/clean/trufflehog.md
+++ b/tests/linux/clean/trufflehog.md
@@ -141,7 +141,6 @@
 | LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm non-TreeNoderserror creating cancelr](https://github.com/search?q=rm+non-TreeNoderserror+creating+cancelr&type=code)
[rm on-chain due to too low of a transa](https://github.com/search?q=rm+on-chain+due+to+too+low+of+a+transa&type=code) | | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | | LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [os.(*File).Read](https://github.com/search?q=os.%28%2AFile%29.Read&type=code)
[ReadFile](https://github.com/search?q=ReadFile&type=code) | -| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [os.rename](https://github.com/search?q=os.rename&type=code)
[MoveFile](https://github.com/search?q=MoveFile&type=code) | | LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statFile](https://github.com/search?q=fs.statFile&type=code) | | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [writeFilePatchHeader](https://github.com/search?q=writeFilePatchHeader&type=code)
[writeFileToArchive](https://github.com/search?q=writeFileToArchive&type=code)
[writeCacheFile](https://github.com/search?q=writeCacheFile&type=code)
[writeFilestat](https://github.com/search?q=writeFilestat&type=code)
[writeRawFile](https://github.com/search?q=writeRawFile&type=code)
[writerFile](https://github.com/search?q=writerFile&type=code)
[WriteFile](https://github.com/search?q=WriteFile&type=code) | | LOW | [fs/link_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) |
diff --git a/tests/linux/clean/wikiticker-2015-09-12-sampled.json.simple b/tests/linux/clean/wikiticker-2015-09-12-sampled.json.simple
index e69de29bb..330fb1884 100644
--- a/tests/linux/clean/wikiticker-2015-09-12-sampled.json.simple
+++ b/tests/linux/clean/wikiticker-2015-09-12-sampled.json.simple
@@ -0,0 +1,24 @@
+# linux/clean/wikiticker-2015-09-12-sampled.json: high
+anti-behavior/blocklist/user: medium
+anti-behavior/random_behavior: low
+c2/addr/ip: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/os: medium
+credential/gaming/minecraft: medium
+crypto/aes: low
+crypto/fernet: medium
+exfil/stealer/wallet: medium
+fs/file/delete_forcibly: low
+fs/path/relative: medium
+impact/infection/worm: medium
+impact/remote_access/agent: medium
+impact/remote_access/botnet: high
+impact/remote_access/implant: medium
+impact/remote_access/trojan: medium
+net/download: medium
+net/http: low
+net/http/cookies: medium
+net/http/post: medium
+net/url/embedded: medium
+persist/daemon: medium
+sus/exclamation: medium
diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple
index 495fd3dd7..f23c4e272 100644
--- a/tests/linux/clean/wolfictl.simple
+++ b/tests/linux/clean/wolfictl.simple
@@ -5,11 +5,11 @@ c2/addr/http_dynamic: medium
 c2/addr/ip: medium
 c2/addr/url: low
 c2/client: medium
+c2/discovery/ip_dns_resolver: medium
 c2/tool_transfer/arch: low
 c2/tool_transfer/download: medium
 c2/tool_transfer/dropper: medium
 c2/tool_transfer/os: medium
-collect/archives/tar_command: medium
 collect/archives/unarchive: medium
 collect/archives/zip: medium
 collect/code/github_api: low
@@ -71,7 +71,6 @@ evasion/file/prefix: medium
 exec/cmd: medium
 exec/conditional/LANG: low
 exec/dylib/symbol_address: medium
-exec/install_additional/pip_install: medium
 exec/plugin: low
 exec/program: medium
 exec/shell/TERM: low
@@ -91,7 +90,6 @@ fs/file/delete: medium
 fs/file/delete_forcibly: medium
 fs/file/open: low
 fs/file/read: low
-fs/file/rename: low
 fs/file/stat: low
 fs/file/times_set: medium
 fs/file/truncate: low
diff --git a/tests/linux/clean/x11vnc.simple b/tests/linux/clean/x11vnc.simple
index 00874b2cc..7ccd6eab8 100644
--- a/tests/linux/clean/x11vnc.simple
+++ b/tests/linux/clean/x11vnc.simple
@@ -1,6 +1,5 @@
 # linux/clean/x11vnc: medium
 anti-behavior/random_behavior: low
-anti-static/obfuscation/js: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
 c2/addr/url: low
diff --git a/tests/linux/clean/zipdetails.md b/tests/linux/clean/zipdetails.md
index 2295e5695..00cf228d8 100644
--- a/tests/linux/clean/zipdetails.md
+++ b/tests/linux/clean/zipdetails.md
@@ -2,7 +2,6 @@
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |--|--|--|--|
-| MEDIUM | [anti-static/obfuscation/bitwise](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#bidirectional_bitwise_math) | [uses bitwise math in both directions](https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection) | [dt >> 16](https://github.com/search?q=dt+%3E%3E+16&type=code)
[got << 8](https://github.com/search?q=got+%3C%3C+8&type=code)
[dt >> 25](https://github.com/search?q=dt+%3E%3E+25&type=code)
[dt >> 11](https://github.com/search?q=dt+%3E%3E+11&type=code)
[dt >> 21](https://github.com/search?q=dt+%3E%3E+21&type=code)
[1 << 11](https://github.com/search?q=1+%3C%3C+11&type=code)
[dt >> 5](https://github.com/search?q=dt+%3E%3E+5&type=code)
[gp >> 1](https://github.com/search?q=gp+%3E%3E+1&type=code)
[dt << 1](https://github.com/search?q=dt+%3C%3C+1&type=code)
[1 << 5](https://github.com/search?q=1+%3C%3C+5&type=code)
[1 << 4](https://github.com/search?q=1+%3C%3C+4&type=code)
[2 << 1](https://github.com/search?q=2+%3C%3C+1&type=code)
[1 << 0](https://github.com/search?q=1+%3C%3C+0&type=code)
[1 << 6](https://github.com/search?q=1+%3C%3C+6&type=code)
[1 << 3](https://github.com/search?q=1+%3C%3C+3&type=code) | | MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#excessive_hex_refs) | many references to hexadecimal values | [0x10000000](https://github.com/search?q=0x10000000&type=code)
[0x08074b50](https://github.com/search?q=0x08074b50&type=code)
[0x02014b50](https://github.com/search?q=0x02014b50&type=code)
[0x06054b50](https://github.com/search?q=0x06054b50&type=code)
[0x06064b50](https://github.com/search?q=0x06064b50&type=code)
[0x07064b50](https://github.com/search?q=0x07064b50&type=code)
[0x08064b50](https://github.com/search?q=0x08064b50&type=code)
[0x05054b50](https://github.com/search?q=0x05054b50&type=code)
[0xE9F3F9F0](https://github.com/search?q=0xE9F3F9F0&type=code)
[0x7109871a](https://github.com/search?q=0x7109871a&type=code)
[0xf05368c0](https://github.com/search?q=0xf05368c0&type=code)
[0x04034b50](https://github.com/search?q=0x04034b50&type=code)
[0x19DB1DED](https://github.com/search?q=0x19DB1DED&type=code)
[0xFFFFFFFF](https://github.com/search?q=0xFFFFFFFF&type=code)
[0x2146444e](https://github.com/search?q=0x2146444e&type=code)
[0xff3b5998](https://github.com/search?q=0xff3b5998&type=code)
[0x71777777](https://github.com/search?q=0x71777777&type=code)
[0x504b4453](https://github.com/search?q=0x504b4453&type=code)
[0x6dff800d](https://github.com/search?q=0x6dff800d&type=code)
[0x42726577](https://github.com/search?q=0x42726577&type=code)
[0x0065](https://github.com/search?q=0x0065&type=code)
[0x7FFF](https://github.com/search?q=0x7FFF&type=code)
[0x4154](https://github.com/search?q=0x4154&type=code)
[0x4341](https://github.com/search?q=0x4341&type=code)
[0x4453](https://github.com/search?q=0x4453&type=code)
[0x4690](https://github.com/search?q=0x4690&type=code)
[0x4704](https://github.com/search?q=0x4704&type=code)
[0x470f](https://github.com/search?q=0x470f&type=code)
[0x4854](https://github.com/search?q=0x4854&type=code)
[0x4b46](https://github.com/search?q=0x4b46&type=code)
[0x4c41](https://github.com/search?q=0x4c41&type=code)
[0x4d49](https://github.com/search?q=0x4d49&type=code)
[0x4d63](https://github.com/search?q=0x4d63&type=code)
[0x4f4c](https://github.com/search?q=0x4f4c&type=code)
[0x5356](https://github.com/search?q=0x5356&type=code)
[0x5455](https://github.com/search?q=0x5455&type=code)
[0x554e](https://github.com/search?q=0x554e&type=code)
[0x5855](https://github.com/search?q=0x5855&type=code)
[0x5a4c](https://github.com/search?q=0x5a4c&type=code)
[0x5a4d](https://github.com/search?q=0x5a4d&type=code)
[0x6375](https://github.com/search?q=0x6375&type=code)
[0x6542](https://github.com/search?q=0x6542&type=code)
[0x6854](https://github.com/search?q=0x6854&type=code)
[0x7075](https://github.com/search?q=0x7075&type=code)
[0x756e](https://github.com/search?q=0x756e&type=code)
[0x7441](https://github.com/search?q=0x7441&type=code)
[0x7855](https://github.com/search?q=0x7855&type=code)
[0x7875](https://github.com/search?q=0x7875&type=code)
[0x9901](https://github.com/search?q=0x9901&type=code)
[0xa11e](https://github.com/search?q=0xa11e&type=code)
[0xA220](https://github.com/search?q=0xA220&type=code)
[0xCAFE](https://github.com/search?q=0xCAFE&type=code)
[0xfb4a](https://github.com/search?q=0xfb4a&type=code)
[0x0001](https://github.com/search?q=0x0001&type=code)
[0x0007](https://github.com/search?q=0x0007&type=code)
[0x0008](https://github.com/search?q=0x0008&type=code)
[0x0009](https://github.com/search?q=0x0009&type=code)
[0x000a](https://github.com/search?q=0x000a&type=code)
[0x2805](https://github.com/search?q=0x2805&type=code)
[0x8000](https://github.com/search?q=0x8000&type=code)
[0x334d](https://github.com/search?q=0x334d&type=code)
[0x2705](https://github.com/search?q=0x2705&type=code)
[0x2605](https://github.com/search?q=0x2605&type=code)
[0x07c8](https://github.com/search?q=0x07c8&type=code)
[0x0066](https://github.com/search?q=0x0066&type=code)
[0x0023](https://github.com/search?q=0x0023&type=code)
[0x0022](https://github.com/search?q=0x0022&type=code)
[0x0021](https://github.com/search?q=0x0021&type=code)
[0x0020](https://github.com/search?q=0x0020&type=code)
[0x0019](https://github.com/search?q=0x0019&type=code)
[0x0018](https://github.com/search?q=0x0018&type=code)
[0x0017](https://github.com/search?q=0x0017&type=code)
[0x0016](https://github.com/search?q=0x0016&type=code)
[0x000c](https://github.com/search?q=0x000c&type=code)
[0x000d](https://github.com/search?q=0x000d&type=code)
[0x000e](https://github.com/search?q=0x000e&type=code)
[0x000f](https://github.com/search?q=0x000f&type=code)
[0x0014](https://github.com/search?q=0x0014&type=code)
[0x0015](https://github.com/search?q=0x0015&type=code)
[0x01](https://github.com/search?q=0x01&type=code)
[0x1f](https://github.com/search?q=0x1f&type=code)
[0x0f](https://github.com/search?q=0x0f&type=code)
[0x7f](https://github.com/search?q=0x7f&type=code)
[0x03](https://github.com/search?q=0x03&type=code)
[0x20](https://github.com/search?q=0x20&type=code)
[0x3e](https://github.com/search?q=0x3e&type=code)
[0x3f](https://github.com/search?q=0x3f&type=code)
[\x00](https://github.com/search?q=%5Cx00&type=code)
[\x01](https://github.com/search?q=%5Cx01&type=code) | | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[http://](http://)
[Windows](https://github.com/search?q=Windows&type=code)
[Darwin](https://github.com/search?q=Darwin&type=code)
[linux](https://github.com/search?q=linux&type=code) | | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip files](https://github.com/search?q=zip+files&type=code)
[zipfile](https://github.com/search?q=zipfile&type=code)
[ZIP64](https://github.com/search?q=ZIP64&type=code) |
diff --git a/tests/linux/mimipenguin/bash/mimipenguin.simple b/tests/linux/mimipenguin/bash/mimipenguin.simple
index 59dbb2298..9baabad83 100644
--- a/tests/linux/mimipenguin/bash/mimipenguin.simple
+++ b/tests/linux/mimipenguin/bash/mimipenguin.simple
@@ -9,8 +9,7 @@ credential/ssh/d: medium
 data/base64/external: medium
 data/encoding/base64: low
 discover/system/platform: medium
-exec/imports/python: medium
-exec/shell/command: medium
+exec/imports/python: low
 exec/shell/exec: medium
 exec/shell/ignore_output: medium
 exfil/stealer/password: critical
diff --git a/tests/linux/mimipenguin/python/mimipenguin.simple b/tests/linux/mimipenguin/python/mimipenguin.simple
index 885da105d..e7b0bebdb 100644
--- a/tests/linux/mimipenguin/python/mimipenguin.simple
+++ b/tests/linux/mimipenguin/python/mimipenguin.simple
@@ -14,7 +14,6 @@ discover/processes/list: medium
 discover/system/platform: medium
 exec/imports/python: low
 exfil/stealer/password: critical
-fs/directory/list: low
 fs/file/open: low
 fs/path/etc: low
 fs/path/usr_bin: low
diff --git a/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple b/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple
index aa4703747..633722371 100644
--- a/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple
+++ b/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple
@@ -1,6 +1,5 @@
 # macOS/2024.79-137-192-4/var_tmp_exe_starting2: critical
 anti-static/xor/certs: high
-c2/tool_transfer/osascript: high
 evasion/file/location/var_tmp: medium
 exec/script/osa: high
 exec/shell/exec: medium
diff --git a/tests/macOS/2024.LightSpy/dropper.simple b/tests/macOS/2024.LightSpy/dropper.simple
index f28462f3b..87a5ff237 100644
--- a/tests/macOS/2024.LightSpy/dropper.simple
+++ b/tests/macOS/2024.LightSpy/dropper.simple
@@ -21,7 +21,6 @@ exec/shell/TERM: low
 fs/attributes/remove: medium
 fs/attributes/set: medium
 fs/directory/create: low
-fs/file/rename: low
 fs/file/stat: low
 fs/file/write: low
 fs/lock_update: low
diff --git a/tests/macOS/2024.Rustdoor/localfile.simple b/tests/macOS/2024.Rustdoor/localfile.simple
index 528766345..30dad65cf 100644
--- a/tests/macOS/2024.Rustdoor/localfile.simple
+++ b/tests/macOS/2024.Rustdoor/localfile.simple
@@ -4,7 +4,6 @@ c2/addr/url: low
 c2/tool_transfer/chmod_dropper: high
 c2/tool_transfer/macos: critical
 c2/tool_transfer/os: medium
-c2/tool_transfer/shell: critical
 collect/archives/zip: medium
 collect/databases/mysql: medium
 collect/databases/sqlite: medium
@@ -80,7 +79,6 @@ os/kernel/dispatch_semaphore: low
 os/sync/semaphore_user: low
 persist/daemon: medium
 persist/launchd/launch_agent: medium
-privesc/osascript: critical
 privesc/setuid: low
 process/chdir: low
 process/create: low
diff --git a/tests/npm/2024.bugsnagmw/index.js.simple b/tests/npm/2024.bugsnagmw/index.js.simple
index dd2e4817a..b0ce9227a 100644
--- a/tests/npm/2024.bugsnagmw/index.js.simple
+++ b/tests/npm/2024.bugsnagmw/index.js.simple
@@ -2,7 +2,6 @@
 anti-static/obfuscation/bool: medium
 anti-static/obfuscation/hex: medium
 anti-static/obfuscation/js: critical
-anti-static/obfuscation/python: critical
 c2/addr/url: medium
 data/encoding/int: medium
 discover/ip/public: high
diff --git a/tests/npm/2024.depe-tool/preinstall.json.simple b/tests/npm/2024.depe-tool/preinstall.json.simple
index e69de29bb..26c5ea823 100644
--- a/tests/npm/2024.depe-tool/preinstall.json.simple
+++ b/tests/npm/2024.depe-tool/preinstall.json.simple
@@ -0,0 +1,3 @@
+# npm/2024.depe-tool/preinstall.json: high
+anti-static/obfuscation/hex: medium
+impact/remote_access/payload: high
diff --git a/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple b/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple
index 48288dd05..ab69cbf72 100644
--- a/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple
+++ b/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple
@@ -1,7 +1,5 @@
 # npm/2024.legacyreact-aws-s3-typescript/package.json: critical
 c2/addr/url: medium
-c2/tool_transfer/npm: critical
-c2/tool_transfer/shell: high
 exec/program/hidden: medium
 exec/shell/background_launcher: high
 exfil/npm: high
diff --git a/tests/npm/2024.next-react-notify/tocall.js.simple b/tests/npm/2024.next-react-notify/tocall.js.simple
index cba2c1153..8612abaf5 100644
--- a/tests/npm/2024.next-react-notify/tocall.js.simple
+++ b/tests/npm/2024.next-react-notify/tocall.js.simple
@@ -1,5 +1,4 @@
 # npm/2024.next-react-notify/tocall.js: critical
-anti-static/obfuscation/powershell: critical
 c2/addr/ip: high
 c2/addr/url: high
 c2/tool_transfer/os: low
diff --git a/tests/npm/2024.noblox/postinstall.js.json b/tests/npm/2024.noblox/postinstall.js.json
index 59180be5e..0c5b40830 100644
--- a/tests/npm/2024.noblox/postinstall.js.json
+++ b/tests/npm/2024.noblox/postinstall.js.json
@@ -2048,9 +2048,9 @@
 ],
 "RiskScore": 4,
 "RiskLevel": "CRITICAL",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/js.yara#js_hex_obfuscation",
+ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/js.yara#multiple_js_hex_obfuscation",
 "ID": "anti-static/obfuscation/js",
- "RuleName": "js_hex_obfuscation"
+ "RuleName": "multiple_js_hex_obfuscation"
 },
 {
 "Description": "complex math and string to integer conversion",
diff --git a/tests/npm/2024.solana_web3/v1.95.7.index.browser.esm.js.simple b/tests/npm/2024.solana_web3/v1.95.7.index.browser.esm.js.simple
index fa91f7f11..a5558a3e5 100644
--- a/tests/npm/2024.solana_web3/v1.95.7.index.browser.esm.js.simple
+++ b/tests/npm/2024.solana_web3/v1.95.7.index.browser.esm.js.simple
@@ -1,7 +1,6 @@
 # npm/2024.solana_web3/v1.95.7.index.browser.esm.js: critical
 anti-behavior/random_behavior: low
 anti-static/obfuscation/hex: medium
-anti-static/obfuscation/reverse: medium
 anti-static/obfuscation/strtoi: medium
 c2/addr/url: high
 credential/ssl/key: high
@@ -26,4 +25,3 @@ net/ip/host_port: medium
 net/socket/send: low
 net/url/embedded: low
 os/time/clock_sleep: medium
-persist/kernel_module/symbol_lookup: low
diff --git a/tests/npm/2024.solana_web3/v1.95.8.index.browser.esm.js.simple b/tests/npm/2024.solana_web3/v1.95.8.index.browser.esm.js.simple
index 35f5c169d..c1b0e004b 100644
--- a/tests/npm/2024.solana_web3/v1.95.8.index.browser.esm.js.simple
+++ b/tests/npm/2024.solana_web3/v1.95.8.index.browser.esm.js.simple
@@ -22,4 +22,3 @@ net/ip/host_port: medium
 net/socket/send: low
 net/url/embedded: low
 os/time/clock_sleep: medium
-persist/kernel_module/symbol_lookup: low
diff --git a/tests/php/2024.WordFence.evasion/wp-engine-fast-action.php.simple b/tests/php/2024.WordFence.evasion/wp-engine-fast-action.php.simple
index 866f2ac9c..5a2065702 100644
--- a/tests/php/2024.WordFence.evasion/wp-engine-fast-action.php.simple
+++ b/tests/php/2024.WordFence.evasion/wp-engine-fast-action.php.simple
@@ -1,6 +1,5 @@
 # php/2024.WordFence.evasion/wp-engine-fast-action.php: critical
 anti-static/obfuscation/php: high
-anti-static/obfuscation/python: critical
 c2/addr/url: medium
 data/embedded/base64: medium
 data/encoding/reverse: low
diff --git a/tests/php/clean/composer-2.7.7.simple b/tests/php/clean/composer-2.7.7.simple
index 094fbe11f..10c593bf5 100644
--- a/tests/php/clean/composer-2.7.7.simple
+++ b/tests/php/clean/composer-2.7.7.simple
@@ -1,7 +1,5 @@
 # php/clean/composer-2.7.7: medium
-anti-behavior/anti_debugger: medium
 anti-behavior/random_behavior: low
-anti-static/obfuscation/js: medium
 anti-static/obfuscation/php: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
diff --git a/tests/php/clean/module.audio-video.quicktime.php.simple b/tests/php/clean/module.audio-video.quicktime.php.simple
index 2006ce124..04f7eccd8 100644
--- a/tests/php/clean/module.audio-video.quicktime.php.simple
+++ b/tests/php/clean/module.audio-video.quicktime.php.simple
@@ -1,7 +1,6 @@
 # php/clean/module.audio-video.quicktime.php: medium
 anti-static/obfuscation/bitwise: medium
 anti-static/obfuscation/hex: medium
-anti-static/obfuscation/js: medium
 c2/addr/url: medium
 c2/tool_transfer/os: low
 crypto/encrypt: medium
diff --git a/tests/php/clean/run-tests.php.simple b/tests/php/clean/run-tests.php.simple
index 0aea22157..759ccce80 100644
--- a/tests/php/clean/run-tests.php.simple
+++ b/tests/php/clean/run-tests.php.simple
@@ -10,7 +10,6 @@ data/encoding/base64: low
 discover/system/platform: low
 discover/user/USER: low
 evasion/time/php_no_limit: medium
-exec/cmd: medium
 exec/shell/command: medium
 exec/shell/exec: medium
 exec/shell/ignore_output: medium
diff --git a/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple b/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple
index d528b0935..fb346fcae 100644
--- a/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple
+++ b/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple
@@ -13,7 +13,6 @@ evasion/file/prefix/tmp: high
 exec/cmd/pipe: medium
 exec/imports/python: low
 exec/program: medium
-exec/shell/command: medium
 exfil/curl_post: medium
 exfil/whoami_hostname: high
 fs/file/read: low
diff --git a/tests/python/2024.Custom.RAT/output.py.simple b/tests/python/2024.Custom.RAT/output.py.simple
index 556edcbaa..451bfeed4 100644
--- a/tests/python/2024.Custom.RAT/output.py.simple
+++ b/tests/python/2024.Custom.RAT/output.py.simple
@@ -31,7 +31,6 @@ exec/dylib/windll: medium
 exec/imports/python: low
 exec/program: medium
 exec/script/wsh: medium
-exec/shell/command: medium
 exec/shell/power: medium
 exfil/discord: critical
 exfil/stealer/browser: high
diff --git a/tests/python/2024.RookeryCapital_PythonTest/__init__.py.simple b/tests/python/2024.RookeryCapital_PythonTest/__init__.py.simple
index c5c8cd7b9..ed4218304 100644
--- a/tests/python/2024.RookeryCapital_PythonTest/__init__.py.simple
+++ b/tests/python/2024.RookeryCapital_PythonTest/__init__.py.simple
@@ -6,7 +6,6 @@ data/encoding/base64: low
 discover/system/platform: medium
 exec/imports/python: low
 exec/program: medium
-exec/shell/command: medium
 fs/file/open: low
 fs/file/write: low
 fs/tempdir: low
diff --git a/tests/python/2024.ScreenLocker/0a5f907e9f0dade65fc292d3f1ed1f68cfb68895a84adaa173c543792be891ba.py.simple b/tests/python/2024.ScreenLocker/0a5f907e9f0dade65fc292d3f1ed1f68cfb68895a84adaa173c543792be891ba.py.simple
index 23b23685e..924a77c8e 100644
--- a/tests/python/2024.ScreenLocker/0a5f907e9f0dade65fc292d3f1ed1f68cfb68895a84adaa173c543792be891ba.py.simple
+++ b/tests/python/2024.ScreenLocker/0a5f907e9f0dade65fc292d3f1ed1f68cfb68895a84adaa173c543792be891ba.py.simple
@@ -2,6 +2,5 @@
 c2/addr/url: medium
 credential/password: low
 exec/imports/python: low
-exec/shell/command: medium
 impact/ransom/locked: high
 malware/family/lockscreen: critical
diff --git a/tests/python/2024.krypton_ddos/b2d4cc2ecf9919bf84ce9ce83bb6b99b68a78181c1976a4f72526c3085096f99.py.simple b/tests/python/2024.krypton_ddos/b2d4cc2ecf9919bf84ce9ce83bb6b99b68a78181c1976a4f72526c3085096f99.py.simple
index 957ffa370..a9e4df5ad 100644
--- a/tests/python/2024.krypton_ddos/b2d4cc2ecf9919bf84ce9ce83bb6b99b68a78181c1976a4f72526c3085096f99.py.simple
+++ b/tests/python/2024.krypton_ddos/b2d4cc2ecf9919bf84ce9ce83bb6b99b68a78181c1976a4f72526c3085096f99.py.simple
@@ -4,6 +4,7 @@ anti-static/obfuscation/python: medium
 c2/addr/ip: medium
 c2/addr/url: medium
 c2/connect/ping_pong: medium
+c2/discovery/ip_dns_resolver: medium
 c2/refs: high
 c2/tool_transfer/os: low
 credential/password: low
diff --git a/tests/python/2024.obfuscation/03c5d13d880ac4db8f9b45bda438e286a75a60f72ef26cf45670b31ffa92482e.py.simple b/tests/python/2024.obfuscation/03c5d13d880ac4db8f9b45bda438e286a75a60f72ef26cf45670b31ffa92482e.py.simple
index ed7b7cf7c..f663251f2 100644
--- a/tests/python/2024.obfuscation/03c5d13d880ac4db8f9b45bda438e286a75a60f72ef26cf45670b31ffa92482e.py.simple
+++ b/tests/python/2024.obfuscation/03c5d13d880ac4db8f9b45bda438e286a75a60f72ef26cf45670b31ffa92482e.py.simple
@@ -1,5 +1,6 @@
 # python/2024.obfuscation/03c5d13d880ac4db8f9b45bda438e286a75a60f72ef26cf45670b31ffa92482e.py: critical
 anti-static/obfuscation/python: high
+anti-static/obfuscation/python_setuptools: medium
 anti-static/packer/pycloak: critical
 data/base64/decode: medium
 data/compression/lzma: low
diff --git a/tests/python/2024.pyobfuscate/4aa577b492b38c0334b7d2783526a263394e3a4bb349383cbc45786ae2b79b42.py.simple b/tests/python/2024.pyobfuscate/4aa577b492b38c0334b7d2783526a263394e3a4bb349383cbc45786ae2b79b42.py.simple
index 136721bd0..469d0ceb7 100644
--- a/tests/python/2024.pyobfuscate/4aa577b492b38c0334b7d2783526a263394e3a4bb349383cbc45786ae2b79b42.py.simple
+++ b/tests/python/2024.pyobfuscate/4aa577b492b38c0334b7d2783526a263394e3a4bb349383cbc45786ae2b79b42.py.simple
@@ -1,5 +1,6 @@
 # python/2024.pyobfuscate/4aa577b492b38c0334b7d2783526a263394e3a4bb349383cbc45786ae2b79b42.py: critical
 anti-static/obfuscation/obfuscate: low
 anti-static/obfuscation/python: critical
+anti-static/obfuscation/python_setuptools: medium
 anti-static/packer/pyobfuscate: high
 net/url/embedded: low
diff --git a/tests/python/2024.ultralytics/v8.3.41/utils/downloads.py.simple b/tests/python/2024.ultralytics/v8.3.41/utils/downloads.py.simple
index 5a741366a..110b904a7 100644
--- a/tests/python/2024.ultralytics/v8.3.41/utils/downloads.py.simple
+++ b/tests/python/2024.ultralytics/v8.3.41/utils/downloads.py.simple
@@ -10,7 +10,6 @@ collect/code/github_api: low evasion/self_deletion/run_and_delete: high exec/imports/python: low exec/program: medium -exec/shell/command: medium exfil/stealer/browser: medium exfil/upload: medium fs/directory/create: low diff --git a/tests/python/2024.ultralytics/v8.3.46/__init__.py.simple b/tests/python/2024.ultralytics/v8.3.46/__init__.py.simple index 914ca03aa..185594f6a 100644 --- a/tests/python/2024.ultralytics/v8.3.46/__init__.py.simple +++ b/tests/python/2024.ultralytics/v8.3.46/__init__.py.simple @@ -2,7 +2,6 @@ 3P/sig_base/pua_crypto_mining: critical c2/addr/url: medium c2/tool_transfer/os: low -c2/tool_transfer/shell: high discover/system/platform: medium exec/imports/python: low exec/program: medium diff --git a/tests/python/clean/google-auth-library-python/setup.py.simple b/tests/python/clean/google-auth-library-python/setup.py.simple index 6650c36a7..65580a047 100644 --- a/tests/python/clean/google-auth-library-python/setup.py.simple +++ b/tests/python/clean/google-auth-library-python/setup.py.simple @@ -5,7 +5,6 @@ crypto/openssl: medium exec/imports/python: low exec/program: medium exec/remote_commands/code_eval: medium -exec/shell/command: medium fs/file/open: low fs/file/read: low impact/remote_access/py_setuptools: medium diff --git a/tests/python/clean/google-cloud-sdk/requests_setup.py.simple b/tests/python/clean/google-cloud-sdk/requests_setup.py.simple index c1338be9c..b6788ffe3 100644 --- a/tests/python/clean/google-cloud-sdk/requests_setup.py.simple +++ b/tests/python/clean/google-cloud-sdk/requests_setup.py.simple @@ -3,7 +3,6 @@ c2/addr/url: medium exec/imports/python: low exec/program: medium exec/remote_commands/code_eval: medium -exec/shell/command: medium fs/file/open: low fs/path/usr_bin: low impact/remote_access/py_setuptools: medium diff --git a/tests/python/clean/numpy/misc_util.py.simple b/tests/python/clean/numpy/misc_util.py.simple index 54f55725d..6552ad016 100644 
--- a/tests/python/clean/numpy/misc_util.py.simple +++ b/tests/python/clean/numpy/misc_util.py.simple @@ -6,7 +6,6 @@ discover/system/platform: medium evasion/file/prefix: medium exec/install_additional/pip_install: medium exec/program: medium -exec/shell/command: medium fs/directory/list: low fs/directory/traverse: medium fs/file/delete: low diff --git a/tests/python/clean/requests/setup.py.simple b/tests/python/clean/requests/setup.py.simple index 4daf15fe0..41e324429 100644 --- a/tests/python/clean/requests/setup.py.simple +++ b/tests/python/clean/requests/setup.py.simple @@ -4,7 +4,6 @@ c2/tool_transfer/download: medium exec/imports/python: low exec/program: medium exec/remote_commands/code_eval: medium -exec/shell/command: medium fs/file/open: low fs/path/usr_bin: low impact/remote_access/py_setuptools: medium diff --git a/tests/python/clean/setuptools/namespaces.py.simple b/tests/python/clean/setuptools/namespaces.py.simple index a648d0b48..a362049c2 100644 --- a/tests/python/clean/setuptools/namespaces.py.simple +++ b/tests/python/clean/setuptools/namespaces.py.simple @@ -2,6 +2,5 @@ c2/addr/url: medium data/encoding/json_encode: low exec/imports/python: low -exec/shell/command: medium false-positives/setuptools: low fs/directory/create: low diff --git a/tests/python/clean/setuptools/test_pyprojecttoml.py.simple b/tests/python/clean/setuptools/test_pyprojecttoml.py.simple index 1cc32dcdc..d98d3e6ec 100644 --- a/tests/python/clean/setuptools/test_pyprojecttoml.py.simple +++ b/tests/python/clean/setuptools/test_pyprojecttoml.py.simple @@ -3,7 +3,6 @@ c2/addr/url: medium c2/tool_transfer/os: low discover/system/platform: medium exec/imports/python: low -exec/shell/command: medium fs/file/open: low net/url/embedded: low os/fd/write: low diff --git a/tests/ruby/2021.vector/vector.rb.simple b/tests/ruby/2021.vector/vector.rb.simple index 1677777db..a0dfd9ebf 100644 --- a/tests/ruby/2021.vector/vector.rb.simple +++ b/tests/ruby/2021.vector/vector.rb.simple 
@@ -4,6 +4,5 @@ crypto/decrypt: low crypto/encrypt: medium exec/program: medium exec/script/ruby: medium -exec/shell/command: medium fs/file/write: medium net/url/embedded: medium diff --git a/tests/ruby/2024.Ruby_rootkit/Ruby.c.simple b/tests/ruby/2024.Ruby_rootkit/Ruby.c.simple index 7da3aff6d..0fb588c0f 100644 --- a/tests/ruby/2024.Ruby_rootkit/Ruby.c.simple +++ b/tests/ruby/2024.Ruby_rootkit/Ruby.c.simple @@ -1,7 +1,5 @@ -# ruby/2024.Ruby_rootkit/Ruby.c: critical +# ruby/2024.Ruby_rootkit/Ruby.c: high 3P/elastic/rootkit: high c2/refs: medium -evasion/rootkit/kernel: critical evasion/rootkit/refs: high malware/ref: medium -persist/kernel_module/symbol_lookup: high diff --git a/tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple b/tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple index 5deb219c4..758024416 100644 --- a/tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple +++ b/tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple @@ -2,7 +2,6 @@ c2/addr/url: medium c2/refs: high evasion/rootkit/refs: high -exec/shell/command: medium exec/shell/exec: medium impact/remote_access/reverse_shell: high net/tcp/connect: medium diff --git a/tests/windows/2024.GitHub.Clipper/main.exe.simple b/tests/windows/2024.GitHub.Clipper/main.exe.simple index e5a2aea4c..ab0f9b550 100644 --- a/tests/windows/2024.GitHub.Clipper/main.exe.simple +++ b/tests/windows/2024.GitHub.Clipper/main.exe.simple @@ -4,11 +4,11 @@ 3P/ditekshen/vm_evasion_macaddrcomb: critical 3P/elastic/infostealer_wallets: critical 3P/elastic/multi_threat: high -anti-behavior/anti_debugger: medium anti-behavior/random_behavior: low c2/addr/discord: medium c2/addr/http_dynamic: medium c2/addr/ip: medium +c2/discovery/ip_dns_resolver: medium c2/tool_transfer/arch: low c2/tool_transfer/download: high c2/tool_transfer/github: medium @@ -61,7 +61,6 @@ fs/file/create: medium fs/file/delete: medium fs/file/open: low fs/file/read: low -fs/file/rename: low fs/file/write: low fs/path/dev: medium fs/path/etc: low 
diff --git a/tests/windows/2024.aspdasdksa2/Nil.exe.md b/tests/windows/2024.aspdasdksa2/Nil.exe.md index 29a700021..f81cf9aa3 100644 --- a/tests/windows/2024.aspdasdksa2/Nil.exe.md +++ b/tests/windows/2024.aspdasdksa2/Nil.exe.md @@ -3,7 +3,6 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| | CRITICAL | [impact/degrade/win_defender](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/degrade/win_defender.yara#win_defender_exclusion) | Uses powershell to define Windows Defender exclusions | [powershell -Command "Add-MpPreference -ExclusionPath 'C:\'"](https://github.com/search?q=powershell+-Command+%22Add-MpPreference+-ExclusionPath+%27C%3A%5C%27%22&type=code) | -| MEDIUM | [anti-behavior/anti_debugger](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/anti-debugger.yara#win_debugger_present) | Detects if process is being executed within a debugger or VM | [UnhandledExceptionFilter](https://github.com/search?q=UnhandledExceptionFilter&type=code)
[IsDebuggerPresent](https://github.com/search?q=IsDebuggerPresent&type=code) | | MEDIUM | [data/embedded/app_manifest](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/app-manifest.yara#app_manifest) | [Contains embedded Microsoft Windows application manifest](https://learn.microsoft.com/en-us/cpp/build/reference/manifestuac-embeds-uac-information-in-manifest?view=msvc-170) | [requestedExecutionLevel](https://github.com/search?q=requestedExecutionLevel&type=code)
[requestedPrivileges](https://github.com/search?q=requestedPrivileges&type=code) | | MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershell -Command](https://github.com/search?q=powershell+-Command&type=code) | | MEDIUM | [impact/degrade/edr](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/degrade/edr.yara#win_kill_proc) | may be able to bypass or kill EDR software | [IsProcessorFeaturePresent](https://github.com/search?q=IsProcessorFeaturePresent&type=code)
[UnhandledExceptionFilter](https://github.com/search?q=UnhandledExceptionFilter&type=code)
[GetSystemTimeAsFileTime](https://github.com/search?q=GetSystemTimeAsFileTime&type=code)
[QueryPerformanceCounter](https://github.com/search?q=QueryPerformanceCounter&type=code)
[GetCurrentProcess](https://github.com/search?q=GetCurrentProcess&type=code)
[IsDebuggerPresent](https://github.com/search?q=IsDebuggerPresent&type=code)
[GetCurrentThread](https://github.com/search?q=GetCurrentThread&type=code)
[TerminateProcess](https://github.com/search?q=TerminateProcess&type=code)
[GetModuleHandle](https://github.com/search?q=GetModuleHandle&type=code) | diff --git a/tests/windows/2024.aspdasdksa2/creal.exe.simple b/tests/windows/2024.aspdasdksa2/creal.exe.simple index 52fd991e8..81c04f34e 100644 --- a/tests/windows/2024.aspdasdksa2/creal.exe.simple +++ b/tests/windows/2024.aspdasdksa2/creal.exe.simple @@ -1,6 +1,5 @@ # windows/2024.aspdasdksa2/creal.exe: critical 3P/bartblaze/pyinstaller: high -anti-behavior/anti_debugger: medium anti-behavior/random_behavior: low anti-static/packer/pe: high c2/tool_transfer/arch: low diff --git a/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple b/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple index 00fa966b1..ebe810732 100644 --- a/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple +++ b/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple @@ -1,8 +1,5 @@ # windows/clean/Swashbuckle.AspNetCore.ReDoc.dll: medium anti-behavior/random_behavior: low -anti-static/obfuscation/js: medium -anti-static/obfuscation/strtoi: medium -anti-static/obfuscation/utf16: medium c2/client: medium c2/tool_transfer/arch: low c2/tool_transfer/os: low @@ -29,7 +26,6 @@ discover/user/name_get: medium exec/cmd: medium exec/conditional/LANG: low exec/plugin: low -exec/remote_commands/code_eval: medium exec/script/activex: medium exec/shell/SHELL: low exec/shell/TERM: low From 7e71eff2f2edabef3c4b94f6c60b6ff5d8534a61 Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Thu, 1 May 2025 11:21:01 -0500 Subject: [PATCH 02/18] More rules 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- rules/c2/tool_transfer/download.yara | 1 + rules/data/builtin/multiple.yara | 1 + rules/discover/user/username-get.yara | 1 + .../evasion/indicator_blocking/hidden_window.yara | 2 ++ .../indicator_blocking/mask_exceptions.yara | 3 +++ rules/evasion/net/hide_ports.yara | 1 + rules/evasion/self_deletion/run_and_delete.yara | 2 ++ rules/exec/program/opaque.yara | 2 ++ rules/exfil/discord.yara | 1 + rules/exfil/nodejs.yara | 8 ++++++++ rules/exfil/php.yara | 1 + rules/exfil/zip.yara | 2 +- rules/impact/remote_access/backdoor.yara | 3 ++- rules/impact/remote_access/py_setuptools.yara | 14 ++++++++++++++ rules/malware/family/clapzok.yara | 2 +- rules/sus/compiler.yara | 4 ++++ rules/sus/entitlement.yara | 1 + tests/linux/2020.bdvl/bdvl.so.simple | 1 - tests/linux/2022.Symbiote/kerneldev.so.bkp.simple | 2 -- tests/linux/clean/trufflehog.md | 1 - .../build/stealer.js.simple | 1 - .../src/stealer.ts.simple | 1 - 22 files changed, 46 insertions(+), 9 deletions(-) diff --git a/rules/c2/tool_transfer/download.yara b/rules/c2/tool_transfer/download.yara index a66a2b4e6..54400eb26 100644 --- a/rules/c2/tool_transfer/download.yara +++ b/rules/c2/tool_transfer/download.yara @@ -119,6 +119,7 @@ private rule smallerBinary { rule http_archive_url_higher: high { meta: description = "accesses hardcoded archive file endpoint" + filetypes = "application/x-elf,application/x-mach-binary" strings: $ref = /https{0,1}:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.(zip|tar|tgz|gz|xz)/ fullword diff --git a/rules/data/builtin/multiple.yara b/rules/data/builtin/multiple.yara index e76018435..383b26ec6 100644 --- a/rules/data/builtin/multiple.yara +++ b/rules/data/builtin/multiple.yara @@ -30,6 +30,7 @@ private rule _bundled_glibc: medium { rule elf_with_bundled_glibc_and_openssl: high { meta: description = "includes bundled copy of glibc and OpenSSL" + filetypes = "application/x-elf" condition: _bundled_openssl and _bundled_glibc 
diff --git a/rules/discover/user/username-get.yara b/rules/discover/user/username-get.yara index 22b9052db..99e77e805 100644 --- a/rules/discover/user/username-get.yara +++ b/rules/discover/user/username-get.yara @@ -47,6 +47,7 @@ private rule user_pythonSetup { rule pysetup_gets_login: high { meta: description = "Python library installer gets login information" + filetypes = "text/x-python" strings: $ref = "os.getlogin" fullword diff --git a/rules/evasion/indicator_blocking/hidden_window.yara b/rules/evasion/indicator_blocking/hidden_window.yara index a5a1c57ca..9695a90d7 100644 --- a/rules/evasion/indicator_blocking/hidden_window.yara +++ b/rules/evasion/indicator_blocking/hidden_window.yara @@ -30,6 +30,7 @@ private rule hidden_window_pythonSetup { rule subprocess_CREATE_NO_WINDOW_setuptools: high { meta: description = "runs commands, hides windows" + filetypes = "text/x-python" strings: $sub = "subprocess" @@ -42,6 +43,7 @@ rule subprocess_CREATE_NO_WINDOW_setuptools: high { rule subprocess_CREATE_NO_WINDOW_high: high { meta: description = "runs commands, hides windows" + filetypes = "text/x-python" strings: $s_sub = "subprocess" diff --git a/rules/evasion/indicator_blocking/mask_exceptions.yara b/rules/evasion/indicator_blocking/mask_exceptions.yara index ce502bc49..858915d89 100644 --- a/rules/evasion/indicator_blocking/mask_exceptions.yara +++ b/rules/evasion/indicator_blocking/mask_exceptions.yara @@ -19,6 +19,7 @@ private rule indicator_blocking_pythonSetup { rule py_no_fail: medium { meta: description = "Python code that hides exceptions" + filetypes = "text/x-python" strings: $e_short = /except:.{0,4}pass/ fullword @@ -31,6 +32,7 @@ rule py_no_fail: medium { rule setuptools_no_fail: suspicious { meta: description = "Python library installer that hides exceptions" + filetypes = "text/x-python" condition: indicator_blocking_pythonSetup and py_no_fail 
@@ -39,6 +41,7 @@ rule setuptools_no_fail: suspicious {
 rule php_disable_errors: medium {
   meta:
     description = "PHP code that disables error reporting"
+    filetypes = "text/x-php"
 
   strings:
     $err_rep = "error_reporting(0)"
diff --git a/rules/evasion/net/hide_ports.yara b/rules/evasion/net/hide_ports.yara
index 7082c6233..ac8df80cb 100644
--- a/rules/evasion/net/hide_ports.yara
+++ b/rules/evasion/net/hide_ports.yara
@@ -11,6 +11,7 @@ private rule net_elf {
 rule hides_ports: high {
   meta:
     description = "may hide ports"
+    filetypes = "application/x-mach-binary,application/x-elf"
 
   strings:
     $bin_ss = "/usr/bin/ss"
diff --git a/rules/evasion/self_deletion/run_and_delete.yara b/rules/evasion/self_deletion/run_and_delete.yara
index fe9092357..3a56bbd03 100644
--- a/rules/evasion/self_deletion/run_and_delete.yara
+++ b/rules/evasion/self_deletion/run_and_delete.yara
@@ -39,6 +39,7 @@ rule fetch_run_sleep_delete: critical {
 private rule run_delete_py_fetcher: medium {
   meta:
     description = "fetches content"
+    filetypes = "text/x-python"
 
   strings:
     $http_requests = "requests.get" fullword
@@ -56,6 +57,7 @@ private rule run_delete_py_fetcher: medium {
 rule python_setsid_remove: high {
   meta:
     description = "fetch, run in background, delete"
+    filetypes = "text/x-python"
 
   strings:
     $subprocess = /subprocess.\w{1,32}\([\"\'\/\w\ \-\)]{0,64}/
diff --git a/rules/exec/program/opaque.yara b/rules/exec/program/opaque.yara
index 0a05e692d..6e03dda7f 100644
--- a/rules/exec/program/opaque.yara
+++ b/rules/exec/program/opaque.yara
@@ -11,6 +11,7 @@ import "math"
 rule macho_opaque_binary: high {
   meta:
     description = "opaque binary executes mystery command-lines"
+    filetypes = "application/x-mach-binary"
 
   strings:
     $word_with_spaces = /[a-z]{2,16} [a-uxyz]{2,16}/ fullword
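Review bot: Gating hides_ports on `filetypes = "application/x-mach-binary,application/x-elf"` appears to drop true positives: the same patch removes `evasion/net/hide_ports: high` from tests/linux/2020.bdvl/bdvl.so.simple and tests/linux/2022.Symbiote/kerneldev.so.bkp.simple, both userspace-rootkit samples this rule exists to catch. The programkind detection is not visible here, but if shared objects or files with unusual extensions such as `.bkp` are reported as something other than application/x-elf, the filetypes gate silently excludes them; the list should include whatever type programkind assigns to ELF shared objects, or the gate should be left off for rules that already check ELF structure via net_elf. The compiler.yara hunks show the same effect, with kerneldev.so.bkp also losing `sus/compiler: medium`. The rule bodies in this hunk continue past the visible lines.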
@@ -29,6 +30,7 @@ rule macho_opaque_binary: high { rule macho_opaque_binary_long_str: high { meta: description = "opaque binary executes mystery command-lines, contains large alphanumeric string" + filetypes = "application/x-mach-binary" strings: $word_with_spaces = /[a-z]{2,16} [a-uxyz]{2,16}/ fullword diff --git a/rules/exfil/discord.yara b/rules/exfil/discord.yara index 15ec6b44e..480cb70ed 100644 --- a/rules/exfil/discord.yara +++ b/rules/exfil/discord.yara @@ -2,6 +2,7 @@ rule discord_bot: high { meta: description = "Uses the Discord webhooks API" ref = "https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_high.yar#L706" + filetypes = "text/x-python" strings: $ = /discordapp.com\/api\/webhooks[\/\d]{0,32}/ diff --git a/rules/exfil/nodejs.yara b/rules/exfil/nodejs.yara index 6b55b0c10..b41f78887 100644 --- a/rules/exfil/nodejs.yara +++ b/rules/exfil/nodejs.yara @@ -3,6 +3,7 @@ import "math" rule nodejs_sysinfoexfil: high { meta: description = "may gather and exfiltrate system information" + filetypes = "application/javascript" strings: $proc1 = "process.platform" @@ -20,6 +21,7 @@ rule nodejs_sysinfoexfil: high { rule nodejs_phone_home: high { meta: description = "accesses system information and reports back" + filetypes = "application/javascript" strings: $f_homedir = "os.homedir" @@ -45,6 +47,7 @@ rule nodejs_phone_home: high { rule nodejs_phone_home_obscure: critical { meta: description = "accesses system information and uploads it" + filetypes = "application/javascript" strings: $f_homedir = "homedir" @@ -73,6 +76,7 @@ rule nodejs_phone_home_obscure: critical { rule nodejs_phone_home_interact_sh: critical { meta: description = "accesses system information and uploads it to a known site" + filetypes = "application/javascript" strings: $ref = /[\w]{8,32}\.interactsh\.com/ 
@@ -88,6 +92,7 @@ rule nodejs_phone_home_interact_sh: critical {
 rule nodejs_phone_home_hardcoded_host: critical {
   meta:
     description = "accesses system information and uploads it to hardcoded host"
+    filetypes = "application/javascript"
 
   strings:
     $ref = /hostname: "[\w\.\-]{5,63}",/
@@ -99,6 +104,7 @@ rule nodejs_phone_home_hardcoded_host: critical {
 rule post_hardcoded_hardcoded_host: medium {
   meta:
     description = "posts content to a hardcoded host"
+    filetypes = "application/javascript"
 
   strings:
     $ref = /hostname: "[\w\.\-]{5,63}",/
@@ -112,6 +118,7 @@ rule post_hardcoded_hardcoded_host: medium {
 rule post_hardcoded_hardcoded_host_os: high {
   meta:
     description = "posts content to a hardcoded host"
+    filetypes = "application/javascript"
 
   strings:
     $ref = /hostname: "[\w\.\-]{5,63}",/
@@ -151,6 +158,7 @@ private rule nodejs_iplookup_website: high {
 rule get_hardcoded_hardcoded_host_os: critical {
   meta:
     description = "leaks host information to a hardcoded host"
+    filetypes = "application/javascript"
 
   strings:
     $ref = /get\([\"']https{0,1}:\/\/[\w\.\-]{5,63}.{0,64}\?.{0,16}=[\'"]\s{0,2}\+/
diff --git a/rules/exfil/php.yara b/rules/exfil/php.yara
index a651a618d..613296509 100644
--- a/rules/exfil/php.yara
+++ b/rules/exfil/php.yara
@@ -1,6 +1,7 @@
 rule python_sysinfo_http: high {
   meta:
     description = "exfiltrate system information"
+    filetypes = "text/x-php"
 
   strings:
     $r_user = "getpass.getuser"
diff --git a/rules/exfil/zip.yara b/rules/exfil/zip.yara
index 2d4bd5412..7b269e9ba 100644
--- a/rules/exfil/zip.yara
+++ b/rules/exfil/zip.yara
@@ -2,6 +2,7 @@ rule zip_a_folder: medium {
   meta:
     description = "may zip up a local directory for exiltration"
     ref = "https://www.npmjs.com/package/zip-a-folder"
+    filetypes = "application/javascript"
 
   strings:
     $zip_a_fold = /zip-a-fold[a-z]{0,2}/
@@ -10,4 +11,3 @@ rule zip_a_folder: medium {
   condition:
     any of them
 }
-
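Review bot: The `filetypes = "text/x-php"` added to python_sysinfo_http in rules/exfil/php.yara does not match the rule's content: its name and its `$r_user = "getpass.getuser"` string target Python, so once the filetype gate is enforced the rule will stop firing on the Python samples it was written for. If the rule is indeed a Python rule that landed in php.yara, the line should be `filetypes = "text/x-python"` (and the rule arguably belongs in a Python-named file); if it is meant to cover PHP, its name and strings need updating instead. The rest of the rule's strings and its condition lie outside the hunk, so I cannot confirm whether any PHP-specific strings follow.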
diff --git a/rules/impact/remote_access/backdoor.yara b/rules/impact/remote_access/backdoor.yara index 9dd9d4a0b..8eb80a2b3 100644 --- a/rules/impact/remote_access/backdoor.yara +++ b/rules/impact/remote_access/backdoor.yara @@ -112,6 +112,7 @@ private rule backdoor_small_macho { rule macho_backdoor_libc_signature: high { meta: description = "executes libc functions common to backdoors" + filetypes = "application/x-mach-binary" strings: $word_with_spaces = /[a-z]{2,16} [a-uxyz]{2,16}/ fullword @@ -155,7 +156,7 @@ rule macho_backdoor_libc_signature: high { rule minecraft_load_fetch_class_backdoor: critical { meta: description = "likely minecraft backdoor" - filetypes = "class,java" + filetypes = "application/java-vm,text/x-java" strings: $minecraft = "minecraft" diff --git a/rules/impact/remote_access/py_setuptools.yara b/rules/impact/remote_access/py_setuptools.yara index ad325cd2d..f9b5a662d 100644 --- a/rules/impact/remote_access/py_setuptools.yara +++ b/rules/impact/remote_access/py_setuptools.yara @@ -24,6 +24,7 @@ private rule remote_access_pythonSetup { rule setuptools_oslogin: medium { meta: description = "Python library installer that accesses user information" + filetypes = "text/x-python" strings: $oslogin = "os.login()" @@ -35,6 +36,7 @@ rule setuptools_oslogin: medium { rule setuptools_homedir: high { meta: description = "Python library installer that users home directory" + filetypes = "text/x-python" strings: $oslogin = "C:\\Users\\.{0,64}os.login()" @@ -46,6 +48,7 @@ rule setuptools_homedir: high { rule setuptools_cmd_exec: high { meta: description = "Python library installer that executes external commands" + filetypes = "text/x-python" strings: $f_os_system = /os.system\([\"\'\.:\\\{\w\ \-\)\/]{0,64}/ 
@@ -65,6 +68,7 @@ rule setuptools_cmd_exec: high { rule setuptools_cmd_exec_start: critical { meta: description = "Python library installer that executes the Windows 'start' command" + filetypes = "text/x-python" strings: $f_os_system = /os.system\([f\"\']{0,2}start .{0,64}/ @@ -79,6 +83,7 @@ rule setuptools_cmd_exec_start: critical { rule setuptools_eval: medium { meta: description = "Python library installer that evaluates arbitrary code" + filetypes = "text/x-python" strings: $f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword @@ -90,6 +95,7 @@ rule setuptools_eval: medium { rule setuptools_eval_high: high { meta: description = "Python library installer that evaluates arbitrary code" + filetypes = "text/x-python" strings: $f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword @@ -102,6 +108,7 @@ rule setuptools_eval_high: high { rule setuptools_exec: medium { meta: description = "Python library installer that executes arbitrary code" + filetypes = "text/x-python" strings: $f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword @@ -115,6 +122,7 @@ rule setuptools_exec: medium { rule setuptools_exec_high: high { meta: description = "Python library installer that evaluates arbitrary code" + filetypes = "text/x-python" strings: $f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword @@ -136,6 +144,7 @@ rule setuptools_exec_high: high { rule setuptools_b64decode: suspicious { meta: description = "Python library installer that does base64 decoding" + filetypes = "text/x-python" strings: $base64 = "b64decode" @@ -147,6 +156,7 @@ rule setuptools_b64decode: suspicious { rule setuptools_preinstall: suspicious { meta: description = "Python library installer that imports a pre_install script" + filetypes = "text/x-python" strings: $preinstall = "import preinstall" 
@@ -161,6 +171,7 @@ rule setuptools_preinstall: suspicious { rule setuptools_b64encode: suspicious { meta: description = "Python library installer that does base64 encoding" + filetypes = "text/x-python" strings: $base64 = "b64encode" @@ -172,6 +183,7 @@ rule setuptools_b64encode: suspicious { rule setuptools_exec_powershell: critical windows { meta: description = "Python library installer that runs powershell" + filetypes = "text/x-python" strings: $powershell = "powershell" fullword @@ -185,6 +197,7 @@ rule setuptools_exec_powershell: critical windows { rule setuptools_os_path_exists: medium { meta: description = "Python library installer that checks for file existence" + filetypes = "text/x-python" strings: $ref = /[\w\.]{0,8}path.exists\([\"\'\w\ \-\)\/]{0,32}/ @@ -199,6 +212,7 @@ rule setuptools_os_path_exists: medium { rule setuptools_excessive_bitwise_math: critical { meta: description = "Python library installer that makes heavy use of bitwise math" + filetypes = "text/x-python" strings: $x = /\-{0,1}\d{1,8} \<\< \-{0,1}\d{1,8}/ diff --git a/rules/malware/family/clapzok.yara b/rules/malware/family/clapzok.yara index 09e5c7551..f4aa1a542 100644 --- a/rules/malware/family/clapzok.yara +++ b/rules/malware/family/clapzok.yara @@ -7,6 +7,7 @@ rule clapzok_macho: critical { meta: description = "likely infected with Clapzok" ref = "https://www.virusbulletin.com/virusbulletin/2013/06/multiplatform-madness" + filetypes = "application/x-mach-binary" strings: $ref = "SfcIsFileProtected" @@ -14,4 +15,3 @@ rule clapzok_macho: critical { condition: filesize < 10MB and is_macho and $ref in (filesize - 2200..filesize - 100) } - diff --git a/rules/sus/compiler.yara b/rules/sus/compiler.yara index 3cc659682..8a446d887 100644 --- a/rules/sus/compiler.yara +++ b/rules/sus/compiler.yara 
@@ -1,6 +1,7 @@ rule archaic_gcc: medium { meta: description = "built by an ancient version of GCC" + filetypes = "application/x-mach-binary,application/x-elf" strings: $gcc_v4 = /GCC: \([\w \.\-\~]{1,128}\) 4\.\d{1,16}\.\d{1,128}/ @@ -13,6 +14,7 @@ rule archaic_gcc: medium { rule small_opaque_archaic_gcc: high linux { meta: description = "small and built by an ancient version of GCC" + filetypes = "application/x-mach-binary,application/x-elf" strings: $gcc_v4 = /GCC: \([\w \.\-\~]{1,128}\) 4\.\d{1,16}\.\d{1,128}/ @@ -35,6 +37,7 @@ private rule binary { rule multiple_gcc: medium { meta: description = "built with multiple versions of GCC" + filetypes = "application/x-mach-binary,application/x-elf" strings: $gcc = /GCC: \([\w \.\-\~\(\)]{8,64}/ fullword @@ -46,6 +49,7 @@ rule multiple_gcc: medium { rule multiple_gcc_high: high { meta: description = "built with multiple versions of GCC" + filetypes = "application/x-mach-binary,application/x-elf" strings: $gcc = /GCC: \([\w \.\-\~\(\)]{8,64}/ fullword diff --git a/rules/sus/entitlement.yara b/rules/sus/entitlement.yara index 9a5e05dc7..23d0a045e 100644 --- a/rules/sus/entitlement.yara +++ b/rules/sus/entitlement.yara @@ -11,6 +11,7 @@ private rule entitlement_macho { rule com_apple_get_task_allow: medium { meta: description = "debug binary" + filetypes = "application/x-mach-binary" strings: $get_task_allow = "com.apple.security.get-task-allow" diff --git a/tests/linux/2020.bdvl/bdvl.so.simple b/tests/linux/2020.bdvl/bdvl.so.simple index 11e734c80..3a5e61a98 100644 --- a/tests/linux/2020.bdvl/bdvl.so.simple +++ b/tests/linux/2020.bdvl/bdvl.so.simple @@ -13,7 +13,6 @@ evasion/hijack_execution/etc_ld.so.preload: medium evasion/indicator_blocking/process: high evasion/logging/acct: low evasion/logging/hide_shell_history: high -evasion/net/hide_ports: high evasion/process_injection/dlsym: high evasion/process_injection/ptrace: medium evasion/rootkit/userspace: high 
diff --git a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple index 97fb0e7bd..daf2493d1 100644 --- a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple +++ b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple @@ -7,7 +7,6 @@ discover/network/interface_list: medium discover/system/platform: low evasion/bypass_security/linux/pam: medium evasion/indicator_blocking/process: high -evasion/net/hide_ports: high evasion/rootkit/userspace: critical exec/dylib/symbol_address: medium exfil/stealer/pam: critical @@ -25,4 +24,3 @@ net/ip/byte_order: medium net/ip/parse: medium net/socket/receive: low net/socket/send: low -sus/compiler: medium diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md index 6d39abd7f..ad4cd66f8 100644 --- a/tests/linux/clean/trufflehog.md +++ b/tests/linux/clean/trufflehog.md @@ -45,7 +45,6 @@ | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#exec_cmd_run) | executes external programs | [).CombinedOutput](https://github.com/search?q=%29.CombinedOutput&type=code)
[exec.(*Cmd).Run](https://github.com/search?q=exec.%28%2ACmd%29.Run&type=code) | | MEDIUM | [exec/script/osa](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/script/osascript.yara#osascript_caller) | runs osascript | [display dialog](https://github.com/search?q=display+dialog&type=code) | | MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershell](https://github.com/search?q=powershell&type=code) | -| MEDIUM | [exfil/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/discord.yara#discord_bot) | [Uses the Discord webhooks API](https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_high.yar#L706) | [discord.com/api/webhooks/](https://github.com/search?q=discord.com%2Fapi%2Fwebhooks%2F&type=code) | | MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code) | | MEDIUM | [exfil/stealer/creds](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/creds.yara#suspected_data_stealer) | suspected data stealer | [Snowflake](https://github.com/search?q=Snowflake&type=code)
[Telegram](https://github.com/search?q=Telegram&type=code)
[History](https://github.com/search?q=History&type=code)
[Binance](https://github.com/search?q=Binance&type=code)
[Discord](https://github.com/search?q=Discord&type=code)
[OpenVPN](https://github.com/search?q=OpenVPN&type=code)
[Firefox](https://github.com/search?q=Firefox&type=code)
[Atomic](https://github.com/search?q=Atomic&type=code)
[Chrome](https://github.com/search?q=Chrome&type=code) | | MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#file_io_uploader) | uploads content to file.io | [file.io](https://github.com/search?q=file.io&type=code)
[POST](https://github.com/search?q=POST&type=code)
[post](https://github.com/search?q=post&type=code) | diff --git a/tests/typescript/2021.CursedGrabber.an0n-chat-lib/build/stealer.js.simple b/tests/typescript/2021.CursedGrabber.an0n-chat-lib/build/stealer.js.simple index 65173d59a..024e24c53 100644 --- a/tests/typescript/2021.CursedGrabber.an0n-chat-lib/build/stealer.js.simple +++ b/tests/typescript/2021.CursedGrabber.an0n-chat-lib/build/stealer.js.simple @@ -5,7 +5,6 @@ c2/tool_transfer/os: low collect/databases/leveldb: medium data/encoding/json_decode: low discover/user/info: medium -exfil/discord: high exfil/stealer: high exfil/stealer/browser: high fs/file/read: low diff --git a/tests/typescript/2021.CursedGrabber.an0n-chat-lib/src/stealer.ts.simple b/tests/typescript/2021.CursedGrabber.an0n-chat-lib/src/stealer.ts.simple index 73d8357ea..e0fa9b5f8 100644 --- a/tests/typescript/2021.CursedGrabber.an0n-chat-lib/src/stealer.ts.simple +++ b/tests/typescript/2021.CursedGrabber.an0n-chat-lib/src/stealer.ts.simple @@ -5,7 +5,6 @@ c2/tool_transfer/os: low collect/databases/leveldb: medium data/encoding/json_decode: low discover/user/info: medium -exfil/discord: high exfil/stealer: high exfil/stealer/browser: high fs/file/read: low From 76da51ea91a08e1f7962284462a7c08c2515c178 Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Thu, 1 May 2025 11:49:53 -0500 Subject: [PATCH 03/18] Tweak Discord rule Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- rules/exfil/discord.yara | 25 ++++++++++++++----- tests/linux/clean/trufflehog.md | 1 + .../build/stealer.js.simple | 1 + .../src/stealer.ts.simple | 1 + 4 files changed, 22 insertions(+), 6 deletions(-) diff --git a/rules/exfil/discord.yara b/rules/exfil/discord.yara index 480cb70ed..f63b7c3d5 100644 --- a/rules/exfil/discord.yara +++ b/rules/exfil/discord.yara 
@@ -1,16 +1,29 @@ rule discord_bot: high { meta: description = "Uses the Discord webhooks API" - ref = "https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_high.yar#L706" - filetypes = "text/x-python" strings: - $ = /discordapp.com\/api\/webhooks[\/\d]{0,32}/ - $ = /discord.com\/api\/webhooks[\/\d]{0,32}/ - $ = "import discord" + $webhook_endpoint = /discordapp.com\/api\/webhooks[\/\d]{0,32}/ + $webhook_endpoint2 = /discord.com\/api\/webhooks[\/\d]{0,32}/ + $l_discordjs = "discord.js" + $l_discord4j = "discord4j" + $l_discordgo = "discordgo" + $l_discord = "import discord" + $l_disnake = "import disnake" + $l_hikari = "import hikari" + $l_interactions = "import interactions" + $l_nextcord = "import nextcord" + $l_jda = "net.dv8tion:JDA" + $l_discordia = "discordia" + $l_eris = /require\(("|')eris("|')\);/ + $l_oceanic = /require\(("|')oceanic.js("|')\);/ + $l_discordphp = "use Discord\\Discord;" + + $not_pypi_index = /\"index_date\":\"\d{4}-\d{2}\d{2}\"/ + $not_pypi_index2 = "\"package_names\"" condition: - any of them + any of them and none of ($not*) } private rule iplookup_website_value_copy: high { diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md index ad4cd66f8..31f6f5063 100644 --- a/tests/linux/clean/trufflehog.md +++ b/tests/linux/clean/trufflehog.md @@ -45,6 +45,7 @@ | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#exec_cmd_run) | executes external programs | [).CombinedOutput](https://github.com/search?q=%29.CombinedOutput&type=code)
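Review bot: The `$not_pypi_index` regex `/\"index_date\":\"\d{4}-\d{2}\d{2}\"/` has no separator between the month and day groups, so it only matches a `YYYY-MMDD` value; if the index emits ISO `YYYY-MM-DD` dates this exclusion never fires and should read `/\"index_date\":\"\d{4}-\d{2}-\d{2}\"/` (the whitespace-only discord.yara hunk in PATCH 04 carries the same pattern). Separately, the meta description still says "Uses the Discord webhooks API" while the new `$l_*` strings fire on bare library names such as `discordia`, `discordgo` and `discord.js` without `fullword`, so any text that merely mentions one of those libraries now scores high under a description that no longer fits the rule; a description covering client libraries and `fullword` on the short literals would make the finding honest. Dropping `filetypes = "text/x-python"` also widens the rule to every file type, which is presumably intended given the JS/Go/Java/PHP strings but is worth a one-line comment so the next reader does not restore it.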
[exec.(*Cmd).Run](https://github.com/search?q=exec.%28%2ACmd%29.Run&type=code) | | MEDIUM | [exec/script/osa](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/script/osascript.yara#osascript_caller) | runs osascript | [display dialog](https://github.com/search?q=display+dialog&type=code) | | MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershell](https://github.com/search?q=powershell&type=code) | +| MEDIUM | [exfil/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/discord.yara#discord_bot) | Uses the Discord webhooks API | [discord.com/api/webhooks/](https://github.com/search?q=discord.com%2Fapi%2Fwebhooks%2F&type=code) | | MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code) | | MEDIUM | [exfil/stealer/creds](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/creds.yara#suspected_data_stealer) | suspected data stealer | [Snowflake](https://github.com/search?q=Snowflake&type=code)
[Telegram](https://github.com/search?q=Telegram&type=code)
[History](https://github.com/search?q=History&type=code)
[Binance](https://github.com/search?q=Binance&type=code)
[Discord](https://github.com/search?q=Discord&type=code)
[OpenVPN](https://github.com/search?q=OpenVPN&type=code)
[Firefox](https://github.com/search?q=Firefox&type=code)
[Atomic](https://github.com/search?q=Atomic&type=code)
[Chrome](https://github.com/search?q=Chrome&type=code) | | MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#file_io_uploader) | uploads content to file.io | [file.io](https://github.com/search?q=file.io&type=code)
[POST](https://github.com/search?q=POST&type=code)
[post](https://github.com/search?q=post&type=code) | diff --git a/tests/typescript/2021.CursedGrabber.an0n-chat-lib/build/stealer.js.simple b/tests/typescript/2021.CursedGrabber.an0n-chat-lib/build/stealer.js.simple index 024e24c53..65173d59a 100644 --- a/tests/typescript/2021.CursedGrabber.an0n-chat-lib/build/stealer.js.simple +++ b/tests/typescript/2021.CursedGrabber.an0n-chat-lib/build/stealer.js.simple @@ -5,6 +5,7 @@ c2/tool_transfer/os: low collect/databases/leveldb: medium data/encoding/json_decode: low discover/user/info: medium +exfil/discord: high exfil/stealer: high exfil/stealer/browser: high fs/file/read: low diff --git a/tests/typescript/2021.CursedGrabber.an0n-chat-lib/src/stealer.ts.simple b/tests/typescript/2021.CursedGrabber.an0n-chat-lib/src/stealer.ts.simple index e0fa9b5f8..73d8357ea 100644 --- a/tests/typescript/2021.CursedGrabber.an0n-chat-lib/src/stealer.ts.simple +++ b/tests/typescript/2021.CursedGrabber.an0n-chat-lib/src/stealer.ts.simple @@ -5,6 +5,7 @@ c2/tool_transfer/os: low collect/databases/leveldb: medium data/encoding/json_decode: low discover/user/info: medium +exfil/discord: high exfil/stealer: high exfil/stealer/browser: high fs/file/read: low From d42cc8d0cd9413c2d463cc8132853d7f146e697b Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Thu, 1 May 2025 12:03:24 -0500 Subject: [PATCH 04/18] Fix up tests 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- pkg/programkind/programkind_test.go | 2 +- pkg/report/report.go | 2 +- rules/c2/tool_transfer/download.yara | 5 +++- rules/c2/tool_transfer/exe_url.yara | 21 +++++++++---- rules/exfil/discord.yara | 30 +++++++++---------- rules/impact/remote_access/botnet.yara | 9 +++--- rules/impact/remote_access/reverse_shell.yara | 2 ++ ...67c-455a-afe4-de6183431d0d_111.json.simple | 3 +- ...-82ad-4a6c-82b8-296c1f691449_2.json.simple | 3 +- ...399-4191-af1d-4feeac1f1f46_108.json.simple | 3 +- ...f01-4f43-a872-605b678968b0_111.json.simple | 3 +- .../linux/clean/misp_sample.ndjson.log.simple | 3 +- .../wikiticker-2015-09-12-sampled.json.simple | 3 +- 13 files changed, 50 insertions(+), 39 deletions(-) diff --git a/pkg/programkind/programkind_test.go b/pkg/programkind/programkind_test.go index c1c19d27a..0810332f3 100644 --- a/pkg/programkind/programkind_test.go +++ b/pkg/programkind/programkind_test.go @@ -49,7 +49,7 @@ func TestPath(t *testing.T) { {"/etc/systemd/system/launcher.service", &FileType{MIME: "text/x-systemd", Ext: "service"}}, {"yarn-package.json", &FileType{MIME: "application/json", Ext: "json"}}, {"/home/yeti/.hidden/package.json", &FileType{MIME: "application/json", Ext: "json"}}, - {"unknown.json", nil}, + {"unknown.json", &FileType{MIME: "application/json", Ext: "json"}}, } for _, tt := range tests { t.Run(tt.in, func(t *testing.T) { diff --git a/pkg/report/report.go b/pkg/report/report.go index 2105efcff..5e5aa037c 100644 --- a/pkg/report/report.go +++ b/pkg/report/report.go @@ -365,7 +365,7 @@ func TrimPrefixes(path string, prefixes []string) string { return path } -// fileMatchesRules checks the scanned file's type against a rule's defined filetypes +// fileMatchesRules checks the scanned file's type against a rule's defined filetypes. func fileMatchesRule(meta []yarax.Metadata, mime string) bool { for _, m := range meta { if m.Identifier() == "filetypes" { 
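Review bot: The `unknown.json` table entry now expects `&FileType{MIME: "application/json", Ext: "json"}` instead of `nil`, but nothing in the hunk records why an unrecognised name is no longer unclassified, and the entry's name still reads as a negative case. A short comment on that line, `// unrecognised .json names presumably fall back to the extension-derived type`, would preserve the intent the old `nil` expectation carried; the programkind change driving this is in an earlier patch of the series and not visible here. `TestPath` begins before this hunk.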
diff --git a/rules/c2/tool_transfer/download.yara b/rules/c2/tool_transfer/download.yara index 54400eb26..3c1ddeb39 100644 --- a/rules/c2/tool_transfer/download.yara +++ b/rules/c2/tool_transfer/download.yara @@ -26,6 +26,7 @@ rule download_sites: high { $not_manual = "manually upload" $not_paste_go = "paste.go" $not_netlify = "netlify.app" + $not_misp_galaxy = "misp-galaxy:" condition: any of ($d_*) and none of ($not*) @@ -56,8 +57,10 @@ rule pastebin: medium { strings: $d_pastebin = /[\w\.]{1,128}astebin[\w\.\/]{1,128}/ + $not_misp_galaxy = "misp-galaxy:" + condition: - any of ($d_*) + any of ($d_*) and none of ($not*) } rule program_dropper_url: medium { diff --git a/rules/c2/tool_transfer/exe_url.yara b/rules/c2/tool_transfer/exe_url.yara index 0b1e35d1a..4a13bf471 100644 --- a/rules/c2/tool_transfer/exe_url.yara +++ b/rules/c2/tool_transfer/exe_url.yara @@ -5,6 +5,7 @@ rule http_url_with_exe: high { strings: $exe_url = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.exe/ $not_mongodb_404 = "https://docs.mongodb.com/manual/reference/method/Bulk.exe" + $not_elastic = "\"license\": \"Elastic License v2\"" condition: any of ($exe*) and none of ($not*) @@ -17,8 +18,10 @@ rule http_ip_url_with_exe: critical { strings: $exe_url = /https*:\/\/[\d\.\:\[\]]{8,64}[:\/\w\_\-\?\@=]{6,160}\.exe/ + $not_elastic = "\"license\": \"Elastic License v2\"" + condition: - any of ($exe*) + any of ($exe*) and none of ($not*) } rule http_url_with_msi: high { @@ -28,8 +31,10 @@ rule http_url_with_msi: high { strings: $exe_url = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.msi/ + $not_elastic = "\"license\": \"Elastic License v2\"" + condition: - any of ($exe*) + any of ($exe*) and none of ($not*) } rule http_ip_url_with_msi: critical { 
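Review bot: `$not_misp_galaxy = "misp-galaxy:"` in both `download_sites` and `pastebin` is a whole-file exclusion: one occurrence of that literal anywhere suppresses every `$d_*` hit, including for the high-severity `download_sites` rule. A MISP galaxy export presumably contains the tag many times, so a count-based form such as `#not_misp_galaxy > 3`, or a `filetypes` restriction on the rule, would exclude the fixture without giving a single short string that much leverage over a high finding. A comment beside the string, `// MISP galaxy exports list download/paste sites as IoCs`, would also record why a tag name is an exclusion at all.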
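Review bot: All six rules in exe_url.yara gain `$not_elastic = "\"license\": \"Elastic License v2\""` as an unconditional `none of ($not*)` exclusion, so a license header anywhere in a file silences even the critical `http_ip_url_with_exe` and `http_ip_url_with_msi` rules; the same string is added to `reverse_shell` and `possible_reverse_shell` in the PATCH 04 reverse_shell.yara hunks, and the three exe_url hunks on the following line share the defect. The intent is evidently to quiet the Kibana detection-rule fixtures, but a license string is a weak discriminator for critical findings; a pattern drawn from the fixture's own JSON structure, or a `filetypes` scope on these rules, would suppress less. At minimum a comment next to the first `$not_elastic`, `// Elastic/Kibana detection-rule JSON embeds .exe/.msi/.ps1 URLs as IoCs`, should record why a license string is an exclusion.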
@@ -39,8 +44,10 @@ rule http_ip_url_with_msi: critical { strings: $exe_url = /https*:\/\/[\d\.\:\[\]]{8,64}[:\/\w\_\-\?\@=]{6,160}\.msi/ + $not_elastic = "\"license\": \"Elastic License v2\"" + condition: - any of ($exe*) + any of ($exe*) and none of ($not*) } rule http_url_with_powershell: high { @@ -50,8 +57,10 @@ rule http_url_with_powershell: high { strings: $exe_url = /https*:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.ps1/ + $not_elastic = "\"license\": \"Elastic License v2\"" + condition: - any of ($exe*) + any of ($exe*) and none of ($not*) } rule http_ip_url_with_powershell: critical { @@ -61,6 +70,8 @@ rule http_ip_url_with_powershell: critical { strings: $exe_url = /https*:\/\/[\d\.\:\[\]]{8,64}[:\/\w\_\-\?\@=]{6,160}\.ps1/ + $not_elastic = "\"license\": \"Elastic License v2\"" + condition: - any of ($exe*) + any of ($exe*) and none of ($not*) } diff --git a/rules/exfil/discord.yara b/rules/exfil/discord.yara index f63b7c3d5..6c15d1f9d 100644 --- a/rules/exfil/discord.yara +++ b/rules/exfil/discord.yara 
@@ -3,23 +3,23 @@ rule discord_bot: high { description = "Uses the Discord webhooks API" strings: - $webhook_endpoint = /discordapp.com\/api\/webhooks[\/\d]{0,32}/ + $webhook_endpoint = /discordapp.com\/api\/webhooks[\/\d]{0,32}/ $webhook_endpoint2 = /discord.com\/api\/webhooks[\/\d]{0,32}/ - $l_discordjs = "discord.js" - $l_discord4j = "discord4j" - $l_discordgo = "discordgo" - $l_discord = "import discord" - $l_disnake = "import disnake" - $l_hikari = "import hikari" - $l_interactions = "import interactions" - $l_nextcord = "import nextcord" - $l_jda = "net.dv8tion:JDA" - $l_discordia = "discordia" - $l_eris = /require\(("|')eris("|')\);/ - $l_oceanic = /require\(("|')oceanic.js("|')\);/ - $l_discordphp = "use Discord\\Discord;" + $l_discordjs = "discord.js" + $l_discord4j = "discord4j" + $l_discordgo = "discordgo" + $l_discord = "import discord" + $l_disnake = "import disnake" + $l_hikari = "import hikari" + $l_interactions = "import interactions" + $l_nextcord = "import nextcord" + $l_jda = "net.dv8tion:JDA" + $l_discordia = "discordia" + $l_eris = /require\(("|')eris("|')\);/ + $l_oceanic = /require\(("|')oceanic.js("|')\);/ + $l_discordphp = "use Discord\\Discord;" - $not_pypi_index = /\"index_date\":\"\d{4}-\d{2}\d{2}\"/ + $not_pypi_index = /\"index_date\":\"\d{4}-\d{2}\d{2}\"/ $not_pypi_index2 = "\"package_names\"" condition: diff --git a/rules/impact/remote_access/botnet.yara b/rules/impact/remote_access/botnet.yara index cee3ce7fe..0e47f334e 100644 --- a/rules/impact/remote_access/botnet.yara +++ b/rules/impact/remote_access/botnet.yara 
@@ -28,10 +28,11 @@ rule botnet_high: high { description = "References a 'botnet'" strings: - $bot_deployed = "bot deployed" - $botnet = "Botnet" - $not_phishing = "phishing" - $not_keylogger = "keylogger" + $bot_deployed = "bot deployed" + $botnet = "Botnet" + $not_phishing = "phishing" + $not_keylogger = "keylogger" + $not_wikiticker_contribution = "Undid revision 680586363 by" condition: filesize < 20MB and any of ($bot*) and none of ($not*) diff --git a/rules/impact/remote_access/reverse_shell.yara b/rules/impact/remote_access/reverse_shell.yara index 2f8daa864..51074e67e 100644 --- a/rules/impact/remote_access/reverse_shell.yara +++ b/rules/impact/remote_access/reverse_shell.yara @@ -9,6 +9,7 @@ rule reverse_shell: high { $r_reverse_space_shell = "reverse shell" nocase fullword $r_revshell = "revshell" $r_stdin_redir = "0>&1" fullword + $not_elastic = "\"license\": \"Elastic License v2\"" $not_ref_1 = "reverse shellConf" $not_ref_2 = "reverse shellshare" $not_pypi_index = "testpack-id-lb001" @@ -27,6 +28,7 @@ rule possible_reverse_shell: medium { $sh_bash = "/bin/bash" $sh = "/bin/sh" + $not_elastic = "\"license\": \"Elastic License v2\"" $not_uc2 = "ucs2reverse" $not_pypi_index = "testpack-id-lb001" diff --git a/tests/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json.simple b/tests/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json.simple index f5c69d915..91bdb6920 100644 --- a/tests/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json.simple +++ b/tests/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json.simple @@ -1,6 +1,5 @@ -# linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json: high +# linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json: medium 3P/sig_base/hacktool_strings_p0wnedshell: low -c2/tool_transfer/exe_url: high c2/tool_transfer/os: low exec/shell/power: medium impact/infection/infected: medium 
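Review bot: `$not_wikiticker_contribution = "Undid revision 680586363 by"` pins the exclusion to one specific revision id from the wikiticker fixture, so it only ever suppresses that sample and never any other edit summary that happens to mention a botnet. If the goal is to ignore wiki-edit metadata, a shape-based string such as `/Undid revision \d{6,12} by/` generalises the exclusion without widening it much; otherwise a comment naming the fixture, `// wikiticker sample: Wikipedia revert summaries mention "botnet"`, would at least explain the magic number. The reverse_shell.yara hunks that follow carry the `$not_elastic` concern already raised on exe_url.yara.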
diff --git a/tests/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json.simple b/tests/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json.simple index 432344dfc..58be526e4 100644 --- a/tests/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json.simple +++ b/tests/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json.simple @@ -1,6 +1,5 @@ -# linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json: high +# linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json: medium 3P/sig_base/p0wnedpotato: low -c2/tool_transfer/exe_url: high c2/tool_transfer/os: low exec/shell/power: medium net/download: medium diff --git a/tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple b/tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple index 5fb237fee..c67526075 100644 --- a/tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple +++ b/tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple @@ -1,7 +1,6 @@ -# linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json: high +# linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json: medium 3P/sig_base/hacktool_strings_p0wnedshell: low c2/addr/url: medium -c2/tool_transfer/exe_url: high c2/tool_transfer/os: low credential/password: low exec/shell/power: medium diff --git a/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple b/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple index c61ff66ea..6a395f6ad 100644 --- a/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple +++ b/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple 
@@ -1,4 +1,4 @@ -# linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json: high +# linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json: medium 3P/sig_base/hacktool_strings_p0wnedshell: low 3P/sig_base/hktl_domainpasswordspray: low 3P/sig_base/p0wnedpotato: low @@ -15,7 +15,6 @@ exfil/upload: medium impact/infection/infected: medium impact/remote_access/backdoor: medium impact/remote_access/implant: medium -impact/remote_access/reverse_shell: high malware/ref: medium net/dns/txt: low net/download: medium diff --git a/tests/linux/clean/misp_sample.ndjson.log.simple b/tests/linux/clean/misp_sample.ndjson.log.simple index 1dbf6bfc4..d1f3449c3 100644 --- a/tests/linux/clean/misp_sample.ndjson.log.simple +++ b/tests/linux/clean/misp_sample.ndjson.log.simple @@ -1,7 +1,6 @@ -# linux/clean/misp_sample.ndjson.log: high +# linux/clean/misp_sample.ndjson.log: medium c2/addr/ip: medium c2/addr/url: medium -c2/tool_transfer/download: high c2/tool_transfer/os: low crypto/aes: low crypto/decrypt: low diff --git a/tests/linux/clean/wikiticker-2015-09-12-sampled.json.simple b/tests/linux/clean/wikiticker-2015-09-12-sampled.json.simple index 330fb1884..6b8d859f8 100644 --- a/tests/linux/clean/wikiticker-2015-09-12-sampled.json.simple +++ b/tests/linux/clean/wikiticker-2015-09-12-sampled.json.simple @@ -1,4 +1,4 @@ -# linux/clean/wikiticker-2015-09-12-sampled.json: high +# linux/clean/wikiticker-2015-09-12-sampled.json: medium anti-behavior/blocklist/user: medium anti-behavior/random_behavior: low c2/addr/ip: medium @@ -12,7 +12,6 @@ fs/file/delete_forcibly: low fs/path/relative: medium impact/infection/worm: medium impact/remote_access/agent: medium -impact/remote_access/botnet: high impact/remote_access/implant: medium impact/remote_access/trojan: medium net/download: medium From 48ba623de238ec3155a0559755a27f49ef202ccd Mon Sep 17 00:00:00 2001 
From: egibs <20933572+egibs@users.noreply.github.com> Date: Thu, 1 May 2025 12:34:43 -0500 Subject: [PATCH 05/18] Fix up Windows samples Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- rules/anti-behavior/anti-debugger.yara | 4 ++-- tests/windows/2024.GitHub.Clipper/main.exe.simple | 1 + tests/windows/2024.aspdasdksa2/Nil.exe.md | 1 + tests/windows/2024.aspdasdksa2/creal.exe.simple | 1 + 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/anti-behavior/anti-debugger.yara b/rules/anti-behavior/anti-debugger.yara index c82253c5a..1fbcb97c2 100644 --- a/rules/anti-behavior/anti-debugger.yara +++ b/rules/anti-behavior/anti-debugger.yara @@ -1,7 +1,7 @@ rule win_debugger_present: medium windows { meta: description = "Detects if process is being executed within a debugger" - filetypes = "text/x-powershell" + filetypes = "text/x-powershell,application/octet-stream,application/vnd.microsoft.portable-executable" strings: $debug_idp = "IsDebuggerPresent" @@ -14,7 +14,7 @@ rule win_debugger_present: medium windows { rule win_debugger_or_vm: medium windows { meta: description = "Detects if process is being executed within a debugger or VM" - filetypes = "text/x-powershell" + filetypes = "text/x-powershell,application/octet-stream,application/vnd.microsoft.portable-executable" strings: $cpu_pfp = "IsProcessorFeaturePresent" diff --git a/tests/windows/2024.GitHub.Clipper/main.exe.simple b/tests/windows/2024.GitHub.Clipper/main.exe.simple index ab0f9b550..0dbd1351f 100644 --- a/tests/windows/2024.GitHub.Clipper/main.exe.simple +++ b/tests/windows/2024.GitHub.Clipper/main.exe.simple @@ -4,6 +4,7 @@ 3P/ditekshen/vm_evasion_macaddrcomb: critical 3P/elastic/infostealer_wallets: critical 3P/elastic/multi_threat: high +anti-behavior/anti_debugger: medium anti-behavior/random_behavior: low c2/addr/discord: medium c2/addr/http_dynamic: medium 
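Review bot: The new `filetypes` value adds `application/octet-stream`, which is the generic fallback MIME for anything the classifier cannot identify, so the gate on `win_debugger_present` and `win_debugger_or_vm` now admits most unrecognised binaries and blobs rather than just PowerShell and PE files. If the Windows fixtures are being typed as octet-stream instead of `application/vnd.microsoft.portable-executable`, that looks like a programkind classification gap worth fixing at the source rather than in every rule; if the widening is deliberate, a comment on the meta line, `// octet-stream: packed or unrecognised PE samples are not always typed as PE`, would record it. Both rules in this file set the same value, so the note applies to the second hunk as well.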
diff --git a/tests/windows/2024.aspdasdksa2/Nil.exe.md b/tests/windows/2024.aspdasdksa2/Nil.exe.md index f81cf9aa3..29a700021 100644 --- a/tests/windows/2024.aspdasdksa2/Nil.exe.md +++ b/tests/windows/2024.aspdasdksa2/Nil.exe.md @@ -3,6 +3,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| | CRITICAL | [impact/degrade/win_defender](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/degrade/win_defender.yara#win_defender_exclusion) | Uses powershell to define Windows Defender exclusions | [powershell -Command "Add-MpPreference -ExclusionPath 'C:\'"](https://github.com/search?q=powershell+-Command+%22Add-MpPreference+-ExclusionPath+%27C%3A%5C%27%22&type=code) | +| MEDIUM | [anti-behavior/anti_debugger](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/anti-debugger.yara#win_debugger_present) | Detects if process is being executed within a debugger or VM | [UnhandledExceptionFilter](https://github.com/search?q=UnhandledExceptionFilter&type=code)
[IsDebuggerPresent](https://github.com/search?q=IsDebuggerPresent&type=code) | | MEDIUM | [data/embedded/app_manifest](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/app-manifest.yara#app_manifest) | [Contains embedded Microsoft Windows application manifest](https://learn.microsoft.com/en-us/cpp/build/reference/manifestuac-embeds-uac-information-in-manifest?view=msvc-170) | [requestedExecutionLevel](https://github.com/search?q=requestedExecutionLevel&type=code)
[requestedPrivileges](https://github.com/search?q=requestedPrivileges&type=code) | | MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershell -Command](https://github.com/search?q=powershell+-Command&type=code) | | MEDIUM | [impact/degrade/edr](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/degrade/edr.yara#win_kill_proc) | may be able to bypass or kill EDR software | [IsProcessorFeaturePresent](https://github.com/search?q=IsProcessorFeaturePresent&type=code)
[UnhandledExceptionFilter](https://github.com/search?q=UnhandledExceptionFilter&type=code)
[GetSystemTimeAsFileTime](https://github.com/search?q=GetSystemTimeAsFileTime&type=code)
[QueryPerformanceCounter](https://github.com/search?q=QueryPerformanceCounter&type=code)
[GetCurrentProcess](https://github.com/search?q=GetCurrentProcess&type=code)
[IsDebuggerPresent](https://github.com/search?q=IsDebuggerPresent&type=code)
[GetCurrentThread](https://github.com/search?q=GetCurrentThread&type=code)
[TerminateProcess](https://github.com/search?q=TerminateProcess&type=code)
[GetModuleHandle](https://github.com/search?q=GetModuleHandle&type=code) | diff --git a/tests/windows/2024.aspdasdksa2/creal.exe.simple b/tests/windows/2024.aspdasdksa2/creal.exe.simple index 81c04f34e..52fd991e8 100644 --- a/tests/windows/2024.aspdasdksa2/creal.exe.simple +++ b/tests/windows/2024.aspdasdksa2/creal.exe.simple @@ -1,5 +1,6 @@ # windows/2024.aspdasdksa2/creal.exe: critical 3P/bartblaze/pyinstaller: high +anti-behavior/anti_debugger: medium anti-behavior/random_behavior: low anti-static/packer/pe: high c2/tool_transfer/arch: low From bdba3bfcdc8afd1f19aacf83ba48b652ec9f789e Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Thu, 1 May 2025 12:50:06 -0500 Subject: [PATCH 06/18] Run make yara-x-fmt Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- rules/impact/remote_access/reverse_shell.yara | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/impact/remote_access/reverse_shell.yara b/rules/impact/remote_access/reverse_shell.yara index 51074e67e..a26223c30 100644 --- a/rules/impact/remote_access/reverse_shell.yara +++ b/rules/impact/remote_access/reverse_shell.yara @@ -9,7 +9,7 @@ rule reverse_shell: high { $r_reverse_space_shell = "reverse shell" nocase fullword $r_revshell = "revshell" $r_stdin_redir = "0>&1" fullword - $not_elastic = "\"license\": \"Elastic License v2\"" + $not_elastic = "\"license\": \"Elastic License v2\"" $not_ref_1 = "reverse shellConf" $not_ref_2 = "reverse shellshare" $not_pypi_index = "testpack-id-lb001" From 47e875a4ea41313199c5d81612d52d504ffc6fd7 Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Mon, 19 May 2025 07:05:15 -0500 Subject: [PATCH 07/18] Fix merge conflict artifacts 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- rules/anti-static/obfuscation/js.yara | 37 +++++++++++-------- rules/anti-static/obfuscation/python.yara | 15 +------- rules/exec/remote_commands/code_eval.yara | 2 +- .../lottie-player.min.js.mdiff | 5 +-- .../3937.844b09f50594ca2613b4.js.map.simple | 1 - ...4796BB27126E03A7E25DD5D589.cache.js.simple | 2 + ...D016DDDA0665CB8CD8EEA6C537.cache.js.simple | 1 + .../clean/securityDashboards.plugin.js.simple | 1 + tests/javascript/clean/yarn-3.8.7.cjs.simple | 1 + tests/linux/clean/appsec-rules.json.simple | 1 - tests/linux/clean/default_config.json.simple | 1 - ...348-47ba-9741-1202a09556ad_101.json.simple | 1 - ...399-4191-af1d-4feeac1f1f46_108.json.simple | 1 - .../kibana/securitySolution.chunk.9.js.simple | 1 + tests/linux/clean/melange.simple | 1 + .../linux/clean/misp_sample.ndjson.log.simple | 1 - .../clean/pypi_package_index.json.simple | 1 - tests/npm/2024.bugsnagmw/index.js.simple | 3 +- .../package.json.simple | 1 - tests/npm/2024.noblox/postinstall.js.json | 8 ++-- .../wp-engine-fast-action.php.simple | 1 - .../module.audio-video.quicktime.php.simple | 1 - .../clean/setuptools/namespaces.py.simple | 2 +- .../Swashbuckle.AspNetCore.ReDoc.dll.simple | 1 + 24 files changed, 39 insertions(+), 51 deletions(-) diff --git a/rules/anti-static/obfuscation/js.yara b/rules/anti-static/obfuscation/js.yara index f1a2a24bb..bee2dd95f 100644 --- a/rules/anti-static/obfuscation/js.yara +++ b/rules/anti-static/obfuscation/js.yara 
@@ -1,5 +1,20 @@ import "math" +rule js_var_misdirection: medium { + meta: + description = "multiple layers of variable misdirection" + filetypes = "application/javascript" + + strings: + $short_mix_high = /var [a-z]{0,2}[A-Z]{1,2}[a-z]\w{1,2}\s{0,2}=\s{0,2}\w{0,2}[A-Z]\w{1,2}[\;\(\[]/ + $empty = /var [a-z]{1,3}[A-Z][a-z]{0,2}\s{0,2}=\s{0,2}"";/ + $short_mix_low = /var [a-z][A-Z]{1,6}\w{1,2}\s{0,2}=\s{0,2}\w{0,2}[A-Z]\w{1,2}[\;\(\[]/ + $short_low = /var [a-z]{1,3}\s{0,2}=\s{0,2}\w{0,2}[A-Z]\w{1,2}[\;\(\[]/ + + condition: + filesize < 4MB and 3 of them +} + rule character_obfuscation: medium { meta: description = "obfuscated javascript that relies on character manipulation" @@ -137,19 +152,6 @@ rule js_hex_obfuscation: high { filesize < 1MB and any of them } -rule js_hex_obfuscation: high { - meta: - description = "javascript function obfuscation (hex)" - filetypes = "application/javascript" - - strings: - $return = /return _{0,4}0x[\w]{0,32}[\(\w]{0,32}/ - $const = /const _{0,4}0x[\w]{0,32}\s*=[\w]{0,32}/ - - condition: - filesize < 1MB and #return > 5 and #const > 5 -} - rule high_entropy: medium { meta: description = "high entropy javascript (>6)" @@ -333,12 +335,13 @@ rule high_entropy_charAt: medium { $s_for = /for\s{0,2}\(/ condition: - obfs_probably_js and math.entropy(1, filesize) >= 5.37 and all of them + math.entropy(1, filesize) >= 5.37 and all of them } rule charAt_long_string: medium { meta: description = "uses charAt/substr/join loops with a long variable" + filetypes = "application/javascript" strings: $s_charAt = "charAt(" 
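Review bot: `js_var_misdirection` fires on `3 of them` with no occurrence counts, and `$short_low` (`/var [a-z]{1,3}\s{0,2}=\s{0,2}\w{0,2}[A-Z]\w{1,2}[\;\(\[]/`) and `$empty` describe ordinary minified output (constructed examples: `var a=B1;`, `var aB="";`), so one hit of each in any bundler artifact under 4MB is enough for a medium finding. Requiring repetition, e.g. `#short_mix_high > 3 and #short_low > 3` alongside the existing condition, would tie the rule to the layered misdirection its description names rather than to minification in general. In the `high_entropy_charAt` hunk the `obfs_probably_js` guard is removed but, unlike `charAt_long_string` directly below it, no `filetypes` line is visible for that rule; if its meta (outside the hunk) has none, it now applies to every file type.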
@@ -351,12 +354,13 @@ rule charAt_long_string: medium { $long_garbage = /['"][\w\~\!\@\#\$\%\^\&\*\(\)\{\}\?\+\/\/\=\-\;\[\]\.><\,\`\'\"_\\:]{16,256}[\s\%\$]{1,2}[\w\~\!\@\#\$\%\^\&\*\(\)\{\}\?\+\/\/\=\-\;\[\]\.><\,\`\'\"_\\:]{0,256}/ condition: - obfs_probably_js and all of ($s*) and any of ($long*) + all of ($s*) and any of ($long*) } rule charAt_long_vars: medium { meta: description = "uses charAt/substr/join loops with long variables" + filetypes = "application/javascript" strings: $s_charAt = "charAt(" @@ -369,12 +373,13 @@ rule charAt_long_vars: medium { $long_garbage = /['"][\w\~\!\@\#\$\%\^\&\*\(\)\{\}\?\+\/\/\=\-\;\[\]\.><\,\`\'\"_\\:]{16,256}[\s\%\$]{1,2}[\w\~\!\@\#\$\%\^\&\*\(\)\{\}\?\+\/\/\=\-\;\[\]\.><\,\`\'\"_\\:]{0,256}/ condition: - obfs_probably_js and all of ($s*) and (#long_string + #long_garbage) > 3 + all of ($s*) and (#long_string + #long_garbage) > 3 } rule obfuscated_require: high { meta: description = "sets variable to the 'require' keyword" + filetypes = "application/javascript" strings: $ = /global\[\"\w{1,16}\"\]\s{0,2}=\s{0,2}require;/ diff --git a/rules/anti-static/obfuscation/python.yara b/rules/anti-static/obfuscation/python.yara index c2e8fd8e3..34fc9d3c4 100644 --- a/rules/anti-static/obfuscation/python.yara +++ b/rules/anti-static/obfuscation/python.yara @@ -248,7 +248,7 @@ rule py_lib_alias_val: medium { $val } -rule multi_decode_3: medium { +rule multi_decode_3: high { meta: description = "multiple (3+) levels of decoding" filetypes = "text/x-python" 
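Review bot: Raising `multi_decode_3` to `high` while the next hunk deletes `multi_decode_3_smaller_file` drops the `filesize < 256KB` bound that previously gated the high severity, so the surviving rule now scores any Python file under 10MB matching its (presumably identical) decode chain as high. If the size bound was the distinction the old pair encoded, keep `filesize < 256KB` in the high rule; if it was not, a comment such as `// high regardless of size: a 3-deep decode chain is rare outside loaders` would justify the change. The three js.yara hunks above that swap `obfs_probably_js` for `filetypes = "application/javascript"` look right and need nothing further.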
@@ -261,19 +261,6 @@ rule multi_decode_3: medium { filesize < 10MB and all of them } -rule multi_decode_3_smaller_file: high { - meta: - description = "multiple (3+) levels of decoding" - filetypes = "py" - - strings: - $return = "return" - $decode_or_b64decode = /\.[b64]{0,3}decode\(.{0,256}\.[b64]{0,3}decode\(.{0,256}\.[b64]{0,3}decode/ - - condition: - obfs_probably_python and filesize < 256KB and all of them -} - rule multi_decode: medium { meta: description = "multiple (2) levels of decoding" diff --git a/rules/exec/remote_commands/code_eval.yara b/rules/exec/remote_commands/code_eval.yara index 0458291d1..e400d9524 100644 --- a/rules/exec/remote_commands/code_eval.yara +++ b/rules/exec/remote_commands/code_eval.yara @@ -85,7 +85,7 @@ rule js_anonymous_function: medium { $run = /\n\s{0,8}\}\)\(\);/ condition: - eval_probably_js and filesize < 5MB and all of them and (@run - @func) > 384 + filesize < 5MB and all of them and (@run - @func) > 384 } rule python_exec: medium { diff --git a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff index ebf6c067b..13bc2cd8c 100644 --- a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff +++ b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff @@ -1,6 +1,6 @@ -## Changed (50 added, 5 removed): javascript/2024.lottie-player/lottie-player.min.js [🟡 MEDIUM → 😈 CRITICAL] +## Changed (49 added, 5 removed): javascript/2024.lottie-player/lottie-player.min.js [🟡 MEDIUM → 😈 CRITICAL] -### 50 new behaviors +### 49 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| @@ -9,7 +9,6 @@ | +HIGH | **[c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#exotic_tld)** | Contains HTTP hostname with unusual top-level domain | [https://api.mantlescan.xyz/](https://api.mantlescan.xyz/)
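Review bot: Removing `eval_probably_js and` leaves js_anonymous_function gated only by `filesize < 5MB`, `all of them` and the `(@run - @func) > 384` offset distance; nothing in this hunk adds a `filetypes = "application/javascript"` meta in its place, and the rule's meta block and `$func` string are outside the hunk. Because `@func` and `@run` are first-occurrence offsets, a non-JavaScript file that happens to contain the `$func` pattern and, more than 384 bytes later, a `})();` closer would now match; please confirm the meta carries the JavaScript filetype. A short comment on the condition, e.g. `// require a non-trivial body between the IIFE open and its close`, would also document why 384 was chosen.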
[https://mantlescan.xyz/](https://mantlescan.xyz/)
[https://openchain.xyz/](https://openchain.xyz/) | | +HIGH | **[data/builtin/appkit](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/builtin/appkit.yara#appkit)** | Includes AppKit, a web3 blockchain library | [Price impact reflects the change in market price due to your trade](https://github.com/search?q=Price+impact+reflects+the+change+in+market+price+due+to+your+trade&type=code)
[Select which chain to connect to your multi](https://github.com/search?q=Select+which+chain+to+connect+to+your+multi&type=code) | | +MEDIUM | **[anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse)** | contains a large hexadecimal string variable | [toString("hex");](https://github.com/search?q=toString%28%22hex%22%29%3B&type=code) | -| +MEDIUM | **[anti-static/obfuscation/python](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/python.yara#multi_decode_3)** | multiple (3+) levels of decoding | [.decode(n);return o._baseCache.set(i,t),o}},jE=(e,t)=>{switch(e[0]){case"Q":{let r=t||N_;return[N_.prefix,r.decode(`${N_.prefix}${e}`)]}case N_.prefix:{let r=t||N_;return[N_.prefix,r.decode(e)]}case y_.prefix:{let r=t||y_;return[y_.prefix,r.decode(e)]}default:if(null==t)throw Error("To parse non base32 or base58btc encoded CID multibase decoder must be provided");return[e[0],t.decode](https://github.com/search?q=.decode%28n%29%3Breturn+o._baseCache.set%28i%2Ct%29%2Co%7D%7D%2CjE%3D%28e%2Ct%29%3D%3E%7Bswitch%28e%5B0%5D%29%7Bcase%22Q%22%3A%7Blet+r%3Dt%7C%7CN_%3Breturn%5BN_.prefix%2Cr.decode%28%60%24%7BN_.prefix%7D%24%7Be%7D%60%29%5D%7Dcase+N_.prefix%3A%7Blet+r%3Dt%7C%7CN_%3Breturn%5BN_.prefix%2Cr.decode%28e%29%5D%7Dcase+y_.prefix%3A%7Blet+r%3Dt%7C%7Cy_%3Breturn%5By_.prefix%2Cr.decode%28e%29%5D%7Ddefault%3Aif%28null%3D%3Dt%29throw+Error%28%22To+parse+non+base32+or+base58btc+encoded+CID+multibase+decoder+must+be+provided%22%29%3Breturn%5Be%5B0%5D%2Ct.decode&type=code)
[.decode(n);return o._baseCache.set(i,t),o}},vB=(e,t)=>{switch(e[0]){case"Q":{let r=t||fN;return[fN.prefix,r.decode(`${fN.prefix}${e}`)]}case fN.prefix:{let r=t||fN;return[fN.prefix,r.decode(e)]}case JO.prefix:{let r=t||JO;return[JO.prefix,r.decode(e)]}default:if(null==t)throw Error("To parse non base32 or base58btc encoded CID multibase decoder must be provided");return[e[0],t.decode](https://github.com/search?q=.decode%28n%29%3Breturn+o._baseCache.set%28i%2Ct%29%2Co%7D%7D%2CvB%3D%28e%2Ct%29%3D%3E%7Bswitch%28e%5B0%5D%29%7Bcase%22Q%22%3A%7Blet+r%3Dt%7C%7CfN%3Breturn%5BfN.prefix%2Cr.decode%28%60%24%7BfN.prefix%7D%24%7Be%7D%60%29%5D%7Dcase+fN.prefix%3A%7Blet+r%3Dt%7C%7CfN%3Breturn%5BfN.prefix%2Cr.decode%28e%29%5D%7Dcase+JO.prefix%3A%7Blet+r%3Dt%7C%7CJO%3Breturn%5BJO.prefix%2Cr.decode%28e%29%5D%7Ddefault%3Aif%28null%3D%3Dt%29throw+Error%28%22To+parse+non+base32+or+base58btc+encoded+CID+multibase+decoder+must+be+provided%22%29%3Breturn%5Be%5B0%5D%2Ct.decode&type=code) | | +MEDIUM | **[c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord)** | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) | | +MEDIUM | **[c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID)** | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code)
[clientId](https://github.com/search?q=clientId&type=code) | | +MEDIUM | **[c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref)** | references multiple operating systems | [https://](https://)
[http://](http://)
[Windows](https://github.com/search?q=Windows&type=code)
[windows](https://github.com/search?q=windows&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[linux](https://github.com/search?q=linux&type=code) | diff --git a/tests/javascript/clean/3937.844b09f50594ca2613b4.js.map.simple b/tests/javascript/clean/3937.844b09f50594ca2613b4.js.map.simple index f0d609c89..4f256c367 100644 --- a/tests/javascript/clean/3937.844b09f50594ca2613b4.js.map.simple +++ b/tests/javascript/clean/3937.844b09f50594ca2613b4.js.map.simple @@ -1,5 +1,4 @@ # javascript/clean/3937.844b09f50594ca2613b4.js.map: medium -c2/addr/url: medium c2/tool_transfer/os: low exec/shell/power: medium false-positives/mattermost: low diff --git a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple index 94b355942..38f50a1c8 100644 --- a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple +++ b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple @@ -1,6 +1,7 @@ # javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js: medium anti-behavior/random_behavior: low anti-static/obfuscation/js: medium +anti-static/obfuscation/math: medium c2/addr/ip: medium c2/addr/server: medium c2/client: medium @@ -47,6 +48,7 @@ exec/conditional/LANG: low exec/plugin: low exec/program: medium exec/program/background: low +exec/remote_commands/code_eval: medium exec/shell/command: medium exec/shell/power: medium exec/tty/pathname: medium diff --git a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple index 37372af6b..89e3f52d7 100644 --- a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple +++ b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple @@ -1,6 +1,7 @@ # javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js: medium anti-behavior/random_behavior: low anti-static/obfuscation/js: medium +anti-static/obfuscation/math: medium c2/addr/ip: medium c2/addr/server: medium c2/client: medium 
diff --git a/tests/javascript/clean/securityDashboards.plugin.js.simple b/tests/javascript/clean/securityDashboards.plugin.js.simple index 2855cc3e3..31054d0cc 100644 --- a/tests/javascript/clean/securityDashboards.plugin.js.simple +++ b/tests/javascript/clean/securityDashboards.plugin.js.simple @@ -2,6 +2,7 @@ anti-behavior/random_behavior: low anti-static/obfuscation/bitwise: medium anti-static/obfuscation/js: medium +anti-static/obfuscation/math: medium anti-static/xor/functions: medium c2/tool_transfer/dropper: medium c2/tool_transfer/os: medium diff --git a/tests/javascript/clean/yarn-3.8.7.cjs.simple b/tests/javascript/clean/yarn-3.8.7.cjs.simple index e8bc2ba3c..dd2d6c8d5 100644 --- a/tests/javascript/clean/yarn-3.8.7.cjs.simple +++ b/tests/javascript/clean/yarn-3.8.7.cjs.simple @@ -1,6 +1,7 @@ # javascript/clean/yarn-3.8.7.cjs: medium anti-behavior/random_behavior: low anti-static/obfuscation/hex: medium +anti-static/obfuscation/math: medium c2/addr/ip: medium c2/tool_transfer/arch: low c2/tool_transfer/github: medium diff --git a/tests/linux/clean/appsec-rules.json.simple b/tests/linux/clean/appsec-rules.json.simple index f7f33d7b4..3c29eaf37 100644 --- a/tests/linux/clean/appsec-rules.json.simple +++ b/tests/linux/clean/appsec-rules.json.simple @@ -1,5 +1,4 @@ # linux/clean/appsec-rules.json: medium -c2/addr/url: medium collect/databases/mysql: medium collect/databases/postgresql: medium collect/databases/sqlite: medium diff --git a/tests/linux/clean/default_config.json.simple b/tests/linux/clean/default_config.json.simple index 618311bb1..699e01598 100644 --- a/tests/linux/clean/default_config.json.simple +++ b/tests/linux/clean/default_config.json.simple @@ -1,5 +1,4 @@ # linux/clean/default_config.json: medium -c2/addr/url: medium collect/databases/mysql: medium collect/databases/postgresql: medium collect/databases/sqlite: medium 
diff --git a/tests/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json.simple b/tests/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json.simple index 507b9d252..8c4083204 100644 --- a/tests/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json.simple +++ b/tests/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json.simple @@ -1,5 +1,4 @@ # linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json: medium -c2/addr/url: medium c2/tool_transfer/os: low exec/shell/power: medium false-positives/kibana: low diff --git a/tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple b/tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple index c67526075..8f1441792 100644 --- a/tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple +++ b/tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple @@ -1,6 +1,5 @@ # linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json: medium 3P/sig_base/hacktool_strings_p0wnedshell: low -c2/addr/url: medium c2/tool_transfer/os: low credential/password: low exec/shell/power: medium diff --git a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple index fdc9c1dbc..f15927b14 100644 --- a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple +++ b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple @@ -1,6 +1,7 @@ # linux/clean/kibana/securitySolution.chunk.9.js: medium anti-behavior/random_behavior: low anti-static/obfuscation/js: medium +anti-static/obfuscation/math: medium c2/addr/ip: medium c2/addr/url: low c2/discovery/dyndns: medium diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple index a5e9bb384..bad04c5ba 100644 --- a/tests/linux/clean/melange.simple +++ b/tests/linux/clean/melange.simple 
@@ -61,6 +61,7 @@ evasion/file/location/system_directory: medium evasion/file/prefix: medium evasion/hide_artifacts/pivot_root: medium exec/cmd: medium +exec/cmd/pipe: medium exec/plugin: low exec/program: medium exec/shell/TERM: low diff --git a/tests/linux/clean/misp_sample.ndjson.log.simple b/tests/linux/clean/misp_sample.ndjson.log.simple index d1f3449c3..bc411c8bf 100644 --- a/tests/linux/clean/misp_sample.ndjson.log.simple +++ b/tests/linux/clean/misp_sample.ndjson.log.simple @@ -1,6 +1,5 @@ # linux/clean/misp_sample.ndjson.log: medium c2/addr/ip: medium -c2/addr/url: medium c2/tool_transfer/os: low crypto/aes: low crypto/decrypt: low diff --git a/tests/linux/clean/pypi_package_index.json.simple b/tests/linux/clean/pypi_package_index.json.simple index 75ca179be..0998fd517 100644 --- a/tests/linux/clean/pypi_package_index.json.simple +++ b/tests/linux/clean/pypi_package_index.json.simple @@ -16,7 +16,6 @@ credential/keychain: medium credential/keylogger: medium credential/password: low credential/password/hashcat: medium -credential/sniffer/bpf: medium credential/ssh/d: medium credential/ssl/private_key: low crypto/aes: low diff --git a/tests/npm/2024.bugsnagmw/index.js.simple b/tests/npm/2024.bugsnagmw/index.js.simple index b0ce9227a..3a4c38a79 100644 --- a/tests/npm/2024.bugsnagmw/index.js.simple +++ b/tests/npm/2024.bugsnagmw/index.js.simple @@ -1,8 +1,7 @@ # npm/2024.bugsnagmw/index.js: critical anti-static/obfuscation/bool: medium anti-static/obfuscation/hex: medium -anti-static/obfuscation/js: critical -c2/addr/url: medium +anti-static/obfuscation/js: high data/encoding/int: medium discover/ip/public: high net/http: low diff --git a/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple b/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple index ab69cbf72..6a9780a25 100644 --- a/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple +++ b/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple 
@@ -1,5 +1,4 @@ # npm/2024.legacyreact-aws-s3-typescript/package.json: critical -c2/addr/url: medium exec/program/hidden: medium exec/shell/background_launcher: high exfil/npm: high diff --git a/tests/npm/2024.noblox/postinstall.js.json b/tests/npm/2024.noblox/postinstall.js.json index db604c7d5..60139b677 100644 --- a/tests/npm/2024.noblox/postinstall.js.json +++ b/tests/npm/2024.noblox/postinstall.js.json @@ -2046,11 +2046,11 @@ "return _0xc65b7", "return _0xa137f" ], - "RiskScore": 4, - "RiskLevel": "CRITICAL", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/js.yara#multiple_js_hex_obfuscation", + "RiskScore": 3, + "RiskLevel": "HIGH", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/js.yara#js_hex_obfuscation", "ID": "anti-static/obfuscation/js", - "RuleName": "multiple_js_hex_obfuscation" + "RuleName": "js_hex_obfuscation" }, { "Description": "complex math and string to integer conversion", diff --git a/tests/php/2024.WordFence.evasion/wp-engine-fast-action.php.simple b/tests/php/2024.WordFence.evasion/wp-engine-fast-action.php.simple index 5a2065702..c52c7bb02 100644 --- a/tests/php/2024.WordFence.evasion/wp-engine-fast-action.php.simple +++ b/tests/php/2024.WordFence.evasion/wp-engine-fast-action.php.simple @@ -1,5 +1,4 @@ # php/2024.WordFence.evasion/wp-engine-fast-action.php: critical anti-static/obfuscation/php: high -c2/addr/url: medium data/embedded/base64: medium data/encoding/reverse: low diff --git a/tests/php/clean/module.audio-video.quicktime.php.simple b/tests/php/clean/module.audio-video.quicktime.php.simple index 04f7eccd8..5eb215b39 100644 --- a/tests/php/clean/module.audio-video.quicktime.php.simple +++ b/tests/php/clean/module.audio-video.quicktime.php.simple 
@@ -1,7 +1,6 @@ # php/clean/module.audio-video.quicktime.php: medium anti-static/obfuscation/bitwise: medium anti-static/obfuscation/hex: medium -c2/addr/url: medium c2/tool_transfer/os: low crypto/encrypt: medium data/compression/zlib: low diff --git a/tests/python/clean/setuptools/namespaces.py.simple b/tests/python/clean/setuptools/namespaces.py.simple index 07ed4ff63..28aedf1ae 100644 --- a/tests/python/clean/setuptools/namespaces.py.simple +++ b/tests/python/clean/setuptools/namespaces.py.simple @@ -1,4 +1,4 @@ -# python/clean/setuptools/namespaces.py: medium +# python/clean/setuptools/namespaces.py: low data/encoding/json_encode: low exec/imports/python: low false-positives/setuptools: low diff --git a/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple b/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple index ebe810732..75d428cc6 100644 --- a/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple +++ b/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple @@ -1,5 +1,6 @@ # windows/clean/Swashbuckle.AspNetCore.ReDoc.dll: medium anti-behavior/random_behavior: low +anti-static/obfuscation/math: medium c2/client: medium c2/tool_transfer/arch: low c2/tool_transfer/os: low From 81c9d1f8c1f62e1728da01a104331e92dbd24af7 Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Mon, 19 May 2025 07:08:16 -0500 Subject: [PATCH 08/18] Remove JSON from map 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- pkg/action/testdata/scan_oci | 152 ------------------ pkg/programkind/programkind.go | 1 - rules/exec/cmd/npm_preinstall.yara | 4 - rules/exec/remote_commands/code_eval.yara | 1 - .../3937.844b09f50594ca2613b4.js.map.simple | 9 -- tests/javascript/clean/index.js.map.simple | 17 -- tests/linux/clean/appsec-rules.json.simple | 76 --------- .../aws-c-io-0.14.10-r0.spdx.json.simple | 4 - .../aws-c-io-0.14.11-r0.spdx.json.simple | 4 - tests/linux/clean/aws-c-io/aws-c-io.sdiff | 1 - tests/linux/clean/default_config.json.simple | 76 --------- ...758-4c5e-b57e-c735914ee32a_101.json.simple | 7 - ...67c-455a-afe4-de6183431d0d_111.json.simple | 10 -- ...-9b70-456b-b6b8-007c7d246128_5.json.simple | 16 -- ...348-47ba-9741-1202a09556ad_101.json.simple | 9 -- ...735-4b24-9cc6-c78dfc9fc9c9_108.json.simple | 8 - ...-82ad-4a6c-82b8-296c1f691449_2.json.simple | 8 - ...399-4191-af1d-4feeac1f1f46_108.json.simple | 10 -- ...f01-4f43-a872-605b678968b0_111.json.simple | 24 --- ...cess_dumping_keychain_security.json.simple | 4 - ...ender_exclusion_via_powershell.json.simple | 8 - .../linux/clean/misp_sample.ndjson.log.simple | 13 -- .../clean/pypi_package_index.json.simple | 131 --------------- tests/linux/clean/rules.json.simple | 78 --------- tests/linux/clean/searchindex.json.simple | 71 -------- .../clean/sonarlint-metadata.json.simple | 74 --------- .../wikiticker-2015-09-12-sampled.json.simple | 23 --- .../npm/2024.depe-tool/preinstall.json.simple | 3 - 28 files changed, 842 deletions(-) diff --git a/pkg/action/testdata/scan_oci b/pkg/action/testdata/scan_oci index 62482f5bf..5f57f73dd 100644 --- a/pkg/action/testdata/scan_oci +++ b/pkg/action/testdata/scan_oci 
@@ -69,158 +69,6 @@ "SHA256": "", "Size": 0, "RiskScore": 0 - }, - "/var/lib/db/sbom/ca-certificates-bundle-20240705-r0.spdx.json": { - "Path": "testdata/static.tar.xz ∴ /var/lib/db/sbom/ca-certificates-bundle-20240705-r0.spdx.json", - "SHA256": "da392082c5abe93e62ac6b557fd1dae8aedb16851c76a8b0b942235c4f24fcf2", - "Size": 1768, - "Behaviors": [ - { - "Description": "references a specific architecture", - "MatchStrings": [ - "https://", - "x86_64" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref", - "ID": "c2/tool_transfer/arch", - "RuleName": "arch_ref" - }, - { - "Description": "references a specific operating system", - "MatchStrings": [ - "https://", - "linux" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#os_ref", - "ID": "c2/tool_transfer/os", - "RuleName": "os_ref" - }, - { - "Description": "download files", - "MatchStrings": [ - "downloadLocation" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download", - "ID": "net/download", - "RuleName": "download" - }, - { - "Description": "contains embedded HTTPS URLs", - "MatchStrings": [ - "https://spdx.org/spdxdocs/chainguard/melange/e8bb6c0f7fc0c77fe29111695575" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url", - "ID": "net/url/embedded", - "RuleName": "https_url" - } - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM" - }, - "/var/lib/db/sbom/tzdata-2024b-r0.spdx.json": { - "Path": "testdata/static.tar.xz ∴ /var/lib/db/sbom/tzdata-2024b-r0.spdx.json", - "SHA256": "d30d9bc94854359f6e4164fca583b5a51e1a6625c7e8b4b0563364e676a5bcaf", - "Size": 1725, - "Behaviors": [ - { - "Description": "references a specific 
architecture", - "MatchStrings": [ - "https://", - "x86_64" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref", - "ID": "c2/tool_transfer/arch", - "RuleName": "arch_ref" - }, - { - "Description": "download files", - "MatchStrings": [ - "downloadLocation" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download", - "ID": "net/download", - "RuleName": "download" - }, - { - "Description": "contains embedded HTTPS URLs", - "MatchStrings": [ - "https://spdx.org/spdxdocs/chainguard/melange/7b86e6ff94c1f8dfe207a3ffaf7f" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url", - "ID": "net/url/embedded", - "RuleName": "https_url" - }, - { - "Description": "Uses timezone information", - "MatchStrings": [ - "tzdata" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/time/tzinfo.yara#tzinfo", - "ID": "os/time/tzinfo", - "RuleName": "tzinfo" - } - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM" - }, - "/var/lib/db/sbom/wolfi-baselayout-20230201-r15.spdx.json": { - "Path": "testdata/static.tar.xz ∴ /var/lib/db/sbom/wolfi-baselayout-20230201-r15.spdx.json", - "SHA256": "2553d473dbfb8842254573d68cd3e857b2e9546fb746d8ae7fc3c243c9eca8ca", - "Size": 1425, - "Behaviors": [ - { - "Description": "references a specific architecture", - "MatchStrings": [ - "https://", - "x86_64" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref", - "ID": "c2/tool_transfer/arch", - "RuleName": "arch_ref" - }, - { - "Description": "download files", - "MatchStrings": [ - "downloadLocation" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", 
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download", - "ID": "net/download", - "RuleName": "download" - }, - { - "Description": "contains embedded HTTPS URLs", - "MatchStrings": [ - "https://spdx.org/spdxdocs/chainguard/melange/568a7518ce6c3bdb5ddcf51a311c" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url", - "ID": "net/url/embedded", - "RuleName": "https_url" - } - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM" } } } diff --git a/pkg/programkind/programkind.go b/pkg/programkind/programkind.go index 27ab55f22..5f8e6aee9 100644 --- a/pkg/programkind/programkind.go +++ b/pkg/programkind/programkind.go @@ -74,7 +74,6 @@ var supportedKind = map[string]string{ "jar": "application/java-archive", "java": "text/x-java", "js": "application/javascript", - "json": "application/json", "ko": "application/x-object", "lnk": "application/x-ms-shortcut", "lua": "text/x-lua", diff --git a/rules/exec/cmd/npm_preinstall.yara b/rules/exec/cmd/npm_preinstall.yara index 278e2f643..d77e491d5 100644 --- a/rules/exec/cmd/npm_preinstall.yara +++ b/rules/exec/cmd/npm_preinstall.yara @@ -1,7 +1,6 @@ rule npm_node_preinstall: medium { meta: description = "preinstall is run under a separate node process" - filetypes = "application/json" strings: $ref = /\s{2,8}"preinstall": ".{0,256}node \.\/preinstall\.js.{1,32}/ @@ -13,7 +12,6 @@ rule npm_node_preinstall: medium { rule npm_preinstall_command: high { meta: description = "NPM preinstall runs an external command" - filetypes = "application/json" strings: $ref = /\s{2,8}"preinstall": ".{12,256}/ @@ -24,7 +22,6 @@ rule npm_preinstall_command: high { rule npm_preinstall_command_dev_null: high { meta: - filetypes = "application/json" description = "NPM preinstall runs an external command, hiding output" strings: 
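Review bot: Deleting the `"json": "application/json"` entry from supportedKind appears to stop JSON files from being scanned at all — this commit empties the expectation files for SBOMs, config exports and an npm preinstall fixture rather than adjusting them — yet the npm_preinstall_* rules touched in the same commit exist to catch hostile `"preinstall"` hooks in package.json. The map alone does not show how callers use it, so if supportedKind is the gate, those rules lose their only legitimate target unless package.json is routed by filename elsewhere. A comment on the map explaining the exclusion, e.g. `// json intentionally omitted: SBOM/config noise; package.json must be handled by name`, plus a scan test of a package.json fixture containing a `"preinstall"` hook, would make the intent checkable.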
@@ -37,7 +34,6 @@ rule npm_preinstall_command_dev_null: high { rule npm_preinstall_curl: critical { meta: description = "NPM preinstall runs curl" - filetypes = "application/json" strings: $ref = /\s{2,8}"preinstall": ".{12,256}curl .{12,256}/ diff --git a/rules/exec/remote_commands/code_eval.yara b/rules/exec/remote_commands/code_eval.yara index e400d9524..839d586de 100644 --- a/rules/exec/remote_commands/code_eval.yara +++ b/rules/exec/remote_commands/code_eval.yara @@ -237,7 +237,6 @@ rule php_at_eval: critical { rule npm_preinstall_eval: critical { meta: description = "NPM preinstall evaluates arbitrary code" - filetypes = "application/json" strings: $ref = /\s{2,8}"preinstall": ".{12,256}eval\([\w\.]{1,32}\).{0,256}"/ diff --git a/tests/javascript/clean/3937.844b09f50594ca2613b4.js.map.simple b/tests/javascript/clean/3937.844b09f50594ca2613b4.js.map.simple index 4f256c367..e69de29bb 100644 --- a/tests/javascript/clean/3937.844b09f50594ca2613b4.js.map.simple +++ b/tests/javascript/clean/3937.844b09f50594ca2613b4.js.map.simple @@ -1,9 +0,0 @@ -# javascript/clean/3937.844b09f50594ca2613b4.js.map: medium -c2/tool_transfer/os: low -exec/shell/power: medium -false-positives/mattermost: low -fs/directory/remove: low -fs/file/copy: medium -fs/file/delete: medium -net/download/fetch: medium -net/url/embedded: low diff --git a/tests/javascript/clean/index.js.map.simple b/tests/javascript/clean/index.js.map.simple index 5116bd200..e69de29bb 100644 --- a/tests/javascript/clean/index.js.map.simple +++ b/tests/javascript/clean/index.js.map.simple 
@@ -1,17 +0,0 @@ -# javascript/clean/index.js.map: medium -anti-behavior/random_behavior: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/encrypt: medium -crypto/public_key: low -data/encoding/base64: low -data/encoding/json_decode: low -data/encoding/json_encode: low -net/http: low -net/http/accept: low -net/http/auth: low -net/http/form_upload: medium -net/http/post: medium -net/url/embedded: low -net/url/parse: low diff --git a/tests/linux/clean/appsec-rules.json.simple b/tests/linux/clean/appsec-rules.json.simple index 3c29eaf37..e69de29bb 100644 --- a/tests/linux/clean/appsec-rules.json.simple +++ b/tests/linux/clean/appsec-rules.json.simple 
@@ -1,76 +0,0 @@ -# linux/clean/appsec-rules.json: medium -collect/databases/mysql: medium -collect/databases/postgresql: medium -collect/databases/sqlite: medium -credential/cloud/aws: medium -credential/os/gshadow: medium -credential/os/shadow: medium -credential/password: low -credential/server/htpasswd: medium -credential/shell/bash_history: medium -credential/ssh: medium -credential/ssh/authorized_hosts: medium -credential/ssh/d: medium -crypto/openssl: medium -data/base64/decode: medium -data/base64/external: medium -data/compression/bzip2: low -data/compression/gzip: low -data/compression/lzma: low -data/compression/zlib: low -data/compression/zstd: low -data/encoding/base64: low -data/encoding/utf16: medium -discover/multiple: medium -discover/system/dmesg: low -discover/system/platform: low -discover/user/USER: low -discover/user/name_get: medium -evasion/bypass_security/linux/iptables: medium -evasion/bypass_security/linux/ufw: medium -evasion/file/prefix: medium -evasion/logging/acct: low -evasion/process_injection/readelf: medium -exec/plugin: low -exec/shell/bash_dev_udp: medium -exec/shell/command: medium -exec/shell/nohup: medium -exec/system_controls/apparmor: medium -exec/system_controls/systemd: low -exec/tty/pathname: medium -exfil: medium -fs/fifo_create: low -fs/file/times_set: medium -fs/lock_update: low -fs/mount: low -fs/node_create: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/home: low -fs/path/home_config: low -fs/path/tmp: medium -fs/path/var: low -fs/permission/modify: medium -fs/tempfile: low -hw/hardware_enumeration: medium -hw/wireless: low -impact/exploit: medium -impact/exploit/cve: medium -impact/remote_access/iptables: medium -net/dns/servers: low -net/download: medium -net/ftp/t: low -net/http: low -net/http/cookies: medium -net/http/webhook: medium -net/ip/host_port: medium -net/socket/connect: medium -net/tcp/sftp: medium -persist/cron/tab: medium -persist/daemon: medium -persist/shell/bash: medium 
-persist/shell/zsh: medium -persist/ssh_authorized_keys: medium -process/chroot: low -process/unshare: low -sec-tool/net/nmap: medium diff --git a/tests/linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json.simple b/tests/linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json.simple index fbced9d33..e69de29bb 100644 --- a/tests/linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json.simple +++ b/tests/linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json.simple @@ -1,4 +0,0 @@ -# linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json: medium -c2/tool_transfer/arch: low -net/download: medium -net/url/embedded: low diff --git a/tests/linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json.simple b/tests/linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json.simple index 5d3094c8a..e69de29bb 100644 --- a/tests/linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json.simple +++ b/tests/linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json.simple @@ -1,4 +0,0 @@ -# linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json: medium -c2/tool_transfer/arch: low -net/download: medium -net/url/embedded: low diff --git a/tests/linux/clean/aws-c-io/aws-c-io.sdiff b/tests/linux/clean/aws-c-io/aws-c-io.sdiff index 2d5409150..e69de29bb 100644 --- a/tests/linux/clean/aws-c-io/aws-c-io.sdiff +++ b/tests/linux/clean/aws-c-io/aws-c-io.sdiff @@ -1 +0,0 @@ ->>> moved: linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json -> linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json (score: 0.988000) diff --git a/tests/linux/clean/default_config.json.simple b/tests/linux/clean/default_config.json.simple index 699e01598..e69de29bb 100644 --- a/tests/linux/clean/default_config.json.simple +++ b/tests/linux/clean/default_config.json.simple 
@@ -1,76 +0,0 @@ -# linux/clean/default_config.json: medium -collect/databases/mysql: medium -collect/databases/postgresql: medium -collect/databases/sqlite: medium -credential/cloud/aws: medium -credential/os/gshadow: medium -credential/os/shadow: medium -credential/password: low -credential/server/htpasswd: medium -credential/shell/bash_history: medium -credential/ssh: medium -credential/ssh/authorized_hosts: medium -credential/ssh/d: medium -crypto/openssl: medium -data/base64/decode: medium -data/base64/external: medium -data/compression/bzip2: low -data/compression/gzip: low -data/compression/lzma: low -data/compression/zlib: low -data/compression/zstd: low -data/encoding/base64: low -data/encoding/utf16: medium -discover/multiple: medium -discover/system/dmesg: low -discover/system/platform: low -discover/user/USER: low -discover/user/name_get: medium -evasion/bypass_security/linux/iptables: medium -evasion/bypass_security/linux/ufw: medium -evasion/file/prefix: medium -evasion/logging/acct: low -evasion/process_injection/readelf: medium -exec/plugin: low -exec/shell/bash_dev_udp: medium -exec/shell/command: medium -exec/shell/nohup: medium -exec/system_controls/apparmor: medium -exec/system_controls/systemd: low -exec/tty/pathname: medium -exfil: medium -fs/fifo_create: low -fs/file/times_set: medium -fs/lock_update: low -fs/mount: low -fs/node_create: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/home: low -fs/path/home_config: low -fs/path/tmp: medium -fs/path/var: low -fs/permission/modify: medium -fs/tempfile: low -hw/hardware_enumeration: medium -hw/wireless: low -impact/exploit: medium -impact/exploit/cve: medium -impact/remote_access/iptables: medium -net/dns/servers: low -net/download: medium -net/ftp/t: low -net/http: low -net/http/cookies: medium -net/http/webhook: medium -net/ip/host_port: medium -net/socket/connect: medium -net/tcp/sftp: medium -persist/cron/tab: medium -persist/daemon: medium -persist/shell/bash: medium 
-persist/shell/zsh: medium
-persist/ssh_authorized_keys: medium
-process/chroot: low
-process/unshare: low
-sec-tool/net/nmap: medium
diff --git a/tests/linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json.simple b/tests/linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json.simple
index 2647ee2ae..e69de29bb 100644
--- a/tests/linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json.simple
+++ b/tests/linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json.simple
@@ -1,7 +0,0 @@
-# linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json: medium
-c2/tool_transfer/arch: low
-c2/tool_transfer/os: low
-exec/shell/power: medium
-impact/degrade/win_defender: low
-net/download: medium
-net/url/embedded: low
diff --git a/tests/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json.simple b/tests/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json.simple
index 91bdb6920..e69de29bb 100644
--- a/tests/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json.simple
+++ b/tests/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json.simple
@@ -1,10 +0,0 @@
-# linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json: medium
-3P/sig_base/hacktool_strings_p0wnedshell: low
-c2/tool_transfer/os: low
-exec/shell/power: medium
-impact/infection/infected: medium
-malware/ref: medium
-mem/protect: low
-net/download: medium
-net/url/embedded: low
-sus/malicious: medium
diff --git a/tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple b/tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple
index 6f7680fd9..e69de29bb 100644
--- a/tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple
+++ b/tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple
@@ -1,16 +0,0 @@
-# linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json: medium
-c2/tool_transfer/os: low
-evasion/file/location/dev_shm: medium
-evasion/file/prefix: low
-exec/system_controls/systemd: low
-fs/path/etc: low
-fs/path/etc_initd: medium
-fs/path/home: low
-fs/path/home_config: low
-fs/path/root: medium
-fs/path/usr_local: medium
-fs/path/var: low
-net/url/embedded: low
-persist/shell/bash: medium
-persist/shell/zsh: medium
-privesc/sudoers: medium
diff --git a/tests/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json.simple b/tests/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json.simple
index 8c4083204..e69de29bb 100644
--- a/tests/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json.simple
+++ b/tests/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json.simple
@@ -1,9 +0,0 @@
-# linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json: medium
-c2/tool_transfer/os: low
-exec/shell/power: medium
-false-positives/kibana: low
-malware/ref: medium
-net/download: medium
-net/download/fetch: medium
-net/http: low
-net/url/embedded: low
diff --git a/tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple b/tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple
index 497650f83..e69de29bb 100644
--- a/tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple
+++ b/tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple
@@ -1,8 +0,0 @@
-# linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json: medium
-c2/tool_transfer/os: low
-impact/exploit: medium
-impact/exploit/cve: medium
-impact/exploit/pwnkit: low
-impact/remote_access/agent: medium
-net/url/embedded: low
-os/fd/multiplex: low
diff --git a/tests/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json.simple b/tests/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json.simple
index 58be526e4..e69de29bb 100644
--- a/tests/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json.simple
+++ b/tests/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json.simple
@@ -1,8 +0,0 @@
-# linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json: medium
-3P/sig_base/p0wnedpotato: low
-c2/tool_transfer/os: low
-exec/shell/power: medium
-net/download: medium
-net/rpc/ntlm: medium
-net/url/embedded: low
-sus/intercept: medium
diff --git a/tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple b/tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple
index 8f1441792..e69de29bb 100644
--- a/tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple
+++ b/tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple
@@ -1,10 +0,0 @@
-# linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json: medium
-3P/sig_base/hacktool_strings_p0wnedshell: low
-c2/tool_transfer/os: low
-credential/password: low
-exec/shell/power: medium
-impact/infection/infected: medium
-malware/ref: medium
-net/url/embedded: low
-sec-tool/credentials/mimikatz: low
-sus/malicious: medium
diff --git a/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple b/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple
index 6a395f6ad..e69de29bb 100644
--- a/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple
+++ b/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple
@@ -1,24 +0,0 @@
-# linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json: medium
-3P/sig_base/hacktool_strings_p0wnedshell: low
-3P/sig_base/hktl_domainpasswordspray: low
-3P/sig_base/p0wnedpotato: low
-3P/sig_base/wmimplant: low
-c2/addr/ip: medium
-c2/tool_transfer/os: low
-credential/password: low
-crypto/decrypt: low
-exec/cmd: medium
-exec/plugin: low
-exec/shell/power: medium
-exfil/collection: medium
-exfil/upload: medium
-impact/infection/infected: medium
-impact/remote_access/backdoor: medium
-impact/remote_access/implant: medium
-malware/ref: medium
-net/dns/txt: low
-net/download: medium
-net/http: low
-net/ip/addr: medium
-net/url/embedded: low
-sus/malicious: medium
diff --git a/tests/linux/clean/kibana/credential_access_dumping_keychain_security.json.simple b/tests/linux/clean/kibana/credential_access_dumping_keychain_security.json.simple
index a48e6914e..e69de29bb 100644
--- a/tests/linux/clean/kibana/credential_access_dumping_keychain_security.json.simple
+++ b/tests/linux/clean/kibana/credential_access_dumping_keychain_security.json.simple
@@ -1,4 +0,0 @@
-# linux/clean/kibana/credential_access_dumping_keychain_security.json: low
-c2/tool_transfer/os: low
-credential/password: low
-net/url/embedded: low
diff --git a/tests/linux/clean/kibana/defense_evasion_defender_exclusion_via_powershell.json.simple b/tests/linux/clean/kibana/defense_evasion_defender_exclusion_via_powershell.json.simple
index d735b35e5..e69de29bb 100644
--- a/tests/linux/clean/kibana/defense_evasion_defender_exclusion_via_powershell.json.simple
+++ b/tests/linux/clean/kibana/defense_evasion_defender_exclusion_via_powershell.json.simple
@@ -1,8 +0,0 @@
-# linux/clean/kibana/defense_evasion_defender_exclusion_via_powershell.json: medium
-c2/tool_transfer/os: low
-exec/shell/power: medium
-impact/degrade/win_defender: low
-impact/exploit: medium
-malware/ref: medium
-net/url/embedded: low
-sus/malicious: medium
diff --git a/tests/linux/clean/misp_sample.ndjson.log.simple b/tests/linux/clean/misp_sample.ndjson.log.simple
index bc411c8bf..e69de29bb 100644
--- a/tests/linux/clean/misp_sample.ndjson.log.simple
+++ b/tests/linux/clean/misp_sample.ndjson.log.simple
@@ -1,13 +0,0 @@
-# linux/clean/misp_sample.ndjson.log: medium
-c2/addr/ip: medium
-c2/tool_transfer/os: low
-crypto/aes: low
-crypto/decrypt: low
-evasion/rootkit/refs: low
-impact/ransom/decryptor: medium
-impact/remote_access/backdoor: medium
-malware/ref: medium
-net/http: low
-net/ip/host_port: medium
-net/url/embedded: medium
-os/fd/multiplex: low
diff --git a/tests/linux/clean/pypi_package_index.json.simple b/tests/linux/clean/pypi_package_index.json.simple
index 0998fd517..e69de29bb 100644
--- a/tests/linux/clean/pypi_package_index.json.simple
+++ b/tests/linux/clean/pypi_package_index.json.simple
@@ -1,131 +0,0 @@ -# linux/clean/pypi_package_index.json: medium -anti-behavior/random_behavior: low -anti-static/obfuscation/obfuscate: low -c2/discovery/dyndns: medium -c2/refs: medium -c2/tool_transfer/download: medium -c2/tool_transfer/dropper: medium -collect/archives/unarchive: medium -collect/archives/zip: medium -collect/databases/leveldb: medium -collect/databases/mysql: medium -collect/databases/postgresql: medium -collect/databases/sqlite: medium -credential/gaming/minecraft: medium -credential/keychain: medium -credential/keylogger: medium -credential/password: low -credential/password/hashcat: medium -credential/ssh/d: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/blockchain: medium -crypto/cipher: medium -crypto/ed25519: low -crypto/encrypt: medium -crypto/fernet: medium -crypto/openssl: medium -crypto/public_key: low -data/compression/bzip2: low -data/compression/gzip: low -data/compression/lzma: low -data/compression/zlib: low -data/compression/zstd: low -data/encoding/base64: low -data/hash/blake2b: low -data/random/insecure: low -discover/network/interface_list: medium -discover/network/netstat: medium -discover/processes/list: medium -discover/processes/pgrep: medium -discover/system/cpu: low -discover/system/machine_id: low -discover/system/platform: low -discover/system/sysinfo: medium -discover/user/name_get: medium -evasion/bypass_security/linux/iptables: medium -evasion/bypass_security/linux/ufw: medium -evasion/logging/acct: low -evasion/process_injection/ptrace: medium -evasion/process_injection/readelf: medium -evasion/rootkit/refs: medium -exec/dylib/symbol_address: medium -exec/plugin: low -exec/program: medium -exec/script/osa: medium -exec/shell/power: medium -exec/system_controls/apparmor: medium -exec/system_controls/systemd: medium -exec/tty/getpass: low -exfil/office_file_ext: medium -fs/directory/create: low -fs/file/delete: low -fs/file/times_set: medium -fs/link_create: low -fs/lock_update: low -fs/mount: low 
-fs/permission/modify: medium -fs/proc/pid_cmdline: low -fs/symlink_resolve: low -fs/tempdir/TEMP: low -fs/tempfile: low -fs/watch: low -hw/dev/mem: medium -hw/hardware_enumeration: medium -hw/wireless: low -impact/cryptojacking/monero_pool: medium -impact/exploit: medium -impact/exploit/cve: medium -impact/infection/worm: medium -impact/ransom/decryptor: medium -impact/remote_access/crypto_listen_socks: medium -impact/remote_access/heartbeat: medium -impact/remote_access/implant: medium -impact/remote_access/iptables: medium -impact/remote_access/trojan: medium -impact/ui/x11_auth: medium -lateral/scan/brute_force: low -malware/ref: medium -net/dns/over_https: medium -net/download: medium -net/http: low -net/http/auth: low -net/http/oauth2: low -net/http/request: low -net/http/webhook: medium -net/ip/host_port: medium -net/ip/multicast_send: low -net/ip/spoof: medium -net/proxy/reverse: medium -net/proxy/socks5: medium -net/proxy/tunnel: medium -net/rpc/ntlm: medium -net/socket/listen: medium -net/socket/pair: medium -net/socket/receive: low -net/socket/send: low -net/tcp/sftp: medium -net/tcp/synflood: medium -net/url/encode: medium -net/url/parse: low -os/env/get: low -os/fd/sendfile: low -os/kernel/hardware_locality: low -os/kernel/key_management: low -os/kernel/netlink: low -os/time/tzinfo: low -persist/cron/tab: medium -persist/daemon: medium -persist/daemon/detach: medium -persist/launchd/launch_agent: medium -privesc/sudo: medium -process/chroot: low -process/multi: medium -process/terminate/taskkill: medium -process/unshare: low -sec-tool/net/masscan: medium -sec-tool/net/nmap: medium -sec-tool/pentest/metasploit_ref: medium -sus/intercept: medium -sus/leetspeak: medium -sus/malicious: medium diff --git a/tests/linux/clean/rules.json.simple b/tests/linux/clean/rules.json.simple index dc46d2098..e69de29bb 100644 --- a/tests/linux/clean/rules.json.simple +++ b/tests/linux/clean/rules.json.simple 
@@ -1,78 +0,0 @@ -# linux/clean/rules.json: medium -anti-static/obfuscation/hex: medium -collect/databases/mysql: medium -collect/databases/postgresql: medium -collect/databases/sqlite: medium -credential/cloud/aws: medium -credential/os/gshadow: medium -credential/os/shadow: medium -credential/password: low -credential/server/htpasswd: medium -credential/shell/bash_history: medium -credential/ssh: medium -credential/ssh/authorized_hosts: medium -credential/ssh/d: medium -crypto/openssl: medium -data/base64/decode: medium -data/base64/external: medium -data/compression/bzip2: low -data/compression/gzip: low -data/compression/lzma: low -data/compression/zlib: low -data/compression/zstd: low -data/encoding/base64: low -data/encoding/utf16: medium -discover/multiple: medium -discover/system/dmesg: low -discover/system/platform: low -discover/user/USER: low -discover/user/name_get: medium -evasion/bypass_security/linux/iptables: medium -evasion/bypass_security/linux/ufw: medium -evasion/file/location/var_run: medium -evasion/file/prefix: medium -evasion/logging/acct: low -evasion/process_injection/readelf: medium -exec/plugin: low -exec/shell/bash_dev_udp: medium -exec/shell/command: medium -exec/shell/nohup: medium -exec/system_controls/apparmor: medium -exec/system_controls/systemd: low -exec/tty/pathname: medium -exfil: medium -fs/fifo_create: low -fs/file/times_set: medium -fs/lock_update: low -fs/mount: low -fs/node_create: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/home: low -fs/path/home_config: low -fs/path/tmp: medium -fs/path/var: low -fs/permission/modify: medium -fs/tempfile: low -hw/hardware_enumeration: medium -hw/wireless: low -impact/exploit: medium -impact/exploit/cve: medium -impact/remote_access/iptables: medium -net/dns/servers: low -net/download: medium -net/ftp/t: low -net/http: low -net/http/cookies: medium -net/http/webhook: medium -net/ip/host_port: medium -net/socket/connect: medium -net/tcp/sftp: medium -persist/cron/tab: 
medium
-persist/daemon: medium
-persist/shell/bash: medium
-persist/shell/zsh: medium
-persist/ssh_authorized_keys: medium
-process/chroot: low
-process/unshare: low
-sec-tool/net/nmap: medium
diff --git a/tests/linux/clean/searchindex.json.simple b/tests/linux/clean/searchindex.json.simple
index 43e2a146f..e69de29bb 100644
--- a/tests/linux/clean/searchindex.json.simple
+++ b/tests/linux/clean/searchindex.json.simple
@@ -1,71 +0,0 @@ -# linux/clean/searchindex.json: medium -anti-behavior/random_behavior: low -anti-static/obfuscation/obfuscate: low -c2/addr/discord: medium -c2/tool_transfer/arch: low -c2/tool_transfer/dropper: medium -c2/tool_transfer/os: medium -credential/keylogger: medium -credential/password: low -crypto/encrypt: medium -crypto/openssl: medium -crypto/public_key: low -data/compression/bzip2: low -data/compression/zlib: low -data/embedded/html: medium -data/random/insecure: low -discover/components/docker: medium -discover/system/platform: low -discover/system/sysinfo: medium -evasion/file/location/chdir_unusual: medium -evasion/file/location/system_directory: medium -evasion/rootkit/refs: medium -exec/install_additional/package_install: medium -exec/plugin: low -exec/program: medium -exec/shell/exec: medium -exec/system_controls/systemd: low -exfil/stealer/credit_card: medium -fs/directory/create: low -fs/file/delete: low -fs/file/delete_forcibly: medium -fs/file/times_set: medium -fs/mount: low -fs/path/boot: medium -fs/path/dev: medium -fs/path/etc: low -fs/path/etc_resolv.conf: low -fs/path/home: low -fs/path/tmp: medium -fs/path/users: medium -fs/path/usr_local: medium -fs/path/var: low -fs/path/var_log: medium -fs/watch: low -impact/exploit: medium -impact/infection/infected: medium -impact/remote_access/agent: medium -impact/remote_access/backdoor: medium -impact/remote_access/reverse_shell: medium -impact/remote_access/trojan: medium -malware/ref: medium -net/dns/servers: low -net/dns/txt: low -net/download/fetch: medium -net/http: low -net/ip/addr: medium -net/ip/host_port: medium -net/ip/icmp: medium -net/ip/spoof: medium -net/socket/listen: medium -net/socket/send: low -net/tcp/ssh: medium -net/url/embedded: medium -persist/cron/tab: medium -persist/daemon: medium -persist/service/start: low -privesc/sudo: medium -process/chdir: low -process/chroot: low -process/executable_path: low -sus/malicious: medium 
diff --git a/tests/linux/clean/sonarlint-metadata.json.simple b/tests/linux/clean/sonarlint-metadata.json.simple
index 89605235f..e69de29bb 100644
--- a/tests/linux/clean/sonarlint-metadata.json.simple
+++ b/tests/linux/clean/sonarlint-metadata.json.simple
@@ -1,74 +0,0 @@ -# linux/clean/sonarlint-metadata.json: medium -anti-behavior/random_behavior: low -c2/addr/ip: medium -c2/tool_transfer/dropper: medium -c2/tool_transfer/os: medium -collect/archives/zip: medium -collect/databases/mysql: medium -credential/password: low -credential/shell/bash_history: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/ed25519: low -crypto/openssl: medium -crypto/public_key: low -crypto/uuid: medium -data/encoding/int: low -data/encoding/json_decode: low -data/encoding/json_encode: low -discover/network/interface_list: medium -discover/process/working_directory: low -discover/user/USER: low -evasion/file/location/dev_mqueue: medium -evasion/file/prefix: medium -exec/plugin: low -exfil/stealer/credit_card: medium -false-positives/sonarqube: low -fs/directory/create: low -fs/file/copy: medium -fs/file/delete_forcibly: low -fs/file/open: low -fs/file/read: low -fs/file/write: low -fs/path/dev: medium -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/home: low -fs/path/relative: medium -fs/path/tmp: medium -fs/path/users: medium -fs/path/usr_bin: low -fs/path/var: low -fs/permission/modify: medium -fs/tempdir: low -impact/ddos: medium -impact/exploit: medium -impact/infection/infected: medium -impact/remote_access/agent: medium -lateral/scan/brute_force: low -malware/ref: medium -net/download: medium -net/http: low -net/http/2: low -net/http/cookies: medium -net/http/form_upload: medium -net/http/post: medium -net/http/request: low -net/http/websocket: medium -net/ip/addr: medium -net/ip/host_port: medium -net/ip/spoof: medium -net/socket/listen: medium -net/socket/send: low -net/tcp/sftp: medium -net/tcp/ssh: medium -net/url/embedded: medium -net/url/encode: medium -os/env/get: low -os/fd/read: low -os/fd/write: low -persist/writeable_dir: medium -sus/intercept: medium -sus/malicious: medium 
diff --git a/tests/linux/clean/wikiticker-2015-09-12-sampled.json.simple b/tests/linux/clean/wikiticker-2015-09-12-sampled.json.simple
index 6b8d859f8..e69de29bb 100644
--- a/tests/linux/clean/wikiticker-2015-09-12-sampled.json.simple
+++ b/tests/linux/clean/wikiticker-2015-09-12-sampled.json.simple
@@ -1,23 +0,0 @@
-# linux/clean/wikiticker-2015-09-12-sampled.json: medium
-anti-behavior/blocklist/user: medium
-anti-behavior/random_behavior: low
-c2/addr/ip: medium
-c2/tool_transfer/arch: low
-c2/tool_transfer/os: medium
-credential/gaming/minecraft: medium
-crypto/aes: low
-crypto/fernet: medium
-exfil/stealer/wallet: medium
-fs/file/delete_forcibly: low
-fs/path/relative: medium
-impact/infection/worm: medium
-impact/remote_access/agent: medium
-impact/remote_access/implant: medium
-impact/remote_access/trojan: medium
-net/download: medium
-net/http: low
-net/http/cookies: medium
-net/http/post: medium
-net/url/embedded: medium
-persist/daemon: medium
-sus/exclamation: medium
diff --git a/tests/npm/2024.depe-tool/preinstall.json.simple b/tests/npm/2024.depe-tool/preinstall.json.simple
index 26c5ea823..e69de29bb 100644
--- a/tests/npm/2024.depe-tool/preinstall.json.simple
+++ b/tests/npm/2024.depe-tool/preinstall.json.simple
@@ -1,3 +0,0 @@
-# npm/2024.depe-tool/preinstall.json: high
-anti-static/obfuscation/hex: medium
-impact/remote_access/payload: high
From fa35cac01839d8bb5042d1816969765b5c12de19 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Mon, 19 May 2025 07:17:24 -0500
Subject: [PATCH 09/18] Fix test
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 pkg/programkind/programkind_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/programkind/programkind_test.go b/pkg/programkind/programkind_test.go
index 0810332f3..c1c19d27a 100644
--- a/pkg/programkind/programkind_test.go
+++ b/pkg/programkind/programkind_test.go
@@ -49,7 +49,7 @@ func TestPath(t *testing.T) {
 {"/etc/systemd/system/launcher.service", &FileType{MIME: "text/x-systemd", Ext: "service"}},
 {"yarn-package.json", &FileType{MIME: "application/json", Ext: "json"}},
 {"/home/yeti/.hidden/package.json", &FileType{MIME: "application/json", Ext: "json"}},
- {"unknown.json", &FileType{MIME: "application/json", Ext: "json"}},
+ {"unknown.json", nil},
 }
 for _, tt := range tests {
 t.Run(tt.in, func(t *testing.T) {
From 24b9bf2d1a69e487c5a5df8fcb33fcbf022be7eb Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Mon, 19 May 2025 09:52:35 -0500
Subject: [PATCH 10/18] Use kind.Ext instead of kind.MIME
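Review bot: The new expectation `{"unknown.json", nil}` sits beside `yarn-package.json` and `/home/yeti/.hidden/package.json`, which still resolve to `application/json`, and nothing in the table says what separates them; presumably only well-known manifest names are typed and an arbitrary `.json` name now yields nil, but a reader cannot tell that from the test. A one-line comment on the case, e.g. `// NOTE: arbitrary .json names are expected to be untyped; only known manifests such as package.json resolve`, would record the rule being pinned. Because the following commit scopes rules by the returned Ext, a nil result also means filetype-scoped rules will not apply to such files, which deserves its own test in the report package rather than being implied here. TestPath itself starts outside the hunk.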
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- pkg/action/testdata/scan_archive | 32 ++++++-- pkg/report/report.go | 6 +- rules/anti-behavior/LD_DEBUG.yara | 2 +- rules/anti-behavior/LD_PROFILE.yara | 2 +- rules/anti-behavior/anti-debugger.yara | 6 +- rules/anti-behavior/process-check.yara | 6 +- rules/anti-behavior/random_behavior.yara | 7 +- rules/anti-static/base64/eval.yara | 12 +-- rules/anti-static/base64/exec.yara | 8 +- rules/anti-static/base64/function_names.yara | 6 +- rules/anti-static/base64/shell.yara | 3 +- rules/anti-static/elf/content.yara | 2 +- rules/anti-static/elf/entropy.yara | 8 +- rules/anti-static/elf/header.yara | 8 +- rules/anti-static/elf/multiple.yara | 2 +- rules/anti-static/elf/tiny.yara | 2 +- rules/anti-static/macho/entropy.yara | 4 +- rules/anti-static/macho/footer.yara | 2 +- rules/anti-static/macho/tiny.yara | 2 +- rules/anti-static/obfuscation/bitwise.yara | 20 ++--- rules/anti-static/obfuscation/bool.yara | 2 +- rules/anti-static/obfuscation/casing.yara | 18 ++--- rules/anti-static/obfuscation/hex.yara | 4 + rules/anti-static/obfuscation/js.yara | 56 +++++++------- rules/anti-static/obfuscation/math.yara | 25 ++----- rules/anti-static/obfuscation/nodejs.yara | 4 +- rules/anti-static/obfuscation/osascript.yara | 2 +- rules/anti-static/obfuscation/padding.yara | 2 +- rules/anti-static/obfuscation/perl.yara | 2 +- rules/anti-static/obfuscation/php.yara | 8 +- rules/anti-static/obfuscation/powershell.yara | 8 +- rules/anti-static/obfuscation/python.yara | 75 ++++++++++--------- .../obfuscation/python_setuptools.yara | 2 +- rules/anti-static/obfuscation/reverse.yara | 5 +- rules/anti-static/obfuscation/sh.yara | 2 +- rules/anti-static/obfuscation/strtoi.yara | 2 +- rules/anti-static/obfuscation/syscall.yara | 2 +- rules/anti-static/obfuscation/url.yara | 2 +- rules/anti-static/obfuscation/utf16.yara | 4 +- rules/anti-static/packer/aes.yara | 2 +- rules/anti-static/packer/blankobf.yara | 2 +- 
rules/anti-static/packer/cx_freeze.yara | 2 +- rules/anti-static/packer/decompyle.yara | 2 +- rules/anti-static/packer/ezuri.yara | 2 +- rules/anti-static/packer/kiteshield.yara | 2 +- rules/anti-static/packer/nuitka.yara | 2 +- rules/anti-static/packer/pe.yara | 2 +- rules/anti-static/packer/py_kramer.yara | 6 +- rules/anti-static/packer/py_vare.yara | 2 +- rules/anti-static/packer/pycloak.yara | 2 +- rules/anti-static/packer/pyobfuscate.yara | 2 +- rules/anti-static/packer/upx.yara | 6 +- rules/anti-static/unmarshal/marshal.yara | 4 +- rules/c2/addr/ip.yara | 2 +- rules/c2/addr/url.yara | 4 +- rules/c2/connect/bash_tcp.yara | 2 +- rules/c2/tool_transfer/chmod_dropper.yara | 4 +- rules/c2/tool_transfer/download.yara | 2 +- rules/c2/tool_transfer/js.yara | 2 +- rules/c2/tool_transfer/macos.yara | 4 +- rules/c2/tool_transfer/npm.yara | 2 +- rules/c2/tool_transfer/osascript.yara | 2 +- rules/c2/tool_transfer/php.yara | 2 +- rules/c2/tool_transfer/powershell.yara | 2 +- rules/c2/tool_transfer/python.yara | 24 +++--- rules/c2/tool_transfer/ruby.yara | 2 +- rules/c2/tool_transfer/shell.yara | 20 ++--- rules/collect/archives/tar-command.yara | 6 +- rules/collect/localstorage.yara | 2 +- rules/data/builtin/kernel_module.yara | 2 +- rules/data/builtin/multiple.yara | 2 +- rules/data/encoding/json-encode.yara | 2 +- rules/discover/user/username-get.yara | 2 +- .../indicator_blocking/hidden_window.yara | 4 +- .../indicator_blocking/mask_exceptions.yara | 4 +- rules/evasion/net/hide_ports.yara | 2 +- rules/evasion/rootkit/kernel.yara | 6 +- rules/evasion/rootkit/userspace.yara | 12 +-- .../evasion/self_deletion/run_and_delete.yara | 4 +- rules/exec/cmd/cmd.yara | 8 +- rules/exec/dylib/replace.yara | 2 +- rules/exec/imports/python.yara | 12 ++- .../exec/install_additional/pip_install.yara | 12 +-- rules/exec/program/opaque.yara | 4 +- rules/exec/remote_commands/code_eval.yara | 34 ++++----- rules/exec/shell/command.yara | 6 +- rules/exec/shell/exec.yara | 4 +- 
rules/exec/shell/shell32.yara | 2 +- rules/exfil/b64_zlib.yara | 4 +- rules/exfil/nodejs.yara | 16 ++-- rules/exfil/php.yara | 2 +- rules/exfil/stealer/keylogger.yara | 6 +- rules/exfil/stealer/python.yara | 4 +- rules/exfil/zip.yara | 2 +- rules/fs/attributes/chattr.yara | 4 +- rules/fs/directory/directory-list.yara | 6 +- rules/fs/file/file-make_executable.yara | 2 +- rules/fs/file/file-rename.yara | 2 +- rules/impact/cryptojacking/competitive.yara | 2 +- rules/impact/degrade/edr.yara | 4 +- rules/impact/degrade/firewall.yara | 2 +- rules/impact/degrade/panic.yara | 2 +- rules/impact/ransom/linux.yara | 2 +- rules/impact/registry.yara | 2 +- rules/impact/remote_access/backdoor.yara | 4 +- rules/impact/remote_access/net_shell.yara | 2 +- rules/impact/remote_access/open_base64.yara | 2 +- rules/impact/remote_access/py_setuptools.yara | 28 +++---- rules/impact/remote_access/remote_eval.yara | 11 ++- rules/impact/remote_access/router.yara | 2 +- rules/impact/rootkit/rootkit.yara | 6 +- rules/malware/family/amos.yara | 8 +- rules/malware/family/applejeus.yara | 2 +- rules/malware/family/beaver_tail.yara | 2 +- rules/malware/family/beurk.yara | 4 +- rules/malware/family/clapzok.yara | 2 +- rules/malware/family/emp3r0r.yara | 2 +- rules/malware/family/leet_hozer.yara | 2 +- rules/malware/family/lockscreen.yara | 2 +- rules/malware/family/lolminer.yara | 2 +- rules/malware/family/mirai.yara | 6 +- rules/malware/family/pawns.yara | 2 +- rules/malware/family/poseidon_stealer.yara | 4 +- rules/malware/family/rustdoor.yara | 6 +- rules/malware/framework/cobalt_strike.yara | 2 +- rules/malware/framework/silver.yara | 2 +- rules/net/download/fetch.yara | 2 +- rules/persist/kernel_module/module.yara | 2 +- .../persist/kernel_module/symbol-lookup.yara | 4 +- .../persist/systemd/execstart-elsewhere.yara | 4 +- rules/persist/systemd/execstop-bin-sh.yara | 2 +- rules/persist/systemd/execstop-elsewhere.yara | 2 +- rules/persist/systemd/execstop-usr-bin.yara | 2 +- 
rules/persist/systemd/no_blank_lines.yara | 2 +- .../persist/systemd/no_docs_or_comments.yara | 2 +- rules/persist/systemd/no_output.yara | 2 +- .../systemd/out_of_dependency_tree.yara | 2 +- rules/persist/systemd/restart-always.yara | 2 +- rules/persist/systemd/short-description.yara | 2 +- rules/privesc/osascript.yara | 4 +- rules/sus/compiler.yara | 8 +- rules/sus/entitlement.yara | 2 +- .../2022.an-instance.99.10.9/index.js.simple | 1 - .../lottie-player.min.js.mdiff | 2 +- ...4796BB27126E03A7E25DD5D589.cache.js.simple | 1 - ...D016DDDA0665CB8CD8EEA6C537.cache.js.simple | 1 - tests/javascript/clean/connection.js.simple | 1 - tests/javascript/clean/faker.js.simple | 1 + tests/javascript/clean/mode-php.js.simple | 1 - .../clean/mode-php_laravel_blade.js.simple | 1 - tests/javascript/clean/php.js.simple | 1 - tests/javascript/clean/yarn-3.8.7.cjs.simple | 1 - .../eight-nebraska-autumn-illinois.simple | 2 +- .../uranus-ack-mike-cat.simple | 2 +- tests/linux/2024.chisel/crondx.simple | 2 +- ...4084b7471bc5aed1c81803054f017240a72.simple | 2 +- tests/linux/2024.hadooken/drop2.sh.simple | 4 +- .../2024.kworker_pretenders/aclocal.m4.simple | 3 +- .../emp3r0r.agent.simple | 2 +- tests/linux/2024.vncjew/__min__c.json | 27 +++++-- tests/linux/clean/buildah.simple | 2 +- tests/linux/clean/buildkitd.simple | 2 +- tests/linux/clean/caddy.simple | 2 +- tests/linux/clean/chezmoi.simple | 2 +- tests/linux/clean/chrome.simple | 1 + tests/linux/clean/clickhouse.simple | 1 + tests/linux/clean/code-oss.md | 2 +- tests/linux/clean/containerd.simple | 2 +- tests/linux/clean/kolide/launcher.simple | 2 +- tests/linux/clean/kuma-cp.simple | 1 + tests/linux/clean/melange.simple | 2 +- tests/linux/clean/mongosh.simple | 2 +- tests/linux/clean/opa.simple | 2 +- tests/linux/clean/pulumi.simple | 2 +- tests/linux/clean/slack.md | 4 +- .../linux/clean/systemd-sysv-generator.simple | 1 + tests/linux/clean/tracer.o.aarch64.simple | 1 + .../clean/trino.linux-amd64.launcher.json | 19 +++-- 
.../clean/trino.linux-arm64.launcher.json | 19 +++-- .../clean/trino.linux-ppc64le.launcher.json | 19 +++-- .../linux/mimipenguin/bash/mimipenguin.simple | 1 - .../mimipenguin/python/mimipenguin.simple | 1 - .../cnc-dns-over-https.aarch64.simple | 2 +- tests/npm/2024.hlwgirl/index.js.simple | 1 - .../2024.persona-tool/preinstall.js.simple | 1 - .../v1.95.7.index.browser.esm.js.simple | 1 - .../v1.95.8.index.browser.esm.js.simple | 1 - tests/php/2024.Inull-Studio/err.php.simple | 2 - tests/php/2024.S3RV4N7-SHELL/crot.php.simple | 1 - .../wp-engine-fast-action.php.simple | 3 +- tests/php/2024.sagsooz/2024.php.simple | 2 - .../ruby/2018.CMD_Backdoor/connect.rb.simple | 1 - .../2024.GitHub.Clipper/main.exe.simple | 2 +- 193 files changed, 510 insertions(+), 470 deletions(-)
diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
index dc869c1e6..bbd38846b 100644
--- a/pkg/action/testdata/scan_archive
+++ b/pkg/action/testdata/scan_archive
@@ -79,15 +79,31 @@
 ],
 "Behaviors": [
 {
- "Description": "exhibits random behavior",
- "MatchStrings": [
- "math/rand"
- ],
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#go_rand",
+ "Description": "uses a random number generator",
+ "MatchStrings": [
+ "getrandomUnsupported",
+ "nonZeroRandomBytes",
+ "startupRandomData",
+ "readRandomUint32",
+ "rand_getrandom",
+ "portRandomizer",
+ "random_vectors",
+ "getRandomData",
+ "extendRandom",
+ "altGetRandom",
+ "randomOrder",
+ "randomPoint",
+ "urandom_dev",
+ "randomEnum",
+ "nextRandom",
+ "randomized",
+ "randomsbom"
+ ],
+ "RiskScore": 1,
+ "RiskLevel": "LOW",
+ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#random",
 "ID": "anti-behavior/random_behavior",
- "RuleName": "go_rand"
+ "RuleName": "random"
 },
 {
 "Description": "Contains a table that may be used for XOR decryption",
diff --git a/pkg/report/report.go b/pkg/report/report.go index 5e5aa037c..82012dd21 100644 --- a/pkg/report/report.go +++ b/pkg/report/report.go @@ -366,11 +366,11 @@ func TrimPrefixes(path string, prefixes []string) string { } // fileMatchesRules checks the scanned file's type against a rule's defined filetypes. -func fileMatchesRule(meta []yarax.Metadata, mime string) bool { +func fileMatchesRule(meta []yarax.Metadata, ext string) bool { for _, m := range meta { if m.Identifier() == "filetypes" { filetypes := strings.Split(fmt.Sprintf("%s", m.Value()), ",") - return slices.Contains(filetypes, mime) + return slices.Contains(filetypes, ext) } } // Rules without filetype metadata are universal @@ -438,7 +438,7 @@ func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcon ignoreMalcontent = true } - if !fileMatchesRule(m.Metadata(), kind.MIME) { + if !fileMatchesRule(m.Metadata(), kind.Ext) { continue } diff --git a/rules/anti-behavior/LD_DEBUG.yara b/rules/anti-behavior/LD_DEBUG.yara index a96c44440..c3aed0493 100644 --- a/rules/anti-behavior/LD_DEBUG.yara +++ b/rules/anti-behavior/LD_DEBUG.yara @@ -1,7 +1,7 @@ rule env_LD_DEBUG: medium { meta: description = "may check if dynamic linker debugging is enabled" - filetypes = "application/x-elf,application/x-mach-binary" + filetypes = "elf,macho" strings: $val = "LD_DEBUG" fullword diff --git a/rules/anti-behavior/LD_PROFILE.yara b/rules/anti-behavior/LD_PROFILE.yara index 11bb37e23..bcb9c09b6 100644 --- a/rules/anti-behavior/LD_PROFILE.yara +++ b/rules/anti-behavior/LD_PROFILE.yara @@ -1,7 +1,7 @@ rule env_LD_PROFILE: medium { meta: description = "may check if dynamic linker profiling is enabled" - filetypes = "application/x-elf,application/x-mach-binary" + filetypes = "elf,macho" strings: $val = "LD_PROFILE" fullword diff --git a/rules/anti-behavior/anti-debugger.yara b/rules/anti-behavior/anti-debugger.yara index 1fbcb97c2..ad8893453 100644 --- a/rules/anti-behavior/anti-debugger.yara 
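Review bot: `fileMatchesRule` compares the raw `ext` against the comma-split `filetypes` value with no normalization, so a rule written as `"elf, macho"` (a space after the comma) or a file whose extension is reported upper-case or with a leading dot (`.EXE`) silently fails the `slices.Contains` check and the finding is dropped from the report. Trimming and lower-casing both sides would make the gate robust, e.g. `filetypes := strings.Split(strings.ToLower(fmt.Sprintf("%s", m.Value())), ",")` with `strings.TrimSpace` applied to each element and `strings.ToLower(strings.TrimPrefix(ext, "."))` on the extension before the lookup. The identifier check only recognises `filetypes`; several rules later in this same patch still carry the singular key `filetype` (the UPX and PE-entropy packer rules), which this function ignores, so they remain universal rather than scoped. Whether `kind.Ext` carries a leading dot is not visible in this chunk (programkind.go is not shown) and is worth confirming.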
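Review bot: Switching the gate in `Generate` from `kind.MIME` to `kind.Ext` changes what the filter trusts: a MIME type comes from content detection, whereas a file extension can come from the file name, which is attacker-chosen. If `kind.Ext` is derived from the name rather than from magic-byte detection (programkind.go is not visible here), a sample renamed from `payload` to `payload.txt` would no longer satisfy `elf`-scoped rules and those findings would be filtered out of the report even though YARA matched them. A comment at the call site recording the assumption, e.g. `// kind.Ext comes from content detection, not the file name — see programkind`, plus a test that scans an extensionless ELF against an `elf`-scoped rule, would pin this down. `Generate` starts and ends outside the hunk.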
+++ b/rules/anti-behavior/anti-debugger.yara @@ -1,7 +1,7 @@ rule win_debugger_present: medium windows { meta: description = "Detects if process is being executed within a debugger" - filetypes = "text/x-powershell,application/octet-stream,application/vnd.microsoft.portable-executable" + filetypes = "ps1,exe,pe" strings: $debug_idp = "IsDebuggerPresent" @@ -14,7 +14,7 @@ rule win_debugger_present: medium windows { rule win_debugger_or_vm: medium windows { meta: description = "Detects if process is being executed within a debugger or VM" - filetypes = "text/x-powershell,application/octet-stream,application/vnd.microsoft.portable-executable" + filetypes = "ps1,exe,pe" strings: $cpu_pfp = "IsProcessorFeaturePresent" @@ -29,7 +29,7 @@ rule win_debugger_or_vm: medium windows { rule multiple_linux_methods: high linux { meta: description = "possible debugger detection across multiple methods" - filetypes = "application/x-elf" + filetypes = "elf" strings: $ld_profile = "LD_PROFILE" fullword diff --git a/rules/anti-behavior/process-check.yara b/rules/anti-behavior/process-check.yara index cec89dcd0..ab8b972a3 100644 --- a/rules/anti-behavior/process-check.yara +++ b/rules/anti-behavior/process-check.yara @@ -1,7 +1,7 @@ rule activity_monitor_checker: high macos { meta: description = "checks if 'Activity Monitor' is running" - filetypes = "application/x-mach-binary" + filetypes = "macho" strings: $ps = "ps" fullword @@ -17,7 +17,7 @@ rule activity_monitor_checker: high macos { rule linux_monitors: high linux { meta: description = "checks if various process monitors are running" - filetypes = "application/x-elf" + filetypes = "elf" strings: $pgrep = "pgrep" fullword @@ -47,7 +47,7 @@ rule linux_monitors: high linux { rule anti_rootkit_hunter: high linux { meta: description = "checks if rootkit detectors are running" - filetypes = "application/x-elf" + filetypes = "elf" strings: $proc = "/proc/" 
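Review bot: The new `filetypes = "ps1,exe,pe"` on `win_debugger_present` and `win_debugger_or_vm` drops the `application/octet-stream` catch-all that the old list carried, so any Windows binary whose kind is not reported as exactly `exe` or `pe` — DLLs, drivers, screensavers, or an unrecognised blob — no longer receives these debugger-detection findings. Whether `pe` is a value programkind actually emits, or whether `dll`/`sys` are reported as separate extensions, is not visible in this chunk; if they are separate, the list should be widened, e.g. `filetypes = "ps1,exe,dll,sys,pe"`. The same consideration applies to `multiple_linux_methods` in the third hunk, where `elf` alone is only sufficient if extensionless ELF files are still classified as `elf` by content.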
diff --git a/rules/anti-behavior/random_behavior.yara b/rules/anti-behavior/random_behavior.yara index f771dc84c..ff1eec6f8 100644 --- a/rules/anti-behavior/random_behavior.yara +++ b/rules/anti-behavior/random_behavior.yara @@ -20,7 +20,7 @@ private rule random_behavior_pythonSetup { rule setuptools_random: critical { meta: description = "Python library installer that exhibits random behavior" - filetypes = "text/x-python" + filetypes = "py" strings: $ref = "import random" @@ -33,7 +33,7 @@ rule setuptools_random: critical { rule java_random: low { meta: description = "exhibits random behavior" - filetypes = "text/x-java" + filetypes = "java" strings: $ref = "java/util/Random" @@ -45,6 +45,7 @@ rule java_random: low { rule go_rand: medium { meta: description = "exhibits random behavior" + filetypes = "go" strings: $ref = "math/rand" @@ -56,7 +57,7 @@ rule go_rand: medium { rule rand_call: medium { meta: description = "exhibits random behavior" - filetypes = "text/x-c,text/x-php,text/x-perl" + filetypes = "c,perl,php" strings: $ref = "rand()" diff --git a/rules/anti-static/base64/eval.yara b/rules/anti-static/base64/eval.yara index cc68e8ac1..8c13d3ea7 100644 --- a/rules/anti-static/base64/eval.yara +++ b/rules/anti-static/base64/eval.yara @@ -3,7 +3,7 @@ import "math" rule eval_base64: high { meta: description = "Evaluates base64 content" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $eval = /eval\(.{0,256}base64/ @@ -15,7 +15,7 @@ rule eval_base64: high { rule ruby_eval_base64_decode: critical { meta: description = "Evaluates base64 content" - filetypes = "text/x-ruby" + filetypes = "rb" strings: $eval_base64_decode = "eval(Base64." @@ -27,7 +27,7 @@ rule ruby_eval_base64_decode: critical { rule ruby_eval_near_enough: high { meta: description = "Evaluates base64 content" - filetypes = "text/x-ruby" + filetypes = "rb" strings: $eval = "eval(" 
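Review bot: Adding `filetypes = "go"` to `go_rand` scopes the rule to Go source files, but the `math/rand` import path it matches is also embedded as a string in compiled Go binaries, which is where the rule has been firing; the regenerated `scan_archive` golden output in this same patch shows the consequence — the MEDIUM `go_rand` finding on the archived binary is replaced by the generic LOW `random` rule. If that downgrade is not intended, the scope should cover binaries too, `filetypes = "go,elf,macho,exe"`, or the line should be omitted so the rule stays universal as it was before. The `rand_call` hunk below narrows `text/x-c` to `c` only; if programkind reports `.cc`/`.cpp`/`.h` sources under their own extensions, those files previously covered by C MIME detection are now excluded.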
@@ -40,7 +40,7 @@ rule ruby_eval_near_enough: high { rule ruby_eval2_near_enough: high { meta: description = "Evaluates base64 content" - filetypes = "text/x-ruby" + filetypes = "rb" strings: $eval = "eval(" @@ -53,7 +53,7 @@ rule ruby_eval2_near_enough: high { rule python_exec_near_enough_base64: high { meta: description = "Likely executes base64 content" - filetypes = "text/x-python" + filetypes = "py" strings: $exec = "exec(" @@ -66,7 +66,7 @@ rule python_exec_near_enough_base64: high { rule python_base64_exec: critical { meta: description = "executes compressed base64 content" - filetypes = "text/x-python" + filetypes = "py" strings: $dec_b64decode_exec = /.{0,8}\.decompress\(.{0,96}\.b64decode\(.{0,64}\Wexec\(.{0,16}/ diff --git a/rules/anti-static/base64/exec.yara b/rules/anti-static/base64/exec.yara index 903bd3ca3..7c989e370 100644 --- a/rules/anti-static/base64/exec.yara +++ b/rules/anti-static/base64/exec.yara @@ -50,7 +50,7 @@ rule base64_suspicious_commands: critical { rule base64_exec: critical { meta: description = "executes base64 encoded commands" - filetypes = "text/x-python" + filetypes = "py" strings: $os_system = /os\.system\(b64[\"\'\(\)\w\=]{3,96}/ fullword @@ -62,7 +62,7 @@ rule base64_exec: critical { rule echo_decode_bash: critical { meta: description = "executes base64 encoded shell commands" - filetypes = "application/x-sh,application/x-zsh" + filetypes = "bash,sh,zsh" strings: $pipe = /base64 {0,2}(-d|--decode) {0,2}\| {0,2}(bash|zsh|sh)/ fullword @@ -77,7 +77,7 @@ import "math" rule echo_decode_bash_probable: high { meta: description = "likely pipes base64 into a shell" - filetypes = "application/x-sh,application/x-zsh" + filetypes = "bash,sh,zsh" strings: $decode = /base64 {0,2}(-d|--decode)/ fullword 
@@ -90,7 +90,7 @@ rule echo_decode_bash_probable: high { rule ruby_system_near_enough: critical { meta: description = "Executes commands from base64 content" - filetypes = "text/x-ruby" + filetypes = "rb" strings: $system = /system\(["'\w\)]{0,16}/ diff --git a/rules/anti-static/base64/function_names.yara b/rules/anti-static/base64/function_names.yara index ae5c437a5..61ed6811d 100644 --- a/rules/anti-static/base64/function_names.yara +++ b/rules/anti-static/base64/function_names.yara @@ -1,7 +1,7 @@ rule base64_php_functions: medium { meta: description = "References PHP functions in base64 form" - filetypes = "text/x-php" + filetypes = "php" strings: $php = "6.95)" - filetypes = "application/x-elf" + filetypes = "elf" condition: normal_elf and math.entropy(1, filesize) >= 6.95 @@ -22,7 +22,7 @@ rule higher_elf_entropy_68: medium { rule normal_elf_high_entropy_7_4: high { meta: description = "high entropy ELF binary (>7.4)" - filetypes = "application/x-elf" + filetypes = "elf" strings: $not_whirlpool = "libgcrypt-grub/cipher/whirlpool.c" @@ -35,7 +35,7 @@ rule normal_elf_high_entropy_7_4: high { rule normal_elf_high_entropy_footer_7_4: high { meta: description = "high entropy footer in ELF binary (>7.4)" - filetypes = "application/x-elf" + filetypes = "elf" condition: normal_elf and math.entropy(filesize - 8192, filesize) >= 7.4 @@ -44,7 +44,7 @@ rule normal_elf_high_entropy_footer_7_4: high { rule normal_elf_high_entropy_footer_7_4_rc4: high { meta: description = "high entropy footer in ELF binary (>7.4), likely RC4 encrypted" - filetypes = "application/x-elf" + filetypes = "elf" strings: $cmp_e_x_256 = { 81 f? 00 01 00 00 } // cmp {ebx, ecx, edx}, 256 diff --git a/rules/anti-static/elf/header.yara b/rules/anti-static/elf/header.yara index 8e2e225d9..fa0218305 100644 --- a/rules/anti-static/elf/header.yara +++ b/rules/anti-static/elf/header.yara 
@@ -5,7 +5,7 @@ rule single_load_rwe: critical { meta: description = "Binary with a single LOAD segment marked RWE" family = "Stager" - filetypes = "application/x-elf" + filetypes = "elf" author = "Tenable" @@ -17,7 +17,7 @@ rule fake_section_headers_conflicting_entry_point_address: critical { meta: description = "binary with fake sections header" family = "Obfuscation" - filetypes = "application/x-elf" + filetypes = "elf" author = "Tenable" @@ -29,7 +29,7 @@ rule fake_dynamic_symbols: critical { meta: description = "binary with fake dynamic symbol table" family = "Obfuscation" - filetypes = "application/x-elf" + filetypes = "elf" author = "Tenable" condition: @@ -39,7 +39,7 @@ rule fake_dynamic_symbols: critical { rule high_entropy_header: high { meta: description = "high entropy ELF header (>7)" - filetypes = "application/x-elf" + filetypes = "elf" strings: $not_pyinst = "pyi-bootloader-ignore-signals" diff --git a/rules/anti-static/elf/multiple.yara b/rules/anti-static/elf/multiple.yara index b4da19bb8..894bbf520 100644 --- a/rules/anti-static/elf/multiple.yara +++ b/rules/anti-static/elf/multiple.yara @@ -3,7 +3,7 @@ import "elf" rule multiple_elf: medium { meta: description = "multiple ELF binaries within an ELF binary" - filetypes = "application/x-elf" + filetypes = "elf" strings: $elf_head = "\x7fELF" diff --git a/rules/anti-static/elf/tiny.yara b/rules/anti-static/elf/tiny.yara index 6316b7571..d309da820 100644 --- a/rules/anti-static/elf/tiny.yara +++ b/rules/anti-static/elf/tiny.yara @@ -3,7 +3,7 @@ import "elf" rule impossibly_small_elf_program: high { meta: description = "ELF binary is unusually small" - filetypes = "application/x-elf" + filetypes = "elf" strings: $not_hello_c = "hello.c" diff --git a/rules/anti-static/macho/entropy.yara b/rules/anti-static/macho/entropy.yara index 380c97349..6a821c505 100644 --- a/rules/anti-static/macho/entropy.yara +++ b/rules/anti-static/macho/entropy.yara 
@@ -8,7 +8,7 @@ private rule smaller_macho { rule higher_entropy_6_9: medium { meta: description = "higher entropy binary (>6.9)" - filetypes = "application/x-mach-binary" + filetypes = "macho" condition: smaller_macho and math.entropy(1, filesize) >= 6.9 @@ -17,7 +17,7 @@ rule higher_entropy_6_9: medium { rule high_entropy_7_2: high { meta: description = "high entropy binary (>7.2)" - filetypes = "application/x-mach-binary" + filetypes = "macho" strings: // prevent bazel false positive diff --git a/rules/anti-static/macho/footer.yara b/rules/anti-static/macho/footer.yara index 9f1e40fab..5ee0acac5 100644 --- a/rules/anti-static/macho/footer.yara +++ b/rules/anti-static/macho/footer.yara @@ -9,7 +9,7 @@ rule high_entropy_trailer: high { meta: description = "higher-entropy machO trailer (normally NULL) - possible viral infection" ref = "https://www.virusbulletin.com/virusbulletin/2013/06/multiplatform-madness" - filetypes = "application/x-mach-binary" + filetypes = "macho" strings: $page_zero = "_PAGEZERO" diff --git a/rules/anti-static/macho/tiny.yara b/rules/anti-static/macho/tiny.yara index 8c5faad5a..f017ded56 100644 --- a/rules/anti-static/macho/tiny.yara +++ b/rules/anti-static/macho/tiny.yara @@ -1,7 +1,7 @@ rule impossibly_small_macho_program: medium { meta: description = "machO binary is unusually small" - filetypes = "application/x-mach-binary" + filetypes = "macho" strings: $stub_helper = "__stub_helper" diff --git a/rules/anti-static/obfuscation/bitwise.yara b/rules/anti-static/obfuscation/bitwise.yara index d1ba108bb..b1ad5ce3e 100644 --- a/rules/anti-static/obfuscation/bitwise.yara +++ b/rules/anti-static/obfuscation/bitwise.yara @@ -41,7 +41,7 @@ rule excessive_bitwise_math: high { rule bitwise_math: low { meta: description = "uses bitwise math" - filetypes = "text/x-python" + filetypes = "py" strings: $x = /\-{0,1}[\da-z]{1,8} \<\< \-{0,1}\d{1,8}/ 
@@ -55,7 +55,7 @@ rule bidirectional_bitwise_math: medium { meta: description = "uses bitwise math in both directions" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" - filetypes = "text/x-python" + filetypes = "py" strings: $x = /\-{0,1}[\da-z]{1,8} \<\< \-{0,1}\d{1,8}/ @@ -69,7 +69,7 @@ rule bitwise_python_string: medium { meta: description = "creates string using bitwise math" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" - filetypes = "text/x-python" + filetypes = "py" strings: $ref = /"".join\(chr\(\w{1,4} >> \w{1,3}\) for \w{1,16} in \w{1,16}/ @@ -82,7 +82,7 @@ rule bitwise_python_string_exec_eval: high { meta: description = "creates and evaluates string using bitwise math" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" - filetypes = "text/x-python" + filetypes = "py" strings: $ref = /"".join\(chr\(\w{1,4} >> \w{1,3}\) for \w{1,16} in \w{1,16}/ @@ -97,7 +97,7 @@ rule bitwise_python_string_exec_eval_nearby: critical { meta: description = "creates and executes string using bitwise math" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" - filetypes = "text/x-python" + filetypes = "py" strings: $ref = /"".join\(chr\(\w{1,4} >> \w{1,3}\) for \w{1,16} in \w{1,16}/ @@ -112,7 +112,7 @@ rule unsigned_bitwise_math: medium { meta: description = "uses unsigned bitwise math" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $function = "function(" 
@@ -129,7 +129,7 @@ rule unsigned_bitwise_math_excess: high { meta: description = "uses an excessive amount of unsigned bitwise math" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $function = "function(" @@ -147,7 +147,7 @@ rule unsigned_bitwise_math_excess: high { rule charAtBitwise: high { meta: description = "converts manipulated numbers into characters" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $function = "function(" @@ -162,7 +162,7 @@ rule bidirectional_bitwise_math_php: high { meta: description = "uses bitwise math in both directions" ref = "https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection" - filetypes = "text/x-php" + filetypes = "php" strings: $php = "6)" - filetypes = "application/javascript" + filetypes = "js,ts" condition: math.entropy(1, filesize) >= 6 @@ -164,7 +164,7 @@ rule high_entropy: medium { rule very_high_entropy: high { meta: description = "very high entropy javascript (>7)" - filetypes = "application/javascript" + filetypes = "js,ts" condition: math.entropy(1, filesize) >= 7 @@ -173,7 +173,7 @@ rule very_high_entropy: high { rule charCodeAtIncrement: medium { meta: description = "converts incremented numbers into characters" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $function = "function(" @@ -186,7 +186,7 @@ rule charCodeAtIncrement: medium { rule js_many_parseInt: high { meta: description = "javascript obfuscation (integer parsing)" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $const = "const " @@ -201,7 +201,7 @@ rule js_many_parseInt: high { rule over_powered_arrays: high { meta: description = "uses many powered array elements (>25)" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $function = /function\(\w,/ 
@@ -215,7 +215,7 @@ rule over_powered_arrays: high { rule string_prototype_function: high { meta: description = "obfuscates function calls via string prototypes" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $ref = /String\["prototype"\].{1,32} = function\(\) \{ eval\(this\.toString\(\)\)\;/ @@ -228,7 +228,7 @@ rule string_prototype_function: high { rule unicode_prototype: critical { meta: description = "sets obfuscated Array.prototype attribute" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $ref = /Array\.prototype\.\\[\w\\]{2,256}\s{0,2}=.{0,64}/ @@ -240,7 +240,7 @@ rule unicode_prototype: critical { rule var_filler: high { meta: description = "header is filled with excessive variable declarations" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $ref = /[a-z]{2,8}\d{1,5} = "[a-z]{2,8}\d{1,5}"/ fullword @@ -252,7 +252,7 @@ rule var_filler: high { rule large_random_variables: high { meta: description = "contains large random variable names" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $ref = /var [a-zA-Z_]{32,256} = '.{4}/ fullword @@ -264,7 +264,7 @@ rule large_random_variables: high { rule many_complex_var: medium { meta: description = "defines multiple complex variables" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $ref = /var [a-zA-Z_]{1,256} = \(/ @@ -276,7 +276,7 @@ rule many_complex_var: medium { rule many_complex_var_high: high { meta: description = "excessive complex variable declarations" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $ref = /var [a-zA-Z_]{1,256} = \(.{1,64}/ @@ -288,7 +288,7 @@ rule many_complex_var_high: high { rule many_static_map_lookups: medium { meta: description = "contains large number of static map lookups" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $ref = /\[[\"\'][a-z]{1,32}[\"\']\]/ 
@@ -300,7 +300,7 @@ rule many_static_map_lookups: medium { rule obfuscated_map_to_array_conversions: high { meta: description = "obfuscated map to array conversions" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $ref = /\[[\"\'a-z]{1,32}\]\s{0,2}\+\s{0,2}\[\]\)\[\d{1,4}\]/ @@ -312,7 +312,7 @@ rule obfuscated_map_to_array_conversions: high { rule large_obfuscated_array: high { meta: description = "contains large obfuscated arrays" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $ref = /[a-z]{32,256}=\[\]/ fullword @@ -325,7 +325,7 @@ rule large_obfuscated_array: high { rule high_entropy_charAt: medium { meta: description = "high entropy javascript (>5.37) that uses charAt/substr/join loops" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $ = "charAt(" @@ -341,7 +341,7 @@ rule high_entropy_charAt: medium { rule charAt_long_string: medium { meta: description = "uses charAt/substr/join loops with a long variable" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $s_charAt = "charAt(" @@ -360,7 +360,7 @@ rule charAt_long_string: medium { rule charAt_long_vars: medium { meta: description = "uses charAt/substr/join loops with long variables" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $s_charAt = "charAt(" @@ -379,7 +379,7 @@ rule charAt_long_vars: medium { rule obfuscated_require: high { meta: description = "sets variable to the 'require' keyword" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $ = /global\[\"\w{1,16}\"\]\s{0,2}=\s{0,2}require;/ diff --git a/rules/anti-static/obfuscation/math.yara b/rules/anti-static/obfuscation/math.yara index b20dd7214..7cd3b9c83 100644 --- a/rules/anti-static/obfuscation/math.yara +++ b/rules/anti-static/obfuscation/math.yara 
@@ -1,38 +1,25 @@ -private rule math_probably_js { - strings: - $f_function = "function" - $f_return = "return" - $f_local = "local" - $f_var = "var" fullword - $f_global = "global[" - $f_end = "end" fullword - - condition: - filesize < 5MB and 3 of ($f*) -} - rule js_long_math: high { meta: description = "performs multiple rounds of long integer math" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $d = /\d{6,14}[\+\-]\d{6,14}/ fullword condition: - math_probably_js and #d > 64 + #d > 64 } rule js_long_dumb_math: critical { meta: description = "performs multiple rounds of long dumb integer math" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $d = /[-\+]\([-\+]\d{6,14}[-\+]\([-\+]\d{6,14}\)\)/ condition: - math_probably_js and #d > 32 + #d > 32 } rule js_junk_math: medium { @@ -48,7 +35,7 @@ rule js_junk_math: medium { $m_tiny_vars_long_remainder = /\w{0,2}\s{0,2}=\s{0,2}\(\w + \w\) % \d{4,16};/ condition: - math_probably_js and $charAt and 2 of ($m*) + $charAt and 2 of ($m*) } rule js_junk_math_high: high { @@ -64,5 +51,5 @@ rule js_junk_math_high: high { $m_tiny_vars_long_remainder = /\w{0,2}\s{0,2}=\s{0,2}\(\w + \w\) % \d{4,16};/ condition: - math_probably_js and $charAt and 3 of ($m*) + $charAt and 3 of ($m*) } diff --git a/rules/anti-static/obfuscation/nodejs.yara b/rules/anti-static/obfuscation/nodejs.yara index b9b0fff55..3e7d7c745 100644 --- a/rules/anti-static/obfuscation/nodejs.yara +++ b/rules/anti-static/obfuscation/nodejs.yara @@ -1,7 +1,7 @@ rule nodejs_buffer_from: medium { meta: description = "loads arbitrary bytes from a buffer" - filetypes = "application/javascript,application/typescript" + filetypes = "js,ts" strings: $ref = /Buffer\.from\(\[[\d,]{8,63}\)/ 
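Review bot: Removing `math_probably_js` also removes its `filesize < 5MB` cap and its JS-token heuristic from the conditions of `js_long_math`, `js_long_dumb_math`, `js_junk_math` and `js_junk_math_high`; the `filetypes` metadata that replaces it is only consulted by `fileMatchesRule` at report time, so these regex-counting rules (`#d` over `/\d{6,14}[\+\-]\d{6,14}/`) now execute against every scanned file, including large binaries, and are merely hidden afterwards. The two `js_junk_math*` hunks do not show their `meta:` sections; if those rules carry no `filetypes` line, they become universal rather than JS-scoped and will surface on any file type. Keeping a size guard in the condition, e.g. `filesize < 5MB and #d > 64`, preserves the old cost bound without the token heuristic.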
@@ -13,7 +13,7 @@ rule nodejs_buffer_from: medium { rule nodejs_buffer_from_many: high { meta: description = "loads many arbitrary bytes from a buffer" - filetypes = "application/javascript,application/typescript" + filetypes = "js,ts" strings: $ref = /Buffer\.from\(\[[\d,]{63,2048}/ diff --git a/rules/anti-static/obfuscation/osascript.yara b/rules/anti-static/obfuscation/osascript.yara index b0d1247f7..34a90767c 100644 --- a/rules/anti-static/obfuscation/osascript.yara +++ b/rules/anti-static/obfuscation/osascript.yara @@ -1,7 +1,7 @@ rule compiled_osascript: medium { meta: description = "compiled osascript" - filetypes = "application/x-applescript" + filetypes = "scpt,scptd" strings: $s_sysoexec = "sysoexecTEXT" diff --git a/rules/anti-static/obfuscation/padding.yara b/rules/anti-static/obfuscation/padding.yara index 1973a3bb5..75da779f2 100644 --- a/rules/anti-static/obfuscation/padding.yara +++ b/rules/anti-static/obfuscation/padding.yara @@ -45,7 +45,7 @@ rule gzinflate_str_replace: critical { rule funky_function: critical { meta: description = "creatively hidden forms of the term 'function'" - filetypes = "text/x-php" + filetypes = "php" strings: $a = "'fu'.'nct'.'ion'" diff --git a/rules/anti-static/obfuscation/perl.yara b/rules/anti-static/obfuscation/perl.yara index c914dff51..b3774aa79 100644 --- a/rules/anti-static/obfuscation/perl.yara +++ b/rules/anti-static/obfuscation/perl.yara @@ -2,7 +2,7 @@ rule generic_obfuscated_perl: medium { meta: description = "Obfuscated PERL code" - filetypes = "text/x-perl" + filetypes = "pl" strings: $unpack_nospace = "pack'" fullword diff --git a/rules/anti-static/obfuscation/php.yara b/rules/anti-static/obfuscation/php.yara index f0cffbe5f..c2f2b8c49 100644 --- a/rules/anti-static/obfuscation/php.yara +++ b/rules/anti-static/obfuscation/php.yara 
@@ -3,7 +3,7 @@ rule php_obfuscation: high { description = "obfuscated PHP code" credit = "Ported from https://github.com/jvoisin/php-malware-finder" - filetypes = "text/x-php" + filetypes = "php" strings: $php = "7)" - filetype = "application/vnd.microsoft.portable-executable" + filetype = "exe,pe" condition: uint16(0) == 0x5a4d and math.entropy(0, filesize) > 7 diff --git a/rules/anti-static/packer/py_kramer.yara b/rules/anti-static/packer/py_kramer.yara index 4e8af5ac2..c5e5aae4c 100644 --- a/rules/anti-static/packer/py_kramer.yara +++ b/rules/anti-static/packer/py_kramer.yara @@ -2,7 +2,7 @@ rule kramer: critical { meta: description = "packed with Kramer" ref = "https://github.com/billythegoat356/Kramer" - filetypes = "text/x-python" + filetypes = "py" strings: $ = ".__init__...." @@ -21,7 +21,7 @@ rule py_kramer_packer2: critical python { meta: description = "packed with Kramer" ref = "https://github.com/billythegoat356/Kramer" - filetypes = "text/x-python" + filetypes = "py" strings: $ = "class Kramer():" @@ -38,7 +38,7 @@ rule py_kramer_packer3: critical python { meta: description = "packed with Kramer" ref = "https://github.com/billythegoat356/Kramer" - filetypes = "text/x-python" + filetypes = "py" strings: $ = "Kramer.__decode__" diff --git a/rules/anti-static/packer/py_vare.yara b/rules/anti-static/packer/py_vare.yara index 251bfed96..688da08c7 100644 --- a/rules/anti-static/packer/py_vare.yara +++ b/rules/anti-static/packer/py_vare.yara @@ -1,7 +1,7 @@ rule Vare_Obfuscator: critical { meta: description = "obfuscated with https://github.com/saintdaddy/Vare-Obfuscator" - filetypes = "text/x-python" + filetypes = "py" strings: $var = "__VareObfuscator__" diff --git a/rules/anti-static/packer/pycloak.yara b/rules/anti-static/packer/pycloak.yara index 13beeabb8..5532ac54e 100644 --- a/rules/anti-static/packer/pycloak.yara +++ b/rules/anti-static/packer/pycloak.yara 
@@ -2,7 +2,7 @@ rule pycloak: critical { meta: description = "packed with pycloak" ref = "https://github.com/addi00000/pycloak" - filetypes = "text/x-python" + filetypes = "py" strings: $ = "__builtins__.__dict__[__builtins__.__dict__" diff --git a/rules/anti-static/packer/pyobfuscate.yara b/rules/anti-static/packer/pyobfuscate.yara index 58ab681d7..bde8940f6 100644 --- a/rules/anti-static/packer/pyobfuscate.yara +++ b/rules/anti-static/packer/pyobfuscate.yara @@ -1,7 +1,7 @@ rule pyobfuscate: high { meta: description = "uses 'pyobfuscate' packer" - filetypes = "text/x-python" + filetypes = "py" strings: $def = "def" fullword diff --git a/rules/anti-static/packer/upx.yara b/rules/anti-static/packer/upx.yara index e6dd78a6d..6fa1801b4 100644 --- a/rules/anti-static/packer/upx.yara +++ b/rules/anti-static/packer/upx.yara @@ -1,7 +1,7 @@ rule upx: high { meta: description = "Binary is packed with UPX" - filetype = "application/x-upx" + filetype = "upx" strings: $u_upx_sig = "UPX!" @@ -16,7 +16,7 @@ rule upx: high { rule upx_elf: high { meta: description = "Linux ELF binary packed with UPX" - filetype = "application/x-upx" + filetype = "upx" strings: $proc_self = "/proc/self/exe" @@ -30,7 +30,7 @@ rule upx_elf: high { rule upx_elf_tampered: critical { meta: description = "Linux ELF binary packed with modified UPX" - filetype = "application/x-upx" + filetype = "upx" strings: $prot_exec = "PROT_EXEC|PROT_WRITE failed" diff --git a/rules/anti-static/unmarshal/marshal.yara b/rules/anti-static/unmarshal/marshal.yara index 86df4127e..e2da33b3d 100644 --- a/rules/anti-static/unmarshal/marshal.yara +++ b/rules/anti-static/unmarshal/marshal.yara @@ -14,7 +14,7 @@ private rule pySetup { rule unmarshal_py_marshal: medium { meta: description = "reads python values from binary content" - filetypes = "text/x-python" + filetypes = "py" strings: $ref = "import marshal" 
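Review bot: All three UPX rules keep the singular key `filetype`, while `fileMatchesRule` in this patch only recognises `filetypes`, so the metadata is ignored and the rules stay universal — the value change from `application/x-upx` to `upx` has no effect. If the key is corrected, `upx` is also unlikely to be an extension programkind reports for a packed ELF or PE, which would make the rules never match; the scope that reflects what `upx_elf` and `upx_elf_tampered` actually inspect (`/proc/self/exe`, `PROT_EXEC|PROT_WRITE failed`) is `filetypes = "elf"`, and for the generic `upx` rule `filetypes = "elf,exe,macho"`. The same singular key appears on the PE-entropy packer rule earlier in this patch (`filetype = "exe,pe"`), which is silently universal for the same reason.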
@@ -26,7 +26,7 @@ rule unmarshal_py_marshal: medium { rule setuptools_py_marshal: suspicious { meta: description = "Python library installer that reads values from binary content" - filetypes = "text/x-python" + filetypes = "py" condition: pySetup and unmarshal_py_marshal diff --git a/rules/c2/addr/ip.yara b/rules/c2/addr/ip.yara index bc6576577..c51da388d 100644 --- a/rules/c2/addr/ip.yara +++ b/rules/c2/addr/ip.yara @@ -27,7 +27,7 @@ private rule ip_elf_or_macho { rule bin_hardcoded_ip: high { meta: description = "ELF with hardcoded IP address" - filetypes = "application/x-mach-binary,application/x-elf" + filetypes = "elf,macho" strings: // stricter version of what's above: excludes 255.* and *.0.* *.1.*, and 8.* (likely Google) diff --git a/rules/c2/addr/url.yara b/rules/c2/addr/url.yara index 4d2c00e75..963e89ffc 100644 --- a/rules/c2/addr/url.yara +++ b/rules/c2/addr/url.yara @@ -79,7 +79,7 @@ rule http_url_with_question: medium { rule binary_with_url: low { meta: description = "binary contains hardcoded URL" - filetypes = "application/x-mach-binary,application/x-elf" + filetypes = "elf,macho" strings: $ref = /https*:\/\/[\w\.\/]{8,160}[\/\w\=\&]{0,32}/ @@ -91,7 +91,7 @@ rule binary_with_url: low { rule binary_url_with_question: high { meta: description = "binary contains hardcoded URL with question mark" - filetypes = "application/x-mach-binary,application/x-elf" + filetypes = "elf,macho" strings: $ref = /https*:\/\/[\w\.\/]{8,160}\.(asp|php|exe|dll)\?[\w\=\&]{1,32}/ diff --git a/rules/c2/connect/bash_tcp.yara b/rules/c2/connect/bash_tcp.yara index 6ebc77599..1ce61ca5c 100644 --- a/rules/c2/connect/bash_tcp.yara +++ b/rules/c2/connect/bash_tcp.yara @@ -1,7 +1,7 @@ rule bash_tcp: high { meta: description = "sends data via /dev/tcp (bash)" - filetypes = "application/x-sh,application/x-zsh" + filetypes = "bash,sh,zsh" strings: $ref = /[\w \-\\<]{0,32}>"{0,1}\/dev\/tcp\/[\$\{\/\:\-\w\"]{0,32}/ 
diff --git a/rules/c2/tool_transfer/chmod_dropper.yara b/rules/c2/tool_transfer/chmod_dropper.yara index 825b62ced..244d90443 100644 --- a/rules/c2/tool_transfer/chmod_dropper.yara +++ b/rules/c2/tool_transfer/chmod_dropper.yara @@ -1,7 +1,7 @@ rule chmod_77x_dropper: critical { meta: description = "transfers program, uses dangerous permissions, and possibly runs a binary" - filetypes = "application/x-mach-binary,application/x-elf" + filetypes = "elf,macho" strings: $chmod = /chmod [\-\w ]{0,3}77[750] [ \$\@\w\/\.]{0,64}/ @@ -21,7 +21,7 @@ rule chmod_77x_dropper: critical { rule chmod_executable_shell_binary: high { meta: description = "executable makes another file executable" - filetypes = "application/x-mach-binary,application/x-elf" + filetypes = "elf,macho" strings: $chmod = /chmod [\-\w ]{0,4}\+[rw]{0,2}x[ \$\@\w\/\.]{0,64}/ diff --git a/rules/c2/tool_transfer/download.yara b/rules/c2/tool_transfer/download.yara index 3c1ddeb39..13acfe6a4 100644 --- a/rules/c2/tool_transfer/download.yara +++ b/rules/c2/tool_transfer/download.yara @@ -122,7 +122,7 @@ private rule smallerBinary { rule http_archive_url_higher: high { meta: description = "accesses hardcoded archive file endpoint" - filetypes = "application/x-elf,application/x-mach-binary" + filetypes = "elf,macho" strings: $ref = /https{0,1}:\/\/[\w\.]{0,160}[:\/\w\_\-\?\@=]{6,160}\.(zip|tar|tgz|gz|xz)/ fullword diff --git a/rules/c2/tool_transfer/js.yara b/rules/c2/tool_transfer/js.yara index 6cf41982c..28732a0b2 100644 --- a/rules/c2/tool_transfer/js.yara +++ b/rules/c2/tool_transfer/js.yara @@ -1,7 +1,7 @@ rule javascript_dropper: critical { meta: description = "Javascript dropper" - filetypes = "application/javascript" + filetypes = "js,ts" strings: $lh = /require\(['"]https{0,1}['"]\)/ diff --git a/rules/c2/tool_transfer/macos.yara b/rules/c2/tool_transfer/macos.yara index f86a5cc2a..4c82c9b22 100644 --- a/rules/c2/tool_transfer/macos.yara +++ b/rules/c2/tool_transfer/macos.yara 
@@ -12,7 +12,7 @@ rule macos_chflags_hidden: critical {
 meta:
 description = "dropper that hides it's payload using chflags"
 hash = "e064158742c9a5f451e69b02e83eea9fb888623fafe34ff5b38036901d8419b4"
- filetypes = "application/x-mach-binary"
+ filetypes = "macho"
 strings:
 $c_curl = "curl" fullword
@@ -27,7 +27,7 @@ rule macos_chflags_hidden: critical {
 rule cocoa_bundle_dropper: critical {
 meta:
 ref = "https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos"
- filetypes = "application/x-mach-binary"
+ filetypes = "macho"
 strings:
 $bundle = "NSBundle" fullword
diff --git a/rules/c2/tool_transfer/npm.yara b/rules/c2/tool_transfer/npm.yara
index 237515560..20306a097 100644
--- a/rules/c2/tool_transfer/npm.yara
+++ b/rules/c2/tool_transfer/npm.yara
@@ -2,7 +2,7 @@ rule npm_dropper: critical {
 meta:
 description = "NPM binary dropper"
 ref = "https://www.reversinglabs.com/blog/a-lurking-npm-package-makes-the-case-for-open-source-health-checks"
- filetypes = "application/javascript,application/typescript"
+ filetypes = "js,ts"
 strings:
 $npm_format = /"format":/
diff --git a/rules/c2/tool_transfer/osascript.yara b/rules/c2/tool_transfer/osascript.yara
index 85116a2bb..20eb94bea 100644
--- a/rules/c2/tool_transfer/osascript.yara
+++ b/rules/c2/tool_transfer/osascript.yara
@@ -1,7 +1,7 @@
 rule osascript_dropper: high {
 meta:
 description = "osascript dropper"
- filetypes = "application/x-applescript"
+ filetypes = "scpt,scptd"
 strings:
 $c_osascript = "osascript" fullword
diff --git a/rules/c2/tool_transfer/php.yara b/rules/c2/tool_transfer/php.yara
index b3217718b..dd623611a 100644
--- a/rules/c2/tool_transfer/php.yara
+++ b/rules/c2/tool_transfer/php.yara
@@ -1,7 +1,7 @@
 rule php_copy_url: high {
 meta:
 ref = "kinsing"
- filetypes = "text/x-php"
+ filetypes = "php"
 strings:
 $php = ""
diff --git a/rules/data/builtin/multiple.yara b/rules/data/builtin/multiple.yara
index 383b26ec6..e4567dad1 100644
--- a/rules/data/builtin/multiple.yara
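Review bot: In the `osascript_dropper` hunk of rules/c2/tool_transfer/osascript.yara the replacement `filetypes = "scpt,scptd"` names only the compiled AppleScript formats, whereas the old `application/x-applescript` value also described plain-text AppleScript source, which is where the literal `osascript` string this rule matches is most likely to appear verbatim. Whether the new type map has a token for text AppleScript is not visible from this hunk (pkg/programkind/programkind.go is outside it), so this is worth confirming; if such a token exists it belongs in this list, and if not a short comment such as `// compiled AppleScript only; plain-text .applescript sources are not covered` would record the narrowing. The macos.yara, npm.yara and php.yara hunks on this line look consistent with the rest of the change.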
+++ b/rules/data/builtin/multiple.yara
@@ -30,7 +30,7 @@ private rule _bundled_glibc: medium {
 rule elf_with_bundled_glibc_and_openssl: high {
 meta:
 description = "includes bundled copy of glibc and OpenSSL"
- filetypes = "application/x-elf"
+ filetypes = "elf"
 condition:
 _bundled_openssl and _bundled_glibc
diff --git a/rules/data/encoding/json-encode.yara b/rules/data/encoding/json-encode.yara
index 04802aee5..cc7a5b5e3 100644
--- a/rules/data/encoding/json-encode.yara
+++ b/rules/data/encoding/json-encode.yara
@@ -24,7 +24,7 @@ rule MarshalJSON: harmless {
 rule json_dumps: low {
 meta:
 description = "encodes JSON"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $jsone = "json" fullword
diff --git a/rules/discover/user/username-get.yara b/rules/discover/user/username-get.yara
index 99e77e805..8e0dfacc9 100644
--- a/rules/discover/user/username-get.yara
+++ b/rules/discover/user/username-get.yara
@@ -47,7 +47,7 @@ private rule user_pythonSetup {
 rule pysetup_gets_login: high {
 meta:
 description = "Python library installer gets login information"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $ref = "os.getlogin" fullword
diff --git a/rules/evasion/indicator_blocking/hidden_window.yara b/rules/evasion/indicator_blocking/hidden_window.yara
index 9695a90d7..d035cae18 100644
--- a/rules/evasion/indicator_blocking/hidden_window.yara
+++ b/rules/evasion/indicator_blocking/hidden_window.yara
@@ -30,7 +30,7 @@ private rule hidden_window_pythonSetup {
 rule subprocess_CREATE_NO_WINDOW_setuptools: high {
 meta:
 description = "runs commands, hides windows"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $sub = "subprocess"
@@ -43,7 +43,7 @@ rule subprocess_CREATE_NO_WINDOW_setuptools: high {
 rule subprocess_CREATE_NO_WINDOW_high: high {
 meta:
 description = "runs commands, hides windows"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $s_sub = "subprocess"
diff --git a/rules/evasion/indicator_blocking/mask_exceptions.yara b/rules/evasion/indicator_blocking/mask_exceptions.yara
index 858915d89..0e289864d 100644
--- a/rules/evasion/indicator_blocking/mask_exceptions.yara
+++ b/rules/evasion/indicator_blocking/mask_exceptions.yara
@@ -19,7 +19,7 @@ private rule indicator_blocking_pythonSetup {
 rule py_no_fail: medium {
 meta:
 description = "Python code that hides exceptions"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $e_short = /except:.{0,4}pass/ fullword
@@ -32,7 +32,7 @@ rule py_no_fail: medium {
 rule setuptools_no_fail: suspicious {
 meta:
 description = "Python library installer that hides exceptions"
- filetypes = "text/x-python"
+ filetypes = "py"
 condition:
 indicator_blocking_pythonSetup and py_no_fail
diff --git a/rules/evasion/net/hide_ports.yara b/rules/evasion/net/hide_ports.yara
index ac8df80cb..5dc0c9a22 100644
--- a/rules/evasion/net/hide_ports.yara
+++ b/rules/evasion/net/hide_ports.yara
@@ -11,7 +11,7 @@ private rule net_elf {
 rule hides_ports: high {
 meta:
 description = "may hide ports"
- filetypes = "application/x-mach-binary,application/x-elf"
+ filetypes = "elf,macho"
 strings:
 $bin_ss = "/usr/bin/ss"
diff --git a/rules/evasion/rootkit/kernel.yara b/rules/evasion/rootkit/kernel.yara
index a7c39658b..3c7848893 100644
--- a/rules/evasion/rootkit/kernel.yara
+++ b/rules/evasion/rootkit/kernel.yara
@@ -3,7 +3,7 @@ rule linux_kernel_module_getdents64: critical linux {
 description = "kernel module that intercepts directory listing"
 ref = "https://github.com/m0nad/Diamorphine"
- filetypes = "application/x-elf,application/x-sharedlib"
+ filetypes = "elf,so"
 strings:
 $getdents64 = "getdents64"
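Review bot: In the `linux_kernel_module_getdents64` hunk of rules/evasion/rootkit/kernel.yara the new `filetypes = "elf,so"` may exclude the very files the rule is written for: Linux kernel modules are shipped as `.ko` objects, and whether the type map classifies a `.ko` as `elf` or `so` (by extension or by content sniffing) is not visible from this hunk. If it classifies by extension only, this rule, `linux_kernel_module_orig` and `lkm_dirent` (the kernel.yara hunks on the next line) and `linux_rootkit_terms` in rules/evasion/rootkit/userspace.yara will silently stop applying to kernel modules. Please confirm against pkg/programkind, or add the kernel-module token here if the map provides one; a comment such as `// kernel modules are relocatable ELF objects; relies on .ko being mapped to elf` would document the dependency either way.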
@@ -17,7 +17,7 @@ rule linux_kernel_module_getdents64: critical linux {
 rule linux_kernel_module_orig: high linux {
 meta:
 description = "kernel module that intercepts directory listing and signals"
- filetypes = "application/x-elf,application/x-sharedlib"
+ filetypes = "elf,so"
 strings:
 $getdents64 = "orig_getdents64"
@@ -43,7 +43,7 @@ rule lkm_dirent: high {
 meta:
 description = "kernel rootkit designed to hide files (linux_dirent)"
- filetypes = "application/x-sharedlib"
+ filetypes = "so"
 strings:
 $l_dirent = "linux_dirent"
diff --git a/rules/evasion/rootkit/userspace.yara b/rules/evasion/rootkit/userspace.yara
index 7669564c7..045ee34f8 100644
--- a/rules/evasion/rootkit/userspace.yara
+++ b/rules/evasion/rootkit/userspace.yara
@@ -1,7 +1,7 @@
 rule readdir_intercept_source: high {
 meta:
 description = "userland rootkit source designed to hide files (DECLARE_READDIR)"
- filetypes = "application/x-sharedlib,text/x-c"
+ filetypes = "c,so"
 strings:
 $declare = "DECLARE_READDIR"
@@ -14,7 +14,7 @@ rule readdir_intercept_source: high {
 rule hide_dir_contents: high {
 meta:
 description = "userland rootkit source designed to hide files"
- filetypes = "application/x-sharedlib,text/x-c"
+ filetypes = "c,so"
 strings:
 $readdir64 = "readdir64"
@@ -32,7 +32,7 @@ rule readdir_intercept: high {
 meta:
 description = "userland rootkit designed to hide files (readdir64)"
- filetypes = "application/x-sharedlib,text/x-c"
+ filetypes = "c,so"
 strings:
 $r_new65 = "readdir64" fullword
@@ -50,7 +50,7 @@ rule readdir_dlsym_interceptor: high {
 meta:
 description = "userland rootkit designed to hide files (readdir64+readlink)"
- filetypes = "application/x-sharedlib,text/x-c"
+ filetypes = "c,so"
 strings:
 $f_dlsym = "dlsym" fullword
@@ -68,7 +68,7 @@ rule readdir_tcp_wrapper_intercept: high {
 meta:
 description = "userland rootkit designed to hide files and bypass tcp-wrappers"
 ref = "https://github.com/ldpreload/Medusa"
- filetypes = "application/x-sharedlib,text/x-c"
+ filetypes = "c,so"
 strings:
 $r_new65 = "readdir64" fullword
@@ -105,7 +105,7 @@ rule medusa_like_ld_preload: critical linux {
 rule linux_rootkit_terms: critical linux {
 meta:
 description = "appears to be a Linux rootkit"
- filetypes = "application/x-elf,application/x-sharedlib"
+ filetypes = "elf,so"
 strings:
 $s_Rootkit = "Rootkit"
diff --git a/rules/evasion/self_deletion/run_and_delete.yara b/rules/evasion/self_deletion/run_and_delete.yara
index 3a56bbd03..6557dd681 100644
--- a/rules/evasion/self_deletion/run_and_delete.yara
+++ b/rules/evasion/self_deletion/run_and_delete.yara
@@ -39,7 +39,7 @@ rule fetch_run_sleep_delete: critical {
 private rule run_delete_py_fetcher: medium {
 meta:
 description = "fetches content"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $http_requests = "requests.get" fullword
@@ -57,7 +57,7 @@ private rule run_delete_py_fetcher: medium {
 rule python_setsid_remove: high {
 meta:
 description = "fetch, run in background, delete"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $subprocess = /subprocess.\w{1,32}\([\"\'\/\w\ \-\)]{0,64}/
diff --git a/rules/exec/cmd/cmd.yara b/rules/exec/cmd/cmd.yara
index 0ccdb4ac3..58f077722 100644
--- a/rules/exec/cmd/cmd.yara
+++ b/rules/exec/cmd/cmd.yara
@@ -15,7 +15,7 @@ rule exec: medium {
 rule ruby_exec: medium {
 meta:
 description = "executes a command"
- filetypes = "text/x-ruby"
+ filetypes = "rb"
 strings:
 $require = "require" fullword
@@ -28,7 +28,7 @@ rule ruby_exec: medium {
 rule ruby_run_exe: high {
 meta:
 description = "runs an executable program"
- filetypes = "text/x-ruby"
+ filetypes = "rb"
 strings:
 $require = "require" fullword
@@ -41,7 +41,7 @@ rule ruby_run_exe: high {
 rule java_process_builder: medium {
 meta:
 description = "runs an external program"
- filetypes = "text/x-java,application/java-archive"
+ filetypes = "jar,java"
 strings:
 $lang = "java/lang/Process"
@@ -55,7 +55,7 @@ rule java_process_builder: medium {
 rule java_exec: medium {
 meta:
 description = "runs an external program"
- filetypes = "text/x-java,application/java-archive"
+ filetypes = "jar,java"
 strings:
 $lang = "java/lang/Runtime"
diff --git a/rules/exec/dylib/replace.yara b/rules/exec/dylib/replace.yara
index 48ecc626f..c9065c57f 100644
--- a/rules/exec/dylib/replace.yara
+++ b/rules/exec/dylib/replace.yara
@@ -1,7 +1,7 @@
 rule java_replacement_class: medium java {
 meta:
 description = "runtime override of a class"
- filetypes = "application/java-vm,text/x-jav"
+ filetypes = "class,java"
 strings:
 $replace = "loadReplacementClass"
diff --git a/rules/exec/imports/python.yara b/rules/exec/imports/python.yara
index e33609b38..2e5385b9c 100644
--- a/rules/exec/imports/python.yara
+++ b/rules/exec/imports/python.yara
@@ -1,6 +1,7 @@
 rule has_import: low {
 meta:
 description = "imports python modules"
+ filetypes = "py"
 strings:
 $ref = /import [a-z0-9A-Z]{2,12}/ fullword
@@ -13,6 +14,7 @@ rule has_import: low {
 rule python_code_as_chr_int: critical {
 meta:
 description = "hides additional import as array of integers"
+ filetypes = "py"
 strings:
 $import = "import" fullword
@@ -26,7 +28,7 @@ rule python_code_as_chr_int: critical {
 rule single_line_import: medium {
 meta:
 description = "imports built-in and executes more code on the same line"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $ref = /import [a-z0-9]{0,8};/
@@ -38,7 +40,7 @@ rule single_line_import: medium {
 rule single_line_import_multiple: high {
 meta:
 description = "imports multiple built-ins on the same line"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $ref = /import [a-z0-9]{0,8}; {0,2}import [a-z0-9]{0,8}; {0,2}/
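Review bot: In the `java_process_builder` and `java_exec` hunks of rules/exec/cmd/cmd.yara the new `filetypes = "jar,java"` omits `class`, even though the strings these rules match (`java/lang/Process`, `java/lang/Runtime`) are the slash-separated JVM internal names found in compiled `.class` files; Java source spells them `java.lang.Process`. The `java_replacement_class` hunk further along this line uses `class,java` for the same kind of string, so the two cmd.yara rules should agree with it: `filetypes = "class,jar,java"`. Matching inside a `jar` additionally depends on the scanner extracting the archive before YARA runs, which this hunk does not show.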
@@ -50,7 +52,7 @@ rule single_line_import_multiple: high {
 rule single_line_import_multiple_comma: medium {
 meta:
 description = "imports multiple comma spearated built-ins"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $ref2 = /import \w{2,8},\w{2,8},\w{2,8},[\w,]{0,64}/
@@ -62,6 +64,7 @@ rule single_line_import_multiple_comma: medium {
 rule __import__: medium {
 meta:
 description = "directly imports code using built-in __import__"
+ filetypes = "py"
 strings:
 $import = /__import__\([\'\w\(\[]\)\],]{0,64}/
@@ -73,6 +76,7 @@ rule __import__: medium {
 rule __import__sus: high {
 meta:
 description = "directly imports code using built-in __import__"
+ filetypes = "py"
 strings:
 $sus = /__import__.{0,128}(zlib|fernet|base64|b64decode|exec\()/
@@ -84,6 +88,7 @@ rule __import__sus: high {
 rule zipimport: medium {
 meta:
 description = "loads external module using zipimporter"
+ filetypes = "py"
 strings:
 $zipimporter = "zipimporter"
@@ -96,6 +101,7 @@ rule zipimport: medium {
 rule zipimport_obfuscated: high {
 meta:
 description = "loads obfuscated enccrypted module using zipimporter"
+ filetypes = "py"
 strings:
 $must_import = "import" fullword
diff --git a/rules/exec/install_additional/pip_install.yara b/rules/exec/install_additional/pip_install.yara
index 937a198fe..38f774e93 100644
--- a/rules/exec/install_additional/pip_install.yara
+++ b/rules/exec/install_additional/pip_install.yara
@@ -26,7 +26,7 @@ rule pip_installer: medium {
 meta:
 description = "Installs software using pip from python"
- filetypes = "text/x-python,application/x-python-code,application/x-sh"
+ filetypes = "bash,py,pyc,sh,zsh"
 strings:
 $ref = /pip3{0,1}[ \'\"\,]{0,5}install[ \'\"\,]{0,5}[\w\-\_\%]{0,32}/
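Review bot: In the `pip_installer` hunk of rules/exec/install_additional/pip_install.yara, `filetypes = "bash,py,pyc,sh,zsh"` scopes the rule to scripts and bytecode, while the `$ref` regex it keeps is a command-line pattern that also commonly appears in Dockerfiles, Makefiles and CI configuration. Whether `filetypes` is now a hard gate on which rules run or only a report annotation is not visible from this hunk (the consumer in pkg/report/report.go is outside it); if it is a gate, this narrowing is a silent coverage loss worth recording on the rule, e.g. `// filetypes limits this rule to scripts; pip invocations in build/CI files are not matched`. Two typos in context lines of the python.yara hunks on this line, `spearated` in `single_line_import_multiple_comma` and `enccrypted` in `zipimport_obfuscated`, could be fixed while these descriptions are being touched.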
@@ -39,7 +39,7 @@ rule pip_installer_fernet: critical {
 meta:
 description = "Installs fernet crypto package using pip"
 ref = "https://checkmarx.com/blog/over-170k-users-affected-by-attack-using-fake-python-infrastructure/"
- filetypes = "text/x-python,application/x-python-code"
+ filetypes = "py,pyc"
 strings:
 $ref = /pip.{1,5}install.{1,4}fernet/
@@ -52,7 +52,7 @@ rule pip_installer_url: critical {
 meta:
 description = "Installs Python package from hardcoded URL"
 ref = "https://checkmarx.com/blog/over-170k-users-affected-by-attack-using-fake-python-infrastructure/"
- filetypes = "text/x-python,application/x-python-code,application/x-sh"
+ filetypes = "bash,py,pyc,sh,zsh"
 strings:
 $ref = /pip.{1,5}install.{1,4}https{0,1}:\/\/.{0,64}/
@@ -64,7 +64,7 @@ rule pip_installer_url: critical {
 rule pip_installer_socket: critical {
 meta:
 description = "Installs socket library using pip"
- filetypes = "text/x-python,application/x-python-code"
+ filetypes = "py,pyc"
 strings:
 $ref = /pip.{1,5}install.{1,4}socket/
@@ -76,7 +76,7 @@ rule pip_installer_socket: critical {
 rule pip_installer_requests: high {
 meta:
 description = "Installs requests library using pip"
- filetypes = "text/x-python,application/x-python-code"
+ filetypes = "py,pyc"
 strings:
 $ref = /pip.{1,5}install.{1,4}requests/
@@ -88,7 +88,7 @@ rule pip_installer_requests: high {
 rule pip_installer_sus: high {
 meta:
 description = "Installs libraries using pip"
- filetypes = "text/x-python,application/x-python-code"
+ filetypes = "py,pyc"
 strings:
 $crypto = "Crypto.Cipher"
diff --git a/rules/exec/program/opaque.yara b/rules/exec/program/opaque.yara
index 6e03dda7f..f9dfd28ef 100644
--- a/rules/exec/program/opaque.yara
+++ b/rules/exec/program/opaque.yara
@@ -11,7 +11,7 @@ import "math"
 rule macho_opaque_binary: high {
 meta:
 description = "opaque binary executes mystery command-lines"
- filetypes = "application/x-mach-binary"
+ filetypes = "macho"
 strings:
 $word_with_spaces = /[a-z]{2,16} [a-uxyz]{2,16}/ fullword
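Review bot: In the `pip_installer_fernet` hunk of rules/exec/install_additional/pip_install.yara the new `filetypes = "py,pyc"` is narrower than the `bash,py,pyc,sh,zsh` set given to `pip_installer` (previous line) and to `pip_installer_url` in this same group, and the same narrower set is applied to `pip_installer_socket`, `pip_installer_requests` and `pip_installer_sus` on this line. All of these match the same `pip ... install` command shape, so a shell script running the fernet install would trip only the medium-severity generic rule and not the critical one. Unless that asymmetry is intended, `filetypes = "bash,py,pyc,sh,zsh"` on the four narrower rules keeps severity consistent across file types; if it is intended, a one-line comment explaining why would help the next reader.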
@@ -30,7 +30,7 @@ rule macho_opaque_binary: high {
 rule macho_opaque_binary_long_str: high {
 meta:
 description = "opaque binary executes mystery command-lines, contains large alphanumeric string"
- filetypes = "application/x-mach-binary"
+ filetypes = "macho"
 strings:
 $word_with_spaces = /[a-z]{2,16} [a-uxyz]{2,16}/ fullword
diff --git a/rules/exec/remote_commands/code_eval.yara b/rules/exec/remote_commands/code_eval.yara
index 839d586de..e0e762ba1 100644
--- a/rules/exec/remote_commands/code_eval.yara
+++ b/rules/exec/remote_commands/code_eval.yara
@@ -3,7 +3,7 @@ import "math"
 rule js_eval: medium {
 meta:
 description = "evaluate code dynamically using eval()"
- filetypes = "application/javascript"
+ filetypes = "js,ts"
 strings:
 $val = /eval\([\.\+ _a-zA-Z\"\'\(\,\)]{1,32}/ fullword
@@ -17,7 +17,7 @@ rule js_eval: medium {
 rule js_eval_fx_str: high {
 meta:
 description = "evaluate processed string using eval()"
- filetypes = "application/javascript"
+ filetypes = "js,ts"
 strings:
 $val = /eval\(\w{0,16}\([\"\'].{0,16}/
@@ -29,7 +29,7 @@ rule js_eval_fx_str: high {
 rule js_eval_fx_str_multiple: critical {
 meta:
 description = "multiple evaluations of processed string using eval()"
- filetypes = "application/javascript"
+ filetypes = "js,ts"
 strings:
 $val = /eval\(\w{0,16}\([\"\'].{0,16}/
@@ -41,7 +41,7 @@ rule js_eval_fx_str_multiple: critical {
 rule js_eval_response: critical {
 meta:
 description = "executes code directly from HTTP response"
- filetypes = "application/javascript"
+ filetypes = "js,ts"
 strings:
 $val = /eval\(\w{0,16}\.responseText\)/
@@ -53,7 +53,7 @@ rule js_eval_response: critical {
 rule js_eval_near_enough_fromChar: high {
 meta:
 description = "Likely executes encrypted content"
- filetypes = "application/javascript"
+ filetypes = "js,ts"
 strings:
 $exec = /[\s\{]eval\(/
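Review bot: In the `js_eval_response` hunk of rules/exec/remote_commands/code_eval.yara, `filetypes = "js,ts"` scopes a rule whose `eval(...responseText)` pattern is browser-side code that is often delivered inline in HTML rather than as a standalone script, so if `filetypes` acts as a gate, HTML carriers are no longer covered; the same applies to the other `js_eval*` hunks on this line and the next. Whether the type map folds other JavaScript extensions such as `.mjs`, `.cjs` or `.jsx` into the `js` token is also not visible here and is worth confirming. A comment on the first rule in the file, e.g. `// js/ts only: inline scripts inside HTML are not matched by these rules`, would make the intended scope explicit.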
@@ -66,7 +66,7 @@ rule js_eval_near_enough_fromChar: high {
 rule js_eval_obfuscated_fromChar: critical {
 meta:
 description = "Likely executes encrypted content"
- filetypes = "application/javascript"
+ filetypes = "js,ts"
 strings:
 $exec = /[\s\{]eval\(/
@@ -91,7 +91,7 @@ rule js_anonymous_function: medium {
 rule python_exec: medium {
 meta:
 description = "evaluate code dynamically using exec()"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $f_import = "import" fullword
@@ -109,7 +109,7 @@ rule python_exec: medium {
 rule python_exec_near_enough_chr: high {
 meta:
 description = "Likely executes encoded character content"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $exec = "exec("
@@ -122,7 +122,7 @@ rule python_exec_near_enough_chr: high {
 rule python_exec_near_enough_fernet: high {
 meta:
 description = "Likely executes Fernet encrypted content"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $exec = "exec("
@@ -135,7 +135,7 @@ rule python_exec_near_enough_fernet: high {
 rule python_exec_near_enough_decrypt: high {
 meta:
 description = "Likely executes encrypted content"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $exec = /\bexec\(/
@@ -148,7 +148,7 @@ rule python_exec_near_enough_decrypt: high {
 rule python_exec_chr: critical {
 meta:
 description = "Executes encoded character content"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $exec = /exec\(.{0,16}chr\(.{0,16}\[\d[\d\, ]{0,64}/
@@ -160,7 +160,7 @@ rule python_exec_chr: critical {
 rule python_exec_bytes: critical {
 meta:
 description = "Executes a transformed bytestream"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $exec = /exec\([\w\.\(]{0,16}\(b['"].{8,16}/
@@ -172,7 +172,7 @@ rule python_exec_bytes: critical {
 rule python_exec_complex: high {
 meta:
 description = "Executes code from a complex expression"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $exec = /exec\([\w\. =]{1,32}\(.{0,8192}\)\)/ fullword
@@ -187,7 +187,7 @@ rule python_exec_complex: high {
 rule python_exec_fernet: critical {
 meta:
 description = "Executes Fernet encrypted content"
- filetypes = "text/x-python"
+ filetypes = "py"
 strings:
 $exec = /exec\(.{0,16}Fernet\(.{0,64}/
@@ -199,7 +199,7 @@ rule python_exec_fernet: critical {
 rule shell_eval: medium {
 meta:
 description = "evaluate shell code dynamically using eval"
- filetypes = "application/x-sh,application/x-zsh"
+ filetypes = "bash,sh,zsh"
 strings:
 $val = /eval \$\w{0,64}/ fullword
@@ -212,7 +212,7 @@ rule shell_eval: medium {
 rule php_create_function_no_args: high {
 meta:
 description = "dynamically creates PHP functions without arguments"
- filetypes = "text/x-php"
+ filetypes = "php"
 strings:
 $val = /create_function\([\'\"]{2},\$/
@@ -224,7 +224,7 @@ rule php_create_function_no_args: high {
 rule php_at_eval: critical {
 meta:
 description = "evaluates code in a way that suppresses errors"
- filetypes = "text/x-php"
+ filetypes = "php"
 strings:
 $at_eval = /@\beval\s{0,32}\(\s{0,32}(\$\w{0,32}|\.\s{0,32}"[^"]{0,32}"|\.\s{0,32}'[^']{0,32}'|\w+\(\s{0,32}\))/
diff --git a/rules/exec/shell/command.yara b/rules/exec/shell/command.yara
index 4e08ce006..ce263e67b 100644
--- a/rules/exec/shell/command.yara
+++ b/rules/exec/shell/command.yara
@@ -4,7 +4,7 @@ rule system: medium {
 syscalls = "fork,execl"
 ref = "https://man7.org/linux/man-pages/man3/system.3.html"
- filetypes = "application/x-elf,application/x-mach-binary"
+ filetypes = "elf,macho"
 strings:
 $system = "system" fullword
@@ -29,6 +29,8 @@ rule generic_shell_exec: medium {
 meta:
 description = "execute a shell command"
+ filetypes = "php"
+
 strings:
 $exec = "shell_exec"
@@ -41,7 +43,7 @@ rule php_shell_exec: medium php {
 description = "execute a shell command"
 syscalls = "fork,execl"
- filetypes = "text/x-php"
+ filetypes = "php"
 strings:
 $php = "com.apple.security.get-task-allow"
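Review bot: In the `generic_shell_exec` hunk of rules/exec/shell/command.yara the added `filetypes = "php"` restricts a rule whose name says "generic" to PHP, while the `php_shell_exec` rule immediately below it (its hunk is on this same line) is named for the same call and already carries the `php` tag. Either rename the rule, give it the same `php` tag so the two read consistently, or document the intended difference with a comment such as `// generic variant: matches shell_exec in any PHP file without the extra context php_shell_exec requires`. The added blank `+` line after the new metadata matches the layout of the other rules in the file.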
diff --git a/tests/javascript/2022.an-instance.99.10.9/index.js.simple b/tests/javascript/2022.an-instance.99.10.9/index.js.simple index b20cead17..fc531b160 100644 --- a/tests/javascript/2022.an-instance.99.10.9/index.js.simple +++ b/tests/javascript/2022.an-instance.99.10.9/index.js.simple @@ -1,5 +1,4 @@ # javascript/2022.an-instance.99.10.9/index.js: critical -anti-static/obfuscation/hex: medium data/encoding/int: low data/encoding/json_encode: low discover/network/interface_list: medium diff --git a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff index 13bc2cd8c..1ecf42b8e 100644 --- a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff +++ b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff @@ -8,7 +8,7 @@ | +HIGH | **[anti-static/obfuscation/bitwise](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#unsigned_bitwise_math_excess)** | [uses an excessive amount of unsigned bitwise math](https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection) | [function(](https://github.com/search?q=function%28&type=code)
[charAt(s](https://github.com/search?q=charAt%28s&type=code)
[charAt(a](https://github.com/search?q=charAt%28a&type=code)
[charAt(n](https://github.com/search?q=charAt%28n&type=code)
[charAt(c](https://github.com/search?q=charAt%28c&type=code)
[charAt(t](https://github.com/search?q=charAt%28t&type=code)
[charAt(u](https://github.com/search?q=charAt%28u&type=code)
[charAt(w](https://github.com/search?q=charAt%28w&type=code)
[e>>>28](https://github.com/search?q=e%3E%3E%3E28&type=code)
[c>>>31](https://github.com/search?q=c%3E%3E%3E31&type=code)
[e>>>64](https://github.com/search?q=e%3E%3E%3E64&type=code)
[t>>>64](https://github.com/search?q=t%3E%3E%3E64&type=code)
[a>>>16](https://github.com/search?q=a%3E%3E%3E16&type=code)
[e>>>24](https://github.com/search?q=e%3E%3E%3E24&type=code)
[a>>>13](https://github.com/search?q=a%3E%3E%3E13&type=code)
[r>>>10](https://github.com/search?q=r%3E%3E%3E10&type=code)
[e>>>32](https://github.com/search?q=e%3E%3E%3E32&type=code)
[e>>>10](https://github.com/search?q=e%3E%3E%3E10&type=code)
[e>>>16](https://github.com/search?q=e%3E%3E%3E16&type=code)
[o>>>16](https://github.com/search?q=o%3E%3E%3E16&type=code)
[o>>>24](https://github.com/search?q=o%3E%3E%3E24&type=code)
[o>>>22](https://github.com/search?q=o%3E%3E%3E22&type=code)
[a>>>26](https://github.com/search?q=a%3E%3E%3E26&type=code)
[s>>>26](https://github.com/search?q=s%3E%3E%3E26&type=code)
[d>>>26](https://github.com/search?q=d%3E%3E%3E26&type=code)
[e>>>26](https://github.com/search?q=e%3E%3E%3E26&type=code)
[n>>>13](https://github.com/search?q=n%3E%3E%3E13&type=code)
[n>>>24](https://github.com/search?q=n%3E%3E%3E24&type=code)
[s>>>24](https://github.com/search?q=s%3E%3E%3E24&type=code)
[u>>>24](https://github.com/search?q=u%3E%3E%3E24&type=code)
[a>>>32](https://github.com/search?q=a%3E%3E%3E32&type=code)
[u>>>31](https://github.com/search?q=u%3E%3E%3E31&type=code)
[i>>>27](https://github.com/search?q=i%3E%3E%3E27&type=code)
[p>>>18](https://github.com/search?q=p%3E%3E%3E18&type=code)
[m>>>17](https://github.com/search?q=m%3E%3E%3E17&type=code)
[m>>>19](https://github.com/search?q=m%3E%3E%3E19&type=code)
[m>>>10](https://github.com/search?q=m%3E%3E%3E10&type=code)
[i>>>13](https://github.com/search?q=i%3E%3E%3E13&type=code)
[i>>>22](https://github.com/search?q=i%3E%3E%3E22&type=code)
[a>>>11](https://github.com/search?q=a%3E%3E%3E11&type=code)
[a>>>25](https://github.com/search?q=a%3E%3E%3E25&type=code)
[e>>>19](https://github.com/search?q=e%3E%3E%3E19&type=code)
[e>>>29](https://github.com/search?q=e%3E%3E%3E29&type=code)
[b>>>31](https://github.com/search?q=b%3E%3E%3E31&type=code)
[y>>>31](https://github.com/search?q=y%3E%3E%3E31&type=code)
[d>>>24](https://github.com/search?q=d%3E%3E%3E24&type=code)
[e>>>13](https://github.com/search?q=e%3E%3E%3E13&type=code)
[f>>>24](https://github.com/search?q=f%3E%3E%3E24&type=code)
[r>>>24](https://github.com/search?q=r%3E%3E%3E24&type=code)
[a>>>24](https://github.com/search?q=a%3E%3E%3E24&type=code)
[y>>>13](https://github.com/search?q=y%3E%3E%3E13&type=code)
[m>>>13](https://github.com/search?q=m%3E%3E%3E13&type=code)
[f>>>13](https://github.com/search?q=f%3E%3E%3E13&type=code)
[u>>>13](https://github.com/search?q=u%3E%3E%3E13&type=code)
[t>>>26](https://github.com/search?q=t%3E%3E%3E26&type=code)
[v>>>16](https://github.com/search?q=v%3E%3E%3E16&type=code)
[v>>>24](https://github.com/search?q=v%3E%3E%3E24&type=code)
[c>>>24](https://github.com/search?q=c%3E%3E%3E24&type=code)
[c>>>16](https://github.com/search?q=c%3E%3E%3E16&type=code)
[l>>>26](https://github.com/search?q=l%3E%3E%3E26&type=code)
[u>>>16](https://github.com/search?q=u%3E%3E%3E16&type=code)
[h>>>16](https://github.com/search?q=h%3E%3E%3E16&type=code)
[n>>>26](https://github.com/search?q=n%3E%3E%3E26&type=code)
[h>>>24](https://github.com/search?q=h%3E%3E%3E24&type=code)
[d>>>16](https://github.com/search?q=d%3E%3E%3E16&type=code)
[n>>>31](https://github.com/search?q=n%3E%3E%3E31&type=code)
[o>>>31](https://github.com/search?q=o%3E%3E%3E31&type=code)
[f>>>31](https://github.com/search?q=f%3E%3E%3E31&type=code)
[p>>>31](https://github.com/search?q=p%3E%3E%3E31&type=code)
[h>>>31](https://github.com/search?q=h%3E%3E%3E31&type=code)
[d>>>31](https://github.com/search?q=d%3E%3E%3E31&type=code)
[l>>>31](https://github.com/search?q=l%3E%3E%3E31&type=code)
[i>>>16](https://github.com/search?q=i%3E%3E%3E16&type=code)
[n>>>17](https://github.com/search?q=n%3E%3E%3E17&type=code)
[a>>>15](https://github.com/search?q=a%3E%3E%3E15&type=code)
[s>>>31](https://github.com/search?q=s%3E%3E%3E31&type=code)
[a>>>31](https://github.com/search?q=a%3E%3E%3E31&type=code)
[o>>>10](https://github.com/search?q=o%3E%3E%3E10&type=code)
[i>>>31](https://github.com/search?q=i%3E%3E%3E31&type=code)
[w>>>28](https://github.com/search?q=w%3E%3E%3E28&type=code)
[v>>>28](https://github.com/search?q=v%3E%3E%3E28&type=code)
[b>>>29](https://github.com/search?q=b%3E%3E%3E29&type=code)
[y>>>29](https://github.com/search?q=y%3E%3E%3E29&type=code)
[k>>>20](https://github.com/search?q=k%3E%3E%3E20&type=code)
[j>>>21](https://github.com/search?q=j%3E%3E%3E21&type=code)
[z>>>17](https://github.com/search?q=z%3E%3E%3E17&type=code)
[e>>>12](https://github.com/search?q=e%3E%3E%3E12&type=code)
[e>>>25](https://github.com/search?q=e%3E%3E%3E25&type=code)
[e>>>18](https://github.com/search?q=e%3E%3E%3E18&type=code)
[e>>>27](https://github.com/search?q=e%3E%3E%3E27&type=code)
[e>>>31](https://github.com/search?q=e%3E%3E%3E31&type=code)
[e>>>22](https://github.com/search?q=e%3E%3E%3E22&type=code)
[e>>>11](https://github.com/search?q=e%3E%3E%3E11&type=code)
[e>>>17](https://github.com/search?q=e%3E%3E%3E17&type=code)
[e>>>14](https://github.com/search?q=e%3E%3E%3E14&type=code)
[t>>>29](https://github.com/search?q=t%3E%3E%3E29&type=code)
[t>>>16](https://github.com/search?q=t%3E%3E%3E16&type=code)
[r>>>13](https://github.com/search?q=r%3E%3E%3E13&type=code)
[i>>>10](https://github.com/search?q=i%3E%3E%3E10&type=code)
[s>>>14](https://github.com/search?q=s%3E%3E%3E14&type=code)
[n>>>16](https://github.com/search?q=n%3E%3E%3E16&type=code)
[w>>>17](https://github.com/search?q=w%3E%3E%3E17&type=code)
[w>>>19](https://github.com/search?q=w%3E%3E%3E19&type=code)
[w>>>10](https://github.com/search?q=w%3E%3E%3E10&type=code)
[w>>>18](https://github.com/search?q=w%3E%3E%3E18&type=code)
[h>>>11](https://github.com/search?q=h%3E%3E%3E11&type=code)
[h>>>25](https://github.com/search?q=h%3E%3E%3E25&type=code)
[a>>>22](https://github.com/search?q=a%3E%3E%3E22&type=code)
[x>>>14](https://github.com/search?q=x%3E%3E%3E14&type=code)
[x>>>18](https://github.com/search?q=x%3E%3E%3E18&type=code)
[g>>>16](https://github.com/search?q=g%3E%3E%3E16&type=code)
[h>>>29](https://github.com/search?q=h%3E%3E%3E29&type=code)
[h>>>19](https://github.com/search?q=h%3E%3E%3E19&type=code)
[d>>>29](https://github.com/search?q=d%3E%3E%3E29&type=code)
[t>>>32](https://github.com/search?q=t%3E%3E%3E32&type=code)
[x>>>23](https://github.com/search?q=x%3E%3E%3E23&type=code)
[e>>>5](https://github.com/search?q=e%3E%3E%3E5&type=code)
[q>>>0](https://github.com/search?q=q%3E%3E%3E0&type=code)
[e>>>7](https://github.com/search?q=e%3E%3E%3E7&type=code)
[e>>>8](https://github.com/search?q=e%3E%3E%3E8&type=code)
[t>>>9](https://github.com/search?q=t%3E%3E%3E9&type=code)
[t>>>7](https://github.com/search?q=t%3E%3E%3E7&type=code)
[d>>>6](https://github.com/search?q=d%3E%3E%3E6&type=code)
[q>>>3](https://github.com/search?q=q%3E%3E%3E3&type=code)
[e>>>4](https://github.com/search?q=e%3E%3E%3E4&type=code)
[e>>>0](https://github.com/search?q=e%3E%3E%3E0&type=code)
[h>>>6](https://github.com/search?q=h%3E%3E%3E6&type=code)
[a>>>8](https://github.com/search?q=a%3E%3E%3E8&type=code)
[s>>>8](https://github.com/search?q=s%3E%3E%3E8&type=code)
[i>>>5](https://github.com/search?q=i%3E%3E%3E5&type=code)
[u>>>8](https://github.com/search?q=u%3E%3E%3E8&type=code)
[c>>>8](https://github.com/search?q=c%3E%3E%3E8&type=code)
[d>>>8](https://github.com/search?q=d%3E%3E%3E8&type=code)
[h>>>8](https://github.com/search?q=h%3E%3E%3E8&type=code)
[n>>>7](https://github.com/search?q=n%3E%3E%3E7&type=code)
[o>>>4](https://github.com/search?q=o%3E%3E%3E4&type=code)
[l>>>8](https://github.com/search?q=l%3E%3E%3E8&type=code)
[c>>>5](https://github.com/search?q=c%3E%3E%3E5&type=code)
[k>>>4](https://github.com/search?q=k%3E%3E%3E4&type=code)
[v>>>8](https://github.com/search?q=v%3E%3E%3E8&type=code)
[p>>>8](https://github.com/search?q=p%3E%3E%3E8&type=code)
[w>>>3](https://github.com/search?q=w%3E%3E%3E3&type=code)
[r>>>8](https://github.com/search?q=r%3E%3E%3E8&type=code)
[n>>>8](https://github.com/search?q=n%3E%3E%3E8&type=code)
[f>>>8](https://github.com/search?q=f%3E%3E%3E8&type=code)
[a>>>0](https://github.com/search?q=a%3E%3E%3E0&type=code)
[l>>>0](https://github.com/search?q=l%3E%3E%3E0&type=code)
[o>>>5](https://github.com/search?q=o%3E%3E%3E5&type=code)
[o>>>8](https://github.com/search?q=o%3E%3E%3E8&type=code)
[t>>>0](https://github.com/search?q=t%3E%3E%3E0&type=code)
[r>>>0](https://github.com/search?q=r%3E%3E%3E0&type=code)
[i>>>0](https://github.com/search?q=i%3E%3E%3E0&type=code)
[n>>>0](https://github.com/search?q=n%3E%3E%3E0&type=code)
[s>>>0](https://github.com/search?q=s%3E%3E%3E0&type=code)
[o>>>0](https://github.com/search?q=o%3E%3E%3E0&type=code)
[c>>>0](https://github.com/search?q=c%3E%3E%3E0&type=code)
[z>>>0](https://github.com/search?q=z%3E%3E%3E0&type=code)
[b>>>0](https://github.com/search?q=b%3E%3E%3E0&type=code)
[v>>>0](https://github.com/search?q=v%3E%3E%3E0&type=code)
[m>>>0](https://github.com/search?q=m%3E%3E%3E0&type=code)
[p>>>0](https://github.com/search?q=p%3E%3E%3E0&type=code)
[n>>>5](https://github.com/search?q=n%3E%3E%3E5&type=code)
[a>>>6](https://github.com/search?q=a%3E%3E%3E6&type=code)
[p>>>7](https://github.com/search?q=p%3E%3E%3E7&type=code)
[s>>>6](https://github.com/search?q=s%3E%3E%3E6&type=code)
[x>>>9](https://github.com/search?q=x%3E%3E%3E9&type=code)
[h>>>7](https://github.com/search?q=h%3E%3E%3E7&type=code)
[d>>>7](https://github.com/search?q=d%3E%3E%3E7&type=code)
[w>>>7](https://github.com/search?q=w%3E%3E%3E7&type=code) | | +HIGH | **[c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#exotic_tld)** | Contains HTTP hostname with unusual top-level domain | [https://api.mantlescan.xyz/](https://api.mantlescan.xyz/)
[https://mantlescan.xyz/](https://mantlescan.xyz/)
[https://openchain.xyz/](https://openchain.xyz/) | | +HIGH | **[data/builtin/appkit](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/builtin/appkit.yara#appkit)** | Includes AppKit, a web3 blockchain library | [Price impact reflects the change in market price due to your trade](https://github.com/search?q=Price+impact+reflects+the+change+in+market+price+due+to+your+trade&type=code)
[Select which chain to connect to your multi](https://github.com/search?q=Select+which+chain+to+connect+to+your+multi&type=code) | -| +MEDIUM | **[anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse)** | contains a large hexadecimal string variable | [toString("hex");](https://github.com/search?q=toString%28%22hex%22%29%3B&type=code) | +| +MEDIUM | **[anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#long_hex_var)** | contains a large hexadecimal string variable | [Zc="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](https://github.com/search?q=Zc%3D%220x608060405234801561001057600080fd5b506040516102c03803806102c083398101604081905261002f916101e6565b836001600160a01b03163b6000036100e457600080836001600160a01b03168360405161005c9190610270565b6000604051808303816000865af19150503d8060008114610099576040519150601f19603f3d011682016040523d82523d6000602084013e61009e565b606091505b50915091508115806100b857506001600160a01b0386163b155b156100e1578060405163101bb98d60e01b81526004016100d8919061028c565b60405180910390fd5b50505b6000808451602086016000885af16040513d6000823e81610103573d81fd5b3d81f35b80516001600160a01b038116811461011e57600080fd5b919050565b634e487b7160e01b600052604160045260246000fd5b60005b8381101561015457818101518382015260200161013c565b50506000910152565b600082601f83011261016e57600080fd5b81516001600160401b0381111561018757610187610123565b604051601f8201601f19908116603f011681016001600160401b03811182821017156101b5576101b5610123565b6040528181528382016020018510156101cd57600080fd5b6101de826020830160208701610139565b949350505050565b600080600080608085870312156101fc57600080fd5b6102&type=code) | | +MEDIUM | **[c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord)** | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) | | +MEDIUM | 
**[c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID)** | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code)
[clientId](https://github.com/search?q=clientId&type=code) | | +MEDIUM | **[c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref)** | references multiple operating systems | [https://](https://)
[http://](http://)
[Windows](https://github.com/search?q=Windows&type=code)
[windows](https://github.com/search?q=windows&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[linux](https://github.com/search?q=linux&type=code) |
diff --git a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
index 38f50a1c8..ac848d14a 100644
--- a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
+++ b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
@@ -49,7 +49,6 @@ exec/plugin: low
 exec/program: medium
 exec/program/background: low
 exec/remote_commands/code_eval: medium
-exec/shell/command: medium
 exec/shell/power: medium
 exec/tty/pathname: medium
 fs/directory/create: low
diff --git a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple
index 89e3f52d7..f528c6056 100644
--- a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple
+++ b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple
@@ -48,7 +48,6 @@ exec/cmd: medium
 exec/plugin: low
 exec/program: medium
 exec/program/background: low
-exec/shell/command: medium
 exec/shell/power: medium
 exec/tty/pathname: medium
 fs/directory/create: low
diff --git a/tests/javascript/clean/connection.js.simple b/tests/javascript/clean/connection.js.simple
index 20fee0617..240accadf 100644
--- a/tests/javascript/clean/connection.js.simple
+++ b/tests/javascript/clean/connection.js.simple
@@ -1,6 +1,5 @@
 # javascript/clean/connection.js: medium
 anti-behavior/random_behavior: low
-anti-static/obfuscation/hex: medium
 c2/client: medium
 c2/tool_transfer/os: low
 credential/password: low
diff --git a/tests/javascript/clean/faker.js.simple b/tests/javascript/clean/faker.js.simple
index 6c1986368..05dca08b9 100644
--- a/tests/javascript/clean/faker.js.simple
+++ b/tests/javascript/clean/faker.js.simple
@@ -2,6 +2,7 @@
 anti-behavior/blocklist/user: low
 anti-behavior/random_behavior: low
 anti-static/obfuscation/js: medium
+anti-static/obfuscation/math: medium
 anti-static/obfuscation/obfuscate: low
 c2/addr/ip: medium
 c2/tool_transfer/arch: low
diff --git a/tests/javascript/clean/mode-php.js.simple b/tests/javascript/clean/mode-php.js.simple
index e2c2fa125..eecf1f2af 100644
--- a/tests/javascript/clean/mode-php.js.simple
+++ b/tests/javascript/clean/mode-php.js.simple
@@ -35,7 +35,6 @@ evasion/logging/acct: low
 exec/plugin: low
 exec/program: medium
 exec/program/background: low
-exec/shell/command: medium
 exec/tty/pathname: medium
 fs/directory/create: low
 fs/directory/remove: low
diff --git a/tests/javascript/clean/mode-php_laravel_blade.js.simple b/tests/javascript/clean/mode-php_laravel_blade.js.simple
index cb9353a64..52aa31f3b 100644
--- a/tests/javascript/clean/mode-php_laravel_blade.js.simple
+++ b/tests/javascript/clean/mode-php_laravel_blade.js.simple
@@ -35,7 +35,6 @@ evasion/logging/acct: low
 exec/plugin: low
 exec/program: medium
 exec/program/background: low
-exec/shell/command: medium
 exec/tty/pathname: medium
 fs/directory/create: low
 fs/directory/remove: low
diff --git a/tests/javascript/clean/php.js.simple b/tests/javascript/clean/php.js.simple
index 1ef91113d..41e5e9af0 100644
--- a/tests/javascript/clean/php.js.simple
+++ b/tests/javascript/clean/php.js.simple
@@ -33,7 +33,6 @@ evasion/logging/acct: low
 exec/plugin: low
 exec/program: medium
 exec/program/background: low
-exec/shell/command: medium
 exec/tty/pathname: medium
 fs/directory/create: low
 fs/directory/remove: low
diff --git a/tests/javascript/clean/yarn-3.8.7.cjs.simple b/tests/javascript/clean/yarn-3.8.7.cjs.simple
index dd2d6c8d5..6f828faab 100644
--- a/tests/javascript/clean/yarn-3.8.7.cjs.simple
+++ b/tests/javascript/clean/yarn-3.8.7.cjs.simple
@@ -1,6 +1,5 @@
 # javascript/clean/yarn-3.8.7.cjs: medium
 anti-behavior/random_behavior: low
-anti-static/obfuscation/hex: medium
 anti-static/obfuscation/math: medium
 c2/addr/ip: medium
 c2/tool_transfer/arch: low
diff --git a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
index bed85d165..d2b32d26a 100644
--- a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
+++ b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
@@ -1,6 +1,6 @@
 # linux/2024.Kaiji/eight-nebraska-autumn-illinois: critical
 3P/elastic/threat: high
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 c2/addr/ip: medium
 c2/addr/url: low
 c2/discovery/ip_dns_resolver: medium
diff --git a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
index 299c71a70..f3d540c1d 100644
--- a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
+++ b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
@@ -1,6 +1,6 @@
 # linux/2024.TellYouThePass/uranus-ack-mike-cat: critical
 3P/arkbird/solg_ran_elf: critical
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 c2/addr/ip: high
 collect/databases/mysql: medium
 collect/databases/postgresql: medium
diff --git a/tests/linux/2024.chisel/crondx.simple b/tests/linux/2024.chisel/crondx.simple
index c7ded2b26..12e4936b4 100644
--- a/tests/linux/2024.chisel/crondx.simple
+++ b/tests/linux/2024.chisel/crondx.simple
@@ -1,6 +1,6 @@
 # linux/2024.chisel/crondx: critical
 3P/sekoia/chisel_strings: critical
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 c2/addr/ip: high
 c2/addr/url: low
 c2/discovery/ip_dns_resolver: medium
diff --git a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
index 5563260b4..923184645 100644
--- a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
+++ b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
@@ -1,6 +1,6 @@
 # linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72: critical
 3P/elastic/threat: high
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 anti-static/base64/exec: high
 anti-static/base64/http_agent: high
 anti-static/elf/base64: critical
diff --git a/tests/linux/2024.hadooken/drop2.sh.simple b/tests/linux/2024.hadooken/drop2.sh.simple
index f6fbb3946..86ac2b0f6 100644
--- a/tests/linux/2024.hadooken/drop2.sh.simple
+++ b/tests/linux/2024.hadooken/drop2.sh.simple
@@ -1,7 +1,5 @@
-# linux/2024.hadooken/drop2.sh: critical
+# linux/2024.hadooken/drop2.sh: high
 c2/addr/ip: high
-exec/imports/python: low
-impact/remote_access/remote_eval: critical
 net/http: low
 net/url/embedded: low
 net/url/parse: low
diff --git a/tests/linux/2024.kworker_pretenders/aclocal.m4.simple b/tests/linux/2024.kworker_pretenders/aclocal.m4.simple
index 585db0e28..0f1826319 100644
--- a/tests/linux/2024.kworker_pretenders/aclocal.m4.simple
+++ b/tests/linux/2024.kworker_pretenders/aclocal.m4.simple
@@ -1,9 +1,8 @@
-# linux/2024.kworker_pretenders/aclocal.m4: high
+# linux/2024.kworker_pretenders/aclocal.m4: medium
 c2/connect/curl_easy: medium
 discover/user/HOME: low
 exec/shell/command: medium
 exec/shell/exec: medium
-exfil/curl_elf: high
 fs/file/times_set: medium
 fs/file/truncate: low
 fs/link_read: low
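Review bot: The expected verdict for `linux/2024.hadooken/drop2.sh` drops from critical to high because the `impact/remote_access/remote_eval: critical` and `exec/imports/python: low` findings disappear from the fixture; for a known-malicious sample that reads as a coverage regression unless the rule edit behind it is deliberate, and the commit message does not say which rule change produces it. The `aclocal.m4` fixture in the following hunk loses `exfil/curl_elf: high` and falls from high to medium in the same way. Stating in the commit message which rule changes (or which file-type gating) cause these downgrades would let a reviewer judge whether they are intended, and the hadooken sample in particular deserves a check that the remote_eval detection still fires on its actual content.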
diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
index 76e6c22c5..01be76f17 100644
--- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
+++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
@@ -1,6 +1,6 @@
 # linux/2024.kworker_pretenders/emp3r0r.agent: critical
 3P/elastic/exploit_cve_2021: critical
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 anti-behavior/vm_check: medium
 anti-static/elf/entropy: high
 anti-static/obfuscation/syscall: medium
diff --git a/tests/linux/2024.vncjew/__min__c.json b/tests/linux/2024.vncjew/__min__c.json
index 2bf46f34f..b7cb6ad31 100644
--- a/tests/linux/2024.vncjew/__min__c.json
+++ b/tests/linux/2024.vncjew/__min__c.json
@@ -35,15 +35,28 @@
 ],
 "Behaviors": [
 {
- "Description": "exhibits random behavior",
- "MatchStrings": [
- "math/rand"
+ "Description": "uses a random number generator",
+ "MatchStrings": [
+ "nonZeroRandomBytes",
+ "p224RandomPoint",
+ "p521RandomPoint",
+ "p384RandomPoint",
+ "getRandomBatch",
+ "getRandomData",
+ "serverRandom",
+ "extendRandom",
+ "clientRandom",
+ "randomOrder",
+ "randomEnum",
+ "urandom127",
+ "getrandom",
+ "GetRandom"
 ],
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#go_rand",
+ "RiskScore": 1,
+ "RiskLevel": "LOW",
+ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#random",
 "ID": "anti-behavior/random_behavior",
- "RuleName": "go_rand"
+ "RuleName": "random"
 },
 {
 "Description": "mentions an IP and port",
diff --git a/tests/linux/clean/buildah.simple b/tests/linux/clean/buildah.simple
index b7fa9b80f..6a1d68600 100644
--- a/tests/linux/clean/buildah.simple
+++ b/tests/linux/clean/buildah.simple
@@ -1,5 +1,5 @@
 # linux/clean/buildah: medium
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 anti-static/obfuscation/syscall: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
diff --git a/tests/linux/clean/buildkitd.simple b/tests/linux/clean/buildkitd.simple
index 7071d18d5..ca4ad01a2 100644
--- a/tests/linux/clean/buildkitd.simple
+++ b/tests/linux/clean/buildkitd.simple
@@ -1,5 +1,5 @@
 # linux/clean/buildkitd: medium
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 anti-static/obfuscation/syscall: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple
index 65b5bda81..ae0b66ee9 100644
--- a/tests/linux/clean/caddy.simple
+++ b/tests/linux/clean/caddy.simple
@@ -1,5 +1,5 @@
 # linux/clean/caddy: medium
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 anti-static/obfuscation/syscall: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple
index 25d548d2f..27db933ca 100644
--- a/tests/linux/clean/chezmoi.simple
+++ b/tests/linux/clean/chezmoi.simple
@@ -1,5 +1,5 @@
 # linux/clean/chezmoi: medium
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 anti-static/obfuscation/syscall: medium
 anti-static/xor/functions: medium
 c2/addr/discord: medium
diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple
index 621034054..076eb51c1 100644
--- a/tests/linux/clean/chrome.simple
+++ b/tests/linux/clean/chrome.simple
@@ -3,6 +3,7 @@ anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
 anti-behavior/random_behavior: low
 anti-static/elf/multiple: medium
+anti-static/obfuscation/math: medium
 anti-static/obfuscation/obfuscate: low
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple
index 0d088c43a..3d3b4dfcd 100644
--- a/tests/linux/clean/clickhouse.simple
+++ b/tests/linux/clean/clickhouse.simple
@@ -1,6 +1,7 @@
 # linux/clean/clickhouse: medium
 anti-behavior/random_behavior: low
 anti-static/elf/multiple: medium
+anti-static/obfuscation/math: medium
 anti-static/obfuscation/obfuscate: low
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md
index 0c9935c4e..9141c04b0 100644
--- a/tests/linux/clean/code-oss.md
+++ b/tests/linux/clean/code-oss.md
@@ -6,7 +6,7 @@
 | MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) | | MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` | -| MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) | +| MEDIUM | [anti-static/obfuscation/math](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/math.yara#js_junk_math) | suspicious junk math | [firstNonSlashEnd = -1;](https://github.com/search?q=firstNonSlashEnd+%3D+-1%3B&type=code)
[rationalCubicW = -1;](https://github.com/search?q=rationalCubicW+%3D+-1%3B&type=code)
[templateDepth = -1;](https://github.com/search?q=templateDepth+%3D+-1%3B&type=code)
[lastCommonSep = -1;](https://github.com/search?q=lastCommonSep+%3D+-1%3B&type=code)
[divisorLength = -1;](https://github.com/search?q=divisorLength+%3D+-1%3B&type=code)
[historyIndex = -1;](https://github.com/search?q=historyIndex+%3D+-1%3B&type=code)
[lastTokenPos = -1;](https://github.com/search?q=lastTokenPos+%3D+-1%3B&type=code)
[preDotState = -1;](https://github.com/search?q=preDotState+%3D+-1%3B&type=code)
[singleQuote = -1;](https://github.com/search?q=singleQuote+%3D+-1%3B&type=code)
[lastCounter = -1;](https://github.com/search?q=lastCounter+%3D+-1%3B&type=code)
[questionIdx = -1;](https://github.com/search?q=questionIdx+%3D+-1%3B&type=code)
[singleQuote = -2;](https://github.com/search?q=singleQuote+%3D+-2%3B&type=code)
[lastCursor = -1;](https://github.com/search?q=lastCursor+%3D+-1%3B&type=code)
[lastMatch = -1;](https://github.com/search?q=lastMatch+%3D+-1%3B&type=code)
[lastSlash = -1;](https://github.com/search?q=lastSlash+%3D+-1%3B&type=code)
[position = -1;](https://github.com/search?q=position+%3D+-1%3B&type=code)
[startDot = -1;](https://github.com/search?q=startDot+%3D+-1%3B&type=code)
[rootEnd = -1;](https://github.com/search?q=rootEnd+%3D+-1%3B&type=code)
[nonHost = -1;](https://github.com/search?q=nonHost+%3D+-1%3B&type=code)
[timeout = -1;](https://github.com/search?q=timeout+%3D+-1%3B&type=code)
[hashIdx = -1;](https://github.com/search?q=hashIdx+%3D+-1%3B&type=code)
[hostEnd = -1;](https://github.com/search?q=hostEnd+%3D+-1%3B&type=code)
[column = -1;](https://github.com/search?q=column+%3D+-1%3B&type=code)
[cursor = -1;](https://github.com/search?q=cursor+%3D+-1%3B&type=code)
[family = -1;](https://github.com/search?q=family+%3D+-1%3B&type=code)
[extIdx = -1;](https://github.com/search?q=extIdx+%3D+-1%3B&type=code)
[(offset + 1)](https://github.com/search?q=%28offset+%2B+1%29&type=code)
[atSign = -1;](https://github.com/search?q=atSign+%3D+-1%3B&type=code)
[(length + 1)](https://github.com/search?q=%28length+%2B+1%29&type=code)
[start = -1;](https://github.com/search?q=start+%3D+-1%3B&type=code)
[(eqPos + 1)](https://github.com/search?q=%28eqPos+%2B+1%29&type=code)
[dots = -1;](https://github.com/search?q=dots+%3D+-1%3B&type=code)
[line = -1;](https://github.com/search?q=line+%3D+-1%3B&type=code)
[left = -1;](https://github.com/search?q=left+%3D+-1%3B&type=code)
[(envc + 1)](https://github.com/search?q=%28envc+%2B+1%29&type=code)
[(argc + 1)](https://github.com/search?q=%28argc+%2B+1%29&type=code)
[end = -1;](https://github.com/search?q=end+%3D+-1%3B&type=code)
[(pos + 6)](https://github.com/search?q=%28pos+%2B+6%29&type=code)
[(pos + 1)](https://github.com/search?q=%28pos+%2B+1%29&type=code)
[x_t = -1;](https://github.com/search?q=x_t+%3D+-1%3B&type=code)
[(pos + 5)](https://github.com/search?q=%28pos+%2B+5%29&type=code)
[pos = -1;](https://github.com/search?q=pos+%3D+-1%3B&type=code)
[(16 + 1)](https://github.com/search?q=%2816+%2B+1%29&type=code)
[w = -1;](https://github.com/search?q=w+%3D+-1%3B&type=code)
[(n + 2)](https://github.com/search?q=%28n+%2B+2%29&type=code)
[v = -1;](https://github.com/search?q=v+%3D+-1%3B&type=code)
[charAt](https://github.com/search?q=charAt&type=code)
[(e+38)](https://github.com/search?q=%28e%2B38%29&type=code)
[(b+1)](https://github.com/search?q=%28b%2B1%29&type=code)
[(Y+1)](https://github.com/search?q=%28Y%2B1%29&type=code)
[(O+1)](https://github.com/search?q=%28O%2B1%29&type=code)
[(A+1)](https://github.com/search?q=%28A%2B1%29&type=code)
[(l+2)](https://github.com/search?q=%28l%2B2%29&type=code)
[(l+1)](https://github.com/search?q=%28l%2B1%29&type=code)
[(F+1)](https://github.com/search?q=%28F%2B1%29&type=code)
[(l+3)](https://github.com/search?q=%28l%2B3%29&type=code)
[c=-1;](https://github.com/search?q=c%3D-1%3B&type=code) | | MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [message_port](https://github.com/search?q=message_port&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[minPort](https://github.com/search?q=minPort&type=code)
[maxPort](https://github.com/search?q=maxPort&type=code)
[quic_ip](https://github.com/search?q=quic_ip&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[bIp](https://github.com/search?q=bIp&type=code)
[gIp](https://github.com/search?q=gIp&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [_quic_drop_packets_with_changed_server_address](https://github.com/search?q=_quic_drop_packets_with_changed_server_address&type=code)
[server_address_](https://github.com/search?q=server_address_&type=code) |
diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple
index 649ea7b65..d71ee05b1 100644
--- a/tests/linux/clean/containerd.simple
+++ b/tests/linux/clean/containerd.simple
@@ -1,5 +1,5 @@
 # linux/clean/containerd: medium
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 anti-static/obfuscation/syscall: medium
 c2/addr/ip: medium
 c2/addr/server: medium
diff --git a/tests/linux/clean/kolide/launcher.simple b/tests/linux/clean/kolide/launcher.simple
index 0391bda17..af580c4ba 100644
--- a/tests/linux/clean/kolide/launcher.simple
+++ b/tests/linux/clean/kolide/launcher.simple
@@ -1,5 +1,5 @@
 # linux/clean/kolide/launcher: medium
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 anti-static/obfuscation/syscall: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple
index 3abc8b2a5..804f8abe5 100644
--- a/tests/linux/clean/kuma-cp.simple
+++ b/tests/linux/clean/kuma-cp.simple
@@ -1,5 +1,6 @@
 # linux/clean/kuma-cp: medium
 anti-behavior/random_behavior: low
+anti-static/obfuscation/math: medium
 anti-static/obfuscation/syscall: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple
index bad04c5ba..5982086a8 100644
--- a/tests/linux/clean/melange.simple
+++ b/tests/linux/clean/melange.simple
@@ -1,5 +1,5 @@
 # linux/clean/melange: medium
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 anti-static/elf/multiple: medium
 anti-static/obfuscation/syscall: medium
 c2/addr/http_dynamic: medium
diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple
index f270a5347..2256dcd3b 100644
--- a/tests/linux/clean/mongosh.simple
+++ b/tests/linux/clean/mongosh.simple
@@ -1,6 +1,6 @@
 # linux/clean/mongosh: medium
 anti-behavior/random_behavior: low
-anti-static/obfuscation/hex: medium
+anti-static/obfuscation/math: medium
 anti-static/obfuscation/obfuscate: low
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
diff --git a/tests/linux/clean/opa.simple b/tests/linux/clean/opa.simple
index 3ea7a7995..9e3fda87f 100644
--- a/tests/linux/clean/opa.simple
+++ b/tests/linux/clean/opa.simple
@@ -1,5 +1,5 @@
 # linux/clean/opa: medium
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 anti-static/obfuscation/syscall: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
diff --git a/tests/linux/clean/pulumi.simple b/tests/linux/clean/pulumi.simple
index f735f3470..411a5a8c8 100644
--- a/tests/linux/clean/pulumi.simple
+++ b/tests/linux/clean/pulumi.simple
@@ -1,5 +1,5 @@
 # linux/clean/pulumi: medium
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 anti-static/obfuscation/syscall: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md
index ff34210c7..693abb9bd 100644
--- a/tests/linux/clean/slack.md
+++ b/tests/linux/clean/slack.md
@@ -1,11 +1,11 @@
-## linux/clean/slack [🟡 MEDIUM] +## linux/clean/slack [🛑 HIGH] | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| +| HIGH | [anti-static/obfuscation/math](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/math.yara#js_junk_math_high) | multiple examples of suspicious junk math | [(bid_time%86400000000)](https://github.com/search?q=%28bid_time%2586400000000%29&type=code)
[var kSize = 2048;](https://github.com/search?q=var+kSize+%3D+2048%3B&type=code)
[(i + 32)](https://github.com/search?q=%28i+%2B+32%29&type=code)
[charAt](https://github.com/search?q=charAt&type=code)
[(e+38)](https://github.com/search?q=%28e%2B38%29&type=code) | | MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | | MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) | | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` | -| MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) | | MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [https://%s](https://%s)
[http://%s](http://%s) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [endpoint_port](https://github.com/search?q=endpoint_port&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[required_ip](https://github.com/search?q=required_ip&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[multi_port](https://github.com/search?q=multi_port&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[quiche_ip](https://github.com/search?q=quiche_ip&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[firstIp](https://github.com/search?q=firstIp&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[yoIp](https://github.com/search?q=yoIp&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[xIp](https://github.com/search?q=xIp&type=code)
[pIp](https://github.com/search?q=pIp&type=code)
[hIp](https://github.com/search?q=hIp&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [server_address_](https://github.com/search?q=server_address_&type=code) |
diff --git a/tests/linux/clean/systemd-sysv-generator.simple b/tests/linux/clean/systemd-sysv-generator.simple
index 16de84002..b21c771f0 100644
--- a/tests/linux/clean/systemd-sysv-generator.simple
+++ b/tests/linux/clean/systemd-sysv-generator.simple
@@ -5,6 +5,7 @@ c2/tool_transfer/os: low
 credential/password: low
 evasion/file/prefix: medium
 exec/system_controls/systemd: low
+false-positives/systemd: low
 fs/file/delete: low
 fs/path/etc: low
 impact/remote_access/agent: medium
diff --git a/tests/linux/clean/tracer.o.aarch64.simple b/tests/linux/clean/tracer.o.aarch64.simple
index 8e5d65acf..bffc9fdcb 100644
--- a/tests/linux/clean/tracer.o.aarch64.simple
+++ b/tests/linux/clean/tracer.o.aarch64.simple
@@ -15,3 +15,4 @@ net/socket/listen: medium
 net/socket/receive: low
 net/socket/send: low
 net/tcp/synflood: medium
+persist/kernel_module/symbol_lookup: low
diff --git a/tests/linux/clean/trino.linux-amd64.launcher.json b/tests/linux/clean/trino.linux-amd64.launcher.json
index a38cdad59..eecefccec 100644
--- a/tests/linux/clean/trino.linux-amd64.launcher.json
+++ b/tests/linux/clean/trino.linux-amd64.launcher.json
@@ -40,15 +40,22 @@
 ],
 "Behaviors": [
 {
- "Description": "exhibits random behavior",
+ "Description": "uses a random number generator",
 "MatchStrings": [
- "math/rand"
+ "readTimeRandom",
+ "rand_getrandom",
+ "urandomECDSA",
+ "randomOrder",
+ "readRandom",
+ "randomEnum",
+ "GetRandom",
+ "getRandom"
 ],
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#go_rand",
+ "RiskScore": 1,
+ "RiskLevel": "LOW",
+ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#random",
 "ID": "anti-behavior/random_behavior",
- "RuleName": "go_rand"
+ "RuleName": "random"
 },
 {
 "Description": "mentions an IP and port",
diff --git a/tests/linux/clean/trino.linux-arm64.launcher.json b/tests/linux/clean/trino.linux-arm64.launcher.json
index ac8abed85..ef6fa0dc9 100644
--- a/tests/linux/clean/trino.linux-arm64.launcher.json
+++ b/tests/linux/clean/trino.linux-arm64.launcher.json
@@ -40,15 +40,22 @@
 ],
 "Behaviors": [
 {
- "Description": "exhibits random behavior",
+ "Description": "uses a random number generator",
 "MatchStrings": [
- "math/rand"
+ "readTimeRandom",
+ "rand_getrandom",
+ "urandomECDSA",
+ "randomOrder",
+ "readRandom",
+ "randomEnum",
+ "GetRandom",
+ "getRandom"
 ],
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#go_rand",
+ "RiskScore": 1,
+ "RiskLevel": "LOW",
+ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#random",
 "ID": "anti-behavior/random_behavior",
- "RuleName": "go_rand"
+ "RuleName": "random"
 },
 {
 "Description": "mentions an IP and port",
diff --git a/tests/linux/clean/trino.linux-ppc64le.launcher.json b/tests/linux/clean/trino.linux-ppc64le.launcher.json
index e932aef6f..feeacaa91 100644
--- a/tests/linux/clean/trino.linux-ppc64le.launcher.json
+++ b/tests/linux/clean/trino.linux-ppc64le.launcher.json
@@ -40,15 +40,22 @@
 ],
 "Behaviors": [
 {
- "Description": "exhibits random behavior",
+ "Description": "uses a random number generator",
 "MatchStrings": [
- "math/rand"
+ "readTimeRandom",
+ "rand_getrandom",
+ "urandomECDSA",
+ "randomOrder",
+ "readRandom",
+ "randomEnum",
+ "GetRandom",
+ "getRandom"
 ],
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#go_rand",
+ "RiskScore": 1,
+ "RiskLevel": "LOW",
+ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#random",
 "ID": "anti-behavior/random_behavior",
- "RuleName": "go_rand"
+ "RuleName": "random"
 },
 {
 "Description": "mentions an IP and port",
diff --git a/tests/linux/mimipenguin/bash/mimipenguin.simple b/tests/linux/mimipenguin/bash/mimipenguin.simple
index 7baab98c1..d5f19d7b0 100644
--- a/tests/linux/mimipenguin/bash/mimipenguin.simple
+++ b/tests/linux/mimipenguin/bash/mimipenguin.simple
@@ -8,7 +8,6 @@ credential/ssh/d: medium
 data/base64/external: medium
 data/encoding/base64: low
 discover/system/platform: medium
-exec/imports/python: low
 exec/shell/exec: medium
 exec/shell/ignore_output: medium
 exfil/stealer/password: critical
diff --git a/tests/linux/mimipenguin/python/mimipenguin.simple b/tests/linux/mimipenguin/python/mimipenguin.simple
index 23791b7e2..9ef8e0186 100644
--- a/tests/linux/mimipenguin/python/mimipenguin.simple
+++ b/tests/linux/mimipenguin/python/mimipenguin.simple
@@ -11,7 +11,6 @@ data/encoding/base64: low
 discover/process/name: medium
 discover/processes/list: medium
 discover/system/platform: medium
-exec/imports/python: low
 exfil/stealer/password: critical
 fs/file/open: low
 fs/path/etc: low
diff --git a/tests/linux/synthetic/cnc-dns-over-https.aarch64.simple b/tests/linux/synthetic/cnc-dns-over-https.aarch64.simple
index ad35cab99..a1cbf5173 100644
--- a/tests/linux/synthetic/cnc-dns-over-https.aarch64.simple
+++ b/tests/linux/synthetic/cnc-dns-over-https.aarch64.simple
@@ -1,5 +1,5 @@
 # linux/synthetic/cnc-dns-over-https.aarch64: high
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 c2/addr/ip: high
 c2/addr/url: low
 c2/discovery/ip_dns_resolver: medium
diff --git a/tests/npm/2024.hlwgirl/index.js.simple b/tests/npm/2024.hlwgirl/index.js.simple
index be0480fb1..36b5027e3 100644
--- a/tests/npm/2024.hlwgirl/index.js.simple
+++ b/tests/npm/2024.hlwgirl/index.js.simple
@@ -1,5 +1,4 @@
 # npm/2024.hlwgirl/index.js: high
-anti-static/obfuscation/hex: high
 data/encoding/base64: low
 fs/file/write: low
 impact/remote_access/base64_exec: high
diff --git a/tests/npm/2024.persona-tool/preinstall.js.simple b/tests/npm/2024.persona-tool/preinstall.js.simple
index 858fdff2f..388bfed23 100644
--- a/tests/npm/2024.persona-tool/preinstall.js.simple
+++ b/tests/npm/2024.persona-tool/preinstall.js.simple
@@ -1,6 +1,5 @@
 # npm/2024.persona-tool/preinstall.js: critical
 anti-behavior/random_behavior: low
-anti-static/obfuscation/hex: medium
 c2/addr/ip: medium
 c2/discovery/ip_dns_resolver: medium
 data/encoding/json_encode: low
diff --git a/tests/npm/2024.solana_web3/v1.95.7.index.browser.esm.js.simple b/tests/npm/2024.solana_web3/v1.95.7.index.browser.esm.js.simple
index a5558a3e5..cb7fd8696 100644
--- a/tests/npm/2024.solana_web3/v1.95.7.index.browser.esm.js.simple
+++ b/tests/npm/2024.solana_web3/v1.95.7.index.browser.esm.js.simple
@@ -1,6 +1,5 @@
 # npm/2024.solana_web3/v1.95.7.index.browser.esm.js: critical
 anti-behavior/random_behavior: low
-anti-static/obfuscation/hex: medium
 anti-static/obfuscation/strtoi: medium
 c2/addr/url: high
 credential/ssl/key: high
diff --git a/tests/npm/2024.solana_web3/v1.95.8.index.browser.esm.js.simple b/tests/npm/2024.solana_web3/v1.95.8.index.browser.esm.js.simple
index c1b0e004b..b19dd72e7 100644
--- a/tests/npm/2024.solana_web3/v1.95.8.index.browser.esm.js.simple
+++ b/tests/npm/2024.solana_web3/v1.95.8.index.browser.esm.js.simple
@@ -1,6 +1,5 @@
 # npm/2024.solana_web3/v1.95.8.index.browser.esm.js: high
 anti-behavior/random_behavior: low
-anti-static/obfuscation/hex: medium
 anti-static/obfuscation/strtoi: medium
 credential/ssl/key: high
 credential/ssl/private_key: low
diff --git a/tests/php/2024.Inull-Studio/err.php.simple b/tests/php/2024.Inull-Studio/err.php.simple
index 811f299fc..55fbd5d25 100644
--- a/tests/php/2024.Inull-Studio/err.php.simple
+++ b/tests/php/2024.Inull-Studio/err.php.simple
@@ -1,6 +1,4 @@
 # php/2024.Inull-Studio/err.php: critical
 anti-static/base64/obfuscated_caller: critical
 anti-static/obfuscation/padding: medium
-anti-static/obfuscation/php: high
-evasion/indicator_blocking/mask_exceptions: medium
 impact/remote_access/php: critical
diff --git a/tests/php/2024.S3RV4N7-SHELL/crot.php.simple b/tests/php/2024.S3RV4N7-SHELL/crot.php.simple
index 83bffee23..3f3bd5b2d 100644
--- a/tests/php/2024.S3RV4N7-SHELL/crot.php.simple
+++ b/tests/php/2024.S3RV4N7-SHELL/crot.php.simple
@@ -4,6 +4,5 @@ anti-static/base64/function_names: medium
 anti-static/obfuscation/php: medium
 data/base64/decode: medium
 data/encoding/base64: low
-evasion/indicator_blocking/mask_exceptions: medium
 impact/remote_access/php: high
 net/url/embedded: low
diff --git a/tests/php/2024.WordFence.evasion/wp-engine-fast-action.php.simple b/tests/php/2024.WordFence.evasion/wp-engine-fast-action.php.simple
index c52c7bb02..2d4d4b9b3 100644
--- a/tests/php/2024.WordFence.evasion/wp-engine-fast-action.php.simple
+++ b/tests/php/2024.WordFence.evasion/wp-engine-fast-action.php.simple
@@ -1,4 +1,3 @@
-# php/2024.WordFence.evasion/wp-engine-fast-action.php: critical
-anti-static/obfuscation/php: high
+# php/2024.WordFence.evasion/wp-engine-fast-action.php: medium
 data/embedded/base64: medium
 data/encoding/reverse: low
diff --git a/tests/php/2024.sagsooz/2024.php.simple b/tests/php/2024.sagsooz/2024.php.simple
index adc01c233..91f7f089e 100644
--- a/tests/php/2024.sagsooz/2024.php.simple
+++ b/tests/php/2024.sagsooz/2024.php.simple
@@ -7,9 +7,7 @@ data/embedded/base64_url: medium
 data/embedded/html: medium
 data/encoding/base64: low
 discover/process/egid: medium
-evasion/indicator_blocking/mask_exceptions: medium
 evasion/time/php_no_limit: medium
-exec/imports/python: low
 exec/shell/command: medium
 fs/directory/remove: low
 fs/file/delete: low
diff --git a/tests/ruby/2018.CMD_Backdoor/connect.rb.simple b/tests/ruby/2018.CMD_Backdoor/connect.rb.simple
index ac423f66d..7cef93853 100644
--- a/tests/ruby/2018.CMD_Backdoor/connect.rb.simple
+++ b/tests/ruby/2018.CMD_Backdoor/connect.rb.simple
@@ -1,7 +1,6 @@
 # ruby/2018.CMD_Backdoor/connect.rb: high
 discover/process/working_directory: low
 discover/system/platform: medium
-exec/shell/command: medium
 fs/path/usr_bin: low
 impact/remote_access/backdoor: high
 net/http: low
diff --git a/tests/windows/2024.GitHub.Clipper/main.exe.simple b/tests/windows/2024.GitHub.Clipper/main.exe.simple
index d685f6d00..7484cd2d7 100644
--- a/tests/windows/2024.GitHub.Clipper/main.exe.simple
+++ b/tests/windows/2024.GitHub.Clipper/main.exe.simple
@@ -5,7 +5,7 @@
 3P/elastic/infostealer_wallets: critical
 3P/elastic/multi_threat: high
 anti-behavior/anti_debugger: medium
-anti-behavior/random_behavior: medium
+anti-behavior/random_behavior: low
 c2/addr/discord: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
From 3f35ae1137212aa02c9a8bd13615c19f19fccaf2 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Mon, 19 May 2025 10:03:39 -0500
Subject: [PATCH 11/18] Fix Slack test
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 rules/anti-behavior/random_behavior.yara | 2 +-
 rules/anti-static/obfuscation/hex.yara | 8 ++++----
 rules/anti-static/obfuscation/math.yara | 2 ++
 rules/anti-static/obfuscation/php.yara | 8 ++++----
 rules/anti-static/obfuscation/python.yara | 2 +-
 rules/exec/install_additional/pip_install.yara | 2 +-
 rules/impact/remote_access/remote_eval.yara | 14 +++++++-------
 rules/impact/rootkit/rootkit.yara | 2 +-
 rules/malware/family/poseidon_stealer.yara | 4 ++--
 rules/malware/family/rustdoor.yara | 6 +++---
 rules/malware/framework/cobalt_strike.yara | 2 +-
 rules/persist/kernel_module/symbol-lookup.yara | 2 +-
 tests/javascript/clean/yarn-3.8.7.cjs.simple | 1 -
 tests/linux/clean/chrome.simple | 1 -
 tests/linux/clean/clickhouse.simple | 1 -
 tests/linux/clean/code-oss.md | 1 -
 tests/linux/clean/kuma-cp.simple | 1 -
 tests/linux/clean/mongosh.simple | 1 -
 tests/linux/clean/slack.md | 3 +--
 .../clean/Swashbuckle.AspNetCore.ReDoc.dll.simple | 1 -
 20 files changed, 29 insertions(+), 35 deletions(-)
diff --git a/rules/anti-behavior/random_behavior.yara b/rules/anti-behavior/random_behavior.yara
index ff1eec6f8..c0d63f240 100644
--- a/rules/anti-behavior/random_behavior.yara
+++ b/rules/anti-behavior/random_behavior.yara
@@ -45,7 +45,7 @@ rule java_random: low {
 rule go_rand: medium {
 meta:
 description = "exhibits random behavior"
- filetypes = "go"
+ filetypes = "go"
 
 strings:
 $ref = "math/rand"
diff --git a/rules/anti-static/obfuscation/hex.yara b/rules/anti-static/obfuscation/hex.yara
index 8380e3994..324b4fd3e 100644
--- a/rules/anti-static/obfuscation/hex.yara
+++ b/rules/anti-static/obfuscation/hex.yara
@@ -13,7 +13,7 @@ rule excessive_hex_refs: medium {
 rule hex_parse: medium {
 meta:
 description = "converts hex data to ASCII"
- filetypes = "py"
+ filetypes = "py"
 
 strings:
 $node = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/
@@ -27,7 +27,7 @@ rule hex_parse: medium {
 rule hex_convert_from_base64: medium {
 meta:
 description = "converts base64 hex data to ASCII"
- filetypes = "py"
+ filetypes = "py"
 
 strings:
 $lang_node = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/
@@ -42,7 +42,7 @@ rule hex_convert_from_base64: medium {
 rule hex_parse_base64_high: high {
 meta:
 description = "converts base64 hex data to ASCII"
- filetypes = "py"
+ filetypes = "py"
 
 strings:
 $lang_node = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/
@@ -61,7 +61,7 @@ rule hex_parse_base64_high: high {
 rule mega_string: high {
 meta:
 description = "python script decodes large hexadecimal string"
- filetypes = "py"
+ filetypes = "py"
 
 strings:
 $unhexlify = "unhexlify"
diff --git a/rules/anti-static/obfuscation/math.yara b/rules/anti-static/obfuscation/math.yara
index 7cd3b9c83..690edd3a7 100644
--- a/rules/anti-static/obfuscation/math.yara
+++ b/rules/anti-static/obfuscation/math.yara
@@ -25,6 +25,7 @@ rule js_long_dumb_math: critical {
 rule js_junk_math: medium {
 meta:
 description = "suspicious junk math"
+ filetypes = "js,ts"
 
 strings:
 $charAt = "charAt"
@@ -41,6 +42,7 @@ rule js_junk_math: medium {
 rule js_junk_math_high: high {
 meta:
 description = "multiple examples of suspicious junk math"
+ filetypes = "js,ts"
 
 strings:
 $charAt = "charAt"
diff --git a/rules/anti-static/obfuscation/php.yara b/rules/anti-static/obfuscation/php.yara
index c2f2b8c49..612035b2f 100644
--- a/rules/anti-static/obfuscation/php.yara
+++ b/rules/anti-static/obfuscation/php.yara
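Review bot: Adding `filetypes = "js,ts"` to js_junk_math and js_junk_math_high presumably stops both rules from being evaluated against JavaScript carried inside a non-JS container, not just from scoring it lower; the slack.md, kuma-cp, mongosh and Swashbuckle baselines in this same patch show that the earlier hits came from native binaries whose embedded script strings (charAt, (e+38) and similar) matched. That is a defensible false-positive trade, but it is a silent coverage change, so record it next to the gate so nobody re-widens the list without the baseline: `filetypes = "js,ts" // intentionally skips JS embedded in ELF/PE bundles; see tests/linux/clean/slack.md`. The same comment applies to the js_junk_math_high hunk. Both rule bodies continue outside the hunks.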
@@ -3,7 +3,7 @@ rule php_obfuscation: high { description = "obfuscated PHP code" credit = "Ported from https://github.com/jvoisin/php-malware-finder" - filetypes = "php" + filetypes = "php" strings: $php = "[VMware](https://github.com/search?q=VMware&type=code) | | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` | -| MEDIUM | [anti-static/obfuscation/math](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/math.yara#js_junk_math) | suspicious junk math | [firstNonSlashEnd = -1;](https://github.com/search?q=firstNonSlashEnd+%3D+-1%3B&type=code)
[rationalCubicW = -1;](https://github.com/search?q=rationalCubicW+%3D+-1%3B&type=code)
[templateDepth = -1;](https://github.com/search?q=templateDepth+%3D+-1%3B&type=code)
[lastCommonSep = -1;](https://github.com/search?q=lastCommonSep+%3D+-1%3B&type=code)
[divisorLength = -1;](https://github.com/search?q=divisorLength+%3D+-1%3B&type=code)
[historyIndex = -1;](https://github.com/search?q=historyIndex+%3D+-1%3B&type=code)
[lastTokenPos = -1;](https://github.com/search?q=lastTokenPos+%3D+-1%3B&type=code)
[preDotState = -1;](https://github.com/search?q=preDotState+%3D+-1%3B&type=code)
[singleQuote = -1;](https://github.com/search?q=singleQuote+%3D+-1%3B&type=code)
[lastCounter = -1;](https://github.com/search?q=lastCounter+%3D+-1%3B&type=code)
[questionIdx = -1;](https://github.com/search?q=questionIdx+%3D+-1%3B&type=code)
[singleQuote = -2;](https://github.com/search?q=singleQuote+%3D+-2%3B&type=code)
[lastCursor = -1;](https://github.com/search?q=lastCursor+%3D+-1%3B&type=code)
[lastMatch = -1;](https://github.com/search?q=lastMatch+%3D+-1%3B&type=code)
[lastSlash = -1;](https://github.com/search?q=lastSlash+%3D+-1%3B&type=code)
[position = -1;](https://github.com/search?q=position+%3D+-1%3B&type=code)
[startDot = -1;](https://github.com/search?q=startDot+%3D+-1%3B&type=code)
[rootEnd = -1;](https://github.com/search?q=rootEnd+%3D+-1%3B&type=code)
[nonHost = -1;](https://github.com/search?q=nonHost+%3D+-1%3B&type=code)
[timeout = -1;](https://github.com/search?q=timeout+%3D+-1%3B&type=code)
[hashIdx = -1;](https://github.com/search?q=hashIdx+%3D+-1%3B&type=code)
[hostEnd = -1;](https://github.com/search?q=hostEnd+%3D+-1%3B&type=code)
[column = -1;](https://github.com/search?q=column+%3D+-1%3B&type=code)
[cursor = -1;](https://github.com/search?q=cursor+%3D+-1%3B&type=code)
[family = -1;](https://github.com/search?q=family+%3D+-1%3B&type=code)
[extIdx = -1;](https://github.com/search?q=extIdx+%3D+-1%3B&type=code)
[(offset + 1)](https://github.com/search?q=%28offset+%2B+1%29&type=code)
[atSign = -1;](https://github.com/search?q=atSign+%3D+-1%3B&type=code)
[(length + 1)](https://github.com/search?q=%28length+%2B+1%29&type=code)
[start = -1;](https://github.com/search?q=start+%3D+-1%3B&type=code)
[(eqPos + 1)](https://github.com/search?q=%28eqPos+%2B+1%29&type=code)
[dots = -1;](https://github.com/search?q=dots+%3D+-1%3B&type=code)
[line = -1;](https://github.com/search?q=line+%3D+-1%3B&type=code)
[left = -1;](https://github.com/search?q=left+%3D+-1%3B&type=code)
[(envc + 1)](https://github.com/search?q=%28envc+%2B+1%29&type=code)
[(argc + 1)](https://github.com/search?q=%28argc+%2B+1%29&type=code)
[end = -1;](https://github.com/search?q=end+%3D+-1%3B&type=code)
[(pos + 6)](https://github.com/search?q=%28pos+%2B+6%29&type=code)
[(pos + 1)](https://github.com/search?q=%28pos+%2B+1%29&type=code)
[x_t = -1;](https://github.com/search?q=x_t+%3D+-1%3B&type=code)
[(pos + 5)](https://github.com/search?q=%28pos+%2B+5%29&type=code)
[pos = -1;](https://github.com/search?q=pos+%3D+-1%3B&type=code)
[(16 + 1)](https://github.com/search?q=%2816+%2B+1%29&type=code)
[w = -1;](https://github.com/search?q=w+%3D+-1%3B&type=code)
[(n + 2)](https://github.com/search?q=%28n+%2B+2%29&type=code)
[v = -1;](https://github.com/search?q=v+%3D+-1%3B&type=code)
[charAt](https://github.com/search?q=charAt&type=code)
[(e+38)](https://github.com/search?q=%28e%2B38%29&type=code)
[(b+1)](https://github.com/search?q=%28b%2B1%29&type=code)
[(Y+1)](https://github.com/search?q=%28Y%2B1%29&type=code)
[(O+1)](https://github.com/search?q=%28O%2B1%29&type=code)
[(A+1)](https://github.com/search?q=%28A%2B1%29&type=code)
[(l+2)](https://github.com/search?q=%28l%2B2%29&type=code)
[(l+1)](https://github.com/search?q=%28l%2B1%29&type=code)
[(F+1)](https://github.com/search?q=%28F%2B1%29&type=code)
[(l+3)](https://github.com/search?q=%28l%2B3%29&type=code)
[c=-1;](https://github.com/search?q=c%3D-1%3B&type=code) | | MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [message_port](https://github.com/search?q=message_port&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[minPort](https://github.com/search?q=minPort&type=code)
[maxPort](https://github.com/search?q=maxPort&type=code)
[quic_ip](https://github.com/search?q=quic_ip&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[bIp](https://github.com/search?q=bIp&type=code)
[gIp](https://github.com/search?q=gIp&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [_quic_drop_packets_with_changed_server_address](https://github.com/search?q=_quic_drop_packets_with_changed_server_address&type=code)
[server_address_](https://github.com/search?q=server_address_&type=code) |
diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple
index 804f8abe5..3abc8b2a5 100644
--- a/tests/linux/clean/kuma-cp.simple
+++ b/tests/linux/clean/kuma-cp.simple
@@ -1,6 +1,5 @@
 # linux/clean/kuma-cp: medium
 anti-behavior/random_behavior: low
-anti-static/obfuscation/math: medium
 anti-static/obfuscation/syscall: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple
index 2256dcd3b..6657368dd 100644
--- a/tests/linux/clean/mongosh.simple
+++ b/tests/linux/clean/mongosh.simple
@@ -1,6 +1,5 @@
 # linux/clean/mongosh: medium
 anti-behavior/random_behavior: low
-anti-static/obfuscation/math: medium
 anti-static/obfuscation/obfuscate: low
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md
index 693abb9bd..868e34db2 100644
--- a/tests/linux/clean/slack.md
+++ b/tests/linux/clean/slack.md
@@ -1,8 +1,7 @@
-## linux/clean/slack [🛑 HIGH]
+## linux/clean/slack [🟡 MEDIUM]
 
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |--|--|--|--|
-| HIGH | [anti-static/obfuscation/math](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/math.yara#js_junk_math_high) | multiple examples of suspicious junk math | [(bid_time%86400000000)](https://github.com/search?q=%28bid_time%2586400000000%29&type=code)
[var kSize = 2048;](https://github.com/search?q=var+kSize+%3D+2048%3B&type=code)
[(i + 32)](https://github.com/search?q=%28i+%2B+32%29&type=code)
[charAt](https://github.com/search?q=charAt&type=code)
[(e+38)](https://github.com/search?q=%28e%2B38%29&type=code) |
 | MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) |
 | MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) |
 | MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | `$elf_head` |
diff --git a/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple b/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple
index 75d428cc6..ebe810732 100644
--- a/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple
+++ b/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple
@@ -1,6 +1,5 @@
 # windows/clean/Swashbuckle.AspNetCore.ReDoc.dll: medium
 anti-behavior/random_behavior: low
-anti-static/obfuscation/math: medium
 c2/client: medium
 c2/tool_transfer/arch: low
 c2/tool_transfer/os: low
From a51618ef6aa1a382d92131da3a533c74fd5b7403 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Mon, 19 May 2025 10:26:06 -0500
Subject: [PATCH 12/18] Fix up rename reporting
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 pkg/action/testdata/scan_archive | 13 +++++++------
 pkg/programkind/programkind.go | 3 +++
 rules/fs/file/file-rename.yara | 4 +++-
 .../eight-nebraska-autumn-illinois.simple | 1 +
 .../2024.kworker_pretenders/emp3r0r.agent.simple | 1 +
 tests/linux/clean/buildah.simple | 1 +
 tests/linux/clean/buildkitd.simple | 1 +
 tests/linux/clean/caddy.simple | 1 +
 tests/linux/clean/chezmoi.simple | 1 +
 tests/linux/clean/chrome.simple | 1 +
 tests/linux/clean/clickhouse.simple | 1 +
 tests/linux/clean/code-oss.md | 1 +
 tests/linux/clean/containerd.simple | 1 +
 tests/linux/clean/cpack.md | 1 +
 tests/linux/clean/kolide/launcher.simple | 1 +
 tests/linux/clean/kuma-cp.simple | 1 +
 tests/linux/clean/melange.simple | 1 +
 tests/linux/clean/mongosh.simple | 1 +
 tests/linux/clean/opa.simple | 1 +
 tests/linux/clean/pandoc.md | 1 +
 tests/linux/clean/pulumi.simple | 1 +
 tests/linux/clean/slack.md | 1 +
 tests/linux/clean/trivy.simple | 1 +
 tests/linux/clean/trufflehog.md | 1 +
 tests/linux/clean/wolfictl.simple | 1 +
 tests/macOS/2024.LightSpy/dropper.simple | 1 +
 tests/npm/2024.harthat/deference.js.simple | 1 -
 tests/npm/2024.next-react-notify/tocall.js.simple | 1 -
 28 files changed, 36 insertions(+), 9 deletions(-)
diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
index bbd38846b..cc36dade8 100644
--- a/pkg/action/testdata/scan_archive
+++ b/pkg/action/testdata/scan_archive
@@ -1096,15 +1096,16 @@
 "RuleName": "go_file_read"
 },
 {
- "Description": "rename",
+ "Description": "renames files",
 "MatchStrings": [
- "rename"
+ "os.rename",
+ "os.Rename"
 ],
- "RiskScore": 0,
- "RiskLevel": "NONE",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#rename",
+ "RiskScore": 1,
+ "RiskLevel": "LOW",
+ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename",
 "ID": "fs/file/rename",
- "RuleName": "rename"
+ "RuleName": "explicit_rename"
 },
 {
 "Description": "access filesystem metadata",
diff --git a/pkg/programkind/programkind.go b/pkg/programkind/programkind.go
index 5f8e6aee9..6cc2f898e 100644
--- a/pkg/programkind/programkind.go
+++ b/pkg/programkind/programkind.go
@@ -77,7 +77,10 @@ var supportedKind = map[string]string{
 "ko": "application/x-object",
 "lnk": "application/x-ms-shortcut",
 "lua": "text/x-lua",
+ "M": "text/x-objectivec",
+ "m": "text/x-objectivec",
 "macho": "application/x-mach-binary",
+ "mm": "text/x-objectivec",
 "md": "",
 "o": "application/octet-stream",
 "pe": "application/vnd.microsoft.portable-executable",
diff --git a/rules/fs/file/file-rename.yara b/rules/fs/file/file-rename.yara
index fe1db696e..3ea39d4f4 100644
--- a/rules/fs/file/file-rename.yara
+++ b/rules/fs/file/file-rename.yara
@@ -14,7 +14,7 @@ rule rename: harmless posix {
 rule explicit_rename: low {
 meta:
 description = "renames files"
- filetypes = "py,rb"
+ filetypes = "elf,go,macho,m,py,rb"
 
 strings:
 $rename = "os.rename" fullword
@@ -22,6 +22,7 @@ rule explicit_rename: low {
 $move_file = "MoveFile"
 $ruby = "File.rename"
 $objc = "renameFile" fullword
+ $go = "os.Rename" fullword
 
 condition:
 any of them
@@ -30,6 +31,7 @@ rule explicit_rename: low {
 rule ren: medium windows {
 meta:
 description = "renames files"
+ filetypes = "exe,pe,ps1"
 
 strings:
 $rename = "rename"
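Review bot: The new `"m": "text/x-objectivec"` entry in supportedKind is an extension-only guess that also captures MATLAB/Octave sources, and every rule that now lists `m` in its filetypes (file-rename.yara in this same patch) will run against those too, so the mapping deserves a comment stating that it is deliberate: `"m": "text/x-objectivec", // by extension only; also matches MATLAB/Octave .m sources`. The separate `"M"` key is the only upper-case entry visible in the hunk, which suggests the lookup is case-sensitive; if callers lower-case the extension before the lookup that entry is dead, and if they do not, the other entries are missing their upper-case twins, so a one-line comment on `"M"` explaining which it is would help. The map literal starts and ends outside the hunk.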
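Review bot: explicit_rename keeps `$move_file = "MoveFile"` while its new filetypes list (`elf,go,macho,m,py,rb`) contains no Windows type, so a PE that imports MoveFile presumably no longer triggers this rule, and the sibling `ren` rule that is now gated to `exe,pe,ps1` matches on the bare `rename` string instead; the only MoveFile hit left in this patch's baselines is the ELF in tests/linux/clean/code-oss.md. If Windows coverage for MoveFile is meant to survive, add `exe,pe` to explicit_rename's filetypes or move `$move_file` into `ren`; if the narrowing is intentional, say so next to the string, e.g. `$move_file = "MoveFile" // Windows API name; with the filetypes above this only fires in non-PE carriers`. The strings section of `ren` continues outside the hunk.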
diff --git a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
index d2b32d26a..4d26d9f13 100644
--- a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
+++ b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
@@ -44,6 +44,7 @@ fs/file/delete_forcibly: low
 fs/file/make_executable: high
 fs/file/open: low
 fs/file/read: low
+fs/file/rename: low
 fs/file/times_set: low
 fs/link_read: low
 fs/lock_update: low
diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
index 01be76f17..0b8b30153 100644
--- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
+++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
@@ -83,6 +83,7 @@ fs/file/delete: medium
 fs/file/delete_forcibly: medium
 fs/file/open: low
 fs/file/read: low
+fs/file/rename: low
 fs/file/times_set: low
 fs/file/write: low
 fs/link_create: low
diff --git a/tests/linux/clean/buildah.simple b/tests/linux/clean/buildah.simple
index 6a1d68600..c34456320 100644
--- a/tests/linux/clean/buildah.simple
+++ b/tests/linux/clean/buildah.simple
@@ -72,6 +72,7 @@ fs/file/delete: low
 fs/file/delete_forcibly: low
 fs/file/open: low
 fs/file/read: low
+fs/file/rename: low
 fs/file/times_set: medium
 fs/file/truncate: low
 fs/file/write: low
diff --git a/tests/linux/clean/buildkitd.simple b/tests/linux/clean/buildkitd.simple
index ca4ad01a2..7b4243b19 100644
--- a/tests/linux/clean/buildkitd.simple
+++ b/tests/linux/clean/buildkitd.simple
@@ -60,6 +60,7 @@ fs/file/copy: medium
 fs/file/delete: low
 fs/file/open: low
 fs/file/read: low
+fs/file/rename: low
 fs/file/stat: low
 fs/file/times_set: medium
 fs/file/write: low
diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple
index ae0b66ee9..a4a4ff9ea 100644
--- a/tests/linux/clean/caddy.simple
+++ b/tests/linux/clean/caddy.simple
@@ -80,6 +80,7 @@ fs/file/delete: medium fs/file/delete_forcibly: low fs/file/open: low fs/file/read: low +fs/file/rename: low fs/file/times_set: medium fs/file/write: low fs/link_read: low diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple index 27db933ca..a8287ab09 100644 --- a/tests/linux/clean/chezmoi.simple +++ b/tests/linux/clean/chezmoi.simple @@ -89,6 +89,7 @@ fs/file/delete: medium fs/file/delete_forcibly: low fs/file/open: low fs/file/read: low +fs/file/rename: low fs/file/stat: low fs/file/times_set: medium fs/file/write: low diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple index 621034054..c8856e8ca 100644 --- a/tests/linux/clean/chrome.simple +++ b/tests/linux/clean/chrome.simple @@ -85,6 +85,7 @@ fs/file/delete: medium fs/file/delete_forcibly: low fs/file/open: low fs/file/read: low +fs/file/rename: low fs/file/stat: low fs/file/times_set: medium fs/file/truncate: low diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple index 0d088c43a..f3423ad06 100644 --- a/tests/linux/clean/clickhouse.simple +++ b/tests/linux/clean/clickhouse.simple @@ -102,6 +102,7 @@ fs/file/delete: medium fs/file/delete_forcibly: medium fs/file/open: low fs/file/read: low +fs/file/rename: low fs/file/times_set: medium fs/file/truncate: low fs/file/write: low diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md index 993b310cb..368287420 100644 --- a/tests/linux/clean/code-oss.md +++ b/tests/linux/clean/code-oss.md @@ -138,6 +138,7 @@ | LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm HP-USB500 5.1 Headset](https://github.com/search?q=rm+HP-USB500+5.1+Headset&type=code)
[rm PA-WL54GU](https://github.com/search?q=rm+PA-WL54GU&type=code) | | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | | LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | +| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | | LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code)
[fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code) | | LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeIntoFile](https://github.com/search?q=writeIntoFile&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code)
[WriteFile](https://github.com/search?q=WriteFile&type=code) | diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple index d71ee05b1..311d92460 100644 --- a/tests/linux/clean/containerd.simple +++ b/tests/linux/clean/containerd.simple @@ -59,6 +59,7 @@ fs/file/delete: low fs/file/delete_forcibly: low fs/file/open: low fs/file/read: low +fs/file/rename: low fs/file/times_set: medium fs/file/write: low fs/link_create: low diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md index 41d8b52b5..d478dff40 100644 --- a/tests/linux/clean/cpack.md +++ b/tests/linux/clean/cpack.md 
@@ -88,6 +88,7 @@ | LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | | LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm -f $TARGET_FILE](https://github.com/search?q=rm+-f+%24TARGET_FILE&type=code) | | LOW | [fs/file/flags_change](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-flags-change.yara#chflags) | [May update file flags using chflags](https://man.freebsd.org/cgi/man.cgi?chflags(1)) | [chflags](https://github.com/search?q=chflags&type=code) | +| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | | LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate](https://github.com/search?q=ftruncate&type=code) | | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | diff --git a/tests/linux/clean/kolide/launcher.simple b/tests/linux/clean/kolide/launcher.simple index af580c4ba..dda8bad26 100644 --- a/tests/linux/clean/kolide/launcher.simple +++ b/tests/linux/clean/kolide/launcher.simple 
@@ -56,6 +56,7 @@ fs/file/create: medium fs/file/delete: low fs/file/open: low fs/file/read: low +fs/file/rename: low fs/file/stat: low fs/file/truncate: low fs/file/write: low diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple index 3abc8b2a5..d68654a5a 100644 --- a/tests/linux/clean/kuma-cp.simple +++ b/tests/linux/clean/kuma-cp.simple @@ -74,6 +74,7 @@ fs/file/delete: low fs/file/delete_forcibly: low fs/file/open: low fs/file/read: low +fs/file/rename: low fs/file/stat: low fs/file/write: low fs/link_read: low diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple index 5982086a8..64d9e6c34 100644 --- a/tests/linux/clean/melange.simple +++ b/tests/linux/clean/melange.simple @@ -79,6 +79,7 @@ fs/file/delete: medium fs/file/delete_forcibly: medium fs/file/open: low fs/file/read: low +fs/file/rename: low fs/file/write: low fs/link_create: low fs/link_read: low diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple index 6657368dd..5e03df842 100644 --- a/tests/linux/clean/mongosh.simple +++ b/tests/linux/clean/mongosh.simple @@ -97,6 +97,7 @@ fs/file/delete: medium fs/file/delete_forcibly: low fs/file/open: low fs/file/read: low +fs/file/rename: low fs/file/stat: low fs/file/times_set: medium fs/file/truncate: low diff --git a/tests/linux/clean/opa.simple b/tests/linux/clean/opa.simple index 9e3fda87f..e264706e0 100644 --- a/tests/linux/clean/opa.simple +++ b/tests/linux/clean/opa.simple @@ -49,6 +49,7 @@ fs/file/copy: medium fs/file/delete: low fs/file/open: low fs/file/read: low +fs/file/rename: low fs/file/stat: low fs/file/times_set: low fs/file/write: low diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md index 5b15799c6..55869b01b 100644 --- a/tests/linux/clean/pandoc.md +++ b/tests/linux/clean/pandoc.md 
@@ -129,6 +129,7 @@ | LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm --](https://github.com/search?q=rm++--&type=code) | | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#java_open) | opens files | [openFile](https://github.com/search?q=openFile&type=code) | | LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | +| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [renameFile](https://github.com/search?q=renameFile&type=code)
[os.rename](https://github.com/search?q=os.rename&type=code)
[MoveFile](https://github.com/search?q=MoveFile&type=code) | | LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate](https://github.com/search?q=ftruncate&type=code) | | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [29762_TextziXML_writeFilezugoRight_closure](https://github.com/search?q=29762_TextziXML_writeFilezugoRight_closure&type=code)
[XMLziUnresolved_writeFilezugoRight_closure](https://github.com/search?q=XMLziUnresolved_writeFilezugoRight_closure&type=code)
[29762_TextziXML_writeFilezugoRight_info](https://github.com/search?q=29762_TextziXML_writeFilezugoRight_info&type=code)
[XMLziUnresolved_writeFilezugoRight_info](https://github.com/search?q=XMLziUnresolved_writeFilezugoRight_info&type=code)
[ystemziIOziTemp_writeTempFile4_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile4_closure&type=code)
[ystemziIOziTemp_writeTempFile3_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile3_closure&type=code)
[ystemziIOziTemp_writeTempFile2_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile2_closure&type=code)
[ystemziIOziTemp_writeTempFile5_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile5_closure&type=code)
[ystemziIOziTemp_writeTempFile1_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile1_closure&type=code)
[tziPandocziUTF8_writeFileWith1_closure](https://github.com/search?q=tziPandocziUTF8_writeFileWith1_closure&type=code)
[ystemziIOziTemp_writeTempFile_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile_closure&type=code)
[tziPandocziUTF8_writeFileWith_closure](https://github.com/search?q=tziPandocziUTF8_writeFileWith_closure&type=code)
[tziPandocziUTF8_writeFileWith1_info](https://github.com/search?q=tziPandocziUTF8_writeFileWith1_info&type=code)
[tziPandocziUTF8_writeFileWith_info](https://github.com/search?q=tziPandocziUTF8_writeFileWith_info&type=code)
[tziPandocziUTF8_writeFile1_closure](https://github.com/search?q=tziPandocziUTF8_writeFile1_closure&type=code)
[29762_TextziXML_writeFile2_closure](https://github.com/search?q=29762_TextziXML_writeFile2_closure&type=code)
[29762_TextziXML_writeFile3_closure](https://github.com/search?q=29762_TextziXML_writeFile3_closure&type=code)
[XMLziUnresolved_writeFile2_closure](https://github.com/search?q=XMLziUnresolved_writeFile2_closure&type=code)
[ataziByteString_writeFile1_closure](https://github.com/search?q=ataziByteString_writeFile1_closure&type=code)
[StringziBuilder_writeFile1_closure](https://github.com/search?q=StringziBuilder_writeFile1_closure&type=code)
[base_SystemziIO_writeFile1_closure](https://github.com/search?q=base_SystemziIO_writeFile1_closure&type=code)
[_DataziTextziIO_writeFile1_closure](https://github.com/search?q=_DataziTextziIO_writeFile1_closure&type=code)
[29762_TextziXML_writeFile1_closure](https://github.com/search?q=29762_TextziXML_writeFile1_closure&type=code)
[teStringziLazzy_writeFile1_closure](https://github.com/search?q=teStringziLazzy_writeFile1_closure&type=code)
[ystemziIOziTemp_writeTempFile_info](https://github.com/search?q=ystemziIOziTemp_writeTempFile_info&type=code)
[XMLziUnresolved_writeFile1_closure](https://github.com/search?q=XMLziUnresolved_writeFile1_closure&type=code)
[XMLziUnresolved_writeFile3_closure](https://github.com/search?q=XMLziUnresolved_writeFile3_closure&type=code)
[base_SystemziIO_writeFile_closure](https://github.com/search?q=base_SystemziIO_writeFile_closure&type=code)
[XMLziUnresolved_writeFile_closure](https://github.com/search?q=XMLziUnresolved_writeFile_closure&type=code)
[tziPandocziUTF8_writeFile_closure](https://github.com/search?q=tziPandocziUTF8_writeFile_closure&type=code)
[StringziBuilder_writeFile_closure](https://github.com/search?q=StringziBuilder_writeFile_closure&type=code)
[29762_TextziXML_writeFile_closure](https://github.com/search?q=29762_TextziXML_writeFile_closure&type=code)
[teStringziLazzy_writeFile_closure](https://github.com/search?q=teStringziLazzy_writeFile_closure&type=code)
[ataziByteString_writeFile_closure](https://github.com/search?q=ataziByteString_writeFile_closure&type=code)
[_DataziTextziIO_writeFile_closure](https://github.com/search?q=_DataziTextziIO_writeFile_closure&type=code)
[XMLziUnresolved_writeFile3_info](https://github.com/search?q=XMLziUnresolved_writeFile3_info&type=code)
[XMLziUnresolved_writeFile1_info](https://github.com/search?q=XMLziUnresolved_writeFile1_info&type=code)
[ataziByteString_writeFile1_info](https://github.com/search?q=ataziByteString_writeFile1_info&type=code)
[29762_TextziXML_writeFile1_info](https://github.com/search?q=29762_TextziXML_writeFile1_info&type=code)
[teStringziLazzy_writeFile1_info](https://github.com/search?q=teStringziLazzy_writeFile1_info&type=code)
[tziPandocziUTF8_writeFile1_info](https://github.com/search?q=tziPandocziUTF8_writeFile1_info&type=code)
[_DataziTextziIO_writeFile1_info](https://github.com/search?q=_DataziTextziIO_writeFile1_info&type=code)
[29762_TextziXML_writeFile2_info](https://github.com/search?q=29762_TextziXML_writeFile2_info&type=code)
[29762_TextziXML_writeFile3_info](https://github.com/search?q=29762_TextziXML_writeFile3_info&type=code)
[XMLziUnresolved_writeFile2_info](https://github.com/search?q=XMLziUnresolved_writeFile2_info&type=code)
[base_SystemziIO_writeFile1_info](https://github.com/search?q=base_SystemziIO_writeFile1_info&type=code)
[StringziBuilder_writeFile1_info](https://github.com/search?q=StringziBuilder_writeFile1_info&type=code)
[teStringziLazzy_writeFile_info](https://github.com/search?q=teStringziLazzy_writeFile_info&type=code)
[tziPandocziUTF8_writeFile_info](https://github.com/search?q=tziPandocziUTF8_writeFile_info&type=code)
[_DataziTextziIO_writeFile_info](https://github.com/search?q=_DataziTextziIO_writeFile_info&type=code)
[base_SystemziIO_writeFile_info](https://github.com/search?q=base_SystemziIO_writeFile_info&type=code)
[StringziBuilder_writeFile_info](https://github.com/search?q=StringziBuilder_writeFile_info&type=code)
[ataziByteString_writeFile_info](https://github.com/search?q=ataziByteString_writeFile_info&type=code)
[29762_TextziXML_writeFile_info](https://github.com/search?q=29762_TextziXML_writeFile_info&type=code)
[XMLziUnresolved_writeFile_info](https://github.com/search?q=XMLziUnresolved_writeFile_info&type=code)
[writeEventLogFileNoop](https://github.com/search?q=writeEventLogFileNoop&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | diff --git a/tests/linux/clean/pulumi.simple b/tests/linux/clean/pulumi.simple index 411a5a8c8..950abd32a 100644 --- a/tests/linux/clean/pulumi.simple +++ b/tests/linux/clean/pulumi.simple @@ -85,6 +85,7 @@ fs/file/delete: medium fs/file/delete_forcibly: low fs/file/open: low fs/file/read: low +fs/file/rename: low fs/file/times_set: medium fs/file/write: low fs/link_read: low diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md index 868e34db2..200427fd9 100644 --- a/tests/linux/clean/slack.md +++ b/tests/linux/clean/slack.md @@ -140,6 +140,7 @@ | LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm HP-USB500 5.1 Headset](https://github.com/search?q=rm+HP-USB500+5.1+Headset&type=code)
[rm PA-WL54GU](https://github.com/search?q=rm+PA-WL54GU&type=code) | | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | | LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | +| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | | LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code)
[fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code) | | LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [_writeFilesForTesting](https://github.com/search?q=_writeFilesForTesting&type=code)
[writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeFileUtf8](https://github.com/search?q=writeFileUtf8&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code)
[WriteFile](https://github.com/search?q=WriteFile&type=code) | diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple index 421c8211a..7ae82cda9 100644 --- a/tests/linux/clean/trivy.simple +++ b/tests/linux/clean/trivy.simple @@ -102,6 +102,7 @@ fs/file/delete: medium fs/file/delete_forcibly: medium fs/file/open: low fs/file/read: low +fs/file/rename: low fs/file/stat: low fs/file/times_set: medium fs/file/truncate: low diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md index 8c27bf920..c7c16b212 100644 --- a/tests/linux/clean/trufflehog.md +++ b/tests/linux/clean/trufflehog.md @@ -146,6 +146,7 @@ | LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm non-TreeNoderserror creating cancelr](https://github.com/search?q=rm+non-TreeNoderserror+creating+cancelr&type=code)
[rm on-chain due to too low of a transa](https://github.com/search?q=rm+on-chain+due+to+too+low+of+a+transa&type=code) | | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | | LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [os.(*File).Read](https://github.com/search?q=os.%28%2AFile%29.Read&type=code)
[ReadFile](https://github.com/search?q=ReadFile&type=code) | +| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [os.rename](https://github.com/search?q=os.rename&type=code)
[os.Rename](https://github.com/search?q=os.Rename&type=code)
[MoveFile](https://github.com/search?q=MoveFile&type=code) | | LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statFile](https://github.com/search?q=fs.statFile&type=code) | | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [writeFilePatchHeader](https://github.com/search?q=writeFilePatchHeader&type=code)
[writeFileToArchive](https://github.com/search?q=writeFileToArchive&type=code)
[writeCacheFile](https://github.com/search?q=writeCacheFile&type=code)
[writeFilestat](https://github.com/search?q=writeFilestat&type=code)
[writeRawFile](https://github.com/search?q=writeRawFile&type=code)
[writerFile](https://github.com/search?q=writerFile&type=code)
[WriteFile](https://github.com/search?q=WriteFile&type=code) | | LOW | [fs/link_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) | diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple index 44f0fdb3a..b1188a8f5 100644 --- a/tests/linux/clean/wolfictl.simple +++ b/tests/linux/clean/wolfictl.simple @@ -93,6 +93,7 @@ fs/file/delete: medium fs/file/delete_forcibly: medium fs/file/open: low fs/file/read: low +fs/file/rename: low fs/file/stat: low fs/file/times_set: medium fs/file/truncate: low diff --git a/tests/macOS/2024.LightSpy/dropper.simple b/tests/macOS/2024.LightSpy/dropper.simple index 87a5ff237..f28462f3b 100644 --- a/tests/macOS/2024.LightSpy/dropper.simple +++ b/tests/macOS/2024.LightSpy/dropper.simple @@ -21,6 +21,7 @@ exec/shell/TERM: low fs/attributes/remove: medium fs/attributes/set: medium fs/directory/create: low +fs/file/rename: low fs/file/stat: low fs/file/write: low fs/lock_update: low diff --git a/tests/npm/2024.harthat/deference.js.simple b/tests/npm/2024.harthat/deference.js.simple index 8938138ca..489644706 100644 --- a/tests/npm/2024.harthat/deference.js.simple +++ b/tests/npm/2024.harthat/deference.js.simple @@ -5,7 +5,6 @@ c2/tool_transfer/os: low discover/system/platform: medium evasion/indicator_blocking/echo_off: high fs/file/delete: medium -fs/file/rename: medium fs/file/write: low impact/remote_access/dll_injection: critical net/download/fetch: critical diff --git a/tests/npm/2024.next-react-notify/tocall.js.simple b/tests/npm/2024.next-react-notify/tocall.js.simple index 8612abaf5..de43eff3f 100644 --- a/tests/npm/2024.next-react-notify/tocall.js.simple +++ b/tests/npm/2024.next-react-notify/tocall.js.simple 
@@ -7,7 +7,6 @@ evasion/bypass_security/executionpolicy_bypass: high evasion/indicator_blocking/echo_off: high exec/shell/power: medium fs/file/delete: medium -fs/file/rename: medium fs/file/write: low net/download/fetch: critical net/http: low From 2e0fd4a37854f78eaab9fc4b3c33f0c5e0131410 Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Mon, 19 May 2025 10:31:11 -0500 Subject: [PATCH 13/18] Add more file types to explicit_rename Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- rules/fs/file/file-rename.yara | 2 +- tests/javascript/clean/highlight.esm.js.simple | 1 + tests/javascript/clean/highlight.js.simple | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/fs/file/file-rename.yara b/rules/fs/file/file-rename.yara index 3ea39d4f4..60c169142 100644 --- a/rules/fs/file/file-rename.yara +++ b/rules/fs/file/file-rename.yara @@ -14,7 +14,7 @@ rule rename: harmless posix { rule explicit_rename: low { meta: description = "renames files" - filetypes = "elf,go,macho,m,py,rb" + filetypes = "elf,go,js,macho,m,py,rb,ts" strings: $rename = "os.rename" fullword diff --git a/tests/javascript/clean/highlight.esm.js.simple b/tests/javascript/clean/highlight.esm.js.simple index 6cb32ca4c..4795f0b28 100644 --- a/tests/javascript/clean/highlight.esm.js.simple +++ b/tests/javascript/clean/highlight.esm.js.simple @@ -50,6 +50,7 @@ fs/file/copy: medium fs/file/create: medium fs/file/delete: medium fs/file/read: low +fs/file/rename: low fs/file/times_set: medium fs/file/write: low fs/link_read: low diff --git a/tests/javascript/clean/highlight.js.simple b/tests/javascript/clean/highlight.js.simple index e270f46ef..56bdf3a7c 100644 --- a/tests/javascript/clean/highlight.js.simple +++ b/tests/javascript/clean/highlight.js.simple @@ -50,6 +50,7 @@ fs/file/copy: medium fs/file/create: medium fs/file/delete: medium fs/file/read: low +fs/file/rename: low fs/file/times_set: medium fs/file/write: low fs/link_read: low 
From ccf2d2021063275c4a16995363ba8229684dc753 Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Mon, 19 May 2025 10:37:04 -0500 Subject: [PATCH 14/18] Fix up remaining PHP filetypes Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- rules/anti-static/obfuscation/php.yara | 20 +++++++++---------- .../indicator_blocking/mask_exceptions.yara | 2 +- tests/php/2024.Inull-Studio/err.php.simple | 2 ++ tests/php/2024.S3RV4N7-SHELL/crot.php.simple | 1 + .../wp-engine-fast-action.php.simple | 3 ++- tests/php/2024.sagsooz/2024.php.simple | 1 + 6 files changed, 17 insertions(+), 12 deletions(-) diff --git a/rules/anti-static/obfuscation/php.yara b/rules/anti-static/obfuscation/php.yara index 612035b2f..261e1f270 100644 --- a/rules/anti-static/obfuscation/php.yara +++ b/rules/anti-static/obfuscation/php.yara @@ -78,7 +78,7 @@ rule small_reversed_function_names: critical { meta: description = "Contains function names in reverse" credit = "Initially ported from https://github.com/jvoisin/php-malware-finder" - filetypes = "text/x-php" + filetypes = "php" strings: $php = " Date: Mon, 19 May 2025 12:23:47 -0500 Subject: [PATCH 15/18] Remove redundant programkind condition Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- pkg/programkind/programkind.go | 2 +- rules/fs/file/exists.yara | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/programkind/programkind.go b/pkg/programkind/programkind.go index 6cc2f898e..233b69fd8 100644 --- a/pkg/programkind/programkind.go +++ b/pkg/programkind/programkind.go 
@@ -215,7 +215,7 @@ func makeFileType(path string, ext string, mime string) *FileType { return Path(".elf") } - if strings.Contains(mime, "application") || strings.Contains(mime, "text/x-") || strings.Contains(mime, "text/x-") || strings.Contains(mime, "executable") { + if strings.Contains(mime, "application") || strings.Contains(mime, "text/x-") || strings.Contains(mime, "executable") { return &FileType{ Ext: ext, MIME: mime, diff --git a/rules/fs/file/exists.yara b/rules/fs/file/exists.yara index 4a220cd72..beafedf71 100644 --- a/rules/fs/file/exists.yara +++ b/rules/fs/file/exists.yara @@ -12,6 +12,7 @@ rule path_exists: low { rule java_exists: low { meta: description = "check if a file exists" + filetypes = "java" strings: $ref = "java/io/File" fullword From cfc00b76f9bec83b2bf319449f0e242ff837ee83 Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Mon, 19 May 2025 15:23:42 -0500 Subject: [PATCH 16/18] Add more file types to rules 
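Review bot: The de-duplicated condition still tests each MIME family with `strings.Contains`, so `"application"` matches anywhere in the string rather than as the type prefix; `strings.HasPrefix(mime, "application/")` for that check states the intent more precisely and avoids accidental matches on unrelated subtypes. Because this branch decides whether a file gets a `FileType` at all, and the rule hunks in this series gate on that type, a MIME value that falls through here silently disables every `filetypes`-gated rule for the sample, so a small table-driven test over representative MIME values for this branch would be worth adding. `makeFileType` begins and ends outside the hunk.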
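Review bot: Gating `java_exists` with `filetypes = "java"` may drop the matches the rule was written for: `$ref = "java/io/File"` is the slash-separated internal class name found in compiled class files and jars, whereas `.java` source spells it `java.io.File`. If `java` here covers only source files, the rule should also list the compiled forms (whatever tokens programkind uses for class and jar, which this hunk does not show), or gain a dotted-form string for source. The rule's `condition` lies outside the hunk.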
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- pkg/action/testdata/scan_archive | 12 ++++++------ rules/anti-behavior/anti-debugger.yara | 4 ++-- rules/anti-behavior/random_behavior.yara | 2 +- rules/anti-static/elf/base64.yara | 1 + rules/credential/clipboard.yara | 2 +- rules/crypto/cipher.yara | 1 + rules/crypto/ecdsa.yara | 1 + rules/crypto/encrypted-stream.yara | 1 + rules/crypto/ethereum.yara | 1 + rules/crypto/fastrand.yara | 1 + rules/crypto/ssl.yara | 1 + rules/data/base64/base64-decode.yara | 7 +++++++ rules/data/base64/base64-encode.yara | 6 ++++++ rules/discover/processes/list.yara | 1 + rules/discover/system/environment.yara | 1 + rules/discover/system/multiple.yara | 1 + rules/discover/system/platform.yara | 3 +++ rules/discover/user/HOME.yara | 3 ++- rules/discover/user/userinfo.yara | 1 + .../bypass_security/executionpolicy_bypass.yara | 2 ++ rules/evasion/indicator_blocking/echo_off.yara | 1 + rules/evasion/indicator_blocking/hidden_window.yara | 1 + rules/evasion/indicator_blocking/hide_errors.yara | 1 + rules/evasion/indicator_blocking/process.yara | 1 + rules/evasion/logging/syslog.yara | 1 + rules/evasion/time/php_no_time_limit.yara | 1 + rules/exec/cmd/pipe.yara | 1 + rules/fs/directory/directory-list.yara | 4 ++-- rules/fs/file/file-read.yara | 3 +++ rules/fs/file/file-stat.yara | 5 ++++- rules/fs/file/file-write.yara | 3 +++ rules/fs/path/applications.yara | 2 ++ rules/fs/path/boot.yara | 1 + rules/fs/path/lib64.yara | 1 + rules/impact/degrade/app.yara | 2 ++ rules/impact/degrade/edr.yara | 2 +- rules/impact/ransom/fernet_listdir.yara | 2 ++ rules/impact/resource/forkbomb.yara | 2 ++ rules/impact/wipe/crypto.yara | 2 ++ rules/impact/wipe/desktop.yara | 2 ++ rules/lateral/scan/cve-2024-4577.yara | 1 + rules/mem/anonymous-file.yara | 1 + rules/mem/protect.yara | 1 + rules/net/http/websocket.yara | 1 + rules/net/resolve/hostname-resolve.yara | 2 ++ rules/net/socket/multiplexing.yara | 1 + rules/net/socket/socket-connect.yara 
| 2 ++ rules/net/socket/socket-listen.yara | 2 ++ rules/net/socket/socket-options-set.yara | 1 + rules/net/ssl/no_verify.yara | 1 + rules/net/udp/kcp.yara | 1 + rules/persist/xdg_desktop_entry.yara | 1 + rules/privesc/runas.yara | 1 + rules/process/executable_path.yara | 1 + rules/process/multiprocess.yara | 1 + rules/process/multithreaded.yara | 1 + tests/c/clean/ruby_http_parser/test.c.simple | 1 - .../5A50D54796BB27126E03A7E25DD5D589.cache.js.simple | 5 +---- .../5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple | 5 +---- tests/javascript/clean/highlight.esm.js.simple | 2 -- tests/javascript/clean/highlight.js.simple | 2 -- tests/javascript/clean/mode-php.js.simple | 3 --- .../clean/mode-php_laravel_blade.js.simple | 3 --- tests/javascript/clean/php.js.simple | 3 --- tests/javascript/clean/yarn-3.8.7.cjs.simple | 3 +-- tests/linux/2021.XMR-Stak/1b1a56.elf.simple | 1 - tests/linux/2024.melofee/2023.8d855c2874.elf.simple | 1 - tests/linux/2024.melofee/pskt.simple | 1 - tests/linux/clean/acme.sh.simple | 1 - tests/linux/clean/bazel.simple | 2 -- tests/linux/clean/botan.simple | 2 -- tests/linux/clean/buildkitd.simple | 1 - tests/linux/clean/chezmoi.simple | 1 - tests/linux/clean/chrome.simple | 1 - tests/linux/clean/clickhouse.simple | 2 -- tests/linux/clean/code-oss.md | 4 ---- tests/linux/clean/cpack.md | 2 -- tests/linux/clean/http-fingerprints.lua.simple | 1 - tests/linux/clean/kolide/launcher.simple | 1 - tests/linux/clean/kolide/osqueryd.simple | 1 - tests/linux/clean/kuma-cp.simple | 1 - tests/linux/clean/mongosh.simple | 6 +----- tests/linux/clean/nvim.simple | 2 -- tests/linux/clean/opa.simple | 3 --- tests/linux/clean/pandoc.md | 2 -- tests/linux/clean/qemu-system-xtensa.md | 2 -- tests/linux/clean/slack.md | 3 --- tests/linux/clean/trivy.simple | 3 --- tests/linux/clean/trufflehog.md | 1 - tests/linux/clean/wolfictl.simple | 1 - tests/linux/mimipenguin/python/mimipenguin.simple | 2 -- .../macOS/2023.3CX/libffmpeg.change_unrelated.mdiff | 6 ++---- 
tests/macOS/2023.3CX/libffmpeg.dirty.dylib.simple | 2 -- tests/macOS/2023.3CX/libffmpeg.dylib.simple | 2 -- .../2023.3CX/libffmpeg.increase_unrelated.mdiff | 6 ++---- .../2024.79-137-192-4/var_tmp_exe_starting2.simple | 1 - tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple | 1 - tests/npm/2024.next-react-notify/tocall.js.simple | 1 - tests/php/2024.S3RV4N7-SHELL/crot.php.simple | 1 - tests/php/2024.malcure/simple.php.simple | 1 - tests/php/2024.sagsooz/2024.php.simple | 1 - tests/php/clean/composer-2.7.7.simple | 2 -- tests/php/clean/run-tests.php.simple | 1 - .../ruby/2024.Infecting_Simulation/malware.rb.simple | 1 - tests/ruby/2024.gtfo/rsocket.rb.simple | 1 - tests/ruby/2024.reverse_shells/oreilly1.rb.simple | 1 - tests/ruby/2024.reverse_shells/oreilly2.rb.simple | 1 - tests/windows/2024.GitHub.Clipper/main.exe.simple | 5 +---- tests/windows/2024.aspdasdksa2/creal.exe.simple | 1 - tests/windows/2024.aspdasdksa2/creal.pyc.simple | 1 - 110 files changed, 103 insertions(+), 117 deletions(-) diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive index cc36dade8..3d72acb0c 100644 --- a/pkg/action/testdata/scan_archive +++ b/pkg/action/testdata/scan_archive @@ -1108,15 +1108,15 @@ "RuleName": "explicit_rename" }, { - "Description": "access filesystem metadata", + "Description": "access filesystem information", "MatchStrings": [ - "fs.statDirEntry" + "_stat" ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat", + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#stat", "ID": "fs/file/stat", - "RuleName": "npm_stat" + "RuleName": "stat" }, { "Description": "forcibly synchronizes file state to disk", diff --git a/rules/anti-behavior/anti-debugger.yara b/rules/anti-behavior/anti-debugger.yara index ad8893453..d6bb0cd11 100644 
--- a/rules/anti-behavior/anti-debugger.yara
+++ b/rules/anti-behavior/anti-debugger.yara
@@ -1,7 +1,7 @@
 rule win_debugger_present: medium windows {
 meta:
 description = "Detects if process is being executed within a debugger"
- filetypes = "ps1,exe,pe"
+ filetypes = "exe,pe,ps1"
 
 strings:
 $debug_idp = "IsDebuggerPresent"
@@ -14,7 +14,7 @@ rule win_debugger_present: medium windows {
 rule win_debugger_or_vm: medium windows {
 meta:
 description = "Detects if process is being executed within a debugger or VM"
- filetypes = "ps1,exe,pe"
+ filetypes = "exe,pe,ps1"
 
 strings:
 $cpu_pfp = "IsProcessorFeaturePresent"
diff --git a/rules/anti-behavior/random_behavior.yara b/rules/anti-behavior/random_behavior.yara
index c0d63f240..6e45dbe2f 100644
--- a/rules/anti-behavior/random_behavior.yara
+++ b/rules/anti-behavior/random_behavior.yara
@@ -57,7 +57,7 @@ rule go_rand: medium {
 rule rand_call: medium {
 meta:
 description = "exhibits random behavior"
- filetypes = "c,perl,php"
+ filetypes = "c,pl,php"
 
 strings:
 $ref = "rand()"
diff --git a/rules/anti-static/elf/base64.yara b/rules/anti-static/elf/base64.yara
index e34d2354e..beaf88047 100644
--- a/rules/anti-static/elf/base64.yara
+++ b/rules/anti-static/elf/base64.yara
@@ -14,6 +14,7 @@ rule contains_base64_elf: high {
 rule elf_contains_base64_elf: critical {
 meta:
 description = "ELF binary contains base64 ELF binary"
+ filetypes = "elf"
 
 strings:
 $elf_head = "f0VMRgI"
diff --git a/rules/credential/clipboard.yara b/rules/credential/clipboard.yara
index baf17290e..b40491dc7 100644
--- a/rules/credential/clipboard.yara
+++ b/rules/credential/clipboard.yara
@@ -17,6 +17,7 @@ rule nspasteboard: medium macos {
 rule py_pasteboard: high {
 meta:
 description = "access clipboard contents"
+ filetypes = "py"
 
 strings:
 $clip = "pyperclip.copy("
@@ -25,4 +26,3 @@ rule py_pasteboard: high {
 condition:
 any of them
 }
-
diff --git a/rules/crypto/cipher.yara b/rules/crypto/cipher.yara
index dfebf184a..147a99cbb 100644
--- a/rules/crypto/cipher.yara
+++ b/rules/crypto/cipher.yara
@@ -1,6 +1,7 @@
 rule go_cipher: harmless {
 meta:
 description = "Uses crypto/cipher"
+ filetypes = "elf,go,macho"
 
 strings:
 $ref = "XORKeyStream"
diff --git a/rules/crypto/ecdsa.yara b/rules/crypto/ecdsa.yara
index d4e310eef..742aa1657 100644
--- a/rules/crypto/ecdsa.yara
+++ b/rules/crypto/ecdsa.yara
@@ -1,6 +1,7 @@
 rule crypto_ecdsa {
 meta:
 description = "Uses the Go crypto/ecdsa library"
+ filetypes = "elf,go,macho"
 
 strings:
 $ref = "crypto/ecdsa"
diff --git a/rules/crypto/encrypted-stream.yara b/rules/crypto/encrypted-stream.yara
index 4c9243937..b60aa62d0 100644
--- a/rules/crypto/encrypted-stream.yara
+++ b/rules/crypto/encrypted-stream.yara
@@ -1,6 +1,7 @@
 rule go_encrypted_stream: high {
 meta:
 description = "Uses github.com/nknorg/encrypted-stream to encrypt streams"
+ filetypes = "elf,go,macho"
 
 strings:
 $ref1 = ").Encrypt"
diff --git a/rules/crypto/ethereum.yara b/rules/crypto/ethereum.yara
index 52068a24c..6beca8945 100644
--- a/rules/crypto/ethereum.yara
+++ b/rules/crypto/ethereum.yara
@@ -1,6 +1,7 @@
 rule ethereum: medium {
 meta:
 description = "uses Ethereum"
+ filetypes = "js,ts"
 
 strings:
 $ethers = "require(\"ethers\");"
diff --git a/rules/crypto/fastrand.yara b/rules/crypto/fastrand.yara
index 0ed6967f1..de456c94b 100644
--- a/rules/crypto/fastrand.yara
+++ b/rules/crypto/fastrand.yara
@@ -1,6 +1,7 @@
 rule uses_pseudo_rng: medium {
 meta:
 description = "uses a fast pseudorandom generator"
+ filetypes = "elf,go,macho"
 
 strings:
 $ethers = "valyala/fastrand"
diff --git a/rules/crypto/ssl.yara b/rules/crypto/ssl.yara
index b6da5b47f..c13759c56 100644
--- a/rules/crypto/ssl.yara
+++ b/rules/crypto/ssl.yara
@@ -1,6 +1,7 @@
 rule py_ssl {
 meta:
 description = "uses Python SSL library"
+ filetypes = "py"
 
 strings:
 $ssl = "import ssl" fullword
diff --git a/rules/data/base64/base64-decode.yara b/rules/data/base64/base64-decode.yara
index 8e0654409..47b8e6ee1 100644
--- a/rules/data/base64/base64-decode.yara
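Review bot: `filetypes = "elf,go,macho"` on go_cipher leaves out Windows builds of Go programs, and the crypto_ecdsa, go_encrypted_stream and uses_pseudo_rng hunks on this same line have the identical gap; the strings these rules key on (`XORKeyStream`, `crypto/ecdsa`, `valyala/fastrand`) are carried by a Go PE exactly as by an ELF. If the filetypes gate is exclusive — the scan_archive testdata change earlier in this patch, where npm_stat stops matching, suggests it is — Go malware compiled for Windows would silently skip all four rules. The anti-debugger hunk already spells PE as `exe,pe`, so `filetypes = "elf,exe,go,macho,pe"` would preserve the pre-patch coverage; if Windows Go binaries are intentionally out of scope, a one-line meta comment saying so would stop the next reader from re-adding them.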
+++ b/rules/data/base64/base64-decode.yara
@@ -2,6 +2,7 @@ rule base64_decode: medium python {
 meta:
 description = "decode base64 strings"
 ref = "https://docs.python.org/3/library/base64.html"
+ filetypes = "py"
 
 strings:
 $b64decode = "b64decode"
@@ -13,6 +14,7 @@ rule base64_decode: medium python {
 rule py_base64_decode: medium php {
 meta:
 description = "decode base64 strings"
+ filetypes = "py"
 
 strings:
 $b64decode = "base64_decode"
@@ -24,6 +26,7 @@ rule py_base64_decode: medium php {
 rule js_base64_decode: medium js {
 meta:
 description = "decode base64 strings"
+ filetypes = "js,ts"
 
 strings:
 $atob = "atob("
@@ -35,6 +38,7 @@ rule js_base64_decode: medium js {
 rule js_double_base64_decode: critical js {
 meta:
 description = "double-decodes base64 strings"
+ filetypes = "js,ts"
 
 strings:
 $atob = "atob(atob("
@@ -46,6 +50,7 @@ rule js_double_base64_decode: critical js {
 rule ruby_base64_decode: medium ruby {
 meta:
 description = "decode base64 strings"
+ filetypes = "rb"
 
 strings:
 $b64decode = /[\._]decode64/
@@ -58,6 +63,7 @@ rule urlsafe_decode64: medium ruby {
 meta:
 description = "decode base64 strings"
 ref = "https://ruby-doc.org/3.3.0/stdlibs/base64/Base64.html"
+ filetypes = "rb"
 
 strings:
 $urlsafe_decode64_ruby = "urlsafe_decode64"
@@ -70,6 +76,7 @@ rule powershell_decode: medium {
 meta:
 description = "decode base64 strings"
 ref = "https://learn.microsoft.com/en-us/dotnet/api/system.convert.frombase64string?view=net-8.0"
+ filetypes = "ps1"
 
 strings:
 $ref = /System\.Convert[\]: ]+FromBase64String/ ascii
diff --git a/rules/data/base64/base64-encode.yara b/rules/data/base64/base64-encode.yara
index e53690c92..3d4f54b0c 100644
--- a/rules/data/base64/base64-encode.yara
+++ b/rules/data/base64/base64-encode.yara
@@ -2,6 +2,7 @@ rule base64_encode: medium python {
 meta:
 description = "encode base64 strings"
 ref = "https://docs.python.org/3/library/base64.html"
+ filetypes = "py"
 
 strings:
 $b64encode = "b64encode"
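Review bot: `filetypes = "py"` on py_base64_decode (the `@@ -13,6 +14,7 @@` hunk) is the wrong language: the rule is tagged `php`, its only string is the PHP function `base64_decode`, and the parallel py_base64_encode hunk in base64-encode.yara that follows gets `filetypes = "php"`. As written the rule would only be evaluated against Python sources, where `base64_decode` does not occur, so base64 decoding in PHP files would go unreported with no error to point at it. Change the line to `filetypes = "php"`; the misleading `py_` prefix on both rule names predates this commit and is worth a separate rename.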
@@ -13,6 +14,7 @@ rule base64_encode: medium python {
 rule py_base64_encode: medium php {
 meta:
 description = "encode base64 strings"
+ filetypes = "php"
 
 strings:
 $b64encode = "base64_encode"
@@ -24,6 +26,7 @@ rule py_base64_encode: medium php {
 rule ruby_base64_encode: medium ruby {
 meta:
 description = "encode base64 strings"
+ filetypes = "rb"
 
 strings:
 $b64encode = /[\._]encode64/
@@ -36,6 +39,7 @@ rule urlsafe_encode64: medium ruby {
 meta:
 description = "encode base64 strings"
 ref = "https://ruby-doc.org/3.3.0/stdlibs/base64/Base64.html"
+ filetypes = "rb"
 
 strings:
 $urlsafe_encode64_ruby = "urlsafe_encode64"
@@ -48,6 +52,7 @@ rule powershell_encode: medium {
 meta:
 description = "encode base64 strings"
 ref = "https://learn.microsoft.com/en-us/dotnet/api/system.convert.frombase64string?view=net-8.0"
+ filetypes = "ps1"
 
 strings:
 $ref = /System\.Convert[\]: ]+ToBase64String/ ascii
@@ -59,6 +64,7 @@ rule powershell_encode: medium {
 rule java_base64_encode: medium {
 meta:
 description = "encode base64 strings"
+ filetypes = "jar,java"
 
 strings:
 $ref = "Base64$Encoder"
diff --git a/rules/discover/processes/list.yara b/rules/discover/processes/list.yara
index 13f5e880a..b2c6af543 100644
--- a/rules/discover/processes/list.yara
+++ b/rules/discover/processes/list.yara
@@ -71,6 +71,7 @@ rule proclist: medium {
 rule java_lang_processes_opaque: medium {
 meta:
 description = "accesses process list"
+ filetypes = "jar,java"
 
 strings:
 $processes = "processes" fullword
diff --git a/rules/discover/system/environment.yara b/rules/discover/system/environment.yara
index 30d8ffe6a..fddfe40f4 100644
--- a/rules/discover/system/environment.yara
+++ b/rules/discover/system/environment.yara
@@ -1,6 +1,7 @@
 rule os_environ: medium {
 meta:
 description = "Dump values from the environment"
+ filetypes = "py"
 
 strings:
 $ref = "os.environ.items()" fullword
diff --git a/rules/discover/system/multiple.yara b/rules/discover/system/multiple.yara
index 7ddc1123c..03b40216f 100644
--- a/rules/discover/system/multiple.yara
+++ b/rules/discover/system/multiple.yara
@@ -41,6 +41,7 @@ rule hostinfo_collector_api: high macos {
 rule hostinfo_collector_npm: critical {
 meta:
 description = "collects an unusual amount of host information"
+ filetypes = "js,ts"
 
 strings:
 $f_userInfo = "os.userInfo()"
diff --git a/rules/discover/system/platform.yara b/rules/discover/system/platform.yara
index d5ec29aaf..dac8a3614 100644
--- a/rules/discover/system/platform.yara
+++ b/rules/discover/system/platform.yara
@@ -74,6 +74,7 @@ rule python_platform: medium {
 meta:
 description = "system platform identification"
 ref = "https://docs.python.org/3/library/platform.html"
+ filetypes = "py"
 
 strings:
 $ref = "platform.dist()"
@@ -101,6 +102,7 @@ rule npm_uname: medium {
 meta:
 description = "get system identification"
 ref = "https://nodejs.org/api/process.html"
+ filetypes = "js,ts"
 
 strings:
 $ = "process.platform"
@@ -118,6 +120,7 @@ rule npm_uname: medium {
 rule ruby_uname: medium ruby {
 meta:
 description = "get system identification"
+ filetypes = "rb"
 
 strings:
 $ = "CONFIG['host_os']"
diff --git a/rules/discover/user/HOME.yara b/rules/discover/user/HOME.yara
index aa2f1c4fb..80c848f83 100644
--- a/rules/discover/user/HOME.yara
+++ b/rules/discover/user/HOME.yara
@@ -16,6 +16,7 @@ rule node_HOME {
 meta:
 description = "Looks up the HOME directory for the current user"
 ref = "https://man.openbsd.org/login.1#ENVIRONMENT"
+ filetypes = "js,ts"
 
 strings:
 $ref = "env.HOME" fullword
@@ -27,6 +28,7 @@ rule node_HOME {
 rule py_HOME {
 meta:
 description = "Looks up the HOME directory for the current user"
+ filetypes = "py"
 
 strings:
 $ref = "os.path.expanduser(\"~\")" fullword
@@ -34,4 +36,3 @@ rule py_HOME {
 condition:
 all of them
 }
-
diff --git a/rules/discover/user/userinfo.yara b/rules/discover/user/userinfo.yara
index 85e8e7a83..70c81dd37 100644
--- a/rules/discover/user/userinfo.yara
+++ b/rules/discover/user/userinfo.yara
@@ -2,6 +2,7 @@ rule userinfo: medium {
 meta:
 syscall = "getuid"
 description = "returns user info for the current process"
+ filetypes = "js,ts"
 
 strings:
 $ref = "os.userInfo()"
diff --git a/rules/evasion/bypass_security/executionpolicy_bypass.yara b/rules/evasion/bypass_security/executionpolicy_bypass.yara
index 9093f68a6..80ab001e3 100644
--- a/rules/evasion/bypass_security/executionpolicy_bypass.yara
+++ b/rules/evasion/bypass_security/executionpolicy_bypass.yara
@@ -1,6 +1,7 @@
 rule ps_executionpolicy_bypass: high {
 meta:
 description = "bypasses PowerShell Execution Policy"
+ filetypes = "ps1"
 
 strings:
 $ref = "-ExecutionPolicy Bypass"
@@ -12,6 +13,7 @@ rule ps_executionpolicy_bypass: high {
 rule ps_executionpolicy_bypass_small_child: high {
 meta:
 description = "Calls powerscript and bypasses PowerShell Execution Policy"
+ filetypes = "ps1"
 
 strings:
 $ref = "-ExecutionPolicy Bypass"
diff --git a/rules/evasion/indicator_blocking/echo_off.yara b/rules/evasion/indicator_blocking/echo_off.yara
index b53e287b9..e9cbf833c 100644
--- a/rules/evasion/indicator_blocking/echo_off.yara
+++ b/rules/evasion/indicator_blocking/echo_off.yara
@@ -1,6 +1,7 @@
 rule js_echo_off: high {
 meta:
 description = "runs a batch file and hides command output"
+ filetypes = "js,ts"
 
 strings:
 $ref = "@echo off"
diff --git a/rules/evasion/indicator_blocking/hidden_window.yara b/rules/evasion/indicator_blocking/hidden_window.yara
index d035cae18..3ed227b4d 100644
--- a/rules/evasion/indicator_blocking/hidden_window.yara
+++ b/rules/evasion/indicator_blocking/hidden_window.yara
@@ -1,6 +1,7 @@
 rule subprocess_CREATE_NO_WINDOW: medium {
 meta:
 description = "runs commands, hides windows"
+ filetypes = "py"
 
 strings:
 $sub = "subprocess"
diff --git a/rules/evasion/indicator_blocking/hide_errors.yara b/rules/evasion/indicator_blocking/hide_errors.yara
index bde087325..7f7ba735a 100644
--- a/rules/evasion/indicator_blocking/hide_errors.yara
+++ b/rules/evasion/indicator_blocking/hide_errors.yara
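Review bot: Gating userinfo to `js,ts` drops the finding for native binaries that bundle Node.js code: the mongosh.simple change later in this patch loses `discover/user/info: medium` and lowers `discover/system/platform` to low once npm_uname gets the same `js,ts` value, yet `os.userInfo()` is as present in a packaged Node ELF as in a `.js` file. The `js,ts` values on ethereum, js_base64_decode, js_double_base64_decode, hostinfo_collector_npm, node_HOME and js_echo_off earlier in this patch carry the same trade-off, so this applies to them too. If the goal is only to quiet clean native binaries, listing the binary formats alongside the scripts (the Go rules in this patch do this with `elf,macho`) keeps bundled JavaScript in scope; otherwise a meta comment should record that bundled runtimes are deliberately excluded from these rules.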
@@ -2,6 +2,7 @@ rule php_suppressed_include: high { meta: description = "Includes a file, suppressing errors" credit = "Inspired by DodgyPHP rule in php-malware-finder" + filetypes = "php" strings: $php = "[openssl](https://github.com/search?q=openssl&type=code) | | MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | `$opt48`
`$opt52`
`$opt12`
`$opt13`
`$opt14`
`$opt63`
`$opt62`
`$opt61`
`$opt60`
`$opt59`
`$opt15`
`$opt16`
`$opt17`
`$opt18`
`$opt19`
`$opt20`
`$opt21`
`$opt22`
`$opt23`
`$opt24`
`$opt25`
`$opt26`
`$opt27`
`$opt28`
`$opt29`
`$opt30`
`$opt31`
`$opt32`
`$opt33`
`$opt34`
`$opt35`
`$opt36`
`$opt37`
`$opt38`
`$opt39`
`$opt40`
`$opt41`
`$opt42`
`$opt43`
`$opt44`
`$opt45`
`$opt46`
`$opt47`
`$opt49`
`$opt50`
`$opt51`
`$opt53`
`$opt54`
`$opt55`
`$opt56`
`$opt57`
`$opt58`
`$opt10`
`$opt11`
`$opt0`
`$opt7`
`$opt8`
`$opt9`
[7654](https://github.com/search?q=7654&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[srqp](https://github.com/search?q=srqp&type=code)
[onml](https://github.com/search?q=onml&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[3210](https://github.com/search?q=3210&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[#"!](https://github.com/search?q=%23%22%21&type=code) | | MEDIUM | [crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid) | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | -| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#js_base64_decode) | decode base64 strings | [js_base64_decode::atob(](https://github.com/search?q=js_base64_decode%3A%3Aatob%28&type=code) | -| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | | MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [contains_base64::Q0VSVElGSUNBVE](https://github.com/search?q=contains_base64%3A%3AQ0VSVElGSUNBVE&type=code)
[contains_base64::ZGlyZWN0b3J5](https://github.com/search?q=contains_base64%3A%3AZGlyZWN0b3J5&type=code)
[contains_base64::RpcmVjdG9ye](https://github.com/search?q=contains_base64%3A%3ARpcmVjdG9ye&type=code) | | MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [contains_base64_url::odHRwczovL](https://github.com/search?q=contains_base64_url%3A%3AodHRwczovL&type=code)
[contains_base64_url::h0dHBzOi8v](https://github.com/search?q=contains_base64_url%3A%3Ah0dHBzOi8v&type=code)
[contains_base64_url::odHRwOi8v](https://github.com/search?q=contains_base64_url%3A%3AodHRwOi8v&type=code)
[contains_base64_url::aHR0cDovL](https://github.com/search?q=contains_base64_url%3A%3AaHR0cDovL&type=code)
[contains_base64_url::h0dHA6Ly](https://github.com/search?q=contains_base64_url%3A%3Ah0dHA6Ly&type=code) | | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code)
[[](https://github.com/search?q=%3Chtml%3E&type=code) | @@ -35,7 +33,6 @@ | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#browser_platform) | system platform identification via browser user-agent | [platformVersion](https://github.com/search?q=platformVersion&type=code)
[userAgentData](https://github.com/search?q=userAgentData&type=code) | | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | | MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [USERPROFILE](https://github.com/search?q=USERPROFILE&type=code)
[Desktop](https://github.com/search?q=Desktop&type=code) | -| MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | | MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) | | MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code)
[ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code) | | MEDIUM | [exec/cmd/pipe](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/pipe.yara#popen_go) | [launches program and reads its output](https://linux.die.net/man/3/popen) | [CombinedOutput](https://github.com/search?q=CombinedOutput&type=code)
[exec](https://github.com/search?q=exec&type=code) | @@ -139,7 +136,6 @@ | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | | LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | | LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | -| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code)
[fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code) | | LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeIntoFile](https://github.com/search?q=writeIntoFile&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code)
[WriteFile](https://github.com/search?q=WriteFile&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md index d478dff40..5794c73a7 100644 --- a/tests/linux/clean/cpack.md +++ b/tests/linux/clean/cpack.md @@ -8,8 +8,6 @@ | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[windows](https://github.com/search?q=windows&type=code)
[Darwin](https://github.com/search?q=Darwin&type=code)
[linux](https://github.com/search?q=linux&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[macOS](https://github.com/search?q=macOS&type=code)
[macos](https://github.com/search?q=macos&type=code) | | MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#file_crypter) | Encrypts files | [cryptor](https://github.com/search?q=cryptor&type=code) | | MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | -| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) | -| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [](https://github.com/search?q=%3Chtml%3E&type=code) | | MEDIUM | [data/embedded/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-zstd.yara#embedded_zstd) | [Contains compressed content in ZStandard format](https://github.com/facebook/zstd) | `$ref` | | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code) |
diff --git a/tests/linux/clean/http-fingerprints.lua.simple b/tests/linux/clean/http-fingerprints.lua.simple
index b71c46429..b9437a03b 100644
--- a/tests/linux/clean/http-fingerprints.lua.simple
+++ b/tests/linux/clean/http-fingerprints.lua.simple
@@ -8,7 +8,6 @@ collect/databases/mysql: medium
 credential/password: low
 credential/server/htpasswd: medium
 exec/plugin: low
-fs/file/read: low
 fs/path/etc: low
 fs/path/home: low
 fs/path/root: medium
diff --git a/tests/linux/clean/kolide/launcher.simple b/tests/linux/clean/kolide/launcher.simple
index dda8bad26..143cbf616 100644
--- a/tests/linux/clean/kolide/launcher.simple
+++ b/tests/linux/clean/kolide/launcher.simple
@@ -57,7 +57,6 @@ fs/file/delete: low
 fs/file/open: low
 fs/file/read: low
 fs/file/rename: low
-fs/file/stat: low
 fs/file/truncate: low
 fs/file/write: low
 fs/link_read: low
diff --git a/tests/linux/clean/kolide/osqueryd.simple b/tests/linux/clean/kolide/osqueryd.simple
index 9c8953a09..70d39c5ea 100644
--- a/tests/linux/clean/kolide/osqueryd.simple
+++ b/tests/linux/clean/kolide/osqueryd.simple
@@ -26,7 +26,6 @@ crypto/gost89: low
 crypto/openssl: medium
 crypto/public_key: low
 crypto/tls: low
-data/base64/decode: medium
 data/compression/bzip2: low
 data/compression/gzip: low
 data/compression/lzma: low
diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple
index d68654a5a..ea67d52e5 100644
--- a/tests/linux/clean/kuma-cp.simple
+++ b/tests/linux/clean/kuma-cp.simple
@@ -75,7 +75,6 @@ fs/file/delete_forcibly: low
 fs/file/open: low
 fs/file/read: low
 fs/file/rename: low
-fs/file/stat: low
 fs/file/write: low
 fs/link_read: low
 fs/mount: low
diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple
index 5e03df842..6ff9c762e 100644
--- a/tests/linux/clean/mongosh.simple
+++ b/tests/linux/clean/mongosh.simple
@@ -24,8 +24,6 @@ crypto/openssl: medium crypto/public_key: low crypto/tls: low crypto/uuid: medium -data/base64/decode: medium -data/base64/encode: medium data/base64/external: medium data/compression/bzip2: low data/compression/gzip: low @@ -56,13 +54,12 @@ discover/process/parent: low discover/process/working_directory: low discover/processes/list: medium discover/system/hostname: low -discover/system/platform: medium +discover/system/platform: low discover/system/sysinfo: medium discover/user/APPDATA: low discover/user/HOME: low discover/user/USER: low discover/user/USERPROFILE: medium -discover/user/info: medium discover/user/name_get: low evasion/file/prefix: medium evasion/logging/acct: low @@ -98,7 +95,6 @@ fs/file/delete_forcibly: low fs/file/open: low fs/file/read: low fs/file/rename: low -fs/file/stat: low fs/file/times_set: medium fs/file/truncate: low fs/file/write: low diff --git a/tests/linux/clean/nvim.simple b/tests/linux/clean/nvim.simple index 7a19756d0..e80b78151 100644 --- a/tests/linux/clean/nvim.simple +++ b/tests/linux/clean/nvim.simple @@ -13,8 +13,6 @@ credential/ssh: medium credential/ssh/d: medium crypto/openssl: medium crypto/rc4: low -data/base64/decode: medium -data/base64/encode: medium data/compression/zlib: low data/encoding/base64: low data/random/insecure: low diff --git a/tests/linux/clean/opa.simple b/tests/linux/clean/opa.simple index e264706e0..db183ac34 100644 --- a/tests/linux/clean/opa.simple +++ b/tests/linux/clean/opa.simple @@ -19,8 +19,6 @@ crypto/ecdsa: low crypto/ed25519: low crypto/public_key: low crypto/tls: low -data/base64/decode: medium -data/base64/encode: medium data/compression/gzip: low data/compression/zstd: low data/embedded/html: medium @@ -50,7 +48,6 @@ fs/file/delete: low fs/file/open: low fs/file/read: low fs/file/rename: low -fs/file/stat: low fs/file/times_set: low fs/file/write: low fs/link_read: low 
diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md index 55869b01b..c8a55bbd8 100644 --- a/tests/linux/clean/pandoc.md +++ b/tests/linux/clean/pandoc.md @@ -16,8 +16,6 @@ | MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) | | MEDIUM | [credential/server/htpasswd](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/server/htpasswd.yara#htpasswd) | Access .htpasswd files | [.htpasswd](https://github.com/search?q=.htpasswd&type=code) | | MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | -| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) | -| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code)
[](https://github.com/search?q=%3Chtml%3E&type=code) | | MEDIUM | [data/encoding/utf16](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/utf16.yara#chr) | assembles strings from UTF-16 code units | `$ref` | | MEDIUM | [data/hash/whirlpool](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/whirlpool.yara#whirlpool) | [hash function often used for cryptomining](https://en.wikipedia.org/wiki/Whirlpool_(hash_function)) | [WHIRLPOOL](https://github.com/search?q=WHIRLPOOL&type=code) | diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md index 3c1dd5755..8b773f855 100644 --- a/tests/linux/clean/qemu-system-xtensa.md +++ b/tests/linux/clean/qemu-system-xtensa.md @@ -11,8 +11,6 @@ | MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | | MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt) | encrypts data | [t_type_q_obj_RbdEncryptionOptions_base_](https://github.com/search?q=t_type_q_obj_RbdEncryptionOptions_base_&type=code)
[bj_BlockdevQcow2Encryption_base_members](https://github.com/search?q=bj_BlockdevQcow2Encryption_base_members&type=code)
[obj_BlockdevQcowEncryption_base_members](https://github.com/search?q=obj_BlockdevQcowEncryption_base_members&type=code)
[t_type_q_obj_RbdEncryptionCreateOptions](https://github.com/search?q=t_type_q_obj_RbdEncryptionCreateOptions&type=code)
[nfoSpecificQCow2EncryptionBase_members](https://github.com/search?q=nfoSpecificQCow2EncryptionBase_members&type=code)
[visit_type_RbdEncryptionCreateOptions](https://github.com/search?q=visit_type_RbdEncryptionCreateOptions&type=code)
[visit_type_RbdEncryptionOptionsLUKS_m](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKS_m&type=code)
[visit_type_RbdEncryptionOptionsLUKSBa](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKSBa&type=code)
[visit_type_RbdEncryptionOptions_membe](https://github.com/search?q=visit_type_RbdEncryptionOptions_membe&type=code)
[visit_type_RbdEncryptionOptionsLUKSAn](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKSAn&type=code)
[visit_type_RbdEncryptionOptionsLUKS2_](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKS2_&type=code)
[qapi_free_RbdEncryptionCreateOptions](https://github.com/search?q=qapi_free_RbdEncryptionCreateOptions&type=code)
[qapi_free_RbdEncryptionOptionsLUKSBa](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKSBa&type=code)
[BlockdevQcow2EncryptionFormat_lookup](https://github.com/search?q=BlockdevQcow2EncryptionFormat_lookup&type=code)
[qapi_free_RbdEncryptionOptionsLUKSAn](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKSAn&type=code)
[qapi_free_RbdEncryptionOptionsLUKS2](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKS2&type=code)
[BlockdevQcowEncryptionFormat_lookup](https://github.com/search?q=BlockdevQcowEncryptionFormat_lookup&type=code)
[ype_BlockdevQcowEncryption_members](https://github.com/search?q=ype_BlockdevQcowEncryption_members&type=code)
[pe_BlockdevQcow2Encryption_members](https://github.com/search?q=pe_BlockdevQcow2Encryption_members&type=code)
[nfoSpecificQCow2Encryption_members](https://github.com/search?q=nfoSpecificQCow2Encryption_members&type=code)
[pe_BlockdevQcow2EncryptionFormat](https://github.com/search?q=pe_BlockdevQcow2EncryptionFormat&type=code)
[it_type_RbdImageEncryptionFormat](https://github.com/search?q=it_type_RbdImageEncryptionFormat&type=code)
[ype_BlockdevQcowEncryptionFormat](https://github.com/search?q=ype_BlockdevQcowEncryptionFormat&type=code)
[RbdImageEncryptionFormat_lookup](https://github.com/search?q=RbdImageEncryptionFormat_lookup&type=code)
[ree_BlockdevQcowEncryption](https://github.com/search?q=ree_BlockdevQcowEncryption&type=code)
[ee_BlockdevQcow2Encryption](https://github.com/search?q=ee_BlockdevQcow2Encryption&type=code)
[Encryption header offse](https://github.com/search?q=Encryption+header+offse&type=code)
[Encrypt the image with](https://github.com/search?q=Encrypt+the+image+with&type=code) | | MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [openssl](https://github.com/search?q=openssl&type=code) | -| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) | -| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | | MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | MEDIUM | [evasion/indicator_blocking/vm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/indicator_blocking/vm.yara#hidden_qemu) | operates a QEMU VM | [unable to find CPU model '%s'](https://github.com/search?q=unable+to+find+CPU+model+%27%25s%27&type=code)
[QEMU_VFIO](https://github.com/search?q=QEMU_VFIO&type=code) | diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md index 200427fd9..8f526acfe 100644 --- a/tests/linux/clean/slack.md +++ b/tests/linux/clean/slack.md @@ -22,7 +22,6 @@ | MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | | MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | `$opt60`
`$opt36`
`$opt62`
`$opt61`
`$opt59`
`$opt58`
`$opt57`
`$opt56`
`$opt55`
`$opt10`
`$opt11`
`$opt12`
`$opt13`
`$opt14`
`$opt15`
`$opt16`
`$opt17`
`$opt18`
`$opt19`
`$opt20`
`$opt21`
`$opt22`
`$opt23`
`$opt24`
`$opt25`
`$opt26`
`$opt27`
`$opt28`
`$opt29`
`$opt30`
`$opt31`
`$opt32`
`$opt33`
`$opt34`
`$opt35`
`$opt37`
`$opt38`
`$opt39`
`$opt40`
`$opt41`
`$opt42`
`$opt43`
`$opt44`
`$opt45`
`$opt46`
`$opt47`
`$opt48`
`$opt49`
`$opt50`
`$opt51`
`$opt52`
`$opt53`
`$opt54`
`$opt63`
`$opt9`
`$opt8`
`$opt7`
`$opt0`
[srqp](https://github.com/search?q=srqp&type=code)
[onml](https://github.com/search?q=onml&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[7654](https://github.com/search?q=7654&type=code)
[3210](https://github.com/search?q=3210&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[#"!](https://github.com/search?q=%23%22%21&type=code) | | MEDIUM | [crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid) | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | -| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#js_base64_decode) | decode base64 strings | [js_base64_decode::atob(](https://github.com/search?q=js_base64_decode%3A%3Aatob%28&type=code) | | MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [contains_base64::Q0VSVElGSUNBVE](https://github.com/search?q=contains_base64%3A%3AQ0VSVElGSUNBVE&type=code)
[contains_base64::DRVJUSUZJQ0FUR](https://github.com/search?q=contains_base64%3A%3ADRVJUSUZJQ0FUR&type=code)
[contains_base64::ZGlyZWN0b3J5](https://github.com/search?q=contains_base64%3A%3AZGlyZWN0b3J5&type=code)
[contains_base64::RpcmVjdG9ye](https://github.com/search?q=contains_base64%3A%3ARpcmVjdG9ye&type=code) | | MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [contains_base64_url::odHRwczovL](https://github.com/search?q=contains_base64_url%3A%3AodHRwczovL&type=code)
[contains_base64_url::aHR0cDovL](https://github.com/search?q=contains_base64_url%3A%3AaHR0cDovL&type=code)
[contains_base64_url::odHRwOi8v](https://github.com/search?q=contains_base64_url%3A%3AodHRwOi8v&type=code)
[contains_base64_url::h0dHA6Ly](https://github.com/search?q=contains_base64_url%3A%3Ah0dHA6Ly&type=code) | | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code)
[[](https://github.com/search?q=%3Chtml%3E&type=code) | @@ -35,7 +34,6 @@ | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#browser_platform) | system platform identification via browser user-agent | [platformVersion](https://github.com/search?q=platformVersion&type=code)
[userAgentData](https://github.com/search?q=userAgentData&type=code) | | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | | MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [USERPROFILE](https://github.com/search?q=USERPROFILE&type=code)
[Desktop](https://github.com/search?q=Desktop&type=code) | -| MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | | MEDIUM | [evasion/file/location/dev_shm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/dev-shm.yara#dev_shm) | references path within /dev/shm (world writeable) | [/dev/shm/](https://github.com/search?q=%2Fdev%2Fshm%2F&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/usr/lib/debug/.build-id](https://github.com/search?q=%2Fusr%2Flib%2Fdebug%2F.build-id&type=code) | | MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) | @@ -141,7 +139,6 @@ | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | | LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | | LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | -| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code)
[fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code) | | LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [_writeFilesForTesting](https://github.com/search?q=_writeFilesForTesting&type=code)
[writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeFileUtf8](https://github.com/search?q=writeFileUtf8&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code)
[WriteFile](https://github.com/search?q=WriteFile&type=code) | | LOW | [fs/link_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) | diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple index 7ae82cda9..ba833fc54 100644 --- a/tests/linux/clean/trivy.simple +++ b/tests/linux/clean/trivy.simple @@ -34,8 +34,6 @@ crypto/ed25519: low crypto/openssl: medium crypto/public_key: low crypto/tls: low -data/base64/decode: medium -data/base64/encode: medium data/compression/bzip2: low data/compression/gzip: low data/compression/lzma: low @@ -103,7 +101,6 @@ fs/file/delete_forcibly: medium fs/file/open: low fs/file/read: low fs/file/rename: low -fs/file/stat: low fs/file/times_set: medium fs/file/truncate: low fs/file/write: low diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md index c7c16b212..09a90e0ea 100644 --- a/tests/linux/clean/trufflehog.md +++ b/tests/linux/clean/trufflehog.md @@ -147,7 +147,6 @@ | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | | LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [os.(*File).Read](https://github.com/search?q=os.%28%2AFile%29.Read&type=code)
[ReadFile](https://github.com/search?q=ReadFile&type=code) | | LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [os.rename](https://github.com/search?q=os.rename&type=code)
[os.Rename](https://github.com/search?q=os.Rename&type=code)
[MoveFile](https://github.com/search?q=MoveFile&type=code) | -| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statFile](https://github.com/search?q=fs.statFile&type=code) | | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [writeFilePatchHeader](https://github.com/search?q=writeFilePatchHeader&type=code)
[writeFileToArchive](https://github.com/search?q=writeFileToArchive&type=code)
[writeCacheFile](https://github.com/search?q=writeCacheFile&type=code)
[writeFilestat](https://github.com/search?q=writeFilestat&type=code)
[writeRawFile](https://github.com/search?q=writeRawFile&type=code)
[writerFile](https://github.com/search?q=writerFile&type=code)
[WriteFile](https://github.com/search?q=WriteFile&type=code) | | LOW | [fs/link_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple index b1188a8f5..93ea02624 100644 --- a/tests/linux/clean/wolfictl.simple +++ b/tests/linux/clean/wolfictl.simple @@ -94,7 +94,6 @@ fs/file/delete_forcibly: medium fs/file/open: low fs/file/read: low fs/file/rename: low -fs/file/stat: low fs/file/times_set: medium fs/file/truncate: low fs/file/write: low diff --git a/tests/linux/mimipenguin/python/mimipenguin.simple b/tests/linux/mimipenguin/python/mimipenguin.simple index 9ef8e0186..9f946cfbf 100644 --- a/tests/linux/mimipenguin/python/mimipenguin.simple +++ b/tests/linux/mimipenguin/python/mimipenguin.simple @@ -6,11 +6,9 @@ credential/os/shadow: medium credential/password: low credential/password/finder: high credential/ssh/d: medium -data/base64/decode: medium data/encoding/base64: low discover/process/name: medium discover/processes/list: medium -discover/system/platform: medium exfil/stealer/password: critical fs/file/open: low fs/path/etc: low diff --git a/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff index 1c6c0ba57..3de65c25b 100644 --- a/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff @@ -1,4 +1,4 @@ -## Changed (2 added, 16 removed): macOS/clean/ls [🟡 MEDIUM → 🔵 LOW] +## Changed (2 added, 14 removed): macOS/clean/ls [🟡 MEDIUM → 🔵 LOW] ### 2 new behaviors 
@@ -7,13 +7,11 @@ | +LOW | **[fs/directory/traverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-traverse.yara#fts)** | traverse filesystem hierarchy | [_fts_children](https://github.com/search?q=_fts_children&type=code)
[_fts_close](https://github.com/search?q=_fts_close&type=code)
[_fts_read](https://github.com/search?q=_fts_read&type=code)
[_fts_open](https://github.com/search?q=_fts_open&type=code)
[_fts_set](https://github.com/search?q=_fts_set&type=code) | | +LOW | **[fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink)** | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -### 16 removed behaviors +### 14 removed behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| | -MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt) | encrypts data | [Encryption initializati](https://github.com/search?q=Encryption+initializati&type=code)
[Encryption info](https://github.com/search?q=Encryption+info&type=code) | -| -MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) | -| -MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | | -MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | | -MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) | | -MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [POST](https://github.com/search?q=POST&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[http](https://github.com/search?q=http&type=code) | diff --git a/tests/macOS/2023.3CX/libffmpeg.dirty.dylib.simple b/tests/macOS/2023.3CX/libffmpeg.dirty.dylib.simple index d929c3599..f396c7106 100644 --- a/tests/macOS/2023.3CX/libffmpeg.dirty.dylib.simple +++ b/tests/macOS/2023.3CX/libffmpeg.dirty.dylib.simple @@ -12,8 +12,6 @@ c2/tool_transfer/os: low crypto/aes: low crypto/encrypt: medium crypto/rc4: low -data/base64/decode: medium -data/base64/encode: medium data/compression/gzip: low data/compression/zlib: low data/encoding/base64: low diff --git a/tests/macOS/2023.3CX/libffmpeg.dylib.simple b/tests/macOS/2023.3CX/libffmpeg.dylib.simple index 3cca27c6a..080038bc7 100644 --- a/tests/macOS/2023.3CX/libffmpeg.dylib.simple +++ b/tests/macOS/2023.3CX/libffmpeg.dylib.simple @@ -6,8 +6,6 @@ c2/tool_transfer/os: low crypto/aes: low crypto/encrypt: medium crypto/rc4: low -data/base64/decode: medium -data/base64/encode: medium data/compression/zlib: low data/encoding/base64: low exec/shell/TERM: low diff --git a/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff b/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff index a77e8e67b..9c13f30ad 100644 --- a/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff @@ -1,12 +1,10 @@ -## Changed (16 added, 2 removed): macOS/2023.3CX/libffmpeg.dylib [🔵 LOW → 🟡 MEDIUM] +## Changed (14 added, 2 removed): macOS/2023.3CX/libffmpeg.dylib [🔵 LOW → 🟡 MEDIUM] -### 16 new behaviors +### 14 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| | +MEDIUM | **[crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt)** | encrypts data | [Encryption initializati](https://github.com/search?q=Encryption+initializati&type=code)
[Encryption info](https://github.com/search?q=Encryption+info&type=code) | -| +MEDIUM | **[data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode)** | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) | -| +MEDIUM | **[data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode)** | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | | +MEDIUM | **[fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path)** | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | | +MEDIUM | **[impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent)** | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) | | +MEDIUM | **[net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post)** | submits content to websites | [POST](https://github.com/search?q=POST&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[http](https://github.com/search?q=http&type=code) | diff --git a/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple b/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple index 633722371..465ed14ae 100644 --- a/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple +++ b/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple @@ -7,6 +7,5 @@ fs/file/make_executable: high fs/path/tmp: medium fs/path/var: low fs/permission/modify: medium -impact/degrade/app: medium process/create: low process/multithreaded: low diff --git a/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple b/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple index 270e10c62..58ea40364 100644 --- a/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple +++ b/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple @@ -11,7 +11,6 @@ crypto/gost89: low crypto/openssl: medium crypto/public_key: low crypto/rc4: low -data/base64/decode: medium data/compression/zlib: low data/encoding/base64: low data/hash/blake2b: low diff --git a/tests/npm/2024.next-react-notify/tocall.js.simple b/tests/npm/2024.next-react-notify/tocall.js.simple index de43eff3f..adfe31bd8 100644 --- a/tests/npm/2024.next-react-notify/tocall.js.simple +++ b/tests/npm/2024.next-react-notify/tocall.js.simple @@ -3,7 +3,6 @@ c2/addr/ip: high c2/addr/url: high c2/tool_transfer/os: low discover/system/platform: medium -evasion/bypass_security/executionpolicy_bypass: high evasion/indicator_blocking/echo_off: high exec/shell/power: medium fs/file/delete: medium diff --git a/tests/php/2024.S3RV4N7-SHELL/crot.php.simple b/tests/php/2024.S3RV4N7-SHELL/crot.php.simple index 83bffee23..e9d520d94 100644 --- a/tests/php/2024.S3RV4N7-SHELL/crot.php.simple +++ b/tests/php/2024.S3RV4N7-SHELL/crot.php.simple 
@@ -2,7 +2,6 @@
 3P/sig_base/webshell_php: critical
 anti-static/base64/function_names: medium
 anti-static/obfuscation/php: medium
-data/base64/decode: medium
 data/encoding/base64: low
 evasion/indicator_blocking/mask_exceptions: medium
 impact/remote_access/php: high
diff --git a/tests/php/2024.malcure/simple.php.simple b/tests/php/2024.malcure/simple.php.simple
index b3ee01953..b41fe5d44 100644
--- a/tests/php/2024.malcure/simple.php.simple
+++ b/tests/php/2024.malcure/simple.php.simple
@@ -1,7 +1,6 @@
 # php/2024.malcure/simple.php: critical
 3P/sig_base/webshell_php: critical
 3P/sig_base/webshell_php_obfusc: critical
-data/base64/decode: medium
 data/encoding/base64: low
 exec/remote_commands/code_eval: high
 impact/remote_access/backdoor: medium
diff --git a/tests/php/2024.sagsooz/2024.php.simple b/tests/php/2024.sagsooz/2024.php.simple
index bccf67b92..a88adeee7 100644
--- a/tests/php/2024.sagsooz/2024.php.simple
+++ b/tests/php/2024.sagsooz/2024.php.simple
@@ -2,7 +2,6 @@
 3P/sig_base/webshell_php: critical
 c2/addr/url: medium
 credential/password: low
-data/base64/decode: medium
 data/embedded/base64_url: medium
 data/embedded/html: medium
 data/encoding/base64: low
diff --git a/tests/php/clean/composer-2.7.7.simple b/tests/php/clean/composer-2.7.7.simple
index 10c593bf5..878816868 100644
--- a/tests/php/clean/composer-2.7.7.simple
+++ b/tests/php/clean/composer-2.7.7.simple
@@ -16,7 +16,6 @@ crypto/aes: low
 crypto/encrypt: medium
 crypto/openssl: medium
 crypto/public_key: low
-data/base64/decode: medium
 data/base64/encode: medium
 data/compression/bzip2: low
 data/compression/gzip: low
@@ -47,7 +46,6 @@ fs/directory/remove: low
 fs/file/copy: medium
 fs/file/delete: low
 fs/file/delete_forcibly: medium
-fs/file/read: low
 fs/file/times_set: medium
 fs/file/truncate: low
 fs/file/write: low
diff --git a/tests/php/clean/run-tests.php.simple b/tests/php/clean/run-tests.php.simple
index 7c5a6ac74..c4677531e 100644
--- a/tests/php/clean/run-tests.php.simple
+++ b/tests/php/clean/run-tests.php.simple
@@ -1,7 +1,6 @@
 # php/clean/run-tests.php: medium
 anti-behavior/random_behavior: low
 c2/tool_transfer/os: low
-data/base64/decode: medium
 data/base64/encode: medium
 data/compression/gzip: low
 data/compression/zlib: low
diff --git a/tests/ruby/2024.Infecting_Simulation/malware.rb.simple b/tests/ruby/2024.Infecting_Simulation/malware.rb.simple
index ef81dee51..f247c5282 100644
--- a/tests/ruby/2024.Infecting_Simulation/malware.rb.simple
+++ b/tests/ruby/2024.Infecting_Simulation/malware.rb.simple
@@ -1,6 +1,5 @@
 # ruby/2024.Infecting_Simulation/malware.rb: high
 fs/directory/traverse: medium
-fs/file/read: low
 fs/file/rename: low
 fs/file/write: medium
 malware/ref: high
diff --git a/tests/ruby/2024.gtfo/rsocket.rb.simple b/tests/ruby/2024.gtfo/rsocket.rb.simple
index 69d986209..217fecd73 100644
--- a/tests/ruby/2024.gtfo/rsocket.rb.simple
+++ b/tests/ruby/2024.gtfo/rsocket.rb.simple
@@ -1,5 +1,4 @@
 # ruby/2024.gtfo/rsocket.rb: high
 exec/cmd/pipe: medium
-fs/file/read: low
 impact/remote_access/reverse_shell: high
 net/tcp/connect: medium
diff --git a/tests/ruby/2024.reverse_shells/oreilly1.rb.simple b/tests/ruby/2024.reverse_shells/oreilly1.rb.simple
index 002d799bc..51719b850 100644
--- a/tests/ruby/2024.reverse_shells/oreilly1.rb.simple
+++ b/tests/ruby/2024.reverse_shells/oreilly1.rb.simple
@@ -1,6 +1,5 @@
 # ruby/2024.reverse_shells/oreilly1.rb: high
 c2/addr/ip: medium
 exec/cmd/pipe: medium
-fs/file/read: low
 impact/remote_access/reverse_shell: high
 net/tcp/connect: medium
diff --git a/tests/ruby/2024.reverse_shells/oreilly2.rb.simple b/tests/ruby/2024.reverse_shells/oreilly2.rb.simple
index 3ca8cdcde..995ca0b57 100644
--- a/tests/ruby/2024.reverse_shells/oreilly2.rb.simple
+++ b/tests/ruby/2024.reverse_shells/oreilly2.rb.simple
@@ -1,6 +1,5 @@
 # ruby/2024.reverse_shells/oreilly2.rb: critical
 3P/sig_base/hktl_shellpop_ruby: critical
 exec/cmd/pipe: medium
-fs/file/read: low
 impact/remote_access/reverse_shell: high
 net/tcp/connect: medium
diff --git a/tests/windows/2024.GitHub.Clipper/main.exe.simple b/tests/windows/2024.GitHub.Clipper/main.exe.simple
index 7484cd2d7..8b7e29042 100644
--- a/tests/windows/2024.GitHub.Clipper/main.exe.simple
+++ b/tests/windows/2024.GitHub.Clipper/main.exe.simple
@@ -29,7 +29,6 @@ credential/ssl/private_key: low
 crypto/aes: low
 crypto/cipher: medium
 crypto/decrypt: low
-crypto/ecdsa: low
 crypto/ed25519: low
 crypto/public_key: low
 crypto/rc4: low
@@ -45,7 +44,6 @@ discover/ip/public: high
 discover/network/mac_address: medium
 discover/processes/list: medium
 discover/system/cpu: low
-exec/cmd/pipe: medium
 exec/conditional/is_admin: medium
 exec/plugin: low
 exec/program: medium
@@ -97,10 +95,9 @@ net/ip/host_port: medium
 net/ip/parse: medium
 net/ip/resolve: low
 net/remote_control/vnc: medium
-net/resolve/hostname: medium
+net/resolve/hostname: low
 net/socket/listen: medium
 net/socket/local_addr: low
-net/socket/options_set: medium
 net/socket/peer_address: low
 net/socket/receive: low
 net/socket/send: low
diff --git a/tests/windows/2024.aspdasdksa2/creal.exe.simple b/tests/windows/2024.aspdasdksa2/creal.exe.simple
index 3b312d9c9..b57a915ed 100644
--- a/tests/windows/2024.aspdasdksa2/creal.exe.simple
+++ b/tests/windows/2024.aspdasdksa2/creal.exe.simple
@@ -33,5 +33,4 @@ net/url/request: medium
 os/signal/handle: low
 process/chdir: low
 process/create: low
-process/multi: medium
 process/terminate: medium
diff --git a/tests/windows/2024.aspdasdksa2/creal.pyc.simple b/tests/windows/2024.aspdasdksa2/creal.pyc.simple
index c3a1cb378..a39b203d1 100644
--- a/tests/windows/2024.aspdasdksa2/creal.pyc.simple
+++ b/tests/windows/2024.aspdasdksa2/creal.pyc.simple
@@ -17,7 +17,6 @@ credential/browser/chromium_master_password: high
 credential/gaming/minecraft: medium
 credential/password: low
 crypto/aes: low
-data/base64/decode: medium
 data/encoding/base64: low
 discover/ip/geo: high
 discover/ip/public: high

From 6ba2318d1fda4bf2bbe4a893b697d6f79e84d1c4 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Mon, 19 May 2025 15:27:32 -0500
Subject: [PATCH 17/18] Loosen up execution policy rules

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 rules/evasion/bypass_security/executionpolicy_bypass.yara | 2 --
 tests/npm/2024.next-react-notify/tocall.js.simple | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/rules/evasion/bypass_security/executionpolicy_bypass.yara b/rules/evasion/bypass_security/executionpolicy_bypass.yara
index 80ab001e3..9093f68a6 100644
--- a/rules/evasion/bypass_security/executionpolicy_bypass.yara
+++ b/rules/evasion/bypass_security/executionpolicy_bypass.yara
@@ -1,7 +1,6 @@
 rule ps_executionpolicy_bypass: high {
 meta:
 description = "bypasses PowerShell Execution Policy"
- filetypes = "ps1"
 
 strings:
 $ref = "-ExecutionPolicy Bypass"
@@ -13,7 +12,6 @@ rule ps_executionpolicy_bypass: high {
 rule ps_executionpolicy_bypass_small_child: high {
 meta:
 description = "Calls powerscript and bypasses PowerShell Execution Policy"
- filetypes = "ps1"
 
 strings:
 $ref = "-ExecutionPolicy Bypass"
diff --git a/tests/npm/2024.next-react-notify/tocall.js.simple b/tests/npm/2024.next-react-notify/tocall.js.simple
index adfe31bd8..de43eff3f 100644
--- a/tests/npm/2024.next-react-notify/tocall.js.simple
+++ b/tests/npm/2024.next-react-notify/tocall.js.simple
@@ -3,6 +3,7 @@ c2/addr/ip: high
 c2/addr/url: high
 c2/tool_transfer/os: low
 discover/system/platform: medium
+evasion/bypass_security/executionpolicy_bypass: high
 evasion/indicator_blocking/echo_off: high
 exec/shell/power: medium
 fs/file/delete: medium
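Review bot: Removing `filetypes = "ps1"` from `ps_executionpolicy_bypass` makes the plain-string `$ref = "-ExecutionPolicy Bypass"` apply to every file type the scanner sees, so any text that merely mentions the flag (a README, a changelog, a script that documents the option) will now report `evasion/bypass_security/executionpolicy_bypass: high`, whereas the tocall.js.simple expectation shows the intended new match is JavaScript. A narrower change would keep the restriction and add the wrapper languages that spawn PowerShell, e.g. `filetypes = "js,ps1,ts"`, which keeps the high severity without matching prose in arbitrary files. The second hunk makes the same removal in `ps_executionpolicy_bypass_small_child`, whose condition lies outside the hunk; its description "Calls powerscript" reads like a typo for "PowerShell" that is worth correcting while this meta block is being edited.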
From 20ab0cc2bb60f64fce329838483b676c621976a1 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Mon, 19 May 2025 15:42:24 -0500
Subject: [PATCH 18/18] More rule tweaks

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 rules/exec/remote_commands/code_eval.yara | 1 +
 rules/persist/kernel_module/symbol-lookup.yara | 6 +++---
 tests/c/clean/falco/ppm_events.c.simple | 1 +
 tests/ruby/2024.Ruby_rootkit/Ruby.c.simple | 3 ++-
 4 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/rules/exec/remote_commands/code_eval.yara b/rules/exec/remote_commands/code_eval.yara
index e0e762ba1..90a090b75 100644
--- a/rules/exec/remote_commands/code_eval.yara
+++ b/rules/exec/remote_commands/code_eval.yara
@@ -79,6 +79,7 @@ rule js_eval_obfuscated_fromChar: critical {
 rule js_anonymous_function: medium {
 meta:
 description = "evaluates code using an anonymous function"
+ filetypes = "js,ts"
 
 strings:
 $func = /\n\s{0,8}\(function\s{0,8}\(\)\s{0,8}\{/
diff --git a/rules/persist/kernel_module/symbol-lookup.yara b/rules/persist/kernel_module/symbol-lookup.yara
index b37bba1d4..8a053bf00 100644
--- a/rules/persist/kernel_module/symbol-lookup.yara
+++ b/rules/persist/kernel_module/symbol-lookup.yara
@@ -3,7 +3,7 @@ rule kallsyms_lookup: high linux {
 description = "access unexported kernel symbols"
 ref = "https://lwn.net/Articles/813350/"
- filetypes = "elf,so"
+ filetypes = "c,elf,so"
 
 strings:
 $ref = "kallsyms_lookup_name" fullword
@@ -29,7 +29,7 @@ rule kallsyms: medium linux {
 rule bpftrace: override linux {
 meta:
 description = "bpftrace"
- filetypes = "elf,so"
+ filetypes = "c,elf,so"
 kallsyms = "medium"
 
 strings:
@@ -42,7 +42,7 @@ rule bpftrace: override linux {
 rule bpf: override linux {
 meta:
 description = "libbpf"
- filetypes = "so,elf"
+ filetypes = "c,so,elf"
 kallsyms_lookup = "medium"
 proc_d_exe_high = "medium"
 proc_d_cmdline = "medium"
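Review bot: The new `filetypes = "js,ts"` on `js_anonymous_function` scopes a regex that only recognises a JavaScript IIFE opener, which is a sensible restriction, but the rule's condition and the sibling rule js_eval_obfuscated_fromChar named in the hunk header are outside the hunk, so it is not visible whether they carry the same filter. If the scanner maps other JavaScript extensions (`.mjs`, `.cjs`, `.jsx`) or HTML with inline scripts to a filetype token other than `js`/`ts`, those inputs silently stop matching this rule; worth confirming against pkg/programkind before relying on the filter, since patch 01 in this series touched that mapping. A short meta entry or comment stating why the filter exists would also help the next rule author, e.g. `// js,ts only: the IIFE pattern is JavaScript syntax and false-positives on prose`.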
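Review bot: The third hunk writes the new value as `filetypes = "c,so,elf"` while the first two write `filetypes = "c,elf,so"`; if the value is treated as a set the difference is harmless, but it reads as an oversight and should be `filetypes = "c,elf,so"` in all three rules. The `bpftrace` override is now applied to C sources and downgrades `kallsyms` to medium, yet the `kallsyms` rule itself (its header is the second hunk's context, its meta is not changed in this diff) does not appear to gain the `c` filetype; if it still carries `filetypes = "elf,so"`, that override entry can never take effect on a C file. The falco expectation added in this commit reports `persist/kernel_module/symbol_lookup: low`, which neither visible override explains (both set medium), so the effective C-source severity presumably comes from an override outside this diff — worth double-checking that this is the intended result rather than accidental masking of the new high-severity `kallsyms_lookup` match.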
diff --git a/tests/c/clean/falco/ppm_events.c.simple b/tests/c/clean/falco/ppm_events.c.simple
index 20ef71b3c..3a5bb5439 100644
--- a/tests/c/clean/falco/ppm_events.c.simple
+++ b/tests/c/clean/falco/ppm_events.c.simple
@@ -7,3 +7,4 @@ net/http/post: medium
 net/socket/connect: medium
 net/socket/send: low
 net/url/embedded: low
+persist/kernel_module/symbol_lookup: low
diff --git a/tests/ruby/2024.Ruby_rootkit/Ruby.c.simple b/tests/ruby/2024.Ruby_rootkit/Ruby.c.simple
index 0fb588c0f..8792dc9bc 100644
--- a/tests/ruby/2024.Ruby_rootkit/Ruby.c.simple
+++ b/tests/ruby/2024.Ruby_rootkit/Ruby.c.simple
@@ -1,5 +1,6 @@
-# ruby/2024.Ruby_rootkit/Ruby.c: high
+# ruby/2024.Ruby_rootkit/Ruby.c: critical
 3P/elastic/rootkit: high
 c2/refs: medium
 evasion/rootkit/refs: high
 malware/ref: medium
+persist/kernel_module/symbol_lookup: high