diff --git a/Makefile b/Makefile
index 8fbd1bd84..903648dbf 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@ SAMPLES_REPO ?= chainguard-dev/malcontent-samples
-SAMPLES_COMMIT ?= c1444cfe7941f0db6ef8ae3f75605fd5dc0c411e
+SAMPLES_COMMIT ?= 8320e105a3b68ff63b8a840fea43ac9a858e4ea9
 # BEGIN: lint-install ../malcontent
 # http://github.com/tinkerbell/lint-install
diff --git a/rules/false_positives/kibana.yara b/rules/false_positives/kibana.yara
new file mode 100644
index 000000000..6464b062b
--- /dev/null
+++ b/rules/false_positives/kibana.yara
@@ -0,0 +1,28 @@
+rule kibana_powershell_evasion_rule: override {
+ meta:
+ description = "defense_evasion_defender_exclusion_via_powershell.json"
+ win_defender_exclusion = "low"
+
+ strings:
+ $elastic = "Elastic"
+ $eql = "\"language\": \"eql\""
+ $name = "Windows Defender Exclusions Added via PowerShell"
+
+ condition:
+ filesize < 8KB and all of them
+}
+
+rule security_solution_plugin: override {
+ meta:
+ linux_rootkit_terms = "low"
+ description = "securitySolution.chunk.9.js"
+
+ strings:
+ $license = "Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V."
+ $license2 = "Licensed under the Elastic License 2.0"
+ $security_solution = "securitySolution"
+ $xpac = "xpac"
+
+ condition:
+ filesize < 5MB and all of them
+}
diff --git a/tests/linux/clean/defense_evasion_defender_exclusion_via_powershell.json.simple b/tests/linux/clean/defense_evasion_defender_exclusion_via_powershell.json.simple
new file mode 100644
index 000000000..9cbf22562
--- /dev/null
+++ b/tests/linux/clean/defense_evasion_defender_exclusion_via_powershell.json.simple
@@ -0,0 +1,6 @@
+# linux/clean/defense_evasion_defender_exclusion_via_powershell.json: medium
+exec/shell/power: medium
+impact/degrade/win_defender: low
+impact/exploit: medium
+net/url/embedded: low
+sus/malicious: medium
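Review bot: The `security_solution_plugin` override is anchored on strings that any file under 5MB can carry verbatim — two Elastic license-header lines, the bare word `securitySolution` and the four-character `$xpac` — so the downgrade that `linux_rootkit_terms = "low"` presumably requests will also apply to any other bundle that merely quotes that header; a less generic anchor, such as a full module identifier from the chunk, would narrow it to the intended sample family. `$xpac` also reads like a truncated `xpack`; if the short prefix is intentional, a comment such as `// prefix match: intended to cover "xpac" and "xpack" spellings` would keep the next reader from "fixing" it. Both `description` values repeat the sample filename rather than say what the override covers; something like `description = "Kibana Security Solution bundle: rootkit terms are detection-rule content, not behaviour"` would tell a maintainer why the downgrade is safe.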
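Review bot: The expected output pins an overall `medium` verdict for a sample placed under `tests/linux/clean/`, because `exec/shell/power`, `impact/exploit` and `sus/malicious` stay at medium while the new override only lowers `impact/degrade/win_defender`. The same applies to `securitySolution.chunk.9.js.simple` later in this diff, whose header still reads `critical` with `impact/remote_access/reverse_shell: high`, `impact/exploit/overflow_shellcode: high` and `sec-tool/net/masscan: high` surviving alongside the lowered `impact/rootkit: low`. If the intent of the overrides is to make these Elastic detection-content files read as clean, the residual findings will keep them far from it, so either the overrides need to cover the other rules that match on rule descriptions, or the accepted baseline for clean samples that legitimately describe attack techniques should be recorded (for example in the override rules' `description` meta) so these fixtures are not later read as regressions.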
diff --git a/tests/linux/clean/securitySolution.chunk.9.js.simple b/tests/linux/clean/securitySolution.chunk.9.js.simple
new file mode 100644
index 000000000..073ed4452
--- /dev/null
+++ b/tests/linux/clean/securitySolution.chunk.9.js.simple
@@ -0,0 +1,101 @@
+# linux/clean/securitySolution.chunk.9.js: critical
+3P/threat_hunting/: medium
+3P/threat_hunting/arsenal: medium
+3P/threat_hunting/backdoor: medium
+3P/threat_hunting/beef: medium
+3P/threat_hunting/blackshades: medium
+3P/threat_hunting/burpsuite: medium
+3P/threat_hunting/dbc2: medium
+3P/threat_hunting/earth_lusca_operations: medium
+3P/threat_hunting/generate_macro: medium
+3P/threat_hunting/github_username: medium
+3P/threat_hunting/heartbleed: medium
+3P/threat_hunting/impacket: medium
+3P/threat_hunting/keylogger: medium
+3P/threat_hunting/kubesploit: medium
+3P/threat_hunting/localtunnel: medium
+3P/threat_hunting/localtunnels: medium
+3P/threat_hunting/merlin_agent_dll: medium
+3P/threat_hunting/metasploit: medium
+3P/threat_hunting/metasploitcoop: medium
+3P/threat_hunting/openvas: medium
+3P/threat_hunting/owasp: medium
+3P/threat_hunting/phishery: medium
+3P/threat_hunting/powershell_scripts_for: medium
+3P/threat_hunting/powersploit: medium
+3P/threat_hunting/pupy: medium
+3P/threat_hunting/pwdump: medium
+3P/threat_hunting/rapid7: medium
+3P/threat_hunting/routersploit: medium
+3P/threat_hunting/seclists: medium
+3P/threat_hunting/sqlmap: medium
+3P/threat_hunting/sqlninja: medium
+3P/threat_hunting/thc_hydra: medium
+3P/threat_hunting/torproject: medium
+3P/threat_hunting/traitor: medium
+3P/threat_hunting/wpscan: medium
+anti-static/obfuscation/js/char_codes: medium
+c2/addr/ip: medium
+c2/addr/ip_port: medium
+c2/addr/php: medium
+c2/addr/url_unusual: high
+c2/discovery/dyndns: medium
+c2/tool_transfer/download: high
+c2/tool_transfer/dropper: medium
+c2/tool_transfer/exe_url: high
+c2/tool_transfer/grayware: high
+collect/databases/mysql: medium
+credential/keylogger: medium
+credential/password: low
+crypto/blockchain: medium
+data/embedded/base64_url: medium
+data/encoding/base64: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
+data/hash/md5: low
+discover/network/mac_address: medium
+evasion/hidden_paths/hidden: medium
+exec/cmd: medium
+exec/plugin: low
+exec/shell/power: medium
+exec/system_controls/apparmor: medium
+exfil/upload: medium
+fs/lock_update: low
+fs/mount: low
+fs/path/dev: medium
+impact/cryptojacking/monero_pool: medium
+impact/ddos: medium
+impact/exploit: medium
+impact/exploit/cve: medium
+impact/exploit/known_s: medium
+impact/exploit/overflow_shellcode: high
+impact/infection/infected: medium
+impact/remote_access/backdoor: high
+impact/remote_access/botnet: medium
+impact/remote_access/iptables: medium
+impact/remote_access/reverse_shell: high
+impact/remote_access/trojan: medium
+impact/rootkit: low
+impact/rootkit/refs: medium
+lateral/scan/brute_force: low
+net/dns/txt: low
+net/download: medium
+net/http/post: medium
+net/http/request: low
+net/ip/addr: medium
+net/socket/listen: medium
+net/socket/send: low
+net/tcp/sftp: medium
+net/url/embedded: low
+net/url/parse: low
+net/url/request: medium
+os/kernel/seccomp: low
+persist/daemon: medium
+process/chroot: low
+process/name_get: medium
+process/parent_pid_get: low
+sec-tool/net/masscan: high
+sec-tool/net/nmap: medium
+sec-tool/pentest/metasploit_ref: medium
+sus/leetspeak: medium
+sus/malicious: medium