
MalwareBehaviorCatalog follow-up: less naming stutter, less slashes #558

Merged
merged 14 commits into from
Nov 1, 2024
5 changes: 3 additions & 2 deletions capabilities.md
@@ -34,6 +34,7 @@ There are some internal namespaces we use:
|---|---|
| 3P | third party queries (unorganized) |
| false-positives | rules to match known software |
| sec-tool | known security tools (possibly dangerous) |
| malware | known malware |
| internal | other internal rules |
| malware | known malware |
| sec-tool | known security tools (possibly dangerous) |
| sus | suspicious content that can't be otherwise categorized |
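Review bot: the rendered table shows a `malware` row and a `sec-tool` row both before and after `internal`, so it is not clear which rows survive the change; the merged table should end up with exactly one row per namespace, ordered the same way as the rest of the table (it otherwise reads alphabetically: 3P, false-positives, ..., sus). While touching the row, `known security tools (possibly dangerous)` does not say dangerous to whom; `known security tools (dual-use, may be abused by an attacker)` states the point of the namespace.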
126 changes: 63 additions & 63 deletions pkg/action/testdata/scan_archive
@@ -1,9 +1,11 @@
# testdata/apko_nested.tar.gz ∴ /apko_0.13.2_linux_arm64/apko: high
c2/addr/ip_port: medium
c2/server_address: medium
c2/tool_transfer/shell: medium
collect/archives/zip: medium
credential/keychain/keychain: medium
credential/ssh/ssh: medium
credential/keychain: medium
credential/password: low
credential/ssh: medium
credential/ssl/private_key: low
crypto/aes: low
crypto/ecdsa: low
@@ -12,109 +14,107 @@ crypto/tls: low
data/compression/bzip2: low
data/compression/gzip: low
data/compression/zstd: low
data/embedded/embedded/pem/certificate: low
data/embedded/embedded/pem/test_key: low
data/embedded/embedded/ssh/signature: medium
data/embedded/embedded/zstd: medium
data/embedded/pem_certificate: low
data/embedded/pem_test_key: low
data/embedded/ssh_signature: medium
data/embedded/zstd: medium
data/encoding/base64: low
data/encoding/json: low
data/encoding/json/decode: low
data/encoding/json/encode: low
data/encoding/json_decode: low
data/encoding/json_encode: low
data/hash/blake2b: low
data/hash/md5: low
discover/network/interface/list: medium
discover/network/mac/address: medium
discover/network/interface_list: medium
discover/network/mac_address: medium
discover/network/netstat: medium
discover/processes/pgrep: medium
discover/system/cpu/info: low
discover/system/hostname/get: low
discover/system/cpu_info: low
discover/system/hostname_get: low
discover/system/platform: low
discover/user/HOME: low
discover/user/USER: low
discover/user/username/get: medium
evasion/bypass_security/linux/selinux: medium
discover/user/name_get: medium
evasion/bypass_security/linux/se: medium
evasion/hidden_files/hidden: medium
evasion/hide_artifacts/pivot_root: high
exec/plugin: low
exec/program: medium
exec/shell/background/sleep: medium
exec/shell/background_sleep: medium
exec/shell/exec: medium
fs/blkid: low
fs/directory/create: low
fs/directory/list: low
fs/directory/remove: low
fs/fifo/create: low
fs/fifo_create: low
fs/file/delete: low
fs/file/delete/forcibly: low
fs/file/delete_forcibly: low
fs/file/read: low
fs/file/stat: low
fs/file/write: low
fs/link/create: low
fs/link/read: low
fs/lock/update: low
fs/link_create: low
fs/link_read: low
fs/lock_update: low
fs/mount: low
fs/node/create: low
fs/path/bin/su: low
fs/node_create: low
fs/path/bin_su: low
fs/path/etc: low
fs/path/etc/hosts: medium
fs/path/etc/resolv.conf: low
fs/path/etc_hosts: medium
fs/path/etc_resolv.conf: low
fs/path/home: medium
fs/path/home/config: low
fs/path/home_config: low
fs/path/relative: medium
fs/path/root: medium
fs/path/usr/bin: low
fs/path/usr/local: medium
fs/path/usr/sbin: low
fs/path/usr_bin: low
fs/path/usr_local: medium
fs/path/usr_sbin: low
fs/path/var: low
fs/permission/chown: medium
fs/permission/modify: medium
fs/swap/off: low
fs/swap/on: low
fs/symlink/resolve: low
fs/tempfile/create: low
fs/symlink_resolve: low
fs/tempdir/tempfile_create: low
fs/unmount: low
impact/words/exclamation: medium
impact/words/heartbeat: medium
impact/words/password: low
impact/words/plugin: low
impact/words/server_address: medium
net/dns/dns: low
net/dns/dns/reverse: medium
net/dns/dns/servers: low
net/dns/dns/txt: low
net/download/download: medium
impact/remote_access/heartbeat: medium
net/dns: low
net/dns/reverse: medium
net/dns/servers: low
net/dns/txt: low
net/download: medium
net/download/fetch: medium
net/http/content/length/0: medium
net/http/http/accept/encoding: low
net/http/http/auth: low
net/http/http/cookies: medium
net/http/http/form/upload: medium
net/http/http/post: medium
net/http/http/request: low
net/http/http2: low
net/http/http_proxy: low
net/ip/ip: low
net/ip/ip/parse: medium
net/http/2: low
net/http/accept_encoding: low
net/http/auth: low
net/http/content_length_0: medium
net/http/cookies: medium
net/http/form_upload: medium
net/http/post: medium
net/http/proxy: low
net/http/request: low
net/ip: low
net/ip/parse: medium
net/proxy/socks5: medium
net/resolve/hostname/resolve: low
net/socket/socket/listen: low
net/socket/socket/local_addr: low
net/socket/socket/peer/address: low
net/socket/socket/receive: low
net/socket/socket/send: low
net/resolve/hostname: low
net/socket/listen: low
net/socket/local_addr: low
net/socket/peer_address: low
net/socket/receive: low
net/socket/send: low
net/tcp/ssh: medium
net/udp/udp/receive: low
net/udp/udp/send: low
net/udp/receive: low
net/udp/send: low
net/url/embedded: low
net/url/encode: medium
net/url/parse: low
net/url/request: medium
os/fd/sendfile: low
os/kernel/netlink: low
os/time/clock/set: low
persist/cron/crontab: medium
persist/daemon/daemon: medium
os/time/clock_set: low
persist/cron/tab: medium
persist/daemon: medium
process/chdir: low
process/chroot: low
process/executable_path: low
process/groups/set: low
process/groups_set: low
process/unshare: low
sus/exclamation: medium
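Review bot: several renamed IDs in this golden file show the stutter removal cutting into the middle of a word instead of stripping a leading token: `evasion/bypass_security/linux/selinux` becomes `evasion/bypass_security/linux/se`, `net/http/http2` becomes `net/http/2`, `persist/cron/crontab` becomes `persist/cron/tab`, and `discover/user/username/get` becomes `discover/user/name_get`. `se`, `2` and `tab` no longer name the technique and should not be locked in as expected output; the stripping in report.go should drop the resource name only when it is a whole leading token (`linux_`, `http_`, `cron_`, `user_`), so `selinux`, `http2` and `crontab` stay intact. Also check `fs/tempfile/create` turning into `fs/tempdir/tempfile_create`: if the rule was deliberately moved under `tempdir/` that is fine, but as rendered it reads like an accidental rename.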
10 changes: 5 additions & 5 deletions pkg/action/testdata/scan_oci
@@ -1,17 +1,17 @@
# testdata/static.tar.xz ∴ /etc/profile: medium
fs/file/permission/mask/set: none
fs/file/permission_mask_set: none
fs/path/etc: low
fs/path/usr: none
fs/path/usr/local: medium
fs/path/usr_local: medium
persist/shell/bash: medium
persist/shell/init_files: low
# testdata/static.tar.xz ∴ /var/lib/db/sbom/ca-certificates-bundle-20240705-r0.spdx.json: medium
net/download/download: medium
net/download: medium
net/url/embedded: low
# testdata/static.tar.xz ∴ /var/lib/db/sbom/tzdata-2024b-r0.spdx.json: medium
net/download/download: medium
net/download: medium
net/url/embedded: low
os/time/tzinfo: low
# testdata/static.tar.xz ∴ /var/lib/db/sbom/wolfi-baselayout-20230201-r15.spdx.json: medium
net/download/download: medium
net/download: medium
net/url/embedded: low
82 changes: 58 additions & 24 deletions pkg/report/report.go
@@ -44,32 +44,40 @@

// yaraForge has some very, very long rule names.
var yaraForgeJunkWords = map[string]bool{
"controller": true,
"generic": true,
"0": true,
"1": true,
"2": true,
"apt": true,
"malware": true,
"YARAForge": true,
"exe": true,
"mal": true,
"trojan": true,
"m": true,
"hunting": true,
"dynamic": true,
"artefacts": true,

[misspell] reported by reviewdog (GitHub Actions / Lint, pkg/report/report.go:51:2): "artefacts" is a misspelling of "artifacts"
"artifacts": true,
"base": true,
"big": true,
"small": true,
"controller": true,
"dynamic": true,
"encoded": true,
"exe": true,
"forensic": true,
"forensicartifacts": true,
"lnx": true,
"generic": true,
"greyware": true,
"hunting": true,
"indicator": true,
"keyword": true,
"linux": true,
"lnx": true,
"m": true,
"mac": true,
"macos": true,
"mal": true,
"malware": true,
"offensive": true,
"osx": true,
"mac": true,
"tool": true,
"keyword": true,
"indicator": true,
"small": true,
"suspicious": true,
"offensive": true,
"greyware": true,
"tool": true,
"trojan": true,
"unix": true,
"YARAForge": true,
}

// thirdPartyCriticalSources are 3P sources that default to critical.
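Review bot: changing `artefacts` to `artifacts` to satisfy the misspell linter changes behaviour, not just spelling: this map is a stop-word list for tokens taken from YARA Forge rule names, and the base file had `artefacts` presumably because real rule names use the British spelling. Either keep both spellings in the map, or keep `artefacts` and mark that line with a `//nolint:misspell` comment. Separately, every other key is lowercase but `YARAForge` is not; if the keep loop checks these keys against `words`, which are produced by `strings.Split(strings.ToLower(rule), "_")`, the mixed-case entry can only ever match the un-lowercased `subDir` value. Confirm that is intended or add a lowercase `yaraforge` key.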
@@ -104,18 +112,18 @@
// include the directory
pathParts := strings.Split(path, "/")
subDir := pathParts[slices.Index(pathParts, "yara")+1]

words := []string{subDir}

// ELASTIC_Linux_Trojan_Gafgyt_E4A1982B
words = append(words, strings.Split(strings.ToLower(rule), "_")...)

// strip off the last wold if it's a hex key
// strip off the last word if it's a hex key
lastWord := words[len(words)-1]
_, err := strconv.ParseUint(lastWord, 16, 64)
if err == nil {
words = words[0 : len(words)-1]
}

var keepWords []string
for x, w := range words {
// ends with a date
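Review bot: the hex-key check `strconv.ParseUint(lastWord, 16, 64)` accepts any word made only of hex digits, so ordinary final tokens such as `dead`, `beef`, `cafe`, `face`, `add` or `deb` would be stripped from the rule name along with real keys. The example in the comment (`ELASTIC_Linux_Trojan_Gafgyt_E4A1982B`) has an 8-digit key, so require a minimum length (for example `len(lastWord) >= 8`) before treating the last word as a hash. In the unchanged context above, `pathParts[slices.Index(pathParts, "yara")+1]` panics when `yara` is the last path element and silently picks `pathParts[0]` when it is absent (Index returns -1); a bounds check there would be cheap. The `wold` -> `word` typo fix is fine.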
@@ -134,8 +142,16 @@
keepWords = keepWords[0:4]
}

key := fmt.Sprintf("3P/%s", strings.Join(keepWords, "/"))
return strings.ReplaceAll(key, "signature/base", "signature_base")
src := keepWords[0]

// Fix name for https://github.com/Neo23x0/signature-base within YARAForge
if src == "signature" {
src = "sig_base"
}
rulename := keepWords[1:]

key := fmt.Sprintf("3P/%s/%s", src, strings.Join(rulename, "_"))
return key
}

// thirdParty returns whether the rule is sourced from a 3rd party.
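Review bot: `src := keepWords[0]` and `keepWords[1:]` assume `keepWords` is non-empty, but the loop above filters words and `words[0]` (the `subDir`) can itself be a junk word, so a rule whose tokens are all filtered panics here. Guard with a length check before indexing, e.g. `if len(keepWords) == 0 { return "3P/" + strings.ToLower(rule) }` or another explicit fallback. The `signature` -> `sig_base` rename also appears to rely on `base` being removed by the junk-word filter (it is in the new list), otherwise keys would come out as `3P/sig_base/base_...`; a one-line comment saying so would stop someone dropping `base` from the list without noticing the effect.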
@@ -153,8 +169,26 @@
return thirdPartyKey(src, rule)
}

key := strings.ReplaceAll(src, "-", "/")
return strings.ReplaceAll(key, ".yara", "")
key := strings.ReplaceAll(src, "-", "_")
key = strings.ReplaceAll(key, ".yara", "")

// Reduce stutter: if the rule is prefixed with the directory name, remove the prefix

dirParts := strings.Split(key, "/")
// ID's generally follow: `<namespace>/<resource>/<technique>`
ns := dirParts[0]
// namespaces can have dashes, like 'anti-static'
ns = strings.ReplaceAll(ns, "_", "-")
rsrc := dirParts[len(dirParts)-2]
tech := dirParts[len(dirParts)-1]

tech = strings.ReplaceAll(tech, rsrc, "")
tech = strings.ReplaceAll(tech, "__", "_")
tech = strings.Trim(tech, "_")

dirParts[0] = ns
dirParts[len(dirParts)-1] = tech
return strings.TrimSuffix(strings.Join(dirParts, "/"), "/")
}

func generateRuleURL(src string, rule string) string {
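Review bot: `tech = strings.ReplaceAll(tech, rsrc, "")` removes every occurrence of the resource name anywhere inside the technique, not just a leading stutter, which is exactly what produces the truncated IDs in the updated testdata (`linux/selinux` -> `linux/se`, `http/http2` -> `http/2`, `cron/crontab` -> `cron/tab`, `user/username_get` -> `user/name_get`). Make it prefix-only, e.g. `if tech == rsrc { tech = "" } else { tech = strings.TrimPrefix(tech, rsrc+"_") }`; the existing `TrimSuffix(..., "/")` still collapses `net/download/download` to `net/download` and `credential/ssh/ssh` to `credential/ssh`, while `selinux`, `http2` and `crontab` are left alone, and the `__` and `Trim` clean-ups become unnecessary. Two smaller points in the same hunk: `dirParts[len(dirParts)-2]` panics when `src` contains no `/` (len(dirParts) == 1), so check the length before indexing; and `strings.ReplaceAll(key, ".yara", "")` strips `.yara` from anywhere in the path where `strings.TrimSuffix` is what is meant.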
12 files renamed without changes.
10 changes: 0 additions & 10 deletions rules/exec/process-control.yara

This file was deleted.

4 files renamed without changes.
2 changes: 1 addition & 1 deletion rules/false_positives/filebeat.yara
@@ -1,7 +1,7 @@
rule misp_mdjson: override {
meta:
description = "misp_sample.mdjson.log"
lvt = "medium"
lvt_locker = "medium"

strings:
$attribute = "Attribute"
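Review bot: `lvt` -> `lvt_locker` in this `override` meta only takes effect if it exactly matches the identifier of the rule it is meant to downgrade, and an override naming a rule that no longer exists would simply stop applying rather than fail loudly unless the loader checks for that. Grep rules/false_positives for any remaining `lvt =` entries, and add a test asserting that the `misp_sample.mdjson.log` sample still scores `medium` after the rename.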
13 changes: 0 additions & 13 deletions rules/false_positives/sqlpad.yara

This file was deleted.
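Review bot: rules/false_positives/sqlpad.yara is a false-positive override, so deleting it rather than renaming it means whatever findings it suppressed for SQLPad score at their raw level again. If the suppression moved into another rule, the PR should say where; otherwise a golden file should show the re-enabled finding, and none of the updated scan_* files in this PR cover it.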

23 files renamed without changes.