From 1c58757085a32a571307329a360b2d12dad249d1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Thomas=20Str=C3=B6mberg?= Date: Sun, 17 Nov 2024 08:53:23 -0500 Subject: [PATCH] Improve Python detection for EvilDojo666 attack (#635) * Improve Python detection for EvilDojo666 attack * Improve detection of machO backdoors & stealers (#631) * improve malicious dmg detection * Improve detection of machO backdoors & stealers * improve rules * update testdata * update testdata * tune rules * tune rules --------- Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com> * Add files, update test data * Add models.py sample * improve rule matcha accuracy * fmt yara * fix false-positive for versioneer/versioneer.py --------- Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com> --- Makefile | 2 +- rules/anti-static/base64/eval.yara | 4 +- rules/anti-static/obfuscation/js.yara | 2 +- rules/anti-static/obfuscation/python.yara | 37 ++++++++++++++++++- rules/c2/addr/url.yara | 14 +++++++ rules/exec/imports/python.yara | 25 +++++++++++++ rules/exec/remote_commands/code_eval.yara | 27 +++++++++++++- rules/false_positives/py_versioneer.yara | 4 +- .../update_base64_payload1.py.simple | 2 + .../update_base64_payload2.py.simple | 1 + tests/linux/2024.hadooken/drop2.sh.simple | 1 + tests/linux/2024.hadooken/figure4.py.simple | 1 + .../mimipenguin/python/mimipenguin.simple | 1 + tests/php/2024.sagsooz/2024.php.simple | 1 + .../python/2021.DiscordSafety/setup.py.simple | 1 + .../valyrian_debug_setup.py.simple | 1 + .../2022.activedevbadge-0.39/setup.py.simple | 1 + tests/python/2023.JokerSpy/shared.dat.simple | 1 + .../python/2023.axderz-1.0.4/setup.py.simple | 1 + tests/python/2024.Custom.RAT/output.py.simple | 1 + .../__init__.py.simple | 1 + .../obfuscated.py.simple | 1 + ...cfb68895a84adaa173c543792be891ba.py.simple | 1 + .../2024.advpruebitaa9-1.0.0/setup.py.simple | 1 + .../pre_install.py.simple | 1 + .../setup.py.simple | 1 + tests/python/2024.coloredtxt/unhex.py.simple | 1 - .../2024.d3duct1v/xfilesyncerx.py.simple | 3 +- 
.../python/2024.evildojo666/models.py.simple | 5 +++ tests/python/2024.yocolor/__init__.py.simple | 1 + tests/python/2024.yocolor/setup.py.json | 17 +++++++++ .../conda-build/_load_setup_py_data.py.simple | 1 + .../clean/gevent/test__monkey.py.simple | 1 + .../setup.py.simple | 1 + .../clean/google-cloud-sdk/mysql.py.simple | 1 + tests/python/clean/hatch/migrate.py.simple | 1 + tests/python/clean/idna/setup.py.simple | 1 + tests/python/clean/jaraco/__init__.py.simple | 1 + .../clean/magic_trace/magic_trace.py.simple | 1 + tests/python/clean/ml_sdk/setup.py.simple | 1 + tests/python/clean/numba/support.py.simple | 2 + .../pydevd/setup_pydevd_cython.py.simple | 1 + .../python/clean/pyparsing/sparser.py.simple | 1 + tests/python/clean/requests/setup.py.simple | 1 + .../clean/setuptools/discovery.py.simple | 1 + .../clean/setuptools/namespaces.py.simple | 1 + .../clean/setuptools/package_index.py.simple | 1 + .../python/clean/setuptools/sandbox.py.simple | 1 + .../setuptools/test_pyprojecttoml.py.simple | 1 + .../tfjs_predict_extractor_util.py.simple | 1 + .../windows/2024.GitHub.Clipper/raw.py.simple | 1 + 51 files changed, 171 insertions(+), 11 deletions(-) create mode 100644 tests/python/2024.evildojo666/models.py.simple
diff --git a/Makefile b/Makefile
index b99ac90a1..d2c4a9869 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@ SAMPLES_REPO ?= chainguard-dev/malcontent-samples
-SAMPLES_COMMIT ?= 4b70b17db7e2219552be9b4a05e8d8b3ffe09146
+SAMPLES_COMMIT ?= 8c02e6ef4d3a67e4e45f58e1b1b05a586e8bc24f
 # BEGIN: lint-install ../malcontent
 # http://github.com/tinkerbell/lint-install
diff --git a/rules/anti-static/base64/eval.yara b/rules/anti-static/base64/eval.yara
index 1360441c5..9262a5dec 100644
--- a/rules/anti-static/base64/eval.yara
+++ b/rules/anti-static/base64/eval.yara
@@ -46,9 +46,9 @@ rule ruby_eval2_near_enough: critical {
 all of them and math.abs(@base64 - @eval) <= 200
 }
-rule python_exec_near_enough: high {
+rule python_exec_near_enough_base64: high {
 meta:
- description = "Evaluates base64 content"
+ description = "Likely executes base64 content"
 strings:
 $exec = "exec("
diff --git a/rules/anti-static/obfuscation/js.yara b/rules/anti-static/obfuscation/js.yara
index 88cd534e3..de7144c8e 100644
--- a/rules/anti-static/obfuscation/js.yara
+++ b/rules/anti-static/obfuscation/js.yara
@@ -125,7 +125,7 @@ rule js_const_func_obfuscation: medium {
 rule js_hex_eval_obfuscation: critical {
 meta:
- description = "javascript eval bfuscation (hex)"
+ description = "javascript eval obfuscation (hex)"
 strings:
 $return = /\(eval, _{0,4}0x[\w]{0,32}[\(\[]/
diff --git a/rules/anti-static/obfuscation/python.yara b/rules/anti-static/obfuscation/python.yara
index e6829ec66..14146905f 100644
--- a/rules/anti-static/obfuscation/python.yara
+++ b/rules/anti-static/obfuscation/python.yara
@@ -1,3 +1,12 @@
+private rule probably_python {
+ strings:
+ $f_function = "import" fullword
+ $f_for = "for x in" fullword
+
+ condition:
+ filesize < 512KB and any of ($f*)
+}
+
 rule Vare_Obfuscator: critical {
 meta:
 description = "obfuscated with https://github.com/saintdaddy/Vare-Obfuscator"
@@ -29,10 +38,11 @@ rule join_map_chr: high {
 filetypes = "py"
 strings:
- $ref = /join\(map\(chr,\[\d{1,3},\d{1,3},[\d\,]{1,32}/
+ $ref = /join\(map\(chr,\[\d{1,3}, {0,2}\d{1,3}, {0,2}[\d\,]{1,32}/
+ $ref2 = /join\(chr\([a-z]{1,5}\) for [a-z]{1,5} in \[\d{1,3}, {0,2}\d{1,3}, {0,2}[\d\,]{1,32}/
 condition:
- filesize < 8KB and $ref
+ filesize < 256KB and any of them
 }
 rule codecs_decode: high {
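Review bot: `probably_python` gates on `$f_function = "import" fullword`, but a bare `import` is also a keyword in JavaScript/TypeScript, Go and Java, so this private rule can admit plenty of non-Python input; the same single token is the whole of `has_import` in rules/exec/imports/python.yara, and this commit's own fixtures now attribute `exec/imports/python: low` to tests/php/2024.sagsooz/2024.php.simple and tests/linux/2024.hadooken/drop2.sh.simple (the shell script may embed Python, but the PHP hit is unlikely to be a Python import). The string name also mislabels its content — `$f_function` holds `import`, not a function definition. A Python-only anchor would tighten both rules: rename the string to `$f_import = "import" fullword`, add `$f_def = /def [a-zA-Z_]{1,32}\(/`, and require `filesize < 512KB and 2 of ($f*)`. Since the new `join: low` rule later in this file depends on `probably_python`, that change also keeps the `''.join(` heuristic from firing outside Python.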
@@ -463,3 +473,26 @@ rule decompress_base64_entropy: high {
 filesize < 1MB and any of ($k*) and $b64decode and $long_str and any of ($f*)
 }
+rule join: low {
+ meta:
+ description = "joins array together with an empty delimiter"
+
+ strings:
+ $join = "''.join("
+ $join_double = "\"\".join("
+
+ condition:
+ probably_python and any of them
+}
+
+rule urllib_as_int_array: critical {
+ meta:
+ description = "hides urllib code as an array of integers"
+
+ strings:
+ $urllib_dot = "117,114,108,108,105,98,46"
+ $urllib_dot2 = "117, 114, 108, 108, 105, 98, 46"
+
+ condition:
+ filesize < 1MB and any of them
+}
diff --git a/rules/c2/addr/url.yara b/rules/c2/addr/url.yara
index 8dbfb922a..744abcc0b 100644
--- a/rules/c2/addr/url.yara
+++ b/rules/c2/addr/url.yara
@@ -89,3 +89,17 @@ rule script_url_with_question: high {
 condition:
 filesize < 256KB and any of ($f*) and $ref and none of ($not*)
 }
+
+rule url_code_as_chr_int: high {
+ meta:
+ description = "hides URL within an array of integers"
+
+ strings:
+ $https = "104,116,116,112,115,58,47,47"
+ $https2 = "104, 116, 116, 112, 115, 58, 47, 47"
+ $http = "104,116,116,112,58,47,47"
+ $http2 = "104, 116, 116, 112, 58, 47, 47"
+
+ condition:
+ filesize < 1MB and any of them
+}
diff --git a/rules/exec/imports/python.yara b/rules/exec/imports/python.yara
index 0da2ecc95..295448989 100644
--- a/rules/exec/imports/python.yara
+++ b/rules/exec/imports/python.yara
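Review bot: `urllib_as_int_array` pins two literal spacings of the same decimal byte sequence (`$urllib_dot`, `$urllib_dot2`), and the sibling rules `url_code_as_chr_int` in rules/c2/addr/url.yara and `python_code_as_chr_int` in rules/exec/imports/python.yara repeat the same pair-of-literals layout; the `, {0,2}` separator idiom this commit already introduces for `join_map_chr` expresses each pair as one string and also tolerates the spacing a formatter may emit, e.g. `$urllib = /117, {0,2}114, {0,2}108, {0,2}108, {0,2}105, {0,2}98, {0,2}46/`. Neither `urllib_as_int_array` nor `url_code_as_chr_int` requires any other indicator, so the 1MB bound is the only thing standing between a `critical`/`high` verdict and arbitrary numeric data that happens to contain the sequence; gating `urllib_as_int_array` on `probably_python` (defined earlier in this file) and `url_code_as_chr_int` on an `import` fullword string, as `python_code_as_chr_int` already does, would make the severities easier to defend. The descriptions could also say what the digits are so the next maintainer can verify them without recomputing, e.g. `description = "hides urllib code as an array of integers (decimal character codes of 'urllib.')"`.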
@@ -1,3 +1,28 @@
+rule has_import: low {
+ meta:
+ description = "imports python modules"
+
+ strings:
+ $ref = /import [a-z0-9A-Z]{2,12}/ fullword
+ $ref2 = /from [a-z0-9A-Z\.]{2,48} import [a-z0-9A-Z]{2,24}/ fullword
+
+ condition:
+ filesize < 64KB and any of them
+}
+
+rule python_code_as_chr_int: critical {
+ meta:
+ description = "hides additional import as array of integers"
+
+ strings:
+ $import = "import" fullword
+ $int_no_space = "105,109,112,111,114,116,32"
+ $int_space = "105, 109, 112, 111, 114, 116, 32"
+
+ condition:
+ filesize < 1MB and $import and any of ($int*)
+}
+
 rule single_line_import: medium {
 meta:
 description = "imports built-in and executes more code on the same line"
diff --git a/rules/exec/remote_commands/code_eval.yara b/rules/exec/remote_commands/code_eval.yara
index 0a7e98485..e2f5da0d7 100644
--- a/rules/exec/remote_commands/code_eval.yara
+++ b/rules/exec/remote_commands/code_eval.yara
@@ -1,3 +1,5 @@
+import "math"
+
 rule eval: medium {
 meta:
 description = "evaluate code dynamically using eval()"
@@ -17,13 +19,36 @@ rule python_exec: medium {
 strings:
 $import = "import" fullword
- $val = /exec\([a-z\"\'\(\,\)]{1,32}/ fullword
+ $val = /exec\([\w\ \"\'\.\(\)\[\]]{1,64}/ fullword
 $empty = "exec()"
 condition:
 filesize < 1MB and $import and $val and not $empty
 }
+rule python_exec_near_enough_chr: high {
+ meta:
+ description = "Likely executes encoded character content"
+
+ strings:
+ $exec = "exec("
+ $chr = "chr("
+
+ condition:
+ all of them and math.abs(@chr - @exec) < 100
+}
+
+rule python_exec_chr: critical {
+ meta:
+ description = "Executes encoded character content"
+
+ strings:
+ $exec = /exec\(.{0,16}chr\(.{0,16}\[\d[\d\, ]{0,64}/
+
+ condition:
+ filesize < 512KB and all of them
+}
+
 rule shell_eval: medium {
 meta:
 description = "evaluate shell code dynamically using eval"
diff --git a/rules/false_positives/py_versioneer.yara b/rules/false_positives/py_versioneer.yara
index 8371157e1..78ed4497d 100644
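Review bot: In `python_exec_near_enough_chr`, `@chr` and `@exec` are shorthand for `@chr[1]` and `@exec[1]`, so `math.abs(@chr - @exec) < 100` compares only the first occurrence of each string; a file whose first `chr(` is far from its `exec(` is missed even when another `chr(` sits right next to that `exec(`. Iterating the matches, `for any i in (1..#exec) : (for any j in (1..#chr) : (math.abs(@chr[j] - @exec[i]) < 100))`, evaluates every pair, and because that nested loop grows with the match counts the rule should carry a `filesize` bound like the `512KB` that `python_exec_chr` uses — it is the only new rule in this hunk without one. The widened `$val` in `python_exec` now admits `\w`, space, `.`, `[` and `]` but no longer `,`; tests/python/2024.coloredtxt/unhex.py.simple loses its `exec/remote_commands/code_eval: medium` line in this same commit, and whether that is intended tuning or a side effect of the new class is not visible from the diff, so it is worth confirming against the sample. The `python_exec` rule header sits outside the hunk.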
--- a/rules/false_positives/py_versioneer.yara
+++ b/rules/false_positives/py_versioneer.yara
@@ -1,7 +1,7 @@
 rule versioneer_py: override {
 meta:
- description = "versioneer.py"
- python_exec_near_enough = "medium"
+ description = "versioneer.py"
+ python_exec_near_enough_base64 = "medium"
 strings:
 $script = "versioneer.py"
diff --git a/tests/linux/2024.PAN-OS.Upstyle/update_base64_payload1.py.simple b/tests/linux/2024.PAN-OS.Upstyle/update_base64_payload1.py.simple
index 073335730..5898f2066 100644
--- a/tests/linux/2024.PAN-OS.Upstyle/update_base64_payload1.py.simple
+++ b/tests/linux/2024.PAN-OS.Upstyle/update_base64_payload1.py.simple
@@ -4,7 +4,9 @@ anti-static/base64/eval: high
 anti-static/base64/function_names: critical
 data/base64/decode: medium
 data/encoding/base64: low
+exec/imports/python: low
 exec/program: medium
+exec/remote_commands/code_eval: medium
 fs/file/delete: low
 fs/file/open: low
 fs/file/read: low
diff --git a/tests/linux/2024.PAN-OS.Upstyle/update_base64_payload2.py.simple b/tests/linux/2024.PAN-OS.Upstyle/update_base64_payload2.py.simple
index e4f54cb77..0354a64f2 100644
--- a/tests/linux/2024.PAN-OS.Upstyle/update_base64_payload2.py.simple
+++ b/tests/linux/2024.PAN-OS.Upstyle/update_base64_payload2.py.simple
@@ -5,6 +5,7 @@ anti-static/obfuscation/python: medium
 data/base64/decode: medium
 data/encoding/base64: low
 exec/cmd/pipe: medium
+exec/imports/python: low
 exec/shell/SHELL: low
 fs/file/open: low
 fs/file/read: low
diff --git a/tests/linux/2024.hadooken/drop2.sh.simple b/tests/linux/2024.hadooken/drop2.sh.simple
index 25715d812..ad08ce4b9 100644
--- a/tests/linux/2024.hadooken/drop2.sh.simple
+++ b/tests/linux/2024.hadooken/drop2.sh.simple
@@ -1,5 +1,6 @@
 # linux/2024.hadooken/drop2.sh: critical
 c2/addr/ip: high
+exec/imports/python: low
 exec/remote_commands/code_eval: medium
 impact/remote_access/remote_eval: critical
 net/url/embedded: low
diff --git a/tests/linux/2024.hadooken/figure4.py.simple b/tests/linux/2024.hadooken/figure4.py.simple
index 28bbcca83..7fdf39ae0 100644
--- a/tests/linux/2024.hadooken/figure4.py.simple
+++ b/tests/linux/2024.hadooken/figure4.py.simple
@@ -3,6 +3,7 @@ c2/addr/ip: high
 c2/tool_transfer/binary: high
 c2/tool_transfer/http_ip_temp: critical
 c2/tool_transfer/python: high
+exec/imports/python: low
 exec/program: medium
 fs/file/delete: low
 fs/file/open: low
diff --git a/tests/linux/mimipenguin/python/mimipenguin.simple b/tests/linux/mimipenguin/python/mimipenguin.simple
index dd2279af0..625b58e85 100644
--- a/tests/linux/mimipenguin/python/mimipenguin.simple
+++ b/tests/linux/mimipenguin/python/mimipenguin.simple
@@ -10,6 +10,7 @@ data/encoding/base64: low
 discover/process/name: medium
 discover/processes/list: medium
 discover/system/platform: medium
+exec/imports/python: low
 exfil/stealer/password: critical
 fs/directory/list: low
 fs/file/open: low
diff --git a/tests/php/2024.sagsooz/2024.php.simple b/tests/php/2024.sagsooz/2024.php.simple
index 2bc7487d9..9076da6d2 100644
--- a/tests/php/2024.sagsooz/2024.php.simple
+++ b/tests/php/2024.sagsooz/2024.php.simple
@@ -8,6 +8,7 @@ data/encoding/base64: low
 discover/process/egid: medium
 evasion/indicator_blocking/mask_exceptions: medium
 evasion/time/php_no_limit: medium
+exec/imports/python: low
 exec/shell/command: medium
 fs/directory/remove: low
 fs/file/delete: low
diff --git a/tests/python/2021.DiscordSafety/setup.py.simple b/tests/python/2021.DiscordSafety/setup.py.simple
index 91b022fad..45f1515a1 100644
--- a/tests/python/2021.DiscordSafety/setup.py.simple
+++ b/tests/python/2021.DiscordSafety/setup.py.simple
@@ -7,6 +7,7 @@ c2/tool_transfer/download: high
 collect/databases/leveldb: medium
 data/encoding/base64: low
 data/encoding/marshal: medium
+exec/imports/python: low
 exec/program: medium
 exec/remote_commands/code_eval: medium
 exfil/stealer/browser: high
diff --git a/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple b/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple
index c7d13b7c0..27033bea9 100644
--- a/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple
+++ b/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple
@@ -8,6 +8,7 @@ discover/user/name_get: high
 evasion/file/prefix: medium
 evasion/file/prefix/tmp: high
 exec/cmd/pipe: medium
+exec/imports/python: low
 exec/program: medium
 exec/shell/command: medium
 exfil/curl_post: medium
diff --git a/tests/python/2022.activedevbadge-0.39/setup.py.simple b/tests/python/2022.activedevbadge-0.39/setup.py.simple
index 482217dc6..45e0c906b 100644
--- a/tests/python/2022.activedevbadge-0.39/setup.py.simple
+++ b/tests/python/2022.activedevbadge-0.39/setup.py.simple
@@ -1,6 +1,7 @@
 # python/2022.activedevbadge-0.39/setup.py: critical
 c2/tool_transfer/python: critical
 discover/user/name_get: high
+exec/imports/python: low
 exec/program: medium
 fs/directory/create: low
 fs/directory/list: low
diff --git a/tests/python/2023.JokerSpy/shared.dat.simple b/tests/python/2023.JokerSpy/shared.dat.simple
index a9253ba93..9cc437ee4 100644
--- a/tests/python/2023.JokerSpy/shared.dat.simple
+++ b/tests/python/2023.JokerSpy/shared.dat.simple
@@ -10,6 +10,7 @@ discover/network/interface_list: medium
 discover/system/platform: medium
 discover/user/name_get: low
 evasion/file/prefix: medium
+exec/imports/python: low
 exec/program: medium
 exec/remote_commands/code_eval: medium
 exec/tty/getpass: low
diff --git a/tests/python/2023.axderz-1.0.4/setup.py.simple b/tests/python/2023.axderz-1.0.4/setup.py.simple
index 95c2dc180..de0578eda 100644
--- a/tests/python/2023.axderz-1.0.4/setup.py.simple
+++ b/tests/python/2023.axderz-1.0.4/setup.py.simple
@@ -5,6 +5,7 @@ credential/ssh: high
 data/encoding/base64: low
 discover/system/environment: medium
 evasion/net/http_443: high
+exec/imports/python: low
 exec/program: medium
 exec/shell/power: medium
 exfil/stealer/ssh: critical
diff --git a/tests/python/2024.Custom.RAT/output.py.simple b/tests/python/2024.Custom.RAT/output.py.simple
index da913dc29..9f1a8a263 100644
--- a/tests/python/2024.Custom.RAT/output.py.simple
+++ b/tests/python/2024.Custom.RAT/output.py.simple
@@ -24,6 +24,7 @@ discover/user/name_get: low
 exec/cmd/pipe: medium
 exec/conditional/is_admin: medium
 exec/conditional/root_check: medium
+exec/imports/python: low
 exec/program: medium
 exec/shell/command: medium
 exec/shell/power: medium
diff --git a/tests/python/2024.RookeryCapital_PythonTest/__init__.py.simple b/tests/python/2024.RookeryCapital_PythonTest/__init__.py.simple
index 6f5677bc5..54ac0a2f0 100644
--- a/tests/python/2024.RookeryCapital_PythonTest/__init__.py.simple
+++ b/tests/python/2024.RookeryCapital_PythonTest/__init__.py.simple
@@ -3,6 +3,7 @@ anti-static/obfuscation/python: high
 data/base64/decode: medium
 data/encoding/base64: low
 discover/system/platform: medium
+exec/imports/python: low
 exec/program: medium
 exec/shell/command: medium
 fs/file/open: low
diff --git a/tests/python/2024.RookeryCapital_PythonTest/obfuscated.py.simple b/tests/python/2024.RookeryCapital_PythonTest/obfuscated.py.simple
index ceb4316fb..85554adb9 100644
--- a/tests/python/2024.RookeryCapital_PythonTest/obfuscated.py.simple
+++ b/tests/python/2024.RookeryCapital_PythonTest/obfuscated.py.simple
@@ -4,5 +4,6 @@ anti-static/obfuscation/python: high
 data/base64/decode: medium
 data/encoding/base64: low
 discover/system/platform: medium
+exec/imports/python: low
 exec/remote_commands/code_eval: medium
 net/url/request: medium
diff --git a/tests/python/2024.ScreenLocker/0a5f907e9f0dade65fc292d3f1ed1f68cfb68895a84adaa173c543792be891ba.py.simple b/tests/python/2024.ScreenLocker/0a5f907e9f0dade65fc292d3f1ed1f68cfb68895a84adaa173c543792be891ba.py.simple
index 4c3ff4cab..fa773c151 100644
--- a/tests/python/2024.ScreenLocker/0a5f907e9f0dade65fc292d3f1ed1f68cfb68895a84adaa173c543792be891ba.py.simple
+++ b/tests/python/2024.ScreenLocker/0a5f907e9f0dade65fc292d3f1ed1f68cfb68895a84adaa173c543792be891ba.py.simple
@@ -1,5 +1,6 @@
 # python/2024.ScreenLocker/0a5f907e9f0dade65fc292d3f1ed1f68cfb68895a84adaa173c543792be891ba.py: critical
 credential/password: low
+exec/imports/python: low
 exec/shell/command: medium
 impact/ransom/locked: high
 malware/family/lockscreen: critical
diff --git a/tests/python/2024.advpruebitaa9-1.0.0/setup.py.simple b/tests/python/2024.advpruebitaa9-1.0.0/setup.py.simple
index c25f1854d..f5998c8d4 100644
--- a/tests/python/2024.advpruebitaa9-1.0.0/setup.py.simple
+++ b/tests/python/2024.advpruebitaa9-1.0.0/setup.py.simple
@@ -2,6 +2,7 @@
 anti-static/base64/exec: critical
 data/base64/decode: medium
 data/encoding/base64: low
+exec/imports/python: low
 exec/program: medium
 impact/remote_access/py_setuptools: high
 net/url/embedded: low
diff --git a/tests/python/2024.business-kpi-manager-5.9.1/pre_install.py.simple b/tests/python/2024.business-kpi-manager-5.9.1/pre_install.py.simple
index 3aed5c478..8f746091f 100644
--- a/tests/python/2024.business-kpi-manager-5.9.1/pre_install.py.simple
+++ b/tests/python/2024.business-kpi-manager-5.9.1/pre_install.py.simple
@@ -1,5 +1,6 @@
 # python/2024.business-kpi-manager-5.9.1/pre_install.py: critical
 discover/user/name_get: medium
+exec/imports/python: low
 exec/program: medium
 exfil/curl_post: medium
 exfil/oob: high
diff --git a/tests/python/2024.business-kpi-manager-5.9.1/setup.py.simple b/tests/python/2024.business-kpi-manager-5.9.1/setup.py.simple
index 90c5d5688..db68225fb 100644
--- a/tests/python/2024.business-kpi-manager-5.9.1/setup.py.simple
+++ b/tests/python/2024.business-kpi-manager-5.9.1/setup.py.simple
@@ -1,4 +1,5 @@
 # python/2024.business-kpi-manager-5.9.1/setup.py: high
+exec/imports/python: low
 impact/remote_access/py_setuptools: high
 net/download: medium
 net/url/embedded: low
diff --git a/tests/python/2024.coloredtxt/unhex.py.simple b/tests/python/2024.coloredtxt/unhex.py.simple
index e60a1db74..27aacc1c6 100644
--- a/tests/python/2024.coloredtxt/unhex.py.simple
+++ b/tests/python/2024.coloredtxt/unhex.py.simple
@@ -2,4 +2,3 @@
 anti-static/obfuscation/hex: high
 data/encoding/base64: low
 exec/imports/python: high
-exec/remote_commands/code_eval: medium
diff --git a/tests/python/2024.d3duct1v/xfilesyncerx.py.simple b/tests/python/2024.d3duct1v/xfilesyncerx.py.simple
index 6f50fd7ce..67d8b0acf 100644
--- a/tests/python/2024.d3duct1v/xfilesyncerx.py.simple
+++ b/tests/python/2024.d3duct1v/xfilesyncerx.py.simple
@@ -1,6 +1,7 @@
 # python/2024.d3duct1v/xfilesyncerx.py: critical
 anti-static/obfuscation/bitwise: critical
 anti-static/obfuscation/python: high
-exec/remote_commands/code_eval: medium
+exec/imports/python: low
+exec/remote_commands/code_eval: high
 impact/remote_access/remote_eval: critical
 net/url/request: medium
diff --git a/tests/python/2024.evildojo666/models.py.simple b/tests/python/2024.evildojo666/models.py.simple
new file mode 100644
index 000000000..a6c0a7170
--- /dev/null
+++ b/tests/python/2024.evildojo666/models.py.simple
@@ -0,0 +1,5 @@
+# python/2024.evildojo666/models.py: critical
+anti-static/obfuscation/python: critical
+c2/addr/url: high
+exec/imports/python: critical
+exec/remote_commands/code_eval: critical
diff --git a/tests/python/2024.yocolor/__init__.py.simple b/tests/python/2024.yocolor/__init__.py.simple
index 763d23f33..973f88cd1 100644
--- a/tests/python/2024.yocolor/__init__.py.simple
+++ b/tests/python/2024.yocolor/__init__.py.simple
@@ -1,4 +1,5 @@
 # python/2024.yocolor/__init__.py: critical
+exec/imports/python: low
 exec/install_additional/pip_install: critical
 exec/program: medium
 net/url/embedded: low
diff --git a/tests/python/2024.yocolor/setup.py.json b/tests/python/2024.yocolor/setup.py.json
index 83d74bbc3..c0d44b9b7 100644
--- a/tests/python/2024.yocolor/setup.py.json
+++ b/tests/python/2024.yocolor/setup.py.json
@@ -24,6 +24,23 @@
 "ID": "crypto/fernet",
 "RuleName": "crypto_fernet"
 },
+ {
+ "Description": "imports python modules",
+ "MatchStrings": [
+ "from distutils.core import setup",
+ "from setuptools import setup",
+ "import fernet",
+ "import os",
+ "import re",
+ "import sys",
+ "import with"
+ ],
+ "RiskScore": 1,
+ "RiskLevel": "LOW",
+ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/imports/python.yara#has_import",
+ "ID": "exec/imports/python",
+ "RuleName": "has_import"
+ },
 {
 "Description": "Installs fernet crypto package using pip",
 "MatchStrings": [
diff --git a/tests/python/clean/conda-build/_load_setup_py_data.py.simple b/tests/python/clean/conda-build/_load_setup_py_data.py.simple
index a7dcf653f..860f2ecba 100644
--- a/tests/python/clean/conda-build/_load_setup_py_data.py.simple
+++ b/tests/python/clean/conda-build/_load_setup_py_data.py.simple
@@ -1,4 +1,5 @@
 # python/clean/conda-build/_load_setup_py_data.py: medium
+exec/imports/python: low
 exec/remote_commands/code_eval: medium
 fs/file/open: low
 impact/remote_access/py_setuptools: low
diff --git a/tests/python/clean/gevent/test__monkey.py.simple b/tests/python/clean/gevent/test__monkey.py.simple
index c51d2049e..badb92970 100644
--- a/tests/python/clean/gevent/test__monkey.py.simple
+++ b/tests/python/clean/gevent/test__monkey.py.simple
@@ -1,5 +1,6 @@
 # python/clean/gevent/test__monkey.py: medium
 anti-static/obfuscation/python: medium
+exec/imports/python: low
 exec/program: medium
 impact/remote_access/pseudo_terminal: medium
 process/create: low
diff --git a/tests/python/clean/google-auth-library-python/setup.py.simple b/tests/python/clean/google-auth-library-python/setup.py.simple
index 1666eb572..60a0961c8 100644
--- a/tests/python/clean/google-auth-library-python/setup.py.simple
+++ b/tests/python/clean/google-auth-library-python/setup.py.simple
@@ -1,4 +1,5 @@
 # python/clean/google-auth-library-python/setup.py: medium
+exec/imports/python: low
 exec/remote_commands/code_eval: medium
 exec/shell/command: medium
 fs/file/open: low
diff --git a/tests/python/clean/google-cloud-sdk/mysql.py.simple b/tests/python/clean/google-cloud-sdk/mysql.py.simple
index 1cfa5592a..b8336f84e 100644
--- a/tests/python/clean/google-cloud-sdk/mysql.py.simple
+++ b/tests/python/clean/google-cloud-sdk/mysql.py.simple
@@ -1,6 +1,7 @@
 # python/clean/google-cloud-sdk/mysql.py: medium
 collect/databases/mysql: medium
 credential/password: low
+exec/imports/python: low
 fs/directory/create: low
 fs/file/copy: medium
 fs/file/open: low
diff --git a/tests/python/clean/hatch/migrate.py.simple b/tests/python/clean/hatch/migrate.py.simple
index d3dd6534c..b4ad0aecb 100644
--- a/tests/python/clean/hatch/migrate.py.simple
+++ b/tests/python/clean/hatch/migrate.py.simple
@@ -1,5 +1,6 @@
 # python/clean/hatch/migrate.py: medium
 discover/system/environment: medium
+exec/imports/python: low
 exec/program: medium
 exec/remote_commands/code_eval: medium
 false-positives/py_hatch: low
diff --git a/tests/python/clean/idna/setup.py.simple b/tests/python/clean/idna/setup.py.simple
index c8e1f1a09..3a36d1ecf 100644
--- a/tests/python/clean/idna/setup.py.simple
+++ b/tests/python/clean/idna/setup.py.simple
@@ -1,4 +1,5 @@
 # python/clean/idna/setup.py: medium
+exec/imports/python: low
 exec/remote_commands/code_eval: medium
 fs/file/open: low
 net/url/embedded: low
diff --git a/tests/python/clean/jaraco/__init__.py.simple b/tests/python/clean/jaraco/__init__.py.simple
index 2d18e29f7..cf91229fa 100644
--- a/tests/python/clean/jaraco/__init__.py.simple
+++ b/tests/python/clean/jaraco/__init__.py.simple
@@ -1,6 +1,7 @@
 # python/clean/jaraco/__init__.py: medium
 c2/tool_transfer/python: medium
 discover/system/platform: medium
+exec/imports/python: low
 exec/program: medium
 fs/directory/create: low
 fs/directory/list: low
diff --git a/tests/python/clean/magic_trace/magic_trace.py.simple b/tests/python/clean/magic_trace/magic_trace.py.simple
index 153559942..be8346c6f 100644
--- a/tests/python/clean/magic_trace/magic_trace.py.simple
+++ b/tests/python/clean/magic_trace/magic_trace.py.simple
@@ -1,5 +1,6 @@
 # python/clean/magic_trace/magic_trace.py: medium
 c2/tool_transfer/python: medium
+exec/imports/python: low
 exec/program: medium
 fs/path/tmp: medium
 fs/permission/modify: medium
diff --git a/tests/python/clean/ml_sdk/setup.py.simple b/tests/python/clean/ml_sdk/setup.py.simple
index 8400cee11..57f63afdb 100644
--- a/tests/python/clean/ml_sdk/setup.py.simple
+++ b/tests/python/clean/ml_sdk/setup.py.simple
@@ -1,4 +1,5 @@
 # python/clean/ml_sdk/setup.py: medium
+exec/imports/python: low
 exec/remote_commands/code_eval: medium
 fs/file/open: low
 net/url/embedded: low
diff --git a/tests/python/clean/numba/support.py.simple b/tests/python/clean/numba/support.py.simple
index fd144277a..49527331e 100644
--- a/tests/python/clean/numba/support.py.simple
+++ b/tests/python/clean/numba/support.py.simple
@@ -1,5 +1,7 @@
 # python/clean/numba/support.py: medium
+anti-static/obfuscation/python: low
 discover/system/platform: medium
+exec/imports/python: low
 exec/program: medium
 exec/remote_commands/code_eval: medium
 false-positives/setuptools: low
diff --git a/tests/python/clean/pydevd/setup_pydevd_cython.py.simple b/tests/python/clean/pydevd/setup_pydevd_cython.py.simple
index df3177e6e..3679380c9 100644
--- a/tests/python/clean/pydevd/setup_pydevd_cython.py.simple
+++ b/tests/python/clean/pydevd/setup_pydevd_cython.py.simple
@@ -1,5 +1,6 @@
 # python/clean/pydevd/setup_pydevd_cython.py: medium
 discover/system/platform: medium
+exec/imports/python: low
 exec/remote_commands/code_eval: medium
 fs/directory/list: low
 fs/file/delete: low
diff --git a/tests/python/clean/pyparsing/sparser.py.simple b/tests/python/clean/pyparsing/sparser.py.simple
index b84e97be5..4641c7b15 100644
--- a/tests/python/clean/pyparsing/sparser.py.simple
+++ b/tests/python/clean/pyparsing/sparser.py.simple
@@ -2,6 +2,7 @@
 data/compression/bzip2: low
 data/compression/gzip: low
 exec/cmd/pipe: medium
+exec/imports/python: low
 exec/remote_commands/code_eval: medium
 fs/file/open: low
 fs/path/usr_bin: low
diff --git a/tests/python/clean/requests/setup.py.simple b/tests/python/clean/requests/setup.py.simple
index 0b19ea07f..108a1ec34 100644
--- a/tests/python/clean/requests/setup.py.simple
+++ b/tests/python/clean/requests/setup.py.simple
@@ -1,5 +1,6 @@
 # python/clean/requests/setup.py: medium
 c2/tool_transfer/download: medium
+exec/imports/python: low
 exec/program: medium
 exec/remote_commands/code_eval: medium
 exec/shell/command: medium
diff --git a/tests/python/clean/setuptools/discovery.py.simple b/tests/python/clean/setuptools/discovery.py.simple
index e00296875..a62920dd1 100644
--- a/tests/python/clean/setuptools/discovery.py.simple
+++ b/tests/python/clean/setuptools/discovery.py.simple
@@ -1,4 +1,5 @@
 # python/clean/setuptools/discovery.py: medium
+exec/imports/python: low
 fs/directory/traverse: medium
 fs/path/relative: medium
 fs/path/root: medium
diff --git a/tests/python/clean/setuptools/namespaces.py.simple b/tests/python/clean/setuptools/namespaces.py.simple
index 43cd5497f..72523b70f 100644
--- a/tests/python/clean/setuptools/namespaces.py.simple
+++ b/tests/python/clean/setuptools/namespaces.py.simple
@@ -1,5 +1,6 @@
 # python/clean/setuptools/namespaces.py: medium
 data/encoding/json_encode: low
+exec/imports/python: low
 exec/remote_commands/code_eval: medium
 exec/shell/command: medium
 false-positives/setuptools: low
diff --git a/tests/python/clean/setuptools/package_index.py.simple b/tests/python/clean/setuptools/package_index.py.simple
index 03e750a95..dcaa7b200 100644
--- a/tests/python/clean/setuptools/package_index.py.simple
+++ b/tests/python/clean/setuptools/package_index.py.simple
@@ -3,6 +3,7 @@ c2/refs: medium
 credential/password: low
 data/embedded/html: medium
 data/encoding/base64: low
+exec/imports/python: low
 exec/program: medium
 fs/directory/list: low
 fs/file/delete: low
diff --git a/tests/python/clean/setuptools/sandbox.py.simple b/tests/python/clean/setuptools/sandbox.py.simple
index 2ea81cfd9..2ed73fa5c 100644
--- a/tests/python/clean/setuptools/sandbox.py.simple
+++ b/tests/python/clean/setuptools/sandbox.py.simple
@@ -1,5 +1,6 @@
 # python/clean/setuptools/sandbox.py: medium
 discover/system/platform: medium
+exec/imports/python: low
 exec/plugin: low
 exec/remote_commands/code_eval: medium
 fs/directory/create: low
diff --git a/tests/python/clean/setuptools/test_pyprojecttoml.py.simple b/tests/python/clean/setuptools/test_pyprojecttoml.py.simple
index 4ab1d4f69..4664c2320 100644
--- a/tests/python/clean/setuptools/test_pyprojecttoml.py.simple
+++ b/tests/python/clean/setuptools/test_pyprojecttoml.py.simple
@@ -1,5 +1,6 @@
 # python/clean/setuptools/test_pyprojecttoml.py: medium
 discover/system/platform: medium
+exec/imports/python: low
 exec/shell/command: medium
 fs/file/open: low
 impact/remote_access/py_setuptools: low
diff --git a/tests/python/clean/tensorflow_model_analysis/tfjs_predict_extractor_util.py.simple b/tests/python/clean/tensorflow_model_analysis/tfjs_predict_extractor_util.py.simple
index 10904c355..1a0653b03 100644
--- a/tests/python/clean/tensorflow_model_analysis/tfjs_predict_extractor_util.py.simple
+++ b/tests/python/clean/tensorflow_model_analysis/tfjs_predict_extractor_util.py.simple
@@ -1,6 +1,7 @@
 # python/clean/tensorflow_model_analysis/tfjs_predict_extractor_util.py: medium
 c2/tool_transfer/python: medium
 discover/system/platform: medium
+exec/imports/python: low
 exec/program: medium
 fs/permission/modify: medium
 fs/tempdir/create: low
diff --git a/tests/windows/2024.GitHub.Clipper/raw.py.simple b/tests/windows/2024.GitHub.Clipper/raw.py.simple
index 340a54e9d..10c529989 100644
--- a/tests/windows/2024.GitHub.Clipper/raw.py.simple
+++ b/tests/windows/2024.GitHub.Clipper/raw.py.simple
@@ -4,6 +4,7 @@ c2/tool_transfer/download: high
 c2/tool_transfer/exe_url: high
 c2/tool_transfer/python: high
 evasion/indicator_blocking/hidden_window: high
+exec/imports/python: low
 exec/program: medium
 fs/file/open: low
 fs/tempdir: low