Reduce Python CRITICAL false positives (setuptools, keylogger)

Makefile

@@ -3,7 +3,7 @@
 
 
 SAMPLES_REPO ?= chainguard-dev/malcontent-samples
-SAMPLES_COMMIT ?= 38d8faef6bcbd63f7cc02bb243b12aaa3e1ba70c
+SAMPLES_COMMIT ?= 528a7e975638d2c5ce06da1af32c5918aa4d6c7e
 
 # BEGIN: lint-install ../malcontent
 # http://github.com/tinkerbell/lint-install

rules/exfil/stealer/keylogger.yara

@@ -14,7 +14,7 @@ rule keylogger_discord_telegram: high {
     filesize < 256KB and any of ($http*) and any of ($k*)
 }
 
-rule py_keylogger_pynput_exfil: critical {
+rule py_keylogger_pynput_exfil: high {
   meta:
     description = "listens for keyboard events and exfiltrates them"
     filetypes   = "py"
@@ -33,7 +33,7 @@ rule py_keylogger_pynput_exfil: critical {
     filesize < 256KB and any of ($http*) and all of ($f*)
 }
 
-rule py_keykeyboard_exfil: critical {
+rule py_keykeyboard_exfil: high {
   meta:
     description = "listens for keyboard events and exfiltrates them"
     filetypes   = "py"
@@ -44,7 +44,8 @@ rule py_keykeyboard_exfil: critical {
     $http_Discord   = "Discord"
     $http_keylogger = /[kK]eylogger/
     $http_Telegram  = "Telegram"
-    $f_pynput       = "keyboard" fullword
+    $f_pynput       = "pynput" fullword
+    $f_keyboard     = "keyboard" fullword
     $f_key          = ".name"
     $f_listener     = "on_release"
 

rules/false_positives/py_hatch.yara

@@ -1,7 +1,7 @@
 rule migrate_py: override {
   meta:
-    description     = "migrate.py"
-    setuptools_eval = "medium"
+    description          = "migrate.py"
+    setuptools_eval_high = "medium"
 
   strings:
     $env     = "'_HATCHLING_PORT_ADD_'"

rules/false_positives/setuptools.yara

@@ -1,25 +1,7 @@
-rule test_pyprojecttoml: override {
-  meta:
-    description     = "namespaces.py, test_pyprojecttoml.py"
-    setuptools_eval = "low"
-
-  strings:
-    $example   = "EXAMPLE"
-    $func1     = "def create_example("
-    $func2     = "def verify_example("
-    $func3     = "def test_read_configuration("
-    $import    = "import setuptools"
-    $kv        = "\"pyproject.toml\": EXAMPLE"
-    $pyproject = "pyproject.toml"
-
-  condition:
-    filesize < 16KB and all of them
-}
-
 rule setuptools_namespaces: override {
   meta:
-    description     = "namespaces.py"
-    setuptools_eval = "low"
+    description          = "namespaces.py"
+    setuptools_exec_high = "low"
 
   strings:
     $func1     = "def iter_namespace_pkgs("
@@ -36,30 +18,15 @@ rule setuptools_namespaces: override {
 
 rule numba_support: override {
   meta:
-    description     = "support.py"
-    setuptools_eval = "low"
+    description          = "support.py"
+    setuptools_exec_high = "low"
 
   strings:
     $comment    = "Assorted utilities for use in tests."
-    $gh_issue   = "numba#"
+    $gh_issue   = "numbsa#"
     $import     = "from numba"
     $repository = "https://github.com/numba/numba"
 
   condition:
     filesize < 64KB and all of them
 }
-
-rule setup_pydevd_cython: override {
-  meta:
-    description     = "setup_pydevd_cython.py"
-    setuptools_eval = "low"
-
-  strings:
-    $example = "python setup_pydevd_cython build_ext --inplace"
-    $header  = "A simpler setup version just to compile the speedup module."
-    $import  = "from setuptools import setup"
-    $pydevd  = "pydevd"
-
-  condition:
-    filesize < 16KB and all of them
-}

rules/impact/remote_access/py_setuptools.yara

@@ -39,7 +39,7 @@ rule setuptools_homedir: high {
     remote_access_pythonSetup and any of them
 }
 
-rule setuptools_cmd_exec: suspicious {
+rule setuptools_cmd_exec: high {
   meta:
     description = "Python library installer that executes external commands"
 
@@ -51,6 +51,8 @@ rule setuptools_cmd_exec: suspicious {
     $not_comment           = "Editable install to a prefix should be discoverable."
     $not_egg_info_requires = "os.path.join(egg_info_dir, 'requires.txt')"
     $not_requests          = "'Documentation': 'https://requests.readthedocs.io'"
+    $not_sdist_publish     = "python setup.py sdist bdist_wheel"
+    $not_twine_upload      = "twine upload dist/*"
 
   condition:
     remote_access_pythonSetup and any of ($f*) and none of ($not*)
@@ -70,13 +72,46 @@ rule setuptools_cmd_exec_start: critical {
     remote_access_pythonSetup and any of ($f*)
 }
 
-rule setuptools_eval: critical {
+rule setuptools_eval: medium {
   meta:
     description = "Python library installer that evaluates arbitrary code"
 
   strings:
-    $f_sys_val           = /eval\([\"\'\w\ \-\)\/]{0,64}/ fullword
-    $f_subprocess_val    = /exec\([\"\'\/\w\ \-\)]{0,64}/ fullword
+    $f_eval = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
+
+  condition:
+    remote_access_pythonSetup and any of ($f*)
+}
+
+rule setuptools_eval_high: high {
+  meta:
+    description = "Python library installer that evaluates arbitrary code"
+
+  strings:
+    $f_eval         = /eval\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
+    $not_namespaced = /eval\([\w\.\(\)\"\/\']{4,16}, [a-z]{1,6}[,\)]/
+
+  condition:
+    remote_access_pythonSetup and any of ($f*) and none of ($not*)
+}
+
+rule setuptools_exec: medium {
+  meta:
+    description = "Python library installer that executes arbitrary code"
+
+  strings:
+    $f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
+
+  condition:
+    remote_access_pythonSetup and any of ($f*)
+}
+
+rule setuptools_exec_high: high {
+  meta:
+    description = "Python library installer that evaluates arbitrary code"
+
+  strings:
+    $f_exec              = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
     $not_apache          = "# Licensed under the Apache License, Version 2.0 (the \"License\")"
     $not_comment         = "Editable install to a prefix should be discoverable."
     $not_google          = /# Copyright [1-2][0-9]{3} Google Inc/
@@ -86,6 +121,7 @@ rule setuptools_eval: critical {
     $not_pyspark_ioerror = "\"Failed to load PySpark version file for packaging. You must be in Spark's python dir.\""
     $not_requests        = "'Documentation': 'https://requests.readthedocs.io'"
     $not_test_egg_class  = "class TestEggInfo"
+    $not_namespaced      = /exec\([\w\.\(\)\"\/\']{4,16}, [a-z]{1,6}[,\)]/
 
   condition:
     remote_access_pythonSetup and any of ($f*) and none of ($not*)

tests/python/2021.DiscordSafety/setup.py.simple

@@ -15,6 +15,6 @@ exec/remote_commands/code_eval: critical
 exfil/stealer/browser: high
 fs/directory/create: low
 fs/path/users: medium
-impact/remote_access/py_setuptools: critical
+impact/remote_access/py_setuptools: high
 net/url/embedded: medium
 net/url/request: medium

tests/python/2024.Custom.RAT/output.py.simple

@@ -33,7 +33,7 @@ exec/shell/power: medium
 exfil/discord: critical
 exfil/stealer/browser: high
 exfil/stealer/discord: high
-exfil/stealer/keylogger: critical
+exfil/stealer/keylogger: high
 exfil/upload: high
 fs/directory/create: low
 fs/directory/list: low

tests/python/clean/airflow/botocore_config.py.simple

@@ -0,0 +1,7 @@
+# python/clean/airflow/botocore_config.py: medium
+exec/imports/python: low
+impact/remote_access/agent: medium
+net/http/request: low
+net/ip/host_port: medium
+net/socket/connect: medium
+net/url/embedded: low

tests/python/clean/airflow/db.py.simple

@@ -0,0 +1,13 @@
+# python/clean/airflow/db.py: medium
+collect/databases/leveldb: medium
+collect/databases/mysql: medium
+collect/databases/postgresql: medium
+collect/databases/sqlite: medium
+credential/password: low
+credential/ssh: medium
+exec/plugin: low
+fs/tempdir: low
+net/ip/host_port: medium
+net/tcp/sftp: medium
+net/url/embedded: low
+os/fd/multiplex: low

tests/python/clean/airflow/kubernetes_engine.py.simple

@@ -0,0 +1,6 @@
+# python/clean/airflow/kubernetes_engine.py: medium
+anti-static/obfuscation/python: medium
+exec/imports/python: low
+net/http/auth: low
+net/url/embedded: low
+net/url/request: medium

tests/python/clean/conda-build/_load_setup_py_data.py.simple

@@ -3,7 +3,7 @@ exec/imports/python: low
 exec/remote_commands/code_eval: medium
 fs/file/exists: low
 fs/file/open: low
-impact/remote_access/py_setuptools: low
+impact/remote_access/py_setuptools: medium
 net/download: medium
 net/url/embedded: low
 os/fd/read: low

tests/python/clean/fonttools/psLib.py.simple

@@ -0,0 +1,3 @@
+# python/clean/fonttools/psLib.py: low
+anti-static/obfuscation/python: low
+exec/imports/python: low

tests/python/clean/google-auth-library-python/setup.py.simple

@@ -7,5 +7,6 @@ exec/remote_commands/code_eval: medium
 exec/shell/command: medium
 fs/file/open: low
 fs/file/read: low
+impact/remote_access/py_setuptools: medium
 net/url/embedded: low
 os/fd/read: low

tests/python/clean/google-cloud-sdk/requests_setup.py.simple

@@ -0,0 +1,12 @@
+# python/clean/google-cloud-sdk/requests_setup.py: medium
+exec/imports/python: low
+exec/program: medium
+exec/remote_commands/code_eval: medium
+exec/shell/command: medium
+fs/file/open: low
+fs/path/usr_bin: low
+impact/remote_access/py_setuptools: medium
+net/url/embedded: low
+net/url/parse: low
+os/fd/read: low
+process/multi: medium

tests/python/clean/idna/setup.py.simple

@@ -2,5 +2,6 @@
 exec/imports/python: low
 exec/remote_commands/code_eval: medium
 fs/file/open: low
+impact/remote_access/py_setuptools: medium
 net/url/embedded: low
 os/fd/read: low

tests/python/clean/matplotlib/_backend_tk.py.simple

@@ -0,0 +1,6 @@
+# python/clean/matplotlib/_backend_tk.py: medium
+anti-static/obfuscation/bitwise: low
+c2/tool_transfer/os: medium
+discover/system/platform: medium
+exec/imports/python: low
+net/url/embedded: low

tests/python/clean/matplotlib/backend_bases.py.simple

@@ -0,0 +1,7 @@
+# python/clean/matplotlib/backend_bases.py: medium
+c2/tool_transfer/os: low
+discover/system/platform: medium
+net/socket/connect: medium
+net/socket/listen: medium
+net/socket/pair: medium
+net/url/embedded: low

tests/python/clean/matplotlib/backend_qt.py.simple

@@ -0,0 +1,9 @@
+# python/clean/matplotlib/backend_qt.py: medium
+c2/tool_transfer/os: medium
+discover/system/platform: medium
+exec/imports/python: low
+exec/remote_commands/code_eval: medium
+net/socket/pair: medium
+net/socket/receive: low
+net/url/embedded: low
+os/time/clock_sleep: medium

tests/python/clean/matplotlib/backend_wx.py.simple

@@ -0,0 +1,5 @@
+# python/clean/matplotlib/backend_wx.py: medium
+c2/tool_transfer/os: medium
+discover/system/platform: medium
+exec/imports/python: low
+net/url/embedded: low

tests/python/clean/mitmproxy/raw_display.py.simple

@@ -0,0 +1,16 @@
+# python/clean/mitmproxy/raw_display.py: medium
+c2/tool_transfer/os: low
+exec/imports/python: low
+exec/program: medium
+exec/program/background: low
+exec/shell/TERM: low
+fs/file/write: low
+fs/path/usr_bin: low
+net/socket/connect: medium
+net/socket/pair: medium
+net/socket/receive: low
+net/socket/send: low
+net/url/embedded: low
+os/fd/write: low
+persist/daemon: medium
+process/multithreaded: medium

tests/python/clean/ml_sdk/setup.py.simple

@@ -2,5 +2,6 @@
 exec/imports/python: low
 exec/remote_commands/code_eval: medium
 fs/file/open: low
+impact/remote_access/py_setuptools: medium
 net/url/embedded: low
 os/fd/read: low

tests/python/clean/numba/support.py.simple

@@ -6,7 +6,6 @@ discover/system/platform: medium
 exec/imports/python: low
 exec/program: medium
 exec/remote_commands/code_eval: medium
-false-positives/setuptools: low
 fs/directory/create: low
 fs/directory/list: low
 fs/file/open: low

tests/python/clean/pydevd/setup_pydevd_cython.py.simple

@@ -9,6 +9,6 @@ fs/file/open: low
 fs/file/read: low
 fs/file/write: low
 fs/tempdir/TEMP: low
-impact/remote_access/py_setuptools: low
+impact/remote_access/py_setuptools: medium
 os/fd/read: low
 os/fd/write: low

tests/python/clean/requests/setup.py.simple

@@ -6,6 +6,7 @@ exec/remote_commands/code_eval: medium
 exec/shell/command: medium
 fs/file/open: low
 fs/path/usr_bin: low
+impact/remote_access/py_setuptools: medium
 net/ip/parse: medium
 net/url/embedded: low
 net/url/parse: low

tests/python/clean/setuptools/test_pyprojecttoml.py.simple

@@ -4,6 +4,5 @@ discover/system/platform: medium
 exec/imports/python: low
 exec/shell/command: medium
 fs/file/open: low
-impact/remote_access/py_setuptools: low
 net/url/embedded: low
 os/fd/write: low