Add expected hashes to all MEDIUM+ rules, add YARA-CI (chainguard-dev…
…#203) * De-lint YARA rules, install YARA-CI * Add checksums to notable and higher rules * Settle on rule priorities
1 parent
5727316
commit f5fdb45
Showing
518 changed files
with
5,977 additions
and
5,319 deletions.
@@ -0,0 +1,12 @@ | ||
branches: | ||
accept: | ||
- "**" | ||
files: | ||
accept: | ||
- "**.yar" | ||
- "**.yara" | ||
ignore: | ||
- "third_party/**" | ||
|
||
false_positives: | ||
disabled: true |
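Review bot: `false_positives: disabled: true` on the last line turns off YARA-CI's goodware false-positive scan, which is the check most worth having for a detector whose rules, elsewhere in this commit, fire on strings like `apt install` and `/var/log/syslog`; the config does not say why it is off. If the reason is that malcontent rules intentionally flag behaviour that is common in benign software and so can never pass a goodware corpus, record that above the key, e.g. `# FP scan disabled: malcontent rules deliberately match common benign behaviour, so the goodware corpus fails by design`. Without the comment the next maintainer will either re-enable it and get a wall of failures, or assume the rules were FP-checked when they were not.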
@@ -1,13 +1,15 @@ | ||
rule login_records : notable { | ||
meta: | ||
description = "accesses current logins" | ||
strings: | ||
$f_wtmp = "/var/log/wtmp" fullword | ||
$f_wtmpx = "/var/log/wtmpx" fullword | ||
|
||
// entries from include/paths.h | ||
$not_cshell = "_PATH_CSHELL" fullword | ||
$not_rwho = "_PATH_RWHODIR" fullword | ||
condition: | ||
any of ($f*) and none of ($not*) | ||
rule login_records : medium { | ||
meta: | ||
description = "accesses current logins" | ||
hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6" | ||
hash_2023_Lightning_ad16 = "ad16989a3ebf0b416681f8db31af098e02eabd25452f8d781383547ead395237" | ||
hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500" | ||
strings: | ||
$f_wtmp = "/var/log/wtmp" fullword | ||
$f_wtmpx = "/var/log/wtmpx" fullword | ||
$not_cshell = "_PATH_CSHELL" fullword | ||
$not_rwho = "_PATH_RWHODIR" fullword | ||
condition: | ||
any of ($f*) and none of ($not*) | ||
} |
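Review bot: The rewritten `login_records` drops the `// entries from include/paths.h` comment that explained why `$not_cshell` and `$not_rwho` are present, so a reader of the new version cannot tell these exclusions target the C library's paths.h header (which lists /var/log/wtmp next to those macros) rather than some unrelated sample. Restore it above `$not_cshell`, e.g. `// exclusions: macros from libc include/paths.h, which also names /var/log/wtmp`. The expected-hash keys added here are useful, but they do not replace the why-comment on the negative strings.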
@@ -1,12 +1,14 @@ | ||
rule failed_logins : suspicious { | ||
meta: | ||
description = "accesses failed logins" | ||
strings: | ||
$f_wtmp = "/var/log/btmp" fullword | ||
|
||
// entries from include/paths.h | ||
$not_cshell = "_PATH_CSHELL" fullword | ||
$not_rwho = "_PATH_RWHODIR" fullword | ||
condition: | ||
any of ($f*) and none of ($not*) | ||
rule failed_logins : high { | ||
meta: | ||
description = "accesses failed logins" | ||
hash_2023_FontOnLake_1829B0E34807765F2B254EA5514D7BB587AECA3F_elf = "5e9d356cdfc85a66f8fbab29bf43e95f19489c66d2a970e33d031f267298b482" | ||
hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6" | ||
hash_2023_FontOnLake_8D6ACA824D1A717AE908669E356E2D4BB6F857B0_elf = "265e8236da27a35306cde4e57d73077c94c35e7a73da086273af09179f78f37a" | ||
strings: | ||
$f_wtmp = "/var/log/btmp" fullword | ||
$not_cshell = "_PATH_CSHELL" fullword | ||
$not_rwho = "_PATH_RWHODIR" fullword | ||
condition: | ||
any of ($f*) and none of ($not*) | ||
} |
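Review bot: In `failed_logins` the only file string is still named `$f_wtmp` although it holds `/var/log/btmp`, the failed-login log, so the identifier contradicts both the rule name and its description; `$f_btmp = "/var/log/btmp" fullword` keeps the condition's `any of ($f*)` working unchanged. The `// entries from include/paths.h` comment explaining the `$not_*` exclusions was also dropped in the rewrite and should be restored above `$not_cshell` so the exclusions are not mistaken for dead strings.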
@@ -1,15 +1,16 @@ | ||
rule login_records : suspicious { | ||
meta: | ||
description = "accesses historical login records" | ||
strings: | ||
$f_lastlog = "/var/log/lastlog" fullword | ||
$f_utmp = "/var/log/utmp" fullword | ||
$f_utmpx = "/var/log/utmpx" fullword | ||
|
||
// entries from include/paths.h | ||
$not_cshell = "_PATH_CSHELL" fullword | ||
$not_rwho = "_PATH_RWHODIR" fullword | ||
condition: | ||
any of ($f*) and none of ($not*) | ||
rule login_records : high { | ||
meta: | ||
description = "accesses historical login records" | ||
hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6" | ||
hash_2023_Lightning_ad16 = "ad16989a3ebf0b416681f8db31af098e02eabd25452f8d781383547ead395237" | ||
hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500" | ||
strings: | ||
$f_lastlog = "/var/log/lastlog" fullword | ||
$f_utmp = "/var/log/utmp" fullword | ||
$f_utmpx = "/var/log/utmpx" fullword | ||
$not_cshell = "_PATH_CSHELL" fullword | ||
$not_rwho = "_PATH_RWHODIR" fullword | ||
condition: | ||
any of ($f*) and none of ($not*) | ||
} | ||
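Review bot: This file defines `rule login_records : high` for lastlog/utmp/utmpx while the wtmp rule earlier in this commit is also named `login_records` (tagged medium); YARA rejects a duplicate rule identifier if both files are ever compiled into one namespace, and even if malcontent keeps each file in its own namespace, hits from the two rules are indistinguishable by name in output. Renaming this one to match its description, `rule historical_login_records : high {`, avoids both problems. The `// entries from include/paths.h` comment on the `$not_*` strings was dropped here as well and is worth keeping.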
|
@@ -1,10 +1,13 @@ | ||
rule var_log_syslog : suspicious { | ||
meta: | ||
description = "accesses system logs" | ||
strings: | ||
$ref = "/var/log/messages" fullword | ||
$ref2 = "/var/log/syslog" fullword | ||
condition: | ||
any of them | ||
} | ||
|
||
rule var_log_syslog : high { | ||
meta: | ||
description = "accesses system logs" | ||
hash_2023_init_d_abrt_oops = "192b763638d0be61c4ba45e08f86df22318ab741297d6841d1009cca9bddad30" | ||
hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500" | ||
hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97" | ||
strings: | ||
$ref = "/var/log/messages" fullword | ||
$ref2 = "/var/log/syslog" fullword | ||
condition: | ||
any of them | ||
} |
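Review bot: `var_log_syslog` is promoted to `high` on the bare presence of `/var/log/messages` or `/var/log/syslog`, strings that log-rotation, log-shipping and service init scripts legitimately contain, and the first expected hash, `hash_2023_init_d_abrt_oops`, looks by its name like a stock `/etc/init.d/abrt-oops` script rather than malware; if so, the rule's own evidence list argues against the new severity. Either keep the rule at medium or add exclusions in the style of the login rules, e.g. `$not_logrotate = "logrotate" fullword` with the condition changed to `any of ($ref*) and none of ($not*)`. I cannot tell from the page which of the three listed hashes are true positives, so this should be checked against the samples before the tag is kept.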
@@ -1,64 +1,77 @@ | ||
rule yum_installer : notable { | ||
|
||
rule yum_installer : medium { | ||
meta: | ||
description = "install software with yum" | ||
description = "install software with yum" | ||
hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" | ||
hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" | ||
hash_2023_Qubitstrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" | ||
strings: | ||
$val = /yum install[ \w\-\_%]{0,32}/ | ||
condition: | ||
$val | ||
$val | ||
} | ||
|
||
rule dnf_installer : notable { | ||
rule dnf_installer : medium { | ||
meta: | ||
description = "install software with dnf" | ||
description = "install software with dnf" | ||
strings: | ||
$val = /dnf install[ \w\-\_%]{0,32}/ | ||
condition: | ||
$val | ||
$val | ||
} | ||
|
||
rule rpm_installer : notable { | ||
rule rpm_installer : medium { | ||
meta: | ||
description = "install software with rpm" | ||
description = "install software with rpm" | ||
hash_2023_Unix_Coinminer_Xanthe_7ea1 = "7ea112aadebb46399a05b2f7cc258fea02f55cf2ae5257b331031448f15beb8f" | ||
strings: | ||
$val = /rpm -i[ \w\-\_%]{0,32}/ | ||
condition: | ||
$val | ||
$val | ||
} | ||
|
||
rule apt_installer : notable { | ||
rule apt_installer : medium { | ||
meta: | ||
description = "install software with apt" | ||
description = "install software with apt" | ||
hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f" | ||
strings: | ||
$val = /apt install[ \w\-\_%]{0,32}/ | ||
condition: | ||
$val | ||
$val | ||
} | ||
|
||
rule apt_get_installer : notable { | ||
rule apt_get_installer : medium { | ||
meta: | ||
description = "install software with apt-get" | ||
description = "install software with apt-get" | ||
hash_2019_lib_restclient = "c9b67d3d9ef722facd1abce98bd7d80cec1cc1bb3e3a52c54bba91f19b5a6620" | ||
hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" | ||
hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7" | ||
strings: | ||
$val = /apt-get install[ \w\-\_%]{0,32}/ | ||
$foo = "install foo" | ||
$foo = "install foo" | ||
condition: | ||
$val and not $foo | ||
$val and not $foo | ||
} | ||
|
||
rule apk_installer : notable { | ||
rule apk_installer : medium { | ||
meta: | ||
description = "install software with APK" | ||
description = "install software with APK" | ||
hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" | ||
hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" | ||
strings: | ||
$val = /apk add[ \w\-\_%]{0,32}/ | ||
condition: | ||
$val | ||
$val | ||
} | ||
|
||
rule pip_installer_regex : notable { | ||
rule pip_installer_regex : medium { | ||
meta: | ||
description = "Includes 'pip install' command for installing Python modules" | ||
description = "Includes 'pip install' command for installing Python modules" | ||
hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" | ||
hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2" | ||
hash_2022_2022_requests_3_0_0_README = "150fd62db4024e240040be44b32d7ce98df80ab86dfd564a173cd231f2254abc" | ||
strings: | ||
$regex = /pip[3 \'\"]{0,5}install[ \'\"\w\-\_%]{0,32}/ | ||
condition: | ||
any of them | ||
any of them | ||
} |
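Review bot: `apk_installer` now carries the identical meta line twice, `hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318…"` on consecutive lines, and `yum_installer` lists the same digest under two keys (`hash_2023_Qubitstrike_branch_raw_mi` and `hash_2023_Qubitstrike_mi`), which suggests the hash-collection step keys on sample path rather than de-duplicating by digest; drop the second copy in each rule. YARA appears to accept repeated meta identifiers, but consumers that read meta into a map will silently keep only one of them, so the duplicates are noise rather than extra evidence. A de-duplicate-by-digest pass in whatever generated these lines would prevent the same thing recurring across the other 500 files in this commit.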
@@ -1,10 +1,13 @@ | ||
|
||
rule shutdown_val : notable { | ||
rule shutdown_val : medium { | ||
meta: | ||
description = "calls shutdown command" | ||
description = "calls shutdown command" | ||
hash_2023_init_d_netfs = "d8e9068316cfb0573fd86b4dbb60abb250ccf1bc9fbdc84b88b6452b01cbd8fa" | ||
hash_2023_rc0_d_K75netfs = "d8e9068316cfb0573fd86b4dbb60abb250ccf1bc9fbdc84b88b6452b01cbd8fa" | ||
hash_2023_rc1_d_K75netfs = "d8e9068316cfb0573fd86b4dbb60abb250ccf1bc9fbdc84b88b6452b01cbd8fa" | ||
strings: | ||
$ref = /shutdown -[\w ]{0,16}/ | ||
$ref2 = "shutdown now" | ||
$ref = /shutdown -[\w ]{0,16}/ | ||
$ref2 = "shutdown now" | ||
condition: | ||
any of them | ||
any of them | ||
} |
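Review bot: The three meta entries added to `shutdown_val` (`hash_2023_init_d_netfs`, `hash_2023_rc0_d_K75netfs`, `hash_2023_rc1_d_K75netfs`) all carry the same digest, so they record one file reached through three paths, presumably an init script and its rc.d symlinks; keep a single line, `hash_2023_init_d_netfs = "d8e9068316cfb0573fd86b4dbb60abb250ccf1bc9fbdc84b88b6452b01cbd8fa"`. More importantly, if that file is the stock netfs init script, the rule's only expected match is benign system software, which is weak support for a `medium` rating on strings as ordinary as `shutdown -h`; a hash from an actual sample, or a comment noting that this entry is a regression fixture rather than malware, would make the intent clear.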
@@ -1,14 +1,14 @@ | ||
|
||
rule sudo_editor : suspicious { | ||
rule sudo_editor : high { | ||
meta: | ||
description = "references /etc/sudoers" | ||
hash_2020_FinSpy_helper2 = "af4ad3b8bf81a877a47ded430ac27fdcb3ddd33d3ace52395f76cbdde46dbfe0" | ||
hash_2017_AptorDoc_Dok_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5" | ||
description = "references /etc/sudoers" | ||
hash_2017_MacOS_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5" | ||
hash_2018_org_logind_ctp_archive_helper2 = "af4ad3b8bf81a877a47ded430ac27fdcb3ddd33d3ace52395f76cbdde46dbfe0" | ||
strings: | ||
$etc_sudoers = "/etc/sudoers" | ||
$nopasswd = "NOPASSWD:" | ||
$not_sample = "sudoers man page" | ||
$not_vim = "VIMRUNTIME" | ||
$not_sample = "sudoers man page" | ||
$not_vim = "VIMRUNTIME" | ||
condition: | ||
filesize < 5242880 and ($etc_sudoers or $nopasswd) and none of ($not*) | ||
} |
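Review bot: The renamed meta keys in `sudo_editor` lose the family attribution the old keys carried: `hash_2020_FinSpy_helper2` becomes `hash_2018_org_logind_ctp_archive_helper2` and `hash_2017_AptorDoc_Dok_AppStore` becomes `hash_2017_MacOS_AppStore`, names that look derived from sample file paths rather than from what the samples are. The digests are unchanged, so an analyst can no longer see that this rule was validated against FinSpy and Dok without re-looking the hashes up; either keep the family in the key or add a comment above the meta block such as `// expected hits: FinSpy helper (logind archive, 2018), Dok/AptorDoc AppStore dropper (2017)`. The year also moved from 2020 to 2018 for the same digest, which shows the year segment is a corpus-directory date, not a first-seen date, and should not be read as one.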
@@ -1,20 +1,13 @@ | ||
|
||
rule system_fs_manipulator : notable { | ||
rule system_fs_manipulator : medium { | ||
meta: | ||
description = "Modifies files within system directories" | ||
hash_2023_QubitStrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" | ||
hash_2021_Tsunami_Kaiten = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3" | ||
hash_2021_gjif_tsunami_Gafygt = "e2125d9ce884c0fb3674bd12308ed1c10651dc4ff917b5e393d7c56d7b809b87" | ||
hash_2023_OrBit_f161 = "f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8" | ||
hash_2023_init_d_acpid = "b0cd9065704d205ea7087a0b2d4d6461305a2d12b03b8d2827e8e05e2013244d" | ||
hash_2023_init_d_auditd = "2617841f93faf85ba6d414bb79cce52fa69327d0546b10c9c1d99d8b7aee9db1" | ||
hash_2023_init_d_autofs = "3e006eafd6fe2af4d115a270fef161e3c9d470dd07205d08180edd13abafa88f" | ||
hash_2023_init_d_haldaemon = "cbf2a35e563d218d46153a50ab08545f033a14e1777f69e4edabea649710e05b" | ||
description = "Modifies files within system directories" | ||
hash_2023_Linux_Malware_Samples_3059 = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3" | ||
hash_2023_Linux_Malware_Samples_e212 = "e2125d9ce884c0fb3674bd12308ed1c10651dc4ff917b5e393d7c56d7b809b87" | ||
hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" | ||
strings: | ||
$in_usr = /(mv|chattr|rm|touch) \/(bin|root|sbin|usr|var|lib|lib64|boot)\/[ \.\w\/]{0,64}/ | ||
$not_mdm = "/var/db/MDM_EnableManagedApps" | ||
$not_mdm = "/var/db/MDM_EnableManagedApps" | ||
condition: | ||
$in_usr and none of ($not*) | ||
$in_usr and none of ($not*) | ||
} | ||
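Review bot: `$in_usr` in `system_fs_manipulator` requires the system path to follow the command after exactly one space, so `rm -rf /usr/bin/x`, `chattr -i /bin/ls` and `touch -r /bin/ls /tmp/x`, the option-bearing forms malware actually uses, do not match, while the bare `rm /bin/x` does. Allowing up to two short options between the command and the path, `$in_usr = /(mv|chattr|rm|touch)( -\w{1,8}){0,2} \/(bin|root|sbin|usr|var|lib|lib64|boot)\/[ \.\w\/]{0,64}/`, closes that gap without widening the path set; it should be re-run against the three listed hashes and the `$not_mdm` exclusion afterwards. The rename of the Tsunami/Gafgyt keys to `Linux_Malware_Samples_*` also drops the family names that explained why those two samples are expected hits.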
|
@@ -1,12 +1,15 @@ | ||
|
||
rule executable_calls_archive_tool : suspicious { | ||
rule executable_calls_archive_tool : high { | ||
meta: | ||
description = "command shells out to tar" | ||
description = "command shells out to tar" | ||
hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad" | ||
hash_2023_Downloads_589d = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0" | ||
hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7" | ||
strings: | ||
$a_tar_c = "tar -c" | ||
$a_tar_rX = "tar -r -X" | ||
$a_tar_T = "tar -T" | ||
$hash_bang = "#!" | ||
condition: | ||
any of ($a*) and not $hash_bang in (0..2) | ||
} | ||
} |
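Review bot: `executable_calls_archive_tool` is now `high`, but nothing in the condition establishes that the file is an executable: `not $hash_bang in (0..2)` only excludes scripts whose shebang begins in the first three bytes, so a Makefile, a Dockerfile or a README containing `tar -c` matches at high severity. If the intent is native binaries, a magic-number anchor is cheap, e.g. `any of ($a*) and not $hash_bang in (0..2) and uint32(0) == 0x464c457f` for ELF, with the Mach-O magics added the same way; if text files are deliberately in scope, the description should say so and a lower tag fits better. I cannot tell from the page whether the three listed hashes are binaries or scripts, so that check decides which fix is right.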
@@ -1,10 +1,13 @@ | ||
|
||
rule unarchive : notable { | ||
meta: | ||
description = "unarchives files" | ||
strings: | ||
$ref = /unarchive[\w \@\%]{0,32}/ | ||
$ref2 = /Unarchive[\w \@\%]{0,32}/ | ||
condition: | ||
any of them | ||
} | ||
rule unarchive : medium { | ||
meta: | ||
description = "unarchives files" | ||
hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c" | ||
hash_2023_Linux_Malware_Samples_2f85 = "2f85ca8f89dfb014b03afb11e5d2198a8adbae1da0fd76c81c67a81a80bf1965" | ||
hash_2023_Linux_Malware_Samples_5c03 = "5c03ff30ccffc9d36c342510c7469682d3c411654ec52b0930d37a6c6aab9f72" | ||
strings: | ||
$ref = /unarchive[\w \@\%]{0,32}/ | ||
$ref2 = /Unarchive[\w \@\%]{0,32}/ | ||
condition: | ||
any of them | ||
} |
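Review bot: The two regexes in `unarchive` differ only in the case of the first letter and can be one pattern, `$ref = /[uU]narchive[\w \@\%]{0,32}/` with `condition: $ref`, which halves the strings the scanner tracks and removes the chance of the two drifting apart on a later edit. Separately, because the pattern has no word boundary, `Unarchive` also matches inside `NSKeyedUnarchiver`, a class name present in ordinary Objective-C and Swift binaries, so this rule will presumably fire at medium on a great deal of benign macOS software; it is worth running against a goodware set before the new severity is relied on, and an exclusion string may be needed.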