diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive index 9623468d2..45e3bfcfa 100644 --- a/pkg/action/testdata/scan_archive +++ b/pkg/action/testdata/scan_archive @@ -1626,15 +1626,16 @@ "RuleName": "temp" }, { - "Description": "Uses mktemp to create temporary files", + "Description": "creates temporary files", "MatchStrings": [ "mktemp", - "temp file" + "temp file", + "tmpfile" ], "RiskScore": 1, "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp", - "ID": "fs/tempdir/tempfile_create", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp", + "ID": "fs/tempfile", "RuleName": "mktemp" }, { diff --git a/rules/anti-static/elf/multiple.yara b/rules/anti-static/elf/multiple.yara new file mode 100644 index 000000000..db1efd6c1 --- /dev/null +++ b/rules/anti-static/elf/multiple.yara @@ -0,0 +1,12 @@ +import "elf" + +rule multiple_elf: medium { + meta: + description = "multiple ELF binaries within an ELF binary" + + strings: + $elf_head = "\x7fELF" + + condition: + uint32(0) == 1179403647 and #elf_head > 1 +} diff --git a/rules/anti-static/obfuscation/hidden_literals.yara b/rules/anti-static/obfuscation/hidden_literals.yara new file mode 100644 index 000000000..ea2daf033 --- /dev/null +++ b/rules/anti-static/obfuscation/hidden_literals.yara @@ -0,0 +1,10 @@ +rule hidden_literals: medium { + meta: + description = "references hidden literals" + + strings: + $ref = "hidden_literals" + + condition: + filesize < 10MB and $ref +} diff --git a/rules/anti-static/xor/xor-commands.yara b/rules/anti-static/xor/xor-commands.yara index 3b9812aa1..b7b482967 100644 --- a/rules/anti-static/xor/xor-commands.yara +++ b/rules/anti-static/xor/xor-commands.yara 
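Review bot: `import "elf"` at the top of rules/anti-static/elf/multiple.yara is never used — the condition checks the magic with `uint32(0) == 1179403647` and counts `$elf_head`, and no `elf.*` field is referenced — so the import should be dropped rather than left as a hint the rule parses headers. The neighbouring anti-static rules bound their scans with `filesize < 10MB`; this one has no size guard, so `filesize < 10MB and uint32(0) == 1179403647 and #elf_head > 1` would keep it consistent. Since `#elf_head` counts every raw `\x7fELF` sequence, including the magic carried as a string constant by ELF-aware tooling, the description might acknowledge that it is a raw-byte count, e.g. `description = "contains more than one ELF magic (possible embedded ELF binary)"`.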
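Review bot: `$ref = "hidden_literals"` in rules/anti-static/obfuscation/hidden_literals.yara is a bare identifier with no `ref =` meta explaining which family or sample carries it, so the `medium` rating cannot be audited later; the description "references hidden literals" only restates the string. The same pattern appears in rules/persist/plugin.yara (`$ref = "plugin_persist"`, rated `high`). Add a `ref =` line pointing at the source of the token in both files, and say in the description what the token indicates rather than repeating it.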
@@ -3,41 +3,32 @@ rule xor_commands: high { description = "commands obfuscated using xor" strings: - $b_chmod = "chmod " xor(1-31) - $b_curl = "curl -" xor(1-31) - $b_bin_sh = "/bin/sh" xor(1-31) - $b_bin_bash = "/bin/bash" xor(1-31) - $b_openssl = "openssl" xor(1-31) - $b_dev_null = "/dev/null" xor(1-31) - $b_usr_bin = "/usr/bin" xor(1-31) - $b_usr_sbin = "/usr/sbin" xor(1-31) - $b_var_tmp = "/var/tmp" xor(1-31) - $b_var_run = "/var/run" xor(1-31) - $b_screen_dm = "screen -" xor(1-31) - $b_zmodload = "zmodload" xor(1-31) - $b_dev_tcp = "/dev/tcp" xor(1-31) - $b_bash_i = "bash -i" xor(1-31) - $b_bash_c = "bash -c" xor(1-31) - $b_base64 = "base64" xor(1-31) - $b_eval = "eval(" xor(1-31) - $b_chmod2 = "chmod " xor(33-255) - $b_curl2 = "curl -" xor(33-255) - $b_bin_sh2 = "/bin/sh" xor(33-255) - $b_bin_bash2 = "/bin/bash" xor(33-255) - $b_openssl2 = "openssl" xor(33-255) - $b_dev_null2 = "/dev/null" xor(33-255) - $b_usr_bin2 = "/usr/bin" xor(33-255) - $b_usr_sbin2 = "/usr/sbin" xor(33-255) - $b_var_tmp2 = "/var/tmp" xor(33-255) - $b_var_run2 = "/var/run" xor(33-255) - $b_screen_dm2 = "screen -" xor(33-255) - $b_zmodload2 = "zmodload" xor(33-255) - $b_dev_tcp2 = "/dev/tcp" xor(33-255) - $b_bash_i2 = "bash -i" xor(33-255) - $b_bash_c2 = "bash -c" xor(33-255) - $b_base642 = "base64" xor(33-255) - $b_eval2 = "eval(" xor(33-255) - + $b_chmod = "chmod " xor(1-31) + $b_curl = "curl -" xor(1-31) + $b_bin_sh = "/bin/sh" xor(1-31) + $b_bin_bash = "/bin/bash" xor(1-31) + $b_openssl = "openssl" xor(1-31) + $b_screen_dm = "screen -" xor(1-31) + $b_zmodload = "zmodload" xor(1-31) + $b_dev_tcp = "/dev/tcp" xor(1-31) + $b_bash_i = "bash -i" xor(1-31) + $b_bash_c = "bash -c" xor(1-31) + $b_base64 = "base64" xor(1-31) + $b_eval = "eval(" xor(1-31) + $b_chmod2 = "chmod " xor(33-255) + $b_curl2 = "curl -" xor(33-255) + $b_bin_sh2 = "/bin/sh" xor(33-255) + $b_bin_bash2 = "/bin/bash" xor(33-255) + $b_openssl2 = "openssl" xor(33-255) + $b_screen_dm2 = "screen -" xor(33-255) + $b_zmodload2 = 
"zmodload" xor(33-255) + $b_dev_tcp2 = "/dev/tcp" xor(33-255) + $b_bash_i2 = "bash -i" xor(33-255) + $b_bash_c2 = "bash -c" xor(33-255) + $b_base642 = "base64" xor(33-255) + $b_eval2 = "eval(" xor(33-255) + $b_xterm = "TERM=xterm" xor(1-31) + $b_xterm2 = "TERM=xterm" xor(33-255) $not_password_list = "qwer1234" condition: diff --git a/rules/anti-static/xor/xor-paths.yara b/rules/anti-static/xor/xor-paths.yara new file mode 100644 index 000000000..8c243288c --- /dev/null +++ b/rules/anti-static/xor/xor-paths.yara @@ -0,0 +1,32 @@ +rule xor_paths: high { + meta: + description = "paths obfuscated using xor" + + strings: + $dev_shm = "/dev/shm" xor(1-31) + $dev_shm2 = "/dev/shm" xor(33-255) + $dev_null = "/dev/null" xor(1-31) + $dev_null2 = "/dev/null" xor(33-255) + $dev_stdin = "/dev/stdin" xor(1-31) + $dev_stdin2 = "/dev/stdin" xor(33-255) + $dev_stderr = "/dev/stderr" xor(1-31) + $dev_stderr2 = "/dev/stderr" xor(33-255) + $proc_net_tcp = "/proc/net/tcp" xor(1-31) + $proc_net_tcp2 = "/proc/net/tcp" xor(33-255) + $var_log_wtmp = "/var/log/wtmp" xor(1-31) + $var_log_wtmp2 = "/var/log/wtmp" xor(33-255) + $var_run_utmp = "/var/run/utmp" xor(1-31) + $var_run_utmp2 = "/var/run/utmp" xor(33-255) + $usr_bin = "/usr/bin" xor(1-31) + $usr_sbin = "/usr/sbin" xor(1-31) + $var_tmp = "/var/tmp" xor(1-31) + $var_run = "/var/run" xor(1-31) + $usr_bin2 = "/usr/bin" xor(33-255) + $usr_sbin2 = "/usr/sbin" xor(33-255) + $var_tmp2 = "/var/tmp" xor(33-255) + $var_run2 = "/var/run" xor(33-255) + + condition: + filesize < 10MB and any of them +} + diff --git a/rules/anti-static/xor/xor-terms.yara b/rules/anti-static/xor/xor-terms.yara new file mode 100644 index 000000000..fa2a0577b --- /dev/null +++ b/rules/anti-static/xor/xor-terms.yara 
@@ -0,0 +1,26 @@ +rule xor_terms: high { + meta: + description = "terms obfuscated using xor" + + strings: + $LIBRARY = "LIBRARY" xor(1-31) + $LIBRARY2 = "LIBRARY" xor(33-255) + $INFECT = "INFECT" xor(1-31) + $INFECT2 = "INFECT" xor(33-255) + $MAGIC = "MAGIC" xor(1-31) + $MAGIC2 = "MAGIC" xor(33-255) + $plugin = "plugin" xor(1-31) + $plugin2 = "plugin2" xor(33-255) + $debug = "debug" xor(1-31) + $debug2 = "debug2" xor(33-255) + $evil = " evil " xor(1-31) + $evil2 = " evil " xor(33-255) + $environ = "environ" xor(1-31) + $environ2 = "environ" xor(33-255) + + $xterm = "xterm" xor(1-31) + $xterm2 = "xterm" xor(33-255) + + condition: + filesize < 5MB and any of them +} diff --git a/rules/discover/multiple.yara b/rules/discover/multiple.yara index 512f1c036..6862fddac 100644 --- a/rules/discover/multiple.yara +++ b/rules/discover/multiple.yara @@ -6,6 +6,7 @@ rule sys_net_recon: medium { $net_ipconfig = "ipconfig" fullword $net_ipaddr = "ipaddr" fullword $sys_getpass = "getpass.getuser" + $sys_whoami = "whoami" fullword $sys_platform_node = "platform.node()" fullword $sys_platform_platform = "platform.platform()" fullword $sys_platform_system = "platform.system()" fullword @@ -19,8 +20,8 @@ rule sys_net_recon: medium { $sys_id = "id" fullword $sys_lspi = "lspci" $sys_sudo = /sudo.{0,4}-l/ - $sys_uname = "uname -a" - $sys_whoami = "whoami" fullword + $sys_uname_a = "uname -a" + $sys_uname_r = "uname -r" $sys_macos = "isPlatformOrVariant" $sys_systeminfo = "systeminfo" fullword 
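Review bot: `$plugin2 = "plugin2" xor(33-255)` and `$debug2 = "debug2" xor(33-255)` carry the identifier's `2` suffix inside the literal, so the 33–255 key range searches for the XOR of `plugin2`/`debug2`, not of `plugin`/`debug` as the `$plugin`/`$debug` lines do; the literals should be `"plugin"` and `"debug"`. The same slip is in `infected_xor` in rules/impact/infection/infected.yara (`"infected2"`, `"INFECTED2"`). Separately, `$xterm`/`$xterm2` here overlap with `$b_xterm = "TERM=xterm"`/`$b_xterm2` added to `xor_commands` in rules/anti-static/xor/xor-commands.yara in this same change: an XOR-encoded `TERM=xterm` contains an XOR-encoded `xterm` under the same key, so one artifact fires two high-severity rules, and `TERM=xterm` is an environment assignment rather than a command in any case. Keep the term in one rule.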
@@ -28,6 +29,39 @@ rule sys_net_recon: medium { filesize < 512KB and any of ($sys*) and any of ($net*) } +rule user_sys_net_disk_recon: high { + meta: + description = "collects user, system, disk, and network information" + + strings: + $net_ipconfig = "ipconfig" + $net_ipaddr = "ipaddr" fullword + $user_getpass = "getpass.getuser" + $user_whoami = "whoami" + $sys_platform_node = "platform.node()" fullword + $sys_platform_platform = "platform.platform()" fullword + $sys_platform_system = "platform.system()" fullword + $sys_tasklist = /tasklist.{0,4}\/svc/ fullword + $net_ifconfig = "ifconfig" fullword + $net_ip_addr = /ip.{0,4}addr/ fullword + $net_ip_route = /ip.{0,4}route/ + $net_netstat = /netstat.{0,4}-[arn]/ + $net_ufw = /ufw.{0,4}status/ + $sys_hostname = "hostname" fullword + $sys_id = "id" fullword + $sys_lspi = "lspci" + $sys_sudo = /sudo.{0,4}-l/ + $sys_uname_a = "uname -a" + $sys_uname_r = "uname -r" + $sys_macos = "isPlatformOrVariant" + $sys_systeminfo = "systeminfo" fullword + $disk_df_h = "df -h" + $disk_space = "Disk space" + + condition: + filesize < 512KB and any of ($sys*) and any of ($net*) and any of ($user*) and any of ($disk*) +} + private rule discover_obfuscate { strings: $b64decode = "b64decode" diff --git a/rules/evasion/file/location/multiple.yara b/rules/evasion/file/location/multiple.yara index 7039993b6..675c72215 100644 --- a/rules/evasion/file/location/multiple.yara +++ b/rules/evasion/file/location/multiple.yara @@ -1,4 +1,4 @@ -rule multiple_elf: high linux { +rule multiple_elf_system_paths: high linux { meta: description = "references multiple system paths, may be trying to hide content" diff --git a/rules/evasion/file/prefix/prefix.yara b/rules/evasion/file/prefix/prefix.yara index 7525429b7..088a49d05 100644 --- a/rules/evasion/file/prefix/prefix.yara +++ b/rules/evasion/file/prefix/prefix.yara 
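Review bot: `$net_ipconfig = "ipconfig"` and `$user_whoami = "whoami"` in the new `user_sys_net_disk_recon` rule drop the `fullword` modifier that the sibling `sys_net_recon` strings carry (`"ipconfig" fullword`, `"whoami" fullword` in the hunks above), so the `high` rule is looser than the `medium` one and `whoami` inside a longer token counts as user discovery. Restore them: `$net_ipconfig = "ipconfig" fullword` and `$user_whoami = "whoami" fullword`. Because the remaining strings are a copy of `sys_net_recon` and the condition only adds `$user*`/`$disk*` requirements, every file this rule matches also matches `sys_net_recon`; if that double report is intended, a one-line comment above the rule saying so would save the next reader the comparison.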
@@ -23,6 +23,18 @@ rule static_hidden_path: medium { $ref } +rule known_hidden_path: critical { + meta: + description = "known hidden file path" + + strings: + $xl1 = /[a-z\/]{0,24}\/(var|usr|tmp|lib)\/[a-z\/]{0,24}\/\.Xl1[\w\_\-\.]{0,16}/ + $kde_root = /[a-z\/]{0,24}\/(var|usr|tmp|lib)\/[a-z\/]{0,24}\/\.kde-root[\w\_\-\.]{0,16}/ + + condition: + any of them +} + rule hidden_path: medium { meta: description = "hidden path in a system directory" diff --git a/rules/evasion/logging/hide_shell_history.yara b/rules/evasion/logging/hide_shell_history.yara index 2b7151734..88b3b1a76 100644 --- a/rules/evasion/logging/hide_shell_history.yara +++ b/rules/evasion/logging/hide_shell_history.yara @@ -16,6 +16,18 @@ rule hide_shell_history: high { any of ($h*) and none of ($not*) } +rule histfile_xor: high { + meta: + description = "commands obfuscated using xor" + + strings: + $HISTFILE = "HISTFILE" xor(1-31) + $HISTFILE2 = "HISTFILE" xor(33-255) + + condition: + filesize < 10MB and any of them +} + rule histfile_savehist_ld: high { meta: description = "likely hides shell command history" diff --git a/rules/evasion/rootkit/userspace.yara b/rules/evasion/rootkit/userspace.yara index 8e42dbc53..65e3193ef 100644 --- a/rules/evasion/rootkit/userspace.yara +++ b/rules/evasion/rootkit/userspace.yara @@ -46,6 +46,22 @@ rule readdir_intercept: high { filesize < 2MB and uint32(0) == 1179403647 and all of ($r*) and none of ($not*) } +rule readdir_dlsym_interceptor: high { + meta: + description = "userland rootkit designed to hide files (readdir)" + + filetypes = "so,c" + + strings: + $dlsym = "dlsym" fullword + $readdir64 = "readdir64" fullword + $readlink_maybe_not_needed = "readlink" + $proc = "/proc" + + condition: + filesize < 1MB and uint32(0) == 1179403647 and all of them +} + rule readdir_tcp_wrapper_intercept: high { meta: description = "userland rootkit designed to hide files and bypass tcp-wrappers" 
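Review bot: `known_hidden_path` is rated `critical` but carries no `ref =` meta naming the family or samples that use `.Xl1`/`.kde-root`, and no `filesize` guard, so the rating rests on nothing a reviewer can check; add `ref = "<SOURCE_URL_PLACEHOLDER>"` pointing at the supporting report. In the character class `[\w\_\-\.]`, `\w` already contains `_` and `.` needs no escape inside a class, so `[\w\-.]{0,16}` is equivalent and easier to read in both regexes.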
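Review bot: `description = "commands obfuscated using xor"` on `histfile_xor` is copied from `xor_commands`; the rule looks for the environment variable `HISTFILE`, not a command, so it should read `description = "references HISTFILE, obfuscated using xor"`. The `xor(1-31)`/`xor(33-255)` split that skips 0x20 follows the convention of the other xor rules in this change, which is worth a short comment on the first such rule since it is not obvious why key 32 is omitted.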
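Review bot: `$readlink_maybe_not_needed = "readlink"` in `readdir_dlsym_interceptor` is a TODO in disguise: under `all of them` it is a hard requirement, so a library that hooks `readdir64` via `dlsym` and touches `/proc` but never references `readlink` is missed, and the name tells the next maintainer nothing about why it is present. Decide now — drop the string, or rename it `$readlink` and relax the condition to `filesize < 1MB and uint32(0) == 1179403647 and 3 of them`. `filetypes = "so,c"` is also inconsistent with `uint32(0) == 1179403647`, which only ELF objects satisfy, so `.c` sources can never match; use `filetypes = "so,elf"` or drop the magic check.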
diff --git a/rules/exec/dylib/symbol-address.yara b/rules/exec/dylib/symbol-address.yara index 4782a0f70..a6c5750ed 100644 --- a/rules/exec/dylib/symbol-address.yara +++ b/rules/exec/dylib/symbol-address.yara @@ -4,7 +4,8 @@ rule dlsym: medium { description = "get the address of a symbol" strings: - $ref = "dlsym" fullword + $ref = "dlsym" fullword + $ref2 = "dlvsym" fullword condition: any of them diff --git a/rules/exec/program/program.yara b/rules/exec/program/program.yara index 428d84bb2..be4066cfd 100644 --- a/rules/exec/program/program.yara +++ b/rules/exec/program/program.yara @@ -161,3 +161,25 @@ rule npm_exec: medium { condition: all of them } + +rule hash_bang_bash_exec: high { + meta: + description = "starts program from a hash-bang line" + + strings: + $bin_bash = /#!\/bin\/bash\s{1,256}\/[\w\/\.\-]{2,64}/ + + condition: + all of them and $bin_bash at 0 +} + +rule hash_bang_sh_exec: high { + meta: + description = "starts program from a hash-bang line" + + strings: + $bin_sh = /#!\/bin\/sh\s{1,256}\/[\w\/\.\-]{2,64}/ + + condition: + all of them and $bin_sh at 0 +} diff --git a/rules/exec/shell/arbitrary_command-dev_null.yara b/rules/exec/shell/arbitrary_command-dev_null.yara index 2bd198f4e..0b2fe5364 100644 --- a/rules/exec/shell/arbitrary_command-dev_null.yara +++ b/rules/exec/shell/arbitrary_command-dev_null.yara @@ -17,6 +17,7 @@ rule cmd_dev_null_quoted: high { strings: $ref = /"%s" {0,2}[12&]{0,1}> {0,1}\/dev\/null/ $ref2 = "\"%s\" >/dev/null" + $ref3 = /.{0,64} %s 2\>\/dev\/null/ condition: any of them diff --git a/rules/fs/proc/pid-cmdline.yara b/rules/fs/proc/pid-cmdline.yara index 091531d88..94369703b 100644 --- a/rules/fs/proc/pid-cmdline.yara +++ b/rules/fs/proc/pid-cmdline.yara @@ -1,3 +1,5 @@ +import "math" + rule proc_s_cmdline: high { meta: description = "access command-line of other processes" 
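Review bot: `\s{1,256}` in `$bin_bash` and `$bin_sh` includes newlines, so each regex matches any bash/sh script whose first statement begins with an absolute path (`#!/bin/bash` followed by a line starting `/usr/bin/...`), which is common in benign wrapper scripts; if the intent is an argument on the shebang line itself, use `[ \t]{1,256}`, otherwise `high` looks too aggressive for this pattern. `all of them and $bin_bash at 0` is redundant with a single string — `$bin_bash at 0` alone is the condition — and the two rules differ only by interpreter, so one rule with `($bin_bash at 0 or $bin_sh at 0)` would do. Both descriptions are identical; name the interpreter in each.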
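Review bot: the leading `.{0,64}` in `$ref3 = /.{0,64} %s 2\>\/dev\/null/` does not narrow what `cmd_dev_null_quoted` accepts — the condition is `any of them` and no offset or length is used — it only lengthens each match and multiplies the regex work per candidate position, and `\>` is an unnecessary escape. `$ref3 = / %s 2>\/dev\/null/` is equivalent for this condition. The enclosing rule's `meta:` section is outside the hunk.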
@@ -45,3 +47,16 @@ rule proc_py_cmdline: high { condition: any of them } + +rule proc_cmdline_near: high { + meta: + description = "access command-line for other processes" + + strings: + $proc = "/proc" fullword + $fmt = "cmdline" fullword + $fmt_d = "%d" fullword + + condition: + all of them and math.abs(@proc - @fmt) < 64 and math.abs(@fmt - @fmt_d) < 64 +} diff --git a/rules/fs/proc/pid-fd.yara b/rules/fs/proc/pid-fd.yara index 2509a50cf..0e5a2751d 100644 --- a/rules/fs/proc/pid-fd.yara +++ b/rules/fs/proc/pid-fd.yara @@ -27,3 +27,15 @@ rule proc_fd_high: medium { condition: $ref and none of ($not*) } + +rule inspects_opened_sockets: high { + meta: + description = "inspects open file descriptors, looking for sockets" + + strings: + $ref = "socket:[" fullword + $ref2 = /\/proc\/[%{$][\w\}]{0,12}\/fd/ + + condition: + all of them +} diff --git a/rules/fs/proc/pid-stat.yara b/rules/fs/proc/pid-stat.yara new file mode 100644 index 000000000..947fbeee0 --- /dev/null +++ b/rules/fs/proc/pid-stat.yara @@ -0,0 +1,26 @@ +import "math" + +rule proc_pid_stat: medium { + meta: + description = "access status fields for other processes" + + strings: + $string = "/proc/%s/stat" fullword + $digit = "/proc/%d/stat" fullword + $python = "/proc/{}/stat" fullword + + condition: + any of them +} + +rule proc_pid_stat_near: medium { + meta: + description = "access status fields for other processes" + + strings: + $proc = "/proc" fullword + $fmt = /%[sd]\/stat/ fullword + + condition: + all of them and math.abs(@proc - @fmt) < 128 +} diff --git a/rules/fs/proc/pid-status.yara b/rules/fs/proc/pid-status.yara index 1900d3a42..6f84d4279 100644 --- a/rules/fs/proc/pid-status.yara +++ b/rules/fs/proc/pid-status.yara @@ -1,3 +1,5 @@ +import "math" + rule proc_status: medium { meta: description = "access status fields for other processes" 
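Review bot: `@proc` and `@fmt` without an index are the offsets of the first occurrence only, so `math.abs(@proc - @fmt) < 64` compares the first `/proc` in the file with the first `cmdline`; in a binary where `/proc` appears early (for instance `/proc/self/exe`) and `/proc`, `%d` and `cmdline` sit together much later, `proc_cmdline_near` misses. Iterate the occurrences instead: `for any i in (1..#proc) : (for any j in (1..#fmt) : (math.abs(@proc[i] - @fmt[j]) < 64))`, and do the same for the `$fmt`/`$fmt_d` pair. The same first-occurrence issue is in `proc_pid_stat_near` (rules/fs/proc/pid-stat.yara) and `proc_status_near` (rules/fs/proc/pid-status.yara). The description `"access command-line for other processes"` differs from the sibling rules' `"access command-line of other processes"` for no reason; reuse the existing wording.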
@@ -10,3 +12,15 @@ rule proc_status: medium { condition: any of them } + +rule proc_status_near: medium { + meta: + description = "access status fields for other processes" + + strings: + $proc = "/proc" fullword + $fmt = /%[sd]\/status/ fullword + + condition: + all of them and math.abs(@proc - @fmt) < 128 +} diff --git a/rules/fs/tempdir/tempfile-create.yara b/rules/fs/tempfile.yara similarity index 61% rename from rules/fs/tempdir/tempfile-create.yara rename to rules/fs/tempfile.yara index 02ccf7ab1..bd8037ecc 100644 --- a/rules/fs/tempdir/tempfile-create.yara +++ b/rules/fs/tempfile.yara @@ -1,12 +1,13 @@ rule mktemp { meta: - description = "Uses mktemp to create temporary files" + description = "creates temporary files" strings: $ref = "mktemp" fullword $ref2 = "temp file" $ref3 = "ioutil/tempfile" - $ref4 = "createTempFile" + $ref4 = "tmpfile" + $ref5 = "createTempFile" condition: any of them diff --git a/rules/impact/degrade/systemd.yara b/rules/impact/degrade/systemd.yara new file mode 100644 index 000000000..f030e4355 --- /dev/null +++ b/rules/impact/degrade/systemd.yara @@ -0,0 +1,21 @@ +rule systemd_disabler: medium { + meta: + description = "disables systemd services" + + strings: + $ref = "systemctl disable" + + condition: + filesize < 10MB and any of them +} + +rule systemd_disabler_high: high { + meta: + description = "disables arbitrary systemd services, hiding output" + + strings: + $ref = "systemctl disable %s 2>/dev/null" + + condition: + filesize < 10MB and any of them +} diff --git a/rules/impact/infection/infected.yara b/rules/impact/infection/infected.yara index 55f65adcd..101533ea6 100644 --- a/rules/impact/infection/infected.yara +++ b/rules/impact/infection/infected.yara 
@@ -10,6 +10,20 @@ rule infected: medium { filesize < 5MB and any of them } +rule infected_xor: high { + meta: + description = "References being 'infected', obfuscated using XOR" + + strings: + $infected = "infected" xor(1-31) + $infected2 = "infected2" xor(33-255) + $INFECTED = "INFECTED" xor(1-31) + $INFECTED2 = "INFECTED2" xor(33-255) + + condition: + filesize < 5MB and any of them +} + rule infection: medium { meta: description = "References 'infection'" diff --git a/rules/malware/family/beurk.yara b/rules/malware/family/beurk.yara new file mode 100644 index 000000000..815a2d848 --- /dev/null +++ b/rules/malware/family/beurk.yara @@ -0,0 +1,34 @@ +rule beurk: critical linux { + meta: + description = "BEURK userland process hider" + + filetypes = "elf,so" + ref = "https://github.com/unix-thrust/beurk" + + strings: + $ = "dlsym" fullword + $ = "__non_hooked_symbols" + $ = "__hidden_literals" + $ = "readdir" + + condition: + filesize < 2MB and 3 of them +} + +rule beurk_xor: critical linux { + meta: + description = "BEURK userland process hider (xor)" + + filetypes = "elf,so" + ref = "https://github.com/unix-thrust/beurk" + + strings: + $ = "BEURK" xor(1-31) fullword + $ = "BEURK" xor(33-255) fullword + $ = "b3urkR0cks" xor(1-31) + $ = "b3urkR0cks" xor(33-255) + + condition: + filesize < 2MB and any of them +} + diff --git a/rules/malware/family/gelsemium.yara b/rules/malware/family/gelsemium.yara new file mode 100644 index 000000000..19ba3407b --- /dev/null +++ b/rules/malware/family/gelsemium.yara 
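Review bot: `$ = "BEURK" xor(1-31) fullword` and `$ = "BEURK" xor(33-255) fullword` in `beurk_xor` combine `fullword` with `xor`; as far as I know YARA's `fullword` test inspects the raw bytes adjacent to the match, which in an XOR-encoded blob are themselves encoded, so the modifier neither enforces a word boundary in the decoded text nor reliably removes substring hits — confirm against the YARA documentation, and drop it if so, which also matches the other xor rules in this change that omit it. In `beurk`, the four anonymous `$` strings with `3 of them` make the threshold hard to audit; naming them (`$dlsym`, `$non_hooked`, `$hidden_literals`, `$readdir`) costs nothing and lets the condition say which combinations are meant to count.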
@@ -0,0 +1,27 @@ +rule wolfsbane_config: critical linux { + meta: + description = "Wolfsbane Malware (configuration)" + ref = "https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/" + + strings: + $config_clientpath = "clientpath" wide + $config_hiderpath = "hiderpath" wide + $config_pluginkey = "pluginkey" wide + $config_mainpath = "mainpath" wide + + condition: + filesize < 10MB and all of them +} + +rule wolfsbane_rc4_key: critical linux { + meta: + description = "Wolfsbane Malware (RC4 key)" + ref = "https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/" + + strings: + $rc4_key = "8825FC47153E264D" wide + + condition: + filesize < 10MB and all of them +} + diff --git a/rules/net/ip/ip-byte-order.yara b/rules/net/ip/ip-byte-order.yara index dcdd7add8..33a9f7d33 100644 --- a/rules/net/ip/ip-byte-order.yara +++ b/rules/net/ip/ip-byte-order.yara @@ -6,6 +6,7 @@ rule htonl: medium { strings: $ref = "htonl" fullword $ref2 = "htons" fullword + $ref3 = "ntohs" fullword condition: any of them in (1300..3000) diff --git a/rules/net/udp/kcp.yara b/rules/net/udp/kcp.yara new file mode 100644 index 000000000..636e8f9b7 --- /dev/null +++ b/rules/net/udp/kcp.yara @@ -0,0 +1,15 @@ +rule kcp_go: medium { + meta: + description = "uses kcp-go, a reliable UDP library for Go" + + strings: + $ = "ikcp_waitsnd" + $ = "IKCP_CMD_WINS" + $u_ssdp_discover = "ssdp:discover" + $u_addr = "239.255.255.250" + $not_igd = "UPnP/IGD" + $not_c1 = "CaptureOne" + + condition: + any of them +} diff --git a/rules/os/fd/print.yara b/rules/os/fd/print.yara new file mode 100644 index 000000000..acc3a6cf3 --- /dev/null +++ b/rules/os/fd/print.yara @@ -0,0 +1,12 @@ +rule fd_print: low { + meta: + description = "print to file descriptor" + pledge = "stdio" + syscall = "pwrite64" + + strings: + $ref = "dprintf" fullword + + condition: + any of them +} 
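Review bot: with `condition: any of them`, `$not_igd = "UPnP/IGD"` and `$not_c1 = "CaptureOne"` in `kcp_go` are positive triggers rather than exclusions — any file naming a UPnP IGD or Capture One matches at `medium` — and the SSDP strings (`ssdp:discover`, `239.255.255.250`) are multicast-discovery markers unrelated to the kcp-go description. Name the two anonymous kcp strings (`$kcp_waitsnd = "ikcp_waitsnd"`, `$kcp_cmd_wins = "IKCP_CMD_WINS"`) and restrict the condition to `any of ($kcp*)`, then move the `$u_*`/`$not_*` set into a rule whose description and `none of ($not*)` clause match what those strings are for.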
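Review bot: `syscall = "pwrite64"` on `fd_print` looks wrong for `dprintf`, which writes sequentially to a descriptor; to my knowledge glibc implements it on top of `write`, and `pwrite64` is the positional variant. Confirm and change the meta to `syscall = "write"` so the pledge/syscall metadata stays accurate for consumers that rely on it.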
diff --git a/rules/persist/kernel_module/kprobe.yara b/rules/persist/kernel_module/kprobe.yara deleted file mode 100644 index 9f419c05f..000000000 --- a/rules/persist/kernel_module/kprobe.yara +++ /dev/null @@ -1,10 +0,0 @@ -rule register_kprobe: medium { - meta: - description = "registers a kernel probe (possibly kernel module)" - - strings: - $ref = "register_kprobe" - - condition: - any of them -} diff --git a/rules/persist/kernel_module/insert.yara b/rules/persist/kernel_module/load.yara similarity index 59% rename from rules/persist/kernel_module/insert.yara rename to rules/persist/kernel_module/load.yara index 90742dd72..62bf3eb78 100644 --- a/rules/persist/kernel_module/insert.yara +++ b/rules/persist/kernel_module/load.yara @@ -9,17 +9,6 @@ rule kernel_module_loader: medium linux { filesize < 10MB and all of them } -rule kernel_module_unloader: medium linux { - meta: - description = "unloads Linux kernel module via rmmod" - - strings: - $insmod = /rmmod [ \#\{\}\$\%\w\.\/_-]{1,32}/ - - condition: - filesize < 10MB and all of them -} - rule kernel_module_loader_ko: high linux { meta: description = "loads Linux kernel module .ko via insmod" @@ -36,10 +25,11 @@ rule kernel_module_loader_sus_redir: high linux { description = "suspiciously loads Linux kernel module via insmod" strings: - $insmod = /insmod [ \$\%\w\.\/_-]{1,32} .{0,16}\/dev\/null 2\>\&1/ + $insmod = /insmod [ \$\%\w\.\/_-]{1,32} .{0,16}\/dev\/null 2\>\&1/ + $insmod2 = /insmod [ \$\%\w\.\/_-]{1,32} .{0,16}2>\/dev\/null/ condition: - filesize < 10MB and all of them + filesize < 10MB and any of them } rule cha_cha_tests: override linux { @@ -54,19 +44,3 @@ rule cha_cha_tests: override linux { condition: filesize < 2KB and any of them } - -rule init_module: medium linux { - meta: - description = "Linux kernel module" - syscall = "init_module" - capability = "CAP_SYS_MODULE" - - filetypes = "ko,elf,so" - - strings: - $ref = "init_module" fullword - - condition: - filesize < 1MB and all of them -} - 
diff --git a/rules/persist/kernel_module/module-unload.yara b/rules/persist/kernel_module/module-unload.yara deleted file mode 100644 index 7644616da..000000000 --- a/rules/persist/kernel_module/module-unload.yara +++ /dev/null @@ -1,10 +0,0 @@ -rule system_kext_unloader: high { - meta: - description = "unloads system kernel extensions" - - strings: - $kextunload_sys_lib_ext = "kextunload /System/Library/Extensions/" - - condition: - filesize < 10485760 and any of them -} diff --git a/rules/persist/kernel_module/module.yara b/rules/persist/kernel_module/module.yara index d57804b81..464e7b174 100644 --- a/rules/persist/kernel_module/module.yara +++ b/rules/persist/kernel_module/module.yara @@ -1,5 +1,16 @@ import "elf" +rule register_kprobe: medium { + meta: + description = "registers a kernel probe (possibly kernel module)" + + strings: + $ref = "register_kprobe" + + condition: + any of them +} + rule lkm: medium { meta: description = "Linux kernel module" @@ -26,15 +37,18 @@ rule lkm_embedded_in_elf: high { elf.type == elf.ET_EXEC and all of them } -rule delete_module: medium { +rule init_module: medium linux { meta: - description = "Unload Linux kernel module" - syscall = "delete_module" + description = "Linux kernel module" + syscall = "init_module" capability = "CAP_SYS_MODULE" + filetypes = "ko,elf,so" + strings: - $ref = "delete_module" fullword + $ref = "init_module" fullword condition: - all of them + filesize < 1MB and all of them } + diff --git a/rules/persist/kernel_module/name.yara b/rules/persist/kernel_module/name.yara new file mode 100644 index 000000000..1e0ac2d43 --- /dev/null +++ b/rules/persist/kernel_module/name.yara 
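Review bot: the relocated `init_module` rule keeps `description = "Linux kernel module"`, identical to the description of `lkm` at the top of rules/persist/kernel_module/module.yara, so two rules in one file report the same text for different evidence. Say what the string shows: `description = "Linux kernel module entry point (init_module)"`. The trailing blank `+` line at the end of the file is also stray.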
@@ -0,0 +1,18 @@ +rule lkm_name: medium { + meta: + description = "mentions Linux kernel module by name" + capability = "CAP_SYS_MODULE" + + strings: + $ko = /[a-z_]{2,12}\.ko/ fullword + + $o_kernel = "kernel" + $o_lsmod = "lsmod" + $o_rmmod = "rmmod" + $o_insmod = "insmod" + $o_modprobe = "modprobe" + $not_languages_ko = "languages.ko" + + condition: + $ko and any of ($o*) and none of ($not*) +} diff --git a/rules/persist/kernel_module/unload.yara b/rules/persist/kernel_module/unload.yara new file mode 100644 index 000000000..afdca2f86 --- /dev/null +++ b/rules/persist/kernel_module/unload.yara @@ -0,0 +1,45 @@ +rule kernel_module_unloader: medium linux { + meta: + description = "unloads Linux kernel module via rmmod" + + strings: + $insmod = /rmmod [ \#\{\}\$\%\w\.\/_-]{1,32}/ + + condition: + filesize < 10MB and all of them +} + +rule kernel_module_unloader_sus: high linux { + meta: + description = "unloads Linux kernel module via rmmod, discarding output" + + strings: + $insmod = /rmmod.{0,32}2\>\s{0,2}\/dev\/null/ + + condition: + filesize < 10MB and any of them +} + +rule delete_module: medium { + meta: + description = "Unload Linux kernel module" + syscall = "delete_module" + capability = "CAP_SYS_MODULE" + + strings: + $ref = "delete_module" fullword + + condition: + all of them +} + +rule system_kext_unloader: high { + meta: + description = "unloads system kernel extensions" + + strings: + $kextunload_sys_lib_ext = "kextunload /System/Library/Extensions/" + + condition: + filesize < 10485760 and any of them +} diff --git a/rules/persist/linux_multi.yara b/rules/persist/linux_multi.yara index 8af02da1c..9a98dc169 100644 --- a/rules/persist/linux_multi.yara +++ b/rules/persist/linux_multi.yara 
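Review bot: `none of ($not*)` in `lkm_name` lets a single `languages.ko` occurrence — a common locale-file name — suppress the rule for the whole file, so a sample that references both a real module name and `languages.ko` is missed. Assuming `languages.ko` itself satisfies `$ko` (it fits `[a-z_]{2,12}\.ko`), a count comparison keeps the exclusion local: `$ko and any of ($o*) and #ko > #not_languages_ko`. `$o_kernel = "kernel"` is a very broad anchor for the `$o*` group; a short comment on why it is included would help the next reviewer judge it.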
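Review bot: both `kernel_module_unloader` and `kernel_module_unloader_sus` in rules/persist/kernel_module/unload.yara name their rmmod regex `$insmod`, a leftover from load.yara that will mislead anyone grepping by identifier; rename to `$rmmod`. In `kernel_module_unloader_sus`, `2\>\s{0,2}\/dev\/null` only matches stderr redirection, so the description "discarding output" could be tightened to `description = "unloads Linux kernel module via rmmod, discarding errors"`. The two rules also differ in `all of them` versus `any of them` for a single string; pick one form.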
@@ -3,9 +3,14 @@ rule linux_multi_persist: high { description = "references multiple Linux persistence methods" strings: - $initd = /etc\/init\.d\/[\w\/\.]{0,32}/ fullword - $udev = "etc/udev" - $crontab = "crontab" fullword + $o_initd = /etc\/init\.d\/[\w\/\.]{0,32}/ fullword + $o_udev = "etc/udev" + $o_crontab = "crontab" fullword + $o_xdg = "[Desktop Entry]" + $o_rc_d = "/etc/rc.d/rc.local" + $o_insmod = "insmod" fullword + $o_preload = "/etc/ld.so.preload" + $o_systemctl = "systemctl" $bash_ref = ".bash_profile" $bash_ref2 = ".profile" fullword @@ -19,5 +24,5 @@ rule linux_multi_persist: high { $not_vim = "VIMRUNTIME" fullword condition: - filesize < 20MB and ($initd or $udev) and $crontab and any of ($bash*) and none of ($not*) + filesize < 20MB and 3 of ($o*) and any of ($bash*) and none of ($not*) } diff --git a/rules/persist/plugin.yara b/rules/persist/plugin.yara new file mode 100644 index 000000000..17a593277 --- /dev/null +++ b/rules/persist/plugin.yara @@ -0,0 +1,10 @@ +rule plugin_persist: high { + meta: + description = "may use persistence plugins" + + strings: + $ref = "plugin_persist" + + condition: + any of them +} diff --git a/rules/persist/shell/bash.yara b/rules/persist/shell/bash.yara index ae26fab80..e0186bb70 100644 --- a/rules/persist/shell/bash.yara +++ b/rules/persist/shell/bash.yara @@ -16,6 +16,23 @@ rule bash_persist: medium { filesize < 2097152 and any of ($ref*) and none of ($not*) } +rule bash_persist_persistent: high { + meta: + description = "acccesses multiple bash startup files" + + strings: + $ref1 = ".bash_profile" + $ref2 = ".bash_login" + $ref3 = ".profile" + $ref4 = ".bashrc" + + $not_bash = "POSIXLY_CORRECT" + + condition: + 3 of them and none of ($not*) + +} + rule hardcoded_bash_persist_file: high { meta: description = "hardcodes a shell startup file" diff --git a/rules/persist/xdg_desktop_entry.yara b/rules/persist/xdg_desktop_entry.yara new file mode 100644 index 000000000..abe04f415 --- /dev/null 
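Review bot: `$o_systemctl = "systemctl"` is the only new `$o_*` literal without `fullword`, unlike `$o_crontab` and `$o_insmod`, so `systemctl` inside a longer token counts toward the threshold; add `fullword`. With the condition relaxed to `3 of ($o*)` in the second hunk of this file, the three most generic tokens — `systemctl`, `crontab`, `insmod` — plus any `.profile` reference are enough for a `high` hit, which plausibly describes many package post-install and configuration-management scripts. Consider anchoring on at least one of the stronger markers, e.g. `3 of ($o*) and any of ($o_preload, $o_rc_d)`, or document why the flat count is acceptable.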
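Review bot: `3 of them` in `bash_persist_persistent` counts `$not_bash` as well as the `$ref*` strings, which only works because `none of ($not*)` then vetoes the match; write the intent directly as `3 of ($ref*) and none of ($not*)` so the threshold is visibly over the startup files. The description has a typo: `acccesses` should be `accesses`, and the rule name `bash_persist_persistent` repeats itself — `bash_persist_multi` would say what distinguishes it from `bash_persist`. The stray blank line before the closing brace can go.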
+++ b/rules/persist/xdg_desktop_entry.yara @@ -0,0 +1,25 @@ +rule desktop_app_exec_entry: medium { + meta: + description = "creates an XDG Desktop Entry to execute an application" + + strings: + $ = "[Desktop Entry]" + $ = "Type=Application" + $ = "Exec=" + + condition: + filesize < 20MB and all of them +} + +rule elf_desktop_app_exec_entry: high { + meta: + description = "persists via an XDG Desktop Entry" + + strings: + $ = "[Desktop Entry]" + $ = "Type=Application" + $ = "Exec=" + + condition: + filesize < 20MB and uint32(0) == 1179403647 and all of them +} diff --git a/rules/process/terminate/arbitrary.yara b/rules/process/terminate/arbitrary.yara new file mode 100644 index 000000000..84d971d65 --- /dev/null +++ b/rules/process/terminate/arbitrary.yara @@ -0,0 +1,22 @@ +rule kill_d: high { + meta: + description = "kills arbitrary process, hiding errors" + + strings: + $kill_9 = "kill %d 2>/dev/null" + + condition: + any of them +} + +rule kill_9_d: high { + meta: + description = "terminates arbitrary process, hiding errors" + + strings: + $kill_9 = "kill -9 %d 2>/dev/null" + + condition: + any of them +} + diff --git a/rules/process/terminate/terminate.yara b/rules/process/terminate/terminate.yara index 2452b6f7d..c239f02f9 100644 --- a/rules/process/terminate/terminate.yara +++ b/rules/process/terminate/terminate.yara @@ -9,3 +9,4 @@ rule TerminateProcess: medium { condition: any of them } + diff --git a/rules/sus/lang.yara b/rules/sus/lang.yara new file mode 100644 index 000000000..1929504e7 --- /dev/null +++ b/rules/sus/lang.yara @@ -0,0 +1,10 @@ +rule en_us_utf8: medium { + meta: + description = "hardcodes language to American English" + + strings: + $ = "en_US.UTF-8" fullword + + condition: + any of them +} diff --git a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple index 925d238c2..ddc3f153a 100644 
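Review bot: `desktop_app_exec_entry` and `elf_desktop_app_exec_entry` share the same three strings and the ELF rule's condition only adds the magic check, so every ELF that hits the `high` rule also hits the `medium` one, and every ordinary `.desktop` file (all carry `[Desktop Entry]`, `Type=Application` and `Exec=`) hits the `medium` rule. `description = "creates an XDG Desktop Entry to execute an application"` claims more than three literals show; `description = "references XDG Desktop Entry fields that execute an application"` is what the strings establish. If the medium/high pairing is deliberate, a one-line comment saying the ELF rule is the escalation would help.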
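Review bot: in `kill_d` (rules/process/terminate/arbitrary.yara) the string is named `$kill_9` although it matches `kill %d ...` without `-9`, a copy from `kill_9_d`; rename it `$kill_d`, or merge the two rules with `$kill = /kill (-9 )?%d 2>\/dev\/null/`. The descriptions use "kills" and "terminates" for the same action; pick one wording and state the signal difference instead. The file ends with a stray blank `+` line.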
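Review bot: `en_us_utf8` in rules/sus/lang.yara flags the bare literal `en_US.UTF-8` at `medium`, yet that string appears in a great many benign programs and scripts (locale defaults, container files, test fixtures), and the description "hardcodes language to American English" asserts more than one occurrence shows. Consider `low` with `description = "references the en_US.UTF-8 locale"`, or pair the string with a `LANG=`/`LC_ALL=` or `setlocale` marker if the "hardcodes" claim is what the rule is meant to catch.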
--- a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple +++ b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple @@ -68,6 +68,7 @@ fs/permission/modify: medium fs/symlink_resolve: low fs/tempdir: low fs/tempdir/TEMP: low +fs/tempfile: low fs/watch: low impact/remote_access/agent: medium impact/remote_access/crypto_geoip_exec: medium diff --git a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple index be5224c4e..06abf6622 100644 --- a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple +++ b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple @@ -69,6 +69,7 @@ fs/permission/modify: medium fs/symlink_resolve: low fs/tempdir: low fs/tempdir/TEMP: low +fs/tempfile: low fs/watch: low impact/remote_access/agent: medium impact/remote_access/crypto_geoip_exec: medium diff --git a/tests/javascript/clean/highlight.esm.js.simple b/tests/javascript/clean/highlight.esm.js.simple index dc90cc030..a638c2906 100644 --- a/tests/javascript/clean/highlight.esm.js.simple +++ b/tests/javascript/clean/highlight.esm.js.simple @@ -58,6 +58,7 @@ fs/path/usr_bin: low fs/permission/modify: medium fs/symlink_resolve: low fs/tempdir/TEMP: low +fs/tempfile: low hw/wireless: low impact/remote_access/agent: medium lateral/scan/tool: medium diff --git a/tests/javascript/clean/highlight.js.simple b/tests/javascript/clean/highlight.js.simple index a4fa10376..208dc6da4 100644 --- a/tests/javascript/clean/highlight.js.simple +++ b/tests/javascript/clean/highlight.js.simple @@ -58,6 +58,7 @@ fs/path/usr_bin: low fs/permission/modify: medium fs/symlink_resolve: low fs/tempdir/TEMP: low +fs/tempfile: low hw/wireless: low impact/remote_access/agent: medium lateral/scan/tool: medium diff --git a/tests/javascript/clean/mode-php.js.simple b/tests/javascript/clean/mode-php.js.simple index 4910391df..6fe24e926 100644 
--- a/tests/javascript/clean/mode-php.js.simple +++ b/tests/javascript/clean/mode-php.js.simple @@ -45,6 +45,7 @@ fs/path/etc: low fs/permission/modify: medium fs/symlink_resolve: low fs/tempdir/TEMP: low +fs/tempfile: low fs/watch: low impact/remote_access/agent: medium net/download/fetch: medium diff --git a/tests/javascript/clean/mode-php_laravel_blade.js.simple b/tests/javascript/clean/mode-php_laravel_blade.js.simple index 8f03155a2..8e9ebdffe 100644 --- a/tests/javascript/clean/mode-php_laravel_blade.js.simple +++ b/tests/javascript/clean/mode-php_laravel_blade.js.simple @@ -45,6 +45,7 @@ fs/path/etc: low fs/permission/modify: medium fs/symlink_resolve: low fs/tempdir/TEMP: low +fs/tempfile: low fs/watch: low impact/remote_access/agent: medium net/download/fetch: medium diff --git a/tests/javascript/clean/php.js.simple b/tests/javascript/clean/php.js.simple index e5d0721da..6d65f9383 100644 --- a/tests/javascript/clean/php.js.simple +++ b/tests/javascript/clean/php.js.simple @@ -44,6 +44,7 @@ fs/path/etc: low fs/permission/modify: medium fs/symlink_resolve: low fs/tempdir/TEMP: low +fs/tempfile: low fs/watch: low impact/remote_access/agent: medium net/http/cookies: medium diff --git a/tests/linux/2019.ChinaZ/yk.simple b/tests/linux/2019.ChinaZ/yk.simple index cff3078ac..bbec14c0c 100644 --- a/tests/linux/2019.ChinaZ/yk.simple +++ b/tests/linux/2019.ChinaZ/yk.simple @@ -1,6 +1,7 @@ # linux/2019.ChinaZ/yk: critical anti-behavior/LD_DEBUG: medium anti-behavior/LD_PROFILE: medium +anti-static/elf/multiple: medium c2/addr/server: medium c2/addr/url: low crypto/rc4: low diff --git a/tests/linux/2020.bdvl/bdvl.so.simple b/tests/linux/2020.bdvl/bdvl.so.simple index b9ee69f36..eddab67c9 100644 --- a/tests/linux/2020.bdvl/bdvl.so.simple +++ b/tests/linux/2020.bdvl/bdvl.so.simple 
@@ -39,6 +39,7 @@ fs/path/usr_sbin: low
 fs/permission/modify: medium
 fs/proc/arbitrary_pid: medium
 fs/proc/pid_cmdline: high
+fs/tempfile: low
 impact/degrade/sshd: high
 impact/remote_access/backdoor: high
 impact/remote_access/net_exec: medium
diff --git a/tests/linux/2021.FontOnLake/45E9.elf.simple b/tests/linux/2021.FontOnLake/45E9.elf.simple
index 6e5e1614f..6cf7cf53c 100644
--- a/tests/linux/2021.FontOnLake/45E9.elf.simple
+++ b/tests/linux/2021.FontOnLake/45E9.elf.simple
@@ -1,6 +1,7 @@
 # linux/2021.FontOnLake/45E9.elf: critical
 3P/elastic/rootkit: high
 3P/elastic/rootkit_fontonlake: critical
+anti-static/elf/multiple: medium
 anti-static/packer/upx: high
 c2/addr/ip: high
 c2/addr/url: low
@@ -67,7 +68,7 @@ fs/proc/pid_fd: medium
 fs/proc/self_exe: medium
 fs/symlink_resolve: low
 fs/tempdir/create: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 impact/remote_access/agent: medium
 impact/remote_access/backdoor: high
 impact/remote_access/reverse_shell: medium
@@ -92,8 +93,7 @@ net/tcp/ssh: medium
 net/tun_tap: medium
 net/url/embedded: low
 persist/daemon: medium
-persist/kernel_module/insert: high
-persist/kernel_module/kprobe: medium
+persist/kernel_module/load: high
 persist/kernel_module/module: medium
 persist/kernel_module/symbol_lookup: high
 persist/pid_file: medium
diff --git a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
index c0f171b6a..2cbf045ba 100644
--- a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
+++ b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
@@ -59,6 +59,7 @@ fs/proc/nvidia_gpu: medium
 fs/proc/self_cgroup: medium
 fs/proc/self_exe: medium
 fs/tempdir/TEMP: low
+fs/tempfile: low
 hw/cpu: medium
 impact/cryptojacking/cryptonight: high
 impact/cryptojacking/generic: high
diff --git a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple
index 8a92d32ef..97fb0e7bd 100644
--- a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple
+++ b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple
@@ -19,6 +19,7 @@ fs/proc/arbitrary_pid: medium
 fs/proc/pid_status: medium
 fs/proc/self_cmdline: medium
 fs/proc/self_exe: medium
+fs/tempfile: low
 net/dns/servers: low
 net/ip/byte_order: medium
 net/ip/parse: medium
diff --git a/tests/linux/2023.Kinsing/install.sh.simple b/tests/linux/2023.Kinsing/install.sh.simple
index 7b57a2b7d..d0dfee0ab 100644
--- a/tests/linux/2023.Kinsing/install.sh.simple
+++ b/tests/linux/2023.Kinsing/install.sh.simple
@@ -50,7 +50,7 @@ fs/path/usr_sbin: low
 fs/path/var: low
 fs/path/var_log: medium
 fs/permission/modify: medium
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 impact/cryptojacking/cryptonight: high
 impact/cryptojacking/generic: high
 impact/cryptojacking/monero_pool: medium
@@ -58,6 +58,7 @@ impact/cryptojacking/xmrig: high
 impact/degrade/firewall: high
 impact/degrade/infection: critical
 impact/degrade/linux_paths: high
+impact/degrade/systemd: medium
 impact/remote_access/agent: medium
 impact/remote_access/iptables: medium
 impact/remote_access/kill_rm: medium
diff --git a/tests/linux/2024.Gelsemium/dbus.simple b/tests/linux/2024.Gelsemium/dbus.simple
index 0c578f2ac..fb6afb772 100644
--- a/tests/linux/2024.Gelsemium/dbus.simple
+++ b/tests/linux/2024.Gelsemium/dbus.simple
@@ -1,14 +1,16 @@
 # linux/2024.Gelsemium/dbus: critical
+anti-static/elf/multiple: medium
 crypto/decrypt: low
 crypto/encrypt: medium
 data/hash/md5: medium
 data/random/insecure: low
+discover/multiple: high
 discover/network/netstat: medium
 discover/system/platform: medium
 discover/system/sysinfo: medium
 discover/user/name_get: medium
-evasion/file/prefix: high
-exec/shell/arbitrary_command_dev_null: medium
+evasion/file/prefix: critical
+exec/shell/arbitrary_command_dev_null: high
 fs/directory/create: low
 fs/directory/remove: low
 fs/file/delete_forcibly: medium
@@ -29,10 +31,15 @@ net/socket/local_addr: low
 net/socket/receive: low
 net/socket/send: low
 persist/daemon: medium
-persist/kernel_module/insert: medium
+persist/kernel_module/load: high
+persist/kernel_module/name: medium
+persist/kernel_module/unload: high
+persist/linux_multi: high
 persist/pid_file: medium
 persist/shell/bash: medium
+persist/xdg_desktop_entry: high
 privesc/setuid: low
 process/groupid_set: low
 process/multithreaded: low
+process/terminate/arbitrary: high
 sus/compiler: medium
diff --git a/tests/linux/2024.Gelsemium/kde.simple b/tests/linux/2024.Gelsemium/kde.simple
index ca129dd7f..f282e2770 100644
--- a/tests/linux/2024.Gelsemium/kde.simple
+++ b/tests/linux/2024.Gelsemium/kde.simple
@@ -2,11 +2,11 @@
 crypto/rc4: low
 discover/process/name: medium
 evasion/file/location/dev_shm: high
-evasion/file/prefix: high
+evasion/file/prefix: critical
 evasion/hijack_execution/etc_ld.so.preload: high
 exec/program: medium
 exec/program/background: low
-exec/shell/arbitrary_command_dev_null: medium
+exec/shell/arbitrary_command_dev_null: high
 fs/directory/create: low
 fs/directory/remove: low
 fs/file/delete: medium
@@ -16,7 +16,11 @@ fs/link_read: low
 fs/path/etc: low
 fs/path/usr_bin: low
 fs/proc/self_exe: medium
-persist/shell/bash: medium
+malware/family/gelsemium: critical
+persist/plugin: high
+persist/shell/bash: high
 privesc/setuid: low
 process/groupid_set: low
+process/terminate/arbitrary: high
 sus/compiler: high
+sus/lang: medium
diff --git a/tests/linux/2024.Gelsemium/libselinux.so.simple b/tests/linux/2024.Gelsemium/libselinux.so.simple
index 4e44be171..e8a77072b 100644
--- a/tests/linux/2024.Gelsemium/libselinux.so.simple
+++ b/tests/linux/2024.Gelsemium/libselinux.so.simple
@@ -1,5 +1,10 @@
-# linux/2024.Gelsemium/libselinux.so: high
+# linux/2024.Gelsemium/libselinux.so: critical
+anti-static/obfuscation/hidden_literals: medium
 anti-static/xor/commands: high
+anti-static/xor/paths: high
+anti-static/xor/terms: high
+evasion/logging/hide_shell_history: high
+evasion/rootkit/userspace: high
 exec/dylib/symbol_address: medium
 exec/program: medium
 exec/tty/open: medium
@@ -7,5 +12,11 @@ fs/directory/remove: low
 fs/file/delete: low
 fs/link_read: low
 fs/proc/arbitrary_pid: medium
-fs/proc/pid_fd: medium
+fs/proc/pid_cmdline: high
+fs/proc/pid_fd: high
+fs/proc/pid_stat: medium
+fs/tempfile: low
+malware/family/beurk: critical
+malware/family/gelsemium: critical
 os/fd/multiplex: low
+os/fd/print: low
diff --git a/tests/linux/2024.Gelsemium/udevd.simple b/tests/linux/2024.Gelsemium/udevd.simple
index 5e6505fcb..8b0c60d66 100644
--- a/tests/linux/2024.Gelsemium/udevd.simple
+++ b/tests/linux/2024.Gelsemium/udevd.simple
@@ -1,4 +1,5 @@
-# linux/2024.Gelsemium/udevd: high
+# linux/2024.Gelsemium/udevd: critical
+anti-static/elf/multiple: medium
 c2/addr/ip: medium
 c2/addr/url: low
 c2/client: medium
@@ -21,12 +22,12 @@ data/hash/sha256: low
 data/random/insecure: low
 discover/system/platform: low
 evasion/file/location/dev_shm: medium
-evasion/file/prefix: high
+evasion/file/prefix: critical
 evasion/hijack_execution/etc_ld.so.preload: high
 exec/dylib/address_check: low
 exec/dylib/symbol_address: medium
 exec/plugin: low
-exec/shell/arbitrary_command_dev_null: medium
+exec/shell/arbitrary_command_dev_null: high
 exec/shell/exec: medium
 exec/system_controls/systemd: medium
 fs/directory/create: low
@@ -44,9 +45,11 @@ fs/permission/modify: medium
 fs/proc/arbitrary_pid: medium
 fs/proc/pid_fd: medium
 fs/proc/self_exe: medium
+impact/degrade/systemd: high
 impact/remote_access/heartbeat: medium
 impact/remote_access/reverse_shell: medium
 lateral/scan/tool: medium
+malware/family/gelsemium: critical
 net/dns/txt: low
 net/http/post: medium
 net/http/request: low
@@ -61,8 +64,14 @@ net/socket/local_addr: low
 net/socket/peer_address: low
 net/socket/receive: low
 net/socket/send: low
+net/udp/kcp: medium
 net/url/embedded: low
+persist/linux_multi: high
+persist/plugin: high
+persist/shell/bash: high
 privesc/setuid: low
 process/groupid_set: low
 process/multithreaded: low
+process/terminate/arbitrary: high
 sus/compiler: high
+sus/lang: medium
diff --git a/tests/linux/2024.Gelsemium/udevd_multi.simple b/tests/linux/2024.Gelsemium/udevd_multi.simple
index 560c05b57..44a47ae05 100644
--- a/tests/linux/2024.Gelsemium/udevd_multi.simple
+++ b/tests/linux/2024.Gelsemium/udevd_multi.simple
@@ -1,4 +1,5 @@
-# linux/2024.Gelsemium/udevd_multi: high
+# linux/2024.Gelsemium/udevd_multi: critical
+anti-static/elf/multiple: medium
 c2/addr/ip: medium
 c2/addr/url: low
 c2/client: medium
@@ -21,12 +22,12 @@ data/hash/sha256: low
 data/random/insecure: low
 discover/system/platform: low
 evasion/file/location/dev_shm: medium
-evasion/file/prefix: high
+evasion/file/prefix: critical
 evasion/hijack_execution/etc_ld.so.preload: high
 exec/dylib/address_check: low
 exec/dylib/symbol_address: medium
 exec/plugin: low
-exec/shell/arbitrary_command_dev_null: medium
+exec/shell/arbitrary_command_dev_null: high
 exec/shell/exec: medium
 exec/system_controls/systemd: medium
 fs/directory/create: low
@@ -44,9 +45,11 @@ fs/permission/modify: medium
 fs/proc/arbitrary_pid: medium
 fs/proc/pid_fd: medium
 fs/proc/self_exe: medium
+impact/degrade/systemd: high
 impact/remote_access/heartbeat: medium
 impact/remote_access/reverse_shell: medium
 lateral/scan/tool: medium
+malware/family/gelsemium: critical
 net/dns/txt: low
 net/http/post: medium
 net/http/request: low
@@ -60,8 +63,14 @@ net/socket/listen: medium
 net/socket/local_addr: low
 net/socket/receive: low
 net/socket/send: low
+net/udp/kcp: medium
 net/url/embedded: low
+persist/linux_multi: high
+persist/plugin: high
+persist/shell/bash: high
 privesc/setuid: low
 process/groupid_set: low
 process/multithreaded: low
+process/terminate/arbitrary: high
 sus/compiler: high
+sus/lang: medium
diff --git a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
index b0750609b..f277bbf26 100644
--- a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
+++ b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
@@ -57,6 +57,7 @@ fs/permission/chown: medium
 fs/permission/get: low
 fs/permission/modify: medium
 fs/proc/stat: medium
+fs/tempfile: low
 impact/exploit/cve_list: medium
 impact/remote_access/kill_rm: medium
 impact/remote_access/reverse_shell: high
diff --git a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
index 97c7d0b9b..26fce3ce6 100644
--- a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
+++ b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple
@@ -48,6 +48,7 @@ fs/path/tmp: medium
 fs/path/var: low
 fs/permission/chown: medium
 fs/permission/modify: medium
+impact/degrade/systemd: medium
 impact/ransom/note: high
 impact/remote_access/reverse_shell: medium
 net/dns: low
diff --git a/tests/linux/2024.chisel/crondx.simple b/tests/linux/2024.chisel/crondx.simple
index 0eb6c6af2..6e2646fb4 100644
--- a/tests/linux/2024.chisel/crondx.simple
+++ b/tests/linux/2024.chisel/crondx.simple
@@ -33,6 +33,7 @@ fs/path/etc_hosts: medium
 fs/path/etc_resolv.conf: low
 fs/permission/chown: medium
 fs/permission/modify: medium
+fs/tempfile: low
 net/dns: low
 net/dns/servers: low
 net/dns/txt: low
diff --git a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
index 99a4b386f..4dafeae56 100644
--- a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
+++ b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
@@ -47,6 +47,7 @@ fs/path/tmp: medium
 fs/path/usr_bin: low
 fs/permission/chown: medium
 fs/permission/modify: medium
+fs/tempfile: low
 impact/cryptojacking/nicehash_pool: high
 impact/cryptojacking/xmrig: high
 net/dns: low
diff --git a/tests/linux/2024.gas/gas.simple b/tests/linux/2024.gas/gas.simple
index 06af4a85f..3e3c0ad5b 100644
--- a/tests/linux/2024.gas/gas.simple
+++ b/tests/linux/2024.gas/gas.simple
@@ -1,6 +1,7 @@
 # linux/2024.gas/gas: high
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
+anti-static/elf/multiple: medium
 c2/addr/url: low
 c2/tool_transfer/arch: low
 crypto/rc4: low
@@ -32,6 +33,7 @@ hw/cpu: medium
 impact/remote_access/dl_iterate: high
 net/socket/send: low
 net/url/embedded: low
+os/fd/print: low
 process/create: low
 process/executable_path: low
 process/name_set: medium
diff --git a/tests/linux/2024.kubo_injector/injector.json b/tests/linux/2024.kubo_injector/injector.json
index 57a82773f..54d87c62d 100644
--- a/tests/linux/2024.kubo_injector/injector.json
+++ b/tests/linux/2024.kubo_injector/injector.json
@@ -12,6 +12,17 @@
 "rpath"
 ],
 "Behaviors": [
+{
+"Description": "multiple ELF binaries within an ELF binary",
+"MatchStrings": [
+"$elf_head"
+],
+"RiskScore": 2,
+"RiskLevel": "MEDIUM",
+"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf",
+"ID": "anti-static/elf/multiple",
+"RuleName": "multiple_elf"
+},
 {
 "Description": "binary contains hardcoded URL",
 "MatchStrings": [
diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
index bd27bda1e..00225be29 100644
--- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
+++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
@@ -104,6 +104,7 @@ fs/proc/arbitrary_pid: medium
 fs/proc/cpuinfo: medium
 fs/symlink_resolve: low
 fs/tempdir/TEMP: low
+fs/tempfile: low
 hw/cpu: medium
 impact/exploit: high
 impact/exploit/GCONV_PATH: high
@@ -160,6 +161,7 @@ os/fd/sendfile: low
 os/kernel/netlink: low
 persist/cron/tab: medium
 persist/pid_file: medium
+persist/shell/bash: high
 privesc/linpeas: high
 privesc/setuid: low
 privesc/sudo: medium
diff --git a/tests/linux/2024.medusa/rkload.simple b/tests/linux/2024.medusa/rkload.simple
index 119131218..a089d7fcd 100644
--- a/tests/linux/2024.medusa/rkload.simple
+++ b/tests/linux/2024.medusa/rkload.simple
@@ -2,7 +2,8 @@
 3P/elastic/orbit: critical
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
-anti-static/xor/commands: high
+anti-static/elf/multiple: medium
+anti-static/xor/paths: high
 c2/addr/url: low
 c2/tool_transfer/arch: low
 credential/ssh/d: medium
@@ -18,6 +19,7 @@ evasion/file/prefix/dev: high
 evasion/file/prefix/lib: high
 evasion/hijack_execution/LD_LIBRARY_PATH: low
 evasion/hijack_execution/etc_ld.so.preload: medium
+evasion/logging/hide_shell_history: high
 evasion/rootkit/userspace: critical
 exec/conditional/LANG: low
 exec/dylib/address_check: low
@@ -42,11 +44,13 @@ fs/proc/self_exe: medium
 fs/proc/stat: medium
 fs/tempdir: low
 fs/tempdir/TMPDIR: low
+fs/tempfile: low
 hw/cpu: medium
 malware/family/medusa: critical
 net/socket/local_addr: low
 net/socket/send: low
 net/url/embedded: low
+os/fd/print: low
 privesc/setuid: low
 process/create: low
 process/executable_path: low
diff --git a/tests/linux/2024.melofee/2023.758b0934b7.elf.simple b/tests/linux/2024.melofee/2023.758b0934b7.elf.simple
index e39c82293..2bd69115f 100644
--- a/tests/linux/2024.melofee/2023.758b0934b7.elf.simple
+++ b/tests/linux/2024.melofee/2023.758b0934b7.elf.simple
@@ -11,7 +11,9 @@ fs/link_read: low
 fs/path/etc: low
 malware/family/melofee: critical
 persist/daemon: medium
-persist/kernel_module/insert: medium
+persist/kernel_module/load: medium
+persist/kernel_module/name: medium
+persist/kernel_module/unload: medium
 process/create: low
 process/terminate/kill_multiple: medium
 sus/compiler: high
diff --git a/tests/linux/2024.melofee/2023.8d855c2874.elf.simple b/tests/linux/2024.melofee/2023.8d855c2874.elf.simple
index 995a84805..eee2d20b7 100644
--- a/tests/linux/2024.melofee/2023.8d855c2874.elf.simple
+++ b/tests/linux/2024.melofee/2023.8d855c2874.elf.simple
@@ -65,6 +65,8 @@ net/socket/receive: low
 net/socket/send: low
 net/tcp/ssh: medium
 persist/daemon: medium
-persist/kernel_module/insert: high
+persist/kernel_module/load: high
+persist/kernel_module/name: medium
+persist/kernel_module/unload: medium
 process/multithreaded: low
 sus/compiler: medium
diff --git a/tests/linux/2024.melofee/driver_decrypted.simple b/tests/linux/2024.melofee/driver_decrypted.simple
index 30f39eccb..d29b03953 100644
--- a/tests/linux/2024.melofee/driver_decrypted.simple
+++ b/tests/linux/2024.melofee/driver_decrypted.simple
@@ -4,8 +4,6 @@ anti-static/binary/opaque: medium
 evasion/indicator_blocking/process: high
 evasion/mimicry/fake_process: high
 impact/rootkit: critical
-persist/kernel_module/insert: medium
-persist/kernel_module/kprobe: medium
 persist/kernel_module/module: medium
 persist/kernel_module/symbol_lookup: high
 sus/compiler: medium
diff --git a/tests/linux/2024.melofee/pskt.simple b/tests/linux/2024.melofee/pskt.simple
index 0dea6b119..c45fa5aa2 100644
--- a/tests/linux/2024.melofee/pskt.simple
+++ b/tests/linux/2024.melofee/pskt.simple
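Review bot: driver_decrypted.simple drops both `persist/kernel_module/insert` and `persist/kernel_module/kprobe` without gaining the `persist/kernel_module/load` line that replaces `insert` in the two other melofee fixtures in this hunk group and in the FontOnLake fixture earlier in the diff, so a sample already tagged `impact/rootkit: critical` now carries no module-insertion indicator at all. If the rule consolidation behind the rename was meant to be coverage-preserving, this looks like a regression for a decrypted kernel driver rather than an intended outcome; worth confirming that the consolidated load rule's strings still cover what `insert` and `kprobe` matched here before accepting the regenerated fixture. The rule files themselves are not in this chunk, so this is inferred from the fixture deltas only.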
@@ -3,6 +3,7 @@
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
 anti-static/elf/entropy: high
+anti-static/elf/multiple: medium
 c2/addr/ip: medium
 c2/addr/url: low
 c2/tool_transfer/arch: low
diff --git a/tests/linux/2024.sbcl.market/sbcl.sdiff b/tests/linux/2024.sbcl.market/sbcl.sdiff
index 0d81f2098..fb3cc46aa 100644
--- a/tests/linux/2024.sbcl.market/sbcl.sdiff
+++ b/tests/linux/2024.sbcl.market/sbcl.sdiff
@@ -8,6 +8,7 @@ data/compression/zstd
 discover/user/HOME
 discover/user/USER
 evasion/file/location/var_tmp
+-evasion/rootkit/userspace
 exec/dylib/address_check
 exec/dylib/symbol_address
 exec/program
diff --git a/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple b/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple
index e3e1193b2..d8356a676 100644
--- a/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple
+++ b/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple
@@ -2,6 +2,7 @@
 anti-static/elf/content: high
 anti-static/elf/entropy: high
 anti-static/elf/header: high
+anti-static/elf/multiple: medium
 anti-static/packer/upx: high
 c2/addr/ip: high
 c2/addr/url: low
diff --git a/tests/linux/2024.vncjew/__min__c.simple b/tests/linux/2024.vncjew/__min__c.simple
index 76e50741c..4e49b97f4 100644
--- a/tests/linux/2024.vncjew/__min__c.simple
+++ b/tests/linux/2024.vncjew/__min__c.simple
@@ -1,6 +1,7 @@
 # linux/2024.vncjew/__min__c: critical
 anti-static/elf/entropy: high
 anti-static/elf/header: high
+anti-static/elf/multiple: medium
 anti-static/packer/upx: high
 c2/addr/ip: high
 c2/addr/url: low
diff --git a/tests/linux/clean/buildah.simple b/tests/linux/clean/buildah.simple
index e44848f47..60a4df47e 100644
--- a/tests/linux/clean/buildah.simple
+++ b/tests/linux/clean/buildah.simple
@@ -101,6 +101,7 @@ fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
 fs/tempdir/create: low
+fs/tempfile: low
 fs/unmount: low
 fs/watch: low
 hw/dev/block_ice: medium
diff --git a/tests/linux/clean/busybox.simple b/tests/linux/clean/busybox.simple
index 72194d8f4..36ad08b12 100644
--- a/tests/linux/clean/busybox.simple
+++ b/tests/linux/clean/busybox.simple
@@ -1,4 +1,4 @@
-# linux/clean/busybox: medium
+# linux/clean/busybox: high
 c2/addr/ip: medium
 c2/addr/url: low
 c2/tool_transfer/os: low
@@ -60,13 +60,14 @@ fs/permission/modify: medium
 fs/proc/arbitrary_pid: medium
 fs/proc/meminfo: medium
 fs/proc/mounts: medium
+fs/proc/pid_fd: high
 fs/proc/stat: medium
 fs/symlink_resolve: low
 fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
 fs/tempdir/create: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/watch: low
 hw/cpu: medium
 impact/ddos/raw_flooder: medium
@@ -86,6 +87,7 @@ net/socket/receive: low
 net/socket/send: low
 net/tun_tap: medium
 net/url/embedded: low
+os/fd/print: low
 os/time/clock_set: low
 persist/daemon: medium
 privesc/setuid: low
diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple
index 5f880ac2f..7e0bbcea5 100644
--- a/tests/linux/clean/caddy.simple
+++ b/tests/linux/clean/caddy.simple
@@ -92,6 +92,7 @@ fs/path/windows_root: low
 fs/permission/chown: medium
 fs/permission/modify: medium
 fs/proc/arbitrary_pid: medium
+fs/proc/pid_stat: medium
 fs/proc/pid_statistics: low
 fs/proc/self_cgroup: medium
 fs/proc/self_exe: medium
@@ -101,6 +102,7 @@ fs/symlink_resolve: low
 fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
+fs/tempfile: low
 fs/watch: low
 hw/wireless: low
 net/dns: low
@@ -152,7 +154,7 @@ net/webrtc: medium
 os/env/get: low
 os/fd/sendfile: low
 os/kernel/netlink: low
-persist/kernel_module/module: medium
+persist/kernel_module/unload: medium
 persist/pid_file: medium
 privesc/sudo: medium
 process/chroot: low
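Review bot: The busybox fixture under tests/linux/clean is promoted from `medium` to `high` solely by the new `fs/proc/pid_fd: high` line, so a clean reference binary now lands in the same overall tier as several of the malware samples regenerated in this commit. A generic /proc/<pid>/fd reference is routine for any multi-call or process-inspection tool, and raising it to high on its own will lift the noise floor for exactly the clean baselines this directory exists to protect; if the severity bump is intentional, the sample should either be moved out of clean/ or the rule should reserve `high` for pid_fd in combination with another indicator and keep a bare reference at `medium`. The same `fs/proc/pid_fd: high` bump appears in the libselinux.so hunk earlier in the diff, which suggests the change is rule-wide rather than sample-specific; the rule definition itself is not in this chunk.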
diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple
index 32933e12a..22b81a609 100644
--- a/tests/linux/clean/chezmoi.simple
+++ b/tests/linux/clean/chezmoi.simple
@@ -103,7 +103,7 @@ fs/symlink_resolve: low
 fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/watch: low
 hw/dev/block_ice: medium
 hw/wireless: low
@@ -160,7 +160,7 @@ net/webrtc: medium
 os/env/get: low
 os/fd/sendfile: low
 os/kernel/netlink: low
-persist/kernel_module/module: medium
+persist/kernel_module/unload: medium
 persist/pid_file: medium
 privesc/sudo: medium
 process/chdir: low
diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple
index 6747518a9..b6271f90b 100644
--- a/tests/linux/clean/chrome.simple
+++ b/tests/linux/clean/chrome.simple
@@ -1,6 +1,7 @@
 # linux/clean/chrome: medium
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
+anti-static/elf/multiple: medium
 anti-static/obfuscation/obfuscate: low
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
@@ -114,7 +115,7 @@ fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
 fs/tempdir/create: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/unmount: low
 fs/watch: low
 hw/cpu: medium
@@ -159,6 +160,7 @@ net/socket/receive: low
 net/socket/reuseport: medium
 net/socket/send: low
 net/tcp/ssh: medium
+net/udp/kcp: medium
 net/udp/upnp: medium
 net/url/embedded: medium
 net/url/encode: medium
diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple
index 90c7512a6..75be78df1 100644
--- a/tests/linux/clean/clickhouse.simple
+++ b/tests/linux/clean/clickhouse.simple
@@ -1,4 +1,5 @@
 # linux/clean/clickhouse: high
+anti-static/elf/multiple: medium
 anti-static/obfuscation/obfuscate: low
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
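Review bot: `anti-static/elf/multiple: medium` now fires on clean fixtures — chrome here, clickhouse in the next section, and ld-2.27.so further down the diff — as well as on the malware samples, which suggests the new rule is matching any binary that carries the ELF magic more than once rather than an actually embedded payload. Large applications, the dynamic loader and anything that bundles a crash handler or helper executables legitimately contain additional ELF headers, so accepting an anti-static tag on those baselines bakes a false positive into the clean corpus without anyone tuning the rule. Worth either tightening the rule (for example, requiring the extra header to sit outside the declared program segments, or at a plausible alignment) or lowering it to low before the clean fixtures are regenerated; the rule file is not in this chunk, so the matching behaviour is inferred from which samples changed.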
@@ -135,6 +136,7 @@ fs/tempdir: low fs/tempdir/TEMP: low fs/tempdir/TMPDIR: low fs/tempdir/create: low +fs/tempfile: low fs/watch: low hw/cpu: medium hw/dev/block_ice: medium @@ -183,6 +185,7 @@ net/url/embedded: medium net/url/encode: medium net/url/parse: low os/fd/epoll: low +os/fd/print: low os/fd/read: low os/fd/sendfile: low os/kernel/netlink: low diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md index 9cc90de1f..4270357c9 100644 --- a/tests/linux/clean/code-oss.md +++ b/tests/linux/clean/code-oss.md @@ -5,6 +5,7 @@ | MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | | MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) | | MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | +| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | | MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) | | MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[bIp](https://github.com/search?q=bIp&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[gIp](https://github.com/search?q=gIp&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[maxPort](https://github.com/search?q=maxPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[minPort](https://github.com/search?q=minPort&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_ip](https://github.com/search?q=quic_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code) | @@ -151,6 +152,7 @@ | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | +| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [tmpfile](https://github.com/search?q=tmpfile&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) | | LOW | [impact/ui/screen_capture](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ui/screen-capture.yara#macos_screen_capture) | macos screen capture | [captureScreen](https://github.com/search?q=captureScreen&type=code) | diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple index 26104e091..d979ac232 100644 --- a/tests/linux/clean/containerd.simple +++ b/tests/linux/clean/containerd.simple @@ -77,7 +77,7 @@ fs/proc/self_cgroup: medium fs/proc/self_mountinfo: medium fs/tempdir/TEMP: low fs/tempdir/create: low -fs/tempdir/tempfile_create: low +fs/tempfile: low fs/unmount: low fs/watch: low hw/dev/block_ice: medium diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md index c14166b91..fc838a67b 100644 --- a/tests/linux/clean/cpack.md +++ b/tests/linux/clean/cpack.md @@ -2,6 +2,7 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| +| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[use_port](https://github.com/search?q=use_port&type=code) | | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientID](https://github.com/search?q=clientID&type=code) | | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Darwin](https://github.com/search?q=Darwin&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | @@ -30,6 +31,7 @@ | MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/stat](https://github.com/search?q=%2Fproc%2F%25d%2Fstat&type=code) | | MEDIUM | [fs/proc/cpuinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/cpuinfo.yara#proc_cpuinfo) | get CPU info | [/proc/cpuinfo](https://github.com/search?q=%2Fproc%2Fcpuinfo&type=code) | | MEDIUM | [fs/proc/meminfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/meminfo.yara#proc_meminfo_val) | get memory info | [/proc/meminfo](https://github.com/search?q=%2Fproc%2Fmeminfo&type=code) | +| MEDIUM | [fs/proc/pid_stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-stat.yara#proc_pid_stat) | access status fields for other processes | [/proc/%d/stat](https://github.com/search?q=%2Fproc%2F%25d%2Fstat&type=code) | | MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | | MEDIUM | [impact/remote_access/crypto_listen_socks](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/crypto_listen_socks.yara#socks_crypto_listener) | listens, uses SOCKS5, and cryptography | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socks5](https://github.com/search?q=socks5&type=code) |
 | MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[Port](https://github.com/search?q=Port&type=code)
[Target](https://github.com/search?q=Target&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) |
@@ -100,7 +102,7 @@
 | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) |
 | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
 | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) |
-| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [mktemp](https://github.com/search?q=mktemp&type=code) |
+| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [mktemp](https://github.com/search?q=mktemp&type=code) |
 | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) |
 | LOW | [net/ftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ftp/ftp.yara#ftp) | File Transfer Protocol (FTP) | [EPSV](https://github.com/search?q=EPSV&type=code) |
 | LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) |
diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple
index 869a2576b..59142a2a1 100644
--- a/tests/linux/clean/kuma-cp.simple
+++ b/tests/linux/clean/kuma-cp.simple
@@ -85,6 +85,7 @@ fs/permission/modify: medium
 fs/quota_manipulate: low
 fs/swap/on: low
 fs/tempdir/TEMP: low
+fs/tempfile: low
 fs/unmount: low
 fs/watch: low
 hw/dev/block_ice: medium
diff --git a/tests/linux/clean/ld-2.27.so.simple b/tests/linux/clean/ld-2.27.so.simple
index 7f640c2af..0180d38ee 100644
--- a/tests/linux/clean/ld-2.27.so.simple
+++ b/tests/linux/clean/ld-2.27.so.simple
@@ -1,6 +1,7 @@
 # linux/clean/ld-2.27.so: medium
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
+anti-static/elf/multiple: medium
 c2/addr/url: low
 c2/tool_transfer/arch: low
 c2/tool_transfer/os: low
diff --git a/tests/linux/clean/libasan.so.8.0.0.simple b/tests/linux/clean/libasan.so.8.0.0.simple
index aaebd75d9..b644d9bf3 100644
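Review bot: The `+anti-static/elf/multiple: medium` line added to the clean ld-2.27.so fixture here shows the new rule firing on a dynamic loader, and the same finding is added to the clean melange, slack, pandoc, qemu-system-xtensa, slirp4netns and tree-sitter fixtures later in this diff. The rule definition is outside this chunk, but its evidence is reported only as `$elf_head`, so it presumably counts ELF header occurrences; a loader, a hypervisor or a tool that parses ELF files legitimately carries more than one such header, which makes this a weak indicator of an embedded payload at medium severity. Consider raising the count threshold, lowering the rule to low, or excluding samples whose ELF section table explains the extra headers before the clean corpus bakes this in as an expected finding; at minimum the rule description should say that ELF-aware tooling is an expected source of hits.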
--- a/tests/linux/clean/libasan.so.8.0.0.simple
+++ b/tests/linux/clean/libasan.so.8.0.0.simple
@@ -81,7 +81,7 @@ os/fd/sendfile: low
 os/kernel/key_management: low
 os/kernel/perfmon: low
 os/time/clock_set: low
-persist/kernel_module/module: medium
+persist/kernel_module/unload: medium
 privesc/setuid: low
 process/chroot: low
 process/create: low
diff --git a/tests/linux/clean/libc.so.6.simple b/tests/linux/clean/libc.so.6.simple
index 2b61c6d92..6db713f22 100644
--- a/tests/linux/clean/libc.so.6.simple
+++ b/tests/linux/clean/libc.so.6.simple
@@ -70,7 +70,7 @@ fs/symlink_resolve: low
 fs/tempdir: low
 fs/tempdir/TMPDIR: low
 fs/tempdir/create: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/unmount: low
 fs/watch: low
 hw/cpu: medium
@@ -98,11 +98,12 @@ net/socket/receive: low
 net/socket/send: low
 net/url/embedded: low
 os/fd/epoll: low
+os/fd/print: low
 os/fd/sendfile: low
 os/kernel/netlink: low
 os/time/clock_set: low
 persist/daemon: medium
-persist/kernel_module/module: medium
+persist/kernel_module/unload: medium
 privesc/setuid: low
 process/chroot: low
 process/create: low
diff --git a/tests/linux/clean/libgcj.so.17.0.0.simple b/tests/linux/clean/libgcj.so.17.0.0.simple
index 94747d639..65b554ce3 100644
--- a/tests/linux/clean/libgcj.so.17.0.0.simple
+++ b/tests/linux/clean/libgcj.so.17.0.0.simple
@@ -66,7 +66,7 @@ fs/proc/stat: medium
 fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 hw/iokit_registry: low
 impact/remote_access/agent: medium
 lateral/scan/tool: medium
diff --git a/tests/linux/clean/libgcj.so.17.simple b/tests/linux/clean/libgcj.so.17.simple
index 86c4f8893..4a19eb230 100644
--- a/tests/linux/clean/libgcj.so.17.simple
+++ b/tests/linux/clean/libgcj.so.17.simple
@@ -66,7 +66,7 @@ fs/proc/stat: medium
 fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 hw/iokit_registry: low
 impact/remote_access/agent: medium
 lateral/scan/tool: medium
diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple
index 158b60e7d..afce3a926 100644
--- a/tests/linux/clean/melange.simple
+++ b/tests/linux/clean/melange.simple
@@ -1,4 +1,5 @@
 # linux/clean/melange: medium
+anti-static/elf/multiple: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
 c2/addr/url: low
@@ -100,7 +101,7 @@ fs/swap/on: low
 fs/symlink_resolve: low
 fs/tempdir/TEMP: low
 fs/tempdir/create: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/unmount: low
 fs/watch: low
 impact/remote_access/heartbeat: medium
diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple
index 18c18e237..9ef86ed4a 100644
--- a/tests/linux/clean/mongosh.simple
+++ b/tests/linux/clean/mongosh.simple
@@ -120,7 +120,7 @@ fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
 fs/tempdir/create: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/watch: low
 hw/cpu: medium
 hw/wireless: low
diff --git a/tests/linux/clean/nvim.simple b/tests/linux/clean/nvim.simple
index 6108830bd..e5f53b526 100644
--- a/tests/linux/clean/nvim.simple
+++ b/tests/linux/clean/nvim.simple
@@ -59,7 +59,7 @@ fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
 fs/tempdir/create: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 impact/remote_access/pseudo_terminal: medium
 net/dns/servers: low
 net/download/fetch: medium
diff --git a/tests/linux/clean/opa.simple b/tests/linux/clean/opa.simple
index 09252ecb5..86b5cdc89 100644
--- a/tests/linux/clean/opa.simple
+++ b/tests/linux/clean/opa.simple
@@ -60,7 +60,7 @@ fs/permission/modify: medium
 fs/proc/self_cgroup: medium
 fs/proc/self_mountinfo: medium
 fs/tempdir/TEMP: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/watch: low
 net/dns: low
 net/dns/reverse: medium
diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md
index 838a11017..e4f1cb3c9 100644
--- a/tests/linux/clean/pandoc.md
+++ b/tests/linux/clean/pandoc.md
@@ -3,6 +3,8 @@
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |--|--|--|--|
 | HIGH | [impact/exploit/overflow_shellcode](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/exploit/overflow-shellcode.yara#exploit) | Buffer overflow exploit | [address](https://github.com/search?q=address&type=code)
[offset](https://github.com/search?q=offset&type=code)
[padding](https://github.com/search?q=padding&type=code)
[shellcode](https://github.com/search?q=shellcode&type=code) |
+| HIGH | [persist/shell/bash](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/shell/bash.yara#bash_persist_persistent) | acccesses multiple bash startup files | [.bash_login](https://github.com/search?q=.bash_login&type=code)
[.bash_profile](https://github.com/search?q=.bash_profile&type=code)
[.bashrc](https://github.com/search?q=.bashrc&type=code)
[.profile](https://github.com/search?q=.profile&type=code) |
+| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head |
 | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bindPort](https://github.com/search?q=bindPort&type=code)
[blIp](https://github.com/search?q=blIp&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[client_port](https://github.com/search?q=client_port&type=code)
[config_port](https://github.com/search?q=config_port&type=code)
[curlopt_port](https://github.com/search?q=curlopt_port&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[domain_port](https://github.com/search?q=domain_port&type=code)
[eIp](https://github.com/search?q=eIp&type=code)
[ereghet_ip](https://github.com/search?q=ereghet_ip&type=code)
[framed_ip](https://github.com/search?q=framed_ip&type=code)
[ftp_port](https://github.com/search?q=ftp_port&type=code)
[gamhet_ip](https://github.com/search?q=gamhet_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[gomphet_ip](https://github.com/search?q=gomphet_ip&type=code)
[host_ip](https://github.com/search?q=host_ip&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[internal_ip](https://github.com/search?q=internal_ip&type=code)
[ipproto_ip](https://github.com/search?q=ipproto_ip&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lat_port](https://github.com/search?q=lat_port&type=code)
[lloghet_ip](https://github.com/search?q=lloghet_ip&type=code)
[lnormhet_ip](https://github.com/search?q=lnormhet_ip&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[local_port](https://github.com/search?q=local_port&type=code)
[login_ip](https://github.com/search?q=login_ip&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[nas_ip](https://github.com/search?q=nas_ip&type=code)
[nas_port](https://github.com/search?q=nas_port&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pg_port](https://github.com/search?q=pg_port&type=code)
[primary_ip](https://github.com/search?q=primary_ip&type=code)
[primary_port](https://github.com/search?q=primary_port&type=code)
[proxyPort](https://github.com/search?q=proxyPort&type=code)
[radius_port](https://github.com/search?q=radius_port&type=code)
[sam_port](https://github.com/search?q=sam_port&type=code)
[serverPort](https://github.com/search?q=serverPort&type=code)
[server_port](https://github.com/search?q=server_port&type=code)
[setPort](https://github.com/search?q=setPort&type=code)
[socketPort](https://github.com/search?q=socketPort&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[uriPort](https://github.com/search?q=uriPort&type=code)
[url_port](https://github.com/search?q=url_port&type=code)
[validate_ip](https://github.com/search?q=validate_ip&type=code)
[weibhet_ip](https://github.com/search?q=weibhet_ip&type=code)
[xIp](https://github.com/search?q=xIp&type=code) |
 | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) |
 | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code) |
@@ -58,6 +60,7 @@
 | MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
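Review bot: The row added for `persist/shell/bash` in the pandoc.md fixture carries the misspelling "acccesses multiple bash startup files", and because this column is presumably rendered from the rule's description metadata, the typo will be reproduced in every report and fixture that hits the rule. The rule file itself is outside this chunk; fix the description there (`description = "accesses multiple bash startup files"`) and regenerate the fixture rather than hand-editing this line. It is also worth noting in the rule description that a document converter such as pandoc shipping references to `.bashrc` and `.profile` is an expected benign source of this HIGH finding.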
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) |
 | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type: text/x](https://github.com/search?q=Content-Type%3A+text%2Fx&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) |
 | MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [QWebSocketCorsAuthenticator](https://github.com/search?q=QWebSocketCorsAuthenticator&type=code)
[QWebSocketHandshakeOptions](https://github.com/search?q=QWebSocketHandshakeOptions&type=code)
[QWebSocketServer](https://github.com/search?q=QWebSocketServer&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code) |
+| MEDIUM | [net/ip/byte_order](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-byte-order.yara#htonl) | convert values between host and network byte order | [htonl](https://github.com/search?q=htonl&type=code)
[htons](https://github.com/search?q=htons&type=code)
[ntohs](https://github.com/search?q=ntohs&type=code) |
 | MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#hostname_port) | connects to an arbitrary hostname:port | [hostname](https://github.com/search?q=hostname&type=code)
[port](https://github.com/search?q=port&type=code) |
 | MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping frame](https://github.com/search?q=ping+frame&type=code) |
 | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) |
@@ -78,7 +81,7 @@
 | MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) |
 | MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) |
 | MEDIUM | [persist/cron/tab](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/cron/tab.yara#crontab_support) | lists crontab entries, may also persist | [crontab](https://github.com/search?q=crontab&type=code) |
-| MEDIUM | [persist/kernel_module/module](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/module.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) |
+| MEDIUM | [persist/kernel_module/unload](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/unload.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) |
 | MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [PidFile](https://github.com/search?q=PidFile&type=code) |
 | MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) |
 | MEDIUM | [sec-tool/net/nmap](https://github.com/chainguard-dev/malcontent/blob/main/rules/sec-tool/net/nmap.yara#nmap) | nmap (network map) port scanner | [nmap](https://github.com/search?q=nmap&type=code) |
@@ -140,7 +143,7 @@
 | LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) |
 | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) |
 | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
-| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [mktemp](https://github.com/search?q=mktemp&type=code) |
+| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [mktemp](https://github.com/search?q=mktemp&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) |
 | LOW | [fs/unmount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/unmount.yara#umount) | unmount file system | [umount](https://github.com/search?q=umount&type=code) |
 | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) |
 | LOW | [hw/iokit_registry](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/iokit-registry.yara#IORegistry) | access IOKit device driver registry | [IORegistry](https://github.com/search?q=IORegistry&type=code) |
diff --git a/tests/linux/clean/pulumi.simple b/tests/linux/clean/pulumi.simple
index a8f38d6db..8b17cd939 100644
--- a/tests/linux/clean/pulumi.simple
+++ b/tests/linux/clean/pulumi.simple
@@ -100,7 +100,7 @@ fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
 fs/tempdir/create: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 hw/wireless: low
 impact/remote_access/heartbeat: medium
 lateral/scan/tool: medium
@@ -149,10 +149,11 @@ net/webrtc: medium
 os/env/get: low
 os/fd/sendfile: low
 os/kernel/netlink: low
-persist/kernel_module/module: medium
+persist/kernel_module/unload: medium
 persist/pid_file: medium
 privesc/sudo: medium
 process/chroot: low
 sus/exclamation: medium
 sus/intercept: medium
+sus/lang: medium
 sus/leetspeak: medium
diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md
index 7beaec96c..f24a1df59 100644
--- a/tests/linux/clean/qemu-system-xtensa.md
+++ b/tests/linux/clean/qemu-system-xtensa.md
@@ -4,6 +4,7 @@
 |--|--|--|--|
 | HIGH | [crypto/xor](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/xor.yara#xor_decode_encode) | decodes/encodes XOR content | [Opcode_xor_encode_fns](https://github.com/search?q=Opcode_xor_encode_fns&type=code) |
 | HIGH | [fs/proc/pid_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-cmdline.yara#proc_d_cmdline) | access command-line of other processes | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) |
+| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head |
 | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[add_port](https://github.com/search?q=add_port&type=code)
[ahci_port](https://github.com/search?q=ahci_port&type=code)
[and_port](https://github.com/search?q=and_port&type=code)
[be_port](https://github.com/search?q=be_port&type=code)
[claim_port](https://github.com/search?q=claim_port&type=code)
[clear_port](https://github.com/search?q=clear_port&type=code)
[compare_ip](https://github.com/search?q=compare_ip&type=code)
[ehci_port](https://github.com/search?q=ehci_port&type=code)
[extract_ip](https://github.com/search?q=extract_ip&type=code)
[find_port](https://github.com/search?q=find_port&type=code)
[fix_port](https://github.com/search?q=fix_port&type=code)
[get_ip](https://github.com/search?q=get_ip&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[handle_port](https://github.com/search?q=handle_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[hub_port](https://github.com/search?q=hub_port&type=code)
[megasas_port](https://github.com/search?q=megasas_port&type=code)
[mem_port](https://github.com/search?q=mem_port&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[metadata_ip](https://github.com/search?q=metadata_ip&type=code)
[mmio_port](https://github.com/search?q=mmio_port&type=code)
[mptsas_port](https://github.com/search?q=mptsas_port&type=code)
[ohci_port](https://github.com/search?q=ohci_port&type=code)
[pcie_port](https://github.com/search?q=pcie_port&type=code)
[register_port](https://github.com/search?q=register_port&type=code)
[release_port](https://github.com/search?q=release_port&type=code)
[remove_port](https://github.com/search?q=remove_port&type=code)
[reset_port](https://github.com/search?q=reset_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[spdm_port](https://github.com/search?q=spdm_port&type=code)
[state_port](https://github.com/search?q=state_port&type=code)
[throttle_port](https://github.com/search?q=throttle_port&type=code)
[uhci_port](https://github.com/search?q=uhci_port&type=code)
[update_ip](https://github.com/search?q=update_ip&type=code)
[upstream_port](https://github.com/search?q=upstream_port&type=code)
[usb_port](https://github.com/search?q=usb_port&type=code)
[virtser_port](https://github.com/search?q=virtser_port&type=code)
[write_port](https://github.com/search?q=write_port&type=code)
[xhci_port](https://github.com/search?q=xhci_port&type=code) |
 | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [vnc_init_basic_info_from_server_addr](https://github.com/search?q=vnc_init_basic_info_from_server_addr&type=code) |
 | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://) |
diff --git a/tests/linux/clean/redis-server.aarch64.md b/tests/linux/clean/redis-server.aarch64.md
index f10140dbb..7adb4bae3 100644
--- a/tests/linux/clean/redis-server.aarch64.md
+++ b/tests/linux/clean/redis-server.aarch64.md
@@ -46,7 +46,7 @@
 | LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/myredis.conf](https://github.com/search?q=%2Fetc%2Fmyredis.conf&type=code)
[/etc/rc.local](https://github.com/search?q=%2Fetc%2Frc.local&type=code)
[/etc/redis/](https://github.com/search?q=%2Fetc%2Fredis%2F&type=code)
[/etc/sentinel.conf](https://github.com/search?q=%2Fetc%2Fsentinel.conf&type=code)
[/etc/sysctl.conf](https://github.com/search?q=%2Fetc%2Fsysctl.conf&type=code) |
 | LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code) |
 | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) |
-| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) |
+| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [temp file](https://github.com/search?q=temp+file&type=code) |
 | LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) |
 | LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) |
 | LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) |
diff --git a/tests/linux/clean/runtime-security-fentry.o.simple b/tests/linux/clean/runtime-security-fentry.o.simple
index 5d8f53475..bd994f3d5 100644
--- a/tests/linux/clean/runtime-security-fentry.o.simple
+++ b/tests/linux/clean/runtime-security-fentry.o.simple
@@ -27,7 +27,7 @@ net/socket/listen: medium
 net/socket/send: low
 net/url/embedded: low
 os/kernel/seccomp: low
-persist/kernel_module/module: medium
+persist/kernel_module/unload: medium
 privesc/setuid: low
 process/create: low
 process/groupid_set: low
diff --git a/tests/linux/clean/runtime-security-syscall-wrapper.o.simple b/tests/linux/clean/runtime-security-syscall-wrapper.o.simple
index 1cb68d4df..3319895da 100644
--- a/tests/linux/clean/runtime-security-syscall-wrapper.o.simple
+++ b/tests/linux/clean/runtime-security-syscall-wrapper.o.simple
@@ -28,7 +28,7 @@ net/socket/listen: medium
 net/socket/send: low
 net/url/embedded: low
 os/kernel/seccomp: low
-persist/kernel_module/module: medium
+persist/kernel_module/unload: medium
 privesc/setuid: low
 process/create: low
 process/groupid_set: low
diff --git a/tests/linux/clean/runtime-security.o.simple b/tests/linux/clean/runtime-security.o.simple
index 6c02c40e1..6fd06e98d 100644
--- a/tests/linux/clean/runtime-security.o.simple
+++ b/tests/linux/clean/runtime-security.o.simple
@@ -26,7 +26,7 @@ net/socket/listen: medium
 net/socket/send: low
 net/url/embedded: low
 os/kernel/seccomp: low
-persist/kernel_module/module: medium
+persist/kernel_module/unload: medium
 privesc/setuid: low
 process/create: low
 process/groupid_set: low
diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md
index 46d75cfe4..89d44ca7c 100644
--- a/tests/linux/clean/slack.md
+++ b/tests/linux/clean/slack.md
@@ -4,6 +4,7 @@
 |--|--|--|--|
 | MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) |
 | MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) |
+| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head |
 | MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) |
 | MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s)
[https://%s](https://%s) |
 | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[endpoint_port](https://github.com/search?q=endpoint_port&type=code)
[firstIp](https://github.com/search?q=firstIp&type=code)
[hIp](https://github.com/search?q=hIp&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[multi_port](https://github.com/search?q=multi_port&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[pIp](https://github.com/search?q=pIp&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[quiche_ip](https://github.com/search?q=quiche_ip&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[required_ip](https://github.com/search?q=required_ip&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[xIp](https://github.com/search?q=xIp&type=code)
[yoIp](https://github.com/search?q=yoIp&type=code) |
@@ -153,7 +154,7 @@
 | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) |
-| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) |
+| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) |
 | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) |
 | LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code)
[bssid](https://github.com/search?q=bssid&type=code) |
 | LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [require('dns')](https://github.com/search?q=require%28%27dns%27%29&type=code) |
diff --git a/tests/linux/clean/slirp4netns.simple b/tests/linux/clean/slirp4netns.simple
index 77be8a9d6..b2b0dece8 100644
--- a/tests/linux/clean/slirp4netns.simple
+++ b/tests/linux/clean/slirp4netns.simple
@@ -1,6 +1,7 @@
 # linux/clean/slirp4netns: medium
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
+anti-static/elf/multiple: medium
 c2/addr/ip: medium
 c2/addr/url: low
 c2/tool_transfer/arch: low
@@ -100,7 +101,7 @@ os/kernel/netlink: low
 os/kernel/perfmon: low
 os/kernel/seccomp: low
 os/time/clock_set: low
-persist/kernel_module/module: medium
+persist/kernel_module/unload: medium
 persist/writeable_dir: medium
 privesc/setuid: low
 process/chroot: low
diff --git a/tests/linux/clean/sudo.simple b/tests/linux/clean/sudo.simple
index 848721909..f614d1934 100644
--- a/tests/linux/clean/sudo.simple
+++ b/tests/linux/clean/sudo.simple
@@ -30,7 +30,7 @@ fs/permission/chown: low
 fs/proc/arbitrary_pid: medium
 fs/proc/pid_exe: medium
 fs/tempdir/TEMP: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 net/ip/host_port: medium
 net/ip/string: medium
 net/socket/listen: medium
diff --git a/tests/linux/clean/tree-sitter.md b/tests/linux/clean/tree-sitter.md
index 5fab4bc38..9daab6155 100644
--- a/tests/linux/clean/tree-sitter.md
+++ b/tests/linux/clean/tree-sitter.md
@@ -3,6 +3,7 @@
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |--|--|--|--|
 | HIGH | [exec/shell/tmp_semicolon](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/tmp_semicolon.yara#semicolon_short_tmp) | unusual one-liners involving /tmp | [--;/tmp/rust-20241004-6494-uljaw4/rustc-1](https://github.com/search?q=--%3B%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1&type=code) |
+| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head |
 | MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [Dropper](https://github.com/search?q=Dropper&type=code) |
 | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Darwin](https://github.com/search?q=Darwin&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) |
 | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) |
@@ -32,7 +33,7 @@
 | LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.cache/Homebrew/cargo_cache/registry/src/index.crates.](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.cache%2FHomebrew%2Fcargo_cache%2Fregistry%2Fsrc%2Findex.crates.&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/tree-sitter/0.24.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftree-sitter%2F0.24.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code) |
 | LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) |
 | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) |
-| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) |
+| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [temp file](https://github.com/search?q=temp+file&type=code) |
 | LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) |
 | LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) |
 | LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) |
diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple
index da08c3a66..8d67345fb 100644
--- a/tests/linux/clean/trivy.simple
+++ b/tests/linux/clean/trivy.simple
@@ -1,4 +1,5 @@
 # linux/clean/trivy: medium
+anti-static/elf/multiple: medium
 c2/addr/discord: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
@@ -131,7 +132,7 @@ fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
 fs/tempdir/create: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/watch: low
 hw/dev/block_ice: medium
 hw/wireless: low
diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md
index 01427a4eb..ad6c6c17e 100644
--- a/tests/linux/clean/trufflehog.md
+++ b/tests/linux/clean/trufflehog.md
@@ -10,6 +10,7 @@
 | HIGH | [exfil/stealer/creds](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/creds.yara#suspected_data_stealer) | suspected data stealer | [Atomic](https://github.com/search?q=Atomic&type=code)
[Binance](https://github.com/search?q=Binance&type=code)
[Chrome](https://github.com/search?q=Chrome&type=code)
[Discord](https://github.com/search?q=Discord&type=code)
[Firefox](https://github.com/search?q=Firefox&type=code)
[History](https://github.com/search?q=History&type=code)
[OpenVPN](https://github.com/search?q=OpenVPN&type=code)
[Snowflake](https://github.com/search?q=Snowflake&type=code)
[Telegram](https://github.com/search?q=Telegram&type=code) |
 | HIGH | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#file_io_uploader) | uploads content to file.io | [POST](https://github.com/search?q=POST&type=code)
[file.io](https://github.com/search?q=file.io&type=code)
[post](https://github.com/search?q=post&type=code) |
 | MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) |
+| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head |
 | MEDIUM | [c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord) | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) |
 | MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba](http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba)
[https://%s.api.mailchimp.com/3.0/https](https://%s.api.mailchimp.com/3.0/https)
[https://%s.api.mailchimp.com/3.0https](https://%s.api.mailchimp.com/3.0https)
[https://%s.billomat.net/api/v2/clients/myself](https://%s.billomat.net/api/v2/clients/myself)
[https://%s.caspio.com/oauth/tokenhttps](https://%s.caspio.com/oauth/tokenhttps)
[https://%s.currencycloud.com](https://%s.currencycloud.com)
[https://%s.fibery.io/api/commandsTruffleHog3](https://%s.fibery.io/api/commandsTruffleHog3)
[https://%s.flowlu.com/api/v1/module/crm/lead/list](https://%s.flowlu.com/api/v1/module/crm/lead/list)
[https://%s.formsite.com/api/v2/](https://%s.formsite.com/api/v2/)
[https://%s.kanbantool.com/api/v3/users/current.jsonhttps](https://%s.kanbantool.com/api/v3/users/current.jsonhttps)
[https://%s.leankit.com/io/accounthttps](https://%s.leankit.com/io/accounthttps)
[https://%s.s3](https://%s.s3)
[https://%s.salesmate.io/apis/v3/companies/1](https://%s.salesmate.io/apis/v3/companies/1)
[https://%s.scalr.io/api/iacp/v3/agentshttps](https://%s.scalr.io/api/iacp/v3/agentshttps)
[https://%s.vouchery.io/api/v2.0/usershttps](https://%s.vouchery.io/api/v2.0/usershttps)
[https://%s/account.json](https://%s/account.json)
[https://%s/admin/api/2024](https://%s/admin/api/2024)
[https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR](https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR)
[https://%s/api/laml/2010](https://%s/api/laml/2010)
[https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx](https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx)
[https://%s/api/v1/projects](https://%s/api/v1/projects)
[https://%s/api/v1/sources](https://%s/api/v1/sources)
[https://%s/api/v1/users/meopsgenie.com/alert/detail/https](https://%s/api/v1/users/meopsgenie.com/alert/detail/https)
[https://%s/api/v1/userserror](https://%s/api/v1/userserror)
[https://%s/api/v2/tickets](https://%s/api/v2/tickets)
[https://%s/api/v3/users/current.json](https://%s/api/v3/users/current.json)
[https://%s/auth/oauth2/v2/tokenhttps](https://%s/auth/oauth2/v2/tokenhttps)
[https://%s/invoices.json](https://%s/invoices.json)
[https://%s/v2/lastUpdateTimeBeamer](https://%s/v2/lastUpdateTimeBeamer)
[https://%sSCRAM](https://%sSCRAM) |
 | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[aIp](https://github.com/search?q=aIp&type=code)
[a_ip](https://github.com/search?q=a_ip&type=code)
[accel_port](https://github.com/search?q=accel_port&type=code)
[allowed_port](https://github.com/search?q=allowed_port&type=code)
[announce_port](https://github.com/search?q=announce_port&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[fastly_ip](https://github.com/search?q=fastly_ip&type=code)
[firewall_ip](https://github.com/search?q=firewall_ip&type=code)
[geo_ip](https://github.com/search?q=geo_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[htcp_port](https://github.com/search?q=htcp_port&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[i_ip](https://github.com/search?q=i_ip&type=code)
[icp_port](https://github.com/search?q=icp_port&type=code)
[in_ip](https://github.com/search?q=in_ip&type=code)
[ip_port](https://github.com/search?q=ip_port&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[lookupPort](https://github.com/search?q=lookupPort&type=code)
[m_ip](https://github.com/search?q=m_ip&type=code)
[miss_port](https://github.com/search?q=miss_port&type=code)
[nIp](https://github.com/search?q=nIp&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[old_ip](https://github.com/search?q=old_ip&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pages_ip](https://github.com/search?q=pages_ip&type=code)
[parsePort](https://github.com/search?q=parsePort&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[privateIp](https://github.com/search?q=privateIp&type=code)
[relay_port](https://github.com/search?q=relay_port&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[routedPort](https://github.com/search?q=routedPort&type=code)
[snmp_port](https://github.com/search?q=snmp_port&type=code)
[snmpd_port](https://github.com/search?q=snmpd_port&type=code)
[stripPort](https://github.com/search?q=stripPort&type=code)
[tIp](https://github.com/search?q=tIp&type=code)
[vIp](https://github.com/search?q=vIp&type=code) |
@@ -86,7 +87,7 @@
 | MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[25https://api.websitepulse.com/textserver.php?method=GetContacts](https://github.com/search?q=25https%3A%2F%2Fapi.websitepulse.com%2Ftextserver.php%3Fmethod%3DGetContacts&type=code)
[bhttps://api.route4me.com/api.v4/address_book.php?api_key=https](https://github.com/search?q=bhttps%3A%2F%2Fapi.route4me.com%2Fapi.v4%2Faddress_book.php%3Fapi_key%3Dhttps&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[https://pastebin.com/api/api_post.php](https://pastebin.com/api/api_post.php)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code)
[shttps://api.mesibo.com/api.php?op=useradd](https://github.com/search?q=shttps%3A%2F%2Fapi.mesibo.com%2Fapi.php%3Fop%3Duseradd&type=code) |
 | MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) |
 | MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code) |
-| MEDIUM | [persist/kernel_module/module](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/module.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) |
+| MEDIUM | [persist/kernel_module/unload](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/unload.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) |
 | MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [pid_file](https://github.com/search?q=pid_file&type=code) |
 | MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) |
 | MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercepted](https://github.com/search?q=intercepted&type=code)
[interceptor](https://github.com/search?q=interceptor&type=code) |
@@ -155,7 +156,7 @@
 | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) |
 | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
 | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [temp dir](https://github.com/search?q=temp+dir&type=code) |
-| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [createTempFile](https://github.com/search?q=createTempFile&type=code)
[temp file](https://github.com/search?q=temp+file&type=code) |
+| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [createTempFile](https://github.com/search?q=createTempFile&type=code)
[temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) |
 | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) |
 | LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) |
 | LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code)
[SetEDNS0](https://github.com/search?q=SetEDNS0&type=code)
[dnsmessage](https://github.com/search?q=dnsmessage&type=code) |
diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple
index d18834444..5a76c42d3 100644
--- a/tests/linux/clean/wolfictl.simple
+++ b/tests/linux/clean/wolfictl.simple
@@ -1,4 +1,5 @@
 # linux/clean/wolfictl: medium
+anti-static/elf/multiple: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
 c2/addr/url: low
@@ -120,7 +121,7 @@ fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
 fs/tempdir/create: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/unmount: low
 fs/watch: low
 hw/wireless: low
diff --git a/tests/macOS/2024.Previewers/Previewers.simple b/tests/macOS/2024.Previewers/Previewers.simple
index 0df20a2c5..caf0d1ae0 100644
--- a/tests/macOS/2024.Previewers/Previewers.simple
+++ b/tests/macOS/2024.Previewers/Previewers.simple
@@ -32,7 +32,7 @@ fs/file/delete: low
 fs/path/etc: low
 fs/path/users: medium
 fs/tempdir/TEMP: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 hw/disk_info: medium
 malware/family/rustdoor: critical
 net/dns/txt: low
diff --git a/tests/npm/2024.distube-fast/postinstall.js.simple b/tests/npm/2024.distube-fast/postinstall.js.simple
index be87fcf61..a16fd5d17 100644
--- a/tests/npm/2024.distube-fast/postinstall.js.simple
+++ b/tests/npm/2024.distube-fast/postinstall.js.simple
@@ -3,7 +3,7 @@ c2/addr/ip: medium
 c2/tool_transfer/exe_url: critical
 c2/tool_transfer/js: critical
 fs/file/delete: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 net/download: medium
 net/http/request: low
 net/url/embedded: low
diff --git a/tests/php/clean/composer-2.7.7.simple b/tests/php/clean/composer-2.7.7.simple
index fb72f79ec..5ad2bf9b2 100644
--- a/tests/php/clean/composer-2.7.7.simple
+++ b/tests/php/clean/composer-2.7.7.simple
@@ -61,7 +61,7 @@ fs/permission/modify: medium
 fs/symlink_resolve: low
 fs/tempdir/TEMP: low
 fs/tempdir/create: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 lateral/scan/target_ip: medium
 lateral/scan/tool: medium
 net/download/fetch: medium
diff --git a/tests/python/clean/numba/support.py.simple b/tests/python/clean/numba/support.py.simple
index f718a5569..9f28257b0 100644
--- a/tests/python/clean/numba/support.py.simple
+++ b/tests/python/clean/numba/support.py.simple
@@ -15,6 +15,7 @@ fs/file/write: low
 fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/create: low
+fs/tempfile: low
 net/url/embedded: low
 os/fd/read: low
 os/fd/write: low
diff --git a/tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple b/tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple
index 8bdb9c95b..c7b3908d6 100644
--- a/tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple
+++ b/tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple
@@ -6,4 +6,4 @@ exec/shell/exec: medium
 impact/remote_access/reverse_shell: high
 net/tcp/connect: medium
 os/signal/send: high
-persist/kernel_module/insert: medium
+persist/kernel_module/unload: medium
diff --git a/tests/windows/2024.GitHub.Clipper/main.exe.simple b/tests/windows/2024.GitHub.Clipper/main.exe.simple
index 2f3363cbf..9c5a86b5e 100644
--- a/tests/windows/2024.GitHub.Clipper/main.exe.simple
+++ b/tests/windows/2024.GitHub.Clipper/main.exe.simple
@@ -70,6 +70,7 @@ fs/permission/chown: medium
 fs/permission/modify: medium
 fs/tempdir: low
 fs/tempdir/TEMP: low
+fs/tempfile: low
 hw/disk_info: medium
 impact/degrade/win_defender: high
 lateral/scan/tool: medium
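Review bot: The Ruby rootkit fixture replaces `persist/kernel_module/insert: medium` with `persist/kernel_module/unload: medium`, which looks like a lost detection rather than a rename: elsewhere in this diff (slirp4netns.simple and trufflehog.md) it is the old `persist/kernel_module/module` finding, evidenced by `delete_module`, that becomes `unload`, so an insert-style finding on a rootkit sample collapsing into an unload finding is worth checking against the new rules under rules/persist/kernel_module/, which are outside this chunk. If the insert and unload rules were intentionally merged, a sentence in the commit description saying so would make this fixture change reviewable; if not, the sample should still produce a module-insertion finding and the expected line should be restored rather than rewritten.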