diff --git a/pkg/action/scan.go b/pkg/action/scan.go
index 096e3ffa0..9aab19ab4 100644
--- a/pkg/action/scan.go
+++ b/pkg/action/scan.go
@@ -497,6 +497,14 @@ func processArchive(ctx context.Context, c malcontent.Config, rfs []fs.FS, archi
 if err != nil {
 return nil, fmt.Errorf("extract to temp: %w", err)
 }
+ // Ensure that tmpRoot is removed before returning if created successfully
+ if tmpRoot != "" {
+ defer func() {
+ if err := os.RemoveAll(tmpRoot); err != nil {
+ logger.Errorf("remove %s: %v", tmpRoot, err)
+ }
+ }()
+ }
 // macOS will prefix temporary directories with `/private`
 // update tmpRoot with this prefix to allow strings.TrimPrefix to work
 if runtime.GOOS == "darwin" {
@@ -515,13 +523,10 @@ func processArchive(ctx context.Context, c malcontent.Config, rfs []fs.FS, archi
 }
 if fr != nil {
 // Store a clean reprepsentation of the archive's scanned file to match single file scanning behavior
- extractedFilePath = strings.TrimPrefix(extractedFilePath, tmpRoot)
- frs.Store(extractedFilePath, fr)
+ clean := strings.TrimPrefix(extractedFilePath, tmpRoot)
+ frs.Store(clean, fr)
 }
 }
- if err := os.RemoveAll(tmpRoot); err != nil {
- logger.Errorf("remove %s: %v", tmpRoot, err)
- }
 return &frs, nil
 }
diff --git a/rules/evasion/rootkit/userspace.yara b/rules/evasion/rootkit/userspace.yara
index 65e3193ef..eb371f23f 100644
--- a/rules/evasion/rootkit/userspace.yara
+++ b/rules/evasion/rootkit/userspace.yara
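Review bot: The deferred cleanup is registered only after the `extract to temp` error return, so if the extractor has already created tmpRoot when it fails, that directory is never removed; whether tmpRoot is populated on the error path depends on the call just above the hunk, which is not visible here. If it is, move the `if tmpRoot != ""` defer above the `if err != nil` check so the temp directory is cleaned on every exit. The deferred closure reads tmpRoot by reference, so the darwin `/private` rewrite below is the path RemoveAll receives; that is correct but non-obvious and deserves a comment, e.g. `// tmpRoot is captured by reference: the darwin /private rewrite below applies to the removal too`. processArchive begins before the first hunk, and the second hunk, which drops the trailing RemoveAll, is the matching half of this change.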
@@ -48,18 +48,20 @@ rule readdir_intercept: high {
 rule readdir_dlsym_interceptor: high {
 meta:
- description = "userland rootkit designed to hide files (readdir)"
+ description = "userland rootkit designed to hide files (readdir64+readlink)"
 filetypes = "so,c"
 strings:
- $dlsym = "dlsym" fullword
- $readdir64 = "readdir64" fullword
- $readlink_maybe_not_needed = "readlink"
- $proc = "/proc"
+ $f_dlsym = "dlsym" fullword
+ $f_readdir64 = "readdir64" fullword
+ $f_readlink_maybe_not_needed = "readlink"
+ $f_proc = "/proc"
+
+ $not_sbcl = "SBCL_HOME" fullword
 condition:
- filesize < 1MB and uint32(0) == 1179403647 and all of them
+ filesize < 1MB and uint32(0) == 1179403647 and all of ($f*) and none of ($not*)
 }
 rule readdir_tcp_wrapper_intercept: high {
diff --git a/rules/exfil/stealer/keylogger.yara b/rules/exfil/stealer/keylogger.yara
index 843dfa435..4065e768a 100644
--- a/rules/exfil/stealer/keylogger.yara
+++ b/rules/exfil/stealer/keylogger.yara
@@ -14,7 +14,7 @@ rule keylogger_discord_telegram: high {
 filesize < 256KB and any of ($http*) and any of ($k*)
 }
-rule py_keylogger_pynput_exfil: critical {
+rule py_keylogger_pynput_exfil: high {
 meta:
 description = "listens for keyboard events and exfiltrates them"
 filetypes = "py"
@@ -33,7 +33,7 @@ rule py_keylogger_pynput_exfil: critical {
 filesize < 256KB and any of ($http*) and all of ($f*)
 }
-rule py_keykeyboard_exfil: critical {
+rule py_keykeyboard_exfil: high {
 meta:
 description = "listens for keyboard events and exfiltrates them"
 filetypes = "py"
@@ -44,7 +44,8 @@ rule py_keykeyboard_exfil: critical {
 $http_Discord = "Discord"
 $http_keylogger = /[kK]eylogger/
 $http_Telegram = "Telegram"
- $f_pynput = "keyboard" fullword
+ $f_pynput = "pynput" fullword
+ $f_keyboard = "keyboard" fullword
 $f_key = ".name"
 $f_listener = "on_release"
diff --git a/rules/false_positives/conda_build.yara b/rules/false_positives/conda_build.yara
deleted file mode 100644
index 8f27b4fe7..000000000
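Review bot: `$f_readlink_maybe_not_needed = "readlink"` is now a mandatory member of `all of ($f*)` and is advertised in the new description, yet it carries no `fullword` and its name still says it may not be needed; either commit to it (`$f_readlink = "readlink" fullword`) or keep it out of the required set. The new `$not_sbcl` exclusion turns the whole rule off on a single environment-variable name, which is a coarse suppression; a comment naming the false positive it addresses (the sbcl fixture updated in this change) would keep it reviewable when the rule is next touched.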
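Review bot: In py_keykeyboard_exfil the renamed `$f_pynput` now holds "pynput" and a separate `$f_keyboard` holds "keyboard"; if this rule's condition, which lies outside the hunk, uses `all of ($f*)` like py_keylogger_pynput_exfil does, the rule now requires both libraries and no longer matches a keyboard-only listener, which its name suggests it was meant to cover. If either library should suffice, something like `any of ($f_pynput, $f_keyboard) and all of ($f_key, $f_listener)` preserves that; if both are genuinely required, the rule largely duplicates py_keylogger_pynput_exfil and the overlap should be stated in its description.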
--- a/rules/false_positives/conda_build.yara
+++ /dev/null
@@ -1,14 +0,0 @@
-rule conda_load_setup_py_data: override {
- meta:
- setuptools_eval = "low"
- description = "_load_setup_py_data.py"
-
- strings:
- $exec = "exec(code, ns, ns)"
- $func = "load_setup_py_data"
- $sbom1 = "# Copyright (C) 2014 Anaconda, Inc"
- $sbom2 = "# SPDX-License-Identifier: BSD-3-Clause"
-
- condition:
- filesize < 8KB and all of them
-}
diff --git a/rules/false_positives/py_hatch.yara b/rules/false_positives/py_hatch.yara
index 6f0ab2eab..3c0f1f9e4 100644
--- a/rules/false_positives/py_hatch.yara
+++ b/rules/false_positives/py_hatch.yara
@@ -1,7 +1,7 @@
 rule migrate_py: override {
 meta:
- description = "migrate.py"
- setuptools_eval = "medium"
+ description = "migrate.py"
+ setuptools_eval_high = "medium"
 strings:
 $env = "'_HATCHLING_PORT_ADD_'"
diff --git a/rules/false_positives/setuptools.yara b/rules/false_positives/setuptools.yara
index fbf129d32..510c127ae 100644
--- a/rules/false_positives/setuptools.yara
+++ b/rules/false_positives/setuptools.yara
@@ -1,25 +1,7 @@
-rule test_pyprojecttoml: override {
- meta:
- description = "namespaces.py, test_pyprojecttoml.py"
- setuptools_eval = "low"
-
- strings:
- $example = "EXAMPLE"
- $func1 = "def create_example("
- $func2 = "def verify_example("
- $func3 = "def test_read_configuration("
- $import = "import setuptools"
- $kv = "\"pyproject.toml\": EXAMPLE"
- $pyproject = "pyproject.toml"
-
- condition:
- filesize < 16KB and all of them
-}
-
 rule setuptools_namespaces: override {
 meta:
- description = "namespaces.py"
- setuptools_eval = "low"
+ description = "namespaces.py"
+ setuptools_exec_high = "low"
 strings:
 $func1 = "def iter_namespace_pkgs("
@@ -36,30 +18,15 @@ rule setuptools_namespaces: override {
 rule numba_support: override {
 meta:
- description = "support.py"
- setuptools_eval = "low"
+ description = "support.py"
+ setuptools_exec_high = "low"
 strings:
 $comment = "Assorted utilities for use in tests."
- $gh_issue = "numba#"
+ $gh_issue = "numbsa#"
 $import = "from numba"
 $repository = "https://github.com/numba/numba"
 condition:
 filesize < 64KB and all of them
 }
-
-rule setup_pydevd_cython: override {
- meta:
- description = "setup_pydevd_cython.py"
- setuptools_eval = "low"
-
- strings:
- $example = "python setup_pydevd_cython build_ext --inplace"
- $header = "A simpler setup version just to compile the speedup module."
- $import = "from setuptools import setup"
- $pydevd = "pydevd"
-
- condition:
- filesize < 16KB and all of them
-}
diff --git a/rules/false_positives/trino_upx.yara b/rules/false_positives/trino_upx.yara
new file mode 100644
index 000000000..382b1f9ab
--- /dev/null
+++ b/rules/false_positives/trino_upx.yara
@@ -0,0 +1,21 @@
+rule trino_upx_override: override {
+ meta:
+ description = "https://trino.io/ - UPX encrypted and crazy"
+ upx = "medium"
+ high_entropy_header = "medium"
+ normal_elf_high_entropy_7_4 = "medium"
+ obfuscated_elf = "medium"
+
+ strings:
+ $ = "Go buildinf"
+ $ = "p\tgiNub.com/fdih/"
+ $ = "kTixuOsFBOtGYSTLRLWK6G"
+ $ = "wnwmwkwbqc"
+ $ = "zYna%i%qj%"
+ $ = "kUNKNOWN:$"
+ $ = "q\tcCuXMaxlebo"
+ $ = "lmRnTEOIt"
+
+ condition:
+ filesize > 1MB and filesize < 3MB and 85 % of them
+}
diff --git a/rules/impact/remote_access/py_setuptools.yara b/rules/impact/remote_access/py_setuptools.yara
index 796014f47..61bcbf970 100644
--- a/rules/impact/remote_access/py_setuptools.yara
+++ b/rules/impact/remote_access/py_setuptools.yara
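Review bot: `$gh_issue = "numbsa#"` looks like a typo for the previous `"numba#"`; with `all of them` in the condition, numba_support can no longer match the support.py it names. That coincides with tests/python/clean/numba/support.py.simple dropping `false-positives/setuptools: low` in this same change, so if disabling the override is intended, delete the rule as was done for setup_pydevd_cython rather than leave a string that silently never matches; if it is not intended, restore `$gh_issue = "numba#"`.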
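Review bot: The trino_upx_override strings are opaque fragments of a packed binary (`"p\tgiNub.com/fdih/"`, `"kTixuOsFBOtGYSTLRLWK6G"`), so the override is pinned to one particular Trino build and will silently stop applying on the next release, at which point the anti-static findings it lowers reappear. Record where the fragments came from so the rule can be refreshed: replace `description = "https://trino.io/ - UPX encrypted and crazy"` with a description that names the binary, and add a comment giving the release the strings were extracted from. The `85 % of them` threshold reads as deliberate tolerance for small layout shifts and is worth one line saying so.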
@@ -39,7 +39,7 @@ rule setuptools_homedir: high {
 remote_access_pythonSetup and any of them
 }
-rule setuptools_cmd_exec: suspicious {
+rule setuptools_cmd_exec: high {
 meta:
 description = "Python library installer that executes external commands"
@@ -51,6 +51,8 @@ rule setuptools_cmd_exec: suspicious {
 $not_comment = "Editable install to a prefix should be discoverable."
 $not_egg_info_requires = "os.path.join(egg_info_dir, 'requires.txt')"
 $not_requests = "'Documentation': 'https://requests.readthedocs.io'"
+ $not_sdist_publish = "python setup.py sdist bdist_wheel"
+ $not_twine_upload = "twine upload dist/*"
 condition:
 remote_access_pythonSetup and any of ($f*) and none of ($not*)
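Review bot: The two new exclusions, `$not_sdist_publish` and `$not_twine_upload`, are the literal commands a setup.py "publish" helper runs, and because the condition applies `none of ($not*)` to the whole file their presence now silences setuptools_cmd_exec for every other command the same installer executes. A comment naming the clean fixture that motivated them (the requests and google-cloud-sdk setup.py fixtures updated in this change appear to be the source) would make the suppression reviewable, and if the helper follows a fixed shape the exclusion could be tied to that whole pattern rather than the bare strings. The severity change in the first hunk is otherwise consistent with the test expectation updates.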
@@ -70,13 +72,46 @@ rule setuptools_cmd_exec_start: critical {
 remote_access_pythonSetup and any of ($f*)
 }
-rule setuptools_eval: critical {
+rule setuptools_eval: medium {
 meta:
 description = "Python library installer that evaluates arbitrary code"
 strings:
- $f_sys_val = /eval\([\"\'\w\ \-\)\/]{0,64}/ fullword
- $f_subprocess_val = /exec\([\"\'\/\w\ \-\)]{0,64}/ fullword
+ $f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
+
+ condition:
+ remote_access_pythonSetup and any of ($f*)
+}
+
+rule setuptools_eval_high: high {
+ meta:
+ description = "Python library installer that evaluates arbitrary code"
+
+ strings:
+ $f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
+ $not_namespaced = /eval\([\w\.\(\)\"\/\']{4,16}, [a-z]{1,6}[,\)]/
+
+ condition:
+ remote_access_pythonSetup and any of ($f*) and none of ($not*)
+}
+
+rule setuptools_exec: medium {
+ meta:
+ description = "Python library installer that executes arbitrary code"
+
+ strings:
+ $f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
+
+ condition:
+ remote_access_pythonSetup and any of ($f*)
+}
+
+rule setuptools_exec_high: high {
+ meta:
+ description = "Python library installer that evaluates arbitrary code"
+
+ strings:
+ $f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
 $not_apache = "# Licensed under the Apache License, Version 2.0 (the \"License\")"
 $not_comment = "Editable install to a prefix should be discoverable."
 $not_google = /# Copyright [1-2][0-9]{3} Google Inc/
@@ -86,6 +121,7 @@ rule setuptools_eval: critical {
 $not_pyspark_ioerror = "\"Failed to load PySpark version file for packaging. You must be in Spark's python dir.\""
 $not_requests = "'Documentation': 'https://requests.readthedocs.io'"
 $not_test_egg_class = "class TestEggInfo"
+ $not_namespaced = /exec\([\w\.\(\)\"\/\']{4,16}, [a-z]{1,6}[,\)]/
 condition:
 remote_access_pythonSetup and any of ($f*) and none of ($not*)
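Review bot: setuptools_exec_high copies its description from the eval rule; `description = "Python library installer that evaluates arbitrary code"` should read `description = "Python library installer that executes arbitrary code"`, as setuptools_exec already does. In the second hunk `$not_namespaced` is appended after `$not_test_egg_class`, breaking the alphabetical order the other `$not_*` strings keep; it belongs after `$not_google`. setuptools_eval and setuptools_eval_high (and the exec pair) share an identical `$f_*` pattern, so both tiers fire on the same file; presumably the `_high` variant exists so the false_positives overrides can lower it independently, and a one-line comment saying so would spare the next reader from reconstructing that from the override rules.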
diff --git a/rules/malware/family/beurk.yara b/rules/malware/family/beurk.yara
index 815a2d848..2b2de8c51 100644
--- a/rules/malware/family/beurk.yara
+++ b/rules/malware/family/beurk.yara
@@ -23,12 +23,14 @@ rule beurk_xor: critical linux {
 ref = "https://github.com/unix-thrust/beurk"
 strings:
- $ = "BEURK" xor(1-31) fullword
- $ = "BEURK" xor(33-255) fullword
- $ = "b3urkR0cks" xor(1-31)
- $ = "b3urkR0cks" xor(33-255)
+ $x_BEURK = "BEURK" xor(1-31) fullword
+ $x_BEURK2 = "BEURK" xor(33-255) fullword
+ $x_b3urkR0cks = "b3urkR0cks" xor(1-31)
+ $x_b3urkR0cks2 = "b3urkR0cks" xor(33-255)
+
+ $dlsym = "dlsym" fullword
 condition:
- filesize < 2MB and any of them
+ filesize < 2MB and $dlsym and any of ($x*)
 }
diff --git a/rules/persist/shell/bash.yara b/rules/persist/shell/bash.yara
index 83b895b91..374d3d31b 100644
--- a/rules/persist/shell/bash.yara
+++ b/rules/persist/shell/bash.yara
@@ -26,9 +26,10 @@ rule bash_persist_persistent: high {
 $ref3 = ".profile"
 $ref4 = ".bashrc"
- $not_bash = "POSIXLY_CORRECT"
- $not_csh = ".cshrc" fullword
- $not_tcsh = "tcsh" fullword
+ $not_bash = "POSIXLY_CORRECT"
+ $not_csh = ".cshrc"
+ $not_tcsh = "tcsh" fullword
+ $not_tcshrc = ".tcshrc"
 condition:
 3 of them and none of ($not*)
@@ -56,7 +57,8 @@ rule bash_logout_persist: high {
 $not_bash = "POSIXLY_CORRECT"
 $not_comment = "# ~/.bash_logout"
 $not_clear = "/usr/bin/clear_console"
- $not_csh = ".cshrc" fullword
+ $not_csh = ".cshrc"
+ $not_tcshrc = ".tcshrc"
 condition:
 filesize < 2097152 and any of ($ref*) and none of ($not*)
diff --git a/tests/linux/2024.sbcl.market/sbcl.clean.simple b/tests/linux/2024.sbcl.market/sbcl.clean.simple
new file mode 100644
index 000000000..07b00a26f
--- /dev/null
+++ b/tests/linux/2024.sbcl.market/sbcl.clean.simple
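Review bot: beurk_xor now requires a cleartext `$dlsym` in addition to the XOR-encoded markers, which narrows a rule whose whole point was the encoded strings; the previous revision matched on them alone. The reason for the new requirement is not stated anywhere in the hunk, so add a comment above `$dlsym = "dlsym" fullword` saying what it is meant to exclude, otherwise the next maintainer cannot tell whether removing it would reintroduce a false positive.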
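Review bot: Dropping `fullword` from `$not_csh = ".cshrc"` makes it match inside `.tcshrc` as well, so the new `$not_tcshrc = ".tcshrc"` is redundant in both bash_persist_persistent and bash_logout_persist (second hunk). If the goal was only to add tcsh coverage, keep `$not_csh = ".cshrc" fullword` alongside the explicit `$not_tcshrc`; if substring matching is intended, drop `$not_tcshrc`. Either way, the substring form also excludes any script that merely mentions `.cshrc` in a longer token, which widens the suppression of both rules beyond csh-family profile handling.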
@@ -0,0 +1,24 @@ +# linux/2024.sbcl.market/sbcl.clean: medium +c2/addr/url: low +c2/tool_transfer/arch: low +crypto/rc4: low +data/compression/zstd: low +discover/user/HOME: low +discover/user/USER: low +evasion/file/location/var_tmp: medium +exec/dylib/address_check: low +exec/dylib/symbol_address: medium +exec/program: medium +exec/program/background: low +exec/shell/echo: medium +fs/file/delete: low +fs/file/truncate: low +fs/link_read: low +fs/path/dev: medium +fs/path/tmp: medium +fs/path/var: low +fs/permission/modify: low +fs/proc/self_exe: medium +fs/symlink_resolve: low +fs/tempdir/TEMP: low +net/url/embedded: low diff --git a/tests/linux/2024.sbcl.market/sbcl.sdiff b/tests/linux/2024.sbcl.market/sbcl.sdiff index fb3cc46aa..0d81f2098 100644 --- a/tests/linux/2024.sbcl.market/sbcl.sdiff +++ b/tests/linux/2024.sbcl.market/sbcl.sdiff @@ -8,7 +8,6 @@ data/compression/zstd discover/user/HOME discover/user/USER evasion/file/location/var_tmp --evasion/rootkit/userspace exec/dylib/address_check exec/dylib/symbol_address exec/program diff --git a/tests/linux/clean/eza.simple b/tests/linux/clean/eza.simple new file mode 100644 index 000000000..114eb2ec6 --- /dev/null +++ b/tests/linux/clean/eza.simple @@ -0,0 +1,28 @@ +# linux/clean/eza: medium +anti-static/elf/multiple: medium +c2/addr/url: low +c2/tool_transfer/arch: low +c2/tool_transfer/os: medium +credential/server/htpasswd: medium +credential/shell/bash_history: medium +credential/ssh/authorized_hosts: medium +crypto/ed25519: low +crypto/rc4: low +data/encoding/base64: low +discover/user/HOME: low +evasion/file/prefix: medium +exec/dylib/iterate: low +exec/dylib/symbol_address: medium +fs/link_read: low +fs/mount: low +fs/path/etc: low +fs/path/home_config: low +fs/proc/self_cgroup: medium +fs/proc/self_exe: medium +fs/proc/self_mountinfo: medium +fs/symlink_resolve: low +fs/tempdir/TEMP: low +net/url/embedded: low +persist/shell/bash: medium +persist/shell/zsh: medium +process/multithreaded: low 
diff --git a/tests/linux/clean/kolide/launcher.simple b/tests/linux/clean/kolide/launcher.simple new file mode 100644 index 000000000..6ddd68735 --- /dev/null +++ b/tests/linux/clean/kolide/launcher.simple 
@@ -0,0 +1,126 @@ +# linux/clean/kolide/launcher: medium +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/url: low +c2/tool_transfer/arch: low +c2/tool_transfer/os: medium +collect/archives/zip: medium +collect/databases/mysql: medium +collect/databases/postgresql: medium +collect/databases/sqlite: medium +credential/keychain: medium +credential/password: low +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/public_key: low +crypto/tls: low +data/compression/gzip: low +data/compression/zlib: low +data/embedded/base64_terms: medium +data/embedded/base64_url: medium +data/embedded/html: medium +data/embedded/pem_certificate: low +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/hash/blake2b: low +data/hash/md5: low +discover/network/netstat: medium +discover/processes/list: medium +discover/system/cpu: low +discover/system/hostname: low +discover/system/platform: medium +discover/user/USER: low +evasion/file/prefix: medium +evasion/logging/acct: low +exec/cmd: medium +exec/plugin: low +exec/program: medium +exec/shell/TERM: low +exec/shell/command: medium +exec/system_controls/systemd: medium +exfil/upload: medium +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/file/create: medium +fs/file/delete: low +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/stat: low +fs/file/truncate: low +fs/file/write: low +fs/link_read: low +fs/lock_update: low +fs/mount: low +fs/path/boot: medium +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home_config: low +fs/path/tmp: medium +fs/path/usr_bin: low +fs/path/usr_local: medium +fs/path/usr_sbin: low +fs/path/var: low +fs/path/var_log: medium +fs/permission/chown: medium +fs/permission/modify: medium +fs/proc/self_mountinfo: medium +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low 
+fs/tempdir/create: low +fs/tempfile: low +hw/dev/block_ice: medium +impact/remote_access/net_term: medium +net/dns: low +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/parse: medium +net/ip/tcp_state_tracker: medium +net/resolve/hostname: low +net/resolve/hostport_parse: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +net/tcp/connect: medium +net/tcp/grpc: low +net/tcp/sftp: medium +net/tcp/ssh: medium +net/udp/receive: low +net/udp/send: low +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +os/fd/sendfile: low +os/kernel/key_management: low +os/kernel/netlink: low +persist/pid_file: medium +privesc/setuid: low +privesc/sudo: medium +process/groupid_set: low +process/groups_set: low +process/multithreaded: low diff --git a/tests/linux/clean/kolide/osqueryd.simple b/tests/linux/clean/kolide/osqueryd.simple new file mode 100644 index 000000000..a5b4f62f8 --- /dev/null +++ b/tests/linux/clean/kolide/osqueryd.simple 
@@ -0,0 +1,212 @@ +# linux/clean/kolide/osqueryd: medium +anti-static/elf/multiple: medium +anti-static/obfuscation/obfuscate: low +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/url: low +c2/client: medium +c2/tool_transfer/arch: low +c2/tool_transfer/os: medium +collect/databases/leveldb: medium +collect/databases/sqlite: medium +credential/cloud/aws: medium +credential/keychain: medium +credential/password: low +credential/shell/bash_history: medium +credential/shell/zsh_history: medium +credential/sniffer/bpf: medium +credential/ssh/authorized_hosts: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ed25519: low +crypto/gost89: low +crypto/openssl: medium +crypto/public_key: low +crypto/tls: low +data/base64/decode: medium +data/compression/bzip2: low +data/compression/gzip: low +data/compression/lzma: low +data/compression/zlib: low +data/compression/zstd: low +data/embedded/pem_private_key: medium +data/encoding/base64: low +data/hash/blake2b: low +data/hash/md5: low +data/hash/sha1: low +data/hash/sha256: low +data/hash/whirlpool: medium +data/random/insecure: low +discover/cloud/google_metadata: low +discover/components/docker: medium +discover/group/lookup: medium +discover/network/interface: low +discover/network/interface_list: medium +discover/network/mac_address: medium +discover/process/name: medium +discover/process/parent: low +discover/process/runtime_deps: medium +discover/system/cpu: low +discover/system/hostname: low +discover/system/machine_id: low +discover/system/platform: low +discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +discover/user/name_get: low +evasion/bypass_security/linux/iptables: medium +evasion/file/location/var_run: medium +evasion/file/prefix: medium +evasion/hide_artifacts/pivot_root: medium +evasion/logging/acct: low +evasion/logging/current_logins: medium +evasion/logging/dev_log: medium 
+evasion/process_injection/ptrace: medium +evasion/process_injection/readelf: medium +exec/conditional/LANG: low +exec/dylib/address_check: low +exec/dylib/iterate: low +exec/dylib/symbol_address: medium +exec/plugin: low +exec/program: medium +exec/program/background: low +exec/reconfigure/hostname_set: low +exec/shell/SHELL: low +exec/shell/TERM: low +exec/shell/arbitrary_command_dev_null: medium +exec/shell/echo: medium +exec/shell/exec: medium +exec/shell/ignore_output: medium +exec/system_controls/apparmor: medium +exec/system_controls/systemd: low +exec/tty/vhangup: low +exfil/collection: medium +fs/attributes/remove: medium +fs/attributes/set: medium +fs/blkid: low +fs/directory/create: low +fs/directory/remove: low +fs/event_monitoring: low +fs/fifo_create: low +fs/file/capabilities_set: low +fs/file/delete: medium +fs/file/delete_forcibly: low +fs/file/flags_change: low +fs/file/open: low +fs/file/open_by_handle: low +fs/file/times_set: medium +fs/file/truncate: low +fs/link_create: low +fs/link_read: low +fs/lock_update: low +fs/loopback: medium +fs/mount: low +fs/mounts_read: medium +fs/node_create: low +fs/path/boot: medium +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/from_cookie: low +fs/path/home: low +fs/path/home_config: low +fs/path/root: medium +fs/path/tmp: medium +fs/path/users: medium +fs/path/usr_bin: low +fs/path/usr_lib_python: medium +fs/path/usr_local: medium +fs/path/usr_sbin: low +fs/path/var: low +fs/path/var_log: medium +fs/path/windows_root: low +fs/permission/chown: low +fs/permission/modify: medium +fs/proc/arbitrary_pid: medium +fs/proc/cpuinfo: medium +fs/proc/meminfo: medium +fs/proc/mounts: medium +fs/proc/self_exe: medium +fs/proc/self_mountinfo: medium +fs/proc/self_status: medium +fs/proc/stat: medium +fs/quota_manipulate: low +fs/swap/off: low +fs/swap/on: low +fs/symlink_resolve: low +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempfile: low +fs/unmount: low +fs/watch: low +hw/cpu: medium 
+hw/dev/block_ice: medium +hw/dev/diskmapper: medium +hw/dev/mapper: medium +impact/degrade/linux_paths: medium +impact/infection/worm: medium +impact/reboot: low +impact/remote_access/heartbeat: medium +impact/remote_access/iptables: medium +lateral/scan/tool: medium +mem/anonymous_file: medium +net/dns/txt: low +net/http/2: low +net/http/accept: low +net/http/accept_encoding: low +net/http/auth: low +net/http/cookies: medium +net/http/form_upload: medium +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/http/websocket: medium +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/ip/resolve: low +net/ip/send_unicast: low +net/ip/string: medium +net/ip/syncookie: medium +net/proxy/socks5: medium +net/proxy/tunnel: medium +net/resolve/hostname: low +net/resolve/hostport_parse: low +net/rpc/ntlm: medium +net/socket/listen: medium +net/socket/local_addr: low +net/socket/pair: medium +net/socket/peer_address: low +net/socket/receive: low +net/socket/reuseport: medium +net/socket/send: low +net/tcp/ssh: medium +net/url/embedded: medium +net/url/encode: medium +os/fd/epoll: low +os/fd/read: low +os/fd/sendfile: low +os/kernel/key_management: low +os/kernel/netlink: low +os/kernel/opencl: medium +os/kernel/perfmon: low +os/kernel/seccomp: low +os/time/clock_set: low +persist/cron/tab: medium +persist/kernel_module/symbol_lookup: medium +persist/kernel_module/unload: medium +persist/pid_file: medium +persist/ssh_authorized_keys: medium +privesc/setuid: low +process/chroot: low +process/create: low +process/groupid_set: low +process/groups_set: low +process/multithreaded: low +process/name_set: medium +process/namespace_set: low +process/unshare: low +sus/intercept: medium diff --git a/tests/linux/clean/rust_libtest-350a2b8f7a4551b7.so.simple b/tests/linux/clean/rust_libtest-350a2b8f7a4551b7.so.simple new file mode 100644 index 000000000..a46fa6fc2 --- /dev/null 
+++ b/tests/linux/clean/rust_libtest-350a2b8f7a4551b7.so.simple @@ -0,0 +1,7 @@ +# linux/clean/rust_libtest-350a2b8f7a4551b7.so: medium +c2/addr/url: low +c2/tool_transfer/arch: low +discover/process/runtime_deps: medium +exec/program: medium +fs/path/etc: low +net/url/embedded: low diff --git a/tests/linux/clean/trino.linux-amd64.launcher.simple b/tests/linux/clean/trino.linux-amd64.launcher.simple new file mode 100644 index 000000000..24bbc955f --- /dev/null +++ b/tests/linux/clean/trino.linux-amd64.launcher.simple @@ -0,0 +1,14 @@ +# linux/clean/trino.linux-amd64.launcher: medium +anti-static/elf/content: medium +anti-static/elf/entropy: medium +anti-static/elf/header: medium +anti-static/elf/multiple: medium +anti-static/packer/upx: medium +c2/addr/url: low +c2/tool_transfer/arch: low +crypto/aes: low +data/compression/gzip: low +fs/proc/self_exe: medium +net/dns/txt: low +net/http/post: medium +net/url/embedded: low diff --git a/tests/linux/clean/trino.linux-arm64.launcher.simple b/tests/linux/clean/trino.linux-arm64.launcher.simple new file mode 100644 index 000000000..5a2e5bbc4 --- /dev/null +++ b/tests/linux/clean/trino.linux-arm64.launcher.simple @@ -0,0 +1,12 @@ +# linux/clean/trino.linux-arm64.launcher: medium +anti-static/elf/content: medium +anti-static/elf/entropy: medium +anti-static/elf/header: medium +anti-static/elf/multiple: medium +anti-static/packer/upx: medium +c2/addr/url: low +crypto/aes: low +fs/path/users: medium +fs/proc/self_exe: medium +net/dns/txt: low +net/url/embedded: low diff --git a/tests/linux/clean/trino.linux-ppc64le.launcher.simple b/tests/linux/clean/trino.linux-ppc64le.launcher.simple new file mode 100644 index 000000000..7a9e6ab00 --- /dev/null +++ b/tests/linux/clean/trino.linux-ppc64le.launcher.simple 
@@ -0,0 +1,10 @@ +# linux/clean/trino.linux-ppc64le.launcher: medium +anti-static/elf/content: medium +anti-static/elf/entropy: medium +anti-static/elf/header: medium +anti-static/elf/multiple: medium +anti-static/packer/upx: medium +c2/addr/url: low +net/dns/txt: low +net/http/post: medium +net/url/embedded: low diff --git a/tests/python/2021.DiscordSafety/setup.py.simple b/tests/python/2021.DiscordSafety/setup.py.simple index 95d1fc67b..e1889aba2 100644 --- a/tests/python/2021.DiscordSafety/setup.py.simple +++ b/tests/python/2021.DiscordSafety/setup.py.simple @@ -15,6 +15,6 @@ exec/remote_commands/code_eval: critical exfil/stealer/browser: high fs/directory/create: low fs/path/users: medium -impact/remote_access/py_setuptools: critical +impact/remote_access/py_setuptools: high net/url/embedded: medium net/url/request: medium diff --git a/tests/python/2024.Custom.RAT/output.py.simple b/tests/python/2024.Custom.RAT/output.py.simple index 31ee7af65..51e46c620 100644 --- a/tests/python/2024.Custom.RAT/output.py.simple +++ b/tests/python/2024.Custom.RAT/output.py.simple @@ -33,7 +33,7 @@ exec/shell/power: medium exfil/discord: critical exfil/stealer/browser: high exfil/stealer/discord: high -exfil/stealer/keylogger: critical +exfil/stealer/keylogger: high exfil/upload: high fs/directory/create: low fs/directory/list: low diff --git a/tests/python/clean/airflow/botocore_config.py.simple b/tests/python/clean/airflow/botocore_config.py.simple new file mode 100644 index 000000000..c71e9a94f --- /dev/null +++ b/tests/python/clean/airflow/botocore_config.py.simple @@ -0,0 +1,7 @@ +# python/clean/airflow/botocore_config.py: medium +exec/imports/python: low +impact/remote_access/agent: medium +net/http/request: low +net/ip/host_port: medium +net/socket/connect: medium +net/url/embedded: low diff --git a/tests/python/clean/airflow/db.py.simple b/tests/python/clean/airflow/db.py.simple new file mode 100644 index 000000000..78f3cd6e7 --- /dev/null 
+++ b/tests/python/clean/airflow/db.py.simple @@ -0,0 +1,13 @@ +# python/clean/airflow/db.py: medium +collect/databases/leveldb: medium +collect/databases/mysql: medium +collect/databases/postgresql: medium +collect/databases/sqlite: medium +credential/password: low +credential/ssh: medium +exec/plugin: low +fs/tempdir: low +net/ip/host_port: medium +net/tcp/sftp: medium +net/url/embedded: low +os/fd/multiplex: low diff --git a/tests/python/clean/airflow/kubernetes_engine.py.simple b/tests/python/clean/airflow/kubernetes_engine.py.simple new file mode 100644 index 000000000..07bd2598a --- /dev/null +++ b/tests/python/clean/airflow/kubernetes_engine.py.simple @@ -0,0 +1,6 @@ +# python/clean/airflow/kubernetes_engine.py: medium +anti-static/obfuscation/python: medium +exec/imports/python: low +net/http/auth: low +net/url/embedded: low +net/url/request: medium diff --git a/tests/python/clean/conda-build/_load_setup_py_data.py.simple b/tests/python/clean/conda-build/_load_setup_py_data.py.simple index 8572bf45a..88fdc56a1 100644 --- a/tests/python/clean/conda-build/_load_setup_py_data.py.simple +++ b/tests/python/clean/conda-build/_load_setup_py_data.py.simple @@ -3,7 +3,7 @@ exec/imports/python: low exec/remote_commands/code_eval: medium fs/file/exists: low fs/file/open: low -impact/remote_access/py_setuptools: low +impact/remote_access/py_setuptools: medium net/download: medium net/url/embedded: low os/fd/read: low diff --git a/tests/python/clean/fonttools/psLib.py.simple b/tests/python/clean/fonttools/psLib.py.simple new file mode 100644 index 000000000..136b64901 --- /dev/null +++ b/tests/python/clean/fonttools/psLib.py.simple @@ -0,0 +1,3 @@ +# python/clean/fonttools/psLib.py: low +anti-static/obfuscation/python: low +exec/imports/python: low diff --git a/tests/python/clean/google-auth-library-python/setup.py.simple b/tests/python/clean/google-auth-library-python/setup.py.simple index 09d3a2a14..170dcde4b 100644 
--- a/tests/python/clean/google-auth-library-python/setup.py.simple +++ b/tests/python/clean/google-auth-library-python/setup.py.simple @@ -7,5 +7,6 @@ exec/remote_commands/code_eval: medium exec/shell/command: medium fs/file/open: low fs/file/read: low +impact/remote_access/py_setuptools: medium net/url/embedded: low os/fd/read: low diff --git a/tests/python/clean/google-cloud-sdk/requests_setup.py.simple b/tests/python/clean/google-cloud-sdk/requests_setup.py.simple new file mode 100644 index 000000000..ba66aa37b --- /dev/null +++ b/tests/python/clean/google-cloud-sdk/requests_setup.py.simple @@ -0,0 +1,12 @@ +# python/clean/google-cloud-sdk/requests_setup.py: medium +exec/imports/python: low +exec/program: medium +exec/remote_commands/code_eval: medium +exec/shell/command: medium +fs/file/open: low +fs/path/usr_bin: low +impact/remote_access/py_setuptools: medium +net/url/embedded: low +net/url/parse: low +os/fd/read: low +process/multi: medium diff --git a/tests/python/clean/idna/setup.py.simple b/tests/python/clean/idna/setup.py.simple index 3a36d1ecf..008331d6e 100644 --- a/tests/python/clean/idna/setup.py.simple +++ b/tests/python/clean/idna/setup.py.simple @@ -2,5 +2,6 @@ exec/imports/python: low exec/remote_commands/code_eval: medium fs/file/open: low +impact/remote_access/py_setuptools: medium net/url/embedded: low os/fd/read: low diff --git a/tests/python/clean/matplotlib/_backend_tk.py.simple b/tests/python/clean/matplotlib/_backend_tk.py.simple new file mode 100644 index 000000000..c2b033ac2 --- /dev/null +++ b/tests/python/clean/matplotlib/_backend_tk.py.simple @@ -0,0 +1,6 @@ +# python/clean/matplotlib/_backend_tk.py: medium +anti-static/obfuscation/bitwise: low +c2/tool_transfer/os: medium +discover/system/platform: medium +exec/imports/python: low +net/url/embedded: low diff --git a/tests/python/clean/matplotlib/backend_bases.py.simple b/tests/python/clean/matplotlib/backend_bases.py.simple new file mode 100644 index 000000000..14e0fc17c 
--- /dev/null +++ b/tests/python/clean/matplotlib/backend_bases.py.simple @@ -0,0 +1,7 @@ +# python/clean/matplotlib/backend_bases.py: medium +c2/tool_transfer/os: low +discover/system/platform: medium +net/socket/connect: medium +net/socket/listen: medium +net/socket/pair: medium +net/url/embedded: low diff --git a/tests/python/clean/matplotlib/backend_qt.py.simple b/tests/python/clean/matplotlib/backend_qt.py.simple new file mode 100644 index 000000000..2fe4bb7b5 --- /dev/null +++ b/tests/python/clean/matplotlib/backend_qt.py.simple @@ -0,0 +1,9 @@ +# python/clean/matplotlib/backend_qt.py: medium +c2/tool_transfer/os: medium +discover/system/platform: medium +exec/imports/python: low +exec/remote_commands/code_eval: medium +net/socket/pair: medium +net/socket/receive: low +net/url/embedded: low +os/time/clock_sleep: medium diff --git a/tests/python/clean/matplotlib/backend_wx.py.simple b/tests/python/clean/matplotlib/backend_wx.py.simple new file mode 100644 index 000000000..045e6a281 --- /dev/null +++ b/tests/python/clean/matplotlib/backend_wx.py.simple @@ -0,0 +1,5 @@ +# python/clean/matplotlib/backend_wx.py: medium +c2/tool_transfer/os: medium +discover/system/platform: medium +exec/imports/python: low +net/url/embedded: low diff --git a/tests/python/clean/mitmproxy/raw_display.py.simple b/tests/python/clean/mitmproxy/raw_display.py.simple new file mode 100644 index 000000000..f8393396d --- /dev/null +++ b/tests/python/clean/mitmproxy/raw_display.py.simple @@ -0,0 +1,16 @@ +# python/clean/mitmproxy/raw_display.py: medium +c2/tool_transfer/os: low +exec/imports/python: low +exec/program: medium +exec/program/background: low +exec/shell/TERM: low +fs/file/write: low +fs/path/usr_bin: low +net/socket/connect: medium +net/socket/pair: medium +net/socket/receive: low +net/socket/send: low +net/url/embedded: low +os/fd/write: low +persist/daemon: medium +process/multithreaded: medium 
diff --git a/tests/python/clean/ml_sdk/setup.py.simple b/tests/python/clean/ml_sdk/setup.py.simple index 57f63afdb..f3cad667f 100644 --- a/tests/python/clean/ml_sdk/setup.py.simple +++ b/tests/python/clean/ml_sdk/setup.py.simple @@ -2,5 +2,6 @@ exec/imports/python: low exec/remote_commands/code_eval: medium fs/file/open: low +impact/remote_access/py_setuptools: medium net/url/embedded: low os/fd/read: low diff --git a/tests/python/clean/numba/support.py.simple b/tests/python/clean/numba/support.py.simple index 9f28257b0..585043a3a 100644 --- a/tests/python/clean/numba/support.py.simple +++ b/tests/python/clean/numba/support.py.simple @@ -6,7 +6,6 @@ discover/system/platform: medium exec/imports/python: low exec/program: medium exec/remote_commands/code_eval: medium -false-positives/setuptools: low fs/directory/create: low fs/directory/list: low fs/file/open: low diff --git a/tests/python/clean/pydevd/setup_pydevd_cython.py.simple b/tests/python/clean/pydevd/setup_pydevd_cython.py.simple index 543cd076e..7534b61bc 100644 --- a/tests/python/clean/pydevd/setup_pydevd_cython.py.simple +++ b/tests/python/clean/pydevd/setup_pydevd_cython.py.simple @@ -9,6 +9,6 @@ fs/file/open: low fs/file/read: low fs/file/write: low fs/tempdir/TEMP: low -impact/remote_access/py_setuptools: low +impact/remote_access/py_setuptools: medium os/fd/read: low os/fd/write: low diff --git a/tests/python/clean/requests/setup.py.simple b/tests/python/clean/requests/setup.py.simple index 108a1ec34..4d48c3d10 100644 --- a/tests/python/clean/requests/setup.py.simple +++ b/tests/python/clean/requests/setup.py.simple @@ -6,6 +6,7 @@ exec/remote_commands/code_eval: medium exec/shell/command: medium fs/file/open: low fs/path/usr_bin: low +impact/remote_access/py_setuptools: medium net/ip/parse: medium net/url/embedded: low net/url/parse: low 
diff --git a/tests/python/clean/setuptools/test_pyprojecttoml.py.simple b/tests/python/clean/setuptools/test_pyprojecttoml.py.simple index 102f278c2..3f4fc9686 100644 --- a/tests/python/clean/setuptools/test_pyprojecttoml.py.simple +++ b/tests/python/clean/setuptools/test_pyprojecttoml.py.simple @@ -4,6 +4,5 @@ discover/system/platform: medium exec/imports/python: low exec/shell/command: medium fs/file/open: low -impact/remote_access/py_setuptools: low net/url/embedded: low os/fd/write: low