From 4b26bde0846c36ba0913fc1c401a2aa561ff47aa Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Thu, 22 May 2025 08:18:30 -0500
Subject: [PATCH 1/2] Reduce FPs for common JS files
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 rules/exec/remote_commands/code_eval.yara | 36 +++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/rules/exec/remote_commands/code_eval.yara b/rules/exec/remote_commands/code_eval.yara
index 90a090b75..22e9a3b57 100644
--- a/rules/exec/remote_commands/code_eval.yara
+++ b/rules/exec/remote_commands/code_eval.yara
@@ -59,8 +59,24 @@ rule js_eval_near_enough_fromChar: high { $exec = /[\s\{]eval\(/ $decrypt = "String.fromCharCode" + $not_code_server = "fromCharCode(...codes: number[]): string;" + $not_grafana = "self.webpackChunkgrafana=self.webpackChunkgrafana||[]).push(" + $not_jupyter = "self[\" webpackChunk_jupyterlab_application_top \"]=self[\" webpackChunk_jupyterlab_application_top \"]||[]).push(" + $not_jupyter2 = "self[\" webpackChunk_JUPYTERLAB_CORE_OUTPUT \"] = self[\" webpackChunk_JUPYTERLAB_CORE_OUTPUT \"] || []).push([[132,7061]" + $not_jupyter3 = "self[\" webpackChunk_jupyterlab_application_top \"]=self[\" webpackChunk_jupyterlab_application_top \"]||[]).push([[227],{69119:" + $not_jupyter4 = "self[\" webpackChunk_jupyterlab_application_top \"]=self[\" webpackChunk_jupyterlab_application_top \"]||[]).push([[9296],{49296:" + $not_jupyter5 = "self[\" webpackChunk_jupyterlab_application_top \"]=self[\" webpackChunk_jupyterlab_application_top \"]||[]).push([[4470],{27902:" + $not_monaco1 = "https://github.com/microsoft/monaco-editor" + $not_monaco2 = "Monaco is not using webworkers for background tasks" + $not_pem1 = "Determine if an object is a Buffer" + $not_pem2 = "@author Feross Aboukhadijeh " + $not_phpmain = "php-language-features/dist/phpMain.js.map" + $not_protobuf = "see: https://github.com/dcodeio/protobuf.js for details" + $not_tree_sitter = "@see https://tree-sitter.github.io/tree-sitter/using-parsers/queries" + $not_tweetnacl = "Implementation derived from TweetNaCl" + condition: - filesize < 5MB and all of them and math.abs(@exec - @decrypt) > 384 + filesize < 5MB and all of them and math.abs(@exec - @decrypt) > 384 and none of ($not*) } rule js_eval_obfuscated_fromChar: critical { 
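Review bot: The new condition `filesize < 5MB and all of them and math.abs(@exec - @decrypt) > 384 and none of ($not*)` can never be true, because `all of them` now also demands that every `$not_*` string be present while `none of ($not*)` demands that none is, so the rule is silently dead rather than less noisy. The positive strings have to be named explicitly, e.g. `filesize < 5MB and $exec and $decrypt and math.abs(@exec - @decrypt) > 384 and none of ($not*)`. The second hunk of this patch has the same contradiction for js_eval_obfuscated_fromChar (`all of them ... none of ($not*)` with `$exec`/`$ref`). The follow-up patch in this series drops the `$not_*` strings again, which removes the contradiction, but any rule that keeps this exclusion pattern needs the explicit string list, and a rule test that expects a known-positive sample to match would have caught this.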
@@ -72,8 +88,24 @@ rule js_eval_obfuscated_fromChar: critical { $exec = /[\s\{]eval\(/ $ref = /fromCharCode\(\w{0,16}\s{0,2}[\-\+\*\^]{0,2}\w{0,16}/ + $not_code_server = "fromCharCode(...codes: number[]): string;" + $not_grafana = "self.webpackChunkgrafana=self.webpackChunkgrafana||[]).push(" + $not_jupyter = "self[\" webpackChunk_jupyterlab_application_top \"]=self[\" webpackChunk_jupyterlab_application_top \"]||[]).push(" + $not_jupyter2 = "self[\" webpackChunk_JUPYTERLAB_CORE_OUTPUT \"] = self[\" webpackChunk_JUPYTERLAB_CORE_OUTPUT \"] || []).push([[132,7061]" + $not_jupyter3 = "self[\" webpackChunk_jupyterlab_application_top \"]=self[\" webpackChunk_jupyterlab_application_top \"]||[]).push([[227],{69119:" + $not_jupyter4 = "self[\" webpackChunk_jupyterlab_application_top \"]=self[\" webpackChunk_jupyterlab_application_top \"]||[]).push([[9296],{49296:" + $not_jupyter5 = "self[\" webpackChunk_jupyterlab_application_top \"]=self[\" webpackChunk_jupyterlab_application_top \"]||[]).push([[4470],{27902:" + $not_monaco1 = "https://github.com/microsoft/monaco-editor" + $not_monaco2 = "Monaco is not using webworkers for background tasks" + $not_pem1 = "Determine if an object is a Buffer" + $not_pem2 = "@author Feross Aboukhadijeh " + $not_phpmain = "php-language-features/dist/phpMain.js.map" + $not_protobuf = "see: https://github.com/dcodeio/protobuf.js for details" + $not_tree_sitter = "@see https://tree-sitter.github.io/tree-sitter/using-parsers/queries" + $not_tweetnacl = "Implementation derived from TweetNaCl" + condition: - filesize < 5MB and all of them and math.abs(@exec - @ref) > 384 + filesize < 5MB and all of them and math.abs(@exec - @ref) > 384 and none of ($not*) } rule js_anonymous_function: medium { From edf3d6766da6907f84f71a873df740019f04a81d Mon Sep 17 00:00:00 2001 From: egibs <20933572+egibs@users.noreply.github.com> Date: Thu, 22 May 2025 09:38:36 -0500 Subject: [PATCH 2/2] Drop severities 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 rules/exec/remote_commands/code_eval.yara | 48 ++++------------------
 1 file changed, 8 insertions(+), 40 deletions(-)
diff --git a/rules/exec/remote_commands/code_eval.yara b/rules/exec/remote_commands/code_eval.yara
index 22e9a3b57..59c369942 100644
--- a/rules/exec/remote_commands/code_eval.yara
+++ b/rules/exec/remote_commands/code_eval.yara
@@ -50,62 +50,30 @@ rule js_eval_response: critical { filesize < 1MB and any of ($val*) } -rule js_eval_near_enough_fromChar: high { +rule js_eval_near_enough_fromChar: medium { meta: - description = "Likely executes encrypted content" + description = "Evaluates content via String.fromCharCode" filetypes = "js,ts" strings: - $exec = /[\s\{]eval\(/ + $eval = /[\s\{]eval\(/ $decrypt = "String.fromCharCode" - $not_code_server = "fromCharCode(...codes: number[]): string;" - $not_grafana = "self.webpackChunkgrafana=self.webpackChunkgrafana||[]).push(" - $not_jupyter = "self[\" webpackChunk_jupyterlab_application_top \"]=self[\" webpackChunk_jupyterlab_application_top \"]||[]).push(" - $not_jupyter2 = "self[\" webpackChunk_JUPYTERLAB_CORE_OUTPUT \"] = self[\" webpackChunk_JUPYTERLAB_CORE_OUTPUT \"] || []).push([[132,7061]" - $not_jupyter3 = "self[\" webpackChunk_jupyterlab_application_top \"]=self[\" webpackChunk_jupyterlab_application_top \"]||[]).push([[227],{69119:" - $not_jupyter4 = "self[\" webpackChunk_jupyterlab_application_top \"]=self[\" webpackChunk_jupyterlab_application_top \"]||[]).push([[9296],{49296:" - $not_jupyter5 = "self[\" webpackChunk_jupyterlab_application_top \"]=self[\" webpackChunk_jupyterlab_application_top \"]||[]).push([[4470],{27902:" - $not_monaco1 = "https://github.com/microsoft/monaco-editor" - $not_monaco2 = "Monaco is not using webworkers for background tasks" - $not_pem1 = "Determine if an object is a Buffer" - $not_pem2 = "@author Feross Aboukhadijeh " - $not_phpmain = "php-language-features/dist/phpMain.js.map" - $not_protobuf = "see: https://github.com/dcodeio/protobuf.js for details" - $not_tree_sitter = "@see https://tree-sitter.github.io/tree-sitter/using-parsers/queries" - $not_tweetnacl = "Implementation derived from TweetNaCl" - condition: - filesize < 5MB and all of them and math.abs(@exec - @decrypt) > 384 and none of ($not*) + filesize < 5MB and all of them and math.abs(@eval - @decrypt) > 384 } -rule 
js_eval_obfuscated_fromChar: critical { +rule js_eval_obfuscated_fromChar: high { meta: - description = "Likely executes encrypted content" + description = "Likely evaluates encrypted content via fromCharCode" filetypes = "js,ts" strings: - $exec = /[\s\{]eval\(/ + $eval = /[\s\{]eval\(/ $ref = /fromCharCode\(\w{0,16}\s{0,2}[\-\+\*\^]{0,2}\w{0,16}/ - $not_code_server = "fromCharCode(...codes: number[]): string;" - $not_grafana = "self.webpackChunkgrafana=self.webpackChunkgrafana||[]).push(" - $not_jupyter = "self[\" webpackChunk_jupyterlab_application_top \"]=self[\" webpackChunk_jupyterlab_application_top \"]||[]).push(" - $not_jupyter2 = "self[\" webpackChunk_JUPYTERLAB_CORE_OUTPUT \"] = self[\" webpackChunk_JUPYTERLAB_CORE_OUTPUT \"] || []).push([[132,7061]" - $not_jupyter3 = "self[\" webpackChunk_jupyterlab_application_top \"]=self[\" webpackChunk_jupyterlab_application_top \"]||[]).push([[227],{69119:" - $not_jupyter4 = "self[\" webpackChunk_jupyterlab_application_top \"]=self[\" webpackChunk_jupyterlab_application_top \"]||[]).push([[9296],{49296:" - $not_jupyter5 = "self[\" webpackChunk_jupyterlab_application_top \"]=self[\" webpackChunk_jupyterlab_application_top \"]||[]).push([[4470],{27902:" - $not_monaco1 = "https://github.com/microsoft/monaco-editor" - $not_monaco2 = "Monaco is not using webworkers for background tasks" - $not_pem1 = "Determine if an object is a Buffer" - $not_pem2 = "@author Feross Aboukhadijeh " - $not_phpmain = "php-language-features/dist/phpMain.js.map" - $not_protobuf = "see: https://github.com/dcodeio/protobuf.js for details" - $not_tree_sitter = "@see https://tree-sitter.github.io/tree-sitter/using-parsers/queries" - $not_tweetnacl = "Implementation derived from TweetNaCl" - condition: - filesize < 5MB and all of them and math.abs(@exec - @ref) > 384 and none of ($not*) + filesize < 5MB and all of them and math.abs(@eval - @ref) > 384 } rule js_anonymous_function: medium {
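Review bot: The rewritten conditions `math.abs(@eval - @decrypt) > 384` and `math.abs(@eval - @ref) > 384` compare only the first occurrence of each string and require them to be more than 384 bytes apart, which reads inverted for a rule named js_eval_near_enough_fromChar and whose new description says it "Evaluates content via String.fromCharCode"; if the distance requirement is deliberate (e.g. to skip an eval and a fromCharCode that sit together), that intent should be written down next to the condition, e.g. `// first eval( and first fromCharCode must be >384 bytes apart; confirm this is the intended relationship`, and if it is not, the operator needs to be `<`. The severity changes (high to medium, critical to high) are also unexplained in the hunk; a short reason in the `description` or a comment above each rule would help the next person who tunes these. The `math` module these conditions rely on is imported outside this hunk, so I could not confirm it is still present.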