linux: alert tuning for k4spreader, injector, medusa, Sliver

rules/combo/backdoor/remote_eval.yara

@@ -10,8 +10,10 @@ rule remote_eval : critical {
     $eval_open_ruby = /eval\(open[\(\)\"\'\-\w:\/\.]{0,64}/
     $exec_requests = /exec\(requests\.get[\(\)\"\'\-\w:\/\.]{0,64}/
     $eval_requests = /eval\(requests\.get[\(\)\"\'\-\w:\/\.]{0,64}/
-	$eval_urllib = /exec\(urllib\.request\.urlopen\([\(\)\"\'\-\w:\/\.]{0,64}\).read\(\)/
-	$exec_urllib = /exec\(urllib\.request\.urlopen\([\(\)\"\'\-\w:\/\.]{0,64}\).read\(\)/
+	$eval_request_urllib = /exec\(urllib\.request\.urlopen\([\(\)\"\'\-\w:\/\.]{0,64}\).read\(\)/
+	$exec_request_urllib = /exec\(urllib\.request\.urlopen\([\(\)\"\'\-\w:\/\.]{0,64}\).read\(\)/
+	$eval_urllib = /eval\(urllib\.urlopen\([\(\)\"\'\-\w:\/\.]{0,64}\).read\(\)/
+	$exec_urllib = /exec\(urllib\.urlopen\([\(\)\"\'\-\w:\/\.]{0,64}\).read\(\)/
   condition:
     filesize < 65535 and $http and any of ($e*)
 }

rules/combo/degrader/edr_killer.yara → rules/combo/degrader/edr.yara

@@ -18,6 +18,7 @@ rule win_kill_proc : medium windows {
 rule edr_stopper : critical windows {
   meta:
     description = "Stops EDR/Antivirus services"
+	filetypes = "exe,dll"
   strings:
 	$kind_malwarebytes = "alwarebytes"
 	$stop = "stopservice"

rules/combo/degrader/infection.yara

@@ -0,0 +1,29 @@
+rule infection_killer : critical {
+	meta:
+		description = "kills competing malware infections"
+	strings:
+		$k_pgrep = "pgrep" fullword
+		$k_kill = "kill" fullword
+		$c_pkill = "pkill" fullword
+		$c_killall = "killall" fullword
+
+		$c_meshagent = "meshagent" fullword
+		$c_kdevchecker = "kdevchecker" fullword
+		$c_ipv6_addrconfd = "ipv6_addrconfd" fullword
+		$c_kworkerr = "kworkerr" fullword
+		$c_cpuhelp = "cpuhelp" fullword
+		$c_deamon = "deamon" fullword
+		$c_ksoftriqd = "ksoftriqd" fullword
+		$c_pastebin = "pastebin" fullword
+		$c_solr = "solr.sh" fullword
+		$c_solrd = "solrd" fullword
+		$c_kinsing = "kinsing" fullword
+		$c_kdevtmpfsi = "kdevtmpfsi" fullword
+		$c_kthreaddk = "kthreaddk" fullword
+		$c_linuxsys = "linuxsys" fullword
+		$c_rnv2ymcl = "rnv2ymcl" fullword
+		$c_skid_x86 = "skid.x86" fullword
+		$c_getpty = "getpy.sh" fullword
+	condition:
+		filesize < 1MB and any of ($k*) and 2 of ($c*)
+}

rules/combo/degrader/iptables.yara

@@ -0,0 +1,14 @@
+import "math"
+
+rule iptables_disable : high {
+  meta:
+    description = "disables iptables firewall"
+  strings:
+	$input = "iptables -P INPUT ACCEPT"
+	$output = "iptables -P OUTPUT ACCEPT"
+	$forward = "iptables -P FORWARD ACCEPT"
+	$flush = "iptables -F"
+  condition:
+	filesize < 1MB and 3 of them
+}
+

rules/combo/degrader/procfs_unhide.yara

@@ -0,0 +1,14 @@
+rule procfs_unhide : critical {
+	meta:
+		description = "kills processes hidden by procfs bindmounts"
+	strings:
+		$p_mounts = "/proc/mounts"
+		$p_proc_d = "/proc/\\d"
+		$p_grep = "grep"
+
+		$k_kill = "kill" fullword
+		$k_pkill = "pkill" fullword
+		$k_killall = "killall" fullword
+	condition:
+		filesize < 100KB and all of ($p*) and any of ($k*)
+}

rules/combo/degrader/ufw.yara

@@ -0,0 +1,20 @@
+import "math"
+
+rule ufw_disable : high {
+  meta:
+    description = "disables ufw firewall"
+  strings:
+    $ufw = "ufw" fullword
+    $disable = "disable" fullword
+  condition:
+    filesize < 256KB and all of them and math.abs(@ufw - @disable) >= 8
+}
+
+rule ufw_disable_word : high {
+  meta:
+    description = "disables ufw firewall"
+  strings:
+	$ref = "ufw disable" fullword
+  condition:
+	filesize < 256KB and $ref
+}

rules/combo/dropper/binary.yara

@@ -10,3 +10,13 @@ rule chmod_executable_shell_binary : high {
   condition:
      filesize < 10MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) and any of ($chmod*) and any of ($http*)
 }
+
+rule download_and_execute : high {
+	meta:
+		description = "may download and execute a program"
+	strings:
+		$ref = "download_and_execute"
+		$ref2 = "download_and_exec"
+	condition:
+		filesize < 1MB and any of them
+}

rules/combo/dropper/http_ip_temp.yara

@@ -0,0 +1,16 @@
+rule http_hardcoded_ip_dev_shm : critical exfil {
+  meta:
+    description = "hardcoded IP address + persistent temp dir"
+  strings:
+    $ipv4 = /https*:\/\/([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}[:\/\w\-\?\.]{0,32}/
+    $not_metadata = "http://169.254.169.254"
+    $not_100 = "http://100.100.100"
+    $not_11 = "http://11.11.11"
+    $not_192 = "http://192.168"
+
+	$tmp_dev_shm = "/dev/shm"
+	$tmp_dev_mqueue = "/dev/mqueue"
+	$tmp_var_tmp = "/var/tmp"
+  condition:
+    $ipv4 and any of ($tmp*) and none of ($not*)
+}

rules/data/embedded-base64-gzip.yara

@@ -10,3 +10,13 @@ rule base64_gz : medium {
   condition:
     $header
 }
+
+
+rule base64_gz_small : high {
+  meta:
+    description = "Contains base64 gzip content"
+  strings:
+    $header = "H4sIA"
+  condition:
+    filesize < 32KB and $header
+}

rules/evasion/copy_run_delete.yara

@@ -1,5 +1,4 @@
-
-rule copy_run_delete : critical {
+rule tiny_copy_run_delete : critical {
   meta:
     description = "copy executable, run, and delete"
   strings:
@@ -12,7 +11,8 @@ rule copy_run_delete : critical {
 	$path_dev_shm = "/dev/shm"
 	$run_quoted = /\"\$[\w\-\/\$]{1,12}\"/ fullword
 	$run_dot_slash = /\.\/[\-\w\$]{1,12}/ fullword
+	$run_absolute = /&& \/[\w\/\.]{0,32}/ fullword
   condition:
-    filesize < 256 and $cp and $rm and $null and any of ($path*) and any of ($run*)
+    filesize < 512 and $cp and $rm and $null and any of ($path*) and any of ($run*)
 }
 

rules/evasion/elf-funky-tenable.yara → rules/evasion/elf-sus_header.yara

@@ -1,34 +1,37 @@
 import "elf"
 
-rule single_load_rwe : high {
+rule single_load_rwe : critical {
   meta:
-    description = "Flags binaries with a single LOAD segment marked as RWE."
+    description = "Binary with a single LOAD segment marked RWE"
     family = "Stager"
     filetype = "ELF"
     hash_2024_Downloads_690f = "690f29dd425f7415ecb50986aa26750960c39a0ca8a02ddfd37ec4196993bd9e"
     hash_2023_Downloads_cd54 = "cd54a34dbd7d345a7fd7fd8744feb5c956825317e9225edb002c3258683947f1"
     hash_2023_Linux_Malware_Samples_16e0 = "16e09592a9e85cd67530ec365ac2c50e48e873335c1ad0f984e3daaefc8a57b5"
+	author = "Tenable"
   condition:
     elf.number_of_segments == 1 and elf.segments[0].type == elf.PT_LOAD and elf.segments[0].flags == elf.PF_R | elf.PF_W | elf.PF_X
 }
 
 rule fake_section_headers_conflicting_entry_point_address : critical {
   meta:
-    description = "A fake sections header has been added to the binary."
+    description = "binary with fake sections header"
     family = "Obfuscation"
     filetype = "ELF"
     hash_2024_Downloads_e241 = "e241a3808e1f8c4811759e1761e2fb31ce46ad1e412d65bb1ad9e697432bd4bd"
     hash_2023_Linux_Malware_Samples_0ad6 = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73"
     hash_2023_Linux_Malware_Samples_19f7 = "19f76bf2be3ea11732f2c5c562afbd6f363b062c25fba3a143c3c6ef4712774b"
+	author = "Tenable"
   condition:
     elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_segments > 0 and elf.number_of_sections > 0 and not (for any i in (0..elf.number_of_segments) : ((elf.segments[i].offset <= elf.entry_point) and ((elf.segments[i].offset + elf.segments[i].file_size) >= elf.entry_point) and for any j in (0..elf.number_of_sections) : (elf.sections[j].offset <= elf.entry_point and ((elf.sections[j].offset + elf.sections[j].size) >= elf.entry_point) and (elf.segments[i].virtual_address + (elf.entry_point - elf.segments[i].offset)) == (elf.sections[j].address + (elf.entry_point - elf.sections[j].offset)))))
 }
 
 rule fake_dynamic_symbols : critical {
   meta:
-    description = "A fake dynamic symbol table has been added to the binary"
+    description = "binary with fake dynamic symbol table"
     family = "Obfuscation"
     filetype = "ELF"
+	author = "Tenable"
   condition:
     elf.type == elf.ET_EXEC and elf.entry_point < filesize and elf.number_of_sections > 0 and elf.dynamic_section_entries > 0 and for any i in (0..elf.dynamic_section_entries) : (elf.dynamic[i].type == elf.DT_SYMTAB and not (for any j in (0..elf.number_of_sections) : (elf.sections[j].type == elf.SHT_DYNSYM and for any k in (0..elf.number_of_segments) : ((elf.segments[k].virtual_address <= elf.dynamic[i].val) and ((elf.segments[k].virtual_address + elf.segments[k].file_size) >= elf.dynamic[i].val) and (elf.segments[k].offset + (elf.dynamic[i].val - elf.segments[k].virtual_address)) == elf.sections[j].offset))))
 }

rules/evasion/fake-process-name.yara → rules/evasion/fake-process.yara

@@ -8,12 +8,13 @@ rule fake_kworker_val : critical {
     $kworker = /\[{0,1}kworker\/[\d:\]]{1,5}/
     $kworker2 = "kworker" fullword
     $kworker3 = "[kworker"
+
     // datadog process-agent
     $not_datadog = /[Dd]ata[Dd]og/
     $not_datadog2 = /\*{0,1}is_kworker/
     $not_datadog3 = /is_current_kworker_dying\({0,1}\){0,1}/
   condition:
-    any of ($kworker*) and none of ($not*)
+    any of ($k*) and none of ($not*)
 }
 
 rule fake_syslogd : critical {
@@ -42,3 +43,17 @@ rule fake_systemd : critical {
   condition:
 	filesize < 100MB and $ref
 }
+
+rule fake_process_names : high {
+	meta:
+		description = "mentions known fake process names"
+	strings:
+		$kdevchecker = "kdevchecker" fullword
+		$kworkerr = "kworkerr" fullword
+		$ksoftriqd = "ksoftriqd" fullword
+		$kdevtmpfsi = "kdevtmpfsi" fullword
+		$kthreaddk = "kthreaddk" fullword
+		$deamon = "deamon" fullword
+	condition:
+		filesize < 10MB and any of them
+}

rules/evasion/hide_shell_history.yara

@@ -1,4 +1,3 @@
-
 rule hide_shell_history : high {
   meta:
     description = "Hides shell command history"

rules/evasion/http_443.yara

@@ -0,0 +1,8 @@
+rule http_port_443 : high {
+  meta:
+    description = "hardcoded HTTP site on port 443 (HTTPS)"
+  strings:
+	$http_443 = /http:\/\/[\w\.]{0,32}:443\/[\/\w\-\?\.]{0,32}/
+  condition:
+	any of them
+}

rules/evasion/process-inject.yara

@@ -13,3 +13,16 @@ rule ptrace_injector : high {
   condition:
     filesize < 67108864 and $maps and $ptrace and $proc and none of ($not*)
 }
+
+rule library_injector : high {
+  meta:
+    description = "may inject code into other processes"
+  strings:
+    $proc = "/proc"
+	$maps = "maps"
+	$inject_lib = "to-inject"
+	$inject_thread= "to inject"
+	$inject_succ = "successfully injected"
+  condition:
+    filesize < 100KB and $proc and $maps and any of ($inject*)
+}

rules/evasion/readdir-interceptor.yara

@@ -1,4 +1,3 @@
-
 rule readdir_intercept : high {
   meta:
     description = "userland rootkit designed to hide files"
@@ -13,7 +12,21 @@ rule readdir_intercept : high {
     $not_ld_debug = "LD_DEBUG"
     $not_libc = "getusershell"
   condition:
-    uint32(0) == 1179403647 and all of ($r*) and none of ($not*)
+    filesize < 2MB and uint32(0) == 1179403647 and all of ($r*) and none of ($not*)
+}
+
+rule readdir_tcp_wrapper_intercept : high {
+  meta:
+    description = "userland rootkit designed to hide files and bypass tcp-wrappers"
+	ref = "https://github.com/ldpreload/Medusa"
+  strings:
+    $r_new65 = "readdir64" fullword
+    $r_old64 = "_readdir64"
+    $r_new32 = "readdir" fullword
+    $r_old32 = "_readdir"
+	$r_hosts_access = "hosts_access"
+  condition:
+    filesize < 2MB and uint32(0) == 1179403647 and all of ($r*)
 }
 
 rule readdir_intercept_source : high {

rules/malware/family/kubo_injector.yara

@@ -0,0 +1,13 @@
+rule kubo : critical {
+  meta:
+    description = "Kubo Injector"
+	ref = "https://github.com/kubo/injector"
+  strings:
+	$cloned_thread = "inject_in_cloned_thread"
+	$other = "arch2name"
+	$remote_vcall = "remote_vcall"
+	$va = "collect_libc_info"
+	$sh = "shellcode_size"
+  condition:
+    filesize < 200KB and 3 of them
+}

rules/malware/family/medusa.yara

@@ -0,0 +1,18 @@
+rule medusa : critical {
+  meta:
+    description = "Medusa LD_PRELOAD rootkit"
+	ref = "https://github.com/ldpreload/Medusa"
+  strings:
+	$cloned_thread = "DYNAMIC LINKER BUG!"
+	$__execve = "__execve" fullword
+	$lxstat64 = "__lxstat64" fullword
+	$syslog = "syslog" fullword
+	$LD_PRELOAD = "LD_PRELOAD" fullword
+	$LD_LIBRARY_PATH = "LD_LIBRARY_PATH" fullword
+	$archloaded = "archloaded" fullword
+	$rkload = "rkload" fullword
+	$wcs = "wcsmbsload" fullword
+	$readdir64 = "readdir64" fullword
+  condition:
+    filesize < 2MB and 80% of them
+}

rules/management/esxcli.yara

@@ -9,3 +9,24 @@ rule esxcli_caller : high {
   condition:
     any of them
 }
+
+
+rule esxcli_onion_ransom : critical {
+  meta:
+    description = "ransomware targeting VMware ESXi"
+  strings:
+    $esxcli = "esxcli"
+	$onion = ".onion"
+
+	$w_cyber = "cyber"
+	$w_victim = "victim"
+	$w_encrypted = "encrypted"
+	$w_tor = "tor" fullword
+	$w_Tor = "Tor" fullword
+	$w_TOR = "TOR" fullword
+	$w_company = "company" fullword
+	$w_your = "your data"
+	$w_incident = "incident"
+  condition:
+	$esxcli and $onion and any of ($w*)
+}

rules/persist/linux_multi.yara

@@ -1,6 +1,6 @@
-rule linux_multi_persist : critical {
+rule linux_multi_persist : high {
   meta:
-    description = "references multiple methods of persistence in Linux"
+    description = "references multiple Linux persistence methods"
   strings:
     $initd = /etc\/init\.d\/[\w\/\.]{0,32}/ fullword
 	$udev = "etc/udev"

rules/persist/writeable_dir.yara

@@ -0,0 +1,11 @@
+rule world_writeable_dirs : high {
+  meta:
+    description = "mentions multiple world writeable directories"
+  strings:
+	$tmp_tmp = /\/tmp[\w\.\/]{0,32}/ fullword
+	$tmp_dev_shm = /\/dev\/shm[\w\.\/]{0,32}/
+	$tmp_dev_mqueue = /\/dev\/mqueue[\w\.\/]{0,32}/
+	$tmp_var_tmp = /\/var\/tmp[\w\.\/]{0,32}/
+  condition:
+	filesize < 20MB and 3 of them
+}