forked from chainguard-dev/malcontent
package-install.yara
// Flags text containing a "yum install ..." invocation (RPM-based distributions).
// Tagged medium: the same command appears in legitimate provisioning scripts and
// documentation, so a hit is a signal for review rather than a verdict.
rule yum_installer : medium {
  meta:
    description = "install software with yum"
    hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
    hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
    // Identical value to the entry above -- presumably the same sample indexed under two names.
    hash_2023_Qubitstrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
  strings:
    // After the command, up to 32 characters of spaces, word characters, '-', '_' and '%'
    // are swallowed so the reported match carries the package names / flags as context.
    $cmd = /yum install[ \w\-\_%]{0,32}/
  condition:
    any of them
}
// Flags text containing a "dnf install ..." invocation (the successor to yum on
// Fedora/RHEL-family systems). Medium confidence for the same reason as yum_installer:
// the command is common in benign setup scripts.
rule dnf_installer : medium {
  meta:
    description = "install software with dnf"
  strings:
    // Bounded trailing capture ({0,32}) keeps the match cheap while still
    // showing which packages were requested.
    $cmd = /dnf install[ \w\-\_%]{0,32}/
  condition:
    #cmd > 0
}
// Flags direct package installation via "rpm -i". Because only the "-i" prefix is
// anchored and the following characters are word characters, combined flags such
// as "-ivh" or "-iv" are also matched. "--import" is not (second character is '-').
rule rpm_installer : medium {
  meta:
    description = "install software with rpm"
    hash_2023_Unix_Coinminer_Xanthe_7ea1 = "7ea112aadebb46399a05b2f7cc258fea02f55cf2ae5257b331031448f15beb8f"
  strings:
    $cmd = /rpm -i[ \w\-\_%]{0,32}/
  condition:
    any of them
}
// Flags text containing an "apt install ..." invocation (Debian/Ubuntu-family).
// Note this does not match "apt-get install"; that form has its own rule
// (apt_get_installer) with an additional false-positive exclusion.
rule apt_installer : medium {
  meta:
    description = "install software with apt"
    hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f"
    hash_2024_scripts_install_locutus = "1a80591019dea60785fff842da5f7347248e8ddf6a8a121d077210a06ba45e42"
    hash_2024_static_demonizedshell_static = "b4e65c01ab90442cb5deda26660a3f81bd400c205e12605536483f979023aa15"
  strings:
    // Up to 32 trailing characters (spaces, word chars, '-', '_', '%') are kept as context.
    $cmd = /apt install[ \w\-\_%]{0,32}/
  condition:
    #cmd > 0
}
// Flags text containing an "apt-get install ..." invocation.
//
// False-positive control: the literal "install foo" is used to recognise
// placeholder examples (the kind found in READMEs and docs), and its presence
// anywhere in the file suppresses the whole rule. That exclusion is file-wide,
// not per-match: a file that genuinely runs "apt-get install <pkg>" and also
// contains the phrase "install foo" elsewhere will not be reported. Keep that
// trade-off in mind when tuning.
rule apt_get_installer : medium {
  meta:
    description = "install software with apt-get"
    hash_2019_lib_restclient = "c9b67d3d9ef722facd1abce98bd7d80cec1cc1bb3e3a52c54bba91f19b5a6620"
    hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
    hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7"
  strings:
    $cmd = /apt-get install[ \w\-\_%]{0,32}/
    // Placeholder package name typical of documentation examples.
    $example = "install foo"
  condition:
    $cmd and not $example
}
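// Flags text containing an "apk add ..." invocation. "apk" here is the Alpine
// Linux package manager (common in container images), not an Android package.
// Medium confidence: "apk add" is ubiquitous in legitimate Dockerfiles.
rule apk_installer : medium {
  meta:
    description = "install software with APK"
    // The original listed this sample twice under the same key; the exact
    // duplicate was dropped -- it only added noise to match output.
    hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
    hash_2024_enumeration_deepce = "76b0bcdf0ea0b62cee1c42537ff00d2100c54e40223bbcb8a4135a71582dfa5d"
  strings:
    // Up to 32 trailing characters (spaces, word chars, '-', '_', '%') are kept as context.
    $cmd = /apk add[ \w\-\_%]{0,32}/
  condition:
    any of them
}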
// Flags text containing a "pip install" / "pip3 install" command.
//
// The [3 \'\"]{0,5} gap between "pip" and "install" tolerates the "3" suffix and
// up to five spaces or quote characters, so quote-separated forms (e.g. the
// tokens of a shell one-liner written as 'pip' 'install') are also matched.
// Characters outside that set (commas, brackets) break the match, so an argv
// list such as ["pip", "install", ...] is not covered by this rule.
// Trailing context allows quotes in addition to the usual word chars, '-', '_', '%'.
rule pip_installer_regex : medium {
  meta:
    description = "Includes 'pip install' command for installing Python modules"
    hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"
    hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2"
    hash_2022_2022_requests_3_0_0_README = "150fd62db4024e240040be44b32d7ce98df80ab86dfd564a173cd231f2254abc"
  strings:
    $cmd = /pip[3 \'\"]{0,5}install[ \'\"\w\-\_%]{0,32}/
  condition:
    $cmd
}