

Add expected hashes to all MEDIUM+ rules, add YARA-CI (chainguard-dev…
…#203)

* De-lint YARA rules, install YARA-CI

* Add checksums to notable and higher rules

* Settle on rule priorities
tstromberg authored May 9, 2024
1 parent 5727316 commit f5fdb45
Showing 518 changed files with 5,977 additions and 5,319 deletions.
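--- a/.yara-ci.yml
+++ b/.yara-ci.yml
@@ -0,0 +1,12 @@
+branches:
+accept:
+- "**"
+files:
+accept:
+- "**.yar"
+- "**.yara"
+ignore:
+- "third_party/**"
+
+false_positives:
+disabled: true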
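Review bot: `false_positives: disabled: true` switches off the YARA-CI scan of the rule set against its corpus of known-benign files, which is the check most relevant to a commit that moves a number of rules up to medium or high. If this is a temporary measure until the existing hits are triaged, a comment on that line saying so would keep it from becoming permanent by default, e.g. `# TODO: re-enable once current false-positive hits are reviewed`; if it is intentional, the reason belongs there instead. The rendered page has lost the indentation, so the nesting of `accept`/`ignore` under `branches`/`files` should be confirmed against the committed file.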
2 changes: 1 addition & 1 deletion rules/admin/add_apt_key.yara
@@ -1,4 +1,4 @@
rule apt_add_key : notable {
rule apt_add_key : medium {
meta:
description = "Installs apt repository keys"
strings:
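Review bot: `apt_add_key` is raised to medium at L40 without any `hash_*` entry under meta (meta at L41 holds only the description before `strings:` at L43), although the commit title says every MEDIUM+ rule gets expected hashes; `var_log_install` in rules/admin/logs/install.yara (now high, L154-L157) and `dnf_installer` in rules/admin/package-install.yara (L204-L208) are in the same position. Either a representative sample digest should be added as was done for the neighbouring rules, or the rule should say why none is available, e.g. `// no sample hash yet: rule is string-only` under meta, so the gap is visibly deliberate. The rest of this rule's body is outside the hunk.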
9 changes: 5 additions & 4 deletions rules/admin/dscl.yara
@@ -1,8 +1,9 @@
rule dscl_caller {

rule dscl_caller : medium {
meta:
description = "Calls dscl (Directory Service command line utility)"
hash_2016_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc"
hash_2012_getshell_siggen = "11fb341008357bd55cee77678d9ce9609e6faae411219878d3db09cb6c125167"
description = "Calls dscl (Directory Service command line utility)"
hash_2018_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc"
hash_2013_GetShell = "11fb341008357bd55cee77678d9ce9609e6faae411219878d3db09cb6c125167"
strings:
$dscl_local = /dscl +\. +-\w{1,128}/
$dsenableroot = "dsenableroot"
24 changes: 13 additions & 11 deletions rules/admin/logs/current_logins.yara
@@ -1,13 +1,15 @@
rule login_records : notable {
meta:
description = "accesses current logins"
strings:
$f_wtmp = "/var/log/wtmp" fullword
$f_wtmpx = "/var/log/wtmpx" fullword

// entries from include/paths.h
$not_cshell = "_PATH_CSHELL" fullword
$not_rwho = "_PATH_RWHODIR" fullword
condition:
any of ($f*) and none of ($not*)
rule login_records : medium {
meta:
description = "accesses current logins"
hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6"
hash_2023_Lightning_ad16 = "ad16989a3ebf0b416681f8db31af098e02eabd25452f8d781383547ead395237"
hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500"
strings:
$f_wtmp = "/var/log/wtmp" fullword
$f_wtmpx = "/var/log/wtmpx" fullword
$not_cshell = "_PATH_CSHELL" fullword
$not_rwho = "_PATH_RWHODIR" fullword
condition:
any of ($f*) and none of ($not*)
}
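Review bot: The `// entries from include/paths.h` comment that explained why `$not_cshell` and `$not_rwho` act as exclusions is gone from the new rule body (L86-L87), so a reader now has to guess what `_PATH_CSHELL` and `_PATH_RWHODIR` have to do with login records; the same comment is dropped in rules/admin/logs/failed_logins.yara (L113-L114) and rules/admin/logs/historical_logins.yara (L144-L145). The exclusion presumably exists because a copy of paths.h defines the wtmp paths alongside those two macros, and that is worth stating next to the strings it qualifies, e.g. `// paths.h defines these macros next to the wtmp paths; treat such headers as benign`. Restoring the comment in all three files keeps the de-lint pass from costing the rule its rationale.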
22 changes: 12 additions & 10 deletions rules/admin/logs/failed_logins.yara
@@ -1,12 +1,14 @@
rule failed_logins : suspicious {
meta:
description = "accesses failed logins"
strings:
$f_wtmp = "/var/log/btmp" fullword

// entries from include/paths.h
$not_cshell = "_PATH_CSHELL" fullword
$not_rwho = "_PATH_RWHODIR" fullword
condition:
any of ($f*) and none of ($not*)
rule failed_logins : high {
meta:
description = "accesses failed logins"
hash_2023_FontOnLake_1829B0E34807765F2B254EA5514D7BB587AECA3F_elf = "5e9d356cdfc85a66f8fbab29bf43e95f19489c66d2a970e33d031f267298b482"
hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6"
hash_2023_FontOnLake_8D6ACA824D1A717AE908669E356E2D4BB6F857B0_elf = "265e8236da27a35306cde4e57d73077c94c35e7a73da086273af09179f78f37a"
strings:
$f_wtmp = "/var/log/btmp" fullword
$not_cshell = "_PATH_CSHELL" fullword
$not_rwho = "_PATH_RWHODIR" fullword
condition:
any of ($f*) and none of ($not*)
}
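Review bot: `$f_wtmp = "/var/log/btmp" fullword` at L112 names the string after wtmp while it matches btmp, the failed-login record, so anyone reading the three login rules side by side will take it for the same path as in current_logins.yara. Renaming it `$f_btmp = "/var/log/btmp" fullword` keeps the `$f*` wildcard in the condition working and removes the mismatch.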
27 changes: 14 additions & 13 deletions rules/admin/logs/historical_logins.yara
@@ -1,15 +1,16 @@
rule login_records : suspicious {
meta:
description = "accesses historical login records"
strings:
$f_lastlog = "/var/log/lastlog" fullword
$f_utmp = "/var/log/utmp" fullword
$f_utmpx = "/var/log/utmpx" fullword

// entries from include/paths.h
$not_cshell = "_PATH_CSHELL" fullword
$not_rwho = "_PATH_RWHODIR" fullword
condition:
any of ($f*) and none of ($not*)
rule login_records : high {
meta:
description = "accesses historical login records"
hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6"
hash_2023_Lightning_ad16 = "ad16989a3ebf0b416681f8db31af098e02eabd25452f8d781383547ead395237"
hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500"
strings:
$f_lastlog = "/var/log/lastlog" fullword
$f_utmp = "/var/log/utmp" fullword
$f_utmpx = "/var/log/utmpx" fullword
$not_cshell = "_PATH_CSHELL" fullword
$not_rwho = "_PATH_RWHODIR" fullword
condition:
any of ($f*) and none of ($not*)
}
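Review bot: `rule login_records` at L134 reuses the identifier already declared in rules/admin/logs/current_logins.yara (L77); YARA reports a duplicated identifier when two rules of the same name are compiled into one namespace, so unless the loader gives each file its own namespace this set will not compile, and the YARA-CI run added in this commit, which accepts every `**.yara`, is likely to surface it. Renaming this one to `historical_login_records` and the other to `current_login_records` matches the file names and the descriptions. The clash predates the commit, but the priority bump to high makes it worth settling now.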

2 changes: 1 addition & 1 deletion rules/admin/logs/install.yara
@@ -1,4 +1,4 @@
rule var_log_install : suspicious {
rule var_log_install : high {
meta:
description = "accesses software installation logs"
strings:
21 changes: 12 additions & 9 deletions rules/admin/logs/syslog.yara
@@ -1,10 +1,13 @@
rule var_log_syslog : suspicious {
meta:
description = "accesses system logs"
strings:
$ref = "/var/log/messages" fullword
$ref2 = "/var/log/syslog" fullword
condition:
any of them
}

rule var_log_syslog : high {
meta:
description = "accesses system logs"
hash_2023_init_d_abrt_oops = "192b763638d0be61c4ba45e08f86df22318ab741297d6841d1009cca9bddad30"
hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500"
hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97"
strings:
$ref = "/var/log/messages" fullword
$ref2 = "/var/log/syslog" fullword
condition:
any of them
}
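Review bot: `hash_2023_init_d_abrt_oops` at L175 records, if its key name is accurate, a stock init.d script as an expected match for a rule that this commit promotes to high, which reads as an admission that the rule fires on benign system files; the new meta block in rules/admin/system_directories.yara (L392-L394) appears to keep none of the `hash_2023_init_d_*` keys the old one had (L387-L390), so keeping this one looks inconsistent. If the digest is meant as a known-benign reference rather than a sample, a comment on that line saying so would avoid the question; otherwise it belongs out of the meta block, or the severity deserves a second look.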
59 changes: 36 additions & 23 deletions rules/admin/package-install.yara
@@ -1,64 +1,77 @@
rule yum_installer : notable {

rule yum_installer : medium {
meta:
description = "install software with yum"
description = "install software with yum"
hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
hash_2023_Qubitstrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
strings:
$val = /yum install[ \w\-\_%]{0,32}/
condition:
$val
$val
}

rule dnf_installer : notable {
rule dnf_installer : medium {
meta:
description = "install software with dnf"
description = "install software with dnf"
strings:
$val = /dnf install[ \w\-\_%]{0,32}/
condition:
$val
$val
}

rule rpm_installer : notable {
rule rpm_installer : medium {
meta:
description = "install software with rpm"
description = "install software with rpm"
hash_2023_Unix_Coinminer_Xanthe_7ea1 = "7ea112aadebb46399a05b2f7cc258fea02f55cf2ae5257b331031448f15beb8f"
strings:
$val = /rpm -i[ \w\-\_%]{0,32}/
condition:
$val
$val
}

rule apt_installer : notable {
rule apt_installer : medium {
meta:
description = "install software with apt"
description = "install software with apt"
hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f"
strings:
$val = /apt install[ \w\-\_%]{0,32}/
condition:
$val
$val
}

rule apt_get_installer : notable {
rule apt_get_installer : medium {
meta:
description = "install software with apt-get"
description = "install software with apt-get"
hash_2019_lib_restclient = "c9b67d3d9ef722facd1abce98bd7d80cec1cc1bb3e3a52c54bba91f19b5a6620"
hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7"
strings:
$val = /apt-get install[ \w\-\_%]{0,32}/
$foo = "install foo"
$foo = "install foo"
condition:
$val and not $foo
$val and not $foo
}

rule apk_installer : notable {
rule apk_installer : medium {
meta:
description = "install software with APK"
description = "install software with APK"
hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
strings:
$val = /apk add[ \w\-\_%]{0,32}/
condition:
$val
$val
}

rule pip_installer_regex : notable {
rule pip_installer_regex : medium {
meta:
description = "Includes 'pip install' command for installing Python modules"
description = "Includes 'pip install' command for installing Python modules"
hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"
hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2"
hash_2022_2022_requests_3_0_0_README = "150fd62db4024e240040be44b32d7ce98df80ab86dfd564a173cd231f2254abc"
strings:
$regex = /pip[3 \'\"]{0,5}install[ \'\"\w\-\_%]{0,32}/
condition:
any of them
any of them
}
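Review bot: `hash_2023_Qubitstrike_branch_raw_mi` and `hash_2023_Qubitstrike_mi` at L194-L195 carry the same digest (`9a5f6318…`), so the second key adds no coverage and overstates how many samples back `yum_installer`; rules/admin/shutdown.yara goes further with three keys (`init_d_netfs`, `rc0_d_K75netfs`, `rc1_d_K75netfs`, L327-L329) for the single digest `d8e9068316…`. One key per digest, with alternate paths noted in a trailing comment if they matter, keeps the meta block honest. Separately, `hash_2022_2022_requests_3_0_0_README` at L279 and `hash_2022_2022_requests_3_0_0_setup` in rules/admin/pip_install.yara (L295) repeat the year in the key, which looks like a generator slip worth fixing at the source.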
9 changes: 5 additions & 4 deletions rules/admin/pip_install.yara
@@ -1,6 +1,8 @@
rule pip_installer : suspicious {

rule pip_installer : high {
meta:
description = "Installs software using pip from python"
description = "Installs software using pip from python"
hash_2022_2022_requests_3_0_0_setup = "15507092967fbd28ccb833d98c2ee49da09e7c79fd41759cd6f783672fe1c5cc"
strings:
$pip_install = "os.system('pip install"
$pip_install_spaces = "'pip', 'install'"
Expand All @@ -9,6 +11,5 @@ rule pip_installer : suspicious {
$pip3_install_spaces = "'pip3', 'install'"
$pip3_install_args = "'pip3','install'"
condition:
any of them
any of them
}

3 changes: 1 addition & 2 deletions rules/admin/set-default-application.yara
@@ -1,6 +1,5 @@

rule macos_setApp {
meta:
hash_2016_MacOS_Mac_File_Opener = "ae00bcacc5947754b018b043d3fa746caca850fe0715d5ea47ba94df58171690"
strings:
$setApp = "setApp:for"
$sda = "setting default application"
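Review bot: `macos_setApp` at L311 has neither a severity tag on the rule line nor a `description` under meta (meta at L312 holds only the hash before `strings:` at L314), while every other rule touched by this commit has both; `systemsetup_no_sleep` in rules/admin/system-configuration.yara (L367-L371) is likewise missing a description. Adding e.g. `description = "sets the default application for a file type"` under meta and a tag consistent with the medium/high scheme this commit settles on would bring it in line. The rest of the rule is outside the hunk.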
13 changes: 8 additions & 5 deletions rules/admin/shutdown.yara
@@ -1,10 +1,13 @@

rule shutdown_val : notable {
rule shutdown_val : medium {
meta:
description = "calls shutdown command"
description = "calls shutdown command"
hash_2023_init_d_netfs = "d8e9068316cfb0573fd86b4dbb60abb250ccf1bc9fbdc84b88b6452b01cbd8fa"
hash_2023_rc0_d_K75netfs = "d8e9068316cfb0573fd86b4dbb60abb250ccf1bc9fbdc84b88b6452b01cbd8fa"
hash_2023_rc1_d_K75netfs = "d8e9068316cfb0573fd86b4dbb60abb250ccf1bc9fbdc84b88b6452b01cbd8fa"
strings:
$ref = /shutdown -[\w ]{0,16}/
$ref2 = "shutdown now"
$ref = /shutdown -[\w ]{0,16}/
$ref2 = "shutdown now"
condition:
any of them
any of them
}
12 changes: 6 additions & 6 deletions rules/admin/sudoers-edit.yara
@@ -1,14 +1,14 @@

rule sudo_editor : suspicious {
rule sudo_editor : high {
meta:
description = "references /etc/sudoers"
hash_2020_FinSpy_helper2 = "af4ad3b8bf81a877a47ded430ac27fdcb3ddd33d3ace52395f76cbdde46dbfe0"
hash_2017_AptorDoc_Dok_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5"
description = "references /etc/sudoers"
hash_2017_MacOS_AppStore = "4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5"
hash_2018_org_logind_ctp_archive_helper2 = "af4ad3b8bf81a877a47ded430ac27fdcb3ddd33d3ace52395f76cbdde46dbfe0"
strings:
$etc_sudoers = "/etc/sudoers"
$nopasswd = "NOPASSWD:"
$not_sample = "sudoers man page"
$not_vim = "VIMRUNTIME"
$not_sample = "sudoers man page"
$not_vim = "VIMRUNTIME"
condition:
filesize < 5242880 and ($etc_sudoers or $nopasswd) and none of ($not*)
}
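Review bot: The renamed keys at L350-L351 drop the family attribution the old keys carried for the identical digests — `hash_2020_FinSpy_helper2` becomes `hash_2018_org_logind_ctp_archive_helper2` and `hash_2017_AptorDoc_Dok_AppStore` becomes `hash_2017_MacOS_AppStore` — so the only hint of what those samples were is gone, and the first one also changes year with no visible source. rules/admin/system_directories.yara appears to do the same (`Tsunami_Kaiten` and `gjif_tsunami_Gafygt` become `Linux_Malware_Samples_3059`/`_e212`, L392-L393), and rules/admin/dscl.yara (L56-L57) and rules/admin/system-configuration.yara (L370) shift years on unchanged digests. If the keys are generated from a sample directory layout, keeping the family in the directory name, or adding a trailing comment such as `// FinSpy`, preserves the context at no cost.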
5 changes: 3 additions & 2 deletions rules/admin/system-configuration.yara
@@ -1,6 +1,7 @@
rule systemsetup_no_sleep : notable {

rule systemsetup_no_sleep : medium {
meta:
hash_2016_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc"
hash_2018_Calisto = "81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc"
strings:
$no_sleep = "systemsetup -setcomputersleep Never"
condition:
21 changes: 7 additions & 14 deletions rules/admin/system_directories.yara
@@ -1,20 +1,13 @@

rule system_fs_manipulator : notable {
rule system_fs_manipulator : medium {
meta:
description = "Modifies files within system directories"
hash_2023_QubitStrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
hash_2021_Tsunami_Kaiten = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3"
hash_2021_gjif_tsunami_Gafygt = "e2125d9ce884c0fb3674bd12308ed1c10651dc4ff917b5e393d7c56d7b809b87"
hash_2023_OrBit_f161 = "f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8"
hash_2023_init_d_acpid = "b0cd9065704d205ea7087a0b2d4d6461305a2d12b03b8d2827e8e05e2013244d"
hash_2023_init_d_auditd = "2617841f93faf85ba6d414bb79cce52fa69327d0546b10c9c1d99d8b7aee9db1"
hash_2023_init_d_autofs = "3e006eafd6fe2af4d115a270fef161e3c9d470dd07205d08180edd13abafa88f"
hash_2023_init_d_haldaemon = "cbf2a35e563d218d46153a50ab08545f033a14e1777f69e4edabea649710e05b"
description = "Modifies files within system directories"
hash_2023_Linux_Malware_Samples_3059 = "305901aa920493695729132cfd20cbddc9db2cf861071450a646c6a07b4a50f3"
hash_2023_Linux_Malware_Samples_e212 = "e2125d9ce884c0fb3674bd12308ed1c10651dc4ff917b5e393d7c56d7b809b87"
hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd"
strings:
$in_usr = /(mv|chattr|rm|touch) \/(bin|root|sbin|usr|var|lib|lib64|boot)\/[ \.\w\/]{0,64}/
$not_mdm = "/var/db/MDM_EnableManagedApps"
$not_mdm = "/var/db/MDM_EnableManagedApps"
condition:
$in_usr and none of ($not*)
$in_usr and none of ($not*)
}

9 changes: 6 additions & 3 deletions rules/archives/tar-command.yara
@@ -1,12 +1,15 @@

rule executable_calls_archive_tool : suspicious {
rule executable_calls_archive_tool : high {
meta:
description = "command shells out to tar"
description = "command shells out to tar"
hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad"
hash_2023_Downloads_589d = "589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0"
hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7"
strings:
$a_tar_c = "tar -c"
$a_tar_rX = "tar -r -X"
$a_tar_T = "tar -T"
$hash_bang = "#!"
condition:
any of ($a*) and not $hash_bang in (0..2)
}
}
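Review bot: `not $hash_bang in (0..2)` at L422 is the clause that decides what this high-severity rule skips, and nothing says why; a one-line comment above `$hash_bang` stating the reason as intended, along the lines of `// files starting with "#!" are scripts; only flag other executables that shell out to tar`, would spare the next reader the deduction. The closing `}` appears twice on the rendered page (L423-L424), presumably the re-indented brace shown on both sides rather than a duplicate in the file, but worth a glance at the committed text now that YARA-CI parses every `**.yara`.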
21 changes: 12 additions & 9 deletions rules/archives/unarchive.yara
@@ -1,10 +1,13 @@

rule unarchive : notable {
meta:
description = "unarchives files"
strings:
$ref = /unarchive[\w \@\%]{0,32}/
$ref2 = /Unarchive[\w \@\%]{0,32}/
condition:
any of them
}
rule unarchive : medium {
meta:
description = "unarchives files"
hash_2024_Downloads_0f66 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c"
hash_2023_Linux_Malware_Samples_2f85 = "2f85ca8f89dfb014b03afb11e5d2198a8adbae1da0fd76c81c67a81a80bf1965"
hash_2023_Linux_Malware_Samples_5c03 = "5c03ff30ccffc9d36c342510c7469682d3c411654ec52b0930d37a6c6aab9f72"
strings:
$ref = /unarchive[\w \@\%]{0,32}/
$ref2 = /Unarchive[\w \@\%]{0,32}/
condition:
any of them
}
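Review bot: `$ref` and `$ref2` at L445-L446 differ only in the case of the first letter, so they can collapse into one string, `$ref = /[uU]narchive[\w \@\%]{0,32}/` with `condition: $ref`, which also stops `any of them` from silently widening if another string is added later. The meta block lists `hash_2024_…` ahead of the two `hash_2023_…` entries (L441-L443) while the other rules in this commit keep keys sorted; minor, but worth aligning.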