Address false positives seen with jupyterhub and reflex

Signed-off-by: egibs <[email protected]>

rules/combo/degrader/edr_killer.yara

@@ -11,8 +11,10 @@ rule win_kill_proc_likely : high {
 	$debug_uhf = "UnhandledExceptionFilter"
 	$kill_gmh = "GetModuleHandle"
 	$kill_tp = "TerminateProcess"
+
+    $not_printdeps_exe = {55 73 61 67 65 3A 0A 20 20 50 72 69 6E 74 44 65 70 73 20 46 49 4C 45 2E 2E 2E 00 00 00 00 00 56 65 72 73 69 6F 6E 3A 20 72 00 00 25 70 00 00 65 45 00 00 70 50}
   condition:
-	filesize < 1MB and 1 of ($kill*) and 2 of ($debug*) and 1 of ($f*) 
+	filesize < 1MB and 1 of ($kill*) and 2 of ($debug*) and 1 of ($f*) and none of ($not_*)
 }
 
 rule win_kill_proc : critical {
@@ -28,8 +30,10 @@ rule win_kill_proc : critical {
 	$debug_uhf = "UnhandledExceptionFilter"
 	$kill_gmh = "GetModuleHandle"
 	$kill_tp = "TerminateProcess"
+
+    $not_printdeps_exe = {55 73 61 67 65 3A 0A 20 20 50 72 69 6E 74 44 65 70 73 20 46 49 4C 45 2E 2E 2E 00 00 00 00 00 56 65 72 73 69 6F 6E 3A 20 72 00 00 25 70 00 00 65 45 00 00 70 50}
   condition:
-	filesize < 1MB and all of ($kill*) and 3 of ($debug*) and 1 of ($f*) 
+	filesize < 1MB and all of ($kill*) and 3 of ($debug*) and 1 of ($f*) and none of ($not_*)
 }
 
 rule edr_stopper : critical {
@@ -40,4 +44,4 @@ rule edr_stopper : critical {
 	$stop = "stopservice"
   condition:
 	filesize < 1MB and $stop and any of ($kind*)
-}
+}

rules/combo/stealer/browser.yara

@@ -60,6 +60,8 @@ rule multiple_browser_refs : critical {
     $not_ff_js = "Firefox can even throw an error"
     $not_generated_comment = "// This file is generated"
     $not_generated_file = "/utils/generate_types/index.js"
+    $not_microsoft = "Copyright (c) Microsoft Corporation."
+    $not_microsoft_playright = "Microsoft.Playwright"
   condition:
     2 of ($name*) and 3 of ($fs*) and none of ($not*)
 }
@@ -152,4 +154,4 @@ rule chrome_encrypted_cookies : critical {
 		$select = /SELECT.{0,64}encrypted_value{0,64}cookies/
 	condition:
 		$select
-}
+}

rules/obfuscation/js/char_codes.yara

@@ -13,9 +13,12 @@ rule child_process : critical {
 		$a_shift = "shift"
 		$a_push = "push"
 
-		$const = "const "
-		$function = "function("
-		$return = "{return"
+		$a_const = "const "
+		$a_function = "function("
+		$a_return = "{return"
+
+		$not_sw_bundle = "Recorded click position in absolute coordinates did not match the center of the clicked element."
+		$not_sw_bundle2 = "This is likely due to a difference between the test runner and the trace viewer operating systems."
 	condition:
-		filesize < 128KB and all of them
+		filesize < 128KB and all of ($a_*) and none of ($not_*)
 }

rules/obfuscation/js/function_spam.yara

@@ -5,6 +5,10 @@ rule js_const_func_obfuscation : critical {
 		$const = "const "
 		$function = "function("
 		$return = "{return"
+
+        $not_bootstrap = "* Copyright 2011-2024 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors)"
+		$not_fb = "Copyright (c) Facebook, Inc. and its affiliates."
+		$not_mit = "This source code is licensed under the MIT license found in the * LICENSE file in the root directory of this source tree."
 	condition:
-		filesize < 256KB and #const > 32 and #function > 48 and #return > 64
+		filesize < 256KB and #const > 32 and #function > 48 and #return > 64 and none of ($not_*)
 }

test_data/javascript/clean/bootstrap.bundle.min.js.simple

@@ -0,0 +1,4 @@
+# javascript/clean/bootstrap.bundle.min.js
+encoding/json/decode
+ref/site/url
+time/clock/sleep

test_data/javascript/clean/index-DVt3E1Ef.js.simple

@@ -0,0 +1,10 @@
+# javascript/clean/index-DVt3E1Ef.js
+encoding/json/decode
+encoding/json/encode
+evasion/int_to_char
+exec/cmd
+fs/mount
+net/download
+ref/site/url
+ref/words/password
+techniques/code_eval

test_data/javascript/clean/sw.bundle.js.simple

@@ -0,0 +1,14 @@
+# javascript/clean/sw.bundle.js
+archives/zip
+encoding/base64
+encoding/json/decode
+encoding/json/encode
+evasion/int_to_char
+fd/read
+fd/write
+kernel/platform
+net/upload
+net/url
+obfuscation/js/high_entropy
+ref/site/url
+ref/words/password

test_data/linux/clean/api.json.simple

@@ -0,0 +1,29 @@
+# linux/clean/api.json
+archives/zip
+combo/recon/system_network
+encoding/json/decode
+encoding/json/encode
+env/USER
+fs/file/delete/forcibly
+net/download
+net/http/auth
+net/http/cookies
+net/http/form/upload
+net/http/post
+net/http/request
+net/socket/listen
+net/socket/send
+net/socks5
+net/upload
+net/url
+net/url/encode
+net/websocket
+ref/daemon
+ref/ip_port
+ref/path/tmp
+ref/site/url
+ref/words/agent
+ref/words/intercept
+ref/words/password
+ref/words/server_address
+techniques/code_eval

test_data/refresh-testdata.sh

@@ -127,5 +127,5 @@ for f in $(find "${test_data}" -name "*.json"); do
 done
 
 echo "processing queue with length: $(wc -l ${qscript})"
-tr '\n' '\0' <"${qscript}" | xargs -0 -n1 -P"${MAX_PROCS}" -I% sh -c '%'
+tr '\n' '\0' <"${qscript}" | xargs -0 -n1 -P"${MAX_PROCS}" -J% sh -c '%'
 echo "test data regeneration complete!!"

test_data/windows/clean/PrintDeps.exe.simple

@@ -0,0 +1,3 @@
+# windows/clean/PrintDeps.exe
+data/emdedded/app/manifest
+evasion/anti/debugger