chainguard-dev · tstromberg · Oct 24, 2024 · Oct 24, 2024 · Oct 24, 2024 · Oct 24, 2024
diff --git a/rules/combo/critical_paths.yara b/rules/combo/critical_paths.yara
diff --git a/rules/combo/degrader/linux_paths.yara b/rules/combo/degrader/linux_paths.yara
@@ -0,0 +1,52 @@
+
+rule linux_critical_system_paths : medium {
+  meta:
+    description = "accesses multiple critical Linux paths"
+  strings:
+    $p_etc_crontab = "/etc/crontab"
+	$p_etc_sysctl_conf = "/etc/sysctl.conf"
+	$p_etc_init_d = /\/etc\/init.d[\w\/\.\-]{0,32}/
+	$p_etc_cron_d = /\/etc\/cron.d[\w\/\.\-]{0,32}/
+	$p_etc_selinux = /\/etc\/selinux[\w\/\.\-]{0,32}/
+	$p_etc_systemd = /\/etc\/systemd[\w\/\.\-]{0,32}/
+	$p_etc_preload = "/etc/ld.so.preload"
+	$p_ld_so_cache = "/etc/ld.so.cache"
+    $p_var_run = /\/var\/run[\w\/\.\-]{0,32}/
+    $p_var_log = /\/var\/log[\w\/\.\-]{0,32}/
+    $p_usr_libexec = /\/usr\/libexec[\w\/\.\-]{0,32}/
+    $p_tmp = /\/tmp\/[\w\/\.\-]{0,32}/
+    $p_sbin = /\/sbin\/[\w\/\.\-]{0,32}/
+    $p_lib_systemd = /\/lib\/systemd[\w\/\.\-]{0,32}/
+    $p_boot = /\/boot\/[\w\/\.\-]{0,32}/
+	$proc_self_cmdline = "/proc/self/cmdline"
+	$proc_self_cgroup = "/proc/self/cgroup"
+	$p_lib = "/usr/lib/x86_64-linux-gnu/"
+	$p_lib_ld = "/lib64/ld-linux-x86-64.so.2"
+    $p_sys = /\/sys\/(devices|class)[\w\/\.\-]{0,32}/
+    $p_sysctl = /sysctl[ -a-z]{0,32}/
+	$p_dev_watchdog = "/dev/watchdog"
+	$p_ps = "/usr/bin/ps"
+	$p_ss = "/usr/bin/lsof"
+	$p_ssh = "/usr/bin/ssh"
+	$p_dev_shm = "/dev/shm"
+  condition:
+    filesize < 120MB and any of ($p_etc*) and 5 of ($p*)
+}
+
+rule linux_critical_system_paths_small_elf : high {
+  meta:
+    description = "ELF accesses multiple critical Linux paths"
+  strings:
+	$not_vim = "VIMRUNTIME" fullword
+  condition:
+    filesize < 10MB and uint32(0) == 1179403647 and linux_critical_system_paths and none of ($not*)
+}
+
+rule linux_critical_system_paths_small_shell : high {
+  meta:
+    description = "script accesses multiple critical Linux paths"
+  strings:
+    $hash_bang = "#!"
+  condition:
+    filesize < 64KB and $hash_bang in (0..2) and linux_critical_system_paths
+}
diff --git a/rules/combo/dropper/binary.yara b/rules/combo/dropper/binary.yara
@@ -7,8 +7,9 @@ rule chmod_executable_shell_binary : high {
     $chmod2 = /chmod [\-\w ]{0,4}\+[rw]{0,2}[75][ \$\@\w\/\.]{0,64}/
 	$http = "http:"
 	$https = "https:"
+	$not_example = "try 'chmod +x'"
   condition:
-     filesize < 10MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) and any of ($chmod*) and any of ($http*)
+     filesize < 10MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) and any of ($chmod*) and any of ($http*) and none of ($not*)
 }
 
 rule download_and_execute : high {

diff --git a/rules/combo/recon/system_network.yara b/rules/combo/recon/system_network.yara
@@ -55,10 +55,11 @@ private rule exfil {
 		filesize < 512KB and any of them
 }
 
-
 rule sys_net_recon_exfil : high {
-  meta:
-    description = "may exfiltrate collected system and network information"
-   condition:
-     sys_net_recon and (obfuscate or exfil)
-}
+  	meta:
+    	description = "may exfiltrate collected system and network information"
+	strings:
+		$not_curl = "CURLAUTH_ONLY"
+	condition:
+		sys_net_recon and (obfuscate or exfil) and none of ($not*)
+}
diff --git a/rules/evasion/packer/upx.yara b/rules/evasion/packer/upx.yara
@@ -23,8 +23,9 @@ rule upx_elf : high {
   strings:
     $proc_self = "/proc/self/exe"
     $prot_exec = "PROT_EXEC|PROT_WRITE failed"
+	$not_upx_itself = "UPX comes with ABSOLUTELY NO WARRANTY"
   condition:
-    uint32(0) == 1179403647 and $prot_exec and $proc_self
+    uint32(0) == 1179403647 and $prot_exec and $proc_self and none of ($not*)
 }
 
 rule upx_elf_tampered : critical {

diff --git a/rules/fs/file-make_executable.yara b/rules/fs/file-make_executable.yara
@@ -19,8 +19,9 @@ rule chmod_executable_shell_binary : high {
   strings:
     $val = /chmod [\-\w ]{0,4}\+[rw]{0,2}x[ \$\@\w\/\.]{0,64}/
     $val2 = /chmod [\-\w ]{0,4}\+[rw]{0,2}[75][ \$\@\w\/\.]{0,64}/
+	$not_example = "try 'chmod +x'"
   condition:
-     filesize < 20MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) and any of them
+     filesize < 20MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) and any of ($val*) and none of ($not*)
 }
 
 rule chmod_executable_ruby : high {

diff --git a/rules/fs/permission-modify-dangerous.yara b/rules/fs/permission-modify-dangerous.yara
@@ -5,19 +5,20 @@ rule chmod_word_writeable : medium {
   strings:
     $ref = /chmod [\-\w ]{0,4}666[ \$\w\/\.]{0,32}/
   condition:
-    $ref
+     filesize < 50MB and $ref
 }
 
 rule chmod_dangerous_exec : high exfil {
   meta:
-    description = "Makes a world writeable executable"
+    description = "Makes path world writeable and executable"
     hash_2023_APT31_1d60 = "1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2"
     hash_2023_Merlin_48a7 = "48a70bd18a23fce3208195f4ad2e92fce78d37eeaa672f83af782656a4b2d07f"
     hash_2023_Py_Trojan_NecroBot_0e60 = "0e600095a3c955310d27c08f98a012720caff698fe24303d7e0dcb4c5e766322"
   strings:
     $ref = /chmod [\-\w ]{0,4}777[ \$\w\/\.]{0,32}/
-    $not_dev_shm = "chmod 1777 /dev/shm"
+    $not_chmod_1777 = "chmod 1777"
+    $not_chmod_01777 = "chmod 01777"
     $not_chromium = "CHROMIUM_TIMESTAMP"
   condition:
-    $ref and not ($not_dev_shm and $not_chromium)
+    filesize < 50MB and $ref and none of ($not*)
 }
diff --git a/rules/persist/bash.yara b/rules/persist/bash.yara
@@ -24,6 +24,8 @@ rule bash_logout_persist : high {
   strings:
     $ref = ".bash_logout"
     $not_bash = "POSIXLY_CORRECT"
+	$not_comment = "# ~/.bash_logout"
+	$not_clear = "/usr/bin/clear_console"
   condition:
     filesize < 2097152 and any of ($ref*) and none of ($not*)
 }
diff --git a/rules/procfs/self-cmdline.yara b/rules/procfs/self-cmdline.yara
@@ -1,5 +1,5 @@
 
-rule proc_self_cmdline : medium {
+rule proc_self_cmdline : medium linux {
   meta:
     description = "gets process command-line"
     pledge = "stdio"

diff --git a/rules/ref/path/etc-initd.yara b/rules/ref/path/etc-initd.yara
@@ -1,19 +1,20 @@
-rule etc_initd : medium {
+rule etc_initd : medium linux {
   meta:
     description = "references /etc/init.d"
   strings:
     $ref = /etc\/init\.d\/[\w\/\.]{0,32}/ fullword
   condition:
-    any of them
+    filesize < 50MB and any of them
 }
 
-rule etc_initd_short_file : high {
+rule etc_initd_short_file : high linux {
   meta:
     description = "references short filename within /etc/init.d"
   strings:
-    $ref = /etc\/init\.d\/[\w\.]{2,4}/ fullword
-	$not_sshd = "/etc/init.d/sshd"
+    $ref = /etc\/init\.d\/[\w\.]{1,3}/ fullword
 	$not_rcd = "/etc/init.d/rc.d"
+	$not_init = "SCRIPTNAME=/etc/init.d/"
+	$header = "### BEGIN INIT INFO"
   condition:
-    any of them and none of ($not*)
+     filesize < 50MB and $ref and none of ($not*) and not $header in (1..128)
 }
diff --git a/test_data/linux/2023.Kinsing/install.sh.simple b/test_data/linux/2023.Kinsing/install.sh.simple
@@ -8,8 +8,8 @@ admin/logs/syslog: medium
 admin/package/install: medium
 combo/backdoor/iptables: medium
 combo/backdoor/kill_rm: medium
-combo/critical_paths: medium
 combo/degrader/infection: critical
+combo/degrader/linux_paths: high
 combo/degrader/selinux_firewall: high
 combo/degrader/ufw: high
 combo/dropper/http_ip_temp: critical

diff --git a/test_data/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/test_data/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
@@ -2,6 +2,7 @@
 3P/elastic/threat: high
 combo/backdoor/kill_rm: medium
 combo/botnet/systemctl: critical
+combo/degrader/linux_paths: high
 combo/dropper/shell: medium
 combo/stealer/linux_server: high
 combo/stealer/ssh: high

diff --git a/test_data/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/test_data/linux/2024.kworker_pretenders/emp3r0r.agent.simple
@@ -8,7 +8,6 @@ archives/unarchive: medium
 archives/zip: medium
 combo/backdoor/kill_rm: medium
 combo/backdoor/net_exec: medium
-combo/critical_paths: medium
 combo/exploit/overflow/shellcode: high
 combo/exploit/pwnkit: critical
 combo/net/host_port: medium

diff --git a/test_data/linux/2024.kworker_pretenders/gafgyt.simple b/test_data/linux/2024.kworker_pretenders/gafgyt.simple
@@ -1,7 +1,7 @@
 # linux/2024.kworker_pretenders/gafgyt: critical
 3P/elastic/mirai: critical
 3P/threat_hunting/base64: medium
-combo/critical_paths: medium
+combo/degrader/linux_paths: high
 encoding/base64: low
 evasion/base64/eval: high
 evasion/base64/external: medium

diff --git a/test_data/linux/2024.medusa/rkload.simple b/test_data/linux/2024.medusa/rkload.simple
@@ -1,6 +1,7 @@
 # linux/2024.medusa/rkload: critical
 3P/elastic/orbit: critical
 admin/system_directories: medium
+combo/degrader/linux_paths: high
 dylib/address/check: low
 dylib/symbol/address: medium
 env/GCONV_PATH: low

diff --git a/test_data/linux/clean/chrome.simple b/test_data/linux/clean/chrome.simple
@@ -2,7 +2,6 @@
 3P/threat_hunting/metasploit: medium
 3P/threat_hunting/proxmark: medium
 archives/zip: medium
-combo/critical_paths: medium
 combo/net/tunnel_proxy: medium
 compression/bzip2: low
 compression/gzip: low

diff --git a/test_data/linux/clean/clickhouse.simple b/test_data/linux/clean/clickhouse.simple
@@ -7,7 +7,6 @@ admin/package/install: medium
 admin/shutdown: medium
 builtin/openssl: medium
 cloud/google/metadata: low
-combo/critical_paths: medium
 combo/dropper/shell: medium
 combo/miner/argon2d_numa_self: high
 combo/net/tunnel_proxy: medium
@@ -68,7 +67,6 @@ fs/mounts/read: medium
 fs/node/create: low
 fs/permission/chown: low
 fs/permission/modify: medium
-fs/permission/modify/dangerous: medium
 fs/symlink/resolve: low
 fs/tempdir: low
 fs/tempdir/create: low

diff --git a/test_data/linux/clean/code-oss.md b/test_data/linux/clean/code-oss.md
diff --git a/test_data/linux/clean/containerd.simple b/test_data/linux/clean/containerd.simple
@@ -2,7 +2,7 @@
 3P/threat_hunting/hijacker: medium
 3P/threat_hunting/privilegeescalation: medium
 archives/zip: medium
-combo/critical_paths: medium
+combo/degrader/linux_paths: medium
 combo/net/host_port: medium
 compression/bzip2: low
 compression/gzip: low

diff --git a/test_data/linux/clean/kuma-cp.simple b/test_data/linux/clean/kuma-cp.simple
@@ -3,7 +3,6 @@
 3P/threat_hunting/privilegeescalation: medium
 archives/zip: medium
 combo/backdoor/iptables: medium
-combo/critical_paths: medium
 combo/dropper/shell: medium
 combo/net/host_port: medium
 combo/net/tunnel_proxy: medium

diff --git a/test_data/linux/clean/melange.simple b/test_data/linux/clean/melange.simple
@@ -9,7 +9,6 @@ cloud/aws/metadata: low
 cloud/google/metadata: low
 cloud/google/storage: low
 combo/backdoor/kill_rm: medium
-combo/critical_paths: medium
 combo/dropper/shell: medium
 combo/net/tunnel_proxy: medium
 compression/bzip2: low

diff --git a/test_data/linux/clean/minio.x86_64.md b/test_data/linux/clean/minio.x86_64.md
diff --git a/test_data/linux/clean/mongosh.simple b/test_data/linux/clean/mongosh.simple
@@ -3,7 +3,6 @@ archives/unarchive: medium
 cloud/aws/metadata: low
 cloud/google/metadata: low
 combo/backdoor/kill_rm: medium
-combo/critical_paths: medium
 combo/dropper/shell: medium
 combo/net/scan_tool: medium
 combo/net/tunnel_proxy: medium