diff --git a/Makefile b/Makefile index 3b0116e5..e8b49f9b 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ SAMPLES_REPO ?= chainguard-dev/malcontent-samples -SAMPLES_COMMIT ?= 8c02e6ef4d3a67e4e45f58e1b1b05a586e8bc24f +SAMPLES_COMMIT ?= 35fa24a7f08b2363b0f4df9b86d6ecee7a0f6ead # BEGIN: lint-install ../malcontent # http://github.com/tinkerbell/lint-install diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive index 69a61f02..9fa7efaa 100644 --- a/pkg/action/testdata/scan_archive +++ b/pkg/action/testdata/scan_archive @@ -196,15 +196,15 @@ "RuleName": "crypto_aes" }, { - "Description": "Uses crypto/cipher", + "Description": "mentions 'ciphertext'", "MatchStrings": [ - "XORKeyStream" + "ciphertext" ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#go_cipher", + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext", "ID": "crypto/cipher", - "RuleName": "go_cipher" + "RuleName": "ciphertext" }, { "Description": "Uses the Go crypto/ecdsa library", @@ -1740,6 +1740,18 @@ "ID": "fs/symlink_resolve", "RuleName": "realpath" }, + { + "Description": "temp", + "MatchStrings": [ + "getenv", + "temp" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp", + "ID": "fs/tempdir/TEMP", + "RuleName": "temp" + }, { "Description": "Uses mktemp to create temporary files", "MatchStrings": [ @@ -1904,7 +1916,7 @@ "RuleName": "content_type" }, { - "Description": "makes HTTP requests with basic authentication", + "Description": "makes HTTP requests with Bearer authentication", "MatchStrings": [ "WWW-Authenticate", "Www-Authenticate", 
@@ -1945,7 +1957,8 @@ "MatchStrings": [ "POST", "application/json", - "application/x-www-form-urlencoded" + "application/x-www-form-urlencoded", + "post" ], "RiskScore": 2, "RiskLevel": "MEDIUM", @@ -2003,6 +2016,17 @@ "ID": "net/ip", "RuleName": "packets" }, + { + "Description": "connects to an arbitrary hostname:port", + "MatchStrings": [ + "host to transport" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port", + "ID": "net/ip/host_port", + "RuleName": "host_port" + }, { "Description": "parses IP address (IPv4 or IPv6)", "MatchStrings": [ diff --git a/rules/anti-static/base64/import.yara b/rules/anti-static/base64/import.yara new file mode 100644 index 00000000..1d877813 --- /dev/null +++ b/rules/anti-static/base64/import.yara @@ -0,0 +1,19 @@ +rule b64_as_int: critical { + meta: + description = "hides term 'base64' within an integer array" + + strings: + $f_decode = "decode" + $f_ord = "ord" + + $ib = "98," + $ia = "97," + $is = "115," + $ie = "101," + $i6 = "54," + $i4 = "52" + + condition: + any of ($f*) and all of ($i*) and @ia > @ib and @is > @ia and @ie > @is and @i6 > @ie and @i4 > @i6 and @i6 - @ib <= 48 + +} diff --git a/rules/anti-static/obfuscation/hex.yara b/rules/anti-static/obfuscation/hex.yara index b62510e7..22017b88 100644 --- a/rules/anti-static/obfuscation/hex.yara +++ b/rules/anti-static/obfuscation/hex.yara @@ -55,3 +55,18 @@ rule hex_parse_base64_high: high { filesize < 32KB and any of ($lang*) and any of ($b*) and none of ($not*) } +rule mega_string: high { + meta: + description = "python script decodes large hexadecimal string" + + strings: + $unhexlify = "unhexlify" + $hex_multiline_single = /= {0,2}'''[\/\da-fA-F]{1024}/ + $hex_multiline_double = /= {0,2}"""[\/\da-fA-F]{1024}/ + $hex_line_single = /= '[\/\da-fA-F]{1024}/ + $hex_line_double = /= "[\/\da-fA-F]{1024}/ + + condition: + filesize < 5MB and $unhexlify and any of ($hex*) + +} 
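Review bot: In b64_as_int, `$i4 = "52"` is the only array element without a trailing delimiter and `@i4 > @i6` has no upper bound, so the last digit pair is satisfied by any "52" anywhere later in the file, while `$f_ord = "ord"` without `fullword` is also met by "word" or "record"; for a rule rated critical the delimiter and proximity checks should be symmetric. Consider `$f_ord = "ord("` and appending `and @i4 - @i6 <= 8` to the condition. All `@` offsets refer to first occurrences only, so an unrelated earlier "98," hides a later genuine array; that is probably acceptable for a critical rule but deserves a meta comment.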
diff --git a/rules/anti-static/obfuscation/python.yara b/rules/anti-static/obfuscation/python.yara index 14146905..6b575495 100644 --- a/rules/anti-static/obfuscation/python.yara +++ b/rules/anti-static/obfuscation/python.yara @@ -2,22 +2,12 @@ private rule probably_python { strings: $f_function = "import" fullword $f_for = "for x in" fullword + $f_return = "return self." + $f_def = "def _" + $f_ord = " ord(" condition: - filesize < 512KB and any of ($f*) -} - -rule Vare_Obfuscator: critical { - meta: - description = "obfuscated with https://github.com/saintdaddy/Vare-Obfuscator" - filetype = "py" - - strings: - $var = "__VareObfuscator__" - $var2 = "Vare Obfuscator" - - condition: - any of them + filesize < 10MB and any of ($f*) } rule py_indirect_builtins: suspicious { @@ -42,7 +32,19 @@ rule join_map_chr: high { $ref2 = /join\(chr\([a-z]{1,5}\) for [a-z]{1,5} in \[\d{1,3}, {0,2}\d{1,3}, {0,2}[\d\,]{1,32}/ condition: - filesize < 256KB and any of them + filesize < 10MB and any of them +} + +rule for_join_ord: high { + meta: + description = "decodes numbers from an obfuscated string" + filetypes = "py" + + strings: + $ref = /for [\w]{1,10} in ["']{2}\.join\(chr\(ord\(\w{1,8}\)[-\w\), ]{0,16}/ + + condition: + filesize < 10MB and any of them } rule codecs_decode: high { @@ -55,6 +57,7 @@ rule codecs_decode: high { condition: $val } + import "math" rule python_exec_eval_one_line: critical { 
@@ -71,30 +74,6 @@ rule python_exec_eval_one_line: critical { any of ($f*) and none of ($not*) } -rule python_exec_near_enough_decrypt: high { - meta: - description = "Evaluates code from encrypted content" - - strings: - $exec = "exec(" fullword - $decrypt = "decrypt(" fullword - - condition: - all of them and math.abs(@decrypt - @exec) <= 256 -} - -rule python_exec_near_enough_fernet: critical { - meta: - description = "Evaluates code from encrypted content" - - strings: - $exec = "exec(" fullword - $fernet = "Fernet" - - condition: - all of them and math.abs(@fernet - @exec) <= 256 -} - rule dynamic_require: high { meta: description = "imports a library dynamically" @@ -235,7 +214,7 @@ rule python_long_hex: medium { $assign = /\w{0,16}=["'][a-z0-9]{1024}/ condition: - filesize < 1MB and $assign + filesize < 10MB and $assign } rule python_long_hex_multiple: high { @@ -247,7 +226,7 @@ rule python_long_hex_multiple: high { $assign = /\w{0,16}=["'][a-z0-9]{1024}/ condition: - filesize < 1MB and #assign > 3 + filesize < 10MB and #assign > 3 } rule python_hex_decimal: high { @@ -266,7 +245,7 @@ rule python_hex_decimal: high { $not_testing_t = "*testing.T" fullword condition: - filesize < 1MB and any of ($f*) and #trash in (filesize - 1024..filesize) > 100 and none of ($not*) + filesize < 10MB and any of ($f*) and #trash in (filesize - 1024..filesize) > 100 and none of ($not*) } rule dumb_int_compares: high { @@ -279,7 +258,7 @@ rule dumb_int_compares: high { $decode_or_b64decode = /if \d{2,16} == \d{2,16}/ condition: - filesize < 1MB and all of them + filesize < 10MB and all of them } rule py_lib_alias_val: medium { @@ -303,7 +282,7 @@ rule multi_decode_3: high { $decode_or_b64decode = /\.[b64]{0,3}decode\(.{0,256}\.[b64]{0,3}decode\(.{0,256}\.[b64]{0,3}decode/ condition: - filesize < 1MB and all of them + filesize < 10MB and all of them } rule multi_decode: medium { 
@@ -316,7 +295,7 @@ rule multi_decode: medium { $decode_or_b64decode = /\.[b64]{0,3}decode\(.{0,32}\.[b64]{0,3}decode\(/ condition: - filesize < 1MB and all of them + filesize < 10MB and all of them } rule rename_requests: medium { @@ -327,7 +306,7 @@ rule rename_requests: medium { $ref = /import requests as \w{0,64}/ condition: - filesize < 512KB and all of them + filesize < 10MB and all of them } rule rename_requests_2char: high { @@ -362,7 +341,7 @@ rule rename_marshal: critical { $ref = /import marshal as \w{0,64}/ condition: - filesize < 512KB and all of them + filesize < 10MB and all of them } rule rename_base64: critical { @@ -373,7 +352,7 @@ rule rename_base64: critical { $ref = /import base64 as \w{0,64}/ condition: - filesize < 1MB and all of them + filesize < 10MB and all of them } rule rename_zlib: high { @@ -384,7 +363,7 @@ rule rename_zlib: high { $ref = /import zlib as \w{0,64}/ condition: - filesize < 512KB and all of them + filesize < 10MB and all of them } rule too_many_lambdas_small: high { @@ -406,12 +385,12 @@ rule too_many_lambdas_large: high { $ref = /lambda \W: \W [\+\-\*]/ condition: - filesize < 512KB and #ref > 100 + filesize < 10MB and #ref > 100 } rule lambda_funk: high { meta: - description = "likely obfuscated" + description = "likely obfuscated with lambda functions" strings: $ = "__builtins__.__dict__" @@ -422,7 +401,7 @@ rule lambda_funk: high { $ = ".decode('utf-8'))" condition: - filesize < 512KB and 80 % of them + filesize < 10MB and 80 % of them } rule lambda_funk_high: high { @@ -438,7 +417,7 @@ rule lambda_funk_high: high { $ = ".decode('utf-8'))" condition: - filesize < 512KB and all of them + filesize < 10MB and all of them } rule confusing_function_name: high { 
@@ -446,11 +425,14 @@ rule confusing_function_name: high { description = "obfuscated with confusing function names" strings: - $def = /def [Il]{4,64}/ fullword - $eq = /[Il]{4,64} = / fullword + $def = /def [Il]{6,64}/ + $eq = /[Il]{6,64} = / fullword + $return = /return [Il]{6,64}\(/ + $func = / \+ [Il]{6,64}\([Il]{6,64}\)/ + $func2 = /\)\+[Il]{6,64}\([Il]{6,64}\)\+/ condition: - filesize < 512KB and (#def > 1 or #eq > 1) + filesize < 10MB and any of them } rule decompress_base64_entropy: high { @@ -470,7 +452,7 @@ rule decompress_base64_entropy: high { $long_str = /[\'\"][\+\w\/]{96}/ condition: - filesize < 1MB and any of ($k*) and $b64decode and $long_str and any of ($f*) + filesize < 10MB and any of ($k*) and $b64decode and $long_str and any of ($f*) } rule join: low { @@ -494,5 +476,47 @@ rule urllib_as_int_array: critical { $urllib_dot2 = "117, 114, 108, 108, 105, 98, 46" condition: - filesize < 1MB and any of them + filesize < 10MB and any of them +} + +rule import_manipulator: critical { + meta: + description = "manipulates globals and imports into executing obfuscated code" + + strings: + $import = "__import__(" + $getattr = "getattr(" + $setattr = "setattr(" + $update = "update(" + $chr = /chr\(\w{1,8}\)/ + $globals = "globals" + $dict = "__dict__" + $def = "def " + + condition: + filesize < 10MB and all of them +} + +rule bloated_hex_python: high { + meta: + description = "python script bloated with obfuscated content" + + strings: + $f_unhexlify = "unhexlify" fullword + $f_join = "join(" + $f_split = "split" fullword + $f_lambda = "lambda" fullword + $f_ord = "ord" fullword + $f_def = "def" fullword + $f_decode = "decode" fullword + $f_exec = "exec" fullword + $f_eval = "eval" + $f_alphabet = "abcdefghijkl" + + $not_js = "function(" + $not_highlight = "highlight" + + condition: + filesize > 512KB and filesize < 10MB and 90 % of ($f*) and none of ($not*) + } 
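Review bot: In confusing_function_name the condition drops from `#def > 1 or #eq > 1` to `any of them` and `$def = /def [Il]{6,64}/` loses its `fullword`, so a single function whose name merely begins with six I/l characters (e.g. `def IlIlIlLoader`) now yields a high finding where two obfuscated names used to be required. If the relaxation is deliberate, keep `$def = /def [Il]{6,64}/ fullword` and consider `2 of them` to preserve the old two-hit threshold. The rule's meta block starts outside the hunk.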
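Review bot: import_manipulator is rated critical on `all of them` over tokens that ordinary Python code contains in bulk — `"def "`, `"getattr("`, `"setattr("`, `"update("`, `"globals"`, `"__dict__"`, `/chr\(\w{1,8}\)/` and `"__import__("` — with no proximity or ordering constraint, so any sizeable package that touches import machinery will satisfy it. Since this file already has `import "math"` available, consider anchoring the rule to the obfuscation it describes, e.g. `math.abs(@import - @chr) < 256` alongside the string set, or demote it to high until a fixture demonstrates its precision. bloated_hex_python in the same hunk closes with an indented `+ }`, unlike every other rule in the file.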
diff --git a/rules/anti-static/packer/decompyle.yara b/rules/anti-static/packer/decompyle.yara new file mode 100644 index 00000000..ff81480b --- /dev/null +++ b/rules/anti-static/packer/decompyle.yara @@ -0,0 +1,13 @@ +rule py_kramer_packer: critical python { + meta: + description = "packed with Kramer" + ref = "https://github.com/billythegoat356/Kramer" + filetypes = "py" + + strings: + $ = "Source Generated with Decompyle++" + $ = /_{1,16} = eval\(getattr\(__import__\(bytes\(\[/ + + condition: + filesize < 8MB and any of them +} diff --git a/rules/anti-static/packer/py_kramer.yara b/rules/anti-static/packer/py_kramer.yara index 9ed7d006..c5e5aae4 100644 --- a/rules/anti-static/packer/py_kramer.yara +++ b/rules/anti-static/packer/py_kramer.yara @@ -1,7 +1,8 @@ rule kramer: critical { meta: - description = "packed with kramer" + description = "packed with Kramer" ref = "https://github.com/billythegoat356/Kramer" + filetypes = "py" strings: $ = ".__init__...." @@ -13,5 +14,37 @@ rule kramer: critical { $ = "obf.py" condition: - filesize < 8MB and all of them + filesize < 10MB and all of them +} + +rule py_kramer_packer2: critical python { + meta: + description = "packed with Kramer" + ref = "https://github.com/billythegoat356/Kramer" + filetypes = "py" + + strings: + $ = "class Kramer():" + $ = "def __decode__(self:object,_execute:str)->exec:return" + $ = "def __init__(self:object,_delete:float=False" + $ = "self._exit,_delete,self._eval," + $ = "_delete=False,_bit=False,_sparkle='''" + + condition: + filesize < 10MB and 3 of them +} + +rule py_kramer_packer3: critical python { + meta: + description = "packed with Kramer" + ref = "https://github.com/billythegoat356/Kramer" + filetypes = "py" + + strings: + $ = "Kramer.__decode__" + $ = "Kramer.__init__...." + $ = "Kramer.__init__.." + + condition: + filesize < 10MB and any of them } 
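Review bot: `$ = "Source Generated with Decompyle++"` in py_kramer_packer is the banner the Decompyle++ (pycdc) decompiler writes into every file it produces, so with `any of them` this critical "packed with Kramer" rule fires on any decompiled Python source, not just Kramer output. Consider moving the banner into its own rule with `description = "decompiled with Decompyle++"` at a lower severity and keeping only the `eval(getattr(__import__(bytes([` regex under the Kramer description. The same description is shared by `kramer`, `py_kramer_packer2` and `py_kramer_packer3` in py_kramer.yara, so a report cannot tell the reader which signature fired; a short distinguishing suffix per rule would fix that.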
diff --git a/rules/anti-static/packer/py_vare.yara b/rules/anti-static/packer/py_vare.yara
new file mode 100644
index 00000000..fb53abc5
--- /dev/null
+++ b/rules/anti-static/packer/py_vare.yara
@@ -0,0 +1,12 @@
+rule Vare_Obfuscator: critical {
+ meta:
+ description = "obfuscated with https://github.com/saintdaddy/Vare-Obfuscator"
+ filetype = "py"
+
+ strings:
+ $var = "__VareObfuscator__"
+ $var2 = "Vare Obfuscator"
+
+ condition:
+ any of them
+}
diff --git a/rules/anti-static/packer/pyobfuscate.yara b/rules/anti-static/packer/pyobfuscate.yara
new file mode 100644
index 00000000..a6575957
--- /dev/null
+++ b/rules/anti-static/packer/pyobfuscate.yara
@@ -0,0 +1,11 @@
+rule pyobfuscate: high {
+ meta:
+ description = "uses 'pyobfuscate' packer"
+
+ strings:
+ $def = "def" fullword
+ $pyobfuscate = "pyobfuscate" fullword
+
+ condition:
+ filesize < 1MB and all of them
+}
diff --git a/rules/c2/addr/discord.yara b/rules/c2/addr/discord.yara
new file mode 100644
index 00000000..3e4bfee4
--- /dev/null
+++ b/rules/c2/addr/discord.yara
@@ -0,0 +1,12 @@
+rule discord: medium {
+ meta:
+ description = "may report back to 'Discord'"
+
+ strings:
+ $t1 = "discordapp.com"
+ $t2 = "Discord"
+
+ condition:
+ any of them
+}
+
diff --git a/rules/c2/addr/telegram.yara b/rules/c2/addr/telegram.yara
new file mode 100644
index 00000000..342357ad
--- /dev/null
+++ b/rules/c2/addr/telegram.yara
@@ -0,0 +1,12 @@
+rule telegram: medium {
+ meta:
+ discription = "may report back to 'Telegram'"
+
+ strings:
+ $t1 = "telegram.org"
+ $t2 = "Telegram"
+
+ condition:
+ any of them
+}
+
diff --git a/rules/c2/refs.yara b/rules/c2/refs.yara
index 701babb0..0a7ff5dd 100644
--- a/rules/c2/refs.yara
+++ b/rules/c2/refs.yara
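Review bot: `filetype = "py"` in Vare_Obfuscator uses a different meta key from the `filetypes = "py"` the new Kramer rules in py_kramer.yara and for_join_ord use; python_reads_itself (python_file.yara) and requests_post (post.yara) elsewhere in this commit also use the singular spelling. If the scanner reads only one of the two keys, the singular ones are silently ignored, so pick one spelling, presumably `filetypes = "py"`, and apply it to all of them.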
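Review bot: `discription = "may report back to 'Telegram'"` misspells the meta key, so the telegram rule has no `description` and will be reported without one, unlike its sibling discord rule; change it to `description = "may report back to 'Telegram'"`. Both rules also match the bare product name (`$t2 = "Telegram"`, `$t2 = "Discord"`) without `fullword`, which is the usual reason a medium finding appears on anything that merely mentions those services; if that breadth is intended for triage, say so in meta.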
@@ -3,10 +3,16 @@ rule command_and_control: medium { description = "Uses terms that may reference a command and control server" strings: - $c_and_c = "command & control" - $c2_addr = "c2_addr" - $c2_port = "c2_port" - $c2_event = "c2_event" + $c_and_c = "command & control" + $c2_addr = "c2_addr" + $c2_port = "c2_port" + $c2_event = "c2_event" + $c2host = "c2host" + $C2Host = "C2Host" + $C2Port = "C2Port" + $c2port = "c2port" + $C2_ADDRESS = "C2_ADDRESS" + $C2_PORT = "C2_PORT" condition: any of them @@ -18,6 +24,7 @@ rule send_to_c2: high { strings: $send_to = "SendDataToC2" + $c2_send = "c2.send" fullword condition: any of them diff --git a/rules/collect/archives/zip.yara b/rules/collect/archives/zip.yara index d7eca9ea..8ef25299 100644 --- a/rules/collect/archives/zip.yara +++ b/rules/collect/archives/zip.yara @@ -8,6 +8,7 @@ rule zip: medium { $ref3 = "zip_writer" fullword $ref4 = "ZIP archive" fullword $ref5 = "zip files" fullword + $ref6 = "zipfile" condition: any of them diff --git a/rules/crypto/aes.yara b/rules/crypto/aes.yara index 6fe11764..e03365ad 100644 --- a/rules/crypto/aes.yara +++ b/rules/crypto/aes.yara @@ -8,7 +8,24 @@ rule crypto_aes { $ref3 = "openssl/aes" $ref4 = "aes_256_cbc" $ref5 = "aes_encrypt" + $ref6 = "pyaes" fullword + $ref7 = "AESModeOfOperationGCM" condition: any of them } + +rule aes_key_iv: high { + meta: + description = "hardcoded AES key/iv pair" + + strings: + $aes = "aes" fullword + $aese2 = "AES" fullword + + $key = /key = [\w\.\(,]{0,32}['"][\w=\/\+]{8,256}['"]/ + $iv = /iv = [\w\.\(,]{0,32}['"][\w=\/]{8,256}['"]/ + + condition: + any of ($aes*) and ($key and $iv) +} diff --git a/rules/crypto/cipher.yara b/rules/crypto/cipher.yara index 40602e87..dfebf184 100644 --- a/rules/crypto/cipher.yara +++ b/rules/crypto/cipher.yara 
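Review bot: `$key = /key = [\w\.\(,]{0,32}['"][\w=\/\+]{8,256}['"]/` in aes_key_iv also matches a key fetched from configuration, e.g. `key = os.environ.get("AES_KEY_B64")`, because the prefix class admits `os.environ.get(` and the quoted argument is eight or more word characters; the description "hardcoded AES key/iv pair" is then wrong for the most common benign form. Consider adding `$not_environ = /key = os\.environ/` and `$not_getenv = /key = os\.getenv/` and ending the condition with `and none of ($not*)`, or restricting the prefix to the decoder calls actually intended. `$aese2` looks like a typo for `$aes2`; it still works only because `any of ($aes*)` matches by prefix. The crypto_aes rule edited in the first hunk starts outside it.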
@@ -8,3 +8,14 @@ rule go_cipher: harmless { condition: any of them } + +rule ciphertext: medium { + meta: + description = "mentions 'ciphertext'" + + strings: + $ref = "ciphertext" + + condition: + any of them +} diff --git a/rules/crypto/ssl.yara b/rules/crypto/ssl.yara new file mode 100644 index 00000000..b6da5b47 --- /dev/null +++ b/rules/crypto/ssl.yara @@ -0,0 +1,11 @@ +rule py_ssl { + meta: + description = "uses Python SSL library" + + strings: + $ssl = "import ssl" fullword + $ssl2 = "ssl.create_default_context" + + condition: + any of them +} diff --git a/rules/discover/network/connectivity.yara b/rules/discover/network/connectivity.yara index 5a4feaef..01323af1 100644 --- a/rules/discover/network/connectivity.yara +++ b/rules/discover/network/connectivity.yara @@ -8,3 +8,14 @@ rule network_connectivity: low { condition: any of them } + +rule bypass_gfw: medium { + meta: + description = "GFW bypass (Great Firewall of China)" + + strings: + $ref = "bypass GFW" + + condition: + any of them +} diff --git a/rules/discover/user/APPDATA.yara b/rules/discover/user/APPDATA.yara new file mode 100644 index 00000000..5bb00aad --- /dev/null +++ b/rules/discover/user/APPDATA.yara @@ -0,0 +1,22 @@ +rule APPDATA: windows low { + meta: + description = "Looks up the application data directory for the current user" + + strings: + $ref = "APPDATA" fullword + + condition: + all of them +} + +rule APPDATA_microsoft: windows medium { + meta: + description = "Looks up the 'Microsoft' application data directory for the current user" + + strings: + $ref = "APPDATA" fullword + $ref2 = "'Microsoft'" + + condition: + all of them +} diff --git a/rules/discover/user/USERPROFILE.yara b/rules/discover/user/USERPROFILE.yara new file mode 100644 index 00000000..7fe31250 --- /dev/null +++ b/rules/discover/user/USERPROFILE.yara 
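Review bot: `$ref = "ciphertext"` with `any of them` rates any file containing that word as medium; "ciphertext" is standard vocabulary in every crypto library, and the scan_archive fixture in this same diff shows the sample's crypto/cipher finding moving from NONE to MEDIUM on that string alone while go_cipher stays harmless. Consider `rule ciphertext: low {`, or pair the word with a second indicator in the condition so a vocabulary hit is not a medium finding on its own. The go_cipher rule at the top of the hunk starts outside it.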
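Review bot: `$ref2 = "'Microsoft'"` in APPDATA_microsoft only matches the single-quoted spelling, so `"Microsoft"` or a path fragment such as `\Microsoft\` never satisfies the rule. If the intent is the directory under %APPDATA%, a quote- and separator-tolerant pattern such as `$ref2 = /['"\\\/]Microsoft['"\\\/]/` covers the usual forms without matching copyright banners; if the Python literal really is the target, a meta comment saying so would save the next reader the question.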
@@ -0,0 +1,22 @@
+rule USERPROFILE: windows low {
+ meta:
+ description = "Looks up the user profile directory for the current user"
+
+ strings:
+ $ref = "USERPROFILE" fullword
+
+ condition:
+ all of them
+}
+
+rule USERPROFILE_Desktop: windows medium {
+ meta:
+ description = "Looks up the Desktop directory for the current user"
+
+ strings:
+ $ref = "USERPROFILE" fullword
+ $ref2 = "Desktop"
+
+ condition:
+ all of them
+}
diff --git a/rules/evasion/covert-location/python_file.yara b/rules/evasion/covert-location/python_file.yara
new file mode 100644
index 00000000..1272fbd1
--- /dev/null
+++ b/rules/evasion/covert-location/python_file.yara
@@ -0,0 +1,11 @@
+rule python_reads_itself: high {
+ meta:
+ description = "python file reads itself, possibly hiding additional instructions"
+ filetype = "py"
+
+ strings:
+ $ref = "open(__file__," fullword
+
+ condition:
+ filesize < 1MB and any of them
+}
diff --git a/rules/exec/dylib/windll.yara b/rules/exec/dylib/windll.yara
new file mode 100644
index 00000000..5e3b88cc
--- /dev/null
+++ b/rules/exec/dylib/windll.yara
@@ -0,0 +1,11 @@
+rule windll_user: medium windows {
+ meta:
+ description = "executes code from Windows dynamic libraries"
+
+ strings:
+ $ctypes = "ctypes"
+ $windll = /windll\.[\w\.]{4,64}/
+
+ condition:
+ all of them
+}
diff --git a/rules/exec/imports/python.yara b/rules/exec/imports/python.yara
index 29544898..7e74c2ea 100644
--- a/rules/exec/imports/python.yara
+++ b/rules/exec/imports/python.yara
@@ -59,3 +59,41 @@ rule single_line_import_multiple_comma: medium { filesize < 64KB and any of them } +rule __import__: medium { + meta: + description = "directly imports code using built-in __import__" + + strings: + $import = /__import__\([\w\(\[]\)\],]{0,64}/ + + condition: + filesize < 4MB and any of them +} + +rule zipimport: medium { + meta: + description = "loads external module using zipimporter" + + strings: + $zipimporter = "zipimporter" + $load_module = "load_module" + + condition: + filesize < 4MB and all of them +} + +rule zipimport_obfuscated: high { + meta: + description = "loads obfuscated enccrypted module using zipimporter" + + strings: + $must_import = "import" fullword + $must_zipimporter = "zipimporter" + $must_load_module = "load_module" + $decompress = "decompress" + $decode = "decode" + $decrypt = "decrypt" + + condition: + filesize < 4MB and all of ($must*) and any of ($de*) +} diff --git a/rules/exec/remote_commands/code_eval.yara b/rules/exec/remote_commands/code_eval.yara index e2f5da0d..2ae150a6 100644 --- a/rules/exec/remote_commands/code_eval.yara +++ b/rules/exec/remote_commands/code_eval.yara @@ -5,7 +5,7 @@ rule eval: medium { description = "evaluate code dynamically using eval()" strings: - $val = /eval\([a-zA-Z\"\'\(\,\)]{1,32}/ fullword + $val = /eval\([\.\+ _a-zA-Z\"\'\(\,\)]{1,32}/ fullword $val2 = "eval(this.toString());" $not_empty = "eval()" 
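Review bot: The character class in `$import = /__import__\([\w\(\[]\)\],]{0,64}/` is closed by the first unescaped `]` (the one right after `\[`), so the remainder `\)\],]{0,64}` is read as the literal sequence `)],` followed by a quantified `]`; depending on the engine the rule either fails to compile or only matches `__import__(X)],…` and never the plain `__import__("os")` it is meant to catch. The intended pattern is `$import = /__import__\([\w\(\[\)\],]{0,64}/`. In the same hunk, zipimport_obfuscated's description reads "enccrypted" for "encrypted". The single_line_import_multiple_comma rule at the top of the hunk starts outside it.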
@@ -38,6 +38,30 @@ rule python_exec_near_enough_chr: high { all of them and math.abs(@chr - @exec) < 100 } +rule python_exec_near_enough_fernet: high { + meta: + description = "Likely executes Fernet encrypted content" + + strings: + $exec = "exec(" + $fernet = "Fernet(" + + condition: + all of them and math.abs(@exec - @fernet) < 100 +} + +rule python_exec_near_enough_decrypt: high { + meta: + description = "Likely executes encrypted content" + + strings: + $exec = "exec(" + $fernet = "decrypt(" + + condition: + all of them and math.abs(@exec - @fernet) < 100 +} + rule python_exec_chr: critical { meta: description = "Executes encoded character content" @@ -49,6 +73,41 @@ rule python_exec_chr: critical { filesize < 512KB and all of them } +rule python_exec_bytes: critical { + meta: + description = "Executes a transformed bytestream" + + strings: + $exec = /exec\([\w\.\(]{0,16}\(b['"].{8,16}/ + + condition: + filesize < 512KB and all of them +} + +rule python_exec_complex: high { + meta: + description = "Executes code from a complex expression" + + strings: + $exec = /exec\([\w\. =]{1,32}\(.{0,8192}\)\)/ fullword + $not_javascript = "function(" + $not_pyparser = "exec(compile(open(self.parsedef).read(), self.parsedef, 'exec'))" + + condition: + filesize < 512KB and $exec and none of ($not*) +} + +rule python_exec_fernet: critical { + meta: + description = "Executes Fernet encrypted content" + + strings: + $exec = /exec\(.{0,16}Fernet\(.{0,64}/ + + condition: + filesize < 512KB and all of them +} + rule shell_eval: medium { meta: description = "evaluate shell code dynamically using eval" diff --git a/rules/exec/script/python.yara b/rules/exec/script/python.yara new file mode 100644 index 00000000..d5bec163 --- /dev/null +++ b/rules/exec/script/python.yara 
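Review bot: In python_exec_near_enough_decrypt the string holding `"decrypt("` is named `$fernet`, a leftover from the sibling rule above it, and `math.abs(@exec - @fernet) < 100` reads as if it still measured the Fernet distance; rename it, e.g. `$decrypt = "decrypt("` with `all of them and math.abs(@exec - @decrypt) < 100`. Both rules compare first offsets only, so a file whose first `exec(` is far from its first `decrypt(` is missed even when a later pair is adjacent; python_exec_near_enough_chr above has the same shape, so that is presumably an accepted trade-off worth a meta note.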
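Review bot: `$exec = /exec\([\w\. =]{1,32}\(.{0,8192}\)\)/ fullword` in python_exec_complex carries a bounded repeat of up to 8192 bytes, far wider than any other pattern in this file, and YARA is known to reject or scan such counted repeats slowly; confirm it compiles on the YARA versions malcontent supports and measure its cost on the fixture set before merging. If the width is required, a meta line explaining why 8192 was chosen would help the next maintainer. `fullword` on a match that ends in `))` only constrains the `exec` side, so it is a no-op at the tail. The shell_eval rule at the bottom of the hunk continues outside it.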
@@ -0,0 +1,23 @@
+rule python_calls_itself: medium {
+ meta:
+ description = "Python program executes Python subprocess"
+
+ strings:
+ $sub = /subprocess\.\w{2,10}\(\['python'/
+ $popen = /Popen\(\['python'/
+
+ condition:
+ any of them
+}
+
+rule python_calls_itself_no_window: high {
+ meta:
+ description = "Python program executes Python subprocess via hidden window"
+
+ strings:
+ $subproc = /subprocess\.\w{2,10}\(\['python'.{0,64}CREATE_NO_WINDOW/
+ $popen = /Popen\(\['python'.{0,64}CREATE_NO_WINDOW/
+
+ condition:
+ any of them
+}
diff --git a/rules/exec/shell/shell32.yara b/rules/exec/shell/shell32.yara
new file mode 100644
index 00000000..cda00c0b
--- /dev/null
+++ b/rules/exec/shell/shell32.yara
@@ -0,0 +1,11 @@
+rule shell32_ShellExecuteW: high windows {
+ meta:
+ description = "Runs command using shell32.ShellExecuteW"
+ filetypes = "py,pyc"
+
+ strings:
+ $shell = "shell32.ShellExecuteW"
+
+ condition:
+ filesize < 52428800 and any of them
+}
diff --git a/rules/exfil/stealer/keylogger.yara b/rules/exfil/stealer/keylogger.yara
index 7e2dcb14..843dfa43 100644
--- a/rules/exfil/stealer/keylogger.yara
+++ b/rules/exfil/stealer/keylogger.yara
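Review bot: `$sub = /subprocess\.\w{2,10}\(\['python'/` and `$popen = /Popen\(\['python'/` require the single-quoted literal `'python'` exactly, so `"python"`, `'python3'`, `'python.exe'` and the very common `[sys.executable, …]` form never match, and the two strings in python_calls_itself_no_window inherit the same gap. A small widening such as `$sub = /subprocess\.\w{2,10}\(\[['"]python[\w\.]{0,6}['"]/` covers the quoting and version variants without changing the rule's intent; `sys.executable` probably deserves its own rule. In shell32.yara, `filesize < 52428800` is the only raw byte count in this commit; `filesize < 50MB` is the equivalent in the unit style every other rule uses.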
@@ -1,15 +1,52 @@ -rule py_keylogger_exfil: high { +rule keylogger_discord_telegram: high { + meta: + description = "likely exfiltrates keyboard events" + + strings: + $http_Discord = "Discord" + $http_Telegram = "Telegram" + $http_discord = "Discord" + $http_telegram = "Telegram" + $k_keylogger = "keylogger" + $k_Keylogger = "Keylogger" + + condition: + filesize < 256KB and any of ($http*) and any of ($k*) +} + +rule py_keylogger_pynput_exfil: critical { + meta: + description = "listens for keyboard events and exfiltrates them" + filetypes = "py" + + strings: + $http = "http" + $http_POST = /POST[ \/\w]{0,32}/ + $http_Discord = "Discord" + $http_Telegram = "Telegram" + $http_keylogger = /[kK]eylogger/ + $f_pynput = "pynput.keyboard" + $f_key = "Key" fullword + $f_listener = "Listener" fullword + + condition: + filesize < 256KB and any of ($http*) and all of ($f*) +} + +rule py_keykeyboard_exfil: critical { meta: description = "listens for keyboard events and exfiltrates them" filetypes = "py" strings: - $http = "http" - $http_POST = /POST[ \/\w]{0,32}/ - $http_Discord = "Discord" - $f_pynput = "pynput.keyboard" - $f_key = "Key" fullword - $f_listener = "Listener" fullword + $http = "http" + $http_POST = /POST[ \/\w]{0,32}/ + $http_Discord = "Discord" + $http_keylogger = /[kK]eylogger/ + $http_Telegram = "Telegram" + $f_pynput = "keyboard" fullword + $f_key = ".name" + $f_listener = "on_release" condition: filesize < 256KB and any of ($http*) and all of ($f*) diff --git a/rules/exfil/stealer/stealer.yara b/rules/exfil/stealer/stealer.yara new file mode 100644 index 00000000..cb75a944 --- /dev/null +++ b/rules/exfil/stealer/stealer.yara 
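Review bot: `$http_discord = "Discord"` and `$http_telegram = "Telegram"` in keylogger_discord_telegram duplicate `$http_Discord` and `$http_Telegram` byte for byte, so the four strings cover only two spellings; the lowercase identifiers suggest `$http_discord = "discord"` and `$http_telegram = "telegram"` were intended. The third rule's name `py_keykeyboard_exfil` also looks like a typo for `py_keyboard_exfil`. That rule's closing brace lies outside the hunk.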
@@ -0,0 +1,21 @@ +rule stealer: high { + meta: + description = "literally calls itself a stealer" + + strings: + $Stealer = "Stealer" fullword + $Stealer2 = "stealer" fullword + + $o_requests = "requests" fullword + $o_telegram = "Telegram" fullword + $o_cookies = "Cookies" fullword + $o_Password = "Password" fullword + $o_roblox = "Roblox" fullword + $o_Discord = "Discord" fullword + $o_Steam = "Steam" fullword + $o_riot = "Riot Games" fullword + + condition: + filesize < 64KB and any of ($Stealer*) and any of ($o*) +} + diff --git a/rules/fs/file/exists.yara b/rules/fs/file/exists.yara new file mode 100644 index 00000000..a59cf2e5 --- /dev/null +++ b/rules/fs/file/exists.yara @@ -0,0 +1,10 @@ +rule exists: low { + meta: + description = "check if a file exists" + + strings: + $ref = "path.exists" fullword + + condition: + any of them +} diff --git a/rules/fs/file/file-delete.yara b/rules/fs/file/file-delete.yara index 3a7bfd9a..d473323b 100644 --- a/rules/fs/file/file-delete.yara +++ b/rules/fs/file/file-delete.yara @@ -8,7 +8,7 @@ rule unlink: posix { strings: $unlink = "unlink" fullword $unlinkat = "unlinkat" fullword - $py = "os.remove(" + $py = /os.remove\([\w\.\(\), ]{0,64}/ $objc = "deleteFile" fullword condition: @@ -50,3 +50,15 @@ rule DeleteFile: medium { condition: any of them } + +rule delete_files_in_dir: medium { + meta: + description = "deletes files in a directory" + + strings: + $remove = /os.remove\([\w\.\(\), ]{0,64}/ + $listdir = /os.listdir\([\w\.\(\), ]{0,64}/ + + condition: + all of them and @remove > @listdir and (@remove - @listdir) < 32 +} diff --git a/rules/fs/file/file-write.yara b/rules/fs/file/file-write.yara index 55bb3f61..1175aea1 100644 --- a/rules/fs/file/file-write.yara +++ b/rules/fs/file/file-write.yara 
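Review bot: `all of them and @remove > @listdir and (@remove - @listdir) < 32` in delete_files_in_dir compares only the first occurrence of each string, so a script whose first `os.listdir(` is an unrelated call far from its first `os.remove(` is not flagged even when a later pair sits in the same loop; USERPROFILE_delete and Desktop_delete in impact/wipe/desktop.yara copy the same condition. YARA can test every pair: `for any i in (1..#remove) : (for any j in (1..#listdir) : (@remove[i] > @listdir[j] and @remove[i] - @listdir[j] < 32))`. The unescaped dots in `os.remove\(` and `os.listdir\(` are harmless, but `os\.remove\(` states the intent. The unlink rule edited in the first hunk starts outside it.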
@@ -16,7 +16,8 @@ rule python_file_write { description = "writes to a file" strings: - $val = /open\([\"\w\.]{1,32}\, {0,2}["'][wa]["']\)/ + $val = /open\([\"\'\w\.]{1,32}\, {0,2}["'][wa]["']\)/ + $x = "file.write(" condition: filesize < 1MB and any of them diff --git a/rules/fs/permission/permission-chown.yara b/rules/fs/permission/permission-chown.yara index 15cabdc2..e54fc775 100644 --- a/rules/fs/permission/permission-chown.yara +++ b/rules/fs/permission/permission-chown.yara @@ -53,3 +53,26 @@ rule Chown: medium { condition: any of them } + +rule takeown: medium windows { + meta: + description = "takes ownership of files" + + strings: + $takeown = /(takeown|TAKEOWN)/ + + condition: + any of them +} + +rule takeown_force: high windows { + meta: + description = "forcibly takes ownership of files recursively" + + strings: + $takeown_fr = /(takeown|TAKEOWN).{1,8}\/[fF].{1,8}\/[rR] .{0,32}[yY]/ + $takeown_rf = /(takeown|TAKEOWN).{1,8}\/[rR].{1,8}\/[fF] .{0,32}[yY]/ + + condition: + any of them +} diff --git a/rules/fs/permission/permission-get.yara b/rules/fs/permission/permission-get.yara index 2dd5ee99..4fe69701 100644 --- a/rules/fs/permission/permission-get.yara +++ b/rules/fs/permission/permission-get.yara @@ -9,3 +9,15 @@ rule getmode { condition: any of them } + +rule icacls: windows { + meta: + description = "looks up file permissions via icacls" + pledge = "rpath" + + strings: + $icacls = "icacls" fullword + + condition: + any of them +} diff --git a/rules/fs/tempdir/TEMP.yara b/rules/fs/tempdir/TEMP.yara index bb7b4965..64af88c3 100644 --- a/rules/fs/tempdir/TEMP.yara +++ b/rules/fs/tempdir/TEMP.yara @@ -1,8 +1,10 @@ -rule tmpdir { +rule temp { strings: - $ref = "TEMP" fullword - $getenv = "getenv" + $ref = "temp" fullword + $ref2 = "TEMP" fullword + $env_get = "os.environ" + $env_os = "getenv" condition: - all of them + any of ($env*) and any of ($ref*) } 
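Review bot: `$takeown = /(takeown|TAKEOWN)/` spells two case variants as a regex alternation where a plain string with the `nocase` modifier is the idiomatic YARA form, `$takeown = "takeown" nocase`, which also covers `TakeOwn`; the `(takeown|TAKEOWN)` prefix in both takeown_force patterns could likewise become `takeown` with `nocase` on the regex. In permission-get.yara, icacls is the standard tool for changing ACLs as well as listing them, so "looks up file permissions via icacls" and `pledge = "rpath"` understate what a match can mean; consider `description = "displays or modifies file ACLs via icacls"`. The Chown and getmode rules preceding those hunks start outside them.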
diff --git a/rules/fs/tempdir/_MEIPASS.yara b/rules/fs/tempdir/_MEIPASS.yara new file mode 100644 index 00000000..1167e54e --- /dev/null +++ b/rules/fs/tempdir/_MEIPASS.yara @@ -0,0 +1,10 @@ +rule sys_MEIPASS: low { + meta: + description = "references PyInstaller bundle folder" + + strings: + $ref = "sys._MEIPASS" + + condition: + any of them +} diff --git a/rules/hw/keyboard.yara b/rules/hw/keyboard.yara new file mode 100644 index 00000000..feca401e --- /dev/null +++ b/rules/hw/keyboard.yara @@ -0,0 +1,12 @@ +rule keyboard_library: medium { + meta: + description = "accesses keyboard events" + + strings: + $import_pynput = "import pynput" + $import_keyboard = "import keyboard" + $keyboard = "keyboard" fullword + + condition: + filesize < 256KB and $keyboard and any of ($import*) +} diff --git a/rules/impact/degrade/bluescreen.yara b/rules/impact/degrade/bluescreen.yara new file mode 100644 index 00000000..2a05b870 --- /dev/null +++ b/rules/impact/degrade/bluescreen.yara @@ -0,0 +1,10 @@ +rule python_bluesscreen: high windows { + meta: + description = "causes a blue screne (crash)" + + strings: + $bluescreen = "RtlAdjustPrivilege(19, 1," + + condition: + filesize < 256KB and any of them +} diff --git a/rules/impact/shutdown.yara b/rules/impact/shutdown.yara index 593329ed..96bf1c0b 100644 --- a/rules/impact/shutdown.yara +++ b/rules/impact/shutdown.yara @@ -9,3 +9,14 @@ rule shutdown_val: medium { condition: any of them } + +rule shutdown_windows: high windows { + meta: + description = "shuts machine down" + + strings: + $powerstate = "SetSystemPowerState(0," + + condition: + any of them +} diff --git a/rules/impact/wipe/desktop.yara b/rules/impact/wipe/desktop.yara new file mode 100644 index 00000000..694a3dbb --- /dev/null +++ b/rules/impact/wipe/desktop.yara 
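Review bot: The rule is named `python_bluesscreen` and its description reads "causes a blue screne (crash)"; both typos surface verbatim in reports, and the rule name is what users reference when tuning. Rename to `rule python_bluescreen: high windows {` with `description = "causes a blue screen (crash)"`. `$bluescreen = "RtlAdjustPrivilege(19, 1,"` is tied to one argument spacing; a whitespace-tolerant form such as `/RtlAdjustPrivilege\( ?19, ?1,/` survives reformatting of the sample.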
@@ -0,0 +1,26 @@ +rule USERPROFILE_delete: high { + meta: + description = "deletes files in the USERPROFILE directory" + + strings: + $appdata = "USERPROFILE" fullword + $remove = /os.remove\([\w\.\(\), ]{0,64}/ + $listdir = /os.listdir\([\w\.\(\), ]{0,64}/ + + condition: + all of them and @remove > @listdir and (@remove - @listdir) < 32 +} + +rule Desktop_delete: critical { + meta: + description = "deletes files in the Desktop directory" + + strings: + $appdata = "USERPROFILE" fullword + $desktop = "Desktop" fullword + $remove = /os.remove\([\w\.\(\), ]{0,64}/ + $listdir = /os.listdir\(.{0,8}[dD]esktop[\w\.\(\), ]{0,64}/ + + condition: + all of them and @remove > @listdir and (@remove - @listdir) < 32 +} diff --git a/rules/impact/wipe/format.yara b/rules/impact/wipe/format.yara new file mode 100644 index 00000000..8ff32edf --- /dev/null +++ b/rules/impact/wipe/format.yara @@ -0,0 +1,10 @@ +rule format_c: critical windows { + meta: + description = "forcibly formats the C:\\ drive" + + strings: + $format = /(format|FORMAT).{1,4}[Cc]:\\.{1,4}\/[yY]/ + + condition: + any of them +} diff --git a/rules/net/http/auth.yara b/rules/net/http/auth.yara index 11ede824..d9f6d410 100644 --- a/rules/net/http/auth.yara +++ b/rules/net/http/auth.yara @@ -10,3 +10,16 @@ rule http_auth { condition: any of them } + +rule bearer_auth { + meta: + description = "makes HTTP requests with Bearer authentication" + + strings: + $ref = "Authorization" fullword + $ref2 = "Bearer" fullword + $ref3 = /[A-Z_]{0,16}TOKEN/ + + condition: + all of them or ($ref and $ref2) +} diff --git a/rules/net/http/form-upload.yara b/rules/net/http/form-upload.yara index eaabcde6..877f42c7 100644 --- a/rules/net/http/form-upload.yara +++ b/rules/net/http/form-upload.yara 
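Review bot: Both rules in desktop.yara store `"USERPROFILE"` in a string named `$appdata`, which reads as if %APPDATA% were being matched; `$userprofile = "USERPROFILE" fullword` says what it is. The offset check `@remove > @listdir and (@remove - @listdir) < 32` is the same first-occurrence comparison as delete_files_in_dir in fs/file/file-delete.yara and shares its blind spot, so whichever fix lands there should be mirrored here. In Desktop_delete, `$listdir = /os.listdir\(.{0,8}[dD]esktop[\w\.\(\), ]{0,64}/` only matches when the word "desktop" appears inside the call's argument, so a path built earlier and passed as a short variable is not seen.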
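Review bot: `all of them or ($ref and $ref2)` in bearer_auth is redundant: whenever all three strings match, `$ref and $ref2` is already true, so the condition reduces to `$ref and $ref2` and `$ref3 = /[A-Z_]{0,16}TOKEN/` never affects the result. Either drop `$ref3` and write `condition: $ref and $ref2`, or make the token pattern contribute. Separately, the scan_archive fixture at the top of this diff shows the net/http/auth entry's description switching to "makes HTTP requests with Bearer authentication" while its visible MatchStrings are still `WWW-Authenticate`/`Www-Authenticate` from http_auth; if the two rules share one ID and the last description wins, the reported text is misleading and the rules may need distinct IDs. The http_auth rule preceding the hunk starts outside it.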
@@ -7,7 +7,8 @@ rule http_form_upload: medium {
 $content_form = "application/x-www-form-urlencoded"
 $content_json = "application/json"
 $POST = "POST" fullword
+ $POST2 = "post" fullword
 condition:
- $POST and any of ($content*)
+ any of ($POST*) and any of ($content*)
 }
diff --git a/rules/net/http/oauth2.yara b/rules/net/http/oauth2.yara
index 4e61bb12..35d2096d 100644
--- a/rules/net/http/oauth2.yara
+++ b/rules/net/http/oauth2.yara
@@ -3,7 +3,8 @@ rule oauth2 {
 description = "supports OAuth2"
 strings:
- $ref = "oauth2" fullword
+ $ref = "oauth2" fullword
+ $ref2 = "OAuth 2"
 condition:
 any of them
diff --git a/rules/net/http/post.yara b/rules/net/http/post.yara
index f6b4bb2c..8d25e4bb 100644
--- a/rules/net/http/post.yara
+++ b/rules/net/http/post.yara
@@ -24,6 +24,19 @@ rule hardcoded_post: high {
 filesize < 20MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) and any of them
 }
+rule requests_post: medium {
+ meta:
+ description = "posts content to websites"
+ filetype = "py"
+
+ strings:
+ $requests = "import requests"
+ $post = ".post("
+
+ condition:
+ filesize < 4MB and all of them
+}
+
 rule axios_post: medium {
 meta:
 description = "posts content to websites"
diff --git a/rules/net/http/webhook.yara b/rules/net/http/webhook.yara
new file mode 100644
index 00000000..9a8782a2
--- /dev/null
+++ b/rules/net/http/webhook.yara
@@ -0,0 +1,10 @@
+rule webhook: medium {
+ meta:
+ description = "supports webhooks"
+
+ strings:
+ $ref = /[a-zA-Z]{0,16}[wW]eb[hH]ook[\w]{0,32}/ fullword
+
+ condition:
+ any of them
+}
diff --git a/rules/net/ip/host_port.yara b/rules/net/ip/host_port.yara
index 4e413389..3323392e 100644
--- a/rules/net/ip/host_port.yara
+++ b/rules/net/ip/host_port.yara
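Review bot: `$POST2 = "post" fullword` matches the plain English word as well as any `.post(` method, and `fullword` does not exclude `post-process` or `blog post` because `-` and space are not alphanumeric; combined with `application/json`, which most REST clients carry, the rule now fires on ordinary HTTP libraries and their documentation. If lowercase `post` is needed for JavaScript clients, `".post("` or `"post:"` anchors it to a call or an options key rather than a word. The rule's opening and `meta` lines are outside the hunk.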
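Review bot: `$requests = "import requests"` is not `fullword`, so it also matches `import requests_mock`, `import requests_toolbelt` and `from x import requests_session`, and `$post = ".post("` matches any object's `post` method (Flask/Django test clients, aiohttp sessions, ORM hooks), so the pair fires on most Python web test suites at `medium`. `$requests = "import requests" fullword` removes the first class of noise without losing real imports. Note that `filetype = "py"` is a meta field, which YARA itself does not enforce; if malcontent does not filter on it the rule runs on every input, though `import requests` keeps the practical scope mostly to Python.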
@@ -11,3 +11,38 @@ rule go_scan_tool_val: medium {
 condition:
 $j_port and any of ($j_h*)
 }
+
+rule host_port: medium {
+ meta:
+ description = "connects to an arbitrary host:port"
+
+ strings:
+ $host_port = /host.{0,12}port/
+
+ condition:
+ any of them
+}
+
+rule hostname_port: medium {
+ meta:
+ description = "connects to an arbitrary hostname:port"
+
+ strings:
+ $hostname = "hostname" fullword
+ $port = "port" fullword
+
+ condition:
+ all of them
+}
+
+rule port_number: medium {
+ meta:
+ description = "references a 'port number'"
+
+ strings:
+ $port_sp_number = "port number" fullword
+ $port_number = "port_number" fullword
+
+ condition:
+ any of them
+}
diff --git a/rules/net/ip/spoof.yara b/rules/net/ip/spoof.yara
index 8189ef4e..2f54f9b8 100644
--- a/rules/net/ip/spoof.yara
+++ b/rules/net/ip/spoof.yara
@@ -11,3 +11,15 @@ rule spoof: medium {
 condition:
 any of ($s*) and none of ($not*)
 }
+
+rule spoof_attack: high {
+ meta:
+ description = "references spoof attack"
+
+ strings:
+ $spoof = /[a-zA-Z\-_ ]{0,16}spoofAttack[a-zA-Z\-_ ]{0,16}/ fullword
+ $spoof2 = /[a-zA-Z\-_ ]{0,16}SpoofAttack[a-zA-Z\-_ ]{0,16}/ fullword
+
+ condition:
+ any of ($s*)
+}
diff --git a/rules/net/socket/raw.yara b/rules/net/socket/raw.yara
index 5c8c7141..4e826e52 100644
--- a/rules/net/socket/raw.yara
+++ b/rules/net/socket/raw.yara
@@ -13,6 +13,7 @@ rule raw_sockets: medium {
 $make_ip = "makeIPPacket"
 $impacket = "impacket."
 $makePackets = "makePacket" fullword
+ $scapy = /scapy.{0,32}Raw/ fullword
 condition:
 any of them
diff --git a/rules/net/ssl/no_verify.yara b/rules/net/ssl/no_verify.yara
new file mode 100644
index 00000000..6eb9e1c6
--- /dev/null
+++ b/rules/net/ssl/no_verify.yara
@@ -0,0 +1,11 @@
+rule disable_verify: medium {
+ meta:
+ description = "disables SSL verification"
+
+ strings:
+ $ref1 = /verify_mode.{0,8}ssl\.CERT_NONE/
+ $ref2 = "ssl" fullword
+
+ condition:
+ all of them
+}
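Review bot: `/host.{0,12}port/` has no word boundary around `port`, so it matches ordinary prose such as `host to transport`, `host report` or `host support`; `/host.{0,12}\bport\b/` keeps `host:port`, `host_port` and `host port` while excluding those. The descriptions `connects to an arbitrary host:port` / `hostname:port` assert a behavior the strings do not show: hostname_port is just the two fullwords `hostname` and `port`, which practically every networked program contains, yet it is rated `medium`. Either lower these to `low` with a description such as `references a host and port`, or require an actual connect/dial token in the condition alongside the host/port strings.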
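Review bot: `$ref2 = "ssl" fullword` is redundant: every `$ref1` match contains `ssl.CERT_NONE`, whose `ssl` is already delimited by a space or `=` before and `.` after, so `all of them` reduces to `$ref1`. The rule also covers only the `verify_mode` assignment; the other common ways to disable verification in Python, `ssl._create_unverified_context` and `check_hostname = False`, are not caught. If those are not handled by another rule, replace `$ref2` with `$unverified = "_create_unverified_context"` and use `any of them`.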
diff --git a/rules/net/ssl/socket.yara b/rules/net/ssl/socket.yara
new file mode 100644
index 00000000..3f9c9b97
--- /dev/null
+++ b/rules/net/ssl/socket.yara
@@ -0,0 +1,12 @@
+rule py_ssl_socket: medium {
+ meta:
+ description = "manually encrypts a socket with SSL"
+
+ strings:
+ $ref1 = /\.wrap_socket\([\w\.,= \)]{2,64}/
+ $ref2 = "ssl" fullword
+
+ condition:
+ all of them
+}
+
diff --git a/rules/net/tcp/attack.yara b/rules/net/tcp/attack.yara
new file mode 100644
index 00000000..14c09e34
--- /dev/null
+++ b/rules/net/tcp/attack.yara
@@ -0,0 +1,11 @@
+rule tcp_attack: medium {
+ meta:
+ description = "References TCP attack"
+
+ strings:
+ $ref = "tcp_attack" fullword
+ $ref2 = "attack_tcp" fullword
+
+ condition:
+ any of them
+}
diff --git a/rules/net/tcp/synflood.yara b/rules/net/tcp/synflood.yara
index 3ae874d6..0055e344 100644
--- a/rules/net/tcp/synflood.yara
+++ b/rules/net/tcp/synflood.yara
@@ -3,7 +3,8 @@ rule synflood: medium {
 description = "References SYN flooding"
 strings:
- $ref = "synflood" fullword
+ $ref = "synflood" fullword
+ $ref2 = "attack_SYN" fullword
 condition:
 any of them
diff --git a/rules/net/udp/attack.yara b/rules/net/udp/attack.yara
new file mode 100644
index 00000000..cf884ad0
--- /dev/null
+++ b/rules/net/udp/attack.yara
@@ -0,0 +1,11 @@
+rule udp_attack: high {
+ meta:
+ description = "References UDP attack"
+
+ strings:
+ $ref = "udp_attack" fullword
+ $ref2 = "attack_udp" fullword
+
+ condition:
+ any of them
+}
diff --git a/rules/privesc/runas.yara b/rules/privesc/runas.yara
index 03b8059e..237ac555 100644
--- a/rules/privesc/runas.yara
+++ b/rules/privesc/runas.yara
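Review bot: udp_attack is rated `high` while tcp_attack, added in the same change with the identical two-identifier pattern, is `medium`; unless a UDP attack helper is considered stronger evidence than a TCP one, the two should agree, e.g. `rule udp_attack: medium {`. Both descriptions could also say what is actually matched, an identifier rather than observed behavior: `references a UDP attack function`.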
@@ -3,8 +3,21 @@ rule runas_admin: high {
 description = "Uses RunAs to execute code as another user"
 strings:
- $exclusion = /[\w \'\:\\\"\-\%]{0,32}Start-Process.{0,32}RunAs[\w \'\:\\\"\-\%]{0,32}/
+ $start_process = /[\w \'\:\\\"\-\%]{0,32}Start-Process.{0,32}RunAs[\w \'\:\\\"\-\%]{0,32}/
+ $py_shell_exec = "ShellExecuteW(None, \"runas\""
 condition:
- $exclusion
+ any of them
+}
+
+rule py_runas_admin: high {
+ meta:
+ description = "Uses RunAs to execute itself as another user"
+
+ strings:
+ $double = "\"runas\", sys.executable,"
+ $single = "'runas', sys.executable,"
+
+ condition:
+ any of them
 }
diff --git a/rules/sec-tool/net/trojan.yara b/rules/sec-tool/net/trojan.yara
new file mode 100644
index 00000000..7168c9cb
--- /dev/null
+++ b/rules/sec-tool/net/trojan.yara
@@ -0,0 +1,11 @@
+rule trojan_project: low {
+ meta:
+ description = "Trojan GFW bypass"
+
+ strings:
+ $ref1 = "part of the trojan project."
+ $ref2 = "Copyright (C) 2017-2020 The Trojan Authors"
+
+ condition:
+ any of them
+}
diff --git a/tests/javascript/2022.an-instance.99.10.9/index.js.simple b/tests/javascript/2022.an-instance.99.10.9/index.js.simple
index 0496f8c2..7afe714d 100644
--- a/tests/javascript/2022.an-instance.99.10.9/index.js.simple
+++ b/tests/javascript/2022.an-instance.99.10.9/index.js.simple
@@ -13,5 +13,6 @@ net/dns: low
 net/dns/servers: low
 net/http/form_upload: medium
 net/http/post: medium
+net/ip/host_port: medium
 net/url/encode: medium
 os/fd/write: low
diff --git a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff
index 7d72bbed..4e361c2e 100644
--- a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff
+++ b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff
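Review bot: `$py_shell_exec = "ShellExecuteW(None, \"runas\""` is tied to one spelling: `ShellExecuteW(0, "runas"`, `ShellExecuteW(None, 'runas'` and `ShellExecuteW(None,"runas"` all fail, and those variants are at least as common in the Python UAC-prompt snippet this targets. A short regex covers them: `$py_shell_exec = /ShellExecuteW\((None|0|NULL), ?["']runas["']/`. The new py_runas_admin rule has the same sensitivity to the space after the comma (`"runas",sys.executable` is missed), and a script matching it will also match runas_admin, so the two should agree on severity as they do now. The opening `rule runas_admin: high {` and its `meta:` line sit outside the hunk.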
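Review bot: The description `Trojan GFW bypass` is easy to misread as a trojan-horse verdict in a report, while the strings only identify the open-source "trojan" proxy project; `references the 'trojan' GFW circumvention proxy` says what is matched and keeps the `sec-tool` framing consistent with the `low` rating.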
@@ -1,17 +1,20 @@ ## Changed: javascript/2024.lottie-player/lottie-player.min.js [🟡 MEDIUM → 😈 CRITICAL] -### 39 new behaviors +### 43 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | |-----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | +CRITICAL | **[anti-static/obfuscation/js](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/js.yara#ebe)** | highly obfuscated javascript (eBe) | [charCodeAt](https://github.com/search?q=charCodeAt&type=code)
[eBe(-1)](https://github.com/search?q=eBe%28-1%29&type=code)
[eBe(-10)](https://github.com/search?q=eBe%28-10%29&type=code)
[eBe(-11)](https://github.com/search?q=eBe%28-11%29&type=code)
[eBe(-12)](https://github.com/search?q=eBe%28-12%29&type=code)
[eBe(-13)](https://github.com/search?q=eBe%28-13%29&type=code)
[eBe(-14)](https://github.com/search?q=eBe%28-14%29&type=code)
[eBe(-15)](https://github.com/search?q=eBe%28-15%29&type=code)
[eBe(-16)](https://github.com/search?q=eBe%28-16%29&type=code)
[eBe(-17)](https://github.com/search?q=eBe%28-17%29&type=code)
[eBe(-18)](https://github.com/search?q=eBe%28-18%29&type=code)
[eBe(-19)](https://github.com/search?q=eBe%28-19%29&type=code)
[eBe(-2)](https://github.com/search?q=eBe%28-2%29&type=code)
[eBe(-20)](https://github.com/search?q=eBe%28-20%29&type=code)
[eBe(-21)](https://github.com/search?q=eBe%28-21%29&type=code)
[eBe(-22)](https://github.com/search?q=eBe%28-22%29&type=code)
[eBe(-23)](https://github.com/search?q=eBe%28-23%29&type=code)
[eBe(-24)](https://github.com/search?q=eBe%28-24%29&type=code)
[eBe(-25)](https://github.com/search?q=eBe%28-25%29&type=code)
[eBe(-26)](https://github.com/search?q=eBe%28-26%29&type=code)
[eBe(-27)](https://github.com/search?q=eBe%28-27%29&type=code)
[eBe(-28)](https://github.com/search?q=eBe%28-28%29&type=code)
[eBe(-29)](https://github.com/search?q=eBe%28-29%29&type=code)
[eBe(-3)](https://github.com/search?q=eBe%28-3%29&type=code)
[eBe(-30)](https://github.com/search?q=eBe%28-30%29&type=code)
[eBe(-31)](https://github.com/search?q=eBe%28-31%29&type=code)
[eBe(-32)](https://github.com/search?q=eBe%28-32%29&type=code)
[eBe(-4)](https://github.com/search?q=eBe%28-4%29&type=code)
[eBe(-5)](https://github.com/search?q=eBe%28-5%29&type=code)
[eBe(-6)](https://github.com/search?q=eBe%28-6%29&type=code)
[eBe(-7)](https://github.com/search?q=eBe%28-7%29&type=code)
[eBe(-8)](https://github.com/search?q=eBe%28-8%29&type=code)
[eBe(-9)](https://github.com/search?q=eBe%28-9%29&type=code)
[function(](https://github.com/search?q=function%28&type=code) | | +CRITICAL | **[exfil/stealer/wallet](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/wallet.yara#crypto_stealer_names)** | makes HTTPS connections and references multiple wallets by name | [BraveWallet](https://github.com/search?q=BraveWallet&type=code)
[CoinbaseBrowser](https://github.com/search?q=CoinbaseBrowser&type=code)
[CoinbaseConnector](https://github.com/search?q=CoinbaseConnector&type=code)
[CoinbaseInjectedProvider](https://github.com/search?q=CoinbaseInjectedProvider&type=code)
[CoinbaseInjectedSigner](https://github.com/search?q=CoinbaseInjectedSigner&type=code)
[CoinbaseOnRampURL](https://github.com/search?q=CoinbaseOnRampURL&type=code)
[CoinbaseTransactions](https://github.com/search?q=CoinbaseTransactions&type=code)
[CoinbaseWalletDeeplink](https://github.com/search?q=CoinbaseWalletDeeplink&type=code)
[CoinbaseWalletLogo](https://github.com/search?q=CoinbaseWalletLogo&type=code)
[CoinbaseWalletProvider](https://github.com/search?q=CoinbaseWalletProvider&type=code)
[CoinbaseWalletRound](https://github.com/search?q=CoinbaseWalletRound&type=code)
[CoinbaseWalletSDK](https://github.com/search?q=CoinbaseWalletSDK&type=code)
[CoinbaseWalletSteps](https://github.com/search?q=CoinbaseWalletSteps&type=code)
[Coinbase_Wordmark_SubBrands_ALL](https://github.com/search?q=Coinbase_Wordmark_SubBrands_ALL&type=code)
[Ronin](https://github.com/search?q=Ronin&type=code)
[http](https://github.com/search?q=http&type=code) | | +HIGH | **[anti-static/obfuscation/bitwise](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#unsigned_bitwise_math_excess)** | [uses an excessive amount of unsigned bitwise math](https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection) | [a>>>0](https://github.com/search?q=a%3E%3E%3E0&type=code)
[a>>>11](https://github.com/search?q=a%3E%3E%3E11&type=code)
[a>>>13](https://github.com/search?q=a%3E%3E%3E13&type=code)
[a>>>15](https://github.com/search?q=a%3E%3E%3E15&type=code)
[a>>>16](https://github.com/search?q=a%3E%3E%3E16&type=code)
[a>>>22](https://github.com/search?q=a%3E%3E%3E22&type=code)
[a>>>24](https://github.com/search?q=a%3E%3E%3E24&type=code)
[a>>>25](https://github.com/search?q=a%3E%3E%3E25&type=code)
[a>>>26](https://github.com/search?q=a%3E%3E%3E26&type=code)
[a>>>31](https://github.com/search?q=a%3E%3E%3E31&type=code)
[a>>>32](https://github.com/search?q=a%3E%3E%3E32&type=code)
[a>>>6](https://github.com/search?q=a%3E%3E%3E6&type=code)
[a>>>8](https://github.com/search?q=a%3E%3E%3E8&type=code)
[b>>>0](https://github.com/search?q=b%3E%3E%3E0&type=code)
[b>>>29](https://github.com/search?q=b%3E%3E%3E29&type=code)
[b>>>31](https://github.com/search?q=b%3E%3E%3E31&type=code)
[c>>>0](https://github.com/search?q=c%3E%3E%3E0&type=code)
[c>>>16](https://github.com/search?q=c%3E%3E%3E16&type=code)
[c>>>24](https://github.com/search?q=c%3E%3E%3E24&type=code)
[c>>>31](https://github.com/search?q=c%3E%3E%3E31&type=code)
[c>>>5](https://github.com/search?q=c%3E%3E%3E5&type=code)
[c>>>8](https://github.com/search?q=c%3E%3E%3E8&type=code)
[charAt(a](https://github.com/search?q=charAt%28a&type=code)
[charAt(c](https://github.com/search?q=charAt%28c&type=code)
[charAt(n](https://github.com/search?q=charAt%28n&type=code)
[charAt(s](https://github.com/search?q=charAt%28s&type=code)
[charAt(t](https://github.com/search?q=charAt%28t&type=code)
[charAt(u](https://github.com/search?q=charAt%28u&type=code)
[charAt(w](https://github.com/search?q=charAt%28w&type=code)
[d>>>16](https://github.com/search?q=d%3E%3E%3E16&type=code)
[d>>>24](https://github.com/search?q=d%3E%3E%3E24&type=code)
[d>>>26](https://github.com/search?q=d%3E%3E%3E26&type=code)
[d>>>29](https://github.com/search?q=d%3E%3E%3E29&type=code)
[d>>>31](https://github.com/search?q=d%3E%3E%3E31&type=code)
[d>>>6](https://github.com/search?q=d%3E%3E%3E6&type=code)
[d>>>7](https://github.com/search?q=d%3E%3E%3E7&type=code)
[d>>>8](https://github.com/search?q=d%3E%3E%3E8&type=code)
[e>>>0](https://github.com/search?q=e%3E%3E%3E0&type=code)
[e>>>10](https://github.com/search?q=e%3E%3E%3E10&type=code)
[e>>>11](https://github.com/search?q=e%3E%3E%3E11&type=code)
[e>>>12](https://github.com/search?q=e%3E%3E%3E12&type=code)
[e>>>13](https://github.com/search?q=e%3E%3E%3E13&type=code)
[e>>>14](https://github.com/search?q=e%3E%3E%3E14&type=code)
[e>>>16](https://github.com/search?q=e%3E%3E%3E16&type=code)
[e>>>17](https://github.com/search?q=e%3E%3E%3E17&type=code)
[e>>>18](https://github.com/search?q=e%3E%3E%3E18&type=code)
[e>>>19](https://github.com/search?q=e%3E%3E%3E19&type=code)
[e>>>22](https://github.com/search?q=e%3E%3E%3E22&type=code)
[e>>>24](https://github.com/search?q=e%3E%3E%3E24&type=code)
[e>>>25](https://github.com/search?q=e%3E%3E%3E25&type=code)
[e>>>26](https://github.com/search?q=e%3E%3E%3E26&type=code)
[e>>>27](https://github.com/search?q=e%3E%3E%3E27&type=code)
[e>>>28](https://github.com/search?q=e%3E%3E%3E28&type=code)
[e>>>29](https://github.com/search?q=e%3E%3E%3E29&type=code)
[e>>>31](https://github.com/search?q=e%3E%3E%3E31&type=code)
[e>>>32](https://github.com/search?q=e%3E%3E%3E32&type=code)
[e>>>4](https://github.com/search?q=e%3E%3E%3E4&type=code)
[e>>>5](https://github.com/search?q=e%3E%3E%3E5&type=code)
[e>>>64](https://github.com/search?q=e%3E%3E%3E64&type=code)
[e>>>7](https://github.com/search?q=e%3E%3E%3E7&type=code)
[e>>>8](https://github.com/search?q=e%3E%3E%3E8&type=code)
[f>>>13](https://github.com/search?q=f%3E%3E%3E13&type=code)
[f>>>24](https://github.com/search?q=f%3E%3E%3E24&type=code)
[f>>>31](https://github.com/search?q=f%3E%3E%3E31&type=code)
[f>>>8](https://github.com/search?q=f%3E%3E%3E8&type=code)
[function(](https://github.com/search?q=function%28&type=code)
[g>>>16](https://github.com/search?q=g%3E%3E%3E16&type=code)
[h>>>11](https://github.com/search?q=h%3E%3E%3E11&type=code)
[h>>>16](https://github.com/search?q=h%3E%3E%3E16&type=code)
[h>>>19](https://github.com/search?q=h%3E%3E%3E19&type=code)
[h>>>24](https://github.com/search?q=h%3E%3E%3E24&type=code)
[h>>>25](https://github.com/search?q=h%3E%3E%3E25&type=code)
[h>>>29](https://github.com/search?q=h%3E%3E%3E29&type=code)
[h>>>31](https://github.com/search?q=h%3E%3E%3E31&type=code)
[h>>>6](https://github.com/search?q=h%3E%3E%3E6&type=code)
[h>>>7](https://github.com/search?q=h%3E%3E%3E7&type=code)
[h>>>8](https://github.com/search?q=h%3E%3E%3E8&type=code)
[i>>>0](https://github.com/search?q=i%3E%3E%3E0&type=code)
[i>>>10](https://github.com/search?q=i%3E%3E%3E10&type=code)
[i>>>13](https://github.com/search?q=i%3E%3E%3E13&type=code)
[i>>>16](https://github.com/search?q=i%3E%3E%3E16&type=code)
[i>>>22](https://github.com/search?q=i%3E%3E%3E22&type=code)
[i>>>27](https://github.com/search?q=i%3E%3E%3E27&type=code)
[i>>>31](https://github.com/search?q=i%3E%3E%3E31&type=code)
[i>>>5](https://github.com/search?q=i%3E%3E%3E5&type=code)
[j>>>21](https://github.com/search?q=j%3E%3E%3E21&type=code)
[k>>>20](https://github.com/search?q=k%3E%3E%3E20&type=code)
[k>>>4](https://github.com/search?q=k%3E%3E%3E4&type=code)
[l>>>0](https://github.com/search?q=l%3E%3E%3E0&type=code)
[l>>>26](https://github.com/search?q=l%3E%3E%3E26&type=code)
[l>>>31](https://github.com/search?q=l%3E%3E%3E31&type=code)
[l>>>8](https://github.com/search?q=l%3E%3E%3E8&type=code)
[m>>>0](https://github.com/search?q=m%3E%3E%3E0&type=code)
[m>>>10](https://github.com/search?q=m%3E%3E%3E10&type=code)
[m>>>13](https://github.com/search?q=m%3E%3E%3E13&type=code)
[m>>>17](https://github.com/search?q=m%3E%3E%3E17&type=code)
[m>>>19](https://github.com/search?q=m%3E%3E%3E19&type=code)
[n>>>0](https://github.com/search?q=n%3E%3E%3E0&type=code)
[n>>>13](https://github.com/search?q=n%3E%3E%3E13&type=code)
[n>>>16](https://github.com/search?q=n%3E%3E%3E16&type=code)
[n>>>17](https://github.com/search?q=n%3E%3E%3E17&type=code)
[n>>>24](https://github.com/search?q=n%3E%3E%3E24&type=code)
[n>>>26](https://github.com/search?q=n%3E%3E%3E26&type=code)
[n>>>31](https://github.com/search?q=n%3E%3E%3E31&type=code)
[n>>>5](https://github.com/search?q=n%3E%3E%3E5&type=code)
[n>>>7](https://github.com/search?q=n%3E%3E%3E7&type=code)
[n>>>8](https://github.com/search?q=n%3E%3E%3E8&type=code)
[o>>>0](https://github.com/search?q=o%3E%3E%3E0&type=code)
[o>>>10](https://github.com/search?q=o%3E%3E%3E10&type=code)
[o>>>16](https://github.com/search?q=o%3E%3E%3E16&type=code)
[o>>>22](https://github.com/search?q=o%3E%3E%3E22&type=code)
[o>>>24](https://github.com/search?q=o%3E%3E%3E24&type=code)
[o>>>31](https://github.com/search?q=o%3E%3E%3E31&type=code)
[o>>>4](https://github.com/search?q=o%3E%3E%3E4&type=code)
[o>>>5](https://github.com/search?q=o%3E%3E%3E5&type=code)
[o>>>8](https://github.com/search?q=o%3E%3E%3E8&type=code)
[p>>>0](https://github.com/search?q=p%3E%3E%3E0&type=code)
[p>>>18](https://github.com/search?q=p%3E%3E%3E18&type=code)
[p>>>31](https://github.com/search?q=p%3E%3E%3E31&type=code)
[p>>>7](https://github.com/search?q=p%3E%3E%3E7&type=code)
[p>>>8](https://github.com/search?q=p%3E%3E%3E8&type=code)
[q>>>0](https://github.com/search?q=q%3E%3E%3E0&type=code)
[q>>>3](https://github.com/search?q=q%3E%3E%3E3&type=code)
[r>>>0](https://github.com/search?q=r%3E%3E%3E0&type=code)
[r>>>10](https://github.com/search?q=r%3E%3E%3E10&type=code)
[r>>>13](https://github.com/search?q=r%3E%3E%3E13&type=code)
[r>>>24](https://github.com/search?q=r%3E%3E%3E24&type=code)
[r>>>8](https://github.com/search?q=r%3E%3E%3E8&type=code)
[s>>>0](https://github.com/search?q=s%3E%3E%3E0&type=code)
[s>>>14](https://github.com/search?q=s%3E%3E%3E14&type=code)
[s>>>24](https://github.com/search?q=s%3E%3E%3E24&type=code)
[s>>>26](https://github.com/search?q=s%3E%3E%3E26&type=code)
[s>>>31](https://github.com/search?q=s%3E%3E%3E31&type=code)
[s>>>6](https://github.com/search?q=s%3E%3E%3E6&type=code)
[s>>>8](https://github.com/search?q=s%3E%3E%3E8&type=code)
[t>>>0](https://github.com/search?q=t%3E%3E%3E0&type=code)
[t>>>16](https://github.com/search?q=t%3E%3E%3E16&type=code)
[t>>>26](https://github.com/search?q=t%3E%3E%3E26&type=code)
[t>>>29](https://github.com/search?q=t%3E%3E%3E29&type=code)
[t>>>32](https://github.com/search?q=t%3E%3E%3E32&type=code)
[t>>>64](https://github.com/search?q=t%3E%3E%3E64&type=code)
[t>>>7](https://github.com/search?q=t%3E%3E%3E7&type=code)
[t>>>9](https://github.com/search?q=t%3E%3E%3E9&type=code)
[u>>>13](https://github.com/search?q=u%3E%3E%3E13&type=code)
[u>>>16](https://github.com/search?q=u%3E%3E%3E16&type=code)
[u>>>24](https://github.com/search?q=u%3E%3E%3E24&type=code)
[u>>>31](https://github.com/search?q=u%3E%3E%3E31&type=code)
[u>>>8](https://github.com/search?q=u%3E%3E%3E8&type=code)
[v>>>0](https://github.com/search?q=v%3E%3E%3E0&type=code)
[v>>>16](https://github.com/search?q=v%3E%3E%3E16&type=code)
[v>>>24](https://github.com/search?q=v%3E%3E%3E24&type=code)
[v>>>28](https://github.com/search?q=v%3E%3E%3E28&type=code)
[v>>>8](https://github.com/search?q=v%3E%3E%3E8&type=code)
[w>>>10](https://github.com/search?q=w%3E%3E%3E10&type=code)
[w>>>17](https://github.com/search?q=w%3E%3E%3E17&type=code)
[w>>>18](https://github.com/search?q=w%3E%3E%3E18&type=code)
[w>>>19](https://github.com/search?q=w%3E%3E%3E19&type=code)
[w>>>28](https://github.com/search?q=w%3E%3E%3E28&type=code)
[w>>>3](https://github.com/search?q=w%3E%3E%3E3&type=code)
[w>>>7](https://github.com/search?q=w%3E%3E%3E7&type=code)
[x>>>14](https://github.com/search?q=x%3E%3E%3E14&type=code)
[x>>>18](https://github.com/search?q=x%3E%3E%3E18&type=code)
[x>>>23](https://github.com/search?q=x%3E%3E%3E23&type=code)
[x>>>9](https://github.com/search?q=x%3E%3E%3E9&type=code)
[y>>>13](https://github.com/search?q=y%3E%3E%3E13&type=code)
[y>>>29](https://github.com/search?q=y%3E%3E%3E29&type=code)
[y>>>31](https://github.com/search?q=y%3E%3E%3E31&type=code)
[z>>>0](https://github.com/search?q=z%3E%3E%3E0&type=code)
[z>>>17](https://github.com/search?q=z%3E%3E%3E17&type=code) | +| +HIGH | **[anti-static/obfuscation/python](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/python.yara#multi_decode_3)** | multiple (3+) levels of decoding | [.decode(n);return o._baseCache.set(i,t),o}},jE=(e,t)=>{switch(e[0]){case"Q":{let r=t||N_;return[N_.prefix,r.decode(`${N_.prefix}${e}`)]}case N_.prefix:{let r=t||N_;return[N_.prefix,r.decode(e)]}case y_.prefix:{let r=t||y_;return[y_.prefix,r.decode(e)]}default:if(null==t)throw Error("To parse non base32 or base58btc encoded CID multibase decoder must be provided");return[e[0],t.decode](https://github.com/search?q=.decode%28n%29%3Breturn+o._baseCache.set%28i%2Ct%29%2Co%7D%7D%2CjE%3D%28e%2Ct%29%3D%3E%7Bswitch%28e%5B0%5D%29%7Bcase%22Q%22%3A%7Blet+r%3Dt%7C%7CN_%3Breturn%5BN_.prefix%2Cr.decode%28%60%24%7BN_.prefix%7D%24%7Be%7D%60%29%5D%7Dcase+N_.prefix%3A%7Blet+r%3Dt%7C%7CN_%3Breturn%5BN_.prefix%2Cr.decode%28e%29%5D%7Dcase+y_.prefix%3A%7Blet+r%3Dt%7C%7Cy_%3Breturn%5By_.prefix%2Cr.decode%28e%29%5D%7Ddefault%3Aif%28null%3D%3Dt%29throw+Error%28%22To+parse+non+base32+or+base58btc+encoded+CID+multibase+decoder+must+be+provided%22%29%3Breturn%5Be%5B0%5D%2Ct.decode&type=code)
[.decode(n);return o._baseCache.set(i,t),o}},vB=(e,t)=>{switch(e[0]){case"Q":{let r=t||fN;return[fN.prefix,r.decode(`${fN.prefix}${e}`)]}case fN.prefix:{let r=t||fN;return[fN.prefix,r.decode(e)]}case JO.prefix:{let r=t||JO;return[JO.prefix,r.decode(e)]}default:if(null==t)throw Error("To parse non base32 or base58btc encoded CID multibase decoder must be provided");return[e[0],t.decode](https://github.com/search?q=.decode%28n%29%3Breturn+o._baseCache.set%28i%2Ct%29%2Co%7D%7D%2CvB%3D%28e%2Ct%29%3D%3E%7Bswitch%28e%5B0%5D%29%7Bcase%22Q%22%3A%7Blet+r%3Dt%7C%7CfN%3Breturn%5BfN.prefix%2Cr.decode%28%60%24%7BfN.prefix%7D%24%7Be%7D%60%29%5D%7Dcase+fN.prefix%3A%7Blet+r%3Dt%7C%7CfN%3Breturn%5BfN.prefix%2Cr.decode%28e%29%5D%7Dcase+JO.prefix%3A%7Blet+r%3Dt%7C%7CJO%3Breturn%5BJO.prefix%2Cr.decode%28e%29%5D%7Ddefault%3Aif%28null%3D%3Dt%29throw+Error%28%22To+parse+non+base32+or+base58btc+encoded+CID+multibase+decoder+must+be+provided%22%29%3Breturn%5Be%5B0%5D%2Ct.decode&type=code) | | +HIGH | **[c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#exotic_tld)** | Contains HTTP hostname with unusual top-level domain | [https://api.mantlescan.xyz/](https://api.mantlescan.xyz/)
[https://mantlescan.xyz/](https://mantlescan.xyz/)
[https://openchain.xyz/](https://openchain.xyz/) | | +HIGH | **[data/builtin/appkit](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/builtin/appkit.yara#appkit)** | Includes AppKit, a web3 blockchain library | [Price impact reflects the change in market price due to your trade](https://github.com/search?q=Price+impact+reflects+the+change+in+market+price+due+to+your+trade&type=code)
[Select which chain to connect to your multi](https://github.com/search?q=Select+which+chain+to+connect+to+your+multi&type=code) | | +MEDIUM | **[anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse)** | converts hex data to ASCII | [toString("hex");](https://github.com/search?q=toString%28%22hex%22%29%3B&type=code) | +| +MEDIUM | **[c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord)** | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) | | +MEDIUM | **[credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain)** | accesses a keychain | [keychain](https://github.com/search?q=keychain&type=code) | | +MEDIUM | **[crypto/blockchain](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/blockchain.yara#blockchain)** | blockchain | [blockchain](https://github.com/search?q=blockchain&type=code) | +| +MEDIUM | **[crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext)** | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | | +MEDIUM | **[crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid)** | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | | +MEDIUM | **[data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url)** | Contains base64 url | [odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code) | | +MEDIUM | **[discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname)** | [get system identification](https://nodejs.org/api/process.html) | 
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | @@ -21,8 +24,9 @@ | +MEDIUM | **[impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent)** | references an 'agent' | [useragent](https://github.com/search?q=useragent&type=code) | | +MEDIUM | **[impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat)** | references a 'heartbeat' | [heartBeatTimeout](https://github.com/search?q=heartBeatTimeout&type=code)
[heartbeat_pulse](https://github.com/search?q=heartbeat_pulse&type=code)
[lastHeartbeatResponse](https://github.com/search?q=lastHeartbeatResponse&type=code)
[updateLastHeartbeat](https://github.com/search?q=updateLastHeartbeat&type=code) | | +MEDIUM | **[impact/resource/bank_xfer](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/resource/bank_xfer.yara#bank_xfer)** | references 'bank transfer' | [bank transfer](https://github.com/search?q=bank+transfer&type=code) | -| +MEDIUM | **[net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload)** | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code) | +| +MEDIUM | **[net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload)** | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | | +MEDIUM | **[net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post)** | submits content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| +MEDIUM | **[net/http/webhook](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/webhook.yara#webhook)** | supports webhooks | [callWebhook](https://github.com/search?q=callWebhook&type=code) | | +MEDIUM | **[net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket)** | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [WalletLinkWebSocket](https://github.com/search?q=WalletLinkWebSocket&type=code)
[WebSocket:gV](https://github.com/search?q=WebSocket%3AgV&type=code)
[WebSocket:typeof](https://github.com/search?q=WebSocket%3Atypeof&type=code)
[WebSocketClass:h](https://github.com/search?q=WebSocketClass%3Ah&type=code)
[WebSocketClass:l](https://github.com/search?q=WebSocketClass%3Al&type=code)
[clearWebSocket](https://github.com/search?q=clearWebSocket&type=code)
[webSocket:e](https://github.com/search?q=webSocket%3Ae&type=code)
[webSocket:r](https://github.com/search?q=webSocket%3Ar&type=code)
[webSocket:t](https://github.com/search?q=webSocket%3At&type=code) | | +MEDIUM | **[net/ip/addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/addr.yara#ip_addr)** | mentions an 'IP address' | [IP address](https://github.com/search?q=IP+address&type=code)
[ipAddr](https://github.com/search?q=ipAddr&type=code) | | +MEDIUM | **[net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen)** | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[socket](https://github.com/search?q=socket&type=code) | diff --git a/tests/javascript/clean/203.b7219352.chunk.js.simple b/tests/javascript/clean/203.b7219352.chunk.js.simple index ef4d435f..730c41b2 100644 --- a/tests/javascript/clean/203.b7219352.chunk.js.simple +++ b/tests/javascript/clean/203.b7219352.chunk.js.simple @@ -43,6 +43,7 @@ net/download: medium net/http/cookies: medium net/http/form_upload: medium net/http/post: medium +net/ip/host_port: medium net/socket/listen: medium net/socket/send: low net/tcp/sftp: medium diff --git a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple index 9b9b1c48..a1db63c9 100644 --- a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple +++ b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple @@ -71,6 +71,7 @@ net/http/form_upload: medium net/http/post: medium net/http/request: low net/ip/addr: medium +net/ip/host_port: medium net/ip/parse: medium net/ip/resolve: low net/ip/spoof: medium diff --git a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple index 5fd44e4b..51c339d8 100644 --- a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple +++ b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple @@ -72,6 +72,7 @@ net/http/form_upload: medium net/http/post: medium net/http/request: low net/ip/addr: medium +net/ip/host_port: medium net/ip/parse: medium net/ip/resolve: low net/ip/spoof: medium diff --git a/tests/javascript/clean/connection.js.simple b/tests/javascript/clean/connection.js.simple index a6ced0f0..c2134c14 100644 --- a/tests/javascript/clean/connection.js.simple +++ b/tests/javascript/clean/connection.js.simple 
@@ -8,6 +8,7 @@ data/embedded/base64_url: medium
 data/encoding/base64: low
 discover/system/hostname: low
 net/dns: low
+net/ip/host_port: medium
 net/rpc/ntlm: medium
 net/socket/send: low
 net/url/embedded: medium
diff --git a/tests/javascript/clean/faker.js.simple b/tests/javascript/clean/faker.js.simple
index f55224c5..70b4fc74 100644
--- a/tests/javascript/clean/faker.js.simple
+++ b/tests/javascript/clean/faker.js.simple
@@ -30,6 +30,7 @@ net/download: medium
 net/http/fake_user_agent: medium
 net/http/form_upload: medium
 net/http/post: medium
+net/ip/host_port: medium
 net/remote_control/vnc: medium
 net/url/embedded: low
 net/url/encode: medium
diff --git a/tests/javascript/clean/faker.min.js.simple b/tests/javascript/clean/faker.min.js.simple
index 6b2239ad..315b51df 100644
--- a/tests/javascript/clean/faker.min.js.simple
+++ b/tests/javascript/clean/faker.min.js.simple
@@ -25,6 +25,7 @@ net/download: medium
 net/http/fake_user_agent: medium
 net/http/form_upload: medium
 net/http/post: medium
+net/ip/host_port: medium
 net/remote_control/vnc: medium
 net/url/embedded: low
 net/url/encode: medium
diff --git a/tests/javascript/clean/frequency_lists.js.simple b/tests/javascript/clean/frequency_lists.js.simple
index c3fd3893..bcf318e0 100644
--- a/tests/javascript/clean/frequency_lists.js.simple
+++ b/tests/javascript/clean/frequency_lists.js.simple
@@ -7,6 +7,7 @@ c2/tool_transfer/dropper: medium
 collect/databases/mysql: medium
 credential/gaming/minecraft: medium
 credential/password: low
+crypto/cipher: medium
 discover/user/name_get: medium
 exec/plugin: low
 fs/lock_update: low
diff --git a/tests/javascript/clean/highlight.esm.js.simple b/tests/javascript/clean/highlight.esm.js.simple
index abe7d598..da08b2e9 100644
--- a/tests/javascript/clean/highlight.esm.js.simple
+++ b/tests/javascript/clean/highlight.esm.js.simple
@@ -19,6 +19,7 @@ discover/group/lookup: medium
 discover/network/mac_address: medium
 discover/processes/list: medium
 discover/system/sysinfo: medium
+discover/user/APPDATA: low
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: low
@@ -57,6 +58,7 @@ net/download/fetch: medium
 net/http/cookies: medium
 net/http/post: medium
 net/ip/addr: medium
+net/ip/host_port: medium
 net/ip/resolve: low
 net/ip/spoof: medium
 net/ip/string: medium
diff --git a/tests/javascript/clean/highlight.js.simple b/tests/javascript/clean/highlight.js.simple
index c5dbd460..278265b5 100644
--- a/tests/javascript/clean/highlight.js.simple
+++ b/tests/javascript/clean/highlight.js.simple
@@ -19,6 +19,7 @@ discover/group/lookup: medium
 discover/network/mac_address: medium
 discover/processes/list: medium
 discover/system/sysinfo: medium
+discover/user/APPDATA: low
 discover/user/HOME: low
 discover/user/USER: low
 discover/user/name_get: low
@@ -57,6 +58,7 @@ net/download/fetch: medium
 net/http/cookies: medium
 net/http/post: medium
 net/ip/addr: medium
+net/ip/host_port: medium
 net/ip/resolve: low
 net/ip/spoof: medium
 net/ip/string: medium
diff --git a/tests/javascript/clean/http2wrapper.js.simple b/tests/javascript/clean/http2wrapper.js.simple
index 56882ad9..757ebce3 100644
--- a/tests/javascript/clean/http2wrapper.js.simple
+++ b/tests/javascript/clean/http2wrapper.js.simple
@@ -5,5 +5,6 @@ data/embedded/base64_url: medium
 data/encoding/base64: low
 impact/remote_access/agent: medium
 net/http/2: low
+net/ip/host_port: medium
 net/socket/connect: medium
 net/url/embedded: low
diff --git a/tests/javascript/clean/index.js.map.simple b/tests/javascript/clean/index.js.map.simple
index eb5386a1..50fc1987 100644
--- a/tests/javascript/clean/index.js.map.simple
+++ b/tests/javascript/clean/index.js.map.simple
@@ -1,5 +1,6 @@
 # javascript/clean/index.js.map: medium
 crypto/aes: low
+crypto/cipher: medium
 data/encoding/base64: low
 data/encoding/json_decode: low
 data/encoding/json_encode: low
diff --git a/tests/javascript/clean/mode-php.js.simple b/tests/javascript/clean/mode-php.js.simple
index ee388f40..e536e282 100644
--- a/tests/javascript/clean/mode-php.js.simple
+++ b/tests/javascript/clean/mode-php.js.simple
@@ -36,6 +36,7 @@ fs/node_create: low
 fs/path/etc: low
 fs/permission/modify: medium
 fs/symlink_resolve: low
+fs/tempdir/TEMP: low
 fs/watch: low
 impact/remote_access/agent: medium
 net/download/fetch: medium
@@ -43,6 +44,7 @@ net/http/cookies: medium
 net/http/form_upload: medium
 net/http/post: medium
 net/ip/addr: medium
+net/ip/host_port: medium
 net/ip/parse: medium
 net/ip/resolve: low
 net/ip/spoof: medium
diff --git a/tests/javascript/clean/mode-php_laravel_blade.js.simple b/tests/javascript/clean/mode-php_laravel_blade.js.simple
index 01d0205f..b9f43f75 100644
--- a/tests/javascript/clean/mode-php_laravel_blade.js.simple
+++ b/tests/javascript/clean/mode-php_laravel_blade.js.simple
@@ -36,6 +36,7 @@ fs/node_create: low
 fs/path/etc: low
 fs/permission/modify: medium
 fs/symlink_resolve: low
+fs/tempdir/TEMP: low
 fs/watch: low
 impact/remote_access/agent: medium
 net/download/fetch: medium
@@ -43,6 +44,7 @@ net/http/cookies: medium
 net/http/form_upload: medium
 net/http/post: medium
 net/ip/addr: medium
+net/ip/host_port: medium
 net/ip/parse: medium
 net/ip/resolve: low
 net/ip/spoof: medium
diff --git a/tests/javascript/clean/napi_rs_runtime.js.simple b/tests/javascript/clean/napi_rs_runtime.js.simple
index 7456308a..017f4814 100644
--- a/tests/javascript/clean/napi_rs_runtime.js.simple
+++ b/tests/javascript/clean/napi_rs_runtime.js.simple
@@ -13,6 +13,7 @@ fs/file/stat: low
 fs/file/times_set: medium
 fs/link_read: low
 fs/symlink_resolve: low
+net/http/form_upload: medium
 net/socket/listen: medium
 net/socket/receive: low
 net/socket/send: low
diff --git a/tests/javascript/clean/php.js.simple b/tests/javascript/clean/php.js.simple
index f89a166e..46d15710 100644
--- a/tests/javascript/clean/php.js.simple
+++ b/tests/javascript/clean/php.js.simple
@@ -35,12 +35,14 @@ fs/node_create: low
 fs/path/etc: low
 fs/permission/modify: medium
 fs/symlink_resolve: low
+fs/tempdir/TEMP: low
 fs/watch: low
 impact/remote_access/agent: medium
 net/http/cookies: medium
 net/http/form_upload: medium
 net/http/post: medium
 net/ip/addr: medium
+net/ip/host_port: medium
 net/ip/parse: medium
 net/ip/resolve: low
 net/ip/spoof: medium
diff --git a/tests/javascript/clean/securityDashboards.plugin.js.simple b/tests/javascript/clean/securityDashboards.plugin.js.simple
index 726acf13..91dabe93 100644
--- a/tests/javascript/clean/securityDashboards.plugin.js.simple
+++ b/tests/javascript/clean/securityDashboards.plugin.js.simple
@@ -9,6 +9,7 @@ c2/tool_transfer/dropper: medium
 collect/databases/mysql: medium
 credential/gaming/minecraft: medium
 credential/password: low
+crypto/cipher: medium
 data/encoding/base64: low
 data/encoding/json_decode: low
 data/encoding/json_encode: low
@@ -30,6 +31,7 @@ net/download: medium
 net/http/form_upload: medium
 net/http/post: medium
 net/http/request: low
+net/ip/host_port: medium
 net/ip/multicast_send: low
 net/ip/spoof: medium
 net/proxy/tunnel: medium
diff --git a/tests/javascript/clean/zxcvbn.js.simple b/tests/javascript/clean/zxcvbn.js.simple
index 6d5f6c34..f3796fd1 100644
--- a/tests/javascript/clean/zxcvbn.js.simple
+++ b/tests/javascript/clean/zxcvbn.js.simple
@@ -7,6 +7,7 @@ c2/tool_transfer/dropper: medium
 collect/databases/mysql: medium
 credential/gaming/minecraft: medium
 credential/password: low
+crypto/cipher: medium
 discover/user/name_get: medium
 exec/plugin: low
 exec/remote_commands/code_eval: medium
diff --git a/tests/linux/2021.FontOnLake/45E9.elf.simple b/tests/linux/2021.FontOnLake/45E9.elf.simple
index 6f08a82e..7f8fd1eb 100644
--- a/tests/linux/2021.FontOnLake/45E9.elf.simple
+++ b/tests/linux/2021.FontOnLake/45E9.elf.simple
@@ -69,6 +69,7 @@ impact/remote_access/ssh: high
 impact/ui/x11_auth: medium
 malware/family/fontonlake: critical
 net/download: medium
+net/ip/host_port: medium
 net/ip/spoof: medium
 net/ip/string: medium
 net/proxy/socks5: medium
diff --git a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
index 35f3f358..f5143165 100644
--- a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
+++ b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
@@ -51,6 +51,7 @@ fs/proc/mounts: medium
 fs/proc/nvidia_gpu: medium
 fs/proc/self_cgroup: medium
 fs/proc/self_exe: medium
+fs/tempdir/TEMP: low
 hw/cpu: medium
 impact/cryptojacking/cryptonight: high
 impact/cryptojacking/generic: high
@@ -68,6 +69,7 @@ net/http/cookies: medium
 net/http/form_upload: medium
 net/http/post: medium
 net/http/request: low
+net/ip/host_port: medium
 net/ip/icmp: medium
 net/ip/parse: medium
 net/ip/string: medium
diff --git a/tests/linux/2022.ez-pwnkit/payload.simple b/tests/linux/2022.ez-pwnkit/payload.simple
index 8a61b030..24677997 100644
--- a/tests/linux/2022.ez-pwnkit/payload.simple
+++ b/tests/linux/2022.ez-pwnkit/payload.simple
@@ -25,6 +25,7 @@ net/dns: low
 net/dns/servers: low
 net/dns/txt: low
 net/ip/addr: medium
+net/ip/host_port: medium
 net/ip/multicast_send: low
 net/ip/parse: medium
 net/resolve/hostname: low
diff --git a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
index 065df91b..6ea3b6e1 100644
--- a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
+++ b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
@@ -9,6 +9,7 @@ credential/shell/bash_history: high
 credential/ssh: medium
 credential/ssl/private_key: low
 crypto/aes: low
+crypto/cipher: medium
 crypto/ecdsa: low
 crypto/ed25519: low
 crypto/tls: low
@@ -69,6 +70,7 @@ net/http/post: medium
 net/http/proxy: low
 net/http/request: low
 net/ip: low
+net/ip/host_port: medium
 net/ip/multicast_send: low
 net/ip/parse: medium
 net/ip/spoof: high
diff --git a/tests/linux/2024.PAN-OS.Upstyle/update.py.simple b/tests/linux/2024.PAN-OS.Upstyle/update.py.simple
index 8eb29ecb..178e2ed1 100644
--- a/tests/linux/2024.PAN-OS.Upstyle/update.py.simple
+++ b/tests/linux/2024.PAN-OS.Upstyle/update.py.simple
@@ -5,6 +5,7 @@ anti-static/base64/function_names: critical
 data/base64/decode: medium
 data/encoding/base64: low
 exec/imports/python: medium
+exec/remote_commands/code_eval: critical
 fs/file/delete: low
 fs/file/open: low
 fs/file/stat: low
diff --git a/tests/linux/2024.PAN-OS.Upstyle/update_base64_payload1.py.simple b/tests/linux/2024.PAN-OS.Upstyle/update_base64_payload1.py.simple
index 5898f206..ba374f15 100644
--- a/tests/linux/2024.PAN-OS.Upstyle/update_base64_payload1.py.simple
+++ b/tests/linux/2024.PAN-OS.Upstyle/update_base64_payload1.py.simple
@@ -6,8 +6,9 @@ data/base64/decode: medium
 data/encoding/base64: low
 exec/imports/python: low
 exec/program: medium
-exec/remote_commands/code_eval: medium
+exec/remote_commands/code_eval: high
 fs/file/delete: low
+fs/file/exists: low
 fs/file/open: low
 fs/file/read: low
 fs/file/write: low
diff --git a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
index c6780c85..84974e84 100644
--- a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
+++ b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
@@ -55,6 +55,7 @@ net/http/post: medium
 net/http/request: low
 net/ip: low
 net/ip/addr: medium
+net/ip/host_port: medium
 net/ip/multicast_send: low
 net/ip/parse: medium
 net/resolve/hostname: low
diff --git a/tests/linux/2024.chisel/crondx.simple b/tests/linux/2024.chisel/crondx.simple
index eee67f32..d885c3d4 100644
--- a/tests/linux/2024.chisel/crondx.simple
+++ b/tests/linux/2024.chisel/crondx.simple
@@ -6,6 +6,7 @@ collect/archives/zip: medium
 credential/password: low
 credential/ssl/private_key: low
 crypto/aes: low
+crypto/cipher: medium
 crypto/ecdsa: low
 crypto/ed25519: low
 crypto/rc4: low
@@ -39,6 +40,7 @@ net/http/proxy: low
 net/http/request: low
 net/http/websocket: medium
 net/ip: low
+net/ip/host_port: medium
 net/ip/icmp: medium
 net/ip/parse: medium
 net/proxy/socks5: medium
diff --git a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
index 87548cee..9d659993 100644
--- a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
+++ b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
@@ -9,6 +9,7 @@ credential/password: low
 credential/ssh/d: medium
 credential/ssl/private_key: low
 crypto/aes: low
+crypto/cipher: medium
 crypto/ecdsa: low
 crypto/ed25519: low
 crypto/tls: low
@@ -55,6 +56,7 @@ net/http/cookies: medium
 net/http/post: medium
 net/http/proxy: low
 net/http/request: low
+net/http/webhook: medium
 net/ip: low
 net/ip/multicast_send: low
 net/ip/parse: medium
diff --git a/tests/linux/2024.hadooken/drop2.sh.simple b/tests/linux/2024.hadooken/drop2.sh.simple
index ad08ce4b..72f0cf7f 100644
--- a/tests/linux/2024.hadooken/drop2.sh.simple
+++ b/tests/linux/2024.hadooken/drop2.sh.simple
@@ -1,7 +1,7 @@
 # linux/2024.hadooken/drop2.sh: critical
 c2/addr/ip: high
 exec/imports/python: low
-exec/remote_commands/code_eval: medium
+exec/remote_commands/code_eval: high
 impact/remote_access/remote_eval: critical
 net/url/embedded: low
 net/url/parse: low
diff --git a/tests/linux/2024.hadooken/figure4.py.simple b/tests/linux/2024.hadooken/figure4.py.simple
index 7fdf39ae..bcba823d 100644
--- a/tests/linux/2024.hadooken/figure4.py.simple
+++ b/tests/linux/2024.hadooken/figure4.py.simple
@@ -6,6 +6,7 @@ c2/tool_transfer/python: high
 exec/imports/python: low
 exec/program: medium
 fs/file/delete: low
+fs/file/exists: low
 fs/file/open: low
 fs/path/dev: medium
 fs/path/var: low
diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
index cca41489..62b5f1b4 100644
--- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
+++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
@@ -17,6 +17,7 @@ credential/sniffer/bpf: medium
 credential/ssh/d: medium
 credential/ssl/private_key: low
 crypto/aes: low
+crypto/cipher: medium
 crypto/ecdsa: low
 crypto/ed25519: low
 crypto/tls: low
@@ -98,6 +99,7 @@ fs/proc/1_cgroup: medium
 fs/proc/arbitrary_pid: medium
 fs/proc/cpuinfo: medium
 fs/symlink_resolve: low
+fs/tempdir/TEMP: low
 hw/cpu: medium
 impact/exploit: high
 impact/exploit/GCONV_PATH: high
diff --git a/tests/linux/2024.melofee/2023.8d855c2874.elf.simple b/tests/linux/2024.melofee/2023.8d855c2874.elf.simple
index 6189dfd3..17254030 100644
--- a/tests/linux/2024.melofee/2023.8d855c2874.elf.simple
+++ b/tests/linux/2024.melofee/2023.8d855c2874.elf.simple
@@ -41,12 +41,14 @@ fs/proc/arbitrary_pid: medium
 fs/proc/cpuinfo: medium
 fs/proc/pid_status: medium
 fs/proc/self_exe: medium
+fs/tempdir/TEMP: low
 impact/remote_access/heartbeat: medium
 lateral/scan/tool: medium
 malware/family/melofee: critical
 net/http/post: medium
 net/http/request: low
 net/ip/addr: medium
+net/ip/host_port: medium
 net/ip/parse: medium
 net/ip/string: medium
 net/proxy/tunnel: medium
diff --git a/tests/linux/2024.melofee/pskt.simple b/tests/linux/2024.melofee/pskt.simple
index fa3c946f..9e929998 100644
--- a/tests/linux/2024.melofee/pskt.simple
+++ b/tests/linux/2024.melofee/pskt.simple
@@ -54,6 +54,7 @@ net/dns/txt: low
 net/http/post: medium
 net/http/request: low
 net/ip/addr: medium
+net/ip/host_port: medium
 net/ip/resolve: low
 net/proxy/tunnel: medium
 net/resolve/hostname: low
diff --git a/tests/linux/2024.sbcl.market/sbcl.sdiff b/tests/linux/2024.sbcl.market/sbcl.sdiff index 6a770472..08e0e7a2 100644 --- a/tests/linux/2024.sbcl.market/sbcl.sdiff +++ b/tests/linux/2024.sbcl.market/sbcl.sdiff @@ -20,5 +20,6 @@ fs/path/var fs/permission/modify fs/proc/self_exe fs/symlink_resolve +fs/tempdir/TEMP +net/dns/txt net/url/embedded diff --git a/tests/linux/2024.sshdoor/dd98ee5273a02829167b255baf9979759f84a0a6b7769a67ecbf6c0c9100c38d.elf.simple b/tests/linux/2024.sshdoor/dd98ee5273a02829167b255baf9979759f84a0a6b7769a67ecbf6c0c9100c38d.elf.simple index 832263e0..dd1c9152 100644 --- a/tests/linux/2024.sshdoor/dd98ee5273a02829167b255baf9979759f84a0a6b7769a67ecbf6c0c9100c38d.elf.simple +++ b/tests/linux/2024.sshdoor/dd98ee5273a02829167b255baf9979759f84a0a6b7769a67ecbf6c0c9100c38d.elf.simple @@ -59,6 +59,7 @@ impact/ui/x11_auth: medium malware/family/sshdoor: critical net/ip: low net/ip/addr: medium +net/ip/host_port: medium net/ip/spoof: medium net/ip/string: medium net/proxy/socks5: medium diff --git a/tests/linux/clean/appsec-rules.json.simple b/tests/linux/clean/appsec-rules.json.simple index 46a28878..4dc65c53 100644 --- a/tests/linux/clean/appsec-rules.json.simple +++ b/tests/linux/clean/appsec-rules.json.simple @@ -58,6 +58,8 @@ net/dns/servers: low net/download: medium net/ftp/t: low net/http/cookies: medium +net/http/webhook: medium +net/ip/host_port: medium net/socket/connect: medium net/tcp/sftp: medium persist/cron/tab: medium diff --git a/tests/linux/clean/buildah.simple b/tests/linux/clean/buildah.simple index fdff14d1..529452e3 100644 --- a/tests/linux/clean/buildah.simple +++ b/tests/linux/clean/buildah.simple @@ -11,6 +11,7 @@ credential/password: low credential/sniffer/bpf: medium credential/ssl/private_key: low crypto/aes: low +crypto/cipher: medium crypto/ecdsa: low crypto/ed25519: low crypto/tls: low 
@@ -113,6 +114,7 @@ net/http/oauth2: low
 net/http/post: medium
 net/http/proxy: low
 net/http/request: low
+net/ip/host_port: medium
 net/ip/icmp: medium
 net/ip/parse: medium
 net/resolve/hostname: low
diff --git a/tests/linux/clean/busybox.simple b/tests/linux/clean/busybox.simple
index 5e93509b..28b372ff 100644
--- a/tests/linux/clean/busybox.simple
+++ b/tests/linux/clean/busybox.simple
@@ -61,6 +61,7 @@ fs/proc/mounts: medium
 fs/proc/stat: medium
 fs/symlink_resolve: low
 fs/tempdir: low
+fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
 fs/tempdir/create: low
 fs/tempdir/tempfile_create: low
@@ -69,6 +70,7 @@ hw/cpu: medium
 impact/ddos/raw_flooder: medium
 lateral/scan/tool: medium
 net/ip/addr: medium
+net/ip/host_port: medium
 net/ip/icmp: medium
 net/ip/multicast_send: low
 net/ip/parse: medium
diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple
index 100d7d55..8b634439 100644
--- a/tests/linux/clean/caddy.simple
+++ b/tests/linux/clean/caddy.simple
@@ -18,6 +18,7 @@ credential/sniffer/bpf: medium
 credential/ssh/d: medium
 credential/ssl/private_key: low
 crypto/aes: low
+crypto/cipher: medium
 crypto/ecdsa: low
 crypto/ed25519: low
 crypto/tls: low
@@ -115,8 +116,10 @@ net/http/oauth2: low
 net/http/post: medium
 net/http/proxy: low
 net/http/request: low
+net/http/webhook: medium
 net/http/websocket: medium
 net/ip: low
+net/ip/host_port: medium
 net/ip/icmp: medium
 net/ip/multicast_send: low
 net/ip/parse: medium
diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple
index 994accc4..6d1dbb0c 100644
--- a/tests/linux/clean/chezmoi.simple
+++ b/tests/linux/clean/chezmoi.simple
@@ -5,8 +5,10 @@
 3P/threat_hunting/johntheripper: medium
 3P/threat_hunting/sharpshooter: medium
 3P/threat_hunting/tailscale: medium
+c2/addr/discord: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
+c2/addr/telegram: medium
 c2/tool_transfer/download: medium
 c2/tool_transfer/dropper: medium
 collect/archives/zip: medium
@@ -24,6 +26,7 @@ credential/server/htpasswd: medium
 credential/sniffer/bpf: medium
 credential/ssl/private_key: low
 crypto/aes: low
+crypto/cipher: medium
 crypto/ecdsa: low
 crypto/ed25519: low
 crypto/file_encrypter: medium
@@ -124,8 +127,10 @@ net/http/oauth2: low
 net/http/post: medium
 net/http/proxy: low
 net/http/request: low
+net/http/webhook: medium
 net/http/websocket: medium
 net/ip: low
+net/ip/host_port: medium
 net/ip/multicast_send: low
 net/ip/parse: medium
 net/ip/resolve: low
diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple
index 0767e59e..4fbbbbdc 100644
--- a/tests/linux/clean/chrome.simple
+++ b/tests/linux/clean/chrome.simple
@@ -21,6 +21,7 @@ credential/sniffer/bpf: medium
 credential/ssh: medium
 credential/ssl/private_key: low
 crypto/aes: low
+crypto/cipher: medium
 crypto/ecdsa: low
 crypto/ed25519: low
 crypto/rc4: medium
@@ -132,6 +133,7 @@ net/http/proxy: low
 net/http/request: low
 net/http/websocket: medium
 net/ip: low
+net/ip/host_port: medium
 net/ip/icmp: medium
 net/ip/multicast_send: low
 net/ip/p_request: low
diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple
index 5b42b7f4..8039a627 100644
--- a/tests/linux/clean/clickhouse.simple
+++ b/tests/linux/clean/clickhouse.simple
@@ -21,6 +21,7 @@ credential/password: low
 credential/sniffer/bpf: medium
 credential/ssl/private_key: low
 crypto/aes: low
+crypto/cipher: medium
 crypto/ed25519: low
 crypto/file_encrypter: medium
 crypto/gost89: low
@@ -149,6 +150,7 @@ net/http/proxy: low
 net/http/request: low
 net/http/websocket: medium
 net/ip: low
+net/ip/host_port: medium
 net/ip/icmp: medium
 net/ip/parse: medium
 net/ip/resolve: low
diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md
index 82da8138..5268322d 100644
--- a/tests/linux/clean/code-oss.md
+++ b/tests/linux/clean/code-oss.md
@@ -19,6 +19,7 @@ | MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) | | MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) | | MEDIUM | [credential/sniffer/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/sniffer/bpf.yara#sniffer_bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | +| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | | MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | [#"!](https://github.com/search?q=%23%22%21&type=code)
$opt0
$opt1
$opt2
$opt30
$opt4
$opt5
$opt6
$opt7
['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[3210](https://github.com/search?q=3210&type=code)
[7654](https://github.com/search?q=7654&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[onml](https://github.com/search?q=onml&type=code)
[srqp](https://github.com/search?q=srqp&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[����](https://github.com/search?q=%83%82%81%80&type=code)
[����](https://github.com/search?q=%87%86%85%84&type=code)
[����](https://github.com/search?q=%8B%8A%89%88&type=code)
[����](https://github.com/search?q=%8F%8E%8D%8C&type=code)
[����](https://github.com/search?q=%93%92%91%90&type=code)
[����](https://github.com/search?q=%97%96%95%94&type=code)
[����](https://github.com/search?q=%9B%9A%99%98&type=code)
[����](https://github.com/search?q=%9F%9E%9D%9C&type=code)
[����](https://github.com/search?q=%A3%A2%A1%A0&type=code)
[����](https://github.com/search?q=%A7%A6%A5%A4&type=code)
[����](https://github.com/search?q=%AB%AA%A9%A8&type=code)
[����](https://github.com/search?q=%AF%AE%AD%AC&type=code)
[����](https://github.com/search?q=%B3%B2%B1%B0&type=code)
[����](https://github.com/search?q=%B7%B6%B5%B4&type=code)
[����](https://github.com/search?q=%BB%BA%B9%B8&type=code)
[����](https://github.com/search?q=%BF%BE%BD%BC&type=code)
[����](https://github.com/search?q=%C3%C2%C1%C0&type=code)
[����](https://github.com/search?q=%C7%C6%C5%C4&type=code)
[����](https://github.com/search?q=%CB%CA%C9%C8&type=code)
[����](https://github.com/search?q=%CF%CE%CD%CC&type=code)
[����](https://github.com/search?q=%D3%D2%D1%D0&type=code)
[����](https://github.com/search?q=%D7%D6%D5%D4&type=code)
[����](https://github.com/search?q=%DB%DA%D9%D8&type=code)
[����](https://github.com/search?q=%DF%DE%DD%DC&type=code)
[����](https://github.com/search?q=%E3%E2%E1%E0&type=code)
[����](https://github.com/search?q=%E7%E6%E5%E4&type=code)
[����](https://github.com/search?q=%EB%EA%E9%E8&type=code)
[����](https://github.com/search?q=%EF%EE%ED%EC&type=code)
[����](https://github.com/search?q=%F3%F2%F1%F0&type=code)
[����](https://github.com/search?q=%F7%F6%F5%F4&type=code)
[����](https://github.com/search?q=%FB%FA%F9%F8&type=code)
[����](https://github.com/search?q=%FF%FE%FD%FC&type=code) | | MEDIUM | [crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid) | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | | MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[RpcmVjdG9ye::$directory](https://github.com/search?q=RpcmVjdG9ye%3A%3A%24directory&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | @@ -29,6 +30,7 @@ | MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | +| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) | | MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | | MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) | | MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code)
[vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code) | @@ -64,9 +66,10 @@ | MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | | MEDIUM | [net/http/content_length](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length.yara#content_length_0) | Sets HTTP content length to zero | [Content-Length: 0](https://github.com/search?q=Content-Length%3A+0&type=code) | | MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | -| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | | MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[AcceptWebSocket](https://github.com/search?q=AcceptWebSocket&type=code)
[DOMWebSocket](https://github.com/search?q=DOMWebSocket&type=code)
[OnWebSocketMessage](https://github.com/search?q=OnWebSocketMessage&type=code)
[OnWebSocketRequest](https://github.com/search?q=OnWebSocketRequest&type=code)
[ServerSupportsWebSocket](https://github.com/search?q=ServerSupportsWebSocket&type=code)
[WebSocket::Close](https://github.com/search?q=WebSocket%3A%3AClose&type=code)
[WebSocket::Connect](https://github.com/search?q=WebSocket%3A%3AConnect&type=code)
[WebSocket::Create](https://github.com/search?q=WebSocket%3A%3ACreate&type=code)
[WebSocket::GetBufferedAmount](https://github.com/search?q=WebSocket%3A%3AGetBufferedAmount&type=code)
[WebSocket::GetCloseCode](https://github.com/search?q=WebSocket%3A%3AGetCloseCode&type=code)
[WebSocket::GetCloseReason](https://github.com/search?q=WebSocket%3A%3AGetCloseReason&type=code)
[WebSocket::GetCloseWasClean](https://github.com/search?q=WebSocket%3A%3AGetCloseWasClean&type=code)
[WebSocket::GetExtensions](https://github.com/search?q=WebSocket%3A%3AGetExtensions&type=code)
[WebSocket::GetProtocol](https://github.com/search?q=WebSocket%3A%3AGetProtocol&type=code)
[WebSocket::GetReadyState](https://github.com/search?q=WebSocket%3A%3AGetReadyState&type=code)
[WebSocket::GetURL](https://github.com/search?q=WebSocket%3A%3AGetURL&type=code)
[WebSocket::IsWebSocket](https://github.com/search?q=WebSocket%3A%3AIsWebSocket&type=code)
[WebSocket::ReceiveMessage](https://github.com/search?q=WebSocket%3A%3AReceiveMessage&type=code)
[WebSocket::SendMessage](https://github.com/search?q=WebSocket%3A%3ASendMessage&type=code)
[WebSocketAdapter](https://github.com/search?q=WebSocketAdapter&type=code)
[WebSocketAuthenticationHandler](https://github.com/search?q=WebSocketAuthenticationHandler&type=code)
[WebSocketChannelImpl](https://github.com/search?q=WebSocketChannelImpl&type=code)
[WebSocketClient](https://github.com/search?q=WebSocketClient&type=code)
[WebSocketCloseInfo](https://github.com/search?q=WebSocketCloseInfo&type=code)
[WebSocketConnector](https://github.com/search?q=WebSocketConnector&type=code)
[WebSocketCreate](https://github.com/search?q=WebSocketCreate&type=code)
[WebSocketDestroy](https://github.com/search?q=WebSocketDestroy&type=code)
[WebSocketHandshakeClient](https://github.com/search?q=WebSocketHandshakeClient&type=code)
[WebSocketMessageChunkAccumulator::Segment](https://github.com/search?q=WebSocketMessageChunkAccumulator%3A%3ASegment&type=code)
[WebSocketReassembleShortMessages](https://github.com/search?q=WebSocketReassembleShortMessages&type=code)
[WebSocketReceiveHandshakeResponse](https://github.com/search?q=WebSocketReceiveHandshakeResponse&type=code)
[WebSocketSendHandshakeRequest](https://github.com/search?q=WebSocketSendHandshakeRequest&type=code)
[WebSocketStream::Delegate::OnAuthRequired](https://github.com/search?q=WebSocketStream%3A%3ADelegate%3A%3AOnAuthRequired&type=code)
[WebSocketStreamOptions](https://github.com/search?q=WebSocketStreamOptions&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code)
[testWebSocketPort](https://github.com/search?q=testWebSocketPort&type=code)
[webSocketClosed](https://github.com/search?q=webSocketClosed&type=code)
[webSocketCreated](https://github.com/search?q=webSocketCreated&type=code)
[webSocketDebuggerUrl](https://github.com/search?q=webSocketDebuggerUrl&type=code)
[webSocketFrameError](https://github.com/search?q=webSocketFrameError&type=code)
[webSocketFrameReceived](https://github.com/search?q=webSocketFrameReceived&type=code)
[webSocketFrameSent](https://github.com/search?q=webSocketFrameSent&type=code)
[webSocketHandshakeResponseReceived](https://github.com/search?q=webSocketHandshakeResponseReceived&type=code)
[webSocketProtocol](https://github.com/search?q=webSocketProtocol&type=code)
[webSocketWillSendHandshakeRequest](https://github.com/search?q=webSocketWillSendHandshakeRequest&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host",t.port](https://github.com/search?q=host%22%2Ct.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+++origin_port&type=code)
[host, ctx.port](https://github.com/search?q=host%2C+ctx.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+origin_port&type=code)
[host, port](https://github.com/search?q=host%2C+port&type=code)
[host,r.port=e.port](https://github.com/search?q=host%2Cr.port%3De.port&type=code)
[host.length - port](https://github.com/search?q=host.length+-+port&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host:]port](https://github.com/search?q=host%3A%5Dport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host=null,this.port](https://github.com/search?q=host%3Dnull%2Cthis.port&type=code)
[host>:[host_import](https://github.com/search?q=host_import&type=code)
[hostname and port](https://github.com/search?q=hostname+and+port&type=code)
[hostname, port](https://github.com/search?q=hostname%2C+port&type=code)
[hostname="",r.port](https://github.com/search?q=hostname%3D%22%22%2Cr.port&type=code)
[hostname=null,e.port](https://github.com/search?q=hostname%3Dnull%2Ce.port&type=code)
[host}${port](https://github.com/search?q=host%7D%24%7Bport&type=code)
[host}:${port](https://github.com/search?q=host%7D%3A%24%7Bport&type=code) | | MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping err](https://github.com/search?q=ping++err&type=code)
[ping cancelled](https://github.com/search?q=ping+cancelled&type=code)
[ping connectivity probe](https://github.com/search?q=ping+connectivity+probe&type=code)
[ping failures and](https://github.com/search?q=ping+failures+and&type=code)
[ping from zygote child](https://github.com/search?q=ping+from+zygote+child&type=code)
[ping interval to](https://github.com/search?q=ping+interval+to&type=code)
[ping interval.](https://github.com/search?q=ping+interval.&type=code)
[ping last_ping_sent_:](https://github.com/search?q=ping+last_ping_sent_%3A&type=code)
[ping libuv](https://github.com/search?q=ping+libuv&type=code)
[ping most likely connection to](https://github.com/search?q=ping+most+likely+connection+to&type=code)
[ping payload must be 8 bytes](https://github.com/search?q=ping+payload+must+be+8+bytes&type=code)
[ping received](https://github.com/search?q=ping+received&type=code)
[ping response](https://github.com/search?q=ping+response&type=code)
[ping was sent and the ack](https://github.com/search?q=ping+was+sent+and+the+ack&type=code)
[ping with high retransmit count:](https://github.com/search?q=ping+with+high+retransmit+count%3A&type=code) | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | | MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | @@ -136,7 +139,7 @@ | LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/cache/fontconfig](https://github.com/search?q=%2Fvar%2Fcache%2Ffontconfig&type=code)
[/var/log/bluetooth/bluetooth_quality_report](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Fbluetooth_quality_report&type=code)
[/var/log/bluetooth/log.bz2.old](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Flog.bz2.old&type=code)
[/var/run/user](https://github.com/search?q=%2Fvar%2Frun%2Fuser&type=code)
[/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | | LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | | LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TEMPDIR](https://github.com/search?q=TEMPDIR&type=code)
[TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#tmpdir) | tmpdir | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple index f0f72099..2dee40cf 100644 --- a/tests/linux/clean/containerd.simple +++ b/tests/linux/clean/containerd.simple @@ -10,6 +10,7 @@ credential/sniffer/bpf: medium credential/sniffer/pcap: medium credential/ssl/private_key: low crypto/aes: low +crypto/cipher: medium crypto/ecdsa: low crypto/ed25519: low crypto/tls: low @@ -67,6 +68,7 @@ fs/proc/arbitrary_pid: medium fs/proc/net_route: medium fs/proc/self_cgroup: medium fs/proc/self_mountinfo: medium +fs/tempdir/TEMP: low fs/tempdir/create: low fs/tempdir/tempfile_create: low fs/unmount: low @@ -89,6 +91,7 @@ net/http/oauth2: low net/http/post: medium net/http/proxy: low net/http/request: low +net/http/webhook: medium net/http/websocket: medium net/ip/host_port: medium net/ip/icmp: medium diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md index c59c9b16..c4183d01 100644 --- a/tests/linux/clean/cpack.md +++ b/tests/linux/clean/cpack.md @@ -34,8 +34,9 @@ | MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [CPACK_DOWNLOAD_ALL](https://github.com/search?q=CPACK_DOWNLOAD_ALL&type=code)
[CPACK_DOWNLOAD_SITE](https://github.com/search?q=CPACK_DOWNLOAD_SITE&type=code)
[CPACK_IFW_DOWNLOAD_ALL](https://github.com/search?q=CPACK_IFW_DOWNLOAD_ALL&type=code)
[CPACK_INNOSETUP_DOWNLOAD_COUNT_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_COUNT_INTERNAL&type=code)
[CPACK_INNOSETUP_DOWNLOAD_HASHES_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_HASHES_INTERNAL&type=code)
[CPACK_INNOSETUP_DOWNLOAD_URLS_INTERNAL](https://github.com/search?q=CPACK_INNOSETUP_DOWNLOAD_URLS_INTERNAL&type=code)
[CPACK_USES_DOWNLOAD](https://github.com/search?q=CPACK_USES_DOWNLOAD&type=code)
[Call DownloadFile](https://github.com/search?q=Call+DownloadFile&type=code)
[DOWNLOAD HASH mismatch](https://github.com/search?q=DOWNLOAD+HASH+mismatch&type=code)
[DOWNLOAD cannot set TLS](https://github.com/search?q=DOWNLOAD+cannot+set+TLS&type=code)
[DOWNLOAD cannot set http](https://github.com/search?q=DOWNLOAD+cannot+set+http&type=code)
[DOWNLOAD cannot set url](https://github.com/search?q=DOWNLOAD+cannot+set+url&type=code)
[DOWNLOAD cannot set user](https://github.com/search?q=DOWNLOAD+cannot+set+user&type=code)
[DOWNLOAD error](https://github.com/search?q=DOWNLOAD+error&type=code)
[DOWNLOAD missing ALGO](https://github.com/search?q=DOWNLOAD+missing+ALGO&type=code)
[DOWNLOAD missing VAR for](https://github.com/search?q=DOWNLOAD+missing+VAR+for&type=code)
[Maxdownload](https://github.com/search?q=Maxdownload&type=code)
[VERIFY_DOWNLOADS](https://github.com/search?q=VERIFY_DOWNLOADS&type=code)
[_DOWNLOADED](https://github.com/search?q=_DOWNLOADED&type=code)
[completely downloaded](https://github.com/search?q=completely+downloaded&type=code)
[compute hash on downloaded file](https://github.com/search?q=compute+hash+on+downloaded+file&type=code)
[cw_download_write](https://github.com/search?q=cw_download_write&type=code)
[download_write body](https://github.com/search?q=download_write+body&type=code)
[download_write header](https://github.com/search?q=download_write+header&type=code)
[for the URL download method](https://github.com/search?q=for+the+URL+download+method&type=code)
[hash on failed download](https://github.com/search?q=hash+on+failed+download&type=code)
[is already downloaded](https://github.com/search?q=is+already+downloaded&type=code)
[isDownloaded](https://github.com/search?q=isDownloaded&type=code)
[maxdownload](https://github.com/search?q=maxdownload&type=code)
[partial download completed](https://github.com/search?q=partial+download+completed&type=code)
[protected CPackDownloadArchives](https://github.com/search?q=protected+CPackDownloadArchives&type=code)
[protected CPackDownloadComponents](https://github.com/search?q=protected+CPackDownloadComponents&type=code)
[protected CPackDownloadCount](https://github.com/search?q=protected+CPackDownloadCount&type=code)
[protected CPackDownloadHashes](https://github.com/search?q=protected+CPackDownloadHashes&type=code)
[protected CPackDownloadUrls](https://github.com/search?q=protected+CPackDownloadUrls&type=code)
[skipping download as file already](https://github.com/search?q=skipping+download+as+file+already&type=code)
[t resume download](https://github.com/search?q=t+resume+download&type=code) | | MEDIUM | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value) | Invokes curl to download a file | [curl due to a build-time decision.](https://github.com/search?q=curl+due+to+a+build-time+decision.&type=code)
[curl function was given a bad argument](https://github.com/search?q=curl+function+was+given+a+bad+argument&type=code)
[curl is built without the HTTPS-proxy support.](https://github.com/search?q=curl+is+built+without+the+HTTPS-proxy+support.&type=code)
[curl lacks IDN support](https://github.com/search?q=curl+lacks+IDN+support&type=code)
[curl offers](https://github.com/search?q=curl+offers&type=code)
[curl understands](https://github.com/search?q=curl+understands&type=code)
[curl user interface](https://github.com/search?q=curl+user+interface&type=code) | | MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | -| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port) | connects to an arbitrary hostname:port | $host_port | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | | MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | | MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | @@ -86,7 +87,7 @@ | LOW | [fs/proc/pid_statistics](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-statistics.yara#proc_pid_stat_val) | access process stats using /pid/%d/stat | [/proc/%d/stat](https://github.com/search?q=%2Fproc%2F%25d%2Fstat&type=code) | | LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | | LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#tmpdir) | tmpdir | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | | LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [mktemp](https://github.com/search?q=mktemp&type=code) | @@ -94,7 +95,7 @@ | LOW | [net/ftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ftp/ftp.yara#ftp) | File Transfer Protocol (FTP) | [EPSV](https://github.com/search?q=EPSV&type=code) | | LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | | LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | -| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with basic authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | +| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | | LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code) | | LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | | LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | diff --git a/tests/linux/clean/default_config.json.simple b/tests/linux/clean/default_config.json.simple index 3fc00a2c..8ec8920b 100644 --- a/tests/linux/clean/default_config.json.simple +++ b/tests/linux/clean/default_config.json.simple @@ -59,6 +59,8 @@ net/dns/servers: low net/download: medium net/ftp/t: low net/http/cookies: medium +net/http/webhook: medium +net/ip/host_port: medium net/socket/connect: medium net/tcp/sftp: medium persist/cron/tab: medium diff --git a/tests/linux/clean/http-fingerprints.lua.simple b/tests/linux/clean/http-fingerprints.lua.simple index 65db663c..7aaad2df 100644 --- a/tests/linux/clean/http-fingerprints.lua.simple +++ b/tests/linux/clean/http-fingerprints.lua.simple @@ -5,6 +5,7 @@ 3P/threat_hunting/rapid7: medium 3P/threat_hunting/seclists: medium c2/tool_transfer/grayware: high +collect/archives/zip: medium collect/databases/mysql: medium collect/databases/sql: low credential/password: low diff --git a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple index 0326108f..523ccf31 100644 --- a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple +++ b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple @@ -84,6 +84,7 @@ net/download: medium net/http/post: medium net/http/request: low net/ip/addr: medium +net/ip/host_port: medium net/socket/listen: medium net/socket/send: low net/tcp/sftp: medium diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple index 7eaae24c..d1bd1d59 100644 --- a/tests/linux/clean/kuma-cp.simple 
+++ b/tests/linux/clean/kuma-cp.simple @@ -14,6 +14,7 @@ credential/server/htpasswd: medium credential/sniffer/bpf: medium credential/ssl/private_key: low crypto/aes: low +crypto/cipher: medium crypto/ecdsa: low crypto/ed25519: low crypto/tls: low @@ -78,6 +79,7 @@ fs/permission/chown: medium fs/permission/modify: medium fs/quota_manipulate: low fs/swap/on: low +fs/tempdir/TEMP: low fs/unmount: low fs/watch: low hw/dev/block_ice: medium @@ -99,6 +101,7 @@ net/http/oauth2: low net/http/post: medium net/http/proxy: low net/http/request: low +net/http/webhook: medium net/http/websocket: medium net/ip/host_port: medium net/ip/icmp: medium diff --git a/tests/linux/clean/libc.so.6.simple b/tests/linux/clean/libc.so.6.simple index d91d1355..731c2322 100644 --- a/tests/linux/clean/libc.so.6.simple +++ b/tests/linux/clean/libc.so.6.simple @@ -80,6 +80,7 @@ mem/anonymous_file: medium net/dns/reverse: medium net/dns/servers: low net/dns/txt: low +net/ip/host_port: medium net/ip/parse: medium net/ip/resolve: low net/ip/string: medium diff --git a/tests/linux/clean/libgcj.so.17.0.0.simple b/tests/linux/clean/libgcj.so.17.0.0.simple index 930a0c95..1a65b359 100644 --- a/tests/linux/clean/libgcj.so.17.0.0.simple +++ b/tests/linux/clean/libgcj.so.17.0.0.simple @@ -4,6 +4,7 @@ c2/addr/ip: medium credential/password: low credential/ssl/private_key: low crypto/aes: low +crypto/cipher: medium crypto/tls: low crypto/uuid: medium data/compression/bzip2: low @@ -68,6 +69,7 @@ net/http/post: medium net/http/proxy: low net/http/request: low net/ip: low +net/ip/host_port: medium net/ip/multicast_send: low net/ip/parse: medium net/ip/resolve: low diff --git a/tests/linux/clean/libgcj.so.17.simple b/tests/linux/clean/libgcj.so.17.simple index d8e4d63f..9329d6ab 100644 --- a/tests/linux/clean/libgcj.so.17.simple +++ b/tests/linux/clean/libgcj.so.17.simple 
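Review bot: The added `net/ip/host_port: medium` line in libc.so.6.simple, repeated in the busybox, nvim, libgcj, melange and mongosh fixtures in this chunk, shows the new rule firing on baseline system libraries and shells, which is a strong sign that its match strings (the code-oss.md row lists plain phrases such as `host, port`, `host:port` and `hostname, port`) are ordinary log and error text rather than an indicator, and a MEDIUM score for them will lift the risk of essentially every clean networked binary. The `crypto/cipher: medium` additions follow the same pattern: the renamed `mentions 'ciphertext'` rule now appears in the chrome, clickhouse, containerd, caddy, kuma-cp and opa clean fixtures, so both rules look like they need either a lower level or a second, more specific condition (for example a connect/dial string) before they score. The rule definitions themselves are outside this chunk, so this is inferred from the fixture deltas alone; it would be worth documenting in each rule's `meta:` why the score was chosen given these clean hits.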
@@ -4,6 +4,7 @@ c2/addr/ip: medium credential/password: low credential/ssl/private_key: low crypto/aes: low +crypto/cipher: medium crypto/tls: low crypto/uuid: medium data/compression/bzip2: low @@ -68,6 +69,7 @@ net/http/post: medium net/http/proxy: low net/http/request: low net/ip: low +net/ip/host_port: medium net/ip/multicast_send: low net/ip/parse: medium net/ip/resolve: low diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple index 28ddd93f..f8eaaa53 100644 --- a/tests/linux/clean/melange.simple +++ b/tests/linux/clean/melange.simple @@ -13,6 +13,7 @@ credential/password: low credential/sniffer/bpf: medium credential/ssl/private_key: low crypto/aes: low +crypto/cipher: medium crypto/ecdsa: low crypto/ed25519: low crypto/tls: low @@ -91,6 +92,7 @@ fs/permission/modify: medium fs/swap/off: low fs/swap/on: low fs/symlink_resolve: low +fs/tempdir/TEMP: low fs/tempdir/create: low fs/tempdir/tempfile_create: low fs/unmount: low @@ -114,6 +116,7 @@ net/http/post: medium net/http/proxy: low net/http/request: low net/ip: low +net/ip/host_port: medium net/ip/icmp: medium net/ip/parse: medium net/proxy/socks5: medium diff --git a/tests/linux/clean/misp_sample.ndjson.log.simple b/tests/linux/clean/misp_sample.ndjson.log.simple index 2e8742a3..d18f5b90 100644 --- a/tests/linux/clean/misp_sample.ndjson.log.simple +++ b/tests/linux/clean/misp_sample.ndjson.log.simple @@ -8,5 +8,6 @@ exec/shell/command: medium false-positives/filebeat: low impact/ransom/decryptor: medium impact/remote_access/backdoor: medium +net/ip/host_port: medium net/url/embedded: medium os/fd/multiplex: low diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple index 7c152f99..8c89406f 100644 --- a/tests/linux/clean/mongosh.simple +++ b/tests/linux/clean/mongosh.simple 
@@ -15,6 +15,7 @@ credential/password: low credential/sniffer/bpf: medium credential/ssl/private_key: low crypto/aes: low +crypto/cipher: medium crypto/ed25519: low crypto/file_encrypter: medium crypto/tls: low @@ -47,8 +48,10 @@ discover/processes/list: medium discover/system/hostname: low discover/system/platform: medium discover/system/sysinfo: medium +discover/user/APPDATA: low discover/user/HOME: low discover/user/USER: low +discover/user/USERPROFILE: medium discover/user/info: medium discover/user/name_get: low evasion/file/prefix: medium @@ -130,6 +133,7 @@ net/http/post: medium net/http/proxy: low net/http/request: low net/http/websocket: medium +net/ip/host_port: medium net/ip/icmp: medium net/ip/multicast_send: low net/ip/parse: medium diff --git a/tests/linux/clean/nvim.simple b/tests/linux/clean/nvim.simple index 5dacbcb3..ece74125 100644 --- a/tests/linux/clean/nvim.simple +++ b/tests/linux/clean/nvim.simple @@ -58,6 +58,7 @@ impact/remote_access/pseudo_terminal: medium net/dns/servers: low net/download/fetch: medium net/http/post: medium +net/ip/host_port: medium net/resolve/hostport_parse: low net/socket/listen: medium net/socket/local_addr: low diff --git a/tests/linux/clean/opa.simple b/tests/linux/clean/opa.simple index 775bc302..b40e0305 100644 --- a/tests/linux/clean/opa.simple +++ b/tests/linux/clean/opa.simple @@ -8,6 +8,7 @@ collect/archives/zip: medium credential/password: low credential/ssl/private_key: low crypto/aes: low +crypto/cipher: medium crypto/ecdsa: low crypto/ed25519: low crypto/tls: low @@ -51,6 +52,7 @@ fs/permission/chown: medium fs/permission/modify: medium fs/proc/self_cgroup: medium fs/proc/self_mountinfo: medium +fs/tempdir/TEMP: low fs/tempdir/tempfile_create: low fs/watch: low net/dns: low @@ -68,6 +70,7 @@ net/http/oauth2: low net/http/post: medium net/http/proxy: low net/http/request: low +net/ip/host_port: medium net/ip/icmp: medium net/ip/multicast_send: low net/ip/parse: medium 
diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md index 8818dbf5..46b53e1a 100644 --- a/tests/linux/clean/pandoc.md +++ b/tests/linux/clean/pandoc.md @@ -22,6 +22,7 @@ | MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) | | MEDIUM | [discover/process/egid](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/egid.yara#php_getmygid) | returns the effective group id of the current process | [getmygid](https://github.com/search?q=getmygid&type=code) | | MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | +| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) | | MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [CmdForListBodyStartCmd](https://github.com/search?q=CmdForListBodyStartCmd&type=code)
[SystemziProcess_runCommand1_closure](https://github.com/search?q=SystemziProcess_runCommand1_closure&type=code)
[SystemziProcess_runCommand1_info](https://github.com/search?q=SystemziProcess_runCommand1_info&type=code)
[SystemziProcess_runCommand2_closure](https://github.com/search?q=SystemziProcess_runCommand2_closure&type=code)
[SystemziProcess_runCommand3_bytes](https://github.com/search?q=SystemziProcess_runCommand3_bytes&type=code)
[SystemziProcess_runCommand_closure](https://github.com/search?q=SystemziProcess_runCommand_closure&type=code)
[SystemziProcess_runCommand_info](https://github.com/search?q=SystemziProcess_runCommand_info&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code) | @@ -50,9 +51,10 @@ | MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | | MEDIUM | [net/email/exotic_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/email/exotic_addr.yara#exotic_email_addr) | Contains an exotic email address | [bastianholst@gmx.de](https://github.com/search?q=bastianholst%40gmx.de&type=code)
[chris_hormann@gmx.de](https://github.com/search?q=chris_hormann%40gmx.de&type=code)
[langstefan@gmx.at](https://github.com/search?q=langstefan%40gmx.at&type=code)
[views@gmx.de](https://github.com/search?q=views%40gmx.de&type=code)
[zerokode@gmx.net](https://github.com/search?q=zerokode%40gmx.net&type=code) | | MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP_COOKIE](https://github.com/search?q=HTTP_COOKIE&type=code)
[http_cookie](https://github.com/search?q=http_cookie&type=code) | -| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | | MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [QWebSocketCorsAuthenticator](https://github.com/search?q=QWebSocketCorsAuthenticator&type=code)
[QWebSocketHandshakeOptions](https://github.com/search?q=QWebSocketHandshakeOptions&type=code)
[QWebSocketServer](https://github.com/search?q=QWebSocketServer&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#hostname_port) | connects to an arbitrary hostname:port | [hostname](https://github.com/search?q=hostname&type=code)
[port](https://github.com/search?q=port&type=code) | | MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping frame](https://github.com/search?q=ping+frame&type=code) | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | | MEDIUM | [net/ip/spoof](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/spoof.yara#spoof) | references spoofing | [Spoofchecker](https://github.com/search?q=Spoofchecker&type=code)
[spoofchecker](https://github.com/search?q=spoofchecker&type=code) | @@ -98,6 +100,7 @@ | LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | | LOW | [discover/system/machine_id](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/machine_id.yara#machineid) | Gets a unique machineid for the host | [machineid](https://github.com/search?q=machineid&type=code) | | LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | +| LOW | [discover/user/APPDATA](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/APPDATA.yara#APPDATA) | Looks up the application data directory for the current user | [APPDATA](https://github.com/search?q=APPDATA&type=code) | | LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) | @@ -126,7 +129,7 @@ | LOW | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#fchown) | May change file ownership | [fchown](https://github.com/search?q=fchown&type=code) | | LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | | LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#tmpdir) | tmpdir | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [mktemp](https://github.com/search?q=mktemp&type=code) | | LOW | [fs/unmount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/unmount.yara#umount) | unmount file system | [umount](https://github.com/search?q=umount&type=code) | @@ -136,7 +139,7 @@ | LOW | [net/ftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ftp/ftp.yara#ftp) | File Transfer Protocol (FTP) | [EPSV](https://github.com/search?q=EPSV&type=code) | | LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | | LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | -| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with basic authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
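Review bot: The new `fs/tempdir/TEMP` row documents the rule's description as the single word "temp", which tells an analyst nothing about what was detected; the match column shows the rule fires on `getenv` plus the bare word `temp`, so the description should name the behaviour, e.g. `looks up the TEMP environment variable`. The word `temp` on its own is also a very weak indicator in a clean fixture like this one, so it may be worth confirming the rule's strings are anchored to the environment-variable usage rather than any occurrence of "temp" (the rule source, rules/fs/tempdir/TEMP.yara, is not in this chunk). The same description surfaces in the qemu-system-xtensa.md and redis-server.aarch64.md rows further down, so fixing it at the rule will regenerate all of them together.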
[Www-Authenticate](https://github.com/search?q=Www-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | +| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[Www-Authenticate](https://github.com/search?q=Www-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | | LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | | LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code) | | LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | diff --git a/tests/linux/clean/pulumi.simple b/tests/linux/clean/pulumi.simple index 20fa2fb5..12490609 100644 --- a/tests/linux/clean/pulumi.simple +++ b/tests/linux/clean/pulumi.simple @@ -16,6 +16,7 @@ credential/password: low credential/ssl/private_key: low crypto/aes: low crypto/blockchain: medium +crypto/cipher: medium crypto/ecdsa: low crypto/ed25519: low crypto/tls: low diff --git a/tests/linux/clean/pypi_package_index.json.simple b/tests/linux/clean/pypi_package_index.json.simple index eeb51fa9..96b2d39a 100644 --- a/tests/linux/clean/pypi_package_index.json.simple +++ b/tests/linux/clean/pypi_package_index.json.simple @@ -69,9 +69,11 @@ 3P/threat_hunting/xsstrike: medium anti-static/obfuscation/obfuscate: low c2/discovery/dyndns: medium +c2/refs: medium c2/tool_transfer/download: medium c2/tool_transfer/dropper: medium collect/archives/unarchive: medium +collect/archives/zip: medium collect/databases/leveldb: medium collect/databases/mysql: medium collect/databases/postgresql: medium @@ -85,7 +87,9 @@ credential/sniffer/bpf: medium credential/ssh/d: medium credential/ssh/d_memory_map: high credential/ssl/private_key: low +crypto/aes: low crypto/blockchain: medium +crypto/cipher: medium crypto/ed25519: low crypto/fernet: medium crypto/file_encrypter: medium @@ -133,6 +137,7 @@ fs/mount: low fs/permission/modify: medium fs/proc/pid_cmdline: low fs/symlink_resolve: low +fs/tempdir/TEMP: low fs/watch: low hw/hardware_enumeration: medium hw/wireless: low 
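Review bot: The `net/http/auth` description now reads "makes HTTP requests with Bearer authentication", but the strings the row still matches are the `WWW-Authenticate` header variants, which is the generic challenge header for every scheme (Basic, Digest, Bearer, Negotiate), so the new wording over-claims relative to what the rule actually observes. A description that follows the evidence would be something like `handles HTTP authentication challenges (WWW-Authenticate)`; if the intent is really to detect Bearer tokens, the rule (rules/net/http/auth.yara, not in this chunk) would need a `Bearer` string of its own. As written, an analyst reading this report would infer token-based auth from a pandoc binary that only carries the header name.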
@@ -165,6 +170,8 @@ net/download: medium net/http/auth: low net/http/oauth2: low net/http/request: low +net/http/webhook: medium +net/ip/host_port: medium net/ip/multicast_send: low net/ip/spoof: medium net/proxy/reverse: medium diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md index 25b2d23e..fb55956c 100644 --- a/tests/linux/clean/qemu-system-xtensa.md +++ b/tests/linux/clean/qemu-system-xtensa.md @@ -6,9 +6,10 @@ | HIGH | [fs/proc/pid_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-cmdline.yara#proc_d_cmdline) | access command-line of other processes | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[add_port](https://github.com/search?q=add_port&type=code)
[ahci_port](https://github.com/search?q=ahci_port&type=code)
[and_port](https://github.com/search?q=and_port&type=code)
[be_port](https://github.com/search?q=be_port&type=code)
[claim_port](https://github.com/search?q=claim_port&type=code)
[clear_port](https://github.com/search?q=clear_port&type=code)
[compare_ip](https://github.com/search?q=compare_ip&type=code)
[ehci_port](https://github.com/search?q=ehci_port&type=code)
[extract_ip](https://github.com/search?q=extract_ip&type=code)
[find_port](https://github.com/search?q=find_port&type=code)
[fix_port](https://github.com/search?q=fix_port&type=code)
[get_ip](https://github.com/search?q=get_ip&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[handle_port](https://github.com/search?q=handle_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[hub_port](https://github.com/search?q=hub_port&type=code)
[megasas_port](https://github.com/search?q=megasas_port&type=code)
[mem_port](https://github.com/search?q=mem_port&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[metadata_ip](https://github.com/search?q=metadata_ip&type=code)
[mmio_port](https://github.com/search?q=mmio_port&type=code)
[mptsas_port](https://github.com/search?q=mptsas_port&type=code)
[ohci_port](https://github.com/search?q=ohci_port&type=code)
[pcie_port](https://github.com/search?q=pcie_port&type=code)
[register_port](https://github.com/search?q=register_port&type=code)
[release_port](https://github.com/search?q=release_port&type=code)
[remove_port](https://github.com/search?q=remove_port&type=code)
[reset_port](https://github.com/search?q=reset_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[spdm_port](https://github.com/search?q=spdm_port&type=code)
[state_port](https://github.com/search?q=state_port&type=code)
[throttle_port](https://github.com/search?q=throttle_port&type=code)
[uhci_port](https://github.com/search?q=uhci_port&type=code)
[update_ip](https://github.com/search?q=update_ip&type=code)
[upstream_port](https://github.com/search?q=upstream_port&type=code)
[usb_port](https://github.com/search?q=usb_port&type=code)
[virtser_port](https://github.com/search?q=virtser_port&type=code)
[write_port](https://github.com/search?q=write_port&type=code)
[xhci_port](https://github.com/search?q=xhci_port&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [vnc_init_basic_info_from_server_addr](https://github.com/search?q=vnc_init_basic_info_from_server_addr&type=code) | -| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#command_and_control) | Uses terms that may reference a command and control server | [c2_port](https://github.com/search?q=c2_port&type=code) | +| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#command_and_control) | Uses terms that may reference a command and control server | [C2_PORT](https://github.com/search?q=C2_PORT&type=code)
[c2_port](https://github.com/search?q=c2_port&type=code) | | MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) | | MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [~/.ssh/config](https://github.com/search?q=~%2F.ssh%2Fconfig&type=code) | +| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | | MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | | MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | 
@@ -33,6 +34,7 @@ | MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | | MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[WebSocket](https://github.com/search?q=WebSocket&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host and/or port](https://github.com/search?q=host+and%2For+port&type=code)
[host from port](https://github.com/search?q=host+from+port&type=code)
[host is not support](https://github.com/search?q=host+is+not+support&type=code)
[host port](https://github.com/search?q=host+port&type=code)
[host transport](https://github.com/search?q=host+transport&type=code)
[host,addr.port=port](https://github.com/search?q=host%2Caddr.port%3Dport&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host=addr,local.port](https://github.com/search?q=host%3Daddr%2Clocal.port&type=code)
[host=host,addr.port](https://github.com/search?q=host%3Dhost%2Caddr.port&type=code)
[host=host],port=port](https://github.com/search?q=host%3Dhost%5D%2Cport%3Dport&type=code)
[host]:port](https://github.com/search?q=host%5D%3Aport&type=code)
[host_get_port](https://github.com/search?q=host_get_port&type=code)
[host_support](https://github.com/search?q=host_support&type=code)
[host_user.support](https://github.com/search?q=host_user.support&type=code)
[host_user_support](https://github.com/search?q=host_user_support&type=code)
[hostaddr]:hostport](https://github.com/search?q=hostaddr%5D%3Ahostport&type=code)
[hostname port](https://github.com/search?q=hostname+port&type=code)
[hostname:s,port](https://github.com/search?q=hostname%3As%2Cport&type=code) | | MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping 0x](https://github.com/search?q=ping+0x&type=code) | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | | MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code) | @@ -79,6 +81,7 @@ | LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | | LOW | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#fchownat) | May change file ownership | [fchownat](https://github.com/search?q=fchownat&type=code) | | LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | | LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) | diff --git a/tests/linux/clean/redis-server.aarch64.md b/tests/linux/clean/redis-server.aarch64.md index 300e3d50..e2b3cf6a 100644 --- a/tests/linux/clean/redis-server.aarch64.md +++ b/tests/linux/clean/redis-server.aarch64.md @@ -18,6 +18,7 @@ | MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [RM_SendChildHeartbeat](https://github.com/search?q=RM_SendChildHeartbeat&type=code)
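Review bot: The `net/ip/host_port` match list recorded for this clean qemu binary includes `host is not support`, `host_support`, `host_user.support` and `host_user_support`, so the pattern is matching the "port" inside "support" rather than a host:port pair, and the MEDIUM "connects to an arbitrary hostname:port" verdict is not borne out by these strings. The rule source (rules/net/ip/host_port.yara) is not in this chunk, but the evidence suggests a loose regex of the form host-then-anything-then-port; requiring `port` to be a whole word, or excluding `support`, would remove these hits while keeping `host:port`, `host/port` and `hostname port`. Separately, the first entry in the match column is the literal `$host_port` rather than matched text (the redis-server.aarch64.md row below shows the same), which looks like the report renderer falling back to the string identifier; worth checking whether that is intended output for regex matches.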
[RedisModule_SendChildHeartbeat](https://github.com/search?q=RedisModule_SendChildHeartbeat&type=code) | | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | | MEDIUM | [net/ip/addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/addr.yara#ip_addr) | mentions an 'IP address' | [IP address](https://github.com/search?q=IP+address&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host-port](https://github.com/search?q=host-port&type=code)
[hostname and port](https://github.com/search?q=hostname+and+port&type=code) | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | | MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | | MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | @@ -39,6 +40,7 @@ | LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | | LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/myredis.conf](https://github.com/search?q=%2Fetc%2Fmyredis.conf&type=code)
[/etc/rc.local](https://github.com/search?q=%2Fetc%2Frc.local&type=code)
[/etc/redis/](https://github.com/search?q=%2Fetc%2Fredis%2F&type=code)
[/etc/sentinel.conf](https://github.com/search?q=%2Fetc%2Fsentinel.conf&type=code)
[/etc/sysctl.conf](https://github.com/search?q=%2Fetc%2Fsysctl.conf&type=code) | | LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | | LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | | LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | diff --git a/tests/linux/clean/rules.json.simple b/tests/linux/clean/rules.json.simple index d7329f5c..19649658 100644 --- a/tests/linux/clean/rules.json.simple +++ b/tests/linux/clean/rules.json.simple @@ -61,6 +61,8 @@ net/dns/servers: low net/download: medium net/ftp/t: low net/http/cookies: medium +net/http/webhook: medium +net/ip/host_port: medium net/socket/connect: medium net/tcp/sftp: medium persist/cron/tab: medium diff --git a/tests/linux/clean/searchindex.json.simple b/tests/linux/clean/searchindex.json.simple index c72e4667..ef02dec6 100644 --- a/tests/linux/clean/searchindex.json.simple +++ b/tests/linux/clean/searchindex.json.simple @@ -2,6 +2,7 @@ 3P/threat_hunting/dd: medium 3P/threat_hunting/keylogger: medium anti-static/obfuscation/obfuscate: low +c2/addr/discord: medium c2/tool_transfer/dropper: medium credential/keylogger: medium credential/password: low @@ -49,6 +50,7 @@ net/dns/servers: low net/dns/txt: low net/download/fetch: medium net/ip/addr: medium +net/ip/host_port: medium net/ip/icmp: medium net/ip/spoof: medium net/socket/listen: medium diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md index 8bb47627..8a27a074 100644 --- a/tests/linux/clean/slack.md +++ b/tests/linux/clean/slack.md @@ -19,6 +19,7 @@ | MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) | | MEDIUM | [credential/sniffer/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/sniffer/bpf.yara#sniffer_bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | | MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [.ssh](https://github.com/search?q=.ssh&type=code) | +| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | | MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | [#"!](https://github.com/search?q=%23%22%21&type=code)
$opt0
$opt1
$opt2
$opt30
$opt4
$opt5
$opt6
$opt7
['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[3210](https://github.com/search?q=3210&type=code)
[7654](https://github.com/search?q=7654&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[onml](https://github.com/search?q=onml&type=code)
[srqp](https://github.com/search?q=srqp&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[����](https://github.com/search?q=%83%82%81%80&type=code)
[����](https://github.com/search?q=%87%86%85%84&type=code)
[����](https://github.com/search?q=%8B%8A%89%88&type=code)
[����](https://github.com/search?q=%8F%8E%8D%8C&type=code)
[����](https://github.com/search?q=%93%92%91%90&type=code)
[����](https://github.com/search?q=%97%96%95%94&type=code)
[����](https://github.com/search?q=%9B%9A%99%98&type=code)
[����](https://github.com/search?q=%9F%9E%9D%9C&type=code)
[����](https://github.com/search?q=%A3%A2%A1%A0&type=code)
[����](https://github.com/search?q=%A7%A6%A5%A4&type=code)
[����](https://github.com/search?q=%AB%AA%A9%A8&type=code)
[����](https://github.com/search?q=%AF%AE%AD%AC&type=code)
[����](https://github.com/search?q=%B3%B2%B1%B0&type=code)
[����](https://github.com/search?q=%B7%B6%B5%B4&type=code)
[����](https://github.com/search?q=%BB%BA%B9%B8&type=code)
[����](https://github.com/search?q=%BF%BE%BD%BC&type=code)
[����](https://github.com/search?q=%C3%C2%C1%C0&type=code)
[����](https://github.com/search?q=%C7%C6%C5%C4&type=code)
[����](https://github.com/search?q=%CB%CA%C9%C8&type=code)
[����](https://github.com/search?q=%CF%CE%CD%CC&type=code)
[����](https://github.com/search?q=%D3%D2%D1%D0&type=code)
[����](https://github.com/search?q=%D7%D6%D5%D4&type=code)
[����](https://github.com/search?q=%DB%DA%D9%D8&type=code)
[����](https://github.com/search?q=%DF%DE%DD%DC&type=code)
[����](https://github.com/search?q=%E3%E2%E1%E0&type=code)
[����](https://github.com/search?q=%E7%E6%E5%E4&type=code)
[����](https://github.com/search?q=%EB%EA%E9%E8&type=code)
[����](https://github.com/search?q=%EF%EE%ED%EC&type=code)
[����](https://github.com/search?q=%F3%F2%F1%F0&type=code)
[����](https://github.com/search?q=%F7%F6%F5%F4&type=code)
[����](https://github.com/search?q=%FB%FA%F9%F8&type=code)
[����](https://github.com/search?q=%FF%FE%FD%FC&type=code) | | MEDIUM | [crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid) | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | | MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [DRVJUSUZJQ0FUR::$CERTIFICATE](https://github.com/search?q=DRVJUSUZJQ0FUR%3A%3A%24CERTIFICATE&type=code)
[Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[RpcmVjdG9ye::$directory](https://github.com/search?q=RpcmVjdG9ye%3A%3A%24directory&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | @@ -30,6 +31,7 @@ | MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | | MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | +| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) | | MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | | MEDIUM | [evasion/file/location/dev_shm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/dev-shm.yara#dev_shm) | references path within /dev/shm (world writeable) | [/dev/shm/](https://github.com/search?q=%2Fdev%2Fshm%2F&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/usr/lib/debug/.build-id](https://github.com/search?q=%2Fusr%2Flib%2Fdebug%2F.build-id&type=code) | @@ -66,9 +68,10 @@ | MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [DnsOverHttps](https://github.com/search?q=DnsOverHttps&type=code)
[application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) | | MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | | MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | -| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | | MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[AcceptWebSocket](https://github.com/search?q=AcceptWebSocket&type=code)
[DOMWebSocket](https://github.com/search?q=DOMWebSocket&type=code)
[EnclaveWebSocketClient](https://github.com/search?q=EnclaveWebSocketClient&type=code)
[OnWebSocketMessage](https://github.com/search?q=OnWebSocketMessage&type=code)
[OnWebSocketRequest](https://github.com/search?q=OnWebSocketRequest&type=code)
[ServerSupportsWebSocket](https://github.com/search?q=ServerSupportsWebSocket&type=code)
[WebSocket::Close](https://github.com/search?q=WebSocket%3A%3AClose&type=code)
[WebSocket::Connect](https://github.com/search?q=WebSocket%3A%3AConnect&type=code)
[WebSocket::Create](https://github.com/search?q=WebSocket%3A%3ACreate&type=code)
[WebSocket::GetBufferedAmount](https://github.com/search?q=WebSocket%3A%3AGetBufferedAmount&type=code)
[WebSocket::GetCloseCode](https://github.com/search?q=WebSocket%3A%3AGetCloseCode&type=code)
[WebSocket::GetCloseReason](https://github.com/search?q=WebSocket%3A%3AGetCloseReason&type=code)
[WebSocket::GetCloseWasClean](https://github.com/search?q=WebSocket%3A%3AGetCloseWasClean&type=code)
[WebSocket::GetExtensions](https://github.com/search?q=WebSocket%3A%3AGetExtensions&type=code)
[WebSocket::GetProtocol](https://github.com/search?q=WebSocket%3A%3AGetProtocol&type=code)
[WebSocket::GetReadyState](https://github.com/search?q=WebSocket%3A%3AGetReadyState&type=code)
[WebSocket::GetURL](https://github.com/search?q=WebSocket%3A%3AGetURL&type=code)
[WebSocket::IsWebSocket](https://github.com/search?q=WebSocket%3A%3AIsWebSocket&type=code)
[WebSocket::ReceiveMessage](https://github.com/search?q=WebSocket%3A%3AReceiveMessage&type=code)
[WebSocket::SendMessage](https://github.com/search?q=WebSocket%3A%3ASendMessage&type=code)
[WebSocketAdapter](https://github.com/search?q=WebSocketAdapter&type=code)
[WebSocketAuthenticationHandler](https://github.com/search?q=WebSocketAuthenticationHandler&type=code)
[WebSocketChannelImpl](https://github.com/search?q=WebSocketChannelImpl&type=code)
[WebSocketCloseInfo](https://github.com/search?q=WebSocketCloseInfo&type=code)
[WebSocketConnector](https://github.com/search?q=WebSocketConnector&type=code)
[WebSocketCreate](https://github.com/search?q=WebSocketCreate&type=code)
[WebSocketDestroy](https://github.com/search?q=WebSocketDestroy&type=code)
[WebSocketError](https://github.com/search?q=WebSocketError&type=code)
[WebSocketHTTPURL](https://github.com/search?q=WebSocketHTTPURL&type=code)
[WebSocketHandshakeClient](https://github.com/search?q=WebSocketHandshakeClient&type=code)
[WebSocketInit](https://github.com/search?q=WebSocketInit&type=code)
[WebSocketMessageChunkAccumulator::Segment](https://github.com/search?q=WebSocketMessageChunkAccumulator%3A%3ASegment&type=code)
[WebSocketReceiveHandshakeResponse](https://github.com/search?q=WebSocketReceiveHandshakeResponse&type=code)
[WebSocketSendData](https://github.com/search?q=WebSocketSendData&type=code)
[WebSocketSendHandshakeRequest](https://github.com/search?q=WebSocketSendHandshakeRequest&type=code)
[WebSocketSticky](https://github.com/search?q=WebSocketSticky&type=code)
[WebSocketStream::Delegate::OnAuthRequired](https://github.com/search?q=WebSocketStream%3A%3ADelegate%3A%3AOnAuthRequired&type=code)
[WebSocketStreamOptions](https://github.com/search?q=WebSocketStreamOptions&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code)
[establishWebSocketConnection](https://github.com/search?q=establishWebSocketConnection&type=code)
[kWebSocketURL:](https://github.com/search?q=kWebSocketURL%3A&type=code)
[testWebSocketPort](https://github.com/search?q=testWebSocketPort&type=code)
[webSocketClosed](https://github.com/search?q=webSocketClosed&type=code)
[webSocketCreated](https://github.com/search?q=webSocketCreated&type=code)
[webSocketDebuggerUrl](https://github.com/search?q=webSocketDebuggerUrl&type=code)
[webSocketFrameError](https://github.com/search?q=webSocketFrameError&type=code)
[webSocketFrameReceived](https://github.com/search?q=webSocketFrameReceived&type=code)
[webSocketFrameSent](https://github.com/search?q=webSocketFrameSent&type=code)
[webSocketHandshakeResponseReceived](https://github.com/search?q=webSocketHandshakeResponseReceived&type=code)
[webSocketProtocol](https://github.com/search?q=webSocketProtocol&type=code)
[webSocketWillSendHandshakeRequest](https://github.com/search?q=webSocketWillSendHandshakeRequest&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host",t.port](https://github.com/search?q=host%22%2Ct.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+++origin_port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+origin_port&type=code)
[host, port](https://github.com/search?q=host%2C+port&type=code)
[host, protocol, port](https://github.com/search?q=host%2C+protocol%2C+port&type=code)
[host,r.port=e.port](https://github.com/search?q=host%2Cr.port%3De.port&type=code)
[host.length - port](https://github.com/search?q=host.length+-+port&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host: address, port](https://github.com/search?q=host%3A+address%2C+port&type=code)
[host:]port](https://github.com/search?q=host%3A%5Dport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host=null,this.port](https://github.com/search?q=host%3Dnull%2Cthis.port&type=code)
[host>:[host_import](https://github.com/search?q=host_import&type=code)
[hostname && A.port](https://github.com/search?q=hostname+%26%26+A.port&type=code)
[hostname, port](https://github.com/search?q=hostname%2C+port&type=code)
[hostname="",r.port](https://github.com/search?q=hostname%3D%22%22%2Cr.port&type=code)
[hostname=null,e.port](https://github.com/search?q=hostname%3Dnull%2Ce.port&type=code)
[hostname}${port](https://github.com/search?q=hostname%7D%24%7Bport&type=code)
[hostname}:${port](https://github.com/search?q=hostname%7D%3A%24%7Bport&type=code)
[host}${port](https://github.com/search?q=host%7D%24%7Bport&type=code)
[host}:${port](https://github.com/search?q=host%7D%3A%24%7Bport&type=code) | | MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping err](https://github.com/search?q=ping++err&type=code)
[ping cancelled](https://github.com/search?q=ping+cancelled&type=code)
[ping connectivity probe](https://github.com/search?q=ping+connectivity+probe&type=code)
[ping failures and](https://github.com/search?q=ping+failures+and&type=code)
[ping from zygote child](https://github.com/search?q=ping+from+zygote+child&type=code)
[ping interval to](https://github.com/search?q=ping+interval+to&type=code)
[ping interval.](https://github.com/search?q=ping+interval.&type=code)
[ping last_ping_sent_:](https://github.com/search?q=ping+last_ping_sent_%3A&type=code)
[ping libuv](https://github.com/search?q=ping+libuv&type=code)
[ping most likely connection to](https://github.com/search?q=ping+most+likely+connection+to&type=code)
[ping payload must be 8 bytes](https://github.com/search?q=ping+payload+must+be+8+bytes&type=code)
[ping received](https://github.com/search?q=ping+received&type=code)
[ping response](https://github.com/search?q=ping+response&type=code)
[ping was sent and the ack](https://github.com/search?q=ping+was+sent+and+the+ack&type=code)
[ping with high retransmit count:](https://github.com/search?q=ping+with+high+retransmit+count%3A&type=code) | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | | MEDIUM | [net/ip/spoof](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/spoof.yara#spoof) | references spoofing | [of hostname spoofing](https://github.com/search?q=of+hostname+spoofing&type=code)
[protocol spoofing](https://github.com/search?q=protocol+spoofing&type=code) | @@ -140,7 +143,7 @@ | LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/cache/fontconfig](https://github.com/search?q=%2Fvar%2Fcache%2Ffontconfig&type=code)
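Review bot: The new `net/ip/host_port` row in this hunk claims the binary "connects to an arbitrary hostname:port", but the strings it lists as evidence — `host.length - port`, `host",t.port`, `host:]port`, `hostname}:${port` — are URL-formatting and usage-text fragments, not an outbound connection, so a MEDIUM hit on a clean Slack build reads as a false positive driven by the description rather than the match. The rule in `rules/net/ip/host_port.yara` (not in view) should either describe what it actually detects, e.g. `references a host:port pair`, or additionally require a connect/dial primitive before it claims a connection. The same hunk also adds the bare lowercase string `post` to `net/http/form_upload`; as a substring it will match unrelated text such as "postMessage" or "postpone", so it probably wants a `fullword` qualifier or a longer anchor.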
[/var/run/user](https://github.com/search?q=%2Fvar%2Frun%2Fuser&type=code)
[/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | | LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | | LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TEMPDIR](https://github.com/search?q=TEMPDIR&type=code)
[TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#tmpdir) | tmpdir | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | | LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | @@ -151,7 +154,7 @@ | LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
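Review bot: The renamed `fs/tempdir/TEMP` rule in this hunk now describes itself as just `temp`, which tells a triager nothing, and the row shows it fires on `TEMP`, `getenv` and the four-letter substring `temp`. The old description `tmpdir` was equally uninformative; a rule that accepts `temp` as evidence needs a precise description such as `reads the TEMP environment variable` and, unless the YARA source (not in view) already uses it, a `fullword` qualifier on `temp`, since the bare substring matches "template", "attempt" and similar. Elsewhere in this diff the same rule fires on tree-sitter and on another fixture with only `getenv` and `temp` listed and no `TEMP` at all, which suggests the condition accepts either spelling on its own; if that is intended the description should say so, otherwise the condition should require the uppercase variable name.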
[dns](https://github.com/search?q=dns&type=code) | | LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | | LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | -| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with basic authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | +| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | | LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [oauth2](https://github.com/search?q=oauth2&type=code) | | LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | | LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[httpClose](https://github.com/search?q=httpClose&type=code)
[httpConnect](https://github.com/search?q=httpConnect&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code) | diff --git a/tests/linux/clean/slirp4netns.simple b/tests/linux/clean/slirp4netns.simple index 170920e7..dca0fee8 100644 --- a/tests/linux/clean/slirp4netns.simple +++ b/tests/linux/clean/slirp4netns.simple @@ -74,6 +74,7 @@ net/dns/servers: low net/dns/txt: low net/download: medium net/ip/addr: medium +net/ip/host_port: medium net/ip/icmp: low net/ip/multicast_send: low net/ip/resolve: low diff --git a/tests/linux/clean/sonarlint-metadata.json.simple b/tests/linux/clean/sonarlint-metadata.json.simple index ac464e30..f3f66e9e 100644 --- a/tests/linux/clean/sonarlint-metadata.json.simple +++ b/tests/linux/clean/sonarlint-metadata.json.simple @@ -4,11 +4,13 @@ 3P/threat_hunting/owasp: medium c2/addr/ip: medium c2/tool_transfer/dropper: high +collect/archives/zip: medium collect/databases/mysql: medium collect/databases/sql: low credential/password: low credential/ssl/private_key: low crypto/aes: low +crypto/cipher: medium crypto/ed25519: low crypto/uuid: medium data/encoding/json_decode: low @@ -47,6 +49,7 @@ net/http/post: medium net/http/request: low net/http/websocket: medium net/ip/addr: medium +net/ip/host_port: medium net/ip/spoof: medium net/socket/listen: medium net/socket/send: low diff --git a/tests/linux/clean/sshd.simple b/tests/linux/clean/sshd.simple index 1a71d7b0..0ef381d9 100644 --- a/tests/linux/clean/sshd.simple +++ b/tests/linux/clean/sshd.simple @@ -49,6 +49,7 @@ fs/tempdir/create: low impact/remote_access/agent: medium impact/remote_access/reverse_shell: medium impact/ui/x11_auth: medium +net/ip/host_port: medium net/ip/string: medium net/proxy/socks5: medium net/proxy/tunnel: medium diff --git a/tests/linux/clean/sudo.simple b/tests/linux/clean/sudo.simple index 957da6b2..b9baf8c2 100644 --- a/tests/linux/clean/sudo.simple +++ b/tests/linux/clean/sudo.simple 
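Review bot: The `net/http/auth` description in this hunk changes from "basic authentication" to "Bearer authentication", but the matched strings are unchanged — `WWW-Authenticate`/`www-authenticate` — and that header is the generic HTTP challenge header carrying whichever scheme the server offers (Basic, Digest, Bearer, Negotiate), so the new wording is no more accurate than the old. Either describe what is actually matched, e.g. `handles HTTP authentication challenges (WWW-Authenticate)`, or make the rule in `rules/net/http/auth.yara` (not in view) require a `Bearer` string before it claims Bearer. As written, a triager reading this fixture would infer bearer-token handling that the listed evidence does not show.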
@@ -28,7 +28,9 @@ fs/path/var: low
 fs/permission/chown: low
 fs/proc/arbitrary_pid: medium
 fs/proc/pid_exe: medium
+fs/tempdir/TEMP: low
 fs/tempdir/tempfile_create: low
+net/ip/host_port: medium
 net/ip/string: medium
 net/socket/listen: medium
 net/socket/local_addr: low
diff --git a/tests/linux/clean/tree-sitter.md b/tests/linux/clean/tree-sitter.md
index 47948914..1527a0ec 100644
--- a/tests/linux/clean/tree-sitter.md
+++ b/tests/linux/clean/tree-sitter.md
@@ -28,6 +28,7 @@
 | LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) |
 | LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.cache/Homebrew/cargo_cache/registry/src/index.crates.](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.cache%2FHomebrew%2Fcargo_cache%2Fregistry%2Fsrc%2Findex.crates.&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/tree-sitter/0.24.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftree-sitter%2F0.24.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code) | | LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | | LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | | LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple index b53d2fbd..966443e8 100644 --- a/tests/linux/clean/trivy.simple +++ b/tests/linux/clean/trivy.simple @@ -4,6 +4,7 @@ 3P/threat_hunting/hijacker: medium 3P/threat_hunting/linkedint: medium 3P/threat_hunting/privilegeescalation: medium +c2/addr/discord: medium c2/addr/http_dynamic: medium c2/addr/ip: medium c2/addr/server: medium @@ -27,6 +28,7 @@ credential/sniffer/bpf: medium credential/ssl/private_key: low crypto/aes: low crypto/blockchain: medium +crypto/cipher: medium crypto/ecdsa: low crypto/ed25519: low crypto/tls: low @@ -149,6 +151,7 @@ net/http/oauth2: low net/http/post: medium net/http/proxy: low net/http/request: low +net/http/webhook: medium net/http/websocket: medium net/ip: low net/ip/host_port: medium diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md index 92e5ed85..4f706bd1 100644 --- a/tests/linux/clean/trufflehog.md +++ b/tests/linux/clean/trufflehog.md @@ -23,9 +23,11 @@ | MEDIUM | [3P/threat_hunting/trufflehog](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#truffleHog_offensive_tool_keyword) | [references 'truffleHog' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [/trufflehog.git](https://github.com/search?q=%2Ftrufflehog.git&type=code)
[https://trufflesecurity.com/canaries](https://trufflesecurity.com/canaries)
[trufflesecurity/trufflehog](https://github.com/search?q=trufflesecurity%2Ftrufflehog&type=code) | | MEDIUM | [3P/threat_hunting/userenum](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#UserEnum_offensive_tool_keyword) | [references 'UserEnum' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [userenum](https://github.com/search?q=userenum&type=code) | | MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | +| MEDIUM | [c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord) | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) | | MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba](http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba)
[https://%s.api.mailchimp.com/3.0/https](https://%s.api.mailchimp.com/3.0/https)
[https://%s.api.mailchimp.com/3.0https](https://%s.api.mailchimp.com/3.0https)
[https://%s.billomat.net/api/v2/clients/myself](https://%s.billomat.net/api/v2/clients/myself)
[https://%s.caspio.com/oauth/tokenhttps](https://%s.caspio.com/oauth/tokenhttps)
[https://%s.currencycloud.com](https://%s.currencycloud.com)
[https://%s.fibery.io/api/commandsTruffleHog3](https://%s.fibery.io/api/commandsTruffleHog3)
[https://%s.flowlu.com/api/v1/module/crm/lead/list](https://%s.flowlu.com/api/v1/module/crm/lead/list)
[https://%s.formsite.com/api/v2/](https://%s.formsite.com/api/v2/)
[https://%s.kanbantool.com/api/v3/users/current.jsonhttps](https://%s.kanbantool.com/api/v3/users/current.jsonhttps)
[https://%s.leankit.com/io/accounthttps](https://%s.leankit.com/io/accounthttps)
[https://%s.s3](https://%s.s3)
[https://%s.salesmate.io/apis/v3/companies/1](https://%s.salesmate.io/apis/v3/companies/1)
[https://%s.scalr.io/api/iacp/v3/agentshttps](https://%s.scalr.io/api/iacp/v3/agentshttps)
[https://%s.vouchery.io/api/v2.0/usershttps](https://%s.vouchery.io/api/v2.0/usershttps)
[https://%s/account.json](https://%s/account.json)
[https://%s/admin/api/2024](https://%s/admin/api/2024)
[https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR](https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR)
[https://%s/api/laml/2010](https://%s/api/laml/2010)
[https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx](https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx)
[https://%s/api/v1/projects](https://%s/api/v1/projects)
[https://%s/api/v1/sources](https://%s/api/v1/sources)
[https://%s/api/v1/users/meopsgenie.com/alert/detail/https](https://%s/api/v1/users/meopsgenie.com/alert/detail/https)
[https://%s/api/v1/userserror](https://%s/api/v1/userserror)
[https://%s/api/v2/tickets](https://%s/api/v2/tickets)
[https://%s/api/v3/users/current.json](https://%s/api/v3/users/current.json)
[https://%s/auth/oauth2/v2/tokenhttps](https://%s/auth/oauth2/v2/tokenhttps)
[https://%s/invoices.json](https://%s/invoices.json)
[https://%s/v2/lastUpdateTimeBeamer](https://%s/v2/lastUpdateTimeBeamer)
[https://%sSCRAM](https://%sSCRAM) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[aIp](https://github.com/search?q=aIp&type=code)
[a_ip](https://github.com/search?q=a_ip&type=code)
[accel_port](https://github.com/search?q=accel_port&type=code)
[allowed_port](https://github.com/search?q=allowed_port&type=code)
[announce_port](https://github.com/search?q=announce_port&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[fastly_ip](https://github.com/search?q=fastly_ip&type=code)
[firewall_ip](https://github.com/search?q=firewall_ip&type=code)
[geo_ip](https://github.com/search?q=geo_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[htcp_port](https://github.com/search?q=htcp_port&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[i_ip](https://github.com/search?q=i_ip&type=code)
[icp_port](https://github.com/search?q=icp_port&type=code)
[in_ip](https://github.com/search?q=in_ip&type=code)
[ip_port](https://github.com/search?q=ip_port&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[lookupPort](https://github.com/search?q=lookupPort&type=code)
[m_ip](https://github.com/search?q=m_ip&type=code)
[miss_port](https://github.com/search?q=miss_port&type=code)
[nIp](https://github.com/search?q=nIp&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[old_ip](https://github.com/search?q=old_ip&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pages_ip](https://github.com/search?q=pages_ip&type=code)
[parsePort](https://github.com/search?q=parsePort&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[privateIp](https://github.com/search?q=privateIp&type=code)
[relay_port](https://github.com/search?q=relay_port&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[routedPort](https://github.com/search?q=routedPort&type=code)
[snmp_port](https://github.com/search?q=snmp_port&type=code)
[snmpd_port](https://github.com/search?q=snmpd_port&type=code)
[stripPort](https://github.com/search?q=stripPort&type=code)
[tIp](https://github.com/search?q=tIp&type=code)
[vIp](https://github.com/search?q=vIp&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [ConnectServer](https://github.com/search?q=ConnectServer&type=code) | +| MEDIUM | [c2/addr/telegram](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/telegram.yara#telegram) | telegram | [Telegram](https://github.com/search?q=Telegram&type=code)
[telegram.org](https://github.com/search?q=telegram.org&type=code) | | MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | | MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#download_ref) | downloads files | [download file](https://github.com/search?q=download+file&type=code) | | MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [UnarchiveProject](https://github.com/search?q=UnarchiveProject&type=code)
[unarchiveadmin](https://github.com/search?q=unarchiveadmin&type=code)
[unarchiveapp_configurations](https://github.com/search?q=unarchiveapp_configurations&type=code) | @@ -37,6 +39,7 @@ | MEDIUM | [credential/cloud/g](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/cloud/gcloud.yara#gcloud_config_value) | Access gcloud configuration files | [.config/gcloud](https://github.com/search?q=.config%2Fgcloud&type=code)
[application_default_credentials.json](https://github.com/search?q=application_default_credentials.json&type=code) | | MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) | | MEDIUM | [crypto/blockchain](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/blockchain.yara#blockchain) | blockchain | [blockchain](https://github.com/search?q=blockchain&type=code) | +| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | | MEDIUM | [data/compression/xz](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/xz.yara#xz_lib) | uses xz library | [ulikunitz/xz](https://github.com/search?q=ulikunitz%2Fxz&type=code) | | MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [DRVJUSUZJQ0FUR::$CERTIFICATE](https://github.com/search?q=DRVJUSUZJQ0FUR%3A%3A%24CERTIFICATE&type=code)
[Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | | MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) | @@ -77,8 +80,9 @@ | MEDIUM | [net/http/content_length](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length.yara#content_length_0) | Sets HTTP content length to zero | [Content-Length: 0](https://github.com/search?q=Content-Length%3A+0&type=code) | | MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | | MEDIUM | [net/http/fake_user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/fake-user-agent.yara#fake_user_agent_chrome) | pretends to be Chrome | [(KHTML, like Gecko) Chrome](https://github.com/search?q=%28KHTML%2C+like+Gecko%29+Chrome&type=code) | -| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/http/webhook](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/webhook.yara#webhook) | supports webhooks | [CustomRegexWebhook](https://github.com/search?q=CustomRegexWebhook&type=code)
[DiscordWebhook](https://github.com/search?q=DiscordWebhook&type=code)
[GetWebhookSecret](https://github.com/search?q=GetWebhookSecret&type=code)
[IncomingWebhook](https://github.com/search?q=IncomingWebhook&type=code)
[KeypipelineWebhooksCategoryread_apiReporterorg](https://github.com/search?q=KeypipelineWebhooksCategoryread_apiReporterorg&type=code)
[MicrosoftTeamsWebhook](https://github.com/search?q=MicrosoftTeamsWebhook&type=code)
[NewWebhookCustomRegex](https://github.com/search?q=NewWebhookCustomRegex&type=code)
[Sessionwebhook](https://github.com/search?q=Sessionwebhook&type=code)
[SlackWebhook](https://github.com/search?q=SlackWebhook&type=code)
[TinesWebhook](https://github.com/search?q=TinesWebhook&type=code)
[Webhook1protobuf](https://github.com/search?q=Webhook1protobuf&type=code)
[WebhookAction](https://github.com/search?q=WebhookAction&type=code)
[WebhookH](https://github.com/search?q=WebhookH&type=code)
[WebhookMultiError](https://github.com/search?q=WebhookMultiError&type=code)
[WebhookResult](https://github.com/search?q=WebhookResult&type=code)
[WebhookSubuser](https://github.com/search?q=WebhookSubuser&type=code)
[WebhookValidationError](https://github.com/search?q=WebhookValidationError&type=code)
[Webhook_Header](https://github.com/search?q=Webhook_Header&type=code)
[Webhook_Vector](https://github.com/search?q=Webhook_Vector&type=code)
[ZapierWebhook](https://github.com/search?q=ZapierWebhook&type=code)
[discordwebhook](https://github.com/search?q=discordwebhook&type=code)
[getWebhooksPermission](https://github.com/search?q=getWebhooksPermission&type=code)
[isWebhook_Credential](https://github.com/search?q=isWebhook_Credential&type=code)
[isWebhook_Data](https://github.com/search?q=isWebhook_Data&type=code)
[microsoftteamswebhook](https://github.com/search?q=microsoftteamswebhook&type=code)
[readwebhooks](https://github.com/search?q=readwebhooks&type=code)
[slackwebhook](https://github.com/search?q=slackwebhook&type=code)
[tineswebhook](https://github.com/search?q=tineswebhook&type=code)
[verifyWebhook](https://github.com/search?q=verifyWebhook&type=code)
[webhook_endpoints](https://github.com/search?q=webhook_endpoints&type=code)
[webhook_read](https://github.com/search?q=webhook_read&type=code)
[webhook_secret](https://github.com/search?q=webhook_secret&type=code)
[webhook_write](https://github.com/search?q=webhook_write&type=code)
[webhookaction](https://github.com/search?q=webhookaction&type=code)
[webhookb2](https://github.com/search?q=webhookb2&type=code)
[writewebhooks](https://github.com/search?q=writewebhooks&type=code) | | MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#go_scan_tool_val) | Uses struct with JSON representations for host:port | [json:"host"](https://github.com/search?q=json%3A%22host%22&type=code)
[json:"hostname"](https://github.com/search?q=json%3A%22hostname%22&type=code)
[json:"ip"](https://github.com/search?q=json%3A%22ip%22&type=code)
[json:"port"](https://github.com/search?q=json%3A%22port%22&type=code) | | MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping interval to minimum period of](https://github.com/search?q=ping+interval+to+minimum+period+of&type=code)
[ping not acked within timeout](https://github.com/search?q=ping+not+acked+within+timeout&type=code) | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#ip_go) | parses IP address (IPv4 or IPv6) | [IsLinkLocalUnicast](https://github.com/search?q=IsLinkLocalUnicast&type=code)
[IsSingleIP](https://github.com/search?q=IsSingleIP&type=code) | @@ -154,7 +158,7 @@ | LOW | [fs/swap/off](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/swap/swap-off.yara#swapoff) | stop swapping to a file/device | [swapoff](https://github.com/search?q=swapoff&type=code) | | LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | | LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#tmpdir) | tmpdir | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [temp dir](https://github.com/search?q=temp+dir&type=code) | | LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | @@ -166,8 +170,8 @@ | LOW | [net/ftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ftp/ftp.yara#ftp) | File Transfer Protocol (FTP) | [ftp.Dial](https://github.com/search?q=ftp.Dial&type=code) | | LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | | LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | -| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with basic authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[Www-Authenticate](https://github.com/search?q=Www-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | -| LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [oauth2](https://github.com/search?q=oauth2&type=code) | +| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[Www-Authenticate](https://github.com/search?q=Www-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | +| LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [OAuth 2](https://github.com/search?q=OAuth+2&type=code)
[oauth2](https://github.com/search?q=oauth2&type=code) | | LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | | LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code) | | LOW | [net/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets) | access the internet | [invalid packet](https://github.com/search?q=invalid+packet&type=code) | diff --git a/tests/linux/clean/viewgam.md b/tests/linux/clean/viewgam.md index 178bd9f9..4857a812 100644 --- a/tests/linux/clean/viewgam.md +++ b/tests/linux/clean/viewgam.md @@ -10,5 +10,6 @@ | LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSON.parse](https://github.com/search?q=JSON.parse&type=code) | | LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | | LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [InstantPluginATXCtrl](https://github.com/search?q=InstantPluginATXCtrl&type=code)
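Review bot: The new description on the net/http/auth row, `makes HTTP requests with Bearer authentication`, is not supported by the match strings the same row lists: the only evidence is the `WWW-Authenticate` / `Www-Authenticate` / `www-authenticate` header, which is the generic HTTP challenge header and is emitted for Basic, Digest and Bearer challenges alike. This fixture is generated from rules/net/http/auth.yara (linked from the row), so the mismatch presumably lives in that rule's description rather than in this file, and the same wording change appears in pkg/action/testdata/scan_archive. If the rule now also keys on a Bearer-specific string, the MatchStrings column should show it; otherwise a scheme-neutral wording such as `handles HTTP authentication challenges (WWW-Authenticate)` would describe what the rule actually detects and avoid over-stating the finding to analysts triaging reports.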
[plugins](https://github.com/search?q=plugins&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://github.com/x3dom/x3dom/tree/](https://github.com/x3dom/x3dom/tree/) | diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple index 10da5965..ab9654b6 100644 --- a/tests/linux/clean/wolfictl.simple +++ b/tests/linux/clean/wolfictl.simple @@ -23,6 +23,7 @@ credential/server/htpasswd: medium credential/ssl/private_key: low crypto/aes: low crypto/blockchain: medium +crypto/cipher: medium crypto/ecdsa: low crypto/ed25519: low crypto/tls: low @@ -138,7 +139,9 @@ net/http/oauth2: low net/http/post: medium net/http/proxy: low net/http/request: low +net/http/webhook: medium net/ip: low +net/ip/host_port: medium net/ip/icmp: medium net/ip/multicast_send: low net/ip/parse: medium diff --git a/tests/linux/clean/zipdetails.md b/tests/linux/clean/zipdetails.md index 5eef21d5..debb7835 100644 --- a/tests/linux/clean/zipdetails.md +++ b/tests/linux/clean/zipdetails.md 
@@ -4,7 +4,7 @@ |--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | MEDIUM | [anti-static/obfuscation/bitwise](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#bidirectional_bitwise_math) | [uses bitwise math in both directions](https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection) | [1 << 
0](https://github.com/search?q=1+%3C%3C+0&type=code)
[1 << 11](https://github.com/search?q=1+%3C%3C+11&type=code)
[1 << 3](https://github.com/search?q=1+%3C%3C+3&type=code)
[1 << 4](https://github.com/search?q=1+%3C%3C+4&type=code)
[1 << 5](https://github.com/search?q=1+%3C%3C+5&type=code)
[1 << 6](https://github.com/search?q=1+%3C%3C+6&type=code)
[2 << 1](https://github.com/search?q=2+%3C%3C+1&type=code)
[dt << 1](https://github.com/search?q=dt+%3C%3C+1&type=code)
[dt >> 11](https://github.com/search?q=dt+%3E%3E+11&type=code)
[dt >> 16](https://github.com/search?q=dt+%3E%3E+16&type=code)
[dt >> 21](https://github.com/search?q=dt+%3E%3E+21&type=code)
[dt >> 25](https://github.com/search?q=dt+%3E%3E+25&type=code)
[dt >> 5](https://github.com/search?q=dt+%3E%3E+5&type=code)
[got << 8](https://github.com/search?q=got+%3C%3C+8&type=code)
[gp >> 1](https://github.com/search?q=gp+%3E%3E+1&type=code) | | MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#excessive_hex_refs) | many references to hexadecimal values | [0x0001](https://github.com/search?q=0x0001&type=code)
[0x0007](https://github.com/search?q=0x0007&type=code)
[0x0008](https://github.com/search?q=0x0008&type=code)
[0x0009](https://github.com/search?q=0x0009&type=code)
[0x000a](https://github.com/search?q=0x000a&type=code)
[0x000c](https://github.com/search?q=0x000c&type=code)
[0x000d](https://github.com/search?q=0x000d&type=code)
[0x000e](https://github.com/search?q=0x000e&type=code)
[0x000f](https://github.com/search?q=0x000f&type=code)
[0x0014](https://github.com/search?q=0x0014&type=code)
[0x0015](https://github.com/search?q=0x0015&type=code)
[0x0016](https://github.com/search?q=0x0016&type=code)
[0x0017](https://github.com/search?q=0x0017&type=code)
[0x0018](https://github.com/search?q=0x0018&type=code)
[0x0019](https://github.com/search?q=0x0019&type=code)
[0x0020](https://github.com/search?q=0x0020&type=code)
[0x0021](https://github.com/search?q=0x0021&type=code)
[0x0022](https://github.com/search?q=0x0022&type=code)
[0x0023](https://github.com/search?q=0x0023&type=code)
[0x0065](https://github.com/search?q=0x0065&type=code)
[0x0066](https://github.com/search?q=0x0066&type=code)
[0x01](https://github.com/search?q=0x01&type=code)
[0x02014b50](https://github.com/search?q=0x02014b50&type=code)
[0x03](https://github.com/search?q=0x03&type=code)
[0x04034b50](https://github.com/search?q=0x04034b50&type=code)
[0x05054b50](https://github.com/search?q=0x05054b50&type=code)
[0x06054b50](https://github.com/search?q=0x06054b50&type=code)
[0x06064b50](https://github.com/search?q=0x06064b50&type=code)
[0x07064b50](https://github.com/search?q=0x07064b50&type=code)
[0x07c8](https://github.com/search?q=0x07c8&type=code)
[0x08064b50](https://github.com/search?q=0x08064b50&type=code)
[0x08074b50](https://github.com/search?q=0x08074b50&type=code)
[0x0f](https://github.com/search?q=0x0f&type=code)
[0x10000000](https://github.com/search?q=0x10000000&type=code)
[0x19DB1DED](https://github.com/search?q=0x19DB1DED&type=code)
[0x1f](https://github.com/search?q=0x1f&type=code)
[0x20](https://github.com/search?q=0x20&type=code)
[0x2146444e](https://github.com/search?q=0x2146444e&type=code)
[0x2605](https://github.com/search?q=0x2605&type=code)
[0x2705](https://github.com/search?q=0x2705&type=code)
[0x2805](https://github.com/search?q=0x2805&type=code)
[0x334d](https://github.com/search?q=0x334d&type=code)
[0x3e](https://github.com/search?q=0x3e&type=code)
[0x3f](https://github.com/search?q=0x3f&type=code)
[0x4154](https://github.com/search?q=0x4154&type=code)
[0x42726577](https://github.com/search?q=0x42726577&type=code)
[0x4341](https://github.com/search?q=0x4341&type=code)
[0x4453](https://github.com/search?q=0x4453&type=code)
[0x4690](https://github.com/search?q=0x4690&type=code)
[0x4704](https://github.com/search?q=0x4704&type=code)
[0x470f](https://github.com/search?q=0x470f&type=code)
[0x4854](https://github.com/search?q=0x4854&type=code)
[0x4b46](https://github.com/search?q=0x4b46&type=code)
[0x4c41](https://github.com/search?q=0x4c41&type=code)
[0x4d49](https://github.com/search?q=0x4d49&type=code)
[0x4d63](https://github.com/search?q=0x4d63&type=code)
[0x4f4c](https://github.com/search?q=0x4f4c&type=code)
[0x504b4453](https://github.com/search?q=0x504b4453&type=code)
[0x5356](https://github.com/search?q=0x5356&type=code)
[0x5455](https://github.com/search?q=0x5455&type=code)
[0x554e](https://github.com/search?q=0x554e&type=code)
[0x5855](https://github.com/search?q=0x5855&type=code)
[0x5a4c](https://github.com/search?q=0x5a4c&type=code)
[0x5a4d](https://github.com/search?q=0x5a4d&type=code)
[0x6375](https://github.com/search?q=0x6375&type=code)
[0x6542](https://github.com/search?q=0x6542&type=code)
[0x6854](https://github.com/search?q=0x6854&type=code)
[0x6dff800d](https://github.com/search?q=0x6dff800d&type=code)
[0x7075](https://github.com/search?q=0x7075&type=code)
[0x7109871a](https://github.com/search?q=0x7109871a&type=code)
[0x71777777](https://github.com/search?q=0x71777777&type=code)
[0x7441](https://github.com/search?q=0x7441&type=code)
[0x756e](https://github.com/search?q=0x756e&type=code)
[0x7855](https://github.com/search?q=0x7855&type=code)
[0x7875](https://github.com/search?q=0x7875&type=code)
[0x7FFF](https://github.com/search?q=0x7FFF&type=code)
[0x7f](https://github.com/search?q=0x7f&type=code)
[0x8000](https://github.com/search?q=0x8000&type=code)
[0x9901](https://github.com/search?q=0x9901&type=code)
[0xA220](https://github.com/search?q=0xA220&type=code)
[0xCAFE](https://github.com/search?q=0xCAFE&type=code)
[0xE9F3F9F0](https://github.com/search?q=0xE9F3F9F0&type=code)
[0xFFFFFFFF](https://github.com/search?q=0xFFFFFFFF&type=code)
[0xa11e](https://github.com/search?q=0xa11e&type=code)
[0xf05368c0](https://github.com/search?q=0xf05368c0&type=code)
[0xfb4a](https://github.com/search?q=0xfb4a&type=code)
[0xff3b5998](https://github.com/search?q=0xff3b5998&type=code)
[\x00](https://github.com/search?q=%5Cx00&type=code)
[\x01](https://github.com/search?q=%5Cx01&type=code) | -| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [ZIP64](https://github.com/search?q=ZIP64&type=code)
[zip files](https://github.com/search?q=zip+files&type=code) | +| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [ZIP64](https://github.com/search?q=ZIP64&type=code)
[zip files](https://github.com/search?q=zip+files&type=code)
[zipfile](https://github.com/search?q=zipfile&type=code) | | MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | | LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | | LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/opt/perl/bin/perl](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fperl%2Fbin%2Fperl&type=code) | diff --git a/tests/macOS/2024.BeaverTail/client_5346.py.simple b/tests/macOS/2024.BeaverTail/client_5346.py.simple index 71e1b84c..5bf67d1c 100644 --- a/tests/macOS/2024.BeaverTail/client_5346.py.simple +++ b/tests/macOS/2024.BeaverTail/client_5346.py.simple @@ -12,6 +12,7 @@ exec/install_additional/pip_install: high exec/program: medium fs/directory/create: low fs/file/delete: low +fs/file/exists: low fs/file/open: low net/download: medium net/url/request: medium diff --git a/tests/macOS/2024.Previewers/Previewers.simple b/tests/macOS/2024.Previewers/Previewers.simple index 6e704fdf..dd33052c 100644 --- a/tests/macOS/2024.Previewers/Previewers.simple +++ b/tests/macOS/2024.Previewers/Previewers.simple @@ -28,6 +28,7 @@ fs/directory/remove: low fs/file/delete: low fs/path/etc: low fs/path/users: medium +fs/tempdir/TEMP: low fs/tempdir/tempfile_create: low hw/disk_info: medium malware/family/rustdoor: critical @@ -38,6 +39,7 @@ net/http/auth: low net/http/post: medium net/http/proxy: low net/http/request: low +net/ip/host_port: medium net/ip/icmp: medium net/proxy/tunnel: medium net/resolve/hostport_parse: low 
diff --git a/tests/macOS/2024.Rustdoor/localfile.simple b/tests/macOS/2024.Rustdoor/localfile.simple
index 83343585..d8a9c484 100644
--- a/tests/macOS/2024.Rustdoor/localfile.simple
+++ b/tests/macOS/2024.Rustdoor/localfile.simple
@@ -46,6 +46,7 @@ fs/path/users: medium
 fs/path/var: low
 fs/permission/modify: medium
 fs/tempdir: low
+fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
 hw/disk_info: medium
 impact/remote_access/reverse_shell: medium
@@ -58,6 +59,7 @@ net/http/cookies: medium
 net/http/post: medium
 net/http/proxy: low
 net/http/request: low
+net/ip/host_port: medium
 net/resolve/hostport_parse: low
 net/socket/connect: medium
 net/socket/listen: medium
diff --git a/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple b/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple
index b121ab26..46eb9421 100644
--- a/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple
+++ b/tests/macOS/2024.cobaltstrike/EDnFsVAEbP.simple
@@ -27,12 +27,14 @@ fs/file/truncate: low
 fs/path/dev: medium
 fs/path/usr_local: medium
 fs/permission/modify: medium
+fs/tempdir/TEMP: low
 impact/remote_access/heartbeat: medium
 lateral/scan/tool: medium
 malware/framework/cobalt_strike: high
 net/http/post: medium
 net/http/request: low
 net/ip/addr: medium
+net/ip/host_port: medium
 net/ip/parse: medium
 net/ip/string: medium
 net/proxy/tunnel: medium
diff --git a/tests/npm/2024.noblox/postinstall.js.json b/tests/npm/2024.noblox/postinstall.js.json
index fd11f5f1..cb4f9ed2 100644
--- a/tests/npm/2024.noblox/postinstall.js.json
+++ b/tests/npm/2024.noblox/postinstall.js.json
@@ -1994,6 +1994,17 @@
 "ID": "net/http/post",
 "RuleName": "http_post"
 },
+ {
+ "Description": "supports webhooks",
+ "MatchStrings": [
+ "webhook"
+ ],
+ "RiskScore": 2,
+ "RiskLevel": "MEDIUM",
+ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/webhook.yara#webhook",
+ "ID": "net/http/webhook",
+ "RuleName": "webhook"
+ },
 {
 "Description": "gets very excited",
 "MatchStrings": [
diff --git a/tests/npm/2024.testerrrrrrrrrr/init.js.simple b/tests/npm/2024.testerrrrrrrrrr/init.js.simple
index 7544cae2..7c2347ee 100644
--- a/tests/npm/2024.testerrrrrrrrrr/init.js.simple
+++ b/tests/npm/2024.testerrrrrrrrrr/init.js.simple
@@ -8,5 +8,6 @@ exec/shell/exec: medium
 exfil/nodejs: critical
 net/http/form_upload: medium
 net/http/post: medium
+net/ip/host_port: medium
 net/resolve/hostname: medium
 net/url/parse: low
diff --git a/tests/php/clean/composer-2.7.7.simple b/tests/php/clean/composer-2.7.7.simple
index beac662a..8db9635f 100644
--- a/tests/php/clean/composer-2.7.7.simple
+++ b/tests/php/clean/composer-2.7.7.simple
@@ -21,8 +21,10 @@ data/encoding/base64: low
 data/encoding/reverse: low
 discover/system/hostname: low
 discover/system/platform: low
+discover/user/APPDATA: low
 discover/user/HOME: low
 discover/user/USER: low
+discover/user/USERPROFILE: low
 evasion/file/prefix: medium
 evasion/hijack_execution/DYLD_LIBRARY_PATH: medium
 exec/cmd: medium
@@ -48,18 +50,21 @@ fs/path/usr_bin: low
 fs/path/var: low
 fs/permission/modify: medium
 fs/symlink_resolve: low
+fs/tempdir/TEMP: low
 fs/tempdir/create: low
 fs/tempdir/tempfile_create: low
 lateral/scan/target_ip: medium
 lateral/scan/tool: medium
 net/download/fetch: medium
 net/http/accept_encoding: low
+net/http/auth: low
 net/http/form_upload: medium
 net/http/oauth2: low
 net/http/post: medium
 net/http/proxy: low
 net/http/request: low
 net/ip/addr: medium
+net/ip/host_port: medium
 net/ip/parse: medium
 net/resolve/hostname: low
 net/socket/listen: medium
diff --git a/tests/python/2021.DiscordSafety/setup.py.simple b/tests/python/2021.DiscordSafety/setup.py.simple
index 45f1515a..26f8ee2a 100644
--- a/tests/python/2021.DiscordSafety/setup.py.simple
+++ b/tests/python/2021.DiscordSafety/setup.py.simple
@@ -2,6 +2,7 @@
 anti-static/obfuscation/hex: medium
 anti-static/obfuscation/python: critical
 anti-static/unmarshal/marshal: high
+c2/addr/discord: medium
 c2/addr/url: high
 c2/tool_transfer/download: high
 collect/databases/leveldb: medium
@@ -9,7 +10,7 @@ data/encoding/base64: low
 data/encoding/marshal: medium
 exec/imports/python: low
 exec/program: medium
-exec/remote_commands/code_eval: medium
+exec/remote_commands/code_eval: critical
 exfil/stealer/browser: high
 fs/directory/create: low
 fs/path/users: medium
diff --git a/tests/python/2022.activedevbadge-0.39/setup.py.simple b/tests/python/2022.activedevbadge-0.39/setup.py.simple
index 45e0c906..a230b231 100644
--- a/tests/python/2022.activedevbadge-0.39/setup.py.simple
+++ b/tests/python/2022.activedevbadge-0.39/setup.py.simple
@@ -5,6 +5,7 @@ exec/imports/python: low
 exec/program: medium
 fs/directory/create: low
 fs/directory/list: low
+fs/file/exists: low
 fs/file/rename: low
 impact/remote_access/py_setuptools: high
 net/url/embedded: low
diff --git a/tests/python/2023.JokerSpy/shared.dat.simple b/tests/python/2023.JokerSpy/shared.dat.simple
index 9cc437ee..8484b44f 100644
--- a/tests/python/2023.JokerSpy/shared.dat.simple
+++ b/tests/python/2023.JokerSpy/shared.dat.simple
@@ -19,6 +19,8 @@ fs/file/open: low
 fs/file/read: low
 fs/file/write: low
 fs/tempdir: low
+net/http/form_upload: medium
+net/http/post: medium
 net/url/embedded: low
 net/url/request: medium
 os/fd/read: low
diff --git a/tests/python/2023.aiohttp/setup.py.simple b/tests/python/2023.aiohttp/setup.py.simple
index b68da3c9..adb22227 100644
--- a/tests/python/2023.aiohttp/setup.py.simple
+++ b/tests/python/2023.aiohttp/setup.py.simple
@@ -5,7 +5,9 @@ anti-static/obfuscation/python: high
 anti-static/obfuscation/python_setuptools: medium
 discover/system/platform: medium
 exec/conditional/is_admin: medium
+exec/dylib/windll: medium
 fs/directory/create: low
 fs/directory/traverse: medium
+fs/file/exists: low
 fs/file/open: low
 impact/remote_access/py_setuptools: critical
diff --git a/tests/python/2023.axderz-1.0.4/setup.py.simple b/tests/python/2023.axderz-1.0.4/setup.py.simple
index de0578ed..ca9bd461 100644
--- a/tests/python/2023.axderz-1.0.4/setup.py.simple
+++ b/tests/python/2023.axderz-1.0.4/setup.py.simple
@@ -9,6 +9,7 @@ exec/imports/python: low
 exec/program: medium
 exec/shell/power: medium
 exfil/stealer/ssh: critical
+fs/file/exists: low
 fs/file/open: low
 fs/file/read: low
 impact/remote_access/py_setuptools: critical
diff --git a/tests/python/2024.Custom.RAT/output.py.simple b/tests/python/2024.Custom.RAT/output.py.simple
index 9f1a8a26..17d698a9 100644
--- a/tests/python/2024.Custom.RAT/output.py.simple
+++ b/tests/python/2024.Custom.RAT/output.py.simple
@@ -5,10 +5,12 @@
 3P/threat_hunting/netsh: medium
 3P/threat_hunting/powershell: medium
 3P/threat_hunting/pupy: medium
+c2/addr/discord: medium
 collect/databases/leveldb: medium
 credential/clipboard: medium
 credential/keylogger: high
 credential/password: low
+crypto/ssl: low
 data/base64/decode: medium
 data/encoding/base64: low
 data/encoding/json_decode: low
@@ -19,11 +21,13 @@ discover/network/interface_list: medium
 discover/process/name: medium
 discover/system/platform: medium
 discover/system/sysinfo: medium
+discover/user/APPDATA: low
 discover/user/USER: low
 discover/user/name_get: low
 exec/cmd/pipe: medium
 exec/conditional/is_admin: medium
 exec/conditional/root_check: medium
+exec/dylib/windll: medium
 exec/imports/python: low
 exec/program: medium
 exec/shell/command: medium
@@ -31,19 +35,22 @@ exec/shell/power: medium
 exfil/discord: critical
 exfil/stealer/browser: high
 exfil/stealer/discord: high
-exfil/stealer/keylogger: high
+exfil/stealer/keylogger: critical
 fs/directory/create: low
 fs/directory/list: low
 fs/directory/traverse: medium
 fs/file/delete: low
+fs/file/exists: low
 fs/file/open: low
 fs/file/read: medium
 fs/tempdir/TEMP: low
 hw/webcam: medium
+impact/degrade/bluescreen: high
 impact/degrade/panic: medium
 impact/degrade/win_defender: critical
 net/download: medium
 net/http/fake_user_agent: medium
+net/http/form_upload: medium
 net/http/post: medium
 net/http/request: low
 net/url/embedded: low
diff --git a/tests/python/2024.RookeryCapital_PythonTest/obfuscated.py.simple b/tests/python/2024.RookeryCapital_PythonTest/obfuscated.py.simple
index 85554adb..e3a827d0 100644
--- a/tests/python/2024.RookeryCapital_PythonTest/obfuscated.py.simple
+++ b/tests/python/2024.RookeryCapital_PythonTest/obfuscated.py.simple
@@ -1,9 +1,11 @@
-# python/2024.RookeryCapital_PythonTest/obfuscated.py: high
+# python/2024.RookeryCapital_PythonTest/obfuscated.py: critical
 anti-static/base64/eval: high
 anti-static/obfuscation/python: high
 data/base64/decode: medium
 data/encoding/base64: low
 discover/system/platform: medium
 exec/imports/python: low
-exec/remote_commands/code_eval: medium
+exec/remote_commands/code_eval: high
+net/http/form_upload: medium
+net/http/post: medium
 net/url/request: medium
diff --git a/tests/python/2024.coloredtxt/os.py.simple b/tests/python/2024.coloredtxt/os.py.simple
index 73036b97..b2b8ea11 100644
--- a/tests/python/2024.coloredtxt/os.py.simple
+++ b/tests/python/2024.coloredtxt/os.py.simple
@@ -8,11 +8,13 @@ exec/cmd/pipe: medium
 exec/imports/python: high
 exec/program: medium
 exec/program/background: low
+exec/remote_commands/code_eval: high
 fs/directory/create: low
 fs/directory/remove: low
 fs/directory/traverse: medium
 fs/fifo_create: low
 fs/file/delete: low
+fs/file/exists: low
 fs/file/flags_change: low
 fs/file/open: low
 fs/file/times_set: medium
diff --git a/tests/python/2024.coloredtxt/unhex.py.simple b/tests/python/2024.coloredtxt/unhex.py.simple
index 27aacc1c..ea03087a 100644
--- a/tests/python/2024.coloredtxt/unhex.py.simple
+++ b/tests/python/2024.coloredtxt/unhex.py.simple
@@ -2,3 +2,4 @@
 anti-static/obfuscation/hex: high
 data/encoding/base64: low
 exec/imports/python: high
+exec/remote_commands/code_eval: high
diff --git a/tests/python/2024.desktop_nuke/707dc1355c9dfa01d8b47db5d83193170a9a03b9b98b76b6a9e5c0692949e43d.py.simple b/tests/python/2024.desktop_nuke/707dc1355c9dfa01d8b47db5d83193170a9a03b9b98b76b6a9e5c0692949e43d.py.simple
new file mode 100644
index 00000000..5b2eb084
--- /dev/null
+++ b/tests/python/2024.desktop_nuke/707dc1355c9dfa01d8b47db5d83193170a9a03b9b98b76b6a9e5c0692949e43d.py.simple
@@ -0,0 +1,10 @@
+# python/2024.desktop_nuke/707dc1355c9dfa01d8b47db5d83193170a9a03b9b98b76b6a9e5c0692949e43d.py: critical
+discover/user/USERPROFILE: medium
+exec/dylib/windll: medium
+exec/imports/python: low
+fs/directory/list: low
+fs/file/delete: medium
+impact/degrade/bluescreen: high
+impact/shutdown: high
+impact/wipe/desktop: critical
+os/env/get: low
diff --git a/tests/python/2024.krypton_ddos/b2d4cc2ecf9919bf84ce9ce83bb6b99b68a78181c1976a4f72526c3085096f99.py.simple b/tests/python/2024.krypton_ddos/b2d4cc2ecf9919bf84ce9ce83bb6b99b68a78181c1976a4f72526c3085096f99.py.simple
new file mode 100644
index 00000000..7a802e73
--- /dev/null
+++ b/tests/python/2024.krypton_ddos/b2d4cc2ecf9919bf84ce9ce83bb6b99b68a78181c1976a4f72526c3085096f99.py.simple
@@ -0,0 +1,32 @@
+# python/2024.krypton_ddos/b2d4cc2ecf9919bf84ce9ce83bb6b99b68a78181c1976a4f72526c3085096f99.py: critical
+anti-static/obfuscation/python: medium
+c2/addr/ip: medium
+c2/connect/ping_pong: medium
+c2/refs: high
+credential/password: low
+data/random/insecure: low
+exec/imports/python: low
+fs/file/open: low
+fs/file/read: low
+impact/remote_access/agent: medium
+net/download: medium
+net/http/fake_user_agent: medium
+net/http/request: low
+net/ip/host_port: medium
+net/ip/icmp: medium
+net/ip/spoof: high
+net/proxy/socks5: medium
+net/socket/connect: medium
+net/socket/raw: medium
+net/socket/receive: low
+net/socket/send: low
+net/ssl/socket: medium
+net/tcp/attack: medium
+net/tcp/synflood: medium
+net/udp/attack: high
+net/url/embedded: low
+net/url/parse: low
+net/url/request: medium
+persist/daemon: medium
+process/multi: medium
+process/multithreaded: medium
diff --git a/tests/python/2024.obfuscation/066ebdd750911c0209f31499ffe672ff29c3ea4ec1c660f441729efdb7f2d5a4.py.simple b/tests/python/2024.obfuscation/066ebdd750911c0209f31499ffe672ff29c3ea4ec1c660f441729efdb7f2d5a4.py.simple
index 47c2d996..778afeb6 100644
--- a/tests/python/2024.obfuscation/066ebdd750911c0209f31499ffe672ff29c3ea4ec1c660f441729efdb7f2d5a4.py.simple
+++ b/tests/python/2024.obfuscation/066ebdd750911c0209f31499ffe672ff29c3ea4ec1c660f441729efdb7f2d5a4.py.simple
@@ -1,3 +1,4 @@
 # python/2024.obfuscation/066ebdd750911c0209f31499ffe672ff29c3ea4ec1c660f441729efdb7f2d5a4.py: critical
 anti-static/obfuscation/hex: medium
+anti-static/obfuscation/python: low
 anti-static/packer/py_kramer: critical
diff --git a/tests/python/2024.obfuscation/1366b919c5beae38d407b7bf136815ba1d1d679017b97af7e9ed84d035559520.py.simple b/tests/python/2024.obfuscation/1366b919c5beae38d407b7bf136815ba1d1d679017b97af7e9ed84d035559520.py.simple
index 70da7fcd..c9d548fb 100644
--- a/tests/python/2024.obfuscation/1366b919c5beae38d407b7bf136815ba1d1d679017b97af7e9ed84d035559520.py.simple
+++ b/tests/python/2024.obfuscation/1366b919c5beae38d407b7bf136815ba1d1d679017b97af7e9ed84d035559520.py.simple
@@ -2,5 +2,6 @@
 anti-static/obfuscation/python: high
 data/base64/decode: medium
 data/encoding/base64: low
+exec/dylib/windll: medium
 mem/protect: high
 net/dns/txt: low
diff --git a/tests/python/2024.obfuscation/aad310cf4f61a89a34cf6b454ef481e07ebc515e26da7d9b9854fd24665a1a96.py.simple b/tests/python/2024.obfuscation/aad310cf4f61a89a34cf6b454ef481e07ebc515e26da7d9b9854fd24665a1a96.py.simple
new file mode 100644
index 00000000..1c57b3e9
--- /dev/null
+++ b/tests/python/2024.obfuscation/aad310cf4f61a89a34cf6b454ef481e07ebc515e26da7d9b9854fd24665a1a96.py.simple
@@ -0,0 +1,12 @@
+# python/2024.obfuscation/aad310cf4f61a89a34cf6b454ef481e07ebc515e26da7d9b9854fd24665a1a96.py: critical
+collect/archives/zip: medium
+crypto/aes: high
+crypto/cipher: medium
+data/base64/decode: medium
+data/encoding/base64: low
+exec/imports/python: high
+fs/file/open: low
+fs/file/read: medium
+net/url/embedded: low
+os/fd/read: low
+os/fd/write: low
diff --git a/tests/python/2024.obfuscation/kramer2.py.simple b/tests/python/2024.obfuscation/kramer2.py.simple
new file mode 100644
index 00000000..14136fae
--- /dev/null
+++ b/tests/python/2024.obfuscation/kramer2.py.simple
@@ -0,0 +1,6 @@
+# python/2024.obfuscation/kramer2.py: critical
+anti-static/obfuscation/hex: high
+anti-static/obfuscation/python: high
+anti-static/packer/py_kramer: critical
+fs/file/open: low
+os/fd/read: low
diff --git a/tests/python/2024.pyobfuscate/4aa577b492b38c0334b7d2783526a263394e3a4bb349383cbc45786ae2b79b42.py.simple b/tests/python/2024.pyobfuscate/4aa577b492b38c0334b7d2783526a263394e3a4bb349383cbc45786ae2b79b42.py.simple
new file mode 100644
index 00000000..136721bd
--- /dev/null
+++ b/tests/python/2024.pyobfuscate/4aa577b492b38c0334b7d2783526a263394e3a4bb349383cbc45786ae2b79b42.py.simple
@@ -0,0 +1,5 @@
+# python/2024.pyobfuscate/4aa577b492b38c0334b7d2783526a263394e3a4bb349383cbc45786ae2b79b42.py: critical
+anti-static/obfuscation/obfuscate: low
+anti-static/obfuscation/python: critical
+anti-static/packer/pyobfuscate: high
+net/url/embedded: low
diff --git a/tests/python/2024.runpython/344006eb4fc501c3937e121409b1f2af1f3f272109ca644755b3f83feb5edb01.py.simple b/tests/python/2024.runpython/344006eb4fc501c3937e121409b1f2af1f3f272109ca644755b3f83feb5edb01.py.simple
new file mode 100644
index 00000000..479f09d8
--- /dev/null
+++ b/tests/python/2024.runpython/344006eb4fc501c3937e121409b1f2af1f3f272109ca644755b3f83feb5edb01.py.simple
@@ -0,0 +1,13 @@
+# python/2024.runpython/344006eb4fc501c3937e121409b1f2af1f3f272109ca644755b3f83feb5edb01.py: critical
+crypto/fernet: medium
+discover/user/APPDATA: medium
+evasion/indicator_blocking/hidden_window: medium
+exec/imports/python: low
+exec/program: medium
+exec/remote_commands/code_eval: critical
+exec/script/python: high
+fs/directory/create: low
+fs/file/exists: low
+fs/file/open: low
+fs/file/write: low
+os/fd/write: low
diff --git a/tests/python/clean/conda-build/_load_setup_py_data.py.simple b/tests/python/clean/conda-build/_load_setup_py_data.py.simple
index 860f2ecb..8572bf45 100644
--- a/tests/python/clean/conda-build/_load_setup_py_data.py.simple
+++ b/tests/python/clean/conda-build/_load_setup_py_data.py.simple
@@ -1,6 +1,7 @@
 # python/clean/conda-build/_load_setup_py_data.py: medium
 exec/imports/python: low
 exec/remote_commands/code_eval: medium
+fs/file/exists: low
 fs/file/open: low
 impact/remote_access/py_setuptools: low
 net/download: medium
diff --git a/tests/python/clean/google-cloud-sdk/mysql.py.simple b/tests/python/clean/google-cloud-sdk/mysql.py.simple
index b8336f84..cff40b79 100644
--- a/tests/python/clean/google-cloud-sdk/mysql.py.simple
+++ b/tests/python/clean/google-cloud-sdk/mysql.py.simple
@@ -4,6 +4,7 @@ credential/password: low
 exec/imports/python: low
 fs/directory/create: low
 fs/file/copy: medium
+fs/file/exists: low
 fs/file/open: low
 fs/path/etc: low
 fs/path/etc_initd: medium
diff --git a/tests/python/clean/hatch/migrate.py.simple b/tests/python/clean/hatch/migrate.py.simple
index b4ad0aec..a5462350 100644
--- a/tests/python/clean/hatch/migrate.py.simple
+++ b/tests/python/clean/hatch/migrate.py.simple
@@ -7,6 +7,7 @@ false-positives/py_hatch: low
 fs/directory/list: low
 fs/file/open: low
 fs/symlink_resolve: low
+fs/tempdir/TEMP: low
 net/download: medium
 os/fd/read: low
 os/fd/write: low
diff --git a/tests/python/clean/jaraco/__init__.py.simple b/tests/python/clean/jaraco/__init__.py.simple
index cf91229f..5194dced 100644
--- a/tests/python/clean/jaraco/__init__.py.simple
+++ b/tests/python/clean/jaraco/__init__.py.simple
@@ -7,6 +7,7 @@ fs/directory/create: low
 fs/directory/list: low
 fs/directory/remove: low
 fs/file/delete: low
+fs/file/exists: low
 fs/permission/modify: medium
 fs/tempdir/create: low
 net/download: medium
diff --git a/tests/python/clean/magic_trace/magic_trace.py.simple b/tests/python/clean/magic_trace/magic_trace.py.simple
index be8346c6..9ae641ce 100644
--- a/tests/python/clean/magic_trace/magic_trace.py.simple
+++ b/tests/python/clean/magic_trace/magic_trace.py.simple
@@ -2,6 +2,7 @@
 c2/tool_transfer/python: medium
 exec/imports/python: low
 exec/program: medium
+fs/file/exists: low
 fs/path/tmp: medium
 fs/permission/modify: medium
 net/download: medium
diff --git a/tests/python/clean/numba/support.py.simple b/tests/python/clean/numba/support.py.simple
index 49527331..e6901034 100644
--- a/tests/python/clean/numba/support.py.simple
+++ b/tests/python/clean/numba/support.py.simple
@@ -11,6 +11,7 @@ fs/file/open: low
 fs/file/read: low
 fs/file/write: low
 fs/tempdir: low
+fs/tempdir/TEMP: low
 fs/tempdir/create: low
 net/url/embedded: low
 os/fd/read: low
diff --git a/tests/python/clean/numpy/misc_util.py.simple b/tests/python/clean/numpy/misc_util.py.simple
index d8333111..d3e34d90 100644
--- a/tests/python/clean/numpy/misc_util.py.simple
+++ b/tests/python/clean/numpy/misc_util.py.simple
@@ -9,6 +9,7 @@ exec/shell/command: medium
 fs/directory/list: low
 fs/directory/traverse: medium
 fs/file/delete: low
+fs/file/exists: low
 fs/file/open: low
 fs/file/write: low
 fs/path/home: low
@@ -17,6 +18,7 @@ fs/path/usr_bin: low
 fs/path/usr_lib_python: medium
 fs/path/usr_local: medium
 fs/symlink_resolve: low
+fs/tempdir/TEMP: low
 fs/tempdir/create: low
 net/ip/spoof: medium
 net/url/embedded: low
diff --git a/tests/python/clean/pydevd/setup_pydevd_cython.py.simple b/tests/python/clean/pydevd/setup_pydevd_cython.py.simple
index 3679380c..543cd076 100644
--- a/tests/python/clean/pydevd/setup_pydevd_cython.py.simple
+++ b/tests/python/clean/pydevd/setup_pydevd_cython.py.simple
@@ -4,9 +4,11 @@ exec/imports/python: low
 exec/remote_commands/code_eval: medium
 fs/directory/list: low
 fs/file/delete: low
+fs/file/exists: low
 fs/file/open: low
 fs/file/read: low
 fs/file/write: low
+fs/tempdir/TEMP: low
 impact/remote_access/py_setuptools: low
 os/fd/read: low
 os/fd/write: low
diff --git a/tests/python/clean/pyparsing/sparser.py.simple b/tests/python/clean/pyparsing/sparser.py.simple
index 4641c7b1..9a78d040 100644
--- a/tests/python/clean/pyparsing/sparser.py.simple
+++ b/tests/python/clean/pyparsing/sparser.py.simple
@@ -4,7 +4,9 @@ data/compression/gzip: low
 exec/cmd/pipe: medium
 exec/imports/python: low
 exec/remote_commands/code_eval: medium
+fs/file/exists: low
 fs/file/open: low
+fs/file/write: low
 fs/path/usr_bin: low
 net/url/embedded: low
 net/url/parse: low
diff --git a/tests/python/clean/setuptools/build_meta.py.simple b/tests/python/clean/setuptools/build_meta.py.simple
index 2e2b367c..789ba8f5 100644
--- a/tests/python/clean/setuptools/build_meta.py.simple
+++ b/tests/python/clean/setuptools/build_meta.py.simple
@@ -10,8 +10,11 @@ fs/directory/create: low
 fs/directory/list: low
 fs/directory/traverse: medium
 fs/file/delete: low
+fs/file/exists: low
 fs/file/rename: low
+fs/tempdir/TEMP: low
 impact/remote_access/agent: medium
 net/download: medium
+net/http/form_upload: medium
 net/url/embedded: low
 os/fd/read: low
diff --git a/tests/python/clean/setuptools/easy_install.py.simple b/tests/python/clean/setuptools/easy_install.py.simple
index 0ed94336..e64d750e 100644
--- a/tests/python/clean/setuptools/easy_install.py.simple
+++ b/tests/python/clean/setuptools/easy_install.py.simple
@@ -1,5 +1,6 @@
 # python/clean/setuptools/easy_install.py: medium
 anti-static/obfuscation/python: medium
+collect/archives/zip: medium
 discover/system/platform: medium
 discover/user/HOME: low
 discover/user/USER: low
@@ -8,6 +9,7 @@ fs/directory/create: low
 fs/directory/list: low
 fs/directory/traverse: medium
 fs/file/delete: low
+fs/file/exists: low
 fs/file/open: low
 fs/file/read: medium
 fs/permission/modify: medium
diff --git a/tests/python/clean/setuptools/package_index.py.simple b/tests/python/clean/setuptools/package_index.py.simple
index dcaa7b20..341afbac 100644
--- a/tests/python/clean/setuptools/package_index.py.simple
+++ b/tests/python/clean/setuptools/package_index.py.simple
@@ -7,12 +7,15 @@ exec/imports/python: low
 exec/program: medium
 fs/directory/list: low
 fs/file/delete: low
+fs/file/exists: low
 fs/file/open: low
+fs/file/write: low
 fs/symlink_resolve: low
 fs/tempdir/create: low
 impact/remote_access/agent: medium
 net/download: medium
 net/http/request: low
+net/ip/host_port: medium
 net/url/embedded: low
 net/url/parse: low
 net/url/request: medium
diff --git a/tests/python/clean/versioneer/versioneer.py.simple b/tests/python/clean/versioneer/versioneer.py.simple
index 08ebb261..d36e3bdd 100644
--- a/tests/python/clean/versioneer/versioneer.py.simple
+++ b/tests/python/clean/versioneer/versioneer.py.simple
@@ -1,9 +1,10 @@
-# python/clean/versioneer/versioneer.py: medium
+# python/clean/versioneer/versioneer.py: high
 anti-static/base64/eval: medium
 data/base64/decode: medium
 data/embedded/base64_terms: medium
 data/embedded/base64_url: medium
 data/encoding/base64: low
+exec/remote_commands/code_eval: high
 fs/file/open: low
 fs/path/usr_bin: low
 os/fd/write: low
diff --git a/tests/typescript/2021.CursedGrabber.an0n-chat-lib/build/stealer.js.simple b/tests/typescript/2021.CursedGrabber.an0n-chat-lib/build/stealer.js.simple
index a2aab138..1b989234 100644
--- a/tests/typescript/2021.CursedGrabber.an0n-chat-lib/build/stealer.js.simple
+++ b/tests/typescript/2021.CursedGrabber.an0n-chat-lib/build/stealer.js.simple
@@ -1,11 +1,14 @@
 # typescript/2021.CursedGrabber.an0n-chat-lib/build/stealer.js: critical
+c2/addr/discord: medium
 collect/databases/leveldb: medium
 data/encoding/json_decode: low
 discover/user/info: medium
 exfil/discord: high
+exfil/stealer: high
 exfil/stealer/browser: high
 fs/file/read: low
 fs/file/write: low
 fs/path/relative: medium
+net/http/webhook: medium
 net/url/embedded: low
 persist/windows_start: high
diff --git a/tests/typescript/2021.CursedGrabber.an0n-chat-lib/src/stealer.ts.simple b/tests/typescript/2021.CursedGrabber.an0n-chat-lib/src/stealer.ts.simple
index e4616998..fee992fe 100644
--- a/tests/typescript/2021.CursedGrabber.an0n-chat-lib/src/stealer.ts.simple
+++ b/tests/typescript/2021.CursedGrabber.an0n-chat-lib/src/stealer.ts.simple
@@ -1,11 +1,14 @@
 # typescript/2021.CursedGrabber.an0n-chat-lib/src/stealer.ts: critical
+c2/addr/discord: medium
 collect/databases/leveldb: medium
 data/encoding/json_decode: low
 discover/user/info: medium
 exfil/discord: high
+exfil/stealer: high
 exfil/stealer/browser: high
 fs/file/read: low
 fs/file/write: low
 fs/path/relative: medium
+net/http/webhook: medium
 net/url/embedded: low
 persist/windows_start: high
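Review bot: The clean-corpus fixture for python/clean/versioneer/versioneer.py now records `exec/remote_commands/code_eval: high` and its overall rating rises from medium to high, so the snapshot accepts a new high-severity false positive on a benign build helper rather than addressing it. The trigger is presumably versioneer's own build-time code evaluation (the scanned source is not in this diff), which is exactly the kind of benign hit the corpus is meant to keep at or below medium. Before committing this expectation, consider narrowing the code_eval rule or adding a suppression along the lines of the existing `false-positives/py_hatch` entry seen elsewhere in this patch. The same precision regression on clean samples appears in the hunks for setuptools/package_index.py (`net/ip/host_port: medium`) and Swashbuckle.AspNetCore.ReDoc.dll (`net/http/webhook: medium`), which fire on a package index client and an API-docs assembly respectively.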
diff --git a/tests/windows/2024.GitHub.Clipper/main.exe.simple b/tests/windows/2024.GitHub.Clipper/main.exe.simple
index b764ed1c..a015fe21 100644
--- a/tests/windows/2024.GitHub.Clipper/main.exe.simple
+++ b/tests/windows/2024.GitHub.Clipper/main.exe.simple
@@ -9,6 +9,7 @@
 3P/threat_hunting/gofile_io: medium
 3P/threat_hunting/runascs: medium
 anti-behavior/anti_debugger: medium
+c2/addr/discord: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
 c2/tool_transfer/download: high
@@ -25,6 +26,7 @@ credential/clipboard: medium
 credential/password: low
 credential/ssl/private_key: low
 crypto/aes: low
+crypto/cipher: medium
 crypto/ecdsa: low
 crypto/ed25519: low
 crypto/rc4: low
@@ -80,6 +82,8 @@ net/http/cookies: medium
 net/http/post: medium
 net/http/proxy: low
 net/http/request: low
+net/http/webhook: medium
+net/ip/host_port: medium
 net/ip/parse: medium
 net/remote_control/vnc: medium
 net/resolve/hostname: low
diff --git a/tests/windows/2024.GitHub.Clipper/raw.py.simple b/tests/windows/2024.GitHub.Clipper/raw.py.simple
index 10c52998..72c96669 100644
--- a/tests/windows/2024.GitHub.Clipper/raw.py.simple
+++ b/tests/windows/2024.GitHub.Clipper/raw.py.simple
@@ -1,4 +1,5 @@
 # windows/2024.GitHub.Clipper/raw.py: critical
+c2/addr/discord: medium
 c2/addr/url: high
 c2/tool_transfer/download: high
 c2/tool_transfer/exe_url: high
diff --git a/tests/windows/2024.Sharp/sharpil_RAT.exe.md b/tests/windows/2024.Sharp/sharpil_RAT.exe.md
index a88e5778..c8a4109c 100644
--- a/tests/windows/2024.Sharp/sharpil_RAT.exe.md
+++ b/tests/windows/2024.Sharp/sharpil_RAT.exe.md
@@ -5,6 +5,8 @@
 | CRITICAL | [3P/ditekshen/telegramchatbot](https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1293-L1308) | Detects executables using Telegram Chat Bot, by [ditekSHen](https://github.com/ditekshen/detection) | $p1
$p2
$s1
$s2
$s4 | | HIGH | [net/email/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/email/send.yara#SMTPClient_Send_creds) | sends e-mail with a hardcoded credentials | [NetworkCredential](https://github.com/search?q=NetworkCredential&type=code) | | MEDIUM | [3P/threat_hunting/telegram](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#telegram_greyware_tool_keyword) | [references 'telegram' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | $string2_telegram_greyware_tool_keyword | +| MEDIUM | [c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord) | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) | +| MEDIUM | [c2/addr/telegram](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/telegram.yara#telegram) | telegram | [Telegram](https://github.com/search?q=Telegram&type=code) | | MEDIUM | [data/embedded/app_manifest](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/app-manifest.yara#app_manifest) | [Contains embedded Microsoft Windows application manifest](https://learn.microsoft.com/en-us/cpp/build/reference/manifestuac-embeds-uac-information-in-manifest?view=msvc-170) | [requestedExecutionLevel](https://github.com/search?q=requestedExecutionLevel&type=code)
[requestedPrivileges](https://github.com/search?q=requestedPrivileges&type=code) | | MEDIUM | [discover/processes/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/processes/list.yara#proclist) | accesses process list | [ProcessList](https://github.com/search?q=ProcessList&type=code) | | MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [DownloadString](https://github.com/search?q=DownloadString&type=code)
[Downloads](https://github.com/search?q=Downloads&type=code) |
diff --git a/tests/windows/2024.aspdasdksa2/creal.exe.simple b/tests/windows/2024.aspdasdksa2/creal.exe.simple
index c34837ae..2e649bb8 100644
--- a/tests/windows/2024.aspdasdksa2/creal.exe.simple
+++ b/tests/windows/2024.aspdasdksa2/creal.exe.simple
@@ -2,6 +2,7 @@
 3P/bartblaze/pyinstaller: high
 anti-behavior/anti_debugger: medium
 anti-static/packer/pe: high
+collect/archives/zip: medium
 collect/databases/sqlite: medium
 credential/sniffer/bpf: medium
 crypto/aes: low
diff --git a/tests/windows/2024.aspdasdksa2/creal.pyc.simple b/tests/windows/2024.aspdasdksa2/creal.pyc.simple
index b21798a6..5a396eda 100644
--- a/tests/windows/2024.aspdasdksa2/creal.pyc.simple
+++ b/tests/windows/2024.aspdasdksa2/creal.pyc.simple
@@ -5,7 +5,10 @@
 anti-behavior/blocklist/hostname: critical
 anti-behavior/blocklist/mac_addr: critical
 anti-behavior/blocklist/user: critical
+c2/addr/discord: medium
+c2/addr/telegram: medium
 c2/tool_transfer/download: high
+collect/archives/zip: medium
 collect/databases/leveldb: medium
 credential/browser/chrome_cookies: high
 credential/browser/chromium_credit_cards: critical
@@ -22,6 +25,7 @@ exec/install_additional/pip_install: high
 exec/program: medium
 exec/tty/getpass: low
 exfil/discord: critical
+exfil/stealer: high
 exfil/stealer/browser: high
 exfil/stealer/credit_card: medium
 exfil/stealer/creds: high
@@ -31,6 +35,7 @@ net/download: medium
 net/download/fetch: medium
 net/http/fake_user_agent: medium
 net/http/request: low
+net/http/webhook: medium
 net/socket/connect: medium
 net/url/embedded: low
 net/url/parse: low
diff --git a/tests/windows/2024.black_basta/dropper.lnk.simple b/tests/windows/2024.black_basta/dropper.lnk.simple
index b152b0fb..616c4a8b 100644
--- a/tests/windows/2024.black_basta/dropper.lnk.simple
+++ b/tests/windows/2024.black_basta/dropper.lnk.simple
@@ -1,2 +1,3 @@
 # windows/2024.black_basta/dropper.lnk: low
+discover/user/APPDATA: low
 process/chdir: low
diff --git a/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple b/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple
index 762b1cf9..94263647 100644
--- a/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple
+++ b/tests/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple
@@ -38,10 +38,12 @@ fs/tempdir/TEMP: low
 fs/unmount: low
 impact/degrade/infection: medium
 net/download: medium
+net/http/auth: low
 net/http/form_upload: medium
 net/http/oauth2: low
 net/http/post: medium
 net/http/request: low
+net/http/webhook: medium
 net/resolve/hostname: low
 net/tcp/sftp: medium
 net/tcp/ssh: medium