diff --git a/pkg/action/scan.go b/pkg/action/scan.go index 461cf4b0..69c355a3 100644 --- a/pkg/action/scan.go +++ b/pkg/action/scan.go @@ -211,7 +211,7 @@ func cachedRules(ctx context.Context, fss []fs.FS) (*yara.Rules, error) { // recursiveScan recursively YARA scans the configured paths - handling archives and OCI images. // -//nolint:gocognit // ignoring complexity of 101 > 98 +//nolint:gocognit,cyclop // ignoring complexity of 101,38 func recursiveScan(ctx context.Context, c malcontent.Config) (*malcontent.Report, error) { logger := clog.FromContext(ctx) logger.Debug("recursive scan", slog.Any("config", c)) @@ -225,7 +225,9 @@ func recursiveScan(ctx context.Context, c malcontent.Config) (*malcontent.Report var scanPathFindings sync.Map for _, scanPath := range c.ScanPaths { - c.Renderer.Scanning(ctx, scanPath) + if c.Renderer != nil { + c.Renderer.Scanning(ctx, scanPath) + } logger.Debug("recursive scan", slog.Any("scanPath", scanPath)) imageURI := "" ociExtractPath := "" diff --git a/pkg/compile/compile.go b/pkg/compile/compile.go index 2cc3a9c0..4c0f02ff 100644 --- a/pkg/compile/compile.go +++ b/pkg/compile/compile.go @@ -59,6 +59,9 @@ var badRules = map[string]bool{ "Windows_API_Function": true, // TTC-CERT "cve_202230190_html_payload": true, + // JPCERT + "malware_PlugX_config": true, + "malware_shellcode_hash": true, } // rulesWithWarnings determines what to do with rules that have known warnings: true=keep, false=disable. diff --git a/pkg/report/report.go b/pkg/report/report.go index ac2cc576..fe64df78 100644 --- a/pkg/report/report.go +++ b/pkg/report/report.go @@ -652,6 +652,9 @@ func handleOverrides(original, override []*malcontent.Behavior) []*malcontent.Be if b, exists := behaviorMap[o.Override]; exists { b.RiskLevel = o.RiskLevel b.RiskScore = o.RiskScore + + // Delete the override rule from the behavior map + delete(behaviorMap, o.RuleName) } } 
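Review bot: The new nil guard protects only the `Scanning` call, so if `recursiveScan` (which begins and ends outside this hunk) calls any other `c.Renderer.*` method further down the same per-path loop, a nil Renderer still panics there. If a nil Renderer is now a supported configuration, either guard every call site the same way or, cleaner, have the caller substitute a no-op renderer so the scan loop never checks. Either way, record the intent at the guard, e.g. `// Renderer is optional; callers that only want the Report may leave it nil`, since right now the reason for the check has to be inferred from the check itself.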
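Review bot: The two JPCERT entries are added to `badRules` with only a source attribution, so a reader cannot tell why a PlugX-config rule and a shellcode-hash rule are being dropped — compile failure, runtime cost, or false positives — and for a detector each entry is a deliberate coverage loss. The existing entries share that gap, but these two name malware families, so the reason belongs inline, e.g. `// JPCERT: disabled because <compile warning / FP rate / scan cost>; revisit when upstream fixes`. Keeping the rationale next to the entry is what lets someone re-enable the rule safely later.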
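Review bot: `delete(behaviorMap, o.RuleName)` sits inside the `if b, exists := behaviorMap[o.Override]; exists` branch, so an override rule whose target rule did not fire is never removed and is reported as a finding in its own right; the fixtures in this commit show that, listing `false_positives/k8s_dashboard` in `5A50D547….cache.js.simple` and `false_positives/trivy` in `trivy.simple`, while the same override is absent from `mode-php.js.simple`, where its target does fire. Unless an override is meant to surface as a behavior when nothing matched, close the `if` after `b.RiskScore = o.RiskScore` and run `delete(behaviorMap, o.RuleName) // override rules are bookkeeping, never findings` unconditionally. `handleOverrides` starts and ends outside this hunk, so please confirm `o.RuleName` is the same key the map was built with before moving the call.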
diff --git a/rules/combo/dropper/shell.yara b/rules/combo/dropper/shell.yara index 15253463..0dcf70b9 100644 --- a/rules/combo/dropper/shell.yara +++ b/rules/combo/dropper/shell.yara @@ -40,7 +40,7 @@ rule curl_chmod_relative_run_tiny : critical { filesize < 6KB and all of them } -rule curl_tor_chmod_relative_run : critical { +rule curl_tor_chmod_relative_run : high { meta: description = "change dir, fetch file via tor, make it executable, and run it" hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588" @@ -55,8 +55,10 @@ rule curl_tor_chmod_relative_run : critical { $curl = /curl [\-\w \$\@\{\w\/\.\:]{0,96}/ $chmod = /chmod [\+\-\w \$\@\{\w\/\.]{0,64}/ $dot_slash = /\.\/[a-z]{1,2}[a-z\.\/\- ]{0,32}/ fullword + + $not_go = "listen.onionndots" condition: - any of ($tor*) and $cd and $curl and $chmod and $dot_slash + any of ($tor*) and $cd and $curl and $chmod and $dot_slash and filesize < 1MB and none of ($not*) } @@ -167,4 +169,4 @@ rule obsessive_dropper : critical { $cmd_chmod = "chmod" fullword condition: filesize < 768 and any of ($http*) and 2 of ($tool*) and any of ($cmd*) -} \ No newline at end of file +} diff --git a/rules/false_positives/datadog.yara b/rules/false_positives/datadog.yara new file mode 100644 index 00000000..cbc02762 --- /dev/null +++ b/rules/false_positives/datadog.yara @@ -0,0 +1,11 @@ +rule ddtrace_rules_json : override { + meta: + description = "appsec/rules.json" + linux_multi_persist = "medium" + strings: + $datadog = /[Dd]atadog/ + $datadog_generic = /[Dd]atadog \w{0,32}/ + $datadog_test_scanner = "Datadog test scanner" + condition: + all of them +} diff --git a/rules/false_positives/k8s_dashboard.yara b/rules/false_positives/k8s_dashboard.yara new file mode 100644 index 00000000..56c97e3b --- /dev/null +++ b/rules/false_positives/k8s_dashboard.yara 
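Review bot: `none of ($not*)` over a single literal `listen.onionndots` turns a high-severity tor-dropper rule into one any author can switch off by embedding that one string, and `filesize < 1MB` additionally blanks the rule for any larger binary a dropper stub is linked into; both are global weakenings applied to what looks like one Go-binary false positive (the literal reads like two adjacent Go string-table entries, `listen.onion` and `ndots`, though that is an inference). The earlier hunk's critical→high downgrade reads as the same false positive being fixed a third way. This commit already adds `rules/false_positives/trivy.yara` overriding exactly this rule, which is the scoped mechanism, so prefer it and drop `$not_go` and the size cap — keeping both also leaves the override dead, since its target no longer fires on trivy. If a size bound is still wanted, justify it in a comment such as `// dropper scripts are small; the cap exists to skip large binaries carrying embedded help text`, so the trade-off is visible.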
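Review bot: `$datadog = /[Dd]atadog/` is a substring of every `$datadog_generic` match, so `all of them` effectively requires only `Datadog test scanner` plus `Datadog <word>` — two literals anyone can place in a file to have `linux_multi_persist` lowered to medium. Override rules act as an allow-list for the rule they name, so the anchor should be something only the appsec `rules.json` carries (a structural marker of that ruleset rather than the vendor name), and the redundant `$datadog` can go. If the generic regex stays, bound it, for example `#datadog_generic > 10`, so a single mention does not qualify.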
@@ -0,0 +1,15 @@
+rule mode_php_js : override {
+ meta:
+ description = "mode-php.js, mode-php_laravel_blade.js"
+ php_executor = "high"
+ strings:
+ $ace_define = "ace.define"
+ $ace_lib = "ace/lib"
+ $ace_mode = "ace/mode"
+ $ace_require = "ace.require"
+ $mode_php_laravel_blade = "ace/mode/php_laravel_blade"
+ $php_worker = "ace/mode/php_worker"
+ $php_worker2 = "PhpWorker"
+ condition:
+ 6 of them
+}
diff --git a/rules/false_positives/nvim.yara b/rules/false_positives/nvim.yara
new file mode 100644
index 00000000..d9606aac
--- /dev/null
+++ b/rules/false_positives/nvim.yara
@@ -0,0 +1,10 @@
+rule nvim_binary : override {
+ meta:
+ description = "nvim"
+ linux_multi_persist = "medium"
+ strings:
+ $nvim_generic = /nvim_\w{0,32}/
+ $nvim_path = "/home/build/src/nvim"
+ condition:
+ all of them
+}
diff --git a/rules/false_positives/rancher.yara b/rules/false_positives/rancher.yara
new file mode 100644
index 00000000..a25eeedd
--- /dev/null
+++ b/rules/false_positives/rancher.yara
@@ -0,0 +1,13 @@
+rule pull_scripts : override {
+ meta:
+ curl_chmod_relative_run_tiny = "medium"
+ description = "pull-scripts"
+ strings:
+ $binary = "BINARY_NAME=\"charts-build-scripts_${OS}_${ARCH}.exe\""
+ $chmod = "chmod +x ./bin/charts-build-scripts"
+ $echo1 = "echo \"Downloading charts-build-scripts version ${CHARTS_BUILD_SCRIPTS_REPO}@${CHARTS_BUILD_SCRIPT_VERSION}\""
+ $echo2 = "echo \"${BINARY_NAME} => ./bin/charts-build-scripts\""
+ $version_cmd = "./bin/charts-build-scripts --version"
+ condition:
+ all of them
+}
diff --git a/rules/false_positives/tensorflow_model_analysis.yara b/rules/false_positives/tensorflow_model_analysis.yara
new file mode 100644
index 00000000..1fd7304f
--- /dev/null
+++ b/rules/false_positives/tensorflow_model_analysis.yara
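Review bot: The override keys on `/home/build/src/nvim`, a build-tree path only binaries compiled in that exact directory contain, so nvim from any other packaging pipeline keeps the `linux_multi_persist` finding while anything that embeds one `nvim_` identifier plus that path gets it lowered. Anchor on what the nvim binary itself carries rather than where it was built: the `nvim_` API identifiers are already here, so something like `#nvim_generic > 50 and $nvim_path`, or dropping `$nvim_path` for a couple of additional nvim-only strings, would be both broader and harder to spoof — the threshold is a guess, check it against the test binary. Note also that the companion fixture `test_data/linux/clean/nvim.simple` is added empty, which is surprising for an override that only lowers one finding to medium; worth confirming the fixture was generated against the binary.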
@@ -0,0 +1,13 @@
+rule tfjs_predict_extractor_util : override {
+ meta:
+ description = "tfjs_predict_extractor_util.py"
+ py_dropper_chmod = "medium"
+ strings:
+ $copyright_google = "# Copyright 2019 Google LLC"
+ $subprocess_chmod = "subprocess.check_call(['chmod', '+x', path])"
+ $tfjs_predict_extractor = "Utilities for tfjs_predict_extractor."
+ $tfjs_url_linux = "http://storage.googleapis.com/tfjs-inference/tfjs-inference-linux"
+ $tfjs_url_macos = "http://storage.googleapis.com/tfjs-inference/tfjs-inference-macos"
+ condition:
+ all of them
+}
diff --git a/rules/false_positives/trivy.yara b/rules/false_positives/trivy.yara
new file mode 100644
index 00000000..7824fe45
--- /dev/null
+++ b/rules/false_positives/trivy.yara
@@ -0,0 +1,11 @@
+rule trivy_binary : override {
+ meta:
+ curl_tor_chmod_relative_run = "medium"
+ description = "trivy"
+ strings:
+ $aqua_security_trivy = "aquasecurity:trivy"
+ $trivy_install = "# curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh"
+ $trivy_repo = "github.com/aquasecurity/trivy"
+ condition:
+ all of them
+}
diff --git a/rules/false_positives/vitess.yara b/rules/false_positives/vitess.yara
new file mode 100644
index 00000000..09413231
--- /dev/null
+++ b/rules/false_positives/vitess.yara
@@ -0,0 +1,12 @@
+rule vitess : override {
+ meta:
+ linux_multi_persist = "medium"
+ description = "vitess"
+ strings:
+ $issue = "This error should not happen and is a bug. Please file an issue on GitHub: https://github.com/vitessio/vitess/issues/new/choose"
+ $vitess = "vitess"
+ $vitess_io = "vitess.io"
+ $vitess_repo = "https://github.com/vitessio"
+ condition:
+ all of them
+}
diff --git a/test_data/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/test_data/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
index fc1f0e4b..bf8b3d36 100644
--- a/test_data/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
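Review bot: The strings pin this override to a script that fetches `tfjs-inference-*` over plain `http://` and then `chmod +x`es the result, which is a genuine unauthenticated download-and-execute pattern rather than a scanner artefact; lowering `py_dropper_chmod` to medium is defensible for Google's own tooling, but the description should say so, e.g. `description = "tfjs_predict_extractor_util.py (Google tfjs tooling; plain-http binary fetch is an upstream weakness, kept at medium rather than suppressed)"`. Override rules are effectively allow-lists, so the written rationale is what lets a later reviewer judge whether it still holds. Pinning the exact `http://` URLs also means the override stops matching if upstream moves to https, which is the right failure mode and worth noting in the same comment.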
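Review bot: Every anchor here is a string any Go binary importing or vendoring trivy would carry (`github.com/aquasecurity/trivy`, the install-script comment that reads like embedded help text), so the override lowers the tor-dropper rule for far more than the trivy release binary; tying it to something release-specific, such as the version/build-info string the binary embeds if one is present, would narrow it. The override may also already be unreachable: the same commit adds `$not_go` and `filesize < 1MB` exclusions to `curl_tor_chmod_relative_run`, and `trivy.simple` still lists `false_positives/trivy`, which under `handleOverrides` only happens when the target rule did not fire. Decide on one mechanism — this scoped override is the better one — and drop the global exclusion.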
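Review bot: `$vitess = "vitess"` is contained in both `$vitess_io` and `$vitess_repo`, so it never constrains the match; effectively the rule is the issue-template sentence plus two URLs, all of which any binary that vendors vitess Go packages also carries, and such a binary would get `linux_multi_persist` lowered to medium. Drop the redundant literal and add at least one string specific to the binaries the new fixtures cover (`vtadmin`, `vtclient`) rather than to the library, e.g. a command-name or usage string from those programs. If the intent really is to cover every vitess consumer, say so in `description` so the breadth is deliberate.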
+++ b/test_data/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple @@ -20,12 +20,12 @@ env/LANG env/TEMP env/USER evasion/base64/decode -evasion/int_to_char evasion/unusual_include exec/cmd exec/program exec/program/background exec/shell_command +false_positives/k8s_dashboard fd/read fs/directory/create fs/directory/remove diff --git a/test_data/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/test_data/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple index e317c2c4..30ee2bde 100644 --- a/test_data/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple +++ b/test_data/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple @@ -19,7 +19,6 @@ env/HOME env/TEMP env/USER evasion/base64/decode -evasion/int_to_char evasion/unusual_include exec/cmd exec/program diff --git a/test_data/javascript/clean/mode-php.js.simple b/test_data/javascript/clean/mode-php.js.simple new file mode 100644 index 00000000..bb27cde9 --- /dev/null +++ b/test_data/javascript/clean/mode-php.js.simple 
@@ -0,0 +1,65 @@ +# javascript/clean/mode-php.js +combo/backdoor/php +combo/net/tunnel_proxy +compression/bzip2 +compression/gzip +databases/mysql +databases/sqlite +encoding/base64 +encoding/reverse +env/USER +evasion/base64/decode +exec/program +exec/program/background +exec/shell_command +fs/directory/create +fs/directory/remove +fs/fifo/create +fs/file/delete +fs/file/delete/forcibly +fs/file/truncate +fs/link/read +fs/lock/update +fs/node/create +fs/permission/modify +fs/symlink/resolve +fs/watch +hash/md5 +kernel/acct +kernel/hostname/get +kernel/platform +net/fetch +net/hostname/resolve +net/hostport/parse +net/http/cookies +net/http/form/upload +net/http/post +net/ip/parse +net/ip/resolve +net/ip/string +net/socket/connect +net/socket/listen +net/socket/local/address +net/socket/peer/address +net/socket/receive +net/socket/send +net/upload +net/url/encode +process/chroot +process/effective/groupid/get +process/groupid/set +process/parent_pid/get +process/userid/set +process/username/get +random/insecure +ref/daemon +ref/ip_port +ref/path/etc +ref/path/hidden +ref/site/url +ref/words/agent +ref/words/password +ref/words/plugin +ref/words/spoof +secrets/private_key +tty/pathname diff --git a/test_data/javascript/clean/mode-php_laravel_blade.js.simple b/test_data/javascript/clean/mode-php_laravel_blade.js.simple new file mode 100644 index 00000000..a876a6f7 --- /dev/null +++ b/test_data/javascript/clean/mode-php_laravel_blade.js.simple 
@@ -0,0 +1,65 @@ +# javascript/clean/mode-php_laravel_blade.js +combo/backdoor/php +combo/net/tunnel_proxy +compression/bzip2 +compression/gzip +databases/mysql +databases/sqlite +encoding/base64 +encoding/reverse +env/USER +evasion/base64/decode +exec/program +exec/program/background +exec/shell_command +fs/directory/create +fs/directory/remove +fs/fifo/create +fs/file/delete +fs/file/delete/forcibly +fs/file/truncate +fs/link/read +fs/lock/update +fs/node/create +fs/permission/modify +fs/symlink/resolve +fs/watch +hash/md5 +kernel/acct +kernel/hostname/get +kernel/platform +net/fetch +net/hostname/resolve +net/hostport/parse +net/http/cookies +net/http/form/upload +net/http/post +net/ip/parse +net/ip/resolve +net/ip/string +net/socket/connect +net/socket/listen +net/socket/local/address +net/socket/peer/address +net/socket/receive +net/socket/send +net/upload +net/url/encode +process/chroot +process/effective/groupid/get +process/groupid/set +process/parent_pid/get +process/userid/set +process/username/get +random/insecure +ref/daemon +ref/ip_port +ref/path/etc +ref/path/hidden +ref/site/url +ref/words/agent +ref/words/password +ref/words/plugin +ref/words/spoof +secrets/private_key +tty/pathname diff --git a/test_data/javascript/clean/napi_rs_runtime.js.simple b/test_data/javascript/clean/napi_rs_runtime.js.simple index f2477358..0278766b 100644 --- a/test_data/javascript/clean/napi_rs_runtime.js.simple +++ b/test_data/javascript/clean/napi_rs_runtime.js.simple @@ -4,7 +4,6 @@ data/embedded/base64/url encoding/base64 encoding/json/decode encoding/json/encode -evasion/int_to_char fd/write fs/directory/create fs/directory/list diff --git a/test_data/javascript/clean/securityDashboards.plugin.js.simple b/test_data/javascript/clean/securityDashboards.plugin.js.simple index 09cc9df7..3173659a 100644 --- a/test_data/javascript/clean/securityDashboards.plugin.js.simple +++ b/test_data/javascript/clean/securityDashboards.plugin.js.simple 
@@ -10,7 +10,6 @@ databases/mysql encoding/base64 encoding/json/decode encoding/json/encode -evasion/int_to_char evasion/xor/commands fs/link/create fs/lock/update diff --git a/test_data/linux/2022.Symbiote/kerneldev.so.bkp.simple b/test_data/linux/2022.Symbiote/kerneldev.so.bkp.simple index 2f057a90..57d406d7 100644 --- a/test_data/linux/2022.Symbiote/kerneldev.so.bkp.simple +++ b/test_data/linux/2022.Symbiote/kerneldev.so.bkp.simple @@ -1,6 +1,5 @@ # linux/2022.Symbiote/kerneldev.so.bkp 3P/threat_hunting/keylogger -combo/stealer/pam dylib/symbol/address evasion/process/hide fs/link/read diff --git a/test_data/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/test_data/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple index 35798386..39b1bed9 100644 --- a/test_data/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple +++ b/test_data/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple @@ -2,7 +2,6 @@ 3P/elastic/threat combo/backdoor/kill_rm combo/botnet/systemctl -combo/dropper/binary combo/dropper/shell combo/stealer/linux_server combo/stealer/ssh diff --git a/test_data/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple b/test_data/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple index 5225cfa9..9a463012 100644 --- a/test_data/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple +++ b/test_data/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple @@ -1,7 +1,6 @@ # linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72 3P/elastic/threat 3P/threat_hunting/xmrig -combo/stealer/pam compression/gzip crypto/aes crypto/ecdsa diff --git a/test_data/linux/clean/appsec-rules.json.simple b/test_data/linux/clean/appsec-rules.json.simple index b94531ad..38546f0b 100644 --- a/test_data/linux/clean/appsec-rules.json.simple 
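Review bot: This expected-output fixture for a malware sample loses `combo/stealer/pam`, and the adjacent fixtures for `2024.Kaiji` and `2024.clobber_xmrig` lose `combo/dropper/binary` and `combo/stealer/pam` respectively, yet no change to those rules appears in this diff — every rule edit shown touches `combo/dropper/shell.yara` or `false_positives/`. A detection disappearing from a known-bad sample is a coverage regression unless it is an intentional retune, so the commit message, or a comment on the rule, should name the rule change responsible; if those edits live elsewhere in the changeset, a pointer is enough. The same goes for the `evasion/int_to_char` removals across the clean fixtures, which look like false-positive cleanup but are equally unexplained here.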
+++ b/test_data/linux/clean/appsec-rules.json.simple @@ -15,7 +15,6 @@ databases/sqlite device/hardware/enumeration encoding/base64 evasion/base64/decode -evasion/int_to_char exec/shell_command fs/fifo/create fs/file/times/set diff --git a/test_data/linux/clean/chezmoi.simple b/test_data/linux/clean/chezmoi.simple index fe8783d2..9bddcfbc 100644 --- a/test_data/linux/clean/chezmoi.simple +++ b/test_data/linux/clean/chezmoi.simple @@ -41,7 +41,6 @@ env/TMPDIR env/USER env/get evasion/content/length/0 -evasion/int_to_char evasion/xor/commands exec/cmd exec/program diff --git a/test_data/linux/clean/clickhouse.simple b/test_data/linux/clean/clickhouse.simple new file mode 100644 index 00000000..3ff6e188 --- /dev/null +++ b/test_data/linux/clean/clickhouse.simple 
@@ -0,0 +1,195 @@ +# linux/clean/clickhouse +3P/threat_hunting/keylogger +3P/threat_hunting/pypykatz +3P/threat_hunting/shodan/io +3P/threat_hunting/torproject +admin/package/install +admin/shutdown +builtin/openssl +cloud/google/metadata +combo/critical_paths +combo/dropper/shell +combo/miner/argon2d_numa_self +combo/net/tunnel_proxy +combo/recon/capabilities +compression/bzip2 +compression/gzip +compression/zstd +crypto/aes +crypto/ed25519 +crypto/file/encrypter +crypto/gost89 +crypto/tls +data/embedded/base64/url +data/embedded/html +data/embedded/pem/private_key +databases/leveldb +databases/mysql +databases/postgresql +databases/sqlite +dylib/address/check +dylib/iterate +dylib/symbol/address +encoding/base64 +encoding/json/decode +encoding/json/encode +env/DYLD_LIBRARY_PATH +env/HOME +env/LANG +env/LD_LIBRARY_PATH +env/SHELL +env/TEMP +env/TERM +env/TMPDIR +env/USER +evasion/base64/decode +exec/cmd +exec/program +exec/program/background +exec/shell_echo +fd/epoll +fd/read +fs/directory/create +fs/directory/remove +fs/file/capabilities/set +fs/file/copy +fs/file/delete +fs/file/delete/forcibly +fs/file/open +fs/file/read +fs/file/times/set +fs/file/truncate +fs/file/write +fs/link/create +fs/link/read +fs/lock/update +fs/mount +fs/mounts/read +fs/node/create +fs/permission/chown +fs/permission/modify +fs/permission/modify/dangerous +fs/symlink/resolve +fs/tempdir +fs/tempdir/create +fs/watch +hash/blake2b +hash/md5 +hash/sha1 +hash/sha256 +hash/whirlpool +kernel/acct +kernel/cpu/info +kernel/dev/block/device +kernel/hostname/get +kernel/module/load +kernel/netlink +kernel/opencl +kernel/platform +kernel/ptrace +net/bpf +net/dns/over/https +net/dns/reverse +net/dns/servers +net/dns/txt +net/fetch +net/grpc +net/hostname/resolve +net/hostport/parse +net/http/accept/encoding +net/http/auth +net/http/cookies +net/http/form/upload +net/http/post +net/http/request +net/http2 +net/http_proxy +net/icmp +net/interface/get +net/interface/list +net/ip +net/ip/parse 
+net/ip/resolve +net/ip/string +net/ntlm +net/oauth2 +net/reuseport +net/sendfile +net/socket/connect +net/socket/listen +net/socket/local/address +net/socket/peer/address +net/socket/receive +net/socket/send +net/socks5 +net/ssh +net/upload +net/url +net/url/encode +net/websocket +persist/pid_file +privesc/sudo +process/chdir +process/chroot +process/create +process/executable_path +process/groupid/set +process/multithreaded +process/name/get +process/thread_local_storage +process/userid/set +process/username/get +procfs/arbitrary/pid +procfs/cpuinfo +procfs/meminfo +procfs/net/dev +procfs/pid/maps +procfs/pid/status +procfs/self/cgroup +procfs/self/exe +procfs/self/status +procfs/stat +random/insecure +ref/daemon +ref/email +ref/ip_port +ref/path/dev/shm +ref/path/etc +ref/path/etc/hosts +ref/path/etc/resolv.conf +ref/path/hidden +ref/path/home/config +ref/path/relative/hidden +ref/path/root +ref/path/tmp +ref/path/usr/bin +ref/path/usr/local +ref/path/var +ref/path/var/log +ref/program/sudo +ref/site/download +ref/site/dyndns +ref/site/grayware +ref/site/http/dynamic +ref/site/proxy +ref/site/url +ref/words/collection +ref/words/decryptor +ref/words/exclamation +ref/words/heartbeat +ref/words/infected +ref/words/intercept +ref/words/leetspeak +ref/words/malicious +ref/words/obfuscate +ref/words/password +ref/words/plugin +ref/words/server_address +secrets/aws +secrets/gcloud +secrets/private_key +security_controls/linux/ufw +shell/background/sleep +shell/ignore_output +shell/pipe_sh +time/tzinfo diff --git a/test_data/linux/clean/default_config.json.simple b/test_data/linux/clean/default_config.json.simple index 0495024d..ac19e203 100644 --- a/test_data/linux/clean/default_config.json.simple +++ b/test_data/linux/clean/default_config.json.simple @@ -16,7 +16,6 @@ databases/sqlite device/hardware/enumeration encoding/base64 evasion/base64/decode -evasion/int_to_char exec/shell_command fs/fifo/create fs/file/times/set 
diff --git a/test_data/linux/clean/kuma-cp.simple b/test_data/linux/clean/kuma-cp.simple new file mode 100644 index 00000000..79cad611 --- /dev/null +++ b/test_data/linux/clean/kuma-cp.simple 
@@ -0,0 +1,130 @@ +# linux/clean/kuma-cp +3P/threat_hunting/hijacker +3P/threat_hunting/privilegeescalation +archives/zip +combo/backdoor/iptables +combo/critical_paths +combo/dropper/shell +combo/net/host_port +combo/net/tunnel_proxy +compression/bzip2 +compression/gzip +compression/zstd +crypto/aes +crypto/ecdsa +crypto/ed25519 +crypto/tls +data/embedded/base64/url +data/embedded/html +data/embedded/pem/test_key +databases/mysql +databases/postgresql +encoding/base64 +encoding/json +encoding/json/decode +encoding/json/encode +env/HOME +env/LANG +env/SHELL +env/TERM +env/USER +evasion/base64/external +evasion/content/length/0 +exec/cmd +exec/program +fs/directory/create +fs/directory/list +fs/directory/remove +fs/fifo/create +fs/file/copy +fs/file/delete +fs/file/delete/forcibly +fs/file/read +fs/file/stat +fs/link/read +fs/mount +fs/node/create +fs/permission/chown +fs/permission/modify +fs/quota/manipulate +fs/swap/on +fs/unmount +fs/watch +hash/md5 +kernel/cpu/info +kernel/dev/block/device +kernel/hostname/get +kernel/netlink +kernel/platform +kernel/seccomp +net/bpf +net/dns +net/dns/reverse +net/dns/servers +net/dns/txt +net/download +net/fetch +net/grpc +net/hostname/resolve +net/hostport/parse +net/http/accept/encoding +net/http/auth +net/http/cookies +net/http/form/upload +net/http/post +net/http/request +net/http2 +net/http_proxy +net/icmp +net/interface/list +net/ip/multicast/send +net/ip/parse +net/mac/address +net/oauth2 +net/sendfile +net/socket/listen +net/socket/local/address +net/socket/peer/address +net/socket/receive +net/socket/send +net/ssh +net/stat +net/udp/receive +net/udp/send +net/upload +net/url +net/url/encode +net/url/request +net/websocket +persist/crontab +process/chroot +process/groupid/set +process/username/get +ref/daemon +ref/ip_port +ref/path/etc +ref/path/etc/hosts +ref/path/etc/resolv.conf +ref/path/hidden +ref/path/home/config +ref/path/tmp +ref/path/usr/bin +ref/path/var +ref/path/var/run +ref/program/sudo +ref/site/download 
+ref/site/http/dynamic +ref/site/url +ref/words/collection +ref/words/exclamation +ref/words/heartbeat +ref/words/intercept +ref/words/password +ref/words/plugin +ref/words/server_address +secrets/htpasswd +secrets/private_key +security_controls/linux/iptables +security_controls/linux/selinux +shell/background/sleep +techniques/code_eval diff --git a/test_data/linux/clean/melange.simple b/test_data/linux/clean/melange.simple new file mode 100644 index 00000000..e69de29b diff --git a/test_data/linux/clean/minio.x86_64.simple b/test_data/linux/clean/minio.x86_64.simple index 2d048529..a082bee0 100644 --- a/test_data/linux/clean/minio.x86_64.simple +++ b/test_data/linux/clean/minio.x86_64.simple @@ -35,7 +35,6 @@ env/USER env/get evasion/content/length/0 evasion/hide_shell_history -evasion/int_to_char evasion/vm/check exec/cmd exec/program diff --git a/test_data/linux/clean/mongosh.simple b/test_data/linux/clean/mongosh.simple index 1111879b..62f6a687 100644 --- a/test_data/linux/clean/mongosh.simple +++ b/test_data/linux/clean/mongosh.simple @@ -39,7 +39,6 @@ env/get evasion/base64/decode evasion/base64/php_functions evasion/hex -evasion/int_to_char exec/cmd exec/program exec/program/background diff --git a/test_data/linux/clean/nvim.simple b/test_data/linux/clean/nvim.simple new file mode 100644 index 00000000..e69de29b diff --git a/test_data/linux/clean/pull-scripts.simple b/test_data/linux/clean/pull-scripts.simple new file mode 100644 index 00000000..e5b9c50c --- /dev/null +++ b/test_data/linux/clean/pull-scripts.simple @@ -0,0 +1,11 @@ +# linux/clean/pull-scripts +combo/dropper/shell +fs/directory/create +fs/file/delete/forcibly +fs/file/make_executable +fs/permission/modify +net/download +net/fetch +process/chdir +shell/exec +shell/ignore_output diff --git a/test_data/linux/clean/pulumi.simple b/test_data/linux/clean/pulumi.simple new file mode 100644 index 00000000..e5362977 --- /dev/null +++ b/test_data/linux/clean/pulumi.simple 
@@ -0,0 +1,147 @@ +# linux/clean/pulumi +3P/threat_hunting/iodine +3P/threat_hunting/sharppack +admin/pip_install +archives/zip +cloud/aws/metadata +cloud/google/metadata +cloud/google/storage +combo/dropper/shell +combo/net/host_port +combo/net/scan_tool +compression/bzip2 +compression/gzip +crypto/aes +crypto/ecdsa +crypto/ed25519 +crypto/tls +data/embedded/html +data/embedded/pem/certificate +data/embedded/pem/test_key +data/embedded/ssh/signature +databases/mysql +databases/postgresql +encoding/base64 +encoding/json +encoding/json/decode +encoding/json/encode +env/HOME +env/LANG +env/SHELL +env/TEMP +env/TERM +env/TMPDIR +env/USER +env/get +evasion/content/length/0 +exec/cmd +exec/program +exec/program/background +fs/directory/create +fs/directory/list +fs/directory/remove +fs/fifo/create +fs/file/copy +fs/file/delete +fs/file/delete/forcibly +fs/file/open +fs/file/read +fs/file/times/set +fs/file/write +fs/link/read +fs/lock/update +fs/mount +fs/permission/chown +fs/permission/modify +fs/swap/off +fs/symlink/resolve +fs/tempdir +fs/tempdir/create +fs/tempfile/create +group/lookup +hash/blake2b +hash/md5 +hash/sha1 +hash/sha256 +kernel/cpu/info +kernel/hostname/get +kernel/module +kernel/netlink +kernel/platform +kernel/sysinfo +net/dns +net/dns/reverse +net/dns/servers +net/dns/txt +net/download +net/fetch +net/grpc +net/hostname/resolve +net/http/accept/encoding +net/http/auth +net/http/cookies +net/http/form/upload +net/http/post +net/http/request +net/http2 +net/http_proxy +net/icmp +net/ip +net/ip/multicast/send +net/ip/parse +net/ip/resolve +net/mac/address +net/oauth2 +net/sendfile +net/socket/listen +net/socket/local/address +net/socket/peer/address +net/socket/receive +net/socket/send +net/socks5 +net/ssh +net/udp/receive +net/udp/send +net/upload +net/url +net/url/encode +net/url/request +net/websocket +net/wireless +persist/pid_file +process/chroot +process/list +process/parent_pid/get +process/username/get +random/insecure +ref/daemon +ref/ip_port 
+ref/path/etc +ref/path/etc/hosts +ref/path/etc/resolv.conf +ref/path/hidden +ref/path/home/config +ref/path/root +ref/path/usr/bin +ref/path/var +ref/program/osascript +ref/program/sudo +ref/site/download +ref/site/http/dynamic +ref/site/url +ref/words/exclamation +ref/words/heartbeat +ref/words/intercept +ref/words/leetspeak +ref/words/password +ref/words/plugin +ref/words/server_address +secrets/gcloud +secrets/keychain +secrets/private_key +secrets/ssh +shell/background/sleep +shell/exec +shell/pipe_sh +techniques/code_eval +ui/clipboard diff --git a/test_data/linux/clean/rules.json.simple b/test_data/linux/clean/rules.json.simple new file mode 100644 index 00000000..0c34e6a2 --- /dev/null +++ b/test_data/linux/clean/rules.json.simple 
@@ -0,0 +1,73 @@ +# linux/clean/rules.json +3P/threat_hunting/gobuster +3P/threat_hunting/openvas +3P/threat_hunting/rapid7 +3P/threat_hunting/sqlninja +combo/backdoor/iptables +combo/recon/system_network +combo/stealer/linux_server +combo/stealer/ssh +compression/bzip2 +compression/gzip +compression/zstd +databases/mysql +databases/postgresql +databases/sqlite +device/hardware/enumeration +encoding/base64 +evasion/base64/decode +exec/shell_command +fs/fifo/create +fs/file/times/set +fs/lock/update +fs/mount +fs/node/create +fs/permission/modify +kernel/acct +kernel/apparmor +kernel/platform +net/dns/servers +net/download +net/http/cookies +net/socket/connect +net/upload +net/wireless +persist/bash +persist/crontab +persist/linux_multi +persist/ssh_authorized_keys +persist/zsh +process/chroot +process/unshare +process/username/get +ref/cve +ref/daemon +ref/path/etc +ref/path/etc/hosts +ref/path/hidden +ref/path/home +ref/path/home/config +ref/path/tmp +ref/path/var +ref/path/var/run +ref/program/masscan +ref/program/nmap +ref/program/readelf +ref/program/sshd +ref/words/exfil +ref/words/exploit +ref/words/password +ref/words/plugin +secrets/aws +secrets/bash_history +secrets/gshadow +secrets/htpasswd +secrets/shadow +secrets/ssh +secrets/ssh_authorized_hosts +security_controls/linux/iptables +security_controls/linux/ufw +shell/bash_dev_tcp +shell/bash_dev_udp +shell/nohup +tty/pathname diff --git a/test_data/linux/clean/runtime-security-fentry.o.simple b/test_data/linux/clean/runtime-security-fentry.o.simple index 891ec95b..64af1781 100644 --- a/test_data/linux/clean/runtime-security-fentry.o.simple +++ b/test_data/linux/clean/runtime-security-fentry.o.simple @@ -2,7 +2,6 @@ combo/backdoor/net_exec combo/recon/system_network exec/program -fs/attributes/remove fs/attributes/set fs/directory/create fs/directory/remove 
diff --git a/test_data/linux/clean/runtime-security-syscall-wrapper.o.simple b/test_data/linux/clean/runtime-security-syscall-wrapper.o.simple index b3425e48..1fb73c1d 100644 --- a/test_data/linux/clean/runtime-security-syscall-wrapper.o.simple +++ b/test_data/linux/clean/runtime-security-syscall-wrapper.o.simple @@ -2,7 +2,6 @@ combo/backdoor/net_exec combo/recon/system_network exec/program -fs/attributes/remove fs/attributes/set fs/directory/create fs/directory/remove diff --git a/test_data/linux/clean/runtime-security.o.simple b/test_data/linux/clean/runtime-security.o.simple index a59039f3..42eb0474 100644 --- a/test_data/linux/clean/runtime-security.o.simple +++ b/test_data/linux/clean/runtime-security.o.simple @@ -2,7 +2,6 @@ combo/backdoor/net_exec combo/recon/system_network exec/program -fs/attributes/remove fs/attributes/set fs/directory/create fs/directory/remove diff --git a/test_data/linux/clean/sonarlint-metadata.json.simple b/test_data/linux/clean/sonarlint-metadata.json.simple index dd5d1bf5..1eeb1a23 100644 --- a/test_data/linux/clean/sonarlint-metadata.json.simple +++ b/test_data/linux/clean/sonarlint-metadata.json.simple @@ -36,7 +36,6 @@ ref/path/dev/mqueue ref/path/etc ref/path/etc/hosts ref/path/hidden -ref/path/home ref/path/relative ref/path/tmp ref/path/users diff --git a/test_data/linux/clean/trivy.simple b/test_data/linux/clean/trivy.simple new file mode 100644 index 00000000..83f07f02 --- /dev/null +++ b/test_data/linux/clean/trivy.simple 
@@ -0,0 +1,197 @@ +# linux/clean/trivy +3P/threat_hunting/bruteratel +3P/threat_hunting/github/username +3P/threat_hunting/hijacker +3P/threat_hunting/linkedint +3P/threat_hunting/privilegeescalation +admin/package/install +admin/pip_install +archives/unarchive +archives/zip +builtin/openssl +cloud/aws/metadata +cloud/google/metadata +cloud/google/storage +combo/backdoor/iptables +combo/backdoor/kill_rm +combo/critical_paths +combo/dropper/shell +combo/exploit/breakout +combo/net/host_port +combo/net/tunnel_proxy +combo/stealer/cloud +compression/bzip2 +compression/gzip +compression/xz +compression/zstd +crypto/aes +crypto/ecdsa +crypto/ed25519 +crypto/tls +data/embedded/html +data/embedded/pem/certificate +data/embedded/pem/private_key +data/embedded/pem/test_key +data/embedded/ssh/signature +databases/leveldb +databases/mysql +databases/postgresql +databases/sqlite +dylib/symbol/address +encoding/base64 +encoding/json +encoding/json/decode +encoding/json/encode +env/HOME +env/LANG +env/SHELL +env/TEMP +env/TERM +env/TMPDIR +env/USER +evasion/base64/decode +evasion/content/length/0 +exec/cmd +exec/program +false_positives/trivy +fs/attributes/set +fs/directory/create +fs/directory/list +fs/directory/remove +fs/file/copy +fs/file/delete +fs/file/delete/forcibly +fs/file/open +fs/file/read +fs/file/stat +fs/file/times/set +fs/file/truncate +fs/file/write +fs/link/create +fs/link/read +fs/lock/update +fs/loopback +fs/mount +fs/node/create +fs/permission/chown +fs/permission/modify +fs/swap/off +fs/symlink/resolve +fs/tempdir +fs/tempdir/create +fs/tempfile/create +fs/watch +hash/blake2b +hash/md5 +hash/sha1 +kernel/apparmor +kernel/cpu/info +kernel/dev/block/device +kernel/dev/loopback +kernel/hostname/get +kernel/netlink +kernel/opencl +kernel/platform +kernel/seccomp +kernel/sysinfo +net/bpf +net/dns +net/dns/reverse +net/dns/servers +net/dns/txt +net/fetch +net/grpc +net/hostname/resolve +net/http/accept/encoding +net/http/auth +net/http/cookies 
+net/http/form/upload +net/http/post +net/http/request +net/http2 +net/http_proxy +net/icmp +net/ip +net/ip/multicast/send +net/ip/parse +net/mac/address +net/oauth2 +net/sendfile +net/socket/listen +net/socket/local/address +net/socket/peer/address +net/socket/receive +net/socket/send +net/socks5 +net/ssh +net/stat +net/syncookie +net/udp/receive +net/udp/send +net/upload +net/url +net/url/encode +net/url/request +net/websocket +net/wireless +process/chdir +process/chdir/unusual +process/chroot +process/executable_path +process/groupid/set +process/groups/set +process/list +process/multithreaded +process/name/get +process/userid/set +procfs/arbitrary/pid +procfs/self/mountinfo +random/insecure +ref/daemon +ref/ip/dns_resolver +ref/ip_port +ref/path/dev/shm +ref/path/etc +ref/path/etc/hosts +ref/path/etc/resolv.conf +ref/path/hidden +ref/path/home/config +ref/path/root +ref/path/tmp +ref/path/users +ref/path/usr/bin +ref/path/usr/lib/python +ref/path/usr/local +ref/path/var +ref/path/var/run +ref/program/osascript +ref/program/sudo +ref/site/download +ref/site/github_api +ref/site/github_raw +ref/site/http/dynamic +ref/site/url +ref/words/backdoor +ref/words/collection +ref/words/exclamation +ref/words/heartbeat +ref/words/intercept +ref/words/leetspeak +ref/words/locked/files +ref/words/malicious +ref/words/password +ref/words/plugin +ref/words/server_address +ref/words/trojan +secrets/aws +secrets/gcloud +secrets/htpasswd +secrets/keychain +secrets/private_key +secrets/ssh +security_controls/linux/iptables +shell/background/sleep +shell/pipe_sh +techniques/brute_force +techniques/code_eval +time/tzinfo diff --git a/test_data/linux/clean/vitess/vtadmin.simple b/test_data/linux/clean/vitess/vtadmin.simple new file mode 100644 index 00000000..2635c99b --- /dev/null +++ b/test_data/linux/clean/vitess/vtadmin.simple 
@@ -0,0 +1,155 @@
+# linux/clean/vitess/vtadmin
+3P/threat_hunting/gobuster
+3P/threat_hunting/hijacker
+3P/threat_hunting/openvas
+3P/threat_hunting/rapid7
+3P/threat_hunting/sqlninja
+archives/zip
+cloud/google/metadata
+combo/backdoor/iptables
+combo/backdoor/payload
+combo/critical_paths
+combo/net/host_port
+compression/bzip2
+compression/gzip
+compression/zstd
+crypto/aes
+crypto/ecdsa
+crypto/ed25519
+crypto/tls
+data/embedded/html
+databases/leveldb
+databases/mysql
+databases/postgresql
+databases/sqlite
+device/hardware/enumeration
+encoding/base64
+encoding/json
+encoding/json/decode
+encoding/json/encode
+env/HOME
+env/SHELL
+env/TEMP
+env/TERM
+env/USER
+env/get
+evasion/base64/decode
+evasion/content/length/0
+exec/cmd
+exec/program
+exec/shell_command
+fs/directory/create
+fs/directory/list
+fs/directory/remove
+fs/fifo/create
+fs/file/copy
+fs/file/delete
+fs/file/read
+fs/file/stat
+fs/file/times/set
+fs/link/read
+fs/lock/update
+fs/mount
+fs/node/create
+fs/permission/chown
+fs/permission/modify
+fs/tempdir/create
+fs/watch
+hash/md5
+kernel/acct
+kernel/apparmor
+kernel/cpu/info
+kernel/hostname/get
+kernel/netlink
+kernel/platform
+net/dns
+net/dns/reverse
+net/dns/servers
+net/dns/txt
+net/download
+net/fetch
+net/grpc
+net/hostname/resolve
+net/http/accept/encoding
+net/http/auth
+net/http/cookies
+net/http/form/upload
+net/http/post
+net/http/request
+net/http/server
+net/http2
+net/http_proxy
+net/icmp
+net/ip/parse
+net/sendfile
+net/socket/connect
+net/socket/listen
+net/socket/local/address
+net/socket/peer/address
+net/socket/receive
+net/socket/send
+net/ssh
+net/udp/receive
+net/udp/send
+net/upload
+net/url
+net/url/encode
+net/url/request
+net/wireless
+persist/crontab
+persist/linux_multi
+persist/pid_file
+persist/ssh_authorized_keys
+process/chdir
+process/chroot
+process/groups/set
+process/unshare
+process/username/get
+procfs/self/cgroup
+procfs/self/mountinfo
+ref/daemon
+ref/ip_port
+ref/path/etc
+ref/path/etc/hosts
+ref/path/etc/resolv.conf
+ref/path/hidden
+ref/path/home
+ref/path/home/config
+ref/path/relative
+ref/path/relative/hidden
+ref/path/tmp
+ref/path/usr/bin
+ref/path/usr/sbin
+ref/path/var
+ref/path/var/run
+ref/program/masscan
+ref/program/nmap
+ref/program/readelf
+ref/program/sshd
+ref/site/http/dynamic
+ref/site/url
+ref/words/exclamation
+ref/words/exfil
+ref/words/exploit
+ref/words/heartbeat
+ref/words/intercept
+ref/words/leetspeak
+ref/words/obfuscate
+ref/words/password
+ref/words/plugin
+ref/words/server_address
+secrets/aws
+secrets/bash_history
+secrets/gshadow
+secrets/htpasswd
+secrets/private_key
+secrets/shadow
+secrets/ssh
+secrets/ssh_authorized_hosts
+security_controls/linux/iptables
+security_controls/linux/ufw
+shell/background/sleep
+shell/bash_dev_tcp
+shell/bash_dev_udp
+shell/exec
+tty/pathname
diff --git a/test_data/linux/clean/vitess/vtclient.simple b/test_data/linux/clean/vitess/vtclient.simple
new file mode 100644
index 00000000..bcac30f4
--- /dev/null
+++ b/test_data/linux/clean/vitess/vtclient.simple
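Review bot: No `false_positives/` override appears for this clean vitess binary, yet the expected output pins `combo/backdoor/payload`, `persist/ssh_authorized_keys`, `shell/bash_dev_tcp`, `shell/bash_dev_udp`, `secrets/shadow`, `secrets/gshadow` and several `3P/threat_hunting/*` hits — the trivy fixture above, by contrast, lists `false_positives/trivy`. The same holds for vtclient.simple and for wolfictl.simple, which records `combo/net/raw_flooder`, `combo/net/scan_tool` and `combo/stealer/browser` for a clean build tool. Committing these lists does make future regressions visible, but without an override rule or a sentence in the commit description explaining why the combo-level matches are tolerable, the fixture reads as acceptance of those false positives rather than as a known gap. A `false_positives` rule for vitess and wolfictl, modelled on the existing trivy one, or at least a `# known false positives: combo/backdoor/payload, shell/bash_dev_tcp ...` note in the commit message, would make the intent explicit.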
@@ -0,0 +1,139 @@
+# linux/clean/vitess/vtclient
+3P/threat_hunting/gobuster
+3P/threat_hunting/openvas
+3P/threat_hunting/rapid7
+3P/threat_hunting/sqlninja
+archives/zip
+cloud/google/metadata
+combo/backdoor/iptables
+combo/backdoor/payload
+combo/net/host_port
+compression/bzip2
+compression/gzip
+compression/zstd
+crypto/aes
+crypto/ecdsa
+crypto/ed25519
+crypto/tls
+data/embedded/html
+databases/leveldb
+databases/mysql
+databases/postgresql
+databases/sqlite
+device/hardware/enumeration
+encoding/base64
+encoding/json
+encoding/json/decode
+encoding/json/encode
+env/HOME
+env/USER
+env/get
+evasion/base64/decode
+evasion/content/length/0
+exec/program
+exec/shell_command
+fs/directory/list
+fs/directory/remove
+fs/fifo/create
+fs/file/copy
+fs/file/delete
+fs/file/read
+fs/file/stat
+fs/file/times/set
+fs/link/read
+fs/lock/update
+fs/mount
+fs/node/create
+fs/permission/chown
+fs/permission/modify
+fs/watch
+hash/md5
+kernel/acct
+kernel/apparmor
+kernel/cpu/info
+kernel/hostname/get
+kernel/netlink
+kernel/platform
+net/dns
+net/dns/reverse
+net/dns/servers
+net/dns/txt
+net/download
+net/grpc
+net/hostname/resolve
+net/http/accept/encoding
+net/http/auth
+net/http/cookies
+net/http/form/upload
+net/http/post
+net/http/request
+net/http/server
+net/http2
+net/http_proxy
+net/icmp
+net/ip/parse
+net/sendfile
+net/socket/connect
+net/socket/listen
+net/socket/local/address
+net/socket/peer/address
+net/socket/receive
+net/socket/send
+net/udp/receive
+net/udp/send
+net/upload
+net/url
+net/url/encode
+net/url/request
+net/wireless
+persist/crontab
+persist/linux_multi
+persist/pid_file
+persist/ssh_authorized_keys
+process/chroot
+process/groups/set
+process/unshare
+process/username/get
+procfs/self/cgroup
+procfs/self/mountinfo
+ref/daemon
+ref/ip_port
+ref/path/etc
+ref/path/etc/hosts
+ref/path/etc/resolv.conf
+ref/path/hidden
+ref/path/home
+ref/path/home/config
+ref/path/relative
+ref/path/tmp
+ref/path/var
+ref/path/var/run
+ref/program/masscan
+ref/program/nmap
+ref/program/readelf
+ref/program/sshd
+ref/site/http/dynamic
+ref/site/url
+ref/words/exclamation
+ref/words/exfil
+ref/words/exploit
+ref/words/heartbeat
+ref/words/intercept
+ref/words/obfuscate
+ref/words/password
+ref/words/plugin
+ref/words/server_address
+secrets/aws
+secrets/bash_history
+secrets/gshadow
+secrets/htpasswd
+secrets/private_key
+secrets/shadow
+secrets/ssh
+secrets/ssh_authorized_hosts
+security_controls/linux/iptables
+security_controls/linux/ufw
+shell/background/sleep
+shell/bash_dev_tcp
+shell/bash_dev_udp
+tty/pathname
diff --git a/test_data/linux/clean/wolfictl.simple b/test_data/linux/clean/wolfictl.simple
new file mode 100644
index 00000000..2740b989
--- /dev/null
+++ b/test_data/linux/clean/wolfictl.simple
@@ -0,0 +1,184 @@
+# linux/clean/wolfictl
+3P/threat_hunting/github/username
+3P/threat_hunting/gost
+3P/threat_hunting/hijacker
+3P/threat_hunting/runascs
+admin/pip_install
+admin/system_directories
+archives/tar/command
+archives/unarchive
+archives/zip
+cloud/aws/metadata
+cloud/google/metadata
+cloud/google/storage
+combo/backdoor/kill_rm
+combo/critical_paths
+combo/dropper/shell
+combo/exploit/breakout
+combo/net/raw_flooder
+combo/net/scan_tool
+combo/net/tunnel_proxy
+combo/stealer/browser
+compression/bzip2
+compression/gzip
+compression/xz
+compression/zstd
+crypto/aes
+crypto/ecdsa
+crypto/ed25519
+crypto/tls
+data/embedded/html
+data/embedded/pem/certificate
+data/embedded/ssh/signature
+databases/mysql
+databases/postgresql
+databases/sqlite
+dylib/symbol/address
+encoding/base64
+encoding/json
+encoding/json/decode
+encoding/json/encode
+env/HOME
+env/LANG
+env/TEMP
+env/TERM
+env/TMPDIR
+env/USER
+env/get
+evasion/content/length/0
+exec/cmd
+exec/program
+fs/attributes/set
+fs/blkid
+fs/directory/create
+fs/directory/list
+fs/directory/remove
+fs/fifo/create
+fs/file/copy
+fs/file/delete
+fs/file/delete/forcibly
+fs/file/read
+fs/file/stat
+fs/file/times/set
+fs/file/truncate
+fs/file/write
+fs/link/create
+fs/link/read
+fs/lock/update
+fs/loopback
+fs/mount
+fs/node/create
+fs/permission/chown
+fs/permission/modify
+fs/swap/off
+fs/swap/on
+fs/symlink/resolve
+fs/tempdir
+fs/tempdir/create
+fs/tempfile/create
+fs/unmount
+fs/watch
+hash/blake2b
+hash/md5
+kernel/cpu/info
+kernel/dev/loopback
+kernel/hostname/get
+kernel/netlink
+kernel/platform
+kernel/seccomp
+kernel/sysinfo
+net/dns
+net/dns/reverse
+net/dns/servers
+net/dns/txt
+net/fetch
+net/grpc
+net/hostname/resolve
+net/http/accept/encoding
+net/http/auth
+net/http/cookies
+net/http/form/upload
+net/http/post
+net/http/request
+net/http2
+net/http_proxy
+net/icmp
+net/interface/list
+net/ip
+net/ip/multicast/send
+net/ip/parse
+net/mac/address
+net/oauth2
+net/reuseport
+net/reverse_proxy
+net/sendfile
+net/socket/listen
+net/socket/local/address
+net/socket/peer/address
+net/socket/receive
+net/socket/send
+net/socks5
+net/ssh
+net/stat
+net/udp/receive
+net/udp/send
+net/upload
+net/url
+net/url/encode
+net/url/request
+net/wireless
+persist/crontab
+persist/pid_file
+process/chdir
+process/chroot
+process/create
+process/executable_path
+process/find
+process/groupid/set
+process/groups/set
+process/multithreaded
+process/unshare
+process/userid/set
+process/username/get
+procfs/arbitrary/pid
+procfs/self/mountinfo
+ref/daemon
+ref/extensions/office
+ref/ip_port
+ref/path/bin/su
+ref/path/dev/shm
+ref/path/etc
+ref/path/etc/hosts
+ref/path/etc/resolv.conf
+ref/path/hidden
+ref/path/home/config
+ref/path/root
+ref/path/users
+ref/path/usr/bin
+ref/path/usr/local
+ref/path/usr/sbin
+ref/path/var
+ref/site/github_api
+ref/site/http/dynamic
+ref/site/url
+ref/words/dropper
+ref/words/exclamation
+ref/words/heartbeat
+ref/words/infected
+ref/words/intercept
+ref/words/locked/files
+ref/words/malicious
+ref/words/password
+ref/words/plugin
+secrets/gcloud
+secrets/htpasswd
+secrets/keychain
+secrets/private_key
+secrets/ssh
+security_controls/linux/selinux
+security_controls/macos/xprotect
+shell/background/sleep
+shell/pipe_sh
+techniques/brute_force
+time/clock/set
+ui/clipboard
diff --git a/test_data/macOS/2024.BeaverTail/Jami.json b/test_data/macOS/2024.BeaverTail/Jami.json
index 085b760e..a449d499 100644
--- a/test_data/macOS/2024.BeaverTail/Jami.json
+++ b/test_data/macOS/2024.BeaverTail/Jami.json
@@ -10,22 +10,28 @@ }, "Behaviors": [ { - "Description": "Uses HTTP, archives, and references multiple browsers", + "Description": "Beaver Tail Infostealer", "MatchStrings": [ - ".config", - "Application Support", - "Brave-Browser", - "BraveSoftw", - "Chrome/User Data", - "Google/Chrome", - "Opera Software", - "Roaming/" + "%1_%2_%3_%4_%5", + "*.ldb", + "/.pyp/python.exe", + "/client/99", + "/pdown", + "/uploads", + "Download Python Success!", + "Upload LDB Finshed", + "clientDownFinished", + "logkc_db", + "name=\"multi_file\"", + "pDownFinished", + "upLDBFinished" ], - "RiskScore": 3, - "RiskLevel": "HIGH", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/stealer/browser.yara#multiple_browser_refs", - "ID": "combo/stealer/browser", - "RuleName": "multiple_browser_refs" + "RiskScore": 4, + "RiskLevel": "CRITICAL", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/malware/family/beaver_tail.yara#beaver_tail", + "ReferenceURL": "https://objective-see.org/blog/blog_0x7A.html", + "ID": "malware/family/beaver_tail", + "RuleName": "beaver_tail" }, { "Description": "makes HTTPS connections and references multiple Chrome crypto wallet extensions", 
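Review bot: The `Behaviors` array in this and the remaining Jami.json hunks is only reordered — each moved entry, for example the `beaver_tail` block removed further down and re-added here, is byte-identical — yet the new order is not sorted by `ID`, `RuleName` or `RiskScore` (a `LOW` `http_url` entry now sits between two `CRITICAL` ones). If the order now follows iteration over an unordered map the fixture comparison will be flaky; if it is a deliberate new sort key, it is worth naming in the commit description. The same reorder appears in noblox postinstall.js.json, yocolor setup.py.json and aspdasdksa2 callback.bat.json. Sorting behaviors by a stable key such as `ID` then `RuleName` before serializing would keep these fixtures diffable and turn future rule changes into one-entry diffs instead of whole-file churn.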
@@ -50,6 +56,62 @@ "ID": "combo/stealer/wallet", "RuleName": "crypto_extension_stealer" }, + { + "Description": "hardcoded IP address within a URL", + "MatchStrings": [ + "http://95.164.17.24:1224" + ], + "RiskScore": 3, + "RiskLevel": "HIGH", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/site/http-ip.yara#http_hardcoded_ip", + "ID": "ref/site/http/ip", + "RuleName": "http_hardcoded_ip" + }, + { + "Description": "contains embedded HTTP URLs", + "MatchStrings": [ + "http://95.164.17.24" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/site/url.yara#http_url", + "ID": "ref/site/url", + "RuleName": "http_url" + }, + { + "Description": "steals login keychain", + "MatchStrings": [ + "Keychains", + "logkc_db" + ], + "RiskScore": 4, + "RiskLevel": "CRITICAL", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/secrets/keychain.yara#login_keychain_eager_beaver", + "ReferenceURL": "https://www.group-ib.com/blog/apt-lazarus-python-scripts/", + "ID": "secrets/keychain", + "RuleName": "login_keychain_eager_beaver" + }, + { + "Description": "references 'cstealer' tool", + "MatchStrings": [ + "aeachknmefphepccionboohckonoeemg", + "aholpfdialjgjfhomihkjbmgjidlcdno", + "bfnaelmomeimhlpmgjnjophhpkkoljpa", + "ejbalbakoplchlghecdalmeeeajnimhm", + "fhbohimaelbohpjbbldcngcnapndodjp", + "hnfanknocfeofbddgcijnmhnfnkdnaad", + "ibnejdfjmmkpcnlpebklmnkoeoihofec", + "jblndlipeogpafnldhgmapagcccfchpi", + "nkbihfbeogaeaoehlefnkodbefgpgknn" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#cstealer_offensive_tool_keyword", + "ReferenceURL": "https://github.com/mthcht/ThreatHunting-Keywords", + "RuleAuthor": "mthcht", + "ID": "3P/threat_hunting/cstealer", + "RuleName": "cstealer_offensive_tool_keyword" + }, { "Description": "binary contains little text content", 
"MatchStrings": [ @@ -61,30 +123,6 @@ "ID": "evasion/binary/opaque", "RuleName": "opaque_binary" }, - { - "Description": "Beaver Tail Infostealer", - "MatchStrings": [ - "%1_%2_%3_%4_%5", - "*.ldb", - "/.pyp/python.exe", - "/client/99", - "/pdown", - "/uploads", - "Download Python Success!", - "Upload LDB Finshed", - "clientDownFinished", - "logkc_db", - "name=\"multi_file\"", - "pDownFinished", - "upLDBFinished" - ], - "RiskScore": 4, - "RiskLevel": "CRITICAL", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/malware/family/beaver_tail.yara#beaver_tail", - "ReferenceURL": "https://objective-see.org/blog/blog_0x7A.html", - "ID": "malware/family/beaver_tail", - "RuleName": "beaver_tail" - }, { "Description": "download files", "MatchStrings": [ 
@@ -109,27 +147,45 @@ "RuleName": "form_data_reference" }, { - "Description": "uploads files", + "Description": "hardcoded IP address", "MatchStrings": [ - "UploadEv", - "uploads" + "95.164.17.24" ], "RiskScore": 2, "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/upload.yara#upload", - "ID": "net/upload", - "RuleName": "upload" + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/ip.yara#hardcoded_ip", + "ID": "ref/ip", + "RuleName": "hardcoded_ip" }, { - "Description": "hardcoded IP address", + "Description": "Uses HTTP, archives, and references multiple browsers", "MatchStrings": [ - "95.164.17.24" + ".config", + "Application Support", + "Brave-Browser", + "BraveSoftw", + "Chrome/User Data", + "Google/Chrome", + "Opera Software", + "Roaming/" + ], + "RiskScore": 3, + "RiskLevel": "HIGH", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/stealer/browser.yara#multiple_browser_refs", + "ID": "combo/stealer/browser", + "RuleName": "multiple_browser_refs" + }, + { + "Description": "uploads files", + "MatchStrings": [ + "UploadEv", + "uploads" ], "RiskScore": 2, "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/ip.yara#hardcoded_ip", - "ID": "ref/ip", - "RuleName": "hardcoded_ip" + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/upload.yara#upload", + "ID": "net/upload", + "RuleName": "upload" }, { "Description": "hardcoded IP:port destination", 
@@ -155,28 +211,6 @@ "ID": "ref/path/home/config", "RuleName": "home_config_path" }, - { - "Description": "hardcoded IP address within a URL", - "MatchStrings": [ - "http://95.164.17.24:1224" - ], - "RiskScore": 3, - "RiskLevel": "HIGH", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/site/http-ip.yara#http_hardcoded_ip", - "ID": "ref/site/http/ip", - "RuleName": "http_hardcoded_ip" - }, - { - "Description": "contains embedded HTTP URLs", - "MatchStrings": [ - "http://95.164.17.24" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/site/url.yara#http_url", - "ID": "ref/site/url", - "RuleName": "http_url" - }, { "Description": "gets very excited", "MatchStrings": [ 
@@ -187,40 +221,6 @@ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/exclamation.yara#exclamations", "ID": "ref/words/exclamation", "RuleName": "exclamations" - }, - { - "Description": "steals login keychain", - "MatchStrings": [ - "Keychains", - "logkc_db" - ], - "RiskScore": 4, - "RiskLevel": "CRITICAL", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/secrets/keychain.yara#login_keychain_eager_beaver", - "ReferenceURL": "https://www.group-ib.com/blog/apt-lazarus-python-scripts/", - "ID": "secrets/keychain", - "RuleName": "login_keychain_eager_beaver" - }, - { - "Description": "references 'cstealer' tool", - "MatchStrings": [ - "aeachknmefphepccionboohckonoeemg", - "aholpfdialjgjfhomihkjbmgjidlcdno", - "bfnaelmomeimhlpmgjnjophhpkkoljpa", - "ejbalbakoplchlghecdalmeeeajnimhm", - "fhbohimaelbohpjbbldcngcnapndodjp", - "hnfanknocfeofbddgcijnmhnfnkdnaad", - "ibnejdfjmmkpcnlpebklmnkoeoihofec", - "jblndlipeogpafnldhgmapagcccfchpi", - "nkbihfbeogaeaoehlefnkodbefgpgknn" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#cstealer_offensive_tool_keyword", - "ReferenceURL": "https://github.com/mthcht/ThreatHunting-Keywords", - "RuleAuthor": "mthcht", - "ID": "3P/threat_hunting/cstealer", - "RuleName": "cstealer_offensive_tool_keyword" } ], "RiskScore": 4, diff --git a/test_data/macOS/2024.LightSpy/dropper.simple b/test_data/macOS/2024.LightSpy/dropper.simple index 9ef15e1a..ba0281db 100644 --- a/test_data/macOS/2024.LightSpy/dropper.simple +++ b/test_data/macOS/2024.LightSpy/dropper.simple @@ -8,7 +8,6 @@ dylib/symbol/address dylib/user env/TERM evasion/odd_pidfile -fs/attributes/remove fs/attributes/set fs/directory/create fs/file/stat diff --git a/test_data/macOS/2024.Rustdoor/localfile.simple b/test_data/macOS/2024.Rustdoor/localfile.simple index 10a7a277..1bfdba97 100644 
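Review bot: The dropped `fs/attributes/remove` line here, like the drops in the sibling fixture hunks — `combo/dropper/binary` (Rustdoor localfile), `combo/backdoor/remote_eval` (helmet-validate.axios config.js), `combo/backdoor/base64_exec` (hlwgirl index.js), `evasion/int_to_char` (testerrrrrrrrrr init.js), `combo/backdoor/php` and `evasion/base64/hidden` (Inull-Studio err.php), and `secrets/chromium_credit_cards` (GitHub.Clipper main.exe and aspdasdksa2 creal.pyc) — removes a detection from a known-malicious sample's expected output with no corresponding rule change visible in this chunk, so a reviewer cannot tell a rename or merge from a rule that was tightened and now misses the sample. The `combo/backdoor/*` losses are the ones to check first, since combo rules are presumably what carries the sample's overall risk. The `.simple` format appears to list rule IDs only, so a lost detection is invisible unless the commit explains it; please state for each removed ID which rule edit caused it and confirm that each affected sample's overall `RiskLevel` is unchanged.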
--- a/test_data/macOS/2024.Rustdoor/localfile.simple
+++ b/test_data/macOS/2024.Rustdoor/localfile.simple
@@ -1,6 +1,5 @@
 # macOS/2024.Rustdoor/localfile
 archives/zip
-combo/dropper/binary
 combo/dropper/macos
 combo/dropper/shell
 combo/stealer/browser
diff --git a/test_data/npm/2024.discord-api-ts/postinstall.js.simple b/test_data/npm/2024.discord-api-ts/postinstall.js.simple
index c17455c4..b54e85e8 100644
--- a/test_data/npm/2024.discord-api-ts/postinstall.js.simple
+++ b/test_data/npm/2024.discord-api-ts/postinstall.js.simple
@@ -1,7 +1,6 @@
 # npm/2024.discord-api-ts/postinstall.js
 fs/directory/create
 obfuscation/generic/hex
-obfuscation/js/function_spam
 obfuscation/js/hex_functions
 obfuscation/js/parseInt
 ref/words/exclamation
diff --git a/test_data/npm/2024.helmet-validate.axios/config.js.simple b/test_data/npm/2024.helmet-validate.axios/config.js.simple
index deff3af8..0971f773 100644
--- a/test_data/npm/2024.helmet-validate.axios/config.js.simple
+++ b/test_data/npm/2024.helmet-validate.axios/config.js.simple
@@ -1,4 +1,3 @@
 # npm/2024.helmet-validate.axios/config.js
-combo/backdoor/remote_eval
 ref/site/url
 techniques/code_eval
diff --git a/test_data/npm/2024.hlwgirl/index.js.simple b/test_data/npm/2024.hlwgirl/index.js.simple
index 6ef38bd0..301cfc0b 100644
--- a/test_data/npm/2024.hlwgirl/index.js.simple
+++ b/test_data/npm/2024.hlwgirl/index.js.simple
@@ -1,5 +1,4 @@
 # npm/2024.hlwgirl/index.js
-combo/backdoor/base64_exec
 encoding/base64
 evasion/hex
 fs/file/write
diff --git a/test_data/npm/2024.noblox/postinstall.js.json b/test_data/npm/2024.noblox/postinstall.js.json
index 725ef159..6f54aabb 100644
--- a/test_data/npm/2024.noblox/postinstall.js.json
+++ b/test_data/npm/2024.noblox/postinstall.js.json
@@ -1830,16 +1830,17 @@ "RuleName": "excessive_hex_refs" }, { - "Description": "javascript obfuscation (excessive const functions)", + "Description": "javascript obfuscation (integer parsing)", "MatchStrings": [ "const", "function(", + "parseInt", "{return" ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/obfuscation/js/function_spam.yara#js_const_func_obfuscation", - "ID": "obfuscation/js/function_spam", + "RiskScore": 3, + "RiskLevel": "HIGH", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/obfuscation/js/parseInt.yara#js_const_func_obfuscation", + "ID": "obfuscation/js/parseInt", "RuleName": "js_const_func_obfuscation" }, { @@ -1992,20 +1993,6 @@ "ID": "obfuscation/js/hex_functions", "RuleName": "js_hex_obfuscation" }, - { - "Description": "javascript obfuscation (integer parsing)", - "MatchStrings": [ - "const", - "function(", - "parseInt", - "{return" - ], - "RiskScore": 3, - "RiskLevel": "HIGH", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/obfuscation/js/parseInt.yara#js_const_func_obfuscation", - "ID": "obfuscation/js/parseInt", - "RuleName": "js_const_func_obfuscation" - }, { "Description": "path reference for C:\\Windows (may be partial)", "MatchStrings": [ diff --git a/test_data/npm/2024.testerrrrrrrrrr/init.js.simple b/test_data/npm/2024.testerrrrrrrrrr/init.js.simple index fd354ca1..032e08b6 100644 --- a/test_data/npm/2024.testerrrrrrrrrr/init.js.simple +++ b/test_data/npm/2024.testerrrrrrrrrr/init.js.simple @@ -2,7 +2,6 @@ combo/recon/nodejs evasion/char_to_int evasion/dynamic_import -evasion/int_to_char net/hostname/resolve net/http/form/upload net/http/post diff --git a/test_data/php/2024.Inull-Studio/err.php.simple b/test_data/php/2024.Inull-Studio/err.php.simple index 81d0acf0..cbc341ca 100644 --- a/test_data/php/2024.Inull-Studio/err.php.simple +++ b/test_data/php/2024.Inull-Studio/err.php.simple 
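Review bot: The surviving entry keeps `"RuleName": "js_const_func_obfuscation"` while its `Description` ("integer parsing") and `RuleURL` (`parseInt.yara`) now describe a different rule; the entry removed in the second hunk, from `function_spam.yara`, carried the very same RuleName, so before this change two rules in different files shared one identifier. Dropping `obfuscation/js/function_spam` (also removed from the discord-api-ts fixture) resolves the collision in the fixtures, but the rule in `parseInt.yara` — not part of this chunk — would be clearer renamed so that `RuleName`, `Description` and `RuleURL` agree, e.g. `rule js_parseint_obfuscation : high {` (constructed name), with the fixture regenerated afterwards. If `function_spam.yara` still exists with the old identifier, the rename also removes any chance of a duplicate-identifier compile error.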
@@ -1,6 +1,4 @@ # php/2024.Inull-Studio/err.php -combo/backdoor/php -evasion/base64/hidden evasion/mask_exceptions obfuscation/php/filler obfuscation/php/str_replace diff --git a/test_data/python/2024.yocolor/setup.py.json b/test_data/python/2024.yocolor/setup.py.json index 2cdd1385..eb937caf 100644 --- a/test_data/python/2024.yocolor/setup.py.json +++ b/test_data/python/2024.yocolor/setup.py.json @@ -25,6 +25,29 @@ "ID": "admin/pip_install", "RuleName": "pip_installer_fernet" }, + { + "Description": "contains embedded HTTPS URLs", + "MatchStrings": [ + "https://github.com/tartley/yocolor", + "https://pypi.org/pypi?" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/site/url.yara#https_url", + "ID": "ref/site/url", + "RuleName": "https_url" + }, + { + "Description": "path reference within /usr/bin", + "MatchStrings": [ + "/usr/bin/env" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/usr-bin.yara#usr_bin_path", + "ID": "ref/path/usr/bin", + "RuleName": "usr_bin_path" + }, { "Description": "Python library installer that executes the Windows 'start' command", "MatchStrings": [ 
@@ -91,29 +114,6 @@ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/executable_path.yara#python_sys_executable", "ID": "process/executable_path", "RuleName": "python_sys_executable" - }, - { - "Description": "path reference within /usr/bin", - "MatchStrings": [ - "/usr/bin/env" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/usr-bin.yara#usr_bin_path", - "ID": "ref/path/usr/bin", - "RuleName": "usr_bin_path" - }, - { - "Description": "contains embedded HTTPS URLs", - "MatchStrings": [ - "https://github.com/tartley/yocolor", - "https://pypi.org/pypi?" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/site/url.yara#https_url", - "ID": "ref/site/url", - "RuleName": "https_url" } ], "RiskScore": 4, diff --git a/test_data/python/clean/tensorflow_model_analysis/tfjs_predict_extractor_util.py.simple b/test_data/python/clean/tensorflow_model_analysis/tfjs_predict_extractor_util.py.simple new file mode 100644 index 00000000..ca5da13f --- /dev/null +++ b/test_data/python/clean/tensorflow_model_analysis/tfjs_predict_extractor_util.py.simple @@ -0,0 +1,9 @@ +# python/clean/tensorflow_model_analysis/tfjs_predict_extractor_util.py +combo/dropper/python +exec/program +fs/permission/modify +fs/tempdir/create +kernel/platform +net/url +net/url/request +ref/site/url diff --git a/test_data/windows/2024.GitHub.Clipper/main.exe.simple b/test_data/windows/2024.GitHub.Clipper/main.exe.simple index 8d89936e..5ee9018c 100644 --- a/test_data/windows/2024.GitHub.Clipper/main.exe.simple +++ b/test_data/windows/2024.GitHub.Clipper/main.exe.simple @@ -84,7 +84,6 @@ ref/site/http/dynamic ref/site/url ref/words/password ref/words/plugin -secrets/chromium_credit_cards secrets/chromium_master_password secrets/firefox/cookies secrets/firefox/master_password 
diff --git a/test_data/windows/2024.aspdasdksa2/callback.bat.json b/test_data/windows/2024.aspdasdksa2/callback.bat.json index ff289202..91a85d0d 100644 --- a/test_data/windows/2024.aspdasdksa2/callback.bat.json +++ b/test_data/windows/2024.aspdasdksa2/callback.bat.json @@ -6,16 +6,19 @@ "Size": 1105, "Behaviors": [ { - "Description": "Stops EDR/Antivirus services", + "Description": "Detects suspicious PowerShell code that downloads from web sites", "MatchStrings": [ - "alwarebytes", - "stopservice" + "System.Net.WebClient).DownloadFile('http" ], "RiskScore": 4, "RiskLevel": "CRITICAL", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/degrader/edr_killer.yara#edr_stopper", - "ID": "combo/degrader/edr_killer", - "RuleName": "edr_stopper" + "RuleURL": "https://github.com/Neo23x0/signature-base/blob/f448cbc9db16ac30559ce5a5c848317478569207/yara/gen_powershell_susp.yar#L52-L91", + "ReferenceURL": "Internal%20Research", + "RuleAuthor": "Florian Roth (Nextron Systems)", + "RuleLicense": "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE", + "RuleLicenseURL": "https://github.com/Neo23x0/signature-base/blob/f448cbc9db16ac30559ce5a5c848317478569207/LICENSE", + "ID": "3P/signature_base/powershell/webdownload", + "RuleName": "SIGNATURE_BASE_Suspicious_Powershell_Webdownload_1" }, { "Description": "Uses powershell to define Windows Defender exclusions", @@ -28,17 +31,6 @@ "ID": "combo/degrader/win_defender", "RuleName": "win_defender_exclusion" }, - { - "Description": "download files", - "MatchStrings": [ - "DownloadFile" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download.yara#download", - "ID": "net/download", - "RuleName": "download" - }, { "Description": "Uses RunAs to execute code as another user", "MatchStrings": [ 
@@ -51,15 +43,15 @@ "RuleName": "runas_admin" }, { - "Description": "kills tasks and/or processes", + "Description": "powershell", "MatchStrings": [ - "taskkill" + "powershell -Command" ], "RiskScore": 2, "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/taskkill.yara#taskkill", - "ID": "process/taskkill", - "RuleName": "taskkill" + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/program/powershell.yara#powershell", + "ID": "ref/program/powershell", + "RuleName": "powershell" }, { "Description": "path reference for C:\\Windows (may be partial)", @@ -72,17 +64,6 @@ "ID": "ref/path/windows_root", "RuleName": "windows_path" }, - { - "Description": "powershell", - "MatchStrings": [ - "powershell -Command" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/program/powershell.yara#powershell", - "ID": "ref/program/powershell", - "RuleName": "powershell" - }, { "Description": "accesses hardcoded executable endpoint", "MatchStrings": [ 
@@ -117,21 +98,6 @@ "ID": "ref/site/url", "RuleName": "https_url" }, - { - "Description": "Detects suspicious PowerShell code that downloads from web sites", - "MatchStrings": [ - "System.Net.WebClient).DownloadFile('http" - ], - "RiskScore": 4, - "RiskLevel": "CRITICAL", - "RuleURL": "https://github.com/Neo23x0/signature-base/blob/f448cbc9db16ac30559ce5a5c848317478569207/yara/gen_powershell_susp.yar#L52-L91", - "ReferenceURL": "Internal%20Research", - "RuleAuthor": "Florian Roth (Nextron Systems)", - "RuleLicense": "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE", - "RuleLicenseURL": "https://github.com/Neo23x0/signature-base/blob/f448cbc9db16ac30559ce5a5c848317478569207/LICENSE", - "ID": "3P/signature_base/powershell/webdownload", - "RuleName": "SIGNATURE_BASE_Suspicious_Powershell_Webdownload_1" - }, { "Description": "references 'powershell' tool", "MatchStrings": [ 
@@ -144,6 +110,40 @@ "RuleAuthor": "mthcht", "ID": "3P/threat_hunting/powershell", "RuleName": "powershell_offensive_tool_keyword" + }, + { + "Description": "Stops EDR/Antivirus services", + "MatchStrings": [ + "alwarebytes", + "stopservice" + ], + "RiskScore": 4, + "RiskLevel": "CRITICAL", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/degrader/edr_killer.yara#edr_stopper", + "ID": "combo/degrader/edr_killer", + "RuleName": "edr_stopper" + }, + { + "Description": "download files", + "MatchStrings": [ + "DownloadFile" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download.yara#download", + "ID": "net/download", + "RuleName": "download" + }, + { + "Description": "kills tasks and/or processes", + "MatchStrings": [ + "taskkill" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/taskkill.yara#taskkill", + "ID": "process/taskkill", + "RuleName": "taskkill" } ], "RiskScore": 4, diff --git a/test_data/windows/2024.aspdasdksa2/creal.pyc.simple b/test_data/windows/2024.aspdasdksa2/creal.pyc.simple index bf610aac..b8d2db11 100644 --- a/test_data/windows/2024.aspdasdksa2/creal.pyc.simple +++ b/test_data/windows/2024.aspdasdksa2/creal.pyc.simple @@ -32,6 +32,5 @@ ref/site/download ref/site/url ref/words/password secrets/chrome_cookies -secrets/chromium_credit_cards secrets/chromium_master_password tty/getpass