From 1a45781de90b384c7d5391958013e4e027b45674 Mon Sep 17 00:00:00 2001 
From: Thomas Stromberg
Date: Tue, 17 Dec 2024 16:22:07 -0500
Subject: [PATCH 1/4] Address Python false-positives
---
Makefile | 2 +-
pkg/action/testdata/scan_archive | 2487 -----------------
rules/exfil/stealer/keylogger.yara | 7 +-
rules/false_positives/conda_build.yara | 14 -
rules/false_positives/py_hatch.yara | 2 +-
rules/false_positives/setuptools.yara | 26 +-
rules/impact/remote_access/py_setuptools.yara | 44 +-
.../emp3r0r.agent.simple | 173 --
tests/linux/clean/buildah.simple | 159 --
tests/linux/clean/buildkitd.simple | 132 -
tests/linux/clean/caddy.simple | 163 --
tests/linux/clean/chezmoi.simple | 172 --
tests/linux/clean/chrome.simple | 184 --
tests/linux/clean/clickhouse.simple | 205 --
tests/linux/clean/code-oss.md | 192 --
tests/linux/clean/containerd.simple | 134 -
.../securitySolution.chunk.22.js.simple | 48 -
.../kibana/securitySolution.chunk.9.js.simple | 70 -
tests/linux/clean/kuma-cp.simple | 142 -
tests/linux/clean/libgcj.so.17.0.0.simple | 103 -
tests/linux/clean/libgcj.so.17.simple | 103 -
tests/linux/clean/melange.simple | 160 --
tests/linux/clean/mongosh.simple | 194 --
tests/linux/clean/opa.simple | 106 -
tests/linux/clean/pandoc.md | 175 --
tests/linux/clean/pulumi.simple | 159 --
tests/linux/clean/slack.md | 193 --
tests/linux/clean/trivy.simple | 201 --
tests/linux/clean/trufflehog.md | 194 --
tests/linux/clean/wolfictl.simple | 192 --
.../python/2021.DiscordSafety/setup.py.simple | 2 +-
tests/python/2024.Custom.RAT/output.py.simple | 2 +-
.../clean/airflow/botocore_config.py.simple | 0
tests/python/clean/airflow/db.py.simple | 0
.../clean/airflow/kubernetes_engine.py.simple | 0
.../conda-build/_load_setup_py_data.py.simple | 2 +-
tests/python/clean/fonttools/psLib.py.simple | 0
.../setup.py.simple | 1 +
.../google-cloud-sdk/requests_setup.py.simple | 0
tests/python/clean/idna/setup.py.simple | 1 +
.../clean/matplotlib/_backend_tk.py.simple | 0
.../clean/matplotlib/backend_bases.py.simple | 0
.../clean/matplotlib/backend_qt.py.simple | 
0
.../clean/matplotlib/backend_wx.py.simple | 0
.../clean/mitmproxy/raw_display.py.simple | 0
tests/python/clean/ml_sdk/setup.py.simple | 1 +
tests/python/clean/numba/support.py.simple | 1 -
.../pydevd/setup_pydevd_cython.py.simple | 3 +-
tests/python/clean/requests/setup.py.simple | 1 +
.../setuptools/test_pyprojecttoml.py.simple | 1 -
50 files changed, 57 insertions(+), 6094 deletions(-)
delete mode 100644 rules/false_positives/conda_build.yara
create mode 100644 tests/python/clean/airflow/botocore_config.py.simple
create mode 100644 tests/python/clean/airflow/db.py.simple
create mode 100644 tests/python/clean/airflow/kubernetes_engine.py.simple
create mode 100644 tests/python/clean/fonttools/psLib.py.simple
create mode 100644 tests/python/clean/google-cloud-sdk/requests_setup.py.simple
create mode 100644 tests/python/clean/matplotlib/_backend_tk.py.simple
create mode 100644 tests/python/clean/matplotlib/backend_bases.py.simple
create mode 100644 tests/python/clean/matplotlib/backend_qt.py.simple
create mode 100644 tests/python/clean/matplotlib/backend_wx.py.simple
create mode 100644 tests/python/clean/mitmproxy/raw_display.py.simple
diff --git a/Makefile b/Makefile
index 621cf5bb1..d0712b81e 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@ SAMPLES_REPO ?= chainguard-dev/malcontent-samples
-SAMPLES_COMMIT ?= 38d8faef6bcbd63f7cc02bb243b12aaa3e1ba70c
+SAMPLES_COMMIT ?= 528a7e975638d2c5ce06da1af32c5918aa4d6c7e
 # BEGIN: lint-install ../malcontent
 # http://github.com/tinkerbell/lint-install
diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
index 45e3bfcfa..e69de29bb 100644
--- a/pkg/action/testdata/scan_archive
+++ b/pkg/action/testdata/scan_archive
@@ -1,2487 +0,0 @@ -{ - "Files": { - "/apko_0.13.2_linux_arm64/apko": { - "Path": "testdata/apko_nested.tar.gz ∴ /apko_0.13.2_linux_arm64/apko", - "SHA256": "ad237dc65d25cfe673b4891e189e9ff1fd041ec817133ac6c565120a6a189189", - "Size": 26400952, - "Syscalls": [ - "accept", - "adjtimex", - "chmod", - "chown", - "chroot", - "clone", - "close", - "execve", - "fchmodat", - "fchown", - "flock", - "fsync", - "getegid", - "geteuid", - "getpeername", - "getpid", - "getrlimit", - "getsockname", - "getsockopt", - "getuid", - "getwd", - "ioctl", - "kill", - "linkat", - "lstat", - "madvise", - "mknod", - "mount", - "nice", - "open", - "pivot_root", - "posix_spawn", - "pread64", - "pwrite64", - "readlink", - "recv", - "rename", - "send", - "sendfile", - "sendmsg", - "sendto", - "setgroups", - "setrlimit", - "setsid", - "setsockopt", - "stat", - "swapoff", - "swapon", - "symlink", - "symlinkat", - "sysctl", - "truncate", - "umount", - "unlink", - "unshare" - ], - "Pledge": [ - "cpath", - "exec", - "fattr", - "flock", - "id", - "inet", - "proc", - "rpath", - "settime", - "stdio", - "sysctl", - "wpath" - ], - "Behaviors": [ - { - "Description": "Contains a table that may be used for XOR decryption", - "MatchStrings": [ - "56789abcdefghijklmnopqrstuvwxyzABCDE::$ref" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/xor/xor-table.yara#xor_table", - "ID": "anti-static/xor/table", - "RuleName": "xor_table" - }, - { - "Description": "mentions an IP and port", - "MatchStrings": [ - "IP", - "dIp", - "getPort", - "hIp", - "hasPort", - "iIp", - "kIp", - "lIp", - "lookupPort", - "mIp", - "oIp", - "pIp", - "parsePort", - "qfIp", - "rxPort", - "sfIp", - "yIp", - "zIp" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention", - "ID": "c2/addr/ip", - "RuleName": "ip_port_mention" - }, - { - "Description": "references 
a 'server address', possible C2 client", - "MatchStrings": [ - "serverAddress" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address", - "ID": "c2/addr/server", - "RuleName": "server_address" - }, - { - "Description": "binary contains hardcoded URL", - "MatchStrings": [ - "http://localhost", - "http://www.w3.org/XML/1998/namespacexml", - "https://GoString01234567beEfFgGvsignal", - "https://alpinelinux.org/releases.jsondid", - "https://github.com/chainguard", - "https://github.com/google/go", - "https://github.com/spf13/cobra/issues/1279", - "https://github.com/spf13/cobra/issues/1508", - "https://index.docker.io/v1/Path", - "https://index.docker.io/v2/library/ubuntu/tags/list", - "https://pkg.go.dev/text/template", - "https://reproducible", - "https://spdx.org/spdxdocs/apko/directory" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url", - "ID": "c2/addr/url", - "RuleName": "binary_with_url" - }, - { - "Description": "contains a client ID", - "MatchStrings": [ - "client_id" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID", - "ID": "c2/client", - "RuleName": "clientID" - }, - { - "Description": "references a specific architecture", - "MatchStrings": [ - "AMD64", - "amd64", - "arm64", - "http://", - "https://", - "x86_64" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref", - "ID": "c2/tool_transfer/arch", - "RuleName": "arch_ref" - }, - { - "Description": "references multiple operating systems", - "MatchStrings": [ - "Linux", - "Windows", - "http://", - "https://", - "macOS" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref", - "ID": "c2/tool_transfer/os", - "RuleName": "multiple_os_ref" - }, - { - "Description": "Works with zip files", - "MatchStrings": [ - "archive/zip" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip", - "ID": "collect/archives/zip", - "RuleName": "zip" - }, - { - "Description": "accesses a keychain", - "MatchStrings": [ - "Keychain", - "keychain" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain", - "ID": "credential/keychain", - "RuleName": "keychain" - }, - { - "Description": "references a 'password'", - "MatchStrings": [ - "IncorrectPasswordError", - "Password from", - "PasswordHashIterations", - "UserPassword", - "and password requiredreading", - "bson bytes as Passwordopenpgp", - "passwordSet", - "passwordStdin", - "socksUsernamePassword", - "stripPassword", - "with a password", - "wpassword-stdinparsing" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password", - "ID": "credential/password", - "RuleName": "password" - }, - { - "Description": "References private keys", - "MatchStrings": [ - "privateKey", - "private_key" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val", - "ID": "credential/ssl/private_key", - "RuleName": "private_key_val" - }, - { - "Description": "Supports AES (Advanced Encryption Standard)", - "MatchStrings": [ - "AES", - "crypto/aes" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes", - "ID": "crypto/aes", 
- "RuleName": "crypto_aes" - }, - { - "Description": "mentions 'ciphertext'", - "MatchStrings": [ - "ciphertext" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext", - "ID": "crypto/cipher", - "RuleName": "ciphertext" - }, - { - "Description": "decrypts data", - "MatchStrings": [ - "DecryptPEMBlock", - "DecryptPKCS1v15SessionK", - "DecryptPrivateKeys", - "DecryptTicket", - "DecrypterOpts", - "DecrypterreadPythonMult", - "DecryptionKeys", - "ErrDecryption", - "NewCBCDecrypter", - "NewCFBDecrypter", - "NewOCFBDecrypter", - "PKCS1v15DecryptOptions", - "aeadDecrypter", - "cbcDecrypter", - "lid options for Decrypttags don", - "newDecrypter", - "ocfbDecrypter", - "pter type in NewDecrypterPrivateKeyargu", - "rsaDecryptOk" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt", - "ID": "crypto/decrypt", - "RuleName": "decrypt" - }, - { - "Description": "Uses the Go crypto/ecdsa library", - "MatchStrings": [ - "crypto/ecdsa" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa", - "ID": "crypto/ecdsa", - "RuleName": "crypto_ecdsa" - }, - { - "Description": "Elliptic curve algorithm used by TLS and SSH", - "MatchStrings": [ - "ed25519" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519", - "ID": "crypto/ed25519", - "RuleName": "ed25519" - }, - { - "Description": "elliptic", - "MatchStrings": [ - "crypto/elliptic", - "elliptic.p224", - "elliptic.p256", - "p256Inverse" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/elliptic.yara#elliptic", - "ID": "crypto/elliptic", - "RuleName": "elliptic" - }, - { - 
"Description": "references a 'public key'", - "MatchStrings": [ - "Public Key", - "PublicKey", - "public key", - "public-key", - "publicKey", - "public_key", - "publickey" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key", - "ID": "crypto/public_key", - "RuleName": "public_key" - }, - { - "Description": "tls", - "MatchStrings": [ - "TLS13", - "TLSVersion", - "crypto/tls" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls", - "ID": "crypto/tls", - "RuleName": "tls" - }, - { - "Description": "Works with bzip2 files", - "MatchStrings": [ - "bzip2" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2", - "ID": "data/compression/bzip2", - "RuleName": "bzip2" - }, - { - "Description": "works with gzip files", - "MatchStrings": [ - "gzip" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip", - "ReferenceURL": "https://www.gnu.org/software/gzip/", - "ID": "data/compression/gzip", - "RuleName": "gzip" - }, - { - "Description": "works with lzma files", - "MatchStrings": [ - "lzma" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma", - "ReferenceURL": "https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm", - "ID": "data/compression/lzma", - "RuleName": "lzma" - }, - { - "Description": "uses zlib", - "MatchStrings": [ - "zlib" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib", - "ID": "data/compression/zlib", - "RuleName": "zlib" - }, - { - "Description": 
"Zstandard: fast real-time compression algorithm", - "MatchStrings": [ - "(\ufffd/\ufffd", - "zstd" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd", - "ID": "data/compression/zstd", - "RuleName": "zstd" - }, - { - "Description": "Contains embedded PEM certificate", - "MatchStrings": [ - "-----BEGIN CERTIFICATE-----" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert", - "ID": "data/embedded/pem_certificate", - "RuleName": "begin_cert" - }, - { - "Description": "Contains TESTING KEY directive", - "MatchStrings": [ - "TESTING KEY-----" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-test_key.yara#testing_key", - "ID": "data/embedded/pem_test_key", - "RuleName": "testing_key" - }, - { - "Description": "Contains embedded SSH signature", - "MatchStrings": [ - "--BEGIN SSH SIGNATURE--" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-ssh-signature.yara#ssh_signature", - "ID": "data/embedded/ssh_signature", - "RuleName": "ssh_signature" - }, - { - "Description": "Contains compressed content in ZStandard format", - "MatchStrings": [ - "(\ufffd/\ufffd" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-zstd.yara#embedded_zstd", - "ReferenceURL": "https://github.com/facebook/zstd", - "ID": "data/embedded/zstd", - "RuleName": "embedded_zstd" - }, - { - "Description": "go asn1", - "MatchStrings": [ - "asn1.parse", - "encoding/asn1" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/asn1.yara#go_asn1", - "ID": "data/encoding/asn1", - "RuleName": "go_asn1" - }, - { - "Description": "Supports base64 encoded strings", - "MatchStrings": [ - "base64" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64", - "ID": "data/encoding/base64", - "RuleName": "b64" - }, - { - "Description": "Supports JSON encoded objects", - "MatchStrings": [ - "encoding/json" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json.yara#encoding_json", - "ID": "data/encoding/json", - "RuleName": "encoding_json" - }, - { - "Description": "Decodes JSON messages", - "MatchStrings": [ - "json.Unmarshal" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode", - "ID": "data/encoding/json_decode", - "RuleName": "jsondecode" - }, - { - "Description": "encodes JSON", - "MatchStrings": [ - "MarshalJSON" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#MarshalJSON", - "ID": "data/encoding/json_encode", - "RuleName": "MarshalJSON" - }, - { - "Description": "protobuf", - "MatchStrings": [ - "protobuf" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/protobuf.yara#protobuf", - "ID": "data/encoding/protobuf", - "RuleName": "protobuf" - }, - { - "Description": "Uses blake2b encryption algorithm", - "MatchStrings": [ - "blake2b" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/blake2b.yara#crypto_blake2b", - "ID": "data/hash/blake2b", - "RuleName": "crypto_blake2b" - }, 
- { - "Description": "Uses the MD5 signature format", - "MatchStrings": [ - "md5:" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5", - "ID": "data/hash/md5", - "RuleName": "MD5" - }, - { - "Description": "Uses the SHA512 signature format", - "MatchStrings": [ - "SHA512" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha512.yara#SHA512", - "ID": "data/hash/sha512", - "RuleName": "SHA512" - }, - { - "Description": "list network interfaces", - "MatchStrings": [ - "ifconfig" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs", - "ID": "discover/network/interface_list", - "RuleName": "bsd_ifaddrs" - }, - { - "Description": "Retrieves network MAC address", - "MatchStrings": [ - "MAC address" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr", - "ID": "discover/network/mac_address", - "RuleName": "macaddr" - }, - { - "Description": "Uses 'netstat' for network information", - "MatchStrings": [ - "netstat" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat", - "ID": "discover/network/netstat", - "RuleName": "netstat" - }, - { - "Description": "returns the effective group id of the current process", - "MatchStrings": [ - "Getegid" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/egid.yara#getegid", - "ID": "discover/process/egid", - "RuleName": "getegid" - }, - { - "Description": "returns the effective user id of the current process", - "MatchStrings": [ - "Geteuid" - ], - 
"RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/euid.yara#geteuid", - "ID": "discover/process/euid", - "RuleName": "geteuid" - }, - { - "Description": "gets the active process ID", - "MatchStrings": [ - "getpid" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/pid.yara#getpid", - "ID": "discover/process/pid", - "RuleName": "getpid" - }, - { - "Description": "retrieve resource limits", - "MatchStrings": [ - "Getrlimit", - "getrlimit" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/resource-limits.yara#getrlimit", - "ID": "discover/process/resource_limits", - "RuleName": "getrlimit" - }, - { - "Description": "returns the user id of the current process", - "MatchStrings": [ - "Getuid" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/uid.yara#getuid", - "ID": "discover/process/uid", - "RuleName": "getuid" - }, - { - "Description": "gets current working directory", - "MatchStrings": [ - "Getwd", - "getwd" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/working_directory.yara#getwd", - "ID": "discover/process/working_directory", - "RuleName": "getwd" - }, - { - "Description": "Finds program in process table", - "MatchStrings": [ - "pgrep" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/processes/pgrep.yara#pgrep", - "ID": "discover/processes/pgrep", - "RuleName": "pgrep" - }, - { - "Description": "gets number of processors", - "MatchStrings": [ - "nproc" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu.yara#processor_count", - "ReferenceURL": "https://man7.org/linux/man-pages/man3/get_nprocs.3.html", - "ID": "discover/system/cpu", - "RuleName": "processor_count" - }, - { - "Description": "accesses the kernel log ring buffer", - "MatchStrings": [ - "dmesg" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/dmesg.yara#dmesg", - "ID": "discover/system/dmesg", - "RuleName": "dmesg" - }, - { - "Description": "get computer host name", - "MatchStrings": [ - "/proc/sys/kernel/hostname" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/sethostname.2.html", - "ID": "discover/system/hostname", - "RuleName": "gethostname" - }, - { - "Description": "system identification", - "MatchStrings": [ - "syscall.Uname", - "uname" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname", - "ReferenceURL": "https://man7.org/linux/man-pages/man1/uname.1.html", - "ID": "discover/system/platform", - "RuleName": "uname" - }, - { - "Description": "Looks up the HOME directory for the current user", - "MatchStrings": [ - "HOME", - "getenv" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME", - "ReferenceURL": "https://man.openbsd.org/login.1#ENVIRONMENT", - "ID": "discover/user/HOME", - "RuleName": "HOME" - }, - { - "Description": "Looks up the USER name of the current user", - "MatchStrings": [ - "USER", - "environ", - "getenv" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER", - "ReferenceURL": "https://man.openbsd.org/login.1#ENVIRONMENT", - "ID": "discover/user/USER", - "RuleName": "USER" - }, - { - "Description": "get entry from passwd (user) database", - "MatchStrings": [ - "user/lookup" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/lookup.yara#getpwuid", - "ID": "discover/user/lookup", - "RuleName": "getpwuid" - }, - { - "Description": "returns the user name running this process", - "MatchStrings": [ - "whoami" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami", - "ReferenceURL": "https://man7.org/linux/man-pages/man1/whoami.1.html", - "ID": "discover/user/name_get", - "RuleName": "whoami" - }, - { - "Description": "hidden path generated dynamically", - "MatchStrings": [ - "%s/.ssh" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path", - "ReferenceURL": "https://objective-see.org/blog/blog_0x73.html", - "ID": "evasion/file/prefix", - "RuleName": "dynamic_hidden_path" - }, - { - "Description": "change the root mount location", - "MatchStrings": [ - "pivot_root" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hide_artifacts/pivot_root.yara#pivot_root", - "ID": "evasion/hide_artifacts/pivot_root", - "RuleName": "pivot_root" - }, - { - "Description": "references a 'plugin'", - "MatchStrings": [ - "ErrIntOverflowPlugin", - "ErrInvalidLengthPlugin", - "PluginConfigArgs", - "PluginConfigInterface", - "PluginConfigLinux", - "PluginConfigNetwork", - "PluginConfigRootfs", - "PluginConfigUser", - "PluginCreateOptions", - "PluginDescription", - 
"PluginDevice", - "PluginDisableOptions", - "PluginEnableOptions", - "PluginEnv", - "PluginInspectWithRaw", - "PluginInstallOptions", - "PluginInterfaceType", - "PluginList", - "PluginMount", - "PluginName", - "PluginPrivileges", - "PluginPush", - "PluginReference", - "PluginRemoveOptions", - "PluginSettings", - "PluginSpecwrong", - "PluginsFormat", - "PluginsInfo", - "PluginsListResponse", - "SetPluginConfig", - "_pingOSTypepluginsecret", - "both a container spec and a plugin spec in", - "denied while installing plugin", - "encodeVarintPlugin", - "fileDescriptorPlugin", - "plugin_create", - "plugin_disable", - "plugin_enable", - "plugin_inspect", - "plugin_install", - "plugin_list", - "plugin_push", - "plugin_remove", - "plugin_responses", - "plugin_set", - "plugin_upgrade", - "pluginpath", - "pluginsFormat", - "skipPlugin", - "sovPlugin", - "tryPluginPull", - "tryPluginUpgrade" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin", - "ID": "exec/plugin", - "RuleName": "plugin" - }, - { - "Description": "executes external programs", - "MatchStrings": [ - ").CombinedOutput", - "exec.(*Cmd).Run" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#exec_cmd_run", - "ID": "exec/program", - "RuleName": "exec_cmd_run" - }, - { - "Description": "calls sleep and runs shell code in the background", - "MatchStrings": [ - "#!", - "2\u003e\u00261 \u0026", - "nohup" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/background-sleep.yara#sleep_and_background", - "ID": "exec/shell/background_sleep", - "RuleName": "sleep_and_background" - }, - { - "Description": "executes shell", - "MatchStrings": [ - "/bin/bash", - "/bin/sh" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#calls_shell", - "ID": "exec/shell/exec", - "RuleName": "calls_shell" - }, - { - "Description": "works with block device attributes", - "MatchStrings": [ - "blkid" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/blkid.yara#blkid", - "ReferenceURL": "https://man7.org/linux/man-pages/man8/blkid.8.html", - "ID": "fs/blkid", - "RuleName": "blkid" - }, - { - "Description": "manipulate the device parameters of special files", - "MatchStrings": [ - "ioctl" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/device-control.yara#ioctl", - "ID": "fs/device_control", - "RuleName": "ioctl" - }, - { - "Description": "creates directories", - "MatchStrings": [ - "mkdir" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/mkdir.2.html", - "ID": "fs/directory/create", - "RuleName": "mkdir" - }, - { - "Description": "Uses Go functions to list a directory", - "MatchStrings": [ - ".ReadDir" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir", - "ID": "fs/directory/list", - "RuleName": "GoReadDir" - }, - { - "Description": "Uses libc functions to remove directories", - "MatchStrings": [ - "Rmdir", - "rmdir" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir", - "ID": "fs/directory/remove", - "RuleName": "rmdir" - }, - { - "Description": "make a FIFO special file (a named pipe)", - "MatchStrings": [ - "mkfifo" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/fifo-create.yara#mkfifo", - "ID": "fs/fifo_create", - "RuleName": "mkfifo" - }, - { - "Description": "check if the current user can access a file", - "MatchStrings": [ - "faccessat2" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-access-check.yara#_access", - "ID": "fs/file/access_check", - "RuleName": "_access" - }, - { - "Description": "deletes files", - "MatchStrings": [ - "unlinkat" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/unlink.2.html", - "ID": "fs/file/delete", - "RuleName": "unlink" - }, - { - "Description": "Forcibly deletes files", - "MatchStrings": [ - "rm non-TreeNodersopenpgp" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force", - "ID": "fs/file/delete_forcibly", - "RuleName": "rm_force" - }, - { - "Description": "opens files", - "MatchStrings": [ - "openFile" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#java_open", - "ID": "fs/file/open", - "RuleName": "java_open" - }, - { - "Description": "reads files", - "MatchStrings": [ - "ReadFile", - "os.(*File).Read" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read", - "ID": "fs/file/read", - "RuleName": "go_file_read" - }, - { - "Description": "renames files", - "MatchStrings": [ - "os.rename" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename", - "ID": "fs/file/rename", - 
"RuleName": "explicit_rename" - }, - { - "Description": "access filesystem metadata", - "MatchStrings": [ - "fs.statDirEntry" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat", - "ID": "fs/file/stat", - "RuleName": "npm_stat" - }, - { - "Description": "forcibly synchronizes file state to disk", - "MatchStrings": [ - "fsync", - "syscall.Fsync" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-sync.yara#fsync", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/fsync.2.html", - "ID": "fs/file/sync", - "RuleName": "fsync" - }, - { - "Description": "truncate a file to a specified length", - "MatchStrings": [ - "truncate" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#truncate", - "ID": "fs/file/truncate", - "RuleName": "truncate" - }, - { - "Description": "writes to file", - "MatchStrings": [ - "AllowOverwriteDirWithFile", - "WriteFile", - "writeFilePatchHeader", - "writeIndexToFile", - "writeOneFile", - "writeRawFile" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write", - "ID": "fs/file/write", - "RuleName": "file_write" - }, - { - "Description": "May create hard file links", - "MatchStrings": [ - "linkat" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat", - "ID": "fs/link_create", - "RuleName": "linkat" - }, - { - "Description": "read value of a symbolic link", - "MatchStrings": [ - "readlinkat" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink", - "ReferenceURL": 
"https://man7.org/linux/man-pages/man2/readlink.2.html", - "ID": "fs/link_read", - "RuleName": "readlink" - }, - { - "Description": "apply or remove an advisory lock on a file", - "MatchStrings": [ - "flock" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock", - "ID": "fs/lock_update", - "RuleName": "flock" - }, - { - "Description": "mounts file systems", - "MatchStrings": [ - "-o", - "mount" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount", - "ID": "fs/mount", - "RuleName": "mount" - }, - { - "Description": "create device files", - "MatchStrings": [ - "mknod" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/mknod.2.html", - "ID": "fs/node_create", - "RuleName": "mknod" - }, - { - "Description": "Calls /bin/su", - "MatchStrings": [ - "/bin/su" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/bin-su.yara#bin_su", - "ID": "fs/path/bin_su", - "RuleName": "bin_su" - }, - { - "Description": "References /dev/null", - "MatchStrings": [ - "/dev/null" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/dev-null.yara#dev_null", - "ID": "fs/path/dev_null", - "RuleName": "dev_null" - }, - { - "Description": "path reference within /etc", - "MatchStrings": [ - "/etc/apache/mime.typeshpack", - "/etc/apk/keys/etc/apk/archcached", - "/etc/apk/lib/apk", - "/etc/apk/repositories/lib/apk/db/inst", - "/etc/apk/world", - "/etc/bash", - "/etc/busybox-paths.d/usr/bin/setkeyco", - "/etc/default/motd-newsformat", - "/etc/group", - "/etc/hostsgetsockoptnetlinkrib", - "/etc/httpd/conf/mime.typesmime", - 
"/etc/mime.types", - "/etc/nsswitch.confinvalid", - "/etc/os-release", - "/etc/passwdparse", - "/etc/pki/ca-trust/extracted/pem/tls-c", - "/etc/pki/tls/cacert.peminvalid", - "/etc/pki/tls/certs/ca-bundle.crtx", - "/etc/pki/tls/certsunexpected", - "/etc/protocolsunknown", - "/etc/resolv.confnon-", - "/etc/security/cacertsx", - "/etc/services/etc/apk/keys/etc/apk/ar", - "/etc/ssh/ssh", - "/etc/ssl/ca-bundle.pemx", - "/etc/ssl/cert.peminvalid", - "/etc/ssl/certs/ca-certificates.crttim", - "/etc/ssl/certsbad", - "/etc/zoneinfoparsing" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path", - "ID": "fs/path/etc", - "RuleName": "etc_path" - }, - { - "Description": "references /etc/hosts", - "MatchStrings": [ - "/etc/hosts" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts", - "ID": "fs/path/etc_hosts", - "RuleName": "etc_hosts" - }, - { - "Description": "accesses DNS resolver configuration", - "MatchStrings": [ - "/etc/resolv.conf" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf", - "ID": "fs/path/etc_resolv.conf", - "RuleName": "etc_resolv_conf" - }, - { - "Description": "references path within /home", - "MatchStrings": [ - "/home/sha2561.32.11.33.01.33.11.33.21.34.01.34.11.35.01.36.0ID" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path", - "ID": "fs/path/home", - "RuleName": "home_path" - }, - { - "Description": "path reference within ~/.config", - "MatchStrings": [ - "~/.config/fish/completions/" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path", - 
"ID": "fs/path/home_config", - "RuleName": "home_config_path" - }, - { - "Description": "references and possibly executes relative path", - "MatchStrings": [ - "./line", - "./pipe" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val", - "ID": "fs/path/relative", - "RuleName": "relative_path_val" - }, - { - "Description": "path reference within /root", - "MatchStrings": [ - "/root/linuxrc/sbin/hwclock/sbin/ipneigh/sbin/iproute/sbin/logread/sbin" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/root.yara#root_path_val", - "ID": "fs/path/root", - "RuleName": "root_path_val" - }, - { - "Description": "path reference within /usr/bin", - "MatchStrings": [ - "/usr/bin/ar", - "/usr/bin/ascii", - "/usr/bin/awk", - "/usr/bin/basename", - "/usr/bin/bc", - "/usr/bin/beep", - "/usr/bin/blkdiscard", - "/usr/bin/bunzip2", - "/usr/bin/bzcat", - "/usr/bin/bzip2", - "/usr/bin/cal", - "/usr/bin/chcon", - "/usr/bin/chpst", - "/usr/bin/chrt", - "/usr/bin/chvt", - "/usr/bin/cksum", - "/usr/bin/clear", - "/usr/bin/cmp", - "/usr/bin/comm", - "/usr/bin/crc32", - "/usr/bin/crontab", - "/usr/bin/cryptpw", - "/usr/bin/cut", - "/usr/bin/dc", - "/usr/bin/deallocvt", - "/usr/bin/diff", - "/usr/bin/dirname", - "/usr/bin/dos2unix", - "/usr/bin/dpkg-deb", - "/usr/bin/dumpleases", - "/usr/bin/eject", - "/usr/bin/envdir", - "/usr/bin/envuidgid", - "/usr/bin/expand", - "/usr/bin/expr", - "/usr/bin/factor", - "/usr/bin/fallocate", - "/usr/bin/fgconsole", - "/usr/bin/find", - "/usr/bin/flock", - "/usr/bin/fold", - "/usr/bin/free", - "/usr/bin/ftpget", - "/usr/bin/ftpput", - "/usr/bin/fuser", - "/usr/bin/groups", - "/usr/bin/hd", - "/usr/bin/head", - "/usr/bin/hexdump", - "/usr/bin/hexedit", - "/usr/bin/hostid", - "/usr/bin/id", - "/usr/bin/install", - "/usr/bin/ipcrm", - "/usr/bin/ipcs", - "/usr/bin/killall", - 
"/usr/bin/last", - "/usr/bin/less", - "/usr/bin/logger", - "/usr/bin/logname", - "/usr/bin/lpq", - "/usr/bin/lpr", - "/usr/bin/lsof", - "/usr/bin/lspci", - "/usr/bin/lsscsi", - "/usr/bin/lsusb", - "/usr/bin/lzcat", - "/usr/bin/lzma", - "/usr/bin/lzopcat", - "/usr/bin/man", - "/usr/bin/md5sum", - "/usr/bin/mesg", - "/usr/bin/microcom", - "/usr/bin/mkfifo", - "/usr/bin/mkpasswd", - "/usr/bin/nc", - "/usr/bin/netcat", - "/usr/bin/nl", - "/usr/bin/nmeter", - "/usr/bin/nohup", - "/usr/bin/nproc", - "/usr/bin/nsenter", - "/usr/bin/nslookup", - "/usr/bin/od", - "/usr/bin/openvt", - "/usr/bin/passwd", - "/usr/bin/paste", - "/usr/bin/patch", - "/usr/bin/pgrep", - "/usr/bin/pkill", - "/usr/bin/pmap", - "/usr/bin/printf", - "/usr/bin/pscan", - "/usr/bin/pstree", - "/usr/bin/pwdx", - "/usr/bin/readlink", - "/usr/bin/realpath", - "/usr/bin/renice", - "/usr/bin/reset", - "/usr/bin/resize", - "/usr/bin/rpm2cpio", - "/usr/bin/runcon", - "/usr/bin/runsvdir", - "/usr/bin/rx", - "/usr/bin/script", - "/usr/bin/seq", - "/usr/bin/setfattr", - "/usr/bin/setkeycodes", - "/usr/bin/setsid", - "/usr/bin/setuidgid", - "/usr/bin/sha1sum", - "/usr/bin/sha256sum", - "/usr/bin/sha3sum", - "/usr/bin/sha512sum", - "/usr/bin/showkey", - "/usr/bin/shred", - "/usr/bin/shuf", - "/usr/bin/smemcap", - "/usr/bin/softlimit", - "/usr/bin/sort", - "/usr/bin/split", - "/usr/bin/ssl_client", - "/usr/bin/strings", - "/usr/bin/sum", - "/usr/bin/svc", - "/usr/bin/svok", - "/usr/bin/tac", - "/usr/bin/tail", - "/usr/bin/taskset", - "/usr/bin/tcpsvd", - "/usr/bin/tee", - "/usr/bin/telnet", - "/usr/bin/test", - "/usr/bin/tftp", - "/usr/bin/timeout", - "/usr/bin/top", - "/usr/bin/traceroute6", - "/usr/bin/tree", - "/usr/bin/truncate", - "/usr/bin/tsortVERSION_ID", - "/usr/bin/ttysize", - "/usr/bin/udhcpc6", - "/usr/bin/udpsvd", - "/usr/bin/unexpand", - "/usr/bin/uniq", - "/usr/bin/unit", - "/usr/bin/unix2dos", - "/usr/bin/unlink", - "/usr/bin/unlzma", - "/usr/bin/unlzop", - "/usr/bin/unshare", - "/usr/bin/unxz", - 
"/usr/bin/unzip", - "/usr/bin/uptime", - "/usr/bin/users", - "/usr/bin/uudecode", - "/usr/bin/uuencode", - "/usr/bin/vlock", - "/usr/bin/volname", - "/usr/bin/wall", - "/usr/bin/wc", - "/usr/bin/wget", - "/usr/bin/which", - "/usr/bin/whoami", - "/usr/bin/whois", - "/usr/bin/xargs", - "/usr/bin/xxd", - "/usr/bin/xzcat", - "/usr/bin/yes" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path", - "ID": "fs/path/usr_bin", - "RuleName": "usr_bin_path" - }, - { - "Description": "path reference within /usr/local/bin", - "MatchStrings": [ - "/usr/local/bin" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-local.yara#usr_local_bin_path", - "ID": "fs/path/usr_local", - "RuleName": "usr_local_bin_path" - }, - { - "Description": "path reference within /usr/sbin", - "MatchStrings": [ - "/usr/sbin/add-shell/usr/sbin/dhcprelay/usr/sbin/getsebool/usr/sbin/i2cdete", - "/usr/sbin/addgroup/usr/sbin/chpasswd/usr/sbin/delgroup/usr/sbin/fdformat/u", - "/usr/sbin/adduser/usr/sbin/deluser/usr/sbin/flashcp/usr/sbin/i2cdump/usr/s", - "/usr/sbin/arping/usr/sbin/chroot/usr/sbin/i2cget/usr/sbin/i2cset/usr/sbin/", - "/usr/sbin/brctl/usr/sbin/crond/usr/sbin/fbset/usr/sbin/httpd/usr/sbin/inet", - "/usr/sbin/chat/usr/sbin/dnsd/usr/sbin/ftpd/usr/sbin/ntpd/usr/sbin/rdev/usr", - "/usr/sbin/chpasswd/usr/sbin/delgroup/usr/sbin/fdformat/usr/sbin/fsfreeze/u", - "/usr/sbin/chroot/usr/sbin/i2cget/usr/sbin/i2cset/usr/sbin/rfkill/usr/sbin/", - "/usr/sbin/crond/usr/sbin/fbset/usr/sbin/httpd/usr/sbin/inetd/usr/sbin/rdat", - "/usr/sbin/delgroup/usr/sbin/fdformat/usr/sbin/fsfreeze/usr/sbin/killall5/u", - "/usr/sbin/deluser/usr/sbin/flashcp/usr/sbin/i2cdump/usr/sbin/ifplugd/usr/s", - "/usr/sbin/dhcprelay/usr/sbin/getsebool/usr/sbin/i2cdetect/usr/sbin/nandwri", - 
"/usr/sbin/dnsd/usr/sbin/ftpd/usr/sbin/ntpd/usr/sbin/rdev/usr/bin/ascii/usr", - "/usr/sbin/ether-wake/usr/sbin/fakeidentd/usr/sbin/flash_lock/usr/sbin/gete", - "/usr/sbin/fakeidentd/usr/sbin/flash_lock/usr/sbin/getenforce/usr/sbin/nbd-", - "/usr/sbin/fbset/usr/sbin/httpd/usr/sbin/inetd/usr/sbin/rdate/usr/sbin/tftp", - "/usr/sbin/fdformat/usr/sbin/fsfreeze/usr/sbin/killall5/usr/sbin/loadfont/u", - "/usr/sbin/flash_eraseall/usr/sbin/selinuxenabledskipping", - "/usr/sbin/flash_lock/usr/sbin/getenforce/usr/sbin/nbd-client/usr/sbin/popm", - "/usr/sbin/flash_unlock/usr/sbin/matchpathcon/usr/sbin/remove-shell/usr/sbi", - "/usr/sbin/flashcp/usr/sbin/i2cdump/usr/sbin/ifplugd/usr/sbin/nologin/usr/s", - "/usr/sbin/fsfreeze/usr/sbin/killall5/usr/sbin/loadfont/usr/sbin/nanddump/u", - "/usr/sbin/ftpd/usr/sbin/ntpd/usr/sbin/rdev/usr/bin/ascii/usr/bin/crc32/usr", - "/usr/sbin/getenforce/usr/sbin/nbd-client/usr/sbin/popmaildir/usr/sbin/sete", - "/usr/sbin/getsebool/usr/sbin/i2cdetect/usr/sbin/nandwrite/usr/sbin/partpro", - "/usr/sbin/httpd/usr/sbin/inetd/usr/sbin/rdate/usr/sbin/tftpd", - "/usr/sbin/i2cdetect/usr/sbin/nandwrite/usr/sbin/partprobe/usr/sbin/readahe", - "/usr/sbin/i2cdump/usr/sbin/ifplugd/usr/sbin/nologin/usr/sbin/rtcwake/usr/s", - "/usr/sbin/i2cget/usr/sbin/i2cset/usr/sbin/rfkill/usr/sbin/svlogd/usr/sbin/", - "/usr/sbin/i2cset/usr/sbin/rfkill/usr/sbin/svlogd/usr/sbin/udhcpd", - "/usr/sbin/i2ctransfer/usr/sbin/load_policy/usr/sbin/readprofile", - "/usr/sbin/ifplugd/usr/sbin/nologin/usr/sbin/rtcwake/usr/sbin/setfont/usr/s", - "/usr/sbin/killall5/usr/sbin/loadfont/usr/sbin/nanddump/usr/sbin/powertop/u", - "/usr/sbin/loadfont/usr/sbin/nanddump/usr/sbin/powertop/usr/sbin/sendmail/u", - "/usr/sbin/lpd/usr/sbin/mim/usr/bin/tree", - "/usr/sbin/matchpathcon/usr/sbin/remove-shell/usr/sbin/ubiupdatevolgenerati", - "/usr/sbin/nanddump/usr/sbin/powertop/usr/sbin/sendmail/usr/sbin/sestatus/u", - "/usr/sbin/nandwrite/usr/sbin/partprobe/usr/sbin/readahead/usr/sbin/setsebo", - 
"/usr/sbin/nbd-client/usr/sbin/popmaildir/usr/sbin/setenforce/usr/sbin/setl", - "/usr/sbin/nologin/usr/sbin/rtcwake/usr/sbin/setfont/usr/sbin/telnetd/usr/s", - "/usr/sbin/ntpd/usr/sbin/rdev/usr/bin/ascii/usr/bin/crc32/usr/bin/tsortVERS", - "/usr/sbin/partprobe/usr/sbin/readahead/usr/sbin/setsebool/usr/sbin/ubiatta", - "/usr/sbin/popmaildir/usr/sbin/setenforce/usr/sbin/setlogconsapko-generated", - "/usr/sbin/powertop/usr/sbin/sendmail/usr/sbin/sestatus/usr/sbin/ubimkvol/u", - "/usr/sbin/rdev/usr/bin/ascii/usr/bin/crc32/usr/bin/tsortVERSION_ID", - "/usr/sbin/readahead/usr/sbin/setsebool/usr/sbin/ubiattach/usr/sbin/ubideta", - "/usr/sbin/remove-shell/usr/sbin/ubiupdatevolgenerating", - "/usr/sbin/rtcwake/usr/sbin/setfont/usr/sbin/telnetd/usr/sbin/seedrngPRETTY", - "/usr/sbin/sendmail/usr/sbin/sestatus/usr/sbin/ubimkvol/usr/sbin/ubirmvol/u", - "/usr/sbin/sestatus/usr/sbin/ubimkvol/usr/sbin/ubirmvol/usr/sbin/ubirsvolge", - "/usr/sbin/setfont/usr/sbin/telnetd/usr/sbin/seedrngPRETTY_NAME", - "/usr/sbin/setsebool/usr/sbin/ubiattach/usr/sbin/ubidetach/usr/sbin/ubirena", - "/usr/sbin/ubiattach/usr/sbin/ubidetach/usr/sbin/ubirename", - "/usr/sbin/ubimkvol/usr/sbin/ubirmvol/usr/sbin/ubirsvolgetting" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-sbin.yara#usr_sbin_path", - "ID": "fs/path/usr_sbin", - "RuleName": "usr_sbin_path" - }, - { - "Description": "path reference within /var", - "MatchStrings": [ - "/var/cache%s", - "/var/cache/apk/etc/apk/worldCalculateWorldcache", - "/var/cache/miscAPKINDEX.tar.gzfetchAlpineKeyscfg.MapTo", - "/var/lib/db/sbomSPDXRef-Package-remote", - "/var/run/docker.sockopen" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path", - "ID": "fs/path/var", - "RuleName": "var_path" - }, - { - "Description": "Changes file ownership", - "MatchStrings": [ - "Chown" - ], - 
"RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown", - "ID": "fs/permission/chown", - "RuleName": "Chown" - }, - { - "Description": "modifies file permissions", - "MatchStrings": [ - "Chmod", - "chmod" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod", - "ReferenceURL": "https://linux.die.net/man/1/chmod", - "ID": "fs/permission/modify", - "RuleName": "chmod" - }, - { - "Description": "stop swapping to a file/device", - "MatchStrings": [ - "swapoff" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/swap/swap-off.yara#swapoff", - "ID": "fs/swap/off", - "RuleName": "swapoff" - }, - { - "Description": "start swapping to a file/device", - "MatchStrings": [ - "swapon" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/swap/swap-on.yara#swapon", - "ID": "fs/swap/on", - "RuleName": "swapon" - }, - { - "Description": "creates symbolic links", - "MatchStrings": [ - "symlink" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-create.yara#symlink", - "ID": "fs/symlink_create", - "RuleName": "symlink" - }, - { - "Description": "resolves symbolic links", - "MatchStrings": [ - "realpath" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath", - "ReferenceURL": "https://man7.org/linux/man-pages/man3/realpath.3.html", - "ID": "fs/symlink_resolve", - "RuleName": "realpath" - }, - { - "Description": "temp", - "MatchStrings": [ - "getenv", - "temp" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp", - "ID": "fs/tempdir/TEMP", - "RuleName": "temp" - }, - { - "Description": "creates temporary files", - "MatchStrings": [ - "mktemp", - "temp file", - "tmpfile" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp", - "ID": "fs/tempfile", - "RuleName": "mktemp" - }, - { - "Description": "unmount file system", - "MatchStrings": [ - "umount" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/unmount.yara#umount", - "ID": "fs/unmount", - "RuleName": "umount" - }, - { - "Description": "references /dev/urandom", - "MatchStrings": [ - "/dev/urandom" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/urandom.yara#urandom", - "ID": "hw/urandom", - "RuleName": "urandom" - }, - { - "Description": "references a 'heartbeat'", - "MatchStrings": [ - "HeartbeatPeriod", - "HeartbeatTick" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat", - "ID": "impact/remote_access/heartbeat", - "RuleName": "heartbeat" - }, - { - "Description": "parse command-line arguments", - "MatchStrings": [ - "getopt" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ui/parses-arguments.yara#argparse", - "ID": "impact/ui/parses_arguments", - "RuleName": "argparse" - }, - { - "Description": "give advice about use of memory", - "MatchStrings": [ - "madvise" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/advise.yara#madvise", - "ID": "mem/advise", - "RuleName": "madvise" - }, - { - "Description": "Uses DNS (Domain Name 
Service)", - "MatchStrings": [ - "CNAMEResource", - "SetEDNS0", - "dnsmessage" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs", - "ID": "net/dns", - "RuleName": "go_dns_refs" - }, - { - "Description": "looks up the reverse hostname for an IP", - "MatchStrings": [ - ".in-addr.arpa", - "ip6.arpa" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa", - "ID": "net/dns/reverse", - "RuleName": "in_addr_arpa" - }, - { - "Description": "Examines local DNS servers", - "MatchStrings": [ - "CNAMEResource" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local", - "ID": "net/dns/servers", - "RuleName": "go_dns_refs_local" - }, - { - "Description": "Uses DNS TXT (text) records", - "MatchStrings": [ - "TXT", - "dns" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt", - "ID": "net/dns/txt", - "RuleName": "dns_txt" - }, - { - "Description": "download files", - "MatchStrings": [ - "DownloadLocation", - "downloadLocation", - "to registrySkip downloading" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download", - "ID": "net/download", - "RuleName": "download" - }, - { - "Description": "Invokes curl", - "MatchStrings": [ - "curl -H \"" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value", - "ID": "net/download/fetch", - "RuleName": "curl_value" - }, - { - "Description": "Uses the HTTP/2 protocol", - "MatchStrings": [ - "HTTP/2" - ], - "RiskScore": 1, - "RiskLevel": 
"LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2", - "ID": "net/http/2", - "RuleName": "http2" - }, - { - "Description": "accepts binary files via HTTP", - "MatchStrings": [ - "Accept", - "application/octet-stream" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary", - "ID": "net/http/accept", - "RuleName": "http_accept_binary" - }, - { - "Description": "set HTTP response encoding format (example: gzip)", - "MatchStrings": [ - "Accept-Encoding" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type", - "ReferenceURL": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding", - "ID": "net/http/accept_encoding", - "RuleName": "content_type" - }, - { - "Description": "makes HTTP requests with Bearer authentication", - "MatchStrings": [ - "WWW-Authenticate", - "Www-Authenticate", - "www-authenticate" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth", - "ID": "net/http/auth", - "RuleName": "http_auth" - }, - { - "Description": "Sets HTTP content length to zero", - "MatchStrings": [ - "Content-Length: 0" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length.yara#content_length_0", - "ID": "net/http/content_length", - "RuleName": "content_length_0" - }, - { - "Description": "access HTTP resources using cookies", - "MatchStrings": [ - "Cookie", - "HTTP" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie", - "ReferenceURL": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies", - 
"ID": "net/http/cookies", - "RuleName": "http_cookie" - }, - { - "Description": "upload content via HTTP form", - "MatchStrings": [ - "POST", - "application/json", - "application/x-www-form-urlencoded", - "post" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload", - "ID": "net/http/form_upload", - "RuleName": "http_form_upload" - }, - { - "Description": "submits content to websites", - "MatchStrings": [ - "Content-Type for PUTeach colon", - "Content-Type headerdid not find expected alp", - "Content-Type isn", - "Content-Type: text/plain", - "Content-TypeCookie.Valuecontent", - "Content-Typenet/http: timeout awaiting respo", - "HTTP", - "POST" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post", - "ID": "net/http/post", - "RuleName": "http_post" - }, - { - "Description": "use HTTP proxy that requires authentication", - "MatchStrings": [ - "Proxy-Authorization" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth", - "ReferenceURL": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization", - "ID": "net/http/proxy", - "RuleName": "proxy_auth" - }, - { - "Description": "makes HTTP requests", - "MatchStrings": [ - "HTTP/1.", - "Referer", - "User-Agent" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request", - "ID": "net/http/request", - "RuleName": "http_request" - }, - { - "Description": "access the internet", - "MatchStrings": [ - "invalid packet" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets", - "ID": "net/ip", - "RuleName": "packets" - 
}, - { - "Description": "connects to an arbitrary hostname:port", - "MatchStrings": [ - "host to transport" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref", - "ID": "net/ip/host_port", - "RuleName": "host_port_ref" - }, - { - "Description": "parses IP address (IPv4 or IPv6)", - "MatchStrings": [ - "IsLinkLocalUnicast", - "IsSingleIP" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#ip_go", - "ID": "net/ip/parse", - "RuleName": "ip_go" - }, - { - "Description": "Supports SOCK5 proxies", - "MatchStrings": [ - "SOCKS5", - "socks5" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5", - "ID": "net/proxy/socks5", - "RuleName": "socks5" - }, - { - "Description": "resolve network host name to IP address", - "MatchStrings": [ - "net.hostLookup" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#net_hostlookup", - "ID": "net/resolve/hostname", - "RuleName": "net_hostlookup" - }, - { - "Description": "listen on a socket", - "MatchStrings": [ - "accept", - "listen", - "socket" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen", - "ID": "net/socket/listen", - "RuleName": "listen" - }, - { - "Description": "get local address of connected socket", - "MatchStrings": [ - "getsockname" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/getsockname.2.html", - "ID": "net/socket/local_addr", - 
"RuleName": "getsockname" - }, - { - "Description": "get socket options", - "MatchStrings": [ - "getsockopt" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-options-get.yara#getsockopt", - "ID": "net/socket/options_get", - "RuleName": "getsockopt" - }, - { - "Description": "set socket options", - "MatchStrings": [ - "setsockopt" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-options-set.yara#setsockopt", - "ID": "net/socket/options_set", - "RuleName": "setsockopt" - }, - { - "Description": "get peer address of connected socket", - "MatchStrings": [ - "getpeername" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/getpeername.2.html", - "ID": "net/socket/peer_address", - "RuleName": "getpeername" - }, - { - "Description": "receive a message from a socket", - "MatchStrings": [ - "recvfrom", - "recvmsg" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg", - "ReferenceURL": "https://linux.die.net/man/2/recvmsg", - "ID": "net/socket/receive", - "RuleName": "recvmsg" - }, - { - "Description": "send a message to a socket", - "MatchStrings": [ - "sendmsg", - "sendto" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg", - "ReferenceURL": "https://linux.die.net/man/2/sendmsg", - "ID": "net/socket/send", - "RuleName": "sendmsg" - }, - { - "Description": "connects to a TCP port", - "MatchStrings": [ - "dialTCP" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/connect.yara#connect_tcp", - "ID": "net/tcp/connect", - "RuleName": "connect_tcp" - }, - { - "Description": "Uses crypto/ssh to connect to the SSH (secure shell) service", - "MatchStrings": [ - "SSH" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh", - "ID": "net/tcp/ssh", - "RuleName": "ssh" - }, - { - "Description": "Listens for UDP responses", - "MatchStrings": [ - "ReadFromUDP", - "listenUDP" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-receive.yara#udp_listen", - "ID": "net/udp/receive", - "RuleName": "udp_listen" - }, - { - "Description": "Sends UDP packets", - "MatchStrings": [ - "DialUDP", - "WriteMsgUDP" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-send.yara#udp_send", - "ID": "net/udp/send", - "RuleName": "udp_send" - }, - { - "Description": "contains embedded HTTPS URLs", - "MatchStrings": [ - "https://GoString01234567beEfFgGvsignal", - "https://alpinelinux.org/releases.jsondid", - "https://github.com/chainguard-dev/apkocould", - "https://github.com/google/go-containerregistry/issues/377internal", - "https://github.com/spf13/cobra/issues/1279", - "https://github.com/spf13/cobra/issues/1508", - "https://index.docker.io/v1/Path", - "https://index.docker.io/v2/library/ubuntu/tags/list", - "https://pkg.go.dev/text/template", - "https://reproducible-builds.org/docs/source-date-epoch/directory", - "https://spdx.org/spdxdocs/apko/directory" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url", - "ID": "net/url/embedded", - "RuleName": "https_url" - }, - { - "Description": "encodes URL, likely to pass GET variables", - 
"MatchStrings": [ - "urlencode" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode", - "ID": "net/url/encode", - "RuleName": "url_encode" - }, - { - "Description": "Handles URL strings", - "MatchStrings": [ - "RequestURI" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle", - "ID": "net/url/parse", - "RuleName": "url_handle" - }, - { - "Description": "requests resources via URL", - "MatchStrings": [ - "http.request", - "net/url" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls", - "ID": "net/url/request", - "RuleName": "requests_urls" - }, - { - "Description": "Retrieve environment variables", - "MatchStrings": [ - "Getenv" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#getenv", - "ID": "os/env/get", - "RuleName": "getenv" - }, - { - "Description": "places a variable into the environment", - "MatchStrings": [ - "setenv" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/set.yara#setenv_putenv", - "ID": "os/env/set", - "RuleName": "setenv_putenv" - }, - { - "Description": "unsetenv", - "MatchStrings": [ - "unsetenv" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/unset.yara#unsetenv", - "ID": "os/env/unset", - "RuleName": "unsetenv" - }, - { - "Description": " close", - "MatchStrings": [ - "_close" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/access.yara#_close", - "ID": "os/fd/access", - "RuleName": "_close" - }, - { - "Description": 
"manipulate file descriptor with fcntl", - "MatchStrings": [ - "fcntl" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/manipulate.yara#fcntl", - "ID": "os/fd/manipulate", - "RuleName": "fcntl" - }, - { - "Description": "Reads from file descriptors", - "MatchStrings": [ - "pread" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#fd_read", - "ID": "os/fd/read", - "RuleName": "fd_read" - }, - { - "Description": "transfer data between file descriptors", - "MatchStrings": [ - "sendfile", - "syscall.Sendfile" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/sendfile.2.html", - "ID": "os/fd/sendfile", - "RuleName": "sendfile" - }, - { - "Description": "write to file descriptor", - "MatchStrings": [ - "pwrite" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#fd_write", - "ID": "os/fd/write", - "RuleName": "fd_write" - }, - { - "Description": "communicate with kernel services", - "MatchStrings": [ - "netlink" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink", - "ID": "os/kernel/netlink", - "RuleName": "netlink" - }, - { - "Description": "get or set kernel stat", - "MatchStrings": [ - "Sysctl", - "sysctl" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/sysctl.yara#sysctl", - "ID": "os/kernel/sysctl", - "RuleName": "sysctl" - }, - { - "Description": "libc", - "MatchStrings": [ - "sigaction" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle.yara#libc", - "ID": "os/signal/handle", - "RuleName": "libc" - }, - { - "Description": "Listen for SIGALRM (timeout) events", - "MatchStrings": [ - "ALRM", - "sigaction" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-ALRM.yara#sigaction_ALRM", - "ID": "os/signal/handle_ALRM", - "RuleName": "sigaction_ALRM" - }, - { - "Description": "Listen for SIGHUP (hangup) events", - "MatchStrings": [ - "HUP", - "sigaction" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-HUP.yara#sigaction_SIGHUP", - "ID": "os/signal/handle_HUP", - "RuleName": "sigaction_SIGHUP" - }, - { - "Description": "Listen for SIGINT (ctrl-C) events", - "MatchStrings": [ - "SIGINT", - "sigaction" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-INT.yara#sigaction_SIGINT", - "ID": "os/signal/handle_INT", - "RuleName": "sigaction_SIGINT" - }, - { - "Description": "Listen for SIGQUIT (kill) events", - "MatchStrings": [ - "QUIT", - "sigaction" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-QUIT.yara#sigaction_SIGQUIT", - "ID": "os/signal/handle_QUIT", - "RuleName": "sigaction_SIGQUIT" - }, - { - "Description": "Listen for SIGWINCH (terminal window change) events", - "MatchStrings": [ - "WINCH", - "sigaction" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-WINCH.yara#sigaction_WINCH", - "ID": "os/signal/handle_WINCH", - "RuleName": "sigaction_WINCH" - }, - { - "Description": "sigprocmask", - "MatchStrings": [ - "sigprocmask" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/mask.yara#sigprocmask", - "ID": "os/signal/mask", - "RuleName": "sigprocmask" - }, - { - "Description": "kill", - "MatchStrings": [ - "syscall.Kill" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/send.yara#kill", - "ID": "os/signal/send", - "RuleName": "kill" - }, - { - "Description": "bsd time conversion", - "MatchStrings": [ - "ctime" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/time/clock-convert.yara#bsd_time_conversion", - "ID": "os/time/clock_convert", - "RuleName": "bsd_time_conversion" - }, - { - "Description": "set time via system clock", - "MatchStrings": [ - "adjtimex" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/time/clock-set.yara#linux_adjtimex", - "ID": "os/time/clock_set", - "RuleName": "linux_adjtimex" - }, - { - "Description": "lists crontab entries, may also persist", - "MatchStrings": [ - "crontab" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/cron/tab.yara#crontab_support", - "ID": "persist/cron/tab", - "RuleName": "crontab_support" - }, - { - "Description": "changes working directory", - "MatchStrings": [ - "cd u" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell", - "ID": "process/chdir", - "RuleName": "chdir_shell" - }, - { - "Description": "change the location of root for the process", - "MatchStrings": [ - "chroot" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot", - "ID": "process/chroot", - "RuleName": "chroot" - }, - { - "Description": "create child 
process", - "MatchStrings": [ - "clone" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#syscall_clone", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/clone.2.html", - "ID": "process/create", - "RuleName": "syscall_clone" - }, - { - "Description": "creates a session and sets the process group ID", - "MatchStrings": [ - "setsid" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/group/create.yara#syscalls", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/setsid.2.html", - "ID": "process/group/create", - "RuleName": "syscalls" - }, - { - "Description": "set group access list", - "MatchStrings": [ - "setgroups" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups", - "ID": "process/groups_set", - "RuleName": "setgroups" - }, - { - "Description": "set resource limits", - "MatchStrings": [ - "setrlimit" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/limit-set.yara#setrlimit", - "ID": "process/limit_set", - "RuleName": "setrlimit" - }, - { - "Description": "adjust the process nice value", - "MatchStrings": [ - "renice" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/setpriority.yara#nice", - "ID": "process/setpriority", - "RuleName": "nice" - }, - { - "Description": "disassociate parts of the process execution context", - "MatchStrings": [ - "unshare" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare", - "ID": "process/unshare", - "RuleName": "syscall_unshare" - }, - { - "Description": "gets very excited", - 
"MatchStrings": [ - "does not work!!!", - "ontain alphanumerical characters onlyexplicitly tagged !!" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations", - "ID": "sus/exclamation", - "RuleName": "exclamations" - } - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM" - } - } -} diff --git a/rules/exfil/stealer/keylogger.yara b/rules/exfil/stealer/keylogger.yara index 843dfa435..185dba0ed 100644 --- a/rules/exfil/stealer/keylogger.yara +++ b/rules/exfil/stealer/keylogger.yara @@ -14,7 +14,7 @@ rule keylogger_discord_telegram: high { filesize < 256KB and any of ($http*) and any of ($k*) } -rule py_keylogger_pynput_exfil: critical { +rule py_keylogger_pynput_exfil: high { meta: description = "listens for keyboard events and exfiltrates them" filetypes = "py" @@ -33,7 +33,7 @@ rule py_keylogger_pynput_exfil: critical { filesize < 256KB and any of ($http*) and all of ($f*) } -rule py_keykeyboard_exfil: critical { +rule py_keykeyboard_exfil: high { meta: description = "listens for keyboard events and exfiltrates them" filetypes = "py" @@ -44,7 +44,8 @@ rule py_keykeyboard_exfil: critical { $http_Discord = "Discord" $http_keylogger = /[kK]eylogger/ $http_Telegram = "Telegram" - $f_pynput = "keyboard" fullword + $f_pynput = "pynput" fullword + $f_keyboard = "keyboard" fullword $f_key = ".name" $f_listener = "on_release" diff --git a/rules/false_positives/conda_build.yara b/rules/false_positives/conda_build.yara deleted file mode 100644 index 8f27b4fe7..000000000 --- a/rules/false_positives/conda_build.yara +++ /dev/null @@ -1,14 +0,0 @@ -rule conda_load_setup_py_data: override { - meta: - setuptools_eval = "low" - description = "_load_setup_py_data.py" - - strings: - $exec = "exec(code, ns, ns)" - $func = "load_setup_py_data" - $sbom1 = "# Copyright (C) 2014 Anaconda, Inc" - $sbom2 = "# SPDX-License-Identifier: BSD-3-Clause" - - condition: - filesize < 8KB and all of them -} 
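Review bot: With `$f_pynput = "pynput" fullword` added next to `$f_keyboard = "keyboard" fullword`, `py_keykeyboard_exfil` now needs the literal `pynput` in the file if its condition is the `all of ($f*)` form that `py_keylogger_pynput_exfil` uses just above, which would stop it firing on scripts that use only the `keyboard` module — the case its name suggests it exists for. The condition line is outside this hunk, so that is inferred; if it is `all of ($f*)`, drop the `$f_pynput` line here (pynput is already covered by the sibling rule) or change the condition to `1 of ($f_pynput, $f_keyboard) and all of ($f_key, $f_listener) and any of ($http*)`. `$f_key = ".name"` also matches ordinary attribute access such as `self.name` or `path.name`, so anchoring it as `key.name` would cut noise now that the rule is high rather than critical.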
diff --git a/rules/false_positives/py_hatch.yara b/rules/false_positives/py_hatch.yara index 6f0ab2eab..4075c71cf 100644 --- a/rules/false_positives/py_hatch.yara +++ b/rules/false_positives/py_hatch.yara @@ -1,7 +1,7 @@ rule migrate_py: override { meta: description = "migrate.py" - setuptools_eval = "medium" + setuptools_eval_high = "medium" strings: $env = "'_HATCHLING_PORT_ADD_'" diff --git a/rules/false_positives/setuptools.yara b/rules/false_positives/setuptools.yara index fbf129d32..1d03fe06f 100644 --- a/rules/false_positives/setuptools.yara +++ b/rules/false_positives/setuptools.yara @@ -1,25 +1,7 @@ -rule test_pyprojecttoml: override { - meta: - description = "namespaces.py, test_pyprojecttoml.py" - setuptools_eval = "low" - - strings: - $example = "EXAMPLE" - $func1 = "def create_example(" - $func2 = "def verify_example(" - $func3 = "def test_read_configuration(" - $import = "import setuptools" - $kv = "\"pyproject.toml\": EXAMPLE" - $pyproject = "pyproject.toml" - - condition: - filesize < 16KB and all of them -} - rule setuptools_namespaces: override { meta: description = "namespaces.py" - setuptools_eval = "low" + setuptools_exec_high = "low" strings: $func1 = "def iter_namespace_pkgs(" @@ -37,11 +19,11 @@ rule setuptools_namespaces: override { rule numba_support: override { meta: description = "support.py" - setuptools_eval = "low" + setuptools_exec_high = "low" strings: $comment = "Assorted utilities for use in tests." - $gh_issue = "numba#" + $gh_issue = "numbsa#" $import = "from numba" $repository = "https://github.com/numba/numba" @@ -52,7 +34,7 @@ rule numba_support: override { rule setup_pydevd_cython: override { meta: description = "setup_pydevd_cython.py" - setuptools_eval = "low" + setuptools_exec_high = "low" strings: $example = "python setup_pydevd_cython build_ext --inplace" diff --git a/rules/impact/remote_access/py_setuptools.yara b/rules/impact/remote_access/py_setuptools.yara index 796014f47..adc792128 100644 
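Review bot: `$gh_issue = "numbsa#"` in the `numba_support` override looks like a typo for the previous `"numba#"`; numba's support.py refers to issues as `numba#NNNN`, so with this string `all of them` can no longer be satisfied and the `setuptools_exec_high = "low"` downgrade this override exists to apply is silently lost. If disabling the override was the intent (for example because the tightened `exec(...)` regex no longer fires on that file), delete the rule or add `// override intentionally disabled: setuptools_exec_high no longer matches support.py` above it rather than corrupting a match string, since an override that can never match is indistinguishable from a bug. The meta keys renamed in these three overrides (`setuptools_eval` → `setuptools_exec_high`) presumably have to equal the name of the rule being overridden; a `// key must match the name of the overridden rule` comment on one of them would make that coupling visible to the next editor.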
--- a/rules/impact/remote_access/py_setuptools.yara +++ b/rules/impact/remote_access/py_setuptools.yara @@ -39,7 +39,7 @@ rule setuptools_homedir: high { remote_access_pythonSetup and any of them } -rule setuptools_cmd_exec: suspicious { +rule setuptools_cmd_exec: high { meta: description = "Python library installer that executes external commands" @@ -51,7 +51,8 @@ rule setuptools_cmd_exec: suspicious { $not_comment = "Editable install to a prefix should be discoverable." $not_egg_info_requires = "os.path.join(egg_info_dir, 'requires.txt')" $not_requests = "'Documentation': 'https://requests.readthedocs.io'" - + $not_sdist_publish = "python setup.py sdist bdist_wheel" + $not_twine_upload = "twine upload dist/*" condition: remote_access_pythonSetup and any of ($f*) and none of ($not*) } @@ -70,13 +71,33 @@ rule setuptools_cmd_exec_start: critical { remote_access_pythonSetup and any of ($f*) } -rule setuptools_eval: critical { + +rule setuptools_eval: medium { + meta: + description = "Python library installer that evaluates arbitrary code" + + strings: + $f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword + condition: + remote_access_pythonSetup and any of ($f*) +} + +rule setuptools_exec: medium { + meta: + description = "Python library installer that executes arbitrary code" + + strings: + $f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword + condition: + remote_access_pythonSetup and any of ($f*) +} + +rule setuptools_exec_high: high { meta: description = "Python library installer that evaluates arbitrary code" strings: - $f_sys_val = /eval\([\"\'\w\ \-\)\/]{0,64}/ fullword - $f_subprocess_val = /exec\([\"\'\/\w\ \-\)]{0,64}/ fullword + $f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword $not_apache = "# Licensed under the Apache License, Version 2.0 (the \"License\")" $not_comment = "Editable install to a prefix should be discoverable." $not_google = /# Copyright [1-2][0-9]{3} Google Inc/ 
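Review bot: The two exclusions added to `setuptools_cmd_exec`, `$not_sdist_publish = "python setup.py sdist bdist_wheel"` and `$not_twine_upload = "twine upload dist/*"`, are release-recipe text that typically lives in a comment or docstring, so the rule — now tagged high — is switched off by a single comment line any package author can copy from a packaging tutorial. That is the general weakness of `none of ($not*)` keyed on free-form literals, and it is a wider gap here than for the code-shaped exclusions already in the list such as `os.path.join(egg_info_dir, 'requires.txt')`. If these are needed for the clean fixtures, consider tying them to something harder to fake (the `$not_requests` style of a project-specific URL), or at least record the trade-off with `// NOTE: tutorial boilerplate; weak exclusion, easy to plant in a comment`.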
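Review bot: The new `$f_exec` regex in `setuptools_exec`/`setuptools_exec_high` requires the whole argument list to consist of `["'/\w,. \-()]` and to close within 64 characters, where the old `{0,64}` pattern matched any `exec(`; that drops one-line obfuscations such as `exec(base64.b64decode("...=="))` (needs `=` and usually `+`), `exec(bytes.fromhex(...))` beyond 64 characters, `exec("".join([...]))` (needs `[` and `]`) and `exec(compile(src, "<s>", "exec"))` (needs `<`). `setuptools_b64decode` may still catch the base64 case, but the others become blind spots unless another rule covers them; widening the class and the bound, e.g. `$f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(+=\[\]:%*<>]{1,128}\)/ fullword`, keeps the intent of ignoring multi-line `exec` calls while still covering single-line payloads. Separately, `setuptools_exec_high`'s description was copied from the eval rule and still says "evaluates arbitrary code"; it should read `description = "Python library installer that executes arbitrary code"` to match the new `setuptools_exec`.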
@@ -86,11 +107,22 @@ rule setuptools_eval: critical { $not_pyspark_ioerror = "\"Failed to load PySpark version file for packaging. You must be in Spark's python dir.\"" $not_requests = "'Documentation': 'https://requests.readthedocs.io'" $not_test_egg_class = "class TestEggInfo" - + $not_requests_about = "exec(f.read(), about)" + $not_exec_ns = "exec(code, ns, ns)" condition: remote_access_pythonSetup and any of ($f*) and none of ($not*) } +rule setuptools_eval_high: high { + meta: + description = "Python library installer that evaluates arbitrary code" + + strings: + $f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword + condition: + remote_access_pythonSetup and any of ($f*) +} + rule setuptools_b64decode: suspicious { meta: description = "Python library installer that does base64 decoding" diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple index e2f9da111..e69de29bb 100644 --- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple +++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple 
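Review bot: `setuptools_eval_high` is string-for-string identical to the `setuptools_eval: medium` rule added earlier in this file — same `$f_eval` regex, same `remote_access_pythonSetup and any of ($f*)` condition and no `$not_*` list — so every file that fires the medium rule also fires the high one and the medium rule can never be the effective verdict. The exec pair is tiered properly because `setuptools_exec_high` adds `and none of ($not*)`; mirror that here by giving `setuptools_eval_high` the same exclusions (at least `$not_apache`, `$not_google`, `$not_comment`) plus the `none of ($not*)` clause, or drop one of the two eval rules and repoint the `migrate_py` override at the survivor. Note also that `$not_exec_ns = "exec(code, ns, ns)"` replaces the deleted `conda_load_setup_py_data` override, which additionally required the Anaconda copyright and SPDX lines; as a bare literal it now silences the high rule for any setup.py containing that text, a broader exemption than the override granted.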
@@ -1,173 +0,0 @@ -# linux/2024.kworker_pretenders/emp3r0r.agent: critical -3P/elastic/exploit_cve_2021: critical -anti-behavior/vm_check: medium -anti-static/elf/entropy: high -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/url: low -c2/discovery/ip_dns_resolver: medium -c2/refs: high -c2/tool_transfer/arch: low -c2/tool_transfer/download: medium -c2/tool_transfer/os: medium -collect/archives/unarchive: medium -collect/archives/zip: medium -credential/os/shadow: medium -credential/password: low -credential/sniffer/bpf: medium -credential/ssh/d: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/ecdsa: low -crypto/ed25519: low -crypto/public_key: low -crypto/tls: low -data/compression/bzip2: low -data/compression/gzip: low -data/compression/lzma: low -data/compression/xz: medium -data/compression/zlib: low -data/compression/zstd: low -data/embedded/html: medium -data/embedded/zstd: medium -data/encoding/base64: low -data/encoding/json: low -data/encoding/json_decode: low -data/hash/blake2b: low -data/hash/md5: low -data/hash/sha256: low -discover/network/connectivity: low -discover/network/netstat: medium -discover/processes/list: medium -discover/system/cpu: low -discover/system/hostname: low -discover/system/platform: low -discover/system/sysinfo: medium -discover/user/HOME: low -discover/user/USER: low -discover/user/name_get: medium -evasion/file/location/chdir_unusual: medium -evasion/file/location/dev_shm: medium -evasion/file/prefix: high -evasion/file/prefix/dev: high -evasion/file/prefix/tmp: high -evasion/hijack_execution/LD_LIBRARY_PATH: low -evasion/logging/current_logins: medium -evasion/logging/hide_shell_history: high -evasion/mimicry/fake_process: critical -exec/cmd: medium -exec/conditional/LANG: low -exec/dylib/symbol_address: medium -exec/plugin: low -exec/program: medium -exec/remote_commands/code_eval: medium -exec/script/shell: medium -exec/shell/SHELL: low -exec/shell/TERM: 
low -exec/shell/arbitrary_command_dev_null: medium -exec/shell/background_sleep: medium -exec/shell/exec: medium -exec/tty/open: medium -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/file/copy: medium -fs/file/delete: medium -fs/file/delete_forcibly: medium -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/times_set: low -fs/file/write: low -fs/link_create: low -fs/link_read: low -fs/mount: low -fs/path/bin_su: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/home: low -fs/path/home_config: low -fs/path/tmp: medium -fs/path/users: medium -fs/path/usr_bin: low -fs/path/usr_local: medium -fs/path/usr_sbin: low -fs/path/var: low -fs/path/var_log: medium -fs/permission/chown: medium -fs/permission/modify: medium -fs/proc/1_cgroup: medium -fs/proc/arbitrary_pid: medium -fs/proc/cpuinfo: medium -fs/symlink_resolve: low -fs/tempdir/TEMP: low -fs/tempfile: low -hw/cpu: medium -impact/exploit: high -impact/exploit/GCONV_PATH: high -impact/exploit/pwnkit: critical -impact/remote_access/heartbeat: medium -impact/remote_access/kill_rm: medium -impact/remote_access/net_exec: medium -impact/remote_access/pseudo_terminal: medium -impact/remote_access/reverse_shell: high -malware/family/emp3r0r: critical -net/dns: low -net/dns/over_https: medium -net/dns/reverse: medium -net/dns/servers: low -net/dns/txt: low -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/content_length: medium -net/http/cookies: medium -net/http/form_upload: medium -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/http/websocket: medium -net/ip: low -net/ip/host_port: medium -net/ip/icmp: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/ip/tcp_state_tracker: medium -net/proxy/shadowsocks: high -net/proxy/socks5: medium -net/resolve/hostname: low -net/resolve/hostport_parse: low -net/socket/listen: medium -net/socket/local_addr: low 
-net/socket/peer_address: low
-net/socket/raw: medium
-net/socket/receive: low
-net/socket/send: low
-net/tcp/connect: medium
-net/tcp/sftp: medium
-net/tcp/ssh: medium
-net/udp/receive: low
-net/udp/send: medium
-net/url/embedded: medium
-net/url/encode: medium
-net/url/parse: low
-net/url/request: medium
-os/fd/sendfile: low
-os/kernel/netlink: low
-persist/cron/tab: medium
-persist/pid_file: medium
-persist/shell/bash: high
-privesc/linpeas: high
-privesc/setuid: low
-privesc/sudo: medium
-process/chdir: low
-process/chroot: low
-process/groupid_set: low
-process/groups_set: low
-process/multithreaded: low
-process/terminate/killed_all: medium
-sus/exclamation: medium
diff --git a/tests/linux/clean/buildah.simple b/tests/linux/clean/buildah.simple
index 60a4df47e..e69de29bb 100644
--- a/tests/linux/clean/buildah.simple
+++ b/tests/linux/clean/buildah.simple
@@ -1,159 +0,0 @@ -# linux/clean/buildah: medium -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/url: low -c2/client: medium -c2/discovery/ip_dns_resolver: medium -c2/tool_transfer/arch: low -c2/tool_transfer/os: medium -collect/archives/zip: medium -collect/databases/sqlite: medium -credential/keychain: medium -credential/password: low -credential/sniffer/bpf: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/ecdsa: low -crypto/ed25519: low -crypto/openssl: medium -crypto/public_key: low -crypto/tls: low -data/compression/bzip2: low -data/compression/gzip: low -data/compression/lzma: low -data/compression/xz: medium -data/compression/zlib: low -data/compression/zstd: low -data/embedded/html: medium -data/embedded/zstd: medium -data/encoding/base64: low -data/encoding/json: low -data/encoding/json_decode: low -data/hash/blake2b: low -data/hash/md5: low -discover/network/mac_address: medium -discover/process/name: medium -discover/system/cpu: low -discover/system/hostname: low -discover/system/platform: low -discover/system/sysinfo: medium -discover/user/HOME: low -discover/user/USER: low -evasion/bypass_security/linux/iptables: medium -evasion/file/location/dev_mqueue: medium -evasion/file/location/dev_shm: medium -evasion/file/location/var_run: medium -evasion/file/prefix: medium -evasion/file/prefix/dev: low -exec/cmd: medium -exec/dylib/symbol_address: medium -exec/plugin: low -exec/program: medium -exec/reconfigure/hostname_set: low -exec/shell/SHELL: low -exec/shell/TERM: low -exec/shell/background_sleep: medium -exec/shell/exec: medium -exec/system_controls/apparmor: medium -exec/system_controls/systemd: low -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/event_monitoring: low -fs/fifo_create: low -fs/file/create: medium -fs/file/delete: low -fs/file/delete_forcibly: low -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/times_set: medium 
-fs/file/truncate: low -fs/file/write: low -fs/link_create: low -fs/link_read: low -fs/lock_update: low -fs/loopback: medium -fs/mount: low -fs/node_create: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/home_config: low -fs/path/lib_dynamic: medium -fs/path/relative: medium -fs/path/tmp: medium -fs/path/users: medium -fs/path/usr_bin: low -fs/path/usr_local: medium -fs/path/usr_sbin: low -fs/path/var: low -fs/permission/chown: medium -fs/permission/modify: medium -fs/proc/arbitrary_pid: medium -fs/proc/self_cgroup: medium -fs/proc/self_cmdline: medium -fs/proc/self_exe: medium -fs/proc/self_mountinfo: medium -fs/tempdir: low -fs/tempdir/TEMP: low -fs/tempdir/TMPDIR: low -fs/tempdir/create: low -fs/tempfile: low -fs/unmount: low -fs/watch: low -hw/dev/block_ice: medium -impact/degrade/linux_paths: medium -impact/remote_access/iptables: medium -mem/anonymous_file: medium -net/dns: low -net/dns/reverse: medium -net/dns/servers: low -net/dns/txt: low -net/download: medium -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/content_length: medium -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/ip/host_port: medium -net/ip/icmp: medium -net/ip/parse: medium -net/resolve/hostname: low -net/resolve/hostport_parse: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/peer_address: low -net/socket/receive: low -net/socket/send: low -net/tcp/connect: medium -net/tcp/grpc: low -net/tcp/ssh: medium -net/udp/receive: low -net/udp/send: low -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -os/fd/sendfile: low -os/kernel/kcore: low -os/kernel/key_management: low -os/kernel/netlink: low -os/kernel/seccomp: low -persist/pid_file: medium -privesc/setuid: low -process/chroot: low -process/groupid_set: low -process/groups_set: low 
-process/multithreaded: low
-process/unshare: low
-sus/exclamation: medium
-sus/intercept: medium
diff --git a/tests/linux/clean/buildkitd.simple b/tests/linux/clean/buildkitd.simple
index b0efb5b9c..e69de29bb 100644
--- a/tests/linux/clean/buildkitd.simple
+++ b/tests/linux/clean/buildkitd.simple
@@ -1,132 +0,0 @@ -# linux/clean/buildkitd: medium -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/url: low -c2/client: medium -c2/discovery/ip_dns_resolver: medium -c2/tool_transfer/arch: low -c2/tool_transfer/os: medium -collect/archives/zip: medium -collect/code/github_api: low -credential/password: low -credential/sniffer/pcap: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/ecdsa: low -crypto/ed25519: low -crypto/public_key: low -crypto/tls: low -data/compression/bzip2: low -data/compression/gzip: low -data/compression/zstd: low -data/embedded/html: medium -data/embedded/zstd: medium -data/encoding/base64: low -data/encoding/json: low -data/encoding/json_decode: low -data/hash/md5: low -discover/network/mac_address: medium -discover/network/netstat: medium -discover/process/name: medium -discover/system/cpu: low -discover/system/hostname: low -discover/system/platform: medium -discover/system/sysinfo: medium -discover/user/HOME: low -discover/user/USER: low -evasion/file/location/dev_mqueue: medium -evasion/file/prefix: medium -evasion/process_injection/ptrace: medium -exec/cmd: medium -exec/plugin: low -exec/program: medium -exec/reconfigure/hostname_set: low -exec/shell/SHELL: low -exec/shell/exec: medium -exec/system_controls/apparmor: medium -exec/system_controls/systemd: low -fs/attributes/set: medium -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/event_monitoring: low -fs/file/copy: medium -fs/file/delete: low -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/stat: low -fs/file/times_set: medium -fs/file/write: low -fs/link_create: low -fs/link_read: low -fs/lock_update: low -fs/loopback: medium -fs/mount: low -fs/node_create: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/usr_local: medium -fs/path/var: low -fs/path/windows_root: low -fs/permission/chown: medium -fs/permission/modify: medium 
-fs/proc/arbitrary_pid: medium -fs/proc/self_mountinfo: medium -fs/tempdir/TEMP: low -fs/tempdir/create: low -fs/tempfile: low -fs/watch: low -impact/remote_access/heartbeat: medium -impact/remote_access/iptables: medium -impact/remote_access/pseudo_terminal: medium -net/dns: low -net/dns/reverse: medium -net/dns/servers: low -net/dns/txt: low -net/download: medium -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/content_length: medium -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/ip: low -net/ip/host_port: medium -net/ip/icmp: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/resolve/hostname: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/pair: medium -net/socket/peer_address: low -net/socket/receive: low -net/socket/send: low -net/tcp/connect: medium -net/tcp/grpc: low -net/tcp/ssh: medium -net/udp/receive: low -net/udp/send: low -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -os/fd/sendfile: low -os/kernel/kcore: low -os/kernel/netlink: low -os/kernel/seccomp: low -persist/pid_file: medium -persist/service/start: low -process/chroot: low -process/unshare: low -sus/intercept: medium -sus/leetspeak: medium diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple index 7e0bbcea5..e69de29bb 100644 --- a/tests/linux/clean/caddy.simple +++ b/tests/linux/clean/caddy.simple 
@@ -1,163 +0,0 @@ -# linux/clean/caddy: medium -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/url: low -c2/client: medium -c2/discovery/ip_dns_resolver: medium -c2/refs: medium -c2/tool_transfer/arch: low -c2/tool_transfer/download: medium -c2/tool_transfer/os: medium -collect/archives/zip: medium -collect/databases/mysql: medium -collect/databases/postgresql: medium -collect/databases/sqlite: medium -credential/password: low -credential/server/htpasswd: medium -credential/sniffer/bpf: medium -credential/ssh/d: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/ecdsa: low -crypto/ed25519: low -crypto/public_key: low -crypto/tls: low -data/compression/gzip: low -data/compression/zstd: low -data/embedded/base64_terms: medium -data/embedded/base64_url: medium -data/embedded/html: medium -data/embedded/pem_certificate: low -data/embedded/pem_private_key: medium -data/encoding/base64: low -data/encoding/json: low -data/encoding/json_decode: low -data/encoding/json_encode: low -data/hash/blake2b: low -data/hash/md5: low -data/random/insecure: low -discover/cloud/aws_metadata: low -discover/cloud/google_metadata: low -discover/group/lookup: medium -discover/network/mac_address: medium -discover/process/parent: low -discover/system/cpu: low -discover/system/hostname: low -discover/system/platform: medium -discover/user/HOME: low -discover/user/USER: low -discover/user/name_get: low -evasion/file/location/var_run: medium -evasion/file/prefix: medium -exec/cmd: medium -exec/conditional/LANG: low -exec/install_additional/package_install: medium -exec/plugin: low -exec/program: medium -exec/program/background: low -exec/script/osa: medium -exec/shell/SHELL: low -exec/shell/TERM: low -exec/shell/background_sleep: medium -exec/system_controls/stop: low -exec/system_controls/systemd: low -exfil/office_file_ext: medium -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/fifo_create: 
low -fs/file/capabilities_set: low -fs/file/create: medium -fs/file/delete: medium -fs/file/delete_forcibly: low -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/times_set: medium -fs/file/write: low -fs/link_read: low -fs/lock_update: low -fs/mount: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/home_config: low -fs/path/relative: medium -fs/path/tmp: medium -fs/path/users: medium -fs/path/var: low -fs/path/windows_root: low -fs/permission/chown: medium -fs/permission/modify: medium -fs/proc/arbitrary_pid: medium -fs/proc/pid_stat: medium -fs/proc/pid_statistics: low -fs/proc/self_cgroup: medium -fs/proc/self_exe: medium -fs/proc/self_mountinfo: medium -fs/swap/off: low -fs/symlink_resolve: low -fs/tempdir: low -fs/tempdir/TEMP: low -fs/tempdir/TMPDIR: low -fs/tempfile: low -fs/watch: low -hw/wireless: low -net/dns: low -net/dns/over_https: medium -net/dns/reverse: medium -net/dns/servers: low -net/dns/txt: low -net/download: medium -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/content_length: medium -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/http/webhook: medium -net/http/websocket: medium -net/ip: low -net/ip/connect: medium -net/ip/host_port: medium -net/ip/icmp: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/ip/resolve: low -net/ip/spoof: medium -net/proxy/reverse: medium -net/resolve/hostname: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/pair: medium -net/socket/peer_address: low -net/socket/receive: low -net/socket/reuseport: medium -net/socket/send: low -net/tcp/connect: medium -net/tcp/grpc: low -net/tcp/ssh: medium -net/udp/receive: low -net/udp/send: low -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -net/webrtc: medium -os/env/get: low 
-os/fd/sendfile: low
-os/kernel/netlink: low
-persist/kernel_module/unload: medium
-persist/pid_file: medium
-privesc/sudo: medium
-process/chroot: low
-process/groups_set: low
-sus/exclamation: medium
-sus/intercept: medium
diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple
index 3340aff74..e69de29bb 100644
--- a/tests/linux/clean/chezmoi.simple
+++ b/tests/linux/clean/chezmoi.simple
@@ -1,172 +0,0 @@ -# linux/clean/chezmoi: medium -anti-static/xor/functions: medium -c2/addr/discord: medium -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/telegram: medium -c2/addr/url: low -c2/client: medium -c2/tool_transfer/arch: low -c2/tool_transfer/download: medium -c2/tool_transfer/dropper: medium -c2/tool_transfer/os: medium -collect/archives/zip: medium -collect/code/github_api: low -collect/databases/leveldb: medium -collect/databases/mysql: medium -collect/databases/postgresql: medium -collect/databases/sqlite: medium -credential/clipboard: medium -credential/gaming/minecraft: medium -credential/keychain: medium -credential/password: low -credential/server/htpasswd: medium -credential/sniffer/bpf: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/ecdsa: low -crypto/ed25519: low -crypto/encrypt: medium -crypto/public_key: low -crypto/tls: low -crypto/uuid: medium -data/compression/bzip2: low -data/compression/gzip: low -data/compression/lzma: low -data/compression/xz: medium -data/compression/zlib: low -data/compression/zstd: low -data/embedded/base64_terms: medium -data/embedded/base64_url: medium -data/embedded/html: medium -data/embedded/pem_certificate: low -data/embedded/ssh_signature: medium -data/embedded/zstd: medium -data/encoding/base64: low -data/encoding/json: low -data/encoding/json_decode: low -data/hash/blake2b: low -data/hash/md5: low -data/random/insecure: low -discover/group/lookup: medium -discover/network/mac_address: medium -discover/process/parent: low -discover/system/cpu: low -discover/system/hostname: low -discover/system/platform: low -discover/system/sysinfo: medium -discover/user/HOME: low -discover/user/USER: low -discover/user/name_get: medium -evasion/file/prefix: medium -exec/cmd: medium -exec/conditional/LANG: low -exec/plugin: low -exec/program: medium -exec/program/background: low -exec/script/osa: medium -exec/shell/SHELL: low -exec/shell/TERM: low 
-exec/shell/background_sleep: medium -exec/shell/exec: medium -exec/system_controls/systemd: low -exfil/upload: medium -fs/attributes/chattr: medium -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/fifo_create: low -fs/file/create: medium -fs/file/delete: medium -fs/file/delete_forcibly: low -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/stat: low -fs/file/times_set: medium -fs/file/write: low -fs/link_create: low -fs/link_read: low -fs/lock_update: low -fs/mount: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/home_config: low -fs/path/users: medium -fs/path/var: low -fs/permission/chown: medium -fs/permission/modify: medium -fs/swap/off: low -fs/symlink_resolve: low -fs/tempdir: low -fs/tempdir/TEMP: low -fs/tempdir/TMPDIR: low -fs/tempfile: low -fs/watch: low -hw/dev/block_ice: medium -hw/wireless: low -impact/exploit: medium -impact/infection/worm: medium -impact/remote_access/heartbeat: medium -impact/remote_access/implant: medium -impact/remote_access/pseudo_terminal: medium -impact/remote_access/trojan: medium -malware/ref: medium -net/dns: low -net/dns/reverse: medium -net/dns/servers: low -net/dns/txt: low -net/download: medium -net/download/fetch: medium -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/content_length: medium -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/http/webhook: medium -net/http/websocket: medium -net/ip: low -net/ip/host_port: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/ip/resolve: low -net/ip/spoof: medium -net/proxy/socks5: medium -net/proxy/tunnel: medium -net/resolve/hostname: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/pair: medium -net/socket/peer_address: low -net/socket/receive: low -net/socket/send: low -net/tcp/connect: medium 
-net/tcp/ssh: medium
-net/udp/receive: low
-net/udp/send: low
-net/url/embedded: low
-net/url/encode: medium
-net/url/parse: low
-net/url/request: medium
-net/webrtc: medium
-os/env/get: low
-os/fd/sendfile: low
-os/kernel/netlink: low
-persist/kernel_module/unload: medium
-persist/pid_file: medium
-privesc/sudo: medium
-process/chdir: low
-process/chroot: low
-process/groups_set: low
-sus/exclamation: medium
-sus/intercept: medium
-sus/malicious: medium
diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple
index b6271f90b..e69de29bb 100644
--- a/tests/linux/clean/chrome.simple
+++ b/tests/linux/clean/chrome.simple
@@ -1,184 +0,0 @@ -# linux/clean/chrome: medium -anti-behavior/LD_DEBUG: medium -anti-behavior/LD_PROFILE: medium -anti-static/elf/multiple: medium -anti-static/obfuscation/obfuscate: low -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/server: medium -c2/client: medium -c2/discovery/ip_dns_resolver: medium -c2/refs: medium -c2/tool_transfer/arch: low -c2/tool_transfer/dropper: medium -c2/tool_transfer/os: medium -collect/archives/zip: medium -collect/databases/leveldb: medium -collect/databases/sqlite: medium -credential/keychain: medium -credential/keychain/gnome_keyring_daemon: medium -credential/password: low -credential/sniffer/bpf: medium -credential/ssh: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/ecdsa: low -crypto/ed25519: low -crypto/openssl: medium -crypto/public_key: low -crypto/rc4: medium -crypto/tls: low -crypto/uuid: medium -data/compression/bzip2: low -data/compression/gzip: low -data/compression/lzma: low -data/compression/zlib: low -data/compression/zstd: low -data/embedded/base64_url: medium -data/embedded/html: medium -data/embedded/pem_certificate: low -data/encoding/base64: low -data/encoding/json_decode: low -data/encoding/json_encode: low -data/hash/sha1: low -data/random/insecure: low -discover/network/interface_list: medium -discover/network/mac_address: medium -discover/process/name: medium -discover/process/parent: low -discover/process/runtime_deps: medium -discover/processes/list: medium -discover/system/hostname: low -discover/system/platform: low -discover/system/sysinfo: medium -discover/user/HOME: low -discover/user/USER: low -evasion/bypass_security/linux/ufw: medium -evasion/file/location/dev_shm: medium -evasion/hijack_execution/LD_LIBRARY_PATH: low -evasion/process_injection/ptrace: medium -exec/cmd: medium -exec/conditional/LANG: low -exec/dylib/address_check: low -exec/dylib/symbol_address: medium -exec/plugin: low -exec/program: medium 
-exec/program/background: low -exec/shell/TERM: low -exec/shell/echo: medium -exec/shell/pipe_sh: medium -exec/system_controls/apparmor: medium -exec/system_controls/stop: low -exfil/collection: medium -exfil/office_file_ext: medium -exfil/stealer/credit_card: medium -exfil/upload: medium -fs/directory/create: low -fs/directory/remove: low -fs/file/create: medium -fs/file/delete: medium -fs/file/delete_forcibly: low -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/stat: low -fs/file/times_set: medium -fs/file/truncate: low -fs/file/write: low -fs/link_read: low -fs/lock_update: low -fs/mount: low -fs/mounts_read: medium -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/home: low -fs/path/home_config: low -fs/path/root: medium -fs/path/tmp: medium -fs/path/usr_bin: low -fs/path/usr_local: medium -fs/path/var: low -fs/permission/chown: low -fs/permission/modify: medium -fs/proc/arbitrary_pid: medium -fs/proc/cpuinfo: medium -fs/proc/meminfo: medium -fs/proc/self_cmdline: medium -fs/proc/self_exe: medium -fs/proc/self_status: medium -fs/proc/stat: medium -fs/symlink_resolve: low -fs/tempdir: low -fs/tempdir/TEMP: low -fs/tempdir/TMPDIR: low -fs/tempdir/create: low -fs/tempfile: low -fs/unmount: low -fs/watch: low -hw/cpu: medium -hw/dev/block_ice: medium -hw/wireless: low -impact/remote_access/heartbeat: medium -lateral/scan/target_ip: medium -malware/ref: medium -mem/anonymous_file: medium -net/dns/over_https: medium -net/dns/servers: low -net/dns/txt: low -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/cookies: medium -net/http/fake_user_agent: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/http/websocket: medium -net/ip: low -net/ip/host_port: medium -net/ip/icmp: medium -net/ip/multicast_send: low -net/ip/p_request: low -net/ip/parse: medium -net/ip/string: medium 
-net/proxy/socks5: medium -net/proxy/tunnel: medium -net/resolve/hostname: low -net/resolve/hostport_parse: low -net/rpc/ntlm: medium -net/socket/listen: medium -net/socket/local_addr: low -net/socket/pair: medium -net/socket/peer_address: low -net/socket/receive: low -net/socket/reuseport: medium -net/socket/send: low -net/tcp/ssh: medium -net/udp/kcp: medium -net/udp/upnp: medium -net/url/embedded: medium -net/url/encode: medium -net/url/parse: low -net/url/request: medium -net/webrtc: medium -os/fd/epoll: low -os/kernel/netlink: low -os/kernel/opencl: medium -os/kernel/seccomp: low -persist/service/start: low -privesc/setuid: low -privesc/sudo: medium -process/chdir: low -process/chroot: low -process/create: low -process/groups_set: low -process/multithreaded: low -sus/exclamation: medium -sus/intercept: medium -sus/malicious: medium
diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple
index 1d49e3f55..e69de29bb 100644
--- a/tests/linux/clean/clickhouse.simple
+++ b/tests/linux/clean/clickhouse.simple
@@ -1,205 +0,0 @@ -# linux/clean/clickhouse: medium -anti-static/elf/multiple: medium -anti-static/obfuscation/obfuscate: low -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/server: medium -c2/client: medium -c2/discovery/dyndns: medium -c2/tool_transfer/arch: low -c2/tool_transfer/download: medium -c2/tool_transfer/dropper: medium -c2/tool_transfer/grayware: medium -c2/tool_transfer/os: medium -collect/databases/leveldb: medium -collect/databases/mysql: medium -collect/databases/postgresql: medium -collect/databases/sqlite: medium -credential/cloud/aws: medium -credential/cloud/g: medium -credential/gaming/minecraft: medium -credential/password: low -credential/sniffer/bpf: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/ed25519: low -crypto/encrypt: medium -crypto/gost89: low -crypto/openssl: medium -crypto/public_key: low -crypto/tls: low -data/base64/decode: medium -data/base64/encode: medium -data/compression/bzip2: low -data/compression/gzip: low -data/compression/lzma: low -data/compression/zlib: low -data/compression/zstd: low -data/embedded/base64_url: medium -data/embedded/html: medium -data/embedded/pem_private_key: medium -data/encoding/base64: low -data/encoding/json_decode: low -data/encoding/json_encode: low -data/hash/blake2b: low -data/hash/md5: low -data/hash/sha1: low -data/hash/sha256: low -data/hash/whirlpool: medium -data/random/insecure: low -discover/cloud/google_metadata: low -discover/network/interface: low -discover/network/interface_list: medium -discover/permissions/capabilities: medium -discover/process/name: medium -discover/process/runtime_deps: medium -discover/processes/list: medium -discover/system/cpu: low -discover/system/dmesg: low -discover/system/hostname: low -discover/system/platform: low -discover/user/HOME: low -discover/user/USER: low -discover/user/name_get: low -evasion/bypass_security/linux/ufw: medium -evasion/file/location/dev_shm: medium 
-evasion/file/prefix: medium -evasion/hijack_execution/DYLD_LIBRARY_PATH: medium -evasion/hijack_execution/LD_LIBRARY_PATH: low -evasion/logging/acct: low -evasion/process_injection/ptrace: medium -exec/cmd: medium -exec/conditional/LANG: low -exec/dylib/address_check: low -exec/dylib/iterate: low -exec/dylib/symbol_address: medium -exec/install_additional/package_install: medium -exec/plugin: low -exec/program: medium -exec/program/background: low -exec/program/hidden: medium -exec/shell/SHELL: low -exec/shell/TERM: low -exec/shell/background_sleep: medium -exec/shell/echo: medium -exec/shell/ignore_output: medium -exec/shell/pipe_sh: medium -exec/system_controls/systemd: low -exfil/collection: medium -exfil/proxy: medium -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/file/capabilities_set: low -fs/file/copy: medium -fs/file/create: medium -fs/file/delete: medium -fs/file/delete_forcibly: medium -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/times_set: medium -fs/file/truncate: low -fs/file/write: low -fs/link_create: low -fs/link_read: low -fs/lock_update: low -fs/mount: low -fs/mounts_read: medium -fs/node_create: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/home_config: low -fs/path/root: medium -fs/path/tmp: medium -fs/path/usr_bin: low -fs/path/usr_local: medium -fs/path/var: low -fs/path/var_log: medium -fs/permission/chown: low -fs/permission/modify: medium -fs/proc/arbitrary_pid: medium -fs/proc/cpuinfo: medium -fs/proc/meminfo: medium -fs/proc/net_dev: medium -fs/proc/pid_maps: medium -fs/proc/pid_status: medium -fs/proc/self_cgroup: medium -fs/proc/self_exe: medium -fs/proc/self_status: medium -fs/proc/stat: medium -fs/symlink_resolve: low -fs/tempdir: low -fs/tempdir/TEMP: low -fs/tempdir/TMPDIR: low -fs/tempdir/create: low -fs/tempfile: low -fs/watch: low -hw/cpu: medium -hw/dev/block_ice: medium -impact/infection/worm: medium 
-impact/remote_access/heartbeat: medium -impact/shutdown: medium -net/dns/over_https: medium -net/dns/reverse: medium -net/dns/servers: low -net/dns/txt: low -net/download/fetch: medium -net/email/exotic_addr: medium -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/http/websocket: medium -net/ip: low -net/ip/host_port: medium -net/ip/icmp: medium -net/ip/parse: medium -net/ip/resolve: low -net/ip/string: medium -net/proxy/socks5: medium -net/proxy/tunnel: medium -net/resolve/hostname: low -net/resolve/hostport_parse: low -net/rpc/ntlm: medium -net/socket/connect: medium -net/socket/listen: medium -net/socket/local_addr: low -net/socket/pair: medium -net/socket/peer_address: low -net/socket/receive: low -net/socket/reuseport: medium -net/socket/send: low -net/tcp/grpc: low -net/tcp/ssh: medium -net/url/embedded: medium -net/url/encode: medium -net/url/parse: low -os/fd/epoll: low -os/fd/print: low -os/fd/read: low -os/fd/sendfile: low -os/kernel/netlink: low -os/kernel/opencl: medium -os/time/tzinfo: low -persist/pid_file: medium -privesc/setuid: low -privesc/sudo: medium -process/chdir: low -process/chroot: low -process/create: low -process/groupid_set: low -process/multithreaded: low -sus/exclamation: medium -sus/intercept: medium -sus/leetspeak: medium -sus/malicious: medium
diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md
index 4270357c9..e69de29bb 100644
--- a/tests/linux/clean/code-oss.md
+++ b/tests/linux/clean/code-oss.md
@@ -1,192 +0,0 @@ -## linux/clean/code-oss [🟡 MEDIUM] - -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| -| MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | -| MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) | -| MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | -| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | -| MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) | -| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s) | -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[bIp](https://github.com/search?q=bIp&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[gIp](https://github.com/search?q=gIp&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[maxPort](https://github.com/search?q=maxPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[minPort](https://github.com/search?q=minPort&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_ip](https://github.com/search?q=quic_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code) | -| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [_quic_drop_packets_with_changed_server_address](https://github.com/search?q=_quic_drop_packets_with_changed_server_address&type=code)
[server_address_](https://github.com/search?q=server_address_&type=code) | -| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) | -| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.4.4](https://github.com/search?q=8.8.4.4&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | -| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) | -| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [FrameDropper](https://github.com/search?q=FrameDropper&type=code)
[eye_dropper](https://github.com/search?q=eye_dropper&type=code)
[openEyeDropper](https://github.com/search?q=openEyeDropper&type=code) | -| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | -| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip_writer](https://github.com/search?q=zip_writer&type=code) | -| MEDIUM | [collect/databases/leveldb](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/leveldb.yara#leveldb) | accesses LevelDB databases | [LEVELDB_DATABASE](https://github.com/search?q=LEVELDB_DATABASE&type=code)
[LEVELDB_ITERATOR](https://github.com/search?q=LEVELDB_ITERATOR&type=code)
[LEVELDB_TRANSACTION](https://github.com/search?q=LEVELDB_TRANSACTION&type=code)
[LevelDBEH](https://github.com/search?q=LevelDBEH&type=code)
[LevelDBEnv](https://github.com/search?q=LevelDBEnv&type=code)
[LevelDBIH](https://github.com/search?q=LevelDBIH&type=code)
[LevelDBLeveledLock](https://github.com/search?q=LevelDBLeveledLock&type=code)
[LevelDBOpenErrors](https://github.com/search?q=LevelDBOpenErrors&type=code)
[LevelDBReadErrors](https://github.com/search?q=LevelDBReadErrors&type=code)
[LevelDBScopesKeyRange](https://github.com/search?q=LevelDBScopesKeyRange&type=code)
[LevelDBScopesMetadata](https://github.com/search?q=LevelDBScopesMetadata&type=code)
[LevelDBScopesUndoTask](https://github.com/search?q=LevelDBScopesUndoTask&type=code)
[LevelDBTransaction](https://github.com/search?q=LevelDBTransaction&type=code)
[LevelDBWrapper](https://github.com/search?q=LevelDBWrapper&type=code)
[LevelDBWriteErrors](https://github.com/search?q=LevelDBWriteErrors&type=code)
[MojoLevelDB](https://github.com/search?q=MojoLevelDB&type=code)
[OpenAndVerifyLevelDBDatabase](https://github.com/search?q=OpenAndVerifyLevelDBDatabase&type=code)
[OpenLevelDBScopes](https://github.com/search?q=OpenLevelDBScopes&type=code)
[indexed_db_leveldb_operations](https://github.com/search?q=indexed_db_leveldb_operations&type=code)
[lazy_leveldb](https://github.com/search?q=lazy_leveldb&type=code)
[leveldb_0x](https://github.com/search?q=leveldb_0x&type=code)
[leveldb_chrome](https://github.com/search?q=leveldb_chrome&type=code)
[leveldb_database](https://github.com/search?q=leveldb_database&type=code)
[leveldb_factory](https://github.com/search?q=leveldb_factory&type=code)
[leveldb_proto](https://github.com/search?q=leveldb_proto&type=code)
[leveldb_scopes](https://github.com/search?q=leveldb_scopes&type=code)
[leveldb_value_store](https://github.com/search?q=leveldb_value_store&type=code)
[proto_leveldb_wrapper](https://github.com/search?q=proto_leveldb_wrapper&type=code)
[transactional_leveldb_iterator](https://github.com/search?q=transactional_leveldb_iterator&type=code) | -| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) | -| MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) | -| MEDIUM | [credential/sniffer/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/sniffer/bpf.yara#sniffer_bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | -| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | -| MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | -| MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | [#"!](https://github.com/search?q=%23%22%21&type=code)
$opt0
$opt1
$opt2
$opt30
$opt4
$opt5
$opt6
$opt7
['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[3210](https://github.com/search?q=3210&type=code)
[7654](https://github.com/search?q=7654&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[onml](https://github.com/search?q=onml&type=code)
[srqp](https://github.com/search?q=srqp&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[](https://github.com/search?q=%83%82%81%80&type=code)
[](https://github.com/search?q=%87%86%85%84&type=code)
[](https://github.com/search?q=%8B%8A%89%88&type=code)
[](https://github.com/search?q=%8F%8E%8D%8C&type=code)
[](https://github.com/search?q=%93%92%91%90&type=code)
[](https://github.com/search?q=%97%96%95%94&type=code)
[](https://github.com/search?q=%9B%9A%99%98&type=code)
[](https://github.com/search?q=%9F%9E%9D%9C&type=code)
[](https://github.com/search?q=%A3%A2%A1%A0&type=code)
[](https://github.com/search?q=%A7%A6%A5%A4&type=code)
[](https://github.com/search?q=%AB%AA%A9%A8&type=code)
[](https://github.com/search?q=%AF%AE%AD%AC&type=code)
[](https://github.com/search?q=%B3%B2%B1%B0&type=code)
[](https://github.com/search?q=%B7%B6%B5%B4&type=code)
[](https://github.com/search?q=%BB%BA%B9%B8&type=code)
[](https://github.com/search?q=%BF%BE%BD%BC&type=code)
[](https://github.com/search?q=%C3%C2%C1%C0&type=code)
[](https://github.com/search?q=%C7%C6%C5%C4&type=code)
[](https://github.com/search?q=%CB%CA%C9%C8&type=code)
[](https://github.com/search?q=%CF%CE%CD%CC&type=code)
[](https://github.com/search?q=%D3%D2%D1%D0&type=code)
[](https://github.com/search?q=%D7%D6%D5%D4&type=code)
[](https://github.com/search?q=%DB%DA%D9%D8&type=code)
[](https://github.com/search?q=%DF%DE%DD%DC&type=code)
[](https://github.com/search?q=%E3%E2%E1%E0&type=code)
[](https://github.com/search?q=%E7%E6%E5%E4&type=code)
[](https://github.com/search?q=%EB%EA%E9%E8&type=code)
[](https://github.com/search?q=%EF%EE%ED%EC&type=code)
[](https://github.com/search?q=%F3%F2%F1%F0&type=code)
[](https://github.com/search?q=%F7%F6%F5%F4&type=code)
[](https://github.com/search?q=%FB%FA%F9%F8&type=code)
[](https://github.com/search?q=%FF%FE%FD%FC&type=code) | -| MEDIUM | [crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid) | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | -| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [base64_encode](https://github.com/search?q=base64_encode&type=code) | -| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[RpcmVjdG9ye::$directory](https://github.com/search?q=RpcmVjdG9ye%3A%3A%24directory&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | -| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[h0dHBzOi8v::$https](https://github.com/search?q=h0dHBzOi8v%3A%3A%24https&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) | -| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | -| MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code)
[networkInterfaces](https://github.com/search?q=networkInterfaces&type=code) | -| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | -| MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | -| MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | -| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | -| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) | -| MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | -| MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code)
[vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code) | -| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | -| MEDIUM | [exec/program/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/hidden.yara#relative_hidden_launcher) | relative hidden launcher | [./.691.9B](https://github.com/search?q=.%2F.691.9B&type=code)
[bash](https://github.com/search?q=bash&type=code)
[exec](https://github.com/search?q=exec&type=code)
[system](https://github.com/search?q=system&type=code) | -| MEDIUM | [exec/shell/pipe_sh](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/pipe_sh.yara#pipe_to_shell) | pipes to shell | [| sh](https://github.com/search?q=%7C+sh&type=code) | -| MEDIUM | [exec/tty/pathname](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/pathname.yara#ttyname) | returns the pathname of a terminal device | [ttyname](https://github.com/search?q=ttyname&type=code) | -| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | -| MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#google_drive) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [drive.google.com/](https://github.com/search?q=drive.google.com%2F&type=code) | -| MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy) | copy files using cp | [copyFile](https://github.com/search?q=copyFile&type=code) | -| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileAndStart](https://github.com/search?q=CreateFileAndStart&type=code)
[CreateFileAndWrite](https://github.com/search?q=CreateFileAndWrite&type=code)
[CreateFileOpenDial](https://github.com/search?q=CreateFileOpenDial&type=code)
[CreateFileToTrunca](https://github.com/search?q=CreateFileToTrunca&type=code)
[CreateFileURLLoade](https://github.com/search?q=CreateFileURLLoade&type=code)
[CreateFileWriterIm](https://github.com/search?q=CreateFileWriterIm&type=code) | -| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFileOnFileSe](https://github.com/search?q=DeleteFileOnFileSe&type=code) | -| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utimes](https://github.com/search?q=utimes&type=code) | -| MEDIUM | [fs/path/etc_hosts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts) | references /etc/hosts | [/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) | -| MEDIUM | [fs/path/root](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/root.yara#root_path_val) | path reference within /root | [/root/root-legacy.js](https://github.com/search?q=%2Froot%2Froot-legacy.js&type=code)
[/root/root.js](https://github.com/search?q=%2Froot%2Froot.js&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/__v8_gc__](https://github.com/search?q=%2Ftmp%2F__v8_gc__&type=code)
[/tmp/chromium-upload-XXXXXXXXXXXXXXXX](https://github.com/search?q=%2Ftmp%2Fchromium-upload-XXXXXXXXXXXXXXXX&type=code)
[/tmp/node-repl-sock](https://github.com/search?q=%2Ftmp%2Fnode-repl-sock&type=code)
[/tmp/perf-%d.map](https://github.com/search?q=%2Ftmp%2Fperf-%25d.map&type=code)
[/tmp/perfetto-consumer](https://github.com/search?q=%2Ftmp%2Fperfetto-consumer&type=code)
[/tmp/perfetto-producer](https://github.com/search?q=%2Ftmp%2Fperfetto-producer&type=code) | -| MEDIUM | [fs/path/var_log](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var-log.yara#var_log_path) | path reference within /var/log | [/var/log/bluetooth/log.bz2.old](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Flog.bz2.old&type=code) | -| MEDIUM | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown) | Changes file ownership | [Chown](https://github.com/search?q=Chown&type=code) | -| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [Chmod](https://github.com/search?q=Chmod&type=code)
[chmod](https://github.com/search?q=chmod&type=code) | -| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/$](https://github.com/search?q=%2Fproc%2F%24&type=code)
[/proc/%d/task/](https://github.com/search?q=%2Fproc%2F%25d%2Ftask%2F&type=code) | -| MEDIUM | [fs/proc/cpuinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/cpuinfo.yara#proc_cpuinfo) | get CPU info | [/proc/cpuinfo](https://github.com/search?q=%2Fproc%2Fcpuinfo&type=code) | -| MEDIUM | [fs/proc/meminfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/meminfo.yara#proc_meminfo_val) | get memory info | [/proc/meminfo](https://github.com/search?q=%2Fproc%2Fmeminfo&type=code) | -| MEDIUM | [fs/proc/self_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cmdline.yara#proc_self_cmdline) | gets process command-line | [/proc/self/cmdline](https://github.com/search?q=%2Fproc%2Fself%2Fcmdline&type=code) | -| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | -| MEDIUM | [fs/proc/self_status](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-status.yara#proc_self_status) | gets status associated to this process, including capabilities | [/proc/self/status](https://github.com/search?q=%2Fproc%2Fself%2Fstatus&type=code) | -| MEDIUM | [fs/proc/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/stat.yara#proc_stat) | gets kernel/system statistics | [/proc/stat](https://github.com/search?q=%2Fproc%2Fstat&type=code) | -| MEDIUM | [hw/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/cpu.yara#sys_devices_cpu) | Get information about CPUs | [/sys/devices/system/cpu](https://github.com/search?q=%2Fsys%2Fdevices%2Fsystem%2Fcpu&type=code) | -| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [Failed to deserialized 
Heartbeat info pa](https://github.com/search?q=Failed+to+deserialized+Heartbeat+info+pa&type=code)
[Invalid heartbeat info:](https://github.com/search?q=Invalid+heartbeat+info%3A&type=code)
[No Heartbeat Info pa](https://github.com/search?q=No+Heartbeat+Info+pa&type=code)
[heartbeat:](https://github.com/search?q=heartbeat%3A&type=code)
[heartbeat_handler](https://github.com/search?q=heartbeat_handler&type=code) | -| MEDIUM | [lateral/scan/target_ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/target_ip.yara#target_ip) | References a target IP | [target IP](https://github.com/search?q=target+IP&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | -| MEDIUM | [malware/ref](https://github.com/chainguard-dev/malcontent/blob/main/rules/malware/ref.yara#malware) | mentions 'malware' | [_malware](https://github.com/search?q=_malware&type=code) | -| MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [DnsOverHttps](https://github.com/search?q=DnsOverHttps&type=code)
[application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) | -| MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | -| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | -| MEDIUM | [net/http/content_length](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length.yara#content_length_0) | Sets HTTP content length to zero | [Content-Length: 0](https://github.com/search?q=Content-Length%3A+0&type=code) | -| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | -| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type header.](https://github.com/search?q=Content-Type+header.&type=code)
[Content-Type: application/json](https://github.com/search?q=Content-Type%3A+application%2Fjson&type=code)
[Content-Type: application/octet](https://github.com/search?q=Content-Type%3A+application%2Foctet&type=code)
[Content-Type: multipart/form](https://github.com/search?q=Content-Type%3A+multipart%2Fform&type=code)
[Content-Type: multipart/related](https://github.com/search?q=Content-Type%3A+multipart%2Frelated&type=code)
[Content-Type: text/html](https://github.com/search?q=Content-Type%3A+text%2Fhtml&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[AcceptWebSocket](https://github.com/search?q=AcceptWebSocket&type=code)
[DOMWebSocket](https://github.com/search?q=DOMWebSocket&type=code)
[OnWebSocketMessage](https://github.com/search?q=OnWebSocketMessage&type=code)
[OnWebSocketRequest](https://github.com/search?q=OnWebSocketRequest&type=code)
[ServerSupportsWebSocket](https://github.com/search?q=ServerSupportsWebSocket&type=code)
[WebSocket::Close](https://github.com/search?q=WebSocket%3A%3AClose&type=code)
[WebSocket::Connect](https://github.com/search?q=WebSocket%3A%3AConnect&type=code)
[WebSocket::Create](https://github.com/search?q=WebSocket%3A%3ACreate&type=code)
[WebSocket::GetBufferedAmount](https://github.com/search?q=WebSocket%3A%3AGetBufferedAmount&type=code)
[WebSocket::GetCloseCode](https://github.com/search?q=WebSocket%3A%3AGetCloseCode&type=code)
[WebSocket::GetCloseReason](https://github.com/search?q=WebSocket%3A%3AGetCloseReason&type=code)
[WebSocket::GetCloseWasClean](https://github.com/search?q=WebSocket%3A%3AGetCloseWasClean&type=code)
[WebSocket::GetExtensions](https://github.com/search?q=WebSocket%3A%3AGetExtensions&type=code)
[WebSocket::GetProtocol](https://github.com/search?q=WebSocket%3A%3AGetProtocol&type=code)
[WebSocket::GetReadyState](https://github.com/search?q=WebSocket%3A%3AGetReadyState&type=code)
[WebSocket::GetURL](https://github.com/search?q=WebSocket%3A%3AGetURL&type=code)
[WebSocket::IsWebSocket](https://github.com/search?q=WebSocket%3A%3AIsWebSocket&type=code)
[WebSocket::ReceiveMessage](https://github.com/search?q=WebSocket%3A%3AReceiveMessage&type=code)
[WebSocket::SendMessage](https://github.com/search?q=WebSocket%3A%3ASendMessage&type=code)
[WebSocketAdapter](https://github.com/search?q=WebSocketAdapter&type=code)
[WebSocketAuthenticationHandler](https://github.com/search?q=WebSocketAuthenticationHandler&type=code)
[WebSocketChannelImpl](https://github.com/search?q=WebSocketChannelImpl&type=code)
[WebSocketClient](https://github.com/search?q=WebSocketClient&type=code)
[WebSocketCloseInfo](https://github.com/search?q=WebSocketCloseInfo&type=code)
[WebSocketConnector](https://github.com/search?q=WebSocketConnector&type=code)
[WebSocketCreate](https://github.com/search?q=WebSocketCreate&type=code)
[WebSocketDestroy](https://github.com/search?q=WebSocketDestroy&type=code)
[WebSocketHandshakeClient](https://github.com/search?q=WebSocketHandshakeClient&type=code)
[WebSocketMessageChunkAccumulator::Segment](https://github.com/search?q=WebSocketMessageChunkAccumulator%3A%3ASegment&type=code)
[WebSocketReassembleShortMessages](https://github.com/search?q=WebSocketReassembleShortMessages&type=code)
[WebSocketReceiveHandshakeResponse](https://github.com/search?q=WebSocketReceiveHandshakeResponse&type=code)
[WebSocketSendHandshakeRequest](https://github.com/search?q=WebSocketSendHandshakeRequest&type=code)
[WebSocketStream::Delegate::OnAuthRequired](https://github.com/search?q=WebSocketStream%3A%3ADelegate%3A%3AOnAuthRequired&type=code)
[WebSocketStreamOptions](https://github.com/search?q=WebSocketStreamOptions&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code)
[testWebSocketPort](https://github.com/search?q=testWebSocketPort&type=code)
[webSocketClosed](https://github.com/search?q=webSocketClosed&type=code)
[webSocketCreated](https://github.com/search?q=webSocketCreated&type=code)
[webSocketDebuggerUrl](https://github.com/search?q=webSocketDebuggerUrl&type=code)
[webSocketFrameError](https://github.com/search?q=webSocketFrameError&type=code)
[webSocketFrameReceived](https://github.com/search?q=webSocketFrameReceived&type=code)
[webSocketFrameSent](https://github.com/search?q=webSocketFrameSent&type=code)
[webSocketHandshakeResponseReceived](https://github.com/search?q=webSocketHandshakeResponseReceived&type=code)
[webSocketProtocol](https://github.com/search?q=webSocketProtocol&type=code)
[webSocketWillSendHandshakeRequest](https://github.com/search?q=webSocketWillSendHandshakeRequest&type=code) | -| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host",t.port](https://github.com/search?q=host%22%2Ct.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+++origin_port&type=code)
[host, ctx.port](https://github.com/search?q=host%2C+ctx.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+origin_port&type=code)
[host, port](https://github.com/search?q=host%2C+port&type=code)
[host,r.port=e.port](https://github.com/search?q=host%2Cr.port%3De.port&type=code)
[host.length - port](https://github.com/search?q=host.length+-+port&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host:]port](https://github.com/search?q=host%3A%5Dport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host=null,this.port](https://github.com/search?q=host%3Dnull%2Cthis.port&type=code)
[host>:[host_import](https://github.com/search?q=host_import&type=code)
[hostname and port](https://github.com/search?q=hostname+and+port&type=code)
[hostname, port](https://github.com/search?q=hostname%2C+port&type=code)
[hostname="",r.port](https://github.com/search?q=hostname%3D%22%22%2Cr.port&type=code)
[hostname=null,e.port](https://github.com/search?q=hostname%3Dnull%2Ce.port&type=code)
[host}${port](https://github.com/search?q=host%7D%24%7Bport&type=code)
[host}:${port](https://github.com/search?q=host%7D%3A%24%7Bport&type=code) | -| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping err](https://github.com/search?q=ping++err&type=code)
[ping cancelled](https://github.com/search?q=ping+cancelled&type=code)
[ping connectivity probe](https://github.com/search?q=ping+connectivity+probe&type=code)
[ping failures and](https://github.com/search?q=ping+failures+and&type=code)
[ping from zygote child](https://github.com/search?q=ping+from+zygote+child&type=code)
[ping interval to](https://github.com/search?q=ping+interval+to&type=code)
[ping interval.](https://github.com/search?q=ping+interval.&type=code)
[ping last_ping_sent_:](https://github.com/search?q=ping+last_ping_sent_%3A&type=code)
[ping libuv](https://github.com/search?q=ping+libuv&type=code)
[ping most likely connection to](https://github.com/search?q=ping+most+likely+connection+to&type=code)
[ping payload must be 8 bytes](https://github.com/search?q=ping+payload+must+be+8+bytes&type=code)
[ping received](https://github.com/search?q=ping+received&type=code)
[ping response](https://github.com/search?q=ping+response&type=code)
[ping was sent and the ack](https://github.com/search?q=ping+was+sent+and+the+ack&type=code)
[ping with high retransmit count:](https://github.com/search?q=ping+with+high+retransmit+count%3A&type=code) | -| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | -| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | -| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [CONNECT %s](https://github.com/search?q=CONNECT+%25s&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | -| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[Tunnel](https://github.com/search?q=Tunnel&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | -| MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [ntlm](https://github.com/search?q=ntlm&type=code) | -| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) | -| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | -| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | -| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) | -| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[http://autocomplete.nigma.ru/complete/query_help.php?suggest=true](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code) | -| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | -| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code)
[request(url,](https://github.com/search?q=request%28url%2C&type=code) | -| MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | -| MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | -| MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo chmod 1777 /dev/shm](https://github.com/search?q=sudo+chmod+1777+%2Fdev%2Fshm&type=code) | -| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[0 !!!!](https://github.com/search?q=0+++++++%21%21%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[12366 !!!](https://github.com/search?q=12366++++++%21%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH++++%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[AGG !!](https://github.com/search?q=AGG+++++%21%21&type=code)
[CGIJMOQS !!](https://github.com/search?q=CGIJMOQS++++%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[EE !!](https://github.com/search?q=EE++++%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code) | -| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptorConfig](https://github.com/search?q=interceptorConfig&type=code)
[interceptorEv](https://github.com/search?q=interceptorEv&type=code)
[interceptor_config](https://github.com/search?q=interceptor_config&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | -| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | -| LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscate_location_parse_error](https://github.com/search?q=obfuscate_location_parse_error&type=code)
[obfuscated_field_name](https://github.com/search?q=obfuscated_field_name&type=code)
[obfuscated_file_util](https://github.com/search?q=obfuscated_file_util&type=code)
[obfuscated_name](https://github.com/search?q=obfuscated_name&type=code) | -| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://127.0.0.1](http://127.0.0.1)
[http://Descriptionrelatively](http://Descriptionrelatively)
[http://according](http://according)
[http://addEventListenerresponsible](http://addEventListenerresponsible)
[http://ak.apnstatic.com/media/images/favicon_search](http://ak.apnstatic.com/media/images/favicon_search)
[http://applicationslink](http://applicationslink)
[http://arianna.libero.it/search/abin/integrata.cgi](http://arianna.libero.it/search/abin/integrata.cgi)
[http://autocomplete.nigma.ru/complete/query_help.php](http://autocomplete.nigma.ru/complete/query_help.php)
[http://buscador.softonic.com/](http://buscador.softonic.com/)
[http://buscador.terra.es/Default.aspx](http://buscador.terra.es/Default.aspx)
[http://buscador.terra.es/favicon.ico](http://buscador.terra.es/favicon.ico)
[http://buscar.terra.com.ar/Default.aspx](http://buscar.terra.com.ar/Default.aspx)
[http://buscar.terra.com.ar/favicon.ico](http://buscar.terra.com.ar/favicon.ico)
[http://certificates.godaddy.com/repository/gd_intermediate.crt0](http://certificates.godaddy.com/repository/gd_intermediate.crt0)
[http://certificates.godaddy.com/repository100.](http://certificates.godaddy.com/repository100.)
[http://clients3.google.com/cert_upload_json](http://clients3.google.com/cert_upload_json)
[http://code.google.com/p/closure](http://code.google.com/p/closure)
[http://crbug.com/1138528](http://crbug.com/1138528)
[http://crbug.com/660005.](http://crbug.com/660005.)
[http://crl.comodo.net/AAACertificateServices.crl0](http://crl.comodo.net/AAACertificateServices.crl0)
[http://crl.comodoca.com/AAACertificateServices.crl06](http://crl.comodoca.com/AAACertificateServices.crl06)
[http://crl.comodoca.com/COMODOCertificationAuthority.crl0](http://crl.comodoca.com/COMODOCertificationAuthority.crl0)
[http://crl.globalsign.net/root](http://crl.globalsign.net/root)
[http://crl.godaddy.com/gds1](http://crl.godaddy.com/gds1)
[http://csp.yahoo.com/beacon/csp](http://csp.yahoo.com/beacon/csp)
[http://dictionaryperceptionrevolutionfoundationpx](http://dictionaryperceptionrevolutionfoundationpx)
[http://dts.search](http://dts.search)
[http://en.softonic.com/s/](http://en.softonic.com/s/)
[http://encoding=](http://encoding=)
[http://exslt.org/common](http://exslt.org/common)
[http://familiar](http://familiar)
[http://feed.snap.do/](http://feed.snap.do/)
[http://feed.snapdo.com/](http://feed.snapdo.com/)
[http://feross.org](http://feross.org)
[http://find.in.gr/Themes/1/Default/Media/Layout/icon_in.png](http://find.in.gr/Themes/1/Default/Media/Layout/icon_in.png)
[http://g1.delphi.lv/favicon.ico](http://g1.delphi.lv/favicon.ico)
[http://hladaj.atlas.sk/fulltext/](http://hladaj.atlas.sk/fulltext/)
[http://html4/loose.dtd](http://html4/loose.dtd)
[http://i.rl0.ru/2011/icons/rambler.ico](http://i.rl0.ru/2011/icons/rambler.ico)
[http://i.wp.pl/a/i/stg/500/favicon.ico](http://i.wp.pl/a/i/stg/500/favicon.ico)
[http://icl.com/saxon](http://icl.com/saxon)
[http://imEnglish](http://imEnglish)
[http://imgs.sapo.pt/images/sapo.ico](http://imgs.sapo.pt/images/sapo.ico)
[http://interested](http://interested)
[http://interpreted](http://interpreted)
[http://iparticipation](http://iparticipation)
[http://isearch.avg.com/search](http://isearch.avg.com/search)
[http://l.twimg.com/i/hpkp_report](http://l.twimg.com/i/hpkp_report)
[http://linkurystoragenorthus.blob.core.windows.net/static/favicon.ico](http://linkurystoragenorthus.blob.core.windows.net/static/favicon.ico)
[http://localhost](http://localhost)
[http://mathematicsmargin](http://mathematicsmargin)
[http://mixidj.delta](http://mixidj.delta)
[http://ms1.iol.it/graph_hf/v.8.3.04/themes/default/img/favicon.ico](http://ms1.iol.it/graph_hf/v.8.3.04/themes/default/img/favicon.ico)
[http://mysearch.sweetpacks.com/](http://mysearch.sweetpacks.com/)
[http://mystart.incredibar.com/](http://mystart.incredibar.com/)
[http://narwhaljs.org](http://narwhaljs.org)
[http://navigation](http://navigation)
[http://nigma.ru/themes/nigma/img/favicon.ico](http://nigma.ru/themes/nigma/img/favicon.ico)
[http://nl.softonic.com/s/](http://nl.softonic.com/s/)
[http://nova.rambler.ru/search](http://nova.rambler.ru/search)
[http://nova.rambler.ru/suggest](http://nova.rambler.ru/suggest)
[http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/](http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/)
[http://ns.adobe.com/data](http://ns.adobe.com/data)
[http://ns.adobe.com/pdf/1.3/](http://ns.adobe.com/pdf/1.3/)
[http://ns.adobe.com/xap/1.0/mm/](http://ns.adobe.com/xap/1.0/mm/)
[http://ns.adobe.com/xdp/pdf/](http://ns.adobe.com/xdp/pdf/)
[http://ns.adobe.com/xfdf/](http://ns.adobe.com/xfdf/)
[http://ns.adobe.com/xmpmeta/](http://ns.adobe.com/xmpmeta/)
[http://ocsp.godaddy.com/0J](http://ocsp.godaddy.com/0J)
[http://ok.hu/gfx/favicon.ico](http://ok.hu/gfx/favicon.ico)
[http://ok.hu/katalogus](http://ok.hu/katalogus)
[http://pesquisa.sapo.pt/livesapo](http://pesquisa.sapo.pt/livesapo)
[http://purl.org/dc/elements/1.1/](http://purl.org/dc/elements/1.1/)
[http://radce.centrum.cz/](http://radce.centrum.cz/)
[http://search.avg.com/favicon.ico](http://search.avg.com/favicon.ico)
[http://search.avg.com/route/](http://search.avg.com/route/)
[http://search.avg.com/search](http://search.avg.com/search)
[http://search.babylon.com/favicon.ico](http://search.babylon.com/favicon.ico)
[http://search.babylon.com/home](http://search.babylon.com/home)
[http://search.conduit.com/Results.aspx](http://search.conduit.com/Results.aspx)
[http://search.goo.ne.jp/sgt.jsp](http://search.goo.ne.jp/sgt.jsp)
[http://search.goo.ne.jp/web.jsp](http://search.goo.ne.jp/web.jsp)
[http://search.imesh.net/favicon.ico](http://search.imesh.net/favicon.ico)
[http://search.imesh.net/music](http://search.imesh.net/music)
[http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Default.aspx](http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Default.aspx)
[http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Result.aspx](http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Result.aspx)
[http://search.iminent.com/Shared/Images/favicon_gl.ico](http://search.iminent.com/Shared/Images/favicon_gl.ico)
[http://search.incredibar.com/favicon.ico](http://search.incredibar.com/favicon.ico)
[http://search.incredibar.com/search.php](http://search.incredibar.com/search.php)
[http://search.snap.do/](http://search.snap.do/)
[http://search.snapdo.com/](http://search.snapdo.com/)
[http://search.softonic.com/img/favicon.ico](http://search.softonic.com/img/favicon.ico)
[http://search.sweetim.com/favicon.ico](http://search.sweetim.com/favicon.ico)
[http://search.sweetim.com/search.asp](http://search.sweetim.com/search.asp)
[http://search.tut.by/favicon.ico](http://search.tut.by/favicon.ico)
[http://search.walla.co.il/](http://search.walla.co.il/)
[http://searchatlas.centrum.cz/](http://searchatlas.centrum.cz/)
[http://searchfunmoods.com/favicon.ico](http://searchfunmoods.com/favicon.ico)
[http://searchfunmoods.com/results.php](http://searchfunmoods.com/results.php)
[http://site_name](http://site_name)
[http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js](http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js)
[http://start.iminent.com/StartWeb/1033/homepage/](http://start.iminent.com/StartWeb/1033/homepage/)
[http://start.sweetpacks.com/favicon.ico](http://start.sweetpacks.com/favicon.ico)
[http://start.sweetpacks.com/search.asp](http://start.sweetpacks.com/search.asp)
[http://static.mediacentrum.sk/katalog/atlas.sk/images/favicon.ico](http://static.mediacentrum.sk/katalog/atlas.sk/images/favicon.ico)
[http://staticsuggested](http://staticsuggested)
[http://suggest.yandex.ru/suggest](http://suggest.yandex.ru/suggest)
[http://szukaj.wp.pl/szukaj.html](http://szukaj.wp.pl/szukaj.html)
[http://tools.ietf.org/html/rfc3986](http://tools.ietf.org/html/rfc3986)
[http://unisolated.invalid](http://unisolated.invalid)
[http://userguide.icu](http://userguide.icu)
[http://wpad/wpad.dat](http://wpad/wpad.dat)
[http://www./div](http://www./div)
[http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html](http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html)
[http://www.C//DTD](http://www.C//DTD)
[http://www.aiim.org/pdfa/ns/id/](http://www.aiim.org/pdfa/ns/id/)
[http://www.apache.org/licenses/LICENSE](http://www.apache.org/licenses/LICENSE)
[http://www.brynosaurus.com/cachedir/](http://www.brynosaurus.com/cachedir/)
[http://www.color.org](http://www.color.org)
[http://www.conduit.com/favicon.ico](http://www.conduit.com/favicon.ico)
[http://www.conduit.com/search](http://www.conduit.com/search)
[http://www.delfi.lt/paieska/](http://www.delfi.lt/paieska/)
[http://www.delfi.lv/search_all/](http://www.delfi.lv/search_all/)
[http://www.delta](http://www.delta)
[http://www.example.com](http://www.example.com)
[http://www.hortcut](http://www.hortcut)
[http://www.ibm.com/data/dtd/v11/ibmxhtml1](http://www.ibm.com/data/dtd/v11/ibmxhtml1)
[http://www.icon](http://www.icon)
[http://www.iec.ch](http://www.iec.ch)
[http://www.ietf.org/id/draft](http://www.ietf.org/id/draft)
[http://www.interpretation](http://www.interpretation)
[http://www.jclark.com/xt](http://www.jclark.com/xt)
[http://www.language=](http://www.language=)
[http://www.midnight](http://www.midnight)
[http://www.neti.ee/api/suggestOS](http://www.neti.ee/api/suggestOS)
[http://www.neti.ee/cgi](http://www.neti.ee/cgi)
[http://www.neti.ee/favicon.ico](http://www.neti.ee/favicon.ico)
[http://www.search.delta](http://www.search.delta)
[http://www.searchnu.com/favicon.ico](http://www.searchnu.com/favicon.ico)
[http://www.searchnu.com/web](http://www.searchnu.com/web)
[http://www.softonic.com.br/s/](http://www.softonic.com.br/s/)
[http://www.softonic.com/s/](http://www.softonic.com/s/)
[http://www.squid](http://www.squid)
[http://www.style=](http://www.style=)
[http://www.text](http://www.text)
[http://www.w3.org/1998/Math/MathML](http://www.w3.org/1998/Math/MathML)
[http://www.w3.org/1999/02/22](http://www.w3.org/1999/02/22)
[http://www.w3.org/1999/XSL/Transform](http://www.w3.org/1999/XSL/Transform)
[http://www.w3.org/1999/xhtml](http://www.w3.org/1999/xhtml)
[http://www.w3.org/1999/xlink](http://www.w3.org/1999/xlink)
[http://www.w3.org/2000/09/xmldsig](http://www.w3.org/2000/09/xmldsig)
[http://www.w3.org/2000/svg](http://www.w3.org/2000/svg)
[http://www.w3.org/2000/xmlns/](http://www.w3.org/2000/xmlns/)
[http://www.w3.org/2001/XMLSchema](http://www.w3.org/2001/XMLSchema)
[http://www.w3.org/2002/08/xquery](http://www.w3.org/2002/08/xquery)
[http://www.w3.org/Graphics/SVG](http://www.w3.org/Graphics/SVG)
[http://www.w3.org/TR/1999/REC](http://www.w3.org/TR/1999/REC)
[http://www.w3.org/TR/REC](http://www.w3.org/TR/REC)
[http://www.w3.org/TR/html4/frameset.dtd](http://www.w3.org/TR/html4/frameset.dtd)
[http://www.w3.org/TR/html4/loose.dtd](http://www.w3.org/TR/html4/loose.dtd)
[http://www.w3.org/TR/html4/strict.dtd](http://www.w3.org/TR/html4/strict.dtd)
[http://www.w3.org/TR/xhtml1/DTD/xhtml1](http://www.w3.org/TR/xhtml1/DTD/xhtml1)
[http://www.w3.org/XML/1998/namespace](http://www.w3.org/XML/1998/namespace)
[http://www.w3.org/shortcut](http://www.w3.org/shortcut)
[http://www.walla.co.il/favicon.ico](http://www.walla.co.il/favicon.ico)
[http://www.webrtc.org/experiments/rtp](http://www.webrtc.org/experiments/rtp)
[http://www.wencodeURIComponent](http://www.wencodeURIComponent)
[http://www.xfa.com/schema/xfa](http://www.xfa.com/schema/xfa)
[http://www.xfa.org/schema/xci/](http://www.xfa.org/schema/xci/)
[http://www.xfa.org/schema/xdc/](http://www.xfa.org/schema/xdc/)
[http://www.xfa.org/schema/xfa](http://www.xfa.org/schema/xfa)
[http://www.years](http://www.years)
[http://www.yhs.delta](http://www.yhs.delta)
[http://www.zoznam.sk/hladaj.fcgi](http://www.zoznam.sk/hladaj.fcgi)
[http://www1.delta](http://www1.delta)
[http://www2.delta](http://www2.delta)
[http://www2.public](http://www2.public)
[http://xmlsoft.org/XSLT/namespace](http://xmlsoft.org/XSLT/namespace)
[https://ac.ecosia.org/autocomplete](https://ac.ecosia.org/autocomplete)
[https://ac.search.naver.com/nx/ac](https://ac.search.naver.com/nx/ac)
[https://alekberg.net/privacy](https://alekberg.net/privacy)
[https://android.com/pay](https://android.com/pay)
[https://aomediacodec.github.io/av1](https://aomediacodec.github.io/av1)
[https://api.oceanhero.today/suggestions](https://api.oceanhero.today/suggestions)
[https://api.qwant.com/api/suggest/](https://api.qwant.com/api/suggest/)
[https://ar.search.yahoo.com/favicon.ico](https://ar.search.yahoo.com/favicon.ico)
[https://ar.search.yahoo.com/search](https://ar.search.yahoo.com/search)
[https://ar.search.yahoo.com/sugg/chrome](https://ar.search.yahoo.com/sugg/chrome)
[https://at.search.yahoo.com/favicon.ico](https://at.search.yahoo.com/favicon.ico)
[https://at.search.yahoo.com/search](https://at.search.yahoo.com/search)
[https://at.search.yahoo.com/sugg/chrome](https://at.search.yahoo.com/sugg/chrome)
[https://au.search.yahoo.com/favicon.ico](https://au.search.yahoo.com/favicon.ico)
[https://au.search.yahoo.com/search](https://au.search.yahoo.com/search)
[https://au.search.yahoo.com/sugg/chrome](https://au.search.yahoo.com/sugg/chrome)
[https://beacons.gcp.gvt2.com/domainreliability/upload](https://beacons.gcp.gvt2.com/domainreliability/upload)
[https://beacons.gvt2.com/domainreliability/upload](https://beacons.gvt2.com/domainreliability/upload)
[https://beacons2.gvt2.com/domainreliability/upload](https://beacons2.gvt2.com/domainreliability/upload)
[https://beacons3.gvt2.com/domainreliability/upload](https://beacons3.gvt2.com/domainreliability/upload)
[https://beacons4.gvt2.com/domainreliability/upload](https://beacons4.gvt2.com/domainreliability/upload)
[https://beacons5.gvt2.com/domainreliability/upload](https://beacons5.gvt2.com/domainreliability/upload)
[https://beacons5.gvt3.com/domainreliability/upload](https://beacons5.gvt3.com/domainreliability/upload)
[https://bit.ly/3rpDuEX.](https://bit.ly/3rpDuEX.)
[https://bit.ly/audio](https://bit.ly/audio)
[https://blog.chromium.org/2019/10/no](https://blog.chromium.org/2019/10/no)
[https://br.search.yahoo.com/favicon.ico](https://br.search.yahoo.com/favicon.ico)
[https://br.search.yahoo.com/search](https://br.search.yahoo.com/search)
[https://br.search.yahoo.com/sugg/chrome](https://br.search.yahoo.com/sugg/chrome)
[https://bugs.chromium.org/p/chromium/issues/detail](https://bugs.chromium.org/p/chromium/issues/detail)
[https://bugs.chromium.org/p/dawn/issues/detail](https://bugs.chromium.org/p/dawn/issues/detail)
[https://bugs.chromium.org/p/v8/issues/detail](https://bugs.chromium.org/p/v8/issues/detail)
[https://buscador.softonic.com/](https://buscador.softonic.com/)
[https://buscador.terra.com.ar/Default.aspx](https://buscador.terra.com.ar/Default.aspx)
[https://buscador.terra.es/Default.aspx](https://buscador.terra.es/Default.aspx)
[https://c.android.clients.google.com/](https://c.android.clients.google.com/)
[https://c.bigcache.googleapis.com/](https://c.bigcache.googleapis.com/)
[https://c.docs.google.com/](https://c.docs.google.com/)
[https://c.drive.google.com/](https://c.drive.google.com/)
[https://c.googlesyndication.com/](https://c.googlesyndication.com/)
[https://c.pack.google.com/](https://c.pack.google.com/)
[https://c.play.google.com/](https://c.play.google.com/)
[https://c.youtube.com/](https://c.youtube.com/)
[https://ca.search.yahoo.com/favicon.ico](https://ca.search.yahoo.com/favicon.ico)
[https://ca.search.yahoo.com/search](https://ca.search.yahoo.com/search)
[https://ca.search.yahoo.com/sugg/chrome](https://ca.search.yahoo.com/sugg/chrome)
[https://cdn.ecosia.org/assets/images/ico/favicon.ico](https://cdn.ecosia.org/assets/images/ico/favicon.ico)
[https://ch.search.yahoo.com/favicon.ico](https://ch.search.yahoo.com/favicon.ico)
[https://ch.search.yahoo.com/search](https://ch.search.yahoo.com/search)
[https://ch.search.yahoo.com/sugg/chrome](https://ch.search.yahoo.com/sugg/chrome)
[https://chrome.cloudflare](https://chrome.cloudflare)
[https://chrome.google.com/webstore](https://chrome.google.com/webstore)
[https://chromium.dns.nextdns.io](https://chromium.dns.nextdns.io)
[https://chromium.googlesource.com/chromium/src/](https://chromium.googlesource.com/chromium/src/)
[https://cl.search.yahoo.com/favicon.ico](https://cl.search.yahoo.com/favicon.ico)
[https://cl.search.yahoo.com/search](https://cl.search.yahoo.com/search)
[https://cl.search.yahoo.com/sugg/chrome](https://cl.search.yahoo.com/sugg/chrome)
[https://cleanbrowsing.org/privacy](https://cleanbrowsing.org/privacy)
[https://clients2.google.com/domainreliability/upload](https://clients2.google.com/domainreliability/upload)
[https://clients2.google.com/service/update2/crx](https://clients2.google.com/service/update2/crx)
[https://clients3.google.com/ct_upload](https://clients3.google.com/ct_upload)
[https://co.search.yahoo.com/favicon.ico](https://co.search.yahoo.com/favicon.ico)
[https://co.search.yahoo.com/search](https://co.search.yahoo.com/search)
[https://co.search.yahoo.com/sugg/chrome](https://co.search.yahoo.com/sugg/chrome)
[https://coccoc.com/favicon.ico](https://coccoc.com/favicon.ico)
[https://coccoc.com/search](https://coccoc.com/search)
[https://code.google.com/p/chromium/issues/detail](https://code.google.com/p/chromium/issues/detail)
[https://console.spec.whatwg.org/](https://console.spec.whatwg.org/)
[https://crbug.com/1025266](https://crbug.com/1025266)
[https://crbug.com/1038223.](https://crbug.com/1038223.)
[https://crbug.com/1053756](https://crbug.com/1053756)
[https://crbug.com/1144908.](https://crbug.com/1144908.)
[https://crbug.com/1154140](https://crbug.com/1154140)
[https://crbug.com/1161355](https://crbug.com/1161355)
[https://crbug.com/1214923](https://crbug.com/1214923)
[https://crbug.com/1302249](https://crbug.com/1302249)
[https://crbug.com/1313172](https://crbug.com/1313172)
[https://crbug.com/401439](https://crbug.com/401439)
[https://crbug.com/619103.](https://crbug.com/619103.)
[https://crbug.com/638180.](https://crbug.com/638180.)
[https://crbug.com/824383](https://crbug.com/824383)
[https://crbug.com/824647](https://crbug.com/824647)
[https://crbug.com/927119](https://crbug.com/927119)
[https://crbug.com/981419](https://crbug.com/981419)
[https://crbug.com/dawn/1016](https://crbug.com/dawn/1016)
[https://crbug.com/dawn/1071](https://crbug.com/dawn/1071)
[https://crbug.com/dawn/1203](https://crbug.com/dawn/1203)
[https://crbug.com/dawn/1264](https://crbug.com/dawn/1264)
[https://crbug.com/dawn/1302](https://crbug.com/dawn/1302)
[https://crbug.com/dawn/1305](https://crbug.com/dawn/1305)
[https://crbug.com/dawn/136](https://crbug.com/dawn/136)
[https://crbug.com/dawn/145](https://crbug.com/dawn/145)
[https://crbug.com/dawn/155](https://crbug.com/dawn/155)
[https://crbug.com/dawn/193](https://crbug.com/dawn/193)
[https://crbug.com/dawn/237](https://crbug.com/dawn/237)
[https://crbug.com/dawn/271](https://crbug.com/dawn/271)
[https://crbug.com/dawn/286](https://crbug.com/dawn/286)
[https://crbug.com/dawn/342](https://crbug.com/dawn/342)
[https://crbug.com/dawn/343](https://crbug.com/dawn/343)
[https://crbug.com/dawn/36](https://crbug.com/dawn/36)
[https://crbug.com/dawn/402](https://crbug.com/dawn/402)
[https://crbug.com/dawn/42](https://crbug.com/dawn/42)
[https://crbug.com/dawn/434](https://crbug.com/dawn/434)
[https://crbug.com/dawn/480](https://crbug.com/dawn/480)
[https://crbug.com/dawn/56](https://crbug.com/dawn/56)
[https://crbug.com/dawn/582](https://crbug.com/dawn/582)
[https://crbug.com/dawn/633](https://crbug.com/dawn/633)
[https://crbug.com/dawn/666](https://crbug.com/dawn/666)
[https://crbug.com/dawn/667](https://crbug.com/dawn/667)
[https://crbug.com/dawn/673](https://crbug.com/dawn/673)
[https://crbug.com/dawn/776](https://crbug.com/dawn/776)
[https://crbug.com/dawn/792](https://crbug.com/dawn/792)
[https://crbug.com/dawn/838](https://crbug.com/dawn/838)
[https://crbug.com/dawn/840](https://crbug.com/dawn/840)
[https://crbug.com/dawn/960](https://crbug.com/dawn/960)
[https://crbug.com/new](https://crbug.com/new)
[https://crbug.com/tint.](https://crbug.com/tint.)
[https://crbug.com/tint/1003](https://crbug.com/tint/1003)
[https://crbug.com/v8/7848](https://crbug.com/v8/7848)
[https://crbug.com/v8/8520](https://crbug.com/v8/8520)
[https://creativecommons.org/licenses/by](https://creativecommons.org/licenses/by)
[https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js](https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js)
[https://datatracker.ietf.org/doc/draft](https://datatracker.ietf.org/doc/draft)
[https://dawn.googlesource.com/dawn/](https://dawn.googlesource.com/dawn/)
[https://de.search.yahoo.com/favicon.ico](https://de.search.yahoo.com/favicon.ico)
[https://de.search.yahoo.com/search](https://de.search.yahoo.com/search)
[https://de.search.yahoo.com/sugg/chrome](https://de.search.yahoo.com/sugg/chrome)
[https://dev.chromium.org/throttling](https://dev.chromium.org/throttling)
[https://developer.chrome.com/blog/enabling](https://developer.chrome.com/blog/enabling)
[https://developer.chrome.com/blog/immutable](https://developer.chrome.com/blog/immutable)
[https://developer.chrome.com/blog/mv2](https://developer.chrome.com/blog/mv2)
[https://developer.chrome.com/docs/extensions/mv3/cross](https://developer.chrome.com/docs/extensions/mv3/cross)
[https://developer.mozilla.org/en](https://developer.mozilla.org/en)
[https://developers.cloudflare.com/1.1.1.1/privacy/public](https://developers.cloudflare.com/1.1.1.1/privacy/public)
[https://developers.google.com/speed/public](https://developers.google.com/speed/public)
[https://developers.google.com/web/updates/2016/08/removing](https://developers.google.com/web/updates/2016/08/removing)
[https://discord.com/invite/APGC3k5yaH](https://discord.com/invite/APGC3k5yaH)
[https://dk.search.yahoo.com/favicon.ico](https://dk.search.yahoo.com/favicon.ico)
[https://dk.search.yahoo.com/search](https://dk.search.yahoo.com/search)
[https://dl.gmx.com/apps/favicon.ico](https://dl.gmx.com/apps/favicon.ico)
[https://dns.google/dns](https://dns.google/dns)
[https://dns.quad9.net/dns](https://dns.quad9.net/dns)
[https://dns.sb/privacy/](https://dns.sb/privacy/)
[https://dns.switch.ch/dns](https://dns.switch.ch/dns)
[https://dns10.quad9.net/dns](https://dns10.quad9.net/dns)
[https://dns11.quad9.net/dns](https://dns11.quad9.net/dns)
[https://dns64.dns.google/dns](https://dns64.dns.google/dns)
[https://dnsnl.alekberg.net/dns](https://dnsnl.alekberg.net/dns)
[https://docs.google.com/](https://docs.google.com/)
[https://doh.cleanbrowsing.org/doh/adult](https://doh.cleanbrowsing.org/doh/adult)
[https://doh.cleanbrowsing.org/doh/family](https://doh.cleanbrowsing.org/doh/family)
[https://doh.cleanbrowsing.org/doh/security](https://doh.cleanbrowsing.org/doh/security)
[https://doh.cox.net/dns](https://doh.cox.net/dns)
[https://doh.dns.sb/dns](https://doh.dns.sb/dns)
[https://doh.familyshield.opendns.com/dns](https://doh.familyshield.opendns.com/dns)
[https://doh.opendns.com/dns](https://doh.opendns.com/dns)
[https://doh.quickline.ch/dns](https://doh.quickline.ch/dns)
[https://doh.xfinity.com/dns](https://doh.xfinity.com/dns)
[https://duckduckgo.com/ac/](https://duckduckgo.com/ac/)
[https://duckduckgo.com/chrome_newtab](https://duckduckgo.com/chrome_newtab)
[https://duckduckgo.com/favicon.ico](https://duckduckgo.com/favicon.ico)
[https://electronjs.org/docs/tutorial/security.](https://electronjs.org/docs/tutorial/security.)
[https://en.softonic.com/s/](https://en.softonic.com/s/)
[https://en.wikipedia.org/wiki/ANSI_escape_code](https://en.wikipedia.org/wiki/ANSI_escape_code)
[https://en.wikipedia.org/wiki/SPKAC](https://en.wikipedia.org/wiki/SPKAC)
[https://encoding.spec.whatwg.org/](https://encoding.spec.whatwg.org/)
[https://es.search.yahoo.com/favicon.ico](https://es.search.yahoo.com/favicon.ico)
[https://es.search.yahoo.com/search](https://es.search.yahoo.com/search)
[https://es.search.yahoo.com/sugg/chrome](https://es.search.yahoo.com/sugg/chrome)
[https://esdiscuss.org/topic/isconstructor](https://esdiscuss.org/topic/isconstructor)
[https://example.org](https://example.org)
[https://fi.search.yahoo.com/favicon.ico](https://fi.search.yahoo.com/favicon.ico)
[https://fi.search.yahoo.com/search](https://fi.search.yahoo.com/search)
[https://fr.search.yahoo.com/favicon.ico](https://fr.search.yahoo.com/favicon.ico)
[https://fr.search.yahoo.com/search](https://fr.search.yahoo.com/search)
[https://fr.search.yahoo.com/sugg/chrome](https://fr.search.yahoo.com/sugg/chrome)
[https://gcp.gvt2.com/](https://gcp.gvt2.com/)
[https://gcp.gvt6.com/](https://gcp.gvt6.com/)
[https://gist.github.com/XVilka/8346728](https://gist.github.com/XVilka/8346728)
[https://github.com/KhronosGroup/Vulkan](https://github.com/KhronosGroup/Vulkan)
[https://github.com/WICG/construct](https://github.com/WICG/construct)
[https://github.com/WICG/conversion](https://github.com/WICG/conversion)
[https://github.com/WICG/scheduling](https://github.com/WICG/scheduling)
[https://github.com/WebAssembly/esm](https://github.com/WebAssembly/esm)
[https://github.com/WebBluetoothCG/web](https://github.com/WebBluetoothCG/web)
[https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js](https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js)
[https://github.com/addaleax/eventemitter](https://github.com/addaleax/eventemitter)
[https://github.com/antirez/linenoise](https://github.com/antirez/linenoise)
[https://github.com/chalk/ansi](https://github.com/chalk/ansi)
[https://github.com/chalk/supports](https://github.com/chalk/supports)
[https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorithm_params.h](https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorithm_params.h)
[https://github.com/da](https://github.com/da)
[https://github.com/electron/electron/issues/18397.](https://github.com/electron/electron/issues/18397.)
[https://github.com/electron/electron/tree/v](https://github.com/electron/electron/tree/v)
[https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js](https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js)
[https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js](https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js)
[https://github.com/google/closure](https://github.com/google/closure)
[https://github.com/gpuweb/gpuweb/issues/1565](https://github.com/gpuweb/gpuweb/issues/1565)
[https://github.com/isaacs/color](https://github.com/isaacs/color)
[https://github.com/joyent/node/issues/3295.](https://github.com/joyent/node/issues/3295.)
[https://github.com/libuv/libuv/pull/1501.](https://github.com/libuv/libuv/pull/1501.)
[https://github.com/mafintosh/end](https://github.com/mafintosh/end)
[https://github.com/mafintosh/pump](https://github.com/mafintosh/pump)
[https://github.com/mysticatea/abort](https://github.com/mysticatea/abort)
[https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6](https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6)
[https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4](https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4)
[https://github.com/nodejs/node/issues/13435](https://github.com/nodejs/node/issues/13435)
[https://github.com/nodejs/node/issues/19009](https://github.com/nodejs/node/issues/19009)
[https://github.com/nodejs/node/issues/2006](https://github.com/nodejs/node/issues/2006)
[https://github.com/nodejs/node/issues/2119](https://github.com/nodejs/node/issues/2119)
[https://github.com/nodejs/node/issues/31074](https://github.com/nodejs/node/issues/31074)
[https://github.com/nodejs/node/issues/3392](https://github.com/nodejs/node/issues/3392)
[https://github.com/nodejs/node/issues/34532](https://github.com/nodejs/node/issues/34532)
[https://github.com/nodejs/node/issues/35475](https://github.com/nodejs/node/issues/35475)
[https://github.com/nodejs/node/issues/35862](https://github.com/nodejs/node/issues/35862)
[https://github.com/nodejs/node/issues/35981](https://github.com/nodejs/node/issues/35981)
[https://github.com/nodejs/node/issues/39707](https://github.com/nodejs/node/issues/39707)
[https://github.com/nodejs/node/issues/39758](https://github.com/nodejs/node/issues/39758)
[https://github.com/nodejs/node/pull/12342](https://github.com/nodejs/node/pull/12342)
[https://github.com/nodejs/node/pull/12607](https://github.com/nodejs/node/pull/12607)
[https://github.com/nodejs/node/pull/13870](https://github.com/nodejs/node/pull/13870)
[https://github.com/nodejs/node/pull/1771](https://github.com/nodejs/node/pull/1771)
[https://github.com/nodejs/node/pull/21313](https://github.com/nodejs/node/pull/21313)
[https://github.com/nodejs/node/pull/26334.](https://github.com/nodejs/node/pull/26334.)
[https://github.com/nodejs/node/pull/30380](https://github.com/nodejs/node/pull/30380)
[https://github.com/nodejs/node/pull/30958](https://github.com/nodejs/node/pull/30958)
[https://github.com/nodejs/node/pull/33515.](https://github.com/nodejs/node/pull/33515.)
[https://github.com/nodejs/node/pull/33661](https://github.com/nodejs/node/pull/33661)
[https://github.com/nodejs/node/pull/3394](https://github.com/nodejs/node/pull/3394)
[https://github.com/nodejs/node/pull/34010](https://github.com/nodejs/node/pull/34010)
[https://github.com/nodejs/node/pull/34103](https://github.com/nodejs/node/pull/34103)
[https://github.com/nodejs/node/pull/34375](https://github.com/nodejs/node/pull/34375)
[https://github.com/nodejs/node/pull/34385](https://github.com/nodejs/node/pull/34385)
[https://github.com/nodejs/node/pull/35949](https://github.com/nodejs/node/pull/35949)
[https://github.com/nodejs/node/pull/36061](https://github.com/nodejs/node/pull/36061)
[https://github.com/nodejs/node/pull/38248](https://github.com/nodejs/node/pull/38248)
[https://github.com/nodejs/node/pull/38433](https://github.com/nodejs/node/pull/38433)
[https://github.com/nodejs/node/pull/38614](https://github.com/nodejs/node/pull/38614)
[https://github.com/standard](https://github.com/standard)
[https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md](https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md)
[https://github.com/tc39/ecma262/issues/1209](https://github.com/tc39/ecma262/issues/1209)
[https://github.com/tc39/proposal](https://github.com/tc39/proposal)
[https://github.com/w3c/ServiceWorker/issues/1356.](https://github.com/w3c/ServiceWorker/issues/1356.)
[https://github.com/w3c/gamepad/pull/112](https://github.com/w3c/gamepad/pull/112)
[https://github.com/w3c/gamepad/pull/120](https://github.com/w3c/gamepad/pull/120)
[https://github.com/w3c/webappsec](https://github.com/w3c/webappsec)
[https://go.imgsmail.ru/favicon.ico](https://go.imgsmail.ru/favicon.ico)
[https://go.mail.ru/chrome/newtab/](https://go.mail.ru/chrome/newtab/)
[https://go.mail.ru/msearch](https://go.mail.ru/msearch)
[https://go.mail.ru/search](https://go.mail.ru/search)
[https://goo.gl/4NeimX](https://goo.gl/4NeimX)
[https://goo.gl/7K7WLu](https://goo.gl/7K7WLu)
[https://goo.gl/EuHzyv](https://goo.gl/EuHzyv)
[https://goo.gl/HxfxSQ](https://goo.gl/HxfxSQ)
[https://goo.gl/J6ASzs](https://goo.gl/J6ASzs)
[https://goo.gl/LdLk22](https://goo.gl/LdLk22)
[https://goo.gl/Y0ZkNV](https://goo.gl/Y0ZkNV)
[https://goo.gl/rStTGz](https://goo.gl/rStTGz)
[https://goo.gl/t5IS6M](https://goo.gl/t5IS6M)
[https://goo.gl/xX8pDD](https://goo.gl/xX8pDD)
[https://goo.gl/ximf56](https://goo.gl/ximf56)
[https://goo.gl/yabPex](https://goo.gl/yabPex)
[https://google.com/pay](https://google.com/pay)
[https://googlevideo.com/](https://googlevideo.com/)
[https://gpuweb.github.io/gpuweb/wgsl/](https://gpuweb.github.io/gpuweb/wgsl/)
[https://gvt1.com/](https://gvt1.com/)
[https://gvt2.com/](https://gvt2.com/)
[https://gvt6.com/](https://gvt6.com/)
[https://heycam.github.io/webidl/](https://heycam.github.io/webidl/)
[https://history.report](https://history.report)
[https://hk.search.yahoo.com/favicon.ico](https://hk.search.yahoo.com/favicon.ico)
[https://hk.search.yahoo.com/search](https://hk.search.yahoo.com/search)
[https://hk.search.yahoo.com/sugg/chrome](https://hk.search.yahoo.com/sugg/chrome)
[https://hladaj.atlas.sk/fulltext/](https://hladaj.atlas.sk/fulltext/)
[https://html.spec.whatwg.org/multipage/browsers.html](https://html.spec.whatwg.org/multipage/browsers.html)
[https://html.spec.whatwg.org/multipage/timers](https://html.spec.whatwg.org/multipage/timers)
[https://html.spec.whatwg.org/multipage/webappapis.html](https://html.spec.whatwg.org/multipage/webappapis.html)
[https://id.search.yahoo.com/favicon.ico](https://id.search.yahoo.com/favicon.ico)
[https://id.search.yahoo.com/search](https://id.search.yahoo.com/search)
[https://id.search.yahoo.com/sugg/chrome](https://id.search.yahoo.com/sugg/chrome)
[https://in.search.yahoo.com/favicon.ico](https://in.search.yahoo.com/favicon.ico)
[https://in.search.yahoo.com/search](https://in.search.yahoo.com/search)
[https://in.search.yahoo.com/sugg/chrome](https://in.search.yahoo.com/sugg/chrome)
[https://infra.spec.whatwg.org/](https://infra.spec.whatwg.org/)
[https://invisible](https://invisible)
[https://isearch.avg.com/search](https://isearch.avg.com/search)
[https://linux.die.net/man/1/dircolors](https://linux.die.net/man/1/dircolors)
[https://log.getdropbox.com/hpkp](https://log.getdropbox.com/hpkp)
[https://log.getdropbox.com/log/expectct](https://log.getdropbox.com/log/expectct)
[https://m.so.com/index.php](https://m.so.com/index.php)
[https://m.so.com/s](https://m.so.com/s)
[https://m.sogou.com/web/](https://m.sogou.com/web/)
[https://malaysia.search.yahoo.com/favicon.ico](https://malaysia.search.yahoo.com/favicon.ico)
[https://malaysia.search.yahoo.com/search](https://malaysia.search.yahoo.com/search)
[https://malaysia.search.yahoo.com/sugg/chrome](https://malaysia.search.yahoo.com/sugg/chrome)
[https://mathiasbynens.be/notes/javascript](https://mathiasbynens.be/notes/javascript)
[https://matteomarescotti.report](https://matteomarescotti.report)
[https://metager.de/favicon.ico](https://metager.de/favicon.ico)
[https://metager.de/meta/meta.ger3](https://metager.de/meta/meta.ger3)
[https://metager.org/meta/meta.ger3](https://metager.org/meta/meta.ger3)
[https://monitoring.url.loader.factory.invalid](https://monitoring.url.loader.factory.invalid)
[https://mths.be/punycode](https://mths.be/punycode)
[https://mx.search.yahoo.com/favicon.ico](https://mx.search.yahoo.com/favicon.ico)
[https://mx.search.yahoo.com/search](https://mx.search.yahoo.com/search)
[https://mx.search.yahoo.com/sugg/chrome](https://mx.search.yahoo.com/sugg/chrome)
[https://nextdns.io/privacy](https://nextdns.io/privacy)
[https://nl.search.yahoo.com/favicon.ico](https://nl.search.yahoo.com/favicon.ico)
[https://nl.search.yahoo.com/search](https://nl.search.yahoo.com/search)
[https://nl.search.yahoo.com/sugg/chrome](https://nl.search.yahoo.com/sugg/chrome)
[https://nl.softonic.com/s/](https://nl.softonic.com/s/)
[https://nodejs.org/api/cli.html](https://nodejs.org/api/cli.html)
[https://nodejs.org/api/fs.html](https://nodejs.org/api/fs.html)
[https://nodejs.org/download/release/v16.14.2/node](https://nodejs.org/download/release/v16.14.2/node)
[https://nodejs.org/en/docs/inspector](https://nodejs.org/en/docs/inspector)
[https://nodejs.org/static/images/favicons/favicon.ico](https://nodejs.org/static/images/favicons/favicon.ico)
[https://nova.rambler.ru/search](https://nova.rambler.ru/search)
[https://nova.rambler.ru/suggest](https://nova.rambler.ru/suggest)
[https://nz.search.yahoo.com/favicon.ico](https://nz.search.yahoo.com/favicon.ico)
[https://nz.search.yahoo.com/search](https://nz.search.yahoo.com/search)
[https://nz.search.yahoo.com/sugg/chrome](https://nz.search.yahoo.com/sugg/chrome)
[https://oceanhero.today/favicon.ico](https://oceanhero.today/favicon.ico)
[https://oceanhero.today/web](https://oceanhero.today/web)
[https://odvr.nic.cz/doh](https://odvr.nic.cz/doh)
[https://pe.search.yahoo.com/favicon.ico](https://pe.search.yahoo.com/favicon.ico)
[https://pe.search.yahoo.com/search](https://pe.search.yahoo.com/search)
[https://pe.search.yahoo.com/sugg/chrome](https://pe.search.yahoo.com/sugg/chrome)
[https://perfetto.dev/docs/contributing/getting](https://perfetto.dev/docs/contributing/getting)
[https://petalsearch.com/search](https://petalsearch.com/search)
[https://ph.search.yahoo.com/favicon.ico](https://ph.search.yahoo.com/favicon.ico)
[https://ph.search.yahoo.com/search](https://ph.search.yahoo.com/search)
[https://ph.search.yahoo.com/sugg/chrome](https://ph.search.yahoo.com/sugg/chrome)
[https://play.google.com/billing](https://play.google.com/billing)
[https://public.dns.iij.jp/dns](https://public.dns.iij.jp/dns)
[https://publickeyservice.aws.privacysandboxservices.com/v1alpha/publicKeys](https://publickeyservice.aws.privacysandboxservices.com/v1alpha/publicKeys)
[https://qc.search.yahoo.com/favicon.ico](https://qc.search.yahoo.com/favicon.ico)
[https://qc.search.yahoo.com/search](https://qc.search.yahoo.com/search)
[https://qc.search.yahoo.com/sugg/chrome](https://qc.search.yahoo.com/sugg/chrome)
[https://redirector.gvt1.com/edgedl/chrome/dict/](https://redirector.gvt1.com/edgedl/chrome/dict/)
[https://scotthelme.report](https://scotthelme.report)
[https://se.search.yahoo.com/favicon.ico](https://se.search.yahoo.com/favicon.ico)
[https://se.search.yahoo.com/search](https://se.search.yahoo.com/search)
[https://search.avg.com/route/](https://search.avg.com/route/)
[https://search.daum.net/favicon.ico](https://search.daum.net/favicon.ico)
[https://search.daum.net/search](https://search.daum.net/search)
[https://search.gmx.co.uk/web/result](https://search.gmx.co.uk/web/result)
[https://search.gmx.com/web/result](https://search.gmx.com/web/result)
[https://search.gmx.es/web/result](https://search.gmx.es/web/result)
[https://search.gmx.fr/web/result](https://search.gmx.fr/web/result)
[https://search.goo.ne.jp/cdn/common/img/favicon.ico](https://search.goo.ne.jp/cdn/common/img/favicon.ico)
[https://search.goo.ne.jp/sgt.jsp](https://search.goo.ne.jp/sgt.jsp)
[https://search.goo.ne.jp/web.jsp](https://search.goo.ne.jp/web.jsp)
[https://search.naver.com/search.naver](https://search.naver.com/search.naver)
[https://search.privacywall.org/suggest.php](https://search.privacywall.org/suggest.php)
[https://search.seznam.cz/favicon.ico](https://search.seznam.cz/favicon.ico)
[https://search.seznam.sk/favicon.ico](https://search.seznam.sk/favicon.ico)
[https://search.softonic.com/](https://search.softonic.com/)
[https://search.walla.co.il/](https://search.walla.co.il/)
[https://search.yahoo.co.jp/favicon.ico](https://search.yahoo.co.jp/favicon.ico)
[https://search.yahoo.co.jp/search](https://search.yahoo.co.jp/search)
[https://search.yahoo.com/favicon.ico](https://search.yahoo.com/favicon.ico)
[https://search.yahoo.com/search](https://search.yahoo.com/search)
[https://search.yahoo.com/sugg/chrome](https://search.yahoo.com/sugg/chrome)
[https://search.yahooapis.jp/AssistSearchService/V2/webassistSearch](https://search.yahooapis.jp/AssistSearchService/V2/webassistSearch)
[https://searchatlas.centrum.cz/favicon.ico](https://searchatlas.centrum.cz/favicon.ico)
[https://server1.example](https://server1.example)
[https://server2.example](https://server2.example)
[https://sg.search.yahoo.com/favicon.ico](https://sg.search.yahoo.com/favicon.ico)
[https://sg.search.yahoo.com/search](https://sg.search.yahoo.com/search)
[https://sg.search.yahoo.com/sugg/chrome](https://sg.search.yahoo.com/sugg/chrome)
[https://source.chromium.org/chromium/chromium/src/](https://source.chromium.org/chromium/chromium/src/)
[https://sourcemaps.info/spec.html](https://sourcemaps.info/spec.html)
[https://sp.ask.com/sh/i/a16/favicon/favicon.ico](https://sp.ask.com/sh/i/a16/favicon/favicon.ico)
[https://ssl.gstatic.com/](https://ssl.gstatic.com/)
[https://ssl.pstatic.net/sstatic/search/favicon/favicon_140327.ico](https://ssl.pstatic.net/sstatic/search/favicon/favicon_140327.ico)
[https://stackoverflow.com/a/5501711/3561](https://stackoverflow.com/a/5501711/3561)
[https://storage.ape.yandex.net/get/browser/Doodles/yandex/drawable](https://storage.ape.yandex.net/get/browser/Doodles/yandex/drawable)
[https://suche.gmx.at/web/result](https://suche.gmx.at/web/result)
[https://suche.gmx.net/web/result](https://suche.gmx.net/web/result)
[https://sug.so.360.cn/suggest](https://sug.so.360.cn/suggest)
[https://sugg.sogou.com/sugg/ajaj_json.jsp](https://sugg.sogou.com/sugg/ajaj_json.jsp)
[https://suggest.search.daum.net/sushi/opensearch/pc](https://suggest.search.daum.net/sushi/opensearch/pc)
[https://suggest.seznam.cz/fulltext_ff](https://suggest.seznam.cz/fulltext_ff)
[https://suggest.seznam.sk/fulltext_ff](https://suggest.seznam.sk/fulltext_ff)
[https://suggest.yandex.by/suggest](https://suggest.yandex.by/suggest)
[https://suggest.yandex.com.tr/suggest](https://suggest.yandex.com.tr/suggest)
[https://suggest.yandex.com/suggest](https://suggest.yandex.com/suggest)
[https://suggest.yandex.kz/suggest](https://suggest.yandex.kz/suggest)
[https://suggest.yandex.ru/suggest](https://suggest.yandex.ru/suggest)
[https://suggest.yandex.ua/suggest](https://suggest.yandex.ua/suggest)
[https://suggestion.baidu.com/su](https://suggestion.baidu.com/su)
[https://suggestplugin.gmx.at/s](https://suggestplugin.gmx.at/s)
[https://suggestplugin.gmx.co.uk/s](https://suggestplugin.gmx.co.uk/s)
[https://suggestplugin.gmx.com/s](https://suggestplugin.gmx.com/s)
[https://suggestplugin.gmx.es/s](https://suggestplugin.gmx.es/s)
[https://suggestplugin.gmx.fr/s](https://suggestplugin.gmx.fr/s)
[https://suggestplugin.gmx.net/s](https://suggestplugin.gmx.net/s)
[https://suggests.go.mail.ru/chrome](https://suggests.go.mail.ru/chrome)
[https://tc39.es/ecma262/](https://tc39.es/ecma262/)
[https://tc39.github.io/ecma262/](https://tc39.github.io/ecma262/)
[https://th.search.yahoo.com/favicon.ico](https://th.search.yahoo.com/favicon.ico)
[https://th.search.yahoo.com/search](https://th.search.yahoo.com/search)
[https://th.search.yahoo.com/sugg/chrome](https://th.search.yahoo.com/sugg/chrome)
[https://tobiassachs.report](https://tobiassachs.report)
[https://tools.ietf.org/html/rfc2397](https://tools.ietf.org/html/rfc2397)
[https://tools.ietf.org/html/rfc3492](https://tools.ietf.org/html/rfc3492)
[https://tools.ietf.org/html/rfc3986](https://tools.ietf.org/html/rfc3986)
[https://tools.ietf.org/html/rfc5280](https://tools.ietf.org/html/rfc5280)
[https://tools.ietf.org/html/rfc6455](https://tools.ietf.org/html/rfc6455)
[https://tools.ietf.org/html/rfc6960](https://tools.ietf.org/html/rfc6960)
[https://tools.ietf.org/html/rfc7230](https://tools.ietf.org/html/rfc7230)
[https://tools.ietf.org/html/rfc7540](https://tools.ietf.org/html/rfc7540)
[https://tr.search.yahoo.com/favicon.ico](https://tr.search.yahoo.com/favicon.ico)
[https://tr.search.yahoo.com/search](https://tr.search.yahoo.com/search)
[https://tw.search.yahoo.com/favicon.ico](https://tw.search.yahoo.com/favicon.ico)
[https://tw.search.yahoo.com/search](https://tw.search.yahoo.com/search)
[https://tw.search.yahoo.com/sugg/chrome](https://tw.search.yahoo.com/sugg/chrome)
[https://uk.search.yahoo.com/favicon.ico](https://uk.search.yahoo.com/favicon.ico)
[https://uk.search.yahoo.com/search](https://uk.search.yahoo.com/search)
[https://uk.search.yahoo.com/sugg/chrome](https://uk.search.yahoo.com/sugg/chrome)
[https://url.spec.whatwg.org/](https://url.spec.whatwg.org/)
[https://v8.dev/blog/v8](https://v8.dev/blog/v8)
[https://ve.search.yahoo.com/favicon.ico](https://ve.search.yahoo.com/favicon.ico)
[https://ve.search.yahoo.com/search](https://ve.search.yahoo.com/search)
[https://ve.search.yahoo.com/sugg/chrome](https://ve.search.yahoo.com/sugg/chrome)
[https://vn.search.yahoo.com/favicon.ico](https://vn.search.yahoo.com/favicon.ico)
[https://vn.search.yahoo.com/search](https://vn.search.yahoo.com/search)
[https://vn.search.yahoo.com/sugg/chrome](https://vn.search.yahoo.com/sugg/chrome)
[https://w3c.github.io/encrypted](https://w3c.github.io/encrypted)
[https://w3c.github.io/manifest/](https://w3c.github.io/manifest/)
[https://w3c.github.io/webappsec](https://w3c.github.io/webappsec)
[https://webrtc.org/web](https://webrtc.org/web)
[https://wiki.squid](https://wiki.squid)
[https://www.World](https://www.World)
[https://www.ask.com/web](https://www.ask.com/web)
[https://www.baidu.com/favicon.ico](https://www.baidu.com/favicon.ico)
[https://www.baidu.com/s](https://www.baidu.com/s)
[https://www.bing.com/chrome/newtab](https://www.bing.com/chrome/newtab)
[https://www.bing.com/images/detail/search](https://www.bing.com/images/detail/search)
[https://www.bing.com/osjson.aspx](https://www.bing.com/osjson.aspx)
[https://www.bing.com/sa/simg/bing_p_rr_teal_min.ico](https://www.bing.com/sa/simg/bing_p_rr_teal_min.ico)
[https://www.bing.com/search](https://www.bing.com/search)
[https://www.bluetooth.com/specifications/gatt/characteristics](https://www.bluetooth.com/specifications/gatt/characteristics)
[https://www.bluetooth.com/specifications/gatt/descriptors](https://www.bluetooth.com/specifications/gatt/descriptors)
[https://www.bluetooth.com/specifications/gatt/services](https://www.bluetooth.com/specifications/gatt/services)
[https://www.chromestatus.com/feature/4664843055398912](https://www.chromestatus.com/feature/4664843055398912)
[https://www.chromestatus.com/feature/5082396709879808](https://www.chromestatus.com/feature/5082396709879808)
[https://www.chromestatus.com/feature/5093566007214080](https://www.chromestatus.com/feature/5093566007214080)
[https://www.chromestatus.com/feature/5148698084376576](https://www.chromestatus.com/feature/5148698084376576)
[https://www.chromestatus.com/feature/5527160148197376](https://www.chromestatus.com/feature/5527160148197376)
[https://www.chromestatus.com/feature/5629582019395584.](https://www.chromestatus.com/feature/5629582019395584.)
[https://www.chromestatus.com/feature/5636954674692096](https://www.chromestatus.com/feature/5636954674692096)
[https://www.chromestatus.com/feature/5644273861001216.](https://www.chromestatus.com/feature/5644273861001216.)
[https://www.chromestatus.com/feature/5654791610957824](https://www.chromestatus.com/feature/5654791610957824)
[https://www.chromestatus.com/feature/5667793157488640](https://www.chromestatus.com/feature/5667793157488640)
[https://www.chromestatus.com/feature/5669008342777856](https://www.chromestatus.com/feature/5669008342777856)
[https://www.chromestatus.com/feature/5682658461876224.](https://www.chromestatus.com/feature/5682658461876224.)
[https://www.chromestatus.com/feature/5718547946799104](https://www.chromestatus.com/feature/5718547946799104)
[https://www.chromestatus.com/feature/5738264052891648](https://www.chromestatus.com/feature/5738264052891648)
[https://www.chromestatus.com/feature/5742188281462784.](https://www.chromestatus.com/feature/5742188281462784.)
[https://www.chromestatus.com/feature/5745543795965952](https://www.chromestatus.com/feature/5745543795965952)
[https://www.chromestatus.com/feature/5749447073988608](https://www.chromestatus.com/feature/5749447073988608)
[https://www.chromestatus.com/feature/5851021045661696.](https://www.chromestatus.com/feature/5851021045661696.)
[https://www.chromestatus.com/feature/6662647093133312](https://www.chromestatus.com/feature/6662647093133312)
[https://www.chromium.org/blink/origin](https://www.chromium.org/blink/origin)
[https://www.cisco.com/c/en/us/about/legal/privacy](https://www.cisco.com/c/en/us/about/legal/privacy)
[https://www.delfi.lt/favicon.ico](https://www.delfi.lt/favicon.ico)
[https://www.delfi.lt/paieska/](https://www.delfi.lt/paieska/)
[https://www.ecma](https://www.ecma)
[https://www.ecosia.org/search](https://www.ecosia.org/search)
[https://www.electronjs.org/docs/tutorial/application](https://www.electronjs.org/docs/tutorial/application)
[https://www.givero.com/favicon.ico](https://www.givero.com/favicon.ico)
[https://www.givero.com/search](https://www.givero.com/search)
[https://www.givero.com/suggest](https://www.givero.com/suggest)
[https://www.google.com/images/branding/product/ico/googleg_lodp.ico](https://www.google.com/images/branding/product/ico/googleg_lodp.ico)
[https://www.google.com/speech](https://www.google.com/speech)
[https://www.googleapis.com/geolocation/v1/geolocate](https://www.googleapis.com/geolocation/v1/geolocate)
[https://www.googleapis.com/spelling/v](https://www.googleapis.com/spelling/v)
[https://www.gstatic.com/securitykey/a/google.com/origins.json](https://www.gstatic.com/securitykey/a/google.com/origins.json)
[https://www.gstatic.com/securitykey/origins.json](https://www.gstatic.com/securitykey/origins.json)
[https://www.iana.org/assignments/tls](https://www.iana.org/assignments/tls)
[https://www.info.com/serp](https://www.info.com/serp)
[https://www.info.com/static/www.info.com/favicon.ico](https://www.info.com/static/www.info.com/favicon.ico)
[https://www.microsoft.com/en](https://www.microsoft.com/en)
[https://www.neti.ee/api/suggestOS](https://www.neti.ee/api/suggestOS)
[https://www.neti.ee/cgi](https://www.neti.ee/cgi)
[https://www.nic.cz/odvr/](https://www.nic.cz/odvr/)
[https://www.privacywall.org/images/favicon_32x32.ico](https://www.privacywall.org/images/favicon_32x32.ico)
[https://www.privacywall.org/search/secure/](https://www.privacywall.org/search/secure/)
[https://www.quad9.net/home/privacy/](https://www.quad9.net/home/privacy/)
[https://www.qwant.com/favicon.ico](https://www.qwant.com/favicon.ico)
[https://www.recent](https://www.recent)
[https://www.so.com/favicon.ico](https://www.so.com/favicon.ico)
[https://www.so.com/s](https://www.so.com/s)
[https://www.softonic.com.br/s/](https://www.softonic.com.br/s/)
[https://www.softonic.com/s/](https://www.softonic.com/s/)
[https://www.sogou.com/images/logo/old/favicon.ico](https://www.sogou.com/images/logo/old/favicon.ico)
[https://www.sogou.com/web](https://www.sogou.com/web)
[https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt](https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt)
[https://www.verisign.com/cps04000000Z](https://www.verisign.com/cps04000000Z)
[https://www.verisign.com/rpa](https://www.verisign.com/rpa)
[https://www.w3.org/TR/WebCryptoAPI/](https://www.w3.org/TR/WebCryptoAPI/)
[https://www.w3.org/TR/hr](https://www.w3.org/TR/hr)
[https://www.w3.org/TR/mse](https://www.w3.org/TR/mse)
[https://www.w3.org/TR/powerful](https://www.w3.org/TR/powerful)
[https://www.w3.org/TR/webauthn](https://www.w3.org/TR/webauthn)
[https://www.yandex.by/chrome/newtab](https://www.yandex.by/chrome/newtab)
[https://www.yandex.com.tr/chrome/newtab](https://www.yandex.com.tr/chrome/newtab)
[https://www.yandex.kz/chrome/newtab](https://www.yandex.kz/chrome/newtab)
[https://www.yandex.ru/chrome/newtab](https://www.yandex.ru/chrome/newtab)
[https://www.yandex.ua/chrome/newtab](https://www.yandex.ua/chrome/newtab)
[https://www.zoznam.sk/favicon.ico](https://www.zoznam.sk/favicon.ico)
[https://www.zoznam.sk/hladaj.fcgi](https://www.zoznam.sk/hladaj.fcgi)
[https://xhr.spec.whatwg.org/.](https://xhr.spec.whatwg.org/.)
[https://yandex.by/images/search/](https://yandex.by/images/search/)
[https://yandex.com.tr/gorsel/search](https://yandex.com.tr/gorsel/search)
[https://yandex.com/images/search](https://yandex.com/images/search)
[https://yandex.com/search/](https://yandex.com/search/)
[https://yandex.kz/images/search/](https://yandex.kz/images/search/)
[https://yandex.ru/images/search/](https://yandex.ru/images/search/)
[https://yandex.ua/images/search/](https://yandex.ua/images/search/)
[https://yastatic.net/lego/_/pDu9OWAQKB0s2J9IojKpiS_Eho.ico](https://yastatic.net/lego/_/pDu9OWAQKB0s2J9IojKpiS_Eho.ico)
[https://yastatic.net/lego/_/rBTjd6UOPk5913OSn5ZQVYMTQWQ.ico](https://yastatic.net/lego/_/rBTjd6UOPk5913OSn5ZQVYMTQWQ.ico) | 
-| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | 
-| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [AccountPasswordsConsent](https://github.com/search?q=AccountPasswordsConsent&type=code)
[ChromePasswordManagerClient](https://github.com/search?q=ChromePasswordManagerClient&type=code)
[GaiaPasswordCaptured](https://github.com/search?q=GaiaPasswordCaptured&type=code)
[GaiaPasswordReuse](https://github.com/search?q=GaiaPasswordReuse&type=code)
[Invalid password pattern](https://github.com/search?q=Invalid+password+pattern&type=code)
[PasswordH](https://github.com/search?q=PasswordH&type=code)
[PasswordIssues](https://github.com/search?q=PasswordIssues&type=code)
[PasswordReuseDetected](https://github.com/search?q=PasswordReuseDetected&type=code)
[PasswordReuseLookup](https://github.com/search?q=PasswordReuseLookup&type=code)
[PasswordReveal](https://github.com/search?q=PasswordReveal&type=code)
[PasswordSpecificsData](https://github.com/search?q=PasswordSpecificsData&type=code)
[SetPasswordFunc](https://github.com/search?q=SetPasswordFunc&type=code)
[Username and password are expected to](https://github.com/search?q=Username+and+password+are+expected+to&type=code)
[a username and password](https://github.com/search?q=a+username+and+password&type=code)
[accessibilityPasswordValuesEnabled](https://github.com/search?q=accessibilityPasswordValuesEnabled&type=code)
[and password fields set](https://github.com/search?q=and+password+fields+set&type=code)
[bPassword](https://github.com/search?q=bPassword&type=code)
[challengePassword](https://github.com/search?q=challengePassword&type=code)
[const has_password](https://github.com/search?q=const+has_password&type=code)
[current-password](https://github.com/search?q=current-password&type=code)
[gaia_password_reuse](https://github.com/search?q=gaia_password_reuse&type=code)
[generated a new password](https://github.com/search?q=generated+a+new+password&type=code)
[get password](https://github.com/search?q=get+password&type=code)
[getPasswordComplete](https://github.com/search?q=getPasswordComplete&type=code)
[have-a-username-password-port](https://github.com/search?q=have-a-username-password-port&type=code)
[have-username-password-port](https://github.com/search?q=have-username-password-port&type=code)
[id-PasswordBasedMAC](https://github.com/search?q=id-PasswordBasedMAC&type=code)
[keyring_delete_password](https://github.com/search?q=keyring_delete_password&type=code)
[keyring_find_password_sync](https://github.com/search?q=keyring_find_password_sync&type=code)
[keyring_free_password](https://github.com/search?q=keyring_free_password&type=code)
[keyring_store_password_sync](https://github.com/search?q=keyring_store_password_sync&type=code)
[like a password](https://github.com/search?q=like+a+password&type=code)
[new-password](https://github.com/search?q=new-password&type=code)
[or PasswordCredentialData](https://github.com/search?q=or+PasswordCredentialData&type=code)
[password based MAC](https://github.com/search?q=password+based+MAC&type=code)
[password is too large](https://github.com/search?q=password+is+too+large&type=code)
[password text](https://github.com/search?q=password+text&type=code)
[password-change](https://github.com/search?q=password-change&type=code)
[password-protection](https://github.com/search?q=password-protection&type=code)
[password-reveal](https://github.com/search?q=password-reveal&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[passwordChar](https://github.com/search?q=passwordChar&type=code)
[passwordDialogTitle](https://github.com/search?q=passwordDialogTitle&type=code)
[passwordEchoEnabled](https://github.com/search?q=passwordEchoEnabled&type=code)
[passwordEdit](https://github.com/search?q=passwordEdit&type=code)
[passwordInvalid](https://github.com/search?q=passwordInvalid&type=code)
[passwordPrompt](https://github.com/search?q=passwordPrompt&type=code)
[passwordSubmit](https://github.com/search?q=passwordSubmit&type=code)
[password_specifics](https://github.com/search?q=password_specifics&type=code)
[readPassword](https://github.com/search?q=readPassword&type=code)
[secret_password_clear_sync](https://github.com/search?q=secret_password_clear_sync&type=code)
[secret_password_store_sync](https://github.com/search?q=secret_password_store_sync&type=code)
[set password](https://github.com/search?q=set+password&type=code)
[such as passwords](https://github.com/search?q=such+as+passwords&type=code)
[to deserialize password_string](https://github.com/search?q=to+deserialize+password_string&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[username or password](https://github.com/search?q=username+or+password&type=code)
[writePassword](https://github.com/search?q=writePassword&type=code) | 
-| LOW | [credential/password/finder](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password_finder.yara#gnome_keyring_sync) | gnome keyring sync | [gnome_keyring_find_password_sync](https://github.com/search?q=gnome_keyring_find_password_sync&type=code) | 
-| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[privateKey](https://github.com/search?q=privateKey&type=code)
[private_key](https://github.com/search?q=private_key&type=code) | 
-| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) | 
-| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [AeadEncryptDecrypt](https://github.com/search?q=AeadEncryptDecrypt&type=code)
[AesCbcEncryptDecrypt](https://github.com/search?q=AesCbcEncryptDecrypt&type=code)
[CommonEncryptDecrypt](https://github.com/search?q=CommonEncryptDecrypt&type=code)
[ContentDecryptionModuleClient](https://github.com/search?q=ContentDecryptionModuleClient&type=code)
[CreateContentDecryptionModule](https://github.com/search?q=CreateContentDecryptionModule&type=code)
[Creation of DecryptConfig failed](https://github.com/search?q=Creation+of+DecryptConfig+failed&type=code)
[DecryptAndDecodeAudio](https://github.com/search?q=DecryptAndDecodeAudio&type=code)
[DecryptAndDecodeVideo](https://github.com/search?q=DecryptAndDecodeVideo&type=code)
[DecryptPendingBuffer](https://github.com/search?q=DecryptPendingBuffer&type=code)
[Decrypted a 0](https://github.com/search?q=Decrypted+a+0&type=code)
[DecryptingAudioDecoder](https://github.com/search?q=DecryptingAudioDecoder&type=code)
[DecryptingVideoDecoder](https://github.com/search?q=DecryptingVideoDecoder&type=code)
[Decryption failed](https://github.com/search?q=Decryption+failed&type=code)
[Decryption is not avail](https://github.com/search?q=Decryption+is+not+avail&type=code)
[DoDecryptReply](https://github.com/search?q=DoDecryptReply&type=code)
[For a Content Decryption Module](https://github.com/search?q=For+a+Content+Decryption+Module&type=code)
[GetFrameDecryptor](https://github.com/search?q=GetFrameDecryptor&type=code)
[Hardware Secure Decryption is disabled](https://github.com/search?q=Hardware+Secure+Decryption+is+disabled&type=code)
[HardwareSecureDecryptionExperiment](https://github.com/search?q=HardwareSecureDecryptionExperiment&type=code)
[MojoDecryptorService](https://github.com/search?q=MojoDecryptorService&type=code)
[Selected DecryptingDemuxerStream](https://github.com/search?q=Selected+DecryptingDemuxerStream&type=code)
[Setting FrameDecryptor](https://github.com/search?q=Setting+FrameDecryptor&type=code)
[WaitingForDecryptionKey](https://github.com/search?q=WaitingForDecryptionKey&type=code)
[_privateDecrypt](https://github.com/search?q=_privateDecrypt&type=code)
[_publicDecrypt](https://github.com/search?q=_publicDecrypt&type=code)
[ause of SetFrameDecryptor](https://github.com/search?q=ause+of+SetFrameDecryptor&type=code)
[const privateDecrypt](https://github.com/search?q=const+privateDecrypt&type=code)
[const publicDecrypt](https://github.com/search?q=const+publicDecrypt&type=code)
[e to set ContentDecryptionModule object](https://github.com/search?q=e+to+set+ContentDecryptionModule+object&type=code)
[existing ContentDecryptionModule object](https://github.com/search?q=existing+ContentDecryptionModule+object&type=code)
[kDecryptError](https://github.com/search?q=kDecryptError&type=code)
[kIsAudioDecryptingDemuxerStream](https://github.com/search?q=kIsAudioDecryptingDemuxerStream&type=code)
[kIsVideoDecryptingDemuxerStream](https://github.com/search?q=kIsVideoDecryptingDemuxerStream&type=code)
[kWebCryptoCipherDecrypt](https://github.com/search?q=kWebCryptoCipherDecrypt&type=code)
[ketsReceivedWithDecrypter](https://github.com/search?q=ketsReceivedWithDecrypter&type=code) | 
-| LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) | 
-| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | 
-| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public Key](https://github.com/search?q=Public+Key&type=code)
[Public key](https://github.com/search?q=Public+key&type=code)
[Public-key](https://github.com/search?q=Public-key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | 
-| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code)
[require('tls')](https://github.com/search?q=require%28%27tls%27%29&type=code) | 
-| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | 
-| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | 
-| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | 
-| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | 
-| LOW | [data/embedded/pem_certificate](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert) | Contains embedded PEM certificate | [--BEGIN CERTIFICATE--](https://github.com/search?q=--BEGIN+CERTIFICATE--&type=code) | 
-| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | 
-| LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSON.parse](https://github.com/search?q=JSON.parse&type=code) | 
-| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | 
-| LOW | 
[data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | 
-| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | 
-| LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | 
-| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | 
-| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | 
-| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | 
-| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | 
-| LOW | [evasion/hijack_execution/LD_LIBRARY_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hijack_execution/LD_LIBRARY_PATH.yara#ld_library_path) | ld library path | [LD_LIBRARY_PATH](https://github.com/search?q=LD_LIBRARY_PATH&type=code) | 
-| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | 
-| LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | 
-| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | 
-| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Chromium PDF Plugin](https://github.com/search?q=Chromium+PDF+Plugin&type=code)
[ContainsPlugins](https://github.com/search?q=ContainsPlugins&type=code)
[Failed to generate a plugin id](https://github.com/search?q=Failed+to+generate+a+plugin+id&type=code)
[GetPluginInfo](https://github.com/search?q=GetPluginInfo&type=code)
[GetPlugins](https://github.com/search?q=GetPlugins&type=code)
[If you want to block plugins](https://github.com/search?q=If+you+want+to+block+plugins&type=code)
[Is an accelerated plugin](https://github.com/search?q=Is+an+accelerated+plugin&type=code)
[LoadPluginsSoon](https://github.com/search?q=LoadPluginsSoon&type=code)
[No PPP_GetInterface in plugin library](https://github.com/search?q=No+PPP_GetInterface+in+plugin+library&type=code)
[No PPP_InitializeModule in plugin library](https://github.com/search?q=No+PPP_InitializeModule+in+plugin+library&type=code)
[OnPepperPluginCrashed](https://github.com/search?q=OnPepperPluginCrashed&type=code)
[OnPepperPluginHung](https://github.com/search?q=OnPepperPluginHung&type=code)
[OpenChannelToPepperPlugin](https://github.com/search?q=OpenChannelToPepperPlugin&type=code)
[Pepper Plugin Broker](https://github.com/search?q=Pepper+Plugin+Broker&type=code)
[PepperPluginInstance](https://github.com/search?q=PepperPluginInstance&type=code)
[Plugin Changed](https://github.com/search?q=Plugin+Changed&type=code)
[Plugin URL](https://github.com/search?q=Plugin+URL&type=code)
[Plugin doesn](https://github.com/search?q=Plugin+doesn&type=code)
[PluginArray](https://github.com/search?q=PluginArray&type=code)
[PluginContextSecurity](https://github.com/search?q=PluginContextSecurity&type=code)
[PluginData](https://github.com/search?q=PluginData&type=code)
[PluginDispatcher](https://github.com/search?q=PluginDispatcher&type=code)
[PluginLoad](https://github.com/search?q=PluginLoad&type=code)
[PluginPrivate](https://github.com/search?q=PluginPrivate&type=code)
[PluginRegistry](https://github.com/search?q=PluginRegistry&type=code)
[PluginResource](https://github.com/search?q=PluginResource&type=code)
[PluginService](https://github.com/search?q=PluginService&type=code)
[PluginSizeUpdated](https://github.com/search?q=PluginSizeUpdated&type=code)
[PpapiMsg_LoadPlugin](https://github.com/search?q=PpapiMsg_LoadPlugin&type=code)
[PpapiPluginMain](https://github.com/search?q=PpapiPluginMain&type=code)
[PpapiPluginMetrics](https://github.com/search?q=PpapiPluginMetrics&type=code)
[RemoveBrowserPluginEmbedder](https://github.com/search?q=RemoveBrowserPluginEmbedder&type=code)
[SendToPlugin](https://github.com/search?q=SendToPlugin&type=code)
[SetBrowserPluginGuest](https://github.com/search?q=SetBrowserPluginGuest&type=code)
[The plugin has not](https://github.com/search?q=The+plugin+has+not&type=code)
[Unable to create ppapi plugin process](https://github.com/search?q=Unable+to+create+ppapi+plugin+process&type=code)
[Unable to load plugin](https://github.com/search?q=Unable+to+load+plugin&type=code)
[Unable to load ppapi plugin](https://github.com/search?q=Unable+to+load+ppapi+plugin&type=code)
[allowNonEmptyNavigatorPlugins](https://github.com/search?q=allowNonEmptyNavigatorPlugins&type=code)
[as a plugin](https://github.com/search?q=as+a+plugin&type=code)
[browserplugin](https://github.com/search?q=browserplugin&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[html_plugin_element](https://github.com/search?q=html_plugin_element&type=code)
[kPluginObject](https://github.com/search?q=kPluginObject&type=code)
[loadplugin](https://github.com/search?q=loadplugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[page contains plugins](https://github.com/search?q=page+contains+plugins&type=code)
[pdf_internal_plugin_wrapper](https://github.com/search?q=pdf_internal_plugin_wrapper&type=code)
[pdf_view_plugin_base](https://github.com/search?q=pdf_view_plugin_base&type=code)
[pdf_view_web_plugin](https://github.com/search?q=pdf_view_web_plugin&type=code)
[pepper_hung_plugin_filter](https://github.com/search?q=pepper_hung_plugin_filter&type=code)
[pepper_webplugin_impl](https://github.com/search?q=pepper_webplugin_impl&type=code)
[plugin data](https://github.com/search?q=plugin+data&type=code)
[pluginObject](https://github.com/search?q=pluginObject&type=code)
[plugin_audio_thread](https://github.com/search?q=plugin_audio_thread&type=code)
[plugin_container_impl](https://github.com/search?q=plugin_container_impl&type=code)
[plugin_instance_impl](https://github.com/search?q=plugin_instance_impl&type=code)
[plugin_message_filter](https://github.com/search?q=plugin_message_filter&type=code)
[plugin_module](https://github.com/search?q=plugin_module&type=code)
[plugin_private_storage](https://github.com/search?q=plugin_private_storage&type=code)
[plugin_process_host](https://github.com/search?q=plugin_process_host&type=code)
[plugin_service_impl](https://github.com/search?q=plugin_service_impl&type=code)
[pluginprH](https://github.com/search?q=pluginprH&type=code)
[pluginsEnabled](https://github.com/search?q=pluginsEnabled&type=code)
[pluginspace](https://github.com/search?q=pluginspace&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[pluginurl](https://github.com/search?q=pluginurl&type=code)
[ppapi_plugin_main](https://github.com/search?q=ppapi_plugin_main&type=code)
[ppapi_plugin_process](https://github.com/search?q=ppapi_plugin_process&type=code)
[r PluginH](https://github.com/search?q=r+PluginH&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code)
[security origin than your plugin](https://github.com/search?q=security+origin+than+your+plugin&type=code)
[strictMixedContentCheckingForPlugin](https://github.com/search?q=strictMixedContentCheckingForPlugin&type=code)
[suggestplugin](https://github.com/search?q=suggestplugin&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectoryAndGetEr](https://github.com/search?q=CreateDirectoryAndGetEr&type=code)
[CreateDirectoryResult](https://github.com/search?q=CreateDirectoryResult&type=code)
[createFolder](https://github.com/search?q=createFolder&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | -| LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm HP-USB500 5.1 Headset](https://github.com/search?q=rm+HP-USB500+5.1+Headset&type=code)
[rm PA-WL54GU](https://github.com/search?q=rm+PA-WL54GU&type=code) | -| LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | -| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | -| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | -| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code)
[fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code) | -| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | -| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code)
[writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeIntoFile](https://github.com/search?q=writeIntoFile&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code) | -| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | -| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/asound.conf](https://github.com/search?q=%2Fetc%2Fasound.conf&type=code)
[/etc/ati/amdpcsdb.default](https://github.com/search?q=%2Fetc%2Fati%2Famdpcsdb.default&type=code)
[/etc/catalog](https://github.com/search?q=%2Fetc%2Fcatalog&type=code)
[/etc/chromium/native-messaging-hosts](https://github.com/search?q=%2Fetc%2Fchromium%2Fnative-messaging-hosts&type=code)
[/etc/chromium/policies](https://github.com/search?q=%2Fetc%2Fchromium%2Fpolicies&type=code)
[/etc/fallback](https://github.com/search?q=%2Fetc%2Ffallback&type=code)
[/etc/fonts.xml](https://github.com/search?q=%2Fetc%2Ffonts.xml&type=code)
[/etc/host.conf](https://github.com/search?q=%2Fetc%2Fhost.conf&type=code)
[/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code)
[/etc/localtime](https://github.com/search?q=%2Fetc%2Flocaltime&type=code)
[/etc/lsb-release](https://github.com/search?q=%2Fetc%2Flsb-release&type=code)
[/etc/nsswitch.conf](https://github.com/search?q=%2Fetc%2Fnsswitch.conf&type=code)
[/etc/os-release](https://github.com/search?q=%2Fetc%2Fos-release&type=code)
[/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/ssl/certs](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts&type=code)
[/etc/svc.conf](https://github.com/search?q=%2Fetc%2Fsvc.conf&type=code)
[/etc/system](https://github.com/search?q=%2Fetc%2Fsystem&type=code)
[/etc/timezone](https://github.com/search?q=%2Fetc%2Ftimezone&type=code)
[/etc/vulkan/icd.d](https://github.com/search?q=%2Fetc%2Fvulkan%2Ficd.d&type=code)
[/etc/xml/catalog](https://github.com/search?q=%2Fetc%2Fxml%2Fcatalog&type=code) | -| LOW | [fs/path/etc_resolv.conf](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf) | accesses DNS resolver configuration | [/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code) | -| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/privacy/](https://github.com/search?q=%2Fhome%2Fprivacy%2F&type=code) | -| LOW | [fs/path/home_config](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path) | path reference within ~/.config | [.config/pulse](https://github.com/search?q=.config%2Fpulse&type=code)
[/.config/user](https://github.com/search?q=%2F.config%2Fuser&type=code) | -| LOW | [fs/path/usr_bin](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path) | path reference within /usr/bin | [/usr/bin/wget](https://github.com/search?q=%2Fusr%2Fbin%2Fwget&type=code) | -| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/cache/fontconfig](https://github.com/search?q=%2Fvar%2Fcache%2Ffontconfig&type=code)
[/var/log/bluetooth/bluetooth_quality_report](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Fbluetooth_quality_report&type=code)
[/var/log/bluetooth/log.bz2.old](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Flog.bz2.old&type=code)
[/var/run/user](https://github.com/search?q=%2Fvar%2Frun%2Fuser&type=code)
[/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | -| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | -| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TEMPDIR](https://github.com/search?q=TEMPDIR&type=code)
[TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | -| LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | -| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [tmpfile](https://github.com/search?q=tmpfile&type=code) | -| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | -| LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) | -| LOW | [impact/ui/screen_capture](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ui/screen-capture.yara#macos_screen_capture) | macos screen capture | [captureScreen](https://github.com/search?q=captureScreen&type=code) | -| LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [require('dns')](https://github.com/search?q=require%28%27dns%27%29&type=code) | -| LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [resolv.conf](https://github.com/search?q=resolv.conf&type=code) | -| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | -| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | -| LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | -| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with basic authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | -| LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [oauth2](https://github.com/search?q=oauth2&type=code) | -| LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[httpClose](https://github.com/search?q=httpClose&type=code)
[httpConnect](https://github.com/search?q=httpConnect&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code) | -| LOW | [net/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets) | access the internet | [invalid packet](https://github.com/search?q=invalid+packet&type=code) | -| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | -| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#cannot_resolve) | resolve network host name to IP address | [cannot resolve](https://github.com/search?q=cannot+resolve&type=code) | -| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | -| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [client_address_spac](https://github.com/search?q=client_address_spac&type=code)
[getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code)
[sendmmsg](https://github.com/search?q=sendmmsg&type=code)
[sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | -| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code)
[new URL](https://github.com/search?q=new+URL&type=code) | -| LOW | [os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val) | Retrieve environment variable values | [env.COLORTERM](https://github.com/search?q=env.COLORTERM&type=code)
[env.ELECTRON](https://github.com/search?q=env.ELECTRON&type=code)
[env.FORCE](https://github.com/search?q=env.FORCE&type=code)
[env.NODE](https://github.com/search?q=env.NODE&type=code)
[env.ORIGINAL](https://github.com/search?q=env.ORIGINAL&type=code)
[env.TEAMCITY](https://github.com/search?q=env.TEAMCITY&type=code)
[env.TEMP](https://github.com/search?q=env.TEMP&type=code)
[env.TERM](https://github.com/search?q=env.TERM&type=code)
[env.TMP](https://github.com/search?q=env.TMP&type=code)
[env.TMUX](https://github.com/search?q=env.TMUX&type=code)
[env.USERPROFILE](https://github.com/search?q=env.USERPROFILE&type=code)
[env.XDG](https://github.com/search?q=env.XDG&type=code) | -| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | -| LOW | [os/fd/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#py_fd_read) | reads from a file handle | [context.read()](https://github.com/search?q=context.read%28%29&type=code)
[reader.read()](https://github.com/search?q=reader.read%28%29&type=code)
[req.read()](https://github.com/search?q=req.read%28%29&type=code)
[self.read()](https://github.com/search?q=self.read%28%29&type=code)
[socket.read()](https://github.com/search?q=socket.read%28%29&type=code)
[stream.read()](https://github.com/search?q=stream.read%28%29&type=code)
[tail.read()](https://github.com/search?q=tail.read%28%29&type=code) | -| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) | -| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [_decoder.write(b)](https://github.com/search?q=_decoder.write%28b%29&type=code)
[_decoder.write(ret)](https://github.com/search?q=_decoder.write%28ret%29&type=code)
[_downstream.write(e)](https://github.com/search?q=_downstream.write%28e%29&type=code)
[decoder.write(chunk)](https://github.com/search?q=decoder.write%28chunk%29&type=code)
[decoder.write(data)](https://github.com/search?q=decoder.write%28data%29&type=code)
[dest.write(chunk)](https://github.com/search?q=dest.write%28chunk%29&type=code)
[output.write(errStack)](https://github.com/search?q=output.write%28errStack%29&type=code)
[output.write(line)](https://github.com/search?q=output.write%28line%29&type=code)
[output.write(result)](https://github.com/search?q=output.write%28result%29&type=code)
[output.write(stringToWrite)](https://github.com/search?q=output.write%28stringToWrite%29&type=code)
[pt.write(val)](https://github.com/search?q=pt.write%28val%29&type=code)
[self.write(prefix)](https://github.com/search?q=self.write%28prefix%29&type=code)
[stdout.write(s)](https://github.com/search?q=stdout.write%28s%29&type=code)
[stream.write(data)](https://github.com/search?q=stream.write%28data%29&type=code)
[stream.write(string)](https://github.com/search?q=stream.write%28string%29&type=code)
[streamWritable.write(chunk)](https://github.com/search?q=streamWritable.write%28chunk%29&type=code)
[this.write(buf)](https://github.com/search?q=this.write%28buf%29&type=code)
[this.write(data)](https://github.com/search?q=this.write%28data%29&type=code)
[this.write(response)](https://github.com/search?q=this.write%28response%29&type=code)
[writable.write(chunk)](https://github.com/search?q=writable.write%28chunk%29&type=code)
[writer.write(chunk)](https://github.com/search?q=writer.write%28chunk%29&type=code) | -| LOW | [os/kernel/netlink](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink) | communicate with kernel services | [netlink](https://github.com/search?q=netlink&type=code) | -| LOW | [os/kernel/perfmon](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/perfmon.yara#perf_event_open) | set up performance monitoring | [perf_event_open](https://github.com/search?q=perf_event_open&type=code) | -| LOW | [os/kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) | -| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | -| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd](https://github.com/search?q=cd&type=code) | -| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | -| LOW | [process/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#syscall_vfork) | [create child process](https://man7.org/linux/man-pages/man2/vfork.2.html) | [vfork](https://github.com/search?q=vfork&type=code) | -| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | 
[setgid](https://github.com/search?q=setgid&type=code) |
-| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) |
-| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
-
diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple
index d979ac232..e69de29bb 100644
--- a/tests/linux/clean/containerd.simple
+++ b/tests/linux/clean/containerd.simple
@@ -1,134 +0,0 @@
-# linux/clean/containerd: medium
-c2/addr/ip: medium
-c2/addr/server: medium
-c2/addr/url: low
-c2/client: medium
-c2/tool_transfer/arch: low
-c2/tool_transfer/os: medium
-collect/archives/zip: medium
-collect/databases/mysql: medium
-credential/password: low
-credential/sniffer/bpf: medium
-credential/sniffer/pcap: medium
-credential/ssl/private_key: low
-crypto/aes: low
-crypto/cipher: medium
-crypto/decrypt: low
-crypto/ecdsa: low
-crypto/ed25519: low
-crypto/public_key: low
-crypto/tls: low
-data/compression/bzip2: low
-data/compression/gzip: low
-data/compression/zlib: low
-data/compression/zstd: low
-data/embedded/html: medium
-data/embedded/zstd: medium
-data/encoding/base64: low
-data/encoding/json: low
-data/encoding/json_decode: low
-data/hash/md5: low
-discover/network/mac_address: medium
-discover/system/cpu: low
-discover/system/hostname: low
-discover/system/platform: medium
-discover/user/USER: low
-evasion/file/location/dev_mqueue: medium
-evasion/file/location/dev_shm: medium
-evasion/file/location/var_run: medium
-evasion/process_injection/ptrace: medium
-exec/plugin: low
-exec/program: medium
-exec/reconfigure/hostname_set: low
-exec/shell/TERM: low
-exec/system_controls/apparmor: medium
-exec/system_controls/systemd: low
-fs/attributes/set: medium
-fs/directory/create: low
-fs/directory/list: low
-fs/directory/remove: low
-fs/event_monitoring: low
-fs/file/copy: medium
-fs/file/create: medium
-fs/file/delete: low
-fs/file/delete_forcibly: low
-fs/file/open: low
-fs/file/read: low
-fs/file/rename: low
-fs/file/times_set: medium
-fs/file/write: low
-fs/link_create: low
-fs/link_read: low
-fs/lock_update: low
-fs/loopback: medium
-fs/mount: low
-fs/node_create: low
-fs/path/etc: low
-fs/path/etc_hosts: medium
-fs/path/etc_resolv.conf: low
-fs/path/home: low
-fs/path/usr_local: medium
-fs/path/var: low
-fs/permission/chown: medium
-fs/permission/modify: medium
-fs/proc/arbitrary_pid: medium
-fs/proc/net_route: medium
-fs/proc/self_cgroup: medium
-fs/proc/self_mountinfo: medium
-fs/tempdir/TEMP: low
-fs/tempdir/create: low
-fs/tempfile: low
-fs/unmount: low
-fs/watch: low
-hw/dev/block_ice: medium
-hw/dev/mapper: medium
-impact/remote_access/heartbeat: medium
-net/dns: low
-net/dns/reverse: medium
-net/dns/servers: low
-net/dns/txt: low
-net/download: medium
-net/http/2: low
-net/http/accept: medium
-net/http/accept_encoding: low
-net/http/auth: low
-net/http/content_length: medium
-net/http/cookies: medium
-net/http/form_upload: medium
-net/http/oauth2: low
-net/http/post: medium
-net/http/proxy: low
-net/http/request: low
-net/http/webhook: medium
-net/http/websocket: medium
-net/ip/host_port: medium
-net/ip/icmp: medium
-net/ip/multicast_send: low
-net/ip/parse: medium
-net/ip/send_unicast: low
-net/resolve/hostname: low
-net/socket/listen: medium
-net/socket/local_addr: low
-net/socket/pair: medium
-net/socket/peer_address: low
-net/socket/receive: low
-net/socket/send: low
-net/tcp/connect: medium
-net/tcp/grpc: low
-net/udp/receive: low
-net/udp/send: low
-net/url/embedded: low
-net/url/encode: medium
-net/url/parse: low
-net/url/request: medium
-os/fd/sendfile: low
-os/kernel/kcore: low
-os/kernel/netlink: low
-os/kernel/seccomp: low
-persist/pid_file: medium
-process/chdir: low
-process/groupid_set: low
-process/groups_set: low
-process/terminate/kill_multiple: medium
-sus/exclamation: medium
-sus/intercept: medium
diff --git a/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple
index a78a1d8a9..e69de29bb 100644
--- a/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple
+++ b/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple
@@ -1,48 +0,0 @@
-# linux/clean/kibana/securitySolution.chunk.22.js: medium
-c2/addr/url: low
-c2/discovery/dyndns: medium
-c2/tool_transfer/arch: low
-c2/tool_transfer/download: low
-c2/tool_transfer/dropper: medium
-c2/tool_transfer/exe_url: low
-c2/tool_transfer/grayware: low
-c2/tool_transfer/os: medium
-collect/databases/mysql: medium
-credential/keylogger: medium
-credential/password: low
-crypto/blockchain: medium
-crypto/openssl: medium
-data/encoding/json_decode: low
-evasion/file/prefix: medium
-evasion/rootkit/refs: medium
-evasion/rootkit/userspace: low
-exec/plugin: low
-exec/shell/power: medium
-exfil/upload: medium
-fs/lock_update: low
-fs/path/dev: medium
-impact/cryptojacking/monero_pool: medium
-impact/ddos: medium
-impact/exploit: medium
-impact/exploit/cve: medium
-impact/exploit/known_s: medium
-impact/infection/infected: medium
-impact/infection/worm: medium
-impact/remote_access/backdoor: medium
-impact/remote_access/iptables: medium
-impact/remote_access/reverse_shell: low
-impact/remote_access/trojan: medium
-lateral/scan/brute_force: low
-malware/ref: medium
-net/dns/txt: low
-net/download: medium
-net/tcp/sftp: medium
-net/url/embedded: medium
-net/url/parse: low
-persist/daemon: medium
-process/chroot: low
-sec-tool/net/masscan: low
-sec-tool/net/nmap: medium
-sec-tool/pentest/metasploit_ref: medium
-sus/leetspeak: medium
-sus/malicious: medium
diff --git a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
index 3478ac9b6..e69de29bb 100644
--- a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
+++ b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
@@ -1,70 +0,0 @@ -# linux/clean/kibana/securitySolution.chunk.9.js: medium -anti-static/obfuscation/js: medium -anti-static/obfuscation/reverse: medium -c2/addr/ip: medium -c2/addr/url: low -c2/discovery/dyndns: medium -c2/tool_transfer/arch: low -c2/tool_transfer/download: low -c2/tool_transfer/dropper: medium -c2/tool_transfer/exe_url: low -c2/tool_transfer/grayware: low -c2/tool_transfer/os: medium -collect/databases/mysql: medium -credential/keylogger: medium -credential/password: low -crypto/blockchain: medium -crypto/encrypt: medium -crypto/openssl: medium -data/embedded/base64_url: medium -data/encoding/base64: low -data/encoding/json_decode: low -data/encoding/json_encode: low -data/hash/md5: low -discover/network/mac_address: medium -discover/process/name: medium -discover/process/parent: low -evasion/file/prefix: medium -evasion/rootkit/refs: medium -evasion/rootkit/userspace: low -exec/cmd: medium -exec/plugin: low -exec/shell/power: medium -exec/system_controls/apparmor: medium -exfil/upload: medium -fs/lock_update: low -fs/mount: low -fs/path/dev: medium -impact/cryptojacking/monero_pool: medium -impact/ddos: medium -impact/exploit: medium -impact/exploit/cve: medium -impact/exploit/known_s: medium -impact/infection/infected: medium -impact/infection/worm: medium -impact/remote_access/backdoor: medium -impact/remote_access/iptables: medium -impact/remote_access/reverse_shell: low -impact/remote_access/trojan: medium -lateral/scan/brute_force: low -malware/ref: medium -net/dns/txt: low -net/download: medium -net/http/post: medium -net/http/request: low -net/ip/addr: medium -net/ip/host_port: medium -net/socket/listen: medium -net/socket/send: low -net/tcp/sftp: medium -net/url/embedded: medium -net/url/parse: low -net/url/request: medium -os/kernel/seccomp: low -persist/daemon: medium -process/chroot: low -sec-tool/net/masscan: low -sec-tool/net/nmap: medium -sec-tool/pentest/metasploit_ref: medium -sus/leetspeak: medium -sus/malicious: medium 
diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple
index 59142a2a1..e69de29bb 100644
--- a/tests/linux/clean/kuma-cp.simple
+++ b/tests/linux/clean/kuma-cp.simple
@@ -1,142 +0,0 @@ -# linux/clean/kuma-cp: medium -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/server: medium -c2/addr/url: low -c2/client: medium -c2/tool_transfer/arch: low -c2/tool_transfer/download: medium -c2/tool_transfer/os: medium -collect/archives/zip: medium -collect/databases/mysql: medium -collect/databases/postgresql: medium -credential/password: low -credential/server/htpasswd: medium -credential/sniffer/bpf: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/ecdsa: low -crypto/ed25519: low -crypto/public_key: low -crypto/tls: low -crypto/uuid: medium -data/base64/external: medium -data/compression/bzip2: low -data/compression/gzip: low -data/compression/zlib: low -data/compression/zstd: low -data/embedded/base64_url: medium -data/embedded/html: medium -data/embedded/pem_test_key: low -data/encoding/base64: low -data/encoding/json: low -data/encoding/json_decode: low -data/encoding/json_encode: low -data/hash/md5: low -discover/network/interface_list: medium -discover/network/mac_address: medium -discover/network/netstat: medium -discover/processes/list: medium -discover/system/cpu: low -discover/system/dmesg: low -discover/system/hostname: low -discover/system/platform: medium -discover/system/sysinfo: medium -discover/user/HOME: low -discover/user/USER: low -discover/user/name_get: medium -evasion/bypass_security/linux/iptables: medium -evasion/file/location/var_run: medium -evasion/file/prefix: medium -exec/cmd: medium -exec/conditional/LANG: low -exec/plugin: low -exec/program: medium -exec/shell/SHELL: low -exec/shell/TERM: low -exec/shell/background_sleep: medium -exfil/collection: medium -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/fifo_create: low -fs/file/copy: medium -fs/file/delete: low -fs/file/delete_forcibly: low -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/stat: low -fs/file/write: low -fs/link_read: low 
-fs/mount: low -fs/node_create: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/home_config: low -fs/path/tmp: medium -fs/path/usr_bin: low -fs/path/var: low -fs/permission/chown: medium -fs/permission/modify: medium -fs/quota_manipulate: low -fs/swap/on: low -fs/tempdir/TEMP: low -fs/tempfile: low -fs/unmount: low -fs/watch: low -hw/dev/block_ice: medium -impact/remote_access/heartbeat: medium -impact/remote_access/iptables: medium -net/dns: low -net/dns/reverse: medium -net/dns/servers: low -net/dns/txt: low -net/download: medium -net/download/fetch: medium -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/content_length: medium -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/http/webhook: medium -net/http/websocket: medium -net/ip/host_port: medium -net/ip/icmp: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/proxy/tunnel: medium -net/resolve/hostname: low -net/resolve/hostport_parse: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/peer_address: low -net/socket/receive: low -net/socket/send: low -net/tcp/connect: medium -net/tcp/grpc: low -net/tcp/ssh: medium -net/udp/receive: low -net/udp/send: low -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -os/fd/sendfile: low -os/kernel/netlink: low -os/kernel/seccomp: low -persist/cron/tab: medium -privesc/sudo: medium -process/chroot: low -process/groupid_set: low -sus/exclamation: medium -sus/intercept: medium diff --git a/tests/linux/clean/libgcj.so.17.0.0.simple b/tests/linux/clean/libgcj.so.17.0.0.simple index 65b554ce3..e69de29bb 100644 --- a/tests/linux/clean/libgcj.so.17.0.0.simple +++ b/tests/linux/clean/libgcj.so.17.0.0.simple 
@@ -1,103 +0,0 @@ -# linux/clean/libgcj.so.17.0.0: medium -3P/JPCERT/cobaltstrike_v3v4: medium -anti-behavior/random_behavior: low -c2/addr/ip: medium -c2/addr/url: low -c2/tool_transfer/os: medium -credential/password: low -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/public_key: low -crypto/tls: low -crypto/uuid: medium -data/compression/bzip2: low -data/compression/gzip: low -data/embedded/base64_terms: medium -data/embedded/base64_url: medium -data/embedded/html: medium -data/embedded/pem_certificate: low -data/encoding/base64: low -data/hash/md5: low -data/hash/sha1: low -data/hash/sha256: low -data/hash/whirlpool: medium -discover/network/interface_list: medium -discover/process/name: medium -discover/system/cpu: low -discover/system/hostname: low -discover/system/platform: low -discover/user/HOME: low -discover/user/USER: low -evasion/hijack_execution/LD_LIBRARY_PATH: low -exec/cmd: medium -exec/conditional/LANG: low -exec/dylib/address_check: low -exec/dylib/iterate: low -exec/dylib/symbol_address: medium -exec/plugin: low -exec/program: medium -exec/program/background: low -exec/shell/SHELL: low -exec/shell/command: medium -exfil/office_file_ext: medium -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/file/copy: medium -fs/file/delete: medium -fs/file/open: low -fs/file/rename: low -fs/file/times_set: medium -fs/file/truncate: low -fs/file/write: low -fs/link_read: low -fs/mounts_read: medium -fs/path/dev: medium -fs/path/etc: low -fs/path/root: medium -fs/path/usr_local: medium -fs/path/var: low -fs/permission/modify: medium -fs/proc/arbitrary_pid: medium -fs/proc/mounts: medium -fs/proc/stat: medium -fs/tempdir: low -fs/tempdir/TEMP: low -fs/tempdir/TMPDIR: low -fs/tempfile: low -hw/iokit_registry: low -impact/remote_access/agent: medium -lateral/scan/tool: medium -net/dns/txt: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low 
-net/http/cookies: medium -net/http/form_upload: medium -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/ip: low -net/ip/connect: medium -net/ip/host_port: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/ip/resolve: low -net/ip/send_unicast: low -net/ip/string: medium -net/resolve/hostname: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/receive: low -net/socket/reuseport: medium -net/socket/send: low -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -process/multithreaded: low -sus/exclamation: medium -sus/intercept: medium -sus/leetspeak: medium diff --git a/tests/linux/clean/libgcj.so.17.simple b/tests/linux/clean/libgcj.so.17.simple index 4a19eb230..e69de29bb 100644 --- a/tests/linux/clean/libgcj.so.17.simple +++ b/tests/linux/clean/libgcj.so.17.simple 
@@ -1,103 +0,0 @@ -# linux/clean/libgcj.so.17: medium -3P/JPCERT/cobaltstrike_v3v4: medium -anti-behavior/random_behavior: low -c2/addr/ip: medium -c2/addr/url: low -c2/tool_transfer/os: medium -credential/password: low -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/public_key: low -crypto/tls: low -crypto/uuid: medium -data/compression/bzip2: low -data/compression/gzip: low -data/embedded/base64_terms: medium -data/embedded/base64_url: medium -data/embedded/html: medium -data/embedded/pem_certificate: low -data/encoding/base64: low -data/hash/md5: low -data/hash/sha1: low -data/hash/sha256: low -data/hash/whirlpool: medium -discover/network/interface_list: medium -discover/process/name: medium -discover/system/cpu: low -discover/system/hostname: low -discover/system/platform: low -discover/user/HOME: low -discover/user/USER: low -evasion/hijack_execution/LD_LIBRARY_PATH: low -exec/cmd: medium -exec/conditional/LANG: low -exec/dylib/address_check: low -exec/dylib/iterate: low -exec/dylib/symbol_address: medium -exec/plugin: low -exec/program: medium -exec/program/background: low -exec/shell/SHELL: low -exec/shell/command: medium -exfil/office_file_ext: medium -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/file/copy: medium -fs/file/delete: medium -fs/file/open: low -fs/file/rename: low -fs/file/times_set: medium -fs/file/truncate: low -fs/file/write: low -fs/link_read: low -fs/mounts_read: medium -fs/path/dev: medium -fs/path/etc: low -fs/path/root: medium -fs/path/usr_local: medium -fs/path/var: low -fs/permission/modify: medium -fs/proc/arbitrary_pid: medium -fs/proc/mounts: medium -fs/proc/stat: medium -fs/tempdir: low -fs/tempdir/TEMP: low -fs/tempdir/TMPDIR: low -fs/tempfile: low -hw/iokit_registry: low -impact/remote_access/agent: medium -lateral/scan/tool: medium -net/dns/txt: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low 
-net/http/cookies: medium -net/http/form_upload: medium -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/ip: low -net/ip/connect: medium -net/ip/host_port: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/ip/resolve: low -net/ip/send_unicast: low -net/ip/string: medium -net/resolve/hostname: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/receive: low -net/socket/reuseport: medium -net/socket/send: low -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -process/multithreaded: low -sus/exclamation: medium -sus/intercept: medium -sus/leetspeak: medium diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple index afce3a926..e69de29bb 100644 --- a/tests/linux/clean/melange.simple +++ b/tests/linux/clean/melange.simple 
@@ -1,160 +0,0 @@ -# linux/clean/melange: medium -anti-static/elf/multiple: medium -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/url: low -c2/client: medium -c2/refs: medium -c2/tool_transfer/arch: low -c2/tool_transfer/os: medium -collect/archives/tar_command: medium -collect/archives/zip: medium -collect/code/github_api: low -credential/cloud/g: medium -credential/keychain: medium -credential/password: low -credential/sniffer/bpf: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/ecdsa: low -crypto/ed25519: low -crypto/openssl: medium -crypto/public_key: low -crypto/tls: low -data/base64/external: medium -data/compression/bzip2: low -data/compression/gzip: low -data/compression/lzma: low -data/compression/zlib: low -data/compression/zstd: low -data/embedded/html: medium -data/embedded/pem_certificate: low -data/embedded/ssh_signature: medium -data/embedded/zstd: medium -data/encoding/base64: low -data/encoding/json: low -data/encoding/json_decode: low -data/encoding/json_encode: low -data/hash/blake2b: low -data/hash/md5: low -discover/cloud/aws_metadata: low -discover/cloud/google_metadata: low -discover/cloud/google_storage: low -discover/network/interface_list: medium -discover/network/mac_address: medium -discover/network/netstat: medium -discover/processes/pgrep: medium -discover/system/cpu: low -discover/system/dmesg: low -discover/system/hostname: low -discover/system/platform: medium -discover/system/sysinfo: medium -discover/user/HOME: low -discover/user/USER: low -discover/user/name_get: medium -evasion/file/location/system_directory: medium -evasion/file/prefix: medium -evasion/hide_artifacts/pivot_root: medium -exec/cmd: medium -exec/install_additional/pip_install: medium -exec/plugin: low -exec/program: medium -exec/shell/TERM: low -exec/shell/background_sleep: medium -exec/shell/exec: medium -exec/shell/pipe_sh: medium -fs/blkid: low -fs/directory/create: low -fs/directory/list: 
low -fs/directory/remove: low -fs/fifo_create: low -fs/file/copy: medium -fs/file/create: medium -fs/file/delete: medium -fs/file/delete_forcibly: medium -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/write: low -fs/link_create: low -fs/link_read: low -fs/lock_update: low -fs/mount: low -fs/node_create: low -fs/path/bin_su: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/home_config: low -fs/path/relative: medium -fs/path/root: medium -fs/path/usr_bin: low -fs/path/usr_local: medium -fs/path/usr_sbin: low -fs/path/var: low -fs/permission/chown: medium -fs/permission/modify: medium -fs/swap/off: low -fs/swap/on: low -fs/symlink_resolve: low -fs/tempdir/TEMP: low -fs/tempdir/create: low -fs/tempfile: low -fs/unmount: low -fs/watch: low -impact/remote_access/heartbeat: medium -impact/remote_access/kill_rm: medium -net/dns: low -net/dns/reverse: medium -net/dns/servers: low -net/dns/txt: low -net/download: medium -net/download/fetch: medium -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/content_length: medium -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/ip: low -net/ip/host_port: medium -net/ip/icmp: medium -net/ip/parse: medium -net/proxy/socks5: medium -net/proxy/tunnel: medium -net/resolve/hostname: low -net/resolve/hostport_parse: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/peer_address: low -net/socket/receive: low -net/socket/send: low -net/tcp/connect: medium -net/tcp/grpc: low -net/tcp/ssh: medium -net/udp/receive: low -net/udp/send: low -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -os/env/get: low -os/fd/sendfile: low -os/kernel/netlink: low -os/time/clock_set: low -persist/cron/tab: medium -privesc/setuid: low -process/chdir: low -process/chroot: low 
-process/groupid_set: low -process/multithreaded: low -process/unshare: low -sus/exclamation: medium -sus/intercept: medium diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple index 9ef86ed4a..e69de29bb 100644 --- a/tests/linux/clean/mongosh.simple +++ b/tests/linux/clean/mongosh.simple 
@@ -1,194 +0,0 @@ -# linux/clean/mongosh: medium -anti-static/obfuscation/hex: medium -anti-static/obfuscation/obfuscate: low -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/server: medium -c2/addr/url: low -c2/client: medium -c2/discovery/ip_dns_resolver: medium -c2/tool_transfer/arch: low -c2/tool_transfer/os: medium -collect/archives/unarchive: medium -collect/databases/postgresql: medium -collect/databases/sqlite: medium -credential/cloud/aws: medium -credential/password: low -credential/sniffer/bpf: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/ed25519: low -crypto/encrypt: medium -crypto/openssl: medium -crypto/public_key: low -crypto/tls: low -crypto/uuid: medium -data/base64/decode: medium -data/base64/encode: medium -data/compression/bzip2: low -data/compression/gzip: low -data/compression/lzma: low -data/compression/zlib: low -data/compression/zstd: low -data/embedded/base64_gzip: medium -data/embedded/base64_terms: medium -data/embedded/base64_url: medium -data/embedded/html: medium -data/embedded/pem_certificate: low -data/embedded/pem_private_key: medium -data/encoding/base64: low -data/encoding/json_decode: low -data/encoding/json_encode: low -data/hash/sha256: low -data/random/insecure: low -discover/cloud/aws_metadata: low -discover/cloud/google_metadata: low -discover/group/lookup: medium -discover/network/interface: low -discover/network/interface_list: medium -discover/network/mac_address: medium -discover/process/name: medium -discover/process/parent: low -discover/process/working_directory: low -discover/processes/list: medium -discover/system/hostname: low -discover/system/platform: medium -discover/system/sysinfo: medium -discover/user/APPDATA: low -discover/user/HOME: low -discover/user/USER: low -discover/user/USERPROFILE: medium -discover/user/info: medium -discover/user/name_get: low -evasion/file/prefix: medium -evasion/logging/acct: low -exec/cmd: medium 
-exec/conditional/LANG: low -exec/dylib/address_check: low -exec/dylib/iterate: low -exec/dylib/symbol_address: medium -exec/plugin: low -exec/program: medium -exec/program/background: low -exec/script/activex: medium -exec/script/osa: medium -exec/shell/SHELL: low -exec/shell/TERM: low -exec/shell/command: medium -exec/shell/echo: medium -exec/shell/exec: medium -exec/shell/pipe_sh: medium -exec/shell/power: medium -exec/system_controls/systemd: low -exec/tty/pathname: medium -exfil/office_file_ext: medium -exfil/stealer/credit_card: medium -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/file/capabilities_set: low -fs/file/copy: medium -fs/file/create: medium -fs/file/delete: medium -fs/file/delete_forcibly: low -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/stat: low -fs/file/times_set: medium -fs/file/truncate: low -fs/file/write: low -fs/link_read: low -fs/lock_update: low -fs/mount: low -fs/path/etc: low -fs/path/file_url: low -fs/path/home_library: low -fs/path/tmp: medium -fs/path/usr_bin: low -fs/permission/chown: medium -fs/permission/modify: medium -fs/proc/cpuinfo: medium -fs/proc/meminfo: medium -fs/proc/self_cgroup: medium -fs/proc/self_exe: medium -fs/proc/stat: medium -fs/symlink_resolve: low -fs/tempdir: low -fs/tempdir/TEMP: low -fs/tempdir/TMPDIR: low -fs/tempdir/create: low -fs/tempfile: low -fs/watch: low -hw/cpu: medium -hw/wireless: low -impact/remote_access/heartbeat: medium -impact/remote_access/kill_rm: medium -lateral/scan/tool: medium -mem/anonymous_file: medium -net/dns: low -net/dns/over_https: medium -net/dns/reverse: medium -net/dns/txt: low -net/download: medium -net/download/fetch: medium -net/ftp: low -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/http/websocket: medium 
-net/ip/host_port: medium -net/ip/icmp: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/ip/resolve: low -net/ip/send_unicast: low -net/ip/spoof: medium -net/ip/string: medium -net/proxy/socks5: medium -net/proxy/tunnel: medium -net/resolve/hostname: low -net/resolve/hostport_parse: low -net/socket/connect: medium -net/socket/listen: medium -net/socket/local_addr: low -net/socket/pair: medium -net/socket/peer_address: low -net/socket/receive: low -net/socket/send: low -net/tcp/ssh: medium -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -net/webrtc: medium -os/env/get: low -os/fd/read: low -os/fd/sendfile: low -os/fd/write: low -persist/daemon/detach: medium -privesc/setuid: low -process/chdir: low -process/chroot: low -process/create: low -process/groupid_set: low -process/groups_set: low -process/multithreaded: low -process/namespace_set: low -process/terminate: medium -process/terminate/taskkill: medium -sec-tool/net/nmap: medium -sus/compiler: medium -sus/exclamation: medium -sus/intercept: medium -sus/leetspeak: medium -sus/malicious: medium diff --git a/tests/linux/clean/opa.simple b/tests/linux/clean/opa.simple index 86b5cdc89..e69de29bb 100644 --- a/tests/linux/clean/opa.simple +++ b/tests/linux/clean/opa.simple 
@@ -1,106 +0,0 @@ -# linux/clean/opa: medium -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/url: low -c2/client: medium -c2/tool_transfer/arch: low -c2/tool_transfer/download: medium -c2/tool_transfer/os: medium -collect/archives/zip: medium -credential/password: low -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/ecdsa: low -crypto/ed25519: low -crypto/public_key: low -crypto/tls: low -data/base64/decode: medium -data/base64/encode: medium -data/compression/gzip: low -data/compression/zstd: low -data/embedded/html: medium -data/encoding/base64: low -data/encoding/json: low -data/encoding/json_decode: low -data/encoding/json_encode: low -data/hash/md5: low -discover/cloud/aws_metadata: low -discover/cloud/google_metadata: low -discover/system/cpu: low -discover/system/hostname: low -discover/system/platform: medium -discover/system/sysinfo: medium -discover/user/USER: low -exec/cmd: medium -exec/plugin: low -exec/program: medium -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/file/copy: medium -fs/file/delete: low -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/stat: low -fs/file/times_set: low -fs/file/write: low -fs/link_read: low -fs/mount: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/home_config: low -fs/path/relative: medium -fs/path/var: low -fs/permission/chown: medium -fs/permission/modify: medium -fs/proc/self_cgroup: medium -fs/proc/self_mountinfo: medium -fs/tempdir/TEMP: low -fs/tempfile: low -fs/watch: low -net/dns: low -net/dns/reverse: medium -net/dns/servers: low -net/dns/txt: low -net/download: medium -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/content_length: medium -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/ip/host_port: 
medium -net/ip/icmp: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/ip/send_unicast: low -net/resolve/hostname: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/peer_address: low -net/socket/receive: low -net/socket/send: low -net/tcp/connect: medium -net/tcp/grpc: low -net/udp/receive: low -net/udp/send: low -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -os/fd/sendfile: low -os/kernel/netlink: low -os/time/tzinfo: low -persist/pid_file: medium -process/chdir: low -process/groups_set: low -sus/exclamation: medium diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md index 064d08aba..e69de29bb 100644 --- a/tests/linux/clean/pandoc.md +++ b/tests/linux/clean/pandoc.md @@ -1,175 +0,0 @@ -## linux/clean/pandoc [🟡 MEDIUM] - -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| -| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bindPort](https://github.com/search?q=bindPort&type=code)
[blIp](https://github.com/search?q=blIp&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[client_port](https://github.com/search?q=client_port&type=code)
[config_port](https://github.com/search?q=config_port&type=code)
[curlopt_port](https://github.com/search?q=curlopt_port&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[domain_port](https://github.com/search?q=domain_port&type=code)
[eIp](https://github.com/search?q=eIp&type=code)
[ereghet_ip](https://github.com/search?q=ereghet_ip&type=code)
[framed_ip](https://github.com/search?q=framed_ip&type=code)
[ftp_port](https://github.com/search?q=ftp_port&type=code)
[gamhet_ip](https://github.com/search?q=gamhet_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[gomphet_ip](https://github.com/search?q=gomphet_ip&type=code)
[host_ip](https://github.com/search?q=host_ip&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[internal_ip](https://github.com/search?q=internal_ip&type=code)
[ipproto_ip](https://github.com/search?q=ipproto_ip&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lat_port](https://github.com/search?q=lat_port&type=code)
[lloghet_ip](https://github.com/search?q=lloghet_ip&type=code)
[lnormhet_ip](https://github.com/search?q=lnormhet_ip&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[local_port](https://github.com/search?q=local_port&type=code)
[login_ip](https://github.com/search?q=login_ip&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[nas_ip](https://github.com/search?q=nas_ip&type=code)
[nas_port](https://github.com/search?q=nas_port&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pg_port](https://github.com/search?q=pg_port&type=code)
[primary_ip](https://github.com/search?q=primary_ip&type=code)
[primary_port](https://github.com/search?q=primary_port&type=code)
[proxyPort](https://github.com/search?q=proxyPort&type=code)
[radius_port](https://github.com/search?q=radius_port&type=code)
[sam_port](https://github.com/search?q=sam_port&type=code)
[serverPort](https://github.com/search?q=serverPort&type=code)
[server_port](https://github.com/search?q=server_port&type=code)
[setPort](https://github.com/search?q=setPort&type=code)
[socketPort](https://github.com/search?q=socketPort&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[uriPort](https://github.com/search?q=uriPort&type=code)
[url_port](https://github.com/search?q=url_port&type=code)
[validate_ip](https://github.com/search?q=validate_ip&type=code)
[weibhet_ip](https://github.com/search?q=weibhet_ip&type=code)
[xIp](https://github.com/search?q=xIp&type=code) | -| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) | -| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code) | -| MEDIUM | [c2/discovery/dyndns](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/dyndns.yara#dynamic_dns_user) | uses dynamic DNS service | [dyndns](https://github.com/search?q=dyndns&type=code) | -| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | -| MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [unarchived](https://github.com/search?q=unarchived&type=code) | -| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [ZIP64](https://github.com/search?q=ZIP64&type=code) | -| MEDIUM | [collect/databases/mysql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/mysql.yara#mysql) | accesses MySQL databases | [mysql](https://github.com/search?q=mysql&type=code) | -| MEDIUM | [collect/databases/postgresql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/postgresql.yara#postgresql) | accesses PostgreSQL databases | [postgresql](https://github.com/search?q=postgresql&type=code) | -| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) | -| MEDIUM | [credential/server/htpasswd](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/server/htpasswd.yara#htpasswd) | Access .htpasswd files | [.htpasswd](https://github.com/search?q=.htpasswd&type=code) | -| MEDIUM | [credential/sniffer/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/sniffer/bpf.yara#sniffer_bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | -| MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | -| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | -| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [base64_encode](https://github.com/search?q=base64_encode&type=code) | -| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | -| MEDIUM | [data/hash/whirlpool](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/whirlpool.yara#whirlpool) | [hash function often used for cryptomining](https://en.wikipedia.org/wiki/Whirlpool_(hash_function)) | [WHIRLPOOL](https://github.com/search?q=WHIRLPOOL&type=code) | -| MEDIUM | [discover/group/lookup](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/group/lookup.yara#getgrent) | get entry from group database | [endgrent](https://github.com/search?q=endgrent&type=code)
[getgrent](https://github.com/search?q=getgrent&type=code)
[setgrent](https://github.com/search?q=setgrent&type=code) | -| MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) | -| MEDIUM | [discover/process/egid](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/egid.yara#php_getmygid) | returns the effective group id of the current process | [getmygid](https://github.com/search?q=getmygid&type=code) | -| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | -| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [systeminfo](https://github.com/search?q=systeminfo&type=code) | -| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) | -| MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | -| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [CmdForListBodyStartCmd](https://github.com/search?q=CmdForListBodyStartCmd&type=code)
[SystemziProcess_runCommand1_closure](https://github.com/search?q=SystemziProcess_runCommand1_closure&type=code)
[SystemziProcess_runCommand1_info](https://github.com/search?q=SystemziProcess_runCommand1_info&type=code)
[SystemziProcess_runCommand2_closure](https://github.com/search?q=SystemziProcess_runCommand2_closure&type=code)
[SystemziProcess_runCommand3_bytes](https://github.com/search?q=SystemziProcess_runCommand3_bytes&type=code)
[SystemziProcess_runCommand_closure](https://github.com/search?q=SystemziProcess_runCommand_closure&type=code)
[SystemziProcess_runCommand_info](https://github.com/search?q=SystemziProcess_runCommand_info&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code) | -| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | -| MEDIUM | [exec/shell/command](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/command.yara#system) | [execute a shell command](https://man7.org/linux/man-pages/man3/system.3.html) | [system](https://github.com/search?q=system&type=code) | -| MEDIUM | [exec/shell/exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#system_call) | executes a shell command | [system](https://github.com/search?q=system&type=code) | -| MEDIUM | [exec/shell/pipe_sh](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/pipe_sh.yara#pipe_to_shell) | pipes to shell | [| sh](https://github.com/search?q=%7C+sh&type=code) | -| MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershellcode](https://github.com/search?q=powershellcode&type=code) | -| MEDIUM | [exec/tty/pathname](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/pathname.yara#ttyname) | returns the pathname of a terminal device | [ttyname](https://github.com/search?q=ttyname&type=code) | -| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docm](https://github.com/search?q=docm&type=code)
[docx](https://github.com/search?q=docx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppam](https://github.com/search?q=ppam&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | -| MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy) | copy files using cp | [copyFile](https://github.com/search?q=copyFile&type=code) | -| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFile](https://github.com/search?q=CreateFile&type=code) | -| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFile](https://github.com/search?q=DeleteFile&type=code) | -| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utimes](https://github.com/search?q=utimes&type=code) | -| MEDIUM | [fs/mounts_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mounts-read.yara#mount_files) | [Parses active mounts (/etc/fstab, /etc/mtab)](https://linux.die.net/man/3/setmntent) | [/etc/mtab](https://github.com/search?q=%2Fetc%2Fmtab&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/lua_XXXXXX](https://github.com/search?q=%2Ftmp%2Flua_XXXXXX&type=code)
[/tmp/pandoc-20241005-4994-bp6ag1/pandoc-3.5/.brew_home/.local/state/c](https://github.com/search?q=%2Ftmp%2Fpandoc-20241005-4994-bp6ag1%2Fpandoc-3.5%2F.brew_home%2F.local%2Fstate%2Fc&type=code) | -| MEDIUM | [fs/path/usr_local](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-local.yara#usr_local_lib_path) | path reference within /usr/local/lib | [/usr/local/lib/lua/5.4/loadall.so](https://github.com/search?q=%2Fusr%2Flocal%2Flib%2Flua%2F5.4%2Floadall.so&type=code) | -| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | -| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/maps](https://github.com/search?q=%2Fproc%2F%25d%2Fmaps&type=code) | -| MEDIUM | [fs/proc/mounts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/mounts.yara#proc_mounts) | Parses active mounts (/proc/mounts | [/proc/mounts](https://github.com/search?q=%2Fproc%2Fmounts&type=code) | -| MEDIUM | [fs/proc/pid_maps](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-maps.yara#proc_maps) | access process memory maps | [/proc/%d/maps](https://github.com/search?q=%2Fproc%2F%25d%2Fmaps&type=code) | -| MEDIUM | [fs/proc/self_status](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-status.yara#proc_self_status) | gets status associated to this process, including capabilities | [/proc/self/status](https://github.com/search?q=%2Fproc%2Fself%2Fstatus&type=code) | -| MEDIUM | [impact/infection/worm](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/infection/worm.yara#worm) | References 'Worm' | [worm](https://github.com/search?q=worm&type=code) | -| MEDIUM | 
[impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [2_NetworkziTLSziExtension_decodeHeartBeat_closure](https://github.com/search?q=2_NetworkziTLSziExtension_decodeHeartBeat_closure&type=code)
[2_NetworkziTLSziExtension_decodeHeartBeat_info](https://github.com/search?q=2_NetworkziTLSziExtension_decodeHeartBeat_info&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat1_closur](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat1_closur&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat2_closur](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat2_closur&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat3_bytes](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat3_bytes&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode1_cl](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode1_cl&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode2_cl](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode2_cl&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode3_by](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode3_by&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode_clo](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode_clo&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat_closure](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat_closure&type=code)
[72_NetworkziTLSziExtension_zdfEqHeartBeatMode_clo](https://github.com/search?q=72_NetworkziTLSziExtension_zdfEqHeartBeatMode_clo&type=code)
[72_NetworkziTLSziExtension_zdfEqHeartBeat_closure](https://github.com/search?q=72_NetworkziTLSziExtension_zdfEqHeartBeat_closure&type=code)
[72_NetworkziTLSziStruct_zdbEIDzuHeartbeat1_closur](https://github.com/search?q=72_NetworkziTLSziStruct_zdbEIDzuHeartbeat1_closur&type=code)
[72_NetworkziTLSziStruct_zdbEIDzuHeartbeat_closure](https://github.com/search?q=72_NetworkziTLSziStruct_zdbEIDzuHeartbeat_closure&type=code)
[72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_closure](https://github.com/search?q=72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_closure&type=code)
[72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_info](https://github.com/search?q=72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_info&type=code)
[8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerAl](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerAl&type=code)
[8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerNo](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerNo&type=code)
[8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerAl](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerAl&type=code)
[8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerNo](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerNo&type=code)
[HeartBeat_PeerAll](https://github.com/search?q=HeartBeat_PeerAll&type=code)
[HeartBeat_PeerNot](https://github.com/search?q=HeartBeat_PeerNot&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat1_closur](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat1_closur&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat1_info](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat1_info&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat2_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat2_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat3_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat3_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat4_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat4_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat5_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat5_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode1_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode1_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode1_in](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode1_in&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode2_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode2_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode3_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode3_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode_clo](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode_clo&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatModezuzd](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatModezuzd&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat_closure](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat_closure&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatzuzdcsho](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatzuzdcsho&type=code)
[_NetworkziTLSziExtension_zdfldZCHeartBeatModeZCfr](https://github.com/search?q=_NetworkziTLSziExtension_zdfldZCHeartBeatModeZCfr&type=code)
[extensionDecode: HeartBeat](https://github.com/search?q=extensionDecode%3A+HeartBeat&type=code)
[f72_NetworkziTLSziExtension_fromHeartBeatMode1_cl](https://github.com/search?q=f72_NetworkziTLSziExtension_fromHeartBeatMode1_cl&type=code)
[f72_NetworkziTLSziExtension_fromHeartBeatMode1_in](https://github.com/search?q=f72_NetworkziTLSziExtension_fromHeartBeatMode1_in&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat1_closur](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat1_closur&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat2_bytes](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat2_bytes&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode1_cl](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode1_cl&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode2_by](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode2_by&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode_clo](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode_clo&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat_closure](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat_closure&type=code)
[heartbeat](https://github.com/search?q=heartbeat&type=code)
[nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_clo](https://github.com/search?q=nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_clo&type=code)
[nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_inf](https://github.com/search?q=nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_inf&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat1_closur](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat1_closur&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat1_info](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat1_info&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat2_closur](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat2_closur&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat2_info](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat2_info&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat_closure](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat_closure&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeatzuzdcext](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeatzuzdcext&type=code) | -| MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | -| MEDIUM | [net/email/exotic_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/email/exotic_addr.yara#exotic_email_addr) | Contains an exotic email address | [bastianholst@gmx.de](https://github.com/search?q=bastianholst%40gmx.de&type=code)
[chris_hormann@gmx.de](https://github.com/search?q=chris_hormann%40gmx.de&type=code)
[langstefan@gmx.at](https://github.com/search?q=langstefan%40gmx.at&type=code)
[views@gmx.de](https://github.com/search?q=views%40gmx.de&type=code)
[zerokode@gmx.net](https://github.com/search?q=zerokode%40gmx.net&type=code) | -| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | -| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP_COOKIE](https://github.com/search?q=HTTP_COOKIE&type=code)
[http_cookie](https://github.com/search?q=http_cookie&type=code) | -| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type: text/x](https://github.com/search?q=Content-Type%3A+text%2Fx&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [QWebSocketCorsAuthenticator](https://github.com/search?q=QWebSocketCorsAuthenticator&type=code)
[QWebSocketHandshakeOptions](https://github.com/search?q=QWebSocketHandshakeOptions&type=code)
[QWebSocketServer](https://github.com/search?q=QWebSocketServer&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code) | -| MEDIUM | [net/ip/byte_order](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-byte-order.yara#htonl) | convert values between host and network byte order | [htonl](https://github.com/search?q=htonl&type=code)
[htons](https://github.com/search?q=htons&type=code)
[ntohs](https://github.com/search?q=ntohs&type=code) | -| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#hostname_port) | connects to an arbitrary hostname:port | [hostname](https://github.com/search?q=hostname&type=code)
[port](https://github.com/search?q=port&type=code) | -| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping frame](https://github.com/search?q=ping+frame&type=code) | -| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | -| MEDIUM | [net/ip/spoof](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/spoof.yara#spoof) | references spoofing | [Spoofchecker](https://github.com/search?q=Spoofchecker&type=code)
[spoofchecker](https://github.com/search?q=spoofchecker&type=code) | -| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code)
[inet_ntop](https://github.com/search?q=inet_ntop&type=code) | -| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [.Socks5](https://github.com/search?q=.Socks5&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | -| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | -| MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [NTLM](https://github.com/search?q=NTLM&type=code)
[ntlm](https://github.com/search?q=ntlm&type=code) | -| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-connect.yara#connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [connect](https://github.com/search?q=connect&type=code) | -| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | -| MEDIUM | [net/socket/raw](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/raw.yara#raw_sockets) | [send raw and/or malformed IP packets](https://man7.org/linux/man-pages/man7/raw.7.html) | [IPPROTO_RAW](https://github.com/search?q=IPPROTO_RAW&type=code)
[SOCK_RAW](https://github.com/search?q=SOCK_RAW&type=code) | -| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code)
[SO_REUSEPORT](https://github.com/search?q=SO_REUSEPORT&type=code) | -| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) | -| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [http://www.fictionbook.org/index.php](http://www.fictionbook.org/index.php) | -| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | -| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [openURL](https://github.com/search?q=openURL&type=code) | -| MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | -| MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | -| MEDIUM | [persist/cron/tab](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/cron/tab.yara#crontab_support) | lists crontab entries, may also persist | [crontab](https://github.com/search?q=crontab&type=code) | -| MEDIUM | [persist/kernel_module/unload](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/unload.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) | -| MEDIUM | 
[persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [PidFile](https://github.com/search?q=PidFile&type=code) | -| MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) | -| MEDIUM | [sec-tool/net/nmap](https://github.com/chainguard-dev/malcontent/blob/main/rules/sec-tool/net/nmap.yara#nmap) | nmap (network map) port scanner | [nmap](https://github.com/search?q=nmap&type=code) | -| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercept](https://github.com/search?q=intercept&type=code) | -| LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscatedFont](https://github.com/search?q=obfuscatedFont&type=code)
[obfuscates](https://github.com/search?q=obfuscates&type=code) | -| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [amd64](https://github.com/search?q=amd64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [ADDefaultDomainPasswordPolicy](https://github.com/search?q=ADDefaultDomainPasswordPolicy&type=code)
[ADFineGrainedPasswordPolicySubject](https://github.com/search?q=ADFineGrainedPasswordPolicySubject&type=code)
[ADServiceAccountPassword](https://github.com/search?q=ADServiceAccountPassword&type=code)
[ADUserResultantPasswordPolicy](https://github.com/search?q=ADUserResultantPasswordPolicy&type=code)
[AuthLDAPBindPassword](https://github.com/search?q=AuthLDAPBindPassword&type=code)
[BadPassword_con_info](https://github.com/search?q=BadPassword_con_info&type=code)
[BasicPasswordFieldUI](https://github.com/search?q=BasicPasswordFieldUI&type=code)
[ComputerMachinePassword](https://github.com/search?q=ComputerMachinePassword&type=code)
[JPasswordField](https://github.com/search?q=JPasswordField&type=code)
[PasswordAuthentication](https://github.com/search?q=PasswordAuthentication&type=code)
[PasswordCallback](https://github.com/search?q=PasswordCallback&type=code)
[PasswordCredential](https://github.com/search?q=PasswordCredential&type=code)
[PasswordProtection](https://github.com/search?q=PasswordProtection&type=code)
[PasswordView](https://github.com/search?q=PasswordView&type=code)
[Set-ADAccountPassword](https://github.com/search?q=Set-ADAccountPassword&type=code)
[addefaultdomainpasswordpolicy](https://github.com/search?q=addefaultdomainpasswordpolicy&type=code)
[adfinegrainedpasswordpolicysubject](https://github.com/search?q=adfinegrainedpasswordpolicysubject&type=code)
[adserviceaccountpassword](https://github.com/search?q=adserviceaccountpassword&type=code)
[aduserresultantpasswordpolicy](https://github.com/search?q=aduserresultantpasswordpolicy&type=code)
[authldapbindpassword](https://github.com/search?q=authldapbindpassword&type=code)
[computermachinepassword](https://github.com/search?q=computermachinepassword&type=code)
[curle_bad_password_entered](https://github.com/search?q=curle_bad_password_entered&type=code)
[curle_ftp_user_password_incorrect](https://github.com/search?q=curle_ftp_user_password_incorrect&type=code)
[curlssh_auth_password](https://github.com/search?q=curlssh_auth_password&type=code)
[dont_store_passwords](https://github.com/search?q=dont_store_passwords&type=code)
[fbsql_database_password](https://github.com/search?q=fbsql_database_password&type=code)
[fbsql_password](https://github.com/search?q=fbsql_password&type=code)
[fbsql_set_password](https://github.com/search?q=fbsql_set_password&type=code)
[groupPassword](https://github.com/search?q=groupPassword&type=code)
[init_with_password](https://github.com/search?q=init_with_password&type=code)
[ldap_control_passwordpolicyrequest](https://github.com/search?q=ldap_control_passwordpolicyrequest&type=code)
[ldap_control_passwordpolicyresponse](https://github.com/search?q=ldap_control_passwordpolicyresponse&type=code)
[newt_flag_password](https://github.com/search?q=newt_flag_password&type=code)
[oci_password_change](https://github.com/search?q=oci_password_change&type=code)
[param_default_password](https://github.com/search?q=param_default_password&type=code)
[password for entry](https://github.com/search?q=password+for+entry&type=code)
[password_bcrypt](https://github.com/search?q=password_bcrypt&type=code)
[password_default](https://github.com/search?q=password_default&type=code)
[password_field_tag](https://github.com/search?q=password_field_tag&type=code)
[password_get_info](https://github.com/search?q=password_get_info&type=code)
[password_grace_time](https://github.com/search?q=password_grace_time&type=code)
[password_hash](https://github.com/search?q=password_hash&type=code)
[password_life_time](https://github.com/search?q=password_life_time&type=code)
[password_lock_time](https://github.com/search?q=password_lock_time&type=code)
[password_needs_rehash](https://github.com/search?q=password_needs_rehash&type=code)
[password_reuse_max](https://github.com/search?q=password_reuse_max&type=code)
[password_reuse_time](https://github.com/search?q=password_reuse_time&type=code)
[password_verify_function](https://github.com/search?q=password_verify_function&type=code)
[proxy_tlsauth_password](https://github.com/search?q=proxy_tlsauth_password&type=code)
[radius_chap_password](https://github.com/search?q=radius_chap_password&type=code)
[radius_user_password](https://github.com/search?q=radius_user_password&type=code)
[sam_password](https://github.com/search?q=sam_password&type=code)
[set-adaccountpassword](https://github.com/search?q=set-adaccountpassword&type=code)
[swftextfield_password](https://github.com/search?q=swftextfield_password&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[zdtczqBadPassword_closure](https://github.com/search?q=zdtczqBadPassword_closure&type=code) | -| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[private_key](https://github.com/search?q=private_key&type=code)
[privatekey](https://github.com/search?q=privatekey&type=code) | -| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[aes_256_cbc](https://github.com/search?q=aes_256_cbc&type=code)
[aes_encrypt](https://github.com/search?q=aes_encrypt&type=code) | -| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [28AES128zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES128zuzdcxtsDecrypt_closure&type=code)
[28AES128zuzdcxtsDecrypt_info](https://github.com/search?q=28AES128zuzdcxtsDecrypt_info&type=code)
[28AES192zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES192zuzdcxtsDecrypt_closure&type=code)
[28AES192zuzdcxtsDecrypt_info](https://github.com/search?q=28AES192zuzdcxtsDecrypt_info&type=code)
[28AES256zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES256zuzdcxtsDecrypt_closure&type=code)
[28AES256zuzdcxtsDecrypt_info](https://github.com/search?q=28AES256zuzdcxtsDecrypt_info&type=code)
[Primitive_zdwccmDecrypt_closure](https://github.com/search?q=Primitive_zdwccmDecrypt_closure&type=code)
[Primitive_zdwccmDecrypt_info](https://github.com/search?q=Primitive_zdwccmDecrypt_info&type=code)
[TLSziCipher_BulkDecrypt_closure](https://github.com/search?q=TLSziCipher_BulkDecrypt_closure&type=code)
[TLSziCipher_BulkDecrypt_con_info](https://github.com/search?q=TLSziCipher_BulkDecrypt_con_info&type=code)
[TypesziAEAD_aeadDecrypt_closure](https://github.com/search?q=TypesziAEAD_aeadDecrypt_closure&type=code)
[TypesziAEAD_aeadDecrypt_info](https://github.com/search?q=TypesziAEAD_aeadDecrypt_info&type=code)
[TypesziBlock_cbcDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_cbcDecryptGeneric_closure&type=code)
[TypesziBlock_cbcDecryptGeneric_info](https://github.com/search?q=TypesziBlock_cbcDecryptGeneric_info&type=code)
[TypesziBlock_cbcDecrypt_closure](https://github.com/search?q=TypesziBlock_cbcDecrypt_closure&type=code)
[TypesziBlock_cbcDecrypt_info](https://github.com/search?q=TypesziBlock_cbcDecrypt_info&type=code)
[TypesziBlock_cfbDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_cfbDecryptGeneric_closure&type=code)
[TypesziBlock_cfbDecryptGeneric_info](https://github.com/search?q=TypesziBlock_cfbDecryptGeneric_info&type=code)
[TypesziBlock_cfbDecrypt_closure](https://github.com/search?q=TypesziBlock_cfbDecrypt_closure&type=code)
[TypesziBlock_cfbDecrypt_info](https://github.com/search?q=TypesziBlock_cfbDecrypt_info&type=code)
[TypesziBlock_ecbDecrypt_closure](https://github.com/search?q=TypesziBlock_ecbDecrypt_closure&type=code)
[TypesziBlock_ecbDecrypt_info](https://github.com/search?q=TypesziBlock_ecbDecrypt_info&type=code)
[TypesziBlock_xtsDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_xtsDecryptGeneric_closure&type=code)
[TypesziBlock_xtsDecryptGeneric_info](https://github.com/search?q=TypesziBlock_xtsDecryptGeneric_info&type=code)
[TypesziBlock_xtsDecrypt_closure](https://github.com/search?q=TypesziBlock_xtsDecrypt_closure&type=code)
[TypesziBlock_xtsDecrypt_info](https://github.com/search?q=TypesziBlock_xtsDecrypt_info&type=code)
[deImplZCaeadImplDecrypt_closure](https://github.com/search?q=deImplZCaeadImplDecrypt_closure&type=code)
[deImplZCaeadImplDecrypt_info](https://github.com/search?q=deImplZCaeadImplDecrypt_info&type=code)
[edentialsFindForDecrypting_closure](https://github.com/search?q=edentialsFindForDecrypting_closure&type=code)
[edentialsFindForDecrypting_info](https://github.com/search?q=edentialsFindForDecrypting_info&type=code)
[edentialsFindForDecryptingzugo1_closure](https://github.com/search?q=edentialsFindForDecryptingzugo1_closure&type=code)
[edentialsFindForDecryptingzugo1_info](https://github.com/search?q=edentialsFindForDecryptingzugo1_info&type=code)
[erAES128zuzdccbcDecrypt_closure](https://github.com/search?q=erAES128zuzdccbcDecrypt_closure&type=code)
[erAES128zuzdccbcDecrypt_info](https://github.com/search?q=erAES128zuzdccbcDecrypt_info&type=code)
[erAES128zuzdccfbDecrypt_closure](https://github.com/search?q=erAES128zuzdccfbDecrypt_closure&type=code)
[erAES128zuzdccfbDecrypt_info](https://github.com/search?q=erAES128zuzdccfbDecrypt_info&type=code)
[erAES192zuzdccbcDecrypt_closure](https://github.com/search?q=erAES192zuzdccbcDecrypt_closure&type=code)
[erAES192zuzdccbcDecrypt_info](https://github.com/search?q=erAES192zuzdccbcDecrypt_info&type=code)
[erAES192zuzdccfbDecrypt_closure](https://github.com/search?q=erAES192zuzdccfbDecrypt_closure&type=code)
[erAES192zuzdccfbDecrypt_info](https://github.com/search?q=erAES192zuzdccfbDecrypt_info&type=code)
[erAES256zuzdccbcDecrypt_closure](https://github.com/search?q=erAES256zuzdccbcDecrypt_closure&type=code)
[erAES256zuzdccbcDecrypt_info](https://github.com/search?q=erAES256zuzdccbcDecrypt_info&type=code)
[erAES256zuzdccfbDecrypt_closure](https://github.com/search?q=erAES256zuzdccfbDecrypt_closure&type=code)
[erAES256zuzdccfbDecrypt_info](https://github.com/search?q=erAES256zuzdccfbDecrypt_info&type=code)
[eyziECIES_deriveDecrypt_closure](https://github.com/search?q=eyziECIES_deriveDecrypt_closure&type=code)
[eyziECIES_deriveDecrypt_info](https://github.com/search?q=eyziECIES_deriveDecrypt_info&type=code)
[iAEAD_aeadSimpleDecrypt_closure](https://github.com/search?q=iAEAD_aeadSimpleDecrypt_closure&type=code)
[iAEAD_aeadSimpleDecrypt_info](https://github.com/search?q=iAEAD_aeadSimpleDecrypt_info&type=code)
[iTLSziStruct_zdbDecryptError1_closure](https://github.com/search?q=iTLSziStruct_zdbDecryptError1_closure&type=code)
[iTLSziStruct_zdbDecryptError_closure](https://github.com/search?q=iTLSziStruct_zdbDecryptError_closure&type=code)
[iTLSziStruct_zdbDecryptionFailed1_closu](https://github.com/search?q=iTLSziStruct_zdbDecryptionFailed1_closu&type=code)
[iTLSziStruct_zdbDecryptionFailed_closur](https://github.com/search?q=iTLSziStruct_zdbDecryptionFailed_closur&type=code)
[iTLSziStruct_zdmDecryptError_closure](https://github.com/search?q=iTLSziStruct_zdmDecryptError_closure&type=code)
[iTLSziStruct_zdmDecryptError_info](https://github.com/search?q=iTLSziStruct_zdmDecryptError_info&type=code)
[iTLSziStruct_zdmDecryptionFailed_closur](https://github.com/search?q=iTLSziStruct_zdmDecryptionFailed_closur&type=code)
[iTLSziStruct_zdmDecryptionFailed_info](https://github.com/search?q=iTLSziStruct_zdmDecryptionFailed_info&type=code)
[ipherAESzuzdccfbDecrypt_closure](https://github.com/search?q=ipherAESzuzdccfbDecrypt_closure&type=code)
[ipherAESzuzdccfbDecrypt_info](https://github.com/search?q=ipherAESzuzdccfbDecrypt_info&type=code)
[ipher_zdtczqBulkDecrypt1_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt1_closure&type=code)
[ipher_zdtczqBulkDecrypt2_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt2_closure&type=code)
[ipher_zdtczqBulkDecrypt3_bytes](https://github.com/search?q=ipher_zdtczqBulkDecrypt3_bytes&type=code)
[ipher_zdtczqBulkDecrypt_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt_closure&type=code)
[ive_zdwgcmAppendDecrypt_closure](https://github.com/search?q=ive_zdwgcmAppendDecrypt_closure&type=code)
[ive_zdwgcmAppendDecrypt_info](https://github.com/search?q=ive_zdwgcmAppendDecrypt_info&type=code)
[ive_zdwocbAppendDecrypt_closure](https://github.com/search?q=ive_zdwocbAppendDecrypt_closure&type=code)
[ive_zdwocbAppendDecrypt_info](https://github.com/search?q=ive_zdwocbAppendDecrypt_info&type=code)
[iveziZZip_pkwareDecryptByte_closure](https://github.com/search?q=iveziZZip_pkwareDecryptByte_closure&type=code)
[iveziZZip_pkwareDecryptByte_info](https://github.com/search?q=iveziZZip_pkwareDecryptByte_info&type=code)
[sziBlock_zddmcbcDecrypt_closure](https://github.com/search?q=sziBlock_zddmcbcDecrypt_closure&type=code)
[sziBlock_zddmcbcDecrypt_info](https://github.com/search?q=sziBlock_zddmcbcDecrypt_info&type=code)
[sziBlock_zddmcfbDecrypt_closure](https://github.com/search?q=sziBlock_zddmcfbDecrypt_closure&type=code)
[sziBlock_zddmcfbDecrypt_info](https://github.com/search?q=sziBlock_zddmcfbDecrypt_info&type=code)
[sziBlock_zddmxtsDecrypt10_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt10_closure&type=code)
[sziBlock_zddmxtsDecrypt11_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt11_bytes&type=code)
[sziBlock_zddmxtsDecrypt12_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt12_closure&type=code)
[sziBlock_zddmxtsDecrypt13_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt13_bytes&type=code)
[sziBlock_zddmxtsDecrypt1_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt1_closure&type=code)
[sziBlock_zddmxtsDecrypt2_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt2_closure&type=code)
[sziBlock_zddmxtsDecrypt3_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt3_closure&type=code)
[sziBlock_zddmxtsDecrypt4_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt4_closure&type=code)
[sziBlock_zddmxtsDecrypt5_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt5_closure&type=code)
[sziBlock_zddmxtsDecrypt6_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt6_closure&type=code)
[sziBlock_zddmxtsDecrypt7_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt7_bytes&type=code)
[sziBlock_zddmxtsDecrypt8_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt8_closure&type=code)
[sziBlock_zddmxtsDecrypt9_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt9_bytes&type=code)
[sziBlock_zddmxtsDecrypt_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt_closure&type=code)
[sziBlock_zddmxtsDecrypt_info](https://github.com/search?q=sziBlock_zddmxtsDecrypt_info&type=code)
[ziTLSziCrypto_kxDecrypt1_closure](https://github.com/search?q=ziTLSziCrypto_kxDecrypt1_closure&type=code)
[ziTLSziCrypto_kxDecrypt_closure](https://github.com/search?q=ziTLSziCrypto_kxDecrypt_closure&type=code)
[ziTLSziCrypto_kxDecrypt_info](https://github.com/search?q=ziTLSziCrypto_kxDecrypt_info&type=code) | -| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | -| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | -| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code) | -| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | -| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | -| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | -| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | -| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [zstd](https://github.com/search?q=zstd&type=code) | -| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | -| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [MD5_MD5_closure_tbl](https://github.com/search?q=MD5_MD5_closure_tbl&type=code)
[MD5_MD5_con_info](https://github.com/search?q=MD5_MD5_con_info&type=code)
[MD5_czumd5zufinalizz](https://github.com/search?q=MD5_czumd5zufinalizz&type=code)
[MD5_czumd5zuinit_clo](https://github.com/search?q=MD5_czumd5zuinit_clo&type=code)
[MD5_czumd5zuinit_inf](https://github.com/search?q=MD5_czumd5zuinit_inf&type=code)
[MD5_czumd5zuupdate_c](https://github.com/search?q=MD5_czumd5zuupdate_c&type=code)
[MD5_czumd5zuupdate_i](https://github.com/search?q=MD5_czumd5zuupdate_i&type=code)
[MD5_info](https://github.com/search?q=MD5_info&type=code)
[MD5_str](https://github.com/search?q=MD5_str&type=code)
[MD5_zdfDataMD10_clos](https://github.com/search?q=MD5_zdfDataMD10_clos&type=code)
[MD5_zdfDataMD11_byte](https://github.com/search?q=MD5_zdfDataMD11_byte&type=code)
[MD5_zdfDataMD12_clos](https://github.com/search?q=MD5_zdfDataMD12_clos&type=code)
[MD5_zdfDataMD12_info](https://github.com/search?q=MD5_zdfDataMD12_info&type=code)
[MD5_zdfDataMD1_closu](https://github.com/search?q=MD5_zdfDataMD1_closu&type=code)
[MD5_zdfDataMD2_closu](https://github.com/search?q=MD5_zdfDataMD2_closu&type=code)
[MD5_zdfDataMD2_info](https://github.com/search?q=MD5_zdfDataMD2_info&type=code)
[MD5_zdfDataMD3_closu](https://github.com/search?q=MD5_zdfDataMD3_closu&type=code)
[MD5_zdfDataMD3_info](https://github.com/search?q=MD5_zdfDataMD3_info&type=code)
[MD5_zdfDataMD4_closu](https://github.com/search?q=MD5_zdfDataMD4_closu&type=code)
[MD5_zdfDataMD4_info](https://github.com/search?q=MD5_zdfDataMD4_info&type=code)
[MD5_zdfDataMD5_closu](https://github.com/search?q=MD5_zdfDataMD5_closu&type=code)
[MD5_zdfDataMD5zuzdcd](https://github.com/search?q=MD5_zdfDataMD5zuzdcd&type=code)
[MD5_zdfDataMD5zuzdcg](https://github.com/search?q=MD5_zdfDataMD5zuzdcg&type=code)
[MD5_zdfDataMD5zuzdct](https://github.com/search?q=MD5_zdfDataMD5zuzdct&type=code)
[MD5_zdfDataMD6_closu](https://github.com/search?q=MD5_zdfDataMD6_closu&type=code)
[MD5_zdfDataMD7_closu](https://github.com/search?q=MD5_zdfDataMD7_closu&type=code)
[MD5_zdfDataMD8_closu](https://github.com/search?q=MD5_zdfDataMD8_closu&type=code)
[MD5_zdfDataMD9_closu](https://github.com/search?q=MD5_zdfDataMD9_closu&type=code)
[MD5_zdfHashAlgorithm](https://github.com/search?q=MD5_zdfHashAlgorithm&type=code)
[MD5_zdfShowMD1_closu](https://github.com/search?q=MD5_zdfShowMD1_closu&type=code)
[MD5_zdfShowMD1_info](https://github.com/search?q=MD5_zdfShowMD1_info&type=code)
[MD5_zdfShowMD2_closu](https://github.com/search?q=MD5_zdfShowMD2_closu&type=code)
[MD5_zdfShowMD5_closu](https://github.com/search?q=MD5_zdfShowMD5_closu&type=code)
[MD5_zdfShowMD5zuzdcs](https://github.com/search?q=MD5_zdfShowMD5zuzdcs&type=code)
[MD5_zdtcMD1_closure](https://github.com/search?q=MD5_zdtcMD1_closure&type=code)
[MD5_zdtcMD2_bytes](https://github.com/search?q=MD5_zdtcMD2_bytes&type=code)
[MD5_zdtcMD5_closure](https://github.com/search?q=MD5_zdtcMD5_closure&type=code)
[MD5_zdtczqMD1_closur](https://github.com/search?q=MD5_zdtczqMD1_closur&type=code)
[MD5_zdtczqMD2_closur](https://github.com/search?q=MD5_zdtczqMD2_closur&type=code)
[MD5_zdtczqMD3_bytes](https://github.com/search?q=MD5_zdtczqMD3_bytes&type=code)
[MD5_zdtczqMD5_closur](https://github.com/search?q=MD5_zdtczqMD5_closur&type=code)
[MD5_zdtrModule1_clos](https://github.com/search?q=MD5_zdtrModule1_clos&type=code)
[MD5_zdtrModule2_byte](https://github.com/search?q=MD5_zdtrModule2_byte&type=code)
[MD5_zdtrModule3_clos](https://github.com/search?q=MD5_zdtrModule3_clos&type=code)
[MD5_zdtrModule4_byte](https://github.com/search?q=MD5_zdtrModule4_byte&type=code)
[MD5_zdtrModule_closu](https://github.com/search?q=MD5_zdtrModule_closu&type=code)
[MD5_zdwzdcgmapMo_clo](https://github.com/search?q=MD5_zdwzdcgmapMo_clo&type=code)
[MD5_zdwzdcgmapMo_inf](https://github.com/search?q=MD5_zdwzdcgmapMo_inf&type=code)
[MD5_zdwzdcgmapMp_clo](https://github.com/search?q=MD5_zdwzdcgmapMp_clo&type=code)
[MD5_zdwzdcgmapMp_inf](https://github.com/search?q=MD5_zdwzdcgmapMp_inf&type=code) | -| LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | -| LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | -| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | -| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | -| LOW | [discover/system/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) | -| LOW | [discover/system/dmesg](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/dmesg.yara#dmesg) | accesses the kernel log ring buffer | [dmesg](https://github.com/search?q=dmesg&type=code) | -| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | -| LOW | [discover/system/machine_id](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/machine_id.yara#machineid) | Gets a unique machineid for the host | [machineid](https://github.com/search?q=machineid&type=code) | -| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/APPDATA](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/APPDATA.yara#APPDATA) | Looks up the application data directory for the current user | [APPDATA](https://github.com/search?q=APPDATA&type=code) | -| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the 
current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) | -| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | -| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Plugin_Abstract](https://github.com/search?q=Plugin_Abstract&type=code)
[QAccessiblePlugin](https://github.com/search?q=QAccessiblePlugin&type=code)
[QAudioSystemPlugin](https://github.com/search?q=QAudioSystemPlugin&type=code)
[QGenericPluginFactory](https://github.com/search?q=QGenericPluginFactory&type=code)
[QIconEnginePlugin](https://github.com/search?q=QIconEnginePlugin&type=code)
[QImageIOPlugin](https://github.com/search?q=QImageIOPlugin&type=code)
[QMediaServiceProviderPlugin](https://github.com/search?q=QMediaServiceProviderPlugin&type=code)
[QPictureFormatPlugin](https://github.com/search?q=QPictureFormatPlugin&type=code)
[QPluginLoader](https://github.com/search?q=QPluginLoader&type=code)
[QQmlEngineExtensionPlugin](https://github.com/search?q=QQmlEngineExtensionPlugin&type=code)
[QQmlExtensionPlugin](https://github.com/search?q=QQmlExtensionPlugin&type=code)
[QScriptExtensionPlugin](https://github.com/search?q=QScriptExtensionPlugin&type=code)
[QSqlDriverPlugin](https://github.com/search?q=QSqlDriverPlugin&type=code)
[QStaticPlugin](https://github.com/search?q=QStaticPlugin&type=code)
[QStylePlugin](https://github.com/search?q=QStylePlugin&type=code)
[QTextToSpeechPlugin](https://github.com/search?q=QTextToSpeechPlugin&type=code)
[QVirtualKeyboardExtensionPlugin](https://github.com/search?q=QVirtualKeyboardExtensionPlugin&type=code)
[addCorePlugin_closure](https://github.com/search?q=addCorePlugin_closure&type=code)
[addCorePlugin_info](https://github.com/search?q=addCorePlugin_info&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[js plugins](https://github.com/search?q=js+plugins&type=code)
[msession_plugin](https://github.com/search?q=msession_plugin&type=code)
[mysqlnd_uh_server_option_plugin_dir](https://github.com/search?q=mysqlnd_uh_server_option_plugin_dir&type=code)
[plugin_abstract](https://github.com/search?q=plugin_abstract&type=code)
[plugin_path](https://github.com/search?q=plugin_path&type=code)
[qAddCorePlugin_closure](https://github.com/search?q=qAddCorePlugin_closure&type=code)
[qAddCorePlugin_info](https://github.com/search?q=qAddCorePlugin_info&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | -| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectory](https://github.com/search?q=CreateDirectory&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [removeDirectory](https://github.com/search?q=removeDirectory&type=code)
[rmdir](https://github.com/search?q=rmdir&type=code) | -| LOW | [fs/fifo_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/fifo-create.yara#mkfifo) | make a FIFO special file (a named pipe) | [mkfifo](https://github.com/search?q=mkfifo&type=code) | -| LOW | [fs/file/capabilities_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-capabilities-set.yara#setfcap) | [Set file capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) | [setcap](https://github.com/search?q=setcap&type=code) | -| LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm --](https://github.com/search?q=rm++--&type=code) | -| LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#java_open) | opens files | [openFile](https://github.com/search?q=openFile&type=code) | -| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | -| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code)
[os.rename](https://github.com/search?q=os.rename&type=code)
[renameFile](https://github.com/search?q=renameFile&type=code) | -| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate](https://github.com/search?q=ftruncate&type=code) | -| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [29762_TextziXML_writeFile1_closure](https://github.com/search?q=29762_TextziXML_writeFile1_closure&type=code)
[29762_TextziXML_writeFile1_info](https://github.com/search?q=29762_TextziXML_writeFile1_info&type=code)
[29762_TextziXML_writeFile2_closure](https://github.com/search?q=29762_TextziXML_writeFile2_closure&type=code)
[29762_TextziXML_writeFile2_info](https://github.com/search?q=29762_TextziXML_writeFile2_info&type=code)
[29762_TextziXML_writeFile3_closure](https://github.com/search?q=29762_TextziXML_writeFile3_closure&type=code)
[29762_TextziXML_writeFile3_info](https://github.com/search?q=29762_TextziXML_writeFile3_info&type=code)
[29762_TextziXML_writeFile_closure](https://github.com/search?q=29762_TextziXML_writeFile_closure&type=code)
[29762_TextziXML_writeFile_info](https://github.com/search?q=29762_TextziXML_writeFile_info&type=code)
[29762_TextziXML_writeFilezugoRight_closure](https://github.com/search?q=29762_TextziXML_writeFilezugoRight_closure&type=code)
[29762_TextziXML_writeFilezugoRight_info](https://github.com/search?q=29762_TextziXML_writeFilezugoRight_info&type=code)
[StringziBuilder_writeFile1_closure](https://github.com/search?q=StringziBuilder_writeFile1_closure&type=code)
[StringziBuilder_writeFile1_info](https://github.com/search?q=StringziBuilder_writeFile1_info&type=code)
[StringziBuilder_writeFile_closure](https://github.com/search?q=StringziBuilder_writeFile_closure&type=code)
[StringziBuilder_writeFile_info](https://github.com/search?q=StringziBuilder_writeFile_info&type=code)
[XMLziUnresolved_writeFile1_closure](https://github.com/search?q=XMLziUnresolved_writeFile1_closure&type=code)
[XMLziUnresolved_writeFile1_info](https://github.com/search?q=XMLziUnresolved_writeFile1_info&type=code)
[XMLziUnresolved_writeFile2_closure](https://github.com/search?q=XMLziUnresolved_writeFile2_closure&type=code)
[XMLziUnresolved_writeFile2_info](https://github.com/search?q=XMLziUnresolved_writeFile2_info&type=code)
[XMLziUnresolved_writeFile3_closure](https://github.com/search?q=XMLziUnresolved_writeFile3_closure&type=code)
[XMLziUnresolved_writeFile3_info](https://github.com/search?q=XMLziUnresolved_writeFile3_info&type=code)
[XMLziUnresolved_writeFile_closure](https://github.com/search?q=XMLziUnresolved_writeFile_closure&type=code)
[XMLziUnresolved_writeFile_info](https://github.com/search?q=XMLziUnresolved_writeFile_info&type=code)
[XMLziUnresolved_writeFilezugoRight_closure](https://github.com/search?q=XMLziUnresolved_writeFilezugoRight_closure&type=code)
[XMLziUnresolved_writeFilezugoRight_info](https://github.com/search?q=XMLziUnresolved_writeFilezugoRight_info&type=code)
[_DataziTextziIO_writeFile1_closure](https://github.com/search?q=_DataziTextziIO_writeFile1_closure&type=code)
[_DataziTextziIO_writeFile1_info](https://github.com/search?q=_DataziTextziIO_writeFile1_info&type=code)
[_DataziTextziIO_writeFile_closure](https://github.com/search?q=_DataziTextziIO_writeFile_closure&type=code)
[_DataziTextziIO_writeFile_info](https://github.com/search?q=_DataziTextziIO_writeFile_info&type=code)
[ataziByteString_writeFile1_closure](https://github.com/search?q=ataziByteString_writeFile1_closure&type=code)
[ataziByteString_writeFile1_info](https://github.com/search?q=ataziByteString_writeFile1_info&type=code)
[ataziByteString_writeFile_closure](https://github.com/search?q=ataziByteString_writeFile_closure&type=code)
[ataziByteString_writeFile_info](https://github.com/search?q=ataziByteString_writeFile_info&type=code)
[base_SystemziIO_writeFile1_closure](https://github.com/search?q=base_SystemziIO_writeFile1_closure&type=code)
[base_SystemziIO_writeFile1_info](https://github.com/search?q=base_SystemziIO_writeFile1_info&type=code)
[base_SystemziIO_writeFile_closure](https://github.com/search?q=base_SystemziIO_writeFile_closure&type=code)
[base_SystemziIO_writeFile_info](https://github.com/search?q=base_SystemziIO_writeFile_info&type=code)
[teStringziLazzy_writeFile1_closure](https://github.com/search?q=teStringziLazzy_writeFile1_closure&type=code)
[teStringziLazzy_writeFile1_info](https://github.com/search?q=teStringziLazzy_writeFile1_info&type=code)
[teStringziLazzy_writeFile_closure](https://github.com/search?q=teStringziLazzy_writeFile_closure&type=code)
[teStringziLazzy_writeFile_info](https://github.com/search?q=teStringziLazzy_writeFile_info&type=code)
[tziPandocziUTF8_writeFile1_closure](https://github.com/search?q=tziPandocziUTF8_writeFile1_closure&type=code)
[tziPandocziUTF8_writeFile1_info](https://github.com/search?q=tziPandocziUTF8_writeFile1_info&type=code)
[tziPandocziUTF8_writeFileWith1_closure](https://github.com/search?q=tziPandocziUTF8_writeFileWith1_closure&type=code)
[tziPandocziUTF8_writeFileWith1_info](https://github.com/search?q=tziPandocziUTF8_writeFileWith1_info&type=code)
[tziPandocziUTF8_writeFileWith_closure](https://github.com/search?q=tziPandocziUTF8_writeFileWith_closure&type=code)
[tziPandocziUTF8_writeFileWith_info](https://github.com/search?q=tziPandocziUTF8_writeFileWith_info&type=code)
[tziPandocziUTF8_writeFile_closure](https://github.com/search?q=tziPandocziUTF8_writeFile_closure&type=code)
[tziPandocziUTF8_writeFile_info](https://github.com/search?q=tziPandocziUTF8_writeFile_info&type=code)
[writeEventLogFileNoop](https://github.com/search?q=writeEventLogFileNoop&type=code)
[ystemziIOziTemp_writeTempFile1_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile1_closure&type=code)
[ystemziIOziTemp_writeTempFile2_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile2_closure&type=code)
[ystemziIOziTemp_writeTempFile3_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile3_closure&type=code)
[ystemziIOziTemp_writeTempFile4_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile4_closure&type=code)
[ystemziIOziTemp_writeTempFile5_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile5_closure&type=code)
[ystemziIOziTemp_writeTempFile_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile_closure&type=code)
[ystemziIOziTemp_writeTempFile_info](https://github.com/search?q=ystemziIOziTemp_writeTempFile_info&type=code) | -| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | -| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | -| LOW | [fs/node_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod) | [create device files](https://man7.org/linux/man-pages/man2/mknod.2.html) | [mknod](https://github.com/search?q=mknod&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/mtab](https://github.com/search?q=%2Fetc%2Fmtab&type=code)
[/etc/security/cacerts/](https://github.com/search?q=%2Fetc%2Fsecurity%2Fcacerts%2F&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/ssl/certs/](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts%2F&type=code) | -| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/pandoc/3.5/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fpandoc%2F3.5%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/zlib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fzlib%2Flib&type=code) | -| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | -| LOW | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#fchown) | May change file ownership | [fchown](https://github.com/search?q=fchown&type=code) | -| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | -| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | -| LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [mktemp](https://github.com/search?q=mktemp&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | -| LOW | [fs/unmount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/unmount.yara#umount) | unmount file system | [umount](https://github.com/search?q=umount&type=code) | -| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | -| LOW | [hw/iokit_registry](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/iokit-registry.yara#IORegistry) | access IOKit device driver registry | [IORegistry](https://github.com/search?q=IORegistry&type=code) | -| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | -| LOW | [net/ftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ftp/ftp.yara#ftp) | File Transfer Protocol (FTP) | [EPSV](https://github.com/search?q=EPSV&type=code) | -| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | -| LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | -| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[Www-Authenticate](https://github.com/search?q=Www-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | -| LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[HttpURLConnection](https://github.com/search?q=HttpURLConnection&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code) | -| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | -| LOW | [net/ip/resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-resolve.yara#gethostbyaddr) | [resolves network hosts via IP address](https://linux.die.net/man/3/gethostbyaddr) | [gethostbyaddr](https://github.com/search?q=gethostbyaddr&type=code) | -| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) | -| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | -| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [client_addr](https://github.com/search?q=client_addr&type=code)
[getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | -| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | -| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) | -| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | -| LOW | [process/alarm](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/alarm.yara#alarm) | [set an alarm clock for delivery of a signal](https://man7.org/linux/man-pages/man2/alarm.2.html) | [alarm](https://github.com/search?q=alarm&type=code) | -| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd](https://github.com/search?q=cd&type=code) | -| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | -| LOW | [process/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#CreateProcess) | create a new process | [CreateProcess1_closur](https://github.com/search?q=CreateProcess1_closur&type=code)
[CreateProcess1_info](https://github.com/search?q=CreateProcess1_info&type=code)
[CreateProcess2_bytes](https://github.com/search?q=CreateProcess2_bytes&type=code)
[CreateProcess2_closur](https://github.com/search?q=CreateProcess2_closur&type=code)
[CreateProcess2_info](https://github.com/search?q=CreateProcess2_info&type=code)
[CreateProcess3_bytes](https://github.com/search?q=CreateProcess3_bytes&type=code)
[CreateProcess3_closur](https://github.com/search?q=CreateProcess3_closur&type=code)
[CreateProcess3_info](https://github.com/search?q=CreateProcess3_info&type=code)
[CreateProcess4_closur](https://github.com/search?q=CreateProcess4_closur&type=code)
[CreateProcess4_info](https://github.com/search?q=CreateProcess4_info&type=code)
[CreateProcess5_closur](https://github.com/search?q=CreateProcess5_closur&type=code)
[CreateProcess6_bytes](https://github.com/search?q=CreateProcess6_bytes&type=code)
[CreateProcessWithExit](https://github.com/search?q=CreateProcessWithExit&type=code)
[CreateProcessZCchildz](https://github.com/search?q=CreateProcessZCchildz&type=code)
[CreateProcessZCclosez](https://github.com/search?q=CreateProcessZCclosez&type=code)
[CreateProcessZCcmdspe](https://github.com/search?q=CreateProcessZCcmdspe&type=code)
[CreateProcessZCcreate](https://github.com/search?q=CreateProcessZCcreate&type=code)
[CreateProcessZCcwd_cl](https://github.com/search?q=CreateProcessZCcwd_cl&type=code)
[CreateProcessZCcwd_in](https://github.com/search?q=CreateProcessZCcwd_in&type=code)
[CreateProcessZCdelega](https://github.com/search?q=CreateProcessZCdelega&type=code)
[CreateProcessZCdetach](https://github.com/search?q=CreateProcessZCdetach&type=code)
[CreateProcessZCenv_cl](https://github.com/search?q=CreateProcessZCenv_cl&type=code)
[CreateProcessZCenv_in](https://github.com/search?q=CreateProcessZCenv_in&type=code)
[CreateProcessZCnewzus](https://github.com/search?q=CreateProcessZCnewzus&type=code)
[CreateProcessZCstdzue](https://github.com/search?q=CreateProcessZCstdzue&type=code)
[CreateProcessZCstdzui](https://github.com/search?q=CreateProcessZCstdzui&type=code)
[CreateProcessZCstdzuo](https://github.com/search?q=CreateProcessZCstdzuo&type=code)
[CreateProcessZCusezup](https://github.com/search?q=CreateProcessZCusezup&type=code)
[CreateProcess_closure](https://github.com/search?q=CreateProcess_closure&type=code)
[CreateProcess_con_inf](https://github.com/search?q=CreateProcess_con_inf&type=code)
[CreateProcess_info](https://github.com/search?q=CreateProcess_info&type=code)
[CreateProcess_slow](https://github.com/search?q=CreateProcess_slow&type=code)
[CreateProcesszugo1_cl](https://github.com/search?q=CreateProcesszugo1_cl&type=code)
[CreateProcesszugo1_in](https://github.com/search?q=CreateProcesszugo1_in&type=code)
[CreateProcesszuzdcsho](https://github.com/search?q=CreateProcesszuzdcsho&type=code)
[CreateProcesszuzdczez](https://github.com/search?q=CreateProcesszuzdczez&type=code)
[CreateProcesszuzdczsz](https://github.com/search?q=CreateProcesszuzdczsz&type=code) | -| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | -| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | -| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | -| LOW | [process/namespace_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/namespace-set.yara#setns) | associate thread or process with a namespace | [setns](https://github.com/search?q=setns&type=code) | -| LOW | [process/unshare](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare) | disassociate parts of the process execution context | [unshare](https://github.com/search?q=unshare&type=code) | - diff --git a/tests/linux/clean/pulumi.simple b/tests/linux/clean/pulumi.simple index 8b17cd939..e69de29bb 100644 --- a/tests/linux/clean/pulumi.simple +++ b/tests/linux/clean/pulumi.simple 
@@ -1,159 +0,0 @@ -# linux/clean/pulumi: medium -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/server: medium -c2/addr/url: low -c2/client: medium -c2/tool_transfer/arch: low -c2/tool_transfer/download: medium -c2/tool_transfer/os: medium -collect/archives/zip: medium -collect/code/github_api: low -collect/databases/mysql: medium -collect/databases/postgresql: medium -credential/clipboard: medium -credential/cloud/g: medium -credential/keychain: medium -credential/password: low -credential/ssl/private_key: low -crypto/aes: low -crypto/blockchain: medium -crypto/cipher: medium -crypto/decrypt: low -crypto/ecdsa: low -crypto/ed25519: low -crypto/public_key: low -crypto/tls: low -data/compression/bzip2: low -data/compression/gzip: low -data/compression/zlib: low -data/embedded/html: medium -data/embedded/pem_certificate: low -data/embedded/pem_test_key: low -data/embedded/ssh_signature: medium -data/encoding/base64: low -data/encoding/json: low -data/encoding/json_decode: low -data/encoding/json_encode: low -data/hash/blake2b: low -data/hash/md5: low -data/hash/sha1: low -data/hash/sha256: low -data/random/insecure: low -discover/cloud/aws_metadata: low -discover/cloud/google_metadata: low -discover/cloud/google_storage: low -discover/group/lookup: medium -discover/network/mac_address: medium -discover/process/parent: low -discover/process/working_directory: low -discover/processes/list: medium -discover/system/cpu: low -discover/system/hostname: low -discover/system/platform: medium -discover/system/sysinfo: medium -discover/user/HOME: low -discover/user/USER: low -discover/user/name_get: medium -evasion/file/prefix: medium -exec/cmd: medium -exec/conditional/LANG: low -exec/install_additional/pip_install: medium -exec/plugin: low -exec/program: medium -exec/program/background: low -exec/script/osa: medium -exec/shell/SHELL: low -exec/shell/TERM: low -exec/shell/background_sleep: medium -exec/shell/exec: medium -exec/shell/pipe_sh: medium 
-exec/system_controls/systemd: low -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/fifo_create: low -fs/file/copy: medium -fs/file/create: medium -fs/file/delete: medium -fs/file/delete_forcibly: low -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/times_set: medium -fs/file/write: low -fs/link_read: low -fs/lock_update: low -fs/mount: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/home_config: low -fs/path/root: medium -fs/path/usr_bin: low -fs/path/var: low -fs/permission/chown: medium -fs/permission/modify: medium -fs/swap/off: low -fs/symlink_resolve: low -fs/tempdir: low -fs/tempdir/TEMP: low -fs/tempdir/TMPDIR: low -fs/tempdir/create: low -fs/tempfile: low -hw/wireless: low -impact/remote_access/heartbeat: medium -lateral/scan/tool: medium -net/dns: low -net/dns/reverse: medium -net/dns/servers: low -net/dns/txt: low -net/download: medium -net/download/fetch: medium -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/content_length: medium -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/http/websocket: medium -net/ip: low -net/ip/host_port: medium -net/ip/icmp: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/ip/resolve: low -net/proxy/socks5: medium -net/resolve/hostname: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/pair: medium -net/socket/peer_address: low -net/socket/receive: low -net/socket/send: low -net/tcp/connect: medium -net/tcp/grpc: low -net/tcp/ssh: medium -net/udp/receive: low -net/udp/send: low -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -net/webrtc: medium -os/env/get: low -os/fd/sendfile: low -os/kernel/netlink: low -persist/kernel_module/unload: medium -persist/pid_file: medium -privesc/sudo: medium -process/chroot: 
low -sus/exclamation: medium -sus/intercept: medium -sus/lang: medium -sus/leetspeak: medium diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md index 89d44ca7c..e69de29bb 100644 --- a/tests/linux/clean/slack.md +++ b/tests/linux/clean/slack.md @@ -1,193 +0,0 @@ -## linux/clean/slack [🟡 MEDIUM] - -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| -| MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | -| MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) | -| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | -| MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) | -| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s)
[https://%s](https://%s) | -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[endpoint_port](https://github.com/search?q=endpoint_port&type=code)
[firstIp](https://github.com/search?q=firstIp&type=code)
[hIp](https://github.com/search?q=hIp&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[multi_port](https://github.com/search?q=multi_port&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[pIp](https://github.com/search?q=pIp&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[quiche_ip](https://github.com/search?q=quiche_ip&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[required_ip](https://github.com/search?q=required_ip&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[xIp](https://github.com/search?q=xIp&type=code)
[yoIp](https://github.com/search?q=yoIp&type=code) | -| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [server_address_](https://github.com/search?q=server_address_&type=code) | -| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) | -| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.4.4](https://github.com/search?q=8.8.4.4&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | -| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) | -| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [FrameDropper](https://github.com/search?q=FrameDropper&type=code)
[eye_dropper](https://github.com/search?q=eye_dropper&type=code)
[openEyeDropper](https://github.com/search?q=openEyeDropper&type=code) | -| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | -| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip_writer](https://github.com/search?q=zip_writer&type=code) | -| MEDIUM | [collect/databases/leveldb](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/leveldb.yara#leveldb) | accesses LevelDB databases | [LEVELDB_DATABASE](https://github.com/search?q=LEVELDB_DATABASE&type=code)
[LEVELDB_ITERATOR](https://github.com/search?q=LEVELDB_ITERATOR&type=code)
[LEVELDB_TRANSACTION](https://github.com/search?q=LEVELDB_TRANSACTION&type=code)
[LevelDBEnv](https://github.com/search?q=LevelDBEnv&type=code)
[LevelDBIH](https://github.com/search?q=LevelDBIH&type=code)
[LevelDBIterator](https://github.com/search?q=LevelDBIterator&type=code)
[LevelDBOpenErrors](https://github.com/search?q=LevelDBOpenErrors&type=code)
[LevelDBPartitionedLock](https://github.com/search?q=LevelDBPartitionedLock&type=code)
[LevelDBReadErrors](https://github.com/search?q=LevelDBReadErrors&type=code)
[LevelDBScopesKey](https://github.com/search?q=LevelDBScopesKey&type=code)
[LevelDBScopesMetadata](https://github.com/search?q=LevelDBScopesMetadata&type=code)
[LevelDBScopesUndoTask](https://github.com/search?q=LevelDBScopesUndoTask&type=code)
[LevelDBTransaction](https://github.com/search?q=LevelDBTransaction&type=code)
[LevelDBWrapper](https://github.com/search?q=LevelDBWrapper&type=code)
[LevelDBWriteErrors](https://github.com/search?q=LevelDBWriteErrors&type=code)
[MojoLevelDB](https://github.com/search?q=MojoLevelDB&type=code)
[OpenAndVerifyLevelDBDatabase](https://github.com/search?q=OpenAndVerifyLevelDBDatabase&type=code)
[OpenLevelDBScopes](https://github.com/search?q=OpenLevelDBScopes&type=code)
[indexed_db_leveldb_operations](https://github.com/search?q=indexed_db_leveldb_operations&type=code)
[lazy_leveldb](https://github.com/search?q=lazy_leveldb&type=code)
[leveldbH](https://github.com/search?q=leveldbH&type=code)
[leveldb_0x](https://github.com/search?q=leveldb_0x&type=code)
[leveldb_chrome](https://github.com/search?q=leveldb_chrome&type=code)
[leveldb_database](https://github.com/search?q=leveldb_database&type=code)
[leveldb_proto](https://github.com/search?q=leveldb_proto&type=code)
[leveldb_scopes](https://github.com/search?q=leveldb_scopes&type=code)
[leveldb_value_store](https://github.com/search?q=leveldb_value_store&type=code)
[proto_leveldb_wrapper](https://github.com/search?q=proto_leveldb_wrapper&type=code)
[transactional_leveldb_iterator](https://github.com/search?q=transactional_leveldb_iterator&type=code) | -| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) | -| MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) | -| MEDIUM | [credential/sniffer/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/sniffer/bpf.yara#sniffer_bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | -| MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [.ssh](https://github.com/search?q=.ssh&type=code) | -| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | -| MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | -| MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | [#"!](https://github.com/search?q=%23%22%21&type=code)
$opt0
$opt1
$opt2
$opt30
$opt4
$opt5
$opt6
$opt7
['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[3210](https://github.com/search?q=3210&type=code)
[7654](https://github.com/search?q=7654&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[onml](https://github.com/search?q=onml&type=code)
[srqp](https://github.com/search?q=srqp&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[](https://github.com/search?q=%83%82%81%80&type=code)
[](https://github.com/search?q=%87%86%85%84&type=code)
[](https://github.com/search?q=%8B%8A%89%88&type=code)
[](https://github.com/search?q=%8F%8E%8D%8C&type=code)
[](https://github.com/search?q=%93%92%91%90&type=code)
[](https://github.com/search?q=%97%96%95%94&type=code)
[](https://github.com/search?q=%9B%9A%99%98&type=code)
[](https://github.com/search?q=%9F%9E%9D%9C&type=code)
[](https://github.com/search?q=%A3%A2%A1%A0&type=code)
[](https://github.com/search?q=%A7%A6%A5%A4&type=code)
[](https://github.com/search?q=%AB%AA%A9%A8&type=code)
[](https://github.com/search?q=%AF%AE%AD%AC&type=code)
[](https://github.com/search?q=%B3%B2%B1%B0&type=code)
[](https://github.com/search?q=%B7%B6%B5%B4&type=code)
[](https://github.com/search?q=%BB%BA%B9%B8&type=code)
[](https://github.com/search?q=%BF%BE%BD%BC&type=code)
[](https://github.com/search?q=%C3%C2%C1%C0&type=code)
[](https://github.com/search?q=%C7%C6%C5%C4&type=code)
[](https://github.com/search?q=%CB%CA%C9%C8&type=code)
[](https://github.com/search?q=%CF%CE%CD%CC&type=code)
[](https://github.com/search?q=%D3%D2%D1%D0&type=code)
[](https://github.com/search?q=%D7%D6%D5%D4&type=code)
[](https://github.com/search?q=%DB%DA%D9%D8&type=code)
[](https://github.com/search?q=%DF%DE%DD%DC&type=code)
[](https://github.com/search?q=%E3%E2%E1%E0&type=code)
[](https://github.com/search?q=%E7%E6%E5%E4&type=code)
[](https://github.com/search?q=%EB%EA%E9%E8&type=code)
[](https://github.com/search?q=%EF%EE%ED%EC&type=code)
[](https://github.com/search?q=%F3%F2%F1%F0&type=code)
[](https://github.com/search?q=%F7%F6%F5%F4&type=code)
[](https://github.com/search?q=%FB%FA%F9%F8&type=code)
[](https://github.com/search?q=%FF%FE%FD%FC&type=code) | -| MEDIUM | [crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid) | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | -| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [DRVJUSUZJQ0FUR::$CERTIFICATE](https://github.com/search?q=DRVJUSUZJQ0FUR%3A%3A%24CERTIFICATE&type=code)
[Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[RpcmVjdG9ye::$directory](https://github.com/search?q=RpcmVjdG9ye%3A%3A%24directory&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | -| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) | -| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | -| MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code)
[networkInterfaces](https://github.com/search?q=networkInterfaces&type=code) | -| MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [macAddress](https://github.com/search?q=macAddress&type=code) | -| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | -| MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | -| MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | -| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | -| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) | -| MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | -| MEDIUM | [evasion/file/location/dev_shm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/dev-shm.yara#dev_shm) | references path within /dev/shm (world writeable) | [/dev/shm/](https://github.com/search?q=%2Fdev%2Fshm%2F&type=code) | -| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/usr/lib/debug/.build-id](https://github.com/search?q=%2Fusr%2Flib%2Fdebug%2F.build-id&type=code) | -| MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code)
[vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code) | -| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | -| MEDIUM | [exec/shell/pipe_sh](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/pipe_sh.yara#pipe_to_shell) | pipes to shell | [| sh](https://github.com/search?q=%7C+sh&type=code) | -| MEDIUM | [exec/tty/pathname](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/pathname.yara#ttyname) | returns the pathname of a terminal device | [ttyname](https://github.com/search?q=ttyname&type=code) | -| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | -| MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#google_drive) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [drive.google.com/](https://github.com/search?q=drive.google.com%2F&type=code)
[drive.google.comtabs](https://github.com/search?q=drive.google.comtabs&type=code) | -| MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy) | copy files using cp | [copyFile](https://github.com/search?q=copyFile&type=code) | -| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileAndStart](https://github.com/search?q=CreateFileAndStart&type=code)
[CreateFileAndWrite](https://github.com/search?q=CreateFileAndWrite&type=code)
[CreateFileHelper](https://github.com/search?q=CreateFileHelper&type=code)
[CreateFileOpenDial](https://github.com/search?q=CreateFileOpenDial&type=code)
[CreateFileToTrunca](https://github.com/search?q=CreateFileToTrunca&type=code)
[CreateFileURLLoade](https://github.com/search?q=CreateFileURLLoade&type=code)
[CreateFileWriterIm](https://github.com/search?q=CreateFileWriterIm&type=code) | -| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFileCallback](https://github.com/search?q=DeleteFileCallback&type=code)
[DeleteFileError](https://github.com/search?q=DeleteFileError&type=code)
[DeleteFileOnFileSe](https://github.com/search?q=DeleteFileOnFileSe&type=code) | -| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utimes](https://github.com/search?q=utimes&type=code) | -| MEDIUM | [fs/path/etc_hosts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts) | references /etc/hosts | [/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) | -| MEDIUM | [fs/path/root](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/root.yara#root_path_val) | path reference within /root | [/root/root.js](https://github.com/search?q=%2Froot%2Froot.js&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/__v8_gc__](https://github.com/search?q=%2Ftmp%2F__v8_gc__&type=code)
[/tmp/node-repl-sock](https://github.com/search?q=%2Ftmp%2Fnode-repl-sock&type=code)
[/tmp/perfetto-consumer](https://github.com/search?q=%2Ftmp%2Fperfetto-consumer&type=code)
[/tmp/perfetto-producer](https://github.com/search?q=%2Ftmp%2Fperfetto-producer&type=code) | -| MEDIUM | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown) | Changes file ownership | [Chown](https://github.com/search?q=Chown&type=code) | -| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [Chmod](https://github.com/search?q=Chmod&type=code)
[chmod](https://github.com/search?q=chmod&type=code) | -| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/$](https://github.com/search?q=%2Fproc%2F%24&type=code)
[/proc/%d/task/](https://github.com/search?q=%2Fproc%2F%25d%2Ftask%2F&type=code) | -| MEDIUM | [fs/proc/cpuinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/cpuinfo.yara#proc_cpuinfo) | get CPU info | [/proc/cpuinfo](https://github.com/search?q=%2Fproc%2Fcpuinfo&type=code) | -| MEDIUM | [fs/proc/meminfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/meminfo.yara#proc_meminfo_val) | get memory info | [/proc/meminfo](https://github.com/search?q=%2Fproc%2Fmeminfo&type=code) | -| MEDIUM | [fs/proc/self_cgroup](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cgroup.yara#pid_self_cgroup) | accesses /proc files within own cgroup | [/proc/self/cgroup/sys/fs/cgroupcgroup](https://github.com/search?q=%2Fproc%2Fself%2Fcgroup%2Fsys%2Ffs%2Fcgroupcgroup&type=code) | -| MEDIUM | [fs/proc/self_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cmdline.yara#proc_self_cmdline) | gets process command-line | [/proc/self/cmdline](https://github.com/search?q=%2Fproc%2Fself%2Fcmdline&type=code) | -| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | -| MEDIUM | [fs/proc/self_mountinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-mountinfo.yara#proc_self_mountinfo) | gets mount info associated to this process | [/proc/self/mountinfo](https://github.com/search?q=%2Fproc%2Fself%2Fmountinfo&type=code) | -| MEDIUM | [fs/proc/self_status](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-status.yara#proc_self_status) | gets status associated to this process, including capabilities | [/proc/self/status](https://github.com/search?q=%2Fproc%2Fself%2Fstatus&type=code) | -| MEDIUM | 
[fs/proc/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/stat.yara#proc_stat) | gets kernel/system statistics | [/proc/stat](https://github.com/search?q=%2Fproc%2Fstat&type=code) | -| MEDIUM | [hw/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/cpu.yara#sys_devices_cpu) | Get information about CPUs | [/sys/devices/system/cpu](https://github.com/search?q=%2Fsys%2Fdevices%2Fsystem%2Fcpu&type=code) | -| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [Failed to deserialized Heartbeat info pa](https://github.com/search?q=Failed+to+deserialized+Heartbeat+info+pa&type=code)
[Invalid heartbeat info:](https://github.com/search?q=Invalid+heartbeat+info%3A&type=code)
[No Heartbeat Info pa](https://github.com/search?q=No+Heartbeat+Info+pa&type=code)
[PostHeartbeatTask](https://github.com/search?q=PostHeartbeatTask&type=code)
[heartbeat_handler](https://github.com/search?q=heartbeat_handler&type=code) | -| MEDIUM | [lateral/scan/target_ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/target_ip.yara#target_ip) | References a target IP | [target IP](https://github.com/search?q=target+IP&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code) | -| MEDIUM | [malware/ref](https://github.com/chainguard-dev/malcontent/blob/main/rules/malware/ref.yara#malware) | mentions 'malware' | [_malware](https://github.com/search?q=_malware&type=code) | -| MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | -| MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [DnsOverHttps](https://github.com/search?q=DnsOverHttps&type=code)
[application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) | -| MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | -| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | -| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | -| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type header.](https://github.com/search?q=Content-Type+header.&type=code)
[Content-Type too large](https://github.com/search?q=Content-Type+too+large&type=code)
[Content-Type was not one of](https://github.com/search?q=Content-Type+was+not+one+of&type=code)
[Content-Type: application/json](https://github.com/search?q=Content-Type%3A+application%2Fjson&type=code)
[Content-Type: application/octet](https://github.com/search?q=Content-Type%3A+application%2Foctet&type=code)
[Content-Type: multipart/related](https://github.com/search?q=Content-Type%3A+multipart%2Frelated&type=code)
[Content-Type: text/html](https://github.com/search?q=Content-Type%3A+text%2Fhtml&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[AcceptWebSocket](https://github.com/search?q=AcceptWebSocket&type=code)
[DOMWebSocket](https://github.com/search?q=DOMWebSocket&type=code)
[EnclaveWebSocketClient](https://github.com/search?q=EnclaveWebSocketClient&type=code)
[OnWebSocketMessage](https://github.com/search?q=OnWebSocketMessage&type=code)
[OnWebSocketRequest](https://github.com/search?q=OnWebSocketRequest&type=code)
[ServerSupportsWebSocket](https://github.com/search?q=ServerSupportsWebSocket&type=code)
[WebSocket::Close](https://github.com/search?q=WebSocket%3A%3AClose&type=code)
[WebSocket::Connect](https://github.com/search?q=WebSocket%3A%3AConnect&type=code)
[WebSocket::Create](https://github.com/search?q=WebSocket%3A%3ACreate&type=code)
[WebSocket::GetBufferedAmount](https://github.com/search?q=WebSocket%3A%3AGetBufferedAmount&type=code)
[WebSocket::GetCloseCode](https://github.com/search?q=WebSocket%3A%3AGetCloseCode&type=code)
[WebSocket::GetCloseReason](https://github.com/search?q=WebSocket%3A%3AGetCloseReason&type=code)
[WebSocket::GetCloseWasClean](https://github.com/search?q=WebSocket%3A%3AGetCloseWasClean&type=code)
[WebSocket::GetExtensions](https://github.com/search?q=WebSocket%3A%3AGetExtensions&type=code)
[WebSocket::GetProtocol](https://github.com/search?q=WebSocket%3A%3AGetProtocol&type=code)
[WebSocket::GetReadyState](https://github.com/search?q=WebSocket%3A%3AGetReadyState&type=code)
[WebSocket::GetURL](https://github.com/search?q=WebSocket%3A%3AGetURL&type=code)
[WebSocket::IsWebSocket](https://github.com/search?q=WebSocket%3A%3AIsWebSocket&type=code)
[WebSocket::ReceiveMessage](https://github.com/search?q=WebSocket%3A%3AReceiveMessage&type=code)
[WebSocket::SendMessage](https://github.com/search?q=WebSocket%3A%3ASendMessage&type=code)
[WebSocketAdapter](https://github.com/search?q=WebSocketAdapter&type=code)
[WebSocketAuthenticationHandler](https://github.com/search?q=WebSocketAuthenticationHandler&type=code)
[WebSocketChannelImpl](https://github.com/search?q=WebSocketChannelImpl&type=code)
[WebSocketCloseInfo](https://github.com/search?q=WebSocketCloseInfo&type=code)
[WebSocketConnector](https://github.com/search?q=WebSocketConnector&type=code)
[WebSocketCreate](https://github.com/search?q=WebSocketCreate&type=code)
[WebSocketDestroy](https://github.com/search?q=WebSocketDestroy&type=code)
[WebSocketError](https://github.com/search?q=WebSocketError&type=code)
[WebSocketHTTPURL](https://github.com/search?q=WebSocketHTTPURL&type=code)
[WebSocketHandshakeClient](https://github.com/search?q=WebSocketHandshakeClient&type=code)
[WebSocketInit](https://github.com/search?q=WebSocketInit&type=code)
[WebSocketMessageChunkAccumulator::Segment](https://github.com/search?q=WebSocketMessageChunkAccumulator%3A%3ASegment&type=code)
[WebSocketReceiveHandshakeResponse](https://github.com/search?q=WebSocketReceiveHandshakeResponse&type=code)
[WebSocketSendData](https://github.com/search?q=WebSocketSendData&type=code)
[WebSocketSendHandshakeRequest](https://github.com/search?q=WebSocketSendHandshakeRequest&type=code)
[WebSocketSticky](https://github.com/search?q=WebSocketSticky&type=code)
[WebSocketStream::Delegate::OnAuthRequired](https://github.com/search?q=WebSocketStream%3A%3ADelegate%3A%3AOnAuthRequired&type=code)
[WebSocketStreamOptions](https://github.com/search?q=WebSocketStreamOptions&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code)
[establishWebSocketConnection](https://github.com/search?q=establishWebSocketConnection&type=code)
[kWebSocketURL:](https://github.com/search?q=kWebSocketURL%3A&type=code)
[testWebSocketPort](https://github.com/search?q=testWebSocketPort&type=code)
[webSocketClosed](https://github.com/search?q=webSocketClosed&type=code)
[webSocketCreated](https://github.com/search?q=webSocketCreated&type=code)
[webSocketDebuggerUrl](https://github.com/search?q=webSocketDebuggerUrl&type=code)
[webSocketFrameError](https://github.com/search?q=webSocketFrameError&type=code)
[webSocketFrameReceived](https://github.com/search?q=webSocketFrameReceived&type=code)
[webSocketFrameSent](https://github.com/search?q=webSocketFrameSent&type=code)
[webSocketHandshakeResponseReceived](https://github.com/search?q=webSocketHandshakeResponseReceived&type=code)
[webSocketProtocol](https://github.com/search?q=webSocketProtocol&type=code)
[webSocketWillSendHandshakeRequest](https://github.com/search?q=webSocketWillSendHandshakeRequest&type=code) | -| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host",t.port](https://github.com/search?q=host%22%2Ct.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+++origin_port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+origin_port&type=code)
[host, port](https://github.com/search?q=host%2C+port&type=code)
[host, protocol, port](https://github.com/search?q=host%2C+protocol%2C+port&type=code)
[host,r.port=e.port](https://github.com/search?q=host%2Cr.port%3De.port&type=code)
[host.length - port](https://github.com/search?q=host.length+-+port&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host: address, port](https://github.com/search?q=host%3A+address%2C+port&type=code)
[host:]port](https://github.com/search?q=host%3A%5Dport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host=null,this.port](https://github.com/search?q=host%3Dnull%2Cthis.port&type=code)
[host>:[host_import](https://github.com/search?q=host_import&type=code)
[hostname && A.port](https://github.com/search?q=hostname+%26%26+A.port&type=code)
[hostname, port](https://github.com/search?q=hostname%2C+port&type=code)
[hostname="",r.port](https://github.com/search?q=hostname%3D%22%22%2Cr.port&type=code)
[hostname=null,e.port](https://github.com/search?q=hostname%3Dnull%2Ce.port&type=code)
[hostname}${port](https://github.com/search?q=hostname%7D%24%7Bport&type=code)
[hostname}:${port](https://github.com/search?q=hostname%7D%3A%24%7Bport&type=code)
[host}${port](https://github.com/search?q=host%7D%24%7Bport&type=code)
[host}:${port](https://github.com/search?q=host%7D%3A%24%7Bport&type=code) | -| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping err](https://github.com/search?q=ping++err&type=code)
[ping cancelled](https://github.com/search?q=ping+cancelled&type=code)
[ping connectivity probe](https://github.com/search?q=ping+connectivity+probe&type=code)
[ping failures and](https://github.com/search?q=ping+failures+and&type=code)
[ping from zygote child](https://github.com/search?q=ping+from+zygote+child&type=code)
[ping interval to](https://github.com/search?q=ping+interval+to&type=code)
[ping interval.](https://github.com/search?q=ping+interval.&type=code)
[ping last_ping_sent_:](https://github.com/search?q=ping+last_ping_sent_%3A&type=code)
[ping libuv](https://github.com/search?q=ping+libuv&type=code)
[ping most likely connection to](https://github.com/search?q=ping+most+likely+connection+to&type=code)
[ping payload must be 8 bytes](https://github.com/search?q=ping+payload+must+be+8+bytes&type=code)
[ping received](https://github.com/search?q=ping+received&type=code)
[ping response](https://github.com/search?q=ping+response&type=code)
[ping was sent and the ack](https://github.com/search?q=ping+was+sent+and+the+ack&type=code)
[ping with high retransmit count:](https://github.com/search?q=ping+with+high+retransmit+count%3A&type=code) | -| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | -| MEDIUM | [net/ip/spoof](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/spoof.yara#spoof) | references spoofing | [of hostname spoofing](https://github.com/search?q=of+hostname+spoofing&type=code)
[protocol spoofing](https://github.com/search?q=protocol+spoofing&type=code) | -| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | -| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [CONNECT %s](https://github.com/search?q=CONNECT+%25s&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | -| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[Tunnel](https://github.com/search?q=Tunnel&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | -| MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [NTLM](https://github.com/search?q=NTLM&type=code)
[ntlm](https://github.com/search?q=ntlm&type=code) | -| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) | -| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | -| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | -| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) | -| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[http://autocomplete.nigma.ru/complete/query_help.php?suggest=true](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code) | -| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | -| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code)
[openURL](https://github.com/search?q=openURL&type=code)
[openUrl](https://github.com/search?q=openUrl&type=code)
[request(url,](https://github.com/search?q=request%28url%2C&type=code) | -| MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | -| MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | -| MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo chmod 1777 /dev/shm](https://github.com/search?q=sudo+chmod+1777+%2Fdev%2Fshm&type=code) | -| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code) | -| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptProtocol](https://github.com/search?q=interceptProtocol&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | -| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | -| LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscate_location_parse_error](https://github.com/search?q=obfuscate_location_parse_error&type=code)
[obfuscated_field_name](https://github.com/search?q=obfuscated_field_name&type=code)
[obfuscated_file_util](https://github.com/search?q=obfuscated_file_util&type=code)
[obfuscated_name](https://github.com/search?q=obfuscated_name&type=code) | -| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [AccountPasswordsConsent](https://github.com/search?q=AccountPasswordsConsent&type=code)
[ChromePasswordManagerClient](https://github.com/search?q=ChromePasswordManagerClient&type=code)
[GaiaPasswordCaptured](https://github.com/search?q=GaiaPasswordCaptured&type=code)
[GaiaPasswordReuse](https://github.com/search?q=GaiaPasswordReuse&type=code)
[Invalid password pattern](https://github.com/search?q=Invalid+password+pattern&type=code)
[PasswordGroupData](https://github.com/search?q=PasswordGroupData&type=code)
[PasswordGroupElementData](https://github.com/search?q=PasswordGroupElementData&type=code)
[PasswordH](https://github.com/search?q=PasswordH&type=code)
[PasswordIssues](https://github.com/search?q=PasswordIssues&type=code)
[PasswordReuseDetected](https://github.com/search?q=PasswordReuseDetected&type=code)
[PasswordReuseLookup](https://github.com/search?q=PasswordReuseLookup&type=code)
[PasswordReveal](https://github.com/search?q=PasswordReveal&type=code)
[PasswordSpecificsData](https://github.com/search?q=PasswordSpecificsData&type=code)
[PasswordStrongLabel](https://github.com/search?q=PasswordStrongLabel&type=code)
[SetPasswordFunc](https://github.com/search?q=SetPasswordFunc&type=code)
[Username and password are expected to](https://github.com/search?q=Username+and+password+are+expected+to&type=code)
[a username and password](https://github.com/search?q=a+username+and+password&type=code)
[accessibilityPasswordValuesEnabled](https://github.com/search?q=accessibilityPasswordValuesEnabled&type=code)
[bPassword](https://github.com/search?q=bPassword&type=code)
[called on a passwordless request](https://github.com/search?q=called+on+a+passwordless+request&type=code)
[challengePassword](https://github.com/search?q=challengePassword&type=code)
[current-password](https://github.com/search?q=current-password&type=code)
[fade-out-password](https://github.com/search?q=fade-out-password&type=code)
[for password](https://github.com/search?q=for+password&type=code)
[generated a new password](https://github.com/search?q=generated+a+new+password&type=code)
[get password](https://github.com/search?q=get+password&type=code)
[getPasswordComplete](https://github.com/search?q=getPasswordComplete&type=code)
[id-PasswordBasedMAC](https://github.com/search?q=id-PasswordBasedMAC&type=code)
[input-password](https://github.com/search?q=input-password&type=code)
[kPassword](https://github.com/search?q=kPassword&type=code)
[like a password](https://github.com/search?q=like+a+password&type=code)
[new-password](https://github.com/search?q=new-password&type=code)
[or PasswordCredentialData](https://github.com/search?q=or+PasswordCredentialData&type=code)
[password based MAC](https://github.com/search?q=password+based+MAC&type=code)
[password is too large](https://github.com/search?q=password+is+too+large&type=code)
[password text](https://github.com/search?q=password+text&type=code)
[password-change](https://github.com/search?q=password-change&type=code)
[password-manager](https://github.com/search?q=password-manager&type=code)
[password-protection](https://github.com/search?q=password-protection&type=code)
[password-reveal](https://github.com/search?q=password-reveal&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[password-strong-label](https://github.com/search?q=password-strong-label&type=code)
[passwordChar](https://github.com/search?q=passwordChar&type=code)
[passwordDialogTitle](https://github.com/search?q=passwordDialogTitle&type=code)
[passwordEchoEnabled](https://github.com/search?q=passwordEchoEnabled&type=code)
[passwordEdit](https://github.com/search?q=passwordEdit&type=code)
[passwordInvalid](https://github.com/search?q=passwordInvalid&type=code)
[passwordPrompt](https://github.com/search?q=passwordPrompt&type=code)
[passwordSubmit](https://github.com/search?q=passwordSubmit&type=code)
[readPassword](https://github.com/search?q=readPassword&type=code)
[reveal-password](https://github.com/search?q=reveal-password&type=code)
[secret_password_clear_sync](https://github.com/search?q=secret_password_clear_sync&type=code)
[secret_password_store_sync](https://github.com/search?q=secret_password_store_sync&type=code)
[set password](https://github.com/search?q=set+password&type=code)
[such as passwords](https://github.com/search?q=such+as+passwords&type=code)
[to deserialize password_string](https://github.com/search?q=to+deserialize+password_string&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[username or password](https://github.com/search?q=username+or+password&type=code)
[writePassword](https://github.com/search?q=writePassword&type=code) | -| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[privateKey](https://github.com/search?q=privateKey&type=code)
[private_key](https://github.com/search?q=private_key&type=code) | -| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) | -| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [AeadEncryptDecrypt](https://github.com/search?q=AeadEncryptDecrypt&type=code)
[AesCbcEncryptDecrypt](https://github.com/search?q=AesCbcEncryptDecrypt&type=code)
[CommonEncryptDecrypt](https://github.com/search?q=CommonEncryptDecrypt&type=code)
[ContentDecryptionModuleClient](https://github.com/search?q=ContentDecryptionModuleClient&type=code)
[CreateContentDecryptionModule](https://github.com/search?q=CreateContentDecryptionModule&type=code)
[Creation of DecryptConfig failed](https://github.com/search?q=Creation+of+DecryptConfig+failed&type=code)
[DecryptAndDecodeAudio](https://github.com/search?q=DecryptAndDecodeAudio&type=code)
[DecryptAndDecodeVideo](https://github.com/search?q=DecryptAndDecodeVideo&type=code)
[DecryptPendingBuffer](https://github.com/search?q=DecryptPendingBuffer&type=code)
[Decrypted a 0](https://github.com/search?q=Decrypted+a+0&type=code)
[DecryptedWithEmptyKey](https://github.com/search?q=DecryptedWithEmptyKey&type=code)
[DecryptingAudioDecoder](https://github.com/search?q=DecryptingAudioDecoder&type=code)
[DecryptingVideoDecoder](https://github.com/search?q=DecryptingVideoDecoder&type=code)
[Decryption failed](https://github.com/search?q=Decryption+failed&type=code)
[Decryption is not avail](https://github.com/search?q=Decryption+is+not+avail&type=code)
[Decryption succeeded af](https://github.com/search?q=Decryption+succeeded+af&type=code)
[DoDecryptReply](https://github.com/search?q=DoDecryptReply&type=code)
[For a Content Decryption Module](https://github.com/search?q=For+a+Content+Decryption+Module&type=code)
[GetFrameDecryptor](https://github.com/search?q=GetFrameDecryptor&type=code)
[Hardware Secure Decryption is disabled](https://github.com/search?q=Hardware+Secure+Decryption+is+disabled&type=code)
[HardwareSecureDecryptionExperiment](https://github.com/search?q=HardwareSecureDecryptionExperiment&type=code)
[MojoDecryptorService](https://github.com/search?q=MojoDecryptorService&type=code)
[OnDecryptingDemuxerStream](https://github.com/search?q=OnDecryptingDemuxerStream&type=code)
[Selected DecryptingDemuxerStream](https://github.com/search?q=Selected+DecryptingDemuxerStream&type=code)
[Setting FrameDecryptor](https://github.com/search?q=Setting+FrameDecryptor&type=code)
[WaitingForDecryptionKey](https://github.com/search?q=WaitingForDecryptionKey&type=code)
[_privateDecrypt](https://github.com/search?q=_privateDecrypt&type=code)
[_publicDecrypt](https://github.com/search?q=_publicDecrypt&type=code)
[ause of SetFrameDecryptor](https://github.com/search?q=ause+of+SetFrameDecryptor&type=code)
[const privateDecrypt](https://github.com/search?q=const+privateDecrypt&type=code)
[const publicDecrypt](https://github.com/search?q=const+publicDecrypt&type=code)
[e to set ContentDecryptionModule object](https://github.com/search?q=e+to+set+ContentDecryptionModule+object&type=code)
[existing ContentDecryptionModule object](https://github.com/search?q=existing+ContentDecryptionModule+object&type=code)
[kDecryptError](https://github.com/search?q=kDecryptError&type=code)
[kIsAudioDecryptingDemuxerStream](https://github.com/search?q=kIsAudioDecryptingDemuxerStream&type=code)
[kIsVideoDecryptingDemuxerStream](https://github.com/search?q=kIsVideoDecryptingDemuxerStream&type=code)
[kWebCryptoCipherDecrypt](https://github.com/search?q=kWebCryptoCipherDecrypt&type=code)
[ketsReceivedWithDecrypter](https://github.com/search?q=ketsReceivedWithDecrypter&type=code) | -| LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) | -| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | -| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public key](https://github.com/search?q=Public+key&type=code)
[Public-key](https://github.com/search?q=Public-key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | -| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code)
[require('tls')](https://github.com/search?q=require%28%27tls%27%29&type=code) | -| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | -| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | -| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | -| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | -| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [(/](https://github.com/search?q=%28%B5%2F%FD&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | -| LOW | [data/embedded/pem_certificate](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert) | Contains embedded PEM certificate | [--BEGIN CERTIFICATE--](https://github.com/search?q=--BEGIN+CERTIFICATE--&type=code) | -| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | -| LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSON.parse](https://github.com/search?q=JSON.parse&type=code) | -| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | -| LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | -| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | -| LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | -| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | -| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | -| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [evasion/hijack_execution/LD_LIBRARY_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hijack_execution/LD_LIBRARY_PATH.yara#ld_library_path) | ld library path | [LD_LIBRARY_PATH](https://github.com/search?q=LD_LIBRARY_PATH&type=code) | -| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | -| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | -| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Chromium PDF Plugin](https://github.com/search?q=Chromium+PDF+Plugin&type=code)
[ContainsPlugins](https://github.com/search?q=ContainsPlugins&type=code)
[Failed to generate a plugin id](https://github.com/search?q=Failed+to+generate+a+plugin+id&type=code)
[GetPluginInfo](https://github.com/search?q=GetPluginInfo&type=code)
[GetPlugins](https://github.com/search?q=GetPlugins&type=code)
[If you want to block plugins](https://github.com/search?q=If+you+want+to+block+plugins&type=code)
[Is an accelerated plugin](https://github.com/search?q=Is+an+accelerated+plugin&type=code)
[LoadPluginsSoon](https://github.com/search?q=LoadPluginsSoon&type=code)
[No PPP_GetInterface in plugin library](https://github.com/search?q=No+PPP_GetInterface+in+plugin+library&type=code)
[No PPP_InitializeModule in plugin library](https://github.com/search?q=No+PPP_InitializeModule+in+plugin+library&type=code)
[OnPepperPluginCrashed](https://github.com/search?q=OnPepperPluginCrashed&type=code)
[OnPepperPluginHung](https://github.com/search?q=OnPepperPluginHung&type=code)
[OpenChannelToPepperPlugin](https://github.com/search?q=OpenChannelToPepperPlugin&type=code)
[Pepper Plugin Broker](https://github.com/search?q=Pepper+Plugin+Broker&type=code)
[PepperPluginInstance](https://github.com/search?q=PepperPluginInstance&type=code)
[Plugin Changed](https://github.com/search?q=Plugin+Changed&type=code)
[Plugin URL](https://github.com/search?q=Plugin+URL&type=code)
[Plugin doesn](https://github.com/search?q=Plugin+doesn&type=code)
[PluginArray](https://github.com/search?q=PluginArray&type=code)
[PluginData](https://github.com/search?q=PluginData&type=code)
[PluginDispatcher](https://github.com/search?q=PluginDispatcher&type=code)
[PluginLoad](https://github.com/search?q=PluginLoad&type=code)
[PluginRegistry](https://github.com/search?q=PluginRegistry&type=code)
[PluginResource](https://github.com/search?q=PluginResource&type=code)
[PluginService](https://github.com/search?q=PluginService&type=code)
[PluginSizeUpdated](https://github.com/search?q=PluginSizeUpdated&type=code)
[PpapiMsg_LoadPlugin](https://github.com/search?q=PpapiMsg_LoadPlugin&type=code)
[PpapiPluginMain](https://github.com/search?q=PpapiPluginMain&type=code)
[PpapiPluginMetrics](https://github.com/search?q=PpapiPluginMetrics&type=code)
[RemoveBrowserPluginEmbedder](https://github.com/search?q=RemoveBrowserPluginEmbedder&type=code)
[SendToPlugin](https://github.com/search?q=SendToPlugin&type=code)
[SetBrowserPluginGuest](https://github.com/search?q=SetBrowserPluginGuest&type=code)
[The plugin has not](https://github.com/search?q=The+plugin+has+not&type=code)
[Unable to create ppapi plugin process](https://github.com/search?q=Unable+to+create+ppapi+plugin+process&type=code)
[Unable to load plugin](https://github.com/search?q=Unable+to+load+plugin&type=code)
[Unable to load ppapi plugin](https://github.com/search?q=Unable+to+load+ppapi+plugin&type=code)
[allowNonEmptyNavigatorPlugins](https://github.com/search?q=allowNonEmptyNavigatorPlugins&type=code)
[as a plugin](https://github.com/search?q=as+a+plugin&type=code)
[browserplugin](https://github.com/search?q=browserplugin&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[html_plugin_element](https://github.com/search?q=html_plugin_element&type=code)
[kPluginObject](https://github.com/search?q=kPluginObject&type=code)
[loadplugin](https://github.com/search?q=loadplugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[page contains plugins](https://github.com/search?q=page+contains+plugins&type=code)
[pdf_internal_plugin_wrapper](https://github.com/search?q=pdf_internal_plugin_wrapper&type=code)
[pdf_view_web_plugin](https://github.com/search?q=pdf_view_web_plugin&type=code)
[pepper_hung_plugin_filter](https://github.com/search?q=pepper_hung_plugin_filter&type=code)
[pepper_webplugin_impl](https://github.com/search?q=pepper_webplugin_impl&type=code)
[plugin data](https://github.com/search?q=plugin+data&type=code)
[pluginObject](https://github.com/search?q=pluginObject&type=code)
[plugin_audio_thread](https://github.com/search?q=plugin_audio_thread&type=code)
[plugin_container_impl](https://github.com/search?q=plugin_container_impl&type=code)
[plugin_instance_impl](https://github.com/search?q=plugin_instance_impl&type=code)
[plugin_message_filter](https://github.com/search?q=plugin_message_filter&type=code)
[plugin_module](https://github.com/search?q=plugin_module&type=code)
[plugin_process_host](https://github.com/search?q=plugin_process_host&type=code)
[plugin_service_impl](https://github.com/search?q=plugin_service_impl&type=code)
[pluginsEnabled](https://github.com/search?q=pluginsEnabled&type=code)
[pluginspace](https://github.com/search?q=pluginspace&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[pluginurl](https://github.com/search?q=pluginurl&type=code)
[ppapi_plugin_main](https://github.com/search?q=ppapi_plugin_main&type=code)
[ppapi_plugin_process](https://github.com/search?q=ppapi_plugin_process&type=code)
[r PluginH](https://github.com/search?q=r+PluginH&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code)
[security origin than your plugin](https://github.com/search?q=security+origin+than+your+plugin&type=code)
[strictMixedContentCheckingForPlugin](https://github.com/search?q=strictMixedContentCheckingForPlugin&type=code)
[suggestplugin](https://github.com/search?q=suggestplugin&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectoryAndGetEr](https://github.com/search?q=CreateDirectoryAndGetEr&type=code)
[CreateDirectoryError](https://github.com/search?q=CreateDirectoryError&type=code)
[CreateDirectoryResult](https://github.com/search?q=CreateDirectoryResult&type=code)
[createFolder](https://github.com/search?q=createFolder&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | -| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | -| LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm HP-USB500 5.1 Headset](https://github.com/search?q=rm+HP-USB500+5.1+Headset&type=code)
[rm PA-WL54GU](https://github.com/search?q=rm+PA-WL54GU&type=code) | -| LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | -| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | -| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | -| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code)
[fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code) | -| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | -| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code)
[_writeFilesForTesting](https://github.com/search?q=_writeFilesForTesting&type=code)
[writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeFileUtf8](https://github.com/search?q=writeFileUtf8&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code) | -| LOW | [fs/link_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) | -| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | -| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/asound.conf](https://github.com/search?q=%2Fetc%2Fasound.conf&type=code)
[/etc/ati/amdpcsdb.default](https://github.com/search?q=%2Fetc%2Fati%2Famdpcsdb.default&type=code)
[/etc/catalog](https://github.com/search?q=%2Fetc%2Fcatalog&type=code)
[/etc/chromium/native-messaging-hosts](https://github.com/search?q=%2Fetc%2Fchromium%2Fnative-messaging-hosts&type=code)
[/etc/chromium/policies](https://github.com/search?q=%2Fetc%2Fchromium%2Fpolicies&type=code)
[/etc/drirc](https://github.com/search?q=%2Fetc%2Fdrirc&type=code)
[/etc/fonts/conf.d](https://github.com/search?q=%2Fetc%2Ffonts%2Fconf.d&type=code)
[/etc/gai.conf](https://github.com/search?q=%2Fetc%2Fgai.conf&type=code)
[/etc/group](https://github.com/search?q=%2Fetc%2Fgroup&type=code)
[/etc/host.conf](https://github.com/search?q=%2Fetc%2Fhost.conf&type=code)
[/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code)
[/etc/localtime](https://github.com/search?q=%2Fetc%2Flocaltime&type=code)
[/etc/machine-id](https://github.com/search?q=%2Fetc%2Fmachine-id&type=code)
[/etc/netsvc.conf](https://github.com/search?q=%2Fetc%2Fnetsvc.conf&type=code)
[/etc/nsswitch.conf](https://github.com/search?q=%2Fetc%2Fnsswitch.conf&type=code)
[/etc/os-release](https://github.com/search?q=%2Fetc%2Fos-release&type=code)
[/etc/pulse/](https://github.com/search?q=%2Fetc%2Fpulse%2F&type=code)
[/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/ssl/certs](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts&type=code)
[/etc/svc.conf](https://github.com/search?q=%2Fetc%2Fsvc.conf&type=code)
[/etc/timezone](https://github.com/search?q=%2Fetc%2Ftimezone&type=code)
[/etc/vulkan/icd.d](https://github.com/search?q=%2Fetc%2Fvulkan%2Ficd.d&type=code)
[/etc/xml/catalog](https://github.com/search?q=%2Fetc%2Fxml%2Fcatalog&type=code) | -| LOW | [fs/path/etc_resolv.conf](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf) | accesses DNS resolver configuration | [/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code) | -| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/privacy/](https://github.com/search?q=%2Fhome%2Fprivacy%2F&type=code) | -| LOW | [fs/path/home_config](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path) | path reference within ~/.config | [.config/pulse](https://github.com/search?q=.config%2Fpulse&type=code)
[/.config/user](https://github.com/search?q=%2F.config%2Fuser&type=code) | -| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/cache/fontconfig](https://github.com/search?q=%2Fvar%2Fcache%2Ffontconfig&type=code)
[/var/run/user](https://github.com/search?q=%2Fvar%2Frun%2Fuser&type=code)
[/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | -| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | -| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TEMPDIR](https://github.com/search?q=TEMPDIR&type=code)
[TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | -| LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | -| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | -| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | -| LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code)
[bssid](https://github.com/search?q=bssid&type=code) | -| LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [require('dns')](https://github.com/search?q=require%28%27dns%27%29&type=code) | -| LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [resolv.conf](https://github.com/search?q=resolv.conf&type=code) | -| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | -| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | -| LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | -| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | -| LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [oauth2](https://github.com/search?q=oauth2&type=code) | -| LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[httpClose](https://github.com/search?q=httpClose&type=code)
[httpConnect](https://github.com/search?q=httpConnect&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code) | -| LOW | [net/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets) | access the internet | [invalid packet](https://github.com/search?q=invalid+packet&type=code) | -| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | -| LOW | [net/ip/resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-resolve.yara#gethostbyaddr) | [resolves network hosts via IP address](https://linux.die.net/man/3/gethostbyaddr) | [gethostbyaddr](https://github.com/search?q=gethostbyaddr&type=code) | -| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#cannot_resolve) | resolve network host name to IP address | [cannot resolve](https://github.com/search?q=cannot+resolve&type=code) | -| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | -| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [client_address_spac](https://github.com/search?q=client_address_spac&type=code)
[client_addresses_ca](https://github.com/search?q=client_addresses_ca&type=code)
[getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code)
[sendmmsg](https://github.com/search?q=sendmmsg&type=code)
[sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | -| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code)
[new URL](https://github.com/search?q=new+URL&type=code) | -| LOW | [os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val) | Retrieve environment variable values | [env.COLORTERM](https://github.com/search?q=env.COLORTERM&type=code)
[env.CRASHDUMP](https://github.com/search?q=env.CRASHDUMP&type=code)
[env.CRASHPAD](https://github.com/search?q=env.CRASHPAD&type=code)
[env.ELECTRON](https://github.com/search?q=env.ELECTRON&type=code)
[env.FORCE](https://github.com/search?q=env.FORCE&type=code)
[env.JEST](https://github.com/search?q=env.JEST&type=code)
[env.NODE](https://github.com/search?q=env.NODE&type=code)
[env.ORIGINAL](https://github.com/search?q=env.ORIGINAL&type=code)
[env.TEAMCITY](https://github.com/search?q=env.TEAMCITY&type=code)
[env.TEMP](https://github.com/search?q=env.TEMP&type=code)
[env.TERM](https://github.com/search?q=env.TERM&type=code)
[env.TMP](https://github.com/search?q=env.TMP&type=code)
[env.TMUX](https://github.com/search?q=env.TMUX&type=code)
[env.UNDICI](https://github.com/search?q=env.UNDICI&type=code)
[env.USERPROFILE](https://github.com/search?q=env.USERPROFILE&type=code)
[env.WATCH](https://github.com/search?q=env.WATCH&type=code)
[env.XDG](https://github.com/search?q=env.XDG&type=code) | -| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | -| LOW | [os/fd/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#py_fd_read) | reads from a file handle | [context.read()](https://github.com/search?q=context.read%28%29&type=code)
[reader.read()](https://github.com/search?q=reader.read%28%29&type=code)
[req.read()](https://github.com/search?q=req.read%28%29&type=code)
[self.read()](https://github.com/search?q=self.read%28%29&type=code)
[socket.read()](https://github.com/search?q=socket.read%28%29&type=code)
[stream.read()](https://github.com/search?q=stream.read%28%29&type=code)
[tail.read()](https://github.com/search?q=tail.read%28%29&type=code) | -| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) | -| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [_decoder.write(ret)](https://github.com/search?q=_decoder.write%28ret%29&type=code)
[_downstream.write(e)](https://github.com/search?q=_downstream.write%28e%29&type=code)
[decoder.write(data)](https://github.com/search?q=decoder.write%28data%29&type=code)
[decoder.write(readBuffer)](https://github.com/search?q=decoder.write%28readBuffer%29&type=code)
[dest.write(chunk)](https://github.com/search?q=dest.write%28chunk%29&type=code)
[h2stream.write(body)](https://github.com/search?q=h2stream.write%28body%29&type=code)
[h2stream.write(buffer)](https://github.com/search?q=h2stream.write%28buffer%29&type=code)
[h2stream.write(chunk)](https://github.com/search?q=h2stream.write%28chunk%29&type=code)
[output.write(errStack)](https://github.com/search?q=output.write%28errStack%29&type=code)
[output.write(line)](https://github.com/search?q=output.write%28line%29&type=code)
[output.write(result)](https://github.com/search?q=output.write%28result%29&type=code)
[output.write(stringToWrite)](https://github.com/search?q=output.write%28stringToWrite%29&type=code)
[pt.write(val)](https://github.com/search?q=pt.write%28val%29&type=code)
[self.write(prefix)](https://github.com/search?q=self.write%28prefix%29&type=code)
[socket.write(body)](https://github.com/search?q=socket.write%28body%29&type=code)
[socket.write(buffer)](https://github.com/search?q=socket.write%28buffer%29&type=code)
[socket.write(chunk)](https://github.com/search?q=socket.write%28chunk%29&type=code)
[stdout.write(clear)](https://github.com/search?q=stdout.write%28clear%29&type=code)
[stdout.write(s)](https://github.com/search?q=stdout.write%28s%29&type=code)
[stream.write(data)](https://github.com/search?q=stream.write%28data%29&type=code)
[stream.write(kClearScreenDown)](https://github.com/search?q=stream.write%28kClearScreenDown%29&type=code)
[stream.write(string)](https://github.com/search?q=stream.write%28string%29&type=code)
[streamWritable.write(chunk)](https://github.com/search?q=streamWritable.write%28chunk%29&type=code)
[this.write(buf)](https://github.com/search?q=this.write%28buf%29&type=code)
[this.write(data)](https://github.com/search?q=this.write%28data%29&type=code)
[this.write(response)](https://github.com/search?q=this.write%28response%29&type=code)
[writable.write(chunk)](https://github.com/search?q=writable.write%28chunk%29&type=code)
[writer.write(chunk)](https://github.com/search?q=writer.write%28chunk%29&type=code) | -| LOW | [os/kernel/netlink](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink) | communicate with kernel services | [netlink](https://github.com/search?q=netlink&type=code) | -| LOW | [os/kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) | -| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | -| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd -u env -i](https://github.com/search?q=cd+-u++env+-i&type=code) | -| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | -| LOW | [process/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#_fork) | [create child process](https://man7.org/linux/man-pages/man2/fork.2.html) | [_fork](https://github.com/search?q=_fork&type=code) | -| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | -| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | 
[setgroups](https://github.com/search?q=setgroups&type=code) | -| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | - diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple index 8d67345fb..e69de29bb 100644 --- a/tests/linux/clean/trivy.simple +++ b/tests/linux/clean/trivy.simple 
@@ -1,201 +0,0 @@
-# linux/clean/trivy: medium
-anti-static/elf/multiple: medium
-c2/addr/discord: medium
-c2/addr/http_dynamic: medium
-c2/addr/ip: medium
-c2/addr/server: medium
-c2/client: medium
-c2/discovery/ip_dns_resolver: medium
-c2/tool_transfer/arch: low
-c2/tool_transfer/download: medium
-c2/tool_transfer/github: medium
-c2/tool_transfer/os: medium
-collect/archives/unarchive: medium
-collect/archives/zip: medium
-collect/code/github_api: low
-collect/databases/leveldb: medium
-collect/databases/mysql: medium
-collect/databases/postgresql: medium
-collect/databases/sqlite: medium
-credential/cloud/aws: medium
-credential/cloud/g: medium
-credential/keychain: medium
-credential/password: low
-credential/server/htpasswd: medium
-credential/sniffer/bpf: medium
-credential/ssl/private_key: low
-crypto/aes: low
-crypto/blockchain: medium
-crypto/cipher: medium
-crypto/decrypt: low
-crypto/ecdsa: low
-crypto/ed25519: low
-crypto/openssl: medium
-crypto/public_key: low
-crypto/tls: low
-data/base64/decode: medium
-data/base64/encode: medium
-data/compression/bzip2: low
-data/compression/gzip: low
-data/compression/lzma: low
-data/compression/xz: medium
-data/compression/zlib: low
-data/compression/zstd: low
-data/embedded/html: medium
-data/embedded/pem_certificate: low
-data/embedded/pem_private_key: medium
-data/embedded/pem_test_key: low
-data/embedded/ssh_signature: medium
-data/encoding/base64: low
-data/encoding/json: low
-data/encoding/json_decode: low
-data/encoding/json_encode: low
-data/hash/blake2b: low
-data/hash/md5: medium
-data/hash/sha1: low
-data/random/insecure: low
-discover/cloud/aws_metadata: low
-discover/cloud/google_metadata: low
-discover/cloud/google_storage: low
-discover/network/mac_address: medium
-discover/network/netstat: medium
-discover/process/name: medium
-discover/processes/list: medium
-discover/system/cpu: low
-discover/system/dmesg: low
-discover/system/hostname: low
-discover/system/platform: medium
-discover/system/sysinfo: medium
-discover/user/HOME: low
-discover/user/USER: low
-evasion/bypass_security/linux/iptables: medium
-evasion/file/location/chdir_unusual: medium
-evasion/file/location/dev_shm: medium
-evasion/file/location/var_run: medium
-evasion/file/prefix: medium
-exec/cmd: medium
-exec/conditional/LANG: low
-exec/dylib/symbol_address: medium
-exec/install_additional/package_install: medium
-exec/install_additional/pip_install: medium
-exec/plugin: low
-exec/program: medium
-exec/script/osa: medium
-exec/shell/SHELL: low
-exec/shell/TERM: low
-exec/shell/background_sleep: medium
-exec/shell/pipe_sh: medium
-exec/system_controls/apparmor: medium
-exec/system_controls/systemd: low
-exfil/collection: medium
-exfil/upload: medium
-fs/attributes/set: medium
-fs/directory/create: low
-fs/directory/list: low
-fs/directory/remove: low
-fs/file/copy: medium
-fs/file/create: medium
-fs/file/delete: medium
-fs/file/delete_forcibly: medium
-fs/file/open: low
-fs/file/read: low
-fs/file/rename: low
-fs/file/stat: low
-fs/file/times_set: medium
-fs/file/truncate: low
-fs/file/write: low
-fs/link_create: low
-fs/link_read: low
-fs/lock_update: low
-fs/loopback: medium
-fs/mount: low
-fs/node_create: low
-fs/path/etc: low
-fs/path/etc_hosts: medium
-fs/path/etc_resolv.conf: low
-fs/path/home: low
-fs/path/home_config: low
-fs/path/root: medium
-fs/path/tmp: medium
-fs/path/users: medium
-fs/path/usr_bin: low
-fs/path/usr_lib_python: medium
-fs/path/usr_local: medium
-fs/path/var: low
-fs/permission/chown: medium
-fs/permission/modify: medium
-fs/proc/arbitrary_pid: medium
-fs/proc/self_mountinfo: medium
-fs/swap/off: low
-fs/symlink_resolve: low
-fs/tempdir: low
-fs/tempdir/TEMP: low
-fs/tempdir/TMPDIR: low
-fs/tempdir/create: low
-fs/tempfile: low
-fs/watch: low
-hw/dev/block_ice: medium
-hw/wireless: low
-impact/remote_access/heartbeat: medium
-impact/remote_access/iptables: medium
-impact/remote_access/kill_rm: medium
-impact/remote_access/trojan: medium
-lateral/scan/brute_force: low
-malware/ref: medium
-net/dns: low
-net/dns/reverse: medium
-net/dns/servers: low
-net/dns/txt: low
-net/download/fetch: medium
-net/http/2: low
-net/http/accept: medium
-net/http/accept_encoding: low
-net/http/auth: low
-net/http/content_length: medium
-net/http/cookies: medium
-net/http/form_upload: medium
-net/http/oauth2: low
-net/http/post: medium
-net/http/proxy: low
-net/http/request: low
-net/http/webhook: medium
-net/http/websocket: medium
-net/ip: low
-net/ip/host_port: medium
-net/ip/icmp: medium
-net/ip/multicast_send: low
-net/ip/parse: medium
-net/ip/syncookie: medium
-net/proxy/socks5: medium
-net/proxy/tunnel: medium
-net/resolve/hostname: low
-net/socket/listen: medium
-net/socket/local_addr: low
-net/socket/peer_address: low
-net/socket/receive: low
-net/socket/send: low
-net/tcp/connect: medium
-net/tcp/grpc: low
-net/tcp/ssh: medium
-net/udp/receive: low
-net/udp/send: low
-net/url/embedded: medium
-net/url/encode: medium
-net/url/parse: low
-net/url/request: medium
-os/fd/sendfile: low
-os/kernel/netlink: low
-os/kernel/opencl: medium
-os/kernel/seccomp: low
-os/time/tzinfo: low
-privesc/setuid: low
-privesc/sudo: medium
-process/chdir: low
-process/chroot: low
-process/groupid_set: low
-process/groups_set: low
-process/multithreaded: low
-sus/exclamation: medium
-sus/intercept: medium
-sus/leetspeak: medium
-sus/malicious: medium
diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md
index 547b61558..e69de29bb 100644
--- a/tests/linux/clean/trufflehog.md
+++ b/tests/linux/clean/trufflehog.md
@@ -1,194 +0,0 @@
-## linux/clean/trufflehog [🟡 MEDIUM]
-
-| RISK | KEY | DESCRIPTION | EVIDENCE |
-|--|--|--|--|
-| MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | -| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | -| MEDIUM | [c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord) | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) | -| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba](http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba)
[https://%s.api.mailchimp.com/3.0/https](https://%s.api.mailchimp.com/3.0/https)
[https://%s.api.mailchimp.com/3.0https](https://%s.api.mailchimp.com/3.0https)
[https://%s.billomat.net/api/v2/clients/myself](https://%s.billomat.net/api/v2/clients/myself)
[https://%s.caspio.com/oauth/tokenhttps](https://%s.caspio.com/oauth/tokenhttps)
[https://%s.currencycloud.com](https://%s.currencycloud.com)
[https://%s.fibery.io/api/commandsTruffleHog3](https://%s.fibery.io/api/commandsTruffleHog3)
[https://%s.flowlu.com/api/v1/module/crm/lead/list](https://%s.flowlu.com/api/v1/module/crm/lead/list)
[https://%s.formsite.com/api/v2/](https://%s.formsite.com/api/v2/)
[https://%s.kanbantool.com/api/v3/users/current.jsonhttps](https://%s.kanbantool.com/api/v3/users/current.jsonhttps)
[https://%s.leankit.com/io/accounthttps](https://%s.leankit.com/io/accounthttps)
[https://%s.s3](https://%s.s3)
[https://%s.salesmate.io/apis/v3/companies/1](https://%s.salesmate.io/apis/v3/companies/1)
[https://%s.scalr.io/api/iacp/v3/agentshttps](https://%s.scalr.io/api/iacp/v3/agentshttps)
[https://%s.vouchery.io/api/v2.0/usershttps](https://%s.vouchery.io/api/v2.0/usershttps)
[https://%s/account.json](https://%s/account.json)
[https://%s/admin/api/2024](https://%s/admin/api/2024)
[https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR](https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR)
[https://%s/api/laml/2010](https://%s/api/laml/2010)
[https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx](https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx)
[https://%s/api/v1/projects](https://%s/api/v1/projects)
[https://%s/api/v1/sources](https://%s/api/v1/sources)
[https://%s/api/v1/users/meopsgenie.com/alert/detail/https](https://%s/api/v1/users/meopsgenie.com/alert/detail/https)
[https://%s/api/v1/userserror](https://%s/api/v1/userserror)
[https://%s/api/v2/tickets](https://%s/api/v2/tickets)
[https://%s/api/v3/users/current.json](https://%s/api/v3/users/current.json)
[https://%s/auth/oauth2/v2/tokenhttps](https://%s/auth/oauth2/v2/tokenhttps)
[https://%s/invoices.json](https://%s/invoices.json)
[https://%s/v2/lastUpdateTimeBeamer](https://%s/v2/lastUpdateTimeBeamer)
[https://%sSCRAM](https://%sSCRAM) | -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[aIp](https://github.com/search?q=aIp&type=code)
[a_ip](https://github.com/search?q=a_ip&type=code)
[accel_port](https://github.com/search?q=accel_port&type=code)
[allowed_port](https://github.com/search?q=allowed_port&type=code)
[announce_port](https://github.com/search?q=announce_port&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[fastly_ip](https://github.com/search?q=fastly_ip&type=code)
[firewall_ip](https://github.com/search?q=firewall_ip&type=code)
[geo_ip](https://github.com/search?q=geo_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[htcp_port](https://github.com/search?q=htcp_port&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[i_ip](https://github.com/search?q=i_ip&type=code)
[icp_port](https://github.com/search?q=icp_port&type=code)
[in_ip](https://github.com/search?q=in_ip&type=code)
[ip_port](https://github.com/search?q=ip_port&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[lookupPort](https://github.com/search?q=lookupPort&type=code)
[m_ip](https://github.com/search?q=m_ip&type=code)
[miss_port](https://github.com/search?q=miss_port&type=code)
[nIp](https://github.com/search?q=nIp&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[old_ip](https://github.com/search?q=old_ip&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pages_ip](https://github.com/search?q=pages_ip&type=code)
[parsePort](https://github.com/search?q=parsePort&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[privateIp](https://github.com/search?q=privateIp&type=code)
[relay_port](https://github.com/search?q=relay_port&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[routedPort](https://github.com/search?q=routedPort&type=code)
[snmp_port](https://github.com/search?q=snmp_port&type=code)
[snmpd_port](https://github.com/search?q=snmpd_port&type=code)
[stripPort](https://github.com/search?q=stripPort&type=code)
[tIp](https://github.com/search?q=tIp&type=code)
[vIp](https://github.com/search?q=vIp&type=code) | -| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [ConnectServer](https://github.com/search?q=ConnectServer&type=code) | -| MEDIUM | [c2/addr/telegram](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/telegram.yara#telegram) | telegram | [Telegram](https://github.com/search?q=Telegram&type=code)
[telegram.org](https://github.com/search?q=telegram.org&type=code) | -| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientID](https://github.com/search?q=clientID&type=code)
[clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) | -| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | -| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#download_ref) | downloads files | [download file](https://github.com/search?q=download+file&type=code) | -| MEDIUM | [c2/tool_transfer/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/download.yara#download_sites) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [pastebin.Scanner](https://github.com/search?q=pastebin.Scanner&type=code)
[pastebin.com/api/api_post](https://github.com/search?q=pastebin.com%2Fapi%2Fapi_post&type=code)
[pastebin.go](https://github.com/search?q=pastebin.go&type=code)
[pastebin.init](https://github.com/search?q=pastebin.init&type=code) | -| MEDIUM | [c2/tool_transfer/grayware](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/grayware.yara#shodan_io) | References shodan.io | [shodan.io](https://github.com/search?q=shodan.io&type=code) | -| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Darwin](https://github.com/search?q=Darwin&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://) | -| MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [UnarchiveProject](https://github.com/search?q=UnarchiveProject&type=code)
[unarchiveadmin](https://github.com/search?q=unarchiveadmin&type=code)
[unarchiveapp_configurations](https://github.com/search?q=unarchiveapp_configurations&type=code) | -| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [archive/zip](https://github.com/search?q=archive%2Fzip&type=code) | -| MEDIUM | [collect/databases/mysql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/mysql.yara#mysql) | accesses MySQL databases | [mysql](https://github.com/search?q=mysql&type=code) | -| MEDIUM | [collect/databases/postgresql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/postgresql.yara#postgresql) | accesses PostgreSQL databases | [postgresql](https://github.com/search?q=postgresql&type=code) | -| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) | -| MEDIUM | [credential/clipboard](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/clipboard.yara#nspasteboard) | [access clipboard contents](https://www.sentinelone.com/blog/session-cookies-keychains-ssh-keys-and-more-7-kinds-of-data-malware-steals-from-macos-users/) | [atotto/clipboard](https://github.com/search?q=atotto%2Fclipboard&type=code) | -| MEDIUM | [credential/cloud/g](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/cloud/gcloud.yara#gcloud_config_value) | Access gcloud configuration files | [.config/gcloud](https://github.com/search?q=.config%2Fgcloud&type=code)
[application_default_credentials.json](https://github.com/search?q=application_default_credentials.json&type=code) | -| MEDIUM | [credential/gaming/minecraft](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/gaming/minecraft.yara#minecraft) | Has references to Minecraft | [minecraft](https://github.com/search?q=minecraft&type=code) | -| MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) | -| MEDIUM | [crypto/blockchain](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/blockchain.yara#blockchain) | blockchain | [blockchain](https://github.com/search?q=blockchain&type=code) | -| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | -| MEDIUM | [data/compression/xz](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/xz.yara#xz_lib) | uses xz library | [ulikunitz/xz](https://github.com/search?q=ulikunitz%2Fxz&type=code) | -| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [DRVJUSUZJQ0FUR::$CERTIFICATE](https://github.com/search?q=DRVJUSUZJQ0FUR%3A%3A%24CERTIFICATE&type=code)
[Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | -| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) | -| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | -| MEDIUM | [data/embedded/pem_private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-private_key.yara#begin_private_key) | Contains RSA PRIVATE KEY directive | [PRIVATE KEY--](https://github.com/search?q=PRIVATE+KEY--&type=code) | -| MEDIUM | [data/embedded/ssh_signature](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-ssh-signature.yara#ssh_signature) | Contains embedded SSH signature | [--BEGIN SSH SIGNATURE--](https://github.com/search?q=--BEGIN+SSH+SIGNATURE--&type=code) | -| MEDIUM | [discover/group/lookup](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/group/lookup.yara#getgrent) | get entry from group database | [endgrent](https://github.com/search?q=endgrent&type=code)
[getgrent](https://github.com/search?q=getgrent&type=code)
[setgrent](https://github.com/search?q=setgrent&type=code) | -| MEDIUM | [discover/ip/public](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/ip/public_ip.yara#iplookup_website) | public service to discover external IP address | [ipify.org](https://github.com/search?q=ipify.org&type=code) | -| MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code)
[macAddress](https://github.com/search?q=macAddress&type=code) | -| MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) | -| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code)
[systeminfo](https://github.com/search?q=systeminfo&type=code) | -| MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | -| MEDIUM | [evasion/file/location/var_run](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/var-run.yara#var_run_subfolder) | references subfolder within /var/run | [/var/run/slapd/](https://github.com/search?q=%2Fvar%2Frun%2Fslapd%2F&type=code) | -| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path) | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.ssh](https://github.com/search?q=%25s%2F.ssh&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecCommand](https://github.com/search?q=ExecCommand&type=code)
[Execute_Command_Line](https://github.com/search?q=Execute_Command_Line&type=code)
[MergeRunCmdOptions](https://github.com/search?q=MergeRunCmdOptions&type=code)
[RunCommandCursor](https://github.com/search?q=RunCommandCursor&type=code)
[StartCmdTrace](https://github.com/search?q=StartCmdTrace&type=code)
[StartCommandOptions](https://github.com/search?q=StartCommandOptions&type=code)
[execTxCommand](https://github.com/search?q=execTxCommand&type=code)
[executeCommand](https://github.com/search?q=executeCommand&type=code)
[processRunCommand](https://github.com/search?q=processRunCommand&type=code)
[runGitCommand](https://github.com/search?q=runGitCommand&type=code)
[runShellCommandAsynchronously](https://github.com/search?q=runShellCommandAsynchronously&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#exec_cmd_run) | executes external programs | [).CombinedOutput](https://github.com/search?q=%29.CombinedOutput&type=code)
[exec.(*Cmd).Run](https://github.com/search?q=exec.%28%2ACmd%29.Run&type=code) | -| MEDIUM | [exec/script/osa](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/script/osascript.yara#osascript_caller) | runs osascript | [display dialog](https://github.com/search?q=display+dialog&type=code) | -| MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershell](https://github.com/search?q=powershell&type=code) | -| MEDIUM | [exfil/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/discord.yara#discord_bot) | [Uses the Discord webhooks API](https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_high.yar#L706) | [discord.com/api/webhooks/](https://github.com/search?q=discord.com%2Fapi%2Fwebhooks%2F&type=code) | -| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | -| MEDIUM | [exfil/stealer/creds](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/creds.yara#suspected_data_stealer) | suspected data stealer | [Atomic](https://github.com/search?q=Atomic&type=code)
[Binance](https://github.com/search?q=Binance&type=code)
[Chrome](https://github.com/search?q=Chrome&type=code)
[Discord](https://github.com/search?q=Discord&type=code)
[Firefox](https://github.com/search?q=Firefox&type=code)
[History](https://github.com/search?q=History&type=code)
[OpenVPN](https://github.com/search?q=OpenVPN&type=code)
[Snowflake](https://github.com/search?q=Snowflake&type=code)
[Telegram](https://github.com/search?q=Telegram&type=code) | -| MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#file_io_uploader) | uploads content to file.io | [POST](https://github.com/search?q=POST&type=code)
[file.io](https://github.com/search?q=file.io&type=code)
[post](https://github.com/search?q=post&type=code) | -| MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy_cp) | copy files using cp | [cp](https://github.com/search?q=cp&type=code) | -| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileProperty](https://github.com/search?q=CreateFileProperty&type=code) | -| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFile](https://github.com/search?q=DeleteFile&type=code) | -| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utime](https://github.com/search?q=utime&type=code) | -| MEDIUM | [fs/path/etc_hosts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts) | references /etc/hosts | [/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/mysql.sockclientFoundRowsmultiStatementsUNSIGNED](https://github.com/search?q=%2Ftmp%2Fmysql.sockclientFoundRowsmultiStatementsUNSIGNED&type=code)
[/tmp/placeholder/%v](https://github.com/search?q=%2Ftmp%2Fplaceholder%2F%25v&type=code) | -| MEDIUM | [fs/path/users](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/users.yara#home_path_users) | references path within /Users | [/Users/%vorganizations/%v/team/%v/projectssql](https://github.com/search?q=%2FUsers%2F%25vorganizations%2F%25v%2Fteam%2F%25v%2Fprojectssql&type=code) | -| MEDIUM | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown) | Changes file ownership | [Chown](https://github.com/search?q=Chown&type=code) | -| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [Chmod](https://github.com/search?q=Chmod&type=code)
[chmod](https://github.com/search?q=chmod&type=code) | -| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/statSHA256](https://github.com/search?q=%2Fproc%2F%25d%2FstatSHA256&type=code) | -| MEDIUM | [fs/proc/self_cgroup](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cgroup.yara#pid_self_cgroup) | accesses /proc files within own cgroup | [/proc/self/cgroupcpu](https://github.com/search?q=%2Fproc%2Fself%2Fcgroupcpu&type=code) | -| MEDIUM | [fs/proc/self_mountinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-mountinfo.yara#proc_self_mountinfo) | gets mount info associated to this process | [/proc/self/mountinfo](https://github.com/search?q=%2Fproc%2Fself%2Fmountinfo&type=code) | -| MEDIUM | [impact/ddos](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ddos/ddos.yara#ddos) | References DDoS | [DDoS](https://github.com/search?q=DDoS&type=code) | -| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [:CodeWithScopeSpacerheartbeatinterval](https://github.com/search?q=%3ACodeWithScopeSpacerheartbeatinterval&type=code)
[ConnServer heartbeat started](https://github.com/search?q=ConnServer+heartbeat+started&type=code)
[HeartbeatMS](https://github.com/search?q=HeartbeatMS&type=code)
[SetHeartbeatInterval](https://github.com/search?q=SetHeartbeatInterval&type=code)
[WithHeartbeatInterval](https://github.com/search?q=WithHeartbeatInterval&type=code)
[WithHeartbeatTimeout](https://github.com/search?q=WithHeartbeatTimeout&type=code)
[be greater than or equal to the heartbeat interva](https://github.com/search?q=be+greater+than+or+equal+to+the+heartbeat+interva&type=code)
[comWriteDocumentElementheartbeatfrequenc](https://github.com/search?q=comWriteDocumentElementheartbeatfrequenc&type=code)
[comheartbeatMain: re](https://github.com/search?q=comheartbeatMain%3A+re&type=code)
[crc32Rolling backcleanup docsheartbeat_msgeo_d](https://github.com/search?q=crc32Rolling+backcleanup+docsheartbeat_msgeo_d&type=code)
[edConnection pool clearedServer heartbeat failedS](https://github.com/search?q=edConnection+pool+clearedServer+heartbeat+failedS&type=code)
[edclient_sql_exceptionFailed to heartbeat](https://github.com/search?q=edclient_sql_exceptionFailed+to+heartbeat&type=code)
[eerror setting read deadline in heartbeater:](https://github.com/search?q=eerror+setting+read+deadline+in+heartbeater%3A&type=code)
[eonly valid as initial handshakeheartbeat is not](https://github.com/search?q=eonly+valid+as+initial+handshakeheartbeat+is+not&type=code)
[heartbeatCtxCance](https://github.com/search?q=heartbeatCtxCance&type=code)
[heartbeatFrame](https://github.com/search?q=heartbeatFrame&type=code)
[heartbeatInterval](https://github.com/search?q=heartbeatInterval&type=code)
[heartbeatLock](https://github.com/search?q=heartbeatLock&type=code)
[heartbeatTimeout](https://github.com/search?q=heartbeatTimeout&type=code)
[icedisableConsoleLoginfailed to heartbeat](https://github.com/search?q=icedisableConsoleLoginfailed+to+heartbeat&type=code)
[newHeartbeatDuration](https://github.com/search?q=newHeartbeatDuration&type=code)
[orcHeartbeating](https://github.com/search?q=orcHeartbeating&type=code)
[overflow reading version stringHeartbeats should](https://github.com/search?q=overflow+reading+version+stringHeartbeats+should&type=code)
[parquetheartbeat started](https://github.com/search?q=parquetheartbeat+started&type=code)
[parseHeartbeatFrame](https://github.com/search?q=parseHeartbeatFrame&type=code)
[pollHeartbeatTime](https://github.com/search?q=pollHeartbeatTime&type=code)
[publishServerHeartbeatFailedEv](https://github.com/search?q=publishServerHeartbeatFailedEv&type=code)
[publishServerHeartbeatStartedE](https://github.com/search?q=publishServerHeartbeatStartedE&type=code)
[publishServerHeartbeatSucceede](https://github.com/search?q=publishServerHeartbeatSucceede&type=code)
[setupHeartbeatConnecti](https://github.com/search?q=setupHeartbeatConnecti&type=code)
[sha1publickeysubsystemheartbeatwithcoor](https://github.com/search?q=sha1publickeysubsystemheartbeatwithcoor&type=code)
[sheartbeat stopped](https://github.com/search?q=sheartbeat+stopped&type=code)
[startHeartBeat](https://github.com/search?q=startHeartBeat&type=code)
[stopHeartBeat](https://github.com/search?q=stopHeartBeat&type=code)
[swordincludeRetryReasonstopping heartbeat](https://github.com/search?q=swordincludeRetryReasonstopping+heartbeat&type=code)
[tarting server monitoringServer heartbeat succeed](https://github.com/search?q=tarting+server+monitoringServer+heartbeat+succeed&type=code) | -| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | -| MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | -| MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [DoneDownloadCond](https://github.com/search?q=DoneDownloadCond&type=code)
[DownloadArtifactsFile](https://github.com/search?q=DownloadArtifactsFile&type=code)
[DownloadAvatar](https://github.com/search?q=DownloadAvatar&type=code)
[DownloadContentsWithMeta](https://github.com/search?q=DownloadContentsWithMeta&type=code)
[DownloadPackageFile](https://github.com/search?q=DownloadPackageFile&type=code)
[DownloadReleaseAsset](https://github.com/search?q=DownloadReleaseAsset&type=code)
[ExportDownload](https://github.com/search?q=ExportDownload&type=code)
[FTPDownload](https://github.com/search?q=FTPDownload&type=code)
[FailedDownloads](https://github.com/search?q=FailedDownloads&type=code)
[FuncDownloadHelper](https://github.com/search?q=FuncDownloadHelper&type=code)
[GeoIpDownloadStatistics](https://github.com/search?q=GeoIpDownloadStatistics&type=code)
[GetArchiveDownloadURL](https://github.com/search?q=GetArchiveDownloadURL&type=code)
[GetBrowserDownloadURL](https://github.com/search?q=GetBrowserDownloadURL&type=code)
[GetDownloadCount](https://github.com/search?q=GetDownloadCount&type=code)
[GetDownloadLocation](https://github.com/search?q=GetDownloadLocation&type=code)
[GetDownloadURL](https://github.com/search?q=GetDownloadURL&type=code)
[GetDownloadsURL](https://github.com/search?q=GetDownloadsURL&type=code)
[GetHasDownloads](https://github.com/search?q=GetHasDownloads&type=code)
[GetTempDownloadToken](https://github.com/search?q=GetTempDownloadToken&type=code)
[MFA_TOKENdownload start chunk](https://github.com/search?q=MFA_TOKENdownload+start+chunk&type=code)
[NextDownloader](https://github.com/search?q=NextDownloader&type=code)
[NodeInfoIngestDownloader](https://github.com/search?q=NodeInfoIngestDownloader&type=code)
[STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG](https://github.com/search?q=STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG&type=code)
[SuccessfulDownloads](https://github.com/search?q=SuccessfulDownloads&type=code)
[URLDownloadToFile](https://github.com/search?q=URLDownloadToFile&type=code)
[addDownloader](https://github.com/search?q=addDownloader&type=code)
[archive_download_url](https://github.com/search?q=archive_download_url&type=code)
[browser_download_url](https://github.com/search?q=browser_download_url&type=code)
[chunkDownloader](https://github.com/search?q=chunkDownloader&type=code)
[chunk_downloader](https://github.com/search?q=chunk_downloader&type=code)
[downloadChunkHelper](https://github.com/search?q=downloadChunkHelper&type=code)
[downloadH](https://github.com/search?q=downloadH&type=code)
[downloadLocation](https://github.com/search?q=downloadLocation&type=code)
[downloadOCSPCacheServer](https://github.com/search?q=downloadOCSPCacheServer&type=code)
[downloadPatches](https://github.com/search?q=downloadPatches&type=code)
[download_count](https://github.com/search?q=download_count&type=code)
[downloader id](https://github.com/search?q=downloader+id&type=code)
[downloads_url](https://github.com/search?q=downloads_url&type=code)
[downloadsrepos](https://github.com/search?q=downloadsrepos&type=code)
[failed_downloads](https://github.com/search?q=failed_downloads&type=code)
[funcDownloadHelper](https://github.com/search?q=funcDownloadHelper&type=code)
[geoipdownloadstatistics](https://github.com/search?q=geoipdownloadstatistics&type=code)
[getNextChunkDownloader](https://github.com/search?q=getNextChunkDownloader&type=code)
[has_downloads](https://github.com/search?q=has_downloads&type=code)
[methodTotalDownloadTimeshards](https://github.com/search?q=methodTotalDownloadTimeshards&type=code)
[newStreamChunkDownloader](https://github.com/search?q=newStreamChunkDownloader&type=code)
[nodeinfoingestdownloader](https://github.com/search?q=nodeinfoingestdownloader&type=code)
[populateChunkDownloader](https://github.com/search?q=populateChunkDownloader&type=code)
[profileno download link found for](https://github.com/search?q=profileno+download+link+found+for&type=code)
[setNextChunkDownloader](https://github.com/search?q=setNextChunkDownloader&type=code)
[snowflakeChunkDownloader](https://github.com/search?q=snowflakeChunkDownloader&type=code)
[sstart downloading](https://github.com/search?q=sstart+downloading&type=code)
[streamChunkDownloader](https://github.com/search?q=streamChunkDownloader&type=code)
[successful_downloads](https://github.com/search?q=successful_downloads&type=code)
[tailChunkDownloader](https://github.com/search?q=tailChunkDownloader&type=code)
[temp_download_token](https://github.com/search?q=temp_download_token&type=code)
[the scheduleddownloads](https://github.com/search?q=the+scheduleddownloads&type=code)
[theequationsdownload](https://github.com/search?q=theequationsdownload&type=code)
[thresholddownloading error](https://github.com/search?q=thresholddownloading+error&type=code)
[total_download_time](https://github.com/search?q=total_download_time&type=code)
[useStreamDownloader](https://github.com/search?q=useStreamDownloader&type=code)
[vMaxChunkDownloadWorkers](https://github.com/search?q=vMaxChunkDownloadWorkers&type=code)
[vmsdownloading done](https://github.com/search?q=vmsdownloading+done&type=code)
[wcould not download file for scan](https://github.com/search?q=wcould+not+download+file+for+scan&type=code)
[wfailed to download patches](https://github.com/search?q=wfailed+to+download+patches&type=code)
[when trying to download file for scan](https://github.com/search?q=when+trying+to+download+file+for+scan&type=code) | -| MEDIUM | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value) | Invokes curl | [curl / libcurl / php_curl](https://github.com/search?q=curl+%2F+libcurl+%2F+php_curl&type=code) | -| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | -| MEDIUM | [net/http/content_length](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length.yara#content_length_0) | Sets HTTP content length to zero | [Content-Length: 0](https://github.com/search?q=Content-Length%3A+0&type=code) | -| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | -| MEDIUM | [net/http/fake_user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/fake-user-agent.yara#fake_user_agent_chrome) | pretends to be Chrome | [(KHTML, like Gecko) Chrome](https://github.com/search?q=%28KHTML%2C+like+Gecko%29+Chrome&type=code) | -| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type from get jenkins builds request](https://github.com/search?q=Content-Type+from+get+jenkins+builds+request&type=code)
[Content-Type from get jenkins jobs request:](https://github.com/search?q=Content-Type+from+get+jenkins+jobs+request%3A&type=code)
[Content-Type headerstorage: at least one sou](https://github.com/search?q=Content-Type+headerstorage%3A+at+least+one+sou&type=code)
[Content-Type isn](https://github.com/search?q=Content-Type+isn&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-TypePUSH_PROMISECONTINUATIONCookie.V](https://github.com/search?q=Content-TypePUSH_PROMISECONTINUATIONCookie.V&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[Content-Typeinvalid nesting depthcould not p](https://github.com/search?q=Content-Typeinvalid+nesting+depthcould+not+p&type=code)
[Content-Typenet/http: timeout awaiting respo](https://github.com/search?q=Content-Typenet%2Fhttp%3A+timeout+awaiting+respo&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code) | -| MEDIUM | [net/http/webhook](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/webhook.yara#webhook) | supports webhooks | [CustomRegexWebhook](https://github.com/search?q=CustomRegexWebhook&type=code)
[DiscordWebhook](https://github.com/search?q=DiscordWebhook&type=code)
[GetWebhookSecret](https://github.com/search?q=GetWebhookSecret&type=code)
[IncomingWebhook](https://github.com/search?q=IncomingWebhook&type=code)
[KeypipelineWebhooksCategoryread_apiReporterorg](https://github.com/search?q=KeypipelineWebhooksCategoryread_apiReporterorg&type=code)
[MicrosoftTeamsWebhook](https://github.com/search?q=MicrosoftTeamsWebhook&type=code)
[NewWebhookCustomRegex](https://github.com/search?q=NewWebhookCustomRegex&type=code)
[Sessionwebhook](https://github.com/search?q=Sessionwebhook&type=code)
[SlackWebhook](https://github.com/search?q=SlackWebhook&type=code)
[TinesWebhook](https://github.com/search?q=TinesWebhook&type=code)
[Webhook1protobuf](https://github.com/search?q=Webhook1protobuf&type=code)
[WebhookAction](https://github.com/search?q=WebhookAction&type=code)
[WebhookH](https://github.com/search?q=WebhookH&type=code)
[WebhookMultiError](https://github.com/search?q=WebhookMultiError&type=code)
[WebhookResult](https://github.com/search?q=WebhookResult&type=code)
[WebhookSubuser](https://github.com/search?q=WebhookSubuser&type=code)
[WebhookValidationError](https://github.com/search?q=WebhookValidationError&type=code)
[Webhook_Header](https://github.com/search?q=Webhook_Header&type=code)
[Webhook_Vector](https://github.com/search?q=Webhook_Vector&type=code)
[ZapierWebhook](https://github.com/search?q=ZapierWebhook&type=code)
[discordwebhook](https://github.com/search?q=discordwebhook&type=code)
[getWebhooksPermission](https://github.com/search?q=getWebhooksPermission&type=code)
[isWebhook_Credential](https://github.com/search?q=isWebhook_Credential&type=code)
[isWebhook_Data](https://github.com/search?q=isWebhook_Data&type=code)
[microsoftteamswebhook](https://github.com/search?q=microsoftteamswebhook&type=code)
[readwebhooks](https://github.com/search?q=readwebhooks&type=code)
[slackwebhook](https://github.com/search?q=slackwebhook&type=code)
[tineswebhook](https://github.com/search?q=tineswebhook&type=code)
[verifyWebhook](https://github.com/search?q=verifyWebhook&type=code)
[webhook_endpoints](https://github.com/search?q=webhook_endpoints&type=code)
[webhook_read](https://github.com/search?q=webhook_read&type=code)
[webhook_secret](https://github.com/search?q=webhook_secret&type=code)
[webhook_write](https://github.com/search?q=webhook_write&type=code)
[webhookaction](https://github.com/search?q=webhookaction&type=code)
[webhookb2](https://github.com/search?q=webhookb2&type=code)
[writewebhooks](https://github.com/search?q=writewebhooks&type=code) | -| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#go_scan_tool_val) | Uses struct with JSON representations for host:port | [json:"host"](https://github.com/search?q=json%3A%22host%22&type=code)
[json:"hostname"](https://github.com/search?q=json%3A%22hostname%22&type=code)
[json:"ip"](https://github.com/search?q=json%3A%22ip%22&type=code)
[json:"port"](https://github.com/search?q=json%3A%22port%22&type=code) | -| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping interval to minimum period of](https://github.com/search?q=ping+interval+to+minimum+period+of&type=code)
[ping not acked within timeout](https://github.com/search?q=ping+not+acked+within+timeout&type=code) | -| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#ip_go) | parses IP address (IPv4 or IPv6) | [IsLinkLocalUnicast](https://github.com/search?q=IsLinkLocalUnicast&type=code)
[IsSingleIP](https://github.com/search?q=IsSingleIP&type=code) | -| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | -| MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [ntlmssp](https://github.com/search?q=ntlmssp&type=code) | -| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | -| MEDIUM | [net/tcp/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/connect.yara#connect_tcp) | connects to a TCP port | [dialTCP](https://github.com/search?q=dialTCP&type=code) | -| MEDIUM | [net/tcp/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/listen.yara#listen_tcp) | listen on a TCP port | [listening on tcp](https://github.com/search?q=listening+on+tcp&type=code) | -| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses crypto/ssh to connect to the SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) | -| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[25https://api.websitepulse.com/textserver.php?method=GetContacts](https://github.com/search?q=25https%3A%2F%2Fapi.websitepulse.com%2Ftextserver.php%3Fmethod%3DGetContacts&type=code)
[bhttps://api.route4me.com/api.v4/address_book.php?api_key=https](https://github.com/search?q=bhttps%3A%2F%2Fapi.route4me.com%2Fapi.v4%2Faddress_book.php%3Fapi_key%3Dhttps&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[https://pastebin.com/api/api_post.php](https://pastebin.com/api/api_post.php)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code)
[shttps://api.mesibo.com/api.php?op=useradd](https://github.com/search?q=shttps%3A%2F%2Fapi.mesibo.com%2Fapi.php%3Fop%3Duseradd&type=code) | -| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | -| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code) | -| MEDIUM | [persist/kernel_module/unload](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/unload.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) | -| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [pid_file](https://github.com/search?q=pid_file&type=code) | -| MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) | -| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercepted](https://github.com/search?q=intercepted&type=code)
[interceptor](https://github.com/search?q=interceptor&type=code) | -| MEDIUM | [sus/malicious](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/malicious.yara#malicious) | References 'malicious' | [other kinds of malicious content](https://github.com/search?q=other+kinds+of+malicious+content&type=code) | -| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://169.254.169.254/latest/api/tokennonce](http://169.254.169.254/latest/api/tokennonce)
[http://169.254.169.254/latest/meta](http://169.254.169.254/latest/meta)
[http://169.254.169.254/latestProcessProviderExecutionErrorfailed](http://169.254.169.254/latestProcessProviderExecutionErrorfailed)
[http://169.254.169.254/metadata/identity/oauth2/token](http://169.254.169.254/metadata/identity/oauth2/token)
[http://169.254.169.254BalancerAttributes](http://169.254.169.254BalancerAttributes)
[http://169.254.170.2/redis](http://169.254.170.2/redis)
[http://169.254.170.2RequestLimitExceededinvalid](http://169.254.170.2RequestLimitExceededinvalid)
[http://Descriptionrelatively](http://Descriptionrelatively)
[http://according](http://according)
[http://addEventListenerresponsible](http://addEventListenerresponsible)
[http://applicationslink](http://applicationslink)
[http://chunkednosniffCreatedIM](http://chunkednosniffCreatedIM)
[http://dictionaryperceptionrevolutionfoundationpx](http://dictionaryperceptionrevolutionfoundationpx)
[http://earth.google.com/kml/2.0](http://earth.google.com/kml/2.0)
[http://earth.google.com/kml/2.1](http://earth.google.com/kml/2.1)
[http://earth.google.com/kml/2.2](http://earth.google.com/kml/2.2)
[http://encoding=](http://encoding=)
[http://familiar](http://familiar)
[http://google.com](http://google.com)
[http://html4/loose.dtd](http://html4/loose.dtd)
[http://imEnglish](http://imEnglish)
[http://interested](http://interested)
[http://interpreted](http://interpreted)
[http://iparticipation](http://iparticipation)
[http://localhost/truncate](http://localhost/truncate)
[http://mathematicsmargin](http://mathematicsmargin)
[http://metadata/computeMetadata/v1/instance/service](http://metadata/computeMetadata/v1/instance/service)
[http://navigation](http://navigation)
[http://ns.adobe.com/xfdf/](http://ns.adobe.com/xfdf/)
[http://ocsp.snowflakecomputing.comFailed](http://ocsp.snowflakecomputing.comFailed)
[http://portal.microsoftazure.de/https](http://portal.microsoftazure.de/https)
[http://s3.amazonaws.com/doc/2006](http://s3.amazonaws.com/doc/2006)
[http://schemas.microsoft.com/3dmanufacturing/core/2015/02](http://schemas.microsoft.com/3dmanufacturing/core/2015/02)
[http://site_name](http://site_name)
[http://staticsuggested](http://staticsuggested)
[http://www./div](http://www./div)
[http://www.C//DTD](http://www.C//DTD)
[http://www.collada.org/2005/11/COLLADASchema](http://www.collada.org/2005/11/COLLADASchema)
[http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2](http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2)
[http://www.hortcut](http://www.hortcut)
[http://www.icon](http://www.icon)
[http://www.interpretation](http://www.interpretation)
[http://www.language=](http://www.language=)
[http://www.opengis.net/gml/3.2](http://www.opengis.net/gml/3.2)
[http://www.opengis.net/gml/3.3/exr](http://www.opengis.net/gml/3.3/exr)
[http://www.opengis.net/kml/2.2](http://www.opengis.net/kml/2.2)
[http://www.style=](http://www.style=)
[http://www.text](http://www.text)
[http://www.topografix.com/GPX/1/1](http://www.topografix.com/GPX/1/1)
[http://www.w3.org/2000/svg](http://www.w3.org/2000/svg)
[http://www.w3.org/2001/XMLSchema](http://www.w3.org/2001/XMLSchema)
[http://www.w3.org/2002/07/owl](http://www.w3.org/2002/07/owl)
[http://www.w3.org/2005/Atom](http://www.w3.org/2005/Atom)
[http://www.w3.org/TR/2001/REC](http://www.w3.org/TR/2001/REC)
[http://www.w3.org/XML/1998/namespacexml](http://www.w3.org/XML/1998/namespacexml)
[http://www.w3.org/shortcut](http://www.w3.org/shortcut)
[http://www.wencodeURIComponent](http://www.wencodeURIComponent)
[http://www.years](http://www.years)
[https://a.klaviyo.com/api/profileshttps](https://a.klaviyo.com/api/profileshttps)
[https://accounts.google.com/o/oauth2/authhttps](https://accounts.google.com/o/oauth2/authhttps)
[https://amplitude.com/api/2/taxonomy/categoryhttps](https://amplitude.com/api/2/taxonomy/categoryhttps)
[https://anypoint.mulesoft.com/apiplatform/repository/v2/organizations/](https://anypoint.mulesoft.com/apiplatform/repository/v2/organizations/)
[https://anypointapi2cartapiflashBasic](https://anypointapi2cartapiflashBasic)
[https://api.abuseipdb.com/api/v2/check](https://api.abuseipdb.com/api/v2/check)
[https://api.abyssale.com/ready](https://api.abyssale.com/ready)
[https://api.adzuna.com](https://api.adzuna.com)
[https://api.aeroworkflow.com/api/unexpected](https://api.aeroworkflow.com/api/unexpected)
[https://api.agora.io/dev/v1/projectshttps](https://api.agora.io/dev/v1/projectshttps)
[https://api.airbrake.io/api/v4/projects/grant_type=client_credentials&client_id=ht](https://api.airbrake.io/api/v4/projects/grant_type=client_credentials&client_id=ht)
[https://api.airtable.com/v0/AWS](https://api.airtable.com/v0/AWS)
[https://api.airvisual.com/v2/countries](https://api.airvisual.com/v2/countries)
[https://api.aiven.io/v1/project](https://api.aiven.io/v1/project)
[https://api.alegra.com/api/v1/users](https://api.alegra.com/api/v1/users)
[https://api.aletheiaapi.com/StockData](https://api.aletheiaapi.com/StockData)
[https://api.ambeedata.com/latest/by](https://api.ambeedata.com/latest/by)
[https://api.anthropic.com/v1/messageshttps](https://api.anthropic.com/v1/messageshttps)
[https://api.api2cart.com/v1.1/account.cart.list.json](https://api.api2cart.com/v1.1/account.cart.list.json)
[https://api.apiflash.com/v1/urltoimage](https://api.apiflash.com/v1/urltoimage)
[https://api.apifonica.com/v2/accounts&my=true&offset=10&limit=99&desc](https://api.apifonica.com/v2/accounts&my=true&offset=10&limit=99&desc)
[https://api.apify.com/v2/acts](https://api.apify.com/v2/acts)
[https://api.apilayer.com/number_verification/countrieshttps](https://api.apilayer.com/number_verification/countrieshttps)
[https://api.apiscience.com/v1/monitorshttps](https://api.apiscience.com/v1/monitorshttps)
[https://api.apitemplate.io/v1/list](https://api.apitemplate.io/v1/list)
[https://api.app.shortcut.com/api/v3/member](https://api.app.shortcut.com/api/v3/member)
[https://api.appcues.com/v2/accounts/](https://api.appcues.com/v2/accounts/)
[https://api.appfollow.io/api/v2/account/usershttps](https://api.appfollow.io/api/v2/account/usershttps)
[https://api.appointedd.com/v1/availability/slots](https://api.appointedd.com/v1/availability/slots)
[https://api.appoptics.com/v1/metricshost](https://api.appoptics.com/v1/metricshost)
[https://api.apptivo.com/app/dao/v6/leads](https://api.apptivo.com/app/dao/v6/leads)
[https://api.artsy.net/api/tokens/xapp_token](https://api.artsy.net/api/tokens/xapp_token)
[https://api.assemblyai.com/v2/transcripthttps](https://api.assemblyai.com/v2/transcripthttps)
[https://api.atlassian.com/admin/v1/orgshttps](https://api.atlassian.com/admin/v1/orgshttps)
[https://api.audd.io/setCallbackUrl/](https://api.audd.io/setCallbackUrl/)
[https://api.autoklose.com/api/campaigns/](https://api.autoklose.com/api/campaigns/)
[https://api.avaza.com/api/Account.blob.core.windows.net/](https://api.avaza.com/api/Account.blob.core.windows.net/)
[https://api.aviationstack.com/v1/flights](https://api.aviationstack.com/v1/flights)
[https://api.aylien.com/news/stories](https://api.aylien.com/news/stories)
[https://api.bannerbear.com/v2/authhttps](https://api.bannerbear.com/v2/authhttps)
[https://api.baremetrics.com/v1/accounthttps](https://api.baremetrics.com/v1/accounthttps)
[https://api.bitbucket.org/2.0/repositoriesMake](https://api.bitbucket.org/2.0/repositoriesMake)
[https://api.blocknative.com/gasprices/blockpriceshttps](https://api.blocknative.com/gasprices/blockpriceshttps)
[https://api.bombbomb.com/v2/lists/https](https://api.bombbomb.com/v2/lists/https)
[https://api.borgbase.com/graphqlhttps](https://api.borgbase.com/graphqlhttps)
[https://api.brandfetch.io/v1/color](https://api.brandfetch.io/v1/color)
[https://api.browshot.com/api/v1/instance/list](https://api.browshot.com/api/v1/instance/list)
[https://api.bscscan.com/api](https://api.bscscan.com/api)
[https://api.bugsnag.com/user/organizations](https://api.bugsnag.com/user/organizations)
[https://api.buildkite.com/v2/access](https://api.buildkite.com/v2/access)
[https://api.bulksms.com/v1/messageshttps](https://api.bulksms.com/v1/messageshttps)
[https://api.buttercms.com/v2/posts/](https://api.buttercms.com/v2/posts/)
[https://api.calendly.com/users/mehttps](https://api.calendly.com/users/mehttps)
[https://api.calorieninjas.com/v1/nutrition](https://api.calorieninjas.com/v1/nutrition)
[https://api.capsulecrm.com/api/v2/usershttps](https://api.capsulecrm.com/api/v2/usershttps)
[https://api.captaindata.co/v2/https](https://api.captaindata.co/v2/https)
[https://api.cashboardapp.com/account.xmlhttps](https://api.cashboardapp.com/account.xmlhttps)
[https://api.centralstationcrm.net/api/users.jsonhttps](https://api.centralstationcrm.net/api/users.jsonhttps)
[https://api.chartmogul.com/v1/pinghttps](https://api.chartmogul.com/v1/pinghttps)
[https://api.chatbot.com/storieshttps](https://api.chatbot.com/storieshttps)
[https://api.chec.io/v1/categorieshttps](https://api.chec.io/v1/categorieshttps)
[https://api.chec.io/v1/products](https://api.chec.io/v1/products)
[https://api.checklyhq.com/v1/checks](https://api.checklyhq.com/v1/checks)
[https://api.clarifai.com/v2/inputshttps](https://api.clarifai.com/v2/inputshttps)
[https://api.clarifai.com/v2/users/mehttps](https://api.clarifai.com/v2/users/mehttps)
[https://api.clickup.com/api/v2/userhttps](https://api.clickup.com/api/v2/userhttps)
[https://api.cliengo.com/1.0/account](https://api.cliengo.com/1.0/account)
[https://api.clockify.me/api/v1/userhttps](https://api.clockify.me/api/v1/userhttps)
[https://api.close.com/api/v1/me/https](https://api.close.com/api/v1/me/https)
[https://api.cloudconvert.com/v2/users/mehttps](https://api.cloudconvert.com/v2/users/mehttps)
[https://api.cloudflare.com/client/v4/certificates](https://api.cloudflare.com/client/v4/certificates)
[https://api.cloudflare.com/client/v4/user/tokens/verify](https://api.cloudflare.com/client/v4/user/tokens/verify)
[https://api.cloudflare.com/client/v4/userhttps](https://api.cloudflare.com/client/v4/userhttps)
[https://api.cloudimage.com/invalidatehttps](https://api.cloudimage.com/invalidatehttps)
[https://api.cloudmersive.com/validate/address/parsehttps](https://api.cloudmersive.com/validate/address/parsehttps)
[https://api.cloudplan.biz/api/user/me](https://api.cloudplan.biz/api/user/me)
[https://api.cloudsmith.io/v1/user/self/https](https://api.cloudsmith.io/v1/user/self/https)
[https://api.cloverly.com/2019](https://api.cloverly.com/2019)
[https://api.cloze.com/v1/profile](https://api.cloze.com/v1/profile)
[https://api.codeclimate.com/v1/userhttps](https://api.codeclimate.com/v1/userhttps)
[https://api.codemagic.io/appsunexpected](https://api.codemagic.io/appsunexpected)
[https://api.coinbase.com/v2/userhttps](https://api.coinbase.com/v2/userhttps)
[https://api.coinlayer.com/api/livelive](https://api.coinlayer.com/api/livelive)
[https://api.column.com/entities](https://api.column.com/entities)
[https://api.companyhub.com/v1/me](https://api.companyhub.com/v1/me)
[https://api.confluent.cloud/iam/v2/api](https://api.confluent.cloud/iam/v2/api)
[https://api.contentful.com/organizationshttps](https://api.contentful.com/organizationshttps)
[https://api.conversiontools.io/v1/taskshttps](https://api.conversiontools.io/v1/taskshttps)
[https://api.convertkit.com/v3/forms](https://api.convertkit.com/v3/forms)
[https://api.copper.com/developer_api/v1/tasks/searchhttps](https://api.copper.com/developer_api/v1/tasks/searchhttps)
[https://api.countrylayer.com/v2/all](https://api.countrylayer.com/v2/all)
[https://api.courier.com/preferences](https://api.courier.com/preferences)
[https://api.craftmypdf.com/v1/get](https://api.craftmypdf.com/v1/get)
[https://api.crowdin.com/api/v2/storageshttps](https://api.crowdin.com/api/v2/storageshttps)
[https://api.currencyfreaks.com/latest](https://api.currencyfreaks.com/latest)
[https://api.currencylayer.com/live](https://api.currencylayer.com/live)
[https://api.currencyscoop.com/v1/latest](https://api.currencyscoop.com/v1/latest)
[https://api.currentsapi.services/v1/latest](https://api.currentsapi.services/v1/latest)
[https://api.dandelion.eu/datatxt/li/v1/](https://api.dandelion.eu/datatxt/li/v1/)
[https://api.dareboost.com/0.8/confighttps](https://api.dareboost.com/0.8/confighttps)
[https://api.datadoghq.comhttps](https://api.datadoghq.comhttps)
[https://api.deepai.org/api/text](https://api.deepai.org/api/text)
[https://api.deepgram.com/v1/projects](https://api.deepgram.com/v1/projects)
[https://api.delighted.com/v1/people.jsonapplication/vnd.docusign](https://api.delighted.com/v1/people.jsonapplication/vnd.docusign)
[https://api.deno.com/user](https://api.deno.com/user)
[https://api.detectify.com/rest/v2/assets/https](https://api.detectify.com/rest/v2/assets/https)
[https://api.developer.coinbase.com/waas/pools/protoc](https://api.developer.coinbase.com/waas/pools/protoc)
[https://api.developer.coinbase.com/waas/poolsquery](https://api.developer.coinbase.com/waas/poolsquery)
[https://api.diffbot.com/v4/account](https://api.diffbot.com/v4/account)
[https://api.digitalocean.com/v2/accounthttps](https://api.digitalocean.com/v2/accounthttps)
[https://api.dittowords.com/variantshttps](https://api.dittowords.com/variantshttps)
[https://api.docparser.com/v1/parsers](https://api.docparser.com/v1/parsers)
[https://api.documo.com/v1/me](https://api.documo.com/v1/me)
[https://api.doppler.com/v3/mehttps](https://api.doppler.com/v3/mehttps)
[https://api.dovico.com/Employees/](https://api.dovico.com/Employees/)
[https://api.dropboxapi.com/2/users/get_current_account](https://api.dropboxapi.com/2/users/get_current_account)
[https://api.dyspatch.io/templateshttps](https://api.dyspatch.io/templateshttps)
[https://api.ecostruxureit.com/rest/v1/organizationshttps](https://api.ecostruxureit.com/rest/v1/organizationshttps)
[https://api.edamam.com/auto](https://api.edamam.com/auto)
[https://api.edenai.run/v1/automl/text/projecthttps](https://api.edenai.run/v1/automl/text/projecthttps)
[https://api.elasticemail.com/v2/account/profileoverview](https://api.elasticemail.com/v2/account/profileoverview)
[https://api.elevenlabs.io/v1/user](https://api.elevenlabs.io/v1/user)
[https://api.enablex.io/voice/v1/call/api/access](https://api.enablex.io/voice/v1/call/api/access)
[https://api.endorlabs.com/v1/auth/api](https://api.endorlabs.com/v1/auth/api)
[https://api.enigma.com/businesses/matchhttps](https://api.enigma.com/businesses/matchhttps)
[https://api.envoy.com/v1/locations](https://api.envoy.com/v1/locations)
[https://api.ers.usda.gov/data/arms/state](https://api.ers.usda.gov/data/arms/state)
[https://api.etherscan.io/api](https://api.etherscan.io/api)
[https://api.eu.newrelic.com/v2/users.jsonapplication/vnd.onesignal](https://api.eu.newrelic.com/v2/users.jsonapplication/vnd.onesignal)
[https://api.eu.sendgrid.comtag](https://api.eu.sendgrid.comtag)
[https://api.everhour.com/clientshttps](https://api.everhour.com/clientshttps)
[https://api.exchangeratesapi.io/v1/latest](https://api.exchangeratesapi.io/v1/latest)
[https://api.exportsdk.com/v1/pdfhttps](https://api.exportsdk.com/v1/pdfhttps)
[https://api.fastforex.io/fetch](https://api.fastforex.io/fetch)
[https://api.fastly.com/current_userhttps](https://api.fastly.com/current_userhttps)
[https://api.feedier.com/v1/carriers](https://api.feedier.com/v1/carriers)
[https://api.figma.com/v1/me](https://api.figma.com/v1/me)
[https://api.finage.co.uk/symbol](https://api.finage.co.uk/symbol)
[https://api.findl.com/v1.0/query](https://api.findl.com/v1.0/query)
[https://api.flat.io/v2/meapplication](https://api.flat.io/v2/meapplication)
[https://api.fleetbase.io/v1/contacts/](https://api.fleetbase.io/v1/contacts/)
[https://api.flightapi.io/iata/](https://api.flightapi.io/iata/)
[https://api.flightstats.com/flex/aircraft/rest/v1/json/availableFields](https://api.flightstats.com/flex/aircraft/rest/v1/json/availableFields)
[https://api.float.com/v3/people](https://api.float.com/v3/people)
[https://api.flutterwave.com/v3/subaccountshttps](https://api.flutterwave.com/v3/subaccountshttps)
[https://api.fmfw.io/api/3/spot/balancegithub](https://api.fmfw.io/api/3/spot/balancegithub)
[https://api.foursquare.com/v2/venues/trending](https://api.foursquare.com/v2/venues/trending)
[https://api.frame.io/v2/mehttps](https://api.frame.io/v2/mehttps)
[https://api.fulcrumapp.com/api/v2/forms.jsonhttps](https://api.fulcrumapp.com/api/v2/forms.jsonhttps)
[https://api.fullstory.com/operations/v1https](https://api.fullstory.com/operations/v1https)
[https://api.fullstory.com/v2/users](https://api.fullstory.com/v2/users)
[https://api.geckoboard.com/](https://api.geckoboard.com/)
[https://api.gemini.com/v1/accounthttps](https://api.gemini.com/v1/accounthttps)
[https://api.gengo.com/v2/account/me](https://api.gengo.com/v2/account/me)
[https://api.geoapify.com/v1/geocode/search](https://api.geoapify.com/v1/geocode/search)
[https://api.geocod.io/v1.6/geocode](https://api.geocod.io/v1.6/geocode)
[https://api.geocodify.com/v2/geocode](https://api.geocodify.com/v2/geocode)
[https://api.getbeamer.com/v0/url](https://api.getbeamer.com/v0/url)
[https://api.getgeoapi.com/v2/currency/list](https://api.getgeoapi.com/v2/currency/list)
[https://api.getgist.com/contacts/](https://api.getgist.com/contacts/)
[https://api.getpostman.com/collections/0/ch1/0/](https://api.getpostman.com/collections/0/ch1/0/)
[https://api.getpostman.com/environments/](https://api.getpostman.com/environments/)
[https://api.getpostman.com/meaccess_settings.activity.readmail_settings.template.updatesuppression.spam_reports.readsuppression.unsubscribes.readtracking_settings.open.updateuser](https://api.getpostman.com/meaccess_settings.activity.readmail_settings.template.updatesuppression.spam_reports.readsuppression.unsubscribes.readtracking_settings.open.updateuser)
[https://api.getpostman.com/workspaces/](https://api.getpostman.com/workspaces/)
[https://api.getpostman.com/workspacestracking_settings.subscription.updateworkflows.triggers.permissions.removehttps](https://api.getpostman.com/workspacestracking_settings.subscription.updateworkflows.triggers.permissions.removehttps)
[https://api.getresponse.com/v3/accountshttps](https://api.getresponse.com/v3/accountshttps)
[https://api.github.com/2006](https://api.github.com/2006)
[https://api.github.com/apphttps](https://api.github.com/apphttps)
[https://api.github.com/graphqlfailed](https://api.github.com/graphqlfailed)
[https://api.github.com/repos/exec](https://api.github.com/repos/exec)
[https://api.github.com/user/interaction](https://api.github.com/user/interaction)
[https://api.github.com/user/social_accountssql](https://api.github.com/user/social_accountssql)
[https://api.github.comInclude](https://api.github.comInclude)
[https://api.gitter.im/v1/user/me](https://api.gitter.im/v1/user/me)
[https://api.glassnode.com/v1/metrics/indicators/sopr](https://api.glassnode.com/v1/metrics/indicators/sopr)
[https://api.gocardless.com/customers/](https://api.gocardless.com/customers/)
[https://api.goodday.work/2.0/users](https://api.goodday.work/2.0/users)
[https://api.groovehq.com/v1/meexpected](https://api.groovehq.com/v1/meexpected)
[https://api.groq.com/openai/v1/models](https://api.groq.com/openai/v1/models)
[https://api.gumroad.com/v2/products](https://api.gumroad.com/v2/products)
[https://api.gyazo.com/api/images](https://api.gyazo.com/api/images)
[https://api.harvestapp.com/v2/users/me](https://api.harvestapp.com/v2/users/me)
[https://api.hellosign.com/v3/accounthttps](https://api.hellosign.com/v3/accounthttps)
[https://api.helpcrunch.com/v1/departmentshttps](https://api.helpcrunch.com/v1/departmentshttps)
[https://api.heroku.com/apps](https://api.heroku.com/apps)
[https://api.holistic.dev/api/v1/projecthttps](https://api.holistic.dev/api/v1/projecthttps)
[https://api.honeycomb.io/1/authhttps](https://api.honeycomb.io/1/authhttps)
[https://api.html2pdf.app/v1/generatehttps](https://api.html2pdf.app/v1/generatehttps)
[https://api.hubapi.com/contacts/v1/lists](https://api.hubapi.com/contacts/v1/lists)
[https://api.hunter.io/v2/leads_lists](https://api.hunter.io/v2/leads_lists)
[https://api.hybiscus.dev/api/v1/get](https://api.hybiscus.dev/api/v1/get)
[https://api.iconfinder.com/v4/iconsetslogin](https://api.iconfinder.com/v4/iconsetslogin)
[https://api.imagekit.io/v1/fileshttps](https://api.imagekit.io/v1/fileshttps)
[https://api.imagga.com/v2/usagehttps](https://api.imagga.com/v2/usagehttps)
[https://api.instabot.io/v1spring.datasource.password](https://api.instabot.io/v1spring.datasource.password)
[https://api.instamojo.com/oauth2/token/https](https://api.instamojo.com/oauth2/token/https)
[https://api.intercom.io/contacts](https://api.intercom.io/contacts)
[https://api.intra.42.fr/oauth/token](https://api.intra.42.fr/oauth/token)
[https://api.ip2location.io/](https://api.ip2location.io/)
[https://api.ipapi.com/49.146.239.251](https://api.ipapi.com/49.146.239.251)
[https://api.ipgeolocation.io/ipgeo](https://api.ipgeolocation.io/ipgeo)
[https://api.ipinfodb.com/v3/ip](https://api.ipinfodb.com/v3/ip)
[https://api.ipstack.com/134.201.250.155](https://api.ipstack.com/134.201.250.155)
[https://api.jotform.com/user](https://api.jotform.com/user)
[https://api.juro.com/v3/templates](https://api.juro.com/v3/templates)
[https://api.keen.io/3.0/organizations/](https://api.keen.io/3.0/organizations/)
[https://api.kickbox.com/v2/verify](https://api.kickbox.com/v2/verify)
[https://api.knapsackpro.com/v1/builds](https://api.knapsackpro.com/v1/builds)
[https://api.kraken.com/0/private/Balanceapplication/vnd.loadmill](https://api.kraken.com/0/private/Balanceapplication/vnd.loadmill)
[https://api.kucoin.com](https://api.kucoin.com)
[https://api.kylas.io/v1/contactshttps](https://api.kylas.io/v1/contactshttps)
[https://api.languagelayer.com/languages](https://api.languagelayer.com/languages)
[https://api.leadfeeder.com/accountsunexpected](https://api.leadfeeder.com/accountsunexpected)
[https://api.lemlist.com/api/teamhttps](https://api.lemlist.com/api/teamhttps)
[https://api.lemonsqueezy.com/v1/products/](https://api.lemonsqueezy.com/v1/products/)
[https://api.lessannoyingcrm.com](https://api.lessannoyingcrm.com)
[https://api.lexigram.io/v1/lexigraph/search](https://api.lexigram.io/v1/lexigraph/search)
[https://api.linear.app/graphqlhttps](https://api.linear.app/graphqlhttps)
[https://api.linkpreview.net/](https://api.linkpreview.net/)
[https://api.livestorm.co/v1/ping](https://api.livestorm.co/v1/ping)
[https://api.loganalytics.iohttps](https://api.loganalytics.iohttps)
[https://api.loganalytics.usservicebus.chinacloudapi.cndocuments.microsoftazure.denot](https://api.loganalytics.usservicebus.chinacloudapi.cndocuments.microsoftazure.denot)
[https://api.loginradius.com/identity/v2/serverinfo](https://api.loginradius.com/identity/v2/serverinfo)
[https://api.logz.io/v2/whoami](https://api.logz.io/v2/whoami)
[https://api.lokalise.com/api2/system/languages](https://api.lokalise.com/api2/system/languages)
[https://api.loyverse.com/v1.0/merchant/https](https://api.loyverse.com/v1.0/merchant/https)
[https://api.luno.com/api/1/balancehttps](https://api.luno.com/api/1/balancehttps)
[https://api.madkudu.com/v1/pinghttps](https://api.madkudu.com/v1/pinghttps)
[https://api.magicbell.com/notification_preferenceshttps](https://api.magicbell.com/notification_preferenceshttps)
[https://api.mailerlite.com/api/v2/campaigns](https://api.mailerlite.com/api/v2/campaigns)
[https://api.mailgun.net/v3/domainshttps](https://api.mailgun.net/v3/domainshttps)
[https://api.mailgun.net/v4/domainstracking_settings.google_analyticsmail_settings.plain_content.updatetemplates.versions.activate.createtemplates.versions.activate.deletetemplates](https://api.mailgun.net/v4/domainstracking_settings.google_analyticsmail_settings.plain_content.updatetemplates.versions.activate.createtemplates.versions.activate.deletetemplates)
[https://api.mailjet.com/v3/REST/messagehttps](https://api.mailjet.com/v3/REST/messagehttps)
[https://api.mailjet.com/v4/sms](https://api.mailjet.com/v4/sms)
[https://api.mailmodo.com/api/v1/campaigns](https://api.mailmodo.com/api/v1/campaigns)
[https://api.mapbox.com/tokens/v2/](https://api.mapbox.com/tokens/v2/)
[https://api.marketstack.com/v1/eod](https://api.marketstack.com/v1/eod)
[https://api.mavenlink.com/api/v1/workspaces.jsonhttps](https://api.mavenlink.com/api/v1/workspaces.jsonhttps)
[https://api.meaningcloud.com/lang](https://api.meaningcloud.com/lang)
[https://api.mediastack.com/v1/news](https://api.mediastack.com/v1/news)
[https://api.mesibo.com/api.php](https://api.mesibo.com/api.php)
[https://api.meta](https://api.meta)
[https://api.miro.com/v1/users/mehttps](https://api.miro.com/v1/users/mehttps)
[https://api.mixmax.com/v1/users/meNvidia](https://api.mixmax.com/v1/users/meNvidia)
[https://api.mockaroo.com/api/types](https://api.mockaroo.com/api/types)
[https://api.monday.com/v2](https://api.monday.com/v2)
[https://api.monkeylearn.com/v3/classifiers](https://api.monkeylearn.com/v3/classifiers)
[https://api.moonclerk.com/forms](https://api.moonclerk.com/forms)
[https://api.moosend.com/v3/lists.json](https://api.moosend.com/v3/lists.json)
[https://api.mux.com/video/v1/assetshttps](https://api.mux.com/video/v1/assetshttps)
[https://api.myintervals.com/client/https](https://api.myintervals.com/client/https)
[https://api.na1.insightly.com/v3.1/Contacts](https://api.na1.insightly.com/v3.1/Contacts)
[https://api.netlify.com/api/v1/siteshttps](https://api.netlify.com/api/v1/siteshttps)
[https://api.newrelic.com/v2/users.json](https://api.newrelic.com/v2/users.json)
[https://api.newscatcherapi.com/v2/search](https://api.newscatcherapi.com/v2/search)
[https://api.nftport.xyz/me/contractshttps](https://api.nftport.xyz/me/contractshttps)
[https://api.ngc.nvidia.com/v3/keys/get](https://api.ngc.nvidia.com/v3/keys/get)
[https://api.ngrok.com/agent_ingressesapplication/vnd.nylas](https://api.ngrok.com/agent_ingressesapplication/vnd.nylas)
[https://api.nicereply.com/v1/users/statshttps](https://api.nicereply.com/v1/users/statshttps)
[https://api.nightfall.ai/v3/uploadhttps](https://api.nightfall.ai/v3/uploadhttps)
[https://api.noticeable.io/graphql](https://api.noticeable.io/graphql)
[https://api.notion.com/v1/usershttps](https://api.notion.com/v1/usershttps)
[https://api.nylas.com/account](https://api.nylas.com/account)
[https://api.omnisend.com/v3/contacts](https://api.omnisend.com/v3/contacts)
[https://api.oopspam.com/v1/spamdetectionhttps](https://api.oopspam.com/v1/spamdetectionhttps)
[https://api.openai.com/v1/assistantsmail_settings.address_whitelist.readuser.multifactor_authentication.readadmin.conversations.convertToPrivateadmin.conversations.disconnectSharedadmin](https://api.openai.com/v1/assistantsmail_settings.address_whitelist.readuser.multifactor_authentication.readadmin.conversations.convertToPrivateadmin.conversations.disconnectSharedadmin)
[https://api.openai.com/v1/filesmail_settings.address_whitelistuser.multifactor_authenticationmail_settings.bounce_purge.readmail_settings.forward_spam.readpartner_settings](https://api.openai.com/v1/filesmail_settings.address_whitelistuser.multifactor_authenticationmail_settings.bounce_purge.readmail_settings.forward_spam.readpartner_settings)
[https://api.openai.com/v1/fine_tuning/jobsfailed](https://api.openai.com/v1/fine_tuning/jobsfailed)
[https://api.openai.com/v1/images/generations](https://api.openai.com/v1/images/generations)
[https://api.openai.com/v1/me](https://api.openai.com/v1/me)
[https://api.openai.com/v1/modelsuser.scheduled_sends](https://api.openai.com/v1/modelsuser.scheduled_sends)
[https://api.openai.com/v1/organizationsfailed](https://api.openai.com/v1/organizationsfailed)
[https://api.openai.com/v1/threads/1error](https://api.openai.com/v1/threads/1error)
[https://api.openai.com/v1/threadshttps](https://api.openai.com/v1/threadshttps)
[https://api.opencagedata.com/geocode/v1/json](https://api.opencagedata.com/geocode/v1/json)
[https://api.openuv.io/api/v1/uv](https://api.openuv.io/api/v1/uv)
[https://api.openweathermap.org/data/2.5/weather](https://api.openweathermap.org/data/2.5/weather)
[https://api.opsgenie.com/v2/account](https://api.opsgenie.com/v2/account)
[https://api.opsgenie.com/v2/alerts/](https://api.opsgenie.com/v2/alerts/)
[https://api.opsgenie.com/v2/users](https://api.opsgenie.com/v2/users)
[https://api.optimizely.com/v2/projectsapplication/vnd.planyo](https://api.optimizely.com/v2/projectsapplication/vnd.planyo)
[https://api.overloop.com/public/v1/usersapplication/vnd.pagerduty](https://api.overloop.com/public/v1/usersapplication/vnd.pagerduty)
[https://api.pagar.me/1/balance](https://api.pagar.me/1/balance)
[https://api.pagerduty.com/usershttps](https://api.pagerduty.com/usershttps)
[https://api.pandadoc.com/public/v1/documentshttps](https://api.pandadoc.com/public/v1/documentshttps)
[https://api.pandascore.co/videogames](https://api.pandascore.co/videogames)
[https://api.paperform.co/v1/formshttps](https://api.paperform.co/v1/formshttps)
[https://api.parsers.dev/api/v1/parse/postgresql/https](https://api.parsers.dev/api/v1/parse/postgresql/https)
[https://api.parseur.com/postgresql](https://api.parseur.com/postgresql)
[https://api.partnerstack.com/api/v2/partnershipshttps](https://api.partnerstack.com/api/v2/partnershipshttps)
[https://api.paymongo.com/v1/payment_methodshttps](https://api.paymongo.com/v1/payment_methodshttps)
[https://api.paystack.co/customerhttps](https://api.paystack.co/customerhttps)
[https://api.pdflayer.com/api/convert](https://api.pdflayer.com/api/convert)
[https://api.pdfshift.io/v3/credits/usagehttps](https://api.pdfshift.io/v3/credits/usagehttps)
[https://api.peopledatalabs.com/v5/person/enrich](https://api.peopledatalabs.com/v5/person/enrich)
[https://api.pepipost.com/v5.1/domain/getDomains](https://api.pepipost.com/v5.1/domain/getDomains)
[https://api.pinata.cloud/pinning/pinJSONToIPFS](https://api.pinata.cloud/pinning/pinJSONToIPFS)
[https://api.pipedream.com/v1/users/mehttps](https://api.pipedream.com/v1/users/mehttps)
[https://api.planetscale.com/v1/organizationshttps](https://api.planetscale.com/v1/organizationshttps)
[https://api.plivo.com/v1/Account/](https://api.plivo.com/v1/Account/)
[https://api.podio.com/user](https://api.podio.com/user)
[https://api.pollsapi.com/v1/get/polls](https://api.pollsapi.com/v1/get/polls)
[https://api.polygon.io/v2/reference/locales](https://api.polygon.io/v2/reference/locales)
[https://api.positionstack.com/v1/forward](https://api.positionstack.com/v1/forward)
[https://api.postageapp.com/v.1.0/get_account_info.json](https://api.postageapp.com/v.1.0/get_account_info.json)
[https://api.postbacks.io/v1/requestPostbackhttps](https://api.postbacks.io/v1/requestPostbackhttps)
[https://api.postmarkapp.com/deliverystatshttps](https://api.postmarkapp.com/deliverystatshttps)
[https://api.prefect.cloud/auth/loginInclude](https://api.prefect.cloud/auth/loginInclude)
[https://api.privacy.com/v1/card](https://api.privacy.com/v1/card)
[https://api.prodpad.com/v1/tagshttps](https://api.prodpad.com/v1/tagshttps)
[https://api.proxycrawl.com/leads](https://api.proxycrawl.com/leads)
[https://api.pulumi.com/api/user/stackshttps](https://api.pulumi.com/api/user/stackshttps)
[https://api.pushbullet.com/v2/users/mehttps](https://api.pushbullet.com/v2/users/mehttps)
[https://api.qase.io/v1/user](https://api.qase.io/v1/user)
[https://api.qualaroo.com/api/v1/nudgeshttps](https://api.qualaroo.com/api/v1/nudgeshttps)
[https://api.ramp.com/developer/v1/tokenhttps](https://api.ramp.com/developer/v1/tokenhttps)
[https://api.rawg.io/api/platforms](https://api.rawg.io/api/platforms)
[https://api.razorpay.com/v1/items](https://api.razorpay.com/v1/items)
[https://api.rebrandly.com/v1/accounthttps](https://api.rebrandly.com/v1/accounthttps)
[https://api.rechargeapps.com/token_information&url=https](https://api.rechargeapps.com/token_information&url=https)
[https://api.refiner.io/v1/identify](https://api.refiner.io/v1/identify)
[https://api.rentman.net/filesAPI](https://api.rentman.net/filesAPI)
[https://api.replicate.com/v1/predictionshttps](https://api.replicate.com/v1/predictionshttps)
[https://api.reply.io/v1/peoplehttps](https://api.reply.io/v1/peoplehttps)
[https://api.request.finance/invoiceshttps](https://api.request.finance/invoiceshttps)
[https://api.ritekit.com/v1/stats/multiple](https://api.ritekit.com/v1/stats/multiple)
[https://api.roaring.io/token](https://api.roaring.io/token)
[https://api.rocketreach.co/v2/api/accountapplication/vnd.semaphore](https://api.rocketreach.co/v2/api/accountapplication/vnd.semaphore)
[https://api.route4me.com/api.v4/address_book.php](https://api.route4me.com/api.v4/address_book.php)
[https://api.rownd.io/applications/https](https://api.rownd.io/applications/https)
[https://api.rs2.usw2.rockset.com/v1/orgs/self/querieshttps](https://api.rs2.usw2.rockset.com/v1/orgs/self/querieshttps)
[https://api.runscope.com/accounthttps](https://api.runscope.com/accounthttps)
[https://api.salesflare.com/me/contacts](https://api.salesflare.com/me/contacts)
[https://api.sandbox.checkout.com/customers/https](https://api.sandbox.checkout.com/customers/https)
[https://api.sandbox.signaturit.com/v3/signatures.jsonhttps](https://api.sandbox.signaturit.com/v3/signatures.jsonhttps)
[https://api.scaleway.com/instance/v1/zones/fr](https://api.scaleway.com/instance/v1/zones/fr)
[https://api.scrapeowl.com/v1/scrape](https://api.scrapeowl.com/v1/scrape)
[https://api.scraperapi.com](https://api.scraperapi.com)
[https://api.scraperbox.com/scrape](https://api.scraperbox.com/scrape)
[https://api.scrapestack.com/scrape](https://api.scrapestack.com/scrape)
[https://api.scrapfly.io/scrape](https://api.scrapfly.io/scrape)
[https://api.scrapingant.com/v1/general](https://api.scrapingant.com/v1/general)
[https://api.screenshotlayer.com/api/capture](https://api.screenshotlayer.com/api/capture)
[https://api.securitytrails.com/v1/pinghttps](https://api.securitytrails.com/v1/pinghttps)
[https://api.semaphore.co/api/v4/account](https://api.semaphore.co/api/v4/account)
[https://api.sendgrid.com/v3/scopesfailed](https://api.sendgrid.com/v3/scopesfailed)
[https://api.sendgrid.comShopify](https://api.sendgrid.comShopify)
[https://api.sendinblue.com/v3/account](https://api.sendinblue.com/v3/account)
[https://api.serphouse.com/account/info](https://api.serphouse.com/account/info)
[https://api.serpstack.com/search](https://api.serpstack.com/search)
[https://api.sheety.co/](https://api.sheety.co/)
[https://api.sherpadesk.com/organizations/https](https://api.sherpadesk.com/organizations/https)
[https://api.shipday.com/carriers](https://api.shipday.com/carriers)
[https://api.shodan.io/api](https://api.shodan.io/api)
[https://api.shotstack.io/stage/renderhttps](https://api.shotstack.io/stage/renderhttps)
[https://api.shutterstock.com/v2/images/searchhttps](https://api.shutterstock.com/v2/images/searchhttps)
[https://api.shutterstock.com/v2/userhelper](https://api.shutterstock.com/v2/userhelper)
[https://api.signable.co.uk/v1/templates](https://api.signable.co.uk/v1/templates)
[https://api.signupgenius.com/v2/k/user/profile/](https://api.signupgenius.com/v2/k/user/profile/)
[https://api.sigopt.com/v1/experimentshttps](https://api.sigopt.com/v1/experimentshttps)
[https://api.simplesat.io/api/answers/](https://api.simplesat.io/api/answers/)
[https://api.simplynoted.com/api/productsfakeTruffleHogAccessTokenForVerificationhttps](https://api.simplynoted.com/api/productsfakeTruffleHogAccessTokenForVerificationhttps)
[https://api.sirv.com/v2/tokenSlack](https://api.sirv.com/v2/tokenSlack)
[https://api.siteleaf.com/v2/siteshttps](https://api.siteleaf.com/v2/siteshttps)
[https://api.skrapp.io/api/v2/accounthttps](https://api.skrapp.io/api/v2/accounthttps)
[https://api.skybiometry.com/fc/account/authenticate](https://api.skybiometry.com/fc/account/authenticate)
[https://api.smartsheet.com/2.0/sheetshttps](https://api.smartsheet.com/2.0/sheetshttps)
[https://api.smooch.io/v2/appsunable](https://api.smooch.io/v2/appsunable)
[https://api.speechtext.ai/recognize](https://api.speechtext.ai/recognize)
[https://api.spoonacular.com/recipes/random](https://api.spoonacular.com/recipes/random)
[https://api.squarespace.com/1.0/profiles](https://api.squarespace.com/1.0/profiles)
[https://api.statuscake.com/v1/sslhttps](https://api.statuscake.com/v1/sslhttps)
[https://api.statuspage.io/v1/pageshttps](https://api.statuspage.io/v1/pageshttps)
[https://api.stitchdata.com/v4/sourceshttps](https://api.stitchdata.com/v4/sourceshttps)
[https://api.stockdata.org/v1/data/quote](https://api.stockdata.org/v1/data/quote)
[https://api.storecove.com/api/v2/discovery/identifiershttps](https://api.storecove.com/api/v2/discovery/identifiershttps)
[https://api.stormboard.com/users/profileapplication/vnd.timecamp](https://api.stormboard.com/users/profileapplication/vnd.timecamp)
[https://api.stormglass.io/v2/weather/point](https://api.stormglass.io/v2/weather/point)
[https://api.storyblok.com/v1/cdn/spaces/me/](https://api.storyblok.com/v1/cdn/spaces/me/)
[https://api.storychief.io/1.0/users](https://api.storychief.io/1.0/users)
[https://api.stripe.com/v1/account/login_links](https://api.stripe.com/v1/account/login_links)
[https://api.stripe.com/v1/account_links](https://api.stripe.com/v1/account_links)
[https://api.stripe.com/v1/apple_pay/domains](https://api.stripe.com/v1/apple_pay/domains)
[https://api.stripe.com/v1/application_fees/nowaythiscanexist/refunds](https://api.stripe.com/v1/application_fees/nowaythiscanexist/refunds)
[https://api.stripe.com/v1/balance](https://api.stripe.com/v1/balance)
[https://api.stripe.com/v1/billing/meter_event_adjustments](https://api.stripe.com/v1/billing/meter_event_adjustments)
[https://api.stripe.com/v1/billing/meter_events](https://api.stripe.com/v1/billing/meter_events)
[https://api.stripe.com/v1/billing/meters/nowaythiscanexist/event_summaries](https://api.stripe.com/v1/billing/meters/nowaythiscanexist/event_summaries)
[https://api.stripe.com/v1/billing_portal/sessions](https://api.stripe.com/v1/billing_portal/sessions)
[https://api.stripe.com/v1/chargesx509](https://api.stripe.com/v1/chargesx509)
[https://api.stripe.com/v1/checkout/sessions](https://api.stripe.com/v1/checkout/sessions)
[https://api.stripe.com/v1/climate/orders](https://api.stripe.com/v1/climate/orders)
[https://api.stripe.com/v1/confirmation_tokens/nowaythiscanexist](https://api.stripe.com/v1/confirmation_tokens/nowaythiscanexist)
[https://api.stripe.com/v1/coupons](https://api.stripe.com/v1/coupons)
[https://api.stripe.com/v1/credit_notes/nowaythiscanexsit](https://api.stripe.com/v1/credit_notes/nowaythiscanexsit)
[https://api.stripe.com/v1/customer_sessions](https://api.stripe.com/v1/customer_sessions)
[https://api.stripe.com/v1/customers/nowaythiscanexist](https://api.stripe.com/v1/customers/nowaythiscanexist)
[https://api.stripe.com/v1/disputes/nowaycanthisexist](https://api.stripe.com/v1/disputes/nowaycanthisexist)
[https://api.stripe.com/v1/ephemeral_keys](https://api.stripe.com/v1/ephemeral_keys)
[https://api.stripe.com/v1/events](https://api.stripe.com/v1/events)
[https://api.stripe.com/v1/files](https://api.stripe.com/v1/files)
[https://api.stripe.com/v1/identity/verification_sessions](https://api.stripe.com/v1/identity/verification_sessions)
[https://api.stripe.com/v1/invoices](https://api.stripe.com/v1/invoices)
[https://api.stripe.com/v1/issuing/authorizations/nowaythiscanexist](https://api.stripe.com/v1/issuing/authorizations/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/cardholders/nowaythiscanexist](https://api.stripe.com/v1/issuing/cardholders/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/cards/nowaythiscanexist](https://api.stripe.com/v1/issuing/cards/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/disputes/nowaythiscanexist](https://api.stripe.com/v1/issuing/disputes/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/funding_instructions](https://api.stripe.com/v1/issuing/funding_instructions)
[https://api.stripe.com/v1/issuing/tokens/nowaythiscanexist](https://api.stripe.com/v1/issuing/tokens/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/transactions/nowaythiscanexist](https://api.stripe.com/v1/issuing/transactions/nowaythiscanexist)
[https://api.stripe.com/v1/orders](https://api.stripe.com/v1/orders)
[https://api.stripe.com/v1/payment_intents](https://api.stripe.com/v1/payment_intents)
[https://api.stripe.com/v1/payment_links](https://api.stripe.com/v1/payment_links)
[https://api.stripe.com/v1/payment_method_domains](https://api.stripe.com/v1/payment_method_domains)
[https://api.stripe.com/v1/payment_methods/nowaycanthisexist](https://api.stripe.com/v1/payment_methods/nowaycanthisexist)
[https://api.stripe.com/v1/payouts](https://api.stripe.com/v1/payouts)
[https://api.stripe.com/v1/prices](https://api.stripe.com/v1/prices)
[https://api.stripe.com/v1/products](https://api.stripe.com/v1/products)
[https://api.stripe.com/v1/promotion_codes](https://api.stripe.com/v1/promotion_codes)
[https://api.stripe.com/v1/quotes/nowaythiscanexist](https://api.stripe.com/v1/quotes/nowaythiscanexist)
[https://api.stripe.com/v1/reporting/report_runs](https://api.stripe.com/v1/reporting/report_runs)
[https://api.stripe.com/v1/reviews/nowaycanthisexist/approve](https://api.stripe.com/v1/reviews/nowaycanthisexist/approve)
[https://api.stripe.com/v1/setup_intents/nowaycanthisexist](https://api.stripe.com/v1/setup_intents/nowaycanthisexist)
[https://api.stripe.com/v1/shipping_rates](https://api.stripe.com/v1/shipping_rates)
[https://api.stripe.com/v1/skus](https://api.stripe.com/v1/skus)
[https://api.stripe.com/v1/sources/nowaycanthisexist](https://api.stripe.com/v1/sources/nowaycanthisexist)
[https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_record_summaries](https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_record_summaries)
[https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_records](https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_records)
[https://api.stripe.com/v1/subscriptions](https://api.stripe.com/v1/subscriptions)
[https://api.stripe.com/v1/tax/calculations/nowaycanthisexist/line_items](https://api.stripe.com/v1/tax/calculations/nowaycanthisexist/line_items)
[https://api.stripe.com/v1/tax/registrations/nowaycanthisexist](https://api.stripe.com/v1/tax/registrations/nowaycanthisexist)
[https://api.stripe.com/v1/tax/settings](https://api.stripe.com/v1/tax/settings)
[https://api.stripe.com/v1/tax_ids](https://api.stripe.com/v1/tax_ids)
[https://api.stripe.com/v1/tax_rates](https://api.stripe.com/v1/tax_rates)
[https://api.stripe.com/v1/terminal/configurations/nowaythiscanexist](https://api.stripe.com/v1/terminal/configurations/nowaythiscanexist)
[https://api.stripe.com/v1/terminal/locations](https://api.stripe.com/v1/terminal/locations)
[https://api.stripe.com/v1/terminal/readers](https://api.stripe.com/v1/terminal/readers)
[https://api.stripe.com/v1/test_helpers/confirmation_tokens](https://api.stripe.com/v1/test_helpers/confirmation_tokens)
[https://api.stripe.com/v1/test_helpers/test_clocks](https://api.stripe.com/v1/test_helpers/test_clocks)
[https://api.stripe.com/v1/tokens/nowaycanthisexist](https://api.stripe.com/v1/tokens/nowaycanthisexist)
[https://api.stripe.com/v1/topups](https://api.stripe.com/v1/topups)
[https://api.stripe.com/v1/transfers](https://api.stripe.com/v1/transfers)
[https://api.stripe.com/v1/webhook_endpoints](https://api.stripe.com/v1/webhook_endpoints)
[https://api.stytch.com/v1/users/pendingapplication/vnd.tatumio](https://api.stytch.com/v1/users/pendingapplication/vnd.tatumio)
[https://api.supabase.com/v1/projectshttps](https://api.supabase.com/v1/projectshttps)
[https://api.supernotes.app/v1/userhttps](https://api.supernotes.app/v1/userhttps)
[https://api.surveyanyplace.com/v1/surveys/https](https://api.surveyanyplace.com/v1/surveys/https)
[https://api.surveysparrow.com/v1/contactshttps](https://api.surveysparrow.com/v1/contactshttps)
[https://api.swell.store/products](https://api.swell.store/products)
[https://api.tailscale.com/api/v2/secret](https://api.tailscale.com/api/v2/secret)
[https://api.tallyfy.com/me](https://api.tallyfy.com/me)
[https://api.taxjar.com/v2/categorieshttps](https://api.taxjar.com/v2/categorieshttps)
[https://api.teamgate.com/v4/usershttps](https://api.teamgate.com/v4/usershttps)
[https://api.telegram.org/bot](https://api.telegram.org/bot)
[https://api.teletype.app/public/api/v1/messageshttps](https://api.teletype.app/public/api/v1/messageshttps)
[https://api.telnyx.com/v2/messaging_profilesapplication/vnd.tickettailor](https://api.telnyx.com/v2/messaging_profilesapplication/vnd.tickettailor)
[https://api.testingbot.com/v1/userhttps](https://api.testingbot.com/v1/userhttps)
[https://api.textanywhere.com/API/v1.0/REST/statushttps](https://api.textanywhere.com/API/v1.0/REST/statushttps)
[https://api.thinkific.com/api/public/v1/collectionshttps](https://api.thinkific.com/api/public/v1/collectionshttps)
[https://api.thousandeyes.com/v6/endpoint](https://api.thousandeyes.com/v6/endpoint)
[https://api.tickettailor.com/v1/ordershttps](https://api.tickettailor.com/v1/ordershttps)
[https://api.tiingo.com/tiingo/fundamentals/definitionshttps](https://api.tiingo.com/tiingo/fundamentals/definitionshttps)
[https://api.todoist.com/rest/v2/projectshttps](https://api.todoist.com/rest/v2/projectshttps)
[https://api.tomorrow.io/v4/alerts](https://api.tomorrow.io/v4/alerts)
[https://api.tomtom.com/map/1/tile/basic/main/0/0/0.png](https://api.tomtom.com/map/1/tile/basic/main/0/0/0.png)
[https://api.tradier.com/v1/watchlistshttps](https://api.tradier.com/v1/watchlistshttps)
[https://api.transferwise.com/v2/profileshttps](https://api.transferwise.com/v2/profileshttps)
[https://api.travelpayouts.com/v2/prices/latest](https://api.travelpayouts.com/v2/prices/latest)
[https://api.travis](https://api.travis)
[https://api.trello.com/1/members/me](https://api.trello.com/1/members/me)
[https://api.twelvedata.com/earliest_timestamp](https://api.twelvedata.com/earliest_timestamp)
[https://api.twilio.com/2010](https://api.twilio.com/2010)
[https://api.twist.com/api/v3/users/get_session_userhttps](https://api.twist.com/api/v3/users/get_session_userhttps)
[https://api.twitter.com/2/tweets/20https](https://api.twitter.com/2/tweets/20https)
[https://api.twitter.com/oauth2/tokenapplication/vnd.uploadcare](https://api.twitter.com/oauth2/tokenapplication/vnd.uploadcare)
[https://api.tyntec.com/2fa/v1/applicationerror](https://api.tyntec.com/2fa/v1/applicationerror)
[https://api.typeform.com/me](https://api.typeform.com/me)
[https://api.uclassify.com/v1/uClassify/Sentiment/classifyReceived](https://api.uclassify.com/v1/uClassify/Sentiment/classifyReceived)
[https://api.unify.id/v1/humandetect/verifyhttps](https://api.unify.id/v1/humandetect/verifyhttps)
[https://api.unplu.gg/forecasthttps](https://api.unplu.gg/forecasthttps)
[https://api.unsplash.com/photos/](https://api.unsplash.com/photos/)
[https://api.upcdatabase.org/product/0111222333446](https://api.upcdatabase.org/product/0111222333446)
[https://api.uplead.com/v2/creditshttps](https://api.uplead.com/v2/creditshttps)
[https://api.uploadcare.com/files/https](https://api.uploadcare.com/files/https)
[https://api.uptimerobot.com/v2/getMonitors](https://api.uptimerobot.com/v2/getMonitors)
[https://api.upwave.io/workspaces/https](https://api.upwave.io/workspaces/https)
[https://api.us1.signalfx.com/v2/dashboard](https://api.us1.signalfx.com/v2/dashboard)
[https://api.us2.sumologic.com/api/v1/users](https://api.us2.sumologic.com/api/v1/users)
[https://api.userflow.com/users](https://api.userflow.com/users)
[https://api.userstack.com/detect](https://api.userstack.com/detect)
[https://api.vbout.com/1/app/me.json](https://api.vbout.com/1/app/me.json)
[https://api.vercel.com/www/userenumerating](https://api.vercel.com/www/userenumerating)
[https://api.verimail.io/v3/verify](https://api.verimail.io/v3/verify)
[https://api.veriphone.io/v2/verify](https://api.veriphone.io/v2/verify)
[https://api.voicegain.ai/v1/sa/confighttps](https://api.voicegain.ai/v1/sa/confighttps)
[https://api.voodoosms.com/creditsError](https://api.voodoosms.com/creditsError)
[https://api.vultr.com/v2/accounterror](https://api.vultr.com/v2/accounterror)
[https://api.vyte.in/v2/events](https://api.vyte.in/v2/events)
[https://api.weatherbit.io/v2.0/history/airquality](https://api.weatherbit.io/v2.0/history/airquality)
[https://api.weatherstack.com/current](https://api.weatherstack.com/current)
[https://api.web3.storage/user/uploadshttps](https://api.web3.storage/user/uploadshttps)
[https://api.webflow.com/info](https://api.webflow.com/info)
[https://api.webscraper.io/api/v1/sitemaps](https://api.webscraper.io/api/v1/sitemaps)
[https://api.webscrapingapi.com/v1](https://api.webscrapingapi.com/v1)
[https://api.websitepulse.com/textserver.php](https://api.websitepulse.com/textserver.php)
[https://api.whoxy.com/](https://api.whoxy.com/)
[https://api.wistia.com/v1/stats/account.json](https://api.wistia.com/v1/stats/account.json)
[https://api.worksnaps.com/api/projects.xmlunable](https://api.worksnaps.com/api/projects.xmlunable)
[https://api.worldweatheronline.com/premium/v1/search.ashx](https://api.worldweatheronline.com/premium/v1/search.ashx)
[https://api.yelp.com/v3/businesses/search](https://api.yelp.com/v3/businesses/search)
[https://api.youneedabudget.com/v1/user](https://api.youneedabudget.com/v1/user)
[https://api.zenrows.com/v1/](https://api.zenrows.com/v1/)
[https://api.zeplin.dev/v1/users/meerror](https://api.zeplin.dev/v1/users/meerror)
[https://api.zerobounce.net/v1/activity](https://api.zerobounce.net/v1/activity)
[https://api.zerotier.com/api/v1/networkBranch](https://api.zerotier.com/api/v1/networkBranch)
[https://api.zipbooks.com/v2/auth/loginTotal](https://api.zipbooks.com/v2/auth/loginTotal)
[https://api2.autopilothq.com/v1/account](https://api2.autopilothq.com/v1/account)
[https://api2.frontapp.com/accountshttps](https://api2.frontapp.com/accountshttps)
[https://api4.nozbe.com/v1/api/usershttps](https://api4.nozbe.com/v1/api/usershttps)
[https://apilayer.net/api/check](https://apilayer.net/api/check)
[https://apilayer.net/api/validate](https://apilayer.net/api/validate)
[https://apis.paralleldots.com/v4/intenterror](https://apis.paralleldots.com/v4/intenterror)
[https://apiv2.allsportsapi.com/football/](https://apiv2.allsportsapi.com/football/)
[https://apiv2.bitcoinaverage.com/websocket/v3/get_tickethttps](https://apiv2.bitcoinaverage.com/websocket/v3/get_tickethttps)
[https://apiv4.reallysimplesystems.com/accountshttps](https://apiv4.reallysimplesystems.com/accountshttps)
[https://app.apacta.com/api/v1/time_entries](https://app.apacta.com/api/v1/time_entries)
[https://app.asana.com/api/1.0/users/meRead](https://app.asana.com/api/1.0/users/meRead)
[https://app.atera.com/api/v3/alertshttps](https://app.atera.com/api/v3/alertshttps)
[https://app.ayrshare.com/api/analytics/links](https://app.ayrshare.com/api/analytics/links)
[https://app.besnappy.com/api/v1/accountshttps](https://app.besnappy.com/api/v1/accountshttps)
[https://app.caflou.com/api/v1/accounts.currencycloud.com/v2/authenticate/apihttps](https://app.caflou.com/api/v1/accounts.currencycloud.com/v2/authenticate/apihttps)
[https://app.circleci.com/pipelines/](https://app.circleci.com/pipelines/)
[https://app.codacy.com/api/v3/user](https://app.codacy.com/api/v3/user)
[https://app.eraser.io/api/render/elements](https://app.eraser.io/api/render/elements)
[https://app.goflightlabs.com/airports](https://app.goflightlabs.com/airports)
[https://app.karmacrm.com/api/v3/contacts.json](https://app.karmacrm.com/api/v3/contacts.json)
[https://app.klipfolio.com/api/1.0/users](https://app.klipfolio.com/api/1.0/users)
[https://app.launchdarkly.com/api/v2/caller](https://app.launchdarkly.com/api/v2/caller)
[https://app.lendflow.io/api/v1/deals](https://app.lendflow.io/api/v1/deals)
[https://app.loadmill.com/api/v1/labels](https://app.loadmill.com/api/v1/labels)
[https://app.magnetichq.com/Magnetic/rest/accountsAPI/itemTypes](https://app.magnetichq.com/Magnetic/rest/accountsAPI/itemTypes)
[https://app.nimble.com/api/v1/myselfhttps](https://app.nimble.com/api/v1/myselfhttps)
[https://app.onedesk.com/rest/2.0/login/loginUserhttps](https://app.onedesk.com/rest/2.0/login/loginUserhttps)
[https://app.onepagecrm.com/api/v3/contacts.json](https://app.onepagecrm.com/api/v3/contacts.json)
[https://app.paymoapp.com/api/me](https://app.paymoapp.com/api/me)
[https://app.posthog.com/api/event/](https://app.posthog.com/api/event/)
[https://app.revampcrm.com/api/1.0/User/WhoAmIhttps](https://app.revampcrm.com/api/1.0/User/WhoAmIhttps)
[https://app.satismeter.com/api/users](https://app.satismeter.com/api/users)
[https://app.scrapingbee.com/api/v1/](https://app.scrapingbee.com/api/v1/)
[https://app.snipcart.com/api/ordersgrant_type=refresh_token&client_id=](https://app.snipcart.com/api/ordersgrant_type=refresh_token&client_id=)
[https://app.surveybot.io/api/v1/surveys](https://app.surveybot.io/api/v1/surveys)
[https://app.terraform.io/api/v2/account/detailshttps](https://app.terraform.io/api/v2/account/detailshttps)
[https://app.ticketmaster.com/discovery/v2/events.json](https://app.ticketmaster.com/discovery/v2/events.json)
[https://app.timecamp.com/third_party/api/user](https://app.timecamp.com/third_party/api/user)
[https://app.tmetric.com/api/v3/userhttps](https://app.tmetric.com/api/v3/userhttps)
[https://app.travis](https://app.travis)
[https://app.vagrantup.com/api/v2/authenticateunexpected](https://app.vagrantup.com/api/v2/authenticateunexpected)
[https://app.workstack.io/api/team](https://app.workstack.io/api/team)
[https://app.zenscrape.com/api/v1/statushttps](https://app.zenscrape.com/api/v1/statushttps)
[https://app.zenserp.com/api/v2/search](https://app.zenserp.com/api/v2/search)
[https://app.zipcodebase.com/api/v1/search](https://app.zipcodebase.com/api/v1/search)
[https://apple.comhttps](https://apple.comhttps)
[https://auth.app.wiz.io/oauth/tokenerror](https://auth.app.wiz.io/oauth/tokenerror)
[https://auth.dfuse.io/v1/auth/issuehttps](https://auth.dfuse.io/v1/auth/issuehttps)
[https://auth.freshbooks.com/oauth/authorize](https://auth.freshbooks.com/oauth/authorize)
[https://authn.nvidia.com/token](https://authn.nvidia.com/token)
[https://axonaut.com/api/v2/companies](https://axonaut.com/api/v2/companies)
[https://backboard.railway.app/graphql/v2application/vnd.sugester](https://backboard.railway.app/graphql/v2application/vnd.sugester)
[https://base.zenkit.com/api/v1/users/mehttps](https://base.zenkit.com/api/v1/users/mehttps)
[https://batch.chinacloudapi.cn/mysql.database.chinacloudapi.cnhttps](https://batch.chinacloudapi.cn/mysql.database.chinacloudapi.cnhttps)
[https://batch.cloudapi.de/mysql.database.cloudapi.decloudapp.microsoftazure.denegative](https://batch.cloudapi.de/mysql.database.cloudapi.decloudapp.microsoftazure.denegative)
[https://batch.core.usgovcloudapi.net/https](https://batch.core.usgovcloudapi.net/https)
[https://batch.core.windows.net/https](https://batch.core.windows.net/https)
[https://besttime.app/api/v1/keys/https](https://besttime.app/api/v1/keys/https)
[https://blitapp.com/api/apps/allhttps](https://blitapp.com/api/apps/allhttps)
[https://boostnote.io/api/docshttps](https://boostnote.io/api/docshttps)
[https://budibase.app/api/public/v1/applications/searchhttps](https://budibase.app/api/public/v1/applications/searchhttps)
[https://calendarific.com/api/v2/holidays](https://calendarific.com/api/v2/holidays)
[https://campayn.com/api/v1/lists](https://campayn.com/api/v1/lists)
[https://canny.io/api/v1/boards/listhttps](https://canny.io/api/v1/boards/listhttps)
[https://capi.tokeet.com/v1/user](https://capi.tokeet.com/v1/user)
[https://cex.io/api/balance/](https://cex.io/api/balance/)
[https://checkvist.com/auth/login.json](https://checkvist.com/auth/login.json)
[https://cicero.azavea.com/v3.1/account/credits_remaining](https://cicero.azavea.com/v3.1/account/credits_remaining)
[https://circleci.com/api/v1.1/invalid](https://circleci.com/api/v1.1/invalid)
[https://circleci.com/api/v2/mehttps](https://circleci.com/api/v2/mehttps)
[https://cloud.bitbar.com/api/mehttps](https://cloud.bitbar.com/api/mehttps)
[https://cloud.digitalocean.com/v1/oauth/token](https://cloud.digitalocean.com/v1/oauth/token)
[https://cloud.drone.io/api/userhttps](https://cloud.drone.io/api/userhttps)
[https://cloud.google.com/docs/authentication/external/set](https://cloud.google.com/docs/authentication/external/set)
[https://cloud.iexapis.com/stable/stock/aapl/quote](https://cloud.iexapis.com/stable/stock/aapl/quote)
[https://cloud.iexapis.com/v1/stock/aapl/quote](https://cloud.iexapis.com/v1/stock/aapl/quote)
[https://cloud.viewneo.com/api/v1.0/playlistapplication/vnd.zipcodebase](https://cloud.viewneo.com/api/v1.0/playlistapplication/vnd.zipcodebase)
[https://clustdoc.com/api/usershttps](https://clustdoc.com/api/usershttps)
[https://coda.io/apis/v1/whoami](https://coda.io/apis/v1/whoami)
[https://codequiry.com/api/v1/checks](https://codequiry.com/api/v1/checks)
[https://coinlib.io/api/v1/global](https://coinlib.io/api/v1/global)
[https://collect2.com/api/](https://collect2.com/api/)
[https://commodities](https://commodities)
[https://connect.squareup.com/oauth2/authorize](https://connect.squareup.com/oauth2/authorize)
[https://connect.squareup.com/oauth2/token/statusx509](https://connect.squareup.com/oauth2/token/statusx509)
[https://connect.squareup.com/v2/team](https://connect.squareup.com/v2/team)
[https://connect.squareupsandbox.com/oauth2/revokehttps](https://connect.squareupsandbox.com/oauth2/revokehttps)
[https://connect.squareupsandbox.com/v2/merchantshttps](https://connect.squareupsandbox.com/v2/merchantshttps)
[https://console.jumpcloud.com/api/v2/systemgroupshttps](https://console.jumpcloud.com/api/v2/systemgroupshttps)
[https://content.guardianapis.com/search](https://content.guardianapis.com/search)
[https://convier.me/api/eventhttps](https://convier.me/api/eventhttps)
[https://cosmos.azure.comfailed](https://cosmos.azure.comfailed)
[https://coveralls.io/api/repos/github/secretscanner02/scanner](https://coveralls.io/api/repos/github/secretscanner02/scanner)
[https://customer.guru/export/customers](https://customer.guru/export/customers)
[https://dash.readme.com/api/v1https](https://dash.readme.com/api/v1https)
[https://dashboard.chatfuel.com/api/botshttps](https://dashboard.chatfuel.com/api/botshttps)
[https://data.fixer.io/api/latest](https://data.fixer.io/api/latest)
[https://database.chinacloudapi.cn/expected](https://database.chinacloudapi.cn/expected)
[https://database.cloudapi.de/not](https://database.cloudapi.de/not)
[https://database.usgovcloudapi.net/data](https://database.usgovcloudapi.net/data)
[https://database.windows.net/postgres.database.cloudapi.dehttps](https://database.windows.net/postgres.database.cloudapi.dehttps)
[https://datalake.azure.net/https](https://datalake.azure.net/https)
[https://dataservice.accuweather.com/locations/v1/cities/autocomplete](https://dataservice.accuweather.com/locations/v1/cities/autocomplete)
[https://deliver.kontent.ai/](https://deliver.kontent.ai/)
[https://dev.azure.com/](https://dev.azure.com/)
[https://dev.azuresynapse.nethttps](https://dev.azuresynapse.nethttps)
[https://dev.azuresynapse.usgovcloudapi.netdata](https://dev.azuresynapse.usgovcloudapi.netdata)
[https://dev.lunchmoney.app/v1/categories](https://dev.lunchmoney.app/v1/categories)
[https://developer.api.autodesk.com/authentication/v1/authenticateimage](https://developer.api.autodesk.com/authentication/v1/authenticateimage)
[https://dictionary.yandex.net/api/v1/dicservice.json/getLangs](https://dictionary.yandex.net/api/v1/dicservice.json/getLangs)
[https://discord.com/api/v8/users/https](https://discord.com/api/v8/users/https)
[https://discord.com/api/webhooks/https](https://discord.com/api/webhooks/https)
[https://disqus.com/api/3.0/trends/listThreads.json](https://disqus.com/api/3.0/trends/listThreads.json)
[https://docs.airbrake.io/docs/devops](https://docs.airbrake.io/docs/devops)
[https://docs.stripe.com/api/account_links](https://docs.stripe.com/api/account_links)
[https://docs.stripe.com/api/application_fees/list](https://docs.stripe.com/api/application_fees/list)
[https://docs.stripe.com/api/balance](https://docs.stripe.com/api/balance)
[https://docs.stripe.com/api/billing/meter/create](https://docs.stripe.com/api/billing/meter/create)
[https://docs.stripe.com/api/billing/meter/list](https://docs.stripe.com/api/billing/meter/list)
[https://docs.stripe.com/api/charges/list](https://docs.stripe.com/api/charges/list)
[https://docs.stripe.com/api/charges/update](https://docs.stripe.com/api/charges/update)
[https://docs.stripe.com/api/checkout/sessions/create](https://docs.stripe.com/api/checkout/sessions/create)
[https://docs.stripe.com/api/checkout/sessions/list](https://docs.stripe.com/api/checkout/sessions/list)
[https://docs.stripe.com/api/climate/order/create](https://docs.stripe.com/api/climate/order/create)
[https://docs.stripe.com/api/climate/order/list](https://docs.stripe.com/api/climate/order/list)
[https://docs.stripe.com/api/confirmation_tokens/retrieve](https://docs.stripe.com/api/confirmation_tokens/retrieve)
[https://docs.stripe.com/api/confirmation_tokens/test_create](https://docs.stripe.com/api/confirmation_tokens/test_create)
[https://docs.stripe.com/api/coupons/create](https://docs.stripe.com/api/coupons/create)
[https://docs.stripe.com/api/coupons/list](https://docs.stripe.com/api/coupons/list)
[https://docs.stripe.com/api/credit_notes/list](https://docs.stripe.com/api/credit_notes/list)
[https://docs.stripe.com/api/credit_notes/update](https://docs.stripe.com/api/credit_notes/update)
[https://docs.stripe.com/api/customer_portal/sessions/create](https://docs.stripe.com/api/customer_portal/sessions/create)
[https://docs.stripe.com/api/customer_sessions/create](https://docs.stripe.com/api/customer_sessions/create)
[https://docs.stripe.com/api/customers/list](https://docs.stripe.com/api/customers/list)
[https://docs.stripe.com/api/customers/update](https://docs.stripe.com/api/customers/update)
[https://docs.stripe.com/api/disputes/list](https://docs.stripe.com/api/disputes/list)
[https://docs.stripe.com/api/disputes/update](https://docs.stripe.com/api/disputes/update)
[https://docs.stripe.com/api/events/list](https://docs.stripe.com/api/events/list)
[https://docs.stripe.com/api/fee_refunds/create](https://docs.stripe.com/api/fee_refunds/create)
[https://docs.stripe.com/api/identity/verification_sessions/create](https://docs.stripe.com/api/identity/verification_sessions/create)
[https://docs.stripe.com/api/identity/verification_sessions/list](https://docs.stripe.com/api/identity/verification_sessions/list)
[https://docs.stripe.com/api/invoices/create](https://docs.stripe.com/api/invoices/create)
[https://docs.stripe.com/api/invoices/list](https://docs.stripe.com/api/invoices/list)
[https://docs.stripe.com/api/issuing/authorizations/retrieve](https://docs.stripe.com/api/issuing/authorizations/retrieve)
[https://docs.stripe.com/api/issuing/authorizations/update](https://docs.stripe.com/api/issuing/authorizations/update)
[https://docs.stripe.com/api/issuing/cardholders/create](https://docs.stripe.com/api/issuing/cardholders/create)
[https://docs.stripe.com/api/issuing/cardholders/retrieve](https://docs.stripe.com/api/issuing/cardholders/retrieve)
[https://docs.stripe.com/api/issuing/cards/create](https://docs.stripe.com/api/issuing/cards/create)
[https://docs.stripe.com/api/issuing/cards/retrieve](https://docs.stripe.com/api/issuing/cards/retrieve)
[https://docs.stripe.com/api/issuing/disputes/retrieve](https://docs.stripe.com/api/issuing/disputes/retrieve)
[https://docs.stripe.com/api/issuing/disputes/update](https://docs.stripe.com/api/issuing/disputes/update)
[https://docs.stripe.com/api/issuing/funding_instructions/create](https://docs.stripe.com/api/issuing/funding_instructions/create)
[https://docs.stripe.com/api/issuing/funding_instructions/list](https://docs.stripe.com/api/issuing/funding_instructions/list)
[https://docs.stripe.com/api/issuing/tokens/retrieve](https://docs.stripe.com/api/issuing/tokens/retrieve)
[https://docs.stripe.com/api/issuing/tokens/update](https://docs.stripe.com/api/issuing/tokens/update)
[https://docs.stripe.com/api/issuing/transactions/retrieve](https://docs.stripe.com/api/issuing/transactions/retrieve)
[https://docs.stripe.com/api/issuing/transactions/update](https://docs.stripe.com/api/issuing/transactions/update)
[https://docs.stripe.com/api/payment_intents/create](https://docs.stripe.com/api/payment_intents/create)
[https://docs.stripe.com/api/payment_intents/list](https://docs.stripe.com/api/payment_intents/list)
[https://docs.stripe.com/api/payment_links/payment_links/create](https://docs.stripe.com/api/payment_links/payment_links/create)
[https://docs.stripe.com/api/payment_links/payment_links/list](https://docs.stripe.com/api/payment_links/payment_links/list)
[https://docs.stripe.com/api/payment_method_domains/create](https://docs.stripe.com/api/payment_method_domains/create)
[https://docs.stripe.com/api/payment_method_domains/list](https://docs.stripe.com/api/payment_method_domains/list)
[https://docs.stripe.com/api/payouts/create](https://docs.stripe.com/api/payouts/create)
[https://docs.stripe.com/api/payouts/list](https://docs.stripe.com/api/payouts/list)
[https://docs.stripe.com/api/prices/create](https://docs.stripe.com/api/prices/create)
[https://docs.stripe.com/api/prices/list](https://docs.stripe.com/api/prices/list)
[https://docs.stripe.com/api/products/create](https://docs.stripe.com/api/products/create)
[https://docs.stripe.com/api/products/list](https://docs.stripe.com/api/products/list)
[https://docs.stripe.com/api/promotion_codes/create](https://docs.stripe.com/api/promotion_codes/create)
[https://docs.stripe.com/api/promotion_codes/list](https://docs.stripe.com/api/promotion_codes/list)
[https://docs.stripe.com/api/quotes/list](https://docs.stripe.com/api/quotes/list)
[https://docs.stripe.com/api/quotes/update](https://docs.stripe.com/api/quotes/update)
[https://docs.stripe.com/api/radar/reviews/approve](https://docs.stripe.com/api/radar/reviews/approve)
[https://docs.stripe.com/api/radar/reviews/list](https://docs.stripe.com/api/radar/reviews/list)
[https://docs.stripe.com/api/reporting/report_run/list](https://docs.stripe.com/api/reporting/report_run/list)
[https://docs.stripe.com/api/setup_intents/create](https://docs.stripe.com/api/setup_intents/create)
[https://docs.stripe.com/api/setup_intents/list](https://docs.stripe.com/api/setup_intents/list)
[https://docs.stripe.com/api/shipping_rates/create](https://docs.stripe.com/api/shipping_rates/create)
[https://docs.stripe.com/api/shipping_rates/list](https://docs.stripe.com/api/shipping_rates/list)
[https://docs.stripe.com/api/sources/retrieve](https://docs.stripe.com/api/sources/retrieve)
[https://docs.stripe.com/api/sources/update](https://docs.stripe.com/api/sources/update)
[https://docs.stripe.com/api/subscriptions/create](https://docs.stripe.com/api/subscriptions/create)
[https://docs.stripe.com/api/subscriptions/list](https://docs.stripe.com/api/subscriptions/list)
[https://docs.stripe.com/api/tax/calculations/create](https://docs.stripe.com/api/tax/calculations/create)
[https://docs.stripe.com/api/tax/calculations/line_items](https://docs.stripe.com/api/tax/calculations/line_items)
[https://docs.stripe.com/api/tax/registrations/update](https://docs.stripe.com/api/tax/registrations/update)
[https://docs.stripe.com/api/tax/settings/retrieve](https://docs.stripe.com/api/tax/settings/retrieve)
[https://docs.stripe.com/api/tax_ids/create](https://docs.stripe.com/api/tax_ids/create)
[https://docs.stripe.com/api/tax_ids/list](https://docs.stripe.com/api/tax_ids/list)
[https://docs.stripe.com/api/tax_rates/create](https://docs.stripe.com/api/tax_rates/create)
[https://docs.stripe.com/api/tax_rates/list](https://docs.stripe.com/api/tax_rates/list)
[https://docs.stripe.com/api/terminal/configuration/list](https://docs.stripe.com/api/terminal/configuration/list)
[https://docs.stripe.com/api/terminal/configuration/update](https://docs.stripe.com/api/terminal/configuration/update)
[https://docs.stripe.com/api/terminal/locations/create](https://docs.stripe.com/api/terminal/locations/create)
[https://docs.stripe.com/api/terminal/locations/list](https://docs.stripe.com/api/terminal/locations/list)
[https://docs.stripe.com/api/terminal/readers/create](https://docs.stripe.com/api/terminal/readers/create)
[https://docs.stripe.com/api/terminal/readers/list](https://docs.stripe.com/api/terminal/readers/list)
[https://docs.stripe.com/api/test_clocks/create](https://docs.stripe.com/api/test_clocks/create)
[https://docs.stripe.com/api/test_clocks/list](https://docs.stripe.com/api/test_clocks/list)
[https://docs.stripe.com/api/tokens/create_card](https://docs.stripe.com/api/tokens/create_card)
[https://docs.stripe.com/api/tokens/retrieve](https://docs.stripe.com/api/tokens/retrieve)
[https://docs.stripe.com/api/topups/create](https://docs.stripe.com/api/topups/create)
[https://docs.stripe.com/api/topups/list](https://docs.stripe.com/api/topups/list)
[https://docs.stripe.com/api/transfers/create](https://docs.stripe.com/api/transfers/create)
[https://docs.stripe.com/api/transfers/list](https://docs.stripe.com/api/transfers/list)
[https://docs.stripe.com/api/usage_records/create](https://docs.stripe.com/api/usage_records/create)
[https://docs.stripe.com/api/usage_records/subscription_item_summary_list](https://docs.stripe.com/api/usage_records/subscription_item_summary_list)
[https://docs.stripe.com/api/webhook_endpoints/create](https://docs.stripe.com/api/webhook_endpoints/create)
[https://docs.stripe.com/api/webhook_endpoints/list](https://docs.stripe.com/api/webhook_endpoints/list)
[https://docsapi.helpscout.net/v1/collectionshttps](https://docsapi.helpscout.net/v1/collectionshttps)
[https://dummysite.com](https://dummysite.com)
[https://dynalist.io/api/v1/file/listhttps](https://dynalist.io/api/v1/file/listhttps)
[https://ecs.aliyuncs.com](https://ecs.aliyuncs.com)
[https://eu.posthog.com/api/event/](https://eu.posthog.com/api/event/)
[https://example.teamwork.com/crm/api/v2/users.jsonhttps](https://example.teamwork.com/crm/api/v2/users.jsonhttps)
[https://example.teamwork.com/desk/api/v2/me.jsonRepository](https://example.teamwork.com/desk/api/v2/me.jsonRepository)
[https://example.teamwork.com/spaces/api/v1/users.jsonhttps](https://example.teamwork.com/spaces/api/v1/users.jsonhttps)
[https://extractorapi.com/api/v1/extractor](https://extractorapi.com/api/v1/extractor)
[https://fetchrss.com/api/v1/feed/list](https://fetchrss.com/api/v1/feed/list)
[https://file.io/](https://file.io/)
[https://files.stripe.com/v1/files](https://files.stripe.com/v1/files)
[https://financialmodelingprep.com/api/v3/financial](https://financialmodelingprep.com/api/v3/financial)
[https://finnhub.io/api/v1/calendar/economic](https://finnhub.io/api/v1/calendar/economic)
[https://foo.com/bar](https://foo.com/bar)
[https://formcrafts.com/api/v1/https](https://formcrafts.com/api/v1/https)
[https://formio.form.io/currentapplication/vnd.github.v3](https://formio.form.io/currentapplication/vnd.github.v3)
[https://fxmarketapi.com/apilive](https://fxmarketapi.com/apilive)
[https://gallery.azure.com/https](https://gallery.azure.com/https)
[https://gallery.chinacloudapi.cn/mariadb.database.chinacloudapi.cnhttps](https://gallery.chinacloudapi.cn/mariadb.database.chinacloudapi.cnhttps)
[https://gallery.cloudapi.de/mariadb.database.cloudapi.defailed](https://gallery.cloudapi.de/mariadb.database.cloudapi.defailed)
[https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.netdev.azuresynapse.usgovcloudapi.netpostgres.database.chinacloudapi.cnhttps](https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.netdev.azuresynapse.usgovcloudapi.netpostgres.database.chinacloudapi.cnhttps)
[https://gate.sendbird.com/api/v2/applicationshttps](https://gate.sendbird.com/api/v2/applicationshttps)
[https://gen.duply.co/v1/usagegrant_type=client_credentials](https://gen.duply.co/v1/usagegrant_type=client_credentials)
[https://geo.ipify.org/api/v2/country](https://geo.ipify.org/api/v2/country)
[https://geocode.xyz/51.4647](https://geocode.xyz/51.4647)
[https://geoip.maxmind.com/geoip/v2.1/country/8.8.8.8https](https://geoip.maxmind.com/geoip/v2.1/country/8.8.8.8https)
[https://getsandbox.com/api/1/sandboxes/](https://getsandbox.com/api/1/sandboxes/)
[https://gist.github.comMetaDataValidationErrorunable](https://gist.github.comMetaDataValidationErrorunable)
[https://github.com/airbrake/airbrake](https://github.com/airbrake/airbrake)
[https://github.com/dustin](https://github.com/dustin)
[https://github.com/golang/protobuf/issues/1609](https://github.com/golang/protobuf/issues/1609)
[https://github.com/google/go](https://github.com/google/go)
[https://github.com/llvm/llvm](https://github.com/llvm/llvm)
[https://github.com/login/device/codeDiff](https://github.com/login/device/codeDiff)
[https://github.com/login/oauth/access_tokenexpected](https://github.com/login/oauth/access_tokenexpected)
[https://github.com/login/oauth/authorizekey](https://github.com/login/oauth/authorizekey)
[https://github.com/pygments/pygments/blob/15f222adefd2bf7835bfd74a12d720028ae68d29/pygments/lexers/dalvik.py.](https://github.com/pygments/pygments/blob/15f222adefd2bf7835bfd74a12d720028ae68d29/pygments/lexers/dalvik.py.)
[https://github.com/trufflesecurity/test_keyscannot](https://github.com/trufflesecurity/test_keyscannot)
[https://github.com/trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog)
[https://gitlab.com/Skipping](https://gitlab.com/Skipping)
[https://gitlab.com/api/v4/metadatahttps](https://gitlab.com/api/v4/metadatahttps)
[https://gitlab.com/api/v4/personal_access_tokens/self](https://gitlab.com/api/v4/personal_access_tokens/self)
[https://gitlab.com/api/v4/projectshttps](https://gitlab.com/api/v4/projectshttps)
[https://gitlab.com/org/repo.gitAWS](https://gitlab.com/org/repo.gitAWS)
[https://gitlab.com/org/repo.gitNumber](https://gitlab.com/org/repo.gitNumber)
[https://gitlab.comScan](https://gitlab.comScan)
[https://go.postman.co/collection/tls](https://go.postman.co/collection/tls)
[https://go.postman.co/environments/could](https://go.postman.co/environments/could)
[https://go.postman.co/example/error](https://go.postman.co/example/error)
[https://go.postman.co/folder/TLS](https://go.postman.co/folder/TLS)
[https://go.postman.co/request/https](https://go.postman.co/request/https)
[https://go.postman.co/workspace/could](https://go.postman.co/workspace/could)
[https://go.postman.co/workspaces/mail_settings.bounce_purge.updatemail_settings.forward_bounce.readmail_settings.forward_spam.updatepartner_settings.new_relic.updatesubusers](https://go.postman.co/workspaces/mail_settings.bounce_purge.updatemail_settings.forward_bounce.readmail_settings.forward_spam.updatepartner_settings.new_relic.updatesubusers)
[https://go.urbanairship.com/api/schedules](https://go.urbanairship.com/api/schedules)
[https://google.com&width=1920&height=1080xoxb](https://google.com&width=1920&height=1080xoxb)
[https://google.comcrypto/ecdh](https://google.comcrypto/ecdh)
[https://google.comhttps](https://google.comhttps)
[https://grafana.com/api/v1/tokens](https://grafana.com/api/v1/tokens)
[https://graph.chinacloudapi.cn/https](https://graph.chinacloudapi.cn/https)
[https://graph.cloudapi.de/https](https://graph.cloudapi.de/https)
[https://graph.facebook.com/me](https://graph.facebook.com/me)
[https://graph.microsoft.com/https](https://graph.microsoft.com/https)
[https://graph.microsoft.us/https](https://graph.microsoft.us/https)
[https://graph.windows.net/mariadb.database.azure.comhttps](https://graph.windows.net/mariadb.database.azure.comhttps)
[https://graphhopper.com/api/1/geocode](https://graphhopper.com/api/1/geocode)
[https://graphql.us.jupiterone.io/https](https://graphql.us.jupiterone.io/https)
[https://gtmetrix.com/api/2.0/statushttps](https://gtmetrix.com/api/2.0/statushttps)
[https://hg.mozilla.org/releases/mozilla](https://hg.mozilla.org/releases/mozilla)
[https://holidayapi.com/v1/holidays](https://holidayapi.com/v1/holidays)
[https://hooman.pipedrive.com/api/v1/users](https://hooman.pipedrive.com/api/v1/users)
[https://host.io/api/domains/ip/8.8.8.8](https://host.io/api/domains/ip/8.8.8.8)
[https://howtorotate.com/docs/tutorials/airbrake/https](https://howtorotate.com/docs/tutorials/airbrake/https)
[https://howtorotate.com/docs/tutorials/atlassian/https](https://howtorotate.com/docs/tutorials/atlassian/https)
[https://howtorotate.com/docs/tutorials/aws/request](https://howtorotate.com/docs/tutorials/aws/request)
[https://howtorotate.com/docs/tutorials/azure/https](https://howtorotate.com/docs/tutorials/azure/https)
[https://howtorotate.com/docs/tutorials/elevenlabs/https](https://howtorotate.com/docs/tutorials/elevenlabs/https)
[https://howtorotate.com/docs/tutorials/eraser/https](https://howtorotate.com/docs/tutorials/eraser/https)
[https://howtorotate.com/docs/tutorials/gcp/https](https://howtorotate.com/docs/tutorials/gcp/https)
[https://howtorotate.com/docs/tutorials/github/https](https://howtorotate.com/docs/tutorials/github/https)
[https://howtorotate.com/docs/tutorials/gitlab/https](https://howtorotate.com/docs/tutorials/gitlab/https)
[https://howtorotate.com/docs/tutorials/groq/https](https://howtorotate.com/docs/tutorials/groq/https)
[https://howtorotate.com/docs/tutorials/mailchimp/https](https://howtorotate.com/docs/tutorials/mailchimp/https)
[https://howtorotate.com/docs/tutorials/maxmind/https](https://howtorotate.com/docs/tutorials/maxmind/https)
[https://howtorotate.com/docs/tutorials/microsoftteams/.myfreshworks.com/crm/sales/api/sales_accounts/filtershttps](https://howtorotate.com/docs/tutorials/microsoftteams/.myfreshworks.com/crm/sales/api/sales_accounts/filtershttps)
[https://howtorotate.com/docs/tutorials/mongo/https](https://howtorotate.com/docs/tutorials/mongo/https)
[https://howtorotate.com/docs/tutorials/netlify//services/rest/record/v1/metadata](https://howtorotate.com/docs/tutorials/netlify//services/rest/record/v1/metadata)
[https://howtorotate.com/docs/tutorials/npm/](https://howtorotate.com/docs/tutorials/npm/)
[https://howtorotate.com/docs/tutorials/railwayapp/https](https://howtorotate.com/docs/tutorials/railwayapp/https)
[https://howtorotate.com/docs/tutorials/sendbird/https](https://howtorotate.com/docs/tutorials/sendbird/https)
[https://howtorotate.com/docs/tutorials/sendgrid/https](https://howtorotate.com/docs/tutorials/sendgrid/https)
[https://howtorotate.com/docs/tutorials/slack/](https://howtorotate.com/docs/tutorials/slack/)
[https://howtorotate.com/docs/tutorials/sourcegraph/https](https://howtorotate.com/docs/tutorials/sourcegraph/https)
[https://howtorotate.com/docs/tutorials/square/https](https://howtorotate.com/docs/tutorials/square/https)
[https://howtorotate.com/docs/tutorials/stripe/https](https://howtorotate.com/docs/tutorials/stripe/https)
[https://howtorotate.com/docs/tutorials/sumologic/https](https://howtorotate.com/docs/tutorials/sumologic/https)
[https://howtorotate.com/docs/tutorials/twilio/](https://howtorotate.com/docs/tutorials/twilio/)
[https://httpbin.org/anythingAPI](https://httpbin.org/anythingAPI)
[https://httpbin.org/status/200https](https://httpbin.org/status/200https)
[https://hub.docker.com/v2/users/loginapplication/vnd.dyspatch.2020.11](https://hub.docker.com/v2/users/loginapplication/vnd.dyspatch.2020.11)
[https://huggingface.co/api/modelsparsing](https://huggingface.co/api/modelsparsing)
[https://huggingface.co/api/whoami](https://huggingface.co/api/whoami)
[https://huggingface.cofailed](https://huggingface.cofailed)
[https://iam.googleapis.com/v1/roleshttps](https://iam.googleapis.com/v1/roleshttps)
[https://iamcredentials..](https://iamcredentials..)
[https://iamcredentials.UNIVERSE_DOMAIN/failed](https://iamcredentials.UNIVERSE_DOMAIN/failed)
[https://iamcredentials.googleapis.com/openpgp](https://iamcredentials.googleapis.com/openpgp)
[https://iamcredentials.googleapis.com/v1/](https://iamcredentials.googleapis.com/v1/)
[https://iamcredentials.mtls.googleapis.com/buffered_file_writer_total_write_size_byteshash/adler32](https://iamcredentials.mtls.googleapis.com/buffered_file_writer_total_write_size_byteshash/adler32)
[https://id.twitch.tv/oauth2/token](https://id.twitch.tv/oauth2/token)
[https://index.docker.io/v1/Unreachable](https://index.docker.io/v1/Unreachable)
[https://industrial.api.ubidots.com/api/v1.6/variables/https](https://industrial.api.ubidots.com/api/v1.6/variables/https)
[https://interseller.io/api/campaigns/listhttps](https://interseller.io/api/campaigns/listhttps)
[https://io.adafruit.com/api/v2/ladybugtest/feeds/](https://io.adafruit.com/api/v2/ladybugtest/feeds/)
[https://jenkins.example.com](https://jenkins.example.com)
[https://keychecker.trufflesecurity.com/fingerprint/](https://keychecker.trufflesecurity.com/fingerprint/)
[https://learning.postman.com/docs/collaborating](https://learning.postman.com/docs/collaborating)
[https://linkedin.com/in/williamhgates](https://linkedin.com/in/williamhgates)
[https://localhost/deprecated_featureconnection_failureprotocol_violationindicator_overflowrestrict_violationnot_null_violationcollation_mismatchundefined_functionduplicate_databaseduplicate_functionam](https://localhost/deprecated_featureconnection_failureprotocol_violationindicator_overflowrestrict_violationnot_null_violationcollation_mismatchundefined_functionduplicate_databaseduplicate_functionam)
[https://login.chinacloudapi.cn/https](https://login.chinacloudapi.cn/https)
[https://login.eagleeyenetworks.com/g/aaa/authenticatehttps](https://login.eagleeyenetworks.com/g/aaa/authenticatehttps)
[https://login.microsoftonline.com/semaphore](https://login.microsoftonline.com/semaphore)
[https://login.microsoftonline.de/2006](https://login.microsoftonline.de/2006)
[https://login.microsoftonline.us/https](https://login.microsoftonline.us/https)
[https://mailsac.com/api/addresseshttps](https://mailsac.com/api/addresseshttps)
[https://mainnet.infura.io/v3/KNAPSACK](https://mainnet.infura.io/v3/KNAPSACK)
[https://manage.chinacloudapi.com/https](https://manage.chinacloudapi.com/https)
[https://manage.chinacloudapi.com/publishsettings/indexhttps](https://manage.chinacloudapi.com/publishsettings/indexhttps)
[https://manage.microsoftazure.de/publishsettings/indexhttp](https://manage.microsoftazure.de/publishsettings/indexhttp)
[https://manage.windowsazure.com/https](https://manage.windowsazure.com/https)
[https://manage.windowsazure.com/publishsettings/indexraw](https://manage.windowsazure.com/publishsettings/indexraw)
[https://manage.windowsazure.us/https](https://manage.windowsazure.us/https)
[https://manage.windowsazure.us/publishsettings/indexunrecognized](https://manage.windowsazure.us/publishsettings/indexunrecognized)
[https://managedhsm.azure.net/https](https://managedhsm.azure.net/https)
[https://managedhsm.azure.netservicebus.usgovcloudapi.nethttps](https://managedhsm.azure.netservicebus.usgovcloudapi.nethttps)
[https://management.azure.com/https](https://management.azure.com/https)
[https://management.chinacloudapi.cn/https](https://management.chinacloudapi.cn/https)
[https://management.core.chinacloudapi.cn/https](https://management.core.chinacloudapi.cn/https)
[https://management.core.cloudapi.de/data](https://management.core.cloudapi.de/data)
[https://management.core.usgovcloudapi.net/https](https://management.core.usgovcloudapi.net/https)
[https://management.core.windows.net/https](https://management.core.windows.net/https)
[https://management.microsoftazure.de/expected](https://management.microsoftazure.de/expected)
[https://management.usgovcloudapi.net/https](https://management.usgovcloudapi.net/https)
[https://mandrillapp.com/api/1.0/users/infohttps](https://mandrillapp.com/api/1.0/users/infohttps)
[https://microsoftgraph.chinacloudapi.cn/server_duration](https://microsoftgraph.chinacloudapi.cn/server_duration)
[https://microsoftgraph.chinacloudapi.cngo](https://microsoftgraph.chinacloudapi.cngo)
[https://mltb8350.hiveage.com/api/networkapplication/vnd.hybiscus](https://mltb8350.hiveage.com/api/networkapplication/vnd.hybiscus)
[https://moderationapi.com/api/v1/analyze/languagePostgres](https://moderationapi.com/api/v1/analyze/languagePostgres)
[https://mrticktock.com/app/api/is_timer_active](https://mrticktock.com/app/api/is_timer_active)
[https://my.demio.com/api/v1/ping/query](https://my.demio.com/api/v1/ping/query)
[https://nethunt.com/api/v1/zapier/triggers/readable](https://nethunt.com/api/v1/zapier/triggers/readable)
[https://neutrinoapi.net/url](https://neutrinoapi.net/url)
[https://newsapi.org/v2/everything](https://newsapi.org/v2/everything)
[https://oauth2.googleapis.com/device/codemssql](https://oauth2.googleapis.com/device/codemssql)
[https://oauth2.googleapis.com/tokenoauth2/google](https://oauth2.googleapis.com/tokenoauth2/google)
[https://oauth2.mtls.googleapis.com/tokengrpc.io/server/received_messages_per_rpcgrpc.io/client/received_messages_per_rpcgrpclb](https://oauth2.mtls.googleapis.com/tokengrpc.io/server/received_messages_per_rpcgrpc.io/client/received_messages_per_rpcgrpclb)
[https://onesignal.com/api/v1/appshttps](https://onesignal.com/api/v1/appshttps)
[https://onfleet.com/api/v2/organizationhttps](https://onfleet.com/api/v2/organizationhttps)
[https://open.larksuite.com/open](https://open.larksuite.com/open)
[https://opentelemetry.io/schemas/1.17.0grpclb](https://opentelemetry.io/schemas/1.17.0grpclb)
[https://oss.trufflehog.org/updatesillegal](https://oss.trufflehog.org/updatesillegal)
[https://ossrdbms](https://ossrdbms)
[https://otx.alienvault.com/api/v1/users/mehttps](https://otx.alienvault.com/api/v1/users/mehttps)
[https://owlbot.info/api/v4/dictionary/securityhttps](https://owlbot.info/api/v4/dictionary/securityhttps)
[https://packagecloud.io/api/v1/reposhttps](https://packagecloud.io/api/v1/reposhttps)
[https://partner_settingscategories.statsGoogle](https://partner_settingscategories.statsGoogle)
[https://pastebin.com/api/api_post.phpapplication/vnd.percy](https://pastebin.com/api/api_post.phpapplication/vnd.percy)
[https://paydirtapp.com/api/v1/clients](https://paydirtapp.com/api/v1/clients)
[https://payments.braintree](https://payments.braintree)
[https://payments.sandbox.braintree](https://payments.sandbox.braintree)
[https://pdflayer.com/downloads/invoice.htmlPlanetScale](https://pdflayer.com/downloads/invoice.htmlPlanetScale)
[https://percy.io/api/v1/projectshttps](https://percy.io/api/v1/projectshttps)
[https://person.clearbit.com/v1/people/email/alex](https://person.clearbit.com/v1/people/email/alex)
[https://pixabay.com/api/](https://pixabay.com/api/)
[https://pkg.go.dev/cloud.google.com/go/storage](https://pkg.go.dev/cloud.google.com/go/storage)
[https://pkg.go.dev/go.mongodb.org/mongo](https://pkg.go.dev/go.mongodb.org/mongo)
[https://platform.devtest.ringcentral.com/restapi/oauth/authorize](https://platform.devtest.ringcentral.com/restapi/oauth/authorize)
[https://platform.segmentapis.com/v1beta/workspaceshttps](https://platform.segmentapis.com/v1beta/workspaceshttps)
[https://plugin.api.dronahq.com/users/](https://plugin.api.dronahq.com/users/)
[https://poloniex.com/tradingApihttps](https://poloniex.com/tradingApihttps)
[https://powrbot.com/api/v1/search/single/](https://powrbot.com/api/v1/search/single/)
[https://protobuf.dev/reference/go/faq](https://protobuf.dev/reference/go/faq)
[https://ps.pndsn.com/signal/https](https://ps.pndsn.com/signal/https)
[https://ps.pndsn.com/v2/objects/https](https://ps.pndsn.com/v2/objects/https)
[https://push.databox.com](https://push.databox.com)
[https://registry.npmjs.org/](https://registry.npmjs.org/)
[https://rendyplayground.simvoly.com/api/site/members](https://rendyplayground.simvoly.com/api/site/members)
[https://rest.clicksend.com/v3/accounthttps](https://rest.clicksend.com/v3/accounthttps)
[https://rest.coinapi.io/v1/exchangeshttps](https://rest.coinapi.io/v1/exchangeshttps)
[https://rest.messagebird.com/messageshttps](https://rest.messagebird.com/messageshttps)
[https://rest.nexmo.com/account/get](https://rest.nexmo.com/account/get)
[https://rest.textmagic.com/api/v2/userhttps](https://rest.textmagic.com/api/v2/userhttps)
[https://restpack.io/api/html2pdf/usagehttps](https://restpack.io/api/html2pdf/usagehttps)
[https://restpack.io/api/screenshot/usagehttps](https://restpack.io/api/screenshot/usagehttps)
[https://rubygems.org/api/v1/gems.jsonerror](https://rubygems.org/api/v1/gems.jsonerror)
[https://run.salesblink.io/api/public/listshttps](https://run.salesblink.io/api/public/listshttps)
[https://runrun.it/api/v1.0/users](https://runrun.it/api/v1.0/users)
[https://salescookie.com/app/Api/CreateTransaction](https://salescookie.com/app/Api/CreateTransaction)
[https://sandbox.impala.travel/v1/bookings](https://sandbox.impala.travel/v1/bookings)
[https://scrutinizer](https://scrutinizer)
[https://search.censys.io/api/v1/accounthttps](https://search.censys.io/api/v1/accounthttps)
[https://selectpdf.com/api2/convert/](https://selectpdf.com/api2/convert/)
[https://sentry.io/api/0/projects/https](https://sentry.io/api/0/projects/https)
[https://service.zipapi.us/zipcode/90210/](https://service.zipapi.us/zipcode/90210/)
[https://servicebus.azure.net/https](https://servicebus.azure.net/https)
[https://servicebus.chinacloudapi.cn/https](https://servicebus.chinacloudapi.cn/https)
[https://servicebus.cloudapi.de/https](https://servicebus.cloudapi.de/https)
[https://servicebus.usgovcloudapi.net/https](https://servicebus.usgovcloudapi.net/https)
[https://servicebus.windows.net/https](https://servicebus.windows.net/https)
[https://services.reachmail.net/administration/users/current](https://services.reachmail.net/administration/users/current)
[https://shot.screenshotapi.net/screenshot](https://shot.screenshotapi.net/screenshot)
[https://simfin.com/api/v2/companies/list](https://simfin.com/api/v2/companies/list)
[https://slack.com/api/auth.testCreateCustomerCard](https://slack.com/api/auth.testCreateCustomerCard)
[https://sms.8x8.com/api/v1/subaccounts/](https://sms.8x8.com/api/v1/subaccounts/)
[https://sms.api.sinch.com/xms/v1/https](https://sms.api.sinch.com/xms/v1/https)
[https://snyk.io/api/v1/user/mefailed](https://snyk.io/api/v1/user/mefailed)
[https://soccer.sportmonks.com/api/v2.0/leagues](https://soccer.sportmonks.com/api/v2.0/leagues)
[https://sourcegraph.com/.api/graphql](https://sourcegraph.com/.api/graphql)
[https://sslmate.com/api/v2/certs/example.com](https://sslmate.com/api/v2/certs/example.com)
[https://staging.cloud](https://staging.cloud)
[https://statuspal.io/api/v1/status_pages/secretscanner/subscriptionshttps](https://statuspal.io/api/v1/status_pages/secretscanner/subscriptionshttps)
[https://storage.UNIVERSE_DOMAIN/storage/v1/gccl](https://storage.UNIVERSE_DOMAIN/storage/v1/gccl)
[https://storage.azure.com/database.usgovcloudapi.netcloudapp.usgovcloudapi.nethttps](https://storage.azure.com/database.usgovcloudapi.netcloudapp.usgovcloudapi.nethttps)
[https://storage.googleapis.com/storage/v1/b/](https://storage.googleapis.com/storage/v1/b/)
[https://storage.mtls.googleapis.com/storage/v1/storage](https://storage.mtls.googleapis.com/storage/v1/storage)
[https://stripo.email/emailgeneration/v1/emails](https://stripo.email/emailgeneration/v1/emails)
[https://sts.UNIVERSE_DOMAIN/v1/tokenurn](https://sts.UNIVERSE_DOMAIN/v1/tokenurn)
[https://sts.amazonaws.com/](https://sts.amazonaws.com/)
[https://sts.amazonaws.comnot](https://sts.amazonaws.comnot)
[https://technical](https://technical)
[https://test.api.amadeus.com/v1/security/oauth2/tokenhttps](https://test.api.amadeus.com/v1/security/oauth2/tokenhttps)
[https://timezoneapi.io/api/ip/](https://timezoneapi.io/api/ip/)
[https://track.customer.io/api/v1/customers/5/eventshttps](https://track.customer.io/api/v1/customers/5/eventshttps)
[https://trackapi.nutritionix.com/v2/natural/nutrients](https://trackapi.nutritionix.com/v2/natural/nutrients)
[https://trading.robinhood.com/https](https://trading.robinhood.com/https)
[https://transit.walkscore.com/transit/search/stops/](https://transit.walkscore.com/transit/search/stops/)
[https://trk.mtrl.me/categoryunexpected](https://trk.mtrl.me/categoryunexpected)
[https://trufflesecurity.com/canariesDefaultEndpointsProtocol=https](https://trufflesecurity.com/canariesDefaultEndpointsProtocol=https)
[https://trufflesecurity.com/canariesGetGeoAPI](https://trufflesecurity.com/canariesGetGeoAPI)
[https://trufflesecurity.com/contacted25519](https://trufflesecurity.com/contacted25519)
[https://trufflesecurity.com/trufflehogmax](https://trufflesecurity.com/trufflehogmax)
[https://typetalk.com/oauth2/access_token](https://typetalk.com/oauth2/access_token)
[https://unify.apideck.com/vault/consumerscouldn](https://unify.apideck.com/vault/consumerscouldn)
[https://upload.pypi.org/legacy/](https://upload.pypi.org/legacy/)
[https://uploads.github.com//dependency](https://uploads.github.com//dependency)
[https://uptime.betterstack.com/api/v2/monitorshttps](https://uptime.betterstack.com/api/v2/monitorshttps)
[https://urlscan.io/user/quotashttps](https://urlscan.io/user/quotashttps)
[https://us.qubole.com/api/v1.2/accounthttps](https://us.qubole.com/api/v1.2/accounthttps)
[https://us1.locationiq.com/v1/reverse.php](https://us1.locationiq.com/v1/reverse.php)
[https://v2.convertapi.com/user](https://v2.convertapi.com/user)
[https://v3.api.hypertrack.com/trips/expected](https://v3.api.hypertrack.com/trips/expected)
[https://v6.exchangerate](https://v6.exchangerate)
[https://vault.azure.cn/vault.microsoftazure.denot](https://vault.azure.cn/vault.microsoftazure.denot)
[https://vault.azure.cnazuretrafficmanager.deservicebus.cloudapi.deAZUREUSGOVERNMENTCLOUDAZURE_GO_SDK_LOG_LEVELnot](https://vault.azure.cnazuretrafficmanager.deservicebus.cloudapi.deAZUREUSGOVERNMENTCLOUDAZURE_GO_SDK_LOG_LEVELnot)
[https://vault.azure.net/mysql.database.azure.comhttps](https://vault.azure.net/mysql.database.azure.comhttps)
[https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps](https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps)
[https://vault.microsoftazure.de/specific](https://vault.microsoftazure.de/specific)
[https://vault.microsoftazure.dedata](https://vault.microsoftazure.dedata)
[https://vault.usgovcloudapi.net/mysql.database.usgovcloudapi.nethttp](https://vault.usgovcloudapi.net/mysql.database.usgovcloudapi.nethttp)
[https://vault.usgovcloudapi.nethttps](https://vault.usgovcloudapi.nethttps)
[https://verifier.meetchopra.com/verify/](https://verifier.meetchopra.com/verify/)
[https://verify.twilio.com/v2/Servicesif](https://verify.twilio.com/v2/Servicesif)
[https://vpnapi.io/api/8.8.8.8](https://vpnapi.io/api/8.8.8.8)
[https://weather.ls.hereapi.com/weather/1.0/report.json](https://weather.ls.hereapi.com/weather/1.0/report.json)
[https://weather.visualcrossing.com/VisualCrossingWebServices/rest/services/timeline/LA](https://weather.visualcrossing.com/VisualCrossingWebServices/rest/services/timeline/LA)
[https://webexapis.com/v1/access_tokenhttps](https://webexapis.com/v1/access_tokenhttps)
[https://ws.detectlanguage.com/0.2/user/statushttps](https://ws.detectlanguage.com/0.2/user/statushttps)
[https://www.World](https://www.World)
[https://www.apilayer.net/api/validate](https://www.apilayer.net/api/validate)
[https://www.apimatic.io/api/code](https://www.apimatic.io/api/code)
[https://www.appsynergy.com/api](https://www.appsynergy.com/api)
[https://www.bitmex.com](https://www.bitmex.com)
[https://www.browserstack.com/automate/plan.jsonhttps](https://www.browserstack.com/automate/plan.jsonhttps)
[https://www.buddyns.com/api/v2/zone/https](https://www.buddyns.com/api/v2/zone/https)
[https://www.bugherd.com/api_v2/projects.jsonhttps](https://www.bugherd.com/api_v2/projects.jsonhttps)
[https://www.carboninterface.com/api/v1/estimateshttps](https://www.carboninterface.com/api/v1/estimateshttps)
[https://www.clinchpad.com/api/v1/pipelines](https://www.clinchpad.com/api/v1/pipelines)
[https://www.diggernaut.com/api/projectshttps](https://www.diggernaut.com/api/projectshttps)
[https://www.dnscheck.co/api/v1/groups/https](https://www.dnscheck.co/api/v1/groups/https)
[https://www.easy](https://www.easy)
[https://www.eventbriteapi.com/v3/users/me/](https://www.eventbriteapi.com/v3/users/me/)
[https://www.flickr.com/services/rest/](https://www.flickr.com/services/rest/)
[https://www.formbucket.com/v1/profilehttps](https://www.formbucket.com/v1/profilehttps)
[https://www.gocanvas.com/apiv2/forms.xml](https://www.gocanvas.com/apiv2/forms.xml)
[https://www.googleapis.com/auth/cloud](https://www.googleapis.com/auth/cloud)
[https://www.googleapis.com/auth/devstorage.full_controlstorage](https://www.googleapis.com/auth/devstorage.full_controlstorage)
[https://www.googleapis.com/auth/devstorage.read_onlywildcards](https://www.googleapis.com/auth/devstorage.read_onlywildcards)
[https://www.googleapis.com/auth/devstorage.read_writeB](https://www.googleapis.com/auth/devstorage.read_writeB)
[https://www.googleapis.com/auth/devstorage.read_writecredentials](https://www.googleapis.com/auth/devstorage.read_writecredentials)
[https://www.googleapis.com/blogger/v3/blogs/2399953](https://www.googleapis.com/blogger/v3/blogs/2399953)
[https://www.googleapis.com/oauth2/v3/tokeninfo](https://www.googleapis.com/oauth2/v3/tokeninfo)
[https://www.googleapis.com/youtube/v3/channelSections](https://www.googleapis.com/youtube/v3/channelSections)
[https://www.happyscribe.com/api/v1/transcriptionshttps](https://www.happyscribe.com/api/v1/transcriptionshttps)
[https://www.humanity.com/api/v2/me](https://www.humanity.com/api/v2/me)
[https://www.ipqualityscore.com/api/json/account/](https://www.ipqualityscore.com/api/json/account/)
[https://www.mapquestapi.com/datamanager/v2/get](https://www.mapquestapi.com/datamanager/v2/get)
[https://www.meistertask.com/api/projectsapplication/vnd.moonclerk](https://www.meistertask.com/api/projectsapplication/vnd.moonclerk)
[https://www.mindmeister.com/services/rest/oauth2](https://www.mindmeister.com/services/rest/oauth2)
[https://www.mongodb.com/supportability/cosmosdb](https://www.mongodb.com/supportability/cosmosdb)
[https://www.mongodb.com/supportability/documentdbAzure](https://www.mongodb.com/supportability/documentdbAzure)
[https://www.nuget.org/api/v2/packagehttps](https://www.nuget.org/api/v2/packagehttps)
[https://www.parsehub.com/api/v2/projects](https://www.parsehub.com/api/v2/projects)
[https://www.pivotaltracker.com/services/v5/mehttps](https://www.pivotaltracker.com/services/v5/mehttps)
[https://www.planyo.com/rest/](https://www.planyo.com/rest/)
[https://www.postman.com/_api/workspace/](https://www.postman.com/_api/workspace/)
[https://www.protocols.io/api/v3/session/profilerequest](https://www.protocols.io/api/v3/session/profilerequest)
[https://www.recent](https://www.recent)
[https://www.strava.com/oauth/tokenhttps](https://www.strava.com/oauth/tokenhttps)
[https://www.streak.com/api/v1/pipelineshttps](https://www.streak.com/api/v1/pipelineshttps)
[https://www.tefter.io/api/bookmarks](https://www.tefter.io/api/bookmarks)
[https://www.versioneye.com/api/v1/scanshttps](https://www.versioneye.com/api/v1/scanshttps)
[https://www.virustotal.com/api/v3/metadatahttps](https://www.virustotal.com/api/v3/metadatahttps)
[https://www.worldcoinindex.com/apiservice/ticker](https://www.worldcoinindex.com/apiservice/ticker)
[https://www.zipcodeapi.com/rest/](https://www.zipcodeapi.com/rest/)
[https://yourdomain.com/samplecallback](https://yourdomain.com/samplecallback)
[https://yourwebsite.com/callbacks_handler/BuddyNS](https://yourwebsite.com/callbacks_handler/BuddyNS) | -| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [AMD64](https://github.com/search?q=AMD64&type=code)
[amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | -| LOW | [collect/code/github_api](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/code/github_api.yara#github_api_user) | access GitHub API | [api.github.com](https://github.com/search?q=api.github.com&type=code)
[google/go-github](https://github.com/search?q=google%2Fgo-github&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [- pairs with password](https://github.com/search?q=-+pairs+with+password&type=code)
[AllowCleartextPasswords](https://github.com/search?q=AllowCleartextPasswords&type=code)
[AllowEmptyPassword](https://github.com/search?q=AllowEmptyPassword&type=code)
[AllowNativePasswords](https://github.com/search?q=AllowNativePasswords&type=code)
[AllowOldPasswords](https://github.com/search?q=AllowOldPasswords&type=code)
[Attribute SyntaxPassword must be changed](https://github.com/search?q=Attribute+SyntaxPassword+must+be+changed&type=code)
[CertificatePasswordvprotobuf](https://github.com/search?q=CertificatePasswordvprotobuf&type=code)
[ChangePasswordLength](https://github.com/search?q=ChangePasswordLength&type=code)
[ChangePasswordOffset](https://github.com/search?q=ChangePasswordOffset&type=code)
[ChangePasswordOptions](https://github.com/search?q=ChangePasswordOptions&type=code)
[ControlVChuPasswordMustChange](https://github.com/search?q=ControlVChuPasswordMustChange&type=code)
[ControlVChuPasswordWarning](https://github.com/search?q=ControlVChuPasswordWarning&type=code)
[Elasticsearch password](https://github.com/search?q=Elasticsearch+password&type=code)
[FilePasswordFunc](https://github.com/search?q=FilePasswordFunc&type=code)
[GetCertificatePassword](https://github.com/search?q=GetCertificatePassword&type=code)
[GetPassword](https://github.com/search?q=GetPassword&type=code)
[GetVCSPassword](https://github.com/search?q=GetVCSPassword&type=code)
[GetVerifiablePasswordAuthentication](https://github.com/search?q=GetVerifiablePasswordAuthentication&type=code)
[KeychainPasswordFunc](https://github.com/search?q=KeychainPasswordFunc&type=code)
[NewChangePasswordFunc](https://github.com/search?q=NewChangePasswordFunc&type=code)
[NewControlBeheraPasswordPolicy](https://github.com/search?q=NewControlBeheraPasswordPolicy&type=code)
[NewReaderWithPassword](https://github.com/search?q=NewReaderWithPassword&type=code)
[Pairs with password](https://github.com/search?q=Pairs+with+password&type=code)
[PasscodeInPassword](https://github.com/search?q=PasscodeInPassword&type=code)
[Password from](https://github.com/search?q=Password+from&type=code)
[PasswordAuthenticator](https://github.com/search?q=PasswordAuthenticator&type=code)
[PasswordChanged](https://github.com/search?q=PasswordChanged&type=code)
[PasswordCredentialsToken](https://github.com/search?q=PasswordCredentialsToken&type=code)
[PasswordEprotobuf](https://github.com/search?q=PasswordEprotobuf&type=code)
[PasswordHashIterations](https://github.com/search?q=PasswordHashIterations&type=code)
[PasswordModify](https://github.com/search?q=PasswordModify&type=code)
[PasswordRegexCheck](https://github.com/search?q=PasswordRegexCheck&type=code)
[PasswordSet](https://github.com/search?q=PasswordSet&type=code)
[SASLprepping password](https://github.com/search?q=SASLprepping+password&type=code)
[SecureSettingsPassword](https://github.com/search?q=SecureSettingsPassword&type=code)
[allowCleartextPasswords](https://github.com/search?q=allowCleartextPasswords&type=code)
[allowOldPasswords](https://github.com/search?q=allowOldPasswords&type=code)
[authRequiresPassword](https://github.com/search?q=authRequiresPassword&type=code)
[certificatePassword](https://github.com/search?q=certificatePassword&type=code)
[certificate_password](https://github.com/search?q=certificate_password&type=code)
[change_passwordsecurity](https://github.com/search?q=change_passwordsecurity&type=code)
[changepassword](https://github.com/search?q=changepassword&type=code)
[dPassword Policy - Behera](https://github.com/search?q=dPassword+Policy+-+Behera&type=code)
[empty password](https://github.com/search?q=empty+password&type=code)
[encryptPassword](https://github.com/search?q=encryptPassword&type=code)
[errEmptyPassword](https://github.com/search?q=errEmptyPassword&type=code)
[for ChangePassword](https://github.com/search?q=for+ChangePassword&type=code)
[in list of old passwordsldap](https://github.com/search?q=in+list+of+old+passwordsldap&type=code)
[incorrect passwordrardecode](https://github.com/search?q=incorrect+passwordrardecode&type=code)
[json into Changepassword request](https://github.com/search?q=json+into+Changepassword+request&type=code)
[key is not password protectedssh](https://github.com/search?q=key+is+not+password+protectedssh&type=code)
[manglePassword](https://github.com/search?q=manglePassword&type=code)
[meetsCouchbasePasswordRequirements](https://github.com/search?q=meetsCouchbasePasswordRequirements&type=code)
[meetsSnowflakePasswordRequirements](https://github.com/search?q=meetsSnowflakePasswordRequirements&type=code)
[mongoPasswordDigest](https://github.com/search?q=mongoPasswordDigest&type=code)
[native_passwordinvalid dbname](https://github.com/search?q=native_passwordinvalid+dbname&type=code)
[nil ValueWriterpassword must not be set](https://github.com/search?q=nil+ValueWriterpassword+must+not+be+set&type=code)
[no username and password are provided](https://github.com/search?q=no+username+and+password+are+provided&type=code)
[old_passwordsRepositories to](https://github.com/search?q=old_passwordsRepositories+to&type=code)
[parseUserPassword](https://github.com/search?q=parseUserPassword&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[passwordFunc](https://github.com/search?q=passwordFunc&type=code)
[passwordSet](https://github.com/search?q=passwordSet&type=code)
[password_change_date](https://github.com/search?q=password_change_date&type=code)
[password_hash](https://github.com/search?q=password_hash&type=code)
[passwordattachment](https://github.com/search?q=passwordattachment&type=code)
[passwordf](https://github.com/search?q=passwordf&type=code)
[passworduser](https://github.com/search?q=passworduser&type=code)
[qunexpected password response](https://github.com/search?q=qunexpected+password+response&type=code)
[requires old password authentication](https://github.com/search?q=requires+old+password+authentication&type=code)
[saltPassword](https://github.com/search?q=saltPassword&type=code)
[scrambleOldPassword](https://github.com/search?q=scrambleOldPassword&type=code)
[scramblePassword](https://github.com/search?q=scramblePassword&type=code)
[secure_settings_password](https://github.com/search?q=secure_settings_password&type=code)
[sendEncryptedPassword](https://github.com/search?q=sendEncryptedPassword&type=code)
[socksUsernamePassword](https://github.com/search?q=socksUsernamePassword&type=code)
[stripPassword](https://github.com/search?q=stripPassword&type=code)
[the ChangePassword query execution](https://github.com/search?q=the+ChangePassword+query+execution&type=code)
[username AND password](https://github.com/search?q=username+AND+password&type=code)
[username or password was specified](https://github.com/search?q=username+or+password+was+specified&type=code)
[vcs_password](https://github.com/search?q=vcs_password&type=code)
[verifiable_password_authentication](https://github.com/search?q=verifiable_password_authentication&type=code)
[winvalid password](https://github.com/search?q=winvalid+password&type=code) | -| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [privateKey](https://github.com/search?q=privateKey&type=code)
[private_key](https://github.com/search?q=private_key&type=code)
[privatekey](https://github.com/search?q=privatekey&type=code) | -| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[aes_256_cbc](https://github.com/search?q=aes_256_cbc&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) | -| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [DecryptArgs](https://github.com/search?q=DecryptArgs&type=code)
[DecryptColumnEncryption](https://github.com/search?q=DecryptColumnEncryption&type=code)
[DecryptExplicit](https://github.com/search?q=DecryptExplicit&type=code)
[DecryptOAEP](https://github.com/search?q=DecryptOAEP&type=code)
[DecryptPEMBlock](https://github.com/search?q=DecryptPEMBlock&type=code)
[DecryptPKCS1v15SessionK](https://github.com/search?q=DecryptPKCS1v15SessionK&type=code)
[DecryptPrivateKeys](https://github.com/search?q=DecryptPrivateKeys&type=code)
[DecryptTicket](https://github.com/search?q=DecryptTicket&type=code)
[Decrypt_html_template_r](https://github.com/search?q=Decrypt_html_template_r&type=code)
[DecrypterInteract with](https://github.com/search?q=DecrypterInteract+with&type=code)
[DecrypterOpts](https://github.com/search?q=DecrypterOpts&type=code)
[DecryptionKeys](https://github.com/search?q=DecryptionKeys&type=code)
[GetDecryptedKey](https://github.com/search?q=GetDecryptedKey&type=code)
[NewCBCDecrypter](https://github.com/search?q=NewCBCDecrypter&type=code)
[NewCFBDecrypter](https://github.com/search?q=NewCFBDecrypter&type=code)
[NewECBDecrypter](https://github.com/search?q=NewECBDecrypter&type=code)
[NewOCFBDecrypter](https://github.com/search?q=NewOCFBDecrypter&type=code)
[PKCS1v15DecryptOptions](https://github.com/search?q=PKCS1v15DecryptOptions&type=code)
[aeadDecrypter](https://github.com/search?q=aeadDecrypter&type=code)
[cbcDecrypter](https://github.com/search?q=cbcDecrypter&type=code)
[decbDecrypter](https://github.com/search?q=decbDecrypter&type=code)
[ecDecrypterSigner](https://github.com/search?q=ecDecrypterSigner&type=code)
[edDecrypterSigner](https://github.com/search?q=edDecrypterSigner&type=code)
[lid options for Decryptcipher](https://github.com/search?q=lid+options+for+Decryptcipher&type=code)
[newAesDecryptReader](https://github.com/search?q=newAesDecryptReader&type=code)
[newDecrypter](https://github.com/search?q=newDecrypter&type=code)
[ocfbDecrypter](https://github.com/search?q=ocfbDecrypter&type=code)
[pkeDecrypt](https://github.com/search?q=pkeDecrypt&type=code)
[pter type in NewDecrypterPrivateKeyCoun](https://github.com/search?q=pter+type+in+NewDecrypterPrivateKeyCoun&type=code)
[rsaDecryptOk](https://github.com/search?q=rsaDecryptOk&type=code)
[rsaDecrypterSigner](https://github.com/search?q=rsaDecrypterSigner&type=code)
[vDecrypting column](https://github.com/search?q=vDecrypting+column&type=code)
[wecbDecrypter](https://github.com/search?q=wecbDecrypter&type=code) | -| LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) | -| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | -| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public key](https://github.com/search?q=Public+key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | -| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code) | -| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | -| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | -| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | -| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | -| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [(/](https://github.com/search?q=%28%B5%2F%FD&type=code)
[ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | -| LOW | [data/embedded/pem_certificate](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert) | Contains embedded PEM certificate | [--BEGIN CERTIFICATE--](https://github.com/search?q=--BEGIN+CERTIFICATE--&type=code) | -| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | -| LOW | [data/encoding/json](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json.yara#encoding_json) | Supports JSON encoded objects | [encoding/json](https://github.com/search?q=encoding%2Fjson&type=code) | -| LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSONDecode](https://github.com/search?q=JSONDecode&type=code)
[json.Unmarshal](https://github.com/search?q=json.Unmarshal&type=code) | -| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSONEncode](https://github.com/search?q=JSONEncode&type=code) | -| LOW | [data/hash/blake2b](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/blake2b.yara#crypto_blake2b) | Uses blake2b encryption algorithm | [blake2b](https://github.com/search?q=blake2b&type=code) | -| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [md5:copy](https://github.com/search?q=md5%3Acopy&type=code) | -| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | -| LOW | [discover/cloud/aws_metadata](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/aws-metadata.yara#aws_metadata) | References the AWS EC2 metadata token | [X-aws-ec2-metadata-token](https://github.com/search?q=X-aws-ec2-metadata-token&type=code) | -| LOW | [discover/cloud/google_metadata](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/google-metadata.yara#google_metadata) | Includes the token required to use the Google Cloud Platform metadata server | [Metadata-Flavor](https://github.com/search?q=Metadata-Flavor&type=code) | -| LOW | [discover/cloud/google_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/google-storage.yara#go_import) | Capable of using Google Cloud Storage (GCS) | [cloud.google.com/go/storage](https://github.com/search?q=cloud.google.com%2Fgo%2Fstorage&type=code) | -| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | -| LOW | [discover/system/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) | -| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [/proc/sys/kernel/hostname](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fhostname&type=code) | -| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | 
[syscall.Uname](https://github.com/search?q=syscall.Uname&type=code)
[uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [EditorImportPlugin](https://github.com/search?q=EditorImportPlugin&type=code)
[EditorPlugin](https://github.com/search?q=EditorPlugin&type=code)
[ExtendedPlugins](https://github.com/search?q=ExtendedPlugins&type=code)
[NewPluginsFunc](https://github.com/search?q=NewPluginsFunc&type=code)
[PluginStats](https://github.com/search?q=PluginStats&type=code)
[PluginsFormat](https://github.com/search?q=PluginsFormat&type=code)
[PluginsRecord](https://github.com/search?q=PluginsRecord&type=code)
[PluginsStatus](https://github.com/search?q=PluginsStatus&type=code)
[SetPluginConfig](https://github.com/search?q=SetPluginConfig&type=code)
[extended_plugins](https://github.com/search?q=extended_plugins&type=code)
[hungarian_ciunknown auth plugin](https://github.com/search?q=hungarian_ciunknown+auth+plugin&type=code)
[not use requested auth plugin](https://github.com/search?q=not+use+requested+auth+plugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[plugin loaded](https://github.com/search?q=plugin+loaded&type=code)
[pluginVersion](https://github.com/search?q=pluginVersion&type=code)
[pluginclose](https://github.com/search?q=pluginclose&type=code)
[pluginopen](https://github.com/search?q=pluginopen&type=code)
[pluginpath](https://github.com/search?q=pluginpath&type=code)
[pluginsFormat](https://github.com/search?q=pluginsFormat&type=code)
[pluginsrecord](https://github.com/search?q=pluginsrecord&type=code)
[pluginstats](https://github.com/search?q=pluginstats&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | -| LOW | [exec/system_controls/systemd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/system_controls/systemd.yara#ref_systemd) | makes references to systemd | [SYSTEMD](https://github.com/search?q=SYSTEMD&type=code)
[systemd](https://github.com/search?q=systemd&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectoryFn](https://github.com/search?q=CreateDirectoryFn&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | -| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [Rmdir](https://github.com/search?q=Rmdir&type=code)
[rmdir](https://github.com/search?q=rmdir&type=code) | -| LOW | [fs/fifo_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/fifo-create.yara#mkfifo) | make a FIFO special file (a named pipe) | [mkfifo](https://github.com/search?q=mkfifo&type=code) | -| LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm non-TreeNoderserror creating cancelr](https://github.com/search?q=rm+non-TreeNoderserror+creating+cancelr&type=code)
[rm on-chain due to too low of a transa](https://github.com/search?q=rm+on-chain+due+to+too+low+of+a+transa&type=code) | -| LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | -| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code)
[os.(*File).Read](https://github.com/search?q=os.%28%2AFile%29.Read&type=code) | -| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code)
[os.rename](https://github.com/search?q=os.rename&type=code) | -| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statFile](https://github.com/search?q=fs.statFile&type=code) | -| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code)
[writeCacheFile](https://github.com/search?q=writeCacheFile&type=code)
[writeFilePatchHeader](https://github.com/search?q=writeFilePatchHeader&type=code)
[writeFileToArchive](https://github.com/search?q=writeFileToArchive&type=code)
[writeFilestat](https://github.com/search?q=writeFilestat&type=code)
[writeRawFile](https://github.com/search?q=writeRawFile&type=code)
[writerFile](https://github.com/search?q=writerFile&type=code) | -| LOW | [fs/link_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) | -| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | -| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | -| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/apache/mime.typesgzip](https://github.com/search?q=%2Fetc%2Fapache%2Fmime.typesgzip&type=code)
[/etc/gitconfigempty](https://github.com/search?q=%2Fetc%2Fgitconfigempty&type=code)
[/etc/hosts.localhostgetsockoptnetlink](https://github.com/search?q=%2Fetc%2Fhosts.localhostgetsockoptnetlink&type=code)
[/etc/httpd/conf/mime.typesmime](https://github.com/search?q=%2Fetc%2Fhttpd%2Fconf%2Fmime.typesmime&type=code)
[/etc/mdns.allow/etc/mime.types](https://github.com/search?q=%2Fetc%2Fmdns.allow%2Fetc%2Fmime.types&type=code)
[/etc/nsswitch.confinvalid](https://github.com/search?q=%2Fetc%2Fnsswitch.confinvalid&type=code)
[/etc/pki/ca-trust/extracted/pem/tls-c](https://github.com/search?q=%2Fetc%2Fpki%2Fca-trust%2Fextracted%2Fpem%2Ftls-c&type=code)
[/etc/pki/tls/cacert.peminvalid](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcacert.peminvalid&type=code)
[/etc/pki/tls/certs/ca-bundle.crtx](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcerts%2Fca-bundle.crtx&type=code)
[/etc/pki/tls/certsperforming](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcertsperforming&type=code)
[/etc/protocolsunknown](https://github.com/search?q=%2Fetc%2Fprotocolsunknown&type=code)
[/etc/resolv.confnon-](https://github.com/search?q=%2Fetc%2Fresolv.confnon-&type=code)
[/etc/servicesdal](https://github.com/search?q=%2Fetc%2Fservicesdal&type=code)
[/etc/ssh/ssh](https://github.com/search?q=%2Fetc%2Fssh%2Fssh&type=code)
[/etc/ssl/ca-bundle.pemx](https://github.com/search?q=%2Fetc%2Fssl%2Fca-bundle.pemx&type=code)
[/etc/ssl/cert.peminvalid](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.peminvalid&type=code)
[/etc/ssl/certs/ca-certificates.crtadd](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts%2Fca-certificates.crtadd&type=code)
[/etc/ssl/certsinvalid](https://github.com/search?q=%2Fetc%2Fssl%2Fcertsinvalid&type=code)
[/etc/zoneinfoparsing](https://github.com/search?q=%2Fetc%2Fzoneinfoparsing&type=code) |
-| LOW | [fs/path/etc_resolv.conf](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf) | accesses DNS resolver configuration | [/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code) |
-| LOW | [fs/path/file_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/file-url.yara#file_url) | file url | [file:///tmp](https://github.com/search?q=file%3A%2F%2F%2Ftmp&type=code) |
-| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/trufflehog/3.82.6/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftrufflehog%2F3.82.6%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code) |
-| LOW | [fs/path/home_config](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path) | path reference within ~/.config | [GRITY_ONLY.config/gcloudf32](https://github.com/search?q=GRITY_ONLY.config%2Fgcloudf32&type=code)
[NumberLine.config/git/configunknown channel](https://github.com/search?q=NumberLine.config%2Fgit%2Fconfigunknown+channel&type=code) |
-| LOW | [fs/path/usr_bin](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path) | path reference within /usr/bin | [/usr/bin/envcomments_pop_1comments_pop_2c](https://github.com/search?q=%2Fusr%2Fbin%2Fenvcomments_pop_1comments_pop_2c&type=code) |
-| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/run/slapd/ldapiTLS](https://github.com/search?q=%2Fvar%2Frun%2Fslapd%2FldapiTLS&type=code) |
-| LOW | [fs/swap/off](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/swap/swap-off.yara#swapoff) | stop swapping to a file/device | [swapoff](https://github.com/search?q=swapoff&type=code) |
-| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) |
-| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) |
-| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) |
-| LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
-| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [temp dir](https://github.com/search?q=temp+dir&type=code) |
-| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [createTempFile](https://github.com/search?q=createTempFile&type=code)
[temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) |
-| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) |
-| LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) |
-| LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code)
[SetEDNS0](https://github.com/search?q=SetEDNS0&type=code)
[dnsmessage](https://github.com/search?q=dnsmessage&type=code) |
-| LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code) |
-| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) |
-| LOW | [net/ftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ftp/ftp.yara#ftp) | File Transfer Protocol (FTP) | [ftp.Dial](https://github.com/search?q=ftp.Dial&type=code) |
-| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) |
-| LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) |
-| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[Www-Authenticate](https://github.com/search?q=Www-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) |
-| LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [OAuth 2](https://github.com/search?q=OAuth+2&type=code)
[oauth2](https://github.com/search?q=oauth2&type=code) |
-| LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) |
-| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code) |
-| LOW | [net/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets) | access the internet | [invalid packet](https://github.com/search?q=invalid+packet&type=code) |
-| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) |
-| LOW | [net/ip/resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-resolve.yara#gethostbyaddr) | [resolves network hosts via IP address](https://linux.die.net/man/3/gethostbyaddr) | [gethostbyaddr](https://github.com/search?q=gethostbyaddr&type=code) |
-| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) |
-| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) |
-| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) |
-| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) |
-| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) |
-| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code)
[sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) |
-| LOW | [net/tcp/grpc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/grpc.yara#grpc) | Uses the gRPC Remote Procedure Call framework | [gRPC](https://github.com/search?q=gRPC&type=code) |
-| LOW | [net/udp/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-receive.yara#udp_listen) | Listens for UDP responses | [ReadFromUDP](https://github.com/search?q=ReadFromUDP&type=code)
[listenUDP](https://github.com/search?q=listenUDP&type=code) |
-| LOW | [net/udp/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-send.yara#udp_send) | Sends UDP packets | [DialUDP](https://github.com/search?q=DialUDP&type=code)
[WriteMsgUDP](https://github.com/search?q=WriteMsgUDP&type=code) |
-| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [RequestURI](https://github.com/search?q=RequestURI&type=code) |
-| LOW | [os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val) | Retrieve environment variable values | [env.ANSIC](https://github.com/search?q=env.ANSIC&type=code)
[env.RGBC](https://github.com/search?q=env.RGBC&type=code) |
-| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code)
[syscall.Sendfile](https://github.com/search?q=syscall.Sendfile&type=code) |
-| LOW | [os/kernel/key_management](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/key-management.yara#syscall_keyctl) | kernel key management facility | [keyctl](https://github.com/search?q=keyctl&type=code) |
-| LOW | [os/kernel/netlink](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink) | communicate with kernel services | [netlink](https://github.com/search?q=netlink&type=code) |
-| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) |
-| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) |
-| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real, effective, and saved group ID of process | [setgid](https://github.com/search?q=setgid&type=code) |
-| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) |
-| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
-
diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple
index 5a76c42d3..e69de29bb 100644
--- a/tests/linux/clean/wolfictl.simple
+++ b/tests/linux/clean/wolfictl.simple
@@ -1,192 +0,0 @@
-# linux/clean/wolfictl: medium
-anti-static/elf/multiple: medium
-c2/addr/http_dynamic: medium
-c2/addr/ip: medium
-c2/addr/url: low
-c2/client: medium
-c2/tool_transfer/arch: low
-c2/tool_transfer/download: medium
-c2/tool_transfer/dropper: medium
-c2/tool_transfer/os: medium
-collect/archives/tar_command: medium
-collect/archives/unarchive: medium
-collect/archives/zip: medium
-collect/code/github_api: low
-collect/databases/mysql: medium
-collect/databases/postgresql: medium
-collect/databases/sqlite: medium
-credential/clipboard: medium
-credential/cloud/g: medium
-credential/keychain: medium
-credential/password: low
-credential/server/htpasswd: medium
-credential/ssl/private_key: low
-crypto/aes: low
-crypto/blockchain: medium
-crypto/cipher: medium
-crypto/decrypt: low
-crypto/ecdsa: low
-crypto/ed25519: low
-crypto/openssl: medium
-crypto/public_key: low
-crypto/tls: low
-data/compression/bzip2: low
-data/compression/gzip: low
-data/compression/lzma: low
-data/compression/xz: medium
-data/compression/zlib: low
-data/compression/zstd: low
-data/embedded/html: medium
-data/embedded/pem_certificate: low
-data/embedded/ssh_signature: medium
-data/encoding/base64: low
-data/encoding/json: low
-data/encoding/json_decode: low
-data/encoding/json_encode: low
-data/hash/blake2b: low
-data/hash/md5: low
-discover/cloud/aws_metadata: low
-discover/cloud/google_metadata: low
-discover/cloud/google_storage: low
-discover/network/interface_list: medium
-discover/network/mac_address: medium
-discover/network/netstat: medium
-discover/processes/pgrep: medium
-discover/system/cpu: low
-discover/system/dmesg: low
-discover/system/hostname: low
-discover/system/platform: medium
-discover/system/sysinfo: medium
-discover/user/HOME: low
-discover/user/USER: low
-discover/user/name_get: medium
-evasion/bypass_security/linux/se: medium
-evasion/bypass_security/macos/xprotect: medium
-evasion/file/location/dev_shm: medium
-evasion/file/location/system_directory: medium
-evasion/file/prefix: medium
-exec/cmd: medium
-exec/conditional/LANG: low
-exec/dylib/symbol_address: medium
-exec/install_additional/pip_install: medium
-exec/plugin: low
-exec/program: medium
-exec/shell/TERM: low
-exec/shell/background_sleep: medium
-exec/shell/pipe_sh: medium
-exec/system_controls/systemd: low
-exfil/office_file_ext: medium
-fs/attributes/set: medium
-fs/blkid: low
-fs/directory/create: low
-fs/directory/list: low
-fs/directory/remove: low
-fs/fifo_create: low
-fs/file/copy: medium
-fs/file/create: medium
-fs/file/delete: medium
-fs/file/delete_forcibly: medium
-fs/file/open: low
-fs/file/read: low
-fs/file/rename: low
-fs/file/stat: low
-fs/file/times_set: medium
-fs/file/truncate: low
-fs/file/write: low
-fs/link_create: low
-fs/link_read: low
-fs/lock_update: low
-fs/loopback: medium
-fs/mount: low
-fs/node_create: low
-fs/path/bin_su: low
-fs/path/etc: low
-fs/path/etc_hosts: medium
-fs/path/etc_resolv.conf: low
-fs/path/home_config: low
-fs/path/root: medium
-fs/path/users: medium
-fs/path/usr_bin: low
-fs/path/usr_local: medium
-fs/path/usr_sbin: low
-fs/path/var: low
-fs/permission/chown: medium
-fs/permission/modify: medium
-fs/proc/arbitrary_pid: medium
-fs/proc/self_mountinfo: medium
-fs/swap/off: low
-fs/swap/on: low
-fs/symlink_resolve: low
-fs/tempdir: low
-fs/tempdir/TEMP: low
-fs/tempdir/TMPDIR: low
-fs/tempdir/create: low
-fs/tempfile: low
-fs/unmount: low
-fs/watch: low
-hw/wireless: low
-impact/ddos/raw_flooder: medium
-impact/remote_access/heartbeat: medium
-impact/remote_access/kill_rm: medium
-lateral/scan/brute_force: low
-lateral/scan/tool: medium
-malware/ref: medium
-net/dns: low
-net/dns/reverse: medium
-net/dns/servers: low
-net/dns/txt: low
-net/download/fetch: medium
-net/http/2: low
-net/http/accept: medium
-net/http/accept_encoding: low
-net/http/auth: low
-net/http/content_length: medium
-net/http/cookies: medium
-net/http/form_upload: medium
-net/http/oauth2: low
-net/http/post: medium
-net/http/proxy: low
-net/http/request: low
-net/http/webhook: medium
-net/ip: low
-net/ip/host_port: medium
-net/ip/icmp: medium
-net/ip/multicast_send: low
-net/ip/parse: medium
-net/proxy/reverse: medium
-net/proxy/socks5: medium
-net/proxy/tunnel: medium
-net/resolve/hostname: low
-net/socket/listen: medium
-net/socket/local_addr: low
-net/socket/peer_address: low
-net/socket/receive: low
-net/socket/reuseport: medium
-net/socket/send: low
-net/tcp/connect: medium
-net/tcp/grpc: low
-net/tcp/ssh: medium
-net/udp/receive: low
-net/udp/send: low
-net/url/embedded: medium
-net/url/encode: medium
-net/url/parse: low
-net/url/request: medium
-os/env/get: low
-os/fd/sendfile: low
-os/kernel/netlink: low
-os/kernel/seccomp: low
-os/time/clock_set: low
-persist/cron/tab: medium
-persist/pid_file: medium
-privesc/setuid: low
-process/chdir: low
-process/chroot: low
-process/create: low
-process/groupid_set: low
-process/groups_set: low
-process/multithreaded: low
-process/unshare: low
-sus/exclamation: medium
-sus/intercept: medium
-sus/malicious: medium
diff --git a/tests/python/2021.DiscordSafety/setup.py.simple b/tests/python/2021.DiscordSafety/setup.py.simple
index 95d1fc67b..e1889aba2 100644
--- a/tests/python/2021.DiscordSafety/setup.py.simple
+++ b/tests/python/2021.DiscordSafety/setup.py.simple
@@ -15,6 +15,6 @@ exec/remote_commands/code_eval: critical
 exfil/stealer/browser: high
 fs/directory/create: low
 fs/path/users: medium
-impact/remote_access/py_setuptools: critical
+impact/remote_access/py_setuptools: high
 net/url/embedded: medium
 net/url/request: medium
diff --git a/tests/python/2024.Custom.RAT/output.py.simple b/tests/python/2024.Custom.RAT/output.py.simple
index 31ee7af65..51e46c620 100644
--- a/tests/python/2024.Custom.RAT/output.py.simple
+++ b/tests/python/2024.Custom.RAT/output.py.simple
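Review bot: The new expectation for tests/python/2021.DiscordSafety/setup.py.simple lowers `impact/remote_access/py_setuptools` from critical to high on a known-malicious sample, and the tests/python/2024.Custom.RAT/output.py.simple hunk does the same for `exfil/stealer/keylogger`; both are true positives, so the false-positive work is paid for with reduced severity on real malware. Whether each sample's file-level verdict (the `# path: level` line that opens a .simple file, as the wolfictl hunk above shows) stays at critical is not visible here, because both hunks begin well past line 1. A short statement in the commit description of which remaining rules still carry the critical verdict for these two samples, or a test that pins the file-level level for them, would make this downgrade reviewable rather than presumed safe.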
@@ -33,7 +33,7 @@ exec/shell/power: medium
 exfil/discord: critical
 exfil/stealer/browser: high
 exfil/stealer/discord: high
-exfil/stealer/keylogger: critical
+exfil/stealer/keylogger: high
 exfil/upload: high
 fs/directory/create: low
 fs/directory/list: low
diff --git a/tests/python/clean/airflow/botocore_config.py.simple b/tests/python/clean/airflow/botocore_config.py.simple
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/python/clean/airflow/db.py.simple b/tests/python/clean/airflow/db.py.simple
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/python/clean/airflow/kubernetes_engine.py.simple b/tests/python/clean/airflow/kubernetes_engine.py.simple
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/python/clean/conda-build/_load_setup_py_data.py.simple b/tests/python/clean/conda-build/_load_setup_py_data.py.simple
index 8572bf45a..88fdc56a1 100644
--- a/tests/python/clean/conda-build/_load_setup_py_data.py.simple
+++ b/tests/python/clean/conda-build/_load_setup_py_data.py.simple
@@ -3,7 +3,7 @@ exec/imports/python: low
 exec/remote_commands/code_eval: medium
 fs/file/exists: low
 fs/file/open: low
-impact/remote_access/py_setuptools: low
+impact/remote_access/py_setuptools: medium
 net/download: medium
 net/url/embedded: low
 os/fd/read: low
diff --git a/tests/python/clean/fonttools/psLib.py.simple b/tests/python/clean/fonttools/psLib.py.simple
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/python/clean/google-auth-library-python/setup.py.simple b/tests/python/clean/google-auth-library-python/setup.py.simple
index 09d3a2a14..170dcde4b 100644
--- a/tests/python/clean/google-auth-library-python/setup.py.simple
+++ b/tests/python/clean/google-auth-library-python/setup.py.simple
@@ -7,5 +7,6 @@ exec/remote_commands/code_eval: medium
 exec/shell/command: medium
 fs/file/open: low
 fs/file/read: low
+impact/remote_access/py_setuptools: medium
 net/url/embedded: low
 os/fd/read: low
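Review bot: `impact/remote_access/py_setuptools` now reports medium on clean setup.py files where it previously reported low (conda-build here, pydevd further down) or did not fire at all (google-auth-library-python here; idna, ml_sdk and requests further down), so on the packaging-script side this "false-positives" series raises the rule's noise floor on benign code rather than lowering it. The `false-positives/setuptools` override is added for pydevd and removed for numba in the same series, but none of the four clean setup.py files that newly gain the medium hit receive it, so the intended pairing between the detection rule and its override is only visible for one file. A one-line rationale in the commit description, or a `// why medium is the accepted floor for an ordinary setup.py` style comment in the yara rule itself, would let a reviewer confirm these expectation files encode the intended outcome rather than a regenerated snapshot.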
diff --git a/tests/python/clean/google-cloud-sdk/requests_setup.py.simple b/tests/python/clean/google-cloud-sdk/requests_setup.py.simple
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/python/clean/idna/setup.py.simple b/tests/python/clean/idna/setup.py.simple
index 3a36d1ecf..008331d6e 100644
--- a/tests/python/clean/idna/setup.py.simple
+++ b/tests/python/clean/idna/setup.py.simple
@@ -2,5 +2,6 @@ exec/imports/python: low
 exec/remote_commands/code_eval: medium
 fs/file/open: low
+impact/remote_access/py_setuptools: medium
 net/url/embedded: low
 os/fd/read: low
diff --git a/tests/python/clean/matplotlib/_backend_tk.py.simple b/tests/python/clean/matplotlib/_backend_tk.py.simple
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/python/clean/matplotlib/backend_bases.py.simple b/tests/python/clean/matplotlib/backend_bases.py.simple
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/python/clean/matplotlib/backend_qt.py.simple b/tests/python/clean/matplotlib/backend_qt.py.simple
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/python/clean/matplotlib/backend_wx.py.simple b/tests/python/clean/matplotlib/backend_wx.py.simple
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/python/clean/mitmproxy/raw_display.py.simple b/tests/python/clean/mitmproxy/raw_display.py.simple
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/python/clean/ml_sdk/setup.py.simple b/tests/python/clean/ml_sdk/setup.py.simple
index 57f63afdb..f3cad667f 100644
--- a/tests/python/clean/ml_sdk/setup.py.simple
+++ b/tests/python/clean/ml_sdk/setup.py.simple
@@ -2,5 +2,6 @@ exec/imports/python: low
 exec/remote_commands/code_eval: medium
 fs/file/open: low
+impact/remote_access/py_setuptools: medium
 net/url/embedded: low
 os/fd/read: low
diff --git a/tests/python/clean/numba/support.py.simple b/tests/python/clean/numba/support.py.simple
index 9f28257b0..585043a3a 100644
--- a/tests/python/clean/numba/support.py.simple
+++ b/tests/python/clean/numba/support.py.simple
@@ -6,7 +6,6 @@ discover/system/platform: medium
 exec/imports/python: low
 exec/program: medium
 exec/remote_commands/code_eval: medium
-false-positives/setuptools: low
 fs/directory/create: low
 fs/directory/list: low
 fs/file/open: low
diff --git a/tests/python/clean/pydevd/setup_pydevd_cython.py.simple b/tests/python/clean/pydevd/setup_pydevd_cython.py.simple
index 543cd076e..15c3ffce6 100644
--- a/tests/python/clean/pydevd/setup_pydevd_cython.py.simple
+++ b/tests/python/clean/pydevd/setup_pydevd_cython.py.simple
@@ -2,6 +2,7 @@ discover/system/platform: medium
 exec/imports/python: low
 exec/remote_commands/code_eval: medium
+false-positives/setuptools: low
 fs/directory/list: low
 fs/file/delete: low
 fs/file/exists: low
@@ -9,6 +10,6 @@ fs/file/open: low
 fs/file/read: low
 fs/file/write: low
 fs/tempdir/TEMP: low
-impact/remote_access/py_setuptools: low
+impact/remote_access/py_setuptools: medium
 os/fd/read: low
 os/fd/write: low
diff --git a/tests/python/clean/requests/setup.py.simple b/tests/python/clean/requests/setup.py.simple
index 108a1ec34..4d48c3d10 100644
--- a/tests/python/clean/requests/setup.py.simple
+++ b/tests/python/clean/requests/setup.py.simple
@@ -6,6 +6,7 @@ exec/remote_commands/code_eval: medium
 exec/shell/command: medium
 fs/file/open: low
 fs/path/usr_bin: low
+impact/remote_access/py_setuptools: medium
 net/ip/parse: medium
 net/url/embedded: low
 net/url/parse: low
diff --git a/tests/python/clean/setuptools/test_pyprojecttoml.py.simple b/tests/python/clean/setuptools/test_pyprojecttoml.py.simple
index 102f278c2..3f4fc9686 100644
--- a/tests/python/clean/setuptools/test_pyprojecttoml.py.simple
+++ b/tests/python/clean/setuptools/test_pyprojecttoml.py.simple
@@ -4,6 +4,5 @@ discover/system/platform: medium
 exec/imports/python: low
 exec/shell/command: medium
 fs/file/open: low
-impact/remote_access/py_setuptools: low
 net/url/embedded: low
 os/fd/write: low
From a6b38fe0e4936d15db443cae1535ec783458cbc8 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 17 Dec 2024 16:29:55 -0500
Subject: [PATCH 2/4] Update testdata
---
 pkg/action/testdata/scan_archive | 2487 +++++++++++++++++ rules/impact/remote_access/py_setuptools.yara | 24 +- .../emp3r0r.agent.simple | 173 ++ tests/linux/clean/buildah.simple | 159 ++ tests/linux/clean/buildkitd.simple | 132 + tests/linux/clean/caddy.simple | 163 ++ tests/linux/clean/chezmoi.simple | 172 ++ tests/linux/clean/chrome.simple | 184 ++ tests/linux/clean/clickhouse.simple | 205 ++ tests/linux/clean/code-oss.md | 192 ++ tests/linux/clean/containerd.simple | 134 + .../securitySolution.chunk.22.js.simple | 48 + .../kibana/securitySolution.chunk.9.js.simple | 70 + tests/linux/clean/kuma-cp.simple | 142 + tests/linux/clean/libgcj.so.17.0.0.simple | 103 + tests/linux/clean/libgcj.so.17.simple | 103 + tests/linux/clean/melange.simple | 160 ++ tests/linux/clean/mongosh.simple | 194 ++ tests/linux/clean/opa.simple | 106 + tests/linux/clean/pandoc.md | 175 ++ tests/linux/clean/pulumi.simple | 159 ++ tests/linux/clean/slack.md | 193 ++ tests/linux/clean/trivy.simple | 201 ++ tests/linux/clean/trufflehog.md | 194 ++ tests/linux/clean/wolfictl.simple | 192 ++ .../clean/airflow/botocore_config.py.simple | 7 + tests/python/clean/airflow/db.py.simple | 13 + .../clean/airflow/kubernetes_engine.py.simple | 6 + tests/python/clean/fonttools/psLib.py.simple | 3 + .../google-cloud-sdk/requests_setup.py.simple | 12 + .../clean/matplotlib/_backend_tk.py.simple | 6 + .../clean/matplotlib/backend_bases.py.simple | 7 + .../clean/matplotlib/backend_qt.py.simple | 9 + .../clean/matplotlib/backend_wx.py.simple | 5 + .../clean/mitmproxy/raw_display.py.simple | 16 + 35 files changed, 6138 insertions(+), 11 deletions(-)
diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
index e69de29bb..45e3bfcfa 100644
--- a/pkg/action/testdata/scan_archive
+++ b/pkg/action/testdata/scan_archive
@@ -0,0 +1,2487 @@ +{ + "Files": { + "/apko_0.13.2_linux_arm64/apko": { + "Path": "testdata/apko_nested.tar.gz ∴ /apko_0.13.2_linux_arm64/apko", + "SHA256": "ad237dc65d25cfe673b4891e189e9ff1fd041ec817133ac6c565120a6a189189", + "Size": 26400952, + "Syscalls": [ + "accept", + "adjtimex", + "chmod", + "chown", + "chroot", + "clone", + "close", + "execve", + "fchmodat", + "fchown", + "flock", + "fsync", + "getegid", + "geteuid", + "getpeername", + "getpid", + "getrlimit", + "getsockname", + "getsockopt", + "getuid", + "getwd", + "ioctl", + "kill", + "linkat", + "lstat", + "madvise", + "mknod", + "mount", + "nice", + "open", + "pivot_root", + "posix_spawn", + "pread64", + "pwrite64", + "readlink", + "recv", + "rename", + "send", + "sendfile", + "sendmsg", + "sendto", + "setgroups", + "setrlimit", + "setsid", + "setsockopt", + "stat", + "swapoff", + "swapon", + "symlink", + "symlinkat", + "sysctl", + "truncate", + "umount", + "unlink", + "unshare" + ], + "Pledge": [ + "cpath", + "exec", + "fattr", + "flock", + "id", + "inet", + "proc", + "rpath", + "settime", + "stdio", + "sysctl", + "wpath" + ], + "Behaviors": [ + { + "Description": "Contains a table that may be used for XOR decryption", + "MatchStrings": [ + "56789abcdefghijklmnopqrstuvwxyzABCDE::$ref" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/xor/xor-table.yara#xor_table", + "ID": "anti-static/xor/table", + "RuleName": "xor_table" + }, + { + "Description": "mentions an IP and port", + "MatchStrings": [ + "IP", + "dIp", + "getPort", + "hIp", + "hasPort", + "iIp", + "kIp", + "lIp", + "lookupPort", + "mIp", + "oIp", + "pIp", + "parsePort", + "qfIp", + "rxPort", + "sfIp", + "yIp", + "zIp" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention", + "ID": "c2/addr/ip", + "RuleName": "ip_port_mention" + }, + { + "Description": "references 
a 'server address', possible C2 client", + "MatchStrings": [ + "serverAddress" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address", + "ID": "c2/addr/server", + "RuleName": "server_address" + }, + { + "Description": "binary contains hardcoded URL", + "MatchStrings": [ + "http://localhost", + "http://www.w3.org/XML/1998/namespacexml", + "https://GoString01234567beEfFgGvsignal", + "https://alpinelinux.org/releases.jsondid", + "https://github.com/chainguard", + "https://github.com/google/go", + "https://github.com/spf13/cobra/issues/1279", + "https://github.com/spf13/cobra/issues/1508", + "https://index.docker.io/v1/Path", + "https://index.docker.io/v2/library/ubuntu/tags/list", + "https://pkg.go.dev/text/template", + "https://reproducible", + "https://spdx.org/spdxdocs/apko/directory" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url", + "ID": "c2/addr/url", + "RuleName": "binary_with_url" + }, + { + "Description": "contains a client ID", + "MatchStrings": [ + "client_id" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID", + "ID": "c2/client", + "RuleName": "clientID" + }, + { + "Description": "references a specific architecture", + "MatchStrings": [ + "AMD64", + "amd64", + "arm64", + "http://", + "https://", + "x86_64" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref", + "ID": "c2/tool_transfer/arch", + "RuleName": "arch_ref" + }, + { + "Description": "references multiple operating systems", + "MatchStrings": [ + "Linux", + "Windows", + "http://", + "https://", + "macOS" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref", + "ID": "c2/tool_transfer/os", + "RuleName": "multiple_os_ref" + }, + { + "Description": "Works with zip files", + "MatchStrings": [ + "archive/zip" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip", + "ID": "collect/archives/zip", + "RuleName": "zip" + }, + { + "Description": "accesses a keychain", + "MatchStrings": [ + "Keychain", + "keychain" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain", + "ID": "credential/keychain", + "RuleName": "keychain" + }, + { + "Description": "references a 'password'", + "MatchStrings": [ + "IncorrectPasswordError", + "Password from", + "PasswordHashIterations", + "UserPassword", + "and password requiredreading", + "bson bytes as Passwordopenpgp", + "passwordSet", + "passwordStdin", + "socksUsernamePassword", + "stripPassword", + "with a password", + "wpassword-stdinparsing" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password", + "ID": "credential/password", + "RuleName": "password" + }, + { + "Description": "References private keys", + "MatchStrings": [ + "privateKey", + "private_key" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val", + "ID": "credential/ssl/private_key", + "RuleName": "private_key_val" + }, + { + "Description": "Supports AES (Advanced Encryption Standard)", + "MatchStrings": [ + "AES", + "crypto/aes" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes", + "ID": "crypto/aes", 
+ "RuleName": "crypto_aes" + }, + { + "Description": "mentions 'ciphertext'", + "MatchStrings": [ + "ciphertext" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext", + "ID": "crypto/cipher", + "RuleName": "ciphertext" + }, + { + "Description": "decrypts data", + "MatchStrings": [ + "DecryptPEMBlock", + "DecryptPKCS1v15SessionK", + "DecryptPrivateKeys", + "DecryptTicket", + "DecrypterOpts", + "DecrypterreadPythonMult", + "DecryptionKeys", + "ErrDecryption", + "NewCBCDecrypter", + "NewCFBDecrypter", + "NewOCFBDecrypter", + "PKCS1v15DecryptOptions", + "aeadDecrypter", + "cbcDecrypter", + "lid options for Decrypttags don", + "newDecrypter", + "ocfbDecrypter", + "pter type in NewDecrypterPrivateKeyargu", + "rsaDecryptOk" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt", + "ID": "crypto/decrypt", + "RuleName": "decrypt" + }, + { + "Description": "Uses the Go crypto/ecdsa library", + "MatchStrings": [ + "crypto/ecdsa" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa", + "ID": "crypto/ecdsa", + "RuleName": "crypto_ecdsa" + }, + { + "Description": "Elliptic curve algorithm used by TLS and SSH", + "MatchStrings": [ + "ed25519" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519", + "ID": "crypto/ed25519", + "RuleName": "ed25519" + }, + { + "Description": "elliptic", + "MatchStrings": [ + "crypto/elliptic", + "elliptic.p224", + "elliptic.p256", + "p256Inverse" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/elliptic.yara#elliptic", + "ID": "crypto/elliptic", + "RuleName": "elliptic" + }, + { + 
"Description": "references a 'public key'", + "MatchStrings": [ + "Public Key", + "PublicKey", + "public key", + "public-key", + "publicKey", + "public_key", + "publickey" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key", + "ID": "crypto/public_key", + "RuleName": "public_key" + }, + { + "Description": "tls", + "MatchStrings": [ + "TLS13", + "TLSVersion", + "crypto/tls" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls", + "ID": "crypto/tls", + "RuleName": "tls" + }, + { + "Description": "Works with bzip2 files", + "MatchStrings": [ + "bzip2" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2", + "ID": "data/compression/bzip2", + "RuleName": "bzip2" + }, + { + "Description": "works with gzip files", + "MatchStrings": [ + "gzip" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip", + "ReferenceURL": "https://www.gnu.org/software/gzip/", + "ID": "data/compression/gzip", + "RuleName": "gzip" + }, + { + "Description": "works with lzma files", + "MatchStrings": [ + "lzma" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma", + "ReferenceURL": "https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm", + "ID": "data/compression/lzma", + "RuleName": "lzma" + }, + { + "Description": "uses zlib", + "MatchStrings": [ + "zlib" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib", + "ID": "data/compression/zlib", + "RuleName": "zlib" + }, + { + "Description": 
"Zstandard: fast real-time compression algorithm", + "MatchStrings": [ + "(\ufffd/\ufffd", + "zstd" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd", + "ID": "data/compression/zstd", + "RuleName": "zstd" + }, + { + "Description": "Contains embedded PEM certificate", + "MatchStrings": [ + "-----BEGIN CERTIFICATE-----" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert", + "ID": "data/embedded/pem_certificate", + "RuleName": "begin_cert" + }, + { + "Description": "Contains TESTING KEY directive", + "MatchStrings": [ + "TESTING KEY-----" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-test_key.yara#testing_key", + "ID": "data/embedded/pem_test_key", + "RuleName": "testing_key" + }, + { + "Description": "Contains embedded SSH signature", + "MatchStrings": [ + "--BEGIN SSH SIGNATURE--" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-ssh-signature.yara#ssh_signature", + "ID": "data/embedded/ssh_signature", + "RuleName": "ssh_signature" + }, + { + "Description": "Contains compressed content in ZStandard format", + "MatchStrings": [ + "(\ufffd/\ufffd" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-zstd.yara#embedded_zstd", + "ReferenceURL": "https://github.com/facebook/zstd", + "ID": "data/embedded/zstd", + "RuleName": "embedded_zstd" + }, + { + "Description": "go asn1", + "MatchStrings": [ + "asn1.parse", + "encoding/asn1" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/asn1.yara#go_asn1", + "ID": "data/encoding/asn1", + "RuleName": "go_asn1" + }, + { + "Description": "Supports base64 encoded strings", + "MatchStrings": [ + "base64" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64", + "ID": "data/encoding/base64", + "RuleName": "b64" + }, + { + "Description": "Supports JSON encoded objects", + "MatchStrings": [ + "encoding/json" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json.yara#encoding_json", + "ID": "data/encoding/json", + "RuleName": "encoding_json" + }, + { + "Description": "Decodes JSON messages", + "MatchStrings": [ + "json.Unmarshal" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode", + "ID": "data/encoding/json_decode", + "RuleName": "jsondecode" + }, + { + "Description": "encodes JSON", + "MatchStrings": [ + "MarshalJSON" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#MarshalJSON", + "ID": "data/encoding/json_encode", + "RuleName": "MarshalJSON" + }, + { + "Description": "protobuf", + "MatchStrings": [ + "protobuf" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/protobuf.yara#protobuf", + "ID": "data/encoding/protobuf", + "RuleName": "protobuf" + }, + { + "Description": "Uses blake2b encryption algorithm", + "MatchStrings": [ + "blake2b" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/blake2b.yara#crypto_blake2b", + "ID": "data/hash/blake2b", + "RuleName": "crypto_blake2b" + }, 
+ { + "Description": "Uses the MD5 signature format", + "MatchStrings": [ + "md5:" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5", + "ID": "data/hash/md5", + "RuleName": "MD5" + }, + { + "Description": "Uses the SHA512 signature format", + "MatchStrings": [ + "SHA512" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha512.yara#SHA512", + "ID": "data/hash/sha512", + "RuleName": "SHA512" + }, + { + "Description": "list network interfaces", + "MatchStrings": [ + "ifconfig" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs", + "ID": "discover/network/interface_list", + "RuleName": "bsd_ifaddrs" + }, + { + "Description": "Retrieves network MAC address", + "MatchStrings": [ + "MAC address" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr", + "ID": "discover/network/mac_address", + "RuleName": "macaddr" + }, + { + "Description": "Uses 'netstat' for network information", + "MatchStrings": [ + "netstat" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat", + "ID": "discover/network/netstat", + "RuleName": "netstat" + }, + { + "Description": "returns the effective group id of the current process", + "MatchStrings": [ + "Getegid" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/egid.yara#getegid", + "ID": "discover/process/egid", + "RuleName": "getegid" + }, + { + "Description": "returns the effective user id of the current process", + "MatchStrings": [ + "Geteuid" + ], + 
"RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/euid.yara#geteuid", + "ID": "discover/process/euid", + "RuleName": "geteuid" + }, + { + "Description": "gets the active process ID", + "MatchStrings": [ + "getpid" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/pid.yara#getpid", + "ID": "discover/process/pid", + "RuleName": "getpid" + }, + { + "Description": "retrieve resource limits", + "MatchStrings": [ + "Getrlimit", + "getrlimit" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/resource-limits.yara#getrlimit", + "ID": "discover/process/resource_limits", + "RuleName": "getrlimit" + }, + { + "Description": "returns the user id of the current process", + "MatchStrings": [ + "Getuid" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/uid.yara#getuid", + "ID": "discover/process/uid", + "RuleName": "getuid" + }, + { + "Description": "gets current working directory", + "MatchStrings": [ + "Getwd", + "getwd" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/working_directory.yara#getwd", + "ID": "discover/process/working_directory", + "RuleName": "getwd" + }, + { + "Description": "Finds program in process table", + "MatchStrings": [ + "pgrep" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/processes/pgrep.yara#pgrep", + "ID": "discover/processes/pgrep", + "RuleName": "pgrep" + }, + { + "Description": "gets number of processors", + "MatchStrings": [ + "nproc" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu.yara#processor_count", + "ReferenceURL": "https://man7.org/linux/man-pages/man3/get_nprocs.3.html", + "ID": "discover/system/cpu", + "RuleName": "processor_count" + }, + { + "Description": "accesses the kernel log ring buffer", + "MatchStrings": [ + "dmesg" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/dmesg.yara#dmesg", + "ID": "discover/system/dmesg", + "RuleName": "dmesg" + }, + { + "Description": "get computer host name", + "MatchStrings": [ + "/proc/sys/kernel/hostname" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/sethostname.2.html", + "ID": "discover/system/hostname", + "RuleName": "gethostname" + }, + { + "Description": "system identification", + "MatchStrings": [ + "syscall.Uname", + "uname" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname", + "ReferenceURL": "https://man7.org/linux/man-pages/man1/uname.1.html", + "ID": "discover/system/platform", + "RuleName": "uname" + }, + { + "Description": "Looks up the HOME directory for the current user", + "MatchStrings": [ + "HOME", + "getenv" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME", + "ReferenceURL": "https://man.openbsd.org/login.1#ENVIRONMENT", + "ID": "discover/user/HOME", + "RuleName": "HOME" + }, + { + "Description": "Looks up the USER name of the current user", + "MatchStrings": [ + "USER", + "environ", + "getenv" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER", + "ReferenceURL": "https://man.openbsd.org/login.1#ENVIRONMENT", + "ID": "discover/user/USER", + "RuleName": "USER" + }, + { + "Description": "get entry from passwd (user) database", + "MatchStrings": [ + "user/lookup" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/lookup.yara#getpwuid", + "ID": "discover/user/lookup", + "RuleName": "getpwuid" + }, + { + "Description": "returns the user name running this process", + "MatchStrings": [ + "whoami" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami", + "ReferenceURL": "https://man7.org/linux/man-pages/man1/whoami.1.html", + "ID": "discover/user/name_get", + "RuleName": "whoami" + }, + { + "Description": "hidden path generated dynamically", + "MatchStrings": [ + "%s/.ssh" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path", + "ReferenceURL": "https://objective-see.org/blog/blog_0x73.html", + "ID": "evasion/file/prefix", + "RuleName": "dynamic_hidden_path" + }, + { + "Description": "change the root mount location", + "MatchStrings": [ + "pivot_root" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hide_artifacts/pivot_root.yara#pivot_root", + "ID": "evasion/hide_artifacts/pivot_root", + "RuleName": "pivot_root" + }, + { + "Description": "references a 'plugin'", + "MatchStrings": [ + "ErrIntOverflowPlugin", + "ErrInvalidLengthPlugin", + "PluginConfigArgs", + "PluginConfigInterface", + "PluginConfigLinux", + "PluginConfigNetwork", + "PluginConfigRootfs", + "PluginConfigUser", + "PluginCreateOptions", + "PluginDescription", + 
"PluginDevice", + "PluginDisableOptions", + "PluginEnableOptions", + "PluginEnv", + "PluginInspectWithRaw", + "PluginInstallOptions", + "PluginInterfaceType", + "PluginList", + "PluginMount", + "PluginName", + "PluginPrivileges", + "PluginPush", + "PluginReference", + "PluginRemoveOptions", + "PluginSettings", + "PluginSpecwrong", + "PluginsFormat", + "PluginsInfo", + "PluginsListResponse", + "SetPluginConfig", + "_pingOSTypepluginsecret", + "both a container spec and a plugin spec in", + "denied while installing plugin", + "encodeVarintPlugin", + "fileDescriptorPlugin", + "plugin_create", + "plugin_disable", + "plugin_enable", + "plugin_inspect", + "plugin_install", + "plugin_list", + "plugin_push", + "plugin_remove", + "plugin_responses", + "plugin_set", + "plugin_upgrade", + "pluginpath", + "pluginsFormat", + "skipPlugin", + "sovPlugin", + "tryPluginPull", + "tryPluginUpgrade" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin", + "ID": "exec/plugin", + "RuleName": "plugin" + }, + { + "Description": "executes external programs", + "MatchStrings": [ + ").CombinedOutput", + "exec.(*Cmd).Run" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#exec_cmd_run", + "ID": "exec/program", + "RuleName": "exec_cmd_run" + }, + { + "Description": "calls sleep and runs shell code in the background", + "MatchStrings": [ + "#!", + "2\u003e\u00261 \u0026", + "nohup" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/background-sleep.yara#sleep_and_background", + "ID": "exec/shell/background_sleep", + "RuleName": "sleep_and_background" + }, + { + "Description": "executes shell", + "MatchStrings": [ + "/bin/bash", + "/bin/sh" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#calls_shell", + "ID": "exec/shell/exec", + "RuleName": "calls_shell" + }, + { + "Description": "works with block device attributes", + "MatchStrings": [ + "blkid" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/blkid.yara#blkid", + "ReferenceURL": "https://man7.org/linux/man-pages/man8/blkid.8.html", + "ID": "fs/blkid", + "RuleName": "blkid" + }, + { + "Description": "manipulate the device parameters of special files", + "MatchStrings": [ + "ioctl" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/device-control.yara#ioctl", + "ID": "fs/device_control", + "RuleName": "ioctl" + }, + { + "Description": "creates directories", + "MatchStrings": [ + "mkdir" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/mkdir.2.html", + "ID": "fs/directory/create", + "RuleName": "mkdir" + }, + { + "Description": "Uses Go functions to list a directory", + "MatchStrings": [ + ".ReadDir" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir", + "ID": "fs/directory/list", + "RuleName": "GoReadDir" + }, + { + "Description": "Uses libc functions to remove directories", + "MatchStrings": [ + "Rmdir", + "rmdir" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir", + "ID": "fs/directory/remove", + "RuleName": "rmdir" + }, + { + "Description": "make a FIFO special file (a named pipe)", + "MatchStrings": [ + "mkfifo" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/fifo-create.yara#mkfifo", + "ID": "fs/fifo_create", + "RuleName": "mkfifo" + }, + { + "Description": "check if the current user can access a file", + "MatchStrings": [ + "faccessat2" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-access-check.yara#_access", + "ID": "fs/file/access_check", + "RuleName": "_access" + }, + { + "Description": "deletes files", + "MatchStrings": [ + "unlinkat" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/unlink.2.html", + "ID": "fs/file/delete", + "RuleName": "unlink" + }, + { + "Description": "Forcibly deletes files", + "MatchStrings": [ + "rm non-TreeNodersopenpgp" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force", + "ID": "fs/file/delete_forcibly", + "RuleName": "rm_force" + }, + { + "Description": "opens files", + "MatchStrings": [ + "openFile" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#java_open", + "ID": "fs/file/open", + "RuleName": "java_open" + }, + { + "Description": "reads files", + "MatchStrings": [ + "ReadFile", + "os.(*File).Read" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read", + "ID": "fs/file/read", + "RuleName": "go_file_read" + }, + { + "Description": "renames files", + "MatchStrings": [ + "os.rename" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename", + "ID": "fs/file/rename", + 
"RuleName": "explicit_rename" + }, + { + "Description": "access filesystem metadata", + "MatchStrings": [ + "fs.statDirEntry" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat", + "ID": "fs/file/stat", + "RuleName": "npm_stat" + }, + { + "Description": "forcibly synchronizes file state to disk", + "MatchStrings": [ + "fsync", + "syscall.Fsync" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-sync.yara#fsync", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/fsync.2.html", + "ID": "fs/file/sync", + "RuleName": "fsync" + }, + { + "Description": "truncate a file to a specified length", + "MatchStrings": [ + "truncate" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#truncate", + "ID": "fs/file/truncate", + "RuleName": "truncate" + }, + { + "Description": "writes to file", + "MatchStrings": [ + "AllowOverwriteDirWithFile", + "WriteFile", + "writeFilePatchHeader", + "writeIndexToFile", + "writeOneFile", + "writeRawFile" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write", + "ID": "fs/file/write", + "RuleName": "file_write" + }, + { + "Description": "May create hard file links", + "MatchStrings": [ + "linkat" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat", + "ID": "fs/link_create", + "RuleName": "linkat" + }, + { + "Description": "read value of a symbolic link", + "MatchStrings": [ + "readlinkat" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink", + "ReferenceURL": 
"https://man7.org/linux/man-pages/man2/readlink.2.html", + "ID": "fs/link_read", + "RuleName": "readlink" + }, + { + "Description": "apply or remove an advisory lock on a file", + "MatchStrings": [ + "flock" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock", + "ID": "fs/lock_update", + "RuleName": "flock" + }, + { + "Description": "mounts file systems", + "MatchStrings": [ + "-o", + "mount" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount", + "ID": "fs/mount", + "RuleName": "mount" + }, + { + "Description": "create device files", + "MatchStrings": [ + "mknod" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/mknod.2.html", + "ID": "fs/node_create", + "RuleName": "mknod" + }, + { + "Description": "Calls /bin/su", + "MatchStrings": [ + "/bin/su" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/bin-su.yara#bin_su", + "ID": "fs/path/bin_su", + "RuleName": "bin_su" + }, + { + "Description": "References /dev/null", + "MatchStrings": [ + "/dev/null" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/dev-null.yara#dev_null", + "ID": "fs/path/dev_null", + "RuleName": "dev_null" + }, + { + "Description": "path reference within /etc", + "MatchStrings": [ + "/etc/apache/mime.typeshpack", + "/etc/apk/keys/etc/apk/archcached", + "/etc/apk/lib/apk", + "/etc/apk/repositories/lib/apk/db/inst", + "/etc/apk/world", + "/etc/bash", + "/etc/busybox-paths.d/usr/bin/setkeyco", + "/etc/default/motd-newsformat", + "/etc/group", + "/etc/hostsgetsockoptnetlinkrib", + "/etc/httpd/conf/mime.typesmime", + 
"/etc/mime.types", + "/etc/nsswitch.confinvalid", + "/etc/os-release", + "/etc/passwdparse", + "/etc/pki/ca-trust/extracted/pem/tls-c", + "/etc/pki/tls/cacert.peminvalid", + "/etc/pki/tls/certs/ca-bundle.crtx", + "/etc/pki/tls/certsunexpected", + "/etc/protocolsunknown", + "/etc/resolv.confnon-", + "/etc/security/cacertsx", + "/etc/services/etc/apk/keys/etc/apk/ar", + "/etc/ssh/ssh", + "/etc/ssl/ca-bundle.pemx", + "/etc/ssl/cert.peminvalid", + "/etc/ssl/certs/ca-certificates.crttim", + "/etc/ssl/certsbad", + "/etc/zoneinfoparsing" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path", + "ID": "fs/path/etc", + "RuleName": "etc_path" + }, + { + "Description": "references /etc/hosts", + "MatchStrings": [ + "/etc/hosts" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts", + "ID": "fs/path/etc_hosts", + "RuleName": "etc_hosts" + }, + { + "Description": "accesses DNS resolver configuration", + "MatchStrings": [ + "/etc/resolv.conf" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf", + "ID": "fs/path/etc_resolv.conf", + "RuleName": "etc_resolv_conf" + }, + { + "Description": "references path within /home", + "MatchStrings": [ + "/home/sha2561.32.11.33.01.33.11.33.21.34.01.34.11.35.01.36.0ID" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path", + "ID": "fs/path/home", + "RuleName": "home_path" + }, + { + "Description": "path reference within ~/.config", + "MatchStrings": [ + "~/.config/fish/completions/" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path", + 
"ID": "fs/path/home_config", + "RuleName": "home_config_path" + }, + { + "Description": "references and possibly executes relative path", + "MatchStrings": [ + "./line", + "./pipe" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val", + "ID": "fs/path/relative", + "RuleName": "relative_path_val" + }, + { + "Description": "path reference within /root", + "MatchStrings": [ + "/root/linuxrc/sbin/hwclock/sbin/ipneigh/sbin/iproute/sbin/logread/sbin" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/root.yara#root_path_val", + "ID": "fs/path/root", + "RuleName": "root_path_val" + }, + { + "Description": "path reference within /usr/bin", + "MatchStrings": [ + "/usr/bin/ar", + "/usr/bin/ascii", + "/usr/bin/awk", + "/usr/bin/basename", + "/usr/bin/bc", + "/usr/bin/beep", + "/usr/bin/blkdiscard", + "/usr/bin/bunzip2", + "/usr/bin/bzcat", + "/usr/bin/bzip2", + "/usr/bin/cal", + "/usr/bin/chcon", + "/usr/bin/chpst", + "/usr/bin/chrt", + "/usr/bin/chvt", + "/usr/bin/cksum", + "/usr/bin/clear", + "/usr/bin/cmp", + "/usr/bin/comm", + "/usr/bin/crc32", + "/usr/bin/crontab", + "/usr/bin/cryptpw", + "/usr/bin/cut", + "/usr/bin/dc", + "/usr/bin/deallocvt", + "/usr/bin/diff", + "/usr/bin/dirname", + "/usr/bin/dos2unix", + "/usr/bin/dpkg-deb", + "/usr/bin/dumpleases", + "/usr/bin/eject", + "/usr/bin/envdir", + "/usr/bin/envuidgid", + "/usr/bin/expand", + "/usr/bin/expr", + "/usr/bin/factor", + "/usr/bin/fallocate", + "/usr/bin/fgconsole", + "/usr/bin/find", + "/usr/bin/flock", + "/usr/bin/fold", + "/usr/bin/free", + "/usr/bin/ftpget", + "/usr/bin/ftpput", + "/usr/bin/fuser", + "/usr/bin/groups", + "/usr/bin/hd", + "/usr/bin/head", + "/usr/bin/hexdump", + "/usr/bin/hexedit", + "/usr/bin/hostid", + "/usr/bin/id", + "/usr/bin/install", + "/usr/bin/ipcrm", + "/usr/bin/ipcs", + "/usr/bin/killall", + 
"/usr/bin/last", + "/usr/bin/less", + "/usr/bin/logger", + "/usr/bin/logname", + "/usr/bin/lpq", + "/usr/bin/lpr", + "/usr/bin/lsof", + "/usr/bin/lspci", + "/usr/bin/lsscsi", + "/usr/bin/lsusb", + "/usr/bin/lzcat", + "/usr/bin/lzma", + "/usr/bin/lzopcat", + "/usr/bin/man", + "/usr/bin/md5sum", + "/usr/bin/mesg", + "/usr/bin/microcom", + "/usr/bin/mkfifo", + "/usr/bin/mkpasswd", + "/usr/bin/nc", + "/usr/bin/netcat", + "/usr/bin/nl", + "/usr/bin/nmeter", + "/usr/bin/nohup", + "/usr/bin/nproc", + "/usr/bin/nsenter", + "/usr/bin/nslookup", + "/usr/bin/od", + "/usr/bin/openvt", + "/usr/bin/passwd", + "/usr/bin/paste", + "/usr/bin/patch", + "/usr/bin/pgrep", + "/usr/bin/pkill", + "/usr/bin/pmap", + "/usr/bin/printf", + "/usr/bin/pscan", + "/usr/bin/pstree", + "/usr/bin/pwdx", + "/usr/bin/readlink", + "/usr/bin/realpath", + "/usr/bin/renice", + "/usr/bin/reset", + "/usr/bin/resize", + "/usr/bin/rpm2cpio", + "/usr/bin/runcon", + "/usr/bin/runsvdir", + "/usr/bin/rx", + "/usr/bin/script", + "/usr/bin/seq", + "/usr/bin/setfattr", + "/usr/bin/setkeycodes", + "/usr/bin/setsid", + "/usr/bin/setuidgid", + "/usr/bin/sha1sum", + "/usr/bin/sha256sum", + "/usr/bin/sha3sum", + "/usr/bin/sha512sum", + "/usr/bin/showkey", + "/usr/bin/shred", + "/usr/bin/shuf", + "/usr/bin/smemcap", + "/usr/bin/softlimit", + "/usr/bin/sort", + "/usr/bin/split", + "/usr/bin/ssl_client", + "/usr/bin/strings", + "/usr/bin/sum", + "/usr/bin/svc", + "/usr/bin/svok", + "/usr/bin/tac", + "/usr/bin/tail", + "/usr/bin/taskset", + "/usr/bin/tcpsvd", + "/usr/bin/tee", + "/usr/bin/telnet", + "/usr/bin/test", + "/usr/bin/tftp", + "/usr/bin/timeout", + "/usr/bin/top", + "/usr/bin/traceroute6", + "/usr/bin/tree", + "/usr/bin/truncate", + "/usr/bin/tsortVERSION_ID", + "/usr/bin/ttysize", + "/usr/bin/udhcpc6", + "/usr/bin/udpsvd", + "/usr/bin/unexpand", + "/usr/bin/uniq", + "/usr/bin/unit", + "/usr/bin/unix2dos", + "/usr/bin/unlink", + "/usr/bin/unlzma", + "/usr/bin/unlzop", + "/usr/bin/unshare", + "/usr/bin/unxz", + 
"/usr/bin/unzip", + "/usr/bin/uptime", + "/usr/bin/users", + "/usr/bin/uudecode", + "/usr/bin/uuencode", + "/usr/bin/vlock", + "/usr/bin/volname", + "/usr/bin/wall", + "/usr/bin/wc", + "/usr/bin/wget", + "/usr/bin/which", + "/usr/bin/whoami", + "/usr/bin/whois", + "/usr/bin/xargs", + "/usr/bin/xxd", + "/usr/bin/xzcat", + "/usr/bin/yes" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path", + "ID": "fs/path/usr_bin", + "RuleName": "usr_bin_path" + }, + { + "Description": "path reference within /usr/local/bin", + "MatchStrings": [ + "/usr/local/bin" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-local.yara#usr_local_bin_path", + "ID": "fs/path/usr_local", + "RuleName": "usr_local_bin_path" + }, + { + "Description": "path reference within /usr/sbin", + "MatchStrings": [ + "/usr/sbin/add-shell/usr/sbin/dhcprelay/usr/sbin/getsebool/usr/sbin/i2cdete", + "/usr/sbin/addgroup/usr/sbin/chpasswd/usr/sbin/delgroup/usr/sbin/fdformat/u", + "/usr/sbin/adduser/usr/sbin/deluser/usr/sbin/flashcp/usr/sbin/i2cdump/usr/s", + "/usr/sbin/arping/usr/sbin/chroot/usr/sbin/i2cget/usr/sbin/i2cset/usr/sbin/", + "/usr/sbin/brctl/usr/sbin/crond/usr/sbin/fbset/usr/sbin/httpd/usr/sbin/inet", + "/usr/sbin/chat/usr/sbin/dnsd/usr/sbin/ftpd/usr/sbin/ntpd/usr/sbin/rdev/usr", + "/usr/sbin/chpasswd/usr/sbin/delgroup/usr/sbin/fdformat/usr/sbin/fsfreeze/u", + "/usr/sbin/chroot/usr/sbin/i2cget/usr/sbin/i2cset/usr/sbin/rfkill/usr/sbin/", + "/usr/sbin/crond/usr/sbin/fbset/usr/sbin/httpd/usr/sbin/inetd/usr/sbin/rdat", + "/usr/sbin/delgroup/usr/sbin/fdformat/usr/sbin/fsfreeze/usr/sbin/killall5/u", + "/usr/sbin/deluser/usr/sbin/flashcp/usr/sbin/i2cdump/usr/sbin/ifplugd/usr/s", + "/usr/sbin/dhcprelay/usr/sbin/getsebool/usr/sbin/i2cdetect/usr/sbin/nandwri", + 
"/usr/sbin/dnsd/usr/sbin/ftpd/usr/sbin/ntpd/usr/sbin/rdev/usr/bin/ascii/usr", + "/usr/sbin/ether-wake/usr/sbin/fakeidentd/usr/sbin/flash_lock/usr/sbin/gete", + "/usr/sbin/fakeidentd/usr/sbin/flash_lock/usr/sbin/getenforce/usr/sbin/nbd-", + "/usr/sbin/fbset/usr/sbin/httpd/usr/sbin/inetd/usr/sbin/rdate/usr/sbin/tftp", + "/usr/sbin/fdformat/usr/sbin/fsfreeze/usr/sbin/killall5/usr/sbin/loadfont/u", + "/usr/sbin/flash_eraseall/usr/sbin/selinuxenabledskipping", + "/usr/sbin/flash_lock/usr/sbin/getenforce/usr/sbin/nbd-client/usr/sbin/popm", + "/usr/sbin/flash_unlock/usr/sbin/matchpathcon/usr/sbin/remove-shell/usr/sbi", + "/usr/sbin/flashcp/usr/sbin/i2cdump/usr/sbin/ifplugd/usr/sbin/nologin/usr/s", + "/usr/sbin/fsfreeze/usr/sbin/killall5/usr/sbin/loadfont/usr/sbin/nanddump/u", + "/usr/sbin/ftpd/usr/sbin/ntpd/usr/sbin/rdev/usr/bin/ascii/usr/bin/crc32/usr", + "/usr/sbin/getenforce/usr/sbin/nbd-client/usr/sbin/popmaildir/usr/sbin/sete", + "/usr/sbin/getsebool/usr/sbin/i2cdetect/usr/sbin/nandwrite/usr/sbin/partpro", + "/usr/sbin/httpd/usr/sbin/inetd/usr/sbin/rdate/usr/sbin/tftpd", + "/usr/sbin/i2cdetect/usr/sbin/nandwrite/usr/sbin/partprobe/usr/sbin/readahe", + "/usr/sbin/i2cdump/usr/sbin/ifplugd/usr/sbin/nologin/usr/sbin/rtcwake/usr/s", + "/usr/sbin/i2cget/usr/sbin/i2cset/usr/sbin/rfkill/usr/sbin/svlogd/usr/sbin/", + "/usr/sbin/i2cset/usr/sbin/rfkill/usr/sbin/svlogd/usr/sbin/udhcpd", + "/usr/sbin/i2ctransfer/usr/sbin/load_policy/usr/sbin/readprofile", + "/usr/sbin/ifplugd/usr/sbin/nologin/usr/sbin/rtcwake/usr/sbin/setfont/usr/s", + "/usr/sbin/killall5/usr/sbin/loadfont/usr/sbin/nanddump/usr/sbin/powertop/u", + "/usr/sbin/loadfont/usr/sbin/nanddump/usr/sbin/powertop/usr/sbin/sendmail/u", + "/usr/sbin/lpd/usr/sbin/mim/usr/bin/tree", + "/usr/sbin/matchpathcon/usr/sbin/remove-shell/usr/sbin/ubiupdatevolgenerati", + "/usr/sbin/nanddump/usr/sbin/powertop/usr/sbin/sendmail/usr/sbin/sestatus/u", + "/usr/sbin/nandwrite/usr/sbin/partprobe/usr/sbin/readahead/usr/sbin/setsebo", + 
"/usr/sbin/nbd-client/usr/sbin/popmaildir/usr/sbin/setenforce/usr/sbin/setl", + "/usr/sbin/nologin/usr/sbin/rtcwake/usr/sbin/setfont/usr/sbin/telnetd/usr/s", + "/usr/sbin/ntpd/usr/sbin/rdev/usr/bin/ascii/usr/bin/crc32/usr/bin/tsortVERS", + "/usr/sbin/partprobe/usr/sbin/readahead/usr/sbin/setsebool/usr/sbin/ubiatta", + "/usr/sbin/popmaildir/usr/sbin/setenforce/usr/sbin/setlogconsapko-generated", + "/usr/sbin/powertop/usr/sbin/sendmail/usr/sbin/sestatus/usr/sbin/ubimkvol/u", + "/usr/sbin/rdev/usr/bin/ascii/usr/bin/crc32/usr/bin/tsortVERSION_ID", + "/usr/sbin/readahead/usr/sbin/setsebool/usr/sbin/ubiattach/usr/sbin/ubideta", + "/usr/sbin/remove-shell/usr/sbin/ubiupdatevolgenerating", + "/usr/sbin/rtcwake/usr/sbin/setfont/usr/sbin/telnetd/usr/sbin/seedrngPRETTY", + "/usr/sbin/sendmail/usr/sbin/sestatus/usr/sbin/ubimkvol/usr/sbin/ubirmvol/u", + "/usr/sbin/sestatus/usr/sbin/ubimkvol/usr/sbin/ubirmvol/usr/sbin/ubirsvolge", + "/usr/sbin/setfont/usr/sbin/telnetd/usr/sbin/seedrngPRETTY_NAME", + "/usr/sbin/setsebool/usr/sbin/ubiattach/usr/sbin/ubidetach/usr/sbin/ubirena", + "/usr/sbin/ubiattach/usr/sbin/ubidetach/usr/sbin/ubirename", + "/usr/sbin/ubimkvol/usr/sbin/ubirmvol/usr/sbin/ubirsvolgetting" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-sbin.yara#usr_sbin_path", + "ID": "fs/path/usr_sbin", + "RuleName": "usr_sbin_path" + }, + { + "Description": "path reference within /var", + "MatchStrings": [ + "/var/cache%s", + "/var/cache/apk/etc/apk/worldCalculateWorldcache", + "/var/cache/miscAPKINDEX.tar.gzfetchAlpineKeyscfg.MapTo", + "/var/lib/db/sbomSPDXRef-Package-remote", + "/var/run/docker.sockopen" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path", + "ID": "fs/path/var", + "RuleName": "var_path" + }, + { + "Description": "Changes file ownership", + "MatchStrings": [ + "Chown" + ], + 
"RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown", + "ID": "fs/permission/chown", + "RuleName": "Chown" + }, + { + "Description": "modifies file permissions", + "MatchStrings": [ + "Chmod", + "chmod" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod", + "ReferenceURL": "https://linux.die.net/man/1/chmod", + "ID": "fs/permission/modify", + "RuleName": "chmod" + }, + { + "Description": "stop swapping to a file/device", + "MatchStrings": [ + "swapoff" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/swap/swap-off.yara#swapoff", + "ID": "fs/swap/off", + "RuleName": "swapoff" + }, + { + "Description": "start swapping to a file/device", + "MatchStrings": [ + "swapon" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/swap/swap-on.yara#swapon", + "ID": "fs/swap/on", + "RuleName": "swapon" + }, + { + "Description": "creates symbolic links", + "MatchStrings": [ + "symlink" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-create.yara#symlink", + "ID": "fs/symlink_create", + "RuleName": "symlink" + }, + { + "Description": "resolves symbolic links", + "MatchStrings": [ + "realpath" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath", + "ReferenceURL": "https://man7.org/linux/man-pages/man3/realpath.3.html", + "ID": "fs/symlink_resolve", + "RuleName": "realpath" + }, + { + "Description": "temp", + "MatchStrings": [ + "getenv", + "temp" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp", + "ID": "fs/tempdir/TEMP", + "RuleName": "temp" + }, + { + "Description": "creates temporary files", + "MatchStrings": [ + "mktemp", + "temp file", + "tmpfile" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp", + "ID": "fs/tempfile", + "RuleName": "mktemp" + }, + { + "Description": "unmount file system", + "MatchStrings": [ + "umount" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/unmount.yara#umount", + "ID": "fs/unmount", + "RuleName": "umount" + }, + { + "Description": "references /dev/urandom", + "MatchStrings": [ + "/dev/urandom" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/urandom.yara#urandom", + "ID": "hw/urandom", + "RuleName": "urandom" + }, + { + "Description": "references a 'heartbeat'", + "MatchStrings": [ + "HeartbeatPeriod", + "HeartbeatTick" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat", + "ID": "impact/remote_access/heartbeat", + "RuleName": "heartbeat" + }, + { + "Description": "parse command-line arguments", + "MatchStrings": [ + "getopt" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ui/parses-arguments.yara#argparse", + "ID": "impact/ui/parses_arguments", + "RuleName": "argparse" + }, + { + "Description": "give advice about use of memory", + "MatchStrings": [ + "madvise" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/advise.yara#madvise", + "ID": "mem/advise", + "RuleName": "madvise" + }, + { + "Description": "Uses DNS (Domain Name 
Service)", + "MatchStrings": [ + "CNAMEResource", + "SetEDNS0", + "dnsmessage" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs", + "ID": "net/dns", + "RuleName": "go_dns_refs" + }, + { + "Description": "looks up the reverse hostname for an IP", + "MatchStrings": [ + ".in-addr.arpa", + "ip6.arpa" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa", + "ID": "net/dns/reverse", + "RuleName": "in_addr_arpa" + }, + { + "Description": "Examines local DNS servers", + "MatchStrings": [ + "CNAMEResource" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local", + "ID": "net/dns/servers", + "RuleName": "go_dns_refs_local" + }, + { + "Description": "Uses DNS TXT (text) records", + "MatchStrings": [ + "TXT", + "dns" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt", + "ID": "net/dns/txt", + "RuleName": "dns_txt" + }, + { + "Description": "download files", + "MatchStrings": [ + "DownloadLocation", + "downloadLocation", + "to registrySkip downloading" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download", + "ID": "net/download", + "RuleName": "download" + }, + { + "Description": "Invokes curl", + "MatchStrings": [ + "curl -H \"" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value", + "ID": "net/download/fetch", + "RuleName": "curl_value" + }, + { + "Description": "Uses the HTTP/2 protocol", + "MatchStrings": [ + "HTTP/2" + ], + "RiskScore": 1, + "RiskLevel": 
"LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2", + "ID": "net/http/2", + "RuleName": "http2" + }, + { + "Description": "accepts binary files via HTTP", + "MatchStrings": [ + "Accept", + "application/octet-stream" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary", + "ID": "net/http/accept", + "RuleName": "http_accept_binary" + }, + { + "Description": "set HTTP response encoding format (example: gzip)", + "MatchStrings": [ + "Accept-Encoding" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type", + "ReferenceURL": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding", + "ID": "net/http/accept_encoding", + "RuleName": "content_type" + }, + { + "Description": "makes HTTP requests with Bearer authentication", + "MatchStrings": [ + "WWW-Authenticate", + "Www-Authenticate", + "www-authenticate" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth", + "ID": "net/http/auth", + "RuleName": "http_auth" + }, + { + "Description": "Sets HTTP content length to zero", + "MatchStrings": [ + "Content-Length: 0" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length.yara#content_length_0", + "ID": "net/http/content_length", + "RuleName": "content_length_0" + }, + { + "Description": "access HTTP resources using cookies", + "MatchStrings": [ + "Cookie", + "HTTP" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie", + "ReferenceURL": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies", + 
"ID": "net/http/cookies", + "RuleName": "http_cookie" + }, + { + "Description": "upload content via HTTP form", + "MatchStrings": [ + "POST", + "application/json", + "application/x-www-form-urlencoded", + "post" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload", + "ID": "net/http/form_upload", + "RuleName": "http_form_upload" + }, + { + "Description": "submits content to websites", + "MatchStrings": [ + "Content-Type for PUTeach colon", + "Content-Type headerdid not find expected alp", + "Content-Type isn", + "Content-Type: text/plain", + "Content-TypeCookie.Valuecontent", + "Content-Typenet/http: timeout awaiting respo", + "HTTP", + "POST" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post", + "ID": "net/http/post", + "RuleName": "http_post" + }, + { + "Description": "use HTTP proxy that requires authentication", + "MatchStrings": [ + "Proxy-Authorization" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth", + "ReferenceURL": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization", + "ID": "net/http/proxy", + "RuleName": "proxy_auth" + }, + { + "Description": "makes HTTP requests", + "MatchStrings": [ + "HTTP/1.", + "Referer", + "User-Agent" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request", + "ID": "net/http/request", + "RuleName": "http_request" + }, + { + "Description": "access the internet", + "MatchStrings": [ + "invalid packet" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets", + "ID": "net/ip", + "RuleName": "packets" + 
}, + { + "Description": "connects to an arbitrary hostname:port", + "MatchStrings": [ + "host to transport" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref", + "ID": "net/ip/host_port", + "RuleName": "host_port_ref" + }, + { + "Description": "parses IP address (IPv4 or IPv6)", + "MatchStrings": [ + "IsLinkLocalUnicast", + "IsSingleIP" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#ip_go", + "ID": "net/ip/parse", + "RuleName": "ip_go" + }, + { + "Description": "Supports SOCK5 proxies", + "MatchStrings": [ + "SOCKS5", + "socks5" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5", + "ID": "net/proxy/socks5", + "RuleName": "socks5" + }, + { + "Description": "resolve network host name to IP address", + "MatchStrings": [ + "net.hostLookup" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#net_hostlookup", + "ID": "net/resolve/hostname", + "RuleName": "net_hostlookup" + }, + { + "Description": "listen on a socket", + "MatchStrings": [ + "accept", + "listen", + "socket" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen", + "ID": "net/socket/listen", + "RuleName": "listen" + }, + { + "Description": "get local address of connected socket", + "MatchStrings": [ + "getsockname" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/getsockname.2.html", + "ID": "net/socket/local_addr", + 
"RuleName": "getsockname" + }, + { + "Description": "get socket options", + "MatchStrings": [ + "getsockopt" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-options-get.yara#getsockopt", + "ID": "net/socket/options_get", + "RuleName": "getsockopt" + }, + { + "Description": "set socket options", + "MatchStrings": [ + "setsockopt" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-options-set.yara#setsockopt", + "ID": "net/socket/options_set", + "RuleName": "setsockopt" + }, + { + "Description": "get peer address of connected socket", + "MatchStrings": [ + "getpeername" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/getpeername.2.html", + "ID": "net/socket/peer_address", + "RuleName": "getpeername" + }, + { + "Description": "receive a message from a socket", + "MatchStrings": [ + "recvfrom", + "recvmsg" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg", + "ReferenceURL": "https://linux.die.net/man/2/recvmsg", + "ID": "net/socket/receive", + "RuleName": "recvmsg" + }, + { + "Description": "send a message to a socket", + "MatchStrings": [ + "sendmsg", + "sendto" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg", + "ReferenceURL": "https://linux.die.net/man/2/sendmsg", + "ID": "net/socket/send", + "RuleName": "sendmsg" + }, + { + "Description": "connects to a TCP port", + "MatchStrings": [ + "dialTCP" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/connect.yara#connect_tcp", + "ID": "net/tcp/connect", + "RuleName": "connect_tcp" + }, + { + "Description": "Uses crypto/ssh to connect to the SSH (secure shell) service", + "MatchStrings": [ + "SSH" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh", + "ID": "net/tcp/ssh", + "RuleName": "ssh" + }, + { + "Description": "Listens for UDP responses", + "MatchStrings": [ + "ReadFromUDP", + "listenUDP" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-receive.yara#udp_listen", + "ID": "net/udp/receive", + "RuleName": "udp_listen" + }, + { + "Description": "Sends UDP packets", + "MatchStrings": [ + "DialUDP", + "WriteMsgUDP" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-send.yara#udp_send", + "ID": "net/udp/send", + "RuleName": "udp_send" + }, + { + "Description": "contains embedded HTTPS URLs", + "MatchStrings": [ + "https://GoString01234567beEfFgGvsignal", + "https://alpinelinux.org/releases.jsondid", + "https://github.com/chainguard-dev/apkocould", + "https://github.com/google/go-containerregistry/issues/377internal", + "https://github.com/spf13/cobra/issues/1279", + "https://github.com/spf13/cobra/issues/1508", + "https://index.docker.io/v1/Path", + "https://index.docker.io/v2/library/ubuntu/tags/list", + "https://pkg.go.dev/text/template", + "https://reproducible-builds.org/docs/source-date-epoch/directory", + "https://spdx.org/spdxdocs/apko/directory" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url", + "ID": "net/url/embedded", + "RuleName": "https_url" + }, + { + "Description": "encodes URL, likely to pass GET variables", + 
"MatchStrings": [ + "urlencode" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode", + "ID": "net/url/encode", + "RuleName": "url_encode" + }, + { + "Description": "Handles URL strings", + "MatchStrings": [ + "RequestURI" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle", + "ID": "net/url/parse", + "RuleName": "url_handle" + }, + { + "Description": "requests resources via URL", + "MatchStrings": [ + "http.request", + "net/url" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls", + "ID": "net/url/request", + "RuleName": "requests_urls" + }, + { + "Description": "Retrieve environment variables", + "MatchStrings": [ + "Getenv" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#getenv", + "ID": "os/env/get", + "RuleName": "getenv" + }, + { + "Description": "places a variable into the environment", + "MatchStrings": [ + "setenv" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/set.yara#setenv_putenv", + "ID": "os/env/set", + "RuleName": "setenv_putenv" + }, + { + "Description": "unsetenv", + "MatchStrings": [ + "unsetenv" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/unset.yara#unsetenv", + "ID": "os/env/unset", + "RuleName": "unsetenv" + }, + { + "Description": " close", + "MatchStrings": [ + "_close" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/access.yara#_close", + "ID": "os/fd/access", + "RuleName": "_close" + }, + { + "Description": 
"manipulate file descriptor with fcntl", + "MatchStrings": [ + "fcntl" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/manipulate.yara#fcntl", + "ID": "os/fd/manipulate", + "RuleName": "fcntl" + }, + { + "Description": "Reads from file descriptors", + "MatchStrings": [ + "pread" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#fd_read", + "ID": "os/fd/read", + "RuleName": "fd_read" + }, + { + "Description": "transfer data between file descriptors", + "MatchStrings": [ + "sendfile", + "syscall.Sendfile" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/sendfile.2.html", + "ID": "os/fd/sendfile", + "RuleName": "sendfile" + }, + { + "Description": "write to file descriptor", + "MatchStrings": [ + "pwrite" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#fd_write", + "ID": "os/fd/write", + "RuleName": "fd_write" + }, + { + "Description": "communicate with kernel services", + "MatchStrings": [ + "netlink" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink", + "ID": "os/kernel/netlink", + "RuleName": "netlink" + }, + { + "Description": "get or set kernel stat", + "MatchStrings": [ + "Sysctl", + "sysctl" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/sysctl.yara#sysctl", + "ID": "os/kernel/sysctl", + "RuleName": "sysctl" + }, + { + "Description": "libc", + "MatchStrings": [ + "sigaction" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle.yara#libc", + "ID": "os/signal/handle", + "RuleName": "libc" + }, + { + "Description": "Listen for SIGALRM (timeout) events", + "MatchStrings": [ + "ALRM", + "sigaction" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-ALRM.yara#sigaction_ALRM", + "ID": "os/signal/handle_ALRM", + "RuleName": "sigaction_ALRM" + }, + { + "Description": "Listen for SIGHUP (hangup) events", + "MatchStrings": [ + "HUP", + "sigaction" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-HUP.yara#sigaction_SIGHUP", + "ID": "os/signal/handle_HUP", + "RuleName": "sigaction_SIGHUP" + }, + { + "Description": "Listen for SIGINT (ctrl-C) events", + "MatchStrings": [ + "SIGINT", + "sigaction" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-INT.yara#sigaction_SIGINT", + "ID": "os/signal/handle_INT", + "RuleName": "sigaction_SIGINT" + }, + { + "Description": "Listen for SIGQUIT (kill) events", + "MatchStrings": [ + "QUIT", + "sigaction" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-QUIT.yara#sigaction_SIGQUIT", + "ID": "os/signal/handle_QUIT", + "RuleName": "sigaction_SIGQUIT" + }, + { + "Description": "Listen for SIGWINCH (terminal window change) events", + "MatchStrings": [ + "WINCH", + "sigaction" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-WINCH.yara#sigaction_WINCH", + "ID": "os/signal/handle_WINCH", + "RuleName": "sigaction_WINCH" + }, + { + "Description": "sigprocmask", + "MatchStrings": [ + "sigprocmask" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/mask.yara#sigprocmask", + "ID": "os/signal/mask", + "RuleName": "sigprocmask" + }, + { + "Description": "kill", + "MatchStrings": [ + "syscall.Kill" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/send.yara#kill", + "ID": "os/signal/send", + "RuleName": "kill" + }, + { + "Description": "bsd time conversion", + "MatchStrings": [ + "ctime" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/time/clock-convert.yara#bsd_time_conversion", + "ID": "os/time/clock_convert", + "RuleName": "bsd_time_conversion" + }, + { + "Description": "set time via system clock", + "MatchStrings": [ + "adjtimex" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/time/clock-set.yara#linux_adjtimex", + "ID": "os/time/clock_set", + "RuleName": "linux_adjtimex" + }, + { + "Description": "lists crontab entries, may also persist", + "MatchStrings": [ + "crontab" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/cron/tab.yara#crontab_support", + "ID": "persist/cron/tab", + "RuleName": "crontab_support" + }, + { + "Description": "changes working directory", + "MatchStrings": [ + "cd u" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell", + "ID": "process/chdir", + "RuleName": "chdir_shell" + }, + { + "Description": "change the location of root for the process", + "MatchStrings": [ + "chroot" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot", + "ID": "process/chroot", + "RuleName": "chroot" + }, + { + "Description": "create child 
process", + "MatchStrings": [ + "clone" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#syscall_clone", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/clone.2.html", + "ID": "process/create", + "RuleName": "syscall_clone" + }, + { + "Description": "creates a session and sets the process group ID", + "MatchStrings": [ + "setsid" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/group/create.yara#syscalls", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/setsid.2.html", + "ID": "process/group/create", + "RuleName": "syscalls" + }, + { + "Description": "set group access list", + "MatchStrings": [ + "setgroups" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups", + "ID": "process/groups_set", + "RuleName": "setgroups" + }, + { + "Description": "set resource limits", + "MatchStrings": [ + "setrlimit" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/limit-set.yara#setrlimit", + "ID": "process/limit_set", + "RuleName": "setrlimit" + }, + { + "Description": "adjust the process nice value", + "MatchStrings": [ + "renice" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/setpriority.yara#nice", + "ID": "process/setpriority", + "RuleName": "nice" + }, + { + "Description": "disassociate parts of the process execution context", + "MatchStrings": [ + "unshare" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare", + "ID": "process/unshare", + "RuleName": "syscall_unshare" + }, + { + "Description": "gets very excited", + 
"MatchStrings": [ + "does not work!!!", + "ontain alphanumerical characters onlyexplicitly tagged !!" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations", + "ID": "sus/exclamation", + "RuleName": "exclamations" + } + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM" + } + } +} diff --git a/rules/impact/remote_access/py_setuptools.yara b/rules/impact/remote_access/py_setuptools.yara index adc792128..2ae857b78 100644 --- a/rules/impact/remote_access/py_setuptools.yara +++ b/rules/impact/remote_access/py_setuptools.yara @@ -82,6 +82,18 @@ rule setuptools_eval: medium { remote_access_pythonSetup and any of ($f*) } + +rule setuptools_eval_high: high { + meta: + description = "Python library installer that evaluates arbitrary code" + + strings: + $f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword + $not_namespaced = /eval\([\w\.\(\)\"\/\']{4,16}, [a-z]{1,6}[,\)]/ + condition: + remote_access_pythonSetup and any of ($f*) and none of ($not*) +} + rule setuptools_exec: medium { meta: description = "Python library installer that executes arbitrary code" @@ -107,21 +119,11 @@ rule setuptools_exec_high: high { $not_pyspark_ioerror = "\"Failed to load PySpark version file for packaging. You must be in Spark's python dir.\"" $not_requests = "'Documentation': 'https://requests.readthedocs.io'" $not_test_egg_class = "class TestEggInfo" - $not_requests_about = "exec(f.read(), about)" - $not_exec_ns = "exec(code, ns, ns)" + $not_namespaced = /exec\([\w\.\(\)\"\/\']{4,16}, [a-z]{1,6}[,\)]/ condition: remote_access_pythonSetup and any of ($f*) and none of ($not*) } -rule setuptools_eval_high: high { - meta: - description = "Python library installer that evaluates arbitrary code" - - strings: - $f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword - condition: - remote_access_pythonSetup and any of ($f*) -} rule setuptools_b64decode: suspicious { meta: 
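Review bot: The new `$not_namespaced` pattern in `setuptools_eval_high` (and its twin that replaces `$not_requests_about`/`$not_exec_ns` in `setuptools_exec_high`) is consumed by `none of ($not*)`, so a single match anywhere in the file suppresses the high-severity verdict for every other `eval(`/`exec(` in that setup.py; the removed literals had the same file-wide effect but only on their exact text, whereas the regex now excuses any call whose first argument is 4–16 identifier/quote characters followed by a 1–6 letter second argument. Nothing in the rule records that intent, so a later reader cannot tell whether `[a-z]{1,6}` was meant for `about`/`ns`-style globals dicts or something broader. Suggest a comment above each pattern naming the cases it replaced, e.g. `// excludes eval/exec into an explicit namespace dict, e.g. exec(f.read(), about) / exec(code, ns, ns)`. If the file-wide suppression is intended, it may be worth noting in the description that the medium-severity `setuptools_eval` rule visible above has no such exclusion and still fires on those files. The hunk also relocates `setuptools_eval_high` above `setuptools_exec`, so the diff reads as a delete-plus-add rather than an edit, which hides that only `$not_namespaced` and the `none of` clause are new.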
diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple index e69de29bb..e2f9da111 100644 --- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple +++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple 
@@ -0,0 +1,173 @@ +# linux/2024.kworker_pretenders/emp3r0r.agent: critical +3P/elastic/exploit_cve_2021: critical +anti-behavior/vm_check: medium +anti-static/elf/entropy: high +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/url: low +c2/discovery/ip_dns_resolver: medium +c2/refs: high +c2/tool_transfer/arch: low +c2/tool_transfer/download: medium +c2/tool_transfer/os: medium +collect/archives/unarchive: medium +collect/archives/zip: medium +credential/os/shadow: medium +credential/password: low +credential/sniffer/bpf: medium +credential/ssh/d: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/public_key: low +crypto/tls: low +data/compression/bzip2: low +data/compression/gzip: low +data/compression/lzma: low +data/compression/xz: medium +data/compression/zlib: low +data/compression/zstd: low +data/embedded/html: medium +data/embedded/zstd: medium +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/hash/blake2b: low +data/hash/md5: low +data/hash/sha256: low +discover/network/connectivity: low +discover/network/netstat: medium +discover/processes/list: medium +discover/system/cpu: low +discover/system/hostname: low +discover/system/platform: low +discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +discover/user/name_get: medium +evasion/file/location/chdir_unusual: medium +evasion/file/location/dev_shm: medium +evasion/file/prefix: high +evasion/file/prefix/dev: high +evasion/file/prefix/tmp: high +evasion/hijack_execution/LD_LIBRARY_PATH: low +evasion/logging/current_logins: medium +evasion/logging/hide_shell_history: high +evasion/mimicry/fake_process: critical +exec/cmd: medium +exec/conditional/LANG: low +exec/dylib/symbol_address: medium +exec/plugin: low +exec/program: medium +exec/remote_commands/code_eval: medium +exec/script/shell: medium +exec/shell/SHELL: low +exec/shell/TERM: 
low +exec/shell/arbitrary_command_dev_null: medium +exec/shell/background_sleep: medium +exec/shell/exec: medium +exec/tty/open: medium +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/file/copy: medium +fs/file/delete: medium +fs/file/delete_forcibly: medium +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/times_set: low +fs/file/write: low +fs/link_create: low +fs/link_read: low +fs/mount: low +fs/path/bin_su: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home: low +fs/path/home_config: low +fs/path/tmp: medium +fs/path/users: medium +fs/path/usr_bin: low +fs/path/usr_local: medium +fs/path/usr_sbin: low +fs/path/var: low +fs/path/var_log: medium +fs/permission/chown: medium +fs/permission/modify: medium +fs/proc/1_cgroup: medium +fs/proc/arbitrary_pid: medium +fs/proc/cpuinfo: medium +fs/symlink_resolve: low +fs/tempdir/TEMP: low +fs/tempfile: low +hw/cpu: medium +impact/exploit: high +impact/exploit/GCONV_PATH: high +impact/exploit/pwnkit: critical +impact/remote_access/heartbeat: medium +impact/remote_access/kill_rm: medium +impact/remote_access/net_exec: medium +impact/remote_access/pseudo_terminal: medium +impact/remote_access/reverse_shell: high +malware/family/emp3r0r: critical +net/dns: low +net/dns/over_https: medium +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/http/websocket: medium +net/ip: low +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/ip/tcp_state_tracker: medium +net/proxy/shadowsocks: high +net/proxy/socks5: medium +net/resolve/hostname: low +net/resolve/hostport_parse: low +net/socket/listen: medium +net/socket/local_addr: low 
+net/socket/peer_address: low +net/socket/raw: medium +net/socket/receive: low +net/socket/send: low +net/tcp/connect: medium +net/tcp/sftp: medium +net/tcp/ssh: medium +net/udp/receive: low +net/udp/send: medium +net/url/embedded: medium +net/url/encode: medium +net/url/parse: low +net/url/request: medium +os/fd/sendfile: low +os/kernel/netlink: low +persist/cron/tab: medium +persist/pid_file: medium +persist/shell/bash: high +privesc/linpeas: high +privesc/setuid: low +privesc/sudo: medium +process/chdir: low +process/chroot: low +process/groupid_set: low +process/groups_set: low +process/multithreaded: low +process/terminate/killed_all: medium +sus/exclamation: medium diff --git a/tests/linux/clean/buildah.simple b/tests/linux/clean/buildah.simple index e69de29bb..60a4df47e 100644 --- a/tests/linux/clean/buildah.simple +++ b/tests/linux/clean/buildah.simple 
@@ -0,0 +1,159 @@ +# linux/clean/buildah: medium +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/url: low +c2/client: medium +c2/discovery/ip_dns_resolver: medium +c2/tool_transfer/arch: low +c2/tool_transfer/os: medium +collect/archives/zip: medium +collect/databases/sqlite: medium +credential/keychain: medium +credential/password: low +credential/sniffer/bpf: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/openssl: medium +crypto/public_key: low +crypto/tls: low +data/compression/bzip2: low +data/compression/gzip: low +data/compression/lzma: low +data/compression/xz: medium +data/compression/zlib: low +data/compression/zstd: low +data/embedded/html: medium +data/embedded/zstd: medium +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/hash/blake2b: low +data/hash/md5: low +discover/network/mac_address: medium +discover/process/name: medium +discover/system/cpu: low +discover/system/hostname: low +discover/system/platform: low +discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +evasion/bypass_security/linux/iptables: medium +evasion/file/location/dev_mqueue: medium +evasion/file/location/dev_shm: medium +evasion/file/location/var_run: medium +evasion/file/prefix: medium +evasion/file/prefix/dev: low +exec/cmd: medium +exec/dylib/symbol_address: medium +exec/plugin: low +exec/program: medium +exec/reconfigure/hostname_set: low +exec/shell/SHELL: low +exec/shell/TERM: low +exec/shell/background_sleep: medium +exec/shell/exec: medium +exec/system_controls/apparmor: medium +exec/system_controls/systemd: low +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/event_monitoring: low +fs/fifo_create: low +fs/file/create: medium +fs/file/delete: low +fs/file/delete_forcibly: low +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/times_set: medium 
+fs/file/truncate: low +fs/file/write: low +fs/link_create: low +fs/link_read: low +fs/lock_update: low +fs/loopback: medium +fs/mount: low +fs/node_create: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home_config: low +fs/path/lib_dynamic: medium +fs/path/relative: medium +fs/path/tmp: medium +fs/path/users: medium +fs/path/usr_bin: low +fs/path/usr_local: medium +fs/path/usr_sbin: low +fs/path/var: low +fs/permission/chown: medium +fs/permission/modify: medium +fs/proc/arbitrary_pid: medium +fs/proc/self_cgroup: medium +fs/proc/self_cmdline: medium +fs/proc/self_exe: medium +fs/proc/self_mountinfo: medium +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempdir/create: low +fs/tempfile: low +fs/unmount: low +fs/watch: low +hw/dev/block_ice: medium +impact/degrade/linux_paths: medium +impact/remote_access/iptables: medium +mem/anonymous_file: medium +net/dns: low +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/parse: medium +net/resolve/hostname: low +net/resolve/hostport_parse: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +net/tcp/connect: medium +net/tcp/grpc: low +net/tcp/ssh: medium +net/udp/receive: low +net/udp/send: low +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +os/fd/sendfile: low +os/kernel/kcore: low +os/kernel/key_management: low +os/kernel/netlink: low +os/kernel/seccomp: low +persist/pid_file: medium +privesc/setuid: low +process/chroot: low +process/groupid_set: low +process/groups_set: low 
+process/multithreaded: low +process/unshare: low +sus/exclamation: medium +sus/intercept: medium diff --git a/tests/linux/clean/buildkitd.simple b/tests/linux/clean/buildkitd.simple index e69de29bb..b0efb5b9c 100644 --- a/tests/linux/clean/buildkitd.simple +++ b/tests/linux/clean/buildkitd.simple 
@@ -0,0 +1,132 @@ +# linux/clean/buildkitd: medium +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/url: low +c2/client: medium +c2/discovery/ip_dns_resolver: medium +c2/tool_transfer/arch: low +c2/tool_transfer/os: medium +collect/archives/zip: medium +collect/code/github_api: low +credential/password: low +credential/sniffer/pcap: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/public_key: low +crypto/tls: low +data/compression/bzip2: low +data/compression/gzip: low +data/compression/zstd: low +data/embedded/html: medium +data/embedded/zstd: medium +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/hash/md5: low +discover/network/mac_address: medium +discover/network/netstat: medium +discover/process/name: medium +discover/system/cpu: low +discover/system/hostname: low +discover/system/platform: medium +discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +evasion/file/location/dev_mqueue: medium +evasion/file/prefix: medium +evasion/process_injection/ptrace: medium +exec/cmd: medium +exec/plugin: low +exec/program: medium +exec/reconfigure/hostname_set: low +exec/shell/SHELL: low +exec/shell/exec: medium +exec/system_controls/apparmor: medium +exec/system_controls/systemd: low +fs/attributes/set: medium +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/event_monitoring: low +fs/file/copy: medium +fs/file/delete: low +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/stat: low +fs/file/times_set: medium +fs/file/write: low +fs/link_create: low +fs/link_read: low +fs/lock_update: low +fs/loopback: medium +fs/mount: low +fs/node_create: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/usr_local: medium +fs/path/var: low +fs/path/windows_root: low +fs/permission/chown: medium +fs/permission/modify: medium 
+fs/proc/arbitrary_pid: medium +fs/proc/self_mountinfo: medium +fs/tempdir/TEMP: low +fs/tempdir/create: low +fs/tempfile: low +fs/watch: low +impact/remote_access/heartbeat: medium +impact/remote_access/iptables: medium +impact/remote_access/pseudo_terminal: medium +net/dns: low +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/ip: low +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/resolve/hostname: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/pair: medium +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +net/tcp/connect: medium +net/tcp/grpc: low +net/tcp/ssh: medium +net/udp/receive: low +net/udp/send: low +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +os/fd/sendfile: low +os/kernel/kcore: low +os/kernel/netlink: low +os/kernel/seccomp: low +persist/pid_file: medium +persist/service/start: low +process/chroot: low +process/unshare: low +sus/intercept: medium +sus/leetspeak: medium diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple index e69de29bb..7e0bbcea5 100644 --- a/tests/linux/clean/caddy.simple +++ b/tests/linux/clean/caddy.simple 
@@ -0,0 +1,163 @@ +# linux/clean/caddy: medium +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/url: low +c2/client: medium +c2/discovery/ip_dns_resolver: medium +c2/refs: medium +c2/tool_transfer/arch: low +c2/tool_transfer/download: medium +c2/tool_transfer/os: medium +collect/archives/zip: medium +collect/databases/mysql: medium +collect/databases/postgresql: medium +collect/databases/sqlite: medium +credential/password: low +credential/server/htpasswd: medium +credential/sniffer/bpf: medium +credential/ssh/d: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/public_key: low +crypto/tls: low +data/compression/gzip: low +data/compression/zstd: low +data/embedded/base64_terms: medium +data/embedded/base64_url: medium +data/embedded/html: medium +data/embedded/pem_certificate: low +data/embedded/pem_private_key: medium +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/encoding/json_encode: low +data/hash/blake2b: low +data/hash/md5: low +data/random/insecure: low +discover/cloud/aws_metadata: low +discover/cloud/google_metadata: low +discover/group/lookup: medium +discover/network/mac_address: medium +discover/process/parent: low +discover/system/cpu: low +discover/system/hostname: low +discover/system/platform: medium +discover/user/HOME: low +discover/user/USER: low +discover/user/name_get: low +evasion/file/location/var_run: medium +evasion/file/prefix: medium +exec/cmd: medium +exec/conditional/LANG: low +exec/install_additional/package_install: medium +exec/plugin: low +exec/program: medium +exec/program/background: low +exec/script/osa: medium +exec/shell/SHELL: low +exec/shell/TERM: low +exec/shell/background_sleep: medium +exec/system_controls/stop: low +exec/system_controls/systemd: low +exfil/office_file_ext: medium +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/fifo_create: 
low +fs/file/capabilities_set: low +fs/file/create: medium +fs/file/delete: medium +fs/file/delete_forcibly: low +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/times_set: medium +fs/file/write: low +fs/link_read: low +fs/lock_update: low +fs/mount: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home_config: low +fs/path/relative: medium +fs/path/tmp: medium +fs/path/users: medium +fs/path/var: low +fs/path/windows_root: low +fs/permission/chown: medium +fs/permission/modify: medium +fs/proc/arbitrary_pid: medium +fs/proc/pid_stat: medium +fs/proc/pid_statistics: low +fs/proc/self_cgroup: medium +fs/proc/self_exe: medium +fs/proc/self_mountinfo: medium +fs/swap/off: low +fs/symlink_resolve: low +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempfile: low +fs/watch: low +hw/wireless: low +net/dns: low +net/dns/over_https: medium +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/http/webhook: medium +net/http/websocket: medium +net/ip: low +net/ip/connect: medium +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/ip/resolve: low +net/ip/spoof: medium +net/proxy/reverse: medium +net/resolve/hostname: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/pair: medium +net/socket/peer_address: low +net/socket/receive: low +net/socket/reuseport: medium +net/socket/send: low +net/tcp/connect: medium +net/tcp/grpc: low +net/tcp/ssh: medium +net/udp/receive: low +net/udp/send: low +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +net/webrtc: medium +os/env/get: low 
+os/fd/sendfile: low +os/kernel/netlink: low +persist/kernel_module/unload: medium +persist/pid_file: medium +privesc/sudo: medium +process/chroot: low +process/groups_set: low +sus/exclamation: medium +sus/intercept: medium diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple index e69de29bb..3340aff74 100644 --- a/tests/linux/clean/chezmoi.simple +++ b/tests/linux/clean/chezmoi.simple 
@@ -0,0 +1,172 @@ +# linux/clean/chezmoi: medium +anti-static/xor/functions: medium +c2/addr/discord: medium +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/telegram: medium +c2/addr/url: low +c2/client: medium +c2/tool_transfer/arch: low +c2/tool_transfer/download: medium +c2/tool_transfer/dropper: medium +c2/tool_transfer/os: medium +collect/archives/zip: medium +collect/code/github_api: low +collect/databases/leveldb: medium +collect/databases/mysql: medium +collect/databases/postgresql: medium +collect/databases/sqlite: medium +credential/clipboard: medium +credential/gaming/minecraft: medium +credential/keychain: medium +credential/password: low +credential/server/htpasswd: medium +credential/sniffer/bpf: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/encrypt: medium +crypto/public_key: low +crypto/tls: low +crypto/uuid: medium +data/compression/bzip2: low +data/compression/gzip: low +data/compression/lzma: low +data/compression/xz: medium +data/compression/zlib: low +data/compression/zstd: low +data/embedded/base64_terms: medium +data/embedded/base64_url: medium +data/embedded/html: medium +data/embedded/pem_certificate: low +data/embedded/ssh_signature: medium +data/embedded/zstd: medium +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/hash/blake2b: low +data/hash/md5: low +data/random/insecure: low +discover/group/lookup: medium +discover/network/mac_address: medium +discover/process/parent: low +discover/system/cpu: low +discover/system/hostname: low +discover/system/platform: low +discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +discover/user/name_get: medium +evasion/file/prefix: medium +exec/cmd: medium +exec/conditional/LANG: low +exec/plugin: low +exec/program: medium +exec/program/background: low +exec/script/osa: medium +exec/shell/SHELL: low +exec/shell/TERM: low 
+exec/shell/background_sleep: medium +exec/shell/exec: medium +exec/system_controls/systemd: low +exfil/upload: medium +fs/attributes/chattr: medium +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/fifo_create: low +fs/file/create: medium +fs/file/delete: medium +fs/file/delete_forcibly: low +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/stat: low +fs/file/times_set: medium +fs/file/write: low +fs/link_create: low +fs/link_read: low +fs/lock_update: low +fs/mount: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home_config: low +fs/path/users: medium +fs/path/var: low +fs/permission/chown: medium +fs/permission/modify: medium +fs/swap/off: low +fs/symlink_resolve: low +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempfile: low +fs/watch: low +hw/dev/block_ice: medium +hw/wireless: low +impact/exploit: medium +impact/infection/worm: medium +impact/remote_access/heartbeat: medium +impact/remote_access/implant: medium +impact/remote_access/pseudo_terminal: medium +impact/remote_access/trojan: medium +malware/ref: medium +net/dns: low +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download: medium +net/download/fetch: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/http/webhook: medium +net/http/websocket: medium +net/ip: low +net/ip/host_port: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/ip/resolve: low +net/ip/spoof: medium +net/proxy/socks5: medium +net/proxy/tunnel: medium +net/resolve/hostname: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/pair: medium +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +net/tcp/connect: medium 
+net/tcp/ssh: medium +net/udp/receive: low +net/udp/send: low +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +net/webrtc: medium +os/env/get: low +os/fd/sendfile: low +os/kernel/netlink: low +persist/kernel_module/unload: medium +persist/pid_file: medium +privesc/sudo: medium +process/chdir: low +process/chroot: low +process/groups_set: low +sus/exclamation: medium +sus/intercept: medium +sus/malicious: medium diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple index e69de29bb..b6271f90b 100644 --- a/tests/linux/clean/chrome.simple +++ b/tests/linux/clean/chrome.simple 
@@ -0,0 +1,184 @@ +# linux/clean/chrome: medium +anti-behavior/LD_DEBUG: medium +anti-behavior/LD_PROFILE: medium +anti-static/elf/multiple: medium +anti-static/obfuscation/obfuscate: low +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/server: medium +c2/client: medium +c2/discovery/ip_dns_resolver: medium +c2/refs: medium +c2/tool_transfer/arch: low +c2/tool_transfer/dropper: medium +c2/tool_transfer/os: medium +collect/archives/zip: medium +collect/databases/leveldb: medium +collect/databases/sqlite: medium +credential/keychain: medium +credential/keychain/gnome_keyring_daemon: medium +credential/password: low +credential/sniffer/bpf: medium +credential/ssh: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/openssl: medium +crypto/public_key: low +crypto/rc4: medium +crypto/tls: low +crypto/uuid: medium +data/compression/bzip2: low +data/compression/gzip: low +data/compression/lzma: low +data/compression/zlib: low +data/compression/zstd: low +data/embedded/base64_url: medium +data/embedded/html: medium +data/embedded/pem_certificate: low +data/encoding/base64: low +data/encoding/json_decode: low +data/encoding/json_encode: low +data/hash/sha1: low +data/random/insecure: low +discover/network/interface_list: medium +discover/network/mac_address: medium +discover/process/name: medium +discover/process/parent: low +discover/process/runtime_deps: medium +discover/processes/list: medium +discover/system/hostname: low +discover/system/platform: low +discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +evasion/bypass_security/linux/ufw: medium +evasion/file/location/dev_shm: medium +evasion/hijack_execution/LD_LIBRARY_PATH: low +evasion/process_injection/ptrace: medium +exec/cmd: medium +exec/conditional/LANG: low +exec/dylib/address_check: low +exec/dylib/symbol_address: medium +exec/plugin: low +exec/program: medium 
+exec/program/background: low +exec/shell/TERM: low +exec/shell/echo: medium +exec/shell/pipe_sh: medium +exec/system_controls/apparmor: medium +exec/system_controls/stop: low +exfil/collection: medium +exfil/office_file_ext: medium +exfil/stealer/credit_card: medium +exfil/upload: medium +fs/directory/create: low +fs/directory/remove: low +fs/file/create: medium +fs/file/delete: medium +fs/file/delete_forcibly: low +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/stat: low +fs/file/times_set: medium +fs/file/truncate: low +fs/file/write: low +fs/link_read: low +fs/lock_update: low +fs/mount: low +fs/mounts_read: medium +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home: low +fs/path/home_config: low +fs/path/root: medium +fs/path/tmp: medium +fs/path/usr_bin: low +fs/path/usr_local: medium +fs/path/var: low +fs/permission/chown: low +fs/permission/modify: medium +fs/proc/arbitrary_pid: medium +fs/proc/cpuinfo: medium +fs/proc/meminfo: medium +fs/proc/self_cmdline: medium +fs/proc/self_exe: medium +fs/proc/self_status: medium +fs/proc/stat: medium +fs/symlink_resolve: low +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempdir/create: low +fs/tempfile: low +fs/unmount: low +fs/watch: low +hw/cpu: medium +hw/dev/block_ice: medium +hw/wireless: low +impact/remote_access/heartbeat: medium +lateral/scan/target_ip: medium +malware/ref: medium +mem/anonymous_file: medium +net/dns/over_https: medium +net/dns/servers: low +net/dns/txt: low +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/cookies: medium +net/http/fake_user_agent: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/http/websocket: medium +net/ip: low +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/multicast_send: low +net/ip/p_request: low +net/ip/parse: medium +net/ip/string: medium 
+net/proxy/socks5: medium +net/proxy/tunnel: medium +net/resolve/hostname: low +net/resolve/hostport_parse: low +net/rpc/ntlm: medium +net/socket/listen: medium +net/socket/local_addr: low +net/socket/pair: medium +net/socket/peer_address: low +net/socket/receive: low +net/socket/reuseport: medium +net/socket/send: low +net/tcp/ssh: medium +net/udp/kcp: medium +net/udp/upnp: medium +net/url/embedded: medium +net/url/encode: medium +net/url/parse: low +net/url/request: medium +net/webrtc: medium +os/fd/epoll: low +os/kernel/netlink: low +os/kernel/opencl: medium +os/kernel/seccomp: low +persist/service/start: low +privesc/setuid: low +privesc/sudo: medium +process/chdir: low +process/chroot: low +process/create: low +process/groups_set: low +process/multithreaded: low +sus/exclamation: medium +sus/intercept: medium +sus/malicious: medium diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple index e69de29bb..1d49e3f55 100644 --- a/tests/linux/clean/clickhouse.simple +++ b/tests/linux/clean/clickhouse.simple 
@@ -0,0 +1,205 @@ +# linux/clean/clickhouse: medium +anti-static/elf/multiple: medium +anti-static/obfuscation/obfuscate: low +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/server: medium +c2/client: medium +c2/discovery/dyndns: medium +c2/tool_transfer/arch: low +c2/tool_transfer/download: medium +c2/tool_transfer/dropper: medium +c2/tool_transfer/grayware: medium +c2/tool_transfer/os: medium +collect/databases/leveldb: medium +collect/databases/mysql: medium +collect/databases/postgresql: medium +collect/databases/sqlite: medium +credential/cloud/aws: medium +credential/cloud/g: medium +credential/gaming/minecraft: medium +credential/password: low +credential/sniffer/bpf: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ed25519: low +crypto/encrypt: medium +crypto/gost89: low +crypto/openssl: medium +crypto/public_key: low +crypto/tls: low +data/base64/decode: medium +data/base64/encode: medium +data/compression/bzip2: low +data/compression/gzip: low +data/compression/lzma: low +data/compression/zlib: low +data/compression/zstd: low +data/embedded/base64_url: medium +data/embedded/html: medium +data/embedded/pem_private_key: medium +data/encoding/base64: low +data/encoding/json_decode: low +data/encoding/json_encode: low +data/hash/blake2b: low +data/hash/md5: low +data/hash/sha1: low +data/hash/sha256: low +data/hash/whirlpool: medium +data/random/insecure: low +discover/cloud/google_metadata: low +discover/network/interface: low +discover/network/interface_list: medium +discover/permissions/capabilities: medium +discover/process/name: medium +discover/process/runtime_deps: medium +discover/processes/list: medium +discover/system/cpu: low +discover/system/dmesg: low +discover/system/hostname: low +discover/system/platform: low +discover/user/HOME: low +discover/user/USER: low +discover/user/name_get: low +evasion/bypass_security/linux/ufw: medium +evasion/file/location/dev_shm: medium 
+evasion/file/prefix: medium +evasion/hijack_execution/DYLD_LIBRARY_PATH: medium +evasion/hijack_execution/LD_LIBRARY_PATH: low +evasion/logging/acct: low +evasion/process_injection/ptrace: medium +exec/cmd: medium +exec/conditional/LANG: low +exec/dylib/address_check: low +exec/dylib/iterate: low +exec/dylib/symbol_address: medium +exec/install_additional/package_install: medium +exec/plugin: low +exec/program: medium +exec/program/background: low +exec/program/hidden: medium +exec/shell/SHELL: low +exec/shell/TERM: low +exec/shell/background_sleep: medium +exec/shell/echo: medium +exec/shell/ignore_output: medium +exec/shell/pipe_sh: medium +exec/system_controls/systemd: low +exfil/collection: medium +exfil/proxy: medium +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/file/capabilities_set: low +fs/file/copy: medium +fs/file/create: medium +fs/file/delete: medium +fs/file/delete_forcibly: medium +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/times_set: medium +fs/file/truncate: low +fs/file/write: low +fs/link_create: low +fs/link_read: low +fs/lock_update: low +fs/mount: low +fs/mounts_read: medium +fs/node_create: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home_config: low +fs/path/root: medium +fs/path/tmp: medium +fs/path/usr_bin: low +fs/path/usr_local: medium +fs/path/var: low +fs/path/var_log: medium +fs/permission/chown: low +fs/permission/modify: medium +fs/proc/arbitrary_pid: medium +fs/proc/cpuinfo: medium +fs/proc/meminfo: medium +fs/proc/net_dev: medium +fs/proc/pid_maps: medium +fs/proc/pid_status: medium +fs/proc/self_cgroup: medium +fs/proc/self_exe: medium +fs/proc/self_status: medium +fs/proc/stat: medium +fs/symlink_resolve: low +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempdir/create: low +fs/tempfile: low +fs/watch: low +hw/cpu: medium +hw/dev/block_ice: medium +impact/infection/worm: medium 
+impact/remote_access/heartbeat: medium +impact/shutdown: medium +net/dns/over_https: medium +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download/fetch: medium +net/email/exotic_addr: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/http/websocket: medium +net/ip: low +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/parse: medium +net/ip/resolve: low +net/ip/string: medium +net/proxy/socks5: medium +net/proxy/tunnel: medium +net/resolve/hostname: low +net/resolve/hostport_parse: low +net/rpc/ntlm: medium +net/socket/connect: medium +net/socket/listen: medium +net/socket/local_addr: low +net/socket/pair: medium +net/socket/peer_address: low +net/socket/receive: low +net/socket/reuseport: medium +net/socket/send: low +net/tcp/grpc: low +net/tcp/ssh: medium +net/url/embedded: medium +net/url/encode: medium +net/url/parse: low +os/fd/epoll: low +os/fd/print: low +os/fd/read: low +os/fd/sendfile: low +os/kernel/netlink: low +os/kernel/opencl: medium +os/time/tzinfo: low +persist/pid_file: medium +privesc/setuid: low +privesc/sudo: medium +process/chdir: low +process/chroot: low +process/create: low +process/groupid_set: low +process/multithreaded: low +sus/exclamation: medium +sus/intercept: medium +sus/leetspeak: medium +sus/malicious: medium diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md index e69de29bb..4270357c9 100644 --- a/tests/linux/clean/code-oss.md +++ b/tests/linux/clean/code-oss.md 
@@ -0,0 +1,192 @@ +## linux/clean/code-oss [🟡 MEDIUM] + +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--|--|--|--| +| MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | +| MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) | +| MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | +| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | +| MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) | +| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s) | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[bIp](https://github.com/search?q=bIp&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[gIp](https://github.com/search?q=gIp&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[maxPort](https://github.com/search?q=maxPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[minPort](https://github.com/search?q=minPort&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_ip](https://github.com/search?q=quic_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code) | +| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [_quic_drop_packets_with_changed_server_address](https://github.com/search?q=_quic_drop_packets_with_changed_server_address&type=code)
[server_address_](https://github.com/search?q=server_address_&type=code) | +| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) | +| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.4.4](https://github.com/search?q=8.8.4.4&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | +| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) | +| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [FrameDropper](https://github.com/search?q=FrameDropper&type=code)
[eye_dropper](https://github.com/search?q=eye_dropper&type=code)
[openEyeDropper](https://github.com/search?q=openEyeDropper&type=code) | +| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | +| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip_writer](https://github.com/search?q=zip_writer&type=code) | +| MEDIUM | [collect/databases/leveldb](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/leveldb.yara#leveldb) | accesses LevelDB databases | [LEVELDB_DATABASE](https://github.com/search?q=LEVELDB_DATABASE&type=code)
[LEVELDB_ITERATOR](https://github.com/search?q=LEVELDB_ITERATOR&type=code)
[LEVELDB_TRANSACTION](https://github.com/search?q=LEVELDB_TRANSACTION&type=code)
[LevelDBEH](https://github.com/search?q=LevelDBEH&type=code)
[LevelDBEnv](https://github.com/search?q=LevelDBEnv&type=code)
[LevelDBIH](https://github.com/search?q=LevelDBIH&type=code)
[LevelDBLeveledLock](https://github.com/search?q=LevelDBLeveledLock&type=code)
[LevelDBOpenErrors](https://github.com/search?q=LevelDBOpenErrors&type=code)
[LevelDBReadErrors](https://github.com/search?q=LevelDBReadErrors&type=code)
[LevelDBScopesKeyRange](https://github.com/search?q=LevelDBScopesKeyRange&type=code)
[LevelDBScopesMetadata](https://github.com/search?q=LevelDBScopesMetadata&type=code)
[LevelDBScopesUndoTask](https://github.com/search?q=LevelDBScopesUndoTask&type=code)
[LevelDBTransaction](https://github.com/search?q=LevelDBTransaction&type=code)
[LevelDBWrapper](https://github.com/search?q=LevelDBWrapper&type=code)
[LevelDBWriteErrors](https://github.com/search?q=LevelDBWriteErrors&type=code)
[MojoLevelDB](https://github.com/search?q=MojoLevelDB&type=code)
[OpenAndVerifyLevelDBDatabase](https://github.com/search?q=OpenAndVerifyLevelDBDatabase&type=code)
[OpenLevelDBScopes](https://github.com/search?q=OpenLevelDBScopes&type=code)
[indexed_db_leveldb_operations](https://github.com/search?q=indexed_db_leveldb_operations&type=code)
[lazy_leveldb](https://github.com/search?q=lazy_leveldb&type=code)
[leveldb_0x](https://github.com/search?q=leveldb_0x&type=code)
[leveldb_chrome](https://github.com/search?q=leveldb_chrome&type=code)
[leveldb_database](https://github.com/search?q=leveldb_database&type=code)
[leveldb_factory](https://github.com/search?q=leveldb_factory&type=code)
[leveldb_proto](https://github.com/search?q=leveldb_proto&type=code)
[leveldb_scopes](https://github.com/search?q=leveldb_scopes&type=code)
[leveldb_value_store](https://github.com/search?q=leveldb_value_store&type=code)
[proto_leveldb_wrapper](https://github.com/search?q=proto_leveldb_wrapper&type=code)
[transactional_leveldb_iterator](https://github.com/search?q=transactional_leveldb_iterator&type=code) | +| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) | +| MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) | +| MEDIUM | [credential/sniffer/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/sniffer/bpf.yara#sniffer_bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | +| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | +| MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | +| MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | [#"!](https://github.com/search?q=%23%22%21&type=code)
$opt0
$opt1
$opt2
$opt30
$opt4
$opt5
$opt6
$opt7
['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[3210](https://github.com/search?q=3210&type=code)
[7654](https://github.com/search?q=7654&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[onml](https://github.com/search?q=onml&type=code)
[srqp](https://github.com/search?q=srqp&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[](https://github.com/search?q=%83%82%81%80&type=code)
[](https://github.com/search?q=%87%86%85%84&type=code)
[](https://github.com/search?q=%8B%8A%89%88&type=code)
[](https://github.com/search?q=%8F%8E%8D%8C&type=code)
[](https://github.com/search?q=%93%92%91%90&type=code)
[](https://github.com/search?q=%97%96%95%94&type=code)
[](https://github.com/search?q=%9B%9A%99%98&type=code)
[](https://github.com/search?q=%9F%9E%9D%9C&type=code)
[](https://github.com/search?q=%A3%A2%A1%A0&type=code)
[](https://github.com/search?q=%A7%A6%A5%A4&type=code)
[](https://github.com/search?q=%AB%AA%A9%A8&type=code)
[](https://github.com/search?q=%AF%AE%AD%AC&type=code)
[](https://github.com/search?q=%B3%B2%B1%B0&type=code)
[](https://github.com/search?q=%B7%B6%B5%B4&type=code)
[](https://github.com/search?q=%BB%BA%B9%B8&type=code)
[](https://github.com/search?q=%BF%BE%BD%BC&type=code)
[](https://github.com/search?q=%C3%C2%C1%C0&type=code)
[](https://github.com/search?q=%C7%C6%C5%C4&type=code)
[](https://github.com/search?q=%CB%CA%C9%C8&type=code)
[](https://github.com/search?q=%CF%CE%CD%CC&type=code)
[](https://github.com/search?q=%D3%D2%D1%D0&type=code)
[](https://github.com/search?q=%D7%D6%D5%D4&type=code)
[](https://github.com/search?q=%DB%DA%D9%D8&type=code)
[](https://github.com/search?q=%DF%DE%DD%DC&type=code)
[](https://github.com/search?q=%E3%E2%E1%E0&type=code)
[](https://github.com/search?q=%E7%E6%E5%E4&type=code)
[](https://github.com/search?q=%EB%EA%E9%E8&type=code)
[](https://github.com/search?q=%EF%EE%ED%EC&type=code)
[](https://github.com/search?q=%F3%F2%F1%F0&type=code)
[](https://github.com/search?q=%F7%F6%F5%F4&type=code)
[](https://github.com/search?q=%FB%FA%F9%F8&type=code)
[](https://github.com/search?q=%FF%FE%FD%FC&type=code) | +| MEDIUM | [crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid) | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | +| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [base64_encode](https://github.com/search?q=base64_encode&type=code) | +| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[RpcmVjdG9ye::$directory](https://github.com/search?q=RpcmVjdG9ye%3A%3A%24directory&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | +| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[h0dHBzOi8v::$https](https://github.com/search?q=h0dHBzOi8v%3A%3A%24https&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) | +| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | +| MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code)
[networkInterfaces](https://github.com/search?q=networkInterfaces&type=code) | +| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | +| MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | +| MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | +| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | +| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) | +| MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | +| MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code)
[vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code) | +| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | +| MEDIUM | [exec/program/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/hidden.yara#relative_hidden_launcher) | relative hidden launcher | [./.691.9B](https://github.com/search?q=.%2F.691.9B&type=code)
[bash](https://github.com/search?q=bash&type=code)
[exec](https://github.com/search?q=exec&type=code)
[system](https://github.com/search?q=system&type=code) | +| MEDIUM | [exec/shell/pipe_sh](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/pipe_sh.yara#pipe_to_shell) | pipes to shell | [| sh](https://github.com/search?q=%7C+sh&type=code) | +| MEDIUM | [exec/tty/pathname](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/pathname.yara#ttyname) | returns the pathname of a terminal device | [ttyname](https://github.com/search?q=ttyname&type=code) | +| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | +| MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#google_drive) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [drive.google.com/](https://github.com/search?q=drive.google.com%2F&type=code) | +| MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy) | copy files using cp | [copyFile](https://github.com/search?q=copyFile&type=code) | +| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileAndStart](https://github.com/search?q=CreateFileAndStart&type=code)
[CreateFileAndWrite](https://github.com/search?q=CreateFileAndWrite&type=code)
[CreateFileOpenDial](https://github.com/search?q=CreateFileOpenDial&type=code)
[CreateFileToTrunca](https://github.com/search?q=CreateFileToTrunca&type=code)
[CreateFileURLLoade](https://github.com/search?q=CreateFileURLLoade&type=code)
[CreateFileWriterIm](https://github.com/search?q=CreateFileWriterIm&type=code) | +| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFileOnFileSe](https://github.com/search?q=DeleteFileOnFileSe&type=code) | +| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utimes](https://github.com/search?q=utimes&type=code) | +| MEDIUM | [fs/path/etc_hosts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts) | references /etc/hosts | [/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) | +| MEDIUM | [fs/path/root](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/root.yara#root_path_val) | path reference within /root | [/root/root-legacy.js](https://github.com/search?q=%2Froot%2Froot-legacy.js&type=code)
[/root/root.js](https://github.com/search?q=%2Froot%2Froot.js&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/__v8_gc__](https://github.com/search?q=%2Ftmp%2F__v8_gc__&type=code)
[/tmp/chromium-upload-XXXXXXXXXXXXXXXX](https://github.com/search?q=%2Ftmp%2Fchromium-upload-XXXXXXXXXXXXXXXX&type=code)
[/tmp/node-repl-sock](https://github.com/search?q=%2Ftmp%2Fnode-repl-sock&type=code)
[/tmp/perf-%d.map](https://github.com/search?q=%2Ftmp%2Fperf-%25d.map&type=code)
[/tmp/perfetto-consumer](https://github.com/search?q=%2Ftmp%2Fperfetto-consumer&type=code)
[/tmp/perfetto-producer](https://github.com/search?q=%2Ftmp%2Fperfetto-producer&type=code) | +| MEDIUM | [fs/path/var_log](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var-log.yara#var_log_path) | path reference within /var/log | [/var/log/bluetooth/log.bz2.old](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Flog.bz2.old&type=code) | +| MEDIUM | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown) | Changes file ownership | [Chown](https://github.com/search?q=Chown&type=code) | +| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [Chmod](https://github.com/search?q=Chmod&type=code)
[chmod](https://github.com/search?q=chmod&type=code) | +| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/$](https://github.com/search?q=%2Fproc%2F%24&type=code)
[/proc/%d/task/](https://github.com/search?q=%2Fproc%2F%25d%2Ftask%2F&type=code) | +| MEDIUM | [fs/proc/cpuinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/cpuinfo.yara#proc_cpuinfo) | get CPU info | [/proc/cpuinfo](https://github.com/search?q=%2Fproc%2Fcpuinfo&type=code) | +| MEDIUM | [fs/proc/meminfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/meminfo.yara#proc_meminfo_val) | get memory info | [/proc/meminfo](https://github.com/search?q=%2Fproc%2Fmeminfo&type=code) | +| MEDIUM | [fs/proc/self_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cmdline.yara#proc_self_cmdline) | gets process command-line | [/proc/self/cmdline](https://github.com/search?q=%2Fproc%2Fself%2Fcmdline&type=code) | +| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | +| MEDIUM | [fs/proc/self_status](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-status.yara#proc_self_status) | gets status associated to this process, including capabilities | [/proc/self/status](https://github.com/search?q=%2Fproc%2Fself%2Fstatus&type=code) | +| MEDIUM | [fs/proc/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/stat.yara#proc_stat) | gets kernel/system statistics | [/proc/stat](https://github.com/search?q=%2Fproc%2Fstat&type=code) | +| MEDIUM | [hw/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/cpu.yara#sys_devices_cpu) | Get information about CPUs | [/sys/devices/system/cpu](https://github.com/search?q=%2Fsys%2Fdevices%2Fsystem%2Fcpu&type=code) | +| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [Failed to deserialized 
Heartbeat info pa](https://github.com/search?q=Failed+to+deserialized+Heartbeat+info+pa&type=code)
[Invalid heartbeat info:](https://github.com/search?q=Invalid+heartbeat+info%3A&type=code)
[No Heartbeat Info pa](https://github.com/search?q=No+Heartbeat+Info+pa&type=code)
[heartbeat:](https://github.com/search?q=heartbeat%3A&type=code)
[heartbeat_handler](https://github.com/search?q=heartbeat_handler&type=code) | +| MEDIUM | [lateral/scan/target_ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/target_ip.yara#target_ip) | References a target IP | [target IP](https://github.com/search?q=target+IP&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [malware/ref](https://github.com/chainguard-dev/malcontent/blob/main/rules/malware/ref.yara#malware) | mentions 'malware' | [_malware](https://github.com/search?q=_malware&type=code) | +| MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [DnsOverHttps](https://github.com/search?q=DnsOverHttps&type=code)
[application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) | +| MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | +| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | +| MEDIUM | [net/http/content_length](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length.yara#content_length_0) | Sets HTTP content length to zero | [Content-Length: 0](https://github.com/search?q=Content-Length%3A+0&type=code) | +| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type header.](https://github.com/search?q=Content-Type+header.&type=code)
[Content-Type: application/json](https://github.com/search?q=Content-Type%3A+application%2Fjson&type=code)
[Content-Type: application/octet](https://github.com/search?q=Content-Type%3A+application%2Foctet&type=code)
[Content-Type: multipart/form](https://github.com/search?q=Content-Type%3A+multipart%2Fform&type=code)
[Content-Type: multipart/related](https://github.com/search?q=Content-Type%3A+multipart%2Frelated&type=code)
[Content-Type: text/html](https://github.com/search?q=Content-Type%3A+text%2Fhtml&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[AcceptWebSocket](https://github.com/search?q=AcceptWebSocket&type=code)
[DOMWebSocket](https://github.com/search?q=DOMWebSocket&type=code)
[OnWebSocketMessage](https://github.com/search?q=OnWebSocketMessage&type=code)
[OnWebSocketRequest](https://github.com/search?q=OnWebSocketRequest&type=code)
[ServerSupportsWebSocket](https://github.com/search?q=ServerSupportsWebSocket&type=code)
[WebSocket::Close](https://github.com/search?q=WebSocket%3A%3AClose&type=code)
[WebSocket::Connect](https://github.com/search?q=WebSocket%3A%3AConnect&type=code)
[WebSocket::Create](https://github.com/search?q=WebSocket%3A%3ACreate&type=code)
[WebSocket::GetBufferedAmount](https://github.com/search?q=WebSocket%3A%3AGetBufferedAmount&type=code)
[WebSocket::GetCloseCode](https://github.com/search?q=WebSocket%3A%3AGetCloseCode&type=code)
[WebSocket::GetCloseReason](https://github.com/search?q=WebSocket%3A%3AGetCloseReason&type=code)
[WebSocket::GetCloseWasClean](https://github.com/search?q=WebSocket%3A%3AGetCloseWasClean&type=code)
[WebSocket::GetExtensions](https://github.com/search?q=WebSocket%3A%3AGetExtensions&type=code)
[WebSocket::GetProtocol](https://github.com/search?q=WebSocket%3A%3AGetProtocol&type=code)
[WebSocket::GetReadyState](https://github.com/search?q=WebSocket%3A%3AGetReadyState&type=code)
[WebSocket::GetURL](https://github.com/search?q=WebSocket%3A%3AGetURL&type=code)
[WebSocket::IsWebSocket](https://github.com/search?q=WebSocket%3A%3AIsWebSocket&type=code)
[WebSocket::ReceiveMessage](https://github.com/search?q=WebSocket%3A%3AReceiveMessage&type=code)
[WebSocket::SendMessage](https://github.com/search?q=WebSocket%3A%3ASendMessage&type=code)
[WebSocketAdapter](https://github.com/search?q=WebSocketAdapter&type=code)
[WebSocketAuthenticationHandler](https://github.com/search?q=WebSocketAuthenticationHandler&type=code)
[WebSocketChannelImpl](https://github.com/search?q=WebSocketChannelImpl&type=code)
[WebSocketClient](https://github.com/search?q=WebSocketClient&type=code)
[WebSocketCloseInfo](https://github.com/search?q=WebSocketCloseInfo&type=code)
[WebSocketConnector](https://github.com/search?q=WebSocketConnector&type=code)
[WebSocketCreate](https://github.com/search?q=WebSocketCreate&type=code)
[WebSocketDestroy](https://github.com/search?q=WebSocketDestroy&type=code)
[WebSocketHandshakeClient](https://github.com/search?q=WebSocketHandshakeClient&type=code)
[WebSocketMessageChunkAccumulator::Segment](https://github.com/search?q=WebSocketMessageChunkAccumulator%3A%3ASegment&type=code)
[WebSocketReassembleShortMessages](https://github.com/search?q=WebSocketReassembleShortMessages&type=code)
[WebSocketReceiveHandshakeResponse](https://github.com/search?q=WebSocketReceiveHandshakeResponse&type=code)
[WebSocketSendHandshakeRequest](https://github.com/search?q=WebSocketSendHandshakeRequest&type=code)
[WebSocketStream::Delegate::OnAuthRequired](https://github.com/search?q=WebSocketStream%3A%3ADelegate%3A%3AOnAuthRequired&type=code)
[WebSocketStreamOptions](https://github.com/search?q=WebSocketStreamOptions&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code)
[testWebSocketPort](https://github.com/search?q=testWebSocketPort&type=code)
[webSocketClosed](https://github.com/search?q=webSocketClosed&type=code)
[webSocketCreated](https://github.com/search?q=webSocketCreated&type=code)
[webSocketDebuggerUrl](https://github.com/search?q=webSocketDebuggerUrl&type=code)
[webSocketFrameError](https://github.com/search?q=webSocketFrameError&type=code)
[webSocketFrameReceived](https://github.com/search?q=webSocketFrameReceived&type=code)
[webSocketFrameSent](https://github.com/search?q=webSocketFrameSent&type=code)
[webSocketHandshakeResponseReceived](https://github.com/search?q=webSocketHandshakeResponseReceived&type=code)
[webSocketProtocol](https://github.com/search?q=webSocketProtocol&type=code)
[webSocketWillSendHandshakeRequest](https://github.com/search?q=webSocketWillSendHandshakeRequest&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host",t.port](https://github.com/search?q=host%22%2Ct.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+++origin_port&type=code)
[host, ctx.port](https://github.com/search?q=host%2C+ctx.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+origin_port&type=code)
[host, port](https://github.com/search?q=host%2C+port&type=code)
[host,r.port=e.port](https://github.com/search?q=host%2Cr.port%3De.port&type=code)
[host.length - port](https://github.com/search?q=host.length+-+port&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host:]port](https://github.com/search?q=host%3A%5Dport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host=null,this.port](https://github.com/search?q=host%3Dnull%2Cthis.port&type=code)
[host>:[host_import](https://github.com/search?q=host_import&type=code)
[hostname and port](https://github.com/search?q=hostname+and+port&type=code)
[hostname, port](https://github.com/search?q=hostname%2C+port&type=code)
[hostname="",r.port](https://github.com/search?q=hostname%3D%22%22%2Cr.port&type=code)
[hostname=null,e.port](https://github.com/search?q=hostname%3Dnull%2Ce.port&type=code)
[host}${port](https://github.com/search?q=host%7D%24%7Bport&type=code)
[host}:${port](https://github.com/search?q=host%7D%3A%24%7Bport&type=code) | +| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping err](https://github.com/search?q=ping++err&type=code)
[ping cancelled](https://github.com/search?q=ping+cancelled&type=code)
[ping connectivity probe](https://github.com/search?q=ping+connectivity+probe&type=code)
[ping failures and](https://github.com/search?q=ping+failures+and&type=code)
[ping from zygote child](https://github.com/search?q=ping+from+zygote+child&type=code)
[ping interval to](https://github.com/search?q=ping+interval+to&type=code)
[ping interval.](https://github.com/search?q=ping+interval.&type=code)
[ping last_ping_sent_:](https://github.com/search?q=ping+last_ping_sent_%3A&type=code)
[ping libuv](https://github.com/search?q=ping+libuv&type=code)
[ping most likely connection to](https://github.com/search?q=ping+most+likely+connection+to&type=code)
[ping payload must be 8 bytes](https://github.com/search?q=ping+payload+must+be+8+bytes&type=code)
[ping received](https://github.com/search?q=ping+received&type=code)
[ping response](https://github.com/search?q=ping+response&type=code)
[ping was sent and the ack](https://github.com/search?q=ping+was+sent+and+the+ack&type=code)
[ping with high retransmit count:](https://github.com/search?q=ping+with+high+retransmit+count%3A&type=code) | +| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | +| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | +| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [CONNECT %s](https://github.com/search?q=CONNECT+%25s&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | +| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[Tunnel](https://github.com/search?q=Tunnel&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | +| MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [ntlm](https://github.com/search?q=ntlm&type=code) | +| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) | +| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | +| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | +| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) | +| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[http://autocomplete.nigma.ru/complete/query_help.php?suggest=true](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code) | +| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | +| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code)
[request(url,](https://github.com/search?q=request%28url%2C&type=code) | +| MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | +| MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | +| MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo chmod 1777 /dev/shm](https://github.com/search?q=sudo+chmod+1777+%2Fdev%2Fshm&type=code) | +| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[0 !!!!](https://github.com/search?q=0+++++++%21%21%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[12366 !!!](https://github.com/search?q=12366++++++%21%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH++++%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[AGG !!](https://github.com/search?q=AGG+++++%21%21&type=code)
[CGIJMOQS !!](https://github.com/search?q=CGIJMOQS++++%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[EE !!](https://github.com/search?q=EE++++%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code) | +| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptorConfig](https://github.com/search?q=interceptorConfig&type=code)
[interceptorEv](https://github.com/search?q=interceptorEv&type=code)
[interceptor_config](https://github.com/search?q=interceptor_config&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | +| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | +| LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscate_location_parse_error](https://github.com/search?q=obfuscate_location_parse_error&type=code)
[obfuscated_field_name](https://github.com/search?q=obfuscated_field_name&type=code)
[obfuscated_file_util](https://github.com/search?q=obfuscated_file_util&type=code)
[obfuscated_name](https://github.com/search?q=obfuscated_name&type=code) | +| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://127.0.0.1](http://127.0.0.1)
[http://Descriptionrelatively](http://Descriptionrelatively)
[http://according](http://according)
[http://addEventListenerresponsible](http://addEventListenerresponsible)
[http://ak.apnstatic.com/media/images/favicon_search](http://ak.apnstatic.com/media/images/favicon_search)
[http://applicationslink](http://applicationslink)
[http://arianna.libero.it/search/abin/integrata.cgi](http://arianna.libero.it/search/abin/integrata.cgi)
[http://autocomplete.nigma.ru/complete/query_help.php](http://autocomplete.nigma.ru/complete/query_help.php)
[http://buscador.softonic.com/](http://buscador.softonic.com/)
[http://buscador.terra.es/Default.aspx](http://buscador.terra.es/Default.aspx)
[http://buscador.terra.es/favicon.ico](http://buscador.terra.es/favicon.ico)
[http://buscar.terra.com.ar/Default.aspx](http://buscar.terra.com.ar/Default.aspx)
[http://buscar.terra.com.ar/favicon.ico](http://buscar.terra.com.ar/favicon.ico)
[http://certificates.godaddy.com/repository/gd_intermediate.crt0](http://certificates.godaddy.com/repository/gd_intermediate.crt0)
[http://certificates.godaddy.com/repository100.](http://certificates.godaddy.com/repository100.)
[http://clients3.google.com/cert_upload_json](http://clients3.google.com/cert_upload_json)
[http://code.google.com/p/closure](http://code.google.com/p/closure)
[http://crbug.com/1138528](http://crbug.com/1138528)
[http://crbug.com/660005.](http://crbug.com/660005.)
[http://crl.comodo.net/AAACertificateServices.crl0](http://crl.comodo.net/AAACertificateServices.crl0)
[http://crl.comodoca.com/AAACertificateServices.crl06](http://crl.comodoca.com/AAACertificateServices.crl06)
[http://crl.comodoca.com/COMODOCertificationAuthority.crl0](http://crl.comodoca.com/COMODOCertificationAuthority.crl0)
[http://crl.globalsign.net/root](http://crl.globalsign.net/root)
[http://crl.godaddy.com/gds1](http://crl.godaddy.com/gds1)
[http://csp.yahoo.com/beacon/csp](http://csp.yahoo.com/beacon/csp)
[http://dictionaryperceptionrevolutionfoundationpx](http://dictionaryperceptionrevolutionfoundationpx)
[http://dts.search](http://dts.search)
[http://en.softonic.com/s/](http://en.softonic.com/s/)
[http://encoding=](http://encoding=)
[http://exslt.org/common](http://exslt.org/common)
[http://familiar](http://familiar)
[http://feed.snap.do/](http://feed.snap.do/)
[http://feed.snapdo.com/](http://feed.snapdo.com/)
[http://feross.org](http://feross.org)
[http://find.in.gr/Themes/1/Default/Media/Layout/icon_in.png](http://find.in.gr/Themes/1/Default/Media/Layout/icon_in.png)
[http://g1.delphi.lv/favicon.ico](http://g1.delphi.lv/favicon.ico)
[http://hladaj.atlas.sk/fulltext/](http://hladaj.atlas.sk/fulltext/)
[http://html4/loose.dtd](http://html4/loose.dtd)
[http://i.rl0.ru/2011/icons/rambler.ico](http://i.rl0.ru/2011/icons/rambler.ico)
[http://i.wp.pl/a/i/stg/500/favicon.ico](http://i.wp.pl/a/i/stg/500/favicon.ico)
[http://icl.com/saxon](http://icl.com/saxon)
[http://imEnglish](http://imEnglish)
[http://imgs.sapo.pt/images/sapo.ico](http://imgs.sapo.pt/images/sapo.ico)
[http://interested](http://interested)
[http://interpreted](http://interpreted)
[http://iparticipation](http://iparticipation)
[http://isearch.avg.com/search](http://isearch.avg.com/search)
[http://l.twimg.com/i/hpkp_report](http://l.twimg.com/i/hpkp_report)
[http://linkurystoragenorthus.blob.core.windows.net/static/favicon.ico](http://linkurystoragenorthus.blob.core.windows.net/static/favicon.ico)
[http://localhost](http://localhost)
[http://mathematicsmargin](http://mathematicsmargin)
[http://mixidj.delta](http://mixidj.delta)
[http://ms1.iol.it/graph_hf/v.8.3.04/themes/default/img/favicon.ico](http://ms1.iol.it/graph_hf/v.8.3.04/themes/default/img/favicon.ico)
[http://mysearch.sweetpacks.com/](http://mysearch.sweetpacks.com/)
[http://mystart.incredibar.com/](http://mystart.incredibar.com/)
[http://narwhaljs.org](http://narwhaljs.org)
[http://navigation](http://navigation)
[http://nigma.ru/themes/nigma/img/favicon.ico](http://nigma.ru/themes/nigma/img/favicon.ico)
[http://nl.softonic.com/s/](http://nl.softonic.com/s/)
[http://nova.rambler.ru/search](http://nova.rambler.ru/search)
[http://nova.rambler.ru/suggest](http://nova.rambler.ru/suggest)
[http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/](http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/)
[http://ns.adobe.com/data](http://ns.adobe.com/data)
[http://ns.adobe.com/pdf/1.3/](http://ns.adobe.com/pdf/1.3/)
[http://ns.adobe.com/xap/1.0/mm/](http://ns.adobe.com/xap/1.0/mm/)
[http://ns.adobe.com/xdp/pdf/](http://ns.adobe.com/xdp/pdf/)
[http://ns.adobe.com/xfdf/](http://ns.adobe.com/xfdf/)
[http://ns.adobe.com/xmpmeta/](http://ns.adobe.com/xmpmeta/)
[http://ocsp.godaddy.com/0J](http://ocsp.godaddy.com/0J)
[http://ok.hu/gfx/favicon.ico](http://ok.hu/gfx/favicon.ico)
[http://ok.hu/katalogus](http://ok.hu/katalogus)
[http://pesquisa.sapo.pt/livesapo](http://pesquisa.sapo.pt/livesapo)
[http://purl.org/dc/elements/1.1/](http://purl.org/dc/elements/1.1/)
[http://radce.centrum.cz/](http://radce.centrum.cz/)
[http://search.avg.com/favicon.ico](http://search.avg.com/favicon.ico)
[http://search.avg.com/route/](http://search.avg.com/route/)
[http://search.avg.com/search](http://search.avg.com/search)
[http://search.babylon.com/favicon.ico](http://search.babylon.com/favicon.ico)
[http://search.babylon.com/home](http://search.babylon.com/home)
[http://search.conduit.com/Results.aspx](http://search.conduit.com/Results.aspx)
[http://search.goo.ne.jp/sgt.jsp](http://search.goo.ne.jp/sgt.jsp)
[http://search.goo.ne.jp/web.jsp](http://search.goo.ne.jp/web.jsp)
[http://search.imesh.net/favicon.ico](http://search.imesh.net/favicon.ico)
[http://search.imesh.net/music](http://search.imesh.net/music)
[http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Default.aspx](http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Default.aspx)
[http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Result.aspx](http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Result.aspx)
[http://search.iminent.com/Shared/Images/favicon_gl.ico](http://search.iminent.com/Shared/Images/favicon_gl.ico)
[http://search.incredibar.com/favicon.ico](http://search.incredibar.com/favicon.ico)
[http://search.incredibar.com/search.php](http://search.incredibar.com/search.php)
[http://search.snap.do/](http://search.snap.do/)
[http://search.snapdo.com/](http://search.snapdo.com/)
[http://search.softonic.com/img/favicon.ico](http://search.softonic.com/img/favicon.ico)
[http://search.sweetim.com/favicon.ico](http://search.sweetim.com/favicon.ico)
[http://search.sweetim.com/search.asp](http://search.sweetim.com/search.asp)
[http://search.tut.by/favicon.ico](http://search.tut.by/favicon.ico)
[http://search.walla.co.il/](http://search.walla.co.il/)
[http://searchatlas.centrum.cz/](http://searchatlas.centrum.cz/)
[http://searchfunmoods.com/favicon.ico](http://searchfunmoods.com/favicon.ico)
[http://searchfunmoods.com/results.php](http://searchfunmoods.com/results.php)
[http://site_name](http://site_name)
[http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js](http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js)
[http://start.iminent.com/StartWeb/1033/homepage/](http://start.iminent.com/StartWeb/1033/homepage/)
[http://start.sweetpacks.com/favicon.ico](http://start.sweetpacks.com/favicon.ico)
[http://start.sweetpacks.com/search.asp](http://start.sweetpacks.com/search.asp)
[http://static.mediacentrum.sk/katalog/atlas.sk/images/favicon.ico](http://static.mediacentrum.sk/katalog/atlas.sk/images/favicon.ico)
[http://staticsuggested](http://staticsuggested)
[http://suggest.yandex.ru/suggest](http://suggest.yandex.ru/suggest)
[http://szukaj.wp.pl/szukaj.html](http://szukaj.wp.pl/szukaj.html)
[http://tools.ietf.org/html/rfc3986](http://tools.ietf.org/html/rfc3986)
[http://unisolated.invalid](http://unisolated.invalid)
[http://userguide.icu](http://userguide.icu)
[http://wpad/wpad.dat](http://wpad/wpad.dat)
[http://www./div](http://www./div)
[http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html](http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html)
[http://www.C//DTD](http://www.C//DTD)
[http://www.aiim.org/pdfa/ns/id/](http://www.aiim.org/pdfa/ns/id/)
[http://www.apache.org/licenses/LICENSE](http://www.apache.org/licenses/LICENSE)
[http://www.brynosaurus.com/cachedir/](http://www.brynosaurus.com/cachedir/)
[http://www.color.org](http://www.color.org)
[http://www.conduit.com/favicon.ico](http://www.conduit.com/favicon.ico)
[http://www.conduit.com/search](http://www.conduit.com/search)
[http://www.delfi.lt/paieska/](http://www.delfi.lt/paieska/)
[http://www.delfi.lv/search_all/](http://www.delfi.lv/search_all/)
[http://www.delta](http://www.delta)
[http://www.example.com](http://www.example.com)
[http://www.hortcut](http://www.hortcut)
[http://www.ibm.com/data/dtd/v11/ibmxhtml1](http://www.ibm.com/data/dtd/v11/ibmxhtml1)
[http://www.icon](http://www.icon)
[http://www.iec.ch](http://www.iec.ch)
[http://www.ietf.org/id/draft](http://www.ietf.org/id/draft)
[http://www.interpretation](http://www.interpretation)
[http://www.jclark.com/xt](http://www.jclark.com/xt)
[http://www.language=](http://www.language=)
[http://www.midnight](http://www.midnight)
[http://www.neti.ee/api/suggestOS](http://www.neti.ee/api/suggestOS)
[http://www.neti.ee/cgi](http://www.neti.ee/cgi)
[http://www.neti.ee/favicon.ico](http://www.neti.ee/favicon.ico)
[http://www.search.delta](http://www.search.delta)
[http://www.searchnu.com/favicon.ico](http://www.searchnu.com/favicon.ico)
[http://www.searchnu.com/web](http://www.searchnu.com/web)
[http://www.softonic.com.br/s/](http://www.softonic.com.br/s/)
[http://www.softonic.com/s/](http://www.softonic.com/s/)
[http://www.squid](http://www.squid)
[http://www.style=](http://www.style=)
[http://www.text](http://www.text)
[http://www.w3.org/1998/Math/MathML](http://www.w3.org/1998/Math/MathML)
[http://www.w3.org/1999/02/22](http://www.w3.org/1999/02/22)
[http://www.w3.org/1999/XSL/Transform](http://www.w3.org/1999/XSL/Transform)
[http://www.w3.org/1999/xhtml](http://www.w3.org/1999/xhtml)
[http://www.w3.org/1999/xlink](http://www.w3.org/1999/xlink)
[http://www.w3.org/2000/09/xmldsig](http://www.w3.org/2000/09/xmldsig)
[http://www.w3.org/2000/svg](http://www.w3.org/2000/svg)
[http://www.w3.org/2000/xmlns/](http://www.w3.org/2000/xmlns/)
[http://www.w3.org/2001/XMLSchema](http://www.w3.org/2001/XMLSchema)
[http://www.w3.org/2002/08/xquery](http://www.w3.org/2002/08/xquery)
[http://www.w3.org/Graphics/SVG](http://www.w3.org/Graphics/SVG)
[http://www.w3.org/TR/1999/REC](http://www.w3.org/TR/1999/REC)
[http://www.w3.org/TR/REC](http://www.w3.org/TR/REC)
[http://www.w3.org/TR/html4/frameset.dtd](http://www.w3.org/TR/html4/frameset.dtd)
[http://www.w3.org/TR/html4/loose.dtd](http://www.w3.org/TR/html4/loose.dtd)
[http://www.w3.org/TR/html4/strict.dtd](http://www.w3.org/TR/html4/strict.dtd)
[http://www.w3.org/TR/xhtml1/DTD/xhtml1](http://www.w3.org/TR/xhtml1/DTD/xhtml1)
[http://www.w3.org/XML/1998/namespace](http://www.w3.org/XML/1998/namespace)
[http://www.w3.org/shortcut](http://www.w3.org/shortcut)
[http://www.walla.co.il/favicon.ico](http://www.walla.co.il/favicon.ico)
[http://www.webrtc.org/experiments/rtp](http://www.webrtc.org/experiments/rtp)
[http://www.wencodeURIComponent](http://www.wencodeURIComponent)
[http://www.xfa.com/schema/xfa](http://www.xfa.com/schema/xfa)
[http://www.xfa.org/schema/xci/](http://www.xfa.org/schema/xci/)
[http://www.xfa.org/schema/xdc/](http://www.xfa.org/schema/xdc/)
[http://www.xfa.org/schema/xfa](http://www.xfa.org/schema/xfa)
[http://www.years](http://www.years)
[http://www.yhs.delta](http://www.yhs.delta)
[http://www.zoznam.sk/hladaj.fcgi](http://www.zoznam.sk/hladaj.fcgi)
[http://www1.delta](http://www1.delta)
[http://www2.delta](http://www2.delta)
[http://www2.public](http://www2.public)
[http://xmlsoft.org/XSLT/namespace](http://xmlsoft.org/XSLT/namespace)
[https://ac.ecosia.org/autocomplete](https://ac.ecosia.org/autocomplete)
[https://ac.search.naver.com/nx/ac](https://ac.search.naver.com/nx/ac)
[https://alekberg.net/privacy](https://alekberg.net/privacy)
[https://android.com/pay](https://android.com/pay)
[https://aomediacodec.github.io/av1](https://aomediacodec.github.io/av1)
[https://api.oceanhero.today/suggestions](https://api.oceanhero.today/suggestions)
[https://api.qwant.com/api/suggest/](https://api.qwant.com/api/suggest/)
[https://ar.search.yahoo.com/favicon.ico](https://ar.search.yahoo.com/favicon.ico)
[https://ar.search.yahoo.com/search](https://ar.search.yahoo.com/search)
[https://ar.search.yahoo.com/sugg/chrome](https://ar.search.yahoo.com/sugg/chrome)
[https://at.search.yahoo.com/favicon.ico](https://at.search.yahoo.com/favicon.ico)
[https://at.search.yahoo.com/search](https://at.search.yahoo.com/search)
[https://at.search.yahoo.com/sugg/chrome](https://at.search.yahoo.com/sugg/chrome)
[https://au.search.yahoo.com/favicon.ico](https://au.search.yahoo.com/favicon.ico)
[https://au.search.yahoo.com/search](https://au.search.yahoo.com/search)
[https://au.search.yahoo.com/sugg/chrome](https://au.search.yahoo.com/sugg/chrome)
[https://beacons.gcp.gvt2.com/domainreliability/upload](https://beacons.gcp.gvt2.com/domainreliability/upload)
[https://beacons.gvt2.com/domainreliability/upload](https://beacons.gvt2.com/domainreliability/upload)
[https://beacons2.gvt2.com/domainreliability/upload](https://beacons2.gvt2.com/domainreliability/upload)
[https://beacons3.gvt2.com/domainreliability/upload](https://beacons3.gvt2.com/domainreliability/upload)
[https://beacons4.gvt2.com/domainreliability/upload](https://beacons4.gvt2.com/domainreliability/upload)
[https://beacons5.gvt2.com/domainreliability/upload](https://beacons5.gvt2.com/domainreliability/upload)
[https://beacons5.gvt3.com/domainreliability/upload](https://beacons5.gvt3.com/domainreliability/upload)
[https://bit.ly/3rpDuEX.](https://bit.ly/3rpDuEX.)
[https://bit.ly/audio](https://bit.ly/audio)
[https://blog.chromium.org/2019/10/no](https://blog.chromium.org/2019/10/no)
[https://br.search.yahoo.com/favicon.ico](https://br.search.yahoo.com/favicon.ico)
[https://br.search.yahoo.com/search](https://br.search.yahoo.com/search)
[https://br.search.yahoo.com/sugg/chrome](https://br.search.yahoo.com/sugg/chrome)
[https://bugs.chromium.org/p/chromium/issues/detail](https://bugs.chromium.org/p/chromium/issues/detail)
[https://bugs.chromium.org/p/dawn/issues/detail](https://bugs.chromium.org/p/dawn/issues/detail)
[https://bugs.chromium.org/p/v8/issues/detail](https://bugs.chromium.org/p/v8/issues/detail)
[https://buscador.softonic.com/](https://buscador.softonic.com/)
[https://buscador.terra.com.ar/Default.aspx](https://buscador.terra.com.ar/Default.aspx)
[https://buscador.terra.es/Default.aspx](https://buscador.terra.es/Default.aspx)
[https://c.android.clients.google.com/](https://c.android.clients.google.com/)
[https://c.bigcache.googleapis.com/](https://c.bigcache.googleapis.com/)
[https://c.docs.google.com/](https://c.docs.google.com/)
[https://c.drive.google.com/](https://c.drive.google.com/)
[https://c.googlesyndication.com/](https://c.googlesyndication.com/)
[https://c.pack.google.com/](https://c.pack.google.com/)
[https://c.play.google.com/](https://c.play.google.com/)
[https://c.youtube.com/](https://c.youtube.com/)
[https://ca.search.yahoo.com/favicon.ico](https://ca.search.yahoo.com/favicon.ico)
[https://ca.search.yahoo.com/search](https://ca.search.yahoo.com/search)
[https://ca.search.yahoo.com/sugg/chrome](https://ca.search.yahoo.com/sugg/chrome)
[https://cdn.ecosia.org/assets/images/ico/favicon.ico](https://cdn.ecosia.org/assets/images/ico/favicon.ico)
[https://ch.search.yahoo.com/favicon.ico](https://ch.search.yahoo.com/favicon.ico)
[https://ch.search.yahoo.com/search](https://ch.search.yahoo.com/search)
[https://ch.search.yahoo.com/sugg/chrome](https://ch.search.yahoo.com/sugg/chrome)
[https://chrome.cloudflare](https://chrome.cloudflare)
[https://chrome.google.com/webstore](https://chrome.google.com/webstore)
[https://chromium.dns.nextdns.io](https://chromium.dns.nextdns.io)
[https://chromium.googlesource.com/chromium/src/](https://chromium.googlesource.com/chromium/src/)
[https://cl.search.yahoo.com/favicon.ico](https://cl.search.yahoo.com/favicon.ico)
[https://cl.search.yahoo.com/search](https://cl.search.yahoo.com/search)
[https://cl.search.yahoo.com/sugg/chrome](https://cl.search.yahoo.com/sugg/chrome)
[https://cleanbrowsing.org/privacy](https://cleanbrowsing.org/privacy)
[https://clients2.google.com/domainreliability/upload](https://clients2.google.com/domainreliability/upload)
[https://clients2.google.com/service/update2/crx](https://clients2.google.com/service/update2/crx)
[https://clients3.google.com/ct_upload](https://clients3.google.com/ct_upload)
[https://co.search.yahoo.com/favicon.ico](https://co.search.yahoo.com/favicon.ico)
[https://co.search.yahoo.com/search](https://co.search.yahoo.com/search)
[https://co.search.yahoo.com/sugg/chrome](https://co.search.yahoo.com/sugg/chrome)
[https://coccoc.com/favicon.ico](https://coccoc.com/favicon.ico)
[https://coccoc.com/search](https://coccoc.com/search)
[https://code.google.com/p/chromium/issues/detail](https://code.google.com/p/chromium/issues/detail)
[https://console.spec.whatwg.org/](https://console.spec.whatwg.org/)
[https://crbug.com/1025266](https://crbug.com/1025266)
[https://crbug.com/1038223.](https://crbug.com/1038223.)
[https://crbug.com/1053756](https://crbug.com/1053756)
[https://crbug.com/1144908.](https://crbug.com/1144908.)
[https://crbug.com/1154140](https://crbug.com/1154140)
[https://crbug.com/1161355](https://crbug.com/1161355)
[https://crbug.com/1214923](https://crbug.com/1214923)
[https://crbug.com/1302249](https://crbug.com/1302249)
[https://crbug.com/1313172](https://crbug.com/1313172)
[https://crbug.com/401439](https://crbug.com/401439)
[https://crbug.com/619103.](https://crbug.com/619103.)
[https://crbug.com/638180.](https://crbug.com/638180.)
[https://crbug.com/824383](https://crbug.com/824383)
[https://crbug.com/824647](https://crbug.com/824647)
[https://crbug.com/927119](https://crbug.com/927119)
[https://crbug.com/981419](https://crbug.com/981419)
[https://crbug.com/dawn/1016](https://crbug.com/dawn/1016)
[https://crbug.com/dawn/1071](https://crbug.com/dawn/1071)
[https://crbug.com/dawn/1203](https://crbug.com/dawn/1203)
[https://crbug.com/dawn/1264](https://crbug.com/dawn/1264)
[https://crbug.com/dawn/1302](https://crbug.com/dawn/1302)
[https://crbug.com/dawn/1305](https://crbug.com/dawn/1305)
[https://crbug.com/dawn/136](https://crbug.com/dawn/136)
[https://crbug.com/dawn/145](https://crbug.com/dawn/145)
[https://crbug.com/dawn/155](https://crbug.com/dawn/155)
[https://crbug.com/dawn/193](https://crbug.com/dawn/193)
[https://crbug.com/dawn/237](https://crbug.com/dawn/237)
[https://crbug.com/dawn/271](https://crbug.com/dawn/271)
[https://crbug.com/dawn/286](https://crbug.com/dawn/286)
[https://crbug.com/dawn/342](https://crbug.com/dawn/342)
[https://crbug.com/dawn/343](https://crbug.com/dawn/343)
[https://crbug.com/dawn/36](https://crbug.com/dawn/36)
[https://crbug.com/dawn/402](https://crbug.com/dawn/402)
[https://crbug.com/dawn/42](https://crbug.com/dawn/42)
[https://crbug.com/dawn/434](https://crbug.com/dawn/434)
[https://crbug.com/dawn/480](https://crbug.com/dawn/480)
[https://crbug.com/dawn/56](https://crbug.com/dawn/56)
[https://crbug.com/dawn/582](https://crbug.com/dawn/582)
[https://crbug.com/dawn/633](https://crbug.com/dawn/633)
[https://crbug.com/dawn/666](https://crbug.com/dawn/666)
[https://crbug.com/dawn/667](https://crbug.com/dawn/667)
[https://crbug.com/dawn/673](https://crbug.com/dawn/673)
[https://crbug.com/dawn/776](https://crbug.com/dawn/776)
[https://crbug.com/dawn/792](https://crbug.com/dawn/792)
[https://crbug.com/dawn/838](https://crbug.com/dawn/838)
[https://crbug.com/dawn/840](https://crbug.com/dawn/840)
[https://crbug.com/dawn/960](https://crbug.com/dawn/960)
[https://crbug.com/new](https://crbug.com/new)
[https://crbug.com/tint.](https://crbug.com/tint.)
[https://crbug.com/tint/1003](https://crbug.com/tint/1003)
[https://crbug.com/v8/7848](https://crbug.com/v8/7848)
[https://crbug.com/v8/8520](https://crbug.com/v8/8520)
[https://creativecommons.org/licenses/by](https://creativecommons.org/licenses/by)
[https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js](https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js)
[https://datatracker.ietf.org/doc/draft](https://datatracker.ietf.org/doc/draft)
[https://dawn.googlesource.com/dawn/](https://dawn.googlesource.com/dawn/)
[https://de.search.yahoo.com/favicon.ico](https://de.search.yahoo.com/favicon.ico)
[https://de.search.yahoo.com/search](https://de.search.yahoo.com/search)
[https://de.search.yahoo.com/sugg/chrome](https://de.search.yahoo.com/sugg/chrome)
[https://dev.chromium.org/throttling](https://dev.chromium.org/throttling)
[https://developer.chrome.com/blog/enabling](https://developer.chrome.com/blog/enabling)
[https://developer.chrome.com/blog/immutable](https://developer.chrome.com/blog/immutable)
[https://developer.chrome.com/blog/mv2](https://developer.chrome.com/blog/mv2)
[https://developer.chrome.com/docs/extensions/mv3/cross](https://developer.chrome.com/docs/extensions/mv3/cross)
[https://developer.mozilla.org/en](https://developer.mozilla.org/en)
[https://developers.cloudflare.com/1.1.1.1/privacy/public](https://developers.cloudflare.com/1.1.1.1/privacy/public)
[https://developers.google.com/speed/public](https://developers.google.com/speed/public)
[https://developers.google.com/web/updates/2016/08/removing](https://developers.google.com/web/updates/2016/08/removing)
[https://discord.com/invite/APGC3k5yaH](https://discord.com/invite/APGC3k5yaH)
[https://dk.search.yahoo.com/favicon.ico](https://dk.search.yahoo.com/favicon.ico)
[https://dk.search.yahoo.com/search](https://dk.search.yahoo.com/search)
[https://dl.gmx.com/apps/favicon.ico](https://dl.gmx.com/apps/favicon.ico)
[https://dns.google/dns](https://dns.google/dns)
[https://dns.quad9.net/dns](https://dns.quad9.net/dns)
[https://dns.sb/privacy/](https://dns.sb/privacy/)
[https://dns.switch.ch/dns](https://dns.switch.ch/dns)
[https://dns10.quad9.net/dns](https://dns10.quad9.net/dns)
[https://dns11.quad9.net/dns](https://dns11.quad9.net/dns)
[https://dns64.dns.google/dns](https://dns64.dns.google/dns)
[https://dnsnl.alekberg.net/dns](https://dnsnl.alekberg.net/dns)
[https://docs.google.com/](https://docs.google.com/)
[https://doh.cleanbrowsing.org/doh/adult](https://doh.cleanbrowsing.org/doh/adult)
[https://doh.cleanbrowsing.org/doh/family](https://doh.cleanbrowsing.org/doh/family)
[https://doh.cleanbrowsing.org/doh/security](https://doh.cleanbrowsing.org/doh/security)
[https://doh.cox.net/dns](https://doh.cox.net/dns)
[https://doh.dns.sb/dns](https://doh.dns.sb/dns)
[https://doh.familyshield.opendns.com/dns](https://doh.familyshield.opendns.com/dns)
[https://doh.opendns.com/dns](https://doh.opendns.com/dns)
[https://doh.quickline.ch/dns](https://doh.quickline.ch/dns)
[https://doh.xfinity.com/dns](https://doh.xfinity.com/dns)
[https://duckduckgo.com/ac/](https://duckduckgo.com/ac/)
[https://duckduckgo.com/chrome_newtab](https://duckduckgo.com/chrome_newtab)
[https://duckduckgo.com/favicon.ico](https://duckduckgo.com/favicon.ico)
[https://electronjs.org/docs/tutorial/security.](https://electronjs.org/docs/tutorial/security.)
[https://en.softonic.com/s/](https://en.softonic.com/s/)
[https://en.wikipedia.org/wiki/ANSI_escape_code](https://en.wikipedia.org/wiki/ANSI_escape_code)
[https://en.wikipedia.org/wiki/SPKAC](https://en.wikipedia.org/wiki/SPKAC)
[https://encoding.spec.whatwg.org/](https://encoding.spec.whatwg.org/)
[https://es.search.yahoo.com/favicon.ico](https://es.search.yahoo.com/favicon.ico)
[https://es.search.yahoo.com/search](https://es.search.yahoo.com/search)
[https://es.search.yahoo.com/sugg/chrome](https://es.search.yahoo.com/sugg/chrome)
[https://esdiscuss.org/topic/isconstructor](https://esdiscuss.org/topic/isconstructor)
[https://example.org](https://example.org)
[https://fi.search.yahoo.com/favicon.ico](https://fi.search.yahoo.com/favicon.ico)
[https://fi.search.yahoo.com/search](https://fi.search.yahoo.com/search)
[https://fr.search.yahoo.com/favicon.ico](https://fr.search.yahoo.com/favicon.ico)
[https://fr.search.yahoo.com/search](https://fr.search.yahoo.com/search)
[https://fr.search.yahoo.com/sugg/chrome](https://fr.search.yahoo.com/sugg/chrome)
[https://gcp.gvt2.com/](https://gcp.gvt2.com/)
[https://gcp.gvt6.com/](https://gcp.gvt6.com/)
[https://gist.github.com/XVilka/8346728](https://gist.github.com/XVilka/8346728)
[https://github.com/KhronosGroup/Vulkan](https://github.com/KhronosGroup/Vulkan)
[https://github.com/WICG/construct](https://github.com/WICG/construct)
[https://github.com/WICG/conversion](https://github.com/WICG/conversion)
[https://github.com/WICG/scheduling](https://github.com/WICG/scheduling)
[https://github.com/WebAssembly/esm](https://github.com/WebAssembly/esm)
[https://github.com/WebBluetoothCG/web](https://github.com/WebBluetoothCG/web)
[https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js](https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js)
[https://github.com/addaleax/eventemitter](https://github.com/addaleax/eventemitter)
[https://github.com/antirez/linenoise](https://github.com/antirez/linenoise)
[https://github.com/chalk/ansi](https://github.com/chalk/ansi)
[https://github.com/chalk/supports](https://github.com/chalk/supports)
[https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorithm_params.h](https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorithm_params.h)
[https://github.com/da](https://github.com/da)
[https://github.com/electron/electron/issues/18397.](https://github.com/electron/electron/issues/18397.)
[https://github.com/electron/electron/tree/v](https://github.com/electron/electron/tree/v)
[https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js](https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js)
[https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js](https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js)
[https://github.com/google/closure](https://github.com/google/closure)
[https://github.com/gpuweb/gpuweb/issues/1565](https://github.com/gpuweb/gpuweb/issues/1565)
[https://github.com/isaacs/color](https://github.com/isaacs/color)
[https://github.com/joyent/node/issues/3295.](https://github.com/joyent/node/issues/3295.)
[https://github.com/libuv/libuv/pull/1501.](https://github.com/libuv/libuv/pull/1501.)
[https://github.com/mafintosh/end](https://github.com/mafintosh/end)
[https://github.com/mafintosh/pump](https://github.com/mafintosh/pump)
[https://github.com/mysticatea/abort](https://github.com/mysticatea/abort)
[https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6](https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6)
[https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4](https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4)
[https://github.com/nodejs/node/issues/13435](https://github.com/nodejs/node/issues/13435)
[https://github.com/nodejs/node/issues/19009](https://github.com/nodejs/node/issues/19009)
[https://github.com/nodejs/node/issues/2006](https://github.com/nodejs/node/issues/2006)
[https://github.com/nodejs/node/issues/2119](https://github.com/nodejs/node/issues/2119)
[https://github.com/nodejs/node/issues/31074](https://github.com/nodejs/node/issues/31074)
[https://github.com/nodejs/node/issues/3392](https://github.com/nodejs/node/issues/3392)
[https://github.com/nodejs/node/issues/34532](https://github.com/nodejs/node/issues/34532)
[https://github.com/nodejs/node/issues/35475](https://github.com/nodejs/node/issues/35475)
[https://github.com/nodejs/node/issues/35862](https://github.com/nodejs/node/issues/35862)
[https://github.com/nodejs/node/issues/35981](https://github.com/nodejs/node/issues/35981)
[https://github.com/nodejs/node/issues/39707](https://github.com/nodejs/node/issues/39707)
[https://github.com/nodejs/node/issues/39758](https://github.com/nodejs/node/issues/39758)
[https://github.com/nodejs/node/pull/12342](https://github.com/nodejs/node/pull/12342)
[https://github.com/nodejs/node/pull/12607](https://github.com/nodejs/node/pull/12607)
[https://github.com/nodejs/node/pull/13870](https://github.com/nodejs/node/pull/13870)
[https://github.com/nodejs/node/pull/1771](https://github.com/nodejs/node/pull/1771)
[https://github.com/nodejs/node/pull/21313](https://github.com/nodejs/node/pull/21313)
[https://github.com/nodejs/node/pull/26334.](https://github.com/nodejs/node/pull/26334.)
[https://github.com/nodejs/node/pull/30380](https://github.com/nodejs/node/pull/30380)
[https://github.com/nodejs/node/pull/30958](https://github.com/nodejs/node/pull/30958)
[https://github.com/nodejs/node/pull/33515.](https://github.com/nodejs/node/pull/33515.)
[https://github.com/nodejs/node/pull/33661](https://github.com/nodejs/node/pull/33661)
[https://github.com/nodejs/node/pull/3394](https://github.com/nodejs/node/pull/3394)
[https://github.com/nodejs/node/pull/34010](https://github.com/nodejs/node/pull/34010)
[https://github.com/nodejs/node/pull/34103](https://github.com/nodejs/node/pull/34103)
[https://github.com/nodejs/node/pull/34375](https://github.com/nodejs/node/pull/34375)
[https://github.com/nodejs/node/pull/34385](https://github.com/nodejs/node/pull/34385)
[https://github.com/nodejs/node/pull/35949](https://github.com/nodejs/node/pull/35949)
[https://github.com/nodejs/node/pull/36061](https://github.com/nodejs/node/pull/36061)
[https://github.com/nodejs/node/pull/38248](https://github.com/nodejs/node/pull/38248)
[https://github.com/nodejs/node/pull/38433](https://github.com/nodejs/node/pull/38433)
[https://github.com/nodejs/node/pull/38614](https://github.com/nodejs/node/pull/38614)
[https://github.com/standard](https://github.com/standard)
[https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md](https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md)
[https://github.com/tc39/ecma262/issues/1209](https://github.com/tc39/ecma262/issues/1209)
[https://github.com/tc39/proposal](https://github.com/tc39/proposal)
[https://github.com/w3c/ServiceWorker/issues/1356.](https://github.com/w3c/ServiceWorker/issues/1356.)
[https://github.com/w3c/gamepad/pull/112](https://github.com/w3c/gamepad/pull/112)
[https://github.com/w3c/gamepad/pull/120](https://github.com/w3c/gamepad/pull/120)
[https://github.com/w3c/webappsec](https://github.com/w3c/webappsec)
[https://go.imgsmail.ru/favicon.ico](https://go.imgsmail.ru/favicon.ico)
[https://go.mail.ru/chrome/newtab/](https://go.mail.ru/chrome/newtab/)
[https://go.mail.ru/msearch](https://go.mail.ru/msearch)
[https://go.mail.ru/search](https://go.mail.ru/search)
[https://goo.gl/4NeimX](https://goo.gl/4NeimX)
[https://goo.gl/7K7WLu](https://goo.gl/7K7WLu)
[https://goo.gl/EuHzyv](https://goo.gl/EuHzyv)
[https://goo.gl/HxfxSQ](https://goo.gl/HxfxSQ)
[https://goo.gl/J6ASzs](https://goo.gl/J6ASzs)
[https://goo.gl/LdLk22](https://goo.gl/LdLk22)
[https://goo.gl/Y0ZkNV](https://goo.gl/Y0ZkNV)
[https://goo.gl/rStTGz](https://goo.gl/rStTGz)
[https://goo.gl/t5IS6M](https://goo.gl/t5IS6M)
[https://goo.gl/xX8pDD](https://goo.gl/xX8pDD)
[https://goo.gl/ximf56](https://goo.gl/ximf56)
[https://goo.gl/yabPex](https://goo.gl/yabPex)
[https://google.com/pay](https://google.com/pay)
[https://googlevideo.com/](https://googlevideo.com/)
[https://gpuweb.github.io/gpuweb/wgsl/](https://gpuweb.github.io/gpuweb/wgsl/)
[https://gvt1.com/](https://gvt1.com/)
[https://gvt2.com/](https://gvt2.com/)
[https://gvt6.com/](https://gvt6.com/)
[https://heycam.github.io/webidl/](https://heycam.github.io/webidl/)
[https://history.report](https://history.report)
[https://hk.search.yahoo.com/favicon.ico](https://hk.search.yahoo.com/favicon.ico)
[https://hk.search.yahoo.com/search](https://hk.search.yahoo.com/search)
[https://hk.search.yahoo.com/sugg/chrome](https://hk.search.yahoo.com/sugg/chrome)
[https://hladaj.atlas.sk/fulltext/](https://hladaj.atlas.sk/fulltext/)
[https://html.spec.whatwg.org/multipage/browsers.html](https://html.spec.whatwg.org/multipage/browsers.html)
[https://html.spec.whatwg.org/multipage/timers](https://html.spec.whatwg.org/multipage/timers)
[https://html.spec.whatwg.org/multipage/webappapis.html](https://html.spec.whatwg.org/multipage/webappapis.html)
[https://id.search.yahoo.com/favicon.ico](https://id.search.yahoo.com/favicon.ico)
[https://id.search.yahoo.com/search](https://id.search.yahoo.com/search)
[https://id.search.yahoo.com/sugg/chrome](https://id.search.yahoo.com/sugg/chrome)
[https://in.search.yahoo.com/favicon.ico](https://in.search.yahoo.com/favicon.ico)
[https://in.search.yahoo.com/search](https://in.search.yahoo.com/search)
[https://in.search.yahoo.com/sugg/chrome](https://in.search.yahoo.com/sugg/chrome)
[https://infra.spec.whatwg.org/](https://infra.spec.whatwg.org/)
[https://invisible](https://invisible)
[https://isearch.avg.com/search](https://isearch.avg.com/search)
[https://linux.die.net/man/1/dircolors](https://linux.die.net/man/1/dircolors)
[https://log.getdropbox.com/hpkp](https://log.getdropbox.com/hpkp)
[https://log.getdropbox.com/log/expectct](https://log.getdropbox.com/log/expectct)
[https://m.so.com/index.php](https://m.so.com/index.php)
[https://m.so.com/s](https://m.so.com/s)
[https://m.sogou.com/web/](https://m.sogou.com/web/)
[https://malaysia.search.yahoo.com/favicon.ico](https://malaysia.search.yahoo.com/favicon.ico)
[https://malaysia.search.yahoo.com/search](https://malaysia.search.yahoo.com/search)
[https://malaysia.search.yahoo.com/sugg/chrome](https://malaysia.search.yahoo.com/sugg/chrome)
[https://mathiasbynens.be/notes/javascript](https://mathiasbynens.be/notes/javascript)
[https://matteomarescotti.report](https://matteomarescotti.report)
[https://metager.de/favicon.ico](https://metager.de/favicon.ico)
[https://metager.de/meta/meta.ger3](https://metager.de/meta/meta.ger3)
[https://metager.org/meta/meta.ger3](https://metager.org/meta/meta.ger3)
[https://monitoring.url.loader.factory.invalid](https://monitoring.url.loader.factory.invalid)
[https://mths.be/punycode](https://mths.be/punycode)
[https://mx.search.yahoo.com/favicon.ico](https://mx.search.yahoo.com/favicon.ico)
[https://mx.search.yahoo.com/search](https://mx.search.yahoo.com/search)
[https://mx.search.yahoo.com/sugg/chrome](https://mx.search.yahoo.com/sugg/chrome)
[https://nextdns.io/privacy](https://nextdns.io/privacy)
[https://nl.search.yahoo.com/favicon.ico](https://nl.search.yahoo.com/favicon.ico)
[https://nl.search.yahoo.com/search](https://nl.search.yahoo.com/search)
[https://nl.search.yahoo.com/sugg/chrome](https://nl.search.yahoo.com/sugg/chrome)
[https://nl.softonic.com/s/](https://nl.softonic.com/s/)
[https://nodejs.org/api/cli.html](https://nodejs.org/api/cli.html)
[https://nodejs.org/api/fs.html](https://nodejs.org/api/fs.html)
[https://nodejs.org/download/release/v16.14.2/node](https://nodejs.org/download/release/v16.14.2/node)
[https://nodejs.org/en/docs/inspector](https://nodejs.org/en/docs/inspector)
[https://nodejs.org/static/images/favicons/favicon.ico](https://nodejs.org/static/images/favicons/favicon.ico)
[https://nova.rambler.ru/search](https://nova.rambler.ru/search)
[https://nova.rambler.ru/suggest](https://nova.rambler.ru/suggest)
[https://nz.search.yahoo.com/favicon.ico](https://nz.search.yahoo.com/favicon.ico)
[https://nz.search.yahoo.com/search](https://nz.search.yahoo.com/search)
[https://nz.search.yahoo.com/sugg/chrome](https://nz.search.yahoo.com/sugg/chrome)
[https://oceanhero.today/favicon.ico](https://oceanhero.today/favicon.ico)
[https://oceanhero.today/web](https://oceanhero.today/web)
[https://odvr.nic.cz/doh](https://odvr.nic.cz/doh)
[https://pe.search.yahoo.com/favicon.ico](https://pe.search.yahoo.com/favicon.ico)
[https://pe.search.yahoo.com/search](https://pe.search.yahoo.com/search)
[https://pe.search.yahoo.com/sugg/chrome](https://pe.search.yahoo.com/sugg/chrome)
[https://perfetto.dev/docs/contributing/getting](https://perfetto.dev/docs/contributing/getting)
[https://petalsearch.com/search](https://petalsearch.com/search)
[https://ph.search.yahoo.com/favicon.ico](https://ph.search.yahoo.com/favicon.ico)
[https://ph.search.yahoo.com/search](https://ph.search.yahoo.com/search)
[https://ph.search.yahoo.com/sugg/chrome](https://ph.search.yahoo.com/sugg/chrome)
[https://play.google.com/billing](https://play.google.com/billing)
[https://public.dns.iij.jp/dns](https://public.dns.iij.jp/dns)
[https://publickeyservice.aws.privacysandboxservices.com/v1alpha/publicKeys](https://publickeyservice.aws.privacysandboxservices.com/v1alpha/publicKeys)
[https://qc.search.yahoo.com/favicon.ico](https://qc.search.yahoo.com/favicon.ico)
[https://qc.search.yahoo.com/search](https://qc.search.yahoo.com/search)
[https://qc.search.yahoo.com/sugg/chrome](https://qc.search.yahoo.com/sugg/chrome)
[https://redirector.gvt1.com/edgedl/chrome/dict/](https://redirector.gvt1.com/edgedl/chrome/dict/)
[https://scotthelme.report](https://scotthelme.report)
[https://se.search.yahoo.com/favicon.ico](https://se.search.yahoo.com/favicon.ico)
[https://se.search.yahoo.com/search](https://se.search.yahoo.com/search)
[https://search.avg.com/route/](https://search.avg.com/route/)
[https://search.daum.net/favicon.ico](https://search.daum.net/favicon.ico)
[https://search.daum.net/search](https://search.daum.net/search)
[https://search.gmx.co.uk/web/result](https://search.gmx.co.uk/web/result)
[https://search.gmx.com/web/result](https://search.gmx.com/web/result)
[https://search.gmx.es/web/result](https://search.gmx.es/web/result)
[https://search.gmx.fr/web/result](https://search.gmx.fr/web/result)
[https://search.goo.ne.jp/cdn/common/img/favicon.ico](https://search.goo.ne.jp/cdn/common/img/favicon.ico)
[https://search.goo.ne.jp/sgt.jsp](https://search.goo.ne.jp/sgt.jsp)
[https://search.goo.ne.jp/web.jsp](https://search.goo.ne.jp/web.jsp)
[https://search.naver.com/search.naver](https://search.naver.com/search.naver)
[https://search.privacywall.org/suggest.php](https://search.privacywall.org/suggest.php)
[https://search.seznam.cz/favicon.ico](https://search.seznam.cz/favicon.ico)
[https://search.seznam.sk/favicon.ico](https://search.seznam.sk/favicon.ico)
[https://search.softonic.com/](https://search.softonic.com/)
[https://search.walla.co.il/](https://search.walla.co.il/)
[https://search.yahoo.co.jp/favicon.ico](https://search.yahoo.co.jp/favicon.ico)
[https://search.yahoo.co.jp/search](https://search.yahoo.co.jp/search)
[https://search.yahoo.com/favicon.ico](https://search.yahoo.com/favicon.ico)
[https://search.yahoo.com/search](https://search.yahoo.com/search)
[https://search.yahoo.com/sugg/chrome](https://search.yahoo.com/sugg/chrome)
[https://search.yahooapis.jp/AssistSearchService/V2/webassistSearch](https://search.yahooapis.jp/AssistSearchService/V2/webassistSearch)
[https://searchatlas.centrum.cz/favicon.ico](https://searchatlas.centrum.cz/favicon.ico)
[https://server1.example](https://server1.example)
[https://server2.example](https://server2.example)
[https://sg.search.yahoo.com/favicon.ico](https://sg.search.yahoo.com/favicon.ico)
[https://sg.search.yahoo.com/search](https://sg.search.yahoo.com/search)
[https://sg.search.yahoo.com/sugg/chrome](https://sg.search.yahoo.com/sugg/chrome)
[https://source.chromium.org/chromium/chromium/src/](https://source.chromium.org/chromium/chromium/src/)
[https://sourcemaps.info/spec.html](https://sourcemaps.info/spec.html)
[https://sp.ask.com/sh/i/a16/favicon/favicon.ico](https://sp.ask.com/sh/i/a16/favicon/favicon.ico)
[https://ssl.gstatic.com/](https://ssl.gstatic.com/)
[https://ssl.pstatic.net/sstatic/search/favicon/favicon_140327.ico](https://ssl.pstatic.net/sstatic/search/favicon/favicon_140327.ico)
[https://stackoverflow.com/a/5501711/3561](https://stackoverflow.com/a/5501711/3561)
[https://storage.ape.yandex.net/get/browser/Doodles/yandex/drawable](https://storage.ape.yandex.net/get/browser/Doodles/yandex/drawable)
[https://suche.gmx.at/web/result](https://suche.gmx.at/web/result)
[https://suche.gmx.net/web/result](https://suche.gmx.net/web/result)
[https://sug.so.360.cn/suggest](https://sug.so.360.cn/suggest)
[https://sugg.sogou.com/sugg/ajaj_json.jsp](https://sugg.sogou.com/sugg/ajaj_json.jsp)
[https://suggest.search.daum.net/sushi/opensearch/pc](https://suggest.search.daum.net/sushi/opensearch/pc)
[https://suggest.seznam.cz/fulltext_ff](https://suggest.seznam.cz/fulltext_ff)
[https://suggest.seznam.sk/fulltext_ff](https://suggest.seznam.sk/fulltext_ff)
[https://suggest.yandex.by/suggest](https://suggest.yandex.by/suggest)
[https://suggest.yandex.com.tr/suggest](https://suggest.yandex.com.tr/suggest)
[https://suggest.yandex.com/suggest](https://suggest.yandex.com/suggest)
[https://suggest.yandex.kz/suggest](https://suggest.yandex.kz/suggest)
[https://suggest.yandex.ru/suggest](https://suggest.yandex.ru/suggest)
[https://suggest.yandex.ua/suggest](https://suggest.yandex.ua/suggest)
[https://suggestion.baidu.com/su](https://suggestion.baidu.com/su)
[https://suggestplugin.gmx.at/s](https://suggestplugin.gmx.at/s)
[https://suggestplugin.gmx.co.uk/s](https://suggestplugin.gmx.co.uk/s)
[https://suggestplugin.gmx.com/s](https://suggestplugin.gmx.com/s)
[https://suggestplugin.gmx.es/s](https://suggestplugin.gmx.es/s)
[https://suggestplugin.gmx.fr/s](https://suggestplugin.gmx.fr/s)
[https://suggestplugin.gmx.net/s](https://suggestplugin.gmx.net/s)
[https://suggests.go.mail.ru/chrome](https://suggests.go.mail.ru/chrome)
[https://tc39.es/ecma262/](https://tc39.es/ecma262/)
[https://tc39.github.io/ecma262/](https://tc39.github.io/ecma262/)
[https://th.search.yahoo.com/favicon.ico](https://th.search.yahoo.com/favicon.ico)
[https://th.search.yahoo.com/search](https://th.search.yahoo.com/search)
[https://th.search.yahoo.com/sugg/chrome](https://th.search.yahoo.com/sugg/chrome)
[https://tobiassachs.report](https://tobiassachs.report)
[https://tools.ietf.org/html/rfc2397](https://tools.ietf.org/html/rfc2397)
[https://tools.ietf.org/html/rfc3492](https://tools.ietf.org/html/rfc3492)
[https://tools.ietf.org/html/rfc3986](https://tools.ietf.org/html/rfc3986)
[https://tools.ietf.org/html/rfc5280](https://tools.ietf.org/html/rfc5280)
[https://tools.ietf.org/html/rfc6455](https://tools.ietf.org/html/rfc6455)
[https://tools.ietf.org/html/rfc6960](https://tools.ietf.org/html/rfc6960)
[https://tools.ietf.org/html/rfc7230](https://tools.ietf.org/html/rfc7230)
[https://tools.ietf.org/html/rfc7540](https://tools.ietf.org/html/rfc7540)
[https://tr.search.yahoo.com/favicon.ico](https://tr.search.yahoo.com/favicon.ico)
[https://tr.search.yahoo.com/search](https://tr.search.yahoo.com/search)
[https://tw.search.yahoo.com/favicon.ico](https://tw.search.yahoo.com/favicon.ico)
[https://tw.search.yahoo.com/search](https://tw.search.yahoo.com/search)
[https://tw.search.yahoo.com/sugg/chrome](https://tw.search.yahoo.com/sugg/chrome)
[https://uk.search.yahoo.com/favicon.ico](https://uk.search.yahoo.com/favicon.ico)
[https://uk.search.yahoo.com/search](https://uk.search.yahoo.com/search)
[https://uk.search.yahoo.com/sugg/chrome](https://uk.search.yahoo.com/sugg/chrome)
[https://url.spec.whatwg.org/](https://url.spec.whatwg.org/)
[https://v8.dev/blog/v8](https://v8.dev/blog/v8)
[https://ve.search.yahoo.com/favicon.ico](https://ve.search.yahoo.com/favicon.ico)
[https://ve.search.yahoo.com/search](https://ve.search.yahoo.com/search)
[https://ve.search.yahoo.com/sugg/chrome](https://ve.search.yahoo.com/sugg/chrome)
[https://vn.search.yahoo.com/favicon.ico](https://vn.search.yahoo.com/favicon.ico)
[https://vn.search.yahoo.com/search](https://vn.search.yahoo.com/search)
[https://vn.search.yahoo.com/sugg/chrome](https://vn.search.yahoo.com/sugg/chrome)
[https://w3c.github.io/encrypted](https://w3c.github.io/encrypted)
[https://w3c.github.io/manifest/](https://w3c.github.io/manifest/)
[https://w3c.github.io/webappsec](https://w3c.github.io/webappsec)
[https://webrtc.org/web](https://webrtc.org/web)
[https://wiki.squid](https://wiki.squid)
[https://www.World](https://www.World)
[https://www.ask.com/web](https://www.ask.com/web)
[https://www.baidu.com/favicon.ico](https://www.baidu.com/favicon.ico)
[https://www.baidu.com/s](https://www.baidu.com/s)
[https://www.bing.com/chrome/newtab](https://www.bing.com/chrome/newtab)
[https://www.bing.com/images/detail/search](https://www.bing.com/images/detail/search)
[https://www.bing.com/osjson.aspx](https://www.bing.com/osjson.aspx)
[https://www.bing.com/sa/simg/bing_p_rr_teal_min.ico](https://www.bing.com/sa/simg/bing_p_rr_teal_min.ico)
[https://www.bing.com/search](https://www.bing.com/search)
[https://www.bluetooth.com/specifications/gatt/characteristics](https://www.bluetooth.com/specifications/gatt/characteristics)
[https://www.bluetooth.com/specifications/gatt/descriptors](https://www.bluetooth.com/specifications/gatt/descriptors)
[https://www.bluetooth.com/specifications/gatt/services](https://www.bluetooth.com/specifications/gatt/services)
[https://www.chromestatus.com/feature/4664843055398912](https://www.chromestatus.com/feature/4664843055398912)
[https://www.chromestatus.com/feature/5082396709879808](https://www.chromestatus.com/feature/5082396709879808)
[https://www.chromestatus.com/feature/5093566007214080](https://www.chromestatus.com/feature/5093566007214080)
[https://www.chromestatus.com/feature/5148698084376576](https://www.chromestatus.com/feature/5148698084376576)
[https://www.chromestatus.com/feature/5527160148197376](https://www.chromestatus.com/feature/5527160148197376)
[https://www.chromestatus.com/feature/5629582019395584.](https://www.chromestatus.com/feature/5629582019395584.)
[https://www.chromestatus.com/feature/5636954674692096](https://www.chromestatus.com/feature/5636954674692096)
[https://www.chromestatus.com/feature/5644273861001216.](https://www.chromestatus.com/feature/5644273861001216.)
[https://www.chromestatus.com/feature/5654791610957824](https://www.chromestatus.com/feature/5654791610957824)
[https://www.chromestatus.com/feature/5667793157488640](https://www.chromestatus.com/feature/5667793157488640)
[https://www.chromestatus.com/feature/5669008342777856](https://www.chromestatus.com/feature/5669008342777856)
[https://www.chromestatus.com/feature/5682658461876224.](https://www.chromestatus.com/feature/5682658461876224.)
[https://www.chromestatus.com/feature/5718547946799104](https://www.chromestatus.com/feature/5718547946799104)
[https://www.chromestatus.com/feature/5738264052891648](https://www.chromestatus.com/feature/5738264052891648)
[https://www.chromestatus.com/feature/5742188281462784.](https://www.chromestatus.com/feature/5742188281462784.)
[https://www.chromestatus.com/feature/5745543795965952](https://www.chromestatus.com/feature/5745543795965952)
[https://www.chromestatus.com/feature/5749447073988608](https://www.chromestatus.com/feature/5749447073988608)
[https://www.chromestatus.com/feature/5851021045661696.](https://www.chromestatus.com/feature/5851021045661696.)
[https://www.chromestatus.com/feature/6662647093133312](https://www.chromestatus.com/feature/6662647093133312)
[https://www.chromium.org/blink/origin](https://www.chromium.org/blink/origin)
[https://www.cisco.com/c/en/us/about/legal/privacy](https://www.cisco.com/c/en/us/about/legal/privacy)
[https://www.delfi.lt/favicon.ico](https://www.delfi.lt/favicon.ico)
[https://www.delfi.lt/paieska/](https://www.delfi.lt/paieska/)
[https://www.ecma](https://www.ecma)
[https://www.ecosia.org/search](https://www.ecosia.org/search)
[https://www.electronjs.org/docs/tutorial/application](https://www.electronjs.org/docs/tutorial/application)
[https://www.givero.com/favicon.ico](https://www.givero.com/favicon.ico)
[https://www.givero.com/search](https://www.givero.com/search)
[https://www.givero.com/suggest](https://www.givero.com/suggest)
[https://www.google.com/images/branding/product/ico/googleg_lodp.ico](https://www.google.com/images/branding/product/ico/googleg_lodp.ico)
[https://www.google.com/speech](https://www.google.com/speech)
[https://www.googleapis.com/geolocation/v1/geolocate](https://www.googleapis.com/geolocation/v1/geolocate)
[https://www.googleapis.com/spelling/v](https://www.googleapis.com/spelling/v)
[https://www.gstatic.com/securitykey/a/google.com/origins.json](https://www.gstatic.com/securitykey/a/google.com/origins.json)
[https://www.gstatic.com/securitykey/origins.json](https://www.gstatic.com/securitykey/origins.json)
[https://www.iana.org/assignments/tls](https://www.iana.org/assignments/tls)
[https://www.info.com/serp](https://www.info.com/serp)
[https://www.info.com/static/www.info.com/favicon.ico](https://www.info.com/static/www.info.com/favicon.ico)
[https://www.microsoft.com/en](https://www.microsoft.com/en)
[https://www.neti.ee/api/suggestOS](https://www.neti.ee/api/suggestOS)
[https://www.neti.ee/cgi](https://www.neti.ee/cgi)
[https://www.nic.cz/odvr/](https://www.nic.cz/odvr/)
[https://www.privacywall.org/images/favicon_32x32.ico](https://www.privacywall.org/images/favicon_32x32.ico)
[https://www.privacywall.org/search/secure/](https://www.privacywall.org/search/secure/)
[https://www.quad9.net/home/privacy/](https://www.quad9.net/home/privacy/)
[https://www.qwant.com/favicon.ico](https://www.qwant.com/favicon.ico)
[https://www.recent](https://www.recent)
[https://www.so.com/favicon.ico](https://www.so.com/favicon.ico)
[https://www.so.com/s](https://www.so.com/s)
[https://www.softonic.com.br/s/](https://www.softonic.com.br/s/)
[https://www.softonic.com/s/](https://www.softonic.com/s/)
[https://www.sogou.com/images/logo/old/favicon.ico](https://www.sogou.com/images/logo/old/favicon.ico)
[https://www.sogou.com/web](https://www.sogou.com/web)
[https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt](https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt)
[https://www.verisign.com/cps04000000Z](https://www.verisign.com/cps04000000Z)
[https://www.verisign.com/rpa](https://www.verisign.com/rpa)
[https://www.w3.org/TR/WebCryptoAPI/](https://www.w3.org/TR/WebCryptoAPI/)
[https://www.w3.org/TR/hr](https://www.w3.org/TR/hr)
[https://www.w3.org/TR/mse](https://www.w3.org/TR/mse)
[https://www.w3.org/TR/powerful](https://www.w3.org/TR/powerful)
[https://www.w3.org/TR/webauthn](https://www.w3.org/TR/webauthn)
[https://www.yandex.by/chrome/newtab](https://www.yandex.by/chrome/newtab)
[https://www.yandex.com.tr/chrome/newtab](https://www.yandex.com.tr/chrome/newtab)
[https://www.yandex.kz/chrome/newtab](https://www.yandex.kz/chrome/newtab)
[https://www.yandex.ru/chrome/newtab](https://www.yandex.ru/chrome/newtab)
[https://www.yandex.ua/chrome/newtab](https://www.yandex.ua/chrome/newtab)
[https://www.zoznam.sk/favicon.ico](https://www.zoznam.sk/favicon.ico)
[https://www.zoznam.sk/hladaj.fcgi](https://www.zoznam.sk/hladaj.fcgi)
[https://xhr.spec.whatwg.org/.](https://xhr.spec.whatwg.org/.)
[https://yandex.by/images/search/](https://yandex.by/images/search/)
[https://yandex.com.tr/gorsel/search](https://yandex.com.tr/gorsel/search)
[https://yandex.com/images/search](https://yandex.com/images/search)
[https://yandex.com/search/](https://yandex.com/search/)
[https://yandex.kz/images/search/](https://yandex.kz/images/search/)
[https://yandex.ru/images/search/](https://yandex.ru/images/search/)
[https://yandex.ua/images/search/](https://yandex.ua/images/search/)
[https://yastatic.net/lego/_/pDu9OWAQKB0s2J9IojKpiS_Eho.ico](https://yastatic.net/lego/_/pDu9OWAQKB0s2J9IojKpiS_Eho.ico)
[https://yastatic.net/lego/_/rBTjd6UOPk5913OSn5ZQVYMTQWQ.ico](https://yastatic.net/lego/_/rBTjd6UOPk5913OSn5ZQVYMTQWQ.ico) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [AccountPasswordsConsent](https://github.com/search?q=AccountPasswordsConsent&type=code)
[ChromePasswordManagerClient](https://github.com/search?q=ChromePasswordManagerClient&type=code)
[GaiaPasswordCaptured](https://github.com/search?q=GaiaPasswordCaptured&type=code)
[GaiaPasswordReuse](https://github.com/search?q=GaiaPasswordReuse&type=code)
[Invalid password pattern](https://github.com/search?q=Invalid+password+pattern&type=code)
[PasswordH](https://github.com/search?q=PasswordH&type=code)
[PasswordIssues](https://github.com/search?q=PasswordIssues&type=code)
[PasswordReuseDetected](https://github.com/search?q=PasswordReuseDetected&type=code)
[PasswordReuseLookup](https://github.com/search?q=PasswordReuseLookup&type=code)
[PasswordReveal](https://github.com/search?q=PasswordReveal&type=code)
[PasswordSpecificsData](https://github.com/search?q=PasswordSpecificsData&type=code)
[SetPasswordFunc](https://github.com/search?q=SetPasswordFunc&type=code)
[Username and password are expected to](https://github.com/search?q=Username+and+password+are+expected+to&type=code)
[a username and password](https://github.com/search?q=a+username+and+password&type=code)
[accessibilityPasswordValuesEnabled](https://github.com/search?q=accessibilityPasswordValuesEnabled&type=code)
[and password fields set](https://github.com/search?q=and+password+fields+set&type=code)
[bPassword](https://github.com/search?q=bPassword&type=code)
[challengePassword](https://github.com/search?q=challengePassword&type=code)
[const has_password](https://github.com/search?q=const+has_password&type=code)
[current-password](https://github.com/search?q=current-password&type=code)
[gaia_password_reuse](https://github.com/search?q=gaia_password_reuse&type=code)
[generated a new password](https://github.com/search?q=generated+a+new+password&type=code)
[get password](https://github.com/search?q=get+password&type=code)
[getPasswordComplete](https://github.com/search?q=getPasswordComplete&type=code)
[have-a-username-password-port](https://github.com/search?q=have-a-username-password-port&type=code)
[have-username-password-port](https://github.com/search?q=have-username-password-port&type=code)
[id-PasswordBasedMAC](https://github.com/search?q=id-PasswordBasedMAC&type=code)
[keyring_delete_password](https://github.com/search?q=keyring_delete_password&type=code)
[keyring_find_password_sync](https://github.com/search?q=keyring_find_password_sync&type=code)
[keyring_free_password](https://github.com/search?q=keyring_free_password&type=code)
[keyring_store_password_sync](https://github.com/search?q=keyring_store_password_sync&type=code)
[like a password](https://github.com/search?q=like+a+password&type=code)
[new-password](https://github.com/search?q=new-password&type=code)
[or PasswordCredentialData](https://github.com/search?q=or+PasswordCredentialData&type=code)
[password based MAC](https://github.com/search?q=password+based+MAC&type=code)
[password is too large](https://github.com/search?q=password+is+too+large&type=code)
[password text](https://github.com/search?q=password+text&type=code)
[password-change](https://github.com/search?q=password-change&type=code)
[password-protection](https://github.com/search?q=password-protection&type=code)
[password-reveal](https://github.com/search?q=password-reveal&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[passwordChar](https://github.com/search?q=passwordChar&type=code)
[passwordDialogTitle](https://github.com/search?q=passwordDialogTitle&type=code)
[passwordEchoEnabled](https://github.com/search?q=passwordEchoEnabled&type=code)
[passwordEdit](https://github.com/search?q=passwordEdit&type=code)
[passwordInvalid](https://github.com/search?q=passwordInvalid&type=code)
[passwordPrompt](https://github.com/search?q=passwordPrompt&type=code)
[passwordSubmit](https://github.com/search?q=passwordSubmit&type=code)
[password_specifics](https://github.com/search?q=password_specifics&type=code)
[readPassword](https://github.com/search?q=readPassword&type=code)
[secret_password_clear_sync](https://github.com/search?q=secret_password_clear_sync&type=code)
[secret_password_store_sync](https://github.com/search?q=secret_password_store_sync&type=code)
[set password](https://github.com/search?q=set+password&type=code)
[such as passwords](https://github.com/search?q=such+as+passwords&type=code)
[to deserialize password_string](https://github.com/search?q=to+deserialize+password_string&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[username or password](https://github.com/search?q=username+or+password&type=code)
[writePassword](https://github.com/search?q=writePassword&type=code) | +| LOW | [credential/password/finder](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password_finder.yara#gnome_keyring_sync) | gnome keyring sync | [gnome_keyring_find_password_sync](https://github.com/search?q=gnome_keyring_find_password_sync&type=code) | +| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[privateKey](https://github.com/search?q=privateKey&type=code)
[private_key](https://github.com/search?q=private_key&type=code) | +| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) | +| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [AeadEncryptDecrypt](https://github.com/search?q=AeadEncryptDecrypt&type=code)
[AesCbcEncryptDecrypt](https://github.com/search?q=AesCbcEncryptDecrypt&type=code)
[CommonEncryptDecrypt](https://github.com/search?q=CommonEncryptDecrypt&type=code)
[ContentDecryptionModuleClient](https://github.com/search?q=ContentDecryptionModuleClient&type=code)
[CreateContentDecryptionModule](https://github.com/search?q=CreateContentDecryptionModule&type=code)
[Creation of DecryptConfig failed](https://github.com/search?q=Creation+of+DecryptConfig+failed&type=code)
[DecryptAndDecodeAudio](https://github.com/search?q=DecryptAndDecodeAudio&type=code)
[DecryptAndDecodeVideo](https://github.com/search?q=DecryptAndDecodeVideo&type=code)
[DecryptPendingBuffer](https://github.com/search?q=DecryptPendingBuffer&type=code)
[Decrypted a 0](https://github.com/search?q=Decrypted+a+0&type=code)
[DecryptingAudioDecoder](https://github.com/search?q=DecryptingAudioDecoder&type=code)
[DecryptingVideoDecoder](https://github.com/search?q=DecryptingVideoDecoder&type=code)
[Decryption failed](https://github.com/search?q=Decryption+failed&type=code)
[Decryption is not avail](https://github.com/search?q=Decryption+is+not+avail&type=code)
[DoDecryptReply](https://github.com/search?q=DoDecryptReply&type=code)
[For a Content Decryption Module](https://github.com/search?q=For+a+Content+Decryption+Module&type=code)
[GetFrameDecryptor](https://github.com/search?q=GetFrameDecryptor&type=code)
[Hardware Secure Decryption is disabled](https://github.com/search?q=Hardware+Secure+Decryption+is+disabled&type=code)
[HardwareSecureDecryptionExperiment](https://github.com/search?q=HardwareSecureDecryptionExperiment&type=code)
[MojoDecryptorService](https://github.com/search?q=MojoDecryptorService&type=code)
[Selected DecryptingDemuxerStream](https://github.com/search?q=Selected+DecryptingDemuxerStream&type=code)
[Setting FrameDecryptor](https://github.com/search?q=Setting+FrameDecryptor&type=code)
[WaitingForDecryptionKey](https://github.com/search?q=WaitingForDecryptionKey&type=code)
[_privateDecrypt](https://github.com/search?q=_privateDecrypt&type=code)
[_publicDecrypt](https://github.com/search?q=_publicDecrypt&type=code)
[ause of SetFrameDecryptor](https://github.com/search?q=ause+of+SetFrameDecryptor&type=code)
[const privateDecrypt](https://github.com/search?q=const+privateDecrypt&type=code)
[const publicDecrypt](https://github.com/search?q=const+publicDecrypt&type=code)
[e to set ContentDecryptionModule object](https://github.com/search?q=e+to+set+ContentDecryptionModule+object&type=code)
[existing ContentDecryptionModule object](https://github.com/search?q=existing+ContentDecryptionModule+object&type=code)
[kDecryptError](https://github.com/search?q=kDecryptError&type=code)
[kIsAudioDecryptingDemuxerStream](https://github.com/search?q=kIsAudioDecryptingDemuxerStream&type=code)
[kIsVideoDecryptingDemuxerStream](https://github.com/search?q=kIsVideoDecryptingDemuxerStream&type=code)
[kWebCryptoCipherDecrypt](https://github.com/search?q=kWebCryptoCipherDecrypt&type=code)
[ketsReceivedWithDecrypter](https://github.com/search?q=ketsReceivedWithDecrypter&type=code) | +| LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) | +| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | +| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public Key](https://github.com/search?q=Public+Key&type=code)
[Public key](https://github.com/search?q=Public+key&type=code)
[Public-key](https://github.com/search?q=Public-key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | +| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code)
[require('tls')](https://github.com/search?q=require%28%27tls%27%29&type=code) | +| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | +| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | +| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | +| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | +| LOW | [data/embedded/pem_certificate](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert) | Contains embedded PEM certificate | [--BEGIN CERTIFICATE--](https://github.com/search?q=--BEGIN+CERTIFICATE--&type=code) | +| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | +| LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSON.parse](https://github.com/search?q=JSON.parse&type=code) | +| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | +| LOW | 
[data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | +| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | +| LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | +| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | +| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [evasion/hijack_execution/LD_LIBRARY_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hijack_execution/LD_LIBRARY_PATH.yara#ld_library_path) | ld library path | [LD_LIBRARY_PATH](https://github.com/search?q=LD_LIBRARY_PATH&type=code) | +| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | +| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | +| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Chromium PDF Plugin](https://github.com/search?q=Chromium+PDF+Plugin&type=code)
[ContainsPlugins](https://github.com/search?q=ContainsPlugins&type=code)
[Failed to generate a plugin id](https://github.com/search?q=Failed+to+generate+a+plugin+id&type=code)
[GetPluginInfo](https://github.com/search?q=GetPluginInfo&type=code)
[GetPlugins](https://github.com/search?q=GetPlugins&type=code)
[If you want to block plugins](https://github.com/search?q=If+you+want+to+block+plugins&type=code)
[Is an accelerated plugin](https://github.com/search?q=Is+an+accelerated+plugin&type=code)
[LoadPluginsSoon](https://github.com/search?q=LoadPluginsSoon&type=code)
[No PPP_GetInterface in plugin library](https://github.com/search?q=No+PPP_GetInterface+in+plugin+library&type=code)
[No PPP_InitializeModule in plugin library](https://github.com/search?q=No+PPP_InitializeModule+in+plugin+library&type=code)
[OnPepperPluginCrashed](https://github.com/search?q=OnPepperPluginCrashed&type=code)
[OnPepperPluginHung](https://github.com/search?q=OnPepperPluginHung&type=code)
[OpenChannelToPepperPlugin](https://github.com/search?q=OpenChannelToPepperPlugin&type=code)
[Pepper Plugin Broker](https://github.com/search?q=Pepper+Plugin+Broker&type=code)
[PepperPluginInstance](https://github.com/search?q=PepperPluginInstance&type=code)
[Plugin Changed](https://github.com/search?q=Plugin+Changed&type=code)
[Plugin URL](https://github.com/search?q=Plugin+URL&type=code)
[Plugin doesn](https://github.com/search?q=Plugin+doesn&type=code)
[PluginArray](https://github.com/search?q=PluginArray&type=code)
[PluginContextSecurity](https://github.com/search?q=PluginContextSecurity&type=code)
[PluginData](https://github.com/search?q=PluginData&type=code)
[PluginDispatcher](https://github.com/search?q=PluginDispatcher&type=code)
[PluginLoad](https://github.com/search?q=PluginLoad&type=code)
[PluginPrivate](https://github.com/search?q=PluginPrivate&type=code)
[PluginRegistry](https://github.com/search?q=PluginRegistry&type=code)
[PluginResource](https://github.com/search?q=PluginResource&type=code)
[PluginService](https://github.com/search?q=PluginService&type=code)
[PluginSizeUpdated](https://github.com/search?q=PluginSizeUpdated&type=code)
[PpapiMsg_LoadPlugin](https://github.com/search?q=PpapiMsg_LoadPlugin&type=code)
[PpapiPluginMain](https://github.com/search?q=PpapiPluginMain&type=code)
[PpapiPluginMetrics](https://github.com/search?q=PpapiPluginMetrics&type=code)
[RemoveBrowserPluginEmbedder](https://github.com/search?q=RemoveBrowserPluginEmbedder&type=code)
[SendToPlugin](https://github.com/search?q=SendToPlugin&type=code)
[SetBrowserPluginGuest](https://github.com/search?q=SetBrowserPluginGuest&type=code)
[The plugin has not](https://github.com/search?q=The+plugin+has+not&type=code)
[Unable to create ppapi plugin process](https://github.com/search?q=Unable+to+create+ppapi+plugin+process&type=code)
[Unable to load plugin](https://github.com/search?q=Unable+to+load+plugin&type=code)
[Unable to load ppapi plugin](https://github.com/search?q=Unable+to+load+ppapi+plugin&type=code)
[allowNonEmptyNavigatorPlugins](https://github.com/search?q=allowNonEmptyNavigatorPlugins&type=code)
[as a plugin](https://github.com/search?q=as+a+plugin&type=code)
[browserplugin](https://github.com/search?q=browserplugin&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[html_plugin_element](https://github.com/search?q=html_plugin_element&type=code)
[kPluginObject](https://github.com/search?q=kPluginObject&type=code)
[loadplugin](https://github.com/search?q=loadplugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[page contains plugins](https://github.com/search?q=page+contains+plugins&type=code)
[pdf_internal_plugin_wrapper](https://github.com/search?q=pdf_internal_plugin_wrapper&type=code)
[pdf_view_plugin_base](https://github.com/search?q=pdf_view_plugin_base&type=code)
[pdf_view_web_plugin](https://github.com/search?q=pdf_view_web_plugin&type=code)
[pepper_hung_plugin_filter](https://github.com/search?q=pepper_hung_plugin_filter&type=code)
[pepper_webplugin_impl](https://github.com/search?q=pepper_webplugin_impl&type=code)
[plugin data](https://github.com/search?q=plugin+data&type=code)
[pluginObject](https://github.com/search?q=pluginObject&type=code)
[plugin_audio_thread](https://github.com/search?q=plugin_audio_thread&type=code)
[plugin_container_impl](https://github.com/search?q=plugin_container_impl&type=code)
[plugin_instance_impl](https://github.com/search?q=plugin_instance_impl&type=code)
[plugin_message_filter](https://github.com/search?q=plugin_message_filter&type=code)
[plugin_module](https://github.com/search?q=plugin_module&type=code)
[plugin_private_storage](https://github.com/search?q=plugin_private_storage&type=code)
[plugin_process_host](https://github.com/search?q=plugin_process_host&type=code)
[plugin_service_impl](https://github.com/search?q=plugin_service_impl&type=code)
[pluginprH](https://github.com/search?q=pluginprH&type=code)
[pluginsEnabled](https://github.com/search?q=pluginsEnabled&type=code)
[pluginspace](https://github.com/search?q=pluginspace&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[pluginurl](https://github.com/search?q=pluginurl&type=code)
[ppapi_plugin_main](https://github.com/search?q=ppapi_plugin_main&type=code)
[ppapi_plugin_process](https://github.com/search?q=ppapi_plugin_process&type=code)
[r PluginH](https://github.com/search?q=r+PluginH&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code)
[security origin than your plugin](https://github.com/search?q=security+origin+than+your+plugin&type=code)
[strictMixedContentCheckingForPlugin](https://github.com/search?q=strictMixedContentCheckingForPlugin&type=code)
[suggestplugin](https://github.com/search?q=suggestplugin&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectoryAndGetEr](https://github.com/search?q=CreateDirectoryAndGetEr&type=code)
[CreateDirectoryResult](https://github.com/search?q=CreateDirectoryResult&type=code)
[createFolder](https://github.com/search?q=createFolder&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) |
+| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) |
+| LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm HP-USB500 5.1 Headset](https://github.com/search?q=rm+HP-USB500+5.1+Headset&type=code)
[rm PA-WL54GU](https://github.com/search?q=rm+PA-WL54GU&type=code) |
+| LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) |
+| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) |
+| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) |
+| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code)
[fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code) |
+| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) |
+| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code)
[writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeIntoFile](https://github.com/search?q=writeIntoFile&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code) |
+| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) |
+| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) |
+| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) |
+| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/asound.conf](https://github.com/search?q=%2Fetc%2Fasound.conf&type=code)
[/etc/ati/amdpcsdb.default](https://github.com/search?q=%2Fetc%2Fati%2Famdpcsdb.default&type=code)
[/etc/catalog](https://github.com/search?q=%2Fetc%2Fcatalog&type=code)
[/etc/chromium/native-messaging-hosts](https://github.com/search?q=%2Fetc%2Fchromium%2Fnative-messaging-hosts&type=code)
[/etc/chromium/policies](https://github.com/search?q=%2Fetc%2Fchromium%2Fpolicies&type=code)
[/etc/fallback](https://github.com/search?q=%2Fetc%2Ffallback&type=code)
[/etc/fonts.xml](https://github.com/search?q=%2Fetc%2Ffonts.xml&type=code)
[/etc/host.conf](https://github.com/search?q=%2Fetc%2Fhost.conf&type=code)
[/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code)
[/etc/localtime](https://github.com/search?q=%2Fetc%2Flocaltime&type=code)
[/etc/lsb-release](https://github.com/search?q=%2Fetc%2Flsb-release&type=code)
[/etc/nsswitch.conf](https://github.com/search?q=%2Fetc%2Fnsswitch.conf&type=code)
[/etc/os-release](https://github.com/search?q=%2Fetc%2Fos-release&type=code)
[/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/ssl/certs](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts&type=code)
[/etc/svc.conf](https://github.com/search?q=%2Fetc%2Fsvc.conf&type=code)
[/etc/system](https://github.com/search?q=%2Fetc%2Fsystem&type=code)
[/etc/timezone](https://github.com/search?q=%2Fetc%2Ftimezone&type=code)
[/etc/vulkan/icd.d](https://github.com/search?q=%2Fetc%2Fvulkan%2Ficd.d&type=code)
[/etc/xml/catalog](https://github.com/search?q=%2Fetc%2Fxml%2Fcatalog&type=code) |
+| LOW | [fs/path/etc_resolv.conf](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf) | accesses DNS resolver configuration | [/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code) |
+| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/privacy/](https://github.com/search?q=%2Fhome%2Fprivacy%2F&type=code) |
+| LOW | [fs/path/home_config](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path) | path reference within ~/.config | [.config/pulse](https://github.com/search?q=.config%2Fpulse&type=code)
[/.config/user](https://github.com/search?q=%2F.config%2Fuser&type=code) |
+| LOW | [fs/path/usr_bin](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path) | path reference within /usr/bin | [/usr/bin/wget](https://github.com/search?q=%2Fusr%2Fbin%2Fwget&type=code) |
+| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/cache/fontconfig](https://github.com/search?q=%2Fvar%2Fcache%2Ffontconfig&type=code)
[/var/log/bluetooth/bluetooth_quality_report](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Fbluetooth_quality_report&type=code)
[/var/log/bluetooth/log.bz2.old](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Flog.bz2.old&type=code)
[/var/run/user](https://github.com/search?q=%2Fvar%2Frun%2Fuser&type=code)
[/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) |
+| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) |
+| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TEMPDIR](https://github.com/search?q=TEMPDIR&type=code)
[TMPDIR](https://github.com/search?q=TMPDIR&type=code) |
+| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) |
+| LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
+| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) |
+| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [tmpfile](https://github.com/search?q=tmpfile&type=code) |
+| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) |
+| LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) |
+| LOW | [impact/ui/screen_capture](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ui/screen-capture.yara#macos_screen_capture) | macos screen capture | [captureScreen](https://github.com/search?q=captureScreen&type=code) |
+| LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [require('dns')](https://github.com/search?q=require%28%27dns%27%29&type=code) |
+| LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [resolv.conf](https://github.com/search?q=resolv.conf&type=code) |
+| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) |
+| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) |
+| LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) |
+| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with basic authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) |
+| LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [oauth2](https://github.com/search?q=oauth2&type=code) |
+| LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) |
+| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[httpClose](https://github.com/search?q=httpClose&type=code)
[httpConnect](https://github.com/search?q=httpConnect&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code) |
+| LOW | [net/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets) | access the internet | [invalid packet](https://github.com/search?q=invalid+packet&type=code) |
+| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) |
+| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#cannot_resolve) | resolve network host name to IP address | [cannot resolve](https://github.com/search?q=cannot+resolve&type=code) |
+| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) |
+| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) |
+| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [client_address_spac](https://github.com/search?q=client_address_spac&type=code)
[getpeername](https://github.com/search?q=getpeername&type=code) |
+| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) |
+| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code)
[sendmmsg](https://github.com/search?q=sendmmsg&type=code)
[sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) |
+| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code)
[new URL](https://github.com/search?q=new+URL&type=code) |
+| LOW | [os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val) | Retrieve environment variable values | [env.COLORTERM](https://github.com/search?q=env.COLORTERM&type=code)
[env.ELECTRON](https://github.com/search?q=env.ELECTRON&type=code)
[env.FORCE](https://github.com/search?q=env.FORCE&type=code)
[env.NODE](https://github.com/search?q=env.NODE&type=code)
[env.ORIGINAL](https://github.com/search?q=env.ORIGINAL&type=code)
[env.TEAMCITY](https://github.com/search?q=env.TEAMCITY&type=code)
[env.TEMP](https://github.com/search?q=env.TEMP&type=code)
[env.TERM](https://github.com/search?q=env.TERM&type=code)
[env.TMP](https://github.com/search?q=env.TMP&type=code)
[env.TMUX](https://github.com/search?q=env.TMUX&type=code)
[env.USERPROFILE](https://github.com/search?q=env.USERPROFILE&type=code)
[env.XDG](https://github.com/search?q=env.XDG&type=code) |
+| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) |
+| LOW | [os/fd/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#py_fd_read) | reads from a file handle | [context.read()](https://github.com/search?q=context.read%28%29&type=code)
[reader.read()](https://github.com/search?q=reader.read%28%29&type=code)
[req.read()](https://github.com/search?q=req.read%28%29&type=code)
[self.read()](https://github.com/search?q=self.read%28%29&type=code)
[socket.read()](https://github.com/search?q=socket.read%28%29&type=code)
[stream.read()](https://github.com/search?q=stream.read%28%29&type=code)
[tail.read()](https://github.com/search?q=tail.read%28%29&type=code) |
+| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) |
+| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [_decoder.write(b)](https://github.com/search?q=_decoder.write%28b%29&type=code)
[_decoder.write(ret)](https://github.com/search?q=_decoder.write%28ret%29&type=code)
[_downstream.write(e)](https://github.com/search?q=_downstream.write%28e%29&type=code)
[decoder.write(chunk)](https://github.com/search?q=decoder.write%28chunk%29&type=code)
[decoder.write(data)](https://github.com/search?q=decoder.write%28data%29&type=code)
[dest.write(chunk)](https://github.com/search?q=dest.write%28chunk%29&type=code)
[output.write(errStack)](https://github.com/search?q=output.write%28errStack%29&type=code)
[output.write(line)](https://github.com/search?q=output.write%28line%29&type=code)
[output.write(result)](https://github.com/search?q=output.write%28result%29&type=code)
[output.write(stringToWrite)](https://github.com/search?q=output.write%28stringToWrite%29&type=code)
[pt.write(val)](https://github.com/search?q=pt.write%28val%29&type=code)
[self.write(prefix)](https://github.com/search?q=self.write%28prefix%29&type=code)
[stdout.write(s)](https://github.com/search?q=stdout.write%28s%29&type=code)
[stream.write(data)](https://github.com/search?q=stream.write%28data%29&type=code)
[stream.write(string)](https://github.com/search?q=stream.write%28string%29&type=code)
[streamWritable.write(chunk)](https://github.com/search?q=streamWritable.write%28chunk%29&type=code)
[this.write(buf)](https://github.com/search?q=this.write%28buf%29&type=code)
[this.write(data)](https://github.com/search?q=this.write%28data%29&type=code)
[this.write(response)](https://github.com/search?q=this.write%28response%29&type=code)
[writable.write(chunk)](https://github.com/search?q=writable.write%28chunk%29&type=code)
[writer.write(chunk)](https://github.com/search?q=writer.write%28chunk%29&type=code) |
+| LOW | [os/kernel/netlink](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink) | communicate with kernel services | [netlink](https://github.com/search?q=netlink&type=code) |
+| LOW | [os/kernel/perfmon](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/perfmon.yara#perf_event_open) | set up performance monitoring | [perf_event_open](https://github.com/search?q=perf_event_open&type=code) |
+| LOW | [os/kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) |
+| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) |
+| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd](https://github.com/search?q=cd&type=code) |
+| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) |
+| LOW | [process/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#syscall_vfork) | [create child process](https://man7.org/linux/man-pages/man2/vfork.2.html) | [vfork](https://github.com/search?q=vfork&type=code) |
+| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | 
[setgid](https://github.com/search?q=setgid&type=code) |
+| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) |
+| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
+
diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple
index e69de29bb..d979ac232 100644
--- a/tests/linux/clean/containerd.simple
+++ b/tests/linux/clean/containerd.simple
@@ -0,0 +1,134 @@
+# linux/clean/containerd: medium
+c2/addr/ip: medium
+c2/addr/server: medium
+c2/addr/url: low
+c2/client: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/os: medium
+collect/archives/zip: medium
+collect/databases/mysql: medium
+credential/password: low
+credential/sniffer/bpf: medium
+credential/sniffer/pcap: medium
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/cipher: medium
+crypto/decrypt: low
+crypto/ecdsa: low
+crypto/ed25519: low
+crypto/public_key: low
+crypto/tls: low
+data/compression/bzip2: low
+data/compression/gzip: low
+data/compression/zlib: low
+data/compression/zstd: low
+data/embedded/html: medium
+data/embedded/zstd: medium
+data/encoding/base64: low
+data/encoding/json: low
+data/encoding/json_decode: low
+data/hash/md5: low
+discover/network/mac_address: medium
+discover/system/cpu: low
+discover/system/hostname: low
+discover/system/platform: medium
+discover/user/USER: low
+evasion/file/location/dev_mqueue: medium
+evasion/file/location/dev_shm: medium
+evasion/file/location/var_run: medium
+evasion/process_injection/ptrace: medium
+exec/plugin: low
+exec/program: medium
+exec/reconfigure/hostname_set: low
+exec/shell/TERM: low
+exec/system_controls/apparmor: medium
+exec/system_controls/systemd: low
+fs/attributes/set: medium
+fs/directory/create: low
+fs/directory/list: low
+fs/directory/remove: low
+fs/event_monitoring: low
+fs/file/copy: medium
+fs/file/create: medium
+fs/file/delete: low
+fs/file/delete_forcibly: low
+fs/file/open: low
+fs/file/read: low
+fs/file/rename: low
+fs/file/times_set: medium
+fs/file/write: low
+fs/link_create: low
+fs/link_read: low
+fs/lock_update: low
+fs/loopback: medium
+fs/mount: low
+fs/node_create: low
+fs/path/etc: low
+fs/path/etc_hosts: medium
+fs/path/etc_resolv.conf: low
+fs/path/home: low
+fs/path/usr_local: medium
+fs/path/var: low
+fs/permission/chown: medium
+fs/permission/modify: medium
+fs/proc/arbitrary_pid: medium
+fs/proc/net_route: medium
+fs/proc/self_cgroup: medium
+fs/proc/self_mountinfo: medium
+fs/tempdir/TEMP: low
+fs/tempdir/create: low
+fs/tempfile: low
+fs/unmount: low
+fs/watch: low
+hw/dev/block_ice: medium
+hw/dev/mapper: medium
+impact/remote_access/heartbeat: medium
+net/dns: low
+net/dns/reverse: medium
+net/dns/servers: low
+net/dns/txt: low
+net/download: medium
+net/http/2: low
+net/http/accept: medium
+net/http/accept_encoding: low
+net/http/auth: low
+net/http/content_length: medium
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/oauth2: low
+net/http/post: medium
+net/http/proxy: low
+net/http/request: low
+net/http/webhook: medium
+net/http/websocket: medium
+net/ip/host_port: medium
+net/ip/icmp: medium
+net/ip/multicast_send: low
+net/ip/parse: medium
+net/ip/send_unicast: low
+net/resolve/hostname: low
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/pair: medium
+net/socket/peer_address: low
+net/socket/receive: low
+net/socket/send: low
+net/tcp/connect: medium
+net/tcp/grpc: low
+net/udp/receive: low
+net/udp/send: low
+net/url/embedded: low
+net/url/encode: medium
+net/url/parse: low
+net/url/request: medium
+os/fd/sendfile: low
+os/kernel/kcore: low
+os/kernel/netlink: low
+os/kernel/seccomp: low
+persist/pid_file: medium
+process/chdir: low
+process/groupid_set: low
+process/groups_set: low
+process/terminate/kill_multiple: medium
+sus/exclamation: medium
+sus/intercept: medium
diff --git a/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple
index e69de29bb..a78a1d8a9 100644
--- a/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple
+++ b/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple
@@ -0,0 +1,48 @@
+# linux/clean/kibana/securitySolution.chunk.22.js: medium
+c2/addr/url: low
+c2/discovery/dyndns: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/download: low
+c2/tool_transfer/dropper: medium
+c2/tool_transfer/exe_url: low
+c2/tool_transfer/grayware: low
+c2/tool_transfer/os: medium
+collect/databases/mysql: medium
+credential/keylogger: medium
+credential/password: low
+crypto/blockchain: medium
+crypto/openssl: medium
+data/encoding/json_decode: low
+evasion/file/prefix: medium
+evasion/rootkit/refs: medium
+evasion/rootkit/userspace: low
+exec/plugin: low
+exec/shell/power: medium
+exfil/upload: medium
+fs/lock_update: low
+fs/path/dev: medium
+impact/cryptojacking/monero_pool: medium
+impact/ddos: medium
+impact/exploit: medium
+impact/exploit/cve: medium
+impact/exploit/known_s: medium
+impact/infection/infected: medium
+impact/infection/worm: medium
+impact/remote_access/backdoor: medium
+impact/remote_access/iptables: medium
+impact/remote_access/reverse_shell: low
+impact/remote_access/trojan: medium
+lateral/scan/brute_force: low
+malware/ref: medium
+net/dns/txt: low
+net/download: medium
+net/tcp/sftp: medium
+net/url/embedded: medium
+net/url/parse: low
+persist/daemon: medium
+process/chroot: low
+sec-tool/net/masscan: low
+sec-tool/net/nmap: medium
+sec-tool/pentest/metasploit_ref: medium
+sus/leetspeak: medium
+sus/malicious: medium
diff --git a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
index e69de29bb..3478ac9b6 100644
--- a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
+++ b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple
@@ -0,0 +1,70 @@
+# linux/clean/kibana/securitySolution.chunk.9.js: medium
+anti-static/obfuscation/js: medium
+anti-static/obfuscation/reverse: medium
+c2/addr/ip: medium
+c2/addr/url: low
+c2/discovery/dyndns: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/download: low
+c2/tool_transfer/dropper: medium
+c2/tool_transfer/exe_url: low
+c2/tool_transfer/grayware: low
+c2/tool_transfer/os: medium
+collect/databases/mysql: medium
+credential/keylogger: medium
+credential/password: low
+crypto/blockchain: medium
+crypto/encrypt: medium
+crypto/openssl: medium
+data/embedded/base64_url: medium
+data/encoding/base64: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
+data/hash/md5: low
+discover/network/mac_address: medium
+discover/process/name: medium
+discover/process/parent: low
+evasion/file/prefix: medium
+evasion/rootkit/refs: medium
+evasion/rootkit/userspace: low
+exec/cmd: medium
+exec/plugin: low
+exec/shell/power: medium
+exec/system_controls/apparmor: medium
+exfil/upload: medium
+fs/lock_update: low
+fs/mount: low
+fs/path/dev: medium
+impact/cryptojacking/monero_pool: medium
+impact/ddos: medium
+impact/exploit: medium
+impact/exploit/cve: medium
+impact/exploit/known_s: medium
+impact/infection/infected: medium
+impact/infection/worm: medium
+impact/remote_access/backdoor: medium
+impact/remote_access/iptables: medium
+impact/remote_access/reverse_shell: low
+impact/remote_access/trojan: medium
+lateral/scan/brute_force: low
+malware/ref: medium
+net/dns/txt: low
+net/download: medium
+net/http/post: medium
+net/http/request: low
+net/ip/addr: medium
+net/ip/host_port: medium
+net/socket/listen: medium
+net/socket/send: low
+net/tcp/sftp: medium
+net/url/embedded: medium
+net/url/parse: low
+net/url/request: medium
+os/kernel/seccomp: low
+persist/daemon: medium
+process/chroot: low
+sec-tool/net/masscan: low
+sec-tool/net/nmap: medium
+sec-tool/pentest/metasploit_ref: medium
+sus/leetspeak: medium
+sus/malicious: medium
diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple
index e69de29bb..59142a2a1 100644
--- a/tests/linux/clean/kuma-cp.simple
+++ b/tests/linux/clean/kuma-cp.simple
@@ -0,0 +1,142 @@
+# linux/clean/kuma-cp: medium
+c2/addr/http_dynamic: medium
+c2/addr/ip: medium
+c2/addr/server: medium
+c2/addr/url: low
+c2/client: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/download: medium
+c2/tool_transfer/os: medium
+collect/archives/zip: medium
+collect/databases/mysql: medium
+collect/databases/postgresql: medium
+credential/password: low
+credential/server/htpasswd: medium
+credential/sniffer/bpf: medium
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/cipher: medium
+crypto/decrypt: low
+crypto/ecdsa: low
+crypto/ed25519: low
+crypto/public_key: low
+crypto/tls: low
+crypto/uuid: medium
+data/base64/external: medium
+data/compression/bzip2: low
+data/compression/gzip: low
+data/compression/zlib: low
+data/compression/zstd: low
+data/embedded/base64_url: medium
+data/embedded/html: medium
+data/embedded/pem_test_key: low
+data/encoding/base64: low
+data/encoding/json: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
+data/hash/md5: low
+discover/network/interface_list: medium
+discover/network/mac_address: medium
+discover/network/netstat: medium
+discover/processes/list: medium
+discover/system/cpu: low
+discover/system/dmesg: low
+discover/system/hostname: low
+discover/system/platform: medium
+discover/system/sysinfo: medium
+discover/user/HOME: low
+discover/user/USER: low
+discover/user/name_get: medium
+evasion/bypass_security/linux/iptables: medium
+evasion/file/location/var_run: medium
+evasion/file/prefix: medium
+exec/cmd: medium
+exec/conditional/LANG: low
+exec/plugin: low
+exec/program: medium
+exec/shell/SHELL: low
+exec/shell/TERM: low
+exec/shell/background_sleep: medium
+exfil/collection: medium
+fs/directory/create: low
+fs/directory/list: low
+fs/directory/remove: low
+fs/fifo_create: low
+fs/file/copy: medium
+fs/file/delete: low
+fs/file/delete_forcibly: low
+fs/file/open: low
+fs/file/read: low
+fs/file/rename: low
+fs/file/stat: low
+fs/file/write: low
+fs/link_read: low
+fs/mount: low
+fs/node_create: low
+fs/path/etc: low
+fs/path/etc_hosts: medium
+fs/path/etc_resolv.conf: low
+fs/path/home_config: low
+fs/path/tmp: medium
+fs/path/usr_bin: low
+fs/path/var: low
+fs/permission/chown: medium
+fs/permission/modify: medium
+fs/quota_manipulate: low
+fs/swap/on: low
+fs/tempdir/TEMP: low
+fs/tempfile: low
+fs/unmount: low
+fs/watch: low
+hw/dev/block_ice: medium
+impact/remote_access/heartbeat: medium
+impact/remote_access/iptables: medium
+net/dns: low
+net/dns/reverse: medium
+net/dns/servers: low
+net/dns/txt: low
+net/download: medium
+net/download/fetch: medium
+net/http/2: low
+net/http/accept: medium
+net/http/accept_encoding: low
+net/http/auth: low
+net/http/content_length: medium
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/oauth2: low
+net/http/post: medium
+net/http/proxy: low
+net/http/request: low
+net/http/webhook: medium
+net/http/websocket: medium
+net/ip/host_port: medium
+net/ip/icmp: medium
+net/ip/multicast_send: low
+net/ip/parse: medium
+net/proxy/tunnel: medium
+net/resolve/hostname: low
+net/resolve/hostport_parse: low
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/peer_address: low
+net/socket/receive: low
+net/socket/send: low
+net/tcp/connect: medium
+net/tcp/grpc: low
+net/tcp/ssh: medium
+net/udp/receive: low
+net/udp/send: low
+net/url/embedded: low
+net/url/encode: medium
+net/url/parse: low
+net/url/request: medium
+os/fd/sendfile: low
+os/kernel/netlink: low
+os/kernel/seccomp: low
+persist/cron/tab: medium
+privesc/sudo: medium
+process/chroot: low
+process/groupid_set: low
+sus/exclamation: medium
+sus/intercept: medium
diff --git a/tests/linux/clean/libgcj.so.17.0.0.simple b/tests/linux/clean/libgcj.so.17.0.0.simple
index e69de29bb..65b554ce3 100644
--- a/tests/linux/clean/libgcj.so.17.0.0.simple
+++ b/tests/linux/clean/libgcj.so.17.0.0.simple
@@ -0,0 +1,103 @@
+# linux/clean/libgcj.so.17.0.0: medium
+3P/JPCERT/cobaltstrike_v3v4: medium
+anti-behavior/random_behavior: low
+c2/addr/ip: medium
+c2/addr/url: low
+c2/tool_transfer/os: medium
+credential/password: low
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/cipher: medium
+crypto/decrypt: low
+crypto/public_key: low
+crypto/tls: low
+crypto/uuid: medium
+data/compression/bzip2: low
+data/compression/gzip: low
+data/embedded/base64_terms: medium
+data/embedded/base64_url: medium
+data/embedded/html: medium
+data/embedded/pem_certificate: low
+data/encoding/base64: low
+data/hash/md5: low
+data/hash/sha1: low
+data/hash/sha256: low
+data/hash/whirlpool: medium
+discover/network/interface_list: medium
+discover/process/name: medium
+discover/system/cpu: low
+discover/system/hostname: low
+discover/system/platform: low
+discover/user/HOME: low
+discover/user/USER: low
+evasion/hijack_execution/LD_LIBRARY_PATH: low
+exec/cmd: medium
+exec/conditional/LANG: low
+exec/dylib/address_check: low
+exec/dylib/iterate: low
+exec/dylib/symbol_address: medium
+exec/plugin: low
+exec/program: medium
+exec/program/background: low
+exec/shell/SHELL: low
+exec/shell/command: medium
+exfil/office_file_ext: medium
+fs/directory/create: low
+fs/directory/list: low
+fs/directory/remove: low
+fs/file/copy: medium
+fs/file/delete: medium
+fs/file/open: low
+fs/file/rename: low
+fs/file/times_set: medium
+fs/file/truncate: low
+fs/file/write: low
+fs/link_read: low
+fs/mounts_read: medium
+fs/path/dev: medium
+fs/path/etc: low
+fs/path/root: medium
+fs/path/usr_local: medium
+fs/path/var: low
+fs/permission/modify: medium
+fs/proc/arbitrary_pid: medium
+fs/proc/mounts: medium
+fs/proc/stat: medium
+fs/tempdir: low
+fs/tempdir/TEMP: low
+fs/tempdir/TMPDIR: low
+fs/tempfile: low
+hw/iokit_registry: low
+impact/remote_access/agent: medium
+lateral/scan/tool: medium
+net/dns/txt: low
+net/http/accept: medium
+net/http/accept_encoding: low
+net/http/auth: low
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/post: medium
+net/http/proxy: low
+net/http/request: low
+net/ip: low
+net/ip/connect: medium
+net/ip/host_port: medium
+net/ip/multicast_send: low
+net/ip/parse: medium
+net/ip/resolve: low
+net/ip/send_unicast: low
+net/ip/string: medium
+net/resolve/hostname: low
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/receive: low
+net/socket/reuseport: medium
+net/socket/send: low
+net/url/embedded: low
+net/url/encode: medium
+net/url/parse: low
+net/url/request: medium
+process/multithreaded: low
+sus/exclamation: medium
+sus/intercept: medium
+sus/leetspeak: medium
diff --git a/tests/linux/clean/libgcj.so.17.simple b/tests/linux/clean/libgcj.so.17.simple
index e69de29bb..4a19eb230 100644
--- a/tests/linux/clean/libgcj.so.17.simple
+++ b/tests/linux/clean/libgcj.so.17.simple
@@ -0,0 +1,103 @@
+# linux/clean/libgcj.so.17: medium
+3P/JPCERT/cobaltstrike_v3v4: medium
+anti-behavior/random_behavior: low
+c2/addr/ip: medium
+c2/addr/url: low
+c2/tool_transfer/os: medium
+credential/password: low
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/cipher: medium
+crypto/decrypt: low
+crypto/public_key: low
+crypto/tls: low
+crypto/uuid: medium
+data/compression/bzip2: low
+data/compression/gzip: low
+data/embedded/base64_terms: medium
+data/embedded/base64_url: medium
+data/embedded/html: medium
+data/embedded/pem_certificate: low
+data/encoding/base64: low
+data/hash/md5: low
+data/hash/sha1: low
+data/hash/sha256: low
+data/hash/whirlpool: medium
+discover/network/interface_list: medium
+discover/process/name: medium
+discover/system/cpu: low
+discover/system/hostname: low
+discover/system/platform: low
+discover/user/HOME: low
+discover/user/USER: low
+evasion/hijack_execution/LD_LIBRARY_PATH: low
+exec/cmd: medium
+exec/conditional/LANG: low
+exec/dylib/address_check: low
+exec/dylib/iterate: low
+exec/dylib/symbol_address: medium
+exec/plugin: low
+exec/program: medium
+exec/program/background: low
+exec/shell/SHELL: low
+exec/shell/command: medium
+exfil/office_file_ext: medium
+fs/directory/create: low
+fs/directory/list: low
+fs/directory/remove: low
+fs/file/copy: medium
+fs/file/delete: medium
+fs/file/open: low
+fs/file/rename: low
+fs/file/times_set: medium
+fs/file/truncate: low
+fs/file/write: low
+fs/link_read: low
+fs/mounts_read: medium
+fs/path/dev: medium
+fs/path/etc: low
+fs/path/root: medium
+fs/path/usr_local: medium
+fs/path/var: low
+fs/permission/modify: medium
+fs/proc/arbitrary_pid: medium
+fs/proc/mounts: medium
+fs/proc/stat: medium
+fs/tempdir: low
+fs/tempdir/TEMP: low
+fs/tempdir/TMPDIR: low
+fs/tempfile: low
+hw/iokit_registry: low
+impact/remote_access/agent: medium
+lateral/scan/tool: medium
+net/dns/txt: low
+net/http/accept: medium
+net/http/accept_encoding: low
+net/http/auth: low
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/post: medium
+net/http/proxy: low
+net/http/request: low
+net/ip: low
+net/ip/connect: medium
+net/ip/host_port: medium
+net/ip/multicast_send: low
+net/ip/parse: medium
+net/ip/resolve: low
+net/ip/send_unicast: low
+net/ip/string: medium
+net/resolve/hostname: low
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/receive: low
+net/socket/reuseport: medium
+net/socket/send: low
+net/url/embedded: low
+net/url/encode: medium
+net/url/parse: low
+net/url/request: medium
+process/multithreaded: low
+sus/exclamation: medium
+sus/intercept: medium
+sus/leetspeak: medium
diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple
index e69de29bb..afce3a926 100644
--- a/tests/linux/clean/melange.simple
+++ b/tests/linux/clean/melange.simple
@@ -0,0 +1,160 @@
+# linux/clean/melange: medium
+anti-static/elf/multiple: medium
+c2/addr/http_dynamic: medium
+c2/addr/ip: medium
+c2/addr/url: low
+c2/client: medium
+c2/refs: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/os: medium
+collect/archives/tar_command: medium
+collect/archives/zip: medium
+collect/code/github_api: low
+credential/cloud/g: medium
+credential/keychain: medium
+credential/password: low
+credential/sniffer/bpf: medium
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/cipher: medium
+crypto/decrypt: low
+crypto/ecdsa: low
+crypto/ed25519: low
+crypto/openssl: medium
+crypto/public_key: low
+crypto/tls: low
+data/base64/external: medium
+data/compression/bzip2: low
+data/compression/gzip: low
+data/compression/lzma: low
+data/compression/zlib: low
+data/compression/zstd: low
+data/embedded/html: medium
+data/embedded/pem_certificate: low
+data/embedded/ssh_signature: medium
+data/embedded/zstd: medium
+data/encoding/base64: low
+data/encoding/json: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
+data/hash/blake2b: low
+data/hash/md5: low
+discover/cloud/aws_metadata: low
+discover/cloud/google_metadata: low
+discover/cloud/google_storage: low
+discover/network/interface_list: medium
+discover/network/mac_address: medium
+discover/network/netstat: medium
+discover/processes/pgrep: medium
+discover/system/cpu: low
+discover/system/dmesg: low
+discover/system/hostname: low
+discover/system/platform: medium
+discover/system/sysinfo: medium
+discover/user/HOME: low
+discover/user/USER: low
+discover/user/name_get: medium
+evasion/file/location/system_directory: medium
+evasion/file/prefix: medium
+evasion/hide_artifacts/pivot_root: medium
+exec/cmd: medium
+exec/install_additional/pip_install: medium
+exec/plugin: low
+exec/program: medium
+exec/shell/TERM: low
+exec/shell/background_sleep: medium
+exec/shell/exec: medium
+exec/shell/pipe_sh: medium
+fs/blkid: low
+fs/directory/create: low
+fs/directory/list: low
+fs/directory/remove: low
+fs/fifo_create: low
+fs/file/copy: medium
+fs/file/create: medium
+fs/file/delete: medium
+fs/file/delete_forcibly: medium
+fs/file/open: low
+fs/file/read: low
+fs/file/rename: low
+fs/file/write: low
+fs/link_create: low
+fs/link_read: low
+fs/lock_update: low
+fs/mount: low
+fs/node_create: low
+fs/path/bin_su: low
+fs/path/etc: low
+fs/path/etc_hosts: medium
+fs/path/etc_resolv.conf: low
+fs/path/home_config: low
+fs/path/relative: medium
+fs/path/root: medium
+fs/path/usr_bin: low
+fs/path/usr_local: medium
+fs/path/usr_sbin: low
+fs/path/var: low
+fs/permission/chown: medium
+fs/permission/modify: medium
+fs/swap/off: low
+fs/swap/on: low
+fs/symlink_resolve: low
+fs/tempdir/TEMP: low
+fs/tempdir/create: low
+fs/tempfile: low
+fs/unmount: low
+fs/watch: low
+impact/remote_access/heartbeat: medium
+impact/remote_access/kill_rm: medium
+net/dns: low
+net/dns/reverse: medium
+net/dns/servers: low
+net/dns/txt: low
+net/download: medium
+net/download/fetch: medium
+net/http/2: low
+net/http/accept: medium
+net/http/accept_encoding: low
+net/http/auth: low
+net/http/content_length: medium
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/oauth2: low
+net/http/post: medium
+net/http/proxy: low
+net/http/request: low
+net/ip: low
+net/ip/host_port: medium
+net/ip/icmp: medium
+net/ip/parse: medium
+net/proxy/socks5: medium
+net/proxy/tunnel: medium
+net/resolve/hostname: low
+net/resolve/hostport_parse: low
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/peer_address: low
+net/socket/receive: low
+net/socket/send: low
+net/tcp/connect: medium
+net/tcp/grpc: low
+net/tcp/ssh: medium
+net/udp/receive: low
+net/udp/send: low
+net/url/embedded: low
+net/url/encode: medium
+net/url/parse: low
+net/url/request: medium
+os/env/get: low
+os/fd/sendfile: low
+os/kernel/netlink: low
+os/time/clock_set: low
+persist/cron/tab: medium
+privesc/setuid: low
+process/chdir: low
+process/chroot: low
+process/groupid_set: low
+process/multithreaded: low
+process/unshare: low
+sus/exclamation: medium
+sus/intercept: medium
diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple
index e69de29bb..9ef86ed4a 100644
--- a/tests/linux/clean/mongosh.simple
+++ b/tests/linux/clean/mongosh.simple
@@ -0,0 +1,194 @@
+# linux/clean/mongosh: medium
+anti-static/obfuscation/hex: medium
+anti-static/obfuscation/obfuscate: low
+c2/addr/http_dynamic: medium
+c2/addr/ip: medium
+c2/addr/server: medium
+c2/addr/url: low
+c2/client: medium
+c2/discovery/ip_dns_resolver: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/os: medium
+collect/archives/unarchive: medium
+collect/databases/postgresql: medium
+collect/databases/sqlite: medium
+credential/cloud/aws: medium
+credential/password: low
+credential/sniffer/bpf: medium
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/cipher: medium
+crypto/decrypt: low
+crypto/ed25519: low
+crypto/encrypt: medium
+crypto/openssl: medium
+crypto/public_key: low
+crypto/tls: low
+crypto/uuid: medium
+data/base64/decode: medium
+data/base64/encode: medium
+data/compression/bzip2: low
+data/compression/gzip: low
+data/compression/lzma: low
+data/compression/zlib: low
+data/compression/zstd: low
+data/embedded/base64_gzip: medium
+data/embedded/base64_terms: medium
+data/embedded/base64_url: medium
+data/embedded/html: medium
+data/embedded/pem_certificate: low
+data/embedded/pem_private_key: medium
+data/encoding/base64: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
+data/hash/sha256: low
+data/random/insecure: low
+discover/cloud/aws_metadata: low
+discover/cloud/google_metadata: low
+discover/group/lookup: medium
+discover/network/interface: low
+discover/network/interface_list: medium
+discover/network/mac_address: medium
+discover/process/name: medium
+discover/process/parent: low
+discover/process/working_directory: low
+discover/processes/list: medium
+discover/system/hostname: low
+discover/system/platform: medium
+discover/system/sysinfo: medium
+discover/user/APPDATA: low
+discover/user/HOME: low
+discover/user/USER: low
+discover/user/USERPROFILE: medium
+discover/user/info: medium
+discover/user/name_get: low
+evasion/file/prefix: medium
+evasion/logging/acct: low
+exec/cmd: medium
+exec/conditional/LANG: low
+exec/dylib/address_check: low
+exec/dylib/iterate: low
+exec/dylib/symbol_address: medium
+exec/plugin: low
+exec/program: medium
+exec/program/background: low
+exec/script/activex: medium
+exec/script/osa: medium
+exec/shell/SHELL: low
+exec/shell/TERM: low
+exec/shell/command: medium
+exec/shell/echo: medium
+exec/shell/exec: medium
+exec/shell/pipe_sh: medium
+exec/shell/power: medium
+exec/system_controls/systemd: low
+exec/tty/pathname: medium
+exfil/office_file_ext: medium
+exfil/stealer/credit_card: medium
+fs/directory/create: low
+fs/directory/list: low
+fs/directory/remove: low
+fs/file/capabilities_set: low
+fs/file/copy: medium
+fs/file/create: medium
+fs/file/delete: medium
+fs/file/delete_forcibly: low
+fs/file/open: low
+fs/file/read: low
+fs/file/rename: low
+fs/file/stat: low
+fs/file/times_set: medium
+fs/file/truncate: low
+fs/file/write: low
+fs/link_read: low
+fs/lock_update: low
+fs/mount: low
+fs/path/etc: low
+fs/path/file_url: low
+fs/path/home_library: low
+fs/path/tmp: medium
+fs/path/usr_bin: low
+fs/permission/chown: medium
+fs/permission/modify: medium
+fs/proc/cpuinfo: medium
+fs/proc/meminfo: medium
+fs/proc/self_cgroup: medium
+fs/proc/self_exe: medium
+fs/proc/stat: medium
+fs/symlink_resolve: low
+fs/tempdir: low
+fs/tempdir/TEMP: low
+fs/tempdir/TMPDIR: low
+fs/tempdir/create: low
+fs/tempfile: low
+fs/watch: low
+hw/cpu: medium
+hw/wireless: low
+impact/remote_access/heartbeat: medium
+impact/remote_access/kill_rm: medium
+lateral/scan/tool: medium
+mem/anonymous_file: medium
+net/dns: low
+net/dns/over_https: medium
+net/dns/reverse: medium
+net/dns/txt: low
+net/download: medium
+net/download/fetch: medium
+net/ftp: low
+net/http/2: low
+net/http/accept: medium
+net/http/accept_encoding: low
+net/http/auth: low
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/oauth2: low
+net/http/post: medium
+net/http/proxy: low
+net/http/request: low
+net/http/websocket: medium
+net/ip/host_port: medium
+net/ip/icmp: medium
+net/ip/multicast_send: low
+net/ip/parse: medium
+net/ip/resolve: low
+net/ip/send_unicast: low
+net/ip/spoof: medium
+net/ip/string: medium
+net/proxy/socks5: medium
+net/proxy/tunnel: medium
+net/resolve/hostname: low
+net/resolve/hostport_parse: low
+net/socket/connect: medium
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/pair: medium
+net/socket/peer_address: low
+net/socket/receive: low
+net/socket/send: low
+net/tcp/ssh: medium
+net/url/embedded: low
+net/url/encode: medium
+net/url/parse: low
+net/url/request: medium
+net/webrtc: medium
+os/env/get: low
+os/fd/read: low
+os/fd/sendfile: low
+os/fd/write: low
+persist/daemon/detach: medium
+privesc/setuid: low
+process/chdir: low
+process/chroot: low
+process/create: low
+process/groupid_set: low
+process/groups_set: low
+process/multithreaded: low
+process/namespace_set: low
+process/terminate: medium
+process/terminate/taskkill: medium
+sec-tool/net/nmap: medium
+sus/compiler: medium
+sus/exclamation: medium
+sus/intercept: medium
+sus/leetspeak: medium
+sus/malicious: medium
diff --git a/tests/linux/clean/opa.simple b/tests/linux/clean/opa.simple
index e69de29bb..86b5cdc89 100644
--- a/tests/linux/clean/opa.simple
+++ b/tests/linux/clean/opa.simple
@@ -0,0 +1,106 @@
+# linux/clean/opa: medium
+c2/addr/http_dynamic: medium
+c2/addr/ip: medium
+c2/addr/url: low
+c2/client: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/download: medium
+c2/tool_transfer/os: medium
+collect/archives/zip: medium
+credential/password: low
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/cipher: medium
+crypto/decrypt: low
+crypto/ecdsa: low
+crypto/ed25519: low
+crypto/public_key: low
+crypto/tls: low
+data/base64/decode: medium
+data/base64/encode: medium
+data/compression/gzip: low
+data/compression/zstd: low
+data/embedded/html: medium
+data/encoding/base64: low
+data/encoding/json: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
+data/hash/md5: low
+discover/cloud/aws_metadata: low
+discover/cloud/google_metadata: low
+discover/system/cpu: low
+discover/system/hostname: low
+discover/system/platform: medium
+discover/system/sysinfo: medium
+discover/user/USER: low
+exec/cmd: medium
+exec/plugin: low
+exec/program: medium
+fs/directory/create: low
+fs/directory/list: low
+fs/directory/remove: low
+fs/file/copy: medium
+fs/file/delete: low
+fs/file/open: low
+fs/file/read: low
+fs/file/rename: low
+fs/file/stat: low
+fs/file/times_set: low
+fs/file/write: low
+fs/link_read: low
+fs/mount: low
+fs/path/etc: low
+fs/path/etc_hosts: medium
+fs/path/etc_resolv.conf: low
+fs/path/home_config: low
+fs/path/relative: medium
+fs/path/var: low
+fs/permission/chown: medium
+fs/permission/modify: medium
+fs/proc/self_cgroup: medium
+fs/proc/self_mountinfo: medium
+fs/tempdir/TEMP: low
+fs/tempfile: low
+fs/watch: low
+net/dns: low
+net/dns/reverse: medium
+net/dns/servers: low
+net/dns/txt: low
+net/download: medium
+net/http/2: low
+net/http/accept: medium
+net/http/accept_encoding: low
+net/http/auth: low
+net/http/content_length: medium
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/oauth2: low
+net/http/post: medium
+net/http/proxy: low
+net/http/request: low
+net/ip/host_port: medium
+net/ip/icmp: medium
+net/ip/multicast_send: low
+net/ip/parse: medium
+net/ip/send_unicast: low
+net/resolve/hostname: low
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/peer_address: low
+net/socket/receive: low
+net/socket/send: low
+net/tcp/connect: medium
+net/tcp/grpc: low
+net/udp/receive: low
+net/udp/send: low
+net/url/embedded: low
+net/url/encode: medium
+net/url/parse: low
+net/url/request: medium
+os/fd/sendfile: low
+os/kernel/netlink: low
+os/time/tzinfo: low
+persist/pid_file: medium
+process/chdir: low
+process/groups_set: low
+sus/exclamation: medium
diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md
index e69de29bb..064d08aba 100644
--- a/tests/linux/clean/pandoc.md
+++ b/tests/linux/clean/pandoc.md
@@ -0,0 +1,175 @@
+## linux/clean/pandoc [🟡 MEDIUM]
+
+| RISK | KEY | DESCRIPTION | EVIDENCE |
+|--|--|--|--|
+| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head |
+| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bindPort](https://github.com/search?q=bindPort&type=code)
[blIp](https://github.com/search?q=blIp&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[client_port](https://github.com/search?q=client_port&type=code)
[config_port](https://github.com/search?q=config_port&type=code)
[curlopt_port](https://github.com/search?q=curlopt_port&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[domain_port](https://github.com/search?q=domain_port&type=code)
[eIp](https://github.com/search?q=eIp&type=code)
[ereghet_ip](https://github.com/search?q=ereghet_ip&type=code)
[framed_ip](https://github.com/search?q=framed_ip&type=code)
[ftp_port](https://github.com/search?q=ftp_port&type=code)
[gamhet_ip](https://github.com/search?q=gamhet_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[gomphet_ip](https://github.com/search?q=gomphet_ip&type=code)
[host_ip](https://github.com/search?q=host_ip&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[internal_ip](https://github.com/search?q=internal_ip&type=code)
[ipproto_ip](https://github.com/search?q=ipproto_ip&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lat_port](https://github.com/search?q=lat_port&type=code)
[lloghet_ip](https://github.com/search?q=lloghet_ip&type=code)
[lnormhet_ip](https://github.com/search?q=lnormhet_ip&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[local_port](https://github.com/search?q=local_port&type=code)
[login_ip](https://github.com/search?q=login_ip&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[nas_ip](https://github.com/search?q=nas_ip&type=code)
[nas_port](https://github.com/search?q=nas_port&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pg_port](https://github.com/search?q=pg_port&type=code)
[primary_ip](https://github.com/search?q=primary_ip&type=code)
[primary_port](https://github.com/search?q=primary_port&type=code)
[proxyPort](https://github.com/search?q=proxyPort&type=code)
[radius_port](https://github.com/search?q=radius_port&type=code)
[sam_port](https://github.com/search?q=sam_port&type=code)
[serverPort](https://github.com/search?q=serverPort&type=code)
[server_port](https://github.com/search?q=server_port&type=code)
[setPort](https://github.com/search?q=setPort&type=code)
[socketPort](https://github.com/search?q=socketPort&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[uriPort](https://github.com/search?q=uriPort&type=code)
[url_port](https://github.com/search?q=url_port&type=code)
[validate_ip](https://github.com/search?q=validate_ip&type=code)
[weibhet_ip](https://github.com/search?q=weibhet_ip&type=code)
[xIp](https://github.com/search?q=xIp&type=code) | +| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) | +| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code) | +| MEDIUM | [c2/discovery/dyndns](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/dyndns.yara#dynamic_dns_user) | uses dynamic DNS service | [dyndns](https://github.com/search?q=dyndns&type=code) | +| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | +| MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [unarchived](https://github.com/search?q=unarchived&type=code) | +| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [ZIP64](https://github.com/search?q=ZIP64&type=code) | +| MEDIUM | [collect/databases/mysql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/mysql.yara#mysql) | accesses MySQL databases | [mysql](https://github.com/search?q=mysql&type=code) | +| MEDIUM | [collect/databases/postgresql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/postgresql.yara#postgresql) | accesses PostgreSQL databases | [postgresql](https://github.com/search?q=postgresql&type=code) | +| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) | +| MEDIUM | [credential/server/htpasswd](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/server/htpasswd.yara#htpasswd) | Access .htpasswd files | [.htpasswd](https://github.com/search?q=.htpasswd&type=code) | +| MEDIUM | [credential/sniffer/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/sniffer/bpf.yara#sniffer_bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | +| MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | +| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | +| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [base64_encode](https://github.com/search?q=base64_encode&type=code) | +| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | +| MEDIUM | [data/hash/whirlpool](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/whirlpool.yara#whirlpool) | [hash function often used for cryptomining](https://en.wikipedia.org/wiki/Whirlpool_(hash_function)) | [WHIRLPOOL](https://github.com/search?q=WHIRLPOOL&type=code) | +| MEDIUM | [discover/group/lookup](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/group/lookup.yara#getgrent) | get entry from group database | [endgrent](https://github.com/search?q=endgrent&type=code)
[getgrent](https://github.com/search?q=getgrent&type=code)
[setgrent](https://github.com/search?q=setgrent&type=code) | +| MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) | +| MEDIUM | [discover/process/egid](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/egid.yara#php_getmygid) | returns the effective group id of the current process | [getmygid](https://github.com/search?q=getmygid&type=code) | +| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | +| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [systeminfo](https://github.com/search?q=systeminfo&type=code) | +| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) | +| MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [CmdForListBodyStartCmd](https://github.com/search?q=CmdForListBodyStartCmd&type=code)
[SystemziProcess_runCommand1_closure](https://github.com/search?q=SystemziProcess_runCommand1_closure&type=code)
[SystemziProcess_runCommand1_info](https://github.com/search?q=SystemziProcess_runCommand1_info&type=code)
[SystemziProcess_runCommand2_closure](https://github.com/search?q=SystemziProcess_runCommand2_closure&type=code)
[SystemziProcess_runCommand3_bytes](https://github.com/search?q=SystemziProcess_runCommand3_bytes&type=code)
[SystemziProcess_runCommand_closure](https://github.com/search?q=SystemziProcess_runCommand_closure&type=code)
[SystemziProcess_runCommand_info](https://github.com/search?q=SystemziProcess_runCommand_info&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code) | +| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | +| MEDIUM | [exec/shell/command](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/command.yara#system) | [execute a shell command](https://man7.org/linux/man-pages/man3/system.3.html) | [system](https://github.com/search?q=system&type=code) | +| MEDIUM | [exec/shell/exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#system_call) | executes a shell command | [system](https://github.com/search?q=system&type=code) | +| MEDIUM | [exec/shell/pipe_sh](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/pipe_sh.yara#pipe_to_shell) | pipes to shell | [| sh](https://github.com/search?q=%7C+sh&type=code) | +| MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershellcode](https://github.com/search?q=powershellcode&type=code) | +| MEDIUM | [exec/tty/pathname](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/pathname.yara#ttyname) | returns the pathname of a terminal device | [ttyname](https://github.com/search?q=ttyname&type=code) | +| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docm](https://github.com/search?q=docm&type=code)
[docx](https://github.com/search?q=docx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppam](https://github.com/search?q=ppam&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | +| MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy) | copy files using cp | [copyFile](https://github.com/search?q=copyFile&type=code) | +| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFile](https://github.com/search?q=CreateFile&type=code) | +| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFile](https://github.com/search?q=DeleteFile&type=code) | +| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utimes](https://github.com/search?q=utimes&type=code) | +| MEDIUM | [fs/mounts_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mounts-read.yara#mount_files) | [Parses active mounts (/etc/fstab, /etc/mtab)](https://linux.die.net/man/3/setmntent) | [/etc/mtab](https://github.com/search?q=%2Fetc%2Fmtab&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/lua_XXXXXX](https://github.com/search?q=%2Ftmp%2Flua_XXXXXX&type=code)
[/tmp/pandoc-20241005-4994-bp6ag1/pandoc-3.5/.brew_home/.local/state/c](https://github.com/search?q=%2Ftmp%2Fpandoc-20241005-4994-bp6ag1%2Fpandoc-3.5%2F.brew_home%2F.local%2Fstate%2Fc&type=code) | +| MEDIUM | [fs/path/usr_local](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-local.yara#usr_local_lib_path) | path reference within /usr/local/lib | [/usr/local/lib/lua/5.4/loadall.so](https://github.com/search?q=%2Fusr%2Flocal%2Flib%2Flua%2F5.4%2Floadall.so&type=code) | +| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | +| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/maps](https://github.com/search?q=%2Fproc%2F%25d%2Fmaps&type=code) | +| MEDIUM | [fs/proc/mounts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/mounts.yara#proc_mounts) | Parses active mounts (/proc/mounts | [/proc/mounts](https://github.com/search?q=%2Fproc%2Fmounts&type=code) | +| MEDIUM | [fs/proc/pid_maps](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-maps.yara#proc_maps) | access process memory maps | [/proc/%d/maps](https://github.com/search?q=%2Fproc%2F%25d%2Fmaps&type=code) | +| MEDIUM | [fs/proc/self_status](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-status.yara#proc_self_status) | gets status associated to this process, including capabilities | [/proc/self/status](https://github.com/search?q=%2Fproc%2Fself%2Fstatus&type=code) | +| MEDIUM | [impact/infection/worm](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/infection/worm.yara#worm) | References 'Worm' | [worm](https://github.com/search?q=worm&type=code) | +| MEDIUM | 
[impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [2_NetworkziTLSziExtension_decodeHeartBeat_closure](https://github.com/search?q=2_NetworkziTLSziExtension_decodeHeartBeat_closure&type=code)
[2_NetworkziTLSziExtension_decodeHeartBeat_info](https://github.com/search?q=2_NetworkziTLSziExtension_decodeHeartBeat_info&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat1_closur](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat1_closur&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat2_closur](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat2_closur&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat3_bytes](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat3_bytes&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode1_cl](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode1_cl&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode2_cl](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode2_cl&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode3_by](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode3_by&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode_clo](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode_clo&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat_closure](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat_closure&type=code)
[72_NetworkziTLSziExtension_zdfEqHeartBeatMode_clo](https://github.com/search?q=72_NetworkziTLSziExtension_zdfEqHeartBeatMode_clo&type=code)
[72_NetworkziTLSziExtension_zdfEqHeartBeat_closure](https://github.com/search?q=72_NetworkziTLSziExtension_zdfEqHeartBeat_closure&type=code)
[72_NetworkziTLSziStruct_zdbEIDzuHeartbeat1_closur](https://github.com/search?q=72_NetworkziTLSziStruct_zdbEIDzuHeartbeat1_closur&type=code)
[72_NetworkziTLSziStruct_zdbEIDzuHeartbeat_closure](https://github.com/search?q=72_NetworkziTLSziStruct_zdbEIDzuHeartbeat_closure&type=code)
[72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_closure](https://github.com/search?q=72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_closure&type=code)
[72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_info](https://github.com/search?q=72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_info&type=code)
[8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerAl](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerAl&type=code)
[8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerNo](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerNo&type=code)
[8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerAl](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerAl&type=code)
[8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerNo](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerNo&type=code)
[HeartBeat_PeerAll](https://github.com/search?q=HeartBeat_PeerAll&type=code)
[HeartBeat_PeerNot](https://github.com/search?q=HeartBeat_PeerNot&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat1_closur](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat1_closur&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat1_info](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat1_info&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat2_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat2_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat3_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat3_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat4_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat4_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat5_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat5_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode1_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode1_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode1_in](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode1_in&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode2_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode2_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode3_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode3_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode_clo](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode_clo&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatModezuzd](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatModezuzd&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat_closure](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat_closure&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatzuzdcsho](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatzuzdcsho&type=code)
[_NetworkziTLSziExtension_zdfldZCHeartBeatModeZCfr](https://github.com/search?q=_NetworkziTLSziExtension_zdfldZCHeartBeatModeZCfr&type=code)
[extensionDecode: HeartBeat](https://github.com/search?q=extensionDecode%3A+HeartBeat&type=code)
[f72_NetworkziTLSziExtension_fromHeartBeatMode1_cl](https://github.com/search?q=f72_NetworkziTLSziExtension_fromHeartBeatMode1_cl&type=code)
[f72_NetworkziTLSziExtension_fromHeartBeatMode1_in](https://github.com/search?q=f72_NetworkziTLSziExtension_fromHeartBeatMode1_in&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat1_closur](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat1_closur&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat2_bytes](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat2_bytes&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode1_cl](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode1_cl&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode2_by](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode2_by&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode_clo](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode_clo&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat_closure](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat_closure&type=code)
[heartbeat](https://github.com/search?q=heartbeat&type=code)
[nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_clo](https://github.com/search?q=nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_clo&type=code)
[nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_inf](https://github.com/search?q=nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_inf&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat1_closur](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat1_closur&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat1_info](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat1_info&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat2_closur](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat2_closur&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat2_info](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat2_info&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat_closure](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat_closure&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeatzuzdcext](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeatzuzdcext&type=code) | +| MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | +| MEDIUM | [net/email/exotic_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/email/exotic_addr.yara#exotic_email_addr) | Contains an exotic email address | [bastianholst@gmx.de](https://github.com/search?q=bastianholst%40gmx.de&type=code)
[chris_hormann@gmx.de](https://github.com/search?q=chris_hormann%40gmx.de&type=code)
[langstefan@gmx.at](https://github.com/search?q=langstefan%40gmx.at&type=code)
[views@gmx.de](https://github.com/search?q=views%40gmx.de&type=code)
[zerokode@gmx.net](https://github.com/search?q=zerokode%40gmx.net&type=code) | +| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | +| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP_COOKIE](https://github.com/search?q=HTTP_COOKIE&type=code)
[http_cookie](https://github.com/search?q=http_cookie&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type: text/x](https://github.com/search?q=Content-Type%3A+text%2Fx&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [QWebSocketCorsAuthenticator](https://github.com/search?q=QWebSocketCorsAuthenticator&type=code)
[QWebSocketHandshakeOptions](https://github.com/search?q=QWebSocketHandshakeOptions&type=code)
[QWebSocketServer](https://github.com/search?q=QWebSocketServer&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code) | +| MEDIUM | [net/ip/byte_order](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-byte-order.yara#htonl) | convert values between host and network byte order | [htonl](https://github.com/search?q=htonl&type=code)
[htons](https://github.com/search?q=htons&type=code)
[ntohs](https://github.com/search?q=ntohs&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#hostname_port) | connects to an arbitrary hostname:port | [hostname](https://github.com/search?q=hostname&type=code)
[port](https://github.com/search?q=port&type=code) | +| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping frame](https://github.com/search?q=ping+frame&type=code) | +| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | +| MEDIUM | [net/ip/spoof](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/spoof.yara#spoof) | references spoofing | [Spoofchecker](https://github.com/search?q=Spoofchecker&type=code)
[spoofchecker](https://github.com/search?q=spoofchecker&type=code) | +| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code)
[inet_ntop](https://github.com/search?q=inet_ntop&type=code) | +| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [.Socks5](https://github.com/search?q=.Socks5&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | +| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | +| MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [NTLM](https://github.com/search?q=NTLM&type=code)
[ntlm](https://github.com/search?q=ntlm&type=code) | +| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-connect.yara#connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [connect](https://github.com/search?q=connect&type=code) | +| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | +| MEDIUM | [net/socket/raw](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/raw.yara#raw_sockets) | [send raw and/or malformed IP packets](https://man7.org/linux/man-pages/man7/raw.7.html) | [IPPROTO_RAW](https://github.com/search?q=IPPROTO_RAW&type=code)
[SOCK_RAW](https://github.com/search?q=SOCK_RAW&type=code) | +| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code)
[SO_REUSEPORT](https://github.com/search?q=SO_REUSEPORT&type=code) | +| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) | +| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [http://www.fictionbook.org/index.php](http://www.fictionbook.org/index.php) | +| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | +| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [openURL](https://github.com/search?q=openURL&type=code) | +| MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | +| MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | +| MEDIUM | [persist/cron/tab](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/cron/tab.yara#crontab_support) | lists crontab entries, may also persist | [crontab](https://github.com/search?q=crontab&type=code) | +| MEDIUM | [persist/kernel_module/unload](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/unload.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) | +| MEDIUM | 
[persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [PidFile](https://github.com/search?q=PidFile&type=code) | +| MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) | +| MEDIUM | [sec-tool/net/nmap](https://github.com/chainguard-dev/malcontent/blob/main/rules/sec-tool/net/nmap.yara#nmap) | nmap (network map) port scanner | [nmap](https://github.com/search?q=nmap&type=code) | +| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercept](https://github.com/search?q=intercept&type=code) | +| LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscatedFont](https://github.com/search?q=obfuscatedFont&type=code)
[obfuscates](https://github.com/search?q=obfuscates&type=code) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [amd64](https://github.com/search?q=amd64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [ADDefaultDomainPasswordPolicy](https://github.com/search?q=ADDefaultDomainPasswordPolicy&type=code)
[ADFineGrainedPasswordPolicySubject](https://github.com/search?q=ADFineGrainedPasswordPolicySubject&type=code)
[ADServiceAccountPassword](https://github.com/search?q=ADServiceAccountPassword&type=code)
[ADUserResultantPasswordPolicy](https://github.com/search?q=ADUserResultantPasswordPolicy&type=code)
[AuthLDAPBindPassword](https://github.com/search?q=AuthLDAPBindPassword&type=code)
[BadPassword_con_info](https://github.com/search?q=BadPassword_con_info&type=code)
[BasicPasswordFieldUI](https://github.com/search?q=BasicPasswordFieldUI&type=code)
[ComputerMachinePassword](https://github.com/search?q=ComputerMachinePassword&type=code)
[JPasswordField](https://github.com/search?q=JPasswordField&type=code)
[PasswordAuthentication](https://github.com/search?q=PasswordAuthentication&type=code)
[PasswordCallback](https://github.com/search?q=PasswordCallback&type=code)
[PasswordCredential](https://github.com/search?q=PasswordCredential&type=code)
[PasswordProtection](https://github.com/search?q=PasswordProtection&type=code)
[PasswordView](https://github.com/search?q=PasswordView&type=code)
[Set-ADAccountPassword](https://github.com/search?q=Set-ADAccountPassword&type=code)
[addefaultdomainpasswordpolicy](https://github.com/search?q=addefaultdomainpasswordpolicy&type=code)
[adfinegrainedpasswordpolicysubject](https://github.com/search?q=adfinegrainedpasswordpolicysubject&type=code)
[adserviceaccountpassword](https://github.com/search?q=adserviceaccountpassword&type=code)
[aduserresultantpasswordpolicy](https://github.com/search?q=aduserresultantpasswordpolicy&type=code)
[authldapbindpassword](https://github.com/search?q=authldapbindpassword&type=code)
[computermachinepassword](https://github.com/search?q=computermachinepassword&type=code)
[curle_bad_password_entered](https://github.com/search?q=curle_bad_password_entered&type=code)
[curle_ftp_user_password_incorrect](https://github.com/search?q=curle_ftp_user_password_incorrect&type=code)
[curlssh_auth_password](https://github.com/search?q=curlssh_auth_password&type=code)
[dont_store_passwords](https://github.com/search?q=dont_store_passwords&type=code)
[fbsql_database_password](https://github.com/search?q=fbsql_database_password&type=code)
[fbsql_password](https://github.com/search?q=fbsql_password&type=code)
[fbsql_set_password](https://github.com/search?q=fbsql_set_password&type=code)
[groupPassword](https://github.com/search?q=groupPassword&type=code)
[init_with_password](https://github.com/search?q=init_with_password&type=code)
[ldap_control_passwordpolicyrequest](https://github.com/search?q=ldap_control_passwordpolicyrequest&type=code)
[ldap_control_passwordpolicyresponse](https://github.com/search?q=ldap_control_passwordpolicyresponse&type=code)
[newt_flag_password](https://github.com/search?q=newt_flag_password&type=code)
[oci_password_change](https://github.com/search?q=oci_password_change&type=code)
[param_default_password](https://github.com/search?q=param_default_password&type=code)
[password for entry](https://github.com/search?q=password+for+entry&type=code)
[password_bcrypt](https://github.com/search?q=password_bcrypt&type=code)
[password_default](https://github.com/search?q=password_default&type=code)
[password_field_tag](https://github.com/search?q=password_field_tag&type=code)
[password_get_info](https://github.com/search?q=password_get_info&type=code)
[password_grace_time](https://github.com/search?q=password_grace_time&type=code)
[password_hash](https://github.com/search?q=password_hash&type=code)
[password_life_time](https://github.com/search?q=password_life_time&type=code)
[password_lock_time](https://github.com/search?q=password_lock_time&type=code)
[password_needs_rehash](https://github.com/search?q=password_needs_rehash&type=code)
[password_reuse_max](https://github.com/search?q=password_reuse_max&type=code)
[password_reuse_time](https://github.com/search?q=password_reuse_time&type=code)
[password_verify_function](https://github.com/search?q=password_verify_function&type=code)
[proxy_tlsauth_password](https://github.com/search?q=proxy_tlsauth_password&type=code)
[radius_chap_password](https://github.com/search?q=radius_chap_password&type=code)
[radius_user_password](https://github.com/search?q=radius_user_password&type=code)
[sam_password](https://github.com/search?q=sam_password&type=code)
[set-adaccountpassword](https://github.com/search?q=set-adaccountpassword&type=code)
[swftextfield_password](https://github.com/search?q=swftextfield_password&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[zdtczqBadPassword_closure](https://github.com/search?q=zdtczqBadPassword_closure&type=code) | +| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[private_key](https://github.com/search?q=private_key&type=code)
[privatekey](https://github.com/search?q=privatekey&type=code) | +| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[aes_256_cbc](https://github.com/search?q=aes_256_cbc&type=code)
[aes_encrypt](https://github.com/search?q=aes_encrypt&type=code) | +| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [28AES128zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES128zuzdcxtsDecrypt_closure&type=code)
[28AES128zuzdcxtsDecrypt_info](https://github.com/search?q=28AES128zuzdcxtsDecrypt_info&type=code)
[28AES192zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES192zuzdcxtsDecrypt_closure&type=code)
[28AES192zuzdcxtsDecrypt_info](https://github.com/search?q=28AES192zuzdcxtsDecrypt_info&type=code)
[28AES256zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES256zuzdcxtsDecrypt_closure&type=code)
[28AES256zuzdcxtsDecrypt_info](https://github.com/search?q=28AES256zuzdcxtsDecrypt_info&type=code)
[Primitive_zdwccmDecrypt_closure](https://github.com/search?q=Primitive_zdwccmDecrypt_closure&type=code)
[Primitive_zdwccmDecrypt_info](https://github.com/search?q=Primitive_zdwccmDecrypt_info&type=code)
[TLSziCipher_BulkDecrypt_closure](https://github.com/search?q=TLSziCipher_BulkDecrypt_closure&type=code)
[TLSziCipher_BulkDecrypt_con_info](https://github.com/search?q=TLSziCipher_BulkDecrypt_con_info&type=code)
[TypesziAEAD_aeadDecrypt_closure](https://github.com/search?q=TypesziAEAD_aeadDecrypt_closure&type=code)
[TypesziAEAD_aeadDecrypt_info](https://github.com/search?q=TypesziAEAD_aeadDecrypt_info&type=code)
[TypesziBlock_cbcDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_cbcDecryptGeneric_closure&type=code)
[TypesziBlock_cbcDecryptGeneric_info](https://github.com/search?q=TypesziBlock_cbcDecryptGeneric_info&type=code)
[TypesziBlock_cbcDecrypt_closure](https://github.com/search?q=TypesziBlock_cbcDecrypt_closure&type=code)
[TypesziBlock_cbcDecrypt_info](https://github.com/search?q=TypesziBlock_cbcDecrypt_info&type=code)
[TypesziBlock_cfbDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_cfbDecryptGeneric_closure&type=code)
[TypesziBlock_cfbDecryptGeneric_info](https://github.com/search?q=TypesziBlock_cfbDecryptGeneric_info&type=code)
[TypesziBlock_cfbDecrypt_closure](https://github.com/search?q=TypesziBlock_cfbDecrypt_closure&type=code)
[TypesziBlock_cfbDecrypt_info](https://github.com/search?q=TypesziBlock_cfbDecrypt_info&type=code)
[TypesziBlock_ecbDecrypt_closure](https://github.com/search?q=TypesziBlock_ecbDecrypt_closure&type=code)
[TypesziBlock_ecbDecrypt_info](https://github.com/search?q=TypesziBlock_ecbDecrypt_info&type=code)
[TypesziBlock_xtsDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_xtsDecryptGeneric_closure&type=code)
[TypesziBlock_xtsDecryptGeneric_info](https://github.com/search?q=TypesziBlock_xtsDecryptGeneric_info&type=code)
[TypesziBlock_xtsDecrypt_closure](https://github.com/search?q=TypesziBlock_xtsDecrypt_closure&type=code)
[TypesziBlock_xtsDecrypt_info](https://github.com/search?q=TypesziBlock_xtsDecrypt_info&type=code)
[deImplZCaeadImplDecrypt_closure](https://github.com/search?q=deImplZCaeadImplDecrypt_closure&type=code)
[deImplZCaeadImplDecrypt_info](https://github.com/search?q=deImplZCaeadImplDecrypt_info&type=code)
[edentialsFindForDecrypting_closure](https://github.com/search?q=edentialsFindForDecrypting_closure&type=code)
[edentialsFindForDecrypting_info](https://github.com/search?q=edentialsFindForDecrypting_info&type=code)
[edentialsFindForDecryptingzugo1_closure](https://github.com/search?q=edentialsFindForDecryptingzugo1_closure&type=code)
[edentialsFindForDecryptingzugo1_info](https://github.com/search?q=edentialsFindForDecryptingzugo1_info&type=code)
[erAES128zuzdccbcDecrypt_closure](https://github.com/search?q=erAES128zuzdccbcDecrypt_closure&type=code)
[erAES128zuzdccbcDecrypt_info](https://github.com/search?q=erAES128zuzdccbcDecrypt_info&type=code)
[erAES128zuzdccfbDecrypt_closure](https://github.com/search?q=erAES128zuzdccfbDecrypt_closure&type=code)
[erAES128zuzdccfbDecrypt_info](https://github.com/search?q=erAES128zuzdccfbDecrypt_info&type=code)
[erAES192zuzdccbcDecrypt_closure](https://github.com/search?q=erAES192zuzdccbcDecrypt_closure&type=code)
[erAES192zuzdccbcDecrypt_info](https://github.com/search?q=erAES192zuzdccbcDecrypt_info&type=code)
[erAES192zuzdccfbDecrypt_closure](https://github.com/search?q=erAES192zuzdccfbDecrypt_closure&type=code)
[erAES192zuzdccfbDecrypt_info](https://github.com/search?q=erAES192zuzdccfbDecrypt_info&type=code)
[erAES256zuzdccbcDecrypt_closure](https://github.com/search?q=erAES256zuzdccbcDecrypt_closure&type=code)
[erAES256zuzdccbcDecrypt_info](https://github.com/search?q=erAES256zuzdccbcDecrypt_info&type=code)
[erAES256zuzdccfbDecrypt_closure](https://github.com/search?q=erAES256zuzdccfbDecrypt_closure&type=code)
[erAES256zuzdccfbDecrypt_info](https://github.com/search?q=erAES256zuzdccfbDecrypt_info&type=code)
[eyziECIES_deriveDecrypt_closure](https://github.com/search?q=eyziECIES_deriveDecrypt_closure&type=code)
[eyziECIES_deriveDecrypt_info](https://github.com/search?q=eyziECIES_deriveDecrypt_info&type=code)
[iAEAD_aeadSimpleDecrypt_closure](https://github.com/search?q=iAEAD_aeadSimpleDecrypt_closure&type=code)
[iAEAD_aeadSimpleDecrypt_info](https://github.com/search?q=iAEAD_aeadSimpleDecrypt_info&type=code)
[iTLSziStruct_zdbDecryptError1_closure](https://github.com/search?q=iTLSziStruct_zdbDecryptError1_closure&type=code)
[iTLSziStruct_zdbDecryptError_closure](https://github.com/search?q=iTLSziStruct_zdbDecryptError_closure&type=code)
[iTLSziStruct_zdbDecryptionFailed1_closu](https://github.com/search?q=iTLSziStruct_zdbDecryptionFailed1_closu&type=code)
[iTLSziStruct_zdbDecryptionFailed_closur](https://github.com/search?q=iTLSziStruct_zdbDecryptionFailed_closur&type=code)
[iTLSziStruct_zdmDecryptError_closure](https://github.com/search?q=iTLSziStruct_zdmDecryptError_closure&type=code)
[iTLSziStruct_zdmDecryptError_info](https://github.com/search?q=iTLSziStruct_zdmDecryptError_info&type=code)
[iTLSziStruct_zdmDecryptionFailed_closur](https://github.com/search?q=iTLSziStruct_zdmDecryptionFailed_closur&type=code)
[iTLSziStruct_zdmDecryptionFailed_info](https://github.com/search?q=iTLSziStruct_zdmDecryptionFailed_info&type=code)
[ipherAESzuzdccfbDecrypt_closure](https://github.com/search?q=ipherAESzuzdccfbDecrypt_closure&type=code)
[ipherAESzuzdccfbDecrypt_info](https://github.com/search?q=ipherAESzuzdccfbDecrypt_info&type=code)
[ipher_zdtczqBulkDecrypt1_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt1_closure&type=code)
[ipher_zdtczqBulkDecrypt2_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt2_closure&type=code)
[ipher_zdtczqBulkDecrypt3_bytes](https://github.com/search?q=ipher_zdtczqBulkDecrypt3_bytes&type=code)
[ipher_zdtczqBulkDecrypt_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt_closure&type=code)
[ive_zdwgcmAppendDecrypt_closure](https://github.com/search?q=ive_zdwgcmAppendDecrypt_closure&type=code)
[ive_zdwgcmAppendDecrypt_info](https://github.com/search?q=ive_zdwgcmAppendDecrypt_info&type=code)
[ive_zdwocbAppendDecrypt_closure](https://github.com/search?q=ive_zdwocbAppendDecrypt_closure&type=code)
[ive_zdwocbAppendDecrypt_info](https://github.com/search?q=ive_zdwocbAppendDecrypt_info&type=code)
[iveziZZip_pkwareDecryptByte_closure](https://github.com/search?q=iveziZZip_pkwareDecryptByte_closure&type=code)
[iveziZZip_pkwareDecryptByte_info](https://github.com/search?q=iveziZZip_pkwareDecryptByte_info&type=code)
[sziBlock_zddmcbcDecrypt_closure](https://github.com/search?q=sziBlock_zddmcbcDecrypt_closure&type=code)
[sziBlock_zddmcbcDecrypt_info](https://github.com/search?q=sziBlock_zddmcbcDecrypt_info&type=code)
[sziBlock_zddmcfbDecrypt_closure](https://github.com/search?q=sziBlock_zddmcfbDecrypt_closure&type=code)
[sziBlock_zddmcfbDecrypt_info](https://github.com/search?q=sziBlock_zddmcfbDecrypt_info&type=code)
[sziBlock_zddmxtsDecrypt10_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt10_closure&type=code)
[sziBlock_zddmxtsDecrypt11_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt11_bytes&type=code)
[sziBlock_zddmxtsDecrypt12_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt12_closure&type=code)
[sziBlock_zddmxtsDecrypt13_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt13_bytes&type=code)
[sziBlock_zddmxtsDecrypt1_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt1_closure&type=code)
[sziBlock_zddmxtsDecrypt2_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt2_closure&type=code)
[sziBlock_zddmxtsDecrypt3_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt3_closure&type=code)
[sziBlock_zddmxtsDecrypt4_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt4_closure&type=code)
[sziBlock_zddmxtsDecrypt5_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt5_closure&type=code)
[sziBlock_zddmxtsDecrypt6_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt6_closure&type=code)
[sziBlock_zddmxtsDecrypt7_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt7_bytes&type=code)
[sziBlock_zddmxtsDecrypt8_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt8_closure&type=code)
[sziBlock_zddmxtsDecrypt9_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt9_bytes&type=code)
[sziBlock_zddmxtsDecrypt_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt_closure&type=code)
[sziBlock_zddmxtsDecrypt_info](https://github.com/search?q=sziBlock_zddmxtsDecrypt_info&type=code)
[ziTLSziCrypto_kxDecrypt1_closure](https://github.com/search?q=ziTLSziCrypto_kxDecrypt1_closure&type=code)
[ziTLSziCrypto_kxDecrypt_closure](https://github.com/search?q=ziTLSziCrypto_kxDecrypt_closure&type=code)
[ziTLSziCrypto_kxDecrypt_info](https://github.com/search?q=ziTLSziCrypto_kxDecrypt_info&type=code) | +| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | +| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | +| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code) | +| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | +| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | +| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | +| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | +| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [zstd](https://github.com/search?q=zstd&type=code) | +| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | +| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [MD5_MD5_closure_tbl](https://github.com/search?q=MD5_MD5_closure_tbl&type=code)
[MD5_MD5_con_info](https://github.com/search?q=MD5_MD5_con_info&type=code)
[MD5_czumd5zufinalizz](https://github.com/search?q=MD5_czumd5zufinalizz&type=code)
[MD5_czumd5zuinit_clo](https://github.com/search?q=MD5_czumd5zuinit_clo&type=code)
[MD5_czumd5zuinit_inf](https://github.com/search?q=MD5_czumd5zuinit_inf&type=code)
[MD5_czumd5zuupdate_c](https://github.com/search?q=MD5_czumd5zuupdate_c&type=code)
[MD5_czumd5zuupdate_i](https://github.com/search?q=MD5_czumd5zuupdate_i&type=code)
[MD5_info](https://github.com/search?q=MD5_info&type=code)
[MD5_str](https://github.com/search?q=MD5_str&type=code)
[MD5_zdfDataMD10_clos](https://github.com/search?q=MD5_zdfDataMD10_clos&type=code)
[MD5_zdfDataMD11_byte](https://github.com/search?q=MD5_zdfDataMD11_byte&type=code)
[MD5_zdfDataMD12_clos](https://github.com/search?q=MD5_zdfDataMD12_clos&type=code)
[MD5_zdfDataMD12_info](https://github.com/search?q=MD5_zdfDataMD12_info&type=code)
[MD5_zdfDataMD1_closu](https://github.com/search?q=MD5_zdfDataMD1_closu&type=code)
[MD5_zdfDataMD2_closu](https://github.com/search?q=MD5_zdfDataMD2_closu&type=code)
[MD5_zdfDataMD2_info](https://github.com/search?q=MD5_zdfDataMD2_info&type=code)
[MD5_zdfDataMD3_closu](https://github.com/search?q=MD5_zdfDataMD3_closu&type=code)
[MD5_zdfDataMD3_info](https://github.com/search?q=MD5_zdfDataMD3_info&type=code)
[MD5_zdfDataMD4_closu](https://github.com/search?q=MD5_zdfDataMD4_closu&type=code)
[MD5_zdfDataMD4_info](https://github.com/search?q=MD5_zdfDataMD4_info&type=code)
[MD5_zdfDataMD5_closu](https://github.com/search?q=MD5_zdfDataMD5_closu&type=code)
[MD5_zdfDataMD5zuzdcd](https://github.com/search?q=MD5_zdfDataMD5zuzdcd&type=code)
[MD5_zdfDataMD5zuzdcg](https://github.com/search?q=MD5_zdfDataMD5zuzdcg&type=code)
[MD5_zdfDataMD5zuzdct](https://github.com/search?q=MD5_zdfDataMD5zuzdct&type=code)
[MD5_zdfDataMD6_closu](https://github.com/search?q=MD5_zdfDataMD6_closu&type=code)
[MD5_zdfDataMD7_closu](https://github.com/search?q=MD5_zdfDataMD7_closu&type=code)
[MD5_zdfDataMD8_closu](https://github.com/search?q=MD5_zdfDataMD8_closu&type=code)
[MD5_zdfDataMD9_closu](https://github.com/search?q=MD5_zdfDataMD9_closu&type=code)
[MD5_zdfHashAlgorithm](https://github.com/search?q=MD5_zdfHashAlgorithm&type=code)
[MD5_zdfShowMD1_closu](https://github.com/search?q=MD5_zdfShowMD1_closu&type=code)
[MD5_zdfShowMD1_info](https://github.com/search?q=MD5_zdfShowMD1_info&type=code)
[MD5_zdfShowMD2_closu](https://github.com/search?q=MD5_zdfShowMD2_closu&type=code)
[MD5_zdfShowMD5_closu](https://github.com/search?q=MD5_zdfShowMD5_closu&type=code)
[MD5_zdfShowMD5zuzdcs](https://github.com/search?q=MD5_zdfShowMD5zuzdcs&type=code)
[MD5_zdtcMD1_closure](https://github.com/search?q=MD5_zdtcMD1_closure&type=code)
[MD5_zdtcMD2_bytes](https://github.com/search?q=MD5_zdtcMD2_bytes&type=code)
[MD5_zdtcMD5_closure](https://github.com/search?q=MD5_zdtcMD5_closure&type=code)
[MD5_zdtczqMD1_closur](https://github.com/search?q=MD5_zdtczqMD1_closur&type=code)
[MD5_zdtczqMD2_closur](https://github.com/search?q=MD5_zdtczqMD2_closur&type=code)
[MD5_zdtczqMD3_bytes](https://github.com/search?q=MD5_zdtczqMD3_bytes&type=code)
[MD5_zdtczqMD5_closur](https://github.com/search?q=MD5_zdtczqMD5_closur&type=code)
[MD5_zdtrModule1_clos](https://github.com/search?q=MD5_zdtrModule1_clos&type=code)
[MD5_zdtrModule2_byte](https://github.com/search?q=MD5_zdtrModule2_byte&type=code)
[MD5_zdtrModule3_clos](https://github.com/search?q=MD5_zdtrModule3_clos&type=code)
[MD5_zdtrModule4_byte](https://github.com/search?q=MD5_zdtrModule4_byte&type=code)
[MD5_zdtrModule_closu](https://github.com/search?q=MD5_zdtrModule_closu&type=code)
[MD5_zdwzdcgmapMo_clo](https://github.com/search?q=MD5_zdwzdcgmapMo_clo&type=code)
[MD5_zdwzdcgmapMo_inf](https://github.com/search?q=MD5_zdwzdcgmapMo_inf&type=code)
[MD5_zdwzdcgmapMp_clo](https://github.com/search?q=MD5_zdwzdcgmapMp_clo&type=code)
[MD5_zdwzdcgmapMp_inf](https://github.com/search?q=MD5_zdwzdcgmapMp_inf&type=code) | +| LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | +| LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | +| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | +| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | +| LOW | [discover/system/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) | +| LOW | [discover/system/dmesg](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/dmesg.yara#dmesg) | accesses the kernel log ring buffer | [dmesg](https://github.com/search?q=dmesg&type=code) | +| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| LOW | [discover/system/machine_id](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/machine_id.yara#machineid) | Gets a unique machineid for the host | [machineid](https://github.com/search?q=machineid&type=code) | +| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | +| LOW | [discover/user/APPDATA](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/APPDATA.yara#APPDATA) | Looks up the application data directory for the current user | [APPDATA](https://github.com/search?q=APPDATA&type=code) | +| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the 
current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) | +| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | +| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Plugin_Abstract](https://github.com/search?q=Plugin_Abstract&type=code)
[QAccessiblePlugin](https://github.com/search?q=QAccessiblePlugin&type=code)
[QAudioSystemPlugin](https://github.com/search?q=QAudioSystemPlugin&type=code)
[QGenericPluginFactory](https://github.com/search?q=QGenericPluginFactory&type=code)
[QIconEnginePlugin](https://github.com/search?q=QIconEnginePlugin&type=code)
[QImageIOPlugin](https://github.com/search?q=QImageIOPlugin&type=code)
[QMediaServiceProviderPlugin](https://github.com/search?q=QMediaServiceProviderPlugin&type=code)
[QPictureFormatPlugin](https://github.com/search?q=QPictureFormatPlugin&type=code)
[QPluginLoader](https://github.com/search?q=QPluginLoader&type=code)
[QQmlEngineExtensionPlugin](https://github.com/search?q=QQmlEngineExtensionPlugin&type=code)
[QQmlExtensionPlugin](https://github.com/search?q=QQmlExtensionPlugin&type=code)
[QScriptExtensionPlugin](https://github.com/search?q=QScriptExtensionPlugin&type=code)
[QSqlDriverPlugin](https://github.com/search?q=QSqlDriverPlugin&type=code)
[QStaticPlugin](https://github.com/search?q=QStaticPlugin&type=code)
[QStylePlugin](https://github.com/search?q=QStylePlugin&type=code)
[QTextToSpeechPlugin](https://github.com/search?q=QTextToSpeechPlugin&type=code)
[QVirtualKeyboardExtensionPlugin](https://github.com/search?q=QVirtualKeyboardExtensionPlugin&type=code)
[addCorePlugin_closure](https://github.com/search?q=addCorePlugin_closure&type=code)
[addCorePlugin_info](https://github.com/search?q=addCorePlugin_info&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[js plugins](https://github.com/search?q=js+plugins&type=code)
[msession_plugin](https://github.com/search?q=msession_plugin&type=code)
[mysqlnd_uh_server_option_plugin_dir](https://github.com/search?q=mysqlnd_uh_server_option_plugin_dir&type=code)
[plugin_abstract](https://github.com/search?q=plugin_abstract&type=code)
[plugin_path](https://github.com/search?q=plugin_path&type=code)
[qAddCorePlugin_closure](https://github.com/search?q=qAddCorePlugin_closure&type=code)
[qAddCorePlugin_info](https://github.com/search?q=qAddCorePlugin_info&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | +| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectory](https://github.com/search?q=CreateDirectory&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | +| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [removeDirectory](https://github.com/search?q=removeDirectory&type=code)
[rmdir](https://github.com/search?q=rmdir&type=code) | +| LOW | [fs/fifo_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/fifo-create.yara#mkfifo) | make a FIFO special file (a named pipe) | [mkfifo](https://github.com/search?q=mkfifo&type=code) | +| LOW | [fs/file/capabilities_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-capabilities-set.yara#setfcap) | [Set file capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) | [setcap](https://github.com/search?q=setcap&type=code) | +| LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm --](https://github.com/search?q=rm++--&type=code) | +| LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#java_open) | opens files | [openFile](https://github.com/search?q=openFile&type=code) | +| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | +| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code)
[os.rename](https://github.com/search?q=os.rename&type=code)
[renameFile](https://github.com/search?q=renameFile&type=code) | +| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate](https://github.com/search?q=ftruncate&type=code) | +| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [29762_TextziXML_writeFile1_closure](https://github.com/search?q=29762_TextziXML_writeFile1_closure&type=code)
[29762_TextziXML_writeFile1_info](https://github.com/search?q=29762_TextziXML_writeFile1_info&type=code)
[29762_TextziXML_writeFile2_closure](https://github.com/search?q=29762_TextziXML_writeFile2_closure&type=code)
[29762_TextziXML_writeFile2_info](https://github.com/search?q=29762_TextziXML_writeFile2_info&type=code)
[29762_TextziXML_writeFile3_closure](https://github.com/search?q=29762_TextziXML_writeFile3_closure&type=code)
[29762_TextziXML_writeFile3_info](https://github.com/search?q=29762_TextziXML_writeFile3_info&type=code)
[29762_TextziXML_writeFile_closure](https://github.com/search?q=29762_TextziXML_writeFile_closure&type=code)
[29762_TextziXML_writeFile_info](https://github.com/search?q=29762_TextziXML_writeFile_info&type=code)
[29762_TextziXML_writeFilezugoRight_closure](https://github.com/search?q=29762_TextziXML_writeFilezugoRight_closure&type=code)
[29762_TextziXML_writeFilezugoRight_info](https://github.com/search?q=29762_TextziXML_writeFilezugoRight_info&type=code)
[StringziBuilder_writeFile1_closure](https://github.com/search?q=StringziBuilder_writeFile1_closure&type=code)
[StringziBuilder_writeFile1_info](https://github.com/search?q=StringziBuilder_writeFile1_info&type=code)
[StringziBuilder_writeFile_closure](https://github.com/search?q=StringziBuilder_writeFile_closure&type=code)
[StringziBuilder_writeFile_info](https://github.com/search?q=StringziBuilder_writeFile_info&type=code)
[XMLziUnresolved_writeFile1_closure](https://github.com/search?q=XMLziUnresolved_writeFile1_closure&type=code)
[XMLziUnresolved_writeFile1_info](https://github.com/search?q=XMLziUnresolved_writeFile1_info&type=code)
[XMLziUnresolved_writeFile2_closure](https://github.com/search?q=XMLziUnresolved_writeFile2_closure&type=code)
[XMLziUnresolved_writeFile2_info](https://github.com/search?q=XMLziUnresolved_writeFile2_info&type=code)
[XMLziUnresolved_writeFile3_closure](https://github.com/search?q=XMLziUnresolved_writeFile3_closure&type=code)
[XMLziUnresolved_writeFile3_info](https://github.com/search?q=XMLziUnresolved_writeFile3_info&type=code)
[XMLziUnresolved_writeFile_closure](https://github.com/search?q=XMLziUnresolved_writeFile_closure&type=code)
[XMLziUnresolved_writeFile_info](https://github.com/search?q=XMLziUnresolved_writeFile_info&type=code)
[XMLziUnresolved_writeFilezugoRight_closure](https://github.com/search?q=XMLziUnresolved_writeFilezugoRight_closure&type=code)
[XMLziUnresolved_writeFilezugoRight_info](https://github.com/search?q=XMLziUnresolved_writeFilezugoRight_info&type=code)
[_DataziTextziIO_writeFile1_closure](https://github.com/search?q=_DataziTextziIO_writeFile1_closure&type=code)
[_DataziTextziIO_writeFile1_info](https://github.com/search?q=_DataziTextziIO_writeFile1_info&type=code)
[_DataziTextziIO_writeFile_closure](https://github.com/search?q=_DataziTextziIO_writeFile_closure&type=code)
[_DataziTextziIO_writeFile_info](https://github.com/search?q=_DataziTextziIO_writeFile_info&type=code)
[ataziByteString_writeFile1_closure](https://github.com/search?q=ataziByteString_writeFile1_closure&type=code)
[ataziByteString_writeFile1_info](https://github.com/search?q=ataziByteString_writeFile1_info&type=code)
[ataziByteString_writeFile_closure](https://github.com/search?q=ataziByteString_writeFile_closure&type=code)
[ataziByteString_writeFile_info](https://github.com/search?q=ataziByteString_writeFile_info&type=code)
[base_SystemziIO_writeFile1_closure](https://github.com/search?q=base_SystemziIO_writeFile1_closure&type=code)
[base_SystemziIO_writeFile1_info](https://github.com/search?q=base_SystemziIO_writeFile1_info&type=code)
[base_SystemziIO_writeFile_closure](https://github.com/search?q=base_SystemziIO_writeFile_closure&type=code)
[base_SystemziIO_writeFile_info](https://github.com/search?q=base_SystemziIO_writeFile_info&type=code)
[teStringziLazzy_writeFile1_closure](https://github.com/search?q=teStringziLazzy_writeFile1_closure&type=code)
[teStringziLazzy_writeFile1_info](https://github.com/search?q=teStringziLazzy_writeFile1_info&type=code)
[teStringziLazzy_writeFile_closure](https://github.com/search?q=teStringziLazzy_writeFile_closure&type=code)
[teStringziLazzy_writeFile_info](https://github.com/search?q=teStringziLazzy_writeFile_info&type=code)
[tziPandocziUTF8_writeFile1_closure](https://github.com/search?q=tziPandocziUTF8_writeFile1_closure&type=code)
[tziPandocziUTF8_writeFile1_info](https://github.com/search?q=tziPandocziUTF8_writeFile1_info&type=code)
[tziPandocziUTF8_writeFileWith1_closure](https://github.com/search?q=tziPandocziUTF8_writeFileWith1_closure&type=code)
[tziPandocziUTF8_writeFileWith1_info](https://github.com/search?q=tziPandocziUTF8_writeFileWith1_info&type=code)
[tziPandocziUTF8_writeFileWith_closure](https://github.com/search?q=tziPandocziUTF8_writeFileWith_closure&type=code)
[tziPandocziUTF8_writeFileWith_info](https://github.com/search?q=tziPandocziUTF8_writeFileWith_info&type=code)
[tziPandocziUTF8_writeFile_closure](https://github.com/search?q=tziPandocziUTF8_writeFile_closure&type=code)
[tziPandocziUTF8_writeFile_info](https://github.com/search?q=tziPandocziUTF8_writeFile_info&type=code)
[writeEventLogFileNoop](https://github.com/search?q=writeEventLogFileNoop&type=code)
[ystemziIOziTemp_writeTempFile1_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile1_closure&type=code)
[ystemziIOziTemp_writeTempFile2_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile2_closure&type=code)
[ystemziIOziTemp_writeTempFile3_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile3_closure&type=code)
[ystemziIOziTemp_writeTempFile4_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile4_closure&type=code)
[ystemziIOziTemp_writeTempFile5_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile5_closure&type=code)
[ystemziIOziTemp_writeTempFile_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile_closure&type=code)
[ystemziIOziTemp_writeTempFile_info](https://github.com/search?q=ystemziIOziTemp_writeTempFile_info&type=code) | +| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | +| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | +| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | +| LOW | [fs/node_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod) | [create device files](https://man7.org/linux/man-pages/man2/mknod.2.html) | [mknod](https://github.com/search?q=mknod&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/mtab](https://github.com/search?q=%2Fetc%2Fmtab&type=code)
[/etc/security/cacerts/](https://github.com/search?q=%2Fetc%2Fsecurity%2Fcacerts%2F&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/ssl/certs/](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts%2F&type=code) | +| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/pandoc/3.5/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fpandoc%2F3.5%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/zlib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fzlib%2Flib&type=code) | +| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | +| LOW | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#fchown) | May change file ownership | [fchown](https://github.com/search?q=fchown&type=code) | +| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | +| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | +| LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [mktemp](https://github.com/search?q=mktemp&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | +| LOW | [fs/unmount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/unmount.yara#umount) | unmount file system | [umount](https://github.com/search?q=umount&type=code) | +| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | +| LOW | [hw/iokit_registry](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/iokit-registry.yara#IORegistry) | access IOKit device driver registry | [IORegistry](https://github.com/search?q=IORegistry&type=code) | +| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | +| LOW | [net/ftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ftp/ftp.yara#ftp) | File Transfer Protocol (FTP) | [EPSV](https://github.com/search?q=EPSV&type=code) | +| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | +| LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | +| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[Www-Authenticate](https://github.com/search?q=Www-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | +| LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | +| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[HttpURLConnection](https://github.com/search?q=HttpURLConnection&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code) | +| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | +| LOW | [net/ip/resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-resolve.yara#gethostbyaddr) | [resolves network hosts via IP address](https://linux.die.net/man/3/gethostbyaddr) | [gethostbyaddr](https://github.com/search?q=gethostbyaddr&type=code) | +| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) | +| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | +| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | +| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [client_addr](https://github.com/search?q=client_addr&type=code)
[getpeername](https://github.com/search?q=getpeername&type=code) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | +| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | +| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) | +| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | +| LOW | [process/alarm](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/alarm.yara#alarm) | [set an alarm clock for delivery of a signal](https://man7.org/linux/man-pages/man2/alarm.2.html) | [alarm](https://github.com/search?q=alarm&type=code) | +| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd](https://github.com/search?q=cd&type=code) | +| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | +| LOW | [process/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#CreateProcess) | create a new process | [CreateProcess1_closur](https://github.com/search?q=CreateProcess1_closur&type=code)
[CreateProcess1_info](https://github.com/search?q=CreateProcess1_info&type=code)
[CreateProcess2_bytes](https://github.com/search?q=CreateProcess2_bytes&type=code)
[CreateProcess2_closur](https://github.com/search?q=CreateProcess2_closur&type=code)
[CreateProcess2_info](https://github.com/search?q=CreateProcess2_info&type=code)
[CreateProcess3_bytes](https://github.com/search?q=CreateProcess3_bytes&type=code)
[CreateProcess3_closur](https://github.com/search?q=CreateProcess3_closur&type=code)
[CreateProcess3_info](https://github.com/search?q=CreateProcess3_info&type=code)
[CreateProcess4_closur](https://github.com/search?q=CreateProcess4_closur&type=code)
[CreateProcess4_info](https://github.com/search?q=CreateProcess4_info&type=code)
[CreateProcess5_closur](https://github.com/search?q=CreateProcess5_closur&type=code)
[CreateProcess6_bytes](https://github.com/search?q=CreateProcess6_bytes&type=code)
[CreateProcessWithExit](https://github.com/search?q=CreateProcessWithExit&type=code)
[CreateProcessZCchildz](https://github.com/search?q=CreateProcessZCchildz&type=code)
[CreateProcessZCclosez](https://github.com/search?q=CreateProcessZCclosez&type=code)
[CreateProcessZCcmdspe](https://github.com/search?q=CreateProcessZCcmdspe&type=code)
[CreateProcessZCcreate](https://github.com/search?q=CreateProcessZCcreate&type=code)
[CreateProcessZCcwd_cl](https://github.com/search?q=CreateProcessZCcwd_cl&type=code)
[CreateProcessZCcwd_in](https://github.com/search?q=CreateProcessZCcwd_in&type=code)
[CreateProcessZCdelega](https://github.com/search?q=CreateProcessZCdelega&type=code)
[CreateProcessZCdetach](https://github.com/search?q=CreateProcessZCdetach&type=code)
[CreateProcessZCenv_cl](https://github.com/search?q=CreateProcessZCenv_cl&type=code)
[CreateProcessZCenv_in](https://github.com/search?q=CreateProcessZCenv_in&type=code)
[CreateProcessZCnewzus](https://github.com/search?q=CreateProcessZCnewzus&type=code)
[CreateProcessZCstdzue](https://github.com/search?q=CreateProcessZCstdzue&type=code)
[CreateProcessZCstdzui](https://github.com/search?q=CreateProcessZCstdzui&type=code)
[CreateProcessZCstdzuo](https://github.com/search?q=CreateProcessZCstdzuo&type=code)
[CreateProcessZCusezup](https://github.com/search?q=CreateProcessZCusezup&type=code)
[CreateProcess_closure](https://github.com/search?q=CreateProcess_closure&type=code)
[CreateProcess_con_inf](https://github.com/search?q=CreateProcess_con_inf&type=code)
[CreateProcess_info](https://github.com/search?q=CreateProcess_info&type=code)
[CreateProcess_slow](https://github.com/search?q=CreateProcess_slow&type=code)
[CreateProcesszugo1_cl](https://github.com/search?q=CreateProcesszugo1_cl&type=code)
[CreateProcesszugo1_in](https://github.com/search?q=CreateProcesszugo1_in&type=code)
[CreateProcesszuzdcsho](https://github.com/search?q=CreateProcesszuzdcsho&type=code)
[CreateProcesszuzdczez](https://github.com/search?q=CreateProcesszuzdczez&type=code)
[CreateProcesszuzdczsz](https://github.com/search?q=CreateProcesszuzdczsz&type=code) | +| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | +| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | +| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | +| LOW | [process/namespace_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/namespace-set.yara#setns) | associate thread or process with a namespace | [setns](https://github.com/search?q=setns&type=code) | +| LOW | [process/unshare](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare) | disassociate parts of the process execution context | [unshare](https://github.com/search?q=unshare&type=code) | + diff --git a/tests/linux/clean/pulumi.simple b/tests/linux/clean/pulumi.simple index e69de29bb..8b17cd939 100644 --- a/tests/linux/clean/pulumi.simple +++ b/tests/linux/clean/pulumi.simple 
@@ -0,0 +1,159 @@ +# linux/clean/pulumi: medium +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/server: medium +c2/addr/url: low +c2/client: medium +c2/tool_transfer/arch: low +c2/tool_transfer/download: medium +c2/tool_transfer/os: medium +collect/archives/zip: medium +collect/code/github_api: low +collect/databases/mysql: medium +collect/databases/postgresql: medium +credential/clipboard: medium +credential/cloud/g: medium +credential/keychain: medium +credential/password: low +credential/ssl/private_key: low +crypto/aes: low +crypto/blockchain: medium +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/public_key: low +crypto/tls: low +data/compression/bzip2: low +data/compression/gzip: low +data/compression/zlib: low +data/embedded/html: medium +data/embedded/pem_certificate: low +data/embedded/pem_test_key: low +data/embedded/ssh_signature: medium +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/encoding/json_encode: low +data/hash/blake2b: low +data/hash/md5: low +data/hash/sha1: low +data/hash/sha256: low +data/random/insecure: low +discover/cloud/aws_metadata: low +discover/cloud/google_metadata: low +discover/cloud/google_storage: low +discover/group/lookup: medium +discover/network/mac_address: medium +discover/process/parent: low +discover/process/working_directory: low +discover/processes/list: medium +discover/system/cpu: low +discover/system/hostname: low +discover/system/platform: medium +discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +discover/user/name_get: medium +evasion/file/prefix: medium +exec/cmd: medium +exec/conditional/LANG: low +exec/install_additional/pip_install: medium +exec/plugin: low +exec/program: medium +exec/program/background: low +exec/script/osa: medium +exec/shell/SHELL: low +exec/shell/TERM: low +exec/shell/background_sleep: medium +exec/shell/exec: medium +exec/shell/pipe_sh: medium 
+exec/system_controls/systemd: low +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/fifo_create: low +fs/file/copy: medium +fs/file/create: medium +fs/file/delete: medium +fs/file/delete_forcibly: low +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/times_set: medium +fs/file/write: low +fs/link_read: low +fs/lock_update: low +fs/mount: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home_config: low +fs/path/root: medium +fs/path/usr_bin: low +fs/path/var: low +fs/permission/chown: medium +fs/permission/modify: medium +fs/swap/off: low +fs/symlink_resolve: low +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempdir/create: low +fs/tempfile: low +hw/wireless: low +impact/remote_access/heartbeat: medium +lateral/scan/tool: medium +net/dns: low +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download: medium +net/download/fetch: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/http/websocket: medium +net/ip: low +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/ip/resolve: low +net/proxy/socks5: medium +net/resolve/hostname: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/pair: medium +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +net/tcp/connect: medium +net/tcp/grpc: low +net/tcp/ssh: medium +net/udp/receive: low +net/udp/send: low +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +net/webrtc: medium +os/env/get: low +os/fd/sendfile: low +os/kernel/netlink: low +persist/kernel_module/unload: medium +persist/pid_file: medium +privesc/sudo: medium +process/chroot: 
low +sus/exclamation: medium +sus/intercept: medium +sus/lang: medium +sus/leetspeak: medium diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md index e69de29bb..89d44ca7c 100644 --- a/tests/linux/clean/slack.md +++ b/tests/linux/clean/slack.md @@ -0,0 +1,193 @@ +## linux/clean/slack [🟡 MEDIUM] + +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--|--|--|--| +| MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | +| MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) | +| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | +| MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) | +| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s)
[https://%s](https://%s) | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[endpoint_port](https://github.com/search?q=endpoint_port&type=code)
[firstIp](https://github.com/search?q=firstIp&type=code)
[hIp](https://github.com/search?q=hIp&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[multi_port](https://github.com/search?q=multi_port&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[pIp](https://github.com/search?q=pIp&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[quiche_ip](https://github.com/search?q=quiche_ip&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[required_ip](https://github.com/search?q=required_ip&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[xIp](https://github.com/search?q=xIp&type=code)
[yoIp](https://github.com/search?q=yoIp&type=code) | +| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [server_address_](https://github.com/search?q=server_address_&type=code) | +| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) | +| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.4.4](https://github.com/search?q=8.8.4.4&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | +| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) | +| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [FrameDropper](https://github.com/search?q=FrameDropper&type=code)
[eye_dropper](https://github.com/search?q=eye_dropper&type=code)
[openEyeDropper](https://github.com/search?q=openEyeDropper&type=code) | +| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | +| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip_writer](https://github.com/search?q=zip_writer&type=code) | +| MEDIUM | [collect/databases/leveldb](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/leveldb.yara#leveldb) | accesses LevelDB databases | [LEVELDB_DATABASE](https://github.com/search?q=LEVELDB_DATABASE&type=code)
[LEVELDB_ITERATOR](https://github.com/search?q=LEVELDB_ITERATOR&type=code)
[LEVELDB_TRANSACTION](https://github.com/search?q=LEVELDB_TRANSACTION&type=code)
[LevelDBEnv](https://github.com/search?q=LevelDBEnv&type=code)
[LevelDBIH](https://github.com/search?q=LevelDBIH&type=code)
[LevelDBIterator](https://github.com/search?q=LevelDBIterator&type=code)
[LevelDBOpenErrors](https://github.com/search?q=LevelDBOpenErrors&type=code)
[LevelDBPartitionedLock](https://github.com/search?q=LevelDBPartitionedLock&type=code)
[LevelDBReadErrors](https://github.com/search?q=LevelDBReadErrors&type=code)
[LevelDBScopesKey](https://github.com/search?q=LevelDBScopesKey&type=code)
[LevelDBScopesMetadata](https://github.com/search?q=LevelDBScopesMetadata&type=code)
[LevelDBScopesUndoTask](https://github.com/search?q=LevelDBScopesUndoTask&type=code)
[LevelDBTransaction](https://github.com/search?q=LevelDBTransaction&type=code)
[LevelDBWrapper](https://github.com/search?q=LevelDBWrapper&type=code)
[LevelDBWriteErrors](https://github.com/search?q=LevelDBWriteErrors&type=code)
[MojoLevelDB](https://github.com/search?q=MojoLevelDB&type=code)
[OpenAndVerifyLevelDBDatabase](https://github.com/search?q=OpenAndVerifyLevelDBDatabase&type=code)
[OpenLevelDBScopes](https://github.com/search?q=OpenLevelDBScopes&type=code)
[indexed_db_leveldb_operations](https://github.com/search?q=indexed_db_leveldb_operations&type=code)
[lazy_leveldb](https://github.com/search?q=lazy_leveldb&type=code)
[leveldbH](https://github.com/search?q=leveldbH&type=code)
[leveldb_0x](https://github.com/search?q=leveldb_0x&type=code)
[leveldb_chrome](https://github.com/search?q=leveldb_chrome&type=code)
[leveldb_database](https://github.com/search?q=leveldb_database&type=code)
[leveldb_proto](https://github.com/search?q=leveldb_proto&type=code)
[leveldb_scopes](https://github.com/search?q=leveldb_scopes&type=code)
[leveldb_value_store](https://github.com/search?q=leveldb_value_store&type=code)
[proto_leveldb_wrapper](https://github.com/search?q=proto_leveldb_wrapper&type=code)
[transactional_leveldb_iterator](https://github.com/search?q=transactional_leveldb_iterator&type=code) | +| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) | +| MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) | +| MEDIUM | [credential/sniffer/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/sniffer/bpf.yara#sniffer_bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | +| MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [.ssh](https://github.com/search?q=.ssh&type=code) | +| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | +| MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | +| MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | [#"!](https://github.com/search?q=%23%22%21&type=code)
$opt0
$opt1
$opt2
$opt30
$opt4
$opt5
$opt6
$opt7
['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[3210](https://github.com/search?q=3210&type=code)
[7654](https://github.com/search?q=7654&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[onml](https://github.com/search?q=onml&type=code)
[srqp](https://github.com/search?q=srqp&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[](https://github.com/search?q=%83%82%81%80&type=code)
[](https://github.com/search?q=%87%86%85%84&type=code)
[](https://github.com/search?q=%8B%8A%89%88&type=code)
[](https://github.com/search?q=%8F%8E%8D%8C&type=code)
[](https://github.com/search?q=%93%92%91%90&type=code)
[](https://github.com/search?q=%97%96%95%94&type=code)
[](https://github.com/search?q=%9B%9A%99%98&type=code)
[](https://github.com/search?q=%9F%9E%9D%9C&type=code)
[](https://github.com/search?q=%A3%A2%A1%A0&type=code)
[](https://github.com/search?q=%A7%A6%A5%A4&type=code)
[](https://github.com/search?q=%AB%AA%A9%A8&type=code)
[](https://github.com/search?q=%AF%AE%AD%AC&type=code)
[](https://github.com/search?q=%B3%B2%B1%B0&type=code)
[](https://github.com/search?q=%B7%B6%B5%B4&type=code)
[](https://github.com/search?q=%BB%BA%B9%B8&type=code)
[](https://github.com/search?q=%BF%BE%BD%BC&type=code)
[](https://github.com/search?q=%C3%C2%C1%C0&type=code)
[](https://github.com/search?q=%C7%C6%C5%C4&type=code)
[](https://github.com/search?q=%CB%CA%C9%C8&type=code)
[](https://github.com/search?q=%CF%CE%CD%CC&type=code)
[](https://github.com/search?q=%D3%D2%D1%D0&type=code)
[](https://github.com/search?q=%D7%D6%D5%D4&type=code)
[](https://github.com/search?q=%DB%DA%D9%D8&type=code)
[](https://github.com/search?q=%DF%DE%DD%DC&type=code)
[](https://github.com/search?q=%E3%E2%E1%E0&type=code)
[](https://github.com/search?q=%E7%E6%E5%E4&type=code)
[](https://github.com/search?q=%EB%EA%E9%E8&type=code)
[](https://github.com/search?q=%EF%EE%ED%EC&type=code)
[](https://github.com/search?q=%F3%F2%F1%F0&type=code)
[](https://github.com/search?q=%F7%F6%F5%F4&type=code)
[](https://github.com/search?q=%FB%FA%F9%F8&type=code)
[](https://github.com/search?q=%FF%FE%FD%FC&type=code) | +| MEDIUM | [crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid) | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | +| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [DRVJUSUZJQ0FUR::$CERTIFICATE](https://github.com/search?q=DRVJUSUZJQ0FUR%3A%3A%24CERTIFICATE&type=code)
[Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[RpcmVjdG9ye::$directory](https://github.com/search?q=RpcmVjdG9ye%3A%3A%24directory&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | +| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) | +| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | +| MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code)
[networkInterfaces](https://github.com/search?q=networkInterfaces&type=code) | +| MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [macAddress](https://github.com/search?q=macAddress&type=code) | +| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | +| MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | +| MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | +| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | +| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) | +| MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | +| MEDIUM | [evasion/file/location/dev_shm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/dev-shm.yara#dev_shm) | references path within /dev/shm (world writeable) | [/dev/shm/](https://github.com/search?q=%2Fdev%2Fshm%2F&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/usr/lib/debug/.build-id](https://github.com/search?q=%2Fusr%2Flib%2Fdebug%2F.build-id&type=code) | +| MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code)
[vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code) | +| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | +| MEDIUM | [exec/shell/pipe_sh](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/pipe_sh.yara#pipe_to_shell) | pipes to shell | [| sh](https://github.com/search?q=%7C+sh&type=code) | +| MEDIUM | [exec/tty/pathname](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/pathname.yara#ttyname) | returns the pathname of a terminal device | [ttyname](https://github.com/search?q=ttyname&type=code) | +| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | +| MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#google_drive) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [drive.google.com/](https://github.com/search?q=drive.google.com%2F&type=code)
[drive.google.comtabs](https://github.com/search?q=drive.google.comtabs&type=code) | +| MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy) | copy files using cp | [copyFile](https://github.com/search?q=copyFile&type=code) | +| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileAndStart](https://github.com/search?q=CreateFileAndStart&type=code)
[CreateFileAndWrite](https://github.com/search?q=CreateFileAndWrite&type=code)
[CreateFileHelper](https://github.com/search?q=CreateFileHelper&type=code)
[CreateFileOpenDial](https://github.com/search?q=CreateFileOpenDial&type=code)
[CreateFileToTrunca](https://github.com/search?q=CreateFileToTrunca&type=code)
[CreateFileURLLoade](https://github.com/search?q=CreateFileURLLoade&type=code)
[CreateFileWriterIm](https://github.com/search?q=CreateFileWriterIm&type=code) | +| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFileCallback](https://github.com/search?q=DeleteFileCallback&type=code)
[DeleteFileError](https://github.com/search?q=DeleteFileError&type=code)
[DeleteFileOnFileSe](https://github.com/search?q=DeleteFileOnFileSe&type=code) | +| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utimes](https://github.com/search?q=utimes&type=code) | +| MEDIUM | [fs/path/etc_hosts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts) | references /etc/hosts | [/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) | +| MEDIUM | [fs/path/root](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/root.yara#root_path_val) | path reference within /root | [/root/root.js](https://github.com/search?q=%2Froot%2Froot.js&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/__v8_gc__](https://github.com/search?q=%2Ftmp%2F__v8_gc__&type=code)
[/tmp/node-repl-sock](https://github.com/search?q=%2Ftmp%2Fnode-repl-sock&type=code)
[/tmp/perfetto-consumer](https://github.com/search?q=%2Ftmp%2Fperfetto-consumer&type=code)
[/tmp/perfetto-producer](https://github.com/search?q=%2Ftmp%2Fperfetto-producer&type=code) | +| MEDIUM | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown) | Changes file ownership | [Chown](https://github.com/search?q=Chown&type=code) | +| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [Chmod](https://github.com/search?q=Chmod&type=code)
[chmod](https://github.com/search?q=chmod&type=code) | +| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/$](https://github.com/search?q=%2Fproc%2F%24&type=code)
[/proc/%d/task/](https://github.com/search?q=%2Fproc%2F%25d%2Ftask%2F&type=code) | +| MEDIUM | [fs/proc/cpuinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/cpuinfo.yara#proc_cpuinfo) | get CPU info | [/proc/cpuinfo](https://github.com/search?q=%2Fproc%2Fcpuinfo&type=code) | +| MEDIUM | [fs/proc/meminfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/meminfo.yara#proc_meminfo_val) | get memory info | [/proc/meminfo](https://github.com/search?q=%2Fproc%2Fmeminfo&type=code) | +| MEDIUM | [fs/proc/self_cgroup](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cgroup.yara#pid_self_cgroup) | accesses /proc files within own cgroup | [/proc/self/cgroup/sys/fs/cgroupcgroup](https://github.com/search?q=%2Fproc%2Fself%2Fcgroup%2Fsys%2Ffs%2Fcgroupcgroup&type=code) | +| MEDIUM | [fs/proc/self_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cmdline.yara#proc_self_cmdline) | gets process command-line | [/proc/self/cmdline](https://github.com/search?q=%2Fproc%2Fself%2Fcmdline&type=code) | +| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | +| MEDIUM | [fs/proc/self_mountinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-mountinfo.yara#proc_self_mountinfo) | gets mount info associated to this process | [/proc/self/mountinfo](https://github.com/search?q=%2Fproc%2Fself%2Fmountinfo&type=code) | +| MEDIUM | [fs/proc/self_status](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-status.yara#proc_self_status) | gets status associated to this process, including capabilities | [/proc/self/status](https://github.com/search?q=%2Fproc%2Fself%2Fstatus&type=code) | +| MEDIUM | 
[fs/proc/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/stat.yara#proc_stat) | gets kernel/system statistics | [/proc/stat](https://github.com/search?q=%2Fproc%2Fstat&type=code) | +| MEDIUM | [hw/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/cpu.yara#sys_devices_cpu) | Get information about CPUs | [/sys/devices/system/cpu](https://github.com/search?q=%2Fsys%2Fdevices%2Fsystem%2Fcpu&type=code) | +| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [Failed to deserialized Heartbeat info pa](https://github.com/search?q=Failed+to+deserialized+Heartbeat+info+pa&type=code)
[Invalid heartbeat info:](https://github.com/search?q=Invalid+heartbeat+info%3A&type=code)
[No Heartbeat Info pa](https://github.com/search?q=No+Heartbeat+Info+pa&type=code)
[PostHeartbeatTask](https://github.com/search?q=PostHeartbeatTask&type=code)
[heartbeat_handler](https://github.com/search?q=heartbeat_handler&type=code) | +| MEDIUM | [lateral/scan/target_ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/target_ip.yara#target_ip) | References a target IP | [target IP](https://github.com/search?q=target+IP&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code) | +| MEDIUM | [malware/ref](https://github.com/chainguard-dev/malcontent/blob/main/rules/malware/ref.yara#malware) | mentions 'malware' | [_malware](https://github.com/search?q=_malware&type=code) | +| MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | +| MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [DnsOverHttps](https://github.com/search?q=DnsOverHttps&type=code)
[application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) | +| MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | +| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | +| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type header.](https://github.com/search?q=Content-Type+header.&type=code)
[Content-Type too large](https://github.com/search?q=Content-Type+too+large&type=code)
[Content-Type was not one of](https://github.com/search?q=Content-Type+was+not+one+of&type=code)
[Content-Type: application/json](https://github.com/search?q=Content-Type%3A+application%2Fjson&type=code)
[Content-Type: application/octet](https://github.com/search?q=Content-Type%3A+application%2Foctet&type=code)
[Content-Type: multipart/related](https://github.com/search?q=Content-Type%3A+multipart%2Frelated&type=code)
[Content-Type: text/html](https://github.com/search?q=Content-Type%3A+text%2Fhtml&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[AcceptWebSocket](https://github.com/search?q=AcceptWebSocket&type=code)
[DOMWebSocket](https://github.com/search?q=DOMWebSocket&type=code)
[EnclaveWebSocketClient](https://github.com/search?q=EnclaveWebSocketClient&type=code)
[OnWebSocketMessage](https://github.com/search?q=OnWebSocketMessage&type=code)
[OnWebSocketRequest](https://github.com/search?q=OnWebSocketRequest&type=code)
[ServerSupportsWebSocket](https://github.com/search?q=ServerSupportsWebSocket&type=code)
[WebSocket::Close](https://github.com/search?q=WebSocket%3A%3AClose&type=code)
[WebSocket::Connect](https://github.com/search?q=WebSocket%3A%3AConnect&type=code)
[WebSocket::Create](https://github.com/search?q=WebSocket%3A%3ACreate&type=code)
[WebSocket::GetBufferedAmount](https://github.com/search?q=WebSocket%3A%3AGetBufferedAmount&type=code)
[WebSocket::GetCloseCode](https://github.com/search?q=WebSocket%3A%3AGetCloseCode&type=code)
[WebSocket::GetCloseReason](https://github.com/search?q=WebSocket%3A%3AGetCloseReason&type=code)
[WebSocket::GetCloseWasClean](https://github.com/search?q=WebSocket%3A%3AGetCloseWasClean&type=code)
[WebSocket::GetExtensions](https://github.com/search?q=WebSocket%3A%3AGetExtensions&type=code)
[WebSocket::GetProtocol](https://github.com/search?q=WebSocket%3A%3AGetProtocol&type=code)
[WebSocket::GetReadyState](https://github.com/search?q=WebSocket%3A%3AGetReadyState&type=code)
[WebSocket::GetURL](https://github.com/search?q=WebSocket%3A%3AGetURL&type=code)
[WebSocket::IsWebSocket](https://github.com/search?q=WebSocket%3A%3AIsWebSocket&type=code)
[WebSocket::ReceiveMessage](https://github.com/search?q=WebSocket%3A%3AReceiveMessage&type=code)
[WebSocket::SendMessage](https://github.com/search?q=WebSocket%3A%3ASendMessage&type=code)
[WebSocketAdapter](https://github.com/search?q=WebSocketAdapter&type=code)
[WebSocketAuthenticationHandler](https://github.com/search?q=WebSocketAuthenticationHandler&type=code)
[WebSocketChannelImpl](https://github.com/search?q=WebSocketChannelImpl&type=code)
[WebSocketCloseInfo](https://github.com/search?q=WebSocketCloseInfo&type=code)
[WebSocketConnector](https://github.com/search?q=WebSocketConnector&type=code)
[WebSocketCreate](https://github.com/search?q=WebSocketCreate&type=code)
[WebSocketDestroy](https://github.com/search?q=WebSocketDestroy&type=code)
[WebSocketError](https://github.com/search?q=WebSocketError&type=code)
[WebSocketHTTPURL](https://github.com/search?q=WebSocketHTTPURL&type=code)
[WebSocketHandshakeClient](https://github.com/search?q=WebSocketHandshakeClient&type=code)
[WebSocketInit](https://github.com/search?q=WebSocketInit&type=code)
[WebSocketMessageChunkAccumulator::Segment](https://github.com/search?q=WebSocketMessageChunkAccumulator%3A%3ASegment&type=code)
[WebSocketReceiveHandshakeResponse](https://github.com/search?q=WebSocketReceiveHandshakeResponse&type=code)
[WebSocketSendData](https://github.com/search?q=WebSocketSendData&type=code)
[WebSocketSendHandshakeRequest](https://github.com/search?q=WebSocketSendHandshakeRequest&type=code)
[WebSocketSticky](https://github.com/search?q=WebSocketSticky&type=code)
[WebSocketStream::Delegate::OnAuthRequired](https://github.com/search?q=WebSocketStream%3A%3ADelegate%3A%3AOnAuthRequired&type=code)
[WebSocketStreamOptions](https://github.com/search?q=WebSocketStreamOptions&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code)
[establishWebSocketConnection](https://github.com/search?q=establishWebSocketConnection&type=code)
[kWebSocketURL:](https://github.com/search?q=kWebSocketURL%3A&type=code)
[testWebSocketPort](https://github.com/search?q=testWebSocketPort&type=code)
[webSocketClosed](https://github.com/search?q=webSocketClosed&type=code)
[webSocketCreated](https://github.com/search?q=webSocketCreated&type=code)
[webSocketDebuggerUrl](https://github.com/search?q=webSocketDebuggerUrl&type=code)
[webSocketFrameError](https://github.com/search?q=webSocketFrameError&type=code)
[webSocketFrameReceived](https://github.com/search?q=webSocketFrameReceived&type=code)
[webSocketFrameSent](https://github.com/search?q=webSocketFrameSent&type=code)
[webSocketHandshakeResponseReceived](https://github.com/search?q=webSocketHandshakeResponseReceived&type=code)
[webSocketProtocol](https://github.com/search?q=webSocketProtocol&type=code)
[webSocketWillSendHandshakeRequest](https://github.com/search?q=webSocketWillSendHandshakeRequest&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host",t.port](https://github.com/search?q=host%22%2Ct.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+++origin_port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+origin_port&type=code)
[host, port](https://github.com/search?q=host%2C+port&type=code)
[host, protocol, port](https://github.com/search?q=host%2C+protocol%2C+port&type=code)
[host,r.port=e.port](https://github.com/search?q=host%2Cr.port%3De.port&type=code)
[host.length - port](https://github.com/search?q=host.length+-+port&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host: address, port](https://github.com/search?q=host%3A+address%2C+port&type=code)
[host:]port](https://github.com/search?q=host%3A%5Dport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host=null,this.port](https://github.com/search?q=host%3Dnull%2Cthis.port&type=code)
[host>:[host_import](https://github.com/search?q=host_import&type=code)
[hostname && A.port](https://github.com/search?q=hostname+%26%26+A.port&type=code)
[hostname, port](https://github.com/search?q=hostname%2C+port&type=code)
[hostname="",r.port](https://github.com/search?q=hostname%3D%22%22%2Cr.port&type=code)
[hostname=null,e.port](https://github.com/search?q=hostname%3Dnull%2Ce.port&type=code)
[hostname}${port](https://github.com/search?q=hostname%7D%24%7Bport&type=code)
[hostname}:${port](https://github.com/search?q=hostname%7D%3A%24%7Bport&type=code)
[host}${port](https://github.com/search?q=host%7D%24%7Bport&type=code)
[host}:${port](https://github.com/search?q=host%7D%3A%24%7Bport&type=code) | +| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping err](https://github.com/search?q=ping++err&type=code)
[ping cancelled](https://github.com/search?q=ping+cancelled&type=code)
[ping connectivity probe](https://github.com/search?q=ping+connectivity+probe&type=code)
[ping failures and](https://github.com/search?q=ping+failures+and&type=code)
[ping from zygote child](https://github.com/search?q=ping+from+zygote+child&type=code)
[ping interval to](https://github.com/search?q=ping+interval+to&type=code)
[ping interval.](https://github.com/search?q=ping+interval.&type=code)
[ping last_ping_sent_:](https://github.com/search?q=ping+last_ping_sent_%3A&type=code)
[ping libuv](https://github.com/search?q=ping+libuv&type=code)
[ping most likely connection to](https://github.com/search?q=ping+most+likely+connection+to&type=code)
[ping payload must be 8 bytes](https://github.com/search?q=ping+payload+must+be+8+bytes&type=code)
[ping received](https://github.com/search?q=ping+received&type=code)
[ping response](https://github.com/search?q=ping+response&type=code)
[ping was sent and the ack](https://github.com/search?q=ping+was+sent+and+the+ack&type=code)
[ping with high retransmit count:](https://github.com/search?q=ping+with+high+retransmit+count%3A&type=code) | +| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | +| MEDIUM | [net/ip/spoof](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/spoof.yara#spoof) | references spoofing | [of hostname spoofing](https://github.com/search?q=of+hostname+spoofing&type=code)
[protocol spoofing](https://github.com/search?q=protocol+spoofing&type=code) | +| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | +| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [CONNECT %s](https://github.com/search?q=CONNECT+%25s&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | +| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[Tunnel](https://github.com/search?q=Tunnel&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | +| MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [NTLM](https://github.com/search?q=NTLM&type=code)
[ntlm](https://github.com/search?q=ntlm&type=code) | +| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) | +| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | +| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | +| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) | +| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[http://autocomplete.nigma.ru/complete/query_help.php?suggest=true](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code) | +| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | +| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code)
[openURL](https://github.com/search?q=openURL&type=code)
[openUrl](https://github.com/search?q=openUrl&type=code)
[request(url,](https://github.com/search?q=request%28url%2C&type=code) | +| MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | +| MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | +| MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo chmod 1777 /dev/shm](https://github.com/search?q=sudo+chmod+1777+%2Fdev%2Fshm&type=code) | +| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code) | +| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptProtocol](https://github.com/search?q=interceptProtocol&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | +| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | +| LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscate_location_parse_error](https://github.com/search?q=obfuscate_location_parse_error&type=code)
[obfuscated_field_name](https://github.com/search?q=obfuscated_field_name&type=code)
[obfuscated_file_util](https://github.com/search?q=obfuscated_file_util&type=code)
[obfuscated_name](https://github.com/search?q=obfuscated_name&type=code) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [AccountPasswordsConsent](https://github.com/search?q=AccountPasswordsConsent&type=code)
[ChromePasswordManagerClient](https://github.com/search?q=ChromePasswordManagerClient&type=code)
[GaiaPasswordCaptured](https://github.com/search?q=GaiaPasswordCaptured&type=code)
[GaiaPasswordReuse](https://github.com/search?q=GaiaPasswordReuse&type=code)
[Invalid password pattern](https://github.com/search?q=Invalid+password+pattern&type=code)
[PasswordGroupData](https://github.com/search?q=PasswordGroupData&type=code)
[PasswordGroupElementData](https://github.com/search?q=PasswordGroupElementData&type=code)
[PasswordH](https://github.com/search?q=PasswordH&type=code)
[PasswordIssues](https://github.com/search?q=PasswordIssues&type=code)
[PasswordReuseDetected](https://github.com/search?q=PasswordReuseDetected&type=code)
[PasswordReuseLookup](https://github.com/search?q=PasswordReuseLookup&type=code)
[PasswordReveal](https://github.com/search?q=PasswordReveal&type=code)
[PasswordSpecificsData](https://github.com/search?q=PasswordSpecificsData&type=code)
[PasswordStrongLabel](https://github.com/search?q=PasswordStrongLabel&type=code)
[SetPasswordFunc](https://github.com/search?q=SetPasswordFunc&type=code)
[Username and password are expected to](https://github.com/search?q=Username+and+password+are+expected+to&type=code)
[a username and password](https://github.com/search?q=a+username+and+password&type=code)
[accessibilityPasswordValuesEnabled](https://github.com/search?q=accessibilityPasswordValuesEnabled&type=code)
[bPassword](https://github.com/search?q=bPassword&type=code)
[called on a passwordless request](https://github.com/search?q=called+on+a+passwordless+request&type=code)
[challengePassword](https://github.com/search?q=challengePassword&type=code)
[current-password](https://github.com/search?q=current-password&type=code)
[fade-out-password](https://github.com/search?q=fade-out-password&type=code)
[for password](https://github.com/search?q=for+password&type=code)
[generated a new password](https://github.com/search?q=generated+a+new+password&type=code)
[get password](https://github.com/search?q=get+password&type=code)
[getPasswordComplete](https://github.com/search?q=getPasswordComplete&type=code)
[id-PasswordBasedMAC](https://github.com/search?q=id-PasswordBasedMAC&type=code)
[input-password](https://github.com/search?q=input-password&type=code)
[kPassword](https://github.com/search?q=kPassword&type=code)
[like a password](https://github.com/search?q=like+a+password&type=code)
[new-password](https://github.com/search?q=new-password&type=code)
[or PasswordCredentialData](https://github.com/search?q=or+PasswordCredentialData&type=code)
[password based MAC](https://github.com/search?q=password+based+MAC&type=code)
[password is too large](https://github.com/search?q=password+is+too+large&type=code)
[password text](https://github.com/search?q=password+text&type=code)
[password-change](https://github.com/search?q=password-change&type=code)
[password-manager](https://github.com/search?q=password-manager&type=code)
[password-protection](https://github.com/search?q=password-protection&type=code)
[password-reveal](https://github.com/search?q=password-reveal&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[password-strong-label](https://github.com/search?q=password-strong-label&type=code)
[passwordChar](https://github.com/search?q=passwordChar&type=code)
[passwordDialogTitle](https://github.com/search?q=passwordDialogTitle&type=code)
[passwordEchoEnabled](https://github.com/search?q=passwordEchoEnabled&type=code)
[passwordEdit](https://github.com/search?q=passwordEdit&type=code)
[passwordInvalid](https://github.com/search?q=passwordInvalid&type=code)
[passwordPrompt](https://github.com/search?q=passwordPrompt&type=code)
[passwordSubmit](https://github.com/search?q=passwordSubmit&type=code)
[readPassword](https://github.com/search?q=readPassword&type=code)
[reveal-password](https://github.com/search?q=reveal-password&type=code)
[secret_password_clear_sync](https://github.com/search?q=secret_password_clear_sync&type=code)
[secret_password_store_sync](https://github.com/search?q=secret_password_store_sync&type=code)
[set password](https://github.com/search?q=set+password&type=code)
[such as passwords](https://github.com/search?q=such+as+passwords&type=code)
[to deserialize password_string](https://github.com/search?q=to+deserialize+password_string&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[username or password](https://github.com/search?q=username+or+password&type=code)
[writePassword](https://github.com/search?q=writePassword&type=code) | +| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[privateKey](https://github.com/search?q=privateKey&type=code)
[private_key](https://github.com/search?q=private_key&type=code) | +| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) | +| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [AeadEncryptDecrypt](https://github.com/search?q=AeadEncryptDecrypt&type=code)
[AesCbcEncryptDecrypt](https://github.com/search?q=AesCbcEncryptDecrypt&type=code)
[CommonEncryptDecrypt](https://github.com/search?q=CommonEncryptDecrypt&type=code)
[ContentDecryptionModuleClient](https://github.com/search?q=ContentDecryptionModuleClient&type=code)
[CreateContentDecryptionModule](https://github.com/search?q=CreateContentDecryptionModule&type=code)
[Creation of DecryptConfig failed](https://github.com/search?q=Creation+of+DecryptConfig+failed&type=code)
[DecryptAndDecodeAudio](https://github.com/search?q=DecryptAndDecodeAudio&type=code)
[DecryptAndDecodeVideo](https://github.com/search?q=DecryptAndDecodeVideo&type=code)
[DecryptPendingBuffer](https://github.com/search?q=DecryptPendingBuffer&type=code)
[Decrypted a 0](https://github.com/search?q=Decrypted+a+0&type=code)
[DecryptedWithEmptyKey](https://github.com/search?q=DecryptedWithEmptyKey&type=code)
[DecryptingAudioDecoder](https://github.com/search?q=DecryptingAudioDecoder&type=code)
[DecryptingVideoDecoder](https://github.com/search?q=DecryptingVideoDecoder&type=code)
[Decryption failed](https://github.com/search?q=Decryption+failed&type=code)
[Decryption is not avail](https://github.com/search?q=Decryption+is+not+avail&type=code)
[Decryption succeeded af](https://github.com/search?q=Decryption+succeeded+af&type=code)
[DoDecryptReply](https://github.com/search?q=DoDecryptReply&type=code)
[For a Content Decryption Module](https://github.com/search?q=For+a+Content+Decryption+Module&type=code)
[GetFrameDecryptor](https://github.com/search?q=GetFrameDecryptor&type=code)
[Hardware Secure Decryption is disabled](https://github.com/search?q=Hardware+Secure+Decryption+is+disabled&type=code)
[HardwareSecureDecryptionExperiment](https://github.com/search?q=HardwareSecureDecryptionExperiment&type=code)
[MojoDecryptorService](https://github.com/search?q=MojoDecryptorService&type=code)
[OnDecryptingDemuxerStream](https://github.com/search?q=OnDecryptingDemuxerStream&type=code)
[Selected DecryptingDemuxerStream](https://github.com/search?q=Selected+DecryptingDemuxerStream&type=code)
[Setting FrameDecryptor](https://github.com/search?q=Setting+FrameDecryptor&type=code)
[WaitingForDecryptionKey](https://github.com/search?q=WaitingForDecryptionKey&type=code)
[_privateDecrypt](https://github.com/search?q=_privateDecrypt&type=code)
[_publicDecrypt](https://github.com/search?q=_publicDecrypt&type=code)
[ause of SetFrameDecryptor](https://github.com/search?q=ause+of+SetFrameDecryptor&type=code)
[const privateDecrypt](https://github.com/search?q=const+privateDecrypt&type=code)
[const publicDecrypt](https://github.com/search?q=const+publicDecrypt&type=code)
[e to set ContentDecryptionModule object](https://github.com/search?q=e+to+set+ContentDecryptionModule+object&type=code)
[existing ContentDecryptionModule object](https://github.com/search?q=existing+ContentDecryptionModule+object&type=code)
[kDecryptError](https://github.com/search?q=kDecryptError&type=code)
[kIsAudioDecryptingDemuxerStream](https://github.com/search?q=kIsAudioDecryptingDemuxerStream&type=code)
[kIsVideoDecryptingDemuxerStream](https://github.com/search?q=kIsVideoDecryptingDemuxerStream&type=code)
[kWebCryptoCipherDecrypt](https://github.com/search?q=kWebCryptoCipherDecrypt&type=code)
[ketsReceivedWithDecrypter](https://github.com/search?q=ketsReceivedWithDecrypter&type=code) | +| LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) | +| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | +| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public key](https://github.com/search?q=Public+key&type=code)
[Public-key](https://github.com/search?q=Public-key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | +| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code)
[require('tls')](https://github.com/search?q=require%28%27tls%27%29&type=code) | +| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | +| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | +| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | +| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | +| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [(/](https://github.com/search?q=%28%B5%2F%FD&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | +| LOW | [data/embedded/pem_certificate](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert) | Contains embedded PEM certificate | [--BEGIN CERTIFICATE--](https://github.com/search?q=--BEGIN+CERTIFICATE--&type=code) | +| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | +| LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSON.parse](https://github.com/search?q=JSON.parse&type=code) | +| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | +| LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | +| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | +| LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | +| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | +| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [evasion/hijack_execution/LD_LIBRARY_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hijack_execution/LD_LIBRARY_PATH.yara#ld_library_path) | ld library path | [LD_LIBRARY_PATH](https://github.com/search?q=LD_LIBRARY_PATH&type=code) | +| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | +| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | +| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Chromium PDF Plugin](https://github.com/search?q=Chromium+PDF+Plugin&type=code)
[ContainsPlugins](https://github.com/search?q=ContainsPlugins&type=code)
[Failed to generate a plugin id](https://github.com/search?q=Failed+to+generate+a+plugin+id&type=code)
[GetPluginInfo](https://github.com/search?q=GetPluginInfo&type=code)
[GetPlugins](https://github.com/search?q=GetPlugins&type=code)
[If you want to block plugins](https://github.com/search?q=If+you+want+to+block+plugins&type=code)
[Is an accelerated plugin](https://github.com/search?q=Is+an+accelerated+plugin&type=code)
[LoadPluginsSoon](https://github.com/search?q=LoadPluginsSoon&type=code)
[No PPP_GetInterface in plugin library](https://github.com/search?q=No+PPP_GetInterface+in+plugin+library&type=code)
[No PPP_InitializeModule in plugin library](https://github.com/search?q=No+PPP_InitializeModule+in+plugin+library&type=code)
[OnPepperPluginCrashed](https://github.com/search?q=OnPepperPluginCrashed&type=code)
[OnPepperPluginHung](https://github.com/search?q=OnPepperPluginHung&type=code)
[OpenChannelToPepperPlugin](https://github.com/search?q=OpenChannelToPepperPlugin&type=code)
[Pepper Plugin Broker](https://github.com/search?q=Pepper+Plugin+Broker&type=code)
[PepperPluginInstance](https://github.com/search?q=PepperPluginInstance&type=code)
[Plugin Changed](https://github.com/search?q=Plugin+Changed&type=code)
[Plugin URL](https://github.com/search?q=Plugin+URL&type=code)
[Plugin doesn](https://github.com/search?q=Plugin+doesn&type=code)
[PluginArray](https://github.com/search?q=PluginArray&type=code)
[PluginData](https://github.com/search?q=PluginData&type=code)
[PluginDispatcher](https://github.com/search?q=PluginDispatcher&type=code)
[PluginLoad](https://github.com/search?q=PluginLoad&type=code)
[PluginRegistry](https://github.com/search?q=PluginRegistry&type=code)
[PluginResource](https://github.com/search?q=PluginResource&type=code)
[PluginService](https://github.com/search?q=PluginService&type=code)
[PluginSizeUpdated](https://github.com/search?q=PluginSizeUpdated&type=code)
[PpapiMsg_LoadPlugin](https://github.com/search?q=PpapiMsg_LoadPlugin&type=code)
[PpapiPluginMain](https://github.com/search?q=PpapiPluginMain&type=code)
[PpapiPluginMetrics](https://github.com/search?q=PpapiPluginMetrics&type=code)
[RemoveBrowserPluginEmbedder](https://github.com/search?q=RemoveBrowserPluginEmbedder&type=code)
[SendToPlugin](https://github.com/search?q=SendToPlugin&type=code)
[SetBrowserPluginGuest](https://github.com/search?q=SetBrowserPluginGuest&type=code)
[The plugin has not](https://github.com/search?q=The+plugin+has+not&type=code)
[Unable to create ppapi plugin process](https://github.com/search?q=Unable+to+create+ppapi+plugin+process&type=code)
[Unable to load plugin](https://github.com/search?q=Unable+to+load+plugin&type=code)
[Unable to load ppapi plugin](https://github.com/search?q=Unable+to+load+ppapi+plugin&type=code)
[allowNonEmptyNavigatorPlugins](https://github.com/search?q=allowNonEmptyNavigatorPlugins&type=code)
[as a plugin](https://github.com/search?q=as+a+plugin&type=code)
[browserplugin](https://github.com/search?q=browserplugin&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[html_plugin_element](https://github.com/search?q=html_plugin_element&type=code)
[kPluginObject](https://github.com/search?q=kPluginObject&type=code)
[loadplugin](https://github.com/search?q=loadplugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[page contains plugins](https://github.com/search?q=page+contains+plugins&type=code)
[pdf_internal_plugin_wrapper](https://github.com/search?q=pdf_internal_plugin_wrapper&type=code)
[pdf_view_web_plugin](https://github.com/search?q=pdf_view_web_plugin&type=code)
[pepper_hung_plugin_filter](https://github.com/search?q=pepper_hung_plugin_filter&type=code)
[pepper_webplugin_impl](https://github.com/search?q=pepper_webplugin_impl&type=code)
[plugin data](https://github.com/search?q=plugin+data&type=code)
[pluginObject](https://github.com/search?q=pluginObject&type=code)
[plugin_audio_thread](https://github.com/search?q=plugin_audio_thread&type=code)
[plugin_container_impl](https://github.com/search?q=plugin_container_impl&type=code)
[plugin_instance_impl](https://github.com/search?q=plugin_instance_impl&type=code)
[plugin_message_filter](https://github.com/search?q=plugin_message_filter&type=code)
[plugin_module](https://github.com/search?q=plugin_module&type=code)
[plugin_process_host](https://github.com/search?q=plugin_process_host&type=code)
[plugin_service_impl](https://github.com/search?q=plugin_service_impl&type=code)
[pluginsEnabled](https://github.com/search?q=pluginsEnabled&type=code)
[pluginspace](https://github.com/search?q=pluginspace&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[pluginurl](https://github.com/search?q=pluginurl&type=code)
[ppapi_plugin_main](https://github.com/search?q=ppapi_plugin_main&type=code)
[ppapi_plugin_process](https://github.com/search?q=ppapi_plugin_process&type=code)
[r PluginH](https://github.com/search?q=r+PluginH&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code)
[security origin than your plugin](https://github.com/search?q=security+origin+than+your+plugin&type=code)
[strictMixedContentCheckingForPlugin](https://github.com/search?q=strictMixedContentCheckingForPlugin&type=code)
[suggestplugin](https://github.com/search?q=suggestplugin&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectoryAndGetEr](https://github.com/search?q=CreateDirectoryAndGetEr&type=code)
[CreateDirectoryError](https://github.com/search?q=CreateDirectoryError&type=code)
[CreateDirectoryResult](https://github.com/search?q=CreateDirectoryResult&type=code)
[createFolder](https://github.com/search?q=createFolder&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | +| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | +| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | +| LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm HP-USB500 5.1 Headset](https://github.com/search?q=rm+HP-USB500+5.1+Headset&type=code)
[rm PA-WL54GU](https://github.com/search?q=rm+PA-WL54GU&type=code) | +| LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | +| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | +| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | +| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code)
[fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code) | +| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | +| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code)
[_writeFilesForTesting](https://github.com/search?q=_writeFilesForTesting&type=code)
[writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeFileUtf8](https://github.com/search?q=writeFileUtf8&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code) | +| LOW | [fs/link_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) | +| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | +| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | +| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/asound.conf](https://github.com/search?q=%2Fetc%2Fasound.conf&type=code)
[/etc/ati/amdpcsdb.default](https://github.com/search?q=%2Fetc%2Fati%2Famdpcsdb.default&type=code)
[/etc/catalog](https://github.com/search?q=%2Fetc%2Fcatalog&type=code)
[/etc/chromium/native-messaging-hosts](https://github.com/search?q=%2Fetc%2Fchromium%2Fnative-messaging-hosts&type=code)
[/etc/chromium/policies](https://github.com/search?q=%2Fetc%2Fchromium%2Fpolicies&type=code)
[/etc/drirc](https://github.com/search?q=%2Fetc%2Fdrirc&type=code)
[/etc/fonts/conf.d](https://github.com/search?q=%2Fetc%2Ffonts%2Fconf.d&type=code)
[/etc/gai.conf](https://github.com/search?q=%2Fetc%2Fgai.conf&type=code)
[/etc/group](https://github.com/search?q=%2Fetc%2Fgroup&type=code)
[/etc/host.conf](https://github.com/search?q=%2Fetc%2Fhost.conf&type=code)
[/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code)
[/etc/localtime](https://github.com/search?q=%2Fetc%2Flocaltime&type=code)
[/etc/machine-id](https://github.com/search?q=%2Fetc%2Fmachine-id&type=code)
[/etc/netsvc.conf](https://github.com/search?q=%2Fetc%2Fnetsvc.conf&type=code)
[/etc/nsswitch.conf](https://github.com/search?q=%2Fetc%2Fnsswitch.conf&type=code)
[/etc/os-release](https://github.com/search?q=%2Fetc%2Fos-release&type=code)
[/etc/pulse/](https://github.com/search?q=%2Fetc%2Fpulse%2F&type=code)
[/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/ssl/certs](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts&type=code)
[/etc/svc.conf](https://github.com/search?q=%2Fetc%2Fsvc.conf&type=code)
[/etc/timezone](https://github.com/search?q=%2Fetc%2Ftimezone&type=code)
[/etc/vulkan/icd.d](https://github.com/search?q=%2Fetc%2Fvulkan%2Ficd.d&type=code)
[/etc/xml/catalog](https://github.com/search?q=%2Fetc%2Fxml%2Fcatalog&type=code) | +| LOW | [fs/path/etc_resolv.conf](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf) | accesses DNS resolver configuration | [/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code) | +| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/privacy/](https://github.com/search?q=%2Fhome%2Fprivacy%2F&type=code) | +| LOW | [fs/path/home_config](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path) | path reference within ~/.config | [.config/pulse](https://github.com/search?q=.config%2Fpulse&type=code)
[/.config/user](https://github.com/search?q=%2F.config%2Fuser&type=code) | +| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/cache/fontconfig](https://github.com/search?q=%2Fvar%2Fcache%2Ffontconfig&type=code)
[/var/run/user](https://github.com/search?q=%2Fvar%2Frun%2Fuser&type=code)
[/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | +| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | +| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TEMPDIR](https://github.com/search?q=TEMPDIR&type=code)
[TMPDIR](https://github.com/search?q=TMPDIR&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | +| LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | +| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | +| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | +| LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code)
[bssid](https://github.com/search?q=bssid&type=code) | +| LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [require('dns')](https://github.com/search?q=require%28%27dns%27%29&type=code) | +| LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [resolv.conf](https://github.com/search?q=resolv.conf&type=code) | +| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | +| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | +| LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | +| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | +| LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [oauth2](https://github.com/search?q=oauth2&type=code) | +| LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | +| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[httpClose](https://github.com/search?q=httpClose&type=code)
[httpConnect](https://github.com/search?q=httpConnect&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code) | +| LOW | [net/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets) | access the internet | [invalid packet](https://github.com/search?q=invalid+packet&type=code) | +| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | +| LOW | [net/ip/resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-resolve.yara#gethostbyaddr) | [resolves network hosts via IP address](https://linux.die.net/man/3/gethostbyaddr) | [gethostbyaddr](https://github.com/search?q=gethostbyaddr&type=code) | +| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#cannot_resolve) | resolve network host name to IP address | [cannot resolve](https://github.com/search?q=cannot+resolve&type=code) | +| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | +| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | +| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [client_address_spac](https://github.com/search?q=client_address_spac&type=code)
[client_addresses_ca](https://github.com/search?q=client_addresses_ca&type=code)
[getpeername](https://github.com/search?q=getpeername&type=code) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code)
[sendmmsg](https://github.com/search?q=sendmmsg&type=code)
[sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | +| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code)
[new URL](https://github.com/search?q=new+URL&type=code) | +| LOW | [os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val) | Retrieve environment variable values | [env.COLORTERM](https://github.com/search?q=env.COLORTERM&type=code)
[env.CRASHDUMP](https://github.com/search?q=env.CRASHDUMP&type=code)
[env.CRASHPAD](https://github.com/search?q=env.CRASHPAD&type=code)
[env.ELECTRON](https://github.com/search?q=env.ELECTRON&type=code)
[env.FORCE](https://github.com/search?q=env.FORCE&type=code)
[env.JEST](https://github.com/search?q=env.JEST&type=code)
[env.NODE](https://github.com/search?q=env.NODE&type=code)
[env.ORIGINAL](https://github.com/search?q=env.ORIGINAL&type=code)
[env.TEAMCITY](https://github.com/search?q=env.TEAMCITY&type=code)
[env.TEMP](https://github.com/search?q=env.TEMP&type=code)
[env.TERM](https://github.com/search?q=env.TERM&type=code)
[env.TMP](https://github.com/search?q=env.TMP&type=code)
[env.TMUX](https://github.com/search?q=env.TMUX&type=code)
[env.UNDICI](https://github.com/search?q=env.UNDICI&type=code)
[env.USERPROFILE](https://github.com/search?q=env.USERPROFILE&type=code)
[env.WATCH](https://github.com/search?q=env.WATCH&type=code)
[env.XDG](https://github.com/search?q=env.XDG&type=code) | +| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | +| LOW | [os/fd/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#py_fd_read) | reads from a file handle | [context.read()](https://github.com/search?q=context.read%28%29&type=code)
[reader.read()](https://github.com/search?q=reader.read%28%29&type=code)
[req.read()](https://github.com/search?q=req.read%28%29&type=code)
[self.read()](https://github.com/search?q=self.read%28%29&type=code)
[socket.read()](https://github.com/search?q=socket.read%28%29&type=code)
[stream.read()](https://github.com/search?q=stream.read%28%29&type=code)
[tail.read()](https://github.com/search?q=tail.read%28%29&type=code) | +| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) | +| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [_decoder.write(ret)](https://github.com/search?q=_decoder.write%28ret%29&type=code)
[_downstream.write(e)](https://github.com/search?q=_downstream.write%28e%29&type=code)
[decoder.write(data)](https://github.com/search?q=decoder.write%28data%29&type=code)
[decoder.write(readBuffer)](https://github.com/search?q=decoder.write%28readBuffer%29&type=code)
[dest.write(chunk)](https://github.com/search?q=dest.write%28chunk%29&type=code)
[h2stream.write(body)](https://github.com/search?q=h2stream.write%28body%29&type=code)
[h2stream.write(buffer)](https://github.com/search?q=h2stream.write%28buffer%29&type=code)
[h2stream.write(chunk)](https://github.com/search?q=h2stream.write%28chunk%29&type=code)
[output.write(errStack)](https://github.com/search?q=output.write%28errStack%29&type=code)
[output.write(line)](https://github.com/search?q=output.write%28line%29&type=code)
[output.write(result)](https://github.com/search?q=output.write%28result%29&type=code)
[output.write(stringToWrite)](https://github.com/search?q=output.write%28stringToWrite%29&type=code)
[pt.write(val)](https://github.com/search?q=pt.write%28val%29&type=code)
[self.write(prefix)](https://github.com/search?q=self.write%28prefix%29&type=code)
[socket.write(body)](https://github.com/search?q=socket.write%28body%29&type=code)
[socket.write(buffer)](https://github.com/search?q=socket.write%28buffer%29&type=code)
[socket.write(chunk)](https://github.com/search?q=socket.write%28chunk%29&type=code)
[stdout.write(clear)](https://github.com/search?q=stdout.write%28clear%29&type=code)
[stdout.write(s)](https://github.com/search?q=stdout.write%28s%29&type=code)
[stream.write(data)](https://github.com/search?q=stream.write%28data%29&type=code)
[stream.write(kClearScreenDown)](https://github.com/search?q=stream.write%28kClearScreenDown%29&type=code)
[stream.write(string)](https://github.com/search?q=stream.write%28string%29&type=code)
[streamWritable.write(chunk)](https://github.com/search?q=streamWritable.write%28chunk%29&type=code)
[this.write(buf)](https://github.com/search?q=this.write%28buf%29&type=code)
[this.write(data)](https://github.com/search?q=this.write%28data%29&type=code)
[this.write(response)](https://github.com/search?q=this.write%28response%29&type=code)
[writable.write(chunk)](https://github.com/search?q=writable.write%28chunk%29&type=code)
[writer.write(chunk)](https://github.com/search?q=writer.write%28chunk%29&type=code) | +| LOW | [os/kernel/netlink](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink) | communicate with kernel services | [netlink](https://github.com/search?q=netlink&type=code) | +| LOW | [os/kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) | +| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | +| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd -u env -i](https://github.com/search?q=cd+-u++env+-i&type=code) | +| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | +| LOW | [process/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#_fork) | [create child process](https://man7.org/linux/man-pages/man2/fork.2.html) | [_fork](https://github.com/search?q=_fork&type=code) | +| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | +| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | 
[setgroups](https://github.com/search?q=setgroups&type=code) | +| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | + diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple index e69de29bb..8d67345fb 100644 --- a/tests/linux/clean/trivy.simple +++ b/tests/linux/clean/trivy.simple 
@@ -0,0 +1,201 @@ +# linux/clean/trivy: medium +anti-static/elf/multiple: medium +c2/addr/discord: medium +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/server: medium +c2/client: medium +c2/discovery/ip_dns_resolver: medium +c2/tool_transfer/arch: low +c2/tool_transfer/download: medium +c2/tool_transfer/github: medium +c2/tool_transfer/os: medium +collect/archives/unarchive: medium +collect/archives/zip: medium +collect/code/github_api: low +collect/databases/leveldb: medium +collect/databases/mysql: medium +collect/databases/postgresql: medium +collect/databases/sqlite: medium +credential/cloud/aws: medium +credential/cloud/g: medium +credential/keychain: medium +credential/password: low +credential/server/htpasswd: medium +credential/sniffer/bpf: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/blockchain: medium +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/openssl: medium +crypto/public_key: low +crypto/tls: low +data/base64/decode: medium +data/base64/encode: medium +data/compression/bzip2: low +data/compression/gzip: low +data/compression/lzma: low +data/compression/xz: medium +data/compression/zlib: low +data/compression/zstd: low +data/embedded/html: medium +data/embedded/pem_certificate: low +data/embedded/pem_private_key: medium +data/embedded/pem_test_key: low +data/embedded/ssh_signature: medium +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/encoding/json_encode: low +data/hash/blake2b: low +data/hash/md5: medium +data/hash/sha1: low +data/random/insecure: low +discover/cloud/aws_metadata: low +discover/cloud/google_metadata: low +discover/cloud/google_storage: low +discover/network/mac_address: medium +discover/network/netstat: medium +discover/process/name: medium +discover/processes/list: medium +discover/system/cpu: low +discover/system/dmesg: low +discover/system/hostname: low +discover/system/platform: medium 
+discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +evasion/bypass_security/linux/iptables: medium +evasion/file/location/chdir_unusual: medium +evasion/file/location/dev_shm: medium +evasion/file/location/var_run: medium +evasion/file/prefix: medium +exec/cmd: medium +exec/conditional/LANG: low +exec/dylib/symbol_address: medium +exec/install_additional/package_install: medium +exec/install_additional/pip_install: medium +exec/plugin: low +exec/program: medium +exec/script/osa: medium +exec/shell/SHELL: low +exec/shell/TERM: low +exec/shell/background_sleep: medium +exec/shell/pipe_sh: medium +exec/system_controls/apparmor: medium +exec/system_controls/systemd: low +exfil/collection: medium +exfil/upload: medium +fs/attributes/set: medium +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/file/copy: medium +fs/file/create: medium +fs/file/delete: medium +fs/file/delete_forcibly: medium +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/stat: low +fs/file/times_set: medium +fs/file/truncate: low +fs/file/write: low +fs/link_create: low +fs/link_read: low +fs/lock_update: low +fs/loopback: medium +fs/mount: low +fs/node_create: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home: low +fs/path/home_config: low +fs/path/root: medium +fs/path/tmp: medium +fs/path/users: medium +fs/path/usr_bin: low +fs/path/usr_lib_python: medium +fs/path/usr_local: medium +fs/path/var: low +fs/permission/chown: medium +fs/permission/modify: medium +fs/proc/arbitrary_pid: medium +fs/proc/self_mountinfo: medium +fs/swap/off: low +fs/symlink_resolve: low +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempdir/create: low +fs/tempfile: low +fs/watch: low +hw/dev/block_ice: medium +hw/wireless: low +impact/remote_access/heartbeat: medium +impact/remote_access/iptables: medium +impact/remote_access/kill_rm: medium +impact/remote_access/trojan: medium 
+lateral/scan/brute_force: low +malware/ref: medium +net/dns: low +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download/fetch: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/http/webhook: medium +net/http/websocket: medium +net/ip: low +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/ip/syncookie: medium +net/proxy/socks5: medium +net/proxy/tunnel: medium +net/resolve/hostname: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +net/tcp/connect: medium +net/tcp/grpc: low +net/tcp/ssh: medium +net/udp/receive: low +net/udp/send: low +net/url/embedded: medium +net/url/encode: medium +net/url/parse: low +net/url/request: medium +os/fd/sendfile: low +os/kernel/netlink: low +os/kernel/opencl: medium +os/kernel/seccomp: low +os/time/tzinfo: low +privesc/setuid: low +privesc/sudo: medium +process/chdir: low +process/chroot: low +process/groupid_set: low +process/groups_set: low +process/multithreaded: low +sus/exclamation: medium +sus/intercept: medium +sus/leetspeak: medium +sus/malicious: medium diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md index e69de29bb..547b61558 100644 --- a/tests/linux/clean/trufflehog.md +++ b/tests/linux/clean/trufflehog.md @@ -0,0 +1,194 @@ +## linux/clean/trufflehog [🟡 MEDIUM] + +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--|--|--|--| +| MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | +| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | +| MEDIUM | [c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord) | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) | +| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba](http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba)
[https://%s.api.mailchimp.com/3.0/https](https://%s.api.mailchimp.com/3.0/https)
[https://%s.api.mailchimp.com/3.0https](https://%s.api.mailchimp.com/3.0https)
[https://%s.billomat.net/api/v2/clients/myself](https://%s.billomat.net/api/v2/clients/myself)
[https://%s.caspio.com/oauth/tokenhttps](https://%s.caspio.com/oauth/tokenhttps)
[https://%s.currencycloud.com](https://%s.currencycloud.com)
[https://%s.fibery.io/api/commandsTruffleHog3](https://%s.fibery.io/api/commandsTruffleHog3)
[https://%s.flowlu.com/api/v1/module/crm/lead/list](https://%s.flowlu.com/api/v1/module/crm/lead/list)
[https://%s.formsite.com/api/v2/](https://%s.formsite.com/api/v2/)
[https://%s.kanbantool.com/api/v3/users/current.jsonhttps](https://%s.kanbantool.com/api/v3/users/current.jsonhttps)
[https://%s.leankit.com/io/accounthttps](https://%s.leankit.com/io/accounthttps)
[https://%s.s3](https://%s.s3)
[https://%s.salesmate.io/apis/v3/companies/1](https://%s.salesmate.io/apis/v3/companies/1)
[https://%s.scalr.io/api/iacp/v3/agentshttps](https://%s.scalr.io/api/iacp/v3/agentshttps)
[https://%s.vouchery.io/api/v2.0/usershttps](https://%s.vouchery.io/api/v2.0/usershttps)
[https://%s/account.json](https://%s/account.json)
[https://%s/admin/api/2024](https://%s/admin/api/2024)
[https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR](https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR)
[https://%s/api/laml/2010](https://%s/api/laml/2010)
[https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx](https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx)
[https://%s/api/v1/projects](https://%s/api/v1/projects)
[https://%s/api/v1/sources](https://%s/api/v1/sources)
[https://%s/api/v1/users/meopsgenie.com/alert/detail/https](https://%s/api/v1/users/meopsgenie.com/alert/detail/https)
[https://%s/api/v1/userserror](https://%s/api/v1/userserror)
[https://%s/api/v2/tickets](https://%s/api/v2/tickets)
[https://%s/api/v3/users/current.json](https://%s/api/v3/users/current.json)
[https://%s/auth/oauth2/v2/tokenhttps](https://%s/auth/oauth2/v2/tokenhttps)
[https://%s/invoices.json](https://%s/invoices.json)
[https://%s/v2/lastUpdateTimeBeamer](https://%s/v2/lastUpdateTimeBeamer)
[https://%sSCRAM](https://%sSCRAM) | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[aIp](https://github.com/search?q=aIp&type=code)
[a_ip](https://github.com/search?q=a_ip&type=code)
[accel_port](https://github.com/search?q=accel_port&type=code)
[allowed_port](https://github.com/search?q=allowed_port&type=code)
[announce_port](https://github.com/search?q=announce_port&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[fastly_ip](https://github.com/search?q=fastly_ip&type=code)
[firewall_ip](https://github.com/search?q=firewall_ip&type=code)
[geo_ip](https://github.com/search?q=geo_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[htcp_port](https://github.com/search?q=htcp_port&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[i_ip](https://github.com/search?q=i_ip&type=code)
[icp_port](https://github.com/search?q=icp_port&type=code)
[in_ip](https://github.com/search?q=in_ip&type=code)
[ip_port](https://github.com/search?q=ip_port&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[lookupPort](https://github.com/search?q=lookupPort&type=code)
[m_ip](https://github.com/search?q=m_ip&type=code)
[miss_port](https://github.com/search?q=miss_port&type=code)
[nIp](https://github.com/search?q=nIp&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[old_ip](https://github.com/search?q=old_ip&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pages_ip](https://github.com/search?q=pages_ip&type=code)
[parsePort](https://github.com/search?q=parsePort&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[privateIp](https://github.com/search?q=privateIp&type=code)
[relay_port](https://github.com/search?q=relay_port&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[routedPort](https://github.com/search?q=routedPort&type=code)
[snmp_port](https://github.com/search?q=snmp_port&type=code)
[snmpd_port](https://github.com/search?q=snmpd_port&type=code)
[stripPort](https://github.com/search?q=stripPort&type=code)
[tIp](https://github.com/search?q=tIp&type=code)
[vIp](https://github.com/search?q=vIp&type=code) | +| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [ConnectServer](https://github.com/search?q=ConnectServer&type=code) | +| MEDIUM | [c2/addr/telegram](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/telegram.yara#telegram) | telegram | [Telegram](https://github.com/search?q=Telegram&type=code)
[telegram.org](https://github.com/search?q=telegram.org&type=code) | +| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientID](https://github.com/search?q=clientID&type=code)
[clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) | +| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | +| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#download_ref) | downloads files | [download file](https://github.com/search?q=download+file&type=code) | +| MEDIUM | [c2/tool_transfer/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/download.yara#download_sites) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [pastebin.Scanner](https://github.com/search?q=pastebin.Scanner&type=code)
[pastebin.com/api/api_post](https://github.com/search?q=pastebin.com%2Fapi%2Fapi_post&type=code)
[pastebin.go](https://github.com/search?q=pastebin.go&type=code)
[pastebin.init](https://github.com/search?q=pastebin.init&type=code) | +| MEDIUM | [c2/tool_transfer/grayware](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/grayware.yara#shodan_io) | References shodan.io | [shodan.io](https://github.com/search?q=shodan.io&type=code) | +| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Darwin](https://github.com/search?q=Darwin&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://) | +| MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [UnarchiveProject](https://github.com/search?q=UnarchiveProject&type=code)
[unarchiveadmin](https://github.com/search?q=unarchiveadmin&type=code)
[unarchiveapp_configurations](https://github.com/search?q=unarchiveapp_configurations&type=code) | +| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [archive/zip](https://github.com/search?q=archive%2Fzip&type=code) | +| MEDIUM | [collect/databases/mysql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/mysql.yara#mysql) | accesses MySQL databases | [mysql](https://github.com/search?q=mysql&type=code) | +| MEDIUM | [collect/databases/postgresql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/postgresql.yara#postgresql) | accesses PostgreSQL databases | [postgresql](https://github.com/search?q=postgresql&type=code) | +| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) | +| MEDIUM | [credential/clipboard](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/clipboard.yara#nspasteboard) | [access clipboard contents](https://www.sentinelone.com/blog/session-cookies-keychains-ssh-keys-and-more-7-kinds-of-data-malware-steals-from-macos-users/) | [atotto/clipboard](https://github.com/search?q=atotto%2Fclipboard&type=code) | +| MEDIUM | [credential/cloud/g](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/cloud/gcloud.yara#gcloud_config_value) | Access gcloud configuration files | [.config/gcloud](https://github.com/search?q=.config%2Fgcloud&type=code)
[application_default_credentials.json](https://github.com/search?q=application_default_credentials.json&type=code) | +| MEDIUM | [credential/gaming/minecraft](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/gaming/minecraft.yara#minecraft) | Has references to Minecraft | [minecraft](https://github.com/search?q=minecraft&type=code) | +| MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) | +| MEDIUM | [crypto/blockchain](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/blockchain.yara#blockchain) | blockchain | [blockchain](https://github.com/search?q=blockchain&type=code) | +| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | +| MEDIUM | [data/compression/xz](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/xz.yara#xz_lib) | uses xz library | [ulikunitz/xz](https://github.com/search?q=ulikunitz%2Fxz&type=code) | +| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [DRVJUSUZJQ0FUR::$CERTIFICATE](https://github.com/search?q=DRVJUSUZJQ0FUR%3A%3A%24CERTIFICATE&type=code)
[Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | +| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) | +| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | +| MEDIUM | [data/embedded/pem_private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-private_key.yara#begin_private_key) | Contains RSA PRIVATE KEY directive | [PRIVATE KEY--](https://github.com/search?q=PRIVATE+KEY--&type=code) | +| MEDIUM | [data/embedded/ssh_signature](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-ssh-signature.yara#ssh_signature) | Contains embedded SSH signature | [--BEGIN SSH SIGNATURE--](https://github.com/search?q=--BEGIN+SSH+SIGNATURE--&type=code) | +| MEDIUM | [discover/group/lookup](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/group/lookup.yara#getgrent) | get entry from group database | [endgrent](https://github.com/search?q=endgrent&type=code)
[getgrent](https://github.com/search?q=getgrent&type=code)
[setgrent](https://github.com/search?q=setgrent&type=code) | +| MEDIUM | [discover/ip/public](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/ip/public_ip.yara#iplookup_website) | public service to discover external IP address | [ipify.org](https://github.com/search?q=ipify.org&type=code) | +| MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code)
[macAddress](https://github.com/search?q=macAddress&type=code) | +| MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) | +| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code)
[systeminfo](https://github.com/search?q=systeminfo&type=code) | +| MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | +| MEDIUM | [evasion/file/location/var_run](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/var-run.yara#var_run_subfolder) | references subfolder within /var/run | [/var/run/slapd/](https://github.com/search?q=%2Fvar%2Frun%2Fslapd%2F&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path) | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.ssh](https://github.com/search?q=%25s%2F.ssh&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecCommand](https://github.com/search?q=ExecCommand&type=code)
[Execute_Command_Line](https://github.com/search?q=Execute_Command_Line&type=code)
[MergeRunCmdOptions](https://github.com/search?q=MergeRunCmdOptions&type=code)
[RunCommandCursor](https://github.com/search?q=RunCommandCursor&type=code)
[StartCmdTrace](https://github.com/search?q=StartCmdTrace&type=code)
[StartCommandOptions](https://github.com/search?q=StartCommandOptions&type=code)
[execTxCommand](https://github.com/search?q=execTxCommand&type=code)
[executeCommand](https://github.com/search?q=executeCommand&type=code)
[processRunCommand](https://github.com/search?q=processRunCommand&type=code)
[runGitCommand](https://github.com/search?q=runGitCommand&type=code)
[runShellCommandAsynchronously](https://github.com/search?q=runShellCommandAsynchronously&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#exec_cmd_run) | executes external programs | [).CombinedOutput](https://github.com/search?q=%29.CombinedOutput&type=code)
[exec.(*Cmd).Run](https://github.com/search?q=exec.%28%2ACmd%29.Run&type=code) | +| MEDIUM | [exec/script/osa](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/script/osascript.yara#osascript_caller) | runs osascript | [display dialog](https://github.com/search?q=display+dialog&type=code) | +| MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershell](https://github.com/search?q=powershell&type=code) | +| MEDIUM | [exfil/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/discord.yara#discord_bot) | [Uses the Discord webhooks API](https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_high.yar#L706) | [discord.com/api/webhooks/](https://github.com/search?q=discord.com%2Fapi%2Fwebhooks%2F&type=code) | +| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | +| MEDIUM | [exfil/stealer/creds](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/creds.yara#suspected_data_stealer) | suspected data stealer | [Atomic](https://github.com/search?q=Atomic&type=code)
[Binance](https://github.com/search?q=Binance&type=code)
[Chrome](https://github.com/search?q=Chrome&type=code)
[Discord](https://github.com/search?q=Discord&type=code)
[Firefox](https://github.com/search?q=Firefox&type=code)
[History](https://github.com/search?q=History&type=code)
[OpenVPN](https://github.com/search?q=OpenVPN&type=code)
[Snowflake](https://github.com/search?q=Snowflake&type=code)
[Telegram](https://github.com/search?q=Telegram&type=code) | +| MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#file_io_uploader) | uploads content to file.io | [POST](https://github.com/search?q=POST&type=code)
[file.io](https://github.com/search?q=file.io&type=code)
[post](https://github.com/search?q=post&type=code) | +| MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy_cp) | copy files using cp | [cp](https://github.com/search?q=cp&type=code) | +| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileProperty](https://github.com/search?q=CreateFileProperty&type=code) | +| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFile](https://github.com/search?q=DeleteFile&type=code) | +| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utime](https://github.com/search?q=utime&type=code) | +| MEDIUM | [fs/path/etc_hosts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts) | references /etc/hosts | [/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/mysql.sockclientFoundRowsmultiStatementsUNSIGNED](https://github.com/search?q=%2Ftmp%2Fmysql.sockclientFoundRowsmultiStatementsUNSIGNED&type=code)
[/tmp/placeholder/%v](https://github.com/search?q=%2Ftmp%2Fplaceholder%2F%25v&type=code) | +| MEDIUM | [fs/path/users](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/users.yara#home_path_users) | references path within /Users | [/Users/%vorganizations/%v/team/%v/projectssql](https://github.com/search?q=%2FUsers%2F%25vorganizations%2F%25v%2Fteam%2F%25v%2Fprojectssql&type=code) | +| MEDIUM | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown) | Changes file ownership | [Chown](https://github.com/search?q=Chown&type=code) | +| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [Chmod](https://github.com/search?q=Chmod&type=code)
[chmod](https://github.com/search?q=chmod&type=code) | +| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/statSHA256](https://github.com/search?q=%2Fproc%2F%25d%2FstatSHA256&type=code) | +| MEDIUM | [fs/proc/self_cgroup](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cgroup.yara#pid_self_cgroup) | accesses /proc files within own cgroup | [/proc/self/cgroupcpu](https://github.com/search?q=%2Fproc%2Fself%2Fcgroupcpu&type=code) | +| MEDIUM | [fs/proc/self_mountinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-mountinfo.yara#proc_self_mountinfo) | gets mount info associated to this process | [/proc/self/mountinfo](https://github.com/search?q=%2Fproc%2Fself%2Fmountinfo&type=code) | +| MEDIUM | [impact/ddos](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ddos/ddos.yara#ddos) | References DDoS | [DDoS](https://github.com/search?q=DDoS&type=code) | +| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [:CodeWithScopeSpacerheartbeatinterval](https://github.com/search?q=%3ACodeWithScopeSpacerheartbeatinterval&type=code)
[ConnServer heartbeat started](https://github.com/search?q=ConnServer+heartbeat+started&type=code)
[HeartbeatMS](https://github.com/search?q=HeartbeatMS&type=code)
[SetHeartbeatInterval](https://github.com/search?q=SetHeartbeatInterval&type=code)
[WithHeartbeatInterval](https://github.com/search?q=WithHeartbeatInterval&type=code)
[WithHeartbeatTimeout](https://github.com/search?q=WithHeartbeatTimeout&type=code)
[be greater than or equal to the heartbeat interva](https://github.com/search?q=be+greater+than+or+equal+to+the+heartbeat+interva&type=code)
[comWriteDocumentElementheartbeatfrequenc](https://github.com/search?q=comWriteDocumentElementheartbeatfrequenc&type=code)
[comheartbeatMain: re](https://github.com/search?q=comheartbeatMain%3A+re&type=code)
[crc32Rolling backcleanup docsheartbeat_msgeo_d](https://github.com/search?q=crc32Rolling+backcleanup+docsheartbeat_msgeo_d&type=code)
[edConnection pool clearedServer heartbeat failedS](https://github.com/search?q=edConnection+pool+clearedServer+heartbeat+failedS&type=code)
[edclient_sql_exceptionFailed to heartbeat](https://github.com/search?q=edclient_sql_exceptionFailed+to+heartbeat&type=code)
[eerror setting read deadline in heartbeater:](https://github.com/search?q=eerror+setting+read+deadline+in+heartbeater%3A&type=code)
[eonly valid as initial handshakeheartbeat is not](https://github.com/search?q=eonly+valid+as+initial+handshakeheartbeat+is+not&type=code)
[heartbeatCtxCance](https://github.com/search?q=heartbeatCtxCance&type=code)
[heartbeatFrame](https://github.com/search?q=heartbeatFrame&type=code)
[heartbeatInterval](https://github.com/search?q=heartbeatInterval&type=code)
[heartbeatLock](https://github.com/search?q=heartbeatLock&type=code)
[heartbeatTimeout](https://github.com/search?q=heartbeatTimeout&type=code)
[icedisableConsoleLoginfailed to heartbeat](https://github.com/search?q=icedisableConsoleLoginfailed+to+heartbeat&type=code)
[newHeartbeatDuration](https://github.com/search?q=newHeartbeatDuration&type=code)
[orcHeartbeating](https://github.com/search?q=orcHeartbeating&type=code)
[overflow reading version stringHeartbeats should](https://github.com/search?q=overflow+reading+version+stringHeartbeats+should&type=code)
[parquetheartbeat started](https://github.com/search?q=parquetheartbeat+started&type=code)
[parseHeartbeatFrame](https://github.com/search?q=parseHeartbeatFrame&type=code)
[pollHeartbeatTime](https://github.com/search?q=pollHeartbeatTime&type=code)
[publishServerHeartbeatFailedEv](https://github.com/search?q=publishServerHeartbeatFailedEv&type=code)
[publishServerHeartbeatStartedE](https://github.com/search?q=publishServerHeartbeatStartedE&type=code)
[publishServerHeartbeatSucceede](https://github.com/search?q=publishServerHeartbeatSucceede&type=code)
[setupHeartbeatConnecti](https://github.com/search?q=setupHeartbeatConnecti&type=code)
[sha1publickeysubsystemheartbeatwithcoor](https://github.com/search?q=sha1publickeysubsystemheartbeatwithcoor&type=code)
[sheartbeat stopped](https://github.com/search?q=sheartbeat+stopped&type=code)
[startHeartBeat](https://github.com/search?q=startHeartBeat&type=code)
[stopHeartBeat](https://github.com/search?q=stopHeartBeat&type=code)
[swordincludeRetryReasonstopping heartbeat](https://github.com/search?q=swordincludeRetryReasonstopping+heartbeat&type=code)
[tarting server monitoringServer heartbeat succeed](https://github.com/search?q=tarting+server+monitoringServer+heartbeat+succeed&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | +| MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [DoneDownloadCond](https://github.com/search?q=DoneDownloadCond&type=code)
[DownloadArtifactsFile](https://github.com/search?q=DownloadArtifactsFile&type=code)
[DownloadAvatar](https://github.com/search?q=DownloadAvatar&type=code)
[DownloadContentsWithMeta](https://github.com/search?q=DownloadContentsWithMeta&type=code)
[DownloadPackageFile](https://github.com/search?q=DownloadPackageFile&type=code)
[DownloadReleaseAsset](https://github.com/search?q=DownloadReleaseAsset&type=code)
[ExportDownload](https://github.com/search?q=ExportDownload&type=code)
[FTPDownload](https://github.com/search?q=FTPDownload&type=code)
[FailedDownloads](https://github.com/search?q=FailedDownloads&type=code)
[FuncDownloadHelper](https://github.com/search?q=FuncDownloadHelper&type=code)
[GeoIpDownloadStatistics](https://github.com/search?q=GeoIpDownloadStatistics&type=code)
[GetArchiveDownloadURL](https://github.com/search?q=GetArchiveDownloadURL&type=code)
[GetBrowserDownloadURL](https://github.com/search?q=GetBrowserDownloadURL&type=code)
[GetDownloadCount](https://github.com/search?q=GetDownloadCount&type=code)
[GetDownloadLocation](https://github.com/search?q=GetDownloadLocation&type=code)
[GetDownloadURL](https://github.com/search?q=GetDownloadURL&type=code)
[GetDownloadsURL](https://github.com/search?q=GetDownloadsURL&type=code)
[GetHasDownloads](https://github.com/search?q=GetHasDownloads&type=code)
[GetTempDownloadToken](https://github.com/search?q=GetTempDownloadToken&type=code)
[MFA_TOKENdownload start chunk](https://github.com/search?q=MFA_TOKENdownload+start+chunk&type=code)
[NextDownloader](https://github.com/search?q=NextDownloader&type=code)
[NodeInfoIngestDownloader](https://github.com/search?q=NodeInfoIngestDownloader&type=code)
[STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG](https://github.com/search?q=STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG&type=code)
[SuccessfulDownloads](https://github.com/search?q=SuccessfulDownloads&type=code)
[URLDownloadToFile](https://github.com/search?q=URLDownloadToFile&type=code)
[addDownloader](https://github.com/search?q=addDownloader&type=code)
[archive_download_url](https://github.com/search?q=archive_download_url&type=code)
[browser_download_url](https://github.com/search?q=browser_download_url&type=code)
[chunkDownloader](https://github.com/search?q=chunkDownloader&type=code)
[chunk_downloader](https://github.com/search?q=chunk_downloader&type=code)
[downloadChunkHelper](https://github.com/search?q=downloadChunkHelper&type=code)
[downloadH](https://github.com/search?q=downloadH&type=code)
[downloadLocation](https://github.com/search?q=downloadLocation&type=code)
[downloadOCSPCacheServer](https://github.com/search?q=downloadOCSPCacheServer&type=code)
[downloadPatches](https://github.com/search?q=downloadPatches&type=code)
[download_count](https://github.com/search?q=download_count&type=code)
[downloader id](https://github.com/search?q=downloader+id&type=code)
[downloads_url](https://github.com/search?q=downloads_url&type=code)
[downloadsrepos](https://github.com/search?q=downloadsrepos&type=code)
[failed_downloads](https://github.com/search?q=failed_downloads&type=code)
[funcDownloadHelper](https://github.com/search?q=funcDownloadHelper&type=code)
[geoipdownloadstatistics](https://github.com/search?q=geoipdownloadstatistics&type=code)
[getNextChunkDownloader](https://github.com/search?q=getNextChunkDownloader&type=code)
[has_downloads](https://github.com/search?q=has_downloads&type=code)
[methodTotalDownloadTimeshards](https://github.com/search?q=methodTotalDownloadTimeshards&type=code)
[newStreamChunkDownloader](https://github.com/search?q=newStreamChunkDownloader&type=code)
[nodeinfoingestdownloader](https://github.com/search?q=nodeinfoingestdownloader&type=code)
[populateChunkDownloader](https://github.com/search?q=populateChunkDownloader&type=code)
[profileno download link found for](https://github.com/search?q=profileno+download+link+found+for&type=code)
[setNextChunkDownloader](https://github.com/search?q=setNextChunkDownloader&type=code)
[snowflakeChunkDownloader](https://github.com/search?q=snowflakeChunkDownloader&type=code)
[sstart downloading](https://github.com/search?q=sstart+downloading&type=code)
[streamChunkDownloader](https://github.com/search?q=streamChunkDownloader&type=code)
[successful_downloads](https://github.com/search?q=successful_downloads&type=code)
[tailChunkDownloader](https://github.com/search?q=tailChunkDownloader&type=code)
[temp_download_token](https://github.com/search?q=temp_download_token&type=code)
[the scheduleddownloads](https://github.com/search?q=the+scheduleddownloads&type=code)
[theequationsdownload](https://github.com/search?q=theequationsdownload&type=code)
[thresholddownloading error](https://github.com/search?q=thresholddownloading+error&type=code)
[total_download_time](https://github.com/search?q=total_download_time&type=code)
[useStreamDownloader](https://github.com/search?q=useStreamDownloader&type=code)
[vMaxChunkDownloadWorkers](https://github.com/search?q=vMaxChunkDownloadWorkers&type=code)
[vmsdownloading done](https://github.com/search?q=vmsdownloading+done&type=code)
[wcould not download file for scan](https://github.com/search?q=wcould+not+download+file+for+scan&type=code)
[wfailed to download patches](https://github.com/search?q=wfailed+to+download+patches&type=code)
[when trying to download file for scan](https://github.com/search?q=when+trying+to+download+file+for+scan&type=code) | +| MEDIUM | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value) | Invokes curl | [curl / libcurl / php_curl](https://github.com/search?q=curl+%2F+libcurl+%2F+php_curl&type=code) | +| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | +| MEDIUM | [net/http/content_length](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length.yara#content_length_0) | Sets HTTP content length to zero | [Content-Length: 0](https://github.com/search?q=Content-Length%3A+0&type=code) | +| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | +| MEDIUM | [net/http/fake_user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/fake-user-agent.yara#fake_user_agent_chrome) | pretends to be Chrome | [(KHTML, like Gecko) Chrome](https://github.com/search?q=%28KHTML%2C+like+Gecko%29+Chrome&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type from get jenkins builds request](https://github.com/search?q=Content-Type+from+get+jenkins+builds+request&type=code)
[Content-Type from get jenkins jobs request:](https://github.com/search?q=Content-Type+from+get+jenkins+jobs+request%3A&type=code)
[Content-Type headerstorage: at least one sou](https://github.com/search?q=Content-Type+headerstorage%3A+at+least+one+sou&type=code)
[Content-Type isn](https://github.com/search?q=Content-Type+isn&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-TypePUSH_PROMISECONTINUATIONCookie.V](https://github.com/search?q=Content-TypePUSH_PROMISECONTINUATIONCookie.V&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[Content-Typeinvalid nesting depthcould not p](https://github.com/search?q=Content-Typeinvalid+nesting+depthcould+not+p&type=code)
[Content-Typenet/http: timeout awaiting respo](https://github.com/search?q=Content-Typenet%2Fhttp%3A+timeout+awaiting+respo&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code) | +| MEDIUM | [net/http/webhook](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/webhook.yara#webhook) | supports webhooks | [CustomRegexWebhook](https://github.com/search?q=CustomRegexWebhook&type=code)
[DiscordWebhook](https://github.com/search?q=DiscordWebhook&type=code)
[GetWebhookSecret](https://github.com/search?q=GetWebhookSecret&type=code)
[IncomingWebhook](https://github.com/search?q=IncomingWebhook&type=code)
[KeypipelineWebhooksCategoryread_apiReporterorg](https://github.com/search?q=KeypipelineWebhooksCategoryread_apiReporterorg&type=code)
[MicrosoftTeamsWebhook](https://github.com/search?q=MicrosoftTeamsWebhook&type=code)
[NewWebhookCustomRegex](https://github.com/search?q=NewWebhookCustomRegex&type=code)
[Sessionwebhook](https://github.com/search?q=Sessionwebhook&type=code)
[SlackWebhook](https://github.com/search?q=SlackWebhook&type=code)
[TinesWebhook](https://github.com/search?q=TinesWebhook&type=code)
[Webhook1protobuf](https://github.com/search?q=Webhook1protobuf&type=code)
[WebhookAction](https://github.com/search?q=WebhookAction&type=code)
[WebhookH](https://github.com/search?q=WebhookH&type=code)
[WebhookMultiError](https://github.com/search?q=WebhookMultiError&type=code)
[WebhookResult](https://github.com/search?q=WebhookResult&type=code)
[WebhookSubuser](https://github.com/search?q=WebhookSubuser&type=code)
[WebhookValidationError](https://github.com/search?q=WebhookValidationError&type=code)
[Webhook_Header](https://github.com/search?q=Webhook_Header&type=code)
[Webhook_Vector](https://github.com/search?q=Webhook_Vector&type=code)
[ZapierWebhook](https://github.com/search?q=ZapierWebhook&type=code)
[discordwebhook](https://github.com/search?q=discordwebhook&type=code)
[getWebhooksPermission](https://github.com/search?q=getWebhooksPermission&type=code)
[isWebhook_Credential](https://github.com/search?q=isWebhook_Credential&type=code)
[isWebhook_Data](https://github.com/search?q=isWebhook_Data&type=code)
[microsoftteamswebhook](https://github.com/search?q=microsoftteamswebhook&type=code)
[readwebhooks](https://github.com/search?q=readwebhooks&type=code)
[slackwebhook](https://github.com/search?q=slackwebhook&type=code)
[tineswebhook](https://github.com/search?q=tineswebhook&type=code)
[verifyWebhook](https://github.com/search?q=verifyWebhook&type=code)
[webhook_endpoints](https://github.com/search?q=webhook_endpoints&type=code)
[webhook_read](https://github.com/search?q=webhook_read&type=code)
[webhook_secret](https://github.com/search?q=webhook_secret&type=code)
[webhook_write](https://github.com/search?q=webhook_write&type=code)
[webhookaction](https://github.com/search?q=webhookaction&type=code)
[webhookb2](https://github.com/search?q=webhookb2&type=code)
[writewebhooks](https://github.com/search?q=writewebhooks&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#go_scan_tool_val) | Uses struct with JSON representations for host:port | [json:"host"](https://github.com/search?q=json%3A%22host%22&type=code)
[json:"hostname"](https://github.com/search?q=json%3A%22hostname%22&type=code)
[json:"ip"](https://github.com/search?q=json%3A%22ip%22&type=code)
[json:"port"](https://github.com/search?q=json%3A%22port%22&type=code) | +| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping interval to minimum period of](https://github.com/search?q=ping+interval+to+minimum+period+of&type=code)
[ping not acked within timeout](https://github.com/search?q=ping+not+acked+within+timeout&type=code) | +| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#ip_go) | parses IP address (IPv4 or IPv6) | [IsLinkLocalUnicast](https://github.com/search?q=IsLinkLocalUnicast&type=code)
[IsSingleIP](https://github.com/search?q=IsSingleIP&type=code) | +| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | +| MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [ntlmssp](https://github.com/search?q=ntlmssp&type=code) | +| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | +| MEDIUM | [net/tcp/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/connect.yara#connect_tcp) | connects to a TCP port | [dialTCP](https://github.com/search?q=dialTCP&type=code) | +| MEDIUM | [net/tcp/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/listen.yara#listen_tcp) | listen on a TCP port | [listening on tcp](https://github.com/search?q=listening+on+tcp&type=code) | +| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses crypto/ssh to connect to the SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) | +| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[25https://api.websitepulse.com/textserver.php?method=GetContacts](https://github.com/search?q=25https%3A%2F%2Fapi.websitepulse.com%2Ftextserver.php%3Fmethod%3DGetContacts&type=code)
[bhttps://api.route4me.com/api.v4/address_book.php?api_key=https](https://github.com/search?q=bhttps%3A%2F%2Fapi.route4me.com%2Fapi.v4%2Faddress_book.php%3Fapi_key%3Dhttps&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[https://pastebin.com/api/api_post.php](https://pastebin.com/api/api_post.php)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code)
[shttps://api.mesibo.com/api.php?op=useradd](https://github.com/search?q=shttps%3A%2F%2Fapi.mesibo.com%2Fapi.php%3Fop%3Duseradd&type=code) | +| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | +| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code) | +| MEDIUM | [persist/kernel_module/unload](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/unload.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) | +| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [pid_file](https://github.com/search?q=pid_file&type=code) | +| MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) | +| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercepted](https://github.com/search?q=intercepted&type=code)
[interceptor](https://github.com/search?q=interceptor&type=code) | +| MEDIUM | [sus/malicious](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/malicious.yara#malicious) | References 'malicious' | [other kinds of malicious content](https://github.com/search?q=other+kinds+of+malicious+content&type=code) | +| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://169.254.169.254/latest/api/tokennonce](http://169.254.169.254/latest/api/tokennonce)
[http://169.254.169.254/latest/meta](http://169.254.169.254/latest/meta)
[http://169.254.169.254/latestProcessProviderExecutionErrorfailed](http://169.254.169.254/latestProcessProviderExecutionErrorfailed)
[http://169.254.169.254/metadata/identity/oauth2/token](http://169.254.169.254/metadata/identity/oauth2/token)
[http://169.254.169.254BalancerAttributes](http://169.254.169.254BalancerAttributes)
[http://169.254.170.2/redis](http://169.254.170.2/redis)
[http://169.254.170.2RequestLimitExceededinvalid](http://169.254.170.2RequestLimitExceededinvalid)
[http://Descriptionrelatively](http://Descriptionrelatively)
[http://according](http://according)
[http://addEventListenerresponsible](http://addEventListenerresponsible)
[http://applicationslink](http://applicationslink)
[http://chunkednosniffCreatedIM](http://chunkednosniffCreatedIM)
[http://dictionaryperceptionrevolutionfoundationpx](http://dictionaryperceptionrevolutionfoundationpx)
[http://earth.google.com/kml/2.0](http://earth.google.com/kml/2.0)
[http://earth.google.com/kml/2.1](http://earth.google.com/kml/2.1)
[http://earth.google.com/kml/2.2](http://earth.google.com/kml/2.2)
[http://encoding=](http://encoding=)
[http://familiar](http://familiar)
[http://google.com](http://google.com)
[http://html4/loose.dtd](http://html4/loose.dtd)
[http://imEnglish](http://imEnglish)
[http://interested](http://interested)
[http://interpreted](http://interpreted)
[http://iparticipation](http://iparticipation)
[http://localhost/truncate](http://localhost/truncate)
[http://mathematicsmargin](http://mathematicsmargin)
[http://metadata/computeMetadata/v1/instance/service](http://metadata/computeMetadata/v1/instance/service)
[http://navigation](http://navigation)
[http://ns.adobe.com/xfdf/](http://ns.adobe.com/xfdf/)
[http://ocsp.snowflakecomputing.comFailed](http://ocsp.snowflakecomputing.comFailed)
[http://portal.microsoftazure.de/https](http://portal.microsoftazure.de/https)
[http://s3.amazonaws.com/doc/2006](http://s3.amazonaws.com/doc/2006)
[http://schemas.microsoft.com/3dmanufacturing/core/2015/02](http://schemas.microsoft.com/3dmanufacturing/core/2015/02)
[http://site_name](http://site_name)
[http://staticsuggested](http://staticsuggested)
[http://www./div](http://www./div)
[http://www.C//DTD](http://www.C//DTD)
[http://www.collada.org/2005/11/COLLADASchema](http://www.collada.org/2005/11/COLLADASchema)
[http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2](http://www.garmin.com/xmlschemas/TrainingCenterDatabase/v2)
[http://www.hortcut](http://www.hortcut)
[http://www.icon](http://www.icon)
[http://www.interpretation](http://www.interpretation)
[http://www.language=](http://www.language=)
[http://www.opengis.net/gml/3.2](http://www.opengis.net/gml/3.2)
[http://www.opengis.net/gml/3.3/exr](http://www.opengis.net/gml/3.3/exr)
[http://www.opengis.net/kml/2.2](http://www.opengis.net/kml/2.2)
[http://www.style=](http://www.style=)
[http://www.text](http://www.text)
[http://www.topografix.com/GPX/1/1](http://www.topografix.com/GPX/1/1)
[http://www.w3.org/2000/svg](http://www.w3.org/2000/svg)
[http://www.w3.org/2001/XMLSchema](http://www.w3.org/2001/XMLSchema)
[http://www.w3.org/2002/07/owl](http://www.w3.org/2002/07/owl)
[http://www.w3.org/2005/Atom](http://www.w3.org/2005/Atom)
[http://www.w3.org/TR/2001/REC](http://www.w3.org/TR/2001/REC)
[http://www.w3.org/XML/1998/namespacexml](http://www.w3.org/XML/1998/namespacexml)
[http://www.w3.org/shortcut](http://www.w3.org/shortcut)
[http://www.wencodeURIComponent](http://www.wencodeURIComponent)
[http://www.years](http://www.years)
[https://a.klaviyo.com/api/profileshttps](https://a.klaviyo.com/api/profileshttps)
[https://accounts.google.com/o/oauth2/authhttps](https://accounts.google.com/o/oauth2/authhttps)
[https://amplitude.com/api/2/taxonomy/categoryhttps](https://amplitude.com/api/2/taxonomy/categoryhttps)
[https://anypoint.mulesoft.com/apiplatform/repository/v2/organizations/](https://anypoint.mulesoft.com/apiplatform/repository/v2/organizations/)
[https://anypointapi2cartapiflashBasic](https://anypointapi2cartapiflashBasic)
[https://api.abuseipdb.com/api/v2/check](https://api.abuseipdb.com/api/v2/check)
[https://api.abyssale.com/ready](https://api.abyssale.com/ready)
[https://api.adzuna.com](https://api.adzuna.com)
[https://api.aeroworkflow.com/api/unexpected](https://api.aeroworkflow.com/api/unexpected)
[https://api.agora.io/dev/v1/projectshttps](https://api.agora.io/dev/v1/projectshttps)
[https://api.airbrake.io/api/v4/projects/grant_type=client_credentials&client_id=ht](https://api.airbrake.io/api/v4/projects/grant_type=client_credentials&client_id=ht)
[https://api.airtable.com/v0/AWS](https://api.airtable.com/v0/AWS)
[https://api.airvisual.com/v2/countries](https://api.airvisual.com/v2/countries)
[https://api.aiven.io/v1/project](https://api.aiven.io/v1/project)
[https://api.alegra.com/api/v1/users](https://api.alegra.com/api/v1/users)
[https://api.aletheiaapi.com/StockData](https://api.aletheiaapi.com/StockData)
[https://api.ambeedata.com/latest/by](https://api.ambeedata.com/latest/by)
[https://api.anthropic.com/v1/messageshttps](https://api.anthropic.com/v1/messageshttps)
[https://api.api2cart.com/v1.1/account.cart.list.json](https://api.api2cart.com/v1.1/account.cart.list.json)
[https://api.apiflash.com/v1/urltoimage](https://api.apiflash.com/v1/urltoimage)
[https://api.apifonica.com/v2/accounts&my=true&offset=10&limit=99&desc](https://api.apifonica.com/v2/accounts&my=true&offset=10&limit=99&desc)
[https://api.apify.com/v2/acts](https://api.apify.com/v2/acts)
[https://api.apilayer.com/number_verification/countrieshttps](https://api.apilayer.com/number_verification/countrieshttps)
[https://api.apiscience.com/v1/monitorshttps](https://api.apiscience.com/v1/monitorshttps)
[https://api.apitemplate.io/v1/list](https://api.apitemplate.io/v1/list)
[https://api.app.shortcut.com/api/v3/member](https://api.app.shortcut.com/api/v3/member)
[https://api.appcues.com/v2/accounts/](https://api.appcues.com/v2/accounts/)
[https://api.appfollow.io/api/v2/account/usershttps](https://api.appfollow.io/api/v2/account/usershttps)
[https://api.appointedd.com/v1/availability/slots](https://api.appointedd.com/v1/availability/slots)
[https://api.appoptics.com/v1/metricshost](https://api.appoptics.com/v1/metricshost)
[https://api.apptivo.com/app/dao/v6/leads](https://api.apptivo.com/app/dao/v6/leads)
[https://api.artsy.net/api/tokens/xapp_token](https://api.artsy.net/api/tokens/xapp_token)
[https://api.assemblyai.com/v2/transcripthttps](https://api.assemblyai.com/v2/transcripthttps)
[https://api.atlassian.com/admin/v1/orgshttps](https://api.atlassian.com/admin/v1/orgshttps)
[https://api.audd.io/setCallbackUrl/](https://api.audd.io/setCallbackUrl/)
[https://api.autoklose.com/api/campaigns/](https://api.autoklose.com/api/campaigns/)
[https://api.avaza.com/api/Account.blob.core.windows.net/](https://api.avaza.com/api/Account.blob.core.windows.net/)
[https://api.aviationstack.com/v1/flights](https://api.aviationstack.com/v1/flights)
[https://api.aylien.com/news/stories](https://api.aylien.com/news/stories)
[https://api.bannerbear.com/v2/authhttps](https://api.bannerbear.com/v2/authhttps)
[https://api.baremetrics.com/v1/accounthttps](https://api.baremetrics.com/v1/accounthttps)
[https://api.bitbucket.org/2.0/repositoriesMake](https://api.bitbucket.org/2.0/repositoriesMake)
[https://api.blocknative.com/gasprices/blockpriceshttps](https://api.blocknative.com/gasprices/blockpriceshttps)
[https://api.bombbomb.com/v2/lists/https](https://api.bombbomb.com/v2/lists/https)
[https://api.borgbase.com/graphqlhttps](https://api.borgbase.com/graphqlhttps)
[https://api.brandfetch.io/v1/color](https://api.brandfetch.io/v1/color)
[https://api.browshot.com/api/v1/instance/list](https://api.browshot.com/api/v1/instance/list)
[https://api.bscscan.com/api](https://api.bscscan.com/api)
[https://api.bugsnag.com/user/organizations](https://api.bugsnag.com/user/organizations)
[https://api.buildkite.com/v2/access](https://api.buildkite.com/v2/access)
[https://api.bulksms.com/v1/messageshttps](https://api.bulksms.com/v1/messageshttps)
[https://api.buttercms.com/v2/posts/](https://api.buttercms.com/v2/posts/)
[https://api.calendly.com/users/mehttps](https://api.calendly.com/users/mehttps)
[https://api.calorieninjas.com/v1/nutrition](https://api.calorieninjas.com/v1/nutrition)
[https://api.capsulecrm.com/api/v2/usershttps](https://api.capsulecrm.com/api/v2/usershttps)
[https://api.captaindata.co/v2/https](https://api.captaindata.co/v2/https)
[https://api.cashboardapp.com/account.xmlhttps](https://api.cashboardapp.com/account.xmlhttps)
[https://api.centralstationcrm.net/api/users.jsonhttps](https://api.centralstationcrm.net/api/users.jsonhttps)
[https://api.chartmogul.com/v1/pinghttps](https://api.chartmogul.com/v1/pinghttps)
[https://api.chatbot.com/storieshttps](https://api.chatbot.com/storieshttps)
[https://api.chec.io/v1/categorieshttps](https://api.chec.io/v1/categorieshttps)
[https://api.chec.io/v1/products](https://api.chec.io/v1/products)
[https://api.checklyhq.com/v1/checks](https://api.checklyhq.com/v1/checks)
[https://api.clarifai.com/v2/inputshttps](https://api.clarifai.com/v2/inputshttps)
[https://api.clarifai.com/v2/users/mehttps](https://api.clarifai.com/v2/users/mehttps)
[https://api.clickup.com/api/v2/userhttps](https://api.clickup.com/api/v2/userhttps)
[https://api.cliengo.com/1.0/account](https://api.cliengo.com/1.0/account)
[https://api.clockify.me/api/v1/userhttps](https://api.clockify.me/api/v1/userhttps)
[https://api.close.com/api/v1/me/https](https://api.close.com/api/v1/me/https)
[https://api.cloudconvert.com/v2/users/mehttps](https://api.cloudconvert.com/v2/users/mehttps)
[https://api.cloudflare.com/client/v4/certificates](https://api.cloudflare.com/client/v4/certificates)
[https://api.cloudflare.com/client/v4/user/tokens/verify](https://api.cloudflare.com/client/v4/user/tokens/verify)
[https://api.cloudflare.com/client/v4/userhttps](https://api.cloudflare.com/client/v4/userhttps)
[https://api.cloudimage.com/invalidatehttps](https://api.cloudimage.com/invalidatehttps)
[https://api.cloudmersive.com/validate/address/parsehttps](https://api.cloudmersive.com/validate/address/parsehttps)
[https://api.cloudplan.biz/api/user/me](https://api.cloudplan.biz/api/user/me)
[https://api.cloudsmith.io/v1/user/self/https](https://api.cloudsmith.io/v1/user/self/https)
[https://api.cloverly.com/2019](https://api.cloverly.com/2019)
[https://api.cloze.com/v1/profile](https://api.cloze.com/v1/profile)
[https://api.codeclimate.com/v1/userhttps](https://api.codeclimate.com/v1/userhttps)
[https://api.codemagic.io/appsunexpected](https://api.codemagic.io/appsunexpected)
[https://api.coinbase.com/v2/userhttps](https://api.coinbase.com/v2/userhttps)
[https://api.coinlayer.com/api/livelive](https://api.coinlayer.com/api/livelive)
[https://api.column.com/entities](https://api.column.com/entities)
[https://api.companyhub.com/v1/me](https://api.companyhub.com/v1/me)
[https://api.confluent.cloud/iam/v2/api](https://api.confluent.cloud/iam/v2/api)
[https://api.contentful.com/organizationshttps](https://api.contentful.com/organizationshttps)
[https://api.conversiontools.io/v1/taskshttps](https://api.conversiontools.io/v1/taskshttps)
[https://api.convertkit.com/v3/forms](https://api.convertkit.com/v3/forms)
[https://api.copper.com/developer_api/v1/tasks/searchhttps](https://api.copper.com/developer_api/v1/tasks/searchhttps)
[https://api.countrylayer.com/v2/all](https://api.countrylayer.com/v2/all)
[https://api.courier.com/preferences](https://api.courier.com/preferences)
[https://api.craftmypdf.com/v1/get](https://api.craftmypdf.com/v1/get)
[https://api.crowdin.com/api/v2/storageshttps](https://api.crowdin.com/api/v2/storageshttps)
[https://api.currencyfreaks.com/latest](https://api.currencyfreaks.com/latest)
[https://api.currencylayer.com/live](https://api.currencylayer.com/live)
[https://api.currencyscoop.com/v1/latest](https://api.currencyscoop.com/v1/latest)
[https://api.currentsapi.services/v1/latest](https://api.currentsapi.services/v1/latest)
[https://api.dandelion.eu/datatxt/li/v1/](https://api.dandelion.eu/datatxt/li/v1/)
[https://api.dareboost.com/0.8/confighttps](https://api.dareboost.com/0.8/confighttps)
[https://api.datadoghq.comhttps](https://api.datadoghq.comhttps)
[https://api.deepai.org/api/text](https://api.deepai.org/api/text)
[https://api.deepgram.com/v1/projects](https://api.deepgram.com/v1/projects)
[https://api.delighted.com/v1/people.jsonapplication/vnd.docusign](https://api.delighted.com/v1/people.jsonapplication/vnd.docusign)
[https://api.deno.com/user](https://api.deno.com/user)
[https://api.detectify.com/rest/v2/assets/https](https://api.detectify.com/rest/v2/assets/https)
[https://api.developer.coinbase.com/waas/pools/protoc](https://api.developer.coinbase.com/waas/pools/protoc)
[https://api.developer.coinbase.com/waas/poolsquery](https://api.developer.coinbase.com/waas/poolsquery)
[https://api.diffbot.com/v4/account](https://api.diffbot.com/v4/account)
[https://api.digitalocean.com/v2/accounthttps](https://api.digitalocean.com/v2/accounthttps)
[https://api.dittowords.com/variantshttps](https://api.dittowords.com/variantshttps)
[https://api.docparser.com/v1/parsers](https://api.docparser.com/v1/parsers)
[https://api.documo.com/v1/me](https://api.documo.com/v1/me)
[https://api.doppler.com/v3/mehttps](https://api.doppler.com/v3/mehttps)
[https://api.dovico.com/Employees/](https://api.dovico.com/Employees/)
[https://api.dropboxapi.com/2/users/get_current_account](https://api.dropboxapi.com/2/users/get_current_account)
[https://api.dyspatch.io/templateshttps](https://api.dyspatch.io/templateshttps)
[https://api.ecostruxureit.com/rest/v1/organizationshttps](https://api.ecostruxureit.com/rest/v1/organizationshttps)
[https://api.edamam.com/auto](https://api.edamam.com/auto)
[https://api.edenai.run/v1/automl/text/projecthttps](https://api.edenai.run/v1/automl/text/projecthttps)
[https://api.elasticemail.com/v2/account/profileoverview](https://api.elasticemail.com/v2/account/profileoverview)
[https://api.elevenlabs.io/v1/user](https://api.elevenlabs.io/v1/user)
[https://api.enablex.io/voice/v1/call/api/access](https://api.enablex.io/voice/v1/call/api/access)
[https://api.endorlabs.com/v1/auth/api](https://api.endorlabs.com/v1/auth/api)
[https://api.enigma.com/businesses/matchhttps](https://api.enigma.com/businesses/matchhttps)
[https://api.envoy.com/v1/locations](https://api.envoy.com/v1/locations)
[https://api.ers.usda.gov/data/arms/state](https://api.ers.usda.gov/data/arms/state)
[https://api.etherscan.io/api](https://api.etherscan.io/api)
[https://api.eu.newrelic.com/v2/users.jsonapplication/vnd.onesignal](https://api.eu.newrelic.com/v2/users.jsonapplication/vnd.onesignal)
[https://api.eu.sendgrid.comtag](https://api.eu.sendgrid.comtag)
[https://api.everhour.com/clientshttps](https://api.everhour.com/clientshttps)
[https://api.exchangeratesapi.io/v1/latest](https://api.exchangeratesapi.io/v1/latest)
[https://api.exportsdk.com/v1/pdfhttps](https://api.exportsdk.com/v1/pdfhttps)
[https://api.fastforex.io/fetch](https://api.fastforex.io/fetch)
[https://api.fastly.com/current_userhttps](https://api.fastly.com/current_userhttps)
[https://api.feedier.com/v1/carriers](https://api.feedier.com/v1/carriers)
[https://api.figma.com/v1/me](https://api.figma.com/v1/me)
[https://api.finage.co.uk/symbol](https://api.finage.co.uk/symbol)
[https://api.findl.com/v1.0/query](https://api.findl.com/v1.0/query)
[https://api.flat.io/v2/meapplication](https://api.flat.io/v2/meapplication)
[https://api.fleetbase.io/v1/contacts/](https://api.fleetbase.io/v1/contacts/)
[https://api.flightapi.io/iata/](https://api.flightapi.io/iata/)
[https://api.flightstats.com/flex/aircraft/rest/v1/json/availableFields](https://api.flightstats.com/flex/aircraft/rest/v1/json/availableFields)
[https://api.float.com/v3/people](https://api.float.com/v3/people)
[https://api.flutterwave.com/v3/subaccountshttps](https://api.flutterwave.com/v3/subaccountshttps)
[https://api.fmfw.io/api/3/spot/balancegithub](https://api.fmfw.io/api/3/spot/balancegithub)
[https://api.foursquare.com/v2/venues/trending](https://api.foursquare.com/v2/venues/trending)
[https://api.frame.io/v2/mehttps](https://api.frame.io/v2/mehttps)
[https://api.fulcrumapp.com/api/v2/forms.jsonhttps](https://api.fulcrumapp.com/api/v2/forms.jsonhttps)
[https://api.fullstory.com/operations/v1https](https://api.fullstory.com/operations/v1https)
[https://api.fullstory.com/v2/users](https://api.fullstory.com/v2/users)
[https://api.geckoboard.com/](https://api.geckoboard.com/)
[https://api.gemini.com/v1/accounthttps](https://api.gemini.com/v1/accounthttps)
[https://api.gengo.com/v2/account/me](https://api.gengo.com/v2/account/me)
[https://api.geoapify.com/v1/geocode/search](https://api.geoapify.com/v1/geocode/search)
[https://api.geocod.io/v1.6/geocode](https://api.geocod.io/v1.6/geocode)
[https://api.geocodify.com/v2/geocode](https://api.geocodify.com/v2/geocode)
[https://api.getbeamer.com/v0/url](https://api.getbeamer.com/v0/url)
[https://api.getgeoapi.com/v2/currency/list](https://api.getgeoapi.com/v2/currency/list)
[https://api.getgist.com/contacts/](https://api.getgist.com/contacts/)
[https://api.getpostman.com/collections/0/ch1/0/](https://api.getpostman.com/collections/0/ch1/0/)
[https://api.getpostman.com/environments/](https://api.getpostman.com/environments/)
[https://api.getpostman.com/meaccess_settings.activity.readmail_settings.template.updatesuppression.spam_reports.readsuppression.unsubscribes.readtracking_settings.open.updateuser](https://api.getpostman.com/meaccess_settings.activity.readmail_settings.template.updatesuppression.spam_reports.readsuppression.unsubscribes.readtracking_settings.open.updateuser)
[https://api.getpostman.com/workspaces/](https://api.getpostman.com/workspaces/)
[https://api.getpostman.com/workspacestracking_settings.subscription.updateworkflows.triggers.permissions.removehttps](https://api.getpostman.com/workspacestracking_settings.subscription.updateworkflows.triggers.permissions.removehttps)
[https://api.getresponse.com/v3/accountshttps](https://api.getresponse.com/v3/accountshttps)
[https://api.github.com/2006](https://api.github.com/2006)
[https://api.github.com/apphttps](https://api.github.com/apphttps)
[https://api.github.com/graphqlfailed](https://api.github.com/graphqlfailed)
[https://api.github.com/repos/exec](https://api.github.com/repos/exec)
[https://api.github.com/user/interaction](https://api.github.com/user/interaction)
[https://api.github.com/user/social_accountssql](https://api.github.com/user/social_accountssql)
[https://api.github.comInclude](https://api.github.comInclude)
[https://api.gitter.im/v1/user/me](https://api.gitter.im/v1/user/me)
[https://api.glassnode.com/v1/metrics/indicators/sopr](https://api.glassnode.com/v1/metrics/indicators/sopr)
[https://api.gocardless.com/customers/](https://api.gocardless.com/customers/)
[https://api.goodday.work/2.0/users](https://api.goodday.work/2.0/users)
[https://api.groovehq.com/v1/meexpected](https://api.groovehq.com/v1/meexpected)
[https://api.groq.com/openai/v1/models](https://api.groq.com/openai/v1/models)
[https://api.gumroad.com/v2/products](https://api.gumroad.com/v2/products)
[https://api.gyazo.com/api/images](https://api.gyazo.com/api/images)
[https://api.harvestapp.com/v2/users/me](https://api.harvestapp.com/v2/users/me)
[https://api.hellosign.com/v3/accounthttps](https://api.hellosign.com/v3/accounthttps)
[https://api.helpcrunch.com/v1/departmentshttps](https://api.helpcrunch.com/v1/departmentshttps)
[https://api.heroku.com/apps](https://api.heroku.com/apps)
[https://api.holistic.dev/api/v1/projecthttps](https://api.holistic.dev/api/v1/projecthttps)
[https://api.honeycomb.io/1/authhttps](https://api.honeycomb.io/1/authhttps)
[https://api.html2pdf.app/v1/generatehttps](https://api.html2pdf.app/v1/generatehttps)
[https://api.hubapi.com/contacts/v1/lists](https://api.hubapi.com/contacts/v1/lists)
[https://api.hunter.io/v2/leads_lists](https://api.hunter.io/v2/leads_lists)
[https://api.hybiscus.dev/api/v1/get](https://api.hybiscus.dev/api/v1/get)
[https://api.iconfinder.com/v4/iconsetslogin](https://api.iconfinder.com/v4/iconsetslogin)
[https://api.imagekit.io/v1/fileshttps](https://api.imagekit.io/v1/fileshttps)
[https://api.imagga.com/v2/usagehttps](https://api.imagga.com/v2/usagehttps)
[https://api.instabot.io/v1spring.datasource.password](https://api.instabot.io/v1spring.datasource.password)
[https://api.instamojo.com/oauth2/token/https](https://api.instamojo.com/oauth2/token/https)
[https://api.intercom.io/contacts](https://api.intercom.io/contacts)
[https://api.intra.42.fr/oauth/token](https://api.intra.42.fr/oauth/token)
[https://api.ip2location.io/](https://api.ip2location.io/)
[https://api.ipapi.com/49.146.239.251](https://api.ipapi.com/49.146.239.251)
[https://api.ipgeolocation.io/ipgeo](https://api.ipgeolocation.io/ipgeo)
[https://api.ipinfodb.com/v3/ip](https://api.ipinfodb.com/v3/ip)
[https://api.ipstack.com/134.201.250.155](https://api.ipstack.com/134.201.250.155)
[https://api.jotform.com/user](https://api.jotform.com/user)
[https://api.juro.com/v3/templates](https://api.juro.com/v3/templates)
[https://api.keen.io/3.0/organizations/](https://api.keen.io/3.0/organizations/)
[https://api.kickbox.com/v2/verify](https://api.kickbox.com/v2/verify)
[https://api.knapsackpro.com/v1/builds](https://api.knapsackpro.com/v1/builds)
[https://api.kraken.com/0/private/Balanceapplication/vnd.loadmill](https://api.kraken.com/0/private/Balanceapplication/vnd.loadmill)
[https://api.kucoin.com](https://api.kucoin.com)
[https://api.kylas.io/v1/contactshttps](https://api.kylas.io/v1/contactshttps)
[https://api.languagelayer.com/languages](https://api.languagelayer.com/languages)
[https://api.leadfeeder.com/accountsunexpected](https://api.leadfeeder.com/accountsunexpected)
[https://api.lemlist.com/api/teamhttps](https://api.lemlist.com/api/teamhttps)
[https://api.lemonsqueezy.com/v1/products/](https://api.lemonsqueezy.com/v1/products/)
[https://api.lessannoyingcrm.com](https://api.lessannoyingcrm.com)
[https://api.lexigram.io/v1/lexigraph/search](https://api.lexigram.io/v1/lexigraph/search)
[https://api.linear.app/graphqlhttps](https://api.linear.app/graphqlhttps)
[https://api.linkpreview.net/](https://api.linkpreview.net/)
[https://api.livestorm.co/v1/ping](https://api.livestorm.co/v1/ping)
[https://api.loganalytics.iohttps](https://api.loganalytics.iohttps)
[https://api.loganalytics.usservicebus.chinacloudapi.cndocuments.microsoftazure.denot](https://api.loganalytics.usservicebus.chinacloudapi.cndocuments.microsoftazure.denot)
[https://api.loginradius.com/identity/v2/serverinfo](https://api.loginradius.com/identity/v2/serverinfo)
[https://api.logz.io/v2/whoami](https://api.logz.io/v2/whoami)
[https://api.lokalise.com/api2/system/languages](https://api.lokalise.com/api2/system/languages)
[https://api.loyverse.com/v1.0/merchant/https](https://api.loyverse.com/v1.0/merchant/https)
[https://api.luno.com/api/1/balancehttps](https://api.luno.com/api/1/balancehttps)
[https://api.madkudu.com/v1/pinghttps](https://api.madkudu.com/v1/pinghttps)
[https://api.magicbell.com/notification_preferenceshttps](https://api.magicbell.com/notification_preferenceshttps)
[https://api.mailerlite.com/api/v2/campaigns](https://api.mailerlite.com/api/v2/campaigns)
[https://api.mailgun.net/v3/domainshttps](https://api.mailgun.net/v3/domainshttps)
[https://api.mailgun.net/v4/domainstracking_settings.google_analyticsmail_settings.plain_content.updatetemplates.versions.activate.createtemplates.versions.activate.deletetemplates](https://api.mailgun.net/v4/domainstracking_settings.google_analyticsmail_settings.plain_content.updatetemplates.versions.activate.createtemplates.versions.activate.deletetemplates)
[https://api.mailjet.com/v3/REST/messagehttps](https://api.mailjet.com/v3/REST/messagehttps)
[https://api.mailjet.com/v4/sms](https://api.mailjet.com/v4/sms)
[https://api.mailmodo.com/api/v1/campaigns](https://api.mailmodo.com/api/v1/campaigns)
[https://api.mapbox.com/tokens/v2/](https://api.mapbox.com/tokens/v2/)
[https://api.marketstack.com/v1/eod](https://api.marketstack.com/v1/eod)
[https://api.mavenlink.com/api/v1/workspaces.jsonhttps](https://api.mavenlink.com/api/v1/workspaces.jsonhttps)
[https://api.meaningcloud.com/lang](https://api.meaningcloud.com/lang)
[https://api.mediastack.com/v1/news](https://api.mediastack.com/v1/news)
[https://api.mesibo.com/api.php](https://api.mesibo.com/api.php)
[https://api.meta](https://api.meta)
[https://api.miro.com/v1/users/mehttps](https://api.miro.com/v1/users/mehttps)
[https://api.mixmax.com/v1/users/meNvidia](https://api.mixmax.com/v1/users/meNvidia)
[https://api.mockaroo.com/api/types](https://api.mockaroo.com/api/types)
[https://api.monday.com/v2](https://api.monday.com/v2)
[https://api.monkeylearn.com/v3/classifiers](https://api.monkeylearn.com/v3/classifiers)
[https://api.moonclerk.com/forms](https://api.moonclerk.com/forms)
[https://api.moosend.com/v3/lists.json](https://api.moosend.com/v3/lists.json)
[https://api.mux.com/video/v1/assetshttps](https://api.mux.com/video/v1/assetshttps)
[https://api.myintervals.com/client/https](https://api.myintervals.com/client/https)
[https://api.na1.insightly.com/v3.1/Contacts](https://api.na1.insightly.com/v3.1/Contacts)
[https://api.netlify.com/api/v1/siteshttps](https://api.netlify.com/api/v1/siteshttps)
[https://api.newrelic.com/v2/users.json](https://api.newrelic.com/v2/users.json)
[https://api.newscatcherapi.com/v2/search](https://api.newscatcherapi.com/v2/search)
[https://api.nftport.xyz/me/contractshttps](https://api.nftport.xyz/me/contractshttps)
[https://api.ngc.nvidia.com/v3/keys/get](https://api.ngc.nvidia.com/v3/keys/get)
[https://api.ngrok.com/agent_ingressesapplication/vnd.nylas](https://api.ngrok.com/agent_ingressesapplication/vnd.nylas)
[https://api.nicereply.com/v1/users/statshttps](https://api.nicereply.com/v1/users/statshttps)
[https://api.nightfall.ai/v3/uploadhttps](https://api.nightfall.ai/v3/uploadhttps)
[https://api.noticeable.io/graphql](https://api.noticeable.io/graphql)
[https://api.notion.com/v1/usershttps](https://api.notion.com/v1/usershttps)
[https://api.nylas.com/account](https://api.nylas.com/account)
[https://api.omnisend.com/v3/contacts](https://api.omnisend.com/v3/contacts)
[https://api.oopspam.com/v1/spamdetectionhttps](https://api.oopspam.com/v1/spamdetectionhttps)
[https://api.openai.com/v1/assistantsmail_settings.address_whitelist.readuser.multifactor_authentication.readadmin.conversations.convertToPrivateadmin.conversations.disconnectSharedadmin](https://api.openai.com/v1/assistantsmail_settings.address_whitelist.readuser.multifactor_authentication.readadmin.conversations.convertToPrivateadmin.conversations.disconnectSharedadmin)
[https://api.openai.com/v1/filesmail_settings.address_whitelistuser.multifactor_authenticationmail_settings.bounce_purge.readmail_settings.forward_spam.readpartner_settings](https://api.openai.com/v1/filesmail_settings.address_whitelistuser.multifactor_authenticationmail_settings.bounce_purge.readmail_settings.forward_spam.readpartner_settings)
[https://api.openai.com/v1/fine_tuning/jobsfailed](https://api.openai.com/v1/fine_tuning/jobsfailed)
[https://api.openai.com/v1/images/generations](https://api.openai.com/v1/images/generations)
[https://api.openai.com/v1/me](https://api.openai.com/v1/me)
[https://api.openai.com/v1/modelsuser.scheduled_sends](https://api.openai.com/v1/modelsuser.scheduled_sends)
[https://api.openai.com/v1/organizationsfailed](https://api.openai.com/v1/organizationsfailed)
[https://api.openai.com/v1/threads/1error](https://api.openai.com/v1/threads/1error)
[https://api.openai.com/v1/threadshttps](https://api.openai.com/v1/threadshttps)
[https://api.opencagedata.com/geocode/v1/json](https://api.opencagedata.com/geocode/v1/json)
[https://api.openuv.io/api/v1/uv](https://api.openuv.io/api/v1/uv)
[https://api.openweathermap.org/data/2.5/weather](https://api.openweathermap.org/data/2.5/weather)
[https://api.opsgenie.com/v2/account](https://api.opsgenie.com/v2/account)
[https://api.opsgenie.com/v2/alerts/](https://api.opsgenie.com/v2/alerts/)
[https://api.opsgenie.com/v2/users](https://api.opsgenie.com/v2/users)
[https://api.optimizely.com/v2/projectsapplication/vnd.planyo](https://api.optimizely.com/v2/projectsapplication/vnd.planyo)
[https://api.overloop.com/public/v1/usersapplication/vnd.pagerduty](https://api.overloop.com/public/v1/usersapplication/vnd.pagerduty)
[https://api.pagar.me/1/balance](https://api.pagar.me/1/balance)
[https://api.pagerduty.com/usershttps](https://api.pagerduty.com/usershttps)
[https://api.pandadoc.com/public/v1/documentshttps](https://api.pandadoc.com/public/v1/documentshttps)
[https://api.pandascore.co/videogames](https://api.pandascore.co/videogames)
[https://api.paperform.co/v1/formshttps](https://api.paperform.co/v1/formshttps)
[https://api.parsers.dev/api/v1/parse/postgresql/https](https://api.parsers.dev/api/v1/parse/postgresql/https)
[https://api.parseur.com/postgresql](https://api.parseur.com/postgresql)
[https://api.partnerstack.com/api/v2/partnershipshttps](https://api.partnerstack.com/api/v2/partnershipshttps)
[https://api.paymongo.com/v1/payment_methodshttps](https://api.paymongo.com/v1/payment_methodshttps)
[https://api.paystack.co/customerhttps](https://api.paystack.co/customerhttps)
[https://api.pdflayer.com/api/convert](https://api.pdflayer.com/api/convert)
[https://api.pdfshift.io/v3/credits/usagehttps](https://api.pdfshift.io/v3/credits/usagehttps)
[https://api.peopledatalabs.com/v5/person/enrich](https://api.peopledatalabs.com/v5/person/enrich)
[https://api.pepipost.com/v5.1/domain/getDomains](https://api.pepipost.com/v5.1/domain/getDomains)
[https://api.pinata.cloud/pinning/pinJSONToIPFS](https://api.pinata.cloud/pinning/pinJSONToIPFS)
[https://api.pipedream.com/v1/users/mehttps](https://api.pipedream.com/v1/users/mehttps)
[https://api.planetscale.com/v1/organizationshttps](https://api.planetscale.com/v1/organizationshttps)
[https://api.plivo.com/v1/Account/](https://api.plivo.com/v1/Account/)
[https://api.podio.com/user](https://api.podio.com/user)
[https://api.pollsapi.com/v1/get/polls](https://api.pollsapi.com/v1/get/polls)
[https://api.polygon.io/v2/reference/locales](https://api.polygon.io/v2/reference/locales)
[https://api.positionstack.com/v1/forward](https://api.positionstack.com/v1/forward)
[https://api.postageapp.com/v.1.0/get_account_info.json](https://api.postageapp.com/v.1.0/get_account_info.json)
[https://api.postbacks.io/v1/requestPostbackhttps](https://api.postbacks.io/v1/requestPostbackhttps)
[https://api.postmarkapp.com/deliverystatshttps](https://api.postmarkapp.com/deliverystatshttps)
[https://api.prefect.cloud/auth/loginInclude](https://api.prefect.cloud/auth/loginInclude)
[https://api.privacy.com/v1/card](https://api.privacy.com/v1/card)
[https://api.prodpad.com/v1/tagshttps](https://api.prodpad.com/v1/tagshttps)
[https://api.proxycrawl.com/leads](https://api.proxycrawl.com/leads)
[https://api.pulumi.com/api/user/stackshttps](https://api.pulumi.com/api/user/stackshttps)
[https://api.pushbullet.com/v2/users/mehttps](https://api.pushbullet.com/v2/users/mehttps)
[https://api.qase.io/v1/user](https://api.qase.io/v1/user)
[https://api.qualaroo.com/api/v1/nudgeshttps](https://api.qualaroo.com/api/v1/nudgeshttps)
[https://api.ramp.com/developer/v1/tokenhttps](https://api.ramp.com/developer/v1/tokenhttps)
[https://api.rawg.io/api/platforms](https://api.rawg.io/api/platforms)
[https://api.razorpay.com/v1/items](https://api.razorpay.com/v1/items)
[https://api.rebrandly.com/v1/accounthttps](https://api.rebrandly.com/v1/accounthttps)
[https://api.rechargeapps.com/token_information&url=https](https://api.rechargeapps.com/token_information&url=https)
[https://api.refiner.io/v1/identify](https://api.refiner.io/v1/identify)
[https://api.rentman.net/filesAPI](https://api.rentman.net/filesAPI)
[https://api.replicate.com/v1/predictionshttps](https://api.replicate.com/v1/predictionshttps)
[https://api.reply.io/v1/peoplehttps](https://api.reply.io/v1/peoplehttps)
[https://api.request.finance/invoiceshttps](https://api.request.finance/invoiceshttps)
[https://api.ritekit.com/v1/stats/multiple](https://api.ritekit.com/v1/stats/multiple)
[https://api.roaring.io/token](https://api.roaring.io/token)
[https://api.rocketreach.co/v2/api/accountapplication/vnd.semaphore](https://api.rocketreach.co/v2/api/accountapplication/vnd.semaphore)
[https://api.route4me.com/api.v4/address_book.php](https://api.route4me.com/api.v4/address_book.php)
[https://api.rownd.io/applications/https](https://api.rownd.io/applications/https)
[https://api.rs2.usw2.rockset.com/v1/orgs/self/querieshttps](https://api.rs2.usw2.rockset.com/v1/orgs/self/querieshttps)
[https://api.runscope.com/accounthttps](https://api.runscope.com/accounthttps)
[https://api.salesflare.com/me/contacts](https://api.salesflare.com/me/contacts)
[https://api.sandbox.checkout.com/customers/https](https://api.sandbox.checkout.com/customers/https)
[https://api.sandbox.signaturit.com/v3/signatures.jsonhttps](https://api.sandbox.signaturit.com/v3/signatures.jsonhttps)
[https://api.scaleway.com/instance/v1/zones/fr](https://api.scaleway.com/instance/v1/zones/fr)
[https://api.scrapeowl.com/v1/scrape](https://api.scrapeowl.com/v1/scrape)
[https://api.scraperapi.com](https://api.scraperapi.com)
[https://api.scraperbox.com/scrape](https://api.scraperbox.com/scrape)
[https://api.scrapestack.com/scrape](https://api.scrapestack.com/scrape)
[https://api.scrapfly.io/scrape](https://api.scrapfly.io/scrape)
[https://api.scrapingant.com/v1/general](https://api.scrapingant.com/v1/general)
[https://api.screenshotlayer.com/api/capture](https://api.screenshotlayer.com/api/capture)
[https://api.securitytrails.com/v1/pinghttps](https://api.securitytrails.com/v1/pinghttps)
[https://api.semaphore.co/api/v4/account](https://api.semaphore.co/api/v4/account)
[https://api.sendgrid.com/v3/scopesfailed](https://api.sendgrid.com/v3/scopesfailed)
[https://api.sendgrid.comShopify](https://api.sendgrid.comShopify)
[https://api.sendinblue.com/v3/account](https://api.sendinblue.com/v3/account)
[https://api.serphouse.com/account/info](https://api.serphouse.com/account/info)
[https://api.serpstack.com/search](https://api.serpstack.com/search)
[https://api.sheety.co/](https://api.sheety.co/)
[https://api.sherpadesk.com/organizations/https](https://api.sherpadesk.com/organizations/https)
[https://api.shipday.com/carriers](https://api.shipday.com/carriers)
[https://api.shodan.io/api](https://api.shodan.io/api)
[https://api.shotstack.io/stage/renderhttps](https://api.shotstack.io/stage/renderhttps)
[https://api.shutterstock.com/v2/images/searchhttps](https://api.shutterstock.com/v2/images/searchhttps)
[https://api.shutterstock.com/v2/userhelper](https://api.shutterstock.com/v2/userhelper)
[https://api.signable.co.uk/v1/templates](https://api.signable.co.uk/v1/templates)
[https://api.signupgenius.com/v2/k/user/profile/](https://api.signupgenius.com/v2/k/user/profile/)
[https://api.sigopt.com/v1/experimentshttps](https://api.sigopt.com/v1/experimentshttps)
[https://api.simplesat.io/api/answers/](https://api.simplesat.io/api/answers/)
[https://api.simplynoted.com/api/productsfakeTruffleHogAccessTokenForVerificationhttps](https://api.simplynoted.com/api/productsfakeTruffleHogAccessTokenForVerificationhttps)
[https://api.sirv.com/v2/tokenSlack](https://api.sirv.com/v2/tokenSlack)
[https://api.siteleaf.com/v2/siteshttps](https://api.siteleaf.com/v2/siteshttps)
[https://api.skrapp.io/api/v2/accounthttps](https://api.skrapp.io/api/v2/accounthttps)
[https://api.skybiometry.com/fc/account/authenticate](https://api.skybiometry.com/fc/account/authenticate)
[https://api.smartsheet.com/2.0/sheetshttps](https://api.smartsheet.com/2.0/sheetshttps)
[https://api.smooch.io/v2/appsunable](https://api.smooch.io/v2/appsunable)
[https://api.speechtext.ai/recognize](https://api.speechtext.ai/recognize)
[https://api.spoonacular.com/recipes/random](https://api.spoonacular.com/recipes/random)
[https://api.squarespace.com/1.0/profiles](https://api.squarespace.com/1.0/profiles)
[https://api.statuscake.com/v1/sslhttps](https://api.statuscake.com/v1/sslhttps)
[https://api.statuspage.io/v1/pageshttps](https://api.statuspage.io/v1/pageshttps)
[https://api.stitchdata.com/v4/sourceshttps](https://api.stitchdata.com/v4/sourceshttps)
[https://api.stockdata.org/v1/data/quote](https://api.stockdata.org/v1/data/quote)
[https://api.storecove.com/api/v2/discovery/identifiershttps](https://api.storecove.com/api/v2/discovery/identifiershttps)
[https://api.stormboard.com/users/profileapplication/vnd.timecamp](https://api.stormboard.com/users/profileapplication/vnd.timecamp)
[https://api.stormglass.io/v2/weather/point](https://api.stormglass.io/v2/weather/point)
[https://api.storyblok.com/v1/cdn/spaces/me/](https://api.storyblok.com/v1/cdn/spaces/me/)
[https://api.storychief.io/1.0/users](https://api.storychief.io/1.0/users)
[https://api.stripe.com/v1/account/login_links](https://api.stripe.com/v1/account/login_links)
[https://api.stripe.com/v1/account_links](https://api.stripe.com/v1/account_links)
[https://api.stripe.com/v1/apple_pay/domains](https://api.stripe.com/v1/apple_pay/domains)
[https://api.stripe.com/v1/application_fees/nowaythiscanexist/refunds](https://api.stripe.com/v1/application_fees/nowaythiscanexist/refunds)
[https://api.stripe.com/v1/balance](https://api.stripe.com/v1/balance)
[https://api.stripe.com/v1/billing/meter_event_adjustments](https://api.stripe.com/v1/billing/meter_event_adjustments)
[https://api.stripe.com/v1/billing/meter_events](https://api.stripe.com/v1/billing/meter_events)
[https://api.stripe.com/v1/billing/meters/nowaythiscanexist/event_summaries](https://api.stripe.com/v1/billing/meters/nowaythiscanexist/event_summaries)
[https://api.stripe.com/v1/billing_portal/sessions](https://api.stripe.com/v1/billing_portal/sessions)
[https://api.stripe.com/v1/chargesx509](https://api.stripe.com/v1/chargesx509)
[https://api.stripe.com/v1/checkout/sessions](https://api.stripe.com/v1/checkout/sessions)
[https://api.stripe.com/v1/climate/orders](https://api.stripe.com/v1/climate/orders)
[https://api.stripe.com/v1/confirmation_tokens/nowaythiscanexist](https://api.stripe.com/v1/confirmation_tokens/nowaythiscanexist)
[https://api.stripe.com/v1/coupons](https://api.stripe.com/v1/coupons)
[https://api.stripe.com/v1/credit_notes/nowaythiscanexsit](https://api.stripe.com/v1/credit_notes/nowaythiscanexsit)
[https://api.stripe.com/v1/customer_sessions](https://api.stripe.com/v1/customer_sessions)
[https://api.stripe.com/v1/customers/nowaythiscanexist](https://api.stripe.com/v1/customers/nowaythiscanexist)
[https://api.stripe.com/v1/disputes/nowaycanthisexist](https://api.stripe.com/v1/disputes/nowaycanthisexist)
[https://api.stripe.com/v1/ephemeral_keys](https://api.stripe.com/v1/ephemeral_keys)
[https://api.stripe.com/v1/events](https://api.stripe.com/v1/events)
[https://api.stripe.com/v1/files](https://api.stripe.com/v1/files)
[https://api.stripe.com/v1/identity/verification_sessions](https://api.stripe.com/v1/identity/verification_sessions)
[https://api.stripe.com/v1/invoices](https://api.stripe.com/v1/invoices)
[https://api.stripe.com/v1/issuing/authorizations/nowaythiscanexist](https://api.stripe.com/v1/issuing/authorizations/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/cardholders/nowaythiscanexist](https://api.stripe.com/v1/issuing/cardholders/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/cards/nowaythiscanexist](https://api.stripe.com/v1/issuing/cards/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/disputes/nowaythiscanexist](https://api.stripe.com/v1/issuing/disputes/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/funding_instructions](https://api.stripe.com/v1/issuing/funding_instructions)
[https://api.stripe.com/v1/issuing/tokens/nowaythiscanexist](https://api.stripe.com/v1/issuing/tokens/nowaythiscanexist)
[https://api.stripe.com/v1/issuing/transactions/nowaythiscanexist](https://api.stripe.com/v1/issuing/transactions/nowaythiscanexist)
[https://api.stripe.com/v1/orders](https://api.stripe.com/v1/orders)
[https://api.stripe.com/v1/payment_intents](https://api.stripe.com/v1/payment_intents)
[https://api.stripe.com/v1/payment_links](https://api.stripe.com/v1/payment_links)
[https://api.stripe.com/v1/payment_method_domains](https://api.stripe.com/v1/payment_method_domains)
[https://api.stripe.com/v1/payment_methods/nowaycanthisexist](https://api.stripe.com/v1/payment_methods/nowaycanthisexist)
[https://api.stripe.com/v1/payouts](https://api.stripe.com/v1/payouts)
[https://api.stripe.com/v1/prices](https://api.stripe.com/v1/prices)
[https://api.stripe.com/v1/products](https://api.stripe.com/v1/products)
[https://api.stripe.com/v1/promotion_codes](https://api.stripe.com/v1/promotion_codes)
[https://api.stripe.com/v1/quotes/nowaythiscanexist](https://api.stripe.com/v1/quotes/nowaythiscanexist)
[https://api.stripe.com/v1/reporting/report_runs](https://api.stripe.com/v1/reporting/report_runs)
[https://api.stripe.com/v1/reviews/nowaycanthisexist/approve](https://api.stripe.com/v1/reviews/nowaycanthisexist/approve)
[https://api.stripe.com/v1/setup_intents/nowaycanthisexist](https://api.stripe.com/v1/setup_intents/nowaycanthisexist)
[https://api.stripe.com/v1/shipping_rates](https://api.stripe.com/v1/shipping_rates)
[https://api.stripe.com/v1/skus](https://api.stripe.com/v1/skus)
[https://api.stripe.com/v1/sources/nowaycanthisexist](https://api.stripe.com/v1/sources/nowaycanthisexist)
[https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_record_summaries](https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_record_summaries)
[https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_records](https://api.stripe.com/v1/subscription_items/nowaythiscanexist/usage_records)
[https://api.stripe.com/v1/subscriptions](https://api.stripe.com/v1/subscriptions)
[https://api.stripe.com/v1/tax/calculations/nowaycanthisexist/line_items](https://api.stripe.com/v1/tax/calculations/nowaycanthisexist/line_items)
[https://api.stripe.com/v1/tax/registrations/nowaycanthisexist](https://api.stripe.com/v1/tax/registrations/nowaycanthisexist)
[https://api.stripe.com/v1/tax/settings](https://api.stripe.com/v1/tax/settings)
[https://api.stripe.com/v1/tax_ids](https://api.stripe.com/v1/tax_ids)
[https://api.stripe.com/v1/tax_rates](https://api.stripe.com/v1/tax_rates)
[https://api.stripe.com/v1/terminal/configurations/nowaythiscanexist](https://api.stripe.com/v1/terminal/configurations/nowaythiscanexist)
[https://api.stripe.com/v1/terminal/locations](https://api.stripe.com/v1/terminal/locations)
[https://api.stripe.com/v1/terminal/readers](https://api.stripe.com/v1/terminal/readers)
[https://api.stripe.com/v1/test_helpers/confirmation_tokens](https://api.stripe.com/v1/test_helpers/confirmation_tokens)
[https://api.stripe.com/v1/test_helpers/test_clocks](https://api.stripe.com/v1/test_helpers/test_clocks)
[https://api.stripe.com/v1/tokens/nowaycanthisexist](https://api.stripe.com/v1/tokens/nowaycanthisexist)
[https://api.stripe.com/v1/topups](https://api.stripe.com/v1/topups)
[https://api.stripe.com/v1/transfers](https://api.stripe.com/v1/transfers)
[https://api.stripe.com/v1/webhook_endpoints](https://api.stripe.com/v1/webhook_endpoints)
[https://api.stytch.com/v1/users/pendingapplication/vnd.tatumio](https://api.stytch.com/v1/users/pendingapplication/vnd.tatumio)
[https://api.supabase.com/v1/projectshttps](https://api.supabase.com/v1/projectshttps)
[https://api.supernotes.app/v1/userhttps](https://api.supernotes.app/v1/userhttps)
[https://api.surveyanyplace.com/v1/surveys/https](https://api.surveyanyplace.com/v1/surveys/https)
[https://api.surveysparrow.com/v1/contactshttps](https://api.surveysparrow.com/v1/contactshttps)
[https://api.swell.store/products](https://api.swell.store/products)
[https://api.tailscale.com/api/v2/secret](https://api.tailscale.com/api/v2/secret)
[https://api.tallyfy.com/me](https://api.tallyfy.com/me)
[https://api.taxjar.com/v2/categorieshttps](https://api.taxjar.com/v2/categorieshttps)
[https://api.teamgate.com/v4/usershttps](https://api.teamgate.com/v4/usershttps)
[https://api.telegram.org/bot](https://api.telegram.org/bot)
[https://api.teletype.app/public/api/v1/messageshttps](https://api.teletype.app/public/api/v1/messageshttps)
[https://api.telnyx.com/v2/messaging_profilesapplication/vnd.tickettailor](https://api.telnyx.com/v2/messaging_profilesapplication/vnd.tickettailor)
[https://api.testingbot.com/v1/userhttps](https://api.testingbot.com/v1/userhttps)
[https://api.textanywhere.com/API/v1.0/REST/statushttps](https://api.textanywhere.com/API/v1.0/REST/statushttps)
[https://api.thinkific.com/api/public/v1/collectionshttps](https://api.thinkific.com/api/public/v1/collectionshttps)
[https://api.thousandeyes.com/v6/endpoint](https://api.thousandeyes.com/v6/endpoint)
[https://api.tickettailor.com/v1/ordershttps](https://api.tickettailor.com/v1/ordershttps)
[https://api.tiingo.com/tiingo/fundamentals/definitionshttps](https://api.tiingo.com/tiingo/fundamentals/definitionshttps)
[https://api.todoist.com/rest/v2/projectshttps](https://api.todoist.com/rest/v2/projectshttps)
[https://api.tomorrow.io/v4/alerts](https://api.tomorrow.io/v4/alerts)
[https://api.tomtom.com/map/1/tile/basic/main/0/0/0.png](https://api.tomtom.com/map/1/tile/basic/main/0/0/0.png)
[https://api.tradier.com/v1/watchlistshttps](https://api.tradier.com/v1/watchlistshttps)
[https://api.transferwise.com/v2/profileshttps](https://api.transferwise.com/v2/profileshttps)
[https://api.travelpayouts.com/v2/prices/latest](https://api.travelpayouts.com/v2/prices/latest)
[https://api.travis](https://api.travis)
[https://api.trello.com/1/members/me](https://api.trello.com/1/members/me)
[https://api.twelvedata.com/earliest_timestamp](https://api.twelvedata.com/earliest_timestamp)
[https://api.twilio.com/2010](https://api.twilio.com/2010)
[https://api.twist.com/api/v3/users/get_session_userhttps](https://api.twist.com/api/v3/users/get_session_userhttps)
[https://api.twitter.com/2/tweets/20https](https://api.twitter.com/2/tweets/20https)
[https://api.twitter.com/oauth2/tokenapplication/vnd.uploadcare](https://api.twitter.com/oauth2/tokenapplication/vnd.uploadcare)
[https://api.tyntec.com/2fa/v1/applicationerror](https://api.tyntec.com/2fa/v1/applicationerror)
[https://api.typeform.com/me](https://api.typeform.com/me)
[https://api.uclassify.com/v1/uClassify/Sentiment/classifyReceived](https://api.uclassify.com/v1/uClassify/Sentiment/classifyReceived)
[https://api.unify.id/v1/humandetect/verifyhttps](https://api.unify.id/v1/humandetect/verifyhttps)
[https://api.unplu.gg/forecasthttps](https://api.unplu.gg/forecasthttps)
[https://api.unsplash.com/photos/](https://api.unsplash.com/photos/)
[https://api.upcdatabase.org/product/0111222333446](https://api.upcdatabase.org/product/0111222333446)
[https://api.uplead.com/v2/creditshttps](https://api.uplead.com/v2/creditshttps)
[https://api.uploadcare.com/files/https](https://api.uploadcare.com/files/https)
[https://api.uptimerobot.com/v2/getMonitors](https://api.uptimerobot.com/v2/getMonitors)
[https://api.upwave.io/workspaces/https](https://api.upwave.io/workspaces/https)
[https://api.us1.signalfx.com/v2/dashboard](https://api.us1.signalfx.com/v2/dashboard)
[https://api.us2.sumologic.com/api/v1/users](https://api.us2.sumologic.com/api/v1/users)
[https://api.userflow.com/users](https://api.userflow.com/users)
[https://api.userstack.com/detect](https://api.userstack.com/detect)
[https://api.vbout.com/1/app/me.json](https://api.vbout.com/1/app/me.json)
[https://api.vercel.com/www/userenumerating](https://api.vercel.com/www/userenumerating)
[https://api.verimail.io/v3/verify](https://api.verimail.io/v3/verify)
[https://api.veriphone.io/v2/verify](https://api.veriphone.io/v2/verify)
[https://api.voicegain.ai/v1/sa/confighttps](https://api.voicegain.ai/v1/sa/confighttps)
[https://api.voodoosms.com/creditsError](https://api.voodoosms.com/creditsError)
[https://api.vultr.com/v2/accounterror](https://api.vultr.com/v2/accounterror)
[https://api.vyte.in/v2/events](https://api.vyte.in/v2/events)
[https://api.weatherbit.io/v2.0/history/airquality](https://api.weatherbit.io/v2.0/history/airquality)
[https://api.weatherstack.com/current](https://api.weatherstack.com/current)
[https://api.web3.storage/user/uploadshttps](https://api.web3.storage/user/uploadshttps)
[https://api.webflow.com/info](https://api.webflow.com/info)
[https://api.webscraper.io/api/v1/sitemaps](https://api.webscraper.io/api/v1/sitemaps)
[https://api.webscrapingapi.com/v1](https://api.webscrapingapi.com/v1)
[https://api.websitepulse.com/textserver.php](https://api.websitepulse.com/textserver.php)
[https://api.whoxy.com/](https://api.whoxy.com/)
[https://api.wistia.com/v1/stats/account.json](https://api.wistia.com/v1/stats/account.json)
[https://api.worksnaps.com/api/projects.xmlunable](https://api.worksnaps.com/api/projects.xmlunable)
[https://api.worldweatheronline.com/premium/v1/search.ashx](https://api.worldweatheronline.com/premium/v1/search.ashx)
[https://api.yelp.com/v3/businesses/search](https://api.yelp.com/v3/businesses/search)
[https://api.youneedabudget.com/v1/user](https://api.youneedabudget.com/v1/user)
[https://api.zenrows.com/v1/](https://api.zenrows.com/v1/)
[https://api.zeplin.dev/v1/users/meerror](https://api.zeplin.dev/v1/users/meerror)
[https://api.zerobounce.net/v1/activity](https://api.zerobounce.net/v1/activity)
[https://api.zerotier.com/api/v1/networkBranch](https://api.zerotier.com/api/v1/networkBranch)
[https://api.zipbooks.com/v2/auth/loginTotal](https://api.zipbooks.com/v2/auth/loginTotal)
[https://api2.autopilothq.com/v1/account](https://api2.autopilothq.com/v1/account)
[https://api2.frontapp.com/accountshttps](https://api2.frontapp.com/accountshttps)
[https://api4.nozbe.com/v1/api/usershttps](https://api4.nozbe.com/v1/api/usershttps)
[https://apilayer.net/api/check](https://apilayer.net/api/check)
[https://apilayer.net/api/validate](https://apilayer.net/api/validate)
[https://apis.paralleldots.com/v4/intenterror](https://apis.paralleldots.com/v4/intenterror)
[https://apiv2.allsportsapi.com/football/](https://apiv2.allsportsapi.com/football/)
[https://apiv2.bitcoinaverage.com/websocket/v3/get_tickethttps](https://apiv2.bitcoinaverage.com/websocket/v3/get_tickethttps)
[https://apiv4.reallysimplesystems.com/accountshttps](https://apiv4.reallysimplesystems.com/accountshttps)
[https://app.apacta.com/api/v1/time_entries](https://app.apacta.com/api/v1/time_entries)
[https://app.asana.com/api/1.0/users/meRead](https://app.asana.com/api/1.0/users/meRead)
[https://app.atera.com/api/v3/alertshttps](https://app.atera.com/api/v3/alertshttps)
[https://app.ayrshare.com/api/analytics/links](https://app.ayrshare.com/api/analytics/links)
[https://app.besnappy.com/api/v1/accountshttps](https://app.besnappy.com/api/v1/accountshttps)
[https://app.caflou.com/api/v1/accounts.currencycloud.com/v2/authenticate/apihttps](https://app.caflou.com/api/v1/accounts.currencycloud.com/v2/authenticate/apihttps)
[https://app.circleci.com/pipelines/](https://app.circleci.com/pipelines/)
[https://app.codacy.com/api/v3/user](https://app.codacy.com/api/v3/user)
[https://app.eraser.io/api/render/elements](https://app.eraser.io/api/render/elements)
[https://app.goflightlabs.com/airports](https://app.goflightlabs.com/airports)
[https://app.karmacrm.com/api/v3/contacts.json](https://app.karmacrm.com/api/v3/contacts.json)
[https://app.klipfolio.com/api/1.0/users](https://app.klipfolio.com/api/1.0/users)
[https://app.launchdarkly.com/api/v2/caller](https://app.launchdarkly.com/api/v2/caller)
[https://app.lendflow.io/api/v1/deals](https://app.lendflow.io/api/v1/deals)
[https://app.loadmill.com/api/v1/labels](https://app.loadmill.com/api/v1/labels)
[https://app.magnetichq.com/Magnetic/rest/accountsAPI/itemTypes](https://app.magnetichq.com/Magnetic/rest/accountsAPI/itemTypes)
[https://app.nimble.com/api/v1/myselfhttps](https://app.nimble.com/api/v1/myselfhttps)
[https://app.onedesk.com/rest/2.0/login/loginUserhttps](https://app.onedesk.com/rest/2.0/login/loginUserhttps)
[https://app.onepagecrm.com/api/v3/contacts.json](https://app.onepagecrm.com/api/v3/contacts.json)
[https://app.paymoapp.com/api/me](https://app.paymoapp.com/api/me)
[https://app.posthog.com/api/event/](https://app.posthog.com/api/event/)
[https://app.revampcrm.com/api/1.0/User/WhoAmIhttps](https://app.revampcrm.com/api/1.0/User/WhoAmIhttps)
[https://app.satismeter.com/api/users](https://app.satismeter.com/api/users)
[https://app.scrapingbee.com/api/v1/](https://app.scrapingbee.com/api/v1/)
[https://app.snipcart.com/api/ordersgrant_type=refresh_token&client_id=](https://app.snipcart.com/api/ordersgrant_type=refresh_token&client_id=)
[https://app.surveybot.io/api/v1/surveys](https://app.surveybot.io/api/v1/surveys)
[https://app.terraform.io/api/v2/account/detailshttps](https://app.terraform.io/api/v2/account/detailshttps)
[https://app.ticketmaster.com/discovery/v2/events.json](https://app.ticketmaster.com/discovery/v2/events.json)
[https://app.timecamp.com/third_party/api/user](https://app.timecamp.com/third_party/api/user)
[https://app.tmetric.com/api/v3/userhttps](https://app.tmetric.com/api/v3/userhttps)
[https://app.travis](https://app.travis)
[https://app.vagrantup.com/api/v2/authenticateunexpected](https://app.vagrantup.com/api/v2/authenticateunexpected)
[https://app.workstack.io/api/team](https://app.workstack.io/api/team)
[https://app.zenscrape.com/api/v1/statushttps](https://app.zenscrape.com/api/v1/statushttps)
[https://app.zenserp.com/api/v2/search](https://app.zenserp.com/api/v2/search)
[https://app.zipcodebase.com/api/v1/search](https://app.zipcodebase.com/api/v1/search)
[https://apple.comhttps](https://apple.comhttps)
[https://auth.app.wiz.io/oauth/tokenerror](https://auth.app.wiz.io/oauth/tokenerror)
[https://auth.dfuse.io/v1/auth/issuehttps](https://auth.dfuse.io/v1/auth/issuehttps)
[https://auth.freshbooks.com/oauth/authorize](https://auth.freshbooks.com/oauth/authorize)
[https://authn.nvidia.com/token](https://authn.nvidia.com/token)
[https://axonaut.com/api/v2/companies](https://axonaut.com/api/v2/companies)
[https://backboard.railway.app/graphql/v2application/vnd.sugester](https://backboard.railway.app/graphql/v2application/vnd.sugester)
[https://base.zenkit.com/api/v1/users/mehttps](https://base.zenkit.com/api/v1/users/mehttps)
[https://batch.chinacloudapi.cn/mysql.database.chinacloudapi.cnhttps](https://batch.chinacloudapi.cn/mysql.database.chinacloudapi.cnhttps)
[https://batch.cloudapi.de/mysql.database.cloudapi.decloudapp.microsoftazure.denegative](https://batch.cloudapi.de/mysql.database.cloudapi.decloudapp.microsoftazure.denegative)
[https://batch.core.usgovcloudapi.net/https](https://batch.core.usgovcloudapi.net/https)
[https://batch.core.windows.net/https](https://batch.core.windows.net/https)
[https://besttime.app/api/v1/keys/https](https://besttime.app/api/v1/keys/https)
[https://blitapp.com/api/apps/allhttps](https://blitapp.com/api/apps/allhttps)
[https://boostnote.io/api/docshttps](https://boostnote.io/api/docshttps)
[https://budibase.app/api/public/v1/applications/searchhttps](https://budibase.app/api/public/v1/applications/searchhttps)
[https://calendarific.com/api/v2/holidays](https://calendarific.com/api/v2/holidays)
[https://campayn.com/api/v1/lists](https://campayn.com/api/v1/lists)
[https://canny.io/api/v1/boards/listhttps](https://canny.io/api/v1/boards/listhttps)
[https://capi.tokeet.com/v1/user](https://capi.tokeet.com/v1/user)
[https://cex.io/api/balance/](https://cex.io/api/balance/)
[https://checkvist.com/auth/login.json](https://checkvist.com/auth/login.json)
[https://cicero.azavea.com/v3.1/account/credits_remaining](https://cicero.azavea.com/v3.1/account/credits_remaining)
[https://circleci.com/api/v1.1/invalid](https://circleci.com/api/v1.1/invalid)
[https://circleci.com/api/v2/mehttps](https://circleci.com/api/v2/mehttps)
[https://cloud.bitbar.com/api/mehttps](https://cloud.bitbar.com/api/mehttps)
[https://cloud.digitalocean.com/v1/oauth/token](https://cloud.digitalocean.com/v1/oauth/token)
[https://cloud.drone.io/api/userhttps](https://cloud.drone.io/api/userhttps)
[https://cloud.google.com/docs/authentication/external/set](https://cloud.google.com/docs/authentication/external/set)
[https://cloud.iexapis.com/stable/stock/aapl/quote](https://cloud.iexapis.com/stable/stock/aapl/quote)
[https://cloud.iexapis.com/v1/stock/aapl/quote](https://cloud.iexapis.com/v1/stock/aapl/quote)
[https://cloud.viewneo.com/api/v1.0/playlistapplication/vnd.zipcodebase](https://cloud.viewneo.com/api/v1.0/playlistapplication/vnd.zipcodebase)
[https://clustdoc.com/api/usershttps](https://clustdoc.com/api/usershttps)
[https://coda.io/apis/v1/whoami](https://coda.io/apis/v1/whoami)
[https://codequiry.com/api/v1/checks](https://codequiry.com/api/v1/checks)
[https://coinlib.io/api/v1/global](https://coinlib.io/api/v1/global)
[https://collect2.com/api/](https://collect2.com/api/)
[https://commodities](https://commodities)
[https://connect.squareup.com/oauth2/authorize](https://connect.squareup.com/oauth2/authorize)
[https://connect.squareup.com/oauth2/token/statusx509](https://connect.squareup.com/oauth2/token/statusx509)
[https://connect.squareup.com/v2/team](https://connect.squareup.com/v2/team)
[https://connect.squareupsandbox.com/oauth2/revokehttps](https://connect.squareupsandbox.com/oauth2/revokehttps)
[https://connect.squareupsandbox.com/v2/merchantshttps](https://connect.squareupsandbox.com/v2/merchantshttps)
[https://console.jumpcloud.com/api/v2/systemgroupshttps](https://console.jumpcloud.com/api/v2/systemgroupshttps)
[https://content.guardianapis.com/search](https://content.guardianapis.com/search)
[https://convier.me/api/eventhttps](https://convier.me/api/eventhttps)
[https://cosmos.azure.comfailed](https://cosmos.azure.comfailed)
[https://coveralls.io/api/repos/github/secretscanner02/scanner](https://coveralls.io/api/repos/github/secretscanner02/scanner)
[https://customer.guru/export/customers](https://customer.guru/export/customers)
[https://dash.readme.com/api/v1https](https://dash.readme.com/api/v1https)
[https://dashboard.chatfuel.com/api/botshttps](https://dashboard.chatfuel.com/api/botshttps)
[https://data.fixer.io/api/latest](https://data.fixer.io/api/latest)
[https://database.chinacloudapi.cn/expected](https://database.chinacloudapi.cn/expected)
[https://database.cloudapi.de/not](https://database.cloudapi.de/not)
[https://database.usgovcloudapi.net/data](https://database.usgovcloudapi.net/data)
[https://database.windows.net/postgres.database.cloudapi.dehttps](https://database.windows.net/postgres.database.cloudapi.dehttps)
[https://datalake.azure.net/https](https://datalake.azure.net/https)
[https://dataservice.accuweather.com/locations/v1/cities/autocomplete](https://dataservice.accuweather.com/locations/v1/cities/autocomplete)
[https://deliver.kontent.ai/](https://deliver.kontent.ai/)
[https://dev.azure.com/](https://dev.azure.com/)
[https://dev.azuresynapse.nethttps](https://dev.azuresynapse.nethttps)
[https://dev.azuresynapse.usgovcloudapi.netdata](https://dev.azuresynapse.usgovcloudapi.netdata)
[https://dev.lunchmoney.app/v1/categories](https://dev.lunchmoney.app/v1/categories)
[https://developer.api.autodesk.com/authentication/v1/authenticateimage](https://developer.api.autodesk.com/authentication/v1/authenticateimage)
[https://dictionary.yandex.net/api/v1/dicservice.json/getLangs](https://dictionary.yandex.net/api/v1/dicservice.json/getLangs)
[https://discord.com/api/v8/users/https](https://discord.com/api/v8/users/https)
[https://discord.com/api/webhooks/https](https://discord.com/api/webhooks/https)
[https://disqus.com/api/3.0/trends/listThreads.json](https://disqus.com/api/3.0/trends/listThreads.json)
[https://docs.airbrake.io/docs/devops](https://docs.airbrake.io/docs/devops)
[https://docs.stripe.com/api/account_links](https://docs.stripe.com/api/account_links)
[https://docs.stripe.com/api/application_fees/list](https://docs.stripe.com/api/application_fees/list)
[https://docs.stripe.com/api/balance](https://docs.stripe.com/api/balance)
[https://docs.stripe.com/api/billing/meter/create](https://docs.stripe.com/api/billing/meter/create)
[https://docs.stripe.com/api/billing/meter/list](https://docs.stripe.com/api/billing/meter/list)
[https://docs.stripe.com/api/charges/list](https://docs.stripe.com/api/charges/list)
[https://docs.stripe.com/api/charges/update](https://docs.stripe.com/api/charges/update)
[https://docs.stripe.com/api/checkout/sessions/create](https://docs.stripe.com/api/checkout/sessions/create)
[https://docs.stripe.com/api/checkout/sessions/list](https://docs.stripe.com/api/checkout/sessions/list)
[https://docs.stripe.com/api/climate/order/create](https://docs.stripe.com/api/climate/order/create)
[https://docs.stripe.com/api/climate/order/list](https://docs.stripe.com/api/climate/order/list)
[https://docs.stripe.com/api/confirmation_tokens/retrieve](https://docs.stripe.com/api/confirmation_tokens/retrieve)
[https://docs.stripe.com/api/confirmation_tokens/test_create](https://docs.stripe.com/api/confirmation_tokens/test_create)
[https://docs.stripe.com/api/coupons/create](https://docs.stripe.com/api/coupons/create)
[https://docs.stripe.com/api/coupons/list](https://docs.stripe.com/api/coupons/list)
[https://docs.stripe.com/api/credit_notes/list](https://docs.stripe.com/api/credit_notes/list)
[https://docs.stripe.com/api/credit_notes/update](https://docs.stripe.com/api/credit_notes/update)
[https://docs.stripe.com/api/customer_portal/sessions/create](https://docs.stripe.com/api/customer_portal/sessions/create)
[https://docs.stripe.com/api/customer_sessions/create](https://docs.stripe.com/api/customer_sessions/create)
[https://docs.stripe.com/api/customers/list](https://docs.stripe.com/api/customers/list)
[https://docs.stripe.com/api/customers/update](https://docs.stripe.com/api/customers/update)
[https://docs.stripe.com/api/disputes/list](https://docs.stripe.com/api/disputes/list)
[https://docs.stripe.com/api/disputes/update](https://docs.stripe.com/api/disputes/update)
[https://docs.stripe.com/api/events/list](https://docs.stripe.com/api/events/list)
[https://docs.stripe.com/api/fee_refunds/create](https://docs.stripe.com/api/fee_refunds/create)
[https://docs.stripe.com/api/identity/verification_sessions/create](https://docs.stripe.com/api/identity/verification_sessions/create)
[https://docs.stripe.com/api/identity/verification_sessions/list](https://docs.stripe.com/api/identity/verification_sessions/list)
[https://docs.stripe.com/api/invoices/create](https://docs.stripe.com/api/invoices/create)
[https://docs.stripe.com/api/invoices/list](https://docs.stripe.com/api/invoices/list)
[https://docs.stripe.com/api/issuing/authorizations/retrieve](https://docs.stripe.com/api/issuing/authorizations/retrieve)
[https://docs.stripe.com/api/issuing/authorizations/update](https://docs.stripe.com/api/issuing/authorizations/update)
[https://docs.stripe.com/api/issuing/cardholders/create](https://docs.stripe.com/api/issuing/cardholders/create)
[https://docs.stripe.com/api/issuing/cardholders/retrieve](https://docs.stripe.com/api/issuing/cardholders/retrieve)
[https://docs.stripe.com/api/issuing/cards/create](https://docs.stripe.com/api/issuing/cards/create)
[https://docs.stripe.com/api/issuing/cards/retrieve](https://docs.stripe.com/api/issuing/cards/retrieve)
[https://docs.stripe.com/api/issuing/disputes/retrieve](https://docs.stripe.com/api/issuing/disputes/retrieve)
[https://docs.stripe.com/api/issuing/disputes/update](https://docs.stripe.com/api/issuing/disputes/update)
[https://docs.stripe.com/api/issuing/funding_instructions/create](https://docs.stripe.com/api/issuing/funding_instructions/create)
[https://docs.stripe.com/api/issuing/funding_instructions/list](https://docs.stripe.com/api/issuing/funding_instructions/list)
[https://docs.stripe.com/api/issuing/tokens/retrieve](https://docs.stripe.com/api/issuing/tokens/retrieve)
[https://docs.stripe.com/api/issuing/tokens/update](https://docs.stripe.com/api/issuing/tokens/update)
[https://docs.stripe.com/api/issuing/transactions/retrieve](https://docs.stripe.com/api/issuing/transactions/retrieve)
[https://docs.stripe.com/api/issuing/transactions/update](https://docs.stripe.com/api/issuing/transactions/update)
[https://docs.stripe.com/api/payment_intents/create](https://docs.stripe.com/api/payment_intents/create)
[https://docs.stripe.com/api/payment_intents/list](https://docs.stripe.com/api/payment_intents/list)
[https://docs.stripe.com/api/payment_links/payment_links/create](https://docs.stripe.com/api/payment_links/payment_links/create)
[https://docs.stripe.com/api/payment_links/payment_links/list](https://docs.stripe.com/api/payment_links/payment_links/list)
[https://docs.stripe.com/api/payment_method_domains/create](https://docs.stripe.com/api/payment_method_domains/create)
[https://docs.stripe.com/api/payment_method_domains/list](https://docs.stripe.com/api/payment_method_domains/list)
[https://docs.stripe.com/api/payouts/create](https://docs.stripe.com/api/payouts/create)
[https://docs.stripe.com/api/payouts/list](https://docs.stripe.com/api/payouts/list)
[https://docs.stripe.com/api/prices/create](https://docs.stripe.com/api/prices/create)
[https://docs.stripe.com/api/prices/list](https://docs.stripe.com/api/prices/list)
[https://docs.stripe.com/api/products/create](https://docs.stripe.com/api/products/create)
[https://docs.stripe.com/api/products/list](https://docs.stripe.com/api/products/list)
[https://docs.stripe.com/api/promotion_codes/create](https://docs.stripe.com/api/promotion_codes/create)
[https://docs.stripe.com/api/promotion_codes/list](https://docs.stripe.com/api/promotion_codes/list)
[https://docs.stripe.com/api/quotes/list](https://docs.stripe.com/api/quotes/list)
[https://docs.stripe.com/api/quotes/update](https://docs.stripe.com/api/quotes/update)
[https://docs.stripe.com/api/radar/reviews/approve](https://docs.stripe.com/api/radar/reviews/approve)
[https://docs.stripe.com/api/radar/reviews/list](https://docs.stripe.com/api/radar/reviews/list)
[https://docs.stripe.com/api/reporting/report_run/list](https://docs.stripe.com/api/reporting/report_run/list)
[https://docs.stripe.com/api/setup_intents/create](https://docs.stripe.com/api/setup_intents/create)
[https://docs.stripe.com/api/setup_intents/list](https://docs.stripe.com/api/setup_intents/list)
[https://docs.stripe.com/api/shipping_rates/create](https://docs.stripe.com/api/shipping_rates/create)
[https://docs.stripe.com/api/shipping_rates/list](https://docs.stripe.com/api/shipping_rates/list)
[https://docs.stripe.com/api/sources/retrieve](https://docs.stripe.com/api/sources/retrieve)
[https://docs.stripe.com/api/sources/update](https://docs.stripe.com/api/sources/update)
[https://docs.stripe.com/api/subscriptions/create](https://docs.stripe.com/api/subscriptions/create)
[https://docs.stripe.com/api/subscriptions/list](https://docs.stripe.com/api/subscriptions/list)
[https://docs.stripe.com/api/tax/calculations/create](https://docs.stripe.com/api/tax/calculations/create)
[https://docs.stripe.com/api/tax/calculations/line_items](https://docs.stripe.com/api/tax/calculations/line_items)
[https://docs.stripe.com/api/tax/registrations/update](https://docs.stripe.com/api/tax/registrations/update)
[https://docs.stripe.com/api/tax/settings/retrieve](https://docs.stripe.com/api/tax/settings/retrieve)
[https://docs.stripe.com/api/tax_ids/create](https://docs.stripe.com/api/tax_ids/create)
[https://docs.stripe.com/api/tax_ids/list](https://docs.stripe.com/api/tax_ids/list)
[https://docs.stripe.com/api/tax_rates/create](https://docs.stripe.com/api/tax_rates/create)
[https://docs.stripe.com/api/tax_rates/list](https://docs.stripe.com/api/tax_rates/list)
[https://docs.stripe.com/api/terminal/configuration/list](https://docs.stripe.com/api/terminal/configuration/list)
[https://docs.stripe.com/api/terminal/configuration/update](https://docs.stripe.com/api/terminal/configuration/update)
[https://docs.stripe.com/api/terminal/locations/create](https://docs.stripe.com/api/terminal/locations/create)
[https://docs.stripe.com/api/terminal/locations/list](https://docs.stripe.com/api/terminal/locations/list)
[https://docs.stripe.com/api/terminal/readers/create](https://docs.stripe.com/api/terminal/readers/create)
[https://docs.stripe.com/api/terminal/readers/list](https://docs.stripe.com/api/terminal/readers/list)
[https://docs.stripe.com/api/test_clocks/create](https://docs.stripe.com/api/test_clocks/create)
[https://docs.stripe.com/api/test_clocks/list](https://docs.stripe.com/api/test_clocks/list)
[https://docs.stripe.com/api/tokens/create_card](https://docs.stripe.com/api/tokens/create_card)
[https://docs.stripe.com/api/tokens/retrieve](https://docs.stripe.com/api/tokens/retrieve)
[https://docs.stripe.com/api/topups/create](https://docs.stripe.com/api/topups/create)
[https://docs.stripe.com/api/topups/list](https://docs.stripe.com/api/topups/list)
[https://docs.stripe.com/api/transfers/create](https://docs.stripe.com/api/transfers/create)
[https://docs.stripe.com/api/transfers/list](https://docs.stripe.com/api/transfers/list)
[https://docs.stripe.com/api/usage_records/create](https://docs.stripe.com/api/usage_records/create)
[https://docs.stripe.com/api/usage_records/subscription_item_summary_list](https://docs.stripe.com/api/usage_records/subscription_item_summary_list)
[https://docs.stripe.com/api/webhook_endpoints/create](https://docs.stripe.com/api/webhook_endpoints/create)
[https://docs.stripe.com/api/webhook_endpoints/list](https://docs.stripe.com/api/webhook_endpoints/list)
[https://docsapi.helpscout.net/v1/collectionshttps](https://docsapi.helpscout.net/v1/collectionshttps)
[https://dummysite.com](https://dummysite.com)
[https://dynalist.io/api/v1/file/listhttps](https://dynalist.io/api/v1/file/listhttps)
[https://ecs.aliyuncs.com](https://ecs.aliyuncs.com)
[https://eu.posthog.com/api/event/](https://eu.posthog.com/api/event/)
[https://example.teamwork.com/crm/api/v2/users.jsonhttps](https://example.teamwork.com/crm/api/v2/users.jsonhttps)
[https://example.teamwork.com/desk/api/v2/me.jsonRepository](https://example.teamwork.com/desk/api/v2/me.jsonRepository)
[https://example.teamwork.com/spaces/api/v1/users.jsonhttps](https://example.teamwork.com/spaces/api/v1/users.jsonhttps)
[https://extractorapi.com/api/v1/extractor](https://extractorapi.com/api/v1/extractor)
[https://fetchrss.com/api/v1/feed/list](https://fetchrss.com/api/v1/feed/list)
[https://file.io/](https://file.io/)
[https://files.stripe.com/v1/files](https://files.stripe.com/v1/files)
[https://financialmodelingprep.com/api/v3/financial](https://financialmodelingprep.com/api/v3/financial)
[https://finnhub.io/api/v1/calendar/economic](https://finnhub.io/api/v1/calendar/economic)
[https://foo.com/bar](https://foo.com/bar)
[https://formcrafts.com/api/v1/https](https://formcrafts.com/api/v1/https)
[https://formio.form.io/currentapplication/vnd.github.v3](https://formio.form.io/currentapplication/vnd.github.v3)
[https://fxmarketapi.com/apilive](https://fxmarketapi.com/apilive)
[https://gallery.azure.com/https](https://gallery.azure.com/https)
[https://gallery.chinacloudapi.cn/mariadb.database.chinacloudapi.cnhttps](https://gallery.chinacloudapi.cn/mariadb.database.chinacloudapi.cnhttps)
[https://gallery.cloudapi.de/mariadb.database.cloudapi.defailed](https://gallery.cloudapi.de/mariadb.database.cloudapi.defailed)
[https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.netdev.azuresynapse.usgovcloudapi.netpostgres.database.chinacloudapi.cnhttps](https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.netdev.azuresynapse.usgovcloudapi.netpostgres.database.chinacloudapi.cnhttps)
[https://gate.sendbird.com/api/v2/applicationshttps](https://gate.sendbird.com/api/v2/applicationshttps)
[https://gen.duply.co/v1/usagegrant_type=client_credentials](https://gen.duply.co/v1/usagegrant_type=client_credentials)
[https://geo.ipify.org/api/v2/country](https://geo.ipify.org/api/v2/country)
[https://geocode.xyz/51.4647](https://geocode.xyz/51.4647)
[https://geoip.maxmind.com/geoip/v2.1/country/8.8.8.8https](https://geoip.maxmind.com/geoip/v2.1/country/8.8.8.8https)
[https://getsandbox.com/api/1/sandboxes/](https://getsandbox.com/api/1/sandboxes/)
[https://gist.github.comMetaDataValidationErrorunable](https://gist.github.comMetaDataValidationErrorunable)
[https://github.com/airbrake/airbrake](https://github.com/airbrake/airbrake)
[https://github.com/dustin](https://github.com/dustin)
[https://github.com/golang/protobuf/issues/1609](https://github.com/golang/protobuf/issues/1609)
[https://github.com/google/go](https://github.com/google/go)
[https://github.com/llvm/llvm](https://github.com/llvm/llvm)
[https://github.com/login/device/codeDiff](https://github.com/login/device/codeDiff)
[https://github.com/login/oauth/access_tokenexpected](https://github.com/login/oauth/access_tokenexpected)
[https://github.com/login/oauth/authorizekey](https://github.com/login/oauth/authorizekey)
[https://github.com/pygments/pygments/blob/15f222adefd2bf7835bfd74a12d720028ae68d29/pygments/lexers/dalvik.py.](https://github.com/pygments/pygments/blob/15f222adefd2bf7835bfd74a12d720028ae68d29/pygments/lexers/dalvik.py.)
[https://github.com/trufflesecurity/test_keyscannot](https://github.com/trufflesecurity/test_keyscannot)
[https://github.com/trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog)
[https://gitlab.com/Skipping](https://gitlab.com/Skipping)
[https://gitlab.com/api/v4/metadatahttps](https://gitlab.com/api/v4/metadatahttps)
[https://gitlab.com/api/v4/personal_access_tokens/self](https://gitlab.com/api/v4/personal_access_tokens/self)
[https://gitlab.com/api/v4/projectshttps](https://gitlab.com/api/v4/projectshttps)
[https://gitlab.com/org/repo.gitAWS](https://gitlab.com/org/repo.gitAWS)
[https://gitlab.com/org/repo.gitNumber](https://gitlab.com/org/repo.gitNumber)
[https://gitlab.comScan](https://gitlab.comScan)
[https://go.postman.co/collection/tls](https://go.postman.co/collection/tls)
[https://go.postman.co/environments/could](https://go.postman.co/environments/could)
[https://go.postman.co/example/error](https://go.postman.co/example/error)
[https://go.postman.co/folder/TLS](https://go.postman.co/folder/TLS)
[https://go.postman.co/request/https](https://go.postman.co/request/https)
[https://go.postman.co/workspace/could](https://go.postman.co/workspace/could)
[https://go.postman.co/workspaces/mail_settings.bounce_purge.updatemail_settings.forward_bounce.readmail_settings.forward_spam.updatepartner_settings.new_relic.updatesubusers](https://go.postman.co/workspaces/mail_settings.bounce_purge.updatemail_settings.forward_bounce.readmail_settings.forward_spam.updatepartner_settings.new_relic.updatesubusers)
[https://go.urbanairship.com/api/schedules](https://go.urbanairship.com/api/schedules)
[https://google.com&width=1920&height=1080xoxb](https://google.com&width=1920&height=1080xoxb)
[https://google.comcrypto/ecdh](https://google.comcrypto/ecdh)
[https://google.comhttps](https://google.comhttps)
[https://grafana.com/api/v1/tokens](https://grafana.com/api/v1/tokens)
[https://graph.chinacloudapi.cn/https](https://graph.chinacloudapi.cn/https)
[https://graph.cloudapi.de/https](https://graph.cloudapi.de/https)
[https://graph.facebook.com/me](https://graph.facebook.com/me)
[https://graph.microsoft.com/https](https://graph.microsoft.com/https)
[https://graph.microsoft.us/https](https://graph.microsoft.us/https)
[https://graph.windows.net/mariadb.database.azure.comhttps](https://graph.windows.net/mariadb.database.azure.comhttps)
[https://graphhopper.com/api/1/geocode](https://graphhopper.com/api/1/geocode)
[https://graphql.us.jupiterone.io/https](https://graphql.us.jupiterone.io/https)
[https://gtmetrix.com/api/2.0/statushttps](https://gtmetrix.com/api/2.0/statushttps)
[https://hg.mozilla.org/releases/mozilla](https://hg.mozilla.org/releases/mozilla)
[https://holidayapi.com/v1/holidays](https://holidayapi.com/v1/holidays)
[https://hooman.pipedrive.com/api/v1/users](https://hooman.pipedrive.com/api/v1/users)
[https://host.io/api/domains/ip/8.8.8.8](https://host.io/api/domains/ip/8.8.8.8)
[https://howtorotate.com/docs/tutorials/airbrake/https](https://howtorotate.com/docs/tutorials/airbrake/https)
[https://howtorotate.com/docs/tutorials/atlassian/https](https://howtorotate.com/docs/tutorials/atlassian/https)
[https://howtorotate.com/docs/tutorials/aws/request](https://howtorotate.com/docs/tutorials/aws/request)
[https://howtorotate.com/docs/tutorials/azure/https](https://howtorotate.com/docs/tutorials/azure/https)
[https://howtorotate.com/docs/tutorials/elevenlabs/https](https://howtorotate.com/docs/tutorials/elevenlabs/https)
[https://howtorotate.com/docs/tutorials/eraser/https](https://howtorotate.com/docs/tutorials/eraser/https)
[https://howtorotate.com/docs/tutorials/gcp/https](https://howtorotate.com/docs/tutorials/gcp/https)
[https://howtorotate.com/docs/tutorials/github/https](https://howtorotate.com/docs/tutorials/github/https)
[https://howtorotate.com/docs/tutorials/gitlab/https](https://howtorotate.com/docs/tutorials/gitlab/https)
[https://howtorotate.com/docs/tutorials/groq/https](https://howtorotate.com/docs/tutorials/groq/https)
[https://howtorotate.com/docs/tutorials/mailchimp/https](https://howtorotate.com/docs/tutorials/mailchimp/https)
[https://howtorotate.com/docs/tutorials/maxmind/https](https://howtorotate.com/docs/tutorials/maxmind/https)
[https://howtorotate.com/docs/tutorials/microsoftteams/.myfreshworks.com/crm/sales/api/sales_accounts/filtershttps](https://howtorotate.com/docs/tutorials/microsoftteams/.myfreshworks.com/crm/sales/api/sales_accounts/filtershttps)
[https://howtorotate.com/docs/tutorials/mongo/https](https://howtorotate.com/docs/tutorials/mongo/https)
[https://howtorotate.com/docs/tutorials/netlify//services/rest/record/v1/metadata](https://howtorotate.com/docs/tutorials/netlify//services/rest/record/v1/metadata)
[https://howtorotate.com/docs/tutorials/npm/](https://howtorotate.com/docs/tutorials/npm/)
[https://howtorotate.com/docs/tutorials/railwayapp/https](https://howtorotate.com/docs/tutorials/railwayapp/https)
[https://howtorotate.com/docs/tutorials/sendbird/https](https://howtorotate.com/docs/tutorials/sendbird/https)
[https://howtorotate.com/docs/tutorials/sendgrid/https](https://howtorotate.com/docs/tutorials/sendgrid/https)
[https://howtorotate.com/docs/tutorials/slack/](https://howtorotate.com/docs/tutorials/slack/)
[https://howtorotate.com/docs/tutorials/sourcegraph/https](https://howtorotate.com/docs/tutorials/sourcegraph/https)
[https://howtorotate.com/docs/tutorials/square/https](https://howtorotate.com/docs/tutorials/square/https)
[https://howtorotate.com/docs/tutorials/stripe/https](https://howtorotate.com/docs/tutorials/stripe/https)
[https://howtorotate.com/docs/tutorials/sumologic/https](https://howtorotate.com/docs/tutorials/sumologic/https)
[https://howtorotate.com/docs/tutorials/twilio/](https://howtorotate.com/docs/tutorials/twilio/)
[https://httpbin.org/anythingAPI](https://httpbin.org/anythingAPI)
[https://httpbin.org/status/200https](https://httpbin.org/status/200https)
[https://hub.docker.com/v2/users/loginapplication/vnd.dyspatch.2020.11](https://hub.docker.com/v2/users/loginapplication/vnd.dyspatch.2020.11)
[https://huggingface.co/api/modelsparsing](https://huggingface.co/api/modelsparsing)
[https://huggingface.co/api/whoami](https://huggingface.co/api/whoami)
[https://huggingface.cofailed](https://huggingface.cofailed)
[https://iam.googleapis.com/v1/roleshttps](https://iam.googleapis.com/v1/roleshttps)
[https://iamcredentials..](https://iamcredentials..)
[https://iamcredentials.UNIVERSE_DOMAIN/failed](https://iamcredentials.UNIVERSE_DOMAIN/failed)
[https://iamcredentials.googleapis.com/openpgp](https://iamcredentials.googleapis.com/openpgp)
[https://iamcredentials.googleapis.com/v1/](https://iamcredentials.googleapis.com/v1/)
[https://iamcredentials.mtls.googleapis.com/buffered_file_writer_total_write_size_byteshash/adler32](https://iamcredentials.mtls.googleapis.com/buffered_file_writer_total_write_size_byteshash/adler32)
[https://id.twitch.tv/oauth2/token](https://id.twitch.tv/oauth2/token)
[https://index.docker.io/v1/Unreachable](https://index.docker.io/v1/Unreachable)
[https://industrial.api.ubidots.com/api/v1.6/variables/https](https://industrial.api.ubidots.com/api/v1.6/variables/https)
[https://interseller.io/api/campaigns/listhttps](https://interseller.io/api/campaigns/listhttps)
[https://io.adafruit.com/api/v2/ladybugtest/feeds/](https://io.adafruit.com/api/v2/ladybugtest/feeds/)
[https://jenkins.example.com](https://jenkins.example.com)
[https://keychecker.trufflesecurity.com/fingerprint/](https://keychecker.trufflesecurity.com/fingerprint/)
[https://learning.postman.com/docs/collaborating](https://learning.postman.com/docs/collaborating)
[https://linkedin.com/in/williamhgates](https://linkedin.com/in/williamhgates)
[https://localhost/deprecated_featureconnection_failureprotocol_violationindicator_overflowrestrict_violationnot_null_violationcollation_mismatchundefined_functionduplicate_databaseduplicate_functionam](https://localhost/deprecated_featureconnection_failureprotocol_violationindicator_overflowrestrict_violationnot_null_violationcollation_mismatchundefined_functionduplicate_databaseduplicate_functionam)
[https://login.chinacloudapi.cn/https](https://login.chinacloudapi.cn/https)
[https://login.eagleeyenetworks.com/g/aaa/authenticatehttps](https://login.eagleeyenetworks.com/g/aaa/authenticatehttps)
[https://login.microsoftonline.com/semaphore](https://login.microsoftonline.com/semaphore)
[https://login.microsoftonline.de/2006](https://login.microsoftonline.de/2006)
[https://login.microsoftonline.us/https](https://login.microsoftonline.us/https)
[https://mailsac.com/api/addresseshttps](https://mailsac.com/api/addresseshttps)
[https://mainnet.infura.io/v3/KNAPSACK](https://mainnet.infura.io/v3/KNAPSACK)
[https://manage.chinacloudapi.com/https](https://manage.chinacloudapi.com/https)
[https://manage.chinacloudapi.com/publishsettings/indexhttps](https://manage.chinacloudapi.com/publishsettings/indexhttps)
[https://manage.microsoftazure.de/publishsettings/indexhttp](https://manage.microsoftazure.de/publishsettings/indexhttp)
[https://manage.windowsazure.com/https](https://manage.windowsazure.com/https)
[https://manage.windowsazure.com/publishsettings/indexraw](https://manage.windowsazure.com/publishsettings/indexraw)
[https://manage.windowsazure.us/https](https://manage.windowsazure.us/https)
[https://manage.windowsazure.us/publishsettings/indexunrecognized](https://manage.windowsazure.us/publishsettings/indexunrecognized)
[https://managedhsm.azure.net/https](https://managedhsm.azure.net/https)
[https://managedhsm.azure.netservicebus.usgovcloudapi.nethttps](https://managedhsm.azure.netservicebus.usgovcloudapi.nethttps)
[https://management.azure.com/https](https://management.azure.com/https)
[https://management.chinacloudapi.cn/https](https://management.chinacloudapi.cn/https)
[https://management.core.chinacloudapi.cn/https](https://management.core.chinacloudapi.cn/https)
[https://management.core.cloudapi.de/data](https://management.core.cloudapi.de/data)
[https://management.core.usgovcloudapi.net/https](https://management.core.usgovcloudapi.net/https)
[https://management.core.windows.net/https](https://management.core.windows.net/https)
[https://management.microsoftazure.de/expected](https://management.microsoftazure.de/expected)
[https://management.usgovcloudapi.net/https](https://management.usgovcloudapi.net/https)
[https://mandrillapp.com/api/1.0/users/infohttps](https://mandrillapp.com/api/1.0/users/infohttps)
[https://microsoftgraph.chinacloudapi.cn/server_duration](https://microsoftgraph.chinacloudapi.cn/server_duration)
[https://microsoftgraph.chinacloudapi.cngo](https://microsoftgraph.chinacloudapi.cngo)
[https://mltb8350.hiveage.com/api/networkapplication/vnd.hybiscus](https://mltb8350.hiveage.com/api/networkapplication/vnd.hybiscus)
[https://moderationapi.com/api/v1/analyze/languagePostgres](https://moderationapi.com/api/v1/analyze/languagePostgres)
[https://mrticktock.com/app/api/is_timer_active](https://mrticktock.com/app/api/is_timer_active)
[https://my.demio.com/api/v1/ping/query](https://my.demio.com/api/v1/ping/query)
[https://nethunt.com/api/v1/zapier/triggers/readable](https://nethunt.com/api/v1/zapier/triggers/readable)
[https://neutrinoapi.net/url](https://neutrinoapi.net/url)
[https://newsapi.org/v2/everything](https://newsapi.org/v2/everything)
[https://oauth2.googleapis.com/device/codemssql](https://oauth2.googleapis.com/device/codemssql)
[https://oauth2.googleapis.com/tokenoauth2/google](https://oauth2.googleapis.com/tokenoauth2/google)
[https://oauth2.mtls.googleapis.com/tokengrpc.io/server/received_messages_per_rpcgrpc.io/client/received_messages_per_rpcgrpclb](https://oauth2.mtls.googleapis.com/tokengrpc.io/server/received_messages_per_rpcgrpc.io/client/received_messages_per_rpcgrpclb)
[https://onesignal.com/api/v1/appshttps](https://onesignal.com/api/v1/appshttps)
[https://onfleet.com/api/v2/organizationhttps](https://onfleet.com/api/v2/organizationhttps)
[https://open.larksuite.com/open](https://open.larksuite.com/open)
[https://opentelemetry.io/schemas/1.17.0grpclb](https://opentelemetry.io/schemas/1.17.0grpclb)
[https://oss.trufflehog.org/updatesillegal](https://oss.trufflehog.org/updatesillegal)
[https://ossrdbms](https://ossrdbms)
[https://otx.alienvault.com/api/v1/users/mehttps](https://otx.alienvault.com/api/v1/users/mehttps)
[https://owlbot.info/api/v4/dictionary/securityhttps](https://owlbot.info/api/v4/dictionary/securityhttps)
[https://packagecloud.io/api/v1/reposhttps](https://packagecloud.io/api/v1/reposhttps)
[https://partner_settingscategories.statsGoogle](https://partner_settingscategories.statsGoogle)
[https://pastebin.com/api/api_post.phpapplication/vnd.percy](https://pastebin.com/api/api_post.phpapplication/vnd.percy)
[https://paydirtapp.com/api/v1/clients](https://paydirtapp.com/api/v1/clients)
[https://payments.braintree](https://payments.braintree)
[https://payments.sandbox.braintree](https://payments.sandbox.braintree)
[https://pdflayer.com/downloads/invoice.htmlPlanetScale](https://pdflayer.com/downloads/invoice.htmlPlanetScale)
[https://percy.io/api/v1/projectshttps](https://percy.io/api/v1/projectshttps)
[https://person.clearbit.com/v1/people/email/alex](https://person.clearbit.com/v1/people/email/alex)
[https://pixabay.com/api/](https://pixabay.com/api/)
[https://pkg.go.dev/cloud.google.com/go/storage](https://pkg.go.dev/cloud.google.com/go/storage)
[https://pkg.go.dev/go.mongodb.org/mongo](https://pkg.go.dev/go.mongodb.org/mongo)
[https://platform.devtest.ringcentral.com/restapi/oauth/authorize](https://platform.devtest.ringcentral.com/restapi/oauth/authorize)
[https://platform.segmentapis.com/v1beta/workspaceshttps](https://platform.segmentapis.com/v1beta/workspaceshttps)
[https://plugin.api.dronahq.com/users/](https://plugin.api.dronahq.com/users/)
[https://poloniex.com/tradingApihttps](https://poloniex.com/tradingApihttps)
[https://powrbot.com/api/v1/search/single/](https://powrbot.com/api/v1/search/single/)
[https://protobuf.dev/reference/go/faq](https://protobuf.dev/reference/go/faq)
[https://ps.pndsn.com/signal/https](https://ps.pndsn.com/signal/https)
[https://ps.pndsn.com/v2/objects/https](https://ps.pndsn.com/v2/objects/https)
[https://push.databox.com](https://push.databox.com)
[https://registry.npmjs.org/](https://registry.npmjs.org/)
[https://rendyplayground.simvoly.com/api/site/members](https://rendyplayground.simvoly.com/api/site/members)
[https://rest.clicksend.com/v3/accounthttps](https://rest.clicksend.com/v3/accounthttps)
[https://rest.coinapi.io/v1/exchangeshttps](https://rest.coinapi.io/v1/exchangeshttps)
[https://rest.messagebird.com/messageshttps](https://rest.messagebird.com/messageshttps)
[https://rest.nexmo.com/account/get](https://rest.nexmo.com/account/get)
[https://rest.textmagic.com/api/v2/userhttps](https://rest.textmagic.com/api/v2/userhttps)
[https://restpack.io/api/html2pdf/usagehttps](https://restpack.io/api/html2pdf/usagehttps)
[https://restpack.io/api/screenshot/usagehttps](https://restpack.io/api/screenshot/usagehttps)
[https://rubygems.org/api/v1/gems.jsonerror](https://rubygems.org/api/v1/gems.jsonerror)
[https://run.salesblink.io/api/public/listshttps](https://run.salesblink.io/api/public/listshttps)
[https://runrun.it/api/v1.0/users](https://runrun.it/api/v1.0/users)
[https://salescookie.com/app/Api/CreateTransaction](https://salescookie.com/app/Api/CreateTransaction)
[https://sandbox.impala.travel/v1/bookings](https://sandbox.impala.travel/v1/bookings)
[https://scrutinizer](https://scrutinizer)
[https://search.censys.io/api/v1/accounthttps](https://search.censys.io/api/v1/accounthttps)
[https://selectpdf.com/api2/convert/](https://selectpdf.com/api2/convert/)
[https://sentry.io/api/0/projects/https](https://sentry.io/api/0/projects/https)
[https://service.zipapi.us/zipcode/90210/](https://service.zipapi.us/zipcode/90210/)
[https://servicebus.azure.net/https](https://servicebus.azure.net/https)
[https://servicebus.chinacloudapi.cn/https](https://servicebus.chinacloudapi.cn/https)
[https://servicebus.cloudapi.de/https](https://servicebus.cloudapi.de/https)
[https://servicebus.usgovcloudapi.net/https](https://servicebus.usgovcloudapi.net/https)
[https://servicebus.windows.net/https](https://servicebus.windows.net/https)
[https://services.reachmail.net/administration/users/current](https://services.reachmail.net/administration/users/current)
[https://shot.screenshotapi.net/screenshot](https://shot.screenshotapi.net/screenshot)
[https://simfin.com/api/v2/companies/list](https://simfin.com/api/v2/companies/list)
[https://slack.com/api/auth.testCreateCustomerCard](https://slack.com/api/auth.testCreateCustomerCard)
[https://sms.8x8.com/api/v1/subaccounts/](https://sms.8x8.com/api/v1/subaccounts/)
[https://sms.api.sinch.com/xms/v1/https](https://sms.api.sinch.com/xms/v1/https)
[https://snyk.io/api/v1/user/mefailed](https://snyk.io/api/v1/user/mefailed)
[https://soccer.sportmonks.com/api/v2.0/leagues](https://soccer.sportmonks.com/api/v2.0/leagues)
[https://sourcegraph.com/.api/graphql](https://sourcegraph.com/.api/graphql)
[https://sslmate.com/api/v2/certs/example.com](https://sslmate.com/api/v2/certs/example.com)
[https://staging.cloud](https://staging.cloud)
[https://statuspal.io/api/v1/status_pages/secretscanner/subscriptionshttps](https://statuspal.io/api/v1/status_pages/secretscanner/subscriptionshttps)
[https://storage.UNIVERSE_DOMAIN/storage/v1/gccl](https://storage.UNIVERSE_DOMAIN/storage/v1/gccl)
[https://storage.azure.com/database.usgovcloudapi.netcloudapp.usgovcloudapi.nethttps](https://storage.azure.com/database.usgovcloudapi.netcloudapp.usgovcloudapi.nethttps)
[https://storage.googleapis.com/storage/v1/b/](https://storage.googleapis.com/storage/v1/b/)
[https://storage.mtls.googleapis.com/storage/v1/storage](https://storage.mtls.googleapis.com/storage/v1/storage)
[https://stripo.email/emailgeneration/v1/emails](https://stripo.email/emailgeneration/v1/emails)
[https://sts.UNIVERSE_DOMAIN/v1/tokenurn](https://sts.UNIVERSE_DOMAIN/v1/tokenurn)
[https://sts.amazonaws.com/](https://sts.amazonaws.com/)
[https://sts.amazonaws.comnot](https://sts.amazonaws.comnot)
[https://technical](https://technical)
[https://test.api.amadeus.com/v1/security/oauth2/tokenhttps](https://test.api.amadeus.com/v1/security/oauth2/tokenhttps)
[https://timezoneapi.io/api/ip/](https://timezoneapi.io/api/ip/)
[https://track.customer.io/api/v1/customers/5/eventshttps](https://track.customer.io/api/v1/customers/5/eventshttps)
[https://trackapi.nutritionix.com/v2/natural/nutrients](https://trackapi.nutritionix.com/v2/natural/nutrients)
[https://trading.robinhood.com/https](https://trading.robinhood.com/https)
[https://transit.walkscore.com/transit/search/stops/](https://transit.walkscore.com/transit/search/stops/)
[https://trk.mtrl.me/categoryunexpected](https://trk.mtrl.me/categoryunexpected)
[https://trufflesecurity.com/canariesDefaultEndpointsProtocol=https](https://trufflesecurity.com/canariesDefaultEndpointsProtocol=https)
[https://trufflesecurity.com/canariesGetGeoAPI](https://trufflesecurity.com/canariesGetGeoAPI)
[https://trufflesecurity.com/contacted25519](https://trufflesecurity.com/contacted25519)
[https://trufflesecurity.com/trufflehogmax](https://trufflesecurity.com/trufflehogmax)
[https://typetalk.com/oauth2/access_token](https://typetalk.com/oauth2/access_token)
[https://unify.apideck.com/vault/consumerscouldn](https://unify.apideck.com/vault/consumerscouldn)
[https://upload.pypi.org/legacy/](https://upload.pypi.org/legacy/)
[https://uploads.github.com//dependency](https://uploads.github.com//dependency)
[https://uptime.betterstack.com/api/v2/monitorshttps](https://uptime.betterstack.com/api/v2/monitorshttps)
[https://urlscan.io/user/quotashttps](https://urlscan.io/user/quotashttps)
[https://us.qubole.com/api/v1.2/accounthttps](https://us.qubole.com/api/v1.2/accounthttps)
[https://us1.locationiq.com/v1/reverse.php](https://us1.locationiq.com/v1/reverse.php)
[https://v2.convertapi.com/user](https://v2.convertapi.com/user)
[https://v3.api.hypertrack.com/trips/expected](https://v3.api.hypertrack.com/trips/expected)
[https://v6.exchangerate](https://v6.exchangerate)
[https://vault.azure.cn/vault.microsoftazure.denot](https://vault.azure.cn/vault.microsoftazure.denot)
[https://vault.azure.cnazuretrafficmanager.deservicebus.cloudapi.deAZUREUSGOVERNMENTCLOUDAZURE_GO_SDK_LOG_LEVELnot](https://vault.azure.cnazuretrafficmanager.deservicebus.cloudapi.deAZUREUSGOVERNMENTCLOUDAZURE_GO_SDK_LOG_LEVELnot)
[https://vault.azure.net/mysql.database.azure.comhttps](https://vault.azure.net/mysql.database.azure.comhttps)
[https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps](https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps)
[https://vault.microsoftazure.de/specific](https://vault.microsoftazure.de/specific)
[https://vault.microsoftazure.dedata](https://vault.microsoftazure.dedata)
[https://vault.usgovcloudapi.net/mysql.database.usgovcloudapi.nethttp](https://vault.usgovcloudapi.net/mysql.database.usgovcloudapi.nethttp)
[https://vault.usgovcloudapi.nethttps](https://vault.usgovcloudapi.nethttps)
[https://verifier.meetchopra.com/verify/](https://verifier.meetchopra.com/verify/)
[https://verify.twilio.com/v2/Servicesif](https://verify.twilio.com/v2/Servicesif)
[https://vpnapi.io/api/8.8.8.8](https://vpnapi.io/api/8.8.8.8)
[https://weather.ls.hereapi.com/weather/1.0/report.json](https://weather.ls.hereapi.com/weather/1.0/report.json)
[https://weather.visualcrossing.com/VisualCrossingWebServices/rest/services/timeline/LA](https://weather.visualcrossing.com/VisualCrossingWebServices/rest/services/timeline/LA)
[https://webexapis.com/v1/access_tokenhttps](https://webexapis.com/v1/access_tokenhttps)
[https://ws.detectlanguage.com/0.2/user/statushttps](https://ws.detectlanguage.com/0.2/user/statushttps)
[https://www.World](https://www.World)
[https://www.apilayer.net/api/validate](https://www.apilayer.net/api/validate)
[https://www.apimatic.io/api/code](https://www.apimatic.io/api/code)
[https://www.appsynergy.com/api](https://www.appsynergy.com/api)
[https://www.bitmex.com](https://www.bitmex.com)
[https://www.browserstack.com/automate/plan.jsonhttps](https://www.browserstack.com/automate/plan.jsonhttps)
[https://www.buddyns.com/api/v2/zone/https](https://www.buddyns.com/api/v2/zone/https)
[https://www.bugherd.com/api_v2/projects.jsonhttps](https://www.bugherd.com/api_v2/projects.jsonhttps)
[https://www.carboninterface.com/api/v1/estimateshttps](https://www.carboninterface.com/api/v1/estimateshttps)
[https://www.clinchpad.com/api/v1/pipelines](https://www.clinchpad.com/api/v1/pipelines)
[https://www.diggernaut.com/api/projectshttps](https://www.diggernaut.com/api/projectshttps)
[https://www.dnscheck.co/api/v1/groups/https](https://www.dnscheck.co/api/v1/groups/https)
[https://www.easy](https://www.easy)
[https://www.eventbriteapi.com/v3/users/me/](https://www.eventbriteapi.com/v3/users/me/)
[https://www.flickr.com/services/rest/](https://www.flickr.com/services/rest/)
[https://www.formbucket.com/v1/profilehttps](https://www.formbucket.com/v1/profilehttps)
[https://www.gocanvas.com/apiv2/forms.xml](https://www.gocanvas.com/apiv2/forms.xml)
[https://www.googleapis.com/auth/cloud](https://www.googleapis.com/auth/cloud)
[https://www.googleapis.com/auth/devstorage.full_controlstorage](https://www.googleapis.com/auth/devstorage.full_controlstorage)
[https://www.googleapis.com/auth/devstorage.read_onlywildcards](https://www.googleapis.com/auth/devstorage.read_onlywildcards)
[https://www.googleapis.com/auth/devstorage.read_writeB](https://www.googleapis.com/auth/devstorage.read_writeB)
[https://www.googleapis.com/auth/devstorage.read_writecredentials](https://www.googleapis.com/auth/devstorage.read_writecredentials)
[https://www.googleapis.com/blogger/v3/blogs/2399953](https://www.googleapis.com/blogger/v3/blogs/2399953)
[https://www.googleapis.com/oauth2/v3/tokeninfo](https://www.googleapis.com/oauth2/v3/tokeninfo)
[https://www.googleapis.com/youtube/v3/channelSections](https://www.googleapis.com/youtube/v3/channelSections)
[https://www.happyscribe.com/api/v1/transcriptionshttps](https://www.happyscribe.com/api/v1/transcriptionshttps)
[https://www.humanity.com/api/v2/me](https://www.humanity.com/api/v2/me)
[https://www.ipqualityscore.com/api/json/account/](https://www.ipqualityscore.com/api/json/account/)
[https://www.mapquestapi.com/datamanager/v2/get](https://www.mapquestapi.com/datamanager/v2/get)
[https://www.meistertask.com/api/projectsapplication/vnd.moonclerk](https://www.meistertask.com/api/projectsapplication/vnd.moonclerk)
[https://www.mindmeister.com/services/rest/oauth2](https://www.mindmeister.com/services/rest/oauth2)
[https://www.mongodb.com/supportability/cosmosdb](https://www.mongodb.com/supportability/cosmosdb)
[https://www.mongodb.com/supportability/documentdbAzure](https://www.mongodb.com/supportability/documentdbAzure)
[https://www.nuget.org/api/v2/packagehttps](https://www.nuget.org/api/v2/packagehttps)
[https://www.parsehub.com/api/v2/projects](https://www.parsehub.com/api/v2/projects)
[https://www.pivotaltracker.com/services/v5/mehttps](https://www.pivotaltracker.com/services/v5/mehttps)
[https://www.planyo.com/rest/](https://www.planyo.com/rest/)
[https://www.postman.com/_api/workspace/](https://www.postman.com/_api/workspace/)
[https://www.protocols.io/api/v3/session/profilerequest](https://www.protocols.io/api/v3/session/profilerequest)
[https://www.recent](https://www.recent)
[https://www.strava.com/oauth/tokenhttps](https://www.strava.com/oauth/tokenhttps)
[https://www.streak.com/api/v1/pipelineshttps](https://www.streak.com/api/v1/pipelineshttps)
[https://www.tefter.io/api/bookmarks](https://www.tefter.io/api/bookmarks)
[https://www.versioneye.com/api/v1/scanshttps](https://www.versioneye.com/api/v1/scanshttps)
[https://www.virustotal.com/api/v3/metadatahttps](https://www.virustotal.com/api/v3/metadatahttps)
[https://www.worldcoinindex.com/apiservice/ticker](https://www.worldcoinindex.com/apiservice/ticker)
[https://www.zipcodeapi.com/rest/](https://www.zipcodeapi.com/rest/)
[https://yourdomain.com/samplecallback](https://yourdomain.com/samplecallback)
[https://yourwebsite.com/callbacks_handler/BuddyNS](https://yourwebsite.com/callbacks_handler/BuddyNS) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [AMD64](https://github.com/search?q=AMD64&type=code)
[amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | +| LOW | [collect/code/github_api](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/code/github_api.yara#github_api_user) | access GitHub API | [api.github.com](https://github.com/search?q=api.github.com&type=code)
[google/go-github](https://github.com/search?q=google%2Fgo-github&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [- pairs with password](https://github.com/search?q=-+pairs+with+password&type=code)
[AllowCleartextPasswords](https://github.com/search?q=AllowCleartextPasswords&type=code)
[AllowEmptyPassword](https://github.com/search?q=AllowEmptyPassword&type=code)
[AllowNativePasswords](https://github.com/search?q=AllowNativePasswords&type=code)
[AllowOldPasswords](https://github.com/search?q=AllowOldPasswords&type=code)
[Attribute SyntaxPassword must be changed](https://github.com/search?q=Attribute+SyntaxPassword+must+be+changed&type=code)
[CertificatePasswordvprotobuf](https://github.com/search?q=CertificatePasswordvprotobuf&type=code)
[ChangePasswordLength](https://github.com/search?q=ChangePasswordLength&type=code)
[ChangePasswordOffset](https://github.com/search?q=ChangePasswordOffset&type=code)
[ChangePasswordOptions](https://github.com/search?q=ChangePasswordOptions&type=code)
[ControlVChuPasswordMustChange](https://github.com/search?q=ControlVChuPasswordMustChange&type=code)
[ControlVChuPasswordWarning](https://github.com/search?q=ControlVChuPasswordWarning&type=code)
[Elasticsearch password](https://github.com/search?q=Elasticsearch+password&type=code)
[FilePasswordFunc](https://github.com/search?q=FilePasswordFunc&type=code)
[GetCertificatePassword](https://github.com/search?q=GetCertificatePassword&type=code)
[GetPassword](https://github.com/search?q=GetPassword&type=code)
[GetVCSPassword](https://github.com/search?q=GetVCSPassword&type=code)
[GetVerifiablePasswordAuthentication](https://github.com/search?q=GetVerifiablePasswordAuthentication&type=code)
[KeychainPasswordFunc](https://github.com/search?q=KeychainPasswordFunc&type=code)
[NewChangePasswordFunc](https://github.com/search?q=NewChangePasswordFunc&type=code)
[NewControlBeheraPasswordPolicy](https://github.com/search?q=NewControlBeheraPasswordPolicy&type=code)
[NewReaderWithPassword](https://github.com/search?q=NewReaderWithPassword&type=code)
[Pairs with password](https://github.com/search?q=Pairs+with+password&type=code)
[PasscodeInPassword](https://github.com/search?q=PasscodeInPassword&type=code)
[Password from](https://github.com/search?q=Password+from&type=code)
[PasswordAuthenticator](https://github.com/search?q=PasswordAuthenticator&type=code)
[PasswordChanged](https://github.com/search?q=PasswordChanged&type=code)
[PasswordCredentialsToken](https://github.com/search?q=PasswordCredentialsToken&type=code)
[PasswordEprotobuf](https://github.com/search?q=PasswordEprotobuf&type=code)
[PasswordHashIterations](https://github.com/search?q=PasswordHashIterations&type=code)
[PasswordModify](https://github.com/search?q=PasswordModify&type=code)
[PasswordRegexCheck](https://github.com/search?q=PasswordRegexCheck&type=code)
[PasswordSet](https://github.com/search?q=PasswordSet&type=code)
[SASLprepping password](https://github.com/search?q=SASLprepping+password&type=code)
[SecureSettingsPassword](https://github.com/search?q=SecureSettingsPassword&type=code)
[allowCleartextPasswords](https://github.com/search?q=allowCleartextPasswords&type=code)
[allowOldPasswords](https://github.com/search?q=allowOldPasswords&type=code)
[authRequiresPassword](https://github.com/search?q=authRequiresPassword&type=code)
[certificatePassword](https://github.com/search?q=certificatePassword&type=code)
[certificate_password](https://github.com/search?q=certificate_password&type=code)
[change_passwordsecurity](https://github.com/search?q=change_passwordsecurity&type=code)
[changepassword](https://github.com/search?q=changepassword&type=code)
[dPassword Policy - Behera](https://github.com/search?q=dPassword+Policy+-+Behera&type=code)
[empty password](https://github.com/search?q=empty+password&type=code)
[encryptPassword](https://github.com/search?q=encryptPassword&type=code)
[errEmptyPassword](https://github.com/search?q=errEmptyPassword&type=code)
[for ChangePassword](https://github.com/search?q=for+ChangePassword&type=code)
[in list of old passwordsldap](https://github.com/search?q=in+list+of+old+passwordsldap&type=code)
[incorrect passwordrardecode](https://github.com/search?q=incorrect+passwordrardecode&type=code)
[json into Changepassword request](https://github.com/search?q=json+into+Changepassword+request&type=code)
[key is not password protectedssh](https://github.com/search?q=key+is+not+password+protectedssh&type=code)
[manglePassword](https://github.com/search?q=manglePassword&type=code)
[meetsCouchbasePasswordRequirements](https://github.com/search?q=meetsCouchbasePasswordRequirements&type=code)
[meetsSnowflakePasswordRequirements](https://github.com/search?q=meetsSnowflakePasswordRequirements&type=code)
[mongoPasswordDigest](https://github.com/search?q=mongoPasswordDigest&type=code)
[native_passwordinvalid dbname](https://github.com/search?q=native_passwordinvalid+dbname&type=code)
[nil ValueWriterpassword must not be set](https://github.com/search?q=nil+ValueWriterpassword+must+not+be+set&type=code)
[no username and password are provided](https://github.com/search?q=no+username+and+password+are+provided&type=code)
[old_passwordsRepositories to](https://github.com/search?q=old_passwordsRepositories+to&type=code)
[parseUserPassword](https://github.com/search?q=parseUserPassword&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[passwordFunc](https://github.com/search?q=passwordFunc&type=code)
[passwordSet](https://github.com/search?q=passwordSet&type=code)
[password_change_date](https://github.com/search?q=password_change_date&type=code)
[password_hash](https://github.com/search?q=password_hash&type=code)
[passwordattachment](https://github.com/search?q=passwordattachment&type=code)
[passwordf](https://github.com/search?q=passwordf&type=code)
[passworduser](https://github.com/search?q=passworduser&type=code)
[qunexpected password response](https://github.com/search?q=qunexpected+password+response&type=code)
[requires old password authentication](https://github.com/search?q=requires+old+password+authentication&type=code)
[saltPassword](https://github.com/search?q=saltPassword&type=code)
[scrambleOldPassword](https://github.com/search?q=scrambleOldPassword&type=code)
[scramblePassword](https://github.com/search?q=scramblePassword&type=code)
[secure_settings_password](https://github.com/search?q=secure_settings_password&type=code)
[sendEncryptedPassword](https://github.com/search?q=sendEncryptedPassword&type=code)
[socksUsernamePassword](https://github.com/search?q=socksUsernamePassword&type=code)
[stripPassword](https://github.com/search?q=stripPassword&type=code)
[the ChangePassword query execution](https://github.com/search?q=the+ChangePassword+query+execution&type=code)
[username AND password](https://github.com/search?q=username+AND+password&type=code)
[username or password was specified](https://github.com/search?q=username+or+password+was+specified&type=code)
[vcs_password](https://github.com/search?q=vcs_password&type=code)
[verifiable_password_authentication](https://github.com/search?q=verifiable_password_authentication&type=code)
[winvalid password](https://github.com/search?q=winvalid+password&type=code) | +| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [privateKey](https://github.com/search?q=privateKey&type=code)
[private_key](https://github.com/search?q=private_key&type=code)
[privatekey](https://github.com/search?q=privatekey&type=code) | +| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[aes_256_cbc](https://github.com/search?q=aes_256_cbc&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) | +| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [DecryptArgs](https://github.com/search?q=DecryptArgs&type=code)
[DecryptColumnEncryption](https://github.com/search?q=DecryptColumnEncryption&type=code)
[DecryptExplicit](https://github.com/search?q=DecryptExplicit&type=code)
[DecryptOAEP](https://github.com/search?q=DecryptOAEP&type=code)
[DecryptPEMBlock](https://github.com/search?q=DecryptPEMBlock&type=code)
[DecryptPKCS1v15SessionK](https://github.com/search?q=DecryptPKCS1v15SessionK&type=code)
[DecryptPrivateKeys](https://github.com/search?q=DecryptPrivateKeys&type=code)
[DecryptTicket](https://github.com/search?q=DecryptTicket&type=code)
[Decrypt_html_template_r](https://github.com/search?q=Decrypt_html_template_r&type=code)
[DecrypterInteract with](https://github.com/search?q=DecrypterInteract+with&type=code)
[DecrypterOpts](https://github.com/search?q=DecrypterOpts&type=code)
[DecryptionKeys](https://github.com/search?q=DecryptionKeys&type=code)
[GetDecryptedKey](https://github.com/search?q=GetDecryptedKey&type=code)
[NewCBCDecrypter](https://github.com/search?q=NewCBCDecrypter&type=code)
[NewCFBDecrypter](https://github.com/search?q=NewCFBDecrypter&type=code)
[NewECBDecrypter](https://github.com/search?q=NewECBDecrypter&type=code)
[NewOCFBDecrypter](https://github.com/search?q=NewOCFBDecrypter&type=code)
[PKCS1v15DecryptOptions](https://github.com/search?q=PKCS1v15DecryptOptions&type=code)
[aeadDecrypter](https://github.com/search?q=aeadDecrypter&type=code)
[cbcDecrypter](https://github.com/search?q=cbcDecrypter&type=code)
[decbDecrypter](https://github.com/search?q=decbDecrypter&type=code)
[ecDecrypterSigner](https://github.com/search?q=ecDecrypterSigner&type=code)
[edDecrypterSigner](https://github.com/search?q=edDecrypterSigner&type=code)
[lid options for Decryptcipher](https://github.com/search?q=lid+options+for+Decryptcipher&type=code)
[newAesDecryptReader](https://github.com/search?q=newAesDecryptReader&type=code)
[newDecrypter](https://github.com/search?q=newDecrypter&type=code)
[ocfbDecrypter](https://github.com/search?q=ocfbDecrypter&type=code)
[pkeDecrypt](https://github.com/search?q=pkeDecrypt&type=code)
[pter type in NewDecrypterPrivateKeyCoun](https://github.com/search?q=pter+type+in+NewDecrypterPrivateKeyCoun&type=code)
[rsaDecryptOk](https://github.com/search?q=rsaDecryptOk&type=code)
[rsaDecrypterSigner](https://github.com/search?q=rsaDecrypterSigner&type=code)
[vDecrypting column](https://github.com/search?q=vDecrypting+column&type=code)
[wecbDecrypter](https://github.com/search?q=wecbDecrypter&type=code) | +| LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) | +| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | +| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public key](https://github.com/search?q=Public+key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | +| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code) | +| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | +| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | +| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | +| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | +| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [(/](https://github.com/search?q=%28%B5%2F%FD&type=code)
[ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | +| LOW | [data/embedded/pem_certificate](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert) | Contains embedded PEM certificate | [--BEGIN CERTIFICATE--](https://github.com/search?q=--BEGIN+CERTIFICATE--&type=code) | +| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | +| LOW | [data/encoding/json](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json.yara#encoding_json) | Supports JSON encoded objects | [encoding/json](https://github.com/search?q=encoding%2Fjson&type=code) | +| LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSONDecode](https://github.com/search?q=JSONDecode&type=code)
[json.Unmarshal](https://github.com/search?q=json.Unmarshal&type=code) | +| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSONEncode](https://github.com/search?q=JSONEncode&type=code) | +| LOW | [data/hash/blake2b](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/blake2b.yara#crypto_blake2b) | Uses blake2b encryption algorithm | [blake2b](https://github.com/search?q=blake2b&type=code) | +| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [md5:copy](https://github.com/search?q=md5%3Acopy&type=code) | +| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | +| LOW | [discover/cloud/aws_metadata](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/aws-metadata.yara#aws_metadata) | References the AWS EC2 metadata token | [X-aws-ec2-metadata-token](https://github.com/search?q=X-aws-ec2-metadata-token&type=code) | +| LOW | [discover/cloud/google_metadata](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/google-metadata.yara#google_metadata) | Includes the token required to use the Google Cloud Platform metadata server | [Metadata-Flavor](https://github.com/search?q=Metadata-Flavor&type=code) | +| LOW | [discover/cloud/google_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/google-storage.yara#go_import) | Capable of using Google Cloud Storage (GCS) | [cloud.google.com/go/storage](https://github.com/search?q=cloud.google.com%2Fgo%2Fstorage&type=code) | +| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | +| LOW | [discover/system/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) | +| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [/proc/sys/kernel/hostname](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fhostname&type=code) | +| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | 
[syscall.Uname](https://github.com/search?q=syscall.Uname&type=code)
[uname](https://github.com/search?q=uname&type=code) | +| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [EditorImportPlugin](https://github.com/search?q=EditorImportPlugin&type=code)
[EditorPlugin](https://github.com/search?q=EditorPlugin&type=code)
[ExtendedPlugins](https://github.com/search?q=ExtendedPlugins&type=code)
[NewPluginsFunc](https://github.com/search?q=NewPluginsFunc&type=code)
[PluginStats](https://github.com/search?q=PluginStats&type=code)
[PluginsFormat](https://github.com/search?q=PluginsFormat&type=code)
[PluginsRecord](https://github.com/search?q=PluginsRecord&type=code)
[PluginsStatus](https://github.com/search?q=PluginsStatus&type=code)
[SetPluginConfig](https://github.com/search?q=SetPluginConfig&type=code)
[extended_plugins](https://github.com/search?q=extended_plugins&type=code)
[hungarian_ciunknown auth plugin](https://github.com/search?q=hungarian_ciunknown+auth+plugin&type=code)
[not use requested auth plugin](https://github.com/search?q=not+use+requested+auth+plugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[plugin loaded](https://github.com/search?q=plugin+loaded&type=code)
[pluginVersion](https://github.com/search?q=pluginVersion&type=code)
[pluginclose](https://github.com/search?q=pluginclose&type=code)
[pluginopen](https://github.com/search?q=pluginopen&type=code)
[pluginpath](https://github.com/search?q=pluginpath&type=code)
[pluginsFormat](https://github.com/search?q=pluginsFormat&type=code)
[pluginsrecord](https://github.com/search?q=pluginsrecord&type=code)
[pluginstats](https://github.com/search?q=pluginstats&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | +| LOW | [exec/system_controls/systemd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/system_controls/systemd.yara#ref_systemd) | makes references to systemd | [SYSTEMD](https://github.com/search?q=SYSTEMD&type=code)
[systemd](https://github.com/search?q=systemd&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectoryFn](https://github.com/search?q=CreateDirectoryFn&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | +| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | +| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [Rmdir](https://github.com/search?q=Rmdir&type=code)
[rmdir](https://github.com/search?q=rmdir&type=code) | +| LOW | [fs/fifo_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/fifo-create.yara#mkfifo) | make a FIFO special file (a named pipe) | [mkfifo](https://github.com/search?q=mkfifo&type=code) | +| LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm non-TreeNoderserror creating cancelr](https://github.com/search?q=rm+non-TreeNoderserror+creating+cancelr&type=code)
[rm on-chain due to too low of a transa](https://github.com/search?q=rm+on-chain+due+to+too+low+of+a+transa&type=code) | +| LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | +| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code)
[os.(*File).Read](https://github.com/search?q=os.%28%2AFile%29.Read&type=code) | +| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code)
[os.rename](https://github.com/search?q=os.rename&type=code) | +| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statFile](https://github.com/search?q=fs.statFile&type=code) | +| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code)
[writeCacheFile](https://github.com/search?q=writeCacheFile&type=code)
[writeFilePatchHeader](https://github.com/search?q=writeFilePatchHeader&type=code)
[writeFileToArchive](https://github.com/search?q=writeFileToArchive&type=code)
[writeFilestat](https://github.com/search?q=writeFilestat&type=code)
[writeRawFile](https://github.com/search?q=writeRawFile&type=code)
[writerFile](https://github.com/search?q=writerFile&type=code) | +| LOW | [fs/link_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) | +| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | +| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | +| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/apache/mime.typesgzip](https://github.com/search?q=%2Fetc%2Fapache%2Fmime.typesgzip&type=code)
[/etc/gitconfigempty](https://github.com/search?q=%2Fetc%2Fgitconfigempty&type=code)
[/etc/hosts.localhostgetsockoptnetlink](https://github.com/search?q=%2Fetc%2Fhosts.localhostgetsockoptnetlink&type=code)
[/etc/httpd/conf/mime.typesmime](https://github.com/search?q=%2Fetc%2Fhttpd%2Fconf%2Fmime.typesmime&type=code)
[/etc/mdns.allow/etc/mime.types](https://github.com/search?q=%2Fetc%2Fmdns.allow%2Fetc%2Fmime.types&type=code)
[/etc/nsswitch.confinvalid](https://github.com/search?q=%2Fetc%2Fnsswitch.confinvalid&type=code)
[/etc/pki/ca-trust/extracted/pem/tls-c](https://github.com/search?q=%2Fetc%2Fpki%2Fca-trust%2Fextracted%2Fpem%2Ftls-c&type=code)
[/etc/pki/tls/cacert.peminvalid](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcacert.peminvalid&type=code)
[/etc/pki/tls/certs/ca-bundle.crtx](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcerts%2Fca-bundle.crtx&type=code)
[/etc/pki/tls/certsperforming](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcertsperforming&type=code)
[/etc/protocolsunknown](https://github.com/search?q=%2Fetc%2Fprotocolsunknown&type=code)
[/etc/resolv.confnon-](https://github.com/search?q=%2Fetc%2Fresolv.confnon-&type=code)
[/etc/servicesdal](https://github.com/search?q=%2Fetc%2Fservicesdal&type=code)
[/etc/ssh/ssh](https://github.com/search?q=%2Fetc%2Fssh%2Fssh&type=code)
[/etc/ssl/ca-bundle.pemx](https://github.com/search?q=%2Fetc%2Fssl%2Fca-bundle.pemx&type=code)
[/etc/ssl/cert.peminvalid](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.peminvalid&type=code)
[/etc/ssl/certs/ca-certificates.crtadd](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts%2Fca-certificates.crtadd&type=code)
[/etc/ssl/certsinvalid](https://github.com/search?q=%2Fetc%2Fssl%2Fcertsinvalid&type=code)
[/etc/zoneinfoparsing](https://github.com/search?q=%2Fetc%2Fzoneinfoparsing&type=code) | +| LOW | [fs/path/etc_resolv.conf](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf) | accesses DNS resolver configuration | [/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code) | +| LOW | [fs/path/file_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/file-url.yara#file_url) | file url | [file:///tmp](https://github.com/search?q=file%3A%2F%2F%2Ftmp&type=code) | +| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/trufflehog/3.82.6/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftrufflehog%2F3.82.6%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code) | +| LOW | [fs/path/home_config](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path) | path reference within ~/.config | [GRITY_ONLY.config/gcloudf32](https://github.com/search?q=GRITY_ONLY.config%2Fgcloudf32&type=code)
[NumberLine.config/git/configunknown channel](https://github.com/search?q=NumberLine.config%2Fgit%2Fconfigunknown+channel&type=code) | +| LOW | [fs/path/usr_bin](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path) | path reference within /usr/bin | [/usr/bin/envcomments_pop_1comments_pop_2c](https://github.com/search?q=%2Fusr%2Fbin%2Fenvcomments_pop_1comments_pop_2c&type=code) | +| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/run/slapd/ldapiTLS](https://github.com/search?q=%2Fvar%2Frun%2Fslapd%2FldapiTLS&type=code) | +| LOW | [fs/swap/off](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/swap/swap-off.yara#swapoff) | stop swapping to a file/device | [swapoff](https://github.com/search?q=swapoff&type=code) | +| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | +| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | +| LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [temp dir](https://github.com/search?q=temp+dir&type=code) | +| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [createTempFile](https://github.com/search?q=createTempFile&type=code)
[temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | +| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | +| LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) | +| LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code)
[SetEDNS0](https://github.com/search?q=SetEDNS0&type=code)
[dnsmessage](https://github.com/search?q=dnsmessage&type=code) |
+| LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code) |
+| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) |
+| LOW | [net/ftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ftp/ftp.yara#ftp) | File Transfer Protocol (FTP) | [ftp.Dial](https://github.com/search?q=ftp.Dial&type=code) |
+| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) |
+| LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) |
+| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[Www-Authenticate](https://github.com/search?q=Www-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) |
+| LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [OAuth 2](https://github.com/search?q=OAuth+2&type=code)
[oauth2](https://github.com/search?q=oauth2&type=code) |
+| LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) |
+| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code) |
+| LOW | [net/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets) | access the internet | [invalid packet](https://github.com/search?q=invalid+packet&type=code) |
+| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) |
+| LOW | [net/ip/resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-resolve.yara#gethostbyaddr) | [resolves network hosts via IP address](https://linux.die.net/man/3/gethostbyaddr) | [gethostbyaddr](https://github.com/search?q=gethostbyaddr&type=code) |
+| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) |
+| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) |
+| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) |
+| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) |
+| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) |
+| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code)
[sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) |
+| LOW | [net/tcp/grpc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/grpc.yara#grpc) | Uses the gRPC Remote Procedure Call framework | [gRPC](https://github.com/search?q=gRPC&type=code) |
+| LOW | [net/udp/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-receive.yara#udp_listen) | Listens for UDP responses | [ReadFromUDP](https://github.com/search?q=ReadFromUDP&type=code)
[listenUDP](https://github.com/search?q=listenUDP&type=code) |
+| LOW | [net/udp/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-send.yara#udp_send) | Sends UDP packets | [DialUDP](https://github.com/search?q=DialUDP&type=code)
[WriteMsgUDP](https://github.com/search?q=WriteMsgUDP&type=code) |
+| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [RequestURI](https://github.com/search?q=RequestURI&type=code) |
+| LOW | [os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val) | Retrieve environment variable values | [env.ANSIC](https://github.com/search?q=env.ANSIC&type=code)
[env.RGBC](https://github.com/search?q=env.RGBC&type=code) |
+| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code)
[syscall.Sendfile](https://github.com/search?q=syscall.Sendfile&type=code) |
+| LOW | [os/kernel/key_management](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/key-management.yara#syscall_keyctl) | kernel key management facility | [keyctl](https://github.com/search?q=keyctl&type=code) |
+| LOW | [os/kernel/netlink](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink) | communicate with kernel services | [netlink](https://github.com/search?q=netlink&type=code) |
+| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) |
+| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) |
+| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real, effective, and saved group ID of process | [setgid](https://github.com/search?q=setgid&type=code) |
+| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) |
+| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
+
diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple
index e69de29bb..5a76c42d3 100644
--- a/tests/linux/clean/wolfictl.simple
+++ b/tests/linux/clean/wolfictl.simple
@@ -0,0 +1,192 @@
+# linux/clean/wolfictl: medium
+anti-static/elf/multiple: medium
+c2/addr/http_dynamic: medium
+c2/addr/ip: medium
+c2/addr/url: low
+c2/client: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/download: medium
+c2/tool_transfer/dropper: medium
+c2/tool_transfer/os: medium
+collect/archives/tar_command: medium
+collect/archives/unarchive: medium
+collect/archives/zip: medium
+collect/code/github_api: low
+collect/databases/mysql: medium
+collect/databases/postgresql: medium
+collect/databases/sqlite: medium
+credential/clipboard: medium
+credential/cloud/g: medium
+credential/keychain: medium
+credential/password: low
+credential/server/htpasswd: medium
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/blockchain: medium
+crypto/cipher: medium
+crypto/decrypt: low
+crypto/ecdsa: low
+crypto/ed25519: low
+crypto/openssl: medium
+crypto/public_key: low
+crypto/tls: low
+data/compression/bzip2: low
+data/compression/gzip: low
+data/compression/lzma: low
+data/compression/xz: medium
+data/compression/zlib: low
+data/compression/zstd: low
+data/embedded/html: medium
+data/embedded/pem_certificate: low
+data/embedded/ssh_signature: medium
+data/encoding/base64: low
+data/encoding/json: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
+data/hash/blake2b: low
+data/hash/md5: low
+discover/cloud/aws_metadata: low
+discover/cloud/google_metadata: low
+discover/cloud/google_storage: low
+discover/network/interface_list: medium
+discover/network/mac_address: medium
+discover/network/netstat: medium
+discover/processes/pgrep: medium
+discover/system/cpu: low
+discover/system/dmesg: low
+discover/system/hostname: low
+discover/system/platform: medium
+discover/system/sysinfo: medium
+discover/user/HOME: low
+discover/user/USER: low
+discover/user/name_get: medium
+evasion/bypass_security/linux/se: medium
+evasion/bypass_security/macos/xprotect: medium
+evasion/file/location/dev_shm: medium
+evasion/file/location/system_directory: medium
+evasion/file/prefix: medium
+exec/cmd: medium
+exec/conditional/LANG: low
+exec/dylib/symbol_address: medium
+exec/install_additional/pip_install: medium
+exec/plugin: low
+exec/program: medium
+exec/shell/TERM: low
+exec/shell/background_sleep: medium
+exec/shell/pipe_sh: medium
+exec/system_controls/systemd: low
+exfil/office_file_ext: medium
+fs/attributes/set: medium
+fs/blkid: low
+fs/directory/create: low
+fs/directory/list: low
+fs/directory/remove: low
+fs/fifo_create: low
+fs/file/copy: medium
+fs/file/create: medium
+fs/file/delete: medium
+fs/file/delete_forcibly: medium
+fs/file/open: low
+fs/file/read: low
+fs/file/rename: low
+fs/file/stat: low
+fs/file/times_set: medium
+fs/file/truncate: low
+fs/file/write: low
+fs/link_create: low
+fs/link_read: low
+fs/lock_update: low
+fs/loopback: medium
+fs/mount: low
+fs/node_create: low
+fs/path/bin_su: low
+fs/path/etc: low
+fs/path/etc_hosts: medium
+fs/path/etc_resolv.conf: low
+fs/path/home_config: low
+fs/path/root: medium
+fs/path/users: medium
+fs/path/usr_bin: low
+fs/path/usr_local: medium
+fs/path/usr_sbin: low
+fs/path/var: low
+fs/permission/chown: medium
+fs/permission/modify: medium
+fs/proc/arbitrary_pid: medium
+fs/proc/self_mountinfo: medium
+fs/swap/off: low
+fs/swap/on: low
+fs/symlink_resolve: low
+fs/tempdir: low
+fs/tempdir/TEMP: low
+fs/tempdir/TMPDIR: low
+fs/tempdir/create: low
+fs/tempfile: low
+fs/unmount: low
+fs/watch: low
+hw/wireless: low
+impact/ddos/raw_flooder: medium
+impact/remote_access/heartbeat: medium
+impact/remote_access/kill_rm: medium
+lateral/scan/brute_force: low
+lateral/scan/tool: medium
+malware/ref: medium
+net/dns: low
+net/dns/reverse: medium
+net/dns/servers: low
+net/dns/txt: low
+net/download/fetch: medium
+net/http/2: low
+net/http/accept: medium
+net/http/accept_encoding: low
+net/http/auth: low
+net/http/content_length: medium
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/oauth2: low
+net/http/post: medium
+net/http/proxy: low
+net/http/request: low
+net/http/webhook: medium
+net/ip: low
+net/ip/host_port: medium
+net/ip/icmp: medium
+net/ip/multicast_send: low
+net/ip/parse: medium
+net/proxy/reverse: medium
+net/proxy/socks5: medium
+net/proxy/tunnel: medium
+net/resolve/hostname: low
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/peer_address: low
+net/socket/receive: low
+net/socket/reuseport: medium
+net/socket/send: low
+net/tcp/connect: medium
+net/tcp/grpc: low
+net/tcp/ssh: medium
+net/udp/receive: low
+net/udp/send: low
+net/url/embedded: medium
+net/url/encode: medium
+net/url/parse: low
+net/url/request: medium
+os/env/get: low
+os/fd/sendfile: low
+os/kernel/netlink: low
+os/kernel/seccomp: low
+os/time/clock_set: low
+persist/cron/tab: medium
+persist/pid_file: medium
+privesc/setuid: low
+process/chdir: low
+process/chroot: low
+process/create: low
+process/groupid_set: low
+process/groups_set: low
+process/multithreaded: low
+process/unshare: low
+sus/exclamation: medium
+sus/intercept: medium
+sus/malicious: medium
diff --git a/tests/python/clean/airflow/botocore_config.py.simple b/tests/python/clean/airflow/botocore_config.py.simple
index e69de29bb..c71e9a94f 100644
--- a/tests/python/clean/airflow/botocore_config.py.simple
+++ b/tests/python/clean/airflow/botocore_config.py.simple
@@ -0,0 +1,7 @@
+# python/clean/airflow/botocore_config.py: medium
+exec/imports/python: low
+impact/remote_access/agent: medium
+net/http/request: low
+net/ip/host_port: medium
+net/socket/connect: medium
+net/url/embedded: low
diff --git a/tests/python/clean/airflow/db.py.simple b/tests/python/clean/airflow/db.py.simple
index e69de29bb..78f3cd6e7 100644
--- a/tests/python/clean/airflow/db.py.simple
+++ b/tests/python/clean/airflow/db.py.simple
@@ -0,0 +1,13 @@
+# python/clean/airflow/db.py: medium
+collect/databases/leveldb: medium
+collect/databases/mysql: medium
+collect/databases/postgresql: medium
+collect/databases/sqlite: medium
+credential/password: low
+credential/ssh: medium
+exec/plugin: low
+fs/tempdir: low
+net/ip/host_port: medium
+net/tcp/sftp: medium
+net/url/embedded: low
+os/fd/multiplex: low
diff --git a/tests/python/clean/airflow/kubernetes_engine.py.simple b/tests/python/clean/airflow/kubernetes_engine.py.simple
index e69de29bb..07bd2598a 100644
--- a/tests/python/clean/airflow/kubernetes_engine.py.simple
+++ b/tests/python/clean/airflow/kubernetes_engine.py.simple
@@ -0,0 +1,6 @@
+# python/clean/airflow/kubernetes_engine.py: medium
+anti-static/obfuscation/python: medium
+exec/imports/python: low
+net/http/auth: low
+net/url/embedded: low
+net/url/request: medium
diff --git a/tests/python/clean/fonttools/psLib.py.simple b/tests/python/clean/fonttools/psLib.py.simple
index e69de29bb..136b64901 100644
--- a/tests/python/clean/fonttools/psLib.py.simple
+++ b/tests/python/clean/fonttools/psLib.py.simple
@@ -0,0 +1,3 @@
+# python/clean/fonttools/psLib.py: low
+anti-static/obfuscation/python: low
+exec/imports/python: low
diff --git a/tests/python/clean/google-cloud-sdk/requests_setup.py.simple b/tests/python/clean/google-cloud-sdk/requests_setup.py.simple
index e69de29bb..ba66aa37b 100644
--- a/tests/python/clean/google-cloud-sdk/requests_setup.py.simple
+++ b/tests/python/clean/google-cloud-sdk/requests_setup.py.simple
@@ -0,0 +1,12 @@
+# python/clean/google-cloud-sdk/requests_setup.py: medium
+exec/imports/python: low
+exec/program: medium
+exec/remote_commands/code_eval: medium
+exec/shell/command: medium
+fs/file/open: low
+fs/path/usr_bin: low
+impact/remote_access/py_setuptools: medium
+net/url/embedded: low
+net/url/parse: low
+os/fd/read: low
+process/multi: medium
diff --git a/tests/python/clean/matplotlib/_backend_tk.py.simple b/tests/python/clean/matplotlib/_backend_tk.py.simple
index e69de29bb..c2b033ac2 100644
--- a/tests/python/clean/matplotlib/_backend_tk.py.simple
+++ b/tests/python/clean/matplotlib/_backend_tk.py.simple
@@ -0,0 +1,6 @@
+# python/clean/matplotlib/_backend_tk.py: medium
+anti-static/obfuscation/bitwise: low
+c2/tool_transfer/os: medium
+discover/system/platform: medium
+exec/imports/python: low
+net/url/embedded: low
diff --git a/tests/python/clean/matplotlib/backend_bases.py.simple b/tests/python/clean/matplotlib/backend_bases.py.simple
index e69de29bb..14e0fc17c 100644
--- a/tests/python/clean/matplotlib/backend_bases.py.simple
+++ b/tests/python/clean/matplotlib/backend_bases.py.simple
@@ -0,0 +1,7 @@
+# python/clean/matplotlib/backend_bases.py: medium
+c2/tool_transfer/os: low
+discover/system/platform: medium
+net/socket/connect: medium
+net/socket/listen: medium
+net/socket/pair: medium
+net/url/embedded: low
diff --git a/tests/python/clean/matplotlib/backend_qt.py.simple b/tests/python/clean/matplotlib/backend_qt.py.simple
index e69de29bb..2fe4bb7b5 100644
--- a/tests/python/clean/matplotlib/backend_qt.py.simple
+++ b/tests/python/clean/matplotlib/backend_qt.py.simple
@@ -0,0 +1,9 @@
+# python/clean/matplotlib/backend_qt.py: medium
+c2/tool_transfer/os: medium
+discover/system/platform: medium
+exec/imports/python: low
+exec/remote_commands/code_eval: medium
+net/socket/pair: medium
+net/socket/receive: low
+net/url/embedded: low
+os/time/clock_sleep: medium
diff --git a/tests/python/clean/matplotlib/backend_wx.py.simple b/tests/python/clean/matplotlib/backend_wx.py.simple
index e69de29bb..045e6a281 100644
--- a/tests/python/clean/matplotlib/backend_wx.py.simple
+++ b/tests/python/clean/matplotlib/backend_wx.py.simple
@@ -0,0 +1,5 @@
+# python/clean/matplotlib/backend_wx.py: medium
+c2/tool_transfer/os: medium
+discover/system/platform: medium
+exec/imports/python: low
+net/url/embedded: low
diff --git a/tests/python/clean/mitmproxy/raw_display.py.simple b/tests/python/clean/mitmproxy/raw_display.py.simple
index e69de29bb..f8393396d 100644
--- a/tests/python/clean/mitmproxy/raw_display.py.simple
+++ b/tests/python/clean/mitmproxy/raw_display.py.simple
@@ -0,0 +1,16 @@
+# python/clean/mitmproxy/raw_display.py: medium
+c2/tool_transfer/os: low
+exec/imports/python: low
+exec/program: medium
+exec/program/background: low
+exec/shell/TERM: low
+fs/file/write: low
+fs/path/usr_bin: low
+net/socket/connect: medium
+net/socket/pair: medium
+net/socket/receive: low
+net/socket/send: low
+net/url/embedded: low
+os/fd/write: low
+persist/daemon: medium
+process/multithreaded: medium
From b0aa34b66f28a28d973835f9f62ce2ff03a58b42 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 17 Dec 2024 16:30:48 -0500
Subject: [PATCH 3/4] yara fmt
---
 rules/exfil/stealer/keylogger.yara | 4 ++--
 rules/false_positives/py_hatch.yara | 2 +-
 rules/false_positives/setuptools.yara | 6 ++---
 rules/impact/remote_access/py_setuptools.yara | 24 ++++++++++---------
 4 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/rules/exfil/stealer/keylogger.yara b/rules/exfil/stealer/keylogger.yara
index 185dba0ed..4065e768a 100644
--- a/rules/exfil/stealer/keylogger.yara
+++ b/rules/exfil/stealer/keylogger.yara
@@ -44,8 +44,8 @@ rule py_keykeyboard_exfil: high { $http_Discord = "Discord" $http_keylogger = /[kK]eylogger/ $http_Telegram = "Telegram" - $f_pynput = "pynput" fullword - $f_keyboard = "keyboard" fullword + $f_pynput = "pynput" fullword + $f_keyboard = "keyboard" fullword $f_key = ".name" $f_listener = "on_release"
diff --git a/rules/false_positives/py_hatch.yara b/rules/false_positives/py_hatch.yara
index 4075c71cf..3c0f1f9e4 100644
--- a/rules/false_positives/py_hatch.yara
+++ b/rules/false_positives/py_hatch.yara
@@ -1,6 +1,6 @@ rule migrate_py: override { meta: - description = "migrate.py" + description = "migrate.py" setuptools_eval_high = "medium" strings:
diff --git a/rules/false_positives/setuptools.yara b/rules/false_positives/setuptools.yara
index 1d03fe06f..1080e5a56 100644
--- a/rules/false_positives/setuptools.yara
+++ b/rules/false_positives/setuptools.yara
@@ -1,6 +1,6 @@ rule setuptools_namespaces: override { meta: - description = "namespaces.py" + description = "namespaces.py" setuptools_exec_high = "low" strings:
@@ -18,7 +18,7 @@ rule setuptools_namespaces: override { rule numba_support: override { meta: - description = "support.py" + description = "support.py" setuptools_exec_high = "low" strings:
@@ -33,7 +33,7 @@ rule numba_support: override { rule setup_pydevd_cython: override { meta: - description = "setup_pydevd_cython.py" + description = "setup_pydevd_cython.py" setuptools_exec_high = "low" strings:
diff --git a/rules/impact/remote_access/py_setuptools.yara b/rules/impact/remote_access/py_setuptools.yara
index 2ae857b78..61bcbf970 100644
--- a/rules/impact/remote_access/py_setuptools.yara
+++ b/rules/impact/remote_access/py_setuptools.yara
@@ -51,8 +51,9 @@ rule setuptools_cmd_exec: high { $not_comment = "Editable install to a prefix should be discoverable." $not_egg_info_requires = "os.path.join(egg_info_dir, 'requires.txt')" $not_requests = "'Documentation': 'https://requests.readthedocs.io'" - $not_sdist_publish = "python setup.py sdist bdist_wheel" - $not_twine_upload = "twine upload dist/*" + $not_sdist_publish = "python setup.py sdist bdist_wheel" + $not_twine_upload = "twine upload dist/*" + condition: remote_access_pythonSetup and any of ($f*) and none of ($not*) }
@@ -71,25 +72,25 @@ rule setuptools_cmd_exec_start: critical { remote_access_pythonSetup and any of ($f*) } - rule setuptools_eval: medium { meta: description = "Python library installer that evaluates arbitrary code" strings: - $f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword + $f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword + condition: remote_access_pythonSetup and any of ($f*) } - rule setuptools_eval_high: high { meta: description = "Python library installer that evaluates arbitrary code" strings: - $f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword - $not_namespaced = /eval\([\w\.\(\)\"\/\']{4,16}, [a-z]{1,6}[,\)]/ + $f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword + $not_namespaced = /eval\([\w\.\(\)\"\/\']{4,16}, [a-z]{1,6}[,\)]/ + condition: remote_access_pythonSetup and any of ($f*) and none of ($not*) }
@@ -99,7 +100,8 @@ rule setuptools_exec: medium { description = "Python library installer that executes arbitrary code" strings: - $f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword + $f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword + condition: remote_access_pythonSetup and any of ($f*) }
@@ -109,7 +111,7 @@ rule setuptools_exec_high: high { description = "Python library installer that evaluates arbitrary code" strings: - $f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword + $f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword $not_apache = "# Licensed under the Apache License, Version 2.0 (the \"License\")" $not_comment = "Editable install to a prefix should be discoverable." $not_google = /# Copyright [1-2][0-9]{3} Google Inc/
@@ -119,12 +121,12 @@ rule setuptools_exec_high: high { $not_pyspark_ioerror = "\"Failed to load PySpark version file for packaging. You must be in Spark's python dir.\"" $not_requests = "'Documentation': 'https://requests.readthedocs.io'" $not_test_egg_class = "class TestEggInfo" - $not_namespaced = /exec\([\w\.\(\)\"\/\']{4,16}, [a-z]{1,6}[,\)]/ + $not_namespaced = /exec\([\w\.\(\)\"\/\']{4,16}, [a-z]{1,6}[,\)]/ + condition: remote_access_pythonSetup and any of ($f*) and none of ($not*) } - rule setuptools_b64decode: suspicious { meta: description = "Python library installer that does base64 decoding"
From 533dc12a989067930e38be582b3107fe7901fb35 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 17 Dec 2024 16:47:26 -0500
Subject: [PATCH 4/4] rule tuning
---
 rules/false_positives/setuptools.yara | 15 ---------------
 .../clean/pydevd/setup_pydevd_cython.py.simple | 1 -
 2 files changed, 16 deletions(-)
diff --git a/rules/false_positives/setuptools.yara b/rules/false_positives/setuptools.yara
index 1080e5a56..510c127ae 100644
--- a/rules/false_positives/setuptools.yara
+++ b/rules/false_positives/setuptools.yara
@@ -30,18 +30,3 @@ rule numba_support: override { condition: filesize < 64KB and all of them } - -rule setup_pydevd_cython: override { - meta: - description = "setup_pydevd_cython.py" - setuptools_exec_high = "low" - strings: - $example = "python setup_pydevd_cython build_ext --inplace" - $header = "A simpler setup version just to compile the speedup module." - $import = "from setuptools import setup" - $pydevd = "pydevd" - condition: - filesize < 16KB and all of them -}
diff --git a/tests/python/clean/pydevd/setup_pydevd_cython.py.simple b/tests/python/clean/pydevd/setup_pydevd_cython.py.simple
index 15c3ffce6..7534b61bc 100644
--- a/tests/python/clean/pydevd/setup_pydevd_cython.py.simple
+++ b/tests/python/clean/pydevd/setup_pydevd_cython.py.simple
@@ -2,7 +2,6 @@
 discover/system/platform: medium
 exec/imports/python: low
 exec/remote_commands/code_eval: medium
-false-positives/setuptools: low
 fs/directory/list: low
 fs/file/delete: low
 fs/file/exists: low