Remove 'threat_hunting' ruleset (chainguard-dev#645)

* Remove 'threat_hunting' ruleset

* refresh testdata

README.md

@@ -24,7 +24,7 @@ malcontent is a bit paranoid and prone to false positives. It is currently focus
 
 ## Features
 
-* 16,000+ [YARA](YARA) detection rules
+* 14,500+ [YARA](YARA) detection rules
   * Including third-party rules from companies such as Avast, Elastic, FireEye, Mandiant, Nextron, ReversingLabs, and more!
 * Analyzes binaries from nearly any operating system (Linux, macOS, FreeBSD, Windows, etc.)
 * Analyzes scripts (Python, shell, Javascript, Typescript, PHP, Perl, AppleScript)

tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple

@@ -1,5 +1,4 @@
 # javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js: medium
-3P/threat_hunting/powershell: medium
 c2/addr/ip: medium
 c2/addr/server: medium
 collect/archives/unarchive: medium

tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple

@@ -1,5 +1,4 @@
 # javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js: medium
-3P/threat_hunting/powershell: medium
 anti-static/obfuscation/js: medium
 c2/addr/ip: medium
 c2/addr/server: medium

tests/javascript/clean/faker.js.simple

@@ -1,5 +1,4 @@
 # javascript/clean/faker.js: high
-3P/threat_hunting/3snake: medium
 anti-behavior/blocklist/user: low
 anti-static/base64/exec: high
 anti-static/base64/http_agent: high

tests/javascript/clean/faker.min.js.simple

@@ -1,5 +1,4 @@
 # javascript/clean/faker.min.js: medium
-3P/threat_hunting/3snake: medium
 anti-behavior/blocklist/user: low
 anti-static/obfuscation/obfuscate: low
 c2/addr/ip: medium

tests/javascript/clean/frequency_lists.js.simple

@@ -1,8 +1,4 @@
 # javascript/clean/frequency_lists.js: medium
-3P/threat_hunting/crowbar: medium
-3P/threat_hunting/hijacker: medium
-3P/threat_hunting/johntheripper: medium
-3P/threat_hunting/sharpshooter: medium
 c2/tool_transfer/dropper: medium
 collect/databases/mysql: medium
 credential/gaming/minecraft: medium

tests/javascript/clean/securityDashboards.plugin.js.simple

@@ -1,8 +1,4 @@
 # javascript/clean/securityDashboards.plugin.js: medium
-3P/threat_hunting/crowbar: medium
-3P/threat_hunting/hijacker: medium
-3P/threat_hunting/johntheripper: medium
-3P/threat_hunting/sharpshooter: medium
 anti-static/obfuscation/bitwise: medium
 anti-static/obfuscation/js: medium
 c2/tool_transfer/dropper: medium

tests/javascript/clean/zxcvbn.js.simple

@@ -1,8 +1,4 @@
 # javascript/clean/zxcvbn.js: medium
-3P/threat_hunting/crowbar: medium
-3P/threat_hunting/hijacker: medium
-3P/threat_hunting/johntheripper: medium
-3P/threat_hunting/sharpshooter: medium
 c2/tool_transfer/dropper: medium
 collect/databases/mysql: medium
 credential/gaming/minecraft: medium

tests/linux/2020.bdvl/bdvl.so.simple

@@ -1,5 +1,4 @@
 # linux/2020.bdvl/bdvl.so: critical
-3P/threat_hunting/backdoor: medium
 anti-behavior/LD_DEBUG: medium
 anti-behavior/process_check: high
 credential/password: low

tests/linux/2022.Conti/bb64b27.elf_x86_64.simple

@@ -1,6 +1,5 @@
 # linux/2022.Conti/bb64b27.elf_x86_64: critical
 3P/elastic/ransomware_conti: critical
-3P/threat_hunting/torproject: medium
 crypto/file_encrypter: medium
 fs/link_read: low
 fs/path/relative: medium

tests/linux/2022.Symbiote/kerneldev.so.bkp.simple

@@ -1,5 +1,4 @@
 # linux/2022.Symbiote/kerneldev.so.bkp: critical
-3P/threat_hunting/keylogger: medium
 c2/addr/ip: medium
 c2/discovery/ip_dns_resolver: medium
 credential/keylogger: medium

tests/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff

@@ -1,5 +1,4 @@
 *** changed: linux/2023.FreeDownloadManager/freedownloadmanager_infected_postinst
-+3P/threat_hunting/touch
 +anti-static/base64/exec
 +anti-static/base64/http_agent
 +data/base64/external

tests/linux/2023.Kinsing/install.sh.simple

@@ -1,9 +1,6 @@
 # linux/2023.Kinsing/install.sh: critical
 3P/elastic/kinsing: critical
 3P/sig_base/payload_f5_ip: critical
-3P/threat_hunting/netstat: medium
-3P/threat_hunting/shell: medium
-3P/threat_hunting/xmrig: medium
 anti-static/base64/exec: high
 c2/addr/ip: high
 c2/tool_transfer/download: medium

tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple

@@ -1,6 +1,5 @@
 # linux/2024.TellYouThePass/uranus-ack-mike-cat: critical
 3P/arkbird/solg_ran_elf: critical
-3P/threat_hunting/torat: medium
 c2/addr/ip: high
 collect/databases/mysql: medium
 collect/databases/postgresql: medium

tests/linux/2024.chisel/crondx.simple

@@ -1,6 +1,4 @@
 # linux/2024.chisel/crondx: critical
-3P/threat_hunting/ad_exploitation_cheat: medium
-3P/threat_hunting/chisel: medium
 c2/addr/ip: high
 collect/archives/zip: medium
 credential/password: low

tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple

@@ -1,6 +1,5 @@
 # linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72: critical
 3P/elastic/threat: high
-3P/threat_hunting/xmrig: medium
 anti-static/base64/exec: high
 anti-static/base64/http_agent: high
 anti-static/elf/header: critical

tests/linux/2024.fog/5a99a15406c218fd6862f90ed3534fb8f0a888bb0c5a09192eae01d595f05bc5.elf.simple

@@ -1,6 +1,5 @@
 # linux/2024.fog/5a99a15406c218fd6862f90ed3534fb8f0a888bb0c5a09192eae01d595f05bc5.elf: critical
 3P/sig_base/ransom_lockbit: critical
-3P/threat_hunting/esxcli: medium
 c2/addr/tor_onion: critical
 credential/password: low
 crypto/rc4: low

tests/linux/2024.hadooken/drop1.sh.simple

@@ -1,5 +1,4 @@
 # linux/2024.hadooken/drop1.sh: critical
-3P/threat_hunting/base64: medium
 anti-static/base64/exec: critical
 anti-static/base64/function_names: critical
 c2/addr/ip: high

tests/linux/2024.hadooken/ssh_worm.sh.simple

@@ -1,5 +1,4 @@
 # linux/2024.hadooken/ssh_worm.sh: critical
-3P/threat_hunting/base64: medium
 anti-static/base64/exec: critical
 anti-static/base64/function_names: critical
 c2/addr/ip: high

tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple

@@ -1,8 +1,5 @@
 # linux/2024.kworker_pretenders/emp3r0r.agent: critical
 3P/elastic/exploit_cve_2021: critical
-3P/threat_hunting/hrshell: medium
-3P/threat_hunting/maccaronic2: medium
-3P/threat_hunting/tor: medium
 anti-behavior/vm_check: medium
 anti-static/elf/entropy: high
 c2/addr/http_dynamic: medium

tests/linux/2024.kworker_pretenders/gafgyt.simple

@@ -1,6 +1,5 @@
 # linux/2024.kworker_pretenders/gafgyt: critical
 3P/elastic/mirai: critical
-3P/threat_hunting/base64: medium
 anti-static/base64/exec: critical
 anti-static/elf/content: high
 credential/ssh/d: medium

tests/linux/clean/appsec-rules.json.simple

@@ -1,7 +1,4 @@
 # linux/clean/appsec-rules.json: critical
-3P/threat_hunting/gobuster: medium
-3P/threat_hunting/openvas: medium
-3P/threat_hunting/sqlninja: medium
 collect/databases/mysql: medium
 collect/databases/postgresql: medium
 collect/databases/sql: low

tests/linux/clean/buildah.simple

@@ -1,5 +1,4 @@
 # linux/clean/buildah: medium
-3P/threat_hunting/metasploit: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
 c2/discovery/ip_dns_resolver: medium

tests/linux/clean/caddy.simple

@@ -1,7 +1,4 @@
 # linux/clean/caddy: medium
-3P/threat_hunting/hijacker: medium
-3P/threat_hunting/reverst: medium
-3P/threat_hunting/tailscale: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
 c2/discovery/ip_dns_resolver: medium

tests/linux/clean/chezmoi.simple

@@ -1,10 +1,4 @@
 # linux/clean/chezmoi: medium
-3P/threat_hunting/crowbar: medium
-3P/threat_hunting/gitleaks: medium
-3P/threat_hunting/hijacker: medium
-3P/threat_hunting/johntheripper: medium
-3P/threat_hunting/sharpshooter: medium
-3P/threat_hunting/tailscale: medium
 c2/addr/discord: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium

tests/linux/clean/chrome.simple

@@ -1,6 +1,4 @@
 # linux/clean/chrome: medium
-3P/threat_hunting/metasploit: medium
-3P/threat_hunting/proxmark: medium
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
 anti-static/obfuscation/obfuscate: low

tests/linux/clean/clickhouse.simple

@@ -1,8 +1,4 @@
 # linux/clean/clickhouse: high
-3P/threat_hunting/keylogger: medium
-3P/threat_hunting/pypykatz: medium
-3P/threat_hunting/shodan_io: medium
-3P/threat_hunting/torproject: medium
 anti-static/obfuscation/obfuscate: low
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium

tests/linux/clean/containerd.simple

@@ -1,6 +1,4 @@
 # linux/clean/containerd: medium
-3P/threat_hunting/hijacker: medium
-3P/threat_hunting/privilegeescalation: medium
 c2/addr/ip: medium
 c2/addr/server: medium
 collect/archives/zip: medium

tests/linux/clean/default_config.json.simple

@@ -1,8 +1,4 @@
 # linux/clean/default_config.json: critical
-3P/threat_hunting/gobuster: medium
-3P/threat_hunting/openvas: medium
-3P/threat_hunting/rapid7: medium
-3P/threat_hunting/sqlninja: medium
 collect/databases/mysql: medium
 collect/databases/postgresql: medium
 collect/databases/sql: low

tests/linux/clean/http-fingerprints.lua.simple

@@ -1,9 +1,5 @@
 # linux/clean/http-fingerprints.lua: high
 3P/sig_base/hacktool_strings_p0wnedshell: medium
-3P/threat_hunting/metasploit: medium
-3P/threat_hunting/nikto: medium
-3P/threat_hunting/rapid7: medium
-3P/threat_hunting/seclists: medium
 c2/tool_transfer/grayware: high
 collect/archives/zip: medium
 collect/databases/mysql: medium

tests/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json.simple

@@ -1,23 +1,5 @@
 # linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json: medium
 3P/sig_base/hacktool_strings_p0wnedshell: low
-3P/threat_hunting/arsenal: medium
-3P/threat_hunting/autordpwn: medium
-3P/threat_hunting/bruteratel: medium
-3P/threat_hunting/dbc2: medium
-3P/threat_hunting/fruityc2: medium
-3P/threat_hunting/github_username: medium
-3P/threat_hunting/kubesploit: medium
-3P/threat_hunting/merlin: medium
-3P/threat_hunting/merlin_agent_dll: medium
-3P/threat_hunting/netexec: medium
-3P/threat_hunting/nishang: medium
-3P/threat_hunting/powerpick: medium
-3P/threat_hunting/powershell_scripts_for: medium
-3P/threat_hunting/powersploit: medium
-3P/threat_hunting/psattack: medium
-3P/threat_hunting/pupy: medium
-3P/threat_hunting/redpill: medium
-3P/threat_hunting/sharpyshell: medium
 exec/shell/power: medium
 impact/infection/infected: medium
 mem/protect: low

tests/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json.simple

@@ -1,5 +1,4 @@
 # linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json: critical
-3P/threat_hunting/powershell: medium
 anti-static/obfuscation/powershell: critical
 exec/shell/command: medium
 exec/shell/power: medium

tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple

@@ -1,5 +1,4 @@
 # linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json: medium
-3P/threat_hunting/seclists: medium
 impact/exploit: medium
 impact/exploit/cve: medium
 impact/exploit/pwnkit: low

tests/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json.simple

@@ -1,15 +1,5 @@
 # linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json: medium
 3P/sig_base/p0wnedpotato: low
-3P/threat_hunting/adape_script: medium
-3P/threat_hunting/autordpwn: medium
-3P/threat_hunting/github_username: medium
-3P/threat_hunting/inveigh: medium
-3P/threat_hunting/invoke_thehash: medium
-3P/threat_hunting/merlin: medium
-3P/threat_hunting/ninja: medium
-3P/threat_hunting/poshc2: medium
-3P/threat_hunting/precompiled_binaries: medium
-3P/threat_hunting/winpwn: medium
 exec/shell/power: medium
 net/download: medium
 net/rpc/ntlm: medium

tests/linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json.simple

@@ -1,17 +1,5 @@
 # linux/clean/kibana/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json: medium
 3P/sig_base/hacktool_strings_p0wnedshell: low
-3P/threat_hunting/arsenal: medium
-3P/threat_hunting/autordpwn: medium
-3P/threat_hunting/bruteratel: medium
-3P/threat_hunting/dbc2: medium
-3P/threat_hunting/dumpcreds: medium
-3P/threat_hunting/fruityc2: medium
-3P/threat_hunting/merlin: medium
-3P/threat_hunting/nishang: medium
-3P/threat_hunting/powersploit: medium
-3P/threat_hunting/psattack: medium
-3P/threat_hunting/redpill: medium
-3P/threat_hunting/sharpyshell: medium
 credential/password: low
 exec/shell/power: medium
 impact/infection/infected: medium

tests/linux/clean/kibana/cde1bafa-9f01-4f43-a872-605b678968b0_111.json.simple

@@ -3,47 +3,6 @@
 3P/sig_base/hktl_domainpasswordspray: low
 3P/sig_base/p0wnedpotato: low
 3P/sig_base/wmimplant: low
-3P/threat_hunting/ad_exploitation_cheat: medium
-3P/threat_hunting/adape_script: medium
-3P/threat_hunting/amnesiac: medium
-3P/threat_hunting/autordpwn: medium
-3P/threat_hunting/bloodhound: medium
-3P/threat_hunting/chimera: medium
-3P/threat_hunting/dbc2: medium
-3P/threat_hunting/domainpasswordspray: medium
-3P/threat_hunting/earth_lusca_operations: medium
-3P/threat_hunting/fruityc2: medium
-3P/threat_hunting/github_username: medium
-3P/threat_hunting/inceptor: medium
-3P/threat_hunting/inveigh: medium
-3P/threat_hunting/invoke_thehash: medium
-3P/threat_hunting/keethief: medium
-3P/threat_hunting/kubesploit: medium
-3P/threat_hunting/merlin: medium
-3P/threat_hunting/metasploit: medium
-3P/threat_hunting/netexec: medium
-3P/threat_hunting/netripper: medium
-3P/threat_hunting/ninja: medium
-3P/threat_hunting/nishang: medium
-3P/threat_hunting/picklec2: medium
-3P/threat_hunting/poshc2: medium
-3P/threat_hunting/powerbreach: medium
-3P/threat_hunting/powersharppack: medium
-3P/threat_hunting/powershell_scripts_for: medium
-3P/threat_hunting/powersploit: medium
-3P/threat_hunting/powerupsql: medium
-3P/threat_hunting/privesc: medium
-3P/threat_hunting/psattack: medium
-3P/threat_hunting/pupy: medium
-3P/threat_hunting/red_team_scripts: medium
-3P/threat_hunting/redpill: medium
-3P/threat_hunting/sessiongopher: medium
-3P/threat_hunting/sharpyshell: medium
-3P/threat_hunting/srdi: medium
-3P/threat_hunting/staykit: medium
-3P/threat_hunting/winpwn: medium
-3P/threat_hunting/wmimplant: medium
-3P/threat_hunting/wmisploit: medium
 c2/addr/ip: medium
 credential/password: low
 exec/cmd: medium

tests/linux/clean/kibana/securitySolution.chunk.22.js.simple

@@ -1,39 +1,4 @@
 # linux/clean/kibana/securitySolution.chunk.22.js: critical
-3P/threat_hunting/: medium
-3P/threat_hunting/arsenal: medium
-3P/threat_hunting/backdoor: medium
-3P/threat_hunting/beef: medium
-3P/threat_hunting/blackshades: medium
-3P/threat_hunting/burpsuite: medium
-3P/threat_hunting/dbc2: medium
-3P/threat_hunting/earth_lusca_operations: medium
-3P/threat_hunting/generate_macro: medium
-3P/threat_hunting/github_username: medium
-3P/threat_hunting/heartbleed: medium
-3P/threat_hunting/impacket: medium
-3P/threat_hunting/keylogger: medium
-3P/threat_hunting/kubesploit: medium
-3P/threat_hunting/localtunnel: medium
-3P/threat_hunting/localtunnels: medium
-3P/threat_hunting/merlin_agent_dll: medium
-3P/threat_hunting/metasploit: medium
-3P/threat_hunting/metasploitcoop: medium
-3P/threat_hunting/openvas: medium
-3P/threat_hunting/owasp: medium
-3P/threat_hunting/phishery: medium
-3P/threat_hunting/powershell_scripts_for: medium
-3P/threat_hunting/powersploit: medium
-3P/threat_hunting/pupy: medium
-3P/threat_hunting/pwdump: medium
-3P/threat_hunting/rapid7: medium
-3P/threat_hunting/routersploit: medium
-3P/threat_hunting/seclists: medium
-3P/threat_hunting/sqlmap: medium
-3P/threat_hunting/sqlninja: medium
-3P/threat_hunting/thc_hydra: medium
-3P/threat_hunting/torproject: medium
-3P/threat_hunting/traitor: medium
-3P/threat_hunting/wpscan: medium
 c2/addr/url: high
 c2/discovery/dyndns: medium
 c2/tool_transfer/download: high