Address false positives seen with argocd, grafana, jupyterhub, and reflex

pkg/compile/compile.go

@@ -31,6 +31,7 @@ var badRules = map[string]bool{
 	"ELASTIC_Macos_Creddump_Keychainaccess_535C1511":      true,
 	"SIGNATURE_BASE_Reconcommands_In_File":                true,
 	"SIGNATURE_BASE_Apt_CN_Tetrisplugins_JS":              true,
+	"CAPE_Sparkrat":                                       true,
 	// ThreatHunting Keywords (some duplicates)
 	"Adobe_XMP_Identifier":                       true,
 	"Antivirus_Signature_signature_keyword":      true,

rules/combo/degrader/edr_killer.yara

@@ -11,11 +11,12 @@ rule win_kill_proc_likely : high {
 	$debug_uhf = "UnhandledExceptionFilter"
 	$kill_gmh = "GetModuleHandle"
 	$kill_tp = "TerminateProcess"
+
   condition:
-	filesize < 1MB and 1 of ($kill*) and 2 of ($debug*) and 1 of ($f*) 
+	filesize < 1MB and 1 of ($kill*) and 2 of ($debug*) and 1 of ($f*)
 }
 
-rule win_kill_proc : critical {
+rule win_kill_proc : high {
   meta:
     description = "Windows EDR/Antivirus bypass"
   strings:
@@ -28,8 +29,9 @@ rule win_kill_proc : critical {
 	$debug_uhf = "UnhandledExceptionFilter"
 	$kill_gmh = "GetModuleHandle"
 	$kill_tp = "TerminateProcess"
+
   condition:
-	filesize < 1MB and all of ($kill*) and 3 of ($debug*) and 1 of ($f*) 
+	filesize < 1MB and all of ($kill*) and 3 of ($debug*) and 1 of ($f*)
 }
 
 rule edr_stopper : critical {
@@ -40,4 +42,4 @@ rule edr_stopper : critical {
 	$stop = "stopservice"
   condition:
 	filesize < 1MB and $stop and any of ($kind*)
-}
+}

rules/combo/stealer/browser.yara

@@ -21,7 +21,7 @@ rule multiple_browser_credentials : high {
     3 of ($c_*) and none of ($not_*)
 }
 
-rule multiple_browser_refs : critical {
+rule multiple_browser_refs : high {
   meta:
     description = "Makes references to multiple browser credentials"
     hash_1985_actions_UserGet = "e3a457ec75e3a042fb34fa6d49e0e833265d21d26c4e0119aaa1b6ec8a9460ec"
@@ -152,4 +152,4 @@ rule chrome_encrypted_cookies : critical {
 		$select = /SELECT.{0,64}encrypted_value{0,64}cookies/
 	condition:
 		$select
-}
+}

rules/combo/stealer/crypto.yara

@@ -1,4 +1,4 @@
-rule js_crypto_stealer : critical {
+rule js_crypto_stealer : high {
   meta:
     description = "steals private cryptographic data"
   strings:
@@ -11,6 +11,7 @@ rule js_crypto_stealer : critical {
     $url = /https{0,1}:\/\/[\w][\w\.\/\-_\?=\@]{8,64}/
 
 	$POST = "POST"
+
   condition:
 	filesize < 50KB and $url and $POST and any of ($pk*)
 }

rules/obfuscation/js/char_codes.yara

@@ -1,6 +1,6 @@
 import "math"
 
-rule child_process : critical {
+rule child_process : high {
 	meta:
 		description = "obfuscated javascript that relies on character manipulation"
 		filetypes = "javascript"
@@ -16,6 +16,7 @@ rule child_process : critical {
 		$const = "const "
 		$function = "function("
 		$return = "{return"
+
 	condition:
 		filesize < 128KB and all of them
 }

rules/obfuscation/js/function_spam.yara

@@ -1,10 +1,11 @@
-rule js_const_func_obfuscation : critical {
+rule js_const_func_obfuscation : medium {
 	meta:
 		description = "javascript obfuscation (excessive const functions)"
 	strings:
 		$const = "const "
 		$function = "function("
 		$return = "{return"
+
 	condition:
 		filesize < 256KB and #const > 32 and #function > 48 and #return > 64
 }

rules/obfuscation/js/parseInt.yara

@@ -1,4 +1,4 @@
-rule js_const_func_obfuscation : critical {
+rule js_const_func_obfuscation : high {
 	meta:
 		description = "javascript obfuscation (integer parsing)"
 		filetypes = "javascript"
@@ -7,6 +7,7 @@ rule js_const_func_obfuscation : critical {
 		$function = "function("
 		$return = "{return"
 		$parseInt = "parseInt"
+
 	condition:
 		filesize < 256KB and #const > 16 and #function > 32 and #parseInt > 8 and #return > 32
 }