From 77dbca94ef8d429b72e1eff7ee8dab334ee559a0 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Sat, 7 Dec 2024 09:57:06 -0500
Subject: [PATCH 01/10] libselinux.so tuning
---
 .../obfuscation/hidden_literals.yara | 10 +++++++
 rules/anti-static/xor/xor-terms.yara | 26 +++++++++++++++++++
 rules/evasion/logging/hide_shell_history.yara | 12 +++++++++
 rules/evasion/rootkit/userspace.yara | 16 ++++++++++++
 rules/exec/dylib/symbol-address.yara | 3 ++-
 rules/fs/tempdir/tempfile-create.yara | 1 +
 rules/impact/infection/infected.yara | 14 ++++++++++
 rules/malware/family/beurk.yara | 17 ++++++++++++
 rules/net/ip/ip-byte-order.yara | 1 +
 rules/os/fd/print.yara | 12 +++++++++
 rules/os/fd/socket.yara | 11 ++++++++
 tests/linux/2024.Gelsemium/dbus.simple | 0
 tests/linux/2024.Gelsemium/kde.simple | 0
 .../linux/2024.Gelsemium/libselinux.so.simple | 0
 tests/linux/2024.Gelsemium/udevd.simple | 0
 tests/linux/2024.Gelsemium/udevd_multi.simple | 0
 16 files changed, 122 insertions(+), 1 deletion(-)
 create mode 100644 rules/anti-static/obfuscation/hidden_literals.yara
 create mode 100644 rules/anti-static/xor/xor-terms.yara
 create mode 100644 rules/malware/family/beurk.yara
 create mode 100644 rules/os/fd/print.yara
 create mode 100644 rules/os/fd/socket.yara
 create mode 100644 tests/linux/2024.Gelsemium/dbus.simple
 create mode 100644 tests/linux/2024.Gelsemium/kde.simple
 create mode 100644 tests/linux/2024.Gelsemium/libselinux.so.simple
 create mode 100644 tests/linux/2024.Gelsemium/udevd.simple
 create mode 100644 tests/linux/2024.Gelsemium/udevd_multi.simple
diff --git a/rules/anti-static/obfuscation/hidden_literals.yara b/rules/anti-static/obfuscation/hidden_literals.yara
new file mode 100644
index 00000000..ea2daf03
--- /dev/null
+++ b/rules/anti-static/obfuscation/hidden_literals.yara
@@ -0,0 +1,10 @@
+rule hidden_literals: medium {
+ meta:
+ description = "references hidden literals"
+
+ strings:
+ $ref = "hidden_literals"
+
+ condition:
+ filesize < 10MB and $ref
+}
diff --git a/rules/anti-static/xor/xor-terms.yara b/rules/anti-static/xor/xor-terms.yara
new file mode 100644
index 00000000..fa2a0577
--- /dev/null
+++ b/rules/anti-static/xor/xor-terms.yara
@@ -0,0 +1,26 @@
+rule xor_terms: high {
+ meta:
+ description = "terms obfuscated using xor"
+
+ strings:
+ $LIBRARY = "LIBRARY" xor(1-31)
+ $LIBRARY2 = "LIBRARY" xor(33-255)
+ $INFECT = "INFECT" xor(1-31)
+ $INFECT2 = "INFECT" xor(33-255)
+ $MAGIC = "MAGIC" xor(1-31)
+ $MAGIC2 = "MAGIC" xor(33-255)
+ $plugin = "plugin" xor(1-31)
+ $plugin2 = "plugin2" xor(33-255)
+ $debug = "debug" xor(1-31)
+ $debug2 = "debug2" xor(33-255)
+ $evil = " evil " xor(1-31)
+ $evil2 = " evil " xor(33-255)
+ $environ = "environ" xor(1-31)
+ $environ2 = "environ" xor(33-255)
+
+ $xterm = "xterm" xor(1-31)
+ $xterm2 = "xterm" xor(33-255)
+
+ condition:
+ filesize < 5MB and any of them
+}
diff --git a/rules/evasion/logging/hide_shell_history.yara b/rules/evasion/logging/hide_shell_history.yara
index 2b715173..88b3b1a7 100644
--- a/rules/evasion/logging/hide_shell_history.yara
+++ b/rules/evasion/logging/hide_shell_history.yara
@@ -16,6 +16,18 @@ rule hide_shell_history: high { any of ($h*) and none of ($not*) }
+rule histfile_xor: high {
+ meta:
+ description = "commands obfuscated using xor"
+
+ strings:
+ $HISTFILE = "HISTFILE" xor(1-31)
+ $HISTFILE2 = "HISTFILE" xor(33-255)
+
+ condition:
+ filesize < 10MB and any of them
+}
+
 rule histfile_savehist_ld: high { meta: description = "likely hides shell command history"
diff --git a/rules/evasion/rootkit/userspace.yara b/rules/evasion/rootkit/userspace.yara
index 8e42dbc5..65e3193e 100644
--- a/rules/evasion/rootkit/userspace.yara
+++ b/rules/evasion/rootkit/userspace.yara
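Review bot: The literals for `$plugin2` and `$debug2` carry the name's `2` suffix into the search string, `"plugin2"` and `"debug2"`, so the 33-255 key range never looks for the plain terms that the sibling `$plugin` and `$debug` strings cover; `infected_xor` in rules/impact/infection/infected.yara, later in this same patch, has the same slip with `"infected2"` and `"INFECTED2"`. The suffix belongs on the identifier only: `$plugin2 = "plugin" xor(33-255)` and `$debug2 = "debug" xor(33-255)`. As written, a hit on those two strings can only come from a binary that literally contains an XOR'd `plugin2`, which is not what the rule's description promises.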
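Review bot: The `description` of `histfile_xor`, `"commands obfuscated using xor"`, is copied from `xor_commands`, but the only strings in this rule are the `HISTFILE` environment-variable name, so reports will label the hit as an obfuscated command. Suggest `description = "HISTFILE reference obfuscated using xor"`. The closing lines of `hide_shell_history` that open this hunk are context only and are not changed.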
@@ -46,6 +46,22 @@ rule readdir_intercept: high { filesize < 2MB and uint32(0) == 1179403647 and all of ($r*) and none of ($not*) }
+rule readdir_dlsym_interceptor: high {
+ meta:
+ description = "userland rootkit designed to hide files (readdir)"
+
+ filetypes = "so,c"
+
+ strings:
+ $dlsym = "dlsym" fullword
+ $readdir64 = "readdir64" fullword
+ $readlink_maybe_not_needed = "readlink"
+ $proc = "/proc"
+
+ condition:
+ filesize < 1MB and uint32(0) == 1179403647 and all of them
+}
+
 rule readdir_tcp_wrapper_intercept: high { meta: description = "userland rootkit designed to hide files and bypass tcp-wrappers"
diff --git a/rules/exec/dylib/symbol-address.yara b/rules/exec/dylib/symbol-address.yara
index 4782a0f7..a6c5750e 100644
--- a/rules/exec/dylib/symbol-address.yara
+++ b/rules/exec/dylib/symbol-address.yara
@@ -4,7 +4,8 @@ rule dlsym: medium { description = "get the address of a symbol" strings:
- $ref = "dlsym" fullword
+ $ref = "dlsym" fullword
+ $ref2 = "dlvsym" fullword
 condition: any of them
diff --git a/rules/fs/tempdir/tempfile-create.yara b/rules/fs/tempdir/tempfile-create.yara
index 44979d3d..c01a6425 100644
--- a/rules/fs/tempdir/tempfile-create.yara
+++ b/rules/fs/tempdir/tempfile-create.yara
@@ -6,6 +6,7 @@ rule mktemp { $ref = "mktemp" fullword $ref2 = "temp file" $ref3 = "ioutil/tempfile"
+ $ref4 = "tmpfile"
 condition: any of them
diff --git a/rules/impact/infection/infected.yara b/rules/impact/infection/infected.yara
index 55f65adc..101533ea 100644
--- a/rules/impact/infection/infected.yara
+++ b/rules/impact/infection/infected.yara
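Review bot: `readdir_dlsym_interceptor` declares `filetypes = "so,c"` but its condition requires `uint32(0) == 1179403647`, the ELF magic, so a C source file can never satisfy it; either drop `c` from `filetypes` or drop the magic check if matching source is intended. `$readlink_maybe_not_needed` is still mandatory under `all of them`, and its name reads as an unresolved TODO in shipped rules — decide whether `readlink` belongs, and if it does rename it `$readlink`, otherwise remove it from the set. `$proc = "/proc"` is a bare substring while the two symbols beside it use `fullword`; `$proc = "/proc" fullword` would be consistent and would not match paths such as `/process`.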
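Review bot: `$ref4 = "tmpfile"` has no `fullword` modifier, unlike `$ref = "mktemp" fullword` two lines above, so it also matches identifiers such as `tmpfiles` or `mktmpfile`; the second patch in this series then adds `fs/tempdir/tempfile_create: low` to a long run of clean fixtures (highlight.js, php.js, libc.so.6, busybox, buildah and others), which suggests the bare substring fires very broadly. `$ref4 = "tmpfile" fullword` still catches the libc `tmpfile` symbol and should shrink that churn. The `condition: any of them` shown as context is unchanged, so every new hit on `tmpfile` becomes a finding on its own.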
@@ -10,6 +10,20 @@ rule infected: medium { filesize < 5MB and any of them }
+rule infected_xor: high {
+ meta:
+ description = "References being 'infected', obfuscated using XOR"
+
+ strings:
+ $infected = "infected" xor(1-31)
+ $infected2 = "infected2" xor(33-255)
+ $INFECTED = "INFECTED" xor(1-31)
+ $INFECTED2 = "INFECTED2" xor(33-255)
+
+ condition:
+ filesize < 5MB and any of them
+}
+
 rule infection: medium { meta: description = "References 'infection'"
diff --git a/rules/malware/family/beurk.yara b/rules/malware/family/beurk.yara
new file mode 100644
index 00000000..9f64f326
--- /dev/null
+++ b/rules/malware/family/beurk.yara
@@ -0,0 +1,17 @@
+rule beurk: critical linux {
+ meta:
+ description = "BEURK userland process hider"
+
+ filetypes = "elf,so"
+ ref = "hhttps://github.com/unix-thrust/beurk"
+
+ strings:
+ $ = "dlsym" fullword
+ $ = "__non_hooked_symbols"
+ $ = "__hidden_literals"
+ $ = "readdir"
+
+ condition:
+ filesize < 2MB and 3 of them
+}
+
diff --git a/rules/net/ip/ip-byte-order.yara b/rules/net/ip/ip-byte-order.yara
index dcdd7add..33a9f7d3 100644
--- a/rules/net/ip/ip-byte-order.yara
+++ b/rules/net/ip/ip-byte-order.yara
@@ -6,6 +6,7 @@ rule htonl: medium { strings: $ref = "htonl" fullword $ref2 = "htons" fullword
+ $ref3 = "ntohs" fullword
 condition: any of them in (1300..3000)
diff --git a/rules/os/fd/print.yara b/rules/os/fd/print.yara
new file mode 100644
index 00000000..acc3a6cf
--- /dev/null
+++ b/rules/os/fd/print.yara
@@ -0,0 +1,12 @@
+rule fd_print: low {
+ meta:
+ description = "print to file descriptor"
+ pledge = "stdio"
+ syscall = "pwrite64"
+
+ strings:
+ $ref = "dprintf" fullword
+
+ condition:
+ any of them
+}
diff --git a/rules/os/fd/socket.yara b/rules/os/fd/socket.yara
new file mode 100644
index 00000000..e278e3ff
--- /dev/null
+++ b/rules/os/fd/socket.yara
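Review bot: `syscall = "pwrite64"` in `fd_print` does not look right for `dprintf`, which writes sequentially to a descriptor and takes no offset; the call it ends up in is ordinarily `write` (or `writev`), so I would expect `syscall = "write"` here — confirm against whatever convention the other `os/fd` rules follow for the `syscall` field before changing it. The `pledge = "stdio"` entry is consistent with that. A bare `any of them` on a single `fullword` symbol with no `filesize` bound is fine at `low`, but note that every binary linking `dprintf` will now carry this finding.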
@@ -0,0 +1,11 @@
+rule inspects_opened_sockets: medium {
+ meta:
+ description = "inspects open file descriptors for sockets"
+
+ strings:
+ $ref = "socket:[" fullword
+ $ref2 = /\/proc\/[%{$][\w\}]{0,12}\/fd/
+
+ condition:
+ all of them
+}
diff --git a/tests/linux/2024.Gelsemium/dbus.simple b/tests/linux/2024.Gelsemium/dbus.simple
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/linux/2024.Gelsemium/kde.simple b/tests/linux/2024.Gelsemium/kde.simple
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/linux/2024.Gelsemium/libselinux.so.simple b/tests/linux/2024.Gelsemium/libselinux.so.simple
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/linux/2024.Gelsemium/udevd.simple b/tests/linux/2024.Gelsemium/udevd.simple
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/linux/2024.Gelsemium/udevd_multi.simple b/tests/linux/2024.Gelsemium/udevd_multi.simple
new file mode 100644
index 00000000..e69de29b
From 17688b305ee594fdd6e9e9fe04229af95455576a Mon Sep 17 00:00:00 2001
From: Thomas Stromberg Date: Thu, 12 Dec 2024 20:00:51 -0500 Subject: [PATCH 02/10] Finish libselinux.so analysis --- pkg/action/testdata/scan_archive | 3 +- rules/anti-static/xor/xor-commands.yara | 71 ++++++++++--------- rules/fs/proc/pid-cmdline.yara | 15 ++++ rules/fs/proc/pid-fd.yara | 12 ++++ rules/fs/proc/pid-status.yara | 14 ++++ rules/malware/family/beurk.yara | 19 ++++- ...4796BB27126E03A7E25DD5D589.cache.js.simple | 1 + ...D016DDDA0665CB8CD8EEA6C537.cache.js.simple | 1 + .../javascript/clean/highlight.esm.js.simple | 1 + tests/javascript/clean/highlight.js.simple | 1 + tests/javascript/clean/mode-php.js.simple | 1 + .../clean/mode-php_laravel_blade.js.simple | 1 + tests/javascript/clean/php.js.simple | 1 + tests/linux/2020.bdvl/bdvl.so.simple | 1 + tests/linux/2021.XMR-Stak/1b1a56.elf.simple | 1 + .../2022.Symbiote/kerneldev.so.bkp.simple | 1 + tests/linux/2024.Gelsemium/kde.simple | 1 + .../linux/2024.Gelsemium/libselinux.so.simple | 15 +++- tests/linux/2024.Gelsemium/udevd.simple | 3 +- tests/linux/2024.Gelsemium/udevd_multi.simple | 3 +- .../eight-nebraska-autumn-illinois.simple | 1 + tests/linux/2024.chisel/crondx.simple | 1 + ...4084b7471bc5aed1c81803054f017240a72.simple | 1 + tests/linux/2024.gas/gas.simple | 1 + .../emp3r0r.agent.simple | 1 + tests/linux/2024.medusa/rkload.simple | 4 ++ tests/linux/2024.sbcl.market/sbcl.sdiff | 1 + tests/linux/clean/buildah.simple | 1 + tests/linux/clean/busybox.simple | 2 + tests/linux/clean/caddy.simple | 2 + tests/linux/clean/clickhouse.simple | 2 + tests/linux/clean/code-oss.md | 1 + tests/linux/clean/cpack.md | 1 + tests/linux/clean/kuma-cp.simple | 1 + tests/linux/clean/libc.so.6.simple | 1 + tests/linux/clean/pandoc.md | 3 +- tests/linux/clean/slack.md | 2 +- tests/linux/clean/trufflehog.md | 2 +- tests/python/clean/numba/support.py.simple | 1 + .../2024.GitHub.Clipper/main.exe.simple | 1 + 40 files changed, 152 insertions(+), 44 deletions(-) 
diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
index 9623468d..9eb1dc59 100644
--- a/pkg/action/testdata/scan_archive
+++ b/pkg/action/testdata/scan_archive
@@ -1629,7 +1629,8 @@ "Description": "Uses mktemp to create temporary files", "MatchStrings": [ "mktemp",
- "temp file"
+ "temp file",
+ "tmpfile"
 ], "RiskScore": 1, "RiskLevel": "LOW",
diff --git a/rules/anti-static/xor/xor-commands.yara b/rules/anti-static/xor/xor-commands.yara
index 3b9812aa..38666084 100644
--- a/rules/anti-static/xor/xor-commands.yara
+++ b/rules/anti-static/xor/xor-commands.yara
@@ -3,41 +3,42 @@ rule xor_commands: high { description = "commands obfuscated using xor" strings:
- $b_chmod = "chmod " xor(1-31)
- $b_curl = "curl -" xor(1-31)
- $b_bin_sh = "/bin/sh" xor(1-31)
- $b_bin_bash = "/bin/bash" xor(1-31)
- $b_openssl = "openssl" xor(1-31)
- $b_dev_null = "/dev/null" xor(1-31)
- $b_usr_bin = "/usr/bin" xor(1-31)
- $b_usr_sbin = "/usr/sbin" xor(1-31)
- $b_var_tmp = "/var/tmp" xor(1-31)
- $b_var_run = "/var/run" xor(1-31)
- $b_screen_dm = "screen -" xor(1-31)
- $b_zmodload = "zmodload" xor(1-31)
- $b_dev_tcp = "/dev/tcp" xor(1-31)
- $b_bash_i = "bash -i" xor(1-31)
- $b_bash_c = "bash -c" xor(1-31)
- $b_base64 = "base64" xor(1-31)
- $b_eval = "eval(" xor(1-31)
- $b_chmod2 = "chmod " xor(33-255)
- $b_curl2 = "curl -" xor(33-255)
- $b_bin_sh2 = "/bin/sh" xor(33-255)
- $b_bin_bash2 = "/bin/bash" xor(33-255)
- $b_openssl2 = "openssl" xor(33-255)
- $b_dev_null2 = "/dev/null" xor(33-255)
- $b_usr_bin2 = "/usr/bin" xor(33-255)
- $b_usr_sbin2 = "/usr/sbin" xor(33-255)
- $b_var_tmp2 = "/var/tmp" xor(33-255)
- $b_var_run2 = "/var/run" xor(33-255)
- $b_screen_dm2 = "screen -" xor(33-255)
- $b_zmodload2 = "zmodload" xor(33-255)
- $b_dev_tcp2 = "/dev/tcp" xor(33-255)
- $b_bash_i2 = "bash -i" xor(33-255)
- $b_bash_c2 = "bash -c" xor(33-255)
- $b_base642 = "base64" xor(33-255)
- $b_eval2 = "eval(" xor(33-255)
-
+ $b_chmod = "chmod " xor(1-31)
+ $b_curl = "curl -" xor(1-31)
+ $b_bin_sh = "/bin/sh" xor(1-31)
+ $b_bin_bash = "/bin/bash" xor(1-31)
+ $b_openssl = "openssl" xor(1-31)
+ $b_dev_null = "/dev/null" xor(1-31)
+ $b_usr_bin = "/usr/bin" xor(1-31)
+ $b_usr_sbin = "/usr/sbin" xor(1-31)
+ $b_var_tmp = "/var/tmp" xor(1-31)
+ $b_var_run = "/var/run" xor(1-31)
+ $b_screen_dm = "screen -" xor(1-31)
+ $b_zmodload = "zmodload" xor(1-31)
+ $b_dev_tcp = "/dev/tcp" xor(1-31)
+ $b_bash_i = "bash -i" xor(1-31)
+ $b_bash_c = "bash -c" xor(1-31)
+ $b_base64 = "base64" xor(1-31)
+ $b_eval = "eval(" xor(1-31)
+ $b_chmod2 = "chmod " xor(33-255)
+ $b_curl2 = "curl -"
xor(33-255)
+ $b_bin_sh2 = "/bin/sh" xor(33-255)
+ $b_bin_bash2 = "/bin/bash" xor(33-255)
+ $b_openssl2 = "openssl" xor(33-255)
+ $b_dev_null2 = "/dev/null" xor(33-255)
+ $b_usr_bin2 = "/usr/bin" xor(33-255)
+ $b_usr_sbin2 = "/usr/sbin" xor(33-255)
+ $b_var_tmp2 = "/var/tmp" xor(33-255)
+ $b_var_run2 = "/var/run" xor(33-255)
+ $b_screen_dm2 = "screen -" xor(33-255)
+ $b_zmodload2 = "zmodload" xor(33-255)
+ $b_dev_tcp2 = "/dev/tcp" xor(33-255)
+ $b_bash_i2 = "bash -i" xor(33-255)
+ $b_bash_c2 = "bash -c" xor(33-255)
+ $b_base642 = "base64" xor(33-255)
+ $b_eval2 = "eval(" xor(33-255)
+ $b_xterm = "TERM=xterm" xor(1-31)
+ $b_xterm2 = "TERM=xterm" xor(33-255)
 $not_password_list = "qwer1234" condition:
diff --git a/rules/fs/proc/pid-cmdline.yara b/rules/fs/proc/pid-cmdline.yara
index 091531d8..94369703 100644
--- a/rules/fs/proc/pid-cmdline.yara
+++ b/rules/fs/proc/pid-cmdline.yara
@@ -1,3 +1,5 @@
+import "math"
+
 rule proc_s_cmdline: high { meta: description = "access command-line of other processes"
@@ -45,3 +47,16 @@ rule proc_py_cmdline: high { condition: any of them }
+
+rule proc_cmdline_near: high {
+ meta:
+ description = "access command-line for other processes"
+
+ strings:
+ $proc = "/proc" fullword
+ $fmt = "cmdline" fullword
+ $fmt_d = "%d" fullword
+
+ condition:
+ all of them and math.abs(@proc - @fmt) < 64 and math.abs(@fmt - @fmt_d) < 64
+}
diff --git a/rules/fs/proc/pid-fd.yara b/rules/fs/proc/pid-fd.yara
index 2509a50c..0e5a2751 100644
--- a/rules/fs/proc/pid-fd.yara
+++ b/rules/fs/proc/pid-fd.yara
@@ -27,3 +27,15 @@ rule proc_fd_high: medium { condition: $ref and none of ($not*) }
+
+rule inspects_opened_sockets: high {
+ meta:
+ description = "inspects open file descriptors, looking for sockets"
+
+ strings:
+ $ref = "socket:[" fullword
+ $ref2 = /\/proc\/[%{$][\w\}]{0,12}\/fd/
+
+ condition:
+ all of them
+}
diff --git a/rules/fs/proc/pid-status.yara b/rules/fs/proc/pid-status.yara
index 1900d3a4..6f84d427 100644
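Review bot: Almost the whole hunk is a re-indentation of the 34 existing `$b_*` strings; the only semantic change is the two new `$b_xterm` strings and the removed blank line, which is easy to miss in the noise. Whitespace-only churn is better kept in its own commit so the rule change can be reviewed on its own. The rule's `condition:` continues past the end of the hunk, so how `$not_password_list` is applied to the new strings cannot be checked here.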
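Review bot: In `proc_cmdline_near` the condition `math.abs(@proc - @fmt) < 64 and math.abs(@fmt - @fmt_d) < 64` compares only the first occurrence of each string (`@x` is shorthand for `@x[1]`), so a binary with several `/proc` or `%d` strings is judged by whichever happens to appear first, and a genuine adjacency later in the file is missed; `proc_status_near` in rules/fs/proc/pid-status.yara, in this same patch, has the same shape. Looping over occurrences expresses the intent: `for any i in (1..#proc) : (for any j in (1..#fmt) : (math.abs(@proc[i] - @fmt[j]) < 64))`, with the `%d` test nested the same way. The `description` `"access command-line for other processes"` is near-identical to `proc_s_cmdline`'s; something like `"/proc, cmdline and %d referenced within 64 bytes of each other"` would say what this rule adds.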
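Review bot: The rule identifier `inspects_opened_sockets` added here already exists in rules/os/fd/socket.yara, which patch 01 of this series created with the same two strings, and this patch's diffstat does not remove that file. YARA rejects duplicate rule identifiers compiled into one namespace, so unless the project compiles each file into its own namespace this is a compile error; if it does, the same finding is reported twice, at `medium` and at `high`. The libselinux.so.simple fixture later in this patch still lists `os/fd/socket: medium` and drops `fs/proc/pid_fd`, which may mean the new copy is not taking effect — confirm, then keep one copy, presumably this one, and delete rules/os/fd/socket.yara along with its fixture line.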
--- a/rules/fs/proc/pid-status.yara
+++ b/rules/fs/proc/pid-status.yara
@@ -1,3 +1,5 @@
+import "math"
+
 rule proc_status: medium { meta: description = "access status fields for other processes"
@@ -10,3 +12,15 @@ rule proc_status: medium { condition: any of them }
+
+rule proc_status_near: medium {
+ meta:
+ description = "access status fields for other processes"
+
+ strings:
+ $proc = "/proc" fullword
+ $fmt = /%[sd]\/status/ fullword
+
+ condition:
+ all of them and math.abs(@proc - @fmt) < 128
+}
diff --git a/rules/malware/family/beurk.yara b/rules/malware/family/beurk.yara
index 9f64f326..815a2d84 100644
--- a/rules/malware/family/beurk.yara
+++ b/rules/malware/family/beurk.yara
@@ -3,7 +3,7 @@ rule beurk: critical linux { description = "BEURK userland process hider" filetypes = "elf,so"
- ref = "hhttps://github.com/unix-thrust/beurk"
+ ref = "https://github.com/unix-thrust/beurk"
 strings: $ = "dlsym" fullword
@@ -15,3 +15,20 @@ rule beurk: critical linux { filesize < 2MB and 3 of them }
+rule beurk_xor: critical linux {
+ meta:
+ description = "BEURK userland process hider (xor)"
+
+ filetypes = "elf,so"
+ ref = "https://github.com/unix-thrust/beurk"
+
+ strings:
+ $ = "BEURK" xor(1-31) fullword
+ $ = "BEURK" xor(33-255) fullword
+ $ = "b3urkR0cks" xor(1-31)
+ $ = "b3urkR0cks" xor(33-255)
+
+ condition:
+ filesize < 2MB and any of them
+}
+
diff --git a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
index 925d238c..85e21306 100644
--- a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
+++ b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
@@ -68,6 +68,7 @@ fs/permission/modify: medium fs/symlink_resolve: low fs/tempdir: low fs/tempdir/TEMP: low
+fs/tempdir/tempfile_create: low
 fs/watch: low impact/remote_access/agent: medium impact/remote_access/crypto_geoip_exec: medium
diff --git a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple index be5224c4..8193c983 100644 --- a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple +++ b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple @@ -69,6 +69,7 @@ fs/permission/modify: medium fs/symlink_resolve: low fs/tempdir: low fs/tempdir/TEMP: low +fs/tempdir/tempfile_create: low fs/watch: low impact/remote_access/agent: medium impact/remote_access/crypto_geoip_exec: medium diff --git a/tests/javascript/clean/highlight.esm.js.simple b/tests/javascript/clean/highlight.esm.js.simple index dc90cc03..f624d8d5 100644 --- a/tests/javascript/clean/highlight.esm.js.simple +++ b/tests/javascript/clean/highlight.esm.js.simple @@ -58,6 +58,7 @@ fs/path/usr_bin: low fs/permission/modify: medium fs/symlink_resolve: low fs/tempdir/TEMP: low +fs/tempdir/tempfile_create: low hw/wireless: low impact/remote_access/agent: medium lateral/scan/tool: medium diff --git a/tests/javascript/clean/highlight.js.simple b/tests/javascript/clean/highlight.js.simple index a4fa1037..65bbee71 100644 --- a/tests/javascript/clean/highlight.js.simple +++ b/tests/javascript/clean/highlight.js.simple @@ -58,6 +58,7 @@ fs/path/usr_bin: low fs/permission/modify: medium fs/symlink_resolve: low fs/tempdir/TEMP: low +fs/tempdir/tempfile_create: low hw/wireless: low impact/remote_access/agent: medium lateral/scan/tool: medium diff --git a/tests/javascript/clean/mode-php.js.simple b/tests/javascript/clean/mode-php.js.simple index 4910391d..3a71cf28 100644 --- a/tests/javascript/clean/mode-php.js.simple +++ b/tests/javascript/clean/mode-php.js.simple @@ -45,6 +45,7 @@ fs/path/etc: low fs/permission/modify: medium fs/symlink_resolve: low fs/tempdir/TEMP: low +fs/tempdir/tempfile_create: low fs/watch: low impact/remote_access/agent: medium net/download/fetch: medium 
diff --git a/tests/javascript/clean/mode-php_laravel_blade.js.simple b/tests/javascript/clean/mode-php_laravel_blade.js.simple index 8f03155a..4a8a3f50 100644 --- a/tests/javascript/clean/mode-php_laravel_blade.js.simple +++ b/tests/javascript/clean/mode-php_laravel_blade.js.simple @@ -45,6 +45,7 @@ fs/path/etc: low fs/permission/modify: medium fs/symlink_resolve: low fs/tempdir/TEMP: low +fs/tempdir/tempfile_create: low fs/watch: low impact/remote_access/agent: medium net/download/fetch: medium diff --git a/tests/javascript/clean/php.js.simple b/tests/javascript/clean/php.js.simple index e5d0721d..35f42224 100644 --- a/tests/javascript/clean/php.js.simple +++ b/tests/javascript/clean/php.js.simple @@ -44,6 +44,7 @@ fs/path/etc: low fs/permission/modify: medium fs/symlink_resolve: low fs/tempdir/TEMP: low +fs/tempdir/tempfile_create: low fs/watch: low impact/remote_access/agent: medium net/http/cookies: medium diff --git a/tests/linux/2020.bdvl/bdvl.so.simple b/tests/linux/2020.bdvl/bdvl.so.simple index b9ee69f3..99966f4d 100644 --- a/tests/linux/2020.bdvl/bdvl.so.simple +++ b/tests/linux/2020.bdvl/bdvl.so.simple @@ -39,6 +39,7 @@ fs/path/usr_sbin: low fs/permission/modify: medium fs/proc/arbitrary_pid: medium fs/proc/pid_cmdline: high +fs/tempdir/tempfile_create: low impact/degrade/sshd: high impact/remote_access/backdoor: high impact/remote_access/net_exec: medium diff --git a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple index c0f171b6..a45f6517 100644 --- a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple +++ b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple @@ -59,6 +59,7 @@ fs/proc/nvidia_gpu: medium fs/proc/self_cgroup: medium fs/proc/self_exe: medium fs/tempdir/TEMP: low +fs/tempdir/tempfile_create: low hw/cpu: medium impact/cryptojacking/cryptonight: high impact/cryptojacking/generic: high 
diff --git a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple index 8a92d32e..6409eba3 100644 --- a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple +++ b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple @@ -19,6 +19,7 @@ fs/proc/arbitrary_pid: medium fs/proc/pid_status: medium fs/proc/self_cmdline: medium fs/proc/self_exe: medium +fs/tempdir/tempfile_create: low net/dns/servers: low net/ip/byte_order: medium net/ip/parse: medium diff --git a/tests/linux/2024.Gelsemium/kde.simple b/tests/linux/2024.Gelsemium/kde.simple index ca129dd7..569ea4c3 100644 --- a/tests/linux/2024.Gelsemium/kde.simple +++ b/tests/linux/2024.Gelsemium/kde.simple @@ -16,6 +16,7 @@ fs/link_read: low fs/path/etc: low fs/path/usr_bin: low fs/proc/self_exe: medium +malware/family/gelsemium: critical persist/shell/bash: medium privesc/setuid: low process/groupid_set: low diff --git a/tests/linux/2024.Gelsemium/libselinux.so.simple b/tests/linux/2024.Gelsemium/libselinux.so.simple index 4e44be17..72ec5c15 100644 --- a/tests/linux/2024.Gelsemium/libselinux.so.simple +++ b/tests/linux/2024.Gelsemium/libselinux.so.simple @@ -1,5 +1,10 @@ -# linux/2024.Gelsemium/libselinux.so: high +# linux/2024.Gelsemium/libselinux.so: critical +anti-static/obfuscation/hidden_literals: medium anti-static/xor/commands: high +anti-static/xor/paths: high +anti-static/xor/terms: high +evasion/logging/hide_shell_history: high +evasion/rootkit/userspace: high exec/dylib/symbol_address: medium exec/program: medium exec/tty/open: medium @@ -7,5 +12,11 @@ fs/directory/remove: low fs/file/delete: low fs/link_read: low fs/proc/arbitrary_pid: medium -fs/proc/pid_fd: medium +fs/proc/pid_cmdline: high +fs/proc/pid_stat: medium +fs/tempdir/tempfile_create: low +malware/family/beurk: critical +malware/family/gelsemium: critical os/fd/multiplex: low +os/fd/print: low +os/fd/socket: medium 
diff --git a/tests/linux/2024.Gelsemium/udevd.simple b/tests/linux/2024.Gelsemium/udevd.simple index 5e6505fc..f27c77f7 100644 --- a/tests/linux/2024.Gelsemium/udevd.simple +++ b/tests/linux/2024.Gelsemium/udevd.simple @@ -1,4 +1,4 @@ -# linux/2024.Gelsemium/udevd: high +# linux/2024.Gelsemium/udevd: critical c2/addr/ip: medium c2/addr/url: low c2/client: medium @@ -47,6 +47,7 @@ fs/proc/self_exe: medium impact/remote_access/heartbeat: medium impact/remote_access/reverse_shell: medium lateral/scan/tool: medium +malware/family/gelsemium: critical net/dns/txt: low net/http/post: medium net/http/request: low diff --git a/tests/linux/2024.Gelsemium/udevd_multi.simple b/tests/linux/2024.Gelsemium/udevd_multi.simple index 560c05b5..e027a150 100644 --- a/tests/linux/2024.Gelsemium/udevd_multi.simple +++ b/tests/linux/2024.Gelsemium/udevd_multi.simple @@ -1,4 +1,4 @@ -# linux/2024.Gelsemium/udevd_multi: high +# linux/2024.Gelsemium/udevd_multi: critical c2/addr/ip: medium c2/addr/url: low c2/client: medium @@ -47,6 +47,7 @@ fs/proc/self_exe: medium impact/remote_access/heartbeat: medium impact/remote_access/reverse_shell: medium lateral/scan/tool: medium +malware/family/gelsemium: critical net/dns/txt: low net/http/post: medium net/http/request: low diff --git a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple index b0750609..dd10c696 100644 --- a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple +++ b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple @@ -57,6 +57,7 @@ fs/permission/chown: medium fs/permission/get: low fs/permission/modify: medium fs/proc/stat: medium +fs/tempdir/tempfile_create: low impact/exploit/cve_list: medium impact/remote_access/kill_rm: medium impact/remote_access/reverse_shell: high diff --git a/tests/linux/2024.chisel/crondx.simple b/tests/linux/2024.chisel/crondx.simple index 0eb6c6af..1b6c1865 100644 --- a/tests/linux/2024.chisel/crondx.simple 
+++ b/tests/linux/2024.chisel/crondx.simple @@ -33,6 +33,7 @@ fs/path/etc_hosts: medium fs/path/etc_resolv.conf: low fs/permission/chown: medium fs/permission/modify: medium +fs/tempdir/tempfile_create: low net/dns: low net/dns/servers: low net/dns/txt: low diff --git a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple index 99a4b386..93844086 100644 --- a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple +++ b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple @@ -47,6 +47,7 @@ fs/path/tmp: medium fs/path/usr_bin: low fs/permission/chown: medium fs/permission/modify: medium +fs/tempdir/tempfile_create: low impact/cryptojacking/nicehash_pool: high impact/cryptojacking/xmrig: high net/dns: low diff --git a/tests/linux/2024.gas/gas.simple b/tests/linux/2024.gas/gas.simple index 06af4a85..a89056fc 100644 --- a/tests/linux/2024.gas/gas.simple +++ b/tests/linux/2024.gas/gas.simple @@ -32,6 +32,7 @@ hw/cpu: medium impact/remote_access/dl_iterate: high net/socket/send: low net/url/embedded: low +os/fd/print: low process/create: low process/executable_path: low process/name_set: medium diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple index bd27bda1..b042c971 100644 --- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple +++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple @@ -104,6 +104,7 @@ fs/proc/arbitrary_pid: medium fs/proc/cpuinfo: medium fs/symlink_resolve: low fs/tempdir/TEMP: low +fs/tempdir/tempfile_create: low hw/cpu: medium impact/exploit: high impact/exploit/GCONV_PATH: high diff --git a/tests/linux/2024.medusa/rkload.simple b/tests/linux/2024.medusa/rkload.simple index 11913121..914d5b1f 100644 
--- a/tests/linux/2024.medusa/rkload.simple +++ b/tests/linux/2024.medusa/rkload.simple @@ -3,6 +3,7 @@ anti-behavior/LD_DEBUG: medium anti-behavior/LD_PROFILE: medium anti-static/xor/commands: high +anti-static/xor/paths: high c2/addr/url: low c2/tool_transfer/arch: low credential/ssh/d: medium @@ -18,6 +19,7 @@ evasion/file/prefix/dev: high evasion/file/prefix/lib: high evasion/hijack_execution/LD_LIBRARY_PATH: low evasion/hijack_execution/etc_ld.so.preload: medium +evasion/logging/hide_shell_history: high evasion/rootkit/userspace: critical exec/conditional/LANG: low exec/dylib/address_check: low @@ -42,11 +44,13 @@ fs/proc/self_exe: medium fs/proc/stat: medium fs/tempdir: low fs/tempdir/TMPDIR: low +fs/tempdir/tempfile_create: low hw/cpu: medium malware/family/medusa: critical net/socket/local_addr: low net/socket/send: low net/url/embedded: low +os/fd/print: low privesc/setuid: low process/create: low process/executable_path: low diff --git a/tests/linux/2024.sbcl.market/sbcl.sdiff b/tests/linux/2024.sbcl.market/sbcl.sdiff index 0d81f209..fb3cc46a 100644 --- a/tests/linux/2024.sbcl.market/sbcl.sdiff +++ b/tests/linux/2024.sbcl.market/sbcl.sdiff @@ -8,6 +8,7 @@ data/compression/zstd discover/user/HOME discover/user/USER evasion/file/location/var_tmp +-evasion/rootkit/userspace exec/dylib/address_check exec/dylib/symbol_address exec/program diff --git a/tests/linux/clean/buildah.simple b/tests/linux/clean/buildah.simple index e44848f4..97feee5e 100644 --- a/tests/linux/clean/buildah.simple +++ b/tests/linux/clean/buildah.simple @@ -101,6 +101,7 @@ fs/tempdir: low fs/tempdir/TEMP: low fs/tempdir/TMPDIR: low fs/tempdir/create: low +fs/tempdir/tempfile_create: low fs/unmount: low fs/watch: low hw/dev/block_ice: medium diff --git a/tests/linux/clean/busybox.simple b/tests/linux/clean/busybox.simple index 72194d8f..0ccd915a 100644 --- a/tests/linux/clean/busybox.simple +++ b/tests/linux/clean/busybox.simple 
@@ -86,6 +86,8 @@ net/socket/receive: low net/socket/send: low net/tun_tap: medium net/url/embedded: low +os/fd/print: low +os/fd/socket: medium os/time/clock_set: low persist/daemon: medium privesc/setuid: low diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple index 5f880ac2..e1ccbb89 100644 --- a/tests/linux/clean/caddy.simple +++ b/tests/linux/clean/caddy.simple @@ -92,6 +92,7 @@ fs/path/windows_root: low fs/permission/chown: medium fs/permission/modify: medium fs/proc/arbitrary_pid: medium +fs/proc/pid_stat: medium fs/proc/pid_statistics: low fs/proc/self_cgroup: medium fs/proc/self_exe: medium @@ -101,6 +102,7 @@ fs/symlink_resolve: low fs/tempdir: low fs/tempdir/TEMP: low fs/tempdir/TMPDIR: low +fs/tempdir/tempfile_create: low fs/watch: low hw/wireless: low net/dns: low diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple index 90c7512a..6ac02d6c 100644 --- a/tests/linux/clean/clickhouse.simple +++ b/tests/linux/clean/clickhouse.simple @@ -135,6 +135,7 @@ fs/tempdir: low fs/tempdir/TEMP: low fs/tempdir/TMPDIR: low fs/tempdir/create: low +fs/tempdir/tempfile_create: low fs/watch: low hw/cpu: medium hw/dev/block_ice: medium @@ -183,6 +184,7 @@ net/url/embedded: medium net/url/encode: medium net/url/parse: low os/fd/epoll: low +os/fd/print: low os/fd/read: low os/fd/sendfile: low os/kernel/netlink: low diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md index 9cc90de1..4d7dc97c 100644 --- a/tests/linux/clean/code-oss.md +++ b/tests/linux/clean/code-oss.md @@ -151,6 +151,7 @@ | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | +| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [tmpfile](https://github.com/search?q=tmpfile&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) | | LOW | [impact/ui/screen_capture](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ui/screen-capture.yara#macos_screen_capture) | macos screen capture | [captureScreen](https://github.com/search?q=captureScreen&type=code) | diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md index c14166b9..bcb14fb8 100644 --- a/tests/linux/clean/cpack.md +++ b/tests/linux/clean/cpack.md 
@@ -30,6 +30,7 @@ | MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/stat](https://github.com/search?q=%2Fproc%2F%25d%2Fstat&type=code) | | MEDIUM | [fs/proc/cpuinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/cpuinfo.yara#proc_cpuinfo) | get CPU info | [/proc/cpuinfo](https://github.com/search?q=%2Fproc%2Fcpuinfo&type=code) | | MEDIUM | [fs/proc/meminfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/meminfo.yara#proc_meminfo_val) | get memory info | [/proc/meminfo](https://github.com/search?q=%2Fproc%2Fmeminfo&type=code) | +| MEDIUM | [fs/proc/pid_stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-stat.yara#proc_stat) | access status fields for other processes | [/proc/%d/stat](https://github.com/search?q=%2Fproc%2F%25d%2Fstat&type=code) | | MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | | MEDIUM | [impact/remote_access/crypto_listen_socks](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/crypto_listen_socks.yara#socks_crypto_listener) | listens, uses SOCKS5, and cryptography | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | | MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[Port](https://github.com/search?q=Port&type=code)
[Target](https://github.com/search?q=Target&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple index 869a2576..b9481668 100644 --- a/tests/linux/clean/kuma-cp.simple +++ b/tests/linux/clean/kuma-cp.simple @@ -85,6 +85,7 @@ fs/permission/modify: medium fs/quota_manipulate: low fs/swap/on: low fs/tempdir/TEMP: low +fs/tempdir/tempfile_create: low fs/unmount: low fs/watch: low hw/dev/block_ice: medium diff --git a/tests/linux/clean/libc.so.6.simple b/tests/linux/clean/libc.so.6.simple index 2b61c6d9..257247a2 100644 --- a/tests/linux/clean/libc.so.6.simple +++ b/tests/linux/clean/libc.so.6.simple @@ -98,6 +98,7 @@ net/socket/receive: low net/socket/send: low net/url/embedded: low os/fd/epoll: low +os/fd/print: low os/fd/sendfile: low os/kernel/netlink: low os/time/clock_set: low diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md index 838a1101..0ae75aee 100644 --- a/tests/linux/clean/pandoc.md +++ b/tests/linux/clean/pandoc.md @@ -58,6 +58,7 @@ | MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type: text/x](https://github.com/search?q=Content-Type%3A+text%2Fx&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | | MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [QWebSocketCorsAuthenticator](https://github.com/search?q=QWebSocketCorsAuthenticator&type=code)
[QWebSocketHandshakeOptions](https://github.com/search?q=QWebSocketHandshakeOptions&type=code)
[QWebSocketServer](https://github.com/search?q=QWebSocketServer&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code) | +| MEDIUM | [net/ip/byte_order](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-byte-order.yara#htonl) | convert values between host and network byte order | [htonl](https://github.com/search?q=htonl&type=code)
[htons](https://github.com/search?q=htons&type=code)
[ntohs](https://github.com/search?q=ntohs&type=code) | | MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#hostname_port) | connects to an arbitrary hostname:port | [hostname](https://github.com/search?q=hostname&type=code)
[port](https://github.com/search?q=port&type=code) | | MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping frame](https://github.com/search?q=ping+frame&type=code) | | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | @@ -140,7 +141,7 @@ | LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [mktemp](https://github.com/search?q=mktemp&type=code) | +| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [mktemp](https://github.com/search?q=mktemp&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | | LOW | [fs/unmount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/unmount.yara#umount) | unmount file system | [umount](https://github.com/search?q=umount&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [hw/iokit_registry](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/iokit-registry.yara#IORegistry) | access IOKit device driver registry | [IORegistry](https://github.com/search?q=IORegistry&type=code) | diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md index 46d75cfe..9665620e 100644 --- a/tests/linux/clean/slack.md +++ b/tests/linux/clean/slack.md @@ -153,7 +153,7 @@ | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | -| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | +| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code)
[bssid](https://github.com/search?q=bssid&type=code) | | LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [require('dns')](https://github.com/search?q=require%28%27dns%27%29&type=code) | diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md index 01427a4e..3a09b936 100644 --- a/tests/linux/clean/trufflehog.md +++ b/tests/linux/clean/trufflehog.md @@ -155,7 +155,7 @@ | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [temp dir](https://github.com/search?q=temp+dir&type=code) | -| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [createTempFile](https://github.com/search?q=createTempFile&type=code)
[temp file](https://github.com/search?q=temp+file&type=code) | +| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [createTempFile](https://github.com/search?q=createTempFile&type=code)
[temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) | | LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code)
[SetEDNS0](https://github.com/search?q=SetEDNS0&type=code)
[dnsmessage](https://github.com/search?q=dnsmessage&type=code) | diff --git a/tests/python/clean/numba/support.py.simple b/tests/python/clean/numba/support.py.simple index f718a556..3a8cc8d2 100644 --- a/tests/python/clean/numba/support.py.simple +++ b/tests/python/clean/numba/support.py.simple @@ -15,6 +15,7 @@ fs/file/write: low fs/tempdir: low fs/tempdir/TEMP: low fs/tempdir/create: low +fs/tempdir/tempfile_create: low net/url/embedded: low os/fd/read: low os/fd/write: low diff --git a/tests/windows/2024.GitHub.Clipper/main.exe.simple b/tests/windows/2024.GitHub.Clipper/main.exe.simple index 2f3363cb..94a0393c 100644 --- a/tests/windows/2024.GitHub.Clipper/main.exe.simple +++ b/tests/windows/2024.GitHub.Clipper/main.exe.simple @@ -70,6 +70,7 @@ fs/permission/chown: medium fs/permission/modify: medium fs/tempdir: low fs/tempdir/TEMP: low +fs/tempdir/tempfile_create: low hw/disk_info: medium impact/degrade/win_defender: high lateral/scan/tool: medium From 1587afb5a3883ffa57fc5c401f45cff8e8207621 Mon Sep 17 00:00:00 2001 
From: Thomas Stromberg Date: Thu, 12 Dec 2024 20:56:22 -0500 Subject: [PATCH 03/10] Finish libselinux.so analysis --- pkg/action/testdata/scan_archive | 6 +++--- rules/anti-static/xor/xor-commands.yara | 10 ---------- rules/fs/tempdir/tempfile-create.yara | 14 -------------- ...A50D54796BB27126E03A7E25DD5D589.cache.js.simple | 2 +- ...D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple | 2 +- tests/javascript/clean/highlight.esm.js.simple | 2 +- tests/javascript/clean/highlight.js.simple | 2 +- tests/javascript/clean/mode-php.js.simple | 2 +- .../clean/mode-php_laravel_blade.js.simple | 2 +- tests/javascript/clean/php.js.simple | 2 +- tests/linux/2020.bdvl/bdvl.so.simple | 2 +- tests/linux/2021.FontOnLake/45E9.elf.simple | 2 +- tests/linux/2021.XMR-Stak/1b1a56.elf.simple | 2 +- tests/linux/2022.Symbiote/kerneldev.so.bkp.simple | 2 +- tests/linux/2023.Kinsing/install.sh.simple | 2 +- tests/linux/2024.Gelsemium/libselinux.so.simple | 2 +- .../eight-nebraska-autumn-illinois.simple | 2 +- tests/linux/2024.chisel/crondx.simple | 2 +- ...6644f4084b7471bc5aed1c81803054f017240a72.simple | 2 +- .../2024.kworker_pretenders/emp3r0r.agent.simple | 2 +- tests/linux/2024.medusa/rkload.simple | 3 +-- tests/linux/clean/buildah.simple | 2 +- tests/linux/clean/busybox.simple | 2 +- tests/linux/clean/caddy.simple | 2 +- tests/linux/clean/chezmoi.simple | 2 +- tests/linux/clean/chrome.simple | 2 +- tests/linux/clean/clickhouse.simple | 2 +- tests/linux/clean/code-oss.md | 2 +- tests/linux/clean/containerd.simple | 2 +- tests/linux/clean/cpack.md | 2 +- tests/linux/clean/kuma-cp.simple | 2 +- tests/linux/clean/libc.so.6.simple | 2 +- tests/linux/clean/libgcj.so.17.0.0.simple | 2 +- tests/linux/clean/libgcj.so.17.simple | 2 +- tests/linux/clean/melange.simple | 2 +- tests/linux/clean/mongosh.simple | 2 +- tests/linux/clean/nvim.simple | 2 +- tests/linux/clean/opa.simple | 2 +- tests/linux/clean/pandoc.md | 2 +- tests/linux/clean/pulumi.simple | 2 +- tests/linux/clean/redis-server.aarch64.md 
| 2 +- tests/linux/clean/slack.md | 2 +- tests/linux/clean/sudo.simple | 2 +- tests/linux/clean/tree-sitter.md | 2 +- tests/linux/clean/trivy.simple | 2 +- tests/linux/clean/trufflehog.md | 2 +- tests/linux/clean/wolfictl.simple | 2 +- tests/macOS/2024.Previewers/Previewers.simple | 2 +- tests/npm/2024.distube-fast/postinstall.js.simple | 2 +- tests/php/clean/composer-2.7.7.simple | 2 +- tests/python/clean/numba/support.py.simple | 2 +- tests/windows/2024.GitHub.Clipper/main.exe.simple | 2 +- 52 files changed, 52 insertions(+), 77 deletions(-) delete mode 100644 rules/fs/tempdir/tempfile-create.yara
diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
index 9eb1dc59..45e3bfcf 100644
--- a/pkg/action/testdata/scan_archive
+++ b/pkg/action/testdata/scan_archive
@@ -1626,7 +1626,7 @@
 "RuleName": "temp"
 },
 {
- "Description": "Uses mktemp to create temporary files",
+ "Description": "creates temporary files",
 "MatchStrings": [
 "mktemp",
 "temp file",
@@ -1634,8 +1634,8 @@
 ],
 "RiskScore": 1,
 "RiskLevel": "LOW",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp",
- "ID": "fs/tempdir/tempfile_create",
+ "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp",
+ "ID": "fs/tempfile",
 "RuleName": "mktemp"
 },
 {
diff --git a/rules/anti-static/xor/xor-commands.yara b/rules/anti-static/xor/xor-commands.yara
index 38666084..b7b48296 100644
--- a/rules/anti-static/xor/xor-commands.yara
+++ b/rules/anti-static/xor/xor-commands.yara
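Review bot: The updated expectation points at `rules/fs/tempfile.yara#mktemp` with ID `fs/tempfile`, but this commit's file list only deletes `rules/fs/tempdir/tempfile-create.yara` and shows no `create mode` for a `rules/fs/tempfile.yara`; unless that rule already exists upstream or is added by another patch in the series, this fixture and every `.simple` file that follows will expect a rule that is not shipped. The deleted rule also carried the `ioutil/tempfile` and `createTempFile` strings, and nothing visible here confirms the replacement keeps them. A sentence in the commit message naming where `fs/tempfile` is defined would resolve both questions.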
@@ -8,11 +8,6 @@ rule xor_commands: high {
 $b_bin_sh = "/bin/sh" xor(1-31)
 $b_bin_bash = "/bin/bash" xor(1-31)
 $b_openssl = "openssl" xor(1-31)
- $b_dev_null = "/dev/null" xor(1-31)
- $b_usr_bin = "/usr/bin" xor(1-31)
- $b_usr_sbin = "/usr/sbin" xor(1-31)
- $b_var_tmp = "/var/tmp" xor(1-31)
- $b_var_run = "/var/run" xor(1-31)
 $b_screen_dm = "screen -" xor(1-31)
 $b_zmodload = "zmodload" xor(1-31)
 $b_dev_tcp = "/dev/tcp" xor(1-31)
@@ -25,11 +20,6 @@ rule xor_commands: high {
 $b_bin_sh2 = "/bin/sh" xor(33-255)
 $b_bin_bash2 = "/bin/bash" xor(33-255)
 $b_openssl2 = "openssl" xor(33-255)
- $b_dev_null2 = "/dev/null" xor(33-255)
- $b_usr_bin2 = "/usr/bin" xor(33-255)
- $b_usr_sbin2 = "/usr/sbin" xor(33-255)
- $b_var_tmp2 = "/var/tmp" xor(33-255)
- $b_var_run2 = "/var/run" xor(33-255)
 $b_screen_dm2 = "screen -" xor(33-255)
 $b_zmodload2 = "zmodload" xor(33-255)
 $b_dev_tcp2 = "/dev/tcp" xor(33-255)
diff --git a/rules/fs/tempdir/tempfile-create.yara b/rules/fs/tempdir/tempfile-create.yara
deleted file mode 100644
index 8b82e158..00000000
--- a/rules/fs/tempdir/tempfile-create.yara
+++ /dev/null
@@ -1,14 +0,0 @@
-rule mktemp {
- meta:
- description = "Uses mktemp to create temporary files"
-
- strings:
- $ref = "mktemp" fullword
- $ref2 = "temp file"
- $ref3 = "ioutil/tempfile"
- $ref4 = "tmpfile"
- $ref5 = "createTempFile"
-
- condition:
- any of them
-}
diff --git a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
index 85e21306..ddc3f153 100644
--- a/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
+++ b/tests/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
@@ -68,7 +68,7 @@ fs/permission/modify: medium
 fs/symlink_resolve: low
 fs/tempdir: low
 fs/tempdir/TEMP: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/watch: low
 impact/remote_access/agent: medium
 impact/remote_access/crypto_geoip_exec: medium
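Review bot: The five path literals are dropped from both string sets of `xor_commands` without anything in the rule recording why, and the rkload fixture later in this same patch loses its `anti-static/xor/commands: high` line as a direct result, so the change trades a hit on a known rootkit sample for whatever false positive motivated it. A comment next to the remaining strings, such as `// system path literals (/dev/null, /usr/bin, /var/tmp, ...) are deliberately not listed here; see anti-static/xor/paths`, would keep a later tuning pass from re-adding them. The rkload fixture still reports `anti-static/xor/paths: high`, which suggests those paths remain covered by that rule, though its contents are not in this diff. The `rule xor_commands` header, its `meta` block and its condition lie outside both hunks.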
diff --git a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple
index 8193c983..06abf662 100644
--- a/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple
+++ b/tests/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple
@@ -69,7 +69,7 @@ fs/permission/modify: medium
 fs/symlink_resolve: low
 fs/tempdir: low
 fs/tempdir/TEMP: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/watch: low
 impact/remote_access/agent: medium
 impact/remote_access/crypto_geoip_exec: medium
diff --git a/tests/javascript/clean/highlight.esm.js.simple b/tests/javascript/clean/highlight.esm.js.simple
index f624d8d5..a638c290 100644
--- a/tests/javascript/clean/highlight.esm.js.simple
+++ b/tests/javascript/clean/highlight.esm.js.simple
@@ -58,7 +58,7 @@ fs/path/usr_bin: low
 fs/permission/modify: medium
 fs/symlink_resolve: low
 fs/tempdir/TEMP: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 hw/wireless: low
 impact/remote_access/agent: medium
 lateral/scan/tool: medium
diff --git a/tests/javascript/clean/highlight.js.simple b/tests/javascript/clean/highlight.js.simple
index 65bbee71..208dc6da 100644
--- a/tests/javascript/clean/highlight.js.simple
+++ b/tests/javascript/clean/highlight.js.simple
@@ -58,7 +58,7 @@ fs/path/usr_bin: low
 fs/permission/modify: medium
 fs/symlink_resolve: low
 fs/tempdir/TEMP: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 hw/wireless: low
 impact/remote_access/agent: medium
 lateral/scan/tool: medium
diff --git a/tests/javascript/clean/mode-php.js.simple b/tests/javascript/clean/mode-php.js.simple
index 3a71cf28..6fe24e92 100644
--- a/tests/javascript/clean/mode-php.js.simple
+++ b/tests/javascript/clean/mode-php.js.simple
@@ -45,7 +45,7 @@ fs/path/etc: low
 fs/permission/modify: medium
 fs/symlink_resolve: low
 fs/tempdir/TEMP: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/watch: low
 impact/remote_access/agent: medium
 net/download/fetch: medium
diff --git a/tests/javascript/clean/mode-php_laravel_blade.js.simple b/tests/javascript/clean/mode-php_laravel_blade.js.simple
index 4a8a3f50..8e9ebdff 100644
--- a/tests/javascript/clean/mode-php_laravel_blade.js.simple
+++ b/tests/javascript/clean/mode-php_laravel_blade.js.simple
@@ -45,7 +45,7 @@ fs/path/etc: low
 fs/permission/modify: medium
 fs/symlink_resolve: low
 fs/tempdir/TEMP: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/watch: low
 impact/remote_access/agent: medium
 net/download/fetch: medium
diff --git a/tests/javascript/clean/php.js.simple b/tests/javascript/clean/php.js.simple
index 35f42224..6d65f938 100644
--- a/tests/javascript/clean/php.js.simple
+++ b/tests/javascript/clean/php.js.simple
@@ -44,7 +44,7 @@ fs/path/etc: low
 fs/permission/modify: medium
 fs/symlink_resolve: low
 fs/tempdir/TEMP: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/watch: low
 impact/remote_access/agent: medium
 net/http/cookies: medium
diff --git a/tests/linux/2020.bdvl/bdvl.so.simple b/tests/linux/2020.bdvl/bdvl.so.simple
index 99966f4d..eddab67c 100644
--- a/tests/linux/2020.bdvl/bdvl.so.simple
+++ b/tests/linux/2020.bdvl/bdvl.so.simple
@@ -39,7 +39,7 @@ fs/path/usr_sbin: low
 fs/permission/modify: medium
 fs/proc/arbitrary_pid: medium
 fs/proc/pid_cmdline: high
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 impact/degrade/sshd: high
 impact/remote_access/backdoor: high
 impact/remote_access/net_exec: medium
diff --git a/tests/linux/2021.FontOnLake/45E9.elf.simple b/tests/linux/2021.FontOnLake/45E9.elf.simple
index b5af98f3..87fe4524 100644
--- a/tests/linux/2021.FontOnLake/45E9.elf.simple
+++ b/tests/linux/2021.FontOnLake/45E9.elf.simple
@@ -66,7 +66,7 @@ fs/proc/pid_fd: medium
 fs/proc/self_exe: medium
 fs/symlink_resolve: low
 fs/tempdir/create: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 impact/remote_access/agent: medium
 impact/remote_access/backdoor: high
 impact/remote_access/reverse_shell: medium
diff --git a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
index a45f6517..2cbf045b 100644
--- a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
+++ b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
@@ -59,7 +59,7 @@ fs/proc/nvidia_gpu: medium
 fs/proc/self_cgroup: medium
 fs/proc/self_exe: medium
 fs/tempdir/TEMP: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 hw/cpu: medium
 impact/cryptojacking/cryptonight: high
 impact/cryptojacking/generic: high
diff --git a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple
index 6409eba3..97fb0e7b 100644
--- a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple
+++ b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple
@@ -19,7 +19,7 @@ fs/proc/arbitrary_pid: medium
 fs/proc/pid_status: medium
 fs/proc/self_cmdline: medium
 fs/proc/self_exe: medium
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 net/dns/servers: low
 net/ip/byte_order: medium
 net/ip/parse: medium
diff --git a/tests/linux/2023.Kinsing/install.sh.simple b/tests/linux/2023.Kinsing/install.sh.simple
index 7b57a2b7..e1fa04e8 100644
--- a/tests/linux/2023.Kinsing/install.sh.simple
+++ b/tests/linux/2023.Kinsing/install.sh.simple
@@ -50,7 +50,7 @@ fs/path/usr_sbin: low
 fs/path/var: low
 fs/path/var_log: medium
 fs/permission/modify: medium
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 impact/cryptojacking/cryptonight: high
 impact/cryptojacking/generic: high
 impact/cryptojacking/monero_pool: medium
diff --git a/tests/linux/2024.Gelsemium/libselinux.so.simple b/tests/linux/2024.Gelsemium/libselinux.so.simple
index 72ec5c15..b2c8d26f 100644
--- a/tests/linux/2024.Gelsemium/libselinux.so.simple
+++ b/tests/linux/2024.Gelsemium/libselinux.so.simple
@@ -14,7 +14,7 @@ fs/link_read: low
 fs/proc/arbitrary_pid: medium
 fs/proc/pid_cmdline: high
 fs/proc/pid_stat: medium
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 malware/family/beurk: critical
 malware/family/gelsemium: critical
 os/fd/multiplex: low
diff --git a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
index dd10c696..f277bbf2 100644
--- a/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
+++ b/tests/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple
@@ -57,7 +57,7 @@ fs/permission/chown: medium
 fs/permission/get: low
 fs/permission/modify: medium
 fs/proc/stat: medium
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 impact/exploit/cve_list: medium
 impact/remote_access/kill_rm: medium
 impact/remote_access/reverse_shell: high
diff --git a/tests/linux/2024.chisel/crondx.simple b/tests/linux/2024.chisel/crondx.simple
index 1b6c1865..6e2646fb 100644
--- a/tests/linux/2024.chisel/crondx.simple
+++ b/tests/linux/2024.chisel/crondx.simple
@@ -33,7 +33,7 @@ fs/path/etc_hosts: medium
 fs/path/etc_resolv.conf: low
 fs/permission/chown: medium
 fs/permission/modify: medium
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 net/dns: low
 net/dns/servers: low
 net/dns/txt: low
diff --git a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
index 93844086..4dafeae5 100644
--- a/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
+++ b/tests/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple
@@ -47,7 +47,7 @@ fs/path/tmp: medium
 fs/path/usr_bin: low
 fs/permission/chown: medium
 fs/permission/modify: medium
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 impact/cryptojacking/nicehash_pool: high
 impact/cryptojacking/xmrig: high
 net/dns: low
diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
index b042c971..1c818545 100644
--- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
+++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
@@ -104,7 +104,7 @@ fs/proc/arbitrary_pid: medium
 fs/proc/cpuinfo: medium
 fs/symlink_resolve: low
 fs/tempdir/TEMP: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 hw/cpu: medium
 impact/exploit: high
 impact/exploit/GCONV_PATH: high
diff --git a/tests/linux/2024.medusa/rkload.simple b/tests/linux/2024.medusa/rkload.simple
index 914d5b1f..10ad4768 100644
--- a/tests/linux/2024.medusa/rkload.simple
+++ b/tests/linux/2024.medusa/rkload.simple
@@ -2,7 +2,6 @@
 3P/elastic/orbit: critical
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
-anti-static/xor/commands: high
 anti-static/xor/paths: high
 c2/addr/url: low
 c2/tool_transfer/arch: low
@@ -44,7 +43,7 @@ fs/proc/self_exe: medium
 fs/proc/stat: medium
 fs/tempdir: low
 fs/tempdir/TMPDIR: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 hw/cpu: medium
 malware/family/medusa: critical
 net/socket/local_addr: low
diff --git a/tests/linux/clean/buildah.simple b/tests/linux/clean/buildah.simple
index 97feee5e..60a4df47 100644
--- a/tests/linux/clean/buildah.simple
+++ b/tests/linux/clean/buildah.simple
@@ -101,7 +101,7 @@ fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
 fs/tempdir/create: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/unmount: low
 fs/watch: low
 hw/dev/block_ice: medium
diff --git a/tests/linux/clean/busybox.simple b/tests/linux/clean/busybox.simple
index 0ccd915a..2308ffd5 100644
--- a/tests/linux/clean/busybox.simple
+++ b/tests/linux/clean/busybox.simple
@@ -66,7 +66,7 @@ fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
 fs/tempdir/create: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/watch: low
 hw/cpu: medium
 impact/ddos/raw_flooder: medium
diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple
index e1ccbb89..df656a86 100644
--- a/tests/linux/clean/caddy.simple
+++ b/tests/linux/clean/caddy.simple
@@ -102,7 +102,7 @@ fs/symlink_resolve: low
 fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/watch: low
 hw/wireless: low
 net/dns: low
diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple
index 32933e12..c509dba2 100644
--- a/tests/linux/clean/chezmoi.simple
+++ b/tests/linux/clean/chezmoi.simple
@@ -103,7 +103,7 @@ fs/symlink_resolve: low
 fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/watch: low
 hw/dev/block_ice: medium
 hw/wireless: low
diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple
index 6747518a..8862c584 100644
--- a/tests/linux/clean/chrome.simple
+++ b/tests/linux/clean/chrome.simple
@@ -114,7 +114,7 @@ fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
 fs/tempdir/create: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/unmount: low
 fs/watch: low
 hw/cpu: medium
diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple
index 6ac02d6c..7a4669a8 100644
--- a/tests/linux/clean/clickhouse.simple
+++ b/tests/linux/clean/clickhouse.simple
@@ -135,7 +135,7 @@ fs/tempdir: low
 fs/tempdir/TEMP: low
 fs/tempdir/TMPDIR: low
 fs/tempdir/create: low
-fs/tempdir/tempfile_create: low
+fs/tempfile: low
 fs/watch: low
 hw/cpu: medium
 hw/dev/block_ice: medium
diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md
index 4d7dc97c..b521f270 100644
--- a/tests/linux/clean/code-oss.md
+++ b/tests/linux/clean/code-oss.md @@ -151,7 +151,7 @@ | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | -| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [tmpfile](https://github.com/search?q=tmpfile&type=code) | +| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [tmpfile](https://github.com/search?q=tmpfile&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) | | LOW | [impact/ui/screen_capture](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ui/screen-capture.yara#macos_screen_capture) | macos screen capture | [captureScreen](https://github.com/search?q=captureScreen&type=code) | diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple index 26104e09..d979ac23 100644 --- a/tests/linux/clean/containerd.simple +++ b/tests/linux/clean/containerd.simple @@ -77,7 +77,7 @@ fs/proc/self_cgroup: medium fs/proc/self_mountinfo: medium fs/tempdir/TEMP: low fs/tempdir/create: low -fs/tempdir/tempfile_create: low +fs/tempfile: low fs/unmount: low fs/watch: low hw/dev/block_ice: medium diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md index bcb14fb8..0297d311 100644 --- a/tests/linux/clean/cpack.md +++ b/tests/linux/clean/cpack.md @@ -101,7 +101,7 @@ | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | -| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [mktemp](https://github.com/search?q=mktemp&type=code) | +| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [mktemp](https://github.com/search?q=mktemp&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [net/ftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ftp/ftp.yara#ftp) | File Transfer Protocol (FTP) | [EPSV](https://github.com/search?q=EPSV&type=code) | | LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple index b9481668..59142a2a 100644 --- a/tests/linux/clean/kuma-cp.simple +++ b/tests/linux/clean/kuma-cp.simple @@ -85,7 +85,7 @@ fs/permission/modify: medium fs/quota_manipulate: low fs/swap/on: low fs/tempdir/TEMP: low -fs/tempdir/tempfile_create: low +fs/tempfile: low fs/unmount: low fs/watch: low hw/dev/block_ice: medium diff --git a/tests/linux/clean/libc.so.6.simple b/tests/linux/clean/libc.so.6.simple index 257247a2..648a19e1 100644 --- a/tests/linux/clean/libc.so.6.simple +++ b/tests/linux/clean/libc.so.6.simple @@ -70,7 +70,7 @@ fs/symlink_resolve: low fs/tempdir: low fs/tempdir/TMPDIR: low fs/tempdir/create: low -fs/tempdir/tempfile_create: low +fs/tempfile: low fs/unmount: low fs/watch: low hw/cpu: medium 
diff --git a/tests/linux/clean/libgcj.so.17.0.0.simple b/tests/linux/clean/libgcj.so.17.0.0.simple index 94747d63..65b554ce 100644 --- a/tests/linux/clean/libgcj.so.17.0.0.simple +++ b/tests/linux/clean/libgcj.so.17.0.0.simple @@ -66,7 +66,7 @@ fs/proc/stat: medium fs/tempdir: low fs/tempdir/TEMP: low fs/tempdir/TMPDIR: low -fs/tempdir/tempfile_create: low +fs/tempfile: low hw/iokit_registry: low impact/remote_access/agent: medium lateral/scan/tool: medium diff --git a/tests/linux/clean/libgcj.so.17.simple b/tests/linux/clean/libgcj.so.17.simple index 86c4f889..4a19eb23 100644 --- a/tests/linux/clean/libgcj.so.17.simple +++ b/tests/linux/clean/libgcj.so.17.simple @@ -66,7 +66,7 @@ fs/proc/stat: medium fs/tempdir: low fs/tempdir/TEMP: low fs/tempdir/TMPDIR: low -fs/tempdir/tempfile_create: low +fs/tempfile: low hw/iokit_registry: low impact/remote_access/agent: medium lateral/scan/tool: medium diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple index 158b60e7..3b1a9def 100644 --- a/tests/linux/clean/melange.simple +++ b/tests/linux/clean/melange.simple @@ -100,7 +100,7 @@ fs/swap/on: low fs/symlink_resolve: low fs/tempdir/TEMP: low fs/tempdir/create: low -fs/tempdir/tempfile_create: low +fs/tempfile: low fs/unmount: low fs/watch: low impact/remote_access/heartbeat: medium diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple index 18c18e23..9ef86ed4 100644 --- a/tests/linux/clean/mongosh.simple +++ b/tests/linux/clean/mongosh.simple @@ -120,7 +120,7 @@ fs/tempdir: low fs/tempdir/TEMP: low fs/tempdir/TMPDIR: low fs/tempdir/create: low -fs/tempdir/tempfile_create: low +fs/tempfile: low fs/watch: low hw/cpu: medium hw/wireless: low diff --git a/tests/linux/clean/nvim.simple b/tests/linux/clean/nvim.simple index 6108830b..e5f53b52 100644 --- a/tests/linux/clean/nvim.simple +++ b/tests/linux/clean/nvim.simple 
@@ -59,7 +59,7 @@ fs/tempdir: low fs/tempdir/TEMP: low fs/tempdir/TMPDIR: low fs/tempdir/create: low -fs/tempdir/tempfile_create: low +fs/tempfile: low impact/remote_access/pseudo_terminal: medium net/dns/servers: low net/download/fetch: medium diff --git a/tests/linux/clean/opa.simple b/tests/linux/clean/opa.simple index 09252ecb..86b5cdc8 100644 --- a/tests/linux/clean/opa.simple +++ b/tests/linux/clean/opa.simple @@ -60,7 +60,7 @@ fs/permission/modify: medium fs/proc/self_cgroup: medium fs/proc/self_mountinfo: medium fs/tempdir/TEMP: low -fs/tempdir/tempfile_create: low +fs/tempfile: low fs/watch: low net/dns: low net/dns/reverse: medium diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md index 0ae75aee..0217724a 100644 --- a/tests/linux/clean/pandoc.md +++ b/tests/linux/clean/pandoc.md @@ -141,7 +141,7 @@ | LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [mktemp](https://github.com/search?q=mktemp&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | +| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [mktemp](https://github.com/search?q=mktemp&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | | LOW | [fs/unmount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/unmount.yara#umount) | unmount file system | [umount](https://github.com/search?q=umount&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [hw/iokit_registry](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/iokit-registry.yara#IORegistry) | access IOKit device driver registry | [IORegistry](https://github.com/search?q=IORegistry&type=code) | diff --git a/tests/linux/clean/pulumi.simple b/tests/linux/clean/pulumi.simple index a8f38d6d..e023ebf3 100644 --- a/tests/linux/clean/pulumi.simple +++ b/tests/linux/clean/pulumi.simple @@ -100,7 +100,7 @@ fs/tempdir: low fs/tempdir/TEMP: low fs/tempdir/TMPDIR: low fs/tempdir/create: low -fs/tempdir/tempfile_create: low +fs/tempfile: low hw/wireless: low impact/remote_access/heartbeat: medium lateral/scan/tool: medium diff --git a/tests/linux/clean/redis-server.aarch64.md b/tests/linux/clean/redis-server.aarch64.md index f10140db..7adb4bae 100644 --- a/tests/linux/clean/redis-server.aarch64.md +++ b/tests/linux/clean/redis-server.aarch64.md @@ -46,7 +46,7 @@ | LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/myredis.conf](https://github.com/search?q=%2Fetc%2Fmyredis.conf&type=code)
[/etc/rc.local](https://github.com/search?q=%2Fetc%2Frc.local&type=code)
[/etc/redis/](https://github.com/search?q=%2Fetc%2Fredis%2F&type=code)
[/etc/sentinel.conf](https://github.com/search?q=%2Fetc%2Fsentinel.conf&type=code)
[/etc/sysctl.conf](https://github.com/search?q=%2Fetc%2Fsysctl.conf&type=code) | | LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code) | | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | -| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | +| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | | LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | | LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | | LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md index 9665620e..9e18ab9e 100644 --- a/tests/linux/clean/slack.md +++ b/tests/linux/clean/slack.md @@ -153,7 +153,7 @@ | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | -| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | +| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code)
[bssid](https://github.com/search?q=bssid&type=code) | | LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [require('dns')](https://github.com/search?q=require%28%27dns%27%29&type=code) | diff --git a/tests/linux/clean/sudo.simple b/tests/linux/clean/sudo.simple index 84872190..f614d193 100644 --- a/tests/linux/clean/sudo.simple +++ b/tests/linux/clean/sudo.simple @@ -30,7 +30,7 @@ fs/permission/chown: low fs/proc/arbitrary_pid: medium fs/proc/pid_exe: medium fs/tempdir/TEMP: low -fs/tempdir/tempfile_create: low +fs/tempfile: low net/ip/host_port: medium net/ip/string: medium net/socket/listen: medium diff --git a/tests/linux/clean/tree-sitter.md b/tests/linux/clean/tree-sitter.md index 5fab4bc3..9a2f2fef 100644 --- a/tests/linux/clean/tree-sitter.md +++ b/tests/linux/clean/tree-sitter.md @@ -32,7 +32,7 @@ | LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.cache/Homebrew/cargo_cache/registry/src/index.crates.](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.cache%2FHomebrew%2Fcargo_cache%2Fregistry%2Fsrc%2Findex.crates.&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/tree-sitter/0.24.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftree-sitter%2F0.24.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code) | | LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | -| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | +| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | | LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | | LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | | LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) | diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple index da08c3a6..96b8733e 100644 --- a/tests/linux/clean/trivy.simple +++ b/tests/linux/clean/trivy.simple @@ -131,7 +131,7 @@ fs/tempdir: low fs/tempdir/TEMP: low fs/tempdir/TMPDIR: low fs/tempdir/create: low -fs/tempdir/tempfile_create: low +fs/tempfile: low fs/watch: low hw/dev/block_ice: medium hw/wireless: low diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md index 3a09b936..7886ae1e 100644 --- a/tests/linux/clean/trufflehog.md +++ b/tests/linux/clean/trufflehog.md @@ -155,7 +155,7 @@ | LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | | LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | | LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [temp dir](https://github.com/search?q=temp+dir&type=code) | -| LOW | [fs/tempdir/tempfile_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [createTempFile](https://github.com/search?q=createTempFile&type=code)
[temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | +| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [createTempFile](https://github.com/search?q=createTempFile&type=code)
[temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | | LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | | LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) | | LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code)
[SetEDNS0](https://github.com/search?q=SetEDNS0&type=code)
[dnsmessage](https://github.com/search?q=dnsmessage&type=code) | diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple index d1883444..98f5424a 100644 --- a/tests/linux/clean/wolfictl.simple +++ b/tests/linux/clean/wolfictl.simple @@ -120,7 +120,7 @@ fs/tempdir: low fs/tempdir/TEMP: low fs/tempdir/TMPDIR: low fs/tempdir/create: low -fs/tempdir/tempfile_create: low +fs/tempfile: low fs/unmount: low fs/watch: low hw/wireless: low diff --git a/tests/macOS/2024.Previewers/Previewers.simple b/tests/macOS/2024.Previewers/Previewers.simple index 0df20a2c..caf0d1ae 100644 --- a/tests/macOS/2024.Previewers/Previewers.simple +++ b/tests/macOS/2024.Previewers/Previewers.simple @@ -32,7 +32,7 @@ fs/file/delete: low fs/path/etc: low fs/path/users: medium fs/tempdir/TEMP: low -fs/tempdir/tempfile_create: low +fs/tempfile: low hw/disk_info: medium malware/family/rustdoor: critical net/dns/txt: low diff --git a/tests/npm/2024.distube-fast/postinstall.js.simple b/tests/npm/2024.distube-fast/postinstall.js.simple index be87fcf6..a16fd5d1 100644 --- a/tests/npm/2024.distube-fast/postinstall.js.simple +++ b/tests/npm/2024.distube-fast/postinstall.js.simple @@ -3,7 +3,7 @@ c2/addr/ip: medium c2/tool_transfer/exe_url: critical c2/tool_transfer/js: critical fs/file/delete: low -fs/tempdir/tempfile_create: low +fs/tempfile: low net/download: medium net/http/request: low net/url/embedded: low diff --git a/tests/php/clean/composer-2.7.7.simple b/tests/php/clean/composer-2.7.7.simple index fb72f79e..5ad2bf9b 100644 --- a/tests/php/clean/composer-2.7.7.simple +++ b/tests/php/clean/composer-2.7.7.simple @@ -61,7 +61,7 @@ fs/permission/modify: medium fs/symlink_resolve: low fs/tempdir/TEMP: low fs/tempdir/create: low -fs/tempdir/tempfile_create: low +fs/tempfile: low lateral/scan/target_ip: medium lateral/scan/tool: medium net/download/fetch: medium 
diff --git a/tests/python/clean/numba/support.py.simple b/tests/python/clean/numba/support.py.simple index 3a8cc8d2..9f28257b 100644 --- a/tests/python/clean/numba/support.py.simple +++ b/tests/python/clean/numba/support.py.simple @@ -15,7 +15,7 @@ fs/file/write: low fs/tempdir: low fs/tempdir/TEMP: low fs/tempdir/create: low -fs/tempdir/tempfile_create: low +fs/tempfile: low net/url/embedded: low os/fd/read: low os/fd/write: low diff --git a/tests/windows/2024.GitHub.Clipper/main.exe.simple b/tests/windows/2024.GitHub.Clipper/main.exe.simple index 94a0393c..9c5a86b5 100644 --- a/tests/windows/2024.GitHub.Clipper/main.exe.simple +++ b/tests/windows/2024.GitHub.Clipper/main.exe.simple @@ -70,7 +70,7 @@ fs/permission/chown: medium fs/permission/modify: medium fs/tempdir: low fs/tempdir/TEMP: low -fs/tempdir/tempfile_create: low +fs/tempfile: low hw/disk_info: medium impact/degrade/win_defender: high lateral/scan/tool: medium From e06df74159b8d0b0f4254f10913c950912656a8a Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Thu, 12 Dec 2024 20:56:56 -0500 Subject: [PATCH 04/10] add missing files --- rules/anti-static/xor/xor-paths.yara | 32 ++++++++++++++++++++++++++++ rules/fs/proc/pid-stat.yara | 26 ++++++++++++++++++++++ rules/fs/tempfile.yara | 14 ++++++++++++ rules/malware/family/gelsemium.yara | 27 +++++++++++++++++++++++ 4 files changed, 99 insertions(+) create mode 100644 rules/anti-static/xor/xor-paths.yara create mode 100644 rules/fs/proc/pid-stat.yara create mode 100644 rules/fs/tempfile.yara create mode 100644 rules/malware/family/gelsemium.yara diff --git a/rules/anti-static/xor/xor-paths.yara b/rules/anti-static/xor/xor-paths.yara new file mode 100644 index 00000000..8c243288 --- /dev/null +++ b/rules/anti-static/xor/xor-paths.yara 
@@ -0,0 +1,32 @@
+rule xor_paths: high {
+ meta:
+ description = "paths obfuscated using xor"
+
+ strings:
+ $dev_shm = "/dev/shm" xor(1-31)
+ $dev_shm2 = "/dev/shm" xor(33-255)
+ $dev_null = "/dev/null" xor(1-31)
+ $dev_null2 = "/dev/null" xor(33-255)
+ $dev_stdin = "/dev/stdin" xor(1-31)
+ $dev_stdin2 = "/dev/stdin" xor(33-255)
+ $dev_stderr = "/dev/stderr" xor(1-31)
+ $dev_stderr2 = "/dev/stderr" xor(33-255)
+ $proc_net_tcp = "/proc/net/tcp" xor(1-31)
+ $proc_net_tcp2 = "/proc/net/tcp" xor(33-255)
+ $var_log_wtmp = "/var/log/wtmp" xor(1-31)
+ $var_log_wtmp2 = "/var/log/wtmp" xor(33-255)
+ $var_run_utmp = "/var/run/utmp" xor(1-31)
+ $var_run_utmp2 = "/var/run/utmp" xor(33-255)
+ $usr_bin = "/usr/bin" xor(1-31)
+ $usr_sbin = "/usr/sbin" xor(1-31)
+ $var_tmp = "/var/tmp" xor(1-31)
+ $var_run = "/var/run" xor(1-31)
+ $usr_bin2 = "/usr/bin" xor(33-255)
+ $usr_sbin2 = "/usr/sbin" xor(33-255)
+ $var_tmp2 = "/var/tmp" xor(33-255)
+ $var_run2 = "/var/run" xor(33-255)
+
+ condition:
+ filesize < 10MB and any of them
+}
+
diff --git a/rules/fs/proc/pid-stat.yara b/rules/fs/proc/pid-stat.yara
new file mode 100644
index 00000000..1a1a64c6
--- /dev/null
+++ b/rules/fs/proc/pid-stat.yara
@@ -0,0 +1,26 @@
+import "math"
+
+rule proc_stat: medium {
+ meta:
+ description = "access status fields for other processes"
+
+ strings:
+ $string = "/proc/%s/stat" fullword
+ $digit = "/proc/%d/stat" fullword
+ $python = "/proc/{}/stat" fullword
+
+ condition:
+ any of them
+}
+
+rule proc_stat_near: medium {
+ meta:
+ description = "access status fields for other processes"
+
+ strings:
+ $proc = "/proc" fullword
+ $fmt = /%[sd]\/stat/ fullword
+
+ condition:
+ all of them and math.abs(@proc - @fmt) < 128
+}
diff --git a/rules/fs/tempfile.yara b/rules/fs/tempfile.yara
new file mode 100644
index 00000000..bd8037ec
--- /dev/null
+++ b/rules/fs/tempfile.yara
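Review bot: The split into `xor(1-31)` and `xor(33-255)` skips key 0x20 on purpose, but nothing in the rule says why, so a later tidy-up will collapse it to `xor(1-255)` and reintroduce whatever false positive motivated the gap; add a short comment above the strings, e.g. `// key 0x20 deliberately excluded from the xor range`, naming the case that caused it if one is known. A single 8-byte hit on `/usr/bin`, `/var/run` or `/var/tmp` is also rated `high` through `any of them`; if those shorter, more generic paths are meant to carry less weight than `/proc/net/tcp`, `/var/log/wtmp` or `/var/run/utmp`, consider `2 of them`, or keep `any of` only for the longer strings and move the short ones to a `medium` rule.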
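Review bot: `math.abs(@proc - @fmt) < 128` in `proc_stat_near` only compares the first occurrence of each string, because a bare `@x` is `@x[1]`; a binary where `/proc` first appears in an unrelated message and the `%s/stat` format is built elsewhere is missed, while one where the two first occurrences happen to be adjacent matches. Iterate over occurrences instead: `for any i in (1..#fmt) : (for any j in (1..#proc) : (math.abs(@proc[j] - @fmt[i]) < 128))`. Both rules also describe the match as "access status fields for other processes", although `/proc/%d/stat` is just as often filled with the caller's own pid; "reads /proc/<pid>/stat" would be the claim the strings actually support.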
@@ -0,0 +1,14 @@
+rule mktemp {
+ meta:
+ description = "creates temporary files"
+
+ strings:
+ $ref = "mktemp" fullword
+ $ref2 = "temp file"
+ $ref3 = "ioutil/tempfile"
+ $ref4 = "tmpfile"
+ $ref5 = "createTempFile"
+
+ condition:
+ any of them
+}
diff --git a/rules/malware/family/gelsemium.yara b/rules/malware/family/gelsemium.yara
new file mode 100644
index 00000000..19ba3407
--- /dev/null
+++ b/rules/malware/family/gelsemium.yara
@@ -0,0 +1,27 @@
+rule wolfsbane_config: critical linux {
+ meta:
+ description = "Wolfsbane Malware (configuration)"
+ ref = "https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/"
+
+ strings:
+ $config_clientpath = "clientpath" wide
+ $config_hiderpath = "hiderpath" wide
+ $config_pluginkey = "pluginkey" wide
+ $config_mainpath = "mainpath" wide
+
+ condition:
+ filesize < 10MB and all of them
+}
+
+rule wolfsbane_rc4_key: critical linux {
+ meta:
+ description = "Wolfsbane Malware (RC4 key)"
+ ref = "https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/"
+
+ strings:
+ $rc4_key = "8825FC47153E264D" wide
+
+ condition:
+ filesize < 10MB and all of them
+}
+
From 21aef34e222290654ecfcf93afd4c55a4359c5b9 Mon Sep 17 00:00:00 2001
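Review bot: `$ref = "mktemp" fullword` covers the `mktemp(1)` command and the deprecated `mktemp(3)`, but not `mkstemp`, `mkostemp` or `mkstemps`, which are what compiled code normally calls and are the variants that create the file atomically; unless another rule already reports those, add `$ref6 = /mko?stemps?/ fullword` so the "creates temporary files" capability is not missed on binaries that avoided the unsafe call. `$ref4 = "tmpfile"` is unanchored and will also match `systemd-tmpfiles` and `tmpfiles.d`, which is cleanup rather than creation; `fullword` would keep the match honest.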
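Review bot: Both Wolfsbane rules declare their strings `wide` only, so `clientpath`/`hiderpath`/`pluginkey`/`mainpath` and the RC4 key are matched solely as UTF-16LE and an ASCII copy of the same strings in an ELF would not fire; for a `linux`-tagged family rule that is unusual enough that the next maintainer will read it as an oversight. If the samples under tests/linux/2024.Gelsemium really store these as UTF-16 (presumably why the fixtures pass), record that next to the strings, e.g. `// config keys and RC4 key are UTF-16LE in the sample; keep wide`; otherwise `ascii wide` costs nothing given the `all of them` condition.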
From: Thomas Stromberg Date: Thu, 12 Dec 2024 22:03:18 -0500 Subject: [PATCH 05/10] Finish dbus analysis --- rules/discover/multiple.yara | 38 +++++++++- rules/evasion/file/prefix/prefix.yara | 12 ++++ rules/exec/program/program.yara | 22 ++++++ .../shell/arbitrary_command-dev_null.yara | 1 + rules/persist/kernel_module/insert.yara | 72 ------------------- rules/persist/kernel_module/module.yara | 16 +++++ rules/persist/linux_multi.yara | 11 +-- rules/persist/shell/bash.yara | 17 +++++ rules/process/terminate/terminate.yara | 1 + tests/linux/2019.ChinaZ/yk.simple | 1 + tests/linux/2021.FontOnLake/45E9.elf.simple | 3 +- tests/linux/2023.Kinsing/install.sh.simple | 2 +- tests/linux/2024.Gelsemium/dbus.simple | 13 +++- tests/linux/2024.Gelsemium/kde.simple | 9 ++- tests/linux/2024.Gelsemium/udevd.simple | 11 ++- tests/linux/2024.Gelsemium/udevd_multi.simple | 11 ++- .../uranus-ack-mike-cat.simple | 1 + tests/linux/2024.gas/gas.simple | 3 +- tests/linux/2024.kubo_injector/injector.json | 11 +++ .../emp3r0r.agent.simple | 1 + tests/linux/2024.medusa/rkload.simple | 1 + .../2024.melofee/2023.758b0934b7.elf.simple | 4 +- .../2024.melofee/2023.8d855c2874.elf.simple | 4 +- .../2024.melofee/driver_decrypted.simple | 1 - tests/linux/2024.melofee/pskt.simple | 1 + ...5d0e2031551f9f1a70b6db475ba71b2.elf.simple | 1 + tests/linux/2024.vncjew/__min__c.simple | 1 + tests/linux/clean/caddy.simple | 2 +- tests/linux/clean/chezmoi.simple | 2 +- tests/linux/clean/chrome.simple | 4 +- tests/linux/clean/clickhouse.simple | 1 + tests/linux/clean/code-oss.md | 3 +- tests/linux/clean/cpack.md | 3 +- tests/linux/clean/ld-2.27.so.simple | 3 +- tests/linux/clean/libasan.so.8.0.0.simple | 2 +- tests/linux/clean/libc.so.6.simple | 2 +- tests/linux/clean/libgcj.so.17.0.0.simple | 3 +- tests/linux/clean/libgcj.so.17.simple | 3 +- tests/linux/clean/melange.simple | 3 +- tests/linux/clean/pandoc.md | 4 +- tests/linux/clean/pulumi.simple | 3 +- tests/linux/clean/qemu-system-xtensa.md | 1 + 
.../clean/runtime-security-fentry.o.simple | 2 +- .../runtime-security-syscall-wrapper.o.simple | 2 +- tests/linux/clean/runtime-security.o.simple | 2 +- tests/linux/clean/slack.md | 3 +- tests/linux/clean/slirp4netns.simple | 5 +- tests/linux/clean/tree-sitter.md | 1 + tests/linux/clean/trivy.simple | 3 +- tests/linux/clean/trufflehog.md | 3 +- tests/linux/clean/wolfictl.simple | 3 +- tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple | 2 +- 52 files changed, 217 insertions(+), 117 deletions(-) delete mode 100644 rules/persist/kernel_module/insert.yara diff --git a/rules/discover/multiple.yara b/rules/discover/multiple.yara index 512f1c03..6862fdda 100644 --- a/rules/discover/multiple.yara +++ b/rules/discover/multiple.yara @@ -6,6 +6,7 @@ rule sys_net_recon: medium { $net_ipconfig = "ipconfig" fullword $net_ipaddr = "ipaddr" fullword $sys_getpass = "getpass.getuser" + $sys_whoami = "whoami" fullword $sys_platform_node = "platform.node()" fullword $sys_platform_platform = "platform.platform()" fullword $sys_platform_system = "platform.system()" fullword @@ -19,8 +20,8 @@ rule sys_net_recon: medium { $sys_id = "id" fullword $sys_lspi = "lspci" $sys_sudo = /sudo.{0,4}-l/ - $sys_uname = "uname -a" - $sys_whoami = "whoami" fullword + $sys_uname_a = "uname -a" + $sys_uname_r = "uname -r" $sys_macos = "isPlatformOrVariant" $sys_systeminfo = "systeminfo" fullword 
@@ -28,6 +29,39 @@ rule sys_net_recon: medium {
 filesize < 512KB and any of ($sys*) and any of ($net*)
 }
+rule user_sys_net_disk_recon: high {
+ meta:
+ description = "collects user, system, disk, and network information"
+
+ strings:
+ $net_ipconfig = "ipconfig"
+ $net_ipaddr = "ipaddr" fullword
+ $user_getpass = "getpass.getuser"
+ $user_whoami = "whoami"
+ $sys_platform_node = "platform.node()" fullword
+ $sys_platform_platform = "platform.platform()" fullword
+ $sys_platform_system = "platform.system()" fullword
+ $sys_tasklist = /tasklist.{0,4}\/svc/ fullword
+ $net_ifconfig = "ifconfig" fullword
+ $net_ip_addr = /ip.{0,4}addr/ fullword
+ $net_ip_route = /ip.{0,4}route/
+ $net_netstat = /netstat.{0,4}-[arn]/
+ $net_ufw = /ufw.{0,4}status/
+ $sys_hostname = "hostname" fullword
+ $sys_id = "id" fullword
+ $sys_lspi = "lspci"
+ $sys_sudo = /sudo.{0,4}-l/
+ $sys_uname_a = "uname -a"
+ $sys_uname_r = "uname -r"
+ $sys_macos = "isPlatformOrVariant"
+ $sys_systeminfo = "systeminfo" fullword
+ $disk_df_h = "df -h"
+ $disk_space = "Disk space"
+
+ condition:
+ filesize < 512KB and any of ($sys*) and any of ($net*) and any of ($user*) and any of ($disk*)
+}
+
 private rule discover_obfuscate {
 strings:
 $b64decode = "b64decode"
diff --git a/rules/evasion/file/prefix/prefix.yara b/rules/evasion/file/prefix/prefix.yara
index 7525429b..088a49d0 100644
--- a/rules/evasion/file/prefix/prefix.yara
+++ b/rules/evasion/file/prefix/prefix.yara
@@ -23,6 +23,18 @@ rule static_hidden_path: medium {
 $ref
 }
+rule known_hidden_path: critical {
+ meta:
+ description = "known hidden file path"
+
+ strings:
+ $xl1 = /[a-z\/]{0,24}\/(var|usr|tmp|lib)\/[a-z\/]{0,24}\/\.Xl1[\w\_\-\.]{0,16}/
+ $kde_root = /[a-z\/]{0,24}\/(var|usr|tmp|lib)\/[a-z\/]{0,24}\/\.kde-root[\w\_\-\.]{0,16}/
+
+ condition:
+ any of them
+}
+
 rule hidden_path: medium {
 meta:
 description = "hidden path in a system directory"
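Review bot: The `high`-rated `user_sys_net_disk_recon` drops the `fullword` that the sibling `sys_net_recon` keeps on `whoami` and `ipconfig`, and it copies in `$sys_id = "id" fullword`, which matches `id=`, `"id"` in JSON and countless other benign tokens, so the `$sys*` leg is effectively always satisfied and the rule reduces to `whoami` anywhere plus `df -h`/`Disk space` plus one net term. Restore `fullword` on `$user_whoami` and `$net_ipconfig`, and either drop `$sys_id` or give it a command shape such as `$sys_id = /\bid -[ugn]/`. It would also help to state in the description what separates this from `sys_net_recon` (the `user` and `disk` legs), since the two share most of their strings.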
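Review bot: Both `known_hidden_path` regexes require an extra slash-delimited component between the top directory and the hidden name — `\/(var|usr|tmp|lib)\/[a-z\/]{0,24}\/\.Xl1` needs `/tmp/` + something + `/.Xl1` — so a direct `/tmp/.Xl1` or `/var/.kde-root` does not match, only e.g. `/usr/lib/.Xl1`; and because `[a-z\/]` has no digits, `/usr/lib64/.Xl1` is missed as well. If the reported paths really sit one level deeper, say so in a comment; otherwise drop the second `\/` (the class already absorbs it) and widen the class: `$xl1 = /[\w\/]{0,24}\/(var|usr|tmp|lib)\/[\w\/]{0,24}\.Xl1[\w\_\-\.]{0,16}/`. A `critical` rule keyed on two literal file names should also carry a `ref` meta naming the report the names come from.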
diff --git a/rules/exec/program/program.yara b/rules/exec/program/program.yara
index 428d84bb..be4066cf 100644
--- a/rules/exec/program/program.yara
+++ b/rules/exec/program/program.yara
@@ -161,3 +161,25 @@ rule npm_exec: medium {
 condition:
 all of them
 }
+
+rule hash_bang_bash_exec: high {
+ meta:
+ description = "starts program from a hash-bang line"
+
+ strings:
+ $bin_bash = /#!\/bin\/bash\s{1,256}\/[\w\/\.\-]{2,64}/
+
+ condition:
+ all of them and $bin_bash at 0
+}
+
+rule hash_bang_sh_exec: high {
+ meta:
+ description = "starts program from a hash-bang line"
+
+ strings:
+ $bin_sh = /#!\/bin\/sh\s{1,256}\/[\w\/\.\-]{2,64}/
+
+ condition:
+ all of them and $bin_sh at 0
+}
diff --git a/rules/exec/shell/arbitrary_command-dev_null.yara b/rules/exec/shell/arbitrary_command-dev_null.yara
index 2bd198f4..0b2fe536 100644
--- a/rules/exec/shell/arbitrary_command-dev_null.yara
+++ b/rules/exec/shell/arbitrary_command-dev_null.yara
@@ -17,6 +17,7 @@ rule cmd_dev_null_quoted: high {
 strings:
 $ref = /"%s" {0,2}[12&]{0,1}> {0,1}\/dev\/null/
 $ref2 = "\"%s\" >/dev/null"
+ $ref3 = /.{0,64} %s 2\>\/dev\/null/
 condition:
 any of them
diff --git a/rules/persist/kernel_module/insert.yara b/rules/persist/kernel_module/insert.yara
deleted file mode 100644
index 90742dd7..00000000
--- a/rules/persist/kernel_module/insert.yara
+++ /dev/null
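Review bot: `hash_bang_bash_exec` and `hash_bang_sh_exec` are the same rule written twice; one string `$ref = /#!\/bin\/(ba)?sh\s{1,256}\/[\w\/\.\-]{2,64}/` with `$ref at 0` covers both and leaves one place to extend for `#!/usr/bin/bash` or `#!/usr/bin/env bash`. Note also that `\s{1,256}` spans newlines, so the rule fires on any script whose first non-blank line is an absolute-path command — the shape of most wrapper and init scripts — which is a lot to rate `high`; if the samples in this commit need it, a comment such as `// first statement is an absolute-path exec; typical of dropper wrappers` would justify the rating for the next reader.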
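Review bot: `$ref3 = /.{0,64} %s 2\>\/dev\/null/` is added to `cmd_dev_null_quoted`, but unlike `$ref` and `$ref2` it has no quotes around `%s`, so the rule no longer matches its own name and now rates common probes like `which %s 2>/dev/null` or `command -v %s 2>/dev/null` as `high`; the quoted form `"%s" 2>/dev/null` is already covered by `$ref`. The leading `.{0,64}` buys nothing on an unanchored regex except scanner work. Move the unquoted string into its own lower-rated rule (e.g. `cmd_dev_null_unquoted: medium`) rather than widening this one.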
@@ -1,72 +0,0 @@
-rule kernel_module_loader: medium linux {
- meta:
- description = "loads Linux kernel module via insmod"
-
- strings:
- $insmod = /insmod [ \#\{\}\$\%\w\.\/_-]{1,32}/
-
- condition:
- filesize < 10MB and all of them
-}
-
-rule kernel_module_unloader: medium linux {
- meta:
- description = "unloads Linux kernel module via rmmod"
-
- strings:
- $insmod = /rmmod [ \#\{\}\$\%\w\.\/_-]{1,32}/
-
- condition:
- filesize < 10MB and all of them
-}
-
-rule kernel_module_loader_ko: high linux {
- meta:
- description = "loads Linux kernel module .ko via insmod"
-
- strings:
- $insmod = /insmod [ \$\%\w\.\/_-]{1,32}\.ko/
-
- condition:
- filesize < 10MB and all of them
-}
-
-rule kernel_module_loader_sus_redir: high linux {
- meta:
- description = "suspiciously loads Linux kernel module via insmod"
-
- strings:
- $insmod = /insmod [ \$\%\w\.\/_-]{1,32} .{0,16}\/dev\/null 2\>\&1/
-
- condition:
- filesize < 10MB and all of them
-}
-
-rule cha_cha_tests: override linux {
- meta:
- description = "test_cipher.ko"
- filetypes = "sh"
- kernel_module_loader_ko = "medium"
-
- strings:
- $test = "insmod test_cipher.ko size"
-
- condition:
- filesize < 2KB and any of them
-}
-
-rule init_module: medium linux {
- meta:
- description = "Linux kernel module"
- syscall = "init_module"
- capability = "CAP_SYS_MODULE"
-
- filetypes = "ko,elf,so"
-
- strings:
- $ref = "init_module" fullword
-
- condition:
- filesize < 1MB and all of them
-}
-
diff --git a/rules/persist/kernel_module/module.yara b/rules/persist/kernel_module/module.yara
index d57804b8..3716d162 100644
--- a/rules/persist/kernel_module/module.yara
+++ b/rules/persist/kernel_module/module.yara
@@ -38,3 +38,19 @@ rule delete_module: medium { condition: all of them } + +rule init_module: medium linux { + meta: + description = "Linux kernel module" + syscall = "init_module" + capability = "CAP_SYS_MODULE" + + filetypes = "ko,elf,so" + + strings: + $ref = "init_module" fullword + + condition: + filesize < 1MB and all of them +} + diff --git a/rules/persist/linux_multi.yara b/rules/persist/linux_multi.yara index 8af02da1..9e93d4a8 100644 --- a/rules/persist/linux_multi.yara +++ b/rules/persist/linux_multi.yara @@ -3,9 +3,12 @@ rule linux_multi_persist: high { description = "references multiple Linux persistence methods" strings: - $initd = /etc\/init\.d\/[\w\/\.]{0,32}/ fullword - $udev = "etc/udev" - $crontab = "crontab" fullword + $o_initd = /etc\/init\.d\/[\w\/\.]{0,32}/ fullword + $o_udev = "etc/udev" + $o_crontab = "crontab" fullword + $o_xdg = "[Desktop Entry]" + $o_rc_d = "/etc/rc.d/rc.local" + $o_insmod = "insmod" fullword $bash_ref = ".bash_profile" $bash_ref2 = ".profile" fullword @@ -19,5 +22,5 @@ rule linux_multi_persist: high { $not_vim = "VIMRUNTIME" fullword condition: - filesize < 20MB and ($initd or $udev) and $crontab and any of ($bash*) and none of ($not*) + filesize < 20MB and 3 of ($o*) and any of ($bash*) and none of ($not*) } diff --git a/rules/persist/shell/bash.yara b/rules/persist/shell/bash.yara index ae26fab8..e0186bb7 100644 --- a/rules/persist/shell/bash.yara +++ b/rules/persist/shell/bash.yara @@ -16,6 +16,23 @@ rule bash_persist: medium { filesize < 2097152 and any of ($ref*) and none of ($not*) } +rule bash_persist_persistent: high { + meta: + description = "acccesses multiple bash startup files" + + strings: + $ref1 = ".bash_profile" + $ref2 = ".bash_login" + $ref3 = ".profile" + $ref4 = ".bashrc" + + $not_bash = "POSIXLY_CORRECT" + + condition: + 3 of them and none of ($not*) + +} + rule hardcoded_bash_persist_file: high { meta: description = "hardcodes a shell startup file" 
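Review bot: `init_module`'s `description = "Linux kernel module"` names a file type rather than the behavior, while the neighbouring `syscall` and `capability` keys describe an action; since the string is the `init_module` syscall name, `description = "references init_module, the kernel-module loading syscall"` tells the analyst what actually fired. The hunk also ends with an empty `+` line after the closing brace, leaving a trailing blank line at end of file (the same trailing blank existed in the `insert.yara` this rule is being moved from, so it is worth dropping while the rule is in motion). The rule body is otherwise relocated unchanged.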
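Review bot: Replacing `($initd or $udev) and $crontab` with `3 of ($o*)` changes what `linux_multi_persist` demands, and the fixture edits in this same patch show one consequence: `tests/linux/2023.Kinsing/install.sh.simple` loses `persist/linux_multi: high`, presumably because that installer no longer reaches three of the six `$o_*` terms, while `dbus.simple` gains the hit. If trading a known-malicious installer for the Gelsemium sample is intentional it deserves a line in the commit message; if not, `2 of ($o*)`, or keeping the old anchor with `$o_crontab and 2 of ($o*)`, would likely keep Kinsing covered. Note also that `$o_insmod` and `$o_rc_d` (added in the strings hunk above) are brand-new terms counted toward the threshold, so the `high` rating now rests on combinations the old condition never evaluated. `linux_multi_persist` starts before this hunk.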
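Review bot: `bash_persist_persistent` fires on a clean sample in this very patch — `tests/linux/clean/pandoc.md` gains a HIGH row for it with all four startup-file names as evidence — so rating bare mentions of `.bashrc`/`.profile`/`.bash_login`/`.bash_profile` as `high` looks like a ready source of false positives, since shells, editors, dotfile managers and documentation tools name these files routinely. Requiring path-like forms (`/.bashrc`, `~/.bashrc`) or pairing the names with a write or `source` term would presumably keep the Gelsemium `persist/shell/bash: high` hits while sparing pandoc; otherwise `medium`, matching the sibling `bash_persist`, is the safer rating. The description misspells `acccesses` (the typo is already baked into the pandoc fixture and will need regenerating with the fix), `3 of them` also counts `$not_bash` so `3 of ($ref*)` states the intent directly, and the sibling's `filesize < 2097152` guard is missing here. There is also a stray blank line before the closing brace.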
diff --git a/rules/process/terminate/terminate.yara b/rules/process/terminate/terminate.yara index 2452b6f7..c239f02f 100644 --- a/rules/process/terminate/terminate.yara +++ b/rules/process/terminate/terminate.yara @@ -9,3 +9,4 @@ rule TerminateProcess: medium { condition: any of them } + diff --git a/tests/linux/2019.ChinaZ/yk.simple b/tests/linux/2019.ChinaZ/yk.simple index cff3078a..04d15dab 100644 --- a/tests/linux/2019.ChinaZ/yk.simple +++ b/tests/linux/2019.ChinaZ/yk.simple @@ -1,6 +1,7 @@ # linux/2019.ChinaZ/yk: critical anti-behavior/LD_DEBUG: medium anti-behavior/LD_PROFILE: medium +anti-static/elf/multiple: high c2/addr/server: medium c2/addr/url: low crypto/rc4: low diff --git a/tests/linux/2021.FontOnLake/45E9.elf.simple b/tests/linux/2021.FontOnLake/45E9.elf.simple index 87fe4524..f11bafbf 100644 --- a/tests/linux/2021.FontOnLake/45E9.elf.simple +++ b/tests/linux/2021.FontOnLake/45E9.elf.simple @@ -1,5 +1,6 @@ # linux/2021.FontOnLake/45E9.elf: critical 3P/elastic/rootkit_fontonlake: critical +anti-static/elf/multiple: high anti-static/packer/upx: high c2/addr/ip: high c2/addr/url: low @@ -91,7 +92,7 @@ net/tcp/ssh: medium net/tun_tap: medium net/url/embedded: low persist/daemon: medium -persist/kernel_module/insert: high +persist/kernel_module/install: high persist/kernel_module/kprobe: medium persist/kernel_module/module: medium persist/kernel_module/symbol_lookup: high diff --git a/tests/linux/2023.Kinsing/install.sh.simple b/tests/linux/2023.Kinsing/install.sh.simple index e1fa04e8..156524d4 100644 --- a/tests/linux/2023.Kinsing/install.sh.simple +++ b/tests/linux/2023.Kinsing/install.sh.simple @@ -58,6 +58,7 @@ impact/cryptojacking/xmrig: high impact/degrade/firewall: high impact/degrade/infection: critical impact/degrade/linux_paths: high +impact/degrade/systemd: medium impact/remote_access/agent: medium impact/remote_access/iptables: medium impact/remote_access/kill_rm: medium 
@@ -67,7 +68,6 @@ net/url/embedded: low persist/cron/etc_d: high persist/cron/tab: medium persist/daemon: medium -persist/linux_multi: high persist/shell/bash: medium persist/ssh_authorized_keys: medium persist/writeable_dir: high diff --git a/tests/linux/2024.Gelsemium/dbus.simple b/tests/linux/2024.Gelsemium/dbus.simple index 0c578f2a..bdb95b7e 100644 --- a/tests/linux/2024.Gelsemium/dbus.simple +++ b/tests/linux/2024.Gelsemium/dbus.simple @@ -1,14 +1,16 @@ # linux/2024.Gelsemium/dbus: critical +anti-static/elf/multiple: high crypto/decrypt: low crypto/encrypt: medium data/hash/md5: medium data/random/insecure: low +discover/multiple: high discover/network/netstat: medium discover/system/platform: medium discover/system/sysinfo: medium discover/user/name_get: medium -evasion/file/prefix: high -exec/shell/arbitrary_command_dev_null: medium +evasion/file/prefix: critical +exec/shell/arbitrary_command_dev_null: high fs/directory/create: low fs/directory/remove: low fs/file/delete_forcibly: medium @@ -29,10 +31,15 @@ net/socket/local_addr: low net/socket/receive: low net/socket/send: low persist/daemon: medium -persist/kernel_module/insert: medium +persist/kernel_module/install: high +persist/kernel_module/name: high +persist/kernel_module/unload: high +persist/linux_multi: high persist/pid_file: medium persist/shell/bash: medium +persist/xdg_desktop_entry: high privesc/setuid: low process/groupid_set: low process/multithreaded: low +process/terminate/arbitrary: high sus/compiler: medium diff --git a/tests/linux/2024.Gelsemium/kde.simple b/tests/linux/2024.Gelsemium/kde.simple index 569ea4c3..f282e277 100644 --- a/tests/linux/2024.Gelsemium/kde.simple +++ b/tests/linux/2024.Gelsemium/kde.simple 
@@ -2,11 +2,11 @@ crypto/rc4: low discover/process/name: medium evasion/file/location/dev_shm: high -evasion/file/prefix: high +evasion/file/prefix: critical evasion/hijack_execution/etc_ld.so.preload: high exec/program: medium exec/program/background: low -exec/shell/arbitrary_command_dev_null: medium +exec/shell/arbitrary_command_dev_null: high fs/directory/create: low fs/directory/remove: low fs/file/delete: medium @@ -17,7 +17,10 @@ fs/path/etc: low fs/path/usr_bin: low fs/proc/self_exe: medium malware/family/gelsemium: critical -persist/shell/bash: medium +persist/plugin: high +persist/shell/bash: high privesc/setuid: low process/groupid_set: low +process/terminate/arbitrary: high sus/compiler: high +sus/lang: medium diff --git a/tests/linux/2024.Gelsemium/udevd.simple b/tests/linux/2024.Gelsemium/udevd.simple index f27c77f7..df3ed0d8 100644 --- a/tests/linux/2024.Gelsemium/udevd.simple +++ b/tests/linux/2024.Gelsemium/udevd.simple @@ -1,4 +1,5 @@ # linux/2024.Gelsemium/udevd: critical +anti-static/elf/multiple: high c2/addr/ip: medium c2/addr/url: low c2/client: medium @@ -21,12 +22,12 @@ data/hash/sha256: low data/random/insecure: low discover/system/platform: low evasion/file/location/dev_shm: medium -evasion/file/prefix: high +evasion/file/prefix: critical evasion/hijack_execution/etc_ld.so.preload: high exec/dylib/address_check: low exec/dylib/symbol_address: medium exec/plugin: low -exec/shell/arbitrary_command_dev_null: medium +exec/shell/arbitrary_command_dev_null: high exec/shell/exec: medium exec/system_controls/systemd: medium fs/directory/create: low @@ -44,6 +45,7 @@ fs/permission/modify: medium fs/proc/arbitrary_pid: medium fs/proc/pid_fd: medium fs/proc/self_exe: medium +impact/degrade/systemd: high impact/remote_access/heartbeat: medium impact/remote_access/reverse_shell: medium lateral/scan/tool: medium 
@@ -62,8 +64,13 @@ net/socket/local_addr: low net/socket/peer_address: low net/socket/receive: low net/socket/send: low +net/udp/kcp: medium net/url/embedded: low +persist/plugin: high +persist/shell/bash: high privesc/setuid: low process/groupid_set: low process/multithreaded: low +process/terminate/arbitrary: high sus/compiler: high +sus/lang: medium diff --git a/tests/linux/2024.Gelsemium/udevd_multi.simple b/tests/linux/2024.Gelsemium/udevd_multi.simple index e027a150..a65b813c 100644 --- a/tests/linux/2024.Gelsemium/udevd_multi.simple +++ b/tests/linux/2024.Gelsemium/udevd_multi.simple @@ -1,4 +1,5 @@ # linux/2024.Gelsemium/udevd_multi: critical +anti-static/elf/multiple: high c2/addr/ip: medium c2/addr/url: low c2/client: medium @@ -21,12 +22,12 @@ data/hash/sha256: low data/random/insecure: low discover/system/platform: low evasion/file/location/dev_shm: medium -evasion/file/prefix: high +evasion/file/prefix: critical evasion/hijack_execution/etc_ld.so.preload: high exec/dylib/address_check: low exec/dylib/symbol_address: medium exec/plugin: low -exec/shell/arbitrary_command_dev_null: medium +exec/shell/arbitrary_command_dev_null: high exec/shell/exec: medium exec/system_controls/systemd: medium fs/directory/create: low @@ -44,6 +45,7 @@ fs/permission/modify: medium fs/proc/arbitrary_pid: medium fs/proc/pid_fd: medium fs/proc/self_exe: medium +impact/degrade/systemd: high impact/remote_access/heartbeat: medium impact/remote_access/reverse_shell: medium lateral/scan/tool: medium @@ -61,8 +63,13 @@ net/socket/listen: medium net/socket/local_addr: low net/socket/receive: low net/socket/send: low +net/udp/kcp: medium net/url/embedded: low +persist/plugin: high +persist/shell/bash: high privesc/setuid: low process/groupid_set: low process/multithreaded: low +process/terminate/arbitrary: high sus/compiler: high +sus/lang: medium 
diff --git a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple index 97c7d0b9..26fce3ce 100644 --- a/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple +++ b/tests/linux/2024.TellYouThePass/uranus-ack-mike-cat.simple @@ -48,6 +48,7 @@ fs/path/tmp: medium fs/path/var: low fs/permission/chown: medium fs/permission/modify: medium +impact/degrade/systemd: medium impact/ransom/note: high impact/remote_access/reverse_shell: medium net/dns: low diff --git a/tests/linux/2024.gas/gas.simple b/tests/linux/2024.gas/gas.simple index a89056fc..8d13257e 100644 --- a/tests/linux/2024.gas/gas.simple +++ b/tests/linux/2024.gas/gas.simple @@ -1,6 +1,7 @@ -# linux/2024.gas/gas: high +# linux/2024.gas/gas: critical anti-behavior/LD_DEBUG: medium anti-behavior/LD_PROFILE: medium +anti-static/elf/multiple: high c2/addr/url: low c2/tool_transfer/arch: low crypto/rc4: low diff --git a/tests/linux/2024.kubo_injector/injector.json b/tests/linux/2024.kubo_injector/injector.json index 57a82773..9acacf10 100644 --- a/tests/linux/2024.kubo_injector/injector.json +++ b/tests/linux/2024.kubo_injector/injector.json @@ -12,6 +12,17 @@ "rpath" ], "Behaviors": [ + { + "Description": "multiple ELF binaries concatenated into a single file", + "MatchStrings": [ + "$elf_head" + ], + "RiskScore": 3, + "RiskLevel": "HIGH", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf", + "ID": "anti-static/elf/multiple", + "RuleName": "multiple_elf" + }, { "Description": "binary contains hardcoded URL", "MatchStrings": [ diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple index 1c818545..00225be2 100644 --- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple +++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple 
@@ -161,6 +161,7 @@ os/fd/sendfile: low os/kernel/netlink: low persist/cron/tab: medium persist/pid_file: medium +persist/shell/bash: high privesc/linpeas: high privesc/setuid: low privesc/sudo: medium diff --git a/tests/linux/2024.medusa/rkload.simple b/tests/linux/2024.medusa/rkload.simple index 10ad4768..646f34c6 100644 --- a/tests/linux/2024.medusa/rkload.simple +++ b/tests/linux/2024.medusa/rkload.simple @@ -2,6 +2,7 @@ 3P/elastic/orbit: critical anti-behavior/LD_DEBUG: medium anti-behavior/LD_PROFILE: medium +anti-static/elf/multiple: high anti-static/xor/paths: high c2/addr/url: low c2/tool_transfer/arch: low diff --git a/tests/linux/2024.melofee/2023.758b0934b7.elf.simple b/tests/linux/2024.melofee/2023.758b0934b7.elf.simple index e39c8229..f86f4e18 100644 --- a/tests/linux/2024.melofee/2023.758b0934b7.elf.simple +++ b/tests/linux/2024.melofee/2023.758b0934b7.elf.simple @@ -11,7 +11,9 @@ fs/link_read: low fs/path/etc: low malware/family/melofee: critical persist/daemon: medium -persist/kernel_module/insert: medium +persist/kernel_module/install: medium +persist/kernel_module/name: high +persist/kernel_module/unload: medium process/create: low process/terminate/kill_multiple: medium sus/compiler: high diff --git a/tests/linux/2024.melofee/2023.8d855c2874.elf.simple b/tests/linux/2024.melofee/2023.8d855c2874.elf.simple index 995a8480..153c6cdb 100644 --- a/tests/linux/2024.melofee/2023.8d855c2874.elf.simple +++ b/tests/linux/2024.melofee/2023.8d855c2874.elf.simple @@ -65,6 +65,8 @@ net/socket/receive: low net/socket/send: low net/tcp/ssh: medium persist/daemon: medium -persist/kernel_module/insert: high +persist/kernel_module/install: high +persist/kernel_module/name: high +persist/kernel_module/unload: medium process/multithreaded: low sus/compiler: medium diff --git a/tests/linux/2024.melofee/driver_decrypted.simple b/tests/linux/2024.melofee/driver_decrypted.simple index 30f39ecc..ece2a0cf 100644 --- a/tests/linux/2024.melofee/driver_decrypted.simple 
+++ b/tests/linux/2024.melofee/driver_decrypted.simple @@ -4,7 +4,6 @@ anti-static/binary/opaque: medium evasion/indicator_blocking/process: high evasion/mimicry/fake_process: high impact/rootkit: critical -persist/kernel_module/insert: medium persist/kernel_module/kprobe: medium persist/kernel_module/module: medium persist/kernel_module/symbol_lookup: high diff --git a/tests/linux/2024.melofee/pskt.simple b/tests/linux/2024.melofee/pskt.simple index 0dea6b11..44fad00b 100644 --- a/tests/linux/2024.melofee/pskt.simple +++ b/tests/linux/2024.melofee/pskt.simple @@ -3,6 +3,7 @@ anti-behavior/LD_DEBUG: medium anti-behavior/LD_PROFILE: medium anti-static/elf/entropy: high +anti-static/elf/multiple: high c2/addr/ip: medium c2/addr/url: low c2/tool_transfer/arch: low diff --git a/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple b/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple index e3e1193b..7f175cc3 100644 --- a/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple +++ b/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple @@ -2,6 +2,7 @@ anti-static/elf/content: high anti-static/elf/entropy: high anti-static/elf/header: high +anti-static/elf/multiple: high anti-static/packer/upx: high c2/addr/ip: high c2/addr/url: low diff --git a/tests/linux/2024.vncjew/__min__c.simple b/tests/linux/2024.vncjew/__min__c.simple index 76e50741..cb280b34 100644 --- a/tests/linux/2024.vncjew/__min__c.simple +++ b/tests/linux/2024.vncjew/__min__c.simple @@ -1,6 +1,7 @@ # linux/2024.vncjew/__min__c: critical anti-static/elf/entropy: high anti-static/elf/header: high +anti-static/elf/multiple: high anti-static/packer/upx: high c2/addr/ip: high c2/addr/url: low diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple index df656a86..7e0bbcea 100644 
--- a/tests/linux/clean/caddy.simple +++ b/tests/linux/clean/caddy.simple @@ -154,7 +154,7 @@ net/webrtc: medium os/env/get: low os/fd/sendfile: low os/kernel/netlink: low -persist/kernel_module/module: medium +persist/kernel_module/unload: medium persist/pid_file: medium privesc/sudo: medium process/chroot: low diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple index c509dba2..22b81a60 100644 --- a/tests/linux/clean/chezmoi.simple +++ b/tests/linux/clean/chezmoi.simple @@ -160,7 +160,7 @@ net/webrtc: medium os/env/get: low os/fd/sendfile: low os/kernel/netlink: low -persist/kernel_module/module: medium +persist/kernel_module/unload: medium persist/pid_file: medium privesc/sudo: medium process/chdir: low diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple index 8862c584..d0690c28 100644 --- a/tests/linux/clean/chrome.simple +++ b/tests/linux/clean/chrome.simple @@ -1,6 +1,7 @@ -# linux/clean/chrome: medium +# linux/clean/chrome: high anti-behavior/LD_DEBUG: medium anti-behavior/LD_PROFILE: medium +anti-static/elf/multiple: high anti-static/obfuscation/obfuscate: low c2/addr/http_dynamic: medium c2/addr/ip: medium @@ -159,6 +160,7 @@ net/socket/receive: low net/socket/reuseport: medium net/socket/send: low net/tcp/ssh: medium +net/udp/kcp: medium net/udp/upnp: medium net/url/embedded: medium net/url/encode: medium diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple index 7a4669a8..337d86aa 100644 --- a/tests/linux/clean/clickhouse.simple +++ b/tests/linux/clean/clickhouse.simple @@ -1,4 +1,5 @@ # linux/clean/clickhouse: high +anti-static/elf/multiple: high anti-static/obfuscation/obfuscate: low c2/addr/http_dynamic: medium c2/addr/ip: medium diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md index b521f270..0eb84de6 100644 --- a/tests/linux/clean/code-oss.md +++ b/tests/linux/clean/code-oss.md 
@@ -1,7 +1,8 @@ -## linux/clean/code-oss [🟡 MEDIUM] +## linux/clean/code-oss [🛑 HIGH] | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| +| HIGH | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries concatenated into a single file | $elf_head | | MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | | MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) | | MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md index 0297d311..65bd4667 100644 --- a/tests/linux/clean/cpack.md +++ b/tests/linux/clean/cpack.md @@ -1,7 +1,8 @@ -## linux/clean/cpack [🟡 MEDIUM] +## linux/clean/cpack [🛑 HIGH] | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| +| HIGH | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries concatenated into a single file | $elf_head | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[use_port](https://github.com/search?q=use_port&type=code) | | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientID](https://github.com/search?q=clientID&type=code) | | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Darwin](https://github.com/search?q=Darwin&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | diff --git a/tests/linux/clean/ld-2.27.so.simple b/tests/linux/clean/ld-2.27.so.simple index 7f640c2a..a8017f32 100644 --- a/tests/linux/clean/ld-2.27.so.simple +++ b/tests/linux/clean/ld-2.27.so.simple @@ -1,6 +1,7 @@ -# linux/clean/ld-2.27.so: medium +# linux/clean/ld-2.27.so: high anti-behavior/LD_DEBUG: medium anti-behavior/LD_PROFILE: medium +anti-static/elf/multiple: high c2/addr/url: low c2/tool_transfer/arch: low c2/tool_transfer/os: low diff --git a/tests/linux/clean/libasan.so.8.0.0.simple b/tests/linux/clean/libasan.so.8.0.0.simple index aaebd75d..b644d9bf 100644 --- a/tests/linux/clean/libasan.so.8.0.0.simple +++ b/tests/linux/clean/libasan.so.8.0.0.simple @@ -81,7 +81,7 @@ os/fd/sendfile: low os/kernel/key_management: low os/kernel/perfmon: low os/time/clock_set: low -persist/kernel_module/module: medium +persist/kernel_module/unload: medium privesc/setuid: low process/chroot: low process/create: low diff --git a/tests/linux/clean/libc.so.6.simple b/tests/linux/clean/libc.so.6.simple index 648a19e1..6db713f2 100644 --- a/tests/linux/clean/libc.so.6.simple +++ b/tests/linux/clean/libc.so.6.simple @@ -103,7 +103,7 @@ os/fd/sendfile: low os/kernel/netlink: low os/time/clock_set: low persist/daemon: medium -persist/kernel_module/module: medium +persist/kernel_module/unload: medium privesc/setuid: low process/chroot: low process/create: low diff --git a/tests/linux/clean/libgcj.so.17.0.0.simple b/tests/linux/clean/libgcj.so.17.0.0.simple index 65b554ce..3ec73597 100644 --- a/tests/linux/clean/libgcj.so.17.0.0.simple +++ b/tests/linux/clean/libgcj.so.17.0.0.simple @@ -1,4 +1,4 @@ -# linux/clean/libgcj.so.17.0.0: medium +# linux/clean/libgcj.so.17.0.0: high 3P/JPCERT/cobaltstrike_v3v4: medium anti-behavior/random_behavior: low c2/addr/ip: medium 
@@ -97,6 +97,7 @@ net/url/embedded: low net/url/encode: medium net/url/parse: low net/url/request: medium +persist/kernel_module/name: high process/multithreaded: low sus/exclamation: medium sus/intercept: medium diff --git a/tests/linux/clean/libgcj.so.17.simple b/tests/linux/clean/libgcj.so.17.simple index 4a19eb23..d63587d6 100644 --- a/tests/linux/clean/libgcj.so.17.simple +++ b/tests/linux/clean/libgcj.so.17.simple @@ -1,4 +1,4 @@ -# linux/clean/libgcj.so.17: medium +# linux/clean/libgcj.so.17: high 3P/JPCERT/cobaltstrike_v3v4: medium anti-behavior/random_behavior: low c2/addr/ip: medium @@ -97,6 +97,7 @@ net/url/embedded: low net/url/encode: medium net/url/parse: low net/url/request: medium +persist/kernel_module/name: high process/multithreaded: low sus/exclamation: medium sus/intercept: medium diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple index 3b1a9def..5c57fae0 100644 --- a/tests/linux/clean/melange.simple +++ b/tests/linux/clean/melange.simple @@ -1,4 +1,5 @@ -# linux/clean/melange: medium +# linux/clean/melange: high +anti-static/elf/multiple: high c2/addr/http_dynamic: medium c2/addr/ip: medium c2/addr/url: low diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md index 0217724a..11d0e8ec 100644 --- a/tests/linux/clean/pandoc.md +++ b/tests/linux/clean/pandoc.md @@ -2,7 +2,9 @@ | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| +| HIGH | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries concatenated into a single file | $elf_head | | HIGH | [impact/exploit/overflow_shellcode](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/exploit/overflow-shellcode.yara#exploit) | Buffer overflow exploit | [address](https://github.com/search?q=address&type=code)
[offset](https://github.com/search?q=offset&type=code)
[padding](https://github.com/search?q=padding&type=code)
[shellcode](https://github.com/search?q=shellcode&type=code) | +| HIGH | [persist/shell/bash](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/shell/bash.yara#bash_persist_persistent) | acccesses multiple bash startup files | [.bash_login](https://github.com/search?q=.bash_login&type=code)
[.bash_profile](https://github.com/search?q=.bash_profile&type=code)
[.bashrc](https://github.com/search?q=.bashrc&type=code)
[.profile](https://github.com/search?q=.profile&type=code) | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bindPort](https://github.com/search?q=bindPort&type=code)
[blIp](https://github.com/search?q=blIp&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[client_port](https://github.com/search?q=client_port&type=code)
[config_port](https://github.com/search?q=config_port&type=code)
[curlopt_port](https://github.com/search?q=curlopt_port&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[domain_port](https://github.com/search?q=domain_port&type=code)
[eIp](https://github.com/search?q=eIp&type=code)
[ereghet_ip](https://github.com/search?q=ereghet_ip&type=code)
[framed_ip](https://github.com/search?q=framed_ip&type=code)
[ftp_port](https://github.com/search?q=ftp_port&type=code)
[gamhet_ip](https://github.com/search?q=gamhet_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[gomphet_ip](https://github.com/search?q=gomphet_ip&type=code)
[host_ip](https://github.com/search?q=host_ip&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[internal_ip](https://github.com/search?q=internal_ip&type=code)
[ipproto_ip](https://github.com/search?q=ipproto_ip&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lat_port](https://github.com/search?q=lat_port&type=code)
[lloghet_ip](https://github.com/search?q=lloghet_ip&type=code)
[lnormhet_ip](https://github.com/search?q=lnormhet_ip&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[local_port](https://github.com/search?q=local_port&type=code)
[login_ip](https://github.com/search?q=login_ip&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[nas_ip](https://github.com/search?q=nas_ip&type=code)
[nas_port](https://github.com/search?q=nas_port&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pg_port](https://github.com/search?q=pg_port&type=code)
[primary_ip](https://github.com/search?q=primary_ip&type=code)
[primary_port](https://github.com/search?q=primary_port&type=code)
[proxyPort](https://github.com/search?q=proxyPort&type=code)
[radius_port](https://github.com/search?q=radius_port&type=code)
[sam_port](https://github.com/search?q=sam_port&type=code)
[serverPort](https://github.com/search?q=serverPort&type=code)
[server_port](https://github.com/search?q=server_port&type=code)
[setPort](https://github.com/search?q=setPort&type=code)
[socketPort](https://github.com/search?q=socketPort&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[uriPort](https://github.com/search?q=uriPort&type=code)
[url_port](https://github.com/search?q=url_port&type=code)
[validate_ip](https://github.com/search?q=validate_ip&type=code)
[weibhet_ip](https://github.com/search?q=weibhet_ip&type=code)
[xIp](https://github.com/search?q=xIp&type=code) | | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) | | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code) | 
@@ -79,7 +81,7 @@ | MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | | MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | | MEDIUM | [persist/cron/tab](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/cron/tab.yara#crontab_support) | lists crontab entries, may also persist | [crontab](https://github.com/search?q=crontab&type=code) | -| MEDIUM | [persist/kernel_module/module](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/module.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) | +| MEDIUM | [persist/kernel_module/unload](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/unload.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) | | MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [PidFile](https://github.com/search?q=PidFile&type=code) | | MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) | | MEDIUM | [sec-tool/net/nmap](https://github.com/chainguard-dev/malcontent/blob/main/rules/sec-tool/net/nmap.yara#nmap) | nmap (network map) port scanner | [nmap](https://github.com/search?q=nmap&type=code) | diff --git a/tests/linux/clean/pulumi.simple b/tests/linux/clean/pulumi.simple index e023ebf3..8b17cd93 100644 --- a/tests/linux/clean/pulumi.simple +++ b/tests/linux/clean/pulumi.simple 
@@ -149,10 +149,11 @@ net/webrtc: medium
 os/env/get: low
 os/fd/sendfile: low
 os/kernel/netlink: low
-persist/kernel_module/module: medium
+persist/kernel_module/unload: medium
 persist/pid_file: medium
 privesc/sudo: medium
 process/chroot: low
 sus/exclamation: medium
 sus/intercept: medium
+sus/lang: medium
 sus/leetspeak: medium
diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md
index 7beaec96..9a8bf6f8 100644
--- a/tests/linux/clean/qemu-system-xtensa.md
+++ b/tests/linux/clean/qemu-system-xtensa.md
@@ -2,6 +2,7 @@
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |--|--|--|--|
+| HIGH | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries concatenated into a single file | $elf_head |
 | HIGH | [crypto/xor](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/xor.yara#xor_decode_encode) | decodes/encodes XOR content | [Opcode_xor_encode_fns](https://github.com/search?q=Opcode_xor_encode_fns&type=code) |
 | HIGH | [fs/proc/pid_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-cmdline.yara#proc_d_cmdline) | access command-line of other processes | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) |
 | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[add_port](https://github.com/search?q=add_port&type=code)
[ahci_port](https://github.com/search?q=ahci_port&type=code)
[and_port](https://github.com/search?q=and_port&type=code)
[be_port](https://github.com/search?q=be_port&type=code)
[claim_port](https://github.com/search?q=claim_port&type=code)
[clear_port](https://github.com/search?q=clear_port&type=code)
[compare_ip](https://github.com/search?q=compare_ip&type=code)
[ehci_port](https://github.com/search?q=ehci_port&type=code)
[extract_ip](https://github.com/search?q=extract_ip&type=code)
[find_port](https://github.com/search?q=find_port&type=code)
[fix_port](https://github.com/search?q=fix_port&type=code)
[get_ip](https://github.com/search?q=get_ip&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[handle_port](https://github.com/search?q=handle_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[hub_port](https://github.com/search?q=hub_port&type=code)
[megasas_port](https://github.com/search?q=megasas_port&type=code)
[mem_port](https://github.com/search?q=mem_port&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[metadata_ip](https://github.com/search?q=metadata_ip&type=code)
[mmio_port](https://github.com/search?q=mmio_port&type=code)
[mptsas_port](https://github.com/search?q=mptsas_port&type=code)
[ohci_port](https://github.com/search?q=ohci_port&type=code)
[pcie_port](https://github.com/search?q=pcie_port&type=code)
[register_port](https://github.com/search?q=register_port&type=code)
[release_port](https://github.com/search?q=release_port&type=code)
[remove_port](https://github.com/search?q=remove_port&type=code)
[reset_port](https://github.com/search?q=reset_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[spdm_port](https://github.com/search?q=spdm_port&type=code)
[state_port](https://github.com/search?q=state_port&type=code)
[throttle_port](https://github.com/search?q=throttle_port&type=code)
[uhci_port](https://github.com/search?q=uhci_port&type=code)
[update_ip](https://github.com/search?q=update_ip&type=code)
[upstream_port](https://github.com/search?q=upstream_port&type=code)
[usb_port](https://github.com/search?q=usb_port&type=code)
[virtser_port](https://github.com/search?q=virtser_port&type=code)
[write_port](https://github.com/search?q=write_port&type=code)
[xhci_port](https://github.com/search?q=xhci_port&type=code) |
diff --git a/tests/linux/clean/runtime-security-fentry.o.simple b/tests/linux/clean/runtime-security-fentry.o.simple
index 5d8f5347..bd994f3d 100644
--- a/tests/linux/clean/runtime-security-fentry.o.simple
+++ b/tests/linux/clean/runtime-security-fentry.o.simple
@@ -27,7 +27,7 @@ net/socket/listen: medium
 net/socket/send: low
 net/url/embedded: low
 os/kernel/seccomp: low
-persist/kernel_module/module: medium
+persist/kernel_module/unload: medium
 privesc/setuid: low
 process/create: low
 process/groupid_set: low
diff --git a/tests/linux/clean/runtime-security-syscall-wrapper.o.simple b/tests/linux/clean/runtime-security-syscall-wrapper.o.simple
index 1cb68d4d..3319895d 100644
--- a/tests/linux/clean/runtime-security-syscall-wrapper.o.simple
+++ b/tests/linux/clean/runtime-security-syscall-wrapper.o.simple
@@ -28,7 +28,7 @@ net/socket/listen: medium
 net/socket/send: low
 net/url/embedded: low
 os/kernel/seccomp: low
-persist/kernel_module/module: medium
+persist/kernel_module/unload: medium
 privesc/setuid: low
 process/create: low
 process/groupid_set: low
diff --git a/tests/linux/clean/runtime-security.o.simple b/tests/linux/clean/runtime-security.o.simple
index 6c02c40e..6fd06e98 100644
--- a/tests/linux/clean/runtime-security.o.simple
+++ b/tests/linux/clean/runtime-security.o.simple
@@ -26,7 +26,7 @@ net/socket/listen: medium
 net/socket/send: low
 net/url/embedded: low
 os/kernel/seccomp: low
-persist/kernel_module/module: medium
+persist/kernel_module/unload: medium
 privesc/setuid: low
 process/create: low
 process/groupid_set: low
diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md
index 9e18ab9e..03b0eeff 100644
--- a/tests/linux/clean/slack.md
+++ b/tests/linux/clean/slack.md
@@ -1,7 +1,8 @@
-## linux/clean/slack [🟡 MEDIUM]
+## linux/clean/slack [🛑 HIGH]
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |--|--|--|--|
+| HIGH | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries concatenated into a single file | $elf_head |
 | MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) |
 | MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) |
 | MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) |
diff --git a/tests/linux/clean/slirp4netns.simple b/tests/linux/clean/slirp4netns.simple
index 77be8a9d..cdd925c6 100644
--- a/tests/linux/clean/slirp4netns.simple
+++ b/tests/linux/clean/slirp4netns.simple
@@ -1,6 +1,7 @@
-# linux/clean/slirp4netns: medium
+# linux/clean/slirp4netns: high
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
+anti-static/elf/multiple: high
 c2/addr/ip: medium
 c2/addr/url: low
 c2/tool_transfer/arch: low
@@ -100,7 +101,7 @@ os/kernel/netlink: low
 os/kernel/perfmon: low
 os/kernel/seccomp: low
 os/time/clock_set: low
-persist/kernel_module/module: medium
+persist/kernel_module/unload: medium
 persist/writeable_dir: medium
 privesc/setuid: low
 process/chroot: low
diff --git a/tests/linux/clean/tree-sitter.md b/tests/linux/clean/tree-sitter.md
index 9a2f2fef..3248000e 100644
--- a/tests/linux/clean/tree-sitter.md
+++ b/tests/linux/clean/tree-sitter.md
@@ -2,6 +2,7 @@
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |--|--|--|--|
+| HIGH | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries concatenated into a single file | $elf_head |
 | HIGH | [exec/shell/tmp_semicolon](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/tmp_semicolon.yara#semicolon_short_tmp) | unusual one-liners involving /tmp | [--;/tmp/rust-20241004-6494-uljaw4/rustc-1](https://github.com/search?q=--%3B%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1&type=code) |
 | MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [Dropper](https://github.com/search?q=Dropper&type=code) |
 | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Darwin](https://github.com/search?q=Darwin&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) |
diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple
index 96b8733e..1b30cd55 100644
--- a/tests/linux/clean/trivy.simple
+++ b/tests/linux/clean/trivy.simple
@@ -1,4 +1,5 @@
-# linux/clean/trivy: medium
+# linux/clean/trivy: high
+anti-static/elf/multiple: high
 c2/addr/discord: medium
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md
index 7886ae1e..50d68ff0 100644
--- a/tests/linux/clean/trufflehog.md
+++ b/tests/linux/clean/trufflehog.md
@@ -2,6 +2,7 @@
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |--|--|--|--|
+| HIGH | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries concatenated into a single file | $elf_head |
 | HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_url_with_question) | binary contains hardcoded URL with question mark | [https://api.mesibo.com/api.php?op=useradd&token=https](https://api.mesibo.com/api.php?op=useradd&token=https)
[https://api.route4me.com/api.v4/address_book.php?api_key=https](https://api.route4me.com/api.v4/address_book.php?api_key=https)
[https://api.websitepulse.com/textserver.php?method=GetContacts&username=](https://api.websitepulse.com/textserver.php?method=GetContacts&username=)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https) |
 | HIGH | [c2/tool_transfer/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/download.yara#download_sites) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [pastebin.Scanner](https://github.com/search?q=pastebin.Scanner&type=code)
[pastebin.com/api/api_post](https://github.com/search?q=pastebin.com%2Fapi%2Fapi_post&type=code)
[pastebin.go](https://github.com/search?q=pastebin.go&type=code)
[pastebin.init](https://github.com/search?q=pastebin.init&type=code) |
 | HIGH | [c2/tool_transfer/grayware](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/grayware.yara#grayware_sites) | References websites that host code that can be used maliciously | [shodan.io](https://github.com/search?q=shodan.io&type=code) |
@@ -86,7 +87,7 @@
 | MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[25https://api.websitepulse.com/textserver.php?method=GetContacts](https://github.com/search?q=25https%3A%2F%2Fapi.websitepulse.com%2Ftextserver.php%3Fmethod%3DGetContacts&type=code)
[bhttps://api.route4me.com/api.v4/address_book.php?api_key=https](https://github.com/search?q=bhttps%3A%2F%2Fapi.route4me.com%2Fapi.v4%2Faddress_book.php%3Fapi_key%3Dhttps&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[https://pastebin.com/api/api_post.php](https://pastebin.com/api/api_post.php)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code)
[shttps://api.mesibo.com/api.php?op=useradd](https://github.com/search?q=shttps%3A%2F%2Fapi.mesibo.com%2Fapi.php%3Fop%3Duseradd&type=code) |
 | MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) |
 | MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code) |
-| MEDIUM | [persist/kernel_module/module](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/module.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) |
+| MEDIUM | [persist/kernel_module/unload](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/unload.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) |
 | MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [pid_file](https://github.com/search?q=pid_file&type=code) |
 | MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) |
 | MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercepted](https://github.com/search?q=intercepted&type=code)
[interceptor](https://github.com/search?q=interceptor&type=code) |
diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple
index 98f5424a..4e7539a4 100644
--- a/tests/linux/clean/wolfictl.simple
+++ b/tests/linux/clean/wolfictl.simple
@@ -1,4 +1,5 @@
-# linux/clean/wolfictl: medium
+# linux/clean/wolfictl: high
+anti-static/elf/multiple: high
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
 c2/addr/url: low
diff --git a/tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple b/tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple
index 8bdb9c95..c7b3908d 100644
--- a/tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple
+++ b/tests/ruby/2024.Ruby_rootkit/Ruby.rb.simple
@@ -6,4 +6,4 @@ exec/shell/exec: medium
 impact/remote_access/reverse_shell: high
 net/tcp/connect: medium
 os/signal/send: high
-persist/kernel_module/insert: medium
+persist/kernel_module/unload: medium
From 8c5d0606593a2128b6783ff1663c23c42204fc6c Mon Sep 17 00:00:00 2001
From: Thomas Stromberg Date: Thu, 12 Dec 2024 22:09:00 -0500 Subject: [PATCH 06/10] Finish dbus analysis --- pkg/action/testdata/scan_archive | 2487 ----------------- pkg/action/testdata/scan_oci | 74 - tests/linux/2019.ChinaZ/yk.simple | 2 +- tests/linux/2021.FontOnLake/45E9.elf.simple | 2 +- tests/linux/2024.Gelsemium/dbus.simple | 2 +- tests/linux/2024.Gelsemium/udevd.simple | 2 +- tests/linux/2024.Gelsemium/udevd_multi.simple | 2 +- tests/linux/2024.gas/gas.simple | 4 +- tests/linux/2024.kubo_injector/injector.json | 6 +- .../emp3r0r.agent.simple | 174 -- tests/linux/2024.medusa/rkload.simple | 2 +- tests/linux/2024.melofee/pskt.simple | 2 +- ...5d0e2031551f9f1a70b6db475ba71b2.elf.simple | 2 +- tests/linux/2024.vncjew/__min__c.simple | 2 +- tests/linux/clean/buildah.simple | 159 -- tests/linux/clean/caddy.simple | 163 -- tests/linux/clean/chezmoi.simple | 171 -- tests/linux/clean/chrome.simple | 184 -- tests/linux/clean/clickhouse.simple | 205 -- tests/linux/clean/code-oss.md | 192 -- tests/linux/clean/containerd.simple | 134 - tests/linux/clean/cpack.md | 4 +- .../securitySolution.chunk.22.js.simple | 48 - .../kibana/securitySolution.chunk.9.js.simple | 71 - tests/linux/clean/kuma-cp.simple | 142 - tests/linux/clean/ld-2.27.so.simple | 4 +- tests/linux/clean/libgcj.so.17.0.0.simple | 104 - tests/linux/clean/libgcj.so.17.simple | 104 - tests/linux/clean/melange.simple | 160 -- tests/linux/clean/mongosh.simple | 194 -- tests/linux/clean/opa.simple | 106 - tests/linux/clean/pandoc.md | 177 -- tests/linux/clean/pulumi.simple | 159 -- tests/linux/clean/qemu-system-xtensa.md | 113 - tests/linux/clean/slack.md | 193 -- tests/linux/clean/slirp4netns.simple | 4 +- tests/linux/clean/tree-sitter.md | 52 - tests/linux/clean/trivy.simple | 201 -- tests/linux/clean/trufflehog.md | 194 -- tests/linux/clean/wolfictl.simple | 192 -- 40 files changed, 20 insertions(+), 6173 deletions(-) 
diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
index 45e3bfcf..e69de29b 100644
--- a/pkg/action/testdata/scan_archive
+++ b/pkg/action/testdata/scan_archive
@@ -1,2487 +0,0 @@ -{ - "Files": { - "/apko_0.13.2_linux_arm64/apko": { - "Path": "testdata/apko_nested.tar.gz ∴ /apko_0.13.2_linux_arm64/apko", - "SHA256": "ad237dc65d25cfe673b4891e189e9ff1fd041ec817133ac6c565120a6a189189", - "Size": 26400952, - "Syscalls": [ - "accept", - "adjtimex", - "chmod", - "chown", - "chroot", - "clone", - "close", - "execve", - "fchmodat", - "fchown", - "flock", - "fsync", - "getegid", - "geteuid", - "getpeername", - "getpid", - "getrlimit", - "getsockname", - "getsockopt", - "getuid", - "getwd", - "ioctl", - "kill", - "linkat", - "lstat", - "madvise", - "mknod", - "mount", - "nice", - "open", - "pivot_root", - "posix_spawn", - "pread64", - "pwrite64", - "readlink", - "recv", - "rename", - "send", - "sendfile", - "sendmsg", - "sendto", - "setgroups", - "setrlimit", - "setsid", - "setsockopt", - "stat", - "swapoff", - "swapon", - "symlink", - "symlinkat", - "sysctl", - "truncate", - "umount", - "unlink", - "unshare" - ], - "Pledge": [ - "cpath", - "exec", - "fattr", - "flock", - "id", - "inet", - "proc", - "rpath", - "settime", - "stdio", - "sysctl", - "wpath" - ], - "Behaviors": [ - { - "Description": "Contains a table that may be used for XOR decryption", - "MatchStrings": [ - "56789abcdefghijklmnopqrstuvwxyzABCDE::$ref" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/xor/xor-table.yara#xor_table", - "ID": "anti-static/xor/table", - "RuleName": "xor_table" - }, - { - "Description": "mentions an IP and port", - "MatchStrings": [ - "IP", - "dIp", - "getPort", - "hIp", - "hasPort", - "iIp", - "kIp", - "lIp", - "lookupPort", - "mIp", - "oIp", - "pIp", - "parsePort", - "qfIp", - "rxPort", - "sfIp", - "yIp", - "zIp" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention", - "ID": "c2/addr/ip", - "RuleName": "ip_port_mention" - }, - { - "Description": "references 
a 'server address', possible C2 client", - "MatchStrings": [ - "serverAddress" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address", - "ID": "c2/addr/server", - "RuleName": "server_address" - }, - { - "Description": "binary contains hardcoded URL", - "MatchStrings": [ - "http://localhost", - "http://www.w3.org/XML/1998/namespacexml", - "https://GoString01234567beEfFgGvsignal", - "https://alpinelinux.org/releases.jsondid", - "https://github.com/chainguard", - "https://github.com/google/go", - "https://github.com/spf13/cobra/issues/1279", - "https://github.com/spf13/cobra/issues/1508", - "https://index.docker.io/v1/Path", - "https://index.docker.io/v2/library/ubuntu/tags/list", - "https://pkg.go.dev/text/template", - "https://reproducible", - "https://spdx.org/spdxdocs/apko/directory" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url", - "ID": "c2/addr/url", - "RuleName": "binary_with_url" - }, - { - "Description": "contains a client ID", - "MatchStrings": [ - "client_id" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID", - "ID": "c2/client", - "RuleName": "clientID" - }, - { - "Description": "references a specific architecture", - "MatchStrings": [ - "AMD64", - "amd64", - "arm64", - "http://", - "https://", - "x86_64" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref", - "ID": "c2/tool_transfer/arch", - "RuleName": "arch_ref" - }, - { - "Description": "references multiple operating systems", - "MatchStrings": [ - "Linux", - "Windows", - "http://", - "https://", - "macOS" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref", - "ID": "c2/tool_transfer/os", - "RuleName": "multiple_os_ref" - }, - { - "Description": "Works with zip files", - "MatchStrings": [ - "archive/zip" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip", - "ID": "collect/archives/zip", - "RuleName": "zip" - }, - { - "Description": "accesses a keychain", - "MatchStrings": [ - "Keychain", - "keychain" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain", - "ID": "credential/keychain", - "RuleName": "keychain" - }, - { - "Description": "references a 'password'", - "MatchStrings": [ - "IncorrectPasswordError", - "Password from", - "PasswordHashIterations", - "UserPassword", - "and password requiredreading", - "bson bytes as Passwordopenpgp", - "passwordSet", - "passwordStdin", - "socksUsernamePassword", - "stripPassword", - "with a password", - "wpassword-stdinparsing" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password", - "ID": "credential/password", - "RuleName": "password" - }, - { - "Description": "References private keys", - "MatchStrings": [ - "privateKey", - "private_key" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val", - "ID": "credential/ssl/private_key", - "RuleName": "private_key_val" - }, - { - "Description": "Supports AES (Advanced Encryption Standard)", - "MatchStrings": [ - "AES", - "crypto/aes" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes", - "ID": "crypto/aes", 
- "RuleName": "crypto_aes" - }, - { - "Description": "mentions 'ciphertext'", - "MatchStrings": [ - "ciphertext" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext", - "ID": "crypto/cipher", - "RuleName": "ciphertext" - }, - { - "Description": "decrypts data", - "MatchStrings": [ - "DecryptPEMBlock", - "DecryptPKCS1v15SessionK", - "DecryptPrivateKeys", - "DecryptTicket", - "DecrypterOpts", - "DecrypterreadPythonMult", - "DecryptionKeys", - "ErrDecryption", - "NewCBCDecrypter", - "NewCFBDecrypter", - "NewOCFBDecrypter", - "PKCS1v15DecryptOptions", - "aeadDecrypter", - "cbcDecrypter", - "lid options for Decrypttags don", - "newDecrypter", - "ocfbDecrypter", - "pter type in NewDecrypterPrivateKeyargu", - "rsaDecryptOk" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt", - "ID": "crypto/decrypt", - "RuleName": "decrypt" - }, - { - "Description": "Uses the Go crypto/ecdsa library", - "MatchStrings": [ - "crypto/ecdsa" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa", - "ID": "crypto/ecdsa", - "RuleName": "crypto_ecdsa" - }, - { - "Description": "Elliptic curve algorithm used by TLS and SSH", - "MatchStrings": [ - "ed25519" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519", - "ID": "crypto/ed25519", - "RuleName": "ed25519" - }, - { - "Description": "elliptic", - "MatchStrings": [ - "crypto/elliptic", - "elliptic.p224", - "elliptic.p256", - "p256Inverse" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/elliptic.yara#elliptic", - "ID": "crypto/elliptic", - "RuleName": "elliptic" - }, - { - 
"Description": "references a 'public key'", - "MatchStrings": [ - "Public Key", - "PublicKey", - "public key", - "public-key", - "publicKey", - "public_key", - "publickey" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key", - "ID": "crypto/public_key", - "RuleName": "public_key" - }, - { - "Description": "tls", - "MatchStrings": [ - "TLS13", - "TLSVersion", - "crypto/tls" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls", - "ID": "crypto/tls", - "RuleName": "tls" - }, - { - "Description": "Works with bzip2 files", - "MatchStrings": [ - "bzip2" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2", - "ID": "data/compression/bzip2", - "RuleName": "bzip2" - }, - { - "Description": "works with gzip files", - "MatchStrings": [ - "gzip" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip", - "ReferenceURL": "https://www.gnu.org/software/gzip/", - "ID": "data/compression/gzip", - "RuleName": "gzip" - }, - { - "Description": "works with lzma files", - "MatchStrings": [ - "lzma" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma", - "ReferenceURL": "https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm", - "ID": "data/compression/lzma", - "RuleName": "lzma" - }, - { - "Description": "uses zlib", - "MatchStrings": [ - "zlib" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib", - "ID": "data/compression/zlib", - "RuleName": "zlib" - }, - { - "Description": 
"Zstandard: fast real-time compression algorithm", - "MatchStrings": [ - "(\ufffd/\ufffd", - "zstd" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd", - "ID": "data/compression/zstd", - "RuleName": "zstd" - }, - { - "Description": "Contains embedded PEM certificate", - "MatchStrings": [ - "-----BEGIN CERTIFICATE-----" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert", - "ID": "data/embedded/pem_certificate", - "RuleName": "begin_cert" - }, - { - "Description": "Contains TESTING KEY directive", - "MatchStrings": [ - "TESTING KEY-----" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-test_key.yara#testing_key", - "ID": "data/embedded/pem_test_key", - "RuleName": "testing_key" - }, - { - "Description": "Contains embedded SSH signature", - "MatchStrings": [ - "--BEGIN SSH SIGNATURE--" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-ssh-signature.yara#ssh_signature", - "ID": "data/embedded/ssh_signature", - "RuleName": "ssh_signature" - }, - { - "Description": "Contains compressed content in ZStandard format", - "MatchStrings": [ - "(\ufffd/\ufffd" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-zstd.yara#embedded_zstd", - "ReferenceURL": "https://github.com/facebook/zstd", - "ID": "data/embedded/zstd", - "RuleName": "embedded_zstd" - }, - { - "Description": "go asn1", - "MatchStrings": [ - "asn1.parse", - "encoding/asn1" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/asn1.yara#go_asn1", - "ID": "data/encoding/asn1", - "RuleName": "go_asn1" - }, - { - "Description": "Supports base64 encoded strings", - "MatchStrings": [ - "base64" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64", - "ID": "data/encoding/base64", - "RuleName": "b64" - }, - { - "Description": "Supports JSON encoded objects", - "MatchStrings": [ - "encoding/json" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json.yara#encoding_json", - "ID": "data/encoding/json", - "RuleName": "encoding_json" - }, - { - "Description": "Decodes JSON messages", - "MatchStrings": [ - "json.Unmarshal" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode", - "ID": "data/encoding/json_decode", - "RuleName": "jsondecode" - }, - { - "Description": "encodes JSON", - "MatchStrings": [ - "MarshalJSON" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#MarshalJSON", - "ID": "data/encoding/json_encode", - "RuleName": "MarshalJSON" - }, - { - "Description": "protobuf", - "MatchStrings": [ - "protobuf" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/protobuf.yara#protobuf", - "ID": "data/encoding/protobuf", - "RuleName": "protobuf" - }, - { - "Description": "Uses blake2b encryption algorithm", - "MatchStrings": [ - "blake2b" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/blake2b.yara#crypto_blake2b", - "ID": "data/hash/blake2b", - "RuleName": "crypto_blake2b" - }, 
- { - "Description": "Uses the MD5 signature format", - "MatchStrings": [ - "md5:" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5", - "ID": "data/hash/md5", - "RuleName": "MD5" - }, - { - "Description": "Uses the SHA512 signature format", - "MatchStrings": [ - "SHA512" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha512.yara#SHA512", - "ID": "data/hash/sha512", - "RuleName": "SHA512" - }, - { - "Description": "list network interfaces", - "MatchStrings": [ - "ifconfig" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs", - "ID": "discover/network/interface_list", - "RuleName": "bsd_ifaddrs" - }, - { - "Description": "Retrieves network MAC address", - "MatchStrings": [ - "MAC address" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr", - "ID": "discover/network/mac_address", - "RuleName": "macaddr" - }, - { - "Description": "Uses 'netstat' for network information", - "MatchStrings": [ - "netstat" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat", - "ID": "discover/network/netstat", - "RuleName": "netstat" - }, - { - "Description": "returns the effective group id of the current process", - "MatchStrings": [ - "Getegid" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/egid.yara#getegid", - "ID": "discover/process/egid", - "RuleName": "getegid" - }, - { - "Description": "returns the effective user id of the current process", - "MatchStrings": [ - "Geteuid" - ], - 
"RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/euid.yara#geteuid", - "ID": "discover/process/euid", - "RuleName": "geteuid" - }, - { - "Description": "gets the active process ID", - "MatchStrings": [ - "getpid" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/pid.yara#getpid", - "ID": "discover/process/pid", - "RuleName": "getpid" - }, - { - "Description": "retrieve resource limits", - "MatchStrings": [ - "Getrlimit", - "getrlimit" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/resource-limits.yara#getrlimit", - "ID": "discover/process/resource_limits", - "RuleName": "getrlimit" - }, - { - "Description": "returns the user id of the current process", - "MatchStrings": [ - "Getuid" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/uid.yara#getuid", - "ID": "discover/process/uid", - "RuleName": "getuid" - }, - { - "Description": "gets current working directory", - "MatchStrings": [ - "Getwd", - "getwd" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/working_directory.yara#getwd", - "ID": "discover/process/working_directory", - "RuleName": "getwd" - }, - { - "Description": "Finds program in process table", - "MatchStrings": [ - "pgrep" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/processes/pgrep.yara#pgrep", - "ID": "discover/processes/pgrep", - "RuleName": "pgrep" - }, - { - "Description": "gets number of processors", - "MatchStrings": [ - "nproc" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu.yara#processor_count", - "ReferenceURL": "https://man7.org/linux/man-pages/man3/get_nprocs.3.html", - "ID": "discover/system/cpu", - "RuleName": "processor_count" - }, - { - "Description": "accesses the kernel log ring buffer", - "MatchStrings": [ - "dmesg" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/dmesg.yara#dmesg", - "ID": "discover/system/dmesg", - "RuleName": "dmesg" - }, - { - "Description": "get computer host name", - "MatchStrings": [ - "/proc/sys/kernel/hostname" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/sethostname.2.html", - "ID": "discover/system/hostname", - "RuleName": "gethostname" - }, - { - "Description": "system identification", - "MatchStrings": [ - "syscall.Uname", - "uname" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname", - "ReferenceURL": "https://man7.org/linux/man-pages/man1/uname.1.html", - "ID": "discover/system/platform", - "RuleName": "uname" - }, - { - "Description": "Looks up the HOME directory for the current user", - "MatchStrings": [ - "HOME", - "getenv" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME", - "ReferenceURL": "https://man.openbsd.org/login.1#ENVIRONMENT", - "ID": "discover/user/HOME", - "RuleName": "HOME" - }, - { - "Description": "Looks up the USER name of the current user", - "MatchStrings": [ - "USER", - "environ", - "getenv" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER", - "ReferenceURL": "https://man.openbsd.org/login.1#ENVIRONMENT", - "ID": "discover/user/USER", - "RuleName": "USER" - }, - { - "Description": "get entry from passwd (user) database", - "MatchStrings": [ - "user/lookup" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/lookup.yara#getpwuid", - "ID": "discover/user/lookup", - "RuleName": "getpwuid" - }, - { - "Description": "returns the user name running this process", - "MatchStrings": [ - "whoami" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami", - "ReferenceURL": "https://man7.org/linux/man-pages/man1/whoami.1.html", - "ID": "discover/user/name_get", - "RuleName": "whoami" - }, - { - "Description": "hidden path generated dynamically", - "MatchStrings": [ - "%s/.ssh" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path", - "ReferenceURL": "https://objective-see.org/blog/blog_0x73.html", - "ID": "evasion/file/prefix", - "RuleName": "dynamic_hidden_path" - }, - { - "Description": "change the root mount location", - "MatchStrings": [ - "pivot_root" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hide_artifacts/pivot_root.yara#pivot_root", - "ID": "evasion/hide_artifacts/pivot_root", - "RuleName": "pivot_root" - }, - { - "Description": "references a 'plugin'", - "MatchStrings": [ - "ErrIntOverflowPlugin", - "ErrInvalidLengthPlugin", - "PluginConfigArgs", - "PluginConfigInterface", - "PluginConfigLinux", - "PluginConfigNetwork", - "PluginConfigRootfs", - "PluginConfigUser", - "PluginCreateOptions", - "PluginDescription", - 
"PluginDevice", - "PluginDisableOptions", - "PluginEnableOptions", - "PluginEnv", - "PluginInspectWithRaw", - "PluginInstallOptions", - "PluginInterfaceType", - "PluginList", - "PluginMount", - "PluginName", - "PluginPrivileges", - "PluginPush", - "PluginReference", - "PluginRemoveOptions", - "PluginSettings", - "PluginSpecwrong", - "PluginsFormat", - "PluginsInfo", - "PluginsListResponse", - "SetPluginConfig", - "_pingOSTypepluginsecret", - "both a container spec and a plugin spec in", - "denied while installing plugin", - "encodeVarintPlugin", - "fileDescriptorPlugin", - "plugin_create", - "plugin_disable", - "plugin_enable", - "plugin_inspect", - "plugin_install", - "plugin_list", - "plugin_push", - "plugin_remove", - "plugin_responses", - "plugin_set", - "plugin_upgrade", - "pluginpath", - "pluginsFormat", - "skipPlugin", - "sovPlugin", - "tryPluginPull", - "tryPluginUpgrade" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin", - "ID": "exec/plugin", - "RuleName": "plugin" - }, - { - "Description": "executes external programs", - "MatchStrings": [ - ").CombinedOutput", - "exec.(*Cmd).Run" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#exec_cmd_run", - "ID": "exec/program", - "RuleName": "exec_cmd_run" - }, - { - "Description": "calls sleep and runs shell code in the background", - "MatchStrings": [ - "#!", - "2\u003e\u00261 \u0026", - "nohup" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/background-sleep.yara#sleep_and_background", - "ID": "exec/shell/background_sleep", - "RuleName": "sleep_and_background" - }, - { - "Description": "executes shell", - "MatchStrings": [ - "/bin/bash", - "/bin/sh" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#calls_shell", - "ID": "exec/shell/exec", - "RuleName": "calls_shell" - }, - { - "Description": "works with block device attributes", - "MatchStrings": [ - "blkid" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/blkid.yara#blkid", - "ReferenceURL": "https://man7.org/linux/man-pages/man8/blkid.8.html", - "ID": "fs/blkid", - "RuleName": "blkid" - }, - { - "Description": "manipulate the device parameters of special files", - "MatchStrings": [ - "ioctl" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/device-control.yara#ioctl", - "ID": "fs/device_control", - "RuleName": "ioctl" - }, - { - "Description": "creates directories", - "MatchStrings": [ - "mkdir" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/mkdir.2.html", - "ID": "fs/directory/create", - "RuleName": "mkdir" - }, - { - "Description": "Uses Go functions to list a directory", - "MatchStrings": [ - ".ReadDir" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir", - "ID": "fs/directory/list", - "RuleName": "GoReadDir" - }, - { - "Description": "Uses libc functions to remove directories", - "MatchStrings": [ - "Rmdir", - "rmdir" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir", - "ID": "fs/directory/remove", - "RuleName": "rmdir" - }, - { - "Description": "make a FIFO special file (a named pipe)", - "MatchStrings": [ - "mkfifo" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/fifo-create.yara#mkfifo", - "ID": "fs/fifo_create", - "RuleName": "mkfifo" - }, - { - "Description": "check if the current user can access a file", - "MatchStrings": [ - "faccessat2" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-access-check.yara#_access", - "ID": "fs/file/access_check", - "RuleName": "_access" - }, - { - "Description": "deletes files", - "MatchStrings": [ - "unlinkat" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/unlink.2.html", - "ID": "fs/file/delete", - "RuleName": "unlink" - }, - { - "Description": "Forcibly deletes files", - "MatchStrings": [ - "rm non-TreeNodersopenpgp" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force", - "ID": "fs/file/delete_forcibly", - "RuleName": "rm_force" - }, - { - "Description": "opens files", - "MatchStrings": [ - "openFile" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#java_open", - "ID": "fs/file/open", - "RuleName": "java_open" - }, - { - "Description": "reads files", - "MatchStrings": [ - "ReadFile", - "os.(*File).Read" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read", - "ID": "fs/file/read", - "RuleName": "go_file_read" - }, - { - "Description": "renames files", - "MatchStrings": [ - "os.rename" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename", - "ID": "fs/file/rename", - 
"RuleName": "explicit_rename" - }, - { - "Description": "access filesystem metadata", - "MatchStrings": [ - "fs.statDirEntry" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat", - "ID": "fs/file/stat", - "RuleName": "npm_stat" - }, - { - "Description": "forcibly synchronizes file state to disk", - "MatchStrings": [ - "fsync", - "syscall.Fsync" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-sync.yara#fsync", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/fsync.2.html", - "ID": "fs/file/sync", - "RuleName": "fsync" - }, - { - "Description": "truncate a file to a specified length", - "MatchStrings": [ - "truncate" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#truncate", - "ID": "fs/file/truncate", - "RuleName": "truncate" - }, - { - "Description": "writes to file", - "MatchStrings": [ - "AllowOverwriteDirWithFile", - "WriteFile", - "writeFilePatchHeader", - "writeIndexToFile", - "writeOneFile", - "writeRawFile" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write", - "ID": "fs/file/write", - "RuleName": "file_write" - }, - { - "Description": "May create hard file links", - "MatchStrings": [ - "linkat" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat", - "ID": "fs/link_create", - "RuleName": "linkat" - }, - { - "Description": "read value of a symbolic link", - "MatchStrings": [ - "readlinkat" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink", - "ReferenceURL": 
"https://man7.org/linux/man-pages/man2/readlink.2.html", - "ID": "fs/link_read", - "RuleName": "readlink" - }, - { - "Description": "apply or remove an advisory lock on a file", - "MatchStrings": [ - "flock" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock", - "ID": "fs/lock_update", - "RuleName": "flock" - }, - { - "Description": "mounts file systems", - "MatchStrings": [ - "-o", - "mount" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount", - "ID": "fs/mount", - "RuleName": "mount" - }, - { - "Description": "create device files", - "MatchStrings": [ - "mknod" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/mknod.2.html", - "ID": "fs/node_create", - "RuleName": "mknod" - }, - { - "Description": "Calls /bin/su", - "MatchStrings": [ - "/bin/su" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/bin-su.yara#bin_su", - "ID": "fs/path/bin_su", - "RuleName": "bin_su" - }, - { - "Description": "References /dev/null", - "MatchStrings": [ - "/dev/null" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/dev-null.yara#dev_null", - "ID": "fs/path/dev_null", - "RuleName": "dev_null" - }, - { - "Description": "path reference within /etc", - "MatchStrings": [ - "/etc/apache/mime.typeshpack", - "/etc/apk/keys/etc/apk/archcached", - "/etc/apk/lib/apk", - "/etc/apk/repositories/lib/apk/db/inst", - "/etc/apk/world", - "/etc/bash", - "/etc/busybox-paths.d/usr/bin/setkeyco", - "/etc/default/motd-newsformat", - "/etc/group", - "/etc/hostsgetsockoptnetlinkrib", - "/etc/httpd/conf/mime.typesmime", - 
"/etc/mime.types", - "/etc/nsswitch.confinvalid", - "/etc/os-release", - "/etc/passwdparse", - "/etc/pki/ca-trust/extracted/pem/tls-c", - "/etc/pki/tls/cacert.peminvalid", - "/etc/pki/tls/certs/ca-bundle.crtx", - "/etc/pki/tls/certsunexpected", - "/etc/protocolsunknown", - "/etc/resolv.confnon-", - "/etc/security/cacertsx", - "/etc/services/etc/apk/keys/etc/apk/ar", - "/etc/ssh/ssh", - "/etc/ssl/ca-bundle.pemx", - "/etc/ssl/cert.peminvalid", - "/etc/ssl/certs/ca-certificates.crttim", - "/etc/ssl/certsbad", - "/etc/zoneinfoparsing" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path", - "ID": "fs/path/etc", - "RuleName": "etc_path" - }, - { - "Description": "references /etc/hosts", - "MatchStrings": [ - "/etc/hosts" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts", - "ID": "fs/path/etc_hosts", - "RuleName": "etc_hosts" - }, - { - "Description": "accesses DNS resolver configuration", - "MatchStrings": [ - "/etc/resolv.conf" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf", - "ID": "fs/path/etc_resolv.conf", - "RuleName": "etc_resolv_conf" - }, - { - "Description": "references path within /home", - "MatchStrings": [ - "/home/sha2561.32.11.33.01.33.11.33.21.34.01.34.11.35.01.36.0ID" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path", - "ID": "fs/path/home", - "RuleName": "home_path" - }, - { - "Description": "path reference within ~/.config", - "MatchStrings": [ - "~/.config/fish/completions/" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path", - 
"ID": "fs/path/home_config", - "RuleName": "home_config_path" - }, - { - "Description": "references and possibly executes relative path", - "MatchStrings": [ - "./line", - "./pipe" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val", - "ID": "fs/path/relative", - "RuleName": "relative_path_val" - }, - { - "Description": "path reference within /root", - "MatchStrings": [ - "/root/linuxrc/sbin/hwclock/sbin/ipneigh/sbin/iproute/sbin/logread/sbin" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/root.yara#root_path_val", - "ID": "fs/path/root", - "RuleName": "root_path_val" - }, - { - "Description": "path reference within /usr/bin", - "MatchStrings": [ - "/usr/bin/ar", - "/usr/bin/ascii", - "/usr/bin/awk", - "/usr/bin/basename", - "/usr/bin/bc", - "/usr/bin/beep", - "/usr/bin/blkdiscard", - "/usr/bin/bunzip2", - "/usr/bin/bzcat", - "/usr/bin/bzip2", - "/usr/bin/cal", - "/usr/bin/chcon", - "/usr/bin/chpst", - "/usr/bin/chrt", - "/usr/bin/chvt", - "/usr/bin/cksum", - "/usr/bin/clear", - "/usr/bin/cmp", - "/usr/bin/comm", - "/usr/bin/crc32", - "/usr/bin/crontab", - "/usr/bin/cryptpw", - "/usr/bin/cut", - "/usr/bin/dc", - "/usr/bin/deallocvt", - "/usr/bin/diff", - "/usr/bin/dirname", - "/usr/bin/dos2unix", - "/usr/bin/dpkg-deb", - "/usr/bin/dumpleases", - "/usr/bin/eject", - "/usr/bin/envdir", - "/usr/bin/envuidgid", - "/usr/bin/expand", - "/usr/bin/expr", - "/usr/bin/factor", - "/usr/bin/fallocate", - "/usr/bin/fgconsole", - "/usr/bin/find", - "/usr/bin/flock", - "/usr/bin/fold", - "/usr/bin/free", - "/usr/bin/ftpget", - "/usr/bin/ftpput", - "/usr/bin/fuser", - "/usr/bin/groups", - "/usr/bin/hd", - "/usr/bin/head", - "/usr/bin/hexdump", - "/usr/bin/hexedit", - "/usr/bin/hostid", - "/usr/bin/id", - "/usr/bin/install", - "/usr/bin/ipcrm", - "/usr/bin/ipcs", - "/usr/bin/killall", - 
"/usr/bin/last", - "/usr/bin/less", - "/usr/bin/logger", - "/usr/bin/logname", - "/usr/bin/lpq", - "/usr/bin/lpr", - "/usr/bin/lsof", - "/usr/bin/lspci", - "/usr/bin/lsscsi", - "/usr/bin/lsusb", - "/usr/bin/lzcat", - "/usr/bin/lzma", - "/usr/bin/lzopcat", - "/usr/bin/man", - "/usr/bin/md5sum", - "/usr/bin/mesg", - "/usr/bin/microcom", - "/usr/bin/mkfifo", - "/usr/bin/mkpasswd", - "/usr/bin/nc", - "/usr/bin/netcat", - "/usr/bin/nl", - "/usr/bin/nmeter", - "/usr/bin/nohup", - "/usr/bin/nproc", - "/usr/bin/nsenter", - "/usr/bin/nslookup", - "/usr/bin/od", - "/usr/bin/openvt", - "/usr/bin/passwd", - "/usr/bin/paste", - "/usr/bin/patch", - "/usr/bin/pgrep", - "/usr/bin/pkill", - "/usr/bin/pmap", - "/usr/bin/printf", - "/usr/bin/pscan", - "/usr/bin/pstree", - "/usr/bin/pwdx", - "/usr/bin/readlink", - "/usr/bin/realpath", - "/usr/bin/renice", - "/usr/bin/reset", - "/usr/bin/resize", - "/usr/bin/rpm2cpio", - "/usr/bin/runcon", - "/usr/bin/runsvdir", - "/usr/bin/rx", - "/usr/bin/script", - "/usr/bin/seq", - "/usr/bin/setfattr", - "/usr/bin/setkeycodes", - "/usr/bin/setsid", - "/usr/bin/setuidgid", - "/usr/bin/sha1sum", - "/usr/bin/sha256sum", - "/usr/bin/sha3sum", - "/usr/bin/sha512sum", - "/usr/bin/showkey", - "/usr/bin/shred", - "/usr/bin/shuf", - "/usr/bin/smemcap", - "/usr/bin/softlimit", - "/usr/bin/sort", - "/usr/bin/split", - "/usr/bin/ssl_client", - "/usr/bin/strings", - "/usr/bin/sum", - "/usr/bin/svc", - "/usr/bin/svok", - "/usr/bin/tac", - "/usr/bin/tail", - "/usr/bin/taskset", - "/usr/bin/tcpsvd", - "/usr/bin/tee", - "/usr/bin/telnet", - "/usr/bin/test", - "/usr/bin/tftp", - "/usr/bin/timeout", - "/usr/bin/top", - "/usr/bin/traceroute6", - "/usr/bin/tree", - "/usr/bin/truncate", - "/usr/bin/tsortVERSION_ID", - "/usr/bin/ttysize", - "/usr/bin/udhcpc6", - "/usr/bin/udpsvd", - "/usr/bin/unexpand", - "/usr/bin/uniq", - "/usr/bin/unit", - "/usr/bin/unix2dos", - "/usr/bin/unlink", - "/usr/bin/unlzma", - "/usr/bin/unlzop", - "/usr/bin/unshare", - "/usr/bin/unxz", - 
"/usr/bin/unzip", - "/usr/bin/uptime", - "/usr/bin/users", - "/usr/bin/uudecode", - "/usr/bin/uuencode", - "/usr/bin/vlock", - "/usr/bin/volname", - "/usr/bin/wall", - "/usr/bin/wc", - "/usr/bin/wget", - "/usr/bin/which", - "/usr/bin/whoami", - "/usr/bin/whois", - "/usr/bin/xargs", - "/usr/bin/xxd", - "/usr/bin/xzcat", - "/usr/bin/yes" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path", - "ID": "fs/path/usr_bin", - "RuleName": "usr_bin_path" - }, - { - "Description": "path reference within /usr/local/bin", - "MatchStrings": [ - "/usr/local/bin" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-local.yara#usr_local_bin_path", - "ID": "fs/path/usr_local", - "RuleName": "usr_local_bin_path" - }, - { - "Description": "path reference within /usr/sbin", - "MatchStrings": [ - "/usr/sbin/add-shell/usr/sbin/dhcprelay/usr/sbin/getsebool/usr/sbin/i2cdete", - "/usr/sbin/addgroup/usr/sbin/chpasswd/usr/sbin/delgroup/usr/sbin/fdformat/u", - "/usr/sbin/adduser/usr/sbin/deluser/usr/sbin/flashcp/usr/sbin/i2cdump/usr/s", - "/usr/sbin/arping/usr/sbin/chroot/usr/sbin/i2cget/usr/sbin/i2cset/usr/sbin/", - "/usr/sbin/brctl/usr/sbin/crond/usr/sbin/fbset/usr/sbin/httpd/usr/sbin/inet", - "/usr/sbin/chat/usr/sbin/dnsd/usr/sbin/ftpd/usr/sbin/ntpd/usr/sbin/rdev/usr", - "/usr/sbin/chpasswd/usr/sbin/delgroup/usr/sbin/fdformat/usr/sbin/fsfreeze/u", - "/usr/sbin/chroot/usr/sbin/i2cget/usr/sbin/i2cset/usr/sbin/rfkill/usr/sbin/", - "/usr/sbin/crond/usr/sbin/fbset/usr/sbin/httpd/usr/sbin/inetd/usr/sbin/rdat", - "/usr/sbin/delgroup/usr/sbin/fdformat/usr/sbin/fsfreeze/usr/sbin/killall5/u", - "/usr/sbin/deluser/usr/sbin/flashcp/usr/sbin/i2cdump/usr/sbin/ifplugd/usr/s", - "/usr/sbin/dhcprelay/usr/sbin/getsebool/usr/sbin/i2cdetect/usr/sbin/nandwri", - 
"/usr/sbin/dnsd/usr/sbin/ftpd/usr/sbin/ntpd/usr/sbin/rdev/usr/bin/ascii/usr", - "/usr/sbin/ether-wake/usr/sbin/fakeidentd/usr/sbin/flash_lock/usr/sbin/gete", - "/usr/sbin/fakeidentd/usr/sbin/flash_lock/usr/sbin/getenforce/usr/sbin/nbd-", - "/usr/sbin/fbset/usr/sbin/httpd/usr/sbin/inetd/usr/sbin/rdate/usr/sbin/tftp", - "/usr/sbin/fdformat/usr/sbin/fsfreeze/usr/sbin/killall5/usr/sbin/loadfont/u", - "/usr/sbin/flash_eraseall/usr/sbin/selinuxenabledskipping", - "/usr/sbin/flash_lock/usr/sbin/getenforce/usr/sbin/nbd-client/usr/sbin/popm", - "/usr/sbin/flash_unlock/usr/sbin/matchpathcon/usr/sbin/remove-shell/usr/sbi", - "/usr/sbin/flashcp/usr/sbin/i2cdump/usr/sbin/ifplugd/usr/sbin/nologin/usr/s", - "/usr/sbin/fsfreeze/usr/sbin/killall5/usr/sbin/loadfont/usr/sbin/nanddump/u", - "/usr/sbin/ftpd/usr/sbin/ntpd/usr/sbin/rdev/usr/bin/ascii/usr/bin/crc32/usr", - "/usr/sbin/getenforce/usr/sbin/nbd-client/usr/sbin/popmaildir/usr/sbin/sete", - "/usr/sbin/getsebool/usr/sbin/i2cdetect/usr/sbin/nandwrite/usr/sbin/partpro", - "/usr/sbin/httpd/usr/sbin/inetd/usr/sbin/rdate/usr/sbin/tftpd", - "/usr/sbin/i2cdetect/usr/sbin/nandwrite/usr/sbin/partprobe/usr/sbin/readahe", - "/usr/sbin/i2cdump/usr/sbin/ifplugd/usr/sbin/nologin/usr/sbin/rtcwake/usr/s", - "/usr/sbin/i2cget/usr/sbin/i2cset/usr/sbin/rfkill/usr/sbin/svlogd/usr/sbin/", - "/usr/sbin/i2cset/usr/sbin/rfkill/usr/sbin/svlogd/usr/sbin/udhcpd", - "/usr/sbin/i2ctransfer/usr/sbin/load_policy/usr/sbin/readprofile", - "/usr/sbin/ifplugd/usr/sbin/nologin/usr/sbin/rtcwake/usr/sbin/setfont/usr/s", - "/usr/sbin/killall5/usr/sbin/loadfont/usr/sbin/nanddump/usr/sbin/powertop/u", - "/usr/sbin/loadfont/usr/sbin/nanddump/usr/sbin/powertop/usr/sbin/sendmail/u", - "/usr/sbin/lpd/usr/sbin/mim/usr/bin/tree", - "/usr/sbin/matchpathcon/usr/sbin/remove-shell/usr/sbin/ubiupdatevolgenerati", - "/usr/sbin/nanddump/usr/sbin/powertop/usr/sbin/sendmail/usr/sbin/sestatus/u", - "/usr/sbin/nandwrite/usr/sbin/partprobe/usr/sbin/readahead/usr/sbin/setsebo", - 
"/usr/sbin/nbd-client/usr/sbin/popmaildir/usr/sbin/setenforce/usr/sbin/setl", - "/usr/sbin/nologin/usr/sbin/rtcwake/usr/sbin/setfont/usr/sbin/telnetd/usr/s", - "/usr/sbin/ntpd/usr/sbin/rdev/usr/bin/ascii/usr/bin/crc32/usr/bin/tsortVERS", - "/usr/sbin/partprobe/usr/sbin/readahead/usr/sbin/setsebool/usr/sbin/ubiatta", - "/usr/sbin/popmaildir/usr/sbin/setenforce/usr/sbin/setlogconsapko-generated", - "/usr/sbin/powertop/usr/sbin/sendmail/usr/sbin/sestatus/usr/sbin/ubimkvol/u", - "/usr/sbin/rdev/usr/bin/ascii/usr/bin/crc32/usr/bin/tsortVERSION_ID", - "/usr/sbin/readahead/usr/sbin/setsebool/usr/sbin/ubiattach/usr/sbin/ubideta", - "/usr/sbin/remove-shell/usr/sbin/ubiupdatevolgenerating", - "/usr/sbin/rtcwake/usr/sbin/setfont/usr/sbin/telnetd/usr/sbin/seedrngPRETTY", - "/usr/sbin/sendmail/usr/sbin/sestatus/usr/sbin/ubimkvol/usr/sbin/ubirmvol/u", - "/usr/sbin/sestatus/usr/sbin/ubimkvol/usr/sbin/ubirmvol/usr/sbin/ubirsvolge", - "/usr/sbin/setfont/usr/sbin/telnetd/usr/sbin/seedrngPRETTY_NAME", - "/usr/sbin/setsebool/usr/sbin/ubiattach/usr/sbin/ubidetach/usr/sbin/ubirena", - "/usr/sbin/ubiattach/usr/sbin/ubidetach/usr/sbin/ubirename", - "/usr/sbin/ubimkvol/usr/sbin/ubirmvol/usr/sbin/ubirsvolgetting" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-sbin.yara#usr_sbin_path", - "ID": "fs/path/usr_sbin", - "RuleName": "usr_sbin_path" - }, - { - "Description": "path reference within /var", - "MatchStrings": [ - "/var/cache%s", - "/var/cache/apk/etc/apk/worldCalculateWorldcache", - "/var/cache/miscAPKINDEX.tar.gzfetchAlpineKeyscfg.MapTo", - "/var/lib/db/sbomSPDXRef-Package-remote", - "/var/run/docker.sockopen" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path", - "ID": "fs/path/var", - "RuleName": "var_path" - }, - { - "Description": "Changes file ownership", - "MatchStrings": [ - "Chown" - ], - 
"RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown", - "ID": "fs/permission/chown", - "RuleName": "Chown" - }, - { - "Description": "modifies file permissions", - "MatchStrings": [ - "Chmod", - "chmod" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod", - "ReferenceURL": "https://linux.die.net/man/1/chmod", - "ID": "fs/permission/modify", - "RuleName": "chmod" - }, - { - "Description": "stop swapping to a file/device", - "MatchStrings": [ - "swapoff" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/swap/swap-off.yara#swapoff", - "ID": "fs/swap/off", - "RuleName": "swapoff" - }, - { - "Description": "start swapping to a file/device", - "MatchStrings": [ - "swapon" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/swap/swap-on.yara#swapon", - "ID": "fs/swap/on", - "RuleName": "swapon" - }, - { - "Description": "creates symbolic links", - "MatchStrings": [ - "symlink" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-create.yara#symlink", - "ID": "fs/symlink_create", - "RuleName": "symlink" - }, - { - "Description": "resolves symbolic links", - "MatchStrings": [ - "realpath" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath", - "ReferenceURL": "https://man7.org/linux/man-pages/man3/realpath.3.html", - "ID": "fs/symlink_resolve", - "RuleName": "realpath" - }, - { - "Description": "temp", - "MatchStrings": [ - "getenv", - "temp" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp", - "ID": "fs/tempdir/TEMP", - "RuleName": "temp" - }, - { - "Description": "creates temporary files", - "MatchStrings": [ - "mktemp", - "temp file", - "tmpfile" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp", - "ID": "fs/tempfile", - "RuleName": "mktemp" - }, - { - "Description": "unmount file system", - "MatchStrings": [ - "umount" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/unmount.yara#umount", - "ID": "fs/unmount", - "RuleName": "umount" - }, - { - "Description": "references /dev/urandom", - "MatchStrings": [ - "/dev/urandom" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/urandom.yara#urandom", - "ID": "hw/urandom", - "RuleName": "urandom" - }, - { - "Description": "references a 'heartbeat'", - "MatchStrings": [ - "HeartbeatPeriod", - "HeartbeatTick" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat", - "ID": "impact/remote_access/heartbeat", - "RuleName": "heartbeat" - }, - { - "Description": "parse command-line arguments", - "MatchStrings": [ - "getopt" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ui/parses-arguments.yara#argparse", - "ID": "impact/ui/parses_arguments", - "RuleName": "argparse" - }, - { - "Description": "give advice about use of memory", - "MatchStrings": [ - "madvise" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/advise.yara#madvise", - "ID": "mem/advise", - "RuleName": "madvise" - }, - { - "Description": "Uses DNS (Domain Name 
Service)", - "MatchStrings": [ - "CNAMEResource", - "SetEDNS0", - "dnsmessage" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs", - "ID": "net/dns", - "RuleName": "go_dns_refs" - }, - { - "Description": "looks up the reverse hostname for an IP", - "MatchStrings": [ - ".in-addr.arpa", - "ip6.arpa" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa", - "ID": "net/dns/reverse", - "RuleName": "in_addr_arpa" - }, - { - "Description": "Examines local DNS servers", - "MatchStrings": [ - "CNAMEResource" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local", - "ID": "net/dns/servers", - "RuleName": "go_dns_refs_local" - }, - { - "Description": "Uses DNS TXT (text) records", - "MatchStrings": [ - "TXT", - "dns" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt", - "ID": "net/dns/txt", - "RuleName": "dns_txt" - }, - { - "Description": "download files", - "MatchStrings": [ - "DownloadLocation", - "downloadLocation", - "to registrySkip downloading" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download", - "ID": "net/download", - "RuleName": "download" - }, - { - "Description": "Invokes curl", - "MatchStrings": [ - "curl -H \"" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value", - "ID": "net/download/fetch", - "RuleName": "curl_value" - }, - { - "Description": "Uses the HTTP/2 protocol", - "MatchStrings": [ - "HTTP/2" - ], - "RiskScore": 1, - "RiskLevel": 
"LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2", - "ID": "net/http/2", - "RuleName": "http2" - }, - { - "Description": "accepts binary files via HTTP", - "MatchStrings": [ - "Accept", - "application/octet-stream" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary", - "ID": "net/http/accept", - "RuleName": "http_accept_binary" - }, - { - "Description": "set HTTP response encoding format (example: gzip)", - "MatchStrings": [ - "Accept-Encoding" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type", - "ReferenceURL": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding", - "ID": "net/http/accept_encoding", - "RuleName": "content_type" - }, - { - "Description": "makes HTTP requests with Bearer authentication", - "MatchStrings": [ - "WWW-Authenticate", - "Www-Authenticate", - "www-authenticate" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth", - "ID": "net/http/auth", - "RuleName": "http_auth" - }, - { - "Description": "Sets HTTP content length to zero", - "MatchStrings": [ - "Content-Length: 0" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length.yara#content_length_0", - "ID": "net/http/content_length", - "RuleName": "content_length_0" - }, - { - "Description": "access HTTP resources using cookies", - "MatchStrings": [ - "Cookie", - "HTTP" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie", - "ReferenceURL": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies", - 
"ID": "net/http/cookies", - "RuleName": "http_cookie" - }, - { - "Description": "upload content via HTTP form", - "MatchStrings": [ - "POST", - "application/json", - "application/x-www-form-urlencoded", - "post" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload", - "ID": "net/http/form_upload", - "RuleName": "http_form_upload" - }, - { - "Description": "submits content to websites", - "MatchStrings": [ - "Content-Type for PUTeach colon", - "Content-Type headerdid not find expected alp", - "Content-Type isn", - "Content-Type: text/plain", - "Content-TypeCookie.Valuecontent", - "Content-Typenet/http: timeout awaiting respo", - "HTTP", - "POST" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post", - "ID": "net/http/post", - "RuleName": "http_post" - }, - { - "Description": "use HTTP proxy that requires authentication", - "MatchStrings": [ - "Proxy-Authorization" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth", - "ReferenceURL": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization", - "ID": "net/http/proxy", - "RuleName": "proxy_auth" - }, - { - "Description": "makes HTTP requests", - "MatchStrings": [ - "HTTP/1.", - "Referer", - "User-Agent" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request", - "ID": "net/http/request", - "RuleName": "http_request" - }, - { - "Description": "access the internet", - "MatchStrings": [ - "invalid packet" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets", - "ID": "net/ip", - "RuleName": "packets" - 
}, - { - "Description": "connects to an arbitrary hostname:port", - "MatchStrings": [ - "host to transport" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref", - "ID": "net/ip/host_port", - "RuleName": "host_port_ref" - }, - { - "Description": "parses IP address (IPv4 or IPv6)", - "MatchStrings": [ - "IsLinkLocalUnicast", - "IsSingleIP" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#ip_go", - "ID": "net/ip/parse", - "RuleName": "ip_go" - }, - { - "Description": "Supports SOCK5 proxies", - "MatchStrings": [ - "SOCKS5", - "socks5" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5", - "ID": "net/proxy/socks5", - "RuleName": "socks5" - }, - { - "Description": "resolve network host name to IP address", - "MatchStrings": [ - "net.hostLookup" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#net_hostlookup", - "ID": "net/resolve/hostname", - "RuleName": "net_hostlookup" - }, - { - "Description": "listen on a socket", - "MatchStrings": [ - "accept", - "listen", - "socket" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen", - "ID": "net/socket/listen", - "RuleName": "listen" - }, - { - "Description": "get local address of connected socket", - "MatchStrings": [ - "getsockname" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/getsockname.2.html", - "ID": "net/socket/local_addr", - 
"RuleName": "getsockname" - }, - { - "Description": "get socket options", - "MatchStrings": [ - "getsockopt" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-options-get.yara#getsockopt", - "ID": "net/socket/options_get", - "RuleName": "getsockopt" - }, - { - "Description": "set socket options", - "MatchStrings": [ - "setsockopt" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-options-set.yara#setsockopt", - "ID": "net/socket/options_set", - "RuleName": "setsockopt" - }, - { - "Description": "get peer address of connected socket", - "MatchStrings": [ - "getpeername" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/getpeername.2.html", - "ID": "net/socket/peer_address", - "RuleName": "getpeername" - }, - { - "Description": "receive a message from a socket", - "MatchStrings": [ - "recvfrom", - "recvmsg" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg", - "ReferenceURL": "https://linux.die.net/man/2/recvmsg", - "ID": "net/socket/receive", - "RuleName": "recvmsg" - }, - { - "Description": "send a message to a socket", - "MatchStrings": [ - "sendmsg", - "sendto" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg", - "ReferenceURL": "https://linux.die.net/man/2/sendmsg", - "ID": "net/socket/send", - "RuleName": "sendmsg" - }, - { - "Description": "connects to a TCP port", - "MatchStrings": [ - "dialTCP" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/connect.yara#connect_tcp", - "ID": "net/tcp/connect", - "RuleName": "connect_tcp" - }, - { - "Description": "Uses crypto/ssh to connect to the SSH (secure shell) service", - "MatchStrings": [ - "SSH" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh", - "ID": "net/tcp/ssh", - "RuleName": "ssh" - }, - { - "Description": "Listens for UDP responses", - "MatchStrings": [ - "ReadFromUDP", - "listenUDP" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-receive.yara#udp_listen", - "ID": "net/udp/receive", - "RuleName": "udp_listen" - }, - { - "Description": "Sends UDP packets", - "MatchStrings": [ - "DialUDP", - "WriteMsgUDP" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-send.yara#udp_send", - "ID": "net/udp/send", - "RuleName": "udp_send" - }, - { - "Description": "contains embedded HTTPS URLs", - "MatchStrings": [ - "https://GoString01234567beEfFgGvsignal", - "https://alpinelinux.org/releases.jsondid", - "https://github.com/chainguard-dev/apkocould", - "https://github.com/google/go-containerregistry/issues/377internal", - "https://github.com/spf13/cobra/issues/1279", - "https://github.com/spf13/cobra/issues/1508", - "https://index.docker.io/v1/Path", - "https://index.docker.io/v2/library/ubuntu/tags/list", - "https://pkg.go.dev/text/template", - "https://reproducible-builds.org/docs/source-date-epoch/directory", - "https://spdx.org/spdxdocs/apko/directory" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url", - "ID": "net/url/embedded", - "RuleName": "https_url" - }, - { - "Description": "encodes URL, likely to pass GET variables", - 
"MatchStrings": [ - "urlencode" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode", - "ID": "net/url/encode", - "RuleName": "url_encode" - }, - { - "Description": "Handles URL strings", - "MatchStrings": [ - "RequestURI" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle", - "ID": "net/url/parse", - "RuleName": "url_handle" - }, - { - "Description": "requests resources via URL", - "MatchStrings": [ - "http.request", - "net/url" - ], - "RiskScore": 2, - "RiskLevel": "MEDIUM", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls", - "ID": "net/url/request", - "RuleName": "requests_urls" - }, - { - "Description": "Retrieve environment variables", - "MatchStrings": [ - "Getenv" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#getenv", - "ID": "os/env/get", - "RuleName": "getenv" - }, - { - "Description": "places a variable into the environment", - "MatchStrings": [ - "setenv" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/set.yara#setenv_putenv", - "ID": "os/env/set", - "RuleName": "setenv_putenv" - }, - { - "Description": "unsetenv", - "MatchStrings": [ - "unsetenv" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/unset.yara#unsetenv", - "ID": "os/env/unset", - "RuleName": "unsetenv" - }, - { - "Description": " close", - "MatchStrings": [ - "_close" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/access.yara#_close", - "ID": "os/fd/access", - "RuleName": "_close" - }, - { - "Description": 
"manipulate file descriptor with fcntl", - "MatchStrings": [ - "fcntl" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/manipulate.yara#fcntl", - "ID": "os/fd/manipulate", - "RuleName": "fcntl" - }, - { - "Description": "Reads from file descriptors", - "MatchStrings": [ - "pread" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#fd_read", - "ID": "os/fd/read", - "RuleName": "fd_read" - }, - { - "Description": "transfer data between file descriptors", - "MatchStrings": [ - "sendfile", - "syscall.Sendfile" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile", - "ReferenceURL": "https://man7.org/linux/man-pages/man2/sendfile.2.html", - "ID": "os/fd/sendfile", - "RuleName": "sendfile" - }, - { - "Description": "write to file descriptor", - "MatchStrings": [ - "pwrite" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#fd_write", - "ID": "os/fd/write", - "RuleName": "fd_write" - }, - { - "Description": "communicate with kernel services", - "MatchStrings": [ - "netlink" - ], - "RiskScore": 1, - "RiskLevel": "LOW", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink", - "ID": "os/kernel/netlink", - "RuleName": "netlink" - }, - { - "Description": "get or set kernel stat", - "MatchStrings": [ - "Sysctl", - "sysctl" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/sysctl.yara#sysctl", - "ID": "os/kernel/sysctl", - "RuleName": "sysctl" - }, - { - "Description": "libc", - "MatchStrings": [ - "sigaction" - ], - "RiskScore": 0, - "RiskLevel": "NONE", - "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle.yara#libc",
- "ID": "os/signal/handle",
- "RuleName": "libc"
- },
- {
- "Description": "Listen for SIGALRM (timeout) events",
- "MatchStrings": [
- "ALRM",
- "sigaction"
- ],
- "RiskScore": 0,
- "RiskLevel": "NONE",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-ALRM.yara#sigaction_ALRM",
- "ID": "os/signal/handle_ALRM",
- "RuleName": "sigaction_ALRM"
- },
- {
- "Description": "Listen for SIGHUP (hangup) events",
- "MatchStrings": [
- "HUP",
- "sigaction"
- ],
- "RiskScore": 0,
- "RiskLevel": "NONE",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-HUP.yara#sigaction_SIGHUP",
- "ID": "os/signal/handle_HUP",
- "RuleName": "sigaction_SIGHUP"
- },
- {
- "Description": "Listen for SIGINT (ctrl-C) events",
- "MatchStrings": [
- "SIGINT",
- "sigaction"
- ],
- "RiskScore": 0,
- "RiskLevel": "NONE",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-INT.yara#sigaction_SIGINT",
- "ID": "os/signal/handle_INT",
- "RuleName": "sigaction_SIGINT"
- },
- {
- "Description": "Listen for SIGQUIT (kill) events",
- "MatchStrings": [
- "QUIT",
- "sigaction"
- ],
- "RiskScore": 0,
- "RiskLevel": "NONE",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-QUIT.yara#sigaction_SIGQUIT",
- "ID": "os/signal/handle_QUIT",
- "RuleName": "sigaction_SIGQUIT"
- },
- {
- "Description": "Listen for SIGWINCH (terminal window change) events",
- "MatchStrings": [
- "WINCH",
- "sigaction"
- ],
- "RiskScore": 0,
- "RiskLevel": "NONE",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-WINCH.yara#sigaction_WINCH",
- "ID": "os/signal/handle_WINCH",
- "RuleName": "sigaction_WINCH"
- },
- {
- "Description": "sigprocmask",
- "MatchStrings": [
- "sigprocmask"
- ],
- "RiskScore": 0,
- "RiskLevel": "NONE",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/mask.yara#sigprocmask",
- "ID": "os/signal/mask",
- "RuleName": "sigprocmask"
- },
- {
- "Description": "kill",
- "MatchStrings": [
- "syscall.Kill"
- ],
- "RiskScore": 0,
- "RiskLevel": "NONE",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/send.yara#kill",
- "ID": "os/signal/send",
- "RuleName": "kill"
- },
- {
- "Description": "bsd time conversion",
- "MatchStrings": [
- "ctime"
- ],
- "RiskScore": 0,
- "RiskLevel": "NONE",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/time/clock-convert.yara#bsd_time_conversion",
- "ID": "os/time/clock_convert",
- "RuleName": "bsd_time_conversion"
- },
- {
- "Description": "set time via system clock",
- "MatchStrings": [
- "adjtimex"
- ],
- "RiskScore": 1,
- "RiskLevel": "LOW",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/time/clock-set.yara#linux_adjtimex",
- "ID": "os/time/clock_set",
- "RuleName": "linux_adjtimex"
- },
- {
- "Description": "lists crontab entries, may also persist",
- "MatchStrings": [
- "crontab"
- ],
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/cron/tab.yara#crontab_support",
- "ID": "persist/cron/tab",
- "RuleName": "crontab_support"
- },
- {
- "Description": "changes working directory",
- "MatchStrings": [
- "cd u"
- ],
- "RiskScore": 1,
- "RiskLevel": "LOW",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell",
- "ID": "process/chdir",
- "RuleName": "chdir_shell"
- },
- {
- "Description": "change the location of root for the process",
- "MatchStrings": [
- "chroot"
- ],
- "RiskScore": 1,
- "RiskLevel": "LOW",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot",
- "ID": "process/chroot",
- "RuleName": "chroot"
- },
- {
- "Description": "create child process",
- "MatchStrings": [
- "clone"
- ],
- "RiskScore": 0,
- "RiskLevel": "NONE",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#syscall_clone",
- "ReferenceURL": "https://man7.org/linux/man-pages/man2/clone.2.html",
- "ID": "process/create",
- "RuleName": "syscall_clone"
- },
- {
- "Description": "creates a session and sets the process group ID",
- "MatchStrings": [
- "setsid"
- ],
- "RiskScore": 0,
- "RiskLevel": "NONE",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/group/create.yara#syscalls",
- "ReferenceURL": "https://man7.org/linux/man-pages/man2/setsid.2.html",
- "ID": "process/group/create",
- "RuleName": "syscalls"
- },
- {
- "Description": "set group access list",
- "MatchStrings": [
- "setgroups"
- ],
- "RiskScore": 1,
- "RiskLevel": "LOW",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups",
- "ID": "process/groups_set",
- "RuleName": "setgroups"
- },
- {
- "Description": "set resource limits",
- "MatchStrings": [
- "setrlimit"
- ],
- "RiskScore": 0,
- "RiskLevel": "NONE",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/limit-set.yara#setrlimit",
- "ID": "process/limit_set",
- "RuleName": "setrlimit"
- },
- {
- "Description": "adjust the process nice value",
- "MatchStrings": [
- "renice"
- ],
- "RiskScore": 0,
- "RiskLevel": "NONE",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/setpriority.yara#nice",
- "ID": "process/setpriority",
- "RuleName": "nice"
- },
- {
- "Description": "disassociate parts of the process execution context",
- "MatchStrings": [
- "unshare"
- ],
- "RiskScore": 1,
- "RiskLevel": "LOW",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare",
- "ID": "process/unshare",
- "RuleName": "syscall_unshare"
- },
- {
- "Description": "gets very excited",
- "MatchStrings": [
- "does not work!!!",
- "ontain alphanumerical characters onlyexplicitly tagged !!"
- ],
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations",
- "ID": "sus/exclamation",
- "RuleName": "exclamations"
- }
- ],
- "RiskScore": 2,
- "RiskLevel": "MEDIUM"
- }
- }
-}
diff --git a/pkg/action/testdata/scan_oci b/pkg/action/testdata/scan_oci
index 5f57f73d..e69de29b 100644
--- a/pkg/action/testdata/scan_oci
+++ b/pkg/action/testdata/scan_oci
@@ -1,74 +0,0 @@
-{
- "Files": {
- "/etc/profile": {
- "Path": "testdata/static.tar.xz ∴ /etc/profile",
- "SHA256": "8adf547453fe02fdc92e90424bffea4130bf88cc772a492b74912fb50a85c467",
- "Size": 534,
- "Behaviors": [
- {
- "Description": "set file mode creation mask",
- "MatchStrings": [
- "umask"
- ],
- "RiskScore": 0,
- "RiskLevel": "NONE",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-permission-mask-set.yara#umask",
- "ID": "fs/file/permission_mask_set",
- "RuleName": "umask"
- },
- {
- "Description": "path reference within /etc",
- "MatchStrings": [
- "/etc/profile.d/"
- ],
- "RiskScore": 1,
- "RiskLevel": "LOW",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path",
- "ID": "fs/path/etc",
- "RuleName": "etc_path"
- },
- {
- "Description": "path reference within /usr/local/bin",
- "MatchStrings": [
- "/usr/local/bin"
- ],
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-local.yara#usr_local_bin_path",
- "ID": "fs/path/usr_local",
- "RuleName": "usr_local_bin_path"
- },
- {
- "Description": "access bash startup files",
- "MatchStrings": [
- "/etc/profile"
- ],
- "RiskScore": 2,
- "RiskLevel": "MEDIUM",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/shell/bash.yara#bash_persist",
- "ID": "persist/shell/bash",
- "RuleName": "bash_persist"
- },
- {
- "Description": "etc shell init references",
- "MatchStrings": [
- "/etc/profile"
- ],
- "RiskScore": 1,
- "RiskLevel": "LOW",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/shell/init_files.yara#etc_shell_init_references",
- "ID": "persist/shell/init_files",
- "RuleName": "etc_shell_init_references"
- }
- ],
- "RiskScore": 2,
- "RiskLevel": "MEDIUM"
- },
- "/etc/profile.d/locale.sh": {
- "Path": "testdata/static.tar.xz ∴ /etc/profile.d/locale.sh",
- "SHA256": "",
- "Size": 0,
- "RiskScore": 0
- }
- }
-}
diff --git a/tests/linux/2019.ChinaZ/yk.simple b/tests/linux/2019.ChinaZ/yk.simple
index 04d15dab..bbec14c0 100644
--- a/tests/linux/2019.ChinaZ/yk.simple
+++ b/tests/linux/2019.ChinaZ/yk.simple
@@ -1,7 +1,7 @@
 # linux/2019.ChinaZ/yk: critical
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
-anti-static/elf/multiple: high
+anti-static/elf/multiple: medium
 c2/addr/server: medium
 c2/addr/url: low
 crypto/rc4: low
diff --git a/tests/linux/2021.FontOnLake/45E9.elf.simple b/tests/linux/2021.FontOnLake/45E9.elf.simple
index f11bafbf..4fd6fb40 100644
--- a/tests/linux/2021.FontOnLake/45E9.elf.simple
+++ b/tests/linux/2021.FontOnLake/45E9.elf.simple
@@ -1,6 +1,6 @@
 # linux/2021.FontOnLake/45E9.elf: critical
 3P/elastic/rootkit_fontonlake: critical
-anti-static/elf/multiple: high
+anti-static/elf/multiple: medium
 anti-static/packer/upx: high
 c2/addr/ip: high
 c2/addr/url: low
diff --git a/tests/linux/2024.Gelsemium/dbus.simple b/tests/linux/2024.Gelsemium/dbus.simple
index bdb95b7e..440ce62e 100644
--- a/tests/linux/2024.Gelsemium/dbus.simple
+++ b/tests/linux/2024.Gelsemium/dbus.simple
@@ -1,5 +1,5 @@
 # linux/2024.Gelsemium/dbus: critical
-anti-static/elf/multiple: high
+anti-static/elf/multiple: medium
 crypto/decrypt: low
 crypto/encrypt: medium
 data/hash/md5: medium
diff --git a/tests/linux/2024.Gelsemium/udevd.simple b/tests/linux/2024.Gelsemium/udevd.simple
index df3ed0d8..9ff9c9f9 100644
--- a/tests/linux/2024.Gelsemium/udevd.simple
+++ b/tests/linux/2024.Gelsemium/udevd.simple
@@ -1,5 +1,5 @@
 # linux/2024.Gelsemium/udevd: critical
-anti-static/elf/multiple: high
+anti-static/elf/multiple: medium
 c2/addr/ip: medium
 c2/addr/url: low
 c2/client: medium
diff --git a/tests/linux/2024.Gelsemium/udevd_multi.simple b/tests/linux/2024.Gelsemium/udevd_multi.simple
index a65b813c..4c57b503 100644
--- a/tests/linux/2024.Gelsemium/udevd_multi.simple
+++ b/tests/linux/2024.Gelsemium/udevd_multi.simple
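Review bot: The new side of this hunk is empty — `@@ -1,74 +0,0 @@` removes all 74 lines of pkg/action/testdata/scan_oci and adds none, and with no `deleted file mode` in the header the fixture is kept as a zero-byte file. An expected-output fixture with no content no longer pins the /etc/profile findings it used to record (umask, /etc/profile.d/, /usr/local/bin, bash_persist, etc_shell_init_references), so whatever test consumes it is presumably now asserting against nothing. The same emptying appears further down for tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple and tests/linux/clean/{buildah,caddy,chezmoi,chrome,clickhouse}.simple, which does not match the "libselinux.so tuning" subject. If this came from a fixture refresh run without the sample inputs available, restore the previous content (or delete the files outright if these cases are being dropped) so coverage for those samples is not silently lost.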
@@ -1,5 +1,5 @@
 # linux/2024.Gelsemium/udevd_multi: critical
-anti-static/elf/multiple: high
+anti-static/elf/multiple: medium
 c2/addr/ip: medium
 c2/addr/url: low
 c2/client: medium
diff --git a/tests/linux/2024.gas/gas.simple b/tests/linux/2024.gas/gas.simple
index 8d13257e..3e3c0ad5 100644
--- a/tests/linux/2024.gas/gas.simple
+++ b/tests/linux/2024.gas/gas.simple
@@ -1,7 +1,7 @@
-# linux/2024.gas/gas: critical
+# linux/2024.gas/gas: high
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
-anti-static/elf/multiple: high
+anti-static/elf/multiple: medium
 c2/addr/url: low
 c2/tool_transfer/arch: low
 crypto/rc4: low
diff --git a/tests/linux/2024.kubo_injector/injector.json b/tests/linux/2024.kubo_injector/injector.json
index 9acacf10..54d87c62 100644
--- a/tests/linux/2024.kubo_injector/injector.json
+++ b/tests/linux/2024.kubo_injector/injector.json
@@ -13,12 +13,12 @@
 ],
 "Behaviors": [
 {
- "Description": "multiple ELF binaries concatenated into a single file",
+ "Description": "multiple ELF binaries within an ELF binary",
 "MatchStrings": [
 "$elf_head"
 ],
- "RiskScore": 3,
- "RiskLevel": "HIGH",
+ "RiskScore": 2,
+ "RiskLevel": "MEDIUM",
 "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf",
 "ID": "anti-static/elf/multiple",
 "RuleName": "multiple_elf"
diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
index 00225be2..e69de29b 100644
--- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
+++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
@@ -1,174 +0,0 @@
-# linux/2024.kworker_pretenders/emp3r0r.agent: critical
-3P/elastic/exploit_cve_2021: critical
-anti-behavior/vm_check: medium
-anti-static/elf/entropy: high
-c2/addr/http_dynamic: medium
-c2/addr/ip: medium
-c2/addr/url: low
-c2/discovery/ip_dns_resolver: medium
-c2/refs: high
-c2/tool_transfer/arch: low
-c2/tool_transfer/download: medium
-c2/tool_transfer/os: medium
-collect/archives/unarchive: medium
-collect/archives/zip: medium
-credential/os/shadow: medium
-credential/password: low
-credential/sniffer/bpf: medium
-credential/ssh/d: medium
-credential/ssl/private_key: low
-crypto/aes: low
-crypto/cipher: medium
-crypto/decrypt: low
-crypto/ecdsa: low
-crypto/ed25519: low
-crypto/public_key: low
-crypto/tls: low
-data/compression/bzip2: low
-data/compression/gzip: low
-data/compression/lzma: low
-data/compression/xz: medium
-data/compression/zlib: low
-data/compression/zstd: low
-data/embedded/html: medium
-data/embedded/zstd: medium
-data/encoding/base64: low
-data/encoding/json: low
-data/encoding/json_decode: low
-data/hash/blake2b: low
-data/hash/md5: low
-data/hash/sha256: low
-discover/network/connectivity: low
-discover/network/netstat: medium
-discover/processes/list: medium
-discover/system/cpu: low
-discover/system/hostname: low
-discover/system/platform: low
-discover/system/sysinfo: medium
-discover/user/HOME: low
-discover/user/USER: low
-discover/user/name_get: medium
-evasion/file/location/chdir_unusual: medium
-evasion/file/location/dev_shm: medium
-evasion/file/prefix: high
-evasion/file/prefix/dev: high
-evasion/file/prefix/tmp: high
-evasion/hijack_execution/LD_LIBRARY_PATH: low
-evasion/logging/current_logins: medium
-evasion/logging/hide_shell_history: high
-evasion/mimicry/fake_process: critical
-exec/cmd: medium
-exec/conditional/LANG: low
-exec/dylib/symbol_address: medium
-exec/plugin: low
-exec/program: medium
-exec/remote_commands/code_eval: medium
-exec/script/shell: medium
-exec/shell/SHELL: low
-exec/shell/TERM: low
-exec/shell/arbitrary_command_dev_null: medium
-exec/shell/background_sleep: medium
-exec/shell/exec: medium
-exec/tty/open: medium
-fs/directory/create: low
-fs/directory/list: low
-fs/directory/remove: low
-fs/file/copy: medium
-fs/file/delete: medium
-fs/file/delete_forcibly: medium
-fs/file/open: low
-fs/file/read: low
-fs/file/rename: low
-fs/file/times_set: low
-fs/file/write: low
-fs/link_create: low
-fs/link_read: low
-fs/mount: low
-fs/path/bin_su: low
-fs/path/etc: low
-fs/path/etc_hosts: medium
-fs/path/etc_resolv.conf: low
-fs/path/home: low
-fs/path/home_config: low
-fs/path/tmp: medium
-fs/path/users: medium
-fs/path/usr_bin: low
-fs/path/usr_local: medium
-fs/path/usr_sbin: low
-fs/path/var: low
-fs/path/var_log: medium
-fs/permission/chown: medium
-fs/permission/modify: medium
-fs/proc/1_cgroup: medium
-fs/proc/arbitrary_pid: medium
-fs/proc/cpuinfo: medium
-fs/symlink_resolve: low
-fs/tempdir/TEMP: low
-fs/tempfile: low
-hw/cpu: medium
-impact/exploit: high
-impact/exploit/GCONV_PATH: high
-impact/exploit/overflow_shellcode: high
-impact/exploit/pwnkit: critical
-impact/remote_access/heartbeat: medium
-impact/remote_access/kill_rm: medium
-impact/remote_access/net_exec: medium
-impact/remote_access/pseudo_terminal: medium
-impact/remote_access/reverse_shell: high
-malware/family/emp3r0r: critical
-net/dns: low
-net/dns/over_https: medium
-net/dns/reverse: medium
-net/dns/servers: low
-net/dns/txt: low
-net/http/2: low
-net/http/accept: medium
-net/http/accept_encoding: low
-net/http/auth: low
-net/http/content_length: medium
-net/http/cookies: medium
-net/http/form_upload: medium
-net/http/post: medium
-net/http/proxy: low
-net/http/request: low
-net/http/websocket: medium
-net/ip: low
-net/ip/host_port: medium
-net/ip/icmp: medium
-net/ip/multicast_send: low
-net/ip/parse: medium
-net/ip/tcp_state_tracker: medium
-net/proxy/shadowsocks: high
-net/proxy/socks5: medium
-net/resolve/hostname: low
-net/resolve/hostport_parse: low
-net/socket/listen: medium
-net/socket/local_addr: low
-net/socket/peer_address: low
-net/socket/raw: medium
-net/socket/receive: low
-net/socket/send: low
-net/tcp/connect: medium
-net/tcp/sftp: medium
-net/tcp/ssh: medium
-net/udp/receive: low
-net/udp/send: medium
-net/url/embedded: medium
-net/url/encode: medium
-net/url/parse: low
-net/url/request: medium
-os/fd/sendfile: low
-os/kernel/netlink: low
-persist/cron/tab: medium
-persist/pid_file: medium
-persist/shell/bash: high
-privesc/linpeas: high
-privesc/setuid: low
-privesc/sudo: medium
-process/chdir: low
-process/chroot: low
-process/groupid_set: low
-process/groups_set: low
-process/multithreaded: low
-process/terminate/killed_all: medium
-sus/exclamation: medium
diff --git a/tests/linux/2024.medusa/rkload.simple b/tests/linux/2024.medusa/rkload.simple
index 646f34c6..a089d7fc 100644
--- a/tests/linux/2024.medusa/rkload.simple
+++ b/tests/linux/2024.medusa/rkload.simple
@@ -2,7 +2,7 @@
 3P/elastic/orbit: critical
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
-anti-static/elf/multiple: high
+anti-static/elf/multiple: medium
 anti-static/xor/paths: high
 c2/addr/url: low
 c2/tool_transfer/arch: low
diff --git a/tests/linux/2024.melofee/pskt.simple b/tests/linux/2024.melofee/pskt.simple
index 44fad00b..c45fa5aa 100644
--- a/tests/linux/2024.melofee/pskt.simple
+++ b/tests/linux/2024.melofee/pskt.simple
@@ -3,7 +3,7 @@
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
 anti-static/elf/entropy: high
-anti-static/elf/multiple: high
+anti-static/elf/multiple: medium
 c2/addr/ip: medium
 c2/addr/url: low
 c2/tool_transfer/arch: low
diff --git a/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple b/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple
index 7f175cc3..d8356a67 100644
--- a/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple
+++ b/tests/linux/2024.sliver/de33b8d9694b6b4c44e3459b2151571af5d0e2031551f9f1a70b6db475ba71b2.elf.simple
@@ -2,7 +2,7 @@
 anti-static/elf/content: high
 anti-static/elf/entropy: high
 anti-static/elf/header: high
-anti-static/elf/multiple: high
+anti-static/elf/multiple: medium
 anti-static/packer/upx: high
 c2/addr/ip: high
 c2/addr/url: low
diff --git a/tests/linux/2024.vncjew/__min__c.simple b/tests/linux/2024.vncjew/__min__c.simple
index cb280b34..4e49b97f 100644
--- a/tests/linux/2024.vncjew/__min__c.simple
+++ b/tests/linux/2024.vncjew/__min__c.simple
@@ -1,7 +1,7 @@
 # linux/2024.vncjew/__min__c: critical
 anti-static/elf/entropy: high
 anti-static/elf/header: high
-anti-static/elf/multiple: high
+anti-static/elf/multiple: medium
 anti-static/packer/upx: high
 c2/addr/ip: high
 c2/addr/url: low
diff --git a/tests/linux/clean/buildah.simple b/tests/linux/clean/buildah.simple
index 60a4df47..e69de29b 100644
--- a/tests/linux/clean/buildah.simple
+++ b/tests/linux/clean/buildah.simple
@@ -1,159 +0,0 @@
-# linux/clean/buildah: medium
-c2/addr/http_dynamic: medium
-c2/addr/ip: medium
-c2/addr/url: low
-c2/client: medium
-c2/discovery/ip_dns_resolver: medium
-c2/tool_transfer/arch: low
-c2/tool_transfer/os: medium
-collect/archives/zip: medium
-collect/databases/sqlite: medium
-credential/keychain: medium
-credential/password: low
-credential/sniffer/bpf: medium
-credential/ssl/private_key: low
-crypto/aes: low
-crypto/cipher: medium
-crypto/decrypt: low
-crypto/ecdsa: low
-crypto/ed25519: low
-crypto/openssl: medium
-crypto/public_key: low
-crypto/tls: low
-data/compression/bzip2: low
-data/compression/gzip: low
-data/compression/lzma: low
-data/compression/xz: medium
-data/compression/zlib: low
-data/compression/zstd: low
-data/embedded/html: medium
-data/embedded/zstd: medium
-data/encoding/base64: low
-data/encoding/json: low
-data/encoding/json_decode: low
-data/hash/blake2b: low
-data/hash/md5: low
-discover/network/mac_address: medium
-discover/process/name: medium
-discover/system/cpu: low
-discover/system/hostname: low
-discover/system/platform: low
-discover/system/sysinfo: medium
-discover/user/HOME: low
-discover/user/USER: low
-evasion/bypass_security/linux/iptables: medium
-evasion/file/location/dev_mqueue: medium
-evasion/file/location/dev_shm: medium
-evasion/file/location/var_run: medium
-evasion/file/prefix: medium
-evasion/file/prefix/dev: low
-exec/cmd: medium
-exec/dylib/symbol_address: medium
-exec/plugin: low
-exec/program: medium
-exec/reconfigure/hostname_set: low
-exec/shell/SHELL: low
-exec/shell/TERM: low
-exec/shell/background_sleep: medium
-exec/shell/exec: medium
-exec/system_controls/apparmor: medium
-exec/system_controls/systemd: low
-fs/directory/create: low
-fs/directory/list: low
-fs/directory/remove: low
-fs/event_monitoring: low
-fs/fifo_create: low
-fs/file/create: medium
-fs/file/delete: low
-fs/file/delete_forcibly: low
-fs/file/open: low
-fs/file/read: low
-fs/file/rename: low
-fs/file/times_set: medium
-fs/file/truncate: low
-fs/file/write: low
-fs/link_create: low
-fs/link_read: low
-fs/lock_update: low
-fs/loopback: medium
-fs/mount: low
-fs/node_create: low
-fs/path/etc: low
-fs/path/etc_hosts: medium
-fs/path/etc_resolv.conf: low
-fs/path/home_config: low
-fs/path/lib_dynamic: medium
-fs/path/relative: medium
-fs/path/tmp: medium
-fs/path/users: medium
-fs/path/usr_bin: low
-fs/path/usr_local: medium
-fs/path/usr_sbin: low
-fs/path/var: low
-fs/permission/chown: medium
-fs/permission/modify: medium
-fs/proc/arbitrary_pid: medium
-fs/proc/self_cgroup: medium
-fs/proc/self_cmdline: medium
-fs/proc/self_exe: medium
-fs/proc/self_mountinfo: medium
-fs/tempdir: low
-fs/tempdir/TEMP: low
-fs/tempdir/TMPDIR: low
-fs/tempdir/create: low
-fs/tempfile: low
-fs/unmount: low
-fs/watch: low
-hw/dev/block_ice: medium
-impact/degrade/linux_paths: medium
-impact/remote_access/iptables: medium
-mem/anonymous_file: medium
-net/dns: low
-net/dns/reverse: medium
-net/dns/servers: low
-net/dns/txt: low
-net/download: medium
-net/http/2: low
-net/http/accept: medium
-net/http/accept_encoding: low
-net/http/auth: low
-net/http/content_length: medium
-net/http/cookies: medium
-net/http/form_upload: medium
-net/http/oauth2: low
-net/http/post: medium
-net/http/proxy: low
-net/http/request: low
-net/ip/host_port: medium
-net/ip/icmp: medium
-net/ip/parse: medium
-net/resolve/hostname: low
-net/resolve/hostport_parse: low
-net/socket/listen: medium
-net/socket/local_addr: low
-net/socket/peer_address: low
-net/socket/receive: low
-net/socket/send: low
-net/tcp/connect: medium
-net/tcp/grpc: low
-net/tcp/ssh: medium
-net/udp/receive: low
-net/udp/send: low
-net/url/embedded: low
-net/url/encode: medium
-net/url/parse: low
-net/url/request: medium
-os/fd/sendfile: low
-os/kernel/kcore: low
-os/kernel/key_management: low
-os/kernel/netlink: low
-os/kernel/seccomp: low
-persist/pid_file: medium
-privesc/setuid: low
-process/chroot: low
-process/groupid_set: low
-process/groups_set: low
-process/multithreaded: low
-process/unshare: low
-sus/exclamation: medium
-sus/intercept: medium
diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple
index 7e0bbcea..e69de29b 100644
--- a/tests/linux/clean/caddy.simple
+++ b/tests/linux/clean/caddy.simple
@@ -1,163 +0,0 @@
-# linux/clean/caddy: medium
-c2/addr/http_dynamic: medium
-c2/addr/ip: medium
-c2/addr/url: low
-c2/client: medium
-c2/discovery/ip_dns_resolver: medium
-c2/refs: medium
-c2/tool_transfer/arch: low
-c2/tool_transfer/download: medium
-c2/tool_transfer/os: medium
-collect/archives/zip: medium
-collect/databases/mysql: medium
-collect/databases/postgresql: medium
-collect/databases/sqlite: medium
-credential/password: low
-credential/server/htpasswd: medium
-credential/sniffer/bpf: medium
-credential/ssh/d: medium
-credential/ssl/private_key: low
-crypto/aes: low
-crypto/cipher: medium
-crypto/decrypt: low
-crypto/ecdsa: low
-crypto/ed25519: low
-crypto/public_key: low
-crypto/tls: low
-data/compression/gzip: low
-data/compression/zstd: low
-data/embedded/base64_terms: medium
-data/embedded/base64_url: medium
-data/embedded/html: medium
-data/embedded/pem_certificate: low
-data/embedded/pem_private_key: medium
-data/encoding/base64: low
-data/encoding/json: low
-data/encoding/json_decode: low
-data/encoding/json_encode: low
-data/hash/blake2b: low
-data/hash/md5: low
-data/random/insecure: low
-discover/cloud/aws_metadata: low
-discover/cloud/google_metadata: low
-discover/group/lookup: medium
-discover/network/mac_address: medium
-discover/process/parent: low
-discover/system/cpu: low
-discover/system/hostname: low
-discover/system/platform: medium
-discover/user/HOME: low
-discover/user/USER: low
-discover/user/name_get: low
-evasion/file/location/var_run: medium
-evasion/file/prefix: medium
-exec/cmd: medium
-exec/conditional/LANG: low
-exec/install_additional/package_install: medium
-exec/plugin: low
-exec/program: medium
-exec/program/background: low
-exec/script/osa: medium
-exec/shell/SHELL: low
-exec/shell/TERM: low
-exec/shell/background_sleep: medium
-exec/system_controls/stop: low
-exec/system_controls/systemd: low
-exfil/office_file_ext: medium
-fs/directory/create: low
-fs/directory/list: low
-fs/directory/remove: low
-fs/fifo_create: low
-fs/file/capabilities_set: low
-fs/file/create: medium
-fs/file/delete: medium
-fs/file/delete_forcibly: low
-fs/file/open: low
-fs/file/read: low
-fs/file/rename: low
-fs/file/times_set: medium
-fs/file/write: low
-fs/link_read: low
-fs/lock_update: low
-fs/mount: low
-fs/path/etc: low
-fs/path/etc_hosts: medium
-fs/path/etc_resolv.conf: low
-fs/path/home_config: low
-fs/path/relative: medium
-fs/path/tmp: medium
-fs/path/users: medium
-fs/path/var: low
-fs/path/windows_root: low
-fs/permission/chown: medium
-fs/permission/modify: medium
-fs/proc/arbitrary_pid: medium
-fs/proc/pid_stat: medium
-fs/proc/pid_statistics: low
-fs/proc/self_cgroup: medium
-fs/proc/self_exe: medium
-fs/proc/self_mountinfo: medium
-fs/swap/off: low
-fs/symlink_resolve: low
-fs/tempdir: low
-fs/tempdir/TEMP: low
-fs/tempdir/TMPDIR: low
-fs/tempfile: low
-fs/watch: low
-hw/wireless: low
-net/dns: low
-net/dns/over_https: medium
-net/dns/reverse: medium
-net/dns/servers: low
-net/dns/txt: low
-net/download: medium
-net/http/2: low
-net/http/accept: medium
-net/http/accept_encoding: low
-net/http/auth: low
-net/http/content_length: medium
-net/http/cookies: medium
-net/http/form_upload: medium
-net/http/oauth2: low
-net/http/post: medium
-net/http/proxy: low
-net/http/request: low
-net/http/webhook: medium
-net/http/websocket: medium
-net/ip: low
-net/ip/connect: medium
-net/ip/host_port: medium
-net/ip/icmp: medium
-net/ip/multicast_send: low
-net/ip/parse: medium
-net/ip/resolve: low
-net/ip/spoof: medium
-net/proxy/reverse: medium
-net/resolve/hostname: low
-net/socket/listen: medium
-net/socket/local_addr: low
-net/socket/pair: medium
-net/socket/peer_address: low
-net/socket/receive: low
-net/socket/reuseport: medium
-net/socket/send: low
-net/tcp/connect: medium
-net/tcp/grpc: low
-net/tcp/ssh: medium
-net/udp/receive: low
-net/udp/send: low
-net/url/embedded: low
-net/url/encode: medium
-net/url/parse: low
-net/url/request: medium
-net/webrtc: medium
-os/env/get: low
-os/fd/sendfile: low
-os/kernel/netlink: low
-persist/kernel_module/unload: medium
-persist/pid_file: medium
-privesc/sudo: medium
-process/chroot: low
-process/groups_set: low
-sus/exclamation: medium
-sus/intercept: medium
diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple
index 22b81a60..e69de29b 100644
--- a/tests/linux/clean/chezmoi.simple
+++ b/tests/linux/clean/chezmoi.simple
@@ -1,171 +0,0 @@
-# linux/clean/chezmoi: medium
-c2/addr/discord: medium
-c2/addr/http_dynamic: medium
-c2/addr/ip: medium
-c2/addr/telegram: medium
-c2/addr/url: low
-c2/client: medium
-c2/tool_transfer/arch: low
-c2/tool_transfer/download: medium
-c2/tool_transfer/dropper: medium
-c2/tool_transfer/os: medium
-collect/archives/zip: medium
-collect/code/github_api: low
-collect/databases/leveldb: medium
-collect/databases/mysql: medium
-collect/databases/postgresql: medium
-collect/databases/sqlite: medium
-credential/clipboard: medium
-credential/gaming/minecraft: medium
-credential/keychain: medium
-credential/password: low
-credential/server/htpasswd: medium
-credential/sniffer/bpf: medium
-credential/ssl/private_key: low
-crypto/aes: low
-crypto/cipher: medium
-crypto/decrypt: low
-crypto/ecdsa: low
-crypto/ed25519: low
-crypto/encrypt: medium
-crypto/public_key: low
-crypto/tls: low
-crypto/uuid: medium
-data/compression/bzip2: low
-data/compression/gzip: low
-data/compression/lzma: low
-data/compression/xz: medium
-data/compression/zlib: low
-data/compression/zstd: low
-data/embedded/base64_terms: medium
-data/embedded/base64_url: medium
-data/embedded/html: medium
-data/embedded/pem_certificate: low
-data/embedded/ssh_signature: medium
-data/embedded/zstd: medium
-data/encoding/base64: low
-data/encoding/json: low
-data/encoding/json_decode: low
-data/hash/blake2b: low
-data/hash/md5: low
-data/random/insecure: low
-discover/group/lookup: medium
-discover/network/mac_address: medium
-discover/process/parent: low
-discover/system/cpu: low
-discover/system/hostname: low
-discover/system/platform: low
-discover/system/sysinfo: medium
-discover/user/HOME: low
-discover/user/USER: low
-discover/user/name_get: medium
-evasion/file/prefix: medium
-exec/cmd: medium
-exec/conditional/LANG: low
-exec/plugin: low
-exec/program: medium
-exec/program/background: low
-exec/script/osa: medium
-exec/shell/SHELL: low
-exec/shell/TERM: low
-exec/shell/background_sleep: medium
-exec/shell/exec: medium
-exec/system_controls/systemd: low
-exfil/upload: medium
-fs/attributes/chattr: medium
-fs/directory/create: low
-fs/directory/list: low
-fs/directory/remove: low
-fs/fifo_create: low
-fs/file/create: medium
-fs/file/delete: medium
-fs/file/delete_forcibly: low
-fs/file/open: low
-fs/file/read: low
-fs/file/rename: low
-fs/file/stat: low
-fs/file/times_set: medium
-fs/file/write: low
-fs/link_create: low
-fs/link_read: low
-fs/lock_update: low
-fs/mount: low
-fs/path/etc: low
-fs/path/etc_hosts: medium
-fs/path/etc_resolv.conf: low
-fs/path/home_config: low
-fs/path/users: medium
-fs/path/var: low
-fs/permission/chown: medium
-fs/permission/modify: medium
-fs/swap/off: low
-fs/symlink_resolve: low
-fs/tempdir: low
-fs/tempdir/TEMP: low
-fs/tempdir/TMPDIR: low
-fs/tempfile: low
-fs/watch: low
-hw/dev/block_ice: medium
-hw/wireless: low
-impact/exploit: medium
-impact/infection/worm: medium
-impact/remote_access/heartbeat: medium
-impact/remote_access/implant: medium
-impact/remote_access/pseudo_terminal: medium
-impact/remote_access/trojan: medium
-malware/ref: medium
-net/dns: low
-net/dns/reverse: medium
-net/dns/servers: low
-net/dns/txt: low
-net/download: medium
-net/download/fetch: medium
-net/http/2: low
-net/http/accept: medium
-net/http/accept_encoding: low
-net/http/auth: low
-net/http/content_length: medium
-net/http/cookies: medium
-net/http/form_upload: medium
-net/http/oauth2: low
-net/http/post: medium
-net/http/proxy: low
-net/http/request: low
-net/http/webhook: medium
-net/http/websocket: medium
-net/ip: low
-net/ip/host_port: medium
-net/ip/multicast_send: low
-net/ip/parse: medium
-net/ip/resolve: low
-net/ip/spoof: medium
-net/proxy/socks5: medium
-net/proxy/tunnel: medium
-net/resolve/hostname: low
-net/socket/listen: medium
-net/socket/local_addr: low
-net/socket/pair: medium
-net/socket/peer_address: low
-net/socket/receive: low
-net/socket/send: low
-net/tcp/connect: medium
-net/tcp/ssh: medium
-net/udp/receive: low
-net/udp/send: low
-net/url/embedded: low
-net/url/encode: medium
-net/url/parse: low
-net/url/request: medium
-net/webrtc: medium
-os/env/get: low
-os/fd/sendfile: low
-os/kernel/netlink: low
-persist/kernel_module/unload: medium
-persist/pid_file: medium
-privesc/sudo: medium
-process/chdir: low
-process/chroot: low
-process/groups_set: low
-sus/exclamation: medium
-sus/intercept: medium
-sus/malicious: medium
diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple
index d0690c28..e69de29b 100644
--- a/tests/linux/clean/chrome.simple
+++ b/tests/linux/clean/chrome.simple
@@ -1,184 +0,0 @@
-# linux/clean/chrome: high
-anti-behavior/LD_DEBUG: medium
-anti-behavior/LD_PROFILE: medium
-anti-static/elf/multiple: high
-anti-static/obfuscation/obfuscate: low
-c2/addr/http_dynamic: medium
-c2/addr/ip: medium
-c2/addr/server: medium
-c2/client: medium
-c2/discovery/ip_dns_resolver: medium
-c2/refs: medium
-c2/tool_transfer/arch: low
-c2/tool_transfer/dropper: medium
-c2/tool_transfer/os: medium
-collect/archives/zip: medium
-collect/databases/leveldb: medium
-collect/databases/sqlite: medium
-credential/keychain: medium
-credential/keychain/gnome_keyring_daemon: medium
-credential/password: low
-credential/sniffer/bpf: medium
-credential/ssh: medium
-credential/ssl/private_key: low
-crypto/aes: low
-crypto/cipher: medium
-crypto/decrypt: low
-crypto/ecdsa: low
-crypto/ed25519: low
-crypto/openssl: medium
-crypto/public_key: low
-crypto/rc4: medium
-crypto/tls: low
-crypto/uuid: medium
-data/compression/bzip2: low
-data/compression/gzip: low
-data/compression/lzma: low
-data/compression/zlib: low
-data/compression/zstd: low
-data/embedded/base64_url: medium
-data/embedded/html: medium
-data/embedded/pem_certificate: low
-data/encoding/base64: low
-data/encoding/json_decode: low
-data/encoding/json_encode: low
-data/hash/sha1: low
-data/random/insecure: low
-discover/network/interface_list: medium
-discover/network/mac_address: medium
-discover/process/name: medium
-discover/process/parent: low
-discover/process/runtime_deps: medium
-discover/processes/list: medium
-discover/system/hostname: low
-discover/system/platform: low
-discover/system/sysinfo: medium
-discover/user/HOME: low
-discover/user/USER: low
-evasion/bypass_security/linux/ufw: medium
-evasion/file/location/dev_shm: medium
-evasion/hijack_execution/LD_LIBRARY_PATH: low
-evasion/process_injection/ptrace: medium
-exec/cmd: medium
-exec/conditional/LANG: low
-exec/dylib/address_check: low
-exec/dylib/symbol_address: medium
-exec/plugin: low
-exec/program: medium
-exec/program/background: low
-exec/shell/TERM: low
-exec/shell/echo: medium
-exec/shell/pipe_sh: medium
-exec/system_controls/apparmor: medium
-exec/system_controls/stop: low
-exfil/collection: medium
-exfil/office_file_ext: medium
-exfil/stealer/credit_card: medium
-exfil/upload: medium
-fs/directory/create: low
-fs/directory/remove: low
-fs/file/create: medium
-fs/file/delete: medium
-fs/file/delete_forcibly: low
-fs/file/open: low
-fs/file/read: low
-fs/file/rename: low
-fs/file/stat: low
-fs/file/times_set: medium
-fs/file/truncate: low
-fs/file/write: low
-fs/link_read: low
-fs/lock_update: low
-fs/mount: low
-fs/mounts_read: medium
-fs/path/etc: low
-fs/path/etc_hosts: medium
-fs/path/etc_resolv.conf: low
-fs/path/home: low
-fs/path/home_config: low
-fs/path/root: medium
-fs/path/tmp: medium
-fs/path/usr_bin: low
-fs/path/usr_local: medium
-fs/path/var: low
-fs/permission/chown: low
-fs/permission/modify: medium
-fs/proc/arbitrary_pid: medium
-fs/proc/cpuinfo: medium
-fs/proc/meminfo: medium
-fs/proc/self_cmdline: medium
-fs/proc/self_exe: medium
-fs/proc/self_status: medium
-fs/proc/stat: medium
-fs/symlink_resolve: low
-fs/tempdir: low
-fs/tempdir/TEMP: low
-fs/tempdir/TMPDIR: low
-fs/tempdir/create: low
-fs/tempfile: low
-fs/unmount: low
-fs/watch: low
-hw/cpu: medium
-hw/dev/block_ice: medium
-hw/wireless: low
-impact/remote_access/heartbeat: medium
-lateral/scan/target_ip: medium
-malware/ref: medium
-mem/anonymous_file: medium
-net/dns/over_https: medium
-net/dns/servers: low
-net/dns/txt: low
-net/http/2: low
-net/http/accept: medium
-net/http/accept_encoding: low
-net/http/auth: low
-net/http/cookies: medium
-net/http/fake_user_agent: medium
-net/http/form_upload: medium
-net/http/oauth2: low
-net/http/post: medium
-net/http/proxy: low
-net/http/request: low
-net/http/websocket: medium
-net/ip: low
-net/ip/host_port: medium
-net/ip/icmp: medium
-net/ip/multicast_send: low
-net/ip/p_request: low
-net/ip/parse: medium
-net/ip/string: medium
-net/proxy/socks5: medium
-net/proxy/tunnel: medium
-net/resolve/hostname: low
-net/resolve/hostport_parse: low
-net/rpc/ntlm: medium
-net/socket/listen: medium
-net/socket/local_addr: low
-net/socket/pair: medium
-net/socket/peer_address: low
-net/socket/receive: low
-net/socket/reuseport: medium
-net/socket/send: low
-net/tcp/ssh: medium
-net/udp/kcp: medium
-net/udp/upnp: medium
-net/url/embedded: medium
-net/url/encode: medium
-net/url/parse: low
-net/url/request: medium
-net/webrtc: medium
-os/fd/epoll: low
-os/kernel/netlink: low
-os/kernel/opencl: medium
-os/kernel/seccomp: low
-persist/service/start: low
-privesc/setuid: low
-privesc/sudo: medium
-process/chdir: low
-process/chroot: low
-process/create: low
-process/groups_set: low
-process/multithreaded: low
-sus/exclamation: medium
-sus/intercept: medium
-sus/malicious: medium
diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple
index 337d86aa..e69de29b 100644
--- a/tests/linux/clean/clickhouse.simple
+++ b/tests/linux/clean/clickhouse.simple
@@ -1,205 +0,0 @@
-# linux/clean/clickhouse: high
-anti-static/elf/multiple: high
-anti-static/obfuscation/obfuscate: low
-c2/addr/http_dynamic: medium
-c2/addr/ip: medium
-c2/addr/server: medium
-c2/client: medium
-c2/discovery/dyndns: medium
-c2/tool_transfer/arch: low
-c2/tool_transfer/download: medium
-c2/tool_transfer/dropper: medium
-c2/tool_transfer/grayware: high
-c2/tool_transfer/os: medium
-collect/databases/leveldb: medium
-collect/databases/mysql: medium
-collect/databases/postgresql: medium
-collect/databases/sqlite: medium
-credential/cloud/aws: medium
-credential/cloud/g: medium
-credential/gaming/minecraft: medium
-credential/password: low
-credential/sniffer/bpf: medium
-credential/ssl/private_key: low
-crypto/aes: low
-crypto/cipher: medium
-crypto/decrypt: low
-crypto/ed25519: low
-crypto/encrypt: medium
-crypto/gost89: low
-crypto/openssl: medium
-crypto/public_key: low
-crypto/tls: low
-data/base64/decode: medium
-data/base64/encode: medium
-data/compression/bzip2: low
-data/compression/gzip: low
-data/compression/lzma: low
-data/compression/zlib: low
-data/compression/zstd: low
-data/embedded/base64_url: medium
-data/embedded/html: medium
-data/embedded/pem_private_key: medium
-data/encoding/base64: low
-data/encoding/json_decode: low
-data/encoding/json_encode: low
-data/hash/blake2b: low
-data/hash/md5: low
-data/hash/sha1: low
-data/hash/sha256: low
-data/hash/whirlpool: medium
-data/random/insecure: low
-discover/cloud/google_metadata: low
-discover/network/interface: low
-discover/network/interface_list: medium
-discover/permissions/capabilities: medium
-discover/process/name: medium
-discover/process/runtime_deps: medium
-discover/processes/list: medium
-discover/system/cpu: low
-discover/system/dmesg: low
-discover/system/hostname: low
-discover/system/platform: low
-discover/user/HOME: low
-discover/user/USER: low
-discover/user/name_get: low
-evasion/bypass_security/linux/ufw: medium
-evasion/file/location/dev_shm: medium
-evasion/file/prefix: medium
-evasion/hijack_execution/DYLD_LIBRARY_PATH: medium
-evasion/hijack_execution/LD_LIBRARY_PATH: low
-evasion/logging/acct: low
-evasion/process_injection/ptrace: medium
-exec/cmd: medium
-exec/conditional/LANG: low
-exec/dylib/address_check: low
-exec/dylib/iterate: low
-exec/dylib/symbol_address: medium
-exec/install_additional/package_install: medium
-exec/plugin: low
-exec/program: medium
-exec/program/background: low
-exec/program/hidden: medium
-exec/shell/SHELL: low
-exec/shell/TERM: low
-exec/shell/background_sleep: medium
-exec/shell/echo: medium
-exec/shell/ignore_output: medium
-exec/shell/pipe_sh: medium
-exec/system_controls/systemd: low
-exfil/collection: medium
-exfil/proxy: medium
-fs/directory/create: low
-fs/directory/list: low
-fs/directory/remove: low
-fs/file/capabilities_set: low
-fs/file/copy: medium
-fs/file/create: medium
-fs/file/delete: medium
-fs/file/delete_forcibly: medium
-fs/file/open: low
-fs/file/read: low
-fs/file/rename: low
-fs/file/times_set: medium
-fs/file/truncate: low
-fs/file/write: low
-fs/link_create: low
-fs/link_read: low
-fs/lock_update: low
-fs/mount: low
-fs/mounts_read: medium
-fs/node_create: low
-fs/path/etc: low
-fs/path/etc_hosts: medium
-fs/path/etc_resolv.conf: low
-fs/path/home_config: low
-fs/path/root: medium
-fs/path/tmp: medium
-fs/path/usr_bin: low
-fs/path/usr_local: medium
-fs/path/var: low
-fs/path/var_log: medium
-fs/permission/chown: low
-fs/permission/modify: medium
-fs/proc/arbitrary_pid: medium
-fs/proc/cpuinfo: medium
-fs/proc/meminfo: medium
-fs/proc/net_dev: medium
-fs/proc/pid_maps: medium
-fs/proc/pid_status: medium
-fs/proc/self_cgroup: medium
-fs/proc/self_exe: medium
-fs/proc/self_status: medium
-fs/proc/stat: medium
-fs/symlink_resolve: low
-fs/tempdir: low
-fs/tempdir/TEMP: low
-fs/tempdir/TMPDIR: low
-fs/tempdir/create: low
-fs/tempfile: low
-fs/watch: low
-hw/cpu: medium
-hw/dev/block_ice: medium
-impact/infection/worm: medium
-impact/remote_access/heartbeat: medium
-impact/shutdown: medium
-net/dns/over_https: medium
-net/dns/reverse: medium
-net/dns/servers: low
-net/dns/txt: low
-net/download/fetch: medium
-net/email/exotic_addr: medium
-net/http/2: low
-net/http/accept: medium
-net/http/accept_encoding: low
-net/http/auth: low
-net/http/cookies: medium
-net/http/form_upload: medium
-net/http/oauth2: low
-net/http/post: medium
-net/http/proxy: low
-net/http/request: low
-net/http/websocket: medium
-net/ip: low
-net/ip/host_port: medium
-net/ip/icmp: medium
-net/ip/parse: medium
-net/ip/resolve: low
-net/ip/string: medium
-net/proxy/socks5: medium
-net/proxy/tunnel: medium
-net/resolve/hostname: low
-net/resolve/hostport_parse: low
-net/rpc/ntlm: medium
-net/socket/connect: medium
-net/socket/listen: medium
-net/socket/local_addr: low
-net/socket/pair: medium
-net/socket/peer_address: low
-net/socket/receive: low
-net/socket/reuseport: medium
-net/socket/send: low
-net/tcp/grpc: low
-net/tcp/ssh: medium
-net/url/embedded: medium
-net/url/encode: medium
-net/url/parse: low
-os/fd/epoll: low
-os/fd/print: low
-os/fd/read: low
-os/fd/sendfile: low
-os/kernel/netlink: low
-os/kernel/opencl: medium
-os/time/tzinfo: low
-persist/pid_file: medium
-privesc/setuid: low
-privesc/sudo: medium
-process/chdir: low
-process/chroot: low
-process/create: low
-process/groupid_set: low
-process/multithreaded: low
-sus/exclamation: medium
-sus/intercept: medium
-sus/leetspeak: medium
-sus/malicious: medium
diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md
index 0eb84de6..e69de29b 100644
--- a/tests/linux/clean/code-oss.md
+++ b/tests/linux/clean/code-oss.md
@@ -1,192 +0,0 @@
-## linux/clean/code-oss [🛑 HIGH]
-
-| RISK | KEY | DESCRIPTION | EVIDENCE |
-|--|--|--|--|
-| HIGH | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries concatenated into a single file | $elf_head |
-| MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) |
-| MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) |
-| MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) |
-| MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) |
-| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s) |
-| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[bIp](https://github.com/search?q=bIp&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[gIp](https://github.com/search?q=gIp&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[maxPort](https://github.com/search?q=maxPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[minPort](https://github.com/search?q=minPort&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_ip](https://github.com/search?q=quic_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code) |
-| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [_quic_drop_packets_with_changed_server_address](https://github.com/search?q=_quic_drop_packets_with_changed_server_address&type=code)
[server_address_](https://github.com/search?q=server_address_&type=code) |
-| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) |
-| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.4.4](https://github.com/search?q=8.8.4.4&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) |
-| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) |
-| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [FrameDropper](https://github.com/search?q=FrameDropper&type=code)
[eye_dropper](https://github.com/search?q=eye_dropper&type=code)
[openEyeDropper](https://github.com/search?q=openEyeDropper&type=code) |
-| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) |
-| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip_writer](https://github.com/search?q=zip_writer&type=code) |
-| MEDIUM | [collect/databases/leveldb](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/leveldb.yara#leveldb) | accesses LevelDB databases | [LEVELDB_DATABASE](https://github.com/search?q=LEVELDB_DATABASE&type=code)
[LEVELDB_ITERATOR](https://github.com/search?q=LEVELDB_ITERATOR&type=code)
[LEVELDB_TRANSACTION](https://github.com/search?q=LEVELDB_TRANSACTION&type=code)
[LevelDBEH](https://github.com/search?q=LevelDBEH&type=code)
[LevelDBEnv](https://github.com/search?q=LevelDBEnv&type=code)
[LevelDBIH](https://github.com/search?q=LevelDBIH&type=code)
[LevelDBLeveledLock](https://github.com/search?q=LevelDBLeveledLock&type=code)
[LevelDBOpenErrors](https://github.com/search?q=LevelDBOpenErrors&type=code)
[LevelDBReadErrors](https://github.com/search?q=LevelDBReadErrors&type=code)
[LevelDBScopesKeyRange](https://github.com/search?q=LevelDBScopesKeyRange&type=code)
[LevelDBScopesMetadata](https://github.com/search?q=LevelDBScopesMetadata&type=code)
[LevelDBScopesUndoTask](https://github.com/search?q=LevelDBScopesUndoTask&type=code)
[LevelDBTransaction](https://github.com/search?q=LevelDBTransaction&type=code)
[LevelDBWrapper](https://github.com/search?q=LevelDBWrapper&type=code)
[LevelDBWriteErrors](https://github.com/search?q=LevelDBWriteErrors&type=code)
[MojoLevelDB](https://github.com/search?q=MojoLevelDB&type=code)
[OpenAndVerifyLevelDBDatabase](https://github.com/search?q=OpenAndVerifyLevelDBDatabase&type=code)
[OpenLevelDBScopes](https://github.com/search?q=OpenLevelDBScopes&type=code)
[indexed_db_leveldb_operations](https://github.com/search?q=indexed_db_leveldb_operations&type=code)
[lazy_leveldb](https://github.com/search?q=lazy_leveldb&type=code)
[leveldb_0x](https://github.com/search?q=leveldb_0x&type=code)
[leveldb_chrome](https://github.com/search?q=leveldb_chrome&type=code)
[leveldb_database](https://github.com/search?q=leveldb_database&type=code)
[leveldb_factory](https://github.com/search?q=leveldb_factory&type=code)
[leveldb_proto](https://github.com/search?q=leveldb_proto&type=code)
[leveldb_scopes](https://github.com/search?q=leveldb_scopes&type=code)
[leveldb_value_store](https://github.com/search?q=leveldb_value_store&type=code)
[proto_leveldb_wrapper](https://github.com/search?q=proto_leveldb_wrapper&type=code)
[transactional_leveldb_iterator](https://github.com/search?q=transactional_leveldb_iterator&type=code) |
-| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) |
-| MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) |
-| MEDIUM | [credential/sniffer/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/sniffer/bpf.yara#sniffer_bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) |
-| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) |
-| MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) |
-| MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | [#"!](https://github.com/search?q=%23%22%21&type=code)
$opt0
$opt1
$opt2
$opt30
$opt4
$opt5
$opt6
$opt7
['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[3210](https://github.com/search?q=3210&type=code)
[7654](https://github.com/search?q=7654&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[onml](https://github.com/search?q=onml&type=code)
[srqp](https://github.com/search?q=srqp&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[����](https://github.com/search?q=%83%82%81%80&type=code)
[����](https://github.com/search?q=%87%86%85%84&type=code)
[����](https://github.com/search?q=%8B%8A%89%88&type=code)
[����](https://github.com/search?q=%8F%8E%8D%8C&type=code)
[����](https://github.com/search?q=%93%92%91%90&type=code)
[����](https://github.com/search?q=%97%96%95%94&type=code)
[����](https://github.com/search?q=%9B%9A%99%98&type=code)
[����](https://github.com/search?q=%9F%9E%9D%9C&type=code)
[����](https://github.com/search?q=%A3%A2%A1%A0&type=code)
[����](https://github.com/search?q=%A7%A6%A5%A4&type=code)
[����](https://github.com/search?q=%AB%AA%A9%A8&type=code)
[����](https://github.com/search?q=%AF%AE%AD%AC&type=code)
[����](https://github.com/search?q=%B3%B2%B1%B0&type=code)
[����](https://github.com/search?q=%B7%B6%B5%B4&type=code)
[����](https://github.com/search?q=%BB%BA%B9%B8&type=code)
[����](https://github.com/search?q=%BF%BE%BD%BC&type=code)
[����](https://github.com/search?q=%C3%C2%C1%C0&type=code)
[����](https://github.com/search?q=%C7%C6%C5%C4&type=code)
[����](https://github.com/search?q=%CB%CA%C9%C8&type=code)
[����](https://github.com/search?q=%CF%CE%CD%CC&type=code)
[����](https://github.com/search?q=%D3%D2%D1%D0&type=code)
[����](https://github.com/search?q=%D7%D6%D5%D4&type=code)
[����](https://github.com/search?q=%DB%DA%D9%D8&type=code)
[����](https://github.com/search?q=%DF%DE%DD%DC&type=code)
[����](https://github.com/search?q=%E3%E2%E1%E0&type=code)
[����](https://github.com/search?q=%E7%E6%E5%E4&type=code)
[����](https://github.com/search?q=%EB%EA%E9%E8&type=code)
[����](https://github.com/search?q=%EF%EE%ED%EC&type=code)
[����](https://github.com/search?q=%F3%F2%F1%F0&type=code)
[����](https://github.com/search?q=%F7%F6%F5%F4&type=code)
[����](https://github.com/search?q=%FB%FA%F9%F8&type=code)
[����](https://github.com/search?q=%FF%FE%FD%FC&type=code) |
-| MEDIUM | [crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid) | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) |
-| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [base64_encode](https://github.com/search?q=base64_encode&type=code) |
-| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[RpcmVjdG9ye::$directory](https://github.com/search?q=RpcmVjdG9ye%3A%3A%24directory&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) |
-| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[h0dHBzOi8v::$https](https://github.com/search?q=h0dHBzOi8v%3A%3A%24https&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) |
-| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | -| MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code)
[networkInterfaces](https://github.com/search?q=networkInterfaces&type=code) |
-| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) |
-| MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) |
-| MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) |
-| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) |
-| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) |
-| MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) |
-| MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) |
-| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code)
[vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code) |
-| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) |
-| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) |
-| MEDIUM | [exec/program/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/hidden.yara#relative_hidden_launcher) | relative hidden launcher | [./.691.9B](https://github.com/search?q=.%2F.691.9B&type=code)
[bash](https://github.com/search?q=bash&type=code)
[exec](https://github.com/search?q=exec&type=code)
[system](https://github.com/search?q=system&type=code) |
-| MEDIUM | [exec/shell/pipe_sh](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/pipe_sh.yara#pipe_to_shell) | pipes to shell | [| sh](https://github.com/search?q=%7C+sh&type=code) |
-| MEDIUM | [exec/tty/pathname](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/pathname.yara#ttyname) | returns the pathname of a terminal device | [ttyname](https://github.com/search?q=ttyname&type=code) |
-| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) |
-| MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#google_drive) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [drive.google.com/](https://github.com/search?q=drive.google.com%2F&type=code) |
-| MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy) | copy files using cp | [copyFile](https://github.com/search?q=copyFile&type=code) |
-| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileAndStart](https://github.com/search?q=CreateFileAndStart&type=code)
[CreateFileAndWrite](https://github.com/search?q=CreateFileAndWrite&type=code)
[CreateFileOpenDial](https://github.com/search?q=CreateFileOpenDial&type=code)
[CreateFileToTrunca](https://github.com/search?q=CreateFileToTrunca&type=code)
[CreateFileURLLoade](https://github.com/search?q=CreateFileURLLoade&type=code)
[CreateFileWriterIm](https://github.com/search?q=CreateFileWriterIm&type=code) |
-| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFileOnFileSe](https://github.com/search?q=DeleteFileOnFileSe&type=code) |
-| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utimes](https://github.com/search?q=utimes&type=code) |
-| MEDIUM | [fs/path/etc_hosts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts) | references /etc/hosts | [/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) |
-| MEDIUM | [fs/path/root](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/root.yara#root_path_val) | path reference within /root | [/root/root-legacy.js](https://github.com/search?q=%2Froot%2Froot-legacy.js&type=code)
[/root/root.js](https://github.com/search?q=%2Froot%2Froot.js&type=code) |
-| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/__v8_gc__](https://github.com/search?q=%2Ftmp%2F__v8_gc__&type=code)
[/tmp/chromium-upload-XXXXXXXXXXXXXXXX](https://github.com/search?q=%2Ftmp%2Fchromium-upload-XXXXXXXXXXXXXXXX&type=code)
[/tmp/node-repl-sock](https://github.com/search?q=%2Ftmp%2Fnode-repl-sock&type=code)
[/tmp/perf-%d.map](https://github.com/search?q=%2Ftmp%2Fperf-%25d.map&type=code)
[/tmp/perfetto-consumer](https://github.com/search?q=%2Ftmp%2Fperfetto-consumer&type=code)
[/tmp/perfetto-producer](https://github.com/search?q=%2Ftmp%2Fperfetto-producer&type=code) |
-| MEDIUM | [fs/path/var_log](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var-log.yara#var_log_path) | path reference within /var/log | [/var/log/bluetooth/log.bz2.old](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Flog.bz2.old&type=code) |
-| MEDIUM | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown) | Changes file ownership | [Chown](https://github.com/search?q=Chown&type=code) |
-| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [Chmod](https://github.com/search?q=Chmod&type=code)
[chmod](https://github.com/search?q=chmod&type=code) |
-| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/$](https://github.com/search?q=%2Fproc%2F%24&type=code)
[/proc/%d/task/](https://github.com/search?q=%2Fproc%2F%25d%2Ftask%2F&type=code) |
-| MEDIUM | [fs/proc/cpuinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/cpuinfo.yara#proc_cpuinfo) | get CPU info | [/proc/cpuinfo](https://github.com/search?q=%2Fproc%2Fcpuinfo&type=code) |
-| MEDIUM | [fs/proc/meminfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/meminfo.yara#proc_meminfo_val) | get memory info | [/proc/meminfo](https://github.com/search?q=%2Fproc%2Fmeminfo&type=code) |
-| MEDIUM | [fs/proc/self_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cmdline.yara#proc_self_cmdline) | gets process command-line | [/proc/self/cmdline](https://github.com/search?q=%2Fproc%2Fself%2Fcmdline&type=code) |
-| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) |
-| MEDIUM | [fs/proc/self_status](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-status.yara#proc_self_status) | gets status associated to this process, including capabilities | [/proc/self/status](https://github.com/search?q=%2Fproc%2Fself%2Fstatus&type=code) |
-| MEDIUM | [fs/proc/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/stat.yara#proc_stat) | gets kernel/system statistics | [/proc/stat](https://github.com/search?q=%2Fproc%2Fstat&type=code) |
-| MEDIUM | [hw/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/cpu.yara#sys_devices_cpu) | Get information about CPUs | [/sys/devices/system/cpu](https://github.com/search?q=%2Fsys%2Fdevices%2Fsystem%2Fcpu&type=code) |
-| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [Failed to deserialized 
Heartbeat info pa](https://github.com/search?q=Failed+to+deserialized+Heartbeat+info+pa&type=code)
[Invalid heartbeat info:](https://github.com/search?q=Invalid+heartbeat+info%3A&type=code)
[No Heartbeat Info pa](https://github.com/search?q=No+Heartbeat+Info+pa&type=code)
[heartbeat:](https://github.com/search?q=heartbeat%3A&type=code)
[heartbeat_handler](https://github.com/search?q=heartbeat_handler&type=code) |
-| MEDIUM | [lateral/scan/target_ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/target_ip.yara#target_ip) | References a target IP | [target IP](https://github.com/search?q=target+IP&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code) |
-| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) |
-| MEDIUM | [malware/ref](https://github.com/chainguard-dev/malcontent/blob/main/rules/malware/ref.yara#malware) | mentions 'malware' | [_malware](https://github.com/search?q=_malware&type=code) |
-| MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [DnsOverHttps](https://github.com/search?q=DnsOverHttps&type=code)
[application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) |
-| MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) |
-| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) |
-| MEDIUM | [net/http/content_length](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length.yara#content_length_0) | Sets HTTP content length to zero | [Content-Length: 0](https://github.com/search?q=Content-Length%3A+0&type=code) |
-| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) |
-| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) |
-| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type header.](https://github.com/search?q=Content-Type+header.&type=code)
[Content-Type: application/json](https://github.com/search?q=Content-Type%3A+application%2Fjson&type=code)
[Content-Type: application/octet](https://github.com/search?q=Content-Type%3A+application%2Foctet&type=code)
[Content-Type: multipart/form](https://github.com/search?q=Content-Type%3A+multipart%2Fform&type=code)
[Content-Type: multipart/related](https://github.com/search?q=Content-Type%3A+multipart%2Frelated&type=code)
[Content-Type: text/html](https://github.com/search?q=Content-Type%3A+text%2Fhtml&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) |
-| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[AcceptWebSocket](https://github.com/search?q=AcceptWebSocket&type=code)
[DOMWebSocket](https://github.com/search?q=DOMWebSocket&type=code)
[OnWebSocketMessage](https://github.com/search?q=OnWebSocketMessage&type=code)
[OnWebSocketRequest](https://github.com/search?q=OnWebSocketRequest&type=code)
[ServerSupportsWebSocket](https://github.com/search?q=ServerSupportsWebSocket&type=code)
[WebSocket::Close](https://github.com/search?q=WebSocket%3A%3AClose&type=code)
[WebSocket::Connect](https://github.com/search?q=WebSocket%3A%3AConnect&type=code)
[WebSocket::Create](https://github.com/search?q=WebSocket%3A%3ACreate&type=code)
[WebSocket::GetBufferedAmount](https://github.com/search?q=WebSocket%3A%3AGetBufferedAmount&type=code)
[WebSocket::GetCloseCode](https://github.com/search?q=WebSocket%3A%3AGetCloseCode&type=code)
[WebSocket::GetCloseReason](https://github.com/search?q=WebSocket%3A%3AGetCloseReason&type=code)
[WebSocket::GetCloseWasClean](https://github.com/search?q=WebSocket%3A%3AGetCloseWasClean&type=code)
[WebSocket::GetExtensions](https://github.com/search?q=WebSocket%3A%3AGetExtensions&type=code)
[WebSocket::GetProtocol](https://github.com/search?q=WebSocket%3A%3AGetProtocol&type=code)
[WebSocket::GetReadyState](https://github.com/search?q=WebSocket%3A%3AGetReadyState&type=code)
[WebSocket::GetURL](https://github.com/search?q=WebSocket%3A%3AGetURL&type=code)
[WebSocket::IsWebSocket](https://github.com/search?q=WebSocket%3A%3AIsWebSocket&type=code)
[WebSocket::ReceiveMessage](https://github.com/search?q=WebSocket%3A%3AReceiveMessage&type=code)
[WebSocket::SendMessage](https://github.com/search?q=WebSocket%3A%3ASendMessage&type=code)
[WebSocketAdapter](https://github.com/search?q=WebSocketAdapter&type=code)
[WebSocketAuthenticationHandler](https://github.com/search?q=WebSocketAuthenticationHandler&type=code)
[WebSocketChannelImpl](https://github.com/search?q=WebSocketChannelImpl&type=code)
[WebSocketClient](https://github.com/search?q=WebSocketClient&type=code)
[WebSocketCloseInfo](https://github.com/search?q=WebSocketCloseInfo&type=code)
[WebSocketConnector](https://github.com/search?q=WebSocketConnector&type=code)
[WebSocketCreate](https://github.com/search?q=WebSocketCreate&type=code)
[WebSocketDestroy](https://github.com/search?q=WebSocketDestroy&type=code)
[WebSocketHandshakeClient](https://github.com/search?q=WebSocketHandshakeClient&type=code)
[WebSocketMessageChunkAccumulator::Segment](https://github.com/search?q=WebSocketMessageChunkAccumulator%3A%3ASegment&type=code)
[WebSocketReassembleShortMessages](https://github.com/search?q=WebSocketReassembleShortMessages&type=code)
[WebSocketReceiveHandshakeResponse](https://github.com/search?q=WebSocketReceiveHandshakeResponse&type=code)
[WebSocketSendHandshakeRequest](https://github.com/search?q=WebSocketSendHandshakeRequest&type=code)
[WebSocketStream::Delegate::OnAuthRequired](https://github.com/search?q=WebSocketStream%3A%3ADelegate%3A%3AOnAuthRequired&type=code)
[WebSocketStreamOptions](https://github.com/search?q=WebSocketStreamOptions&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code)
[testWebSocketPort](https://github.com/search?q=testWebSocketPort&type=code)
[webSocketClosed](https://github.com/search?q=webSocketClosed&type=code)
[webSocketCreated](https://github.com/search?q=webSocketCreated&type=code)
[webSocketDebuggerUrl](https://github.com/search?q=webSocketDebuggerUrl&type=code)
[webSocketFrameError](https://github.com/search?q=webSocketFrameError&type=code)
[webSocketFrameReceived](https://github.com/search?q=webSocketFrameReceived&type=code)
[webSocketFrameSent](https://github.com/search?q=webSocketFrameSent&type=code)
[webSocketHandshakeResponseReceived](https://github.com/search?q=webSocketHandshakeResponseReceived&type=code)
[webSocketProtocol](https://github.com/search?q=webSocketProtocol&type=code)
[webSocketWillSendHandshakeRequest](https://github.com/search?q=webSocketWillSendHandshakeRequest&type=code) |
-| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host",t.port](https://github.com/search?q=host%22%2Ct.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+++origin_port&type=code)
[host, ctx.port](https://github.com/search?q=host%2C+ctx.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+origin_port&type=code)
[host, port](https://github.com/search?q=host%2C+port&type=code)
[host,r.port=e.port](https://github.com/search?q=host%2Cr.port%3De.port&type=code)
[host.length - port](https://github.com/search?q=host.length+-+port&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host:]port](https://github.com/search?q=host%3A%5Dport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host=null,this.port](https://github.com/search?q=host%3Dnull%2Cthis.port&type=code)
[host>:[host_import](https://github.com/search?q=host_import&type=code)
[hostname and port](https://github.com/search?q=hostname+and+port&type=code)
[hostname, port](https://github.com/search?q=hostname%2C+port&type=code)
[hostname="",r.port](https://github.com/search?q=hostname%3D%22%22%2Cr.port&type=code)
[hostname=null,e.port](https://github.com/search?q=hostname%3Dnull%2Ce.port&type=code)
[host}${port](https://github.com/search?q=host%7D%24%7Bport&type=code)
[host}:${port](https://github.com/search?q=host%7D%3A%24%7Bport&type=code) |
-| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping err](https://github.com/search?q=ping++err&type=code)
[ping cancelled](https://github.com/search?q=ping+cancelled&type=code)
[ping connectivity probe](https://github.com/search?q=ping+connectivity+probe&type=code)
[ping failures and](https://github.com/search?q=ping+failures+and&type=code)
[ping from zygote child](https://github.com/search?q=ping+from+zygote+child&type=code)
[ping interval to](https://github.com/search?q=ping+interval+to&type=code)
[ping interval.](https://github.com/search?q=ping+interval.&type=code)
[ping last_ping_sent_:](https://github.com/search?q=ping+last_ping_sent_%3A&type=code)
[ping libuv](https://github.com/search?q=ping+libuv&type=code)
[ping most likely connection to](https://github.com/search?q=ping+most+likely+connection+to&type=code)
[ping payload must be 8 bytes](https://github.com/search?q=ping+payload+must+be+8+bytes&type=code)
[ping received](https://github.com/search?q=ping+received&type=code)
[ping response](https://github.com/search?q=ping+response&type=code)
[ping was sent and the ack](https://github.com/search?q=ping+was+sent+and+the+ack&type=code)
[ping with high retransmit count:](https://github.com/search?q=ping+with+high+retransmit+count%3A&type=code) |
-| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) |
-| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) |
-| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [CONNECT %s](https://github.com/search?q=CONNECT+%25s&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) |
-| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[Tunnel](https://github.com/search?q=Tunnel&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) |
-| MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [ntlm](https://github.com/search?q=ntlm&type=code) |
-| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) |
-| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) |
-| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) |
-| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) |
-| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) |
-| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[http://autocomplete.nigma.ru/complete/query_help.php?suggest=true](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code) |
-| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) |
-| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code)
[request(url,](https://github.com/search?q=request%28url%2C&type=code) |
-| MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) |
-| MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) |
-| MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo chmod 1777 /dev/shm](https://github.com/search?q=sudo+chmod+1777+%2Fdev%2Fshm&type=code) |
-| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[0 !!!!](https://github.com/search?q=0+++++++%21%21%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[12366 !!!](https://github.com/search?q=12366++++++%21%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH++++%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[AGG !!](https://github.com/search?q=AGG+++++%21%21&type=code)
[CGIJMOQS !!](https://github.com/search?q=CGIJMOQS++++%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[EE !!](https://github.com/search?q=EE++++%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code) |
-| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptorConfig](https://github.com/search?q=interceptorConfig&type=code)
[interceptorEv](https://github.com/search?q=interceptorEv&type=code)
[interceptor_config](https://github.com/search?q=interceptor_config&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) |
-| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) |
-| LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscate_location_parse_error](https://github.com/search?q=obfuscate_location_parse_error&type=code)
[obfuscated_field_name](https://github.com/search?q=obfuscated_field_name&type=code)
[obfuscated_file_util](https://github.com/search?q=obfuscated_file_util&type=code)
[obfuscated_name](https://github.com/search?q=obfuscated_name&type=code) |
-| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://127.0.0.1](http://127.0.0.1)
[http://Descriptionrelatively](http://Descriptionrelatively)
[http://according](http://according)
[http://addEventListenerresponsible](http://addEventListenerresponsible)
[http://ak.apnstatic.com/media/images/favicon_search](http://ak.apnstatic.com/media/images/favicon_search)
[http://applicationslink](http://applicationslink)
[http://arianna.libero.it/search/abin/integrata.cgi](http://arianna.libero.it/search/abin/integrata.cgi)
[http://autocomplete.nigma.ru/complete/query_help.php](http://autocomplete.nigma.ru/complete/query_help.php)
[http://buscador.softonic.com/](http://buscador.softonic.com/)
[http://buscador.terra.es/Default.aspx](http://buscador.terra.es/Default.aspx)
[http://buscador.terra.es/favicon.ico](http://buscador.terra.es/favicon.ico)
[http://buscar.terra.com.ar/Default.aspx](http://buscar.terra.com.ar/Default.aspx)
[http://buscar.terra.com.ar/favicon.ico](http://buscar.terra.com.ar/favicon.ico)
[http://certificates.godaddy.com/repository/gd_intermediate.crt0](http://certificates.godaddy.com/repository/gd_intermediate.crt0)
[http://certificates.godaddy.com/repository100.](http://certificates.godaddy.com/repository100.)
[http://clients3.google.com/cert_upload_json](http://clients3.google.com/cert_upload_json)
[http://code.google.com/p/closure](http://code.google.com/p/closure)
[http://crbug.com/1138528](http://crbug.com/1138528)
[http://crbug.com/660005.](http://crbug.com/660005.)
[http://crl.comodo.net/AAACertificateServices.crl0](http://crl.comodo.net/AAACertificateServices.crl0)
[http://crl.comodoca.com/AAACertificateServices.crl06](http://crl.comodoca.com/AAACertificateServices.crl06)
[http://crl.comodoca.com/COMODOCertificationAuthority.crl0](http://crl.comodoca.com/COMODOCertificationAuthority.crl0)
[http://crl.globalsign.net/root](http://crl.globalsign.net/root)
[http://crl.godaddy.com/gds1](http://crl.godaddy.com/gds1)
[http://csp.yahoo.com/beacon/csp](http://csp.yahoo.com/beacon/csp)
[http://dictionaryperceptionrevolutionfoundationpx](http://dictionaryperceptionrevolutionfoundationpx)
[http://dts.search](http://dts.search)
[http://en.softonic.com/s/](http://en.softonic.com/s/)
[http://encoding=](http://encoding=)
[http://exslt.org/common](http://exslt.org/common)
[http://familiar](http://familiar)
[http://feed.snap.do/](http://feed.snap.do/)
[http://feed.snapdo.com/](http://feed.snapdo.com/)
[http://feross.org](http://feross.org)
[http://find.in.gr/Themes/1/Default/Media/Layout/icon_in.png](http://find.in.gr/Themes/1/Default/Media/Layout/icon_in.png)
[http://g1.delphi.lv/favicon.ico](http://g1.delphi.lv/favicon.ico)
[http://hladaj.atlas.sk/fulltext/](http://hladaj.atlas.sk/fulltext/)
[http://html4/loose.dtd](http://html4/loose.dtd)
[http://i.rl0.ru/2011/icons/rambler.ico](http://i.rl0.ru/2011/icons/rambler.ico)
[http://i.wp.pl/a/i/stg/500/favicon.ico](http://i.wp.pl/a/i/stg/500/favicon.ico)
[http://icl.com/saxon](http://icl.com/saxon)
[http://imEnglish](http://imEnglish)
[http://imgs.sapo.pt/images/sapo.ico](http://imgs.sapo.pt/images/sapo.ico)
[http://interested](http://interested)
[http://interpreted](http://interpreted)
[http://iparticipation](http://iparticipation)
[http://isearch.avg.com/search](http://isearch.avg.com/search)
[http://l.twimg.com/i/hpkp_report](http://l.twimg.com/i/hpkp_report)
[http://linkurystoragenorthus.blob.core.windows.net/static/favicon.ico](http://linkurystoragenorthus.blob.core.windows.net/static/favicon.ico)
[http://localhost](http://localhost)
[http://mathematicsmargin](http://mathematicsmargin)
[http://mixidj.delta](http://mixidj.delta)
[http://ms1.iol.it/graph_hf/v.8.3.04/themes/default/img/favicon.ico](http://ms1.iol.it/graph_hf/v.8.3.04/themes/default/img/favicon.ico)
[http://mysearch.sweetpacks.com/](http://mysearch.sweetpacks.com/)
[http://mystart.incredibar.com/](http://mystart.incredibar.com/)
[http://narwhaljs.org](http://narwhaljs.org)
[http://navigation](http://navigation)
[http://nigma.ru/themes/nigma/img/favicon.ico](http://nigma.ru/themes/nigma/img/favicon.ico)
[http://nl.softonic.com/s/](http://nl.softonic.com/s/)
[http://nova.rambler.ru/search](http://nova.rambler.ru/search)
[http://nova.rambler.ru/suggest](http://nova.rambler.ru/suggest)
[http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/](http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/)
[http://ns.adobe.com/data](http://ns.adobe.com/data)
[http://ns.adobe.com/pdf/1.3/](http://ns.adobe.com/pdf/1.3/)
[http://ns.adobe.com/xap/1.0/mm/](http://ns.adobe.com/xap/1.0/mm/)
[http://ns.adobe.com/xdp/pdf/](http://ns.adobe.com/xdp/pdf/)
[http://ns.adobe.com/xfdf/](http://ns.adobe.com/xfdf/)
[http://ns.adobe.com/xmpmeta/](http://ns.adobe.com/xmpmeta/)
[http://ocsp.godaddy.com/0J](http://ocsp.godaddy.com/0J)
[http://ok.hu/gfx/favicon.ico](http://ok.hu/gfx/favicon.ico)
[http://ok.hu/katalogus](http://ok.hu/katalogus)
[http://pesquisa.sapo.pt/livesapo](http://pesquisa.sapo.pt/livesapo)
[http://purl.org/dc/elements/1.1/](http://purl.org/dc/elements/1.1/)
[http://radce.centrum.cz/](http://radce.centrum.cz/)
[http://search.avg.com/favicon.ico](http://search.avg.com/favicon.ico)
[http://search.avg.com/route/](http://search.avg.com/route/)
[http://search.avg.com/search](http://search.avg.com/search)
[http://search.babylon.com/favicon.ico](http://search.babylon.com/favicon.ico)
[http://search.babylon.com/home](http://search.babylon.com/home)
[http://search.conduit.com/Results.aspx](http://search.conduit.com/Results.aspx)
[http://search.goo.ne.jp/sgt.jsp](http://search.goo.ne.jp/sgt.jsp)
[http://search.goo.ne.jp/web.jsp](http://search.goo.ne.jp/web.jsp)
[http://search.imesh.net/favicon.ico](http://search.imesh.net/favicon.ico)
[http://search.imesh.net/music](http://search.imesh.net/music)
[http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Default.aspx](http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Default.aspx)
[http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Result.aspx](http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Result.aspx)
[http://search.iminent.com/Shared/Images/favicon_gl.ico](http://search.iminent.com/Shared/Images/favicon_gl.ico)
[http://search.incredibar.com/favicon.ico](http://search.incredibar.com/favicon.ico)
[http://search.incredibar.com/search.php](http://search.incredibar.com/search.php)
[http://search.snap.do/](http://search.snap.do/)
[http://search.snapdo.com/](http://search.snapdo.com/)
[http://search.softonic.com/img/favicon.ico](http://search.softonic.com/img/favicon.ico)
[http://search.sweetim.com/favicon.ico](http://search.sweetim.com/favicon.ico)
[http://search.sweetim.com/search.asp](http://search.sweetim.com/search.asp)
[http://search.tut.by/favicon.ico](http://search.tut.by/favicon.ico)
[http://search.walla.co.il/](http://search.walla.co.il/)
[http://searchatlas.centrum.cz/](http://searchatlas.centrum.cz/)
[http://searchfunmoods.com/favicon.ico](http://searchfunmoods.com/favicon.ico)
[http://searchfunmoods.com/results.php](http://searchfunmoods.com/results.php)
[http://site_name](http://site_name)
[http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js](http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js)
[http://start.iminent.com/StartWeb/1033/homepage/](http://start.iminent.com/StartWeb/1033/homepage/)
[http://start.sweetpacks.com/favicon.ico](http://start.sweetpacks.com/favicon.ico)
[http://start.sweetpacks.com/search.asp](http://start.sweetpacks.com/search.asp)
[http://static.mediacentrum.sk/katalog/atlas.sk/images/favicon.ico](http://static.mediacentrum.sk/katalog/atlas.sk/images/favicon.ico)
[http://staticsuggested](http://staticsuggested)
[http://suggest.yandex.ru/suggest](http://suggest.yandex.ru/suggest)
[http://szukaj.wp.pl/szukaj.html](http://szukaj.wp.pl/szukaj.html)
[http://tools.ietf.org/html/rfc3986](http://tools.ietf.org/html/rfc3986)
[http://unisolated.invalid](http://unisolated.invalid)
[http://userguide.icu](http://userguide.icu)
[http://wpad/wpad.dat](http://wpad/wpad.dat)
[http://www./div](http://www./div)
[http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html](http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html)
[http://www.C//DTD](http://www.C//DTD)
[http://www.aiim.org/pdfa/ns/id/](http://www.aiim.org/pdfa/ns/id/)
[http://www.apache.org/licenses/LICENSE](http://www.apache.org/licenses/LICENSE)
[http://www.brynosaurus.com/cachedir/](http://www.brynosaurus.com/cachedir/)
[http://www.color.org](http://www.color.org)
[http://www.conduit.com/favicon.ico](http://www.conduit.com/favicon.ico)
[http://www.conduit.com/search](http://www.conduit.com/search)
[http://www.delfi.lt/paieska/](http://www.delfi.lt/paieska/)
[http://www.delfi.lv/search_all/](http://www.delfi.lv/search_all/)
[http://www.delta](http://www.delta)
[http://www.example.com](http://www.example.com)
[http://www.hortcut](http://www.hortcut)
[http://www.ibm.com/data/dtd/v11/ibmxhtml1](http://www.ibm.com/data/dtd/v11/ibmxhtml1)
[http://www.icon](http://www.icon)
[http://www.iec.ch](http://www.iec.ch)
[http://www.ietf.org/id/draft](http://www.ietf.org/id/draft)
[http://www.interpretation](http://www.interpretation)
[http://www.jclark.com/xt](http://www.jclark.com/xt)
[http://www.language=](http://www.language=)
[http://www.midnight](http://www.midnight)
[http://www.neti.ee/api/suggestOS](http://www.neti.ee/api/suggestOS)
[http://www.neti.ee/cgi](http://www.neti.ee/cgi)
[http://www.neti.ee/favicon.ico](http://www.neti.ee/favicon.ico)
[http://www.search.delta](http://www.search.delta)
[http://www.searchnu.com/favicon.ico](http://www.searchnu.com/favicon.ico)
[http://www.searchnu.com/web](http://www.searchnu.com/web)
[http://www.softonic.com.br/s/](http://www.softonic.com.br/s/)
[http://www.softonic.com/s/](http://www.softonic.com/s/)
[http://www.squid](http://www.squid)
[http://www.style=](http://www.style=)
[http://www.text](http://www.text)
[http://www.w3.org/1998/Math/MathML](http://www.w3.org/1998/Math/MathML)
[http://www.w3.org/1999/02/22](http://www.w3.org/1999/02/22)
[http://www.w3.org/1999/XSL/Transform](http://www.w3.org/1999/XSL/Transform)
[http://www.w3.org/1999/xhtml](http://www.w3.org/1999/xhtml)
[http://www.w3.org/1999/xlink](http://www.w3.org/1999/xlink)
[http://www.w3.org/2000/09/xmldsig](http://www.w3.org/2000/09/xmldsig)
[http://www.w3.org/2000/svg](http://www.w3.org/2000/svg)
[http://www.w3.org/2000/xmlns/](http://www.w3.org/2000/xmlns/)
[http://www.w3.org/2001/XMLSchema](http://www.w3.org/2001/XMLSchema)
[http://www.w3.org/2002/08/xquery](http://www.w3.org/2002/08/xquery)
[http://www.w3.org/Graphics/SVG](http://www.w3.org/Graphics/SVG)
[http://www.w3.org/TR/1999/REC](http://www.w3.org/TR/1999/REC)
[http://www.w3.org/TR/REC](http://www.w3.org/TR/REC)
[http://www.w3.org/TR/html4/frameset.dtd](http://www.w3.org/TR/html4/frameset.dtd)
[http://www.w3.org/TR/html4/loose.dtd](http://www.w3.org/TR/html4/loose.dtd)
[http://www.w3.org/TR/html4/strict.dtd](http://www.w3.org/TR/html4/strict.dtd)
[http://www.w3.org/TR/xhtml1/DTD/xhtml1](http://www.w3.org/TR/xhtml1/DTD/xhtml1)
[http://www.w3.org/XML/1998/namespace](http://www.w3.org/XML/1998/namespace)
[http://www.w3.org/shortcut](http://www.w3.org/shortcut)
[http://www.walla.co.il/favicon.ico](http://www.walla.co.il/favicon.ico)
[http://www.webrtc.org/experiments/rtp](http://www.webrtc.org/experiments/rtp)
[http://www.wencodeURIComponent](http://www.wencodeURIComponent)
[http://www.xfa.com/schema/xfa](http://www.xfa.com/schema/xfa)
[http://www.xfa.org/schema/xci/](http://www.xfa.org/schema/xci/)
[http://www.xfa.org/schema/xdc/](http://www.xfa.org/schema/xdc/)
[http://www.xfa.org/schema/xfa](http://www.xfa.org/schema/xfa)
[http://www.years](http://www.years)
[http://www.yhs.delta](http://www.yhs.delta)
[http://www.zoznam.sk/hladaj.fcgi](http://www.zoznam.sk/hladaj.fcgi)
[http://www1.delta](http://www1.delta)
[http://www2.delta](http://www2.delta)
[http://www2.public](http://www2.public)
[http://xmlsoft.org/XSLT/namespace](http://xmlsoft.org/XSLT/namespace)
[https://ac.ecosia.org/autocomplete](https://ac.ecosia.org/autocomplete)
[https://ac.search.naver.com/nx/ac](https://ac.search.naver.com/nx/ac)
[https://alekberg.net/privacy](https://alekberg.net/privacy)
[https://android.com/pay](https://android.com/pay)
[https://aomediacodec.github.io/av1](https://aomediacodec.github.io/av1)
[https://api.oceanhero.today/suggestions](https://api.oceanhero.today/suggestions)
[https://api.qwant.com/api/suggest/](https://api.qwant.com/api/suggest/)
[https://ar.search.yahoo.com/favicon.ico](https://ar.search.yahoo.com/favicon.ico)
[https://ar.search.yahoo.com/search](https://ar.search.yahoo.com/search)
[https://ar.search.yahoo.com/sugg/chrome](https://ar.search.yahoo.com/sugg/chrome)
[https://at.search.yahoo.com/favicon.ico](https://at.search.yahoo.com/favicon.ico)
[https://at.search.yahoo.com/search](https://at.search.yahoo.com/search)
[https://at.search.yahoo.com/sugg/chrome](https://at.search.yahoo.com/sugg/chrome)
[https://au.search.yahoo.com/favicon.ico](https://au.search.yahoo.com/favicon.ico)
[https://au.search.yahoo.com/search](https://au.search.yahoo.com/search)
[https://au.search.yahoo.com/sugg/chrome](https://au.search.yahoo.com/sugg/chrome)
[https://beacons.gcp.gvt2.com/domainreliability/upload](https://beacons.gcp.gvt2.com/domainreliability/upload)
[https://beacons.gvt2.com/domainreliability/upload](https://beacons.gvt2.com/domainreliability/upload)
[https://beacons2.gvt2.com/domainreliability/upload](https://beacons2.gvt2.com/domainreliability/upload)
[https://beacons3.gvt2.com/domainreliability/upload](https://beacons3.gvt2.com/domainreliability/upload)
[https://beacons4.gvt2.com/domainreliability/upload](https://beacons4.gvt2.com/domainreliability/upload)
[https://beacons5.gvt2.com/domainreliability/upload](https://beacons5.gvt2.com/domainreliability/upload)
[https://beacons5.gvt3.com/domainreliability/upload](https://beacons5.gvt3.com/domainreliability/upload)
[https://bit.ly/3rpDuEX.](https://bit.ly/3rpDuEX.)
[https://bit.ly/audio](https://bit.ly/audio)
[https://blog.chromium.org/2019/10/no](https://blog.chromium.org/2019/10/no)
[https://br.search.yahoo.com/favicon.ico](https://br.search.yahoo.com/favicon.ico)
[https://br.search.yahoo.com/search](https://br.search.yahoo.com/search)
[https://br.search.yahoo.com/sugg/chrome](https://br.search.yahoo.com/sugg/chrome)
[https://bugs.chromium.org/p/chromium/issues/detail](https://bugs.chromium.org/p/chromium/issues/detail)
[https://bugs.chromium.org/p/dawn/issues/detail](https://bugs.chromium.org/p/dawn/issues/detail)
[https://bugs.chromium.org/p/v8/issues/detail](https://bugs.chromium.org/p/v8/issues/detail)
[https://buscador.softonic.com/](https://buscador.softonic.com/)
[https://buscador.terra.com.ar/Default.aspx](https://buscador.terra.com.ar/Default.aspx)
[https://buscador.terra.es/Default.aspx](https://buscador.terra.es/Default.aspx)
[https://c.android.clients.google.com/](https://c.android.clients.google.com/)
[https://c.bigcache.googleapis.com/](https://c.bigcache.googleapis.com/)
[https://c.docs.google.com/](https://c.docs.google.com/)
[https://c.drive.google.com/](https://c.drive.google.com/)
[https://c.googlesyndication.com/](https://c.googlesyndication.com/)
[https://c.pack.google.com/](https://c.pack.google.com/)
[https://c.play.google.com/](https://c.play.google.com/)
[https://c.youtube.com/](https://c.youtube.com/)
[https://ca.search.yahoo.com/favicon.ico](https://ca.search.yahoo.com/favicon.ico)
[https://ca.search.yahoo.com/search](https://ca.search.yahoo.com/search)
[https://ca.search.yahoo.com/sugg/chrome](https://ca.search.yahoo.com/sugg/chrome)
[https://cdn.ecosia.org/assets/images/ico/favicon.ico](https://cdn.ecosia.org/assets/images/ico/favicon.ico)
[https://ch.search.yahoo.com/favicon.ico](https://ch.search.yahoo.com/favicon.ico)
[https://ch.search.yahoo.com/search](https://ch.search.yahoo.com/search)
[https://ch.search.yahoo.com/sugg/chrome](https://ch.search.yahoo.com/sugg/chrome)
[https://chrome.cloudflare](https://chrome.cloudflare)
[https://chrome.google.com/webstore](https://chrome.google.com/webstore)
[https://chromium.dns.nextdns.io](https://chromium.dns.nextdns.io)
[https://chromium.googlesource.com/chromium/src/](https://chromium.googlesource.com/chromium/src/)
[https://cl.search.yahoo.com/favicon.ico](https://cl.search.yahoo.com/favicon.ico)
[https://cl.search.yahoo.com/search](https://cl.search.yahoo.com/search)
[https://cl.search.yahoo.com/sugg/chrome](https://cl.search.yahoo.com/sugg/chrome)
[https://cleanbrowsing.org/privacy](https://cleanbrowsing.org/privacy)
[https://clients2.google.com/domainreliability/upload](https://clients2.google.com/domainreliability/upload)
[https://clients2.google.com/service/update2/crx](https://clients2.google.com/service/update2/crx)
[https://clients3.google.com/ct_upload](https://clients3.google.com/ct_upload)
[https://co.search.yahoo.com/favicon.ico](https://co.search.yahoo.com/favicon.ico)
[https://co.search.yahoo.com/search](https://co.search.yahoo.com/search)
[https://co.search.yahoo.com/sugg/chrome](https://co.search.yahoo.com/sugg/chrome)
[https://coccoc.com/favicon.ico](https://coccoc.com/favicon.ico)
[https://coccoc.com/search](https://coccoc.com/search)
[https://code.google.com/p/chromium/issues/detail](https://code.google.com/p/chromium/issues/detail)
[https://console.spec.whatwg.org/](https://console.spec.whatwg.org/)
[https://crbug.com/1025266](https://crbug.com/1025266)
[https://crbug.com/1038223.](https://crbug.com/1038223.)
[https://crbug.com/1053756](https://crbug.com/1053756)
[https://crbug.com/1144908.](https://crbug.com/1144908.)
[https://crbug.com/1154140](https://crbug.com/1154140)
[https://crbug.com/1161355](https://crbug.com/1161355)
[https://crbug.com/1214923](https://crbug.com/1214923)
[https://crbug.com/1302249](https://crbug.com/1302249)
[https://crbug.com/1313172](https://crbug.com/1313172)
[https://crbug.com/401439](https://crbug.com/401439)
[https://crbug.com/619103.](https://crbug.com/619103.)
[https://crbug.com/638180.](https://crbug.com/638180.)
[https://crbug.com/824383](https://crbug.com/824383)
[https://crbug.com/824647](https://crbug.com/824647)
[https://crbug.com/927119](https://crbug.com/927119)
[https://crbug.com/981419](https://crbug.com/981419)
[https://crbug.com/dawn/1016](https://crbug.com/dawn/1016)
[https://crbug.com/dawn/1071](https://crbug.com/dawn/1071)
[https://crbug.com/dawn/1203](https://crbug.com/dawn/1203)
[https://crbug.com/dawn/1264](https://crbug.com/dawn/1264)
[https://crbug.com/dawn/1302](https://crbug.com/dawn/1302)
[https://crbug.com/dawn/1305](https://crbug.com/dawn/1305)
[https://crbug.com/dawn/136](https://crbug.com/dawn/136)
[https://crbug.com/dawn/145](https://crbug.com/dawn/145)
[https://crbug.com/dawn/155](https://crbug.com/dawn/155)
[https://crbug.com/dawn/193](https://crbug.com/dawn/193)
[https://crbug.com/dawn/237](https://crbug.com/dawn/237)
[https://crbug.com/dawn/271](https://crbug.com/dawn/271)
[https://crbug.com/dawn/286](https://crbug.com/dawn/286)
[https://crbug.com/dawn/342](https://crbug.com/dawn/342)
[https://crbug.com/dawn/343](https://crbug.com/dawn/343)
[https://crbug.com/dawn/36](https://crbug.com/dawn/36)
[https://crbug.com/dawn/402](https://crbug.com/dawn/402)
[https://crbug.com/dawn/42](https://crbug.com/dawn/42)
[https://crbug.com/dawn/434](https://crbug.com/dawn/434)
[https://crbug.com/dawn/480](https://crbug.com/dawn/480)
[https://crbug.com/dawn/56](https://crbug.com/dawn/56)
[https://crbug.com/dawn/582](https://crbug.com/dawn/582)
[https://crbug.com/dawn/633](https://crbug.com/dawn/633)
[https://crbug.com/dawn/666](https://crbug.com/dawn/666)
[https://crbug.com/dawn/667](https://crbug.com/dawn/667)
[https://crbug.com/dawn/673](https://crbug.com/dawn/673)
[https://crbug.com/dawn/776](https://crbug.com/dawn/776)
[https://crbug.com/dawn/792](https://crbug.com/dawn/792)
[https://crbug.com/dawn/838](https://crbug.com/dawn/838)
[https://crbug.com/dawn/840](https://crbug.com/dawn/840)
[https://crbug.com/dawn/960](https://crbug.com/dawn/960)
[https://crbug.com/new](https://crbug.com/new)
[https://crbug.com/tint.](https://crbug.com/tint.)
[https://crbug.com/tint/1003](https://crbug.com/tint/1003)
[https://crbug.com/v8/7848](https://crbug.com/v8/7848)
[https://crbug.com/v8/8520](https://crbug.com/v8/8520)
[https://creativecommons.org/licenses/by](https://creativecommons.org/licenses/by)
[https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js](https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js)
[https://datatracker.ietf.org/doc/draft](https://datatracker.ietf.org/doc/draft)
[https://dawn.googlesource.com/dawn/](https://dawn.googlesource.com/dawn/)
[https://de.search.yahoo.com/favicon.ico](https://de.search.yahoo.com/favicon.ico)
[https://de.search.yahoo.com/search](https://de.search.yahoo.com/search)
[https://de.search.yahoo.com/sugg/chrome](https://de.search.yahoo.com/sugg/chrome)
[https://dev.chromium.org/throttling](https://dev.chromium.org/throttling)
[https://developer.chrome.com/blog/enabling](https://developer.chrome.com/blog/enabling)
[https://developer.chrome.com/blog/immutable](https://developer.chrome.com/blog/immutable)
[https://developer.chrome.com/blog/mv2](https://developer.chrome.com/blog/mv2)
[https://developer.chrome.com/docs/extensions/mv3/cross](https://developer.chrome.com/docs/extensions/mv3/cross)
[https://developer.mozilla.org/en](https://developer.mozilla.org/en)
[https://developers.cloudflare.com/1.1.1.1/privacy/public](https://developers.cloudflare.com/1.1.1.1/privacy/public)
[https://developers.google.com/speed/public](https://developers.google.com/speed/public)
[https://developers.google.com/web/updates/2016/08/removing](https://developers.google.com/web/updates/2016/08/removing)
[https://discord.com/invite/APGC3k5yaH](https://discord.com/invite/APGC3k5yaH)
[https://dk.search.yahoo.com/favicon.ico](https://dk.search.yahoo.com/favicon.ico)
[https://dk.search.yahoo.com/search](https://dk.search.yahoo.com/search)
[https://dl.gmx.com/apps/favicon.ico](https://dl.gmx.com/apps/favicon.ico)
[https://dns.google/dns](https://dns.google/dns)
[https://dns.quad9.net/dns](https://dns.quad9.net/dns)
[https://dns.sb/privacy/](https://dns.sb/privacy/)
[https://dns.switch.ch/dns](https://dns.switch.ch/dns)
[https://dns10.quad9.net/dns](https://dns10.quad9.net/dns)
[https://dns11.quad9.net/dns](https://dns11.quad9.net/dns)
[https://dns64.dns.google/dns](https://dns64.dns.google/dns)
[https://dnsnl.alekberg.net/dns](https://dnsnl.alekberg.net/dns)
[https://docs.google.com/](https://docs.google.com/)
[https://doh.cleanbrowsing.org/doh/adult](https://doh.cleanbrowsing.org/doh/adult)
[https://doh.cleanbrowsing.org/doh/family](https://doh.cleanbrowsing.org/doh/family)
[https://doh.cleanbrowsing.org/doh/security](https://doh.cleanbrowsing.org/doh/security)
[https://doh.cox.net/dns](https://doh.cox.net/dns)
[https://doh.dns.sb/dns](https://doh.dns.sb/dns)
[https://doh.familyshield.opendns.com/dns](https://doh.familyshield.opendns.com/dns)
[https://doh.opendns.com/dns](https://doh.opendns.com/dns)
[https://doh.quickline.ch/dns](https://doh.quickline.ch/dns)
[https://doh.xfinity.com/dns](https://doh.xfinity.com/dns)
[https://duckduckgo.com/ac/](https://duckduckgo.com/ac/)
[https://duckduckgo.com/chrome_newtab](https://duckduckgo.com/chrome_newtab)
[https://duckduckgo.com/favicon.ico](https://duckduckgo.com/favicon.ico)
[https://electronjs.org/docs/tutorial/security.](https://electronjs.org/docs/tutorial/security.)
[https://en.softonic.com/s/](https://en.softonic.com/s/)
[https://en.wikipedia.org/wiki/ANSI_escape_code](https://en.wikipedia.org/wiki/ANSI_escape_code)
[https://en.wikipedia.org/wiki/SPKAC](https://en.wikipedia.org/wiki/SPKAC)
[https://encoding.spec.whatwg.org/](https://encoding.spec.whatwg.org/)
[https://es.search.yahoo.com/favicon.ico](https://es.search.yahoo.com/favicon.ico)
[https://es.search.yahoo.com/search](https://es.search.yahoo.com/search)
[https://es.search.yahoo.com/sugg/chrome](https://es.search.yahoo.com/sugg/chrome)
[https://esdiscuss.org/topic/isconstructor](https://esdiscuss.org/topic/isconstructor)
[https://example.org](https://example.org)
[https://fi.search.yahoo.com/favicon.ico](https://fi.search.yahoo.com/favicon.ico)
[https://fi.search.yahoo.com/search](https://fi.search.yahoo.com/search)
[https://fr.search.yahoo.com/favicon.ico](https://fr.search.yahoo.com/favicon.ico)
[https://fr.search.yahoo.com/search](https://fr.search.yahoo.com/search)
[https://fr.search.yahoo.com/sugg/chrome](https://fr.search.yahoo.com/sugg/chrome)
[https://gcp.gvt2.com/](https://gcp.gvt2.com/)
[https://gcp.gvt6.com/](https://gcp.gvt6.com/)
[https://gist.github.com/XVilka/8346728](https://gist.github.com/XVilka/8346728)
[https://github.com/KhronosGroup/Vulkan](https://github.com/KhronosGroup/Vulkan)
[https://github.com/WICG/construct](https://github.com/WICG/construct)
[https://github.com/WICG/conversion](https://github.com/WICG/conversion)
[https://github.com/WICG/scheduling](https://github.com/WICG/scheduling)
[https://github.com/WebAssembly/esm](https://github.com/WebAssembly/esm)
[https://github.com/WebBluetoothCG/web](https://github.com/WebBluetoothCG/web)
[https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js](https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js)
[https://github.com/addaleax/eventemitter](https://github.com/addaleax/eventemitter)
[https://github.com/antirez/linenoise](https://github.com/antirez/linenoise)
[https://github.com/chalk/ansi](https://github.com/chalk/ansi)
[https://github.com/chalk/supports](https://github.com/chalk/supports)
[https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorithm_params.h](https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorithm_params.h)
[https://github.com/da](https://github.com/da)
[https://github.com/electron/electron/issues/18397.](https://github.com/electron/electron/issues/18397.)
[https://github.com/electron/electron/tree/v](https://github.com/electron/electron/tree/v)
[https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js](https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js)
[https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js](https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js)
[https://github.com/google/closure](https://github.com/google/closure)
[https://github.com/gpuweb/gpuweb/issues/1565](https://github.com/gpuweb/gpuweb/issues/1565)
[https://github.com/isaacs/color](https://github.com/isaacs/color)
[https://github.com/joyent/node/issues/3295.](https://github.com/joyent/node/issues/3295.)
[https://github.com/libuv/libuv/pull/1501.](https://github.com/libuv/libuv/pull/1501.)
[https://github.com/mafintosh/end](https://github.com/mafintosh/end)
[https://github.com/mafintosh/pump](https://github.com/mafintosh/pump)
[https://github.com/mysticatea/abort](https://github.com/mysticatea/abort)
[https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6](https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6)
[https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4](https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4)
[https://github.com/nodejs/node/issues/13435](https://github.com/nodejs/node/issues/13435)
[https://github.com/nodejs/node/issues/19009](https://github.com/nodejs/node/issues/19009)
[https://github.com/nodejs/node/issues/2006](https://github.com/nodejs/node/issues/2006)
[https://github.com/nodejs/node/issues/2119](https://github.com/nodejs/node/issues/2119)
[https://github.com/nodejs/node/issues/31074](https://github.com/nodejs/node/issues/31074)
[https://github.com/nodejs/node/issues/3392](https://github.com/nodejs/node/issues/3392)
[https://github.com/nodejs/node/issues/34532](https://github.com/nodejs/node/issues/34532)
[https://github.com/nodejs/node/issues/35475](https://github.com/nodejs/node/issues/35475)
[https://github.com/nodejs/node/issues/35862](https://github.com/nodejs/node/issues/35862)
[https://github.com/nodejs/node/issues/35981](https://github.com/nodejs/node/issues/35981)
[https://github.com/nodejs/node/issues/39707](https://github.com/nodejs/node/issues/39707)
[https://github.com/nodejs/node/issues/39758](https://github.com/nodejs/node/issues/39758)
[https://github.com/nodejs/node/pull/12342](https://github.com/nodejs/node/pull/12342)
[https://github.com/nodejs/node/pull/12607](https://github.com/nodejs/node/pull/12607)
[https://github.com/nodejs/node/pull/13870](https://github.com/nodejs/node/pull/13870)
[https://github.com/nodejs/node/pull/1771](https://github.com/nodejs/node/pull/1771)
[https://github.com/nodejs/node/pull/21313](https://github.com/nodejs/node/pull/21313)
[https://github.com/nodejs/node/pull/26334.](https://github.com/nodejs/node/pull/26334.)
[https://github.com/nodejs/node/pull/30380](https://github.com/nodejs/node/pull/30380)
[https://github.com/nodejs/node/pull/30958](https://github.com/nodejs/node/pull/30958)
[https://github.com/nodejs/node/pull/33515.](https://github.com/nodejs/node/pull/33515.)
[https://github.com/nodejs/node/pull/33661](https://github.com/nodejs/node/pull/33661)
[https://github.com/nodejs/node/pull/3394](https://github.com/nodejs/node/pull/3394)
[https://github.com/nodejs/node/pull/34010](https://github.com/nodejs/node/pull/34010)
[https://github.com/nodejs/node/pull/34103](https://github.com/nodejs/node/pull/34103)
[https://github.com/nodejs/node/pull/34375](https://github.com/nodejs/node/pull/34375)
[https://github.com/nodejs/node/pull/34385](https://github.com/nodejs/node/pull/34385)
[https://github.com/nodejs/node/pull/35949](https://github.com/nodejs/node/pull/35949)
[https://github.com/nodejs/node/pull/36061](https://github.com/nodejs/node/pull/36061)
[https://github.com/nodejs/node/pull/38248](https://github.com/nodejs/node/pull/38248)
[https://github.com/nodejs/node/pull/38433](https://github.com/nodejs/node/pull/38433)
[https://github.com/nodejs/node/pull/38614](https://github.com/nodejs/node/pull/38614)
[https://github.com/standard](https://github.com/standard)
[https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md](https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md)
[https://github.com/tc39/ecma262/issues/1209](https://github.com/tc39/ecma262/issues/1209)
[https://github.com/tc39/proposal](https://github.com/tc39/proposal)
[https://github.com/w3c/ServiceWorker/issues/1356.](https://github.com/w3c/ServiceWorker/issues/1356.)
[https://github.com/w3c/gamepad/pull/112](https://github.com/w3c/gamepad/pull/112)
[https://github.com/w3c/gamepad/pull/120](https://github.com/w3c/gamepad/pull/120)
[https://github.com/w3c/webappsec](https://github.com/w3c/webappsec)
[https://go.imgsmail.ru/favicon.ico](https://go.imgsmail.ru/favicon.ico)
[https://go.mail.ru/chrome/newtab/](https://go.mail.ru/chrome/newtab/)
[https://go.mail.ru/msearch](https://go.mail.ru/msearch)
[https://go.mail.ru/search](https://go.mail.ru/search)
[https://goo.gl/4NeimX](https://goo.gl/4NeimX)
[https://goo.gl/7K7WLu](https://goo.gl/7K7WLu)
[https://goo.gl/EuHzyv](https://goo.gl/EuHzyv)
[https://goo.gl/HxfxSQ](https://goo.gl/HxfxSQ)
[https://goo.gl/J6ASzs](https://goo.gl/J6ASzs)
[https://goo.gl/LdLk22](https://goo.gl/LdLk22)
[https://goo.gl/Y0ZkNV](https://goo.gl/Y0ZkNV)
[https://goo.gl/rStTGz](https://goo.gl/rStTGz)
[https://goo.gl/t5IS6M](https://goo.gl/t5IS6M)
[https://goo.gl/xX8pDD](https://goo.gl/xX8pDD)
[https://goo.gl/ximf56](https://goo.gl/ximf56)
[https://goo.gl/yabPex](https://goo.gl/yabPex)
[https://google.com/pay](https://google.com/pay)
[https://googlevideo.com/](https://googlevideo.com/)
[https://gpuweb.github.io/gpuweb/wgsl/](https://gpuweb.github.io/gpuweb/wgsl/)
[https://gvt1.com/](https://gvt1.com/)
[https://gvt2.com/](https://gvt2.com/)
[https://gvt6.com/](https://gvt6.com/)
[https://heycam.github.io/webidl/](https://heycam.github.io/webidl/)
[https://history.report](https://history.report)
[https://hk.search.yahoo.com/favicon.ico](https://hk.search.yahoo.com/favicon.ico)
[https://hk.search.yahoo.com/search](https://hk.search.yahoo.com/search)
[https://hk.search.yahoo.com/sugg/chrome](https://hk.search.yahoo.com/sugg/chrome)
[https://hladaj.atlas.sk/fulltext/](https://hladaj.atlas.sk/fulltext/)
[https://html.spec.whatwg.org/multipage/browsers.html](https://html.spec.whatwg.org/multipage/browsers.html)
[https://html.spec.whatwg.org/multipage/timers](https://html.spec.whatwg.org/multipage/timers)
[https://html.spec.whatwg.org/multipage/webappapis.html](https://html.spec.whatwg.org/multipage/webappapis.html)
[https://id.search.yahoo.com/favicon.ico](https://id.search.yahoo.com/favicon.ico)
[https://id.search.yahoo.com/search](https://id.search.yahoo.com/search)
[https://id.search.yahoo.com/sugg/chrome](https://id.search.yahoo.com/sugg/chrome)
[https://in.search.yahoo.com/favicon.ico](https://in.search.yahoo.com/favicon.ico)
[https://in.search.yahoo.com/search](https://in.search.yahoo.com/search)
[https://in.search.yahoo.com/sugg/chrome](https://in.search.yahoo.com/sugg/chrome)
[https://infra.spec.whatwg.org/](https://infra.spec.whatwg.org/)
[https://invisible](https://invisible)
[https://isearch.avg.com/search](https://isearch.avg.com/search)
[https://linux.die.net/man/1/dircolors](https://linux.die.net/man/1/dircolors)
[https://log.getdropbox.com/hpkp](https://log.getdropbox.com/hpkp)
[https://log.getdropbox.com/log/expectct](https://log.getdropbox.com/log/expectct)
[https://m.so.com/index.php](https://m.so.com/index.php)
[https://m.so.com/s](https://m.so.com/s)
[https://m.sogou.com/web/](https://m.sogou.com/web/)
[https://malaysia.search.yahoo.com/favicon.ico](https://malaysia.search.yahoo.com/favicon.ico)
[https://malaysia.search.yahoo.com/search](https://malaysia.search.yahoo.com/search)
[https://malaysia.search.yahoo.com/sugg/chrome](https://malaysia.search.yahoo.com/sugg/chrome)
[https://mathiasbynens.be/notes/javascript](https://mathiasbynens.be/notes/javascript)
[https://matteomarescotti.report](https://matteomarescotti.report)
[https://metager.de/favicon.ico](https://metager.de/favicon.ico)
[https://metager.de/meta/meta.ger3](https://metager.de/meta/meta.ger3)
[https://metager.org/meta/meta.ger3](https://metager.org/meta/meta.ger3)
[https://monitoring.url.loader.factory.invalid](https://monitoring.url.loader.factory.invalid)
[https://mths.be/punycode](https://mths.be/punycode)
[https://mx.search.yahoo.com/favicon.ico](https://mx.search.yahoo.com/favicon.ico)
[https://mx.search.yahoo.com/search](https://mx.search.yahoo.com/search)
[https://mx.search.yahoo.com/sugg/chrome](https://mx.search.yahoo.com/sugg/chrome)
[https://nextdns.io/privacy](https://nextdns.io/privacy)
[https://nl.search.yahoo.com/favicon.ico](https://nl.search.yahoo.com/favicon.ico)
[https://nl.search.yahoo.com/search](https://nl.search.yahoo.com/search)
[https://nl.search.yahoo.com/sugg/chrome](https://nl.search.yahoo.com/sugg/chrome)
[https://nl.softonic.com/s/](https://nl.softonic.com/s/)
[https://nodejs.org/api/cli.html](https://nodejs.org/api/cli.html)
[https://nodejs.org/api/fs.html](https://nodejs.org/api/fs.html)
[https://nodejs.org/download/release/v16.14.2/node](https://nodejs.org/download/release/v16.14.2/node)
[https://nodejs.org/en/docs/inspector](https://nodejs.org/en/docs/inspector)
[https://nodejs.org/static/images/favicons/favicon.ico](https://nodejs.org/static/images/favicons/favicon.ico)
[https://nova.rambler.ru/search](https://nova.rambler.ru/search)
[https://nova.rambler.ru/suggest](https://nova.rambler.ru/suggest)
[https://nz.search.yahoo.com/favicon.ico](https://nz.search.yahoo.com/favicon.ico)
[https://nz.search.yahoo.com/search](https://nz.search.yahoo.com/search)
[https://nz.search.yahoo.com/sugg/chrome](https://nz.search.yahoo.com/sugg/chrome)
[https://oceanhero.today/favicon.ico](https://oceanhero.today/favicon.ico)
[https://oceanhero.today/web](https://oceanhero.today/web)
[https://odvr.nic.cz/doh](https://odvr.nic.cz/doh)
[https://pe.search.yahoo.com/favicon.ico](https://pe.search.yahoo.com/favicon.ico)
[https://pe.search.yahoo.com/search](https://pe.search.yahoo.com/search)
[https://pe.search.yahoo.com/sugg/chrome](https://pe.search.yahoo.com/sugg/chrome)
[https://perfetto.dev/docs/contributing/getting](https://perfetto.dev/docs/contributing/getting)
[https://petalsearch.com/search](https://petalsearch.com/search)
[https://ph.search.yahoo.com/favicon.ico](https://ph.search.yahoo.com/favicon.ico)
[https://ph.search.yahoo.com/search](https://ph.search.yahoo.com/search)
[https://ph.search.yahoo.com/sugg/chrome](https://ph.search.yahoo.com/sugg/chrome)
[https://play.google.com/billing](https://play.google.com/billing)
[https://public.dns.iij.jp/dns](https://public.dns.iij.jp/dns)
[https://publickeyservice.aws.privacysandboxservices.com/v1alpha/publicKeys](https://publickeyservice.aws.privacysandboxservices.com/v1alpha/publicKeys)
[https://qc.search.yahoo.com/favicon.ico](https://qc.search.yahoo.com/favicon.ico)
[https://qc.search.yahoo.com/search](https://qc.search.yahoo.com/search)
[https://qc.search.yahoo.com/sugg/chrome](https://qc.search.yahoo.com/sugg/chrome)
[https://redirector.gvt1.com/edgedl/chrome/dict/](https://redirector.gvt1.com/edgedl/chrome/dict/)
[https://scotthelme.report](https://scotthelme.report)
[https://se.search.yahoo.com/favicon.ico](https://se.search.yahoo.com/favicon.ico)
[https://se.search.yahoo.com/search](https://se.search.yahoo.com/search)
[https://search.avg.com/route/](https://search.avg.com/route/)
[https://search.daum.net/favicon.ico](https://search.daum.net/favicon.ico)
[https://search.daum.net/search](https://search.daum.net/search)
[https://search.gmx.co.uk/web/result](https://search.gmx.co.uk/web/result)
[https://search.gmx.com/web/result](https://search.gmx.com/web/result)
[https://search.gmx.es/web/result](https://search.gmx.es/web/result)
[https://search.gmx.fr/web/result](https://search.gmx.fr/web/result)
[https://search.goo.ne.jp/cdn/common/img/favicon.ico](https://search.goo.ne.jp/cdn/common/img/favicon.ico)
[https://search.goo.ne.jp/sgt.jsp](https://search.goo.ne.jp/sgt.jsp)
[https://search.goo.ne.jp/web.jsp](https://search.goo.ne.jp/web.jsp)
[https://search.naver.com/search.naver](https://search.naver.com/search.naver)
[https://search.privacywall.org/suggest.php](https://search.privacywall.org/suggest.php)
[https://search.seznam.cz/favicon.ico](https://search.seznam.cz/favicon.ico)
[https://search.seznam.sk/favicon.ico](https://search.seznam.sk/favicon.ico)
[https://search.softonic.com/](https://search.softonic.com/)
[https://search.walla.co.il/](https://search.walla.co.il/)
[https://search.yahoo.co.jp/favicon.ico](https://search.yahoo.co.jp/favicon.ico)
[https://search.yahoo.co.jp/search](https://search.yahoo.co.jp/search)
[https://search.yahoo.com/favicon.ico](https://search.yahoo.com/favicon.ico)
[https://search.yahoo.com/search](https://search.yahoo.com/search)
[https://search.yahoo.com/sugg/chrome](https://search.yahoo.com/sugg/chrome)
[https://search.yahooapis.jp/AssistSearchService/V2/webassistSearch](https://search.yahooapis.jp/AssistSearchService/V2/webassistSearch)
[https://searchatlas.centrum.cz/favicon.ico](https://searchatlas.centrum.cz/favicon.ico)
[https://server1.example](https://server1.example)
[https://server2.example](https://server2.example)
[https://sg.search.yahoo.com/favicon.ico](https://sg.search.yahoo.com/favicon.ico)
[https://sg.search.yahoo.com/search](https://sg.search.yahoo.com/search)
[https://sg.search.yahoo.com/sugg/chrome](https://sg.search.yahoo.com/sugg/chrome)
[https://source.chromium.org/chromium/chromium/src/](https://source.chromium.org/chromium/chromium/src/)
[https://sourcemaps.info/spec.html](https://sourcemaps.info/spec.html)
[https://sp.ask.com/sh/i/a16/favicon/favicon.ico](https://sp.ask.com/sh/i/a16/favicon/favicon.ico)
[https://ssl.gstatic.com/](https://ssl.gstatic.com/)
[https://ssl.pstatic.net/sstatic/search/favicon/favicon_140327.ico](https://ssl.pstatic.net/sstatic/search/favicon/favicon_140327.ico)
[https://stackoverflow.com/a/5501711/3561](https://stackoverflow.com/a/5501711/3561)
[https://storage.ape.yandex.net/get/browser/Doodles/yandex/drawable](https://storage.ape.yandex.net/get/browser/Doodles/yandex/drawable)
[https://suche.gmx.at/web/result](https://suche.gmx.at/web/result)
[https://suche.gmx.net/web/result](https://suche.gmx.net/web/result)
[https://sug.so.360.cn/suggest](https://sug.so.360.cn/suggest)
[https://sugg.sogou.com/sugg/ajaj_json.jsp](https://sugg.sogou.com/sugg/ajaj_json.jsp)
[https://suggest.search.daum.net/sushi/opensearch/pc](https://suggest.search.daum.net/sushi/opensearch/pc)
[https://suggest.seznam.cz/fulltext_ff](https://suggest.seznam.cz/fulltext_ff)
[https://suggest.seznam.sk/fulltext_ff](https://suggest.seznam.sk/fulltext_ff)
[https://suggest.yandex.by/suggest](https://suggest.yandex.by/suggest)
[https://suggest.yandex.com.tr/suggest](https://suggest.yandex.com.tr/suggest)
[https://suggest.yandex.com/suggest](https://suggest.yandex.com/suggest)
[https://suggest.yandex.kz/suggest](https://suggest.yandex.kz/suggest)
[https://suggest.yandex.ru/suggest](https://suggest.yandex.ru/suggest)
[https://suggest.yandex.ua/suggest](https://suggest.yandex.ua/suggest)
[https://suggestion.baidu.com/su](https://suggestion.baidu.com/su)
[https://suggestplugin.gmx.at/s](https://suggestplugin.gmx.at/s)
[https://suggestplugin.gmx.co.uk/s](https://suggestplugin.gmx.co.uk/s)
[https://suggestplugin.gmx.com/s](https://suggestplugin.gmx.com/s)
[https://suggestplugin.gmx.es/s](https://suggestplugin.gmx.es/s)
[https://suggestplugin.gmx.fr/s](https://suggestplugin.gmx.fr/s)
[https://suggestplugin.gmx.net/s](https://suggestplugin.gmx.net/s)
[https://suggests.go.mail.ru/chrome](https://suggests.go.mail.ru/chrome)
[https://tc39.es/ecma262/](https://tc39.es/ecma262/)
[https://tc39.github.io/ecma262/](https://tc39.github.io/ecma262/)
[https://th.search.yahoo.com/favicon.ico](https://th.search.yahoo.com/favicon.ico)
[https://th.search.yahoo.com/search](https://th.search.yahoo.com/search)
[https://th.search.yahoo.com/sugg/chrome](https://th.search.yahoo.com/sugg/chrome)
[https://tobiassachs.report](https://tobiassachs.report)
[https://tools.ietf.org/html/rfc2397](https://tools.ietf.org/html/rfc2397)
[https://tools.ietf.org/html/rfc3492](https://tools.ietf.org/html/rfc3492)
[https://tools.ietf.org/html/rfc3986](https://tools.ietf.org/html/rfc3986)
[https://tools.ietf.org/html/rfc5280](https://tools.ietf.org/html/rfc5280)
[https://tools.ietf.org/html/rfc6455](https://tools.ietf.org/html/rfc6455)
[https://tools.ietf.org/html/rfc6960](https://tools.ietf.org/html/rfc6960)
[https://tools.ietf.org/html/rfc7230](https://tools.ietf.org/html/rfc7230)
[https://tools.ietf.org/html/rfc7540](https://tools.ietf.org/html/rfc7540)
[https://tr.search.yahoo.com/favicon.ico](https://tr.search.yahoo.com/favicon.ico)
[https://tr.search.yahoo.com/search](https://tr.search.yahoo.com/search)
[https://tw.search.yahoo.com/favicon.ico](https://tw.search.yahoo.com/favicon.ico)
[https://tw.search.yahoo.com/search](https://tw.search.yahoo.com/search)
[https://tw.search.yahoo.com/sugg/chrome](https://tw.search.yahoo.com/sugg/chrome)
[https://uk.search.yahoo.com/favicon.ico](https://uk.search.yahoo.com/favicon.ico)
[https://uk.search.yahoo.com/search](https://uk.search.yahoo.com/search)
[https://uk.search.yahoo.com/sugg/chrome](https://uk.search.yahoo.com/sugg/chrome)
[https://url.spec.whatwg.org/](https://url.spec.whatwg.org/)
[https://v8.dev/blog/v8](https://v8.dev/blog/v8)
[https://ve.search.yahoo.com/favicon.ico](https://ve.search.yahoo.com/favicon.ico)
[https://ve.search.yahoo.com/search](https://ve.search.yahoo.com/search)
[https://ve.search.yahoo.com/sugg/chrome](https://ve.search.yahoo.com/sugg/chrome)
[https://vn.search.yahoo.com/favicon.ico](https://vn.search.yahoo.com/favicon.ico)
[https://vn.search.yahoo.com/search](https://vn.search.yahoo.com/search)
[https://vn.search.yahoo.com/sugg/chrome](https://vn.search.yahoo.com/sugg/chrome)
[https://w3c.github.io/encrypted](https://w3c.github.io/encrypted)
[https://w3c.github.io/manifest/](https://w3c.github.io/manifest/)
[https://w3c.github.io/webappsec](https://w3c.github.io/webappsec)
[https://webrtc.org/web](https://webrtc.org/web)
[https://wiki.squid](https://wiki.squid)
[https://www.World](https://www.World)
[https://www.ask.com/web](https://www.ask.com/web)
[https://www.baidu.com/favicon.ico](https://www.baidu.com/favicon.ico)
[https://www.baidu.com/s](https://www.baidu.com/s)
[https://www.bing.com/chrome/newtab](https://www.bing.com/chrome/newtab)
[https://www.bing.com/images/detail/search](https://www.bing.com/images/detail/search)
[https://www.bing.com/osjson.aspx](https://www.bing.com/osjson.aspx)
[https://www.bing.com/sa/simg/bing_p_rr_teal_min.ico](https://www.bing.com/sa/simg/bing_p_rr_teal_min.ico)
[https://www.bing.com/search](https://www.bing.com/search)
[https://www.bluetooth.com/specifications/gatt/characteristics](https://www.bluetooth.com/specifications/gatt/characteristics)
[https://www.bluetooth.com/specifications/gatt/descriptors](https://www.bluetooth.com/specifications/gatt/descriptors)
[https://www.bluetooth.com/specifications/gatt/services](https://www.bluetooth.com/specifications/gatt/services)
[https://www.chromestatus.com/feature/4664843055398912](https://www.chromestatus.com/feature/4664843055398912)
[https://www.chromestatus.com/feature/5082396709879808](https://www.chromestatus.com/feature/5082396709879808)
[https://www.chromestatus.com/feature/5093566007214080](https://www.chromestatus.com/feature/5093566007214080)
[https://www.chromestatus.com/feature/5148698084376576](https://www.chromestatus.com/feature/5148698084376576)
[https://www.chromestatus.com/feature/5527160148197376](https://www.chromestatus.com/feature/5527160148197376)
[https://www.chromestatus.com/feature/5629582019395584.](https://www.chromestatus.com/feature/5629582019395584.)
[https://www.chromestatus.com/feature/5636954674692096](https://www.chromestatus.com/feature/5636954674692096)
[https://www.chromestatus.com/feature/5644273861001216.](https://www.chromestatus.com/feature/5644273861001216.)
[https://www.chromestatus.com/feature/5654791610957824](https://www.chromestatus.com/feature/5654791610957824)
[https://www.chromestatus.com/feature/5667793157488640](https://www.chromestatus.com/feature/5667793157488640)
[https://www.chromestatus.com/feature/5669008342777856](https://www.chromestatus.com/feature/5669008342777856)
[https://www.chromestatus.com/feature/5682658461876224.](https://www.chromestatus.com/feature/5682658461876224.)
[https://www.chromestatus.com/feature/5718547946799104](https://www.chromestatus.com/feature/5718547946799104)
[https://www.chromestatus.com/feature/5738264052891648](https://www.chromestatus.com/feature/5738264052891648)
[https://www.chromestatus.com/feature/5742188281462784.](https://www.chromestatus.com/feature/5742188281462784.)
[https://www.chromestatus.com/feature/5745543795965952](https://www.chromestatus.com/feature/5745543795965952)
[https://www.chromestatus.com/feature/5749447073988608](https://www.chromestatus.com/feature/5749447073988608)
[https://www.chromestatus.com/feature/5851021045661696.](https://www.chromestatus.com/feature/5851021045661696.)
[https://www.chromestatus.com/feature/6662647093133312](https://www.chromestatus.com/feature/6662647093133312)
[https://www.chromium.org/blink/origin](https://www.chromium.org/blink/origin)
[https://www.cisco.com/c/en/us/about/legal/privacy](https://www.cisco.com/c/en/us/about/legal/privacy)
[https://www.delfi.lt/favicon.ico](https://www.delfi.lt/favicon.ico)
[https://www.delfi.lt/paieska/](https://www.delfi.lt/paieska/)
[https://www.ecma](https://www.ecma)
[https://www.ecosia.org/search](https://www.ecosia.org/search)
[https://www.electronjs.org/docs/tutorial/application](https://www.electronjs.org/docs/tutorial/application)
[https://www.givero.com/favicon.ico](https://www.givero.com/favicon.ico)
[https://www.givero.com/search](https://www.givero.com/search)
[https://www.givero.com/suggest](https://www.givero.com/suggest)
[https://www.google.com/images/branding/product/ico/googleg_lodp.ico](https://www.google.com/images/branding/product/ico/googleg_lodp.ico)
[https://www.google.com/speech](https://www.google.com/speech)
[https://www.googleapis.com/geolocation/v1/geolocate](https://www.googleapis.com/geolocation/v1/geolocate)
[https://www.googleapis.com/spelling/v](https://www.googleapis.com/spelling/v)
[https://www.gstatic.com/securitykey/a/google.com/origins.json](https://www.gstatic.com/securitykey/a/google.com/origins.json)
[https://www.gstatic.com/securitykey/origins.json](https://www.gstatic.com/securitykey/origins.json)
[https://www.iana.org/assignments/tls](https://www.iana.org/assignments/tls)
[https://www.info.com/serp](https://www.info.com/serp)
[https://www.info.com/static/www.info.com/favicon.ico](https://www.info.com/static/www.info.com/favicon.ico)
[https://www.microsoft.com/en](https://www.microsoft.com/en)
[https://www.neti.ee/api/suggestOS](https://www.neti.ee/api/suggestOS)
[https://www.neti.ee/cgi](https://www.neti.ee/cgi)
[https://www.nic.cz/odvr/](https://www.nic.cz/odvr/)
[https://www.privacywall.org/images/favicon_32x32.ico](https://www.privacywall.org/images/favicon_32x32.ico)
[https://www.privacywall.org/search/secure/](https://www.privacywall.org/search/secure/)
[https://www.quad9.net/home/privacy/](https://www.quad9.net/home/privacy/)
[https://www.qwant.com/favicon.ico](https://www.qwant.com/favicon.ico)
[https://www.recent](https://www.recent)
[https://www.so.com/favicon.ico](https://www.so.com/favicon.ico)
[https://www.so.com/s](https://www.so.com/s)
[https://www.softonic.com.br/s/](https://www.softonic.com.br/s/)
[https://www.softonic.com/s/](https://www.softonic.com/s/)
[https://www.sogou.com/images/logo/old/favicon.ico](https://www.sogou.com/images/logo/old/favicon.ico)
[https://www.sogou.com/web](https://www.sogou.com/web)
[https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt](https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt)
[https://www.verisign.com/cps04000000Z](https://www.verisign.com/cps04000000Z)
[https://www.verisign.com/rpa](https://www.verisign.com/rpa)
[https://www.w3.org/TR/WebCryptoAPI/](https://www.w3.org/TR/WebCryptoAPI/)
[https://www.w3.org/TR/hr](https://www.w3.org/TR/hr)
[https://www.w3.org/TR/mse](https://www.w3.org/TR/mse)
[https://www.w3.org/TR/powerful](https://www.w3.org/TR/powerful)
[https://www.w3.org/TR/webauthn](https://www.w3.org/TR/webauthn)
[https://www.yandex.by/chrome/newtab](https://www.yandex.by/chrome/newtab)
[https://www.yandex.com.tr/chrome/newtab](https://www.yandex.com.tr/chrome/newtab)
[https://www.yandex.kz/chrome/newtab](https://www.yandex.kz/chrome/newtab)
[https://www.yandex.ru/chrome/newtab](https://www.yandex.ru/chrome/newtab)
[https://www.yandex.ua/chrome/newtab](https://www.yandex.ua/chrome/newtab)
[https://www.zoznam.sk/favicon.ico](https://www.zoznam.sk/favicon.ico)
[https://www.zoznam.sk/hladaj.fcgi](https://www.zoznam.sk/hladaj.fcgi)
[https://xhr.spec.whatwg.org/.](https://xhr.spec.whatwg.org/.)
[https://yandex.by/images/search/](https://yandex.by/images/search/)
[https://yandex.com.tr/gorsel/search](https://yandex.com.tr/gorsel/search)
[https://yandex.com/images/search](https://yandex.com/images/search)
[https://yandex.com/search/](https://yandex.com/search/)
[https://yandex.kz/images/search/](https://yandex.kz/images/search/)
[https://yandex.ru/images/search/](https://yandex.ru/images/search/)
[https://yandex.ua/images/search/](https://yandex.ua/images/search/)
[https://yastatic.net/lego/_/pDu9OWAQKB0s2J9IojKpiS_Eho.ico](https://yastatic.net/lego/_/pDu9OWAQKB0s2J9IojKpiS_Eho.ico)
[https://yastatic.net/lego/_/rBTjd6UOPk5913OSn5ZQVYMTQWQ.ico](https://yastatic.net/lego/_/rBTjd6UOPk5913OSn5ZQVYMTQWQ.ico) | -| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [AccountPasswordsConsent](https://github.com/search?q=AccountPasswordsConsent&type=code)
[ChromePasswordManagerClient](https://github.com/search?q=ChromePasswordManagerClient&type=code)
[GaiaPasswordCaptured](https://github.com/search?q=GaiaPasswordCaptured&type=code)
[GaiaPasswordReuse](https://github.com/search?q=GaiaPasswordReuse&type=code)
[Invalid password pattern](https://github.com/search?q=Invalid+password+pattern&type=code)
[PasswordH](https://github.com/search?q=PasswordH&type=code)
[PasswordIssues](https://github.com/search?q=PasswordIssues&type=code)
[PasswordReuseDetected](https://github.com/search?q=PasswordReuseDetected&type=code)
[PasswordReuseLookup](https://github.com/search?q=PasswordReuseLookup&type=code)
[PasswordReveal](https://github.com/search?q=PasswordReveal&type=code)
[PasswordSpecificsData](https://github.com/search?q=PasswordSpecificsData&type=code)
[SetPasswordFunc](https://github.com/search?q=SetPasswordFunc&type=code)
[Username and password are expected to](https://github.com/search?q=Username+and+password+are+expected+to&type=code)
[a username and password](https://github.com/search?q=a+username+and+password&type=code)
[accessibilityPasswordValuesEnabled](https://github.com/search?q=accessibilityPasswordValuesEnabled&type=code)
[and password fields set](https://github.com/search?q=and+password+fields+set&type=code)
[bPassword](https://github.com/search?q=bPassword&type=code)
[challengePassword](https://github.com/search?q=challengePassword&type=code)
[const has_password](https://github.com/search?q=const+has_password&type=code)
[current-password](https://github.com/search?q=current-password&type=code)
[gaia_password_reuse](https://github.com/search?q=gaia_password_reuse&type=code)
[generated a new password](https://github.com/search?q=generated+a+new+password&type=code)
[get password](https://github.com/search?q=get+password&type=code)
[getPasswordComplete](https://github.com/search?q=getPasswordComplete&type=code)
[have-a-username-password-port](https://github.com/search?q=have-a-username-password-port&type=code)
[have-username-password-port](https://github.com/search?q=have-username-password-port&type=code)
[id-PasswordBasedMAC](https://github.com/search?q=id-PasswordBasedMAC&type=code)
[keyring_delete_password](https://github.com/search?q=keyring_delete_password&type=code)
[keyring_find_password_sync](https://github.com/search?q=keyring_find_password_sync&type=code)
[keyring_free_password](https://github.com/search?q=keyring_free_password&type=code)
[keyring_store_password_sync](https://github.com/search?q=keyring_store_password_sync&type=code)
[like a password](https://github.com/search?q=like+a+password&type=code)
[new-password](https://github.com/search?q=new-password&type=code)
[or PasswordCredentialData](https://github.com/search?q=or+PasswordCredentialData&type=code)
[password based MAC](https://github.com/search?q=password+based+MAC&type=code)
[password is too large](https://github.com/search?q=password+is+too+large&type=code)
[password text](https://github.com/search?q=password+text&type=code)
[password-change](https://github.com/search?q=password-change&type=code)
[password-protection](https://github.com/search?q=password-protection&type=code)
[password-reveal](https://github.com/search?q=password-reveal&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[passwordChar](https://github.com/search?q=passwordChar&type=code)
[passwordDialogTitle](https://github.com/search?q=passwordDialogTitle&type=code)
[passwordEchoEnabled](https://github.com/search?q=passwordEchoEnabled&type=code)
[passwordEdit](https://github.com/search?q=passwordEdit&type=code)
[passwordInvalid](https://github.com/search?q=passwordInvalid&type=code)
[passwordPrompt](https://github.com/search?q=passwordPrompt&type=code)
[passwordSubmit](https://github.com/search?q=passwordSubmit&type=code)
[password_specifics](https://github.com/search?q=password_specifics&type=code)
[readPassword](https://github.com/search?q=readPassword&type=code)
[secret_password_clear_sync](https://github.com/search?q=secret_password_clear_sync&type=code)
[secret_password_store_sync](https://github.com/search?q=secret_password_store_sync&type=code)
[set password](https://github.com/search?q=set+password&type=code)
[such as passwords](https://github.com/search?q=such+as+passwords&type=code)
[to deserialize password_string](https://github.com/search?q=to+deserialize+password_string&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[username or password](https://github.com/search?q=username+or+password&type=code)
[writePassword](https://github.com/search?q=writePassword&type=code) | -| LOW | [credential/password/finder](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password_finder.yara#gnome_keyring_sync) | gnome keyring sync | [gnome_keyring_find_password_sync](https://github.com/search?q=gnome_keyring_find_password_sync&type=code) | -| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[privateKey](https://github.com/search?q=privateKey&type=code)
[private_key](https://github.com/search?q=private_key&type=code) | -| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) | -| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [AeadEncryptDecrypt](https://github.com/search?q=AeadEncryptDecrypt&type=code)
[AesCbcEncryptDecrypt](https://github.com/search?q=AesCbcEncryptDecrypt&type=code)
[CommonEncryptDecrypt](https://github.com/search?q=CommonEncryptDecrypt&type=code)
[ContentDecryptionModuleClient](https://github.com/search?q=ContentDecryptionModuleClient&type=code)
[CreateContentDecryptionModule](https://github.com/search?q=CreateContentDecryptionModule&type=code)
[Creation of DecryptConfig failed](https://github.com/search?q=Creation+of+DecryptConfig+failed&type=code)
[DecryptAndDecodeAudio](https://github.com/search?q=DecryptAndDecodeAudio&type=code)
[DecryptAndDecodeVideo](https://github.com/search?q=DecryptAndDecodeVideo&type=code)
[DecryptPendingBuffer](https://github.com/search?q=DecryptPendingBuffer&type=code)
[Decrypted a 0](https://github.com/search?q=Decrypted+a+0&type=code)
[DecryptingAudioDecoder](https://github.com/search?q=DecryptingAudioDecoder&type=code)
[DecryptingVideoDecoder](https://github.com/search?q=DecryptingVideoDecoder&type=code)
[Decryption failed](https://github.com/search?q=Decryption+failed&type=code)
[Decryption is not avail](https://github.com/search?q=Decryption+is+not+avail&type=code)
[DoDecryptReply](https://github.com/search?q=DoDecryptReply&type=code)
[For a Content Decryption Module](https://github.com/search?q=For+a+Content+Decryption+Module&type=code)
[GetFrameDecryptor](https://github.com/search?q=GetFrameDecryptor&type=code)
[Hardware Secure Decryption is disabled](https://github.com/search?q=Hardware+Secure+Decryption+is+disabled&type=code)
[HardwareSecureDecryptionExperiment](https://github.com/search?q=HardwareSecureDecryptionExperiment&type=code)
[MojoDecryptorService](https://github.com/search?q=MojoDecryptorService&type=code)
[Selected DecryptingDemuxerStream](https://github.com/search?q=Selected+DecryptingDemuxerStream&type=code)
[Setting FrameDecryptor](https://github.com/search?q=Setting+FrameDecryptor&type=code)
[WaitingForDecryptionKey](https://github.com/search?q=WaitingForDecryptionKey&type=code)
[_privateDecrypt](https://github.com/search?q=_privateDecrypt&type=code)
[_publicDecrypt](https://github.com/search?q=_publicDecrypt&type=code)
[ause of SetFrameDecryptor](https://github.com/search?q=ause+of+SetFrameDecryptor&type=code)
[const privateDecrypt](https://github.com/search?q=const+privateDecrypt&type=code)
[const publicDecrypt](https://github.com/search?q=const+publicDecrypt&type=code)
[e to set ContentDecryptionModule object](https://github.com/search?q=e+to+set+ContentDecryptionModule+object&type=code)
[existing ContentDecryptionModule object](https://github.com/search?q=existing+ContentDecryptionModule+object&type=code)
[kDecryptError](https://github.com/search?q=kDecryptError&type=code)
[kIsAudioDecryptingDemuxerStream](https://github.com/search?q=kIsAudioDecryptingDemuxerStream&type=code)
[kIsVideoDecryptingDemuxerStream](https://github.com/search?q=kIsVideoDecryptingDemuxerStream&type=code)
[kWebCryptoCipherDecrypt](https://github.com/search?q=kWebCryptoCipherDecrypt&type=code)
[ketsReceivedWithDecrypter](https://github.com/search?q=ketsReceivedWithDecrypter&type=code) | -| LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) | -| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | -| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public Key](https://github.com/search?q=Public+Key&type=code)
[Public key](https://github.com/search?q=Public+key&type=code)
[Public-key](https://github.com/search?q=Public-key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | -| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code)
[require('tls')](https://github.com/search?q=require%28%27tls%27%29&type=code) | -| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | -| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | -| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | -| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | -| LOW | [data/embedded/pem_certificate](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert) | Contains embedded PEM certificate | [--BEGIN CERTIFICATE--](https://github.com/search?q=--BEGIN+CERTIFICATE--&type=code) | -| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | -| LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSON.parse](https://github.com/search?q=JSON.parse&type=code) | -| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | -| LOW | 
[data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | -| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | -| LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | -| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | -| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | -| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [evasion/hijack_execution/LD_LIBRARY_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hijack_execution/LD_LIBRARY_PATH.yara#ld_library_path) | ld library path | [LD_LIBRARY_PATH](https://github.com/search?q=LD_LIBRARY_PATH&type=code) | -| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | -| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | -| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Chromium PDF Plugin](https://github.com/search?q=Chromium+PDF+Plugin&type=code)
[ContainsPlugins](https://github.com/search?q=ContainsPlugins&type=code)
[Failed to generate a plugin id](https://github.com/search?q=Failed+to+generate+a+plugin+id&type=code)
[GetPluginInfo](https://github.com/search?q=GetPluginInfo&type=code)
[GetPlugins](https://github.com/search?q=GetPlugins&type=code)
[If you want to block plugins](https://github.com/search?q=If+you+want+to+block+plugins&type=code)
[Is an accelerated plugin](https://github.com/search?q=Is+an+accelerated+plugin&type=code)
[LoadPluginsSoon](https://github.com/search?q=LoadPluginsSoon&type=code)
[No PPP_GetInterface in plugin library](https://github.com/search?q=No+PPP_GetInterface+in+plugin+library&type=code)
[No PPP_InitializeModule in plugin library](https://github.com/search?q=No+PPP_InitializeModule+in+plugin+library&type=code)
[OnPepperPluginCrashed](https://github.com/search?q=OnPepperPluginCrashed&type=code)
[OnPepperPluginHung](https://github.com/search?q=OnPepperPluginHung&type=code)
[OpenChannelToPepperPlugin](https://github.com/search?q=OpenChannelToPepperPlugin&type=code)
[Pepper Plugin Broker](https://github.com/search?q=Pepper+Plugin+Broker&type=code)
[PepperPluginInstance](https://github.com/search?q=PepperPluginInstance&type=code)
[Plugin Changed](https://github.com/search?q=Plugin+Changed&type=code)
[Plugin URL](https://github.com/search?q=Plugin+URL&type=code)
[Plugin doesn](https://github.com/search?q=Plugin+doesn&type=code)
[PluginArray](https://github.com/search?q=PluginArray&type=code)
[PluginContextSecurity](https://github.com/search?q=PluginContextSecurity&type=code)
[PluginData](https://github.com/search?q=PluginData&type=code)
[PluginDispatcher](https://github.com/search?q=PluginDispatcher&type=code)
[PluginLoad](https://github.com/search?q=PluginLoad&type=code)
[PluginPrivate](https://github.com/search?q=PluginPrivate&type=code)
[PluginRegistry](https://github.com/search?q=PluginRegistry&type=code)
[PluginResource](https://github.com/search?q=PluginResource&type=code)
[PluginService](https://github.com/search?q=PluginService&type=code)
[PluginSizeUpdated](https://github.com/search?q=PluginSizeUpdated&type=code)
[PpapiMsg_LoadPlugin](https://github.com/search?q=PpapiMsg_LoadPlugin&type=code)
[PpapiPluginMain](https://github.com/search?q=PpapiPluginMain&type=code)
[PpapiPluginMetrics](https://github.com/search?q=PpapiPluginMetrics&type=code)
[RemoveBrowserPluginEmbedder](https://github.com/search?q=RemoveBrowserPluginEmbedder&type=code)
[SendToPlugin](https://github.com/search?q=SendToPlugin&type=code)
[SetBrowserPluginGuest](https://github.com/search?q=SetBrowserPluginGuest&type=code)
[The plugin has not](https://github.com/search?q=The+plugin+has+not&type=code)
[Unable to create ppapi plugin process](https://github.com/search?q=Unable+to+create+ppapi+plugin+process&type=code)
[Unable to load plugin](https://github.com/search?q=Unable+to+load+plugin&type=code)
[Unable to load ppapi plugin](https://github.com/search?q=Unable+to+load+ppapi+plugin&type=code)
[allowNonEmptyNavigatorPlugins](https://github.com/search?q=allowNonEmptyNavigatorPlugins&type=code)
[as a plugin](https://github.com/search?q=as+a+plugin&type=code)
[browserplugin](https://github.com/search?q=browserplugin&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[html_plugin_element](https://github.com/search?q=html_plugin_element&type=code)
[kPluginObject](https://github.com/search?q=kPluginObject&type=code)
[loadplugin](https://github.com/search?q=loadplugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[page contains plugins](https://github.com/search?q=page+contains+plugins&type=code)
[pdf_internal_plugin_wrapper](https://github.com/search?q=pdf_internal_plugin_wrapper&type=code)
[pdf_view_plugin_base](https://github.com/search?q=pdf_view_plugin_base&type=code)
[pdf_view_web_plugin](https://github.com/search?q=pdf_view_web_plugin&type=code)
[pepper_hung_plugin_filter](https://github.com/search?q=pepper_hung_plugin_filter&type=code)
[pepper_webplugin_impl](https://github.com/search?q=pepper_webplugin_impl&type=code)
[plugin data](https://github.com/search?q=plugin+data&type=code)
[pluginObject](https://github.com/search?q=pluginObject&type=code)
[plugin_audio_thread](https://github.com/search?q=plugin_audio_thread&type=code)
[plugin_container_impl](https://github.com/search?q=plugin_container_impl&type=code)
[plugin_instance_impl](https://github.com/search?q=plugin_instance_impl&type=code)
[plugin_message_filter](https://github.com/search?q=plugin_message_filter&type=code)
[plugin_module](https://github.com/search?q=plugin_module&type=code)
[plugin_private_storage](https://github.com/search?q=plugin_private_storage&type=code)
[plugin_process_host](https://github.com/search?q=plugin_process_host&type=code)
[plugin_service_impl](https://github.com/search?q=plugin_service_impl&type=code)
[pluginprH](https://github.com/search?q=pluginprH&type=code)
[pluginsEnabled](https://github.com/search?q=pluginsEnabled&type=code)
[pluginspace](https://github.com/search?q=pluginspace&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[pluginurl](https://github.com/search?q=pluginurl&type=code)
[ppapi_plugin_main](https://github.com/search?q=ppapi_plugin_main&type=code)
[ppapi_plugin_process](https://github.com/search?q=ppapi_plugin_process&type=code)
[r PluginH](https://github.com/search?q=r+PluginH&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code)
[security origin than your plugin](https://github.com/search?q=security+origin+than+your+plugin&type=code)
[strictMixedContentCheckingForPlugin](https://github.com/search?q=strictMixedContentCheckingForPlugin&type=code)
[suggestplugin](https://github.com/search?q=suggestplugin&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectoryAndGetEr](https://github.com/search?q=CreateDirectoryAndGetEr&type=code)
[CreateDirectoryResult](https://github.com/search?q=CreateDirectoryResult&type=code)
[createFolder](https://github.com/search?q=createFolder&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | -| LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm HP-USB500 5.1 Headset](https://github.com/search?q=rm+HP-USB500+5.1+Headset&type=code)
[rm PA-WL54GU](https://github.com/search?q=rm+PA-WL54GU&type=code) | -| LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | -| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | -| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | -| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code)
[fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code) | -| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | -| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code)
[writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeIntoFile](https://github.com/search?q=writeIntoFile&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code) | -| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | -| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/asound.conf](https://github.com/search?q=%2Fetc%2Fasound.conf&type=code)
[/etc/ati/amdpcsdb.default](https://github.com/search?q=%2Fetc%2Fati%2Famdpcsdb.default&type=code)
[/etc/catalog](https://github.com/search?q=%2Fetc%2Fcatalog&type=code)
[/etc/chromium/native-messaging-hosts](https://github.com/search?q=%2Fetc%2Fchromium%2Fnative-messaging-hosts&type=code)
[/etc/chromium/policies](https://github.com/search?q=%2Fetc%2Fchromium%2Fpolicies&type=code)
[/etc/fallback](https://github.com/search?q=%2Fetc%2Ffallback&type=code)
[/etc/fonts.xml](https://github.com/search?q=%2Fetc%2Ffonts.xml&type=code)
[/etc/host.conf](https://github.com/search?q=%2Fetc%2Fhost.conf&type=code)
[/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code)
[/etc/localtime](https://github.com/search?q=%2Fetc%2Flocaltime&type=code)
[/etc/lsb-release](https://github.com/search?q=%2Fetc%2Flsb-release&type=code)
[/etc/nsswitch.conf](https://github.com/search?q=%2Fetc%2Fnsswitch.conf&type=code)
[/etc/os-release](https://github.com/search?q=%2Fetc%2Fos-release&type=code)
[/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/ssl/certs](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts&type=code)
[/etc/svc.conf](https://github.com/search?q=%2Fetc%2Fsvc.conf&type=code)
[/etc/system](https://github.com/search?q=%2Fetc%2Fsystem&type=code)
[/etc/timezone](https://github.com/search?q=%2Fetc%2Ftimezone&type=code)
[/etc/vulkan/icd.d](https://github.com/search?q=%2Fetc%2Fvulkan%2Ficd.d&type=code)
[/etc/xml/catalog](https://github.com/search?q=%2Fetc%2Fxml%2Fcatalog&type=code) | -| LOW | [fs/path/etc_resolv.conf](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf) | accesses DNS resolver configuration | [/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code) | -| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/privacy/](https://github.com/search?q=%2Fhome%2Fprivacy%2F&type=code) | -| LOW | [fs/path/home_config](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path) | path reference within ~/.config | [.config/pulse](https://github.com/search?q=.config%2Fpulse&type=code)
[/.config/user](https://github.com/search?q=%2F.config%2Fuser&type=code) | -| LOW | [fs/path/usr_bin](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path) | path reference within /usr/bin | [/usr/bin/wget](https://github.com/search?q=%2Fusr%2Fbin%2Fwget&type=code) | -| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/cache/fontconfig](https://github.com/search?q=%2Fvar%2Fcache%2Ffontconfig&type=code)
[/var/log/bluetooth/bluetooth_quality_report](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Fbluetooth_quality_report&type=code)
[/var/log/bluetooth/log.bz2.old](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Flog.bz2.old&type=code)
[/var/run/user](https://github.com/search?q=%2Fvar%2Frun%2Fuser&type=code)
[/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | -| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | -| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TEMPDIR](https://github.com/search?q=TEMPDIR&type=code)
[TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | -| LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | -| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [tmpfile](https://github.com/search?q=tmpfile&type=code) | -| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | -| LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) | -| LOW | [impact/ui/screen_capture](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ui/screen-capture.yara#macos_screen_capture) | macos screen capture | [captureScreen](https://github.com/search?q=captureScreen&type=code) | -| LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [require('dns')](https://github.com/search?q=require%28%27dns%27%29&type=code) | -| LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [resolv.conf](https://github.com/search?q=resolv.conf&type=code) | -| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | -| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | -| LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | -| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with basic authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | -| LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [oauth2](https://github.com/search?q=oauth2&type=code) | -| LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[httpClose](https://github.com/search?q=httpClose&type=code)
[httpConnect](https://github.com/search?q=httpConnect&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code) | -| LOW | [net/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets) | access the internet | [invalid packet](https://github.com/search?q=invalid+packet&type=code) | -| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | -| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#cannot_resolve) | resolve network host name to IP address | [cannot resolve](https://github.com/search?q=cannot+resolve&type=code) | -| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | -| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [client_address_spac](https://github.com/search?q=client_address_spac&type=code)
[getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code)
[sendmmsg](https://github.com/search?q=sendmmsg&type=code)
[sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | -| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code)
[new URL](https://github.com/search?q=new+URL&type=code) | -| LOW | [os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val) | Retrieve environment variable values | [env.COLORTERM](https://github.com/search?q=env.COLORTERM&type=code)
[env.ELECTRON](https://github.com/search?q=env.ELECTRON&type=code)
[env.FORCE](https://github.com/search?q=env.FORCE&type=code)
[env.NODE](https://github.com/search?q=env.NODE&type=code)
[env.ORIGINAL](https://github.com/search?q=env.ORIGINAL&type=code)
[env.TEAMCITY](https://github.com/search?q=env.TEAMCITY&type=code)
[env.TEMP](https://github.com/search?q=env.TEMP&type=code)
[env.TERM](https://github.com/search?q=env.TERM&type=code)
[env.TMP](https://github.com/search?q=env.TMP&type=code)
[env.TMUX](https://github.com/search?q=env.TMUX&type=code)
[env.USERPROFILE](https://github.com/search?q=env.USERPROFILE&type=code)
[env.XDG](https://github.com/search?q=env.XDG&type=code) | -| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | -| LOW | [os/fd/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#py_fd_read) | reads from a file handle | [context.read()](https://github.com/search?q=context.read%28%29&type=code)
[reader.read()](https://github.com/search?q=reader.read%28%29&type=code)
[req.read()](https://github.com/search?q=req.read%28%29&type=code)
[self.read()](https://github.com/search?q=self.read%28%29&type=code)
[socket.read()](https://github.com/search?q=socket.read%28%29&type=code)
[stream.read()](https://github.com/search?q=stream.read%28%29&type=code)
[tail.read()](https://github.com/search?q=tail.read%28%29&type=code) | -| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) | -| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [_decoder.write(b)](https://github.com/search?q=_decoder.write%28b%29&type=code)
[_decoder.write(ret)](https://github.com/search?q=_decoder.write%28ret%29&type=code)
[_downstream.write(e)](https://github.com/search?q=_downstream.write%28e%29&type=code)
[decoder.write(chunk)](https://github.com/search?q=decoder.write%28chunk%29&type=code)
[decoder.write(data)](https://github.com/search?q=decoder.write%28data%29&type=code)
[dest.write(chunk)](https://github.com/search?q=dest.write%28chunk%29&type=code)
[output.write(errStack)](https://github.com/search?q=output.write%28errStack%29&type=code)
[output.write(line)](https://github.com/search?q=output.write%28line%29&type=code)
[output.write(result)](https://github.com/search?q=output.write%28result%29&type=code)
[output.write(stringToWrite)](https://github.com/search?q=output.write%28stringToWrite%29&type=code)
[pt.write(val)](https://github.com/search?q=pt.write%28val%29&type=code)
[self.write(prefix)](https://github.com/search?q=self.write%28prefix%29&type=code)
[stdout.write(s)](https://github.com/search?q=stdout.write%28s%29&type=code)
[stream.write(data)](https://github.com/search?q=stream.write%28data%29&type=code)
[stream.write(string)](https://github.com/search?q=stream.write%28string%29&type=code)
[streamWritable.write(chunk)](https://github.com/search?q=streamWritable.write%28chunk%29&type=code)
[this.write(buf)](https://github.com/search?q=this.write%28buf%29&type=code)
[this.write(data)](https://github.com/search?q=this.write%28data%29&type=code)
[this.write(response)](https://github.com/search?q=this.write%28response%29&type=code)
[writable.write(chunk)](https://github.com/search?q=writable.write%28chunk%29&type=code)
[writer.write(chunk)](https://github.com/search?q=writer.write%28chunk%29&type=code) | -| LOW | [os/kernel/netlink](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink) | communicate with kernel services | [netlink](https://github.com/search?q=netlink&type=code) | -| LOW | [os/kernel/perfmon](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/perfmon.yara#perf_event_open) | set up performance monitoring | [perf_event_open](https://github.com/search?q=perf_event_open&type=code) | -| LOW | [os/kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) | -| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | -| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd](https://github.com/search?q=cd&type=code) | -| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | -| LOW | [process/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#syscall_vfork) | [create child process](https://man7.org/linux/man-pages/man2/vfork.2.html) | [vfork](https://github.com/search?q=vfork&type=code) | -| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | 
[setgid](https://github.com/search?q=setgid&type=code) | -| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | -| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | - diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple index d979ac23..e69de29b 100644 --- a/tests/linux/clean/containerd.simple +++ b/tests/linux/clean/containerd.simple 
@@ -1,134 +0,0 @@ -# linux/clean/containerd: medium -c2/addr/ip: medium -c2/addr/server: medium -c2/addr/url: low -c2/client: medium -c2/tool_transfer/arch: low -c2/tool_transfer/os: medium -collect/archives/zip: medium -collect/databases/mysql: medium -credential/password: low -credential/sniffer/bpf: medium -credential/sniffer/pcap: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/ecdsa: low -crypto/ed25519: low -crypto/public_key: low -crypto/tls: low -data/compression/bzip2: low -data/compression/gzip: low -data/compression/zlib: low -data/compression/zstd: low -data/embedded/html: medium -data/embedded/zstd: medium -data/encoding/base64: low -data/encoding/json: low -data/encoding/json_decode: low -data/hash/md5: low -discover/network/mac_address: medium -discover/system/cpu: low -discover/system/hostname: low -discover/system/platform: medium -discover/user/USER: low -evasion/file/location/dev_mqueue: medium -evasion/file/location/dev_shm: medium -evasion/file/location/var_run: medium -evasion/process_injection/ptrace: medium -exec/plugin: low -exec/program: medium -exec/reconfigure/hostname_set: low -exec/shell/TERM: low -exec/system_controls/apparmor: medium -exec/system_controls/systemd: low -fs/attributes/set: medium -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/event_monitoring: low -fs/file/copy: medium -fs/file/create: medium -fs/file/delete: low -fs/file/delete_forcibly: low -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/times_set: medium -fs/file/write: low -fs/link_create: low -fs/link_read: low -fs/lock_update: low -fs/loopback: medium -fs/mount: low -fs/node_create: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/home: low -fs/path/usr_local: medium -fs/path/var: low -fs/permission/chown: medium -fs/permission/modify: medium -fs/proc/arbitrary_pid: medium -fs/proc/net_route: medium 
-fs/proc/self_cgroup: medium -fs/proc/self_mountinfo: medium -fs/tempdir/TEMP: low -fs/tempdir/create: low -fs/tempfile: low -fs/unmount: low -fs/watch: low -hw/dev/block_ice: medium -hw/dev/mapper: medium -impact/remote_access/heartbeat: medium -net/dns: low -net/dns/reverse: medium -net/dns/servers: low -net/dns/txt: low -net/download: medium -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/content_length: medium -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/http/webhook: medium -net/http/websocket: medium -net/ip/host_port: medium -net/ip/icmp: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/ip/send_unicast: low -net/resolve/hostname: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/pair: medium -net/socket/peer_address: low -net/socket/receive: low -net/socket/send: low -net/tcp/connect: medium -net/tcp/grpc: low -net/udp/receive: low -net/udp/send: low -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -os/fd/sendfile: low -os/kernel/kcore: low -os/kernel/netlink: low -os/kernel/seccomp: low -persist/pid_file: medium -process/chdir: low -process/groupid_set: low -process/groups_set: low -process/terminate/kill_multiple: medium -sus/exclamation: medium -sus/intercept: medium diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md index 65bd4667..f1cfca48 100644 --- a/tests/linux/clean/cpack.md +++ b/tests/linux/clean/cpack.md 
@@ -1,8 +1,8 @@ -## linux/clean/cpack [🛑 HIGH] +## linux/clean/cpack [🟡 MEDIUM] | RISK | KEY | DESCRIPTION | EVIDENCE | |--|--|--|--| -| HIGH | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries concatenated into a single file | $elf_head | +| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[use_port](https://github.com/search?q=use_port&type=code) | | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientID](https://github.com/search?q=clientID&type=code) | | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Darwin](https://github.com/search?q=Darwin&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | diff --git a/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple index 1519652c..e69de29b 100644 --- a/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple +++ b/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple @@ -1,48 +0,0 @@ -# linux/clean/kibana/securitySolution.chunk.22.js: critical -c2/addr/url: high -c2/discovery/dyndns: medium -c2/tool_transfer/arch: low -c2/tool_transfer/download: high -c2/tool_transfer/dropper: medium -c2/tool_transfer/exe_url: high -c2/tool_transfer/grayware: high -c2/tool_transfer/os: medium -collect/databases/mysql: medium -credential/keylogger: medium -credential/password: low -crypto/blockchain: medium -crypto/openssl: medium -data/encoding/json_decode: low -evasion/file/prefix: medium -evasion/rootkit/refs: medium -evasion/rootkit/userspace: low -exec/plugin: low -exec/shell/power: medium -exfil/upload: medium -fs/lock_update: low -fs/path/dev: medium -impact/cryptojacking/monero_pool: medium -impact/ddos: medium -impact/exploit: medium -impact/exploit/cve: medium -impact/exploit/known_s: medium -impact/infection/infected: medium -impact/infection/worm: medium -impact/remote_access/backdoor: medium -impact/remote_access/iptables: medium -impact/remote_access/reverse_shell: high -impact/remote_access/trojan: medium -lateral/scan/brute_force: low -malware/ref: medium -net/dns/txt: low -net/download: medium -net/tcp/sftp: medium -net/url/embedded: medium -net/url/parse: low -persist/daemon: medium -process/chroot: low -sec-tool/net/masscan: high -sec-tool/net/nmap: medium -sec-tool/pentest/metasploit_ref: medium -sus/leetspeak: medium -sus/malicious: medium diff --git a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple index 9a1d7634..e69de29b 100644 --- a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple 
+++ b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple 
@@ -1,71 +0,0 @@ -# linux/clean/kibana/securitySolution.chunk.9.js: critical -anti-static/obfuscation/js: medium -anti-static/obfuscation/reverse: medium -c2/addr/ip: medium -c2/addr/url: high -c2/discovery/dyndns: medium -c2/tool_transfer/arch: low -c2/tool_transfer/download: high -c2/tool_transfer/dropper: medium -c2/tool_transfer/exe_url: high -c2/tool_transfer/grayware: high -c2/tool_transfer/os: medium -collect/databases/mysql: medium -credential/keylogger: medium -credential/password: low -crypto/blockchain: medium -crypto/encrypt: medium -crypto/openssl: medium -data/embedded/base64_url: medium -data/encoding/base64: low -data/encoding/json_decode: low -data/encoding/json_encode: low -data/hash/md5: low -discover/network/mac_address: medium -discover/process/name: medium -discover/process/parent: low -evasion/file/prefix: medium -evasion/rootkit/refs: medium -evasion/rootkit/userspace: low -exec/cmd: medium -exec/plugin: low -exec/shell/power: medium -exec/system_controls/apparmor: medium -exfil/upload: medium -fs/lock_update: low -fs/mount: low -fs/path/dev: medium -impact/cryptojacking/monero_pool: medium -impact/ddos: medium -impact/exploit: medium -impact/exploit/cve: medium -impact/exploit/known_s: medium -impact/exploit/overflow_shellcode: high -impact/infection/infected: medium -impact/infection/worm: medium -impact/remote_access/backdoor: medium -impact/remote_access/iptables: medium -impact/remote_access/reverse_shell: high -impact/remote_access/trojan: medium -lateral/scan/brute_force: low -malware/ref: medium -net/dns/txt: low -net/download: medium -net/http/post: medium -net/http/request: low -net/ip/addr: medium -net/ip/host_port: medium -net/socket/listen: medium -net/socket/send: low -net/tcp/sftp: medium -net/url/embedded: medium -net/url/parse: low -net/url/request: medium -os/kernel/seccomp: low -persist/daemon: medium -process/chroot: low -sec-tool/net/masscan: high -sec-tool/net/nmap: medium -sec-tool/pentest/metasploit_ref: medium 
-sus/leetspeak: medium -sus/malicious: medium diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple index 59142a2a..e69de29b 100644 --- a/tests/linux/clean/kuma-cp.simple +++ b/tests/linux/clean/kuma-cp.simple 
@@ -1,142 +0,0 @@ -# linux/clean/kuma-cp: medium -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/server: medium -c2/addr/url: low -c2/client: medium -c2/tool_transfer/arch: low -c2/tool_transfer/download: medium -c2/tool_transfer/os: medium -collect/archives/zip: medium -collect/databases/mysql: medium -collect/databases/postgresql: medium -credential/password: low -credential/server/htpasswd: medium -credential/sniffer/bpf: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/ecdsa: low -crypto/ed25519: low -crypto/public_key: low -crypto/tls: low -crypto/uuid: medium -data/base64/external: medium -data/compression/bzip2: low -data/compression/gzip: low -data/compression/zlib: low -data/compression/zstd: low -data/embedded/base64_url: medium -data/embedded/html: medium -data/embedded/pem_test_key: low -data/encoding/base64: low -data/encoding/json: low -data/encoding/json_decode: low -data/encoding/json_encode: low -data/hash/md5: low -discover/network/interface_list: medium -discover/network/mac_address: medium -discover/network/netstat: medium -discover/processes/list: medium -discover/system/cpu: low -discover/system/dmesg: low -discover/system/hostname: low -discover/system/platform: medium -discover/system/sysinfo: medium -discover/user/HOME: low -discover/user/USER: low -discover/user/name_get: medium -evasion/bypass_security/linux/iptables: medium -evasion/file/location/var_run: medium -evasion/file/prefix: medium -exec/cmd: medium -exec/conditional/LANG: low -exec/plugin: low -exec/program: medium -exec/shell/SHELL: low -exec/shell/TERM: low -exec/shell/background_sleep: medium -exfil/collection: medium -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/fifo_create: low -fs/file/copy: medium -fs/file/delete: low -fs/file/delete_forcibly: low -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/stat: low -fs/file/write: low -fs/link_read: low 
-fs/mount: low -fs/node_create: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/home_config: low -fs/path/tmp: medium -fs/path/usr_bin: low -fs/path/var: low -fs/permission/chown: medium -fs/permission/modify: medium -fs/quota_manipulate: low -fs/swap/on: low -fs/tempdir/TEMP: low -fs/tempfile: low -fs/unmount: low -fs/watch: low -hw/dev/block_ice: medium -impact/remote_access/heartbeat: medium -impact/remote_access/iptables: medium -net/dns: low -net/dns/reverse: medium -net/dns/servers: low -net/dns/txt: low -net/download: medium -net/download/fetch: medium -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/content_length: medium -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/http/webhook: medium -net/http/websocket: medium -net/ip/host_port: medium -net/ip/icmp: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/proxy/tunnel: medium -net/resolve/hostname: low -net/resolve/hostport_parse: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/peer_address: low -net/socket/receive: low -net/socket/send: low -net/tcp/connect: medium -net/tcp/grpc: low -net/tcp/ssh: medium -net/udp/receive: low -net/udp/send: low -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -os/fd/sendfile: low -os/kernel/netlink: low -os/kernel/seccomp: low -persist/cron/tab: medium -privesc/sudo: medium -process/chroot: low -process/groupid_set: low -sus/exclamation: medium -sus/intercept: medium diff --git a/tests/linux/clean/ld-2.27.so.simple b/tests/linux/clean/ld-2.27.so.simple index a8017f32..0180d38e 100644 --- a/tests/linux/clean/ld-2.27.so.simple +++ b/tests/linux/clean/ld-2.27.so.simple 
@@ -1,7 +1,7 @@ -# linux/clean/ld-2.27.so: high +# linux/clean/ld-2.27.so: medium anti-behavior/LD_DEBUG: medium anti-behavior/LD_PROFILE: medium -anti-static/elf/multiple: high +anti-static/elf/multiple: medium c2/addr/url: low c2/tool_transfer/arch: low c2/tool_transfer/os: low diff --git a/tests/linux/clean/libgcj.so.17.0.0.simple b/tests/linux/clean/libgcj.so.17.0.0.simple index 3ec73597..e69de29b 100644 --- a/tests/linux/clean/libgcj.so.17.0.0.simple +++ b/tests/linux/clean/libgcj.so.17.0.0.simple 
@@ -1,104 +0,0 @@ -# linux/clean/libgcj.so.17.0.0: high -3P/JPCERT/cobaltstrike_v3v4: medium -anti-behavior/random_behavior: low -c2/addr/ip: medium -c2/addr/url: low -c2/tool_transfer/os: medium -credential/password: low -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/public_key: low -crypto/tls: low -crypto/uuid: medium -data/compression/bzip2: low -data/compression/gzip: low -data/embedded/base64_terms: medium -data/embedded/base64_url: medium -data/embedded/html: medium -data/embedded/pem_certificate: low -data/encoding/base64: low -data/hash/md5: low -data/hash/sha1: low -data/hash/sha256: low -data/hash/whirlpool: medium -discover/network/interface_list: medium -discover/process/name: medium -discover/system/cpu: low -discover/system/hostname: low -discover/system/platform: low -discover/user/HOME: low -discover/user/USER: low -evasion/hijack_execution/LD_LIBRARY_PATH: low -exec/cmd: medium -exec/conditional/LANG: low -exec/dylib/address_check: low -exec/dylib/iterate: low -exec/dylib/symbol_address: medium -exec/plugin: low -exec/program: medium -exec/program/background: low -exec/shell/SHELL: low -exec/shell/command: medium -exfil/office_file_ext: medium -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/file/copy: medium -fs/file/delete: medium -fs/file/open: low -fs/file/rename: low -fs/file/times_set: medium -fs/file/truncate: low -fs/file/write: low -fs/link_read: low -fs/mounts_read: medium -fs/path/dev: medium -fs/path/etc: low -fs/path/root: medium -fs/path/usr_local: medium -fs/path/var: low -fs/permission/modify: medium -fs/proc/arbitrary_pid: medium -fs/proc/mounts: medium -fs/proc/stat: medium -fs/tempdir: low -fs/tempdir/TEMP: low -fs/tempdir/TMPDIR: low -fs/tempfile: low -hw/iokit_registry: low -impact/remote_access/agent: medium -lateral/scan/tool: medium -net/dns/txt: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low 
-net/http/cookies: medium -net/http/form_upload: medium -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/ip: low -net/ip/connect: medium -net/ip/host_port: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/ip/resolve: low -net/ip/send_unicast: low -net/ip/string: medium -net/resolve/hostname: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/receive: low -net/socket/reuseport: medium -net/socket/send: low -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -persist/kernel_module/name: high -process/multithreaded: low -sus/exclamation: medium -sus/intercept: medium -sus/leetspeak: medium diff --git a/tests/linux/clean/libgcj.so.17.simple b/tests/linux/clean/libgcj.so.17.simple index d63587d6..e69de29b 100644 --- a/tests/linux/clean/libgcj.so.17.simple +++ b/tests/linux/clean/libgcj.so.17.simple 
@@ -1,104 +0,0 @@ -# linux/clean/libgcj.so.17: high -3P/JPCERT/cobaltstrike_v3v4: medium -anti-behavior/random_behavior: low -c2/addr/ip: medium -c2/addr/url: low -c2/tool_transfer/os: medium -credential/password: low -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/public_key: low -crypto/tls: low -crypto/uuid: medium -data/compression/bzip2: low -data/compression/gzip: low -data/embedded/base64_terms: medium -data/embedded/base64_url: medium -data/embedded/html: medium -data/embedded/pem_certificate: low -data/encoding/base64: low -data/hash/md5: low -data/hash/sha1: low -data/hash/sha256: low -data/hash/whirlpool: medium -discover/network/interface_list: medium -discover/process/name: medium -discover/system/cpu: low -discover/system/hostname: low -discover/system/platform: low -discover/user/HOME: low -discover/user/USER: low -evasion/hijack_execution/LD_LIBRARY_PATH: low -exec/cmd: medium -exec/conditional/LANG: low -exec/dylib/address_check: low -exec/dylib/iterate: low -exec/dylib/symbol_address: medium -exec/plugin: low -exec/program: medium -exec/program/background: low -exec/shell/SHELL: low -exec/shell/command: medium -exfil/office_file_ext: medium -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/file/copy: medium -fs/file/delete: medium -fs/file/open: low -fs/file/rename: low -fs/file/times_set: medium -fs/file/truncate: low -fs/file/write: low -fs/link_read: low -fs/mounts_read: medium -fs/path/dev: medium -fs/path/etc: low -fs/path/root: medium -fs/path/usr_local: medium -fs/path/var: low -fs/permission/modify: medium -fs/proc/arbitrary_pid: medium -fs/proc/mounts: medium -fs/proc/stat: medium -fs/tempdir: low -fs/tempdir/TEMP: low -fs/tempdir/TMPDIR: low -fs/tempfile: low -hw/iokit_registry: low -impact/remote_access/agent: medium -lateral/scan/tool: medium -net/dns/txt: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/cookies: 
medium -net/http/form_upload: medium -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/ip: low -net/ip/connect: medium -net/ip/host_port: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/ip/resolve: low -net/ip/send_unicast: low -net/ip/string: medium -net/resolve/hostname: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/receive: low -net/socket/reuseport: medium -net/socket/send: low -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -persist/kernel_module/name: high -process/multithreaded: low -sus/exclamation: medium -sus/intercept: medium -sus/leetspeak: medium diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple index 5c57fae0..e69de29b 100644 --- a/tests/linux/clean/melange.simple +++ b/tests/linux/clean/melange.simple 
@@ -1,160 +0,0 @@ -# linux/clean/melange: high -anti-static/elf/multiple: high -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/url: low -c2/client: medium -c2/refs: medium -c2/tool_transfer/arch: low -c2/tool_transfer/os: medium -collect/archives/tar_command: medium -collect/archives/zip: medium -collect/code/github_api: low -credential/cloud/g: medium -credential/keychain: medium -credential/password: low -credential/sniffer/bpf: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/ecdsa: low -crypto/ed25519: low -crypto/openssl: medium -crypto/public_key: low -crypto/tls: low -data/base64/external: medium -data/compression/bzip2: low -data/compression/gzip: low -data/compression/lzma: low -data/compression/zlib: low -data/compression/zstd: low -data/embedded/html: medium -data/embedded/pem_certificate: low -data/embedded/ssh_signature: medium -data/embedded/zstd: medium -data/encoding/base64: low -data/encoding/json: low -data/encoding/json_decode: low -data/encoding/json_encode: low -data/hash/blake2b: low -data/hash/md5: low -discover/cloud/aws_metadata: low -discover/cloud/google_metadata: low -discover/cloud/google_storage: low -discover/network/interface_list: medium -discover/network/mac_address: medium -discover/network/netstat: medium -discover/processes/pgrep: medium -discover/system/cpu: low -discover/system/dmesg: low -discover/system/hostname: low -discover/system/platform: medium -discover/system/sysinfo: medium -discover/user/HOME: low -discover/user/USER: low -discover/user/name_get: medium -evasion/file/location/system_directory: medium -evasion/file/prefix: medium -evasion/hide_artifacts/pivot_root: medium -exec/cmd: medium -exec/install_additional/pip_install: medium -exec/plugin: low -exec/program: medium -exec/shell/TERM: low -exec/shell/background_sleep: medium -exec/shell/exec: medium -exec/shell/pipe_sh: medium -fs/blkid: low -fs/directory/create: low -fs/directory/list: low 
-fs/directory/remove: low -fs/fifo_create: low -fs/file/copy: medium -fs/file/create: medium -fs/file/delete: medium -fs/file/delete_forcibly: medium -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/write: low -fs/link_create: low -fs/link_read: low -fs/lock_update: low -fs/mount: low -fs/node_create: low -fs/path/bin_su: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/home_config: low -fs/path/relative: medium -fs/path/root: medium -fs/path/usr_bin: low -fs/path/usr_local: medium -fs/path/usr_sbin: low -fs/path/var: low -fs/permission/chown: medium -fs/permission/modify: medium -fs/swap/off: low -fs/swap/on: low -fs/symlink_resolve: low -fs/tempdir/TEMP: low -fs/tempdir/create: low -fs/tempfile: low -fs/unmount: low -fs/watch: low -impact/remote_access/heartbeat: medium -impact/remote_access/kill_rm: medium -net/dns: low -net/dns/reverse: medium -net/dns/servers: low -net/dns/txt: low -net/download: medium -net/download/fetch: medium -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/content_length: medium -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/ip: low -net/ip/host_port: medium -net/ip/icmp: medium -net/ip/parse: medium -net/proxy/socks5: medium -net/proxy/tunnel: medium -net/resolve/hostname: low -net/resolve/hostport_parse: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/peer_address: low -net/socket/receive: low -net/socket/send: low -net/tcp/connect: medium -net/tcp/grpc: low -net/tcp/ssh: medium -net/udp/receive: low -net/udp/send: low -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -os/env/get: low -os/fd/sendfile: low -os/kernel/netlink: low -os/time/clock_set: low -persist/cron/tab: medium -privesc/setuid: low -process/chdir: low -process/chroot: low -process/groupid_set: 
low -process/multithreaded: low -process/unshare: low -sus/exclamation: medium -sus/intercept: medium diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple index 9ef86ed4..e69de29b 100644 --- a/tests/linux/clean/mongosh.simple +++ b/tests/linux/clean/mongosh.simple 
@@ -1,194 +0,0 @@ -# linux/clean/mongosh: medium -anti-static/obfuscation/hex: medium -anti-static/obfuscation/obfuscate: low -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/server: medium -c2/addr/url: low -c2/client: medium -c2/discovery/ip_dns_resolver: medium -c2/tool_transfer/arch: low -c2/tool_transfer/os: medium -collect/archives/unarchive: medium -collect/databases/postgresql: medium -collect/databases/sqlite: medium -credential/cloud/aws: medium -credential/password: low -credential/sniffer/bpf: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/ed25519: low -crypto/encrypt: medium -crypto/openssl: medium -crypto/public_key: low -crypto/tls: low -crypto/uuid: medium -data/base64/decode: medium -data/base64/encode: medium -data/compression/bzip2: low -data/compression/gzip: low -data/compression/lzma: low -data/compression/zlib: low -data/compression/zstd: low -data/embedded/base64_gzip: medium -data/embedded/base64_terms: medium -data/embedded/base64_url: medium -data/embedded/html: medium -data/embedded/pem_certificate: low -data/embedded/pem_private_key: medium -data/encoding/base64: low -data/encoding/json_decode: low -data/encoding/json_encode: low -data/hash/sha256: low -data/random/insecure: low -discover/cloud/aws_metadata: low -discover/cloud/google_metadata: low -discover/group/lookup: medium -discover/network/interface: low -discover/network/interface_list: medium -discover/network/mac_address: medium -discover/process/name: medium -discover/process/parent: low -discover/process/working_directory: low -discover/processes/list: medium -discover/system/hostname: low -discover/system/platform: medium -discover/system/sysinfo: medium -discover/user/APPDATA: low -discover/user/HOME: low -discover/user/USER: low -discover/user/USERPROFILE: medium -discover/user/info: medium -discover/user/name_get: low -evasion/file/prefix: medium -evasion/logging/acct: low -exec/cmd: medium 
-exec/conditional/LANG: low -exec/dylib/address_check: low -exec/dylib/iterate: low -exec/dylib/symbol_address: medium -exec/plugin: low -exec/program: medium -exec/program/background: low -exec/script/activex: medium -exec/script/osa: medium -exec/shell/SHELL: low -exec/shell/TERM: low -exec/shell/command: medium -exec/shell/echo: medium -exec/shell/exec: medium -exec/shell/pipe_sh: medium -exec/shell/power: medium -exec/system_controls/systemd: low -exec/tty/pathname: medium -exfil/office_file_ext: medium -exfil/stealer/credit_card: medium -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/file/capabilities_set: low -fs/file/copy: medium -fs/file/create: medium -fs/file/delete: medium -fs/file/delete_forcibly: low -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/stat: low -fs/file/times_set: medium -fs/file/truncate: low -fs/file/write: low -fs/link_read: low -fs/lock_update: low -fs/mount: low -fs/path/etc: low -fs/path/file_url: low -fs/path/home_library: low -fs/path/tmp: medium -fs/path/usr_bin: low -fs/permission/chown: medium -fs/permission/modify: medium -fs/proc/cpuinfo: medium -fs/proc/meminfo: medium -fs/proc/self_cgroup: medium -fs/proc/self_exe: medium -fs/proc/stat: medium -fs/symlink_resolve: low -fs/tempdir: low -fs/tempdir/TEMP: low -fs/tempdir/TMPDIR: low -fs/tempdir/create: low -fs/tempfile: low -fs/watch: low -hw/cpu: medium -hw/wireless: low -impact/remote_access/heartbeat: medium -impact/remote_access/kill_rm: medium -lateral/scan/tool: medium -mem/anonymous_file: medium -net/dns: low -net/dns/over_https: medium -net/dns/reverse: medium -net/dns/txt: low -net/download: medium -net/download/fetch: medium -net/ftp: low -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/http/websocket: medium 
-net/ip/host_port: medium -net/ip/icmp: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/ip/resolve: low -net/ip/send_unicast: low -net/ip/spoof: medium -net/ip/string: medium -net/proxy/socks5: medium -net/proxy/tunnel: medium -net/resolve/hostname: low -net/resolve/hostport_parse: low -net/socket/connect: medium -net/socket/listen: medium -net/socket/local_addr: low -net/socket/pair: medium -net/socket/peer_address: low -net/socket/receive: low -net/socket/send: low -net/tcp/ssh: medium -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -net/webrtc: medium -os/env/get: low -os/fd/read: low -os/fd/sendfile: low -os/fd/write: low -persist/daemon/detach: medium -privesc/setuid: low -process/chdir: low -process/chroot: low -process/create: low -process/groupid_set: low -process/groups_set: low -process/multithreaded: low -process/namespace_set: low -process/terminate: medium -process/terminate/taskkill: medium -sec-tool/net/nmap: medium -sus/compiler: medium -sus/exclamation: medium -sus/intercept: medium -sus/leetspeak: medium -sus/malicious: medium diff --git a/tests/linux/clean/opa.simple b/tests/linux/clean/opa.simple index 86b5cdc8..e69de29b 100644 --- a/tests/linux/clean/opa.simple +++ b/tests/linux/clean/opa.simple 
@@ -1,106 +0,0 @@ -# linux/clean/opa: medium -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/url: low -c2/client: medium -c2/tool_transfer/arch: low -c2/tool_transfer/download: medium -c2/tool_transfer/os: medium -collect/archives/zip: medium -credential/password: low -credential/ssl/private_key: low -crypto/aes: low -crypto/cipher: medium -crypto/decrypt: low -crypto/ecdsa: low -crypto/ed25519: low -crypto/public_key: low -crypto/tls: low -data/base64/decode: medium -data/base64/encode: medium -data/compression/gzip: low -data/compression/zstd: low -data/embedded/html: medium -data/encoding/base64: low -data/encoding/json: low -data/encoding/json_decode: low -data/encoding/json_encode: low -data/hash/md5: low -discover/cloud/aws_metadata: low -discover/cloud/google_metadata: low -discover/system/cpu: low -discover/system/hostname: low -discover/system/platform: medium -discover/system/sysinfo: medium -discover/user/USER: low -exec/cmd: medium -exec/plugin: low -exec/program: medium -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/file/copy: medium -fs/file/delete: low -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/stat: low -fs/file/times_set: low -fs/file/write: low -fs/link_read: low -fs/mount: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/home_config: low -fs/path/relative: medium -fs/path/var: low -fs/permission/chown: medium -fs/permission/modify: medium -fs/proc/self_cgroup: medium -fs/proc/self_mountinfo: medium -fs/tempdir/TEMP: low -fs/tempfile: low -fs/watch: low -net/dns: low -net/dns/reverse: medium -net/dns/servers: low -net/dns/txt: low -net/download: medium -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/content_length: medium -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/ip/host_port: 
medium -net/ip/icmp: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/ip/send_unicast: low -net/resolve/hostname: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/peer_address: low -net/socket/receive: low -net/socket/send: low -net/tcp/connect: medium -net/tcp/grpc: low -net/udp/receive: low -net/udp/send: low -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -os/fd/sendfile: low -os/kernel/netlink: low -os/time/tzinfo: low -persist/pid_file: medium -process/chdir: low -process/groups_set: low -sus/exclamation: medium diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md index 11d0e8ec..e69de29b 100644 --- a/tests/linux/clean/pandoc.md +++ b/tests/linux/clean/pandoc.md @@ -1,177 +0,0 @@ -## linux/clean/pandoc [🛑 HIGH] - -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| -| HIGH | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries concatenated into a single file | $elf_head | -| HIGH | [impact/exploit/overflow_shellcode](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/exploit/overflow-shellcode.yara#exploit) | Buffer overflow exploit | [address](https://github.com/search?q=address&type=code)
[offset](https://github.com/search?q=offset&type=code)
[padding](https://github.com/search?q=padding&type=code)
[shellcode](https://github.com/search?q=shellcode&type=code) | -| HIGH | [persist/shell/bash](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/shell/bash.yara#bash_persist_persistent) | acccesses multiple bash startup files | [.bash_login](https://github.com/search?q=.bash_login&type=code)
[.bash_profile](https://github.com/search?q=.bash_profile&type=code)
[.bashrc](https://github.com/search?q=.bashrc&type=code)
[.profile](https://github.com/search?q=.profile&type=code) | -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bindPort](https://github.com/search?q=bindPort&type=code)
[blIp](https://github.com/search?q=blIp&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[client_port](https://github.com/search?q=client_port&type=code)
[config_port](https://github.com/search?q=config_port&type=code)
[curlopt_port](https://github.com/search?q=curlopt_port&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[domain_port](https://github.com/search?q=domain_port&type=code)
[eIp](https://github.com/search?q=eIp&type=code)
[ereghet_ip](https://github.com/search?q=ereghet_ip&type=code)
[framed_ip](https://github.com/search?q=framed_ip&type=code)
[ftp_port](https://github.com/search?q=ftp_port&type=code)
[gamhet_ip](https://github.com/search?q=gamhet_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[gomphet_ip](https://github.com/search?q=gomphet_ip&type=code)
[host_ip](https://github.com/search?q=host_ip&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[internal_ip](https://github.com/search?q=internal_ip&type=code)
[ipproto_ip](https://github.com/search?q=ipproto_ip&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lat_port](https://github.com/search?q=lat_port&type=code)
[lloghet_ip](https://github.com/search?q=lloghet_ip&type=code)
[lnormhet_ip](https://github.com/search?q=lnormhet_ip&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[local_port](https://github.com/search?q=local_port&type=code)
[login_ip](https://github.com/search?q=login_ip&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[nas_ip](https://github.com/search?q=nas_ip&type=code)
[nas_port](https://github.com/search?q=nas_port&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pg_port](https://github.com/search?q=pg_port&type=code)
[primary_ip](https://github.com/search?q=primary_ip&type=code)
[primary_port](https://github.com/search?q=primary_port&type=code)
[proxyPort](https://github.com/search?q=proxyPort&type=code)
[radius_port](https://github.com/search?q=radius_port&type=code)
[sam_port](https://github.com/search?q=sam_port&type=code)
[serverPort](https://github.com/search?q=serverPort&type=code)
[server_port](https://github.com/search?q=server_port&type=code)
[setPort](https://github.com/search?q=setPort&type=code)
[socketPort](https://github.com/search?q=socketPort&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[uriPort](https://github.com/search?q=uriPort&type=code)
[url_port](https://github.com/search?q=url_port&type=code)
[validate_ip](https://github.com/search?q=validate_ip&type=code)
[weibhet_ip](https://github.com/search?q=weibhet_ip&type=code)
[xIp](https://github.com/search?q=xIp&type=code) | -| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) | -| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code) | -| MEDIUM | [c2/discovery/dyndns](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/dyndns.yara#dynamic_dns_user) | uses dynamic DNS service | [dyndns](https://github.com/search?q=dyndns&type=code) | -| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | -| MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [unarchived](https://github.com/search?q=unarchived&type=code) | -| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [ZIP64](https://github.com/search?q=ZIP64&type=code) | -| MEDIUM | [collect/databases/mysql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/mysql.yara#mysql) | accesses MySQL databases | [mysql](https://github.com/search?q=mysql&type=code) | -| MEDIUM | [collect/databases/postgresql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/postgresql.yara#postgresql) | accesses PostgreSQL databases | [postgresql](https://github.com/search?q=postgresql&type=code) | -| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) | -| MEDIUM | [credential/server/htpasswd](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/server/htpasswd.yara#htpasswd) | Access .htpasswd files | [.htpasswd](https://github.com/search?q=.htpasswd&type=code) | -| MEDIUM | [credential/sniffer/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/sniffer/bpf.yara#sniffer_bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | -| MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | -| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | -| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [base64_encode](https://github.com/search?q=base64_encode&type=code) | -| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | -| MEDIUM | [data/hash/whirlpool](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/whirlpool.yara#whirlpool) | [hash function often used for cryptomining](https://en.wikipedia.org/wiki/Whirlpool_(hash_function)) | [WHIRLPOOL](https://github.com/search?q=WHIRLPOOL&type=code) | -| MEDIUM | [discover/group/lookup](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/group/lookup.yara#getgrent) | get entry from group database | [endgrent](https://github.com/search?q=endgrent&type=code)
[getgrent](https://github.com/search?q=getgrent&type=code)
[setgrent](https://github.com/search?q=setgrent&type=code) | -| MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) | -| MEDIUM | [discover/process/egid](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/egid.yara#php_getmygid) | returns the effective group id of the current process | [getmygid](https://github.com/search?q=getmygid&type=code) | -| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | -| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [systeminfo](https://github.com/search?q=systeminfo&type=code) | -| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) | -| MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | -| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [CmdForListBodyStartCmd](https://github.com/search?q=CmdForListBodyStartCmd&type=code)
[SystemziProcess_runCommand1_closure](https://github.com/search?q=SystemziProcess_runCommand1_closure&type=code)
[SystemziProcess_runCommand1_info](https://github.com/search?q=SystemziProcess_runCommand1_info&type=code)
[SystemziProcess_runCommand2_closure](https://github.com/search?q=SystemziProcess_runCommand2_closure&type=code)
[SystemziProcess_runCommand3_bytes](https://github.com/search?q=SystemziProcess_runCommand3_bytes&type=code)
[SystemziProcess_runCommand_closure](https://github.com/search?q=SystemziProcess_runCommand_closure&type=code)
[SystemziProcess_runCommand_info](https://github.com/search?q=SystemziProcess_runCommand_info&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code) | -| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | -| MEDIUM | [exec/shell/command](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/command.yara#system) | [execute a shell command](https://man7.org/linux/man-pages/man3/system.3.html) | [system](https://github.com/search?q=system&type=code) | -| MEDIUM | [exec/shell/exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#system_call) | executes a shell command | [system](https://github.com/search?q=system&type=code) | -| MEDIUM | [exec/shell/pipe_sh](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/pipe_sh.yara#pipe_to_shell) | pipes to shell | [| sh](https://github.com/search?q=%7C+sh&type=code) | -| MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershellcode](https://github.com/search?q=powershellcode&type=code) | -| MEDIUM | [exec/tty/pathname](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/pathname.yara#ttyname) | returns the pathname of a terminal device | [ttyname](https://github.com/search?q=ttyname&type=code) | -| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docm](https://github.com/search?q=docm&type=code)
[docx](https://github.com/search?q=docx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppam](https://github.com/search?q=ppam&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | -| MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy) | copy files using cp | [copyFile](https://github.com/search?q=copyFile&type=code) | -| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFile](https://github.com/search?q=CreateFile&type=code) | -| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFile](https://github.com/search?q=DeleteFile&type=code) | -| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utimes](https://github.com/search?q=utimes&type=code) | -| MEDIUM | [fs/mounts_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mounts-read.yara#mount_files) | [Parses active mounts (/etc/fstab, /etc/mtab)](https://linux.die.net/man/3/setmntent) | [/etc/mtab](https://github.com/search?q=%2Fetc%2Fmtab&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/lua_XXXXXX](https://github.com/search?q=%2Ftmp%2Flua_XXXXXX&type=code)
[/tmp/pandoc-20241005-4994-bp6ag1/pandoc-3.5/.brew_home/.local/state/c](https://github.com/search?q=%2Ftmp%2Fpandoc-20241005-4994-bp6ag1%2Fpandoc-3.5%2F.brew_home%2F.local%2Fstate%2Fc&type=code) | -| MEDIUM | [fs/path/usr_local](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-local.yara#usr_local_lib_path) | path reference within /usr/local/lib | [/usr/local/lib/lua/5.4/loadall.so](https://github.com/search?q=%2Fusr%2Flocal%2Flib%2Flua%2F5.4%2Floadall.so&type=code) | -| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | -| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/maps](https://github.com/search?q=%2Fproc%2F%25d%2Fmaps&type=code) | -| MEDIUM | [fs/proc/mounts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/mounts.yara#proc_mounts) | Parses active mounts (/proc/mounts | [/proc/mounts](https://github.com/search?q=%2Fproc%2Fmounts&type=code) | -| MEDIUM | [fs/proc/pid_maps](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-maps.yara#proc_maps) | access process memory maps | [/proc/%d/maps](https://github.com/search?q=%2Fproc%2F%25d%2Fmaps&type=code) | -| MEDIUM | [fs/proc/self_status](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-status.yara#proc_self_status) | gets status associated to this process, including capabilities | [/proc/self/status](https://github.com/search?q=%2Fproc%2Fself%2Fstatus&type=code) | -| MEDIUM | [impact/infection/worm](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/infection/worm.yara#worm) | References 'Worm' | [worm](https://github.com/search?q=worm&type=code) | -| MEDIUM | 
[impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [2_NetworkziTLSziExtension_decodeHeartBeat_closure](https://github.com/search?q=2_NetworkziTLSziExtension_decodeHeartBeat_closure&type=code)
[2_NetworkziTLSziExtension_decodeHeartBeat_info](https://github.com/search?q=2_NetworkziTLSziExtension_decodeHeartBeat_info&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat1_closur](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat1_closur&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat2_closur](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat2_closur&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat3_bytes](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat3_bytes&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode1_cl](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode1_cl&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode2_cl](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode2_cl&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode3_by](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode3_by&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode_clo](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode_clo&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat_closure](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat_closure&type=code)
[72_NetworkziTLSziExtension_zdfEqHeartBeatMode_clo](https://github.com/search?q=72_NetworkziTLSziExtension_zdfEqHeartBeatMode_clo&type=code)
[72_NetworkziTLSziExtension_zdfEqHeartBeat_closure](https://github.com/search?q=72_NetworkziTLSziExtension_zdfEqHeartBeat_closure&type=code)
[72_NetworkziTLSziStruct_zdbEIDzuHeartbeat1_closur](https://github.com/search?q=72_NetworkziTLSziStruct_zdbEIDzuHeartbeat1_closur&type=code)
[72_NetworkziTLSziStruct_zdbEIDzuHeartbeat_closure](https://github.com/search?q=72_NetworkziTLSziStruct_zdbEIDzuHeartbeat_closure&type=code)
[72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_closure](https://github.com/search?q=72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_closure&type=code)
[72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_info](https://github.com/search?q=72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_info&type=code)
[8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerAl](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerAl&type=code)
[8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerNo](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerNo&type=code)
[8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerAl](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerAl&type=code)
[8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerNo](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerNo&type=code)
[HeartBeat_PeerAll](https://github.com/search?q=HeartBeat_PeerAll&type=code)
[HeartBeat_PeerNot](https://github.com/search?q=HeartBeat_PeerNot&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat1_closur](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat1_closur&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat1_info](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat1_info&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat2_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat2_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat3_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat3_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat4_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat4_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat5_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat5_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode1_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode1_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode1_in](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode1_in&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode2_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode2_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode3_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode3_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode_clo](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode_clo&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatModezuzd](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatModezuzd&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat_closure](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat_closure&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatzuzdcsho](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatzuzdcsho&type=code)
[_NetworkziTLSziExtension_zdfldZCHeartBeatModeZCfr](https://github.com/search?q=_NetworkziTLSziExtension_zdfldZCHeartBeatModeZCfr&type=code)
[extensionDecode: HeartBeat](https://github.com/search?q=extensionDecode%3A+HeartBeat&type=code)
[f72_NetworkziTLSziExtension_fromHeartBeatMode1_cl](https://github.com/search?q=f72_NetworkziTLSziExtension_fromHeartBeatMode1_cl&type=code)
[f72_NetworkziTLSziExtension_fromHeartBeatMode1_in](https://github.com/search?q=f72_NetworkziTLSziExtension_fromHeartBeatMode1_in&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat1_closur](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat1_closur&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat2_bytes](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat2_bytes&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode1_cl](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode1_cl&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode2_by](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode2_by&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode_clo](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode_clo&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat_closure](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat_closure&type=code)
[heartbeat](https://github.com/search?q=heartbeat&type=code)
[nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_clo](https://github.com/search?q=nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_clo&type=code)
[nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_inf](https://github.com/search?q=nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_inf&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat1_closur](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat1_closur&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat1_info](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat1_info&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat2_closur](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat2_closur&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat2_info](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat2_info&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat_closure](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat_closure&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeatzuzdcext](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeatzuzdcext&type=code) | -| MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | -| MEDIUM | [net/email/exotic_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/email/exotic_addr.yara#exotic_email_addr) | Contains an exotic email address | [bastianholst@gmx.de](https://github.com/search?q=bastianholst%40gmx.de&type=code)
[chris_hormann@gmx.de](https://github.com/search?q=chris_hormann%40gmx.de&type=code)
[langstefan@gmx.at](https://github.com/search?q=langstefan%40gmx.at&type=code)
[views@gmx.de](https://github.com/search?q=views%40gmx.de&type=code)
[zerokode@gmx.net](https://github.com/search?q=zerokode%40gmx.net&type=code) | -| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | -| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP_COOKIE](https://github.com/search?q=HTTP_COOKIE&type=code)
[http_cookie](https://github.com/search?q=http_cookie&type=code) | -| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type: text/x](https://github.com/search?q=Content-Type%3A+text%2Fx&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [QWebSocketCorsAuthenticator](https://github.com/search?q=QWebSocketCorsAuthenticator&type=code)
[QWebSocketHandshakeOptions](https://github.com/search?q=QWebSocketHandshakeOptions&type=code)
[QWebSocketServer](https://github.com/search?q=QWebSocketServer&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code) | -| MEDIUM | [net/ip/byte_order](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-byte-order.yara#htonl) | convert values between host and network byte order | [htonl](https://github.com/search?q=htonl&type=code)
[htons](https://github.com/search?q=htons&type=code)
[ntohs](https://github.com/search?q=ntohs&type=code) | -| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#hostname_port) | connects to an arbitrary hostname:port | [hostname](https://github.com/search?q=hostname&type=code)
[port](https://github.com/search?q=port&type=code) | -| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping frame](https://github.com/search?q=ping+frame&type=code) | -| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | -| MEDIUM | [net/ip/spoof](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/spoof.yara#spoof) | references spoofing | [Spoofchecker](https://github.com/search?q=Spoofchecker&type=code)
[spoofchecker](https://github.com/search?q=spoofchecker&type=code) | -| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code)
[inet_ntop](https://github.com/search?q=inet_ntop&type=code) | -| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [.Socks5](https://github.com/search?q=.Socks5&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | -| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | -| MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [NTLM](https://github.com/search?q=NTLM&type=code)
[ntlm](https://github.com/search?q=ntlm&type=code) | -| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-connect.yara#connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [connect](https://github.com/search?q=connect&type=code) | -| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | -| MEDIUM | [net/socket/raw](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/raw.yara#raw_sockets) | [send raw and/or malformed IP packets](https://man7.org/linux/man-pages/man7/raw.7.html) | [IPPROTO_RAW](https://github.com/search?q=IPPROTO_RAW&type=code)
[SOCK_RAW](https://github.com/search?q=SOCK_RAW&type=code) | -| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code)
[SO_REUSEPORT](https://github.com/search?q=SO_REUSEPORT&type=code) | -| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) | -| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [http://www.fictionbook.org/index.php](http://www.fictionbook.org/index.php) | -| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | -| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [openURL](https://github.com/search?q=openURL&type=code) | -| MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | -| MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | -| MEDIUM | [persist/cron/tab](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/cron/tab.yara#crontab_support) | lists crontab entries, may also persist | [crontab](https://github.com/search?q=crontab&type=code) | -| MEDIUM | [persist/kernel_module/unload](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/unload.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) | -| MEDIUM | 
[persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [PidFile](https://github.com/search?q=PidFile&type=code) | -| MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) | -| MEDIUM | [sec-tool/net/nmap](https://github.com/chainguard-dev/malcontent/blob/main/rules/sec-tool/net/nmap.yara#nmap) | nmap (network map) port scanner | [nmap](https://github.com/search?q=nmap&type=code) | -| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercept](https://github.com/search?q=intercept&type=code) | -| LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscatedFont](https://github.com/search?q=obfuscatedFont&type=code)
[obfuscates](https://github.com/search?q=obfuscates&type=code) | -| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [amd64](https://github.com/search?q=amd64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [ADDefaultDomainPasswordPolicy](https://github.com/search?q=ADDefaultDomainPasswordPolicy&type=code)
[ADFineGrainedPasswordPolicySubject](https://github.com/search?q=ADFineGrainedPasswordPolicySubject&type=code)
[ADServiceAccountPassword](https://github.com/search?q=ADServiceAccountPassword&type=code)
[ADUserResultantPasswordPolicy](https://github.com/search?q=ADUserResultantPasswordPolicy&type=code)
[AuthLDAPBindPassword](https://github.com/search?q=AuthLDAPBindPassword&type=code)
[BadPassword_con_info](https://github.com/search?q=BadPassword_con_info&type=code)
[BasicPasswordFieldUI](https://github.com/search?q=BasicPasswordFieldUI&type=code)
[ComputerMachinePassword](https://github.com/search?q=ComputerMachinePassword&type=code)
[JPasswordField](https://github.com/search?q=JPasswordField&type=code)
[PasswordAuthentication](https://github.com/search?q=PasswordAuthentication&type=code)
[PasswordCallback](https://github.com/search?q=PasswordCallback&type=code)
[PasswordCredential](https://github.com/search?q=PasswordCredential&type=code)
[PasswordProtection](https://github.com/search?q=PasswordProtection&type=code)
[PasswordView](https://github.com/search?q=PasswordView&type=code)
[Set-ADAccountPassword](https://github.com/search?q=Set-ADAccountPassword&type=code)
[addefaultdomainpasswordpolicy](https://github.com/search?q=addefaultdomainpasswordpolicy&type=code)
[adfinegrainedpasswordpolicysubject](https://github.com/search?q=adfinegrainedpasswordpolicysubject&type=code)
[adserviceaccountpassword](https://github.com/search?q=adserviceaccountpassword&type=code)
[aduserresultantpasswordpolicy](https://github.com/search?q=aduserresultantpasswordpolicy&type=code)
[authldapbindpassword](https://github.com/search?q=authldapbindpassword&type=code)
[computermachinepassword](https://github.com/search?q=computermachinepassword&type=code)
[curle_bad_password_entered](https://github.com/search?q=curle_bad_password_entered&type=code)
[curle_ftp_user_password_incorrect](https://github.com/search?q=curle_ftp_user_password_incorrect&type=code)
[curlssh_auth_password](https://github.com/search?q=curlssh_auth_password&type=code)
[dont_store_passwords](https://github.com/search?q=dont_store_passwords&type=code)
[fbsql_database_password](https://github.com/search?q=fbsql_database_password&type=code)
[fbsql_password](https://github.com/search?q=fbsql_password&type=code)
[fbsql_set_password](https://github.com/search?q=fbsql_set_password&type=code)
[groupPassword](https://github.com/search?q=groupPassword&type=code)
[init_with_password](https://github.com/search?q=init_with_password&type=code)
[ldap_control_passwordpolicyrequest](https://github.com/search?q=ldap_control_passwordpolicyrequest&type=code)
[ldap_control_passwordpolicyresponse](https://github.com/search?q=ldap_control_passwordpolicyresponse&type=code)
[newt_flag_password](https://github.com/search?q=newt_flag_password&type=code)
[oci_password_change](https://github.com/search?q=oci_password_change&type=code)
[param_default_password](https://github.com/search?q=param_default_password&type=code)
[password for entry](https://github.com/search?q=password+for+entry&type=code)
[password_bcrypt](https://github.com/search?q=password_bcrypt&type=code)
[password_default](https://github.com/search?q=password_default&type=code)
[password_field_tag](https://github.com/search?q=password_field_tag&type=code)
[password_get_info](https://github.com/search?q=password_get_info&type=code)
[password_grace_time](https://github.com/search?q=password_grace_time&type=code)
[password_hash](https://github.com/search?q=password_hash&type=code)
[password_life_time](https://github.com/search?q=password_life_time&type=code)
[password_lock_time](https://github.com/search?q=password_lock_time&type=code)
[password_needs_rehash](https://github.com/search?q=password_needs_rehash&type=code)
[password_reuse_max](https://github.com/search?q=password_reuse_max&type=code)
[password_reuse_time](https://github.com/search?q=password_reuse_time&type=code)
[password_verify_function](https://github.com/search?q=password_verify_function&type=code)
[proxy_tlsauth_password](https://github.com/search?q=proxy_tlsauth_password&type=code)
[radius_chap_password](https://github.com/search?q=radius_chap_password&type=code)
[radius_user_password](https://github.com/search?q=radius_user_password&type=code)
[sam_password](https://github.com/search?q=sam_password&type=code)
[set-adaccountpassword](https://github.com/search?q=set-adaccountpassword&type=code)
[swftextfield_password](https://github.com/search?q=swftextfield_password&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[zdtczqBadPassword_closure](https://github.com/search?q=zdtczqBadPassword_closure&type=code) | -| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[private_key](https://github.com/search?q=private_key&type=code)
[privatekey](https://github.com/search?q=privatekey&type=code) | -| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[aes_256_cbc](https://github.com/search?q=aes_256_cbc&type=code)
[aes_encrypt](https://github.com/search?q=aes_encrypt&type=code) | -| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [28AES128zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES128zuzdcxtsDecrypt_closure&type=code)
[28AES128zuzdcxtsDecrypt_info](https://github.com/search?q=28AES128zuzdcxtsDecrypt_info&type=code)
[28AES192zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES192zuzdcxtsDecrypt_closure&type=code)
[28AES192zuzdcxtsDecrypt_info](https://github.com/search?q=28AES192zuzdcxtsDecrypt_info&type=code)
[28AES256zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES256zuzdcxtsDecrypt_closure&type=code)
[28AES256zuzdcxtsDecrypt_info](https://github.com/search?q=28AES256zuzdcxtsDecrypt_info&type=code)
[Primitive_zdwccmDecrypt_closure](https://github.com/search?q=Primitive_zdwccmDecrypt_closure&type=code)
[Primitive_zdwccmDecrypt_info](https://github.com/search?q=Primitive_zdwccmDecrypt_info&type=code)
[TLSziCipher_BulkDecrypt_closure](https://github.com/search?q=TLSziCipher_BulkDecrypt_closure&type=code)
[TLSziCipher_BulkDecrypt_con_info](https://github.com/search?q=TLSziCipher_BulkDecrypt_con_info&type=code)
[TypesziAEAD_aeadDecrypt_closure](https://github.com/search?q=TypesziAEAD_aeadDecrypt_closure&type=code)
[TypesziAEAD_aeadDecrypt_info](https://github.com/search?q=TypesziAEAD_aeadDecrypt_info&type=code)
[TypesziBlock_cbcDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_cbcDecryptGeneric_closure&type=code)
[TypesziBlock_cbcDecryptGeneric_info](https://github.com/search?q=TypesziBlock_cbcDecryptGeneric_info&type=code)
[TypesziBlock_cbcDecrypt_closure](https://github.com/search?q=TypesziBlock_cbcDecrypt_closure&type=code)
[TypesziBlock_cbcDecrypt_info](https://github.com/search?q=TypesziBlock_cbcDecrypt_info&type=code)
[TypesziBlock_cfbDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_cfbDecryptGeneric_closure&type=code)
[TypesziBlock_cfbDecryptGeneric_info](https://github.com/search?q=TypesziBlock_cfbDecryptGeneric_info&type=code)
[TypesziBlock_cfbDecrypt_closure](https://github.com/search?q=TypesziBlock_cfbDecrypt_closure&type=code)
[TypesziBlock_cfbDecrypt_info](https://github.com/search?q=TypesziBlock_cfbDecrypt_info&type=code)
[TypesziBlock_ecbDecrypt_closure](https://github.com/search?q=TypesziBlock_ecbDecrypt_closure&type=code)
[TypesziBlock_ecbDecrypt_info](https://github.com/search?q=TypesziBlock_ecbDecrypt_info&type=code)
[TypesziBlock_xtsDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_xtsDecryptGeneric_closure&type=code)
[TypesziBlock_xtsDecryptGeneric_info](https://github.com/search?q=TypesziBlock_xtsDecryptGeneric_info&type=code)
[TypesziBlock_xtsDecrypt_closure](https://github.com/search?q=TypesziBlock_xtsDecrypt_closure&type=code)
[TypesziBlock_xtsDecrypt_info](https://github.com/search?q=TypesziBlock_xtsDecrypt_info&type=code)
[deImplZCaeadImplDecrypt_closure](https://github.com/search?q=deImplZCaeadImplDecrypt_closure&type=code)
[deImplZCaeadImplDecrypt_info](https://github.com/search?q=deImplZCaeadImplDecrypt_info&type=code)
[edentialsFindForDecrypting_closure](https://github.com/search?q=edentialsFindForDecrypting_closure&type=code)
[edentialsFindForDecrypting_info](https://github.com/search?q=edentialsFindForDecrypting_info&type=code)
[edentialsFindForDecryptingzugo1_closure](https://github.com/search?q=edentialsFindForDecryptingzugo1_closure&type=code)
[edentialsFindForDecryptingzugo1_info](https://github.com/search?q=edentialsFindForDecryptingzugo1_info&type=code)
[erAES128zuzdccbcDecrypt_closure](https://github.com/search?q=erAES128zuzdccbcDecrypt_closure&type=code)
[erAES128zuzdccbcDecrypt_info](https://github.com/search?q=erAES128zuzdccbcDecrypt_info&type=code)
[erAES128zuzdccfbDecrypt_closure](https://github.com/search?q=erAES128zuzdccfbDecrypt_closure&type=code)
[erAES128zuzdccfbDecrypt_info](https://github.com/search?q=erAES128zuzdccfbDecrypt_info&type=code)
[erAES192zuzdccbcDecrypt_closure](https://github.com/search?q=erAES192zuzdccbcDecrypt_closure&type=code)
[erAES192zuzdccbcDecrypt_info](https://github.com/search?q=erAES192zuzdccbcDecrypt_info&type=code)
[erAES192zuzdccfbDecrypt_closure](https://github.com/search?q=erAES192zuzdccfbDecrypt_closure&type=code)
[erAES192zuzdccfbDecrypt_info](https://github.com/search?q=erAES192zuzdccfbDecrypt_info&type=code)
[erAES256zuzdccbcDecrypt_closure](https://github.com/search?q=erAES256zuzdccbcDecrypt_closure&type=code)
[erAES256zuzdccbcDecrypt_info](https://github.com/search?q=erAES256zuzdccbcDecrypt_info&type=code)
[erAES256zuzdccfbDecrypt_closure](https://github.com/search?q=erAES256zuzdccfbDecrypt_closure&type=code)
[erAES256zuzdccfbDecrypt_info](https://github.com/search?q=erAES256zuzdccfbDecrypt_info&type=code)
[eyziECIES_deriveDecrypt_closure](https://github.com/search?q=eyziECIES_deriveDecrypt_closure&type=code)
[eyziECIES_deriveDecrypt_info](https://github.com/search?q=eyziECIES_deriveDecrypt_info&type=code)
[iAEAD_aeadSimpleDecrypt_closure](https://github.com/search?q=iAEAD_aeadSimpleDecrypt_closure&type=code)
[iAEAD_aeadSimpleDecrypt_info](https://github.com/search?q=iAEAD_aeadSimpleDecrypt_info&type=code)
[iTLSziStruct_zdbDecryptError1_closure](https://github.com/search?q=iTLSziStruct_zdbDecryptError1_closure&type=code)
[iTLSziStruct_zdbDecryptError_closure](https://github.com/search?q=iTLSziStruct_zdbDecryptError_closure&type=code)
[iTLSziStruct_zdbDecryptionFailed1_closu](https://github.com/search?q=iTLSziStruct_zdbDecryptionFailed1_closu&type=code)
[iTLSziStruct_zdbDecryptionFailed_closur](https://github.com/search?q=iTLSziStruct_zdbDecryptionFailed_closur&type=code)
[iTLSziStruct_zdmDecryptError_closure](https://github.com/search?q=iTLSziStruct_zdmDecryptError_closure&type=code)
[iTLSziStruct_zdmDecryptError_info](https://github.com/search?q=iTLSziStruct_zdmDecryptError_info&type=code)
[iTLSziStruct_zdmDecryptionFailed_closur](https://github.com/search?q=iTLSziStruct_zdmDecryptionFailed_closur&type=code)
[iTLSziStruct_zdmDecryptionFailed_info](https://github.com/search?q=iTLSziStruct_zdmDecryptionFailed_info&type=code)
[ipherAESzuzdccfbDecrypt_closure](https://github.com/search?q=ipherAESzuzdccfbDecrypt_closure&type=code)
[ipherAESzuzdccfbDecrypt_info](https://github.com/search?q=ipherAESzuzdccfbDecrypt_info&type=code)
[ipher_zdtczqBulkDecrypt1_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt1_closure&type=code)
[ipher_zdtczqBulkDecrypt2_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt2_closure&type=code)
[ipher_zdtczqBulkDecrypt3_bytes](https://github.com/search?q=ipher_zdtczqBulkDecrypt3_bytes&type=code)
[ipher_zdtczqBulkDecrypt_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt_closure&type=code)
[ive_zdwgcmAppendDecrypt_closure](https://github.com/search?q=ive_zdwgcmAppendDecrypt_closure&type=code)
[ive_zdwgcmAppendDecrypt_info](https://github.com/search?q=ive_zdwgcmAppendDecrypt_info&type=code)
[ive_zdwocbAppendDecrypt_closure](https://github.com/search?q=ive_zdwocbAppendDecrypt_closure&type=code)
[ive_zdwocbAppendDecrypt_info](https://github.com/search?q=ive_zdwocbAppendDecrypt_info&type=code)
[iveziZZip_pkwareDecryptByte_closure](https://github.com/search?q=iveziZZip_pkwareDecryptByte_closure&type=code)
[iveziZZip_pkwareDecryptByte_info](https://github.com/search?q=iveziZZip_pkwareDecryptByte_info&type=code)
[sziBlock_zddmcbcDecrypt_closure](https://github.com/search?q=sziBlock_zddmcbcDecrypt_closure&type=code)
[sziBlock_zddmcbcDecrypt_info](https://github.com/search?q=sziBlock_zddmcbcDecrypt_info&type=code)
[sziBlock_zddmcfbDecrypt_closure](https://github.com/search?q=sziBlock_zddmcfbDecrypt_closure&type=code)
[sziBlock_zddmcfbDecrypt_info](https://github.com/search?q=sziBlock_zddmcfbDecrypt_info&type=code)
[sziBlock_zddmxtsDecrypt10_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt10_closure&type=code)
[sziBlock_zddmxtsDecrypt11_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt11_bytes&type=code)
[sziBlock_zddmxtsDecrypt12_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt12_closure&type=code)
[sziBlock_zddmxtsDecrypt13_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt13_bytes&type=code)
[sziBlock_zddmxtsDecrypt1_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt1_closure&type=code)
[sziBlock_zddmxtsDecrypt2_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt2_closure&type=code)
[sziBlock_zddmxtsDecrypt3_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt3_closure&type=code)
[sziBlock_zddmxtsDecrypt4_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt4_closure&type=code)
[sziBlock_zddmxtsDecrypt5_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt5_closure&type=code)
[sziBlock_zddmxtsDecrypt6_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt6_closure&type=code)
[sziBlock_zddmxtsDecrypt7_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt7_bytes&type=code)
[sziBlock_zddmxtsDecrypt8_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt8_closure&type=code)
[sziBlock_zddmxtsDecrypt9_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt9_bytes&type=code)
[sziBlock_zddmxtsDecrypt_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt_closure&type=code)
[sziBlock_zddmxtsDecrypt_info](https://github.com/search?q=sziBlock_zddmxtsDecrypt_info&type=code)
[ziTLSziCrypto_kxDecrypt1_closure](https://github.com/search?q=ziTLSziCrypto_kxDecrypt1_closure&type=code)
[ziTLSziCrypto_kxDecrypt_closure](https://github.com/search?q=ziTLSziCrypto_kxDecrypt_closure&type=code)
[ziTLSziCrypto_kxDecrypt_info](https://github.com/search?q=ziTLSziCrypto_kxDecrypt_info&type=code) | -| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | -| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | -| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code) | -| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | -| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | -| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | -| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | -| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [zstd](https://github.com/search?q=zstd&type=code) | -| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | -| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [MD5_MD5_closure_tbl](https://github.com/search?q=MD5_MD5_closure_tbl&type=code)
[MD5_MD5_con_info](https://github.com/search?q=MD5_MD5_con_info&type=code)
[MD5_czumd5zufinalizz](https://github.com/search?q=MD5_czumd5zufinalizz&type=code)
[MD5_czumd5zuinit_clo](https://github.com/search?q=MD5_czumd5zuinit_clo&type=code)
[MD5_czumd5zuinit_inf](https://github.com/search?q=MD5_czumd5zuinit_inf&type=code)
[MD5_czumd5zuupdate_c](https://github.com/search?q=MD5_czumd5zuupdate_c&type=code)
[MD5_czumd5zuupdate_i](https://github.com/search?q=MD5_czumd5zuupdate_i&type=code)
[MD5_info](https://github.com/search?q=MD5_info&type=code)
[MD5_str](https://github.com/search?q=MD5_str&type=code)
[MD5_zdfDataMD10_clos](https://github.com/search?q=MD5_zdfDataMD10_clos&type=code)
[MD5_zdfDataMD11_byte](https://github.com/search?q=MD5_zdfDataMD11_byte&type=code)
[MD5_zdfDataMD12_clos](https://github.com/search?q=MD5_zdfDataMD12_clos&type=code)
[MD5_zdfDataMD12_info](https://github.com/search?q=MD5_zdfDataMD12_info&type=code)
[MD5_zdfDataMD1_closu](https://github.com/search?q=MD5_zdfDataMD1_closu&type=code)
[MD5_zdfDataMD2_closu](https://github.com/search?q=MD5_zdfDataMD2_closu&type=code)
[MD5_zdfDataMD2_info](https://github.com/search?q=MD5_zdfDataMD2_info&type=code)
[MD5_zdfDataMD3_closu](https://github.com/search?q=MD5_zdfDataMD3_closu&type=code)
[MD5_zdfDataMD3_info](https://github.com/search?q=MD5_zdfDataMD3_info&type=code)
[MD5_zdfDataMD4_closu](https://github.com/search?q=MD5_zdfDataMD4_closu&type=code)
[MD5_zdfDataMD4_info](https://github.com/search?q=MD5_zdfDataMD4_info&type=code)
[MD5_zdfDataMD5_closu](https://github.com/search?q=MD5_zdfDataMD5_closu&type=code)
[MD5_zdfDataMD5zuzdcd](https://github.com/search?q=MD5_zdfDataMD5zuzdcd&type=code)
[MD5_zdfDataMD5zuzdcg](https://github.com/search?q=MD5_zdfDataMD5zuzdcg&type=code)
[MD5_zdfDataMD5zuzdct](https://github.com/search?q=MD5_zdfDataMD5zuzdct&type=code)
[MD5_zdfDataMD6_closu](https://github.com/search?q=MD5_zdfDataMD6_closu&type=code)
[MD5_zdfDataMD7_closu](https://github.com/search?q=MD5_zdfDataMD7_closu&type=code)
[MD5_zdfDataMD8_closu](https://github.com/search?q=MD5_zdfDataMD8_closu&type=code)
[MD5_zdfDataMD9_closu](https://github.com/search?q=MD5_zdfDataMD9_closu&type=code)
[MD5_zdfHashAlgorithm](https://github.com/search?q=MD5_zdfHashAlgorithm&type=code)
[MD5_zdfShowMD1_closu](https://github.com/search?q=MD5_zdfShowMD1_closu&type=code)
[MD5_zdfShowMD1_info](https://github.com/search?q=MD5_zdfShowMD1_info&type=code)
[MD5_zdfShowMD2_closu](https://github.com/search?q=MD5_zdfShowMD2_closu&type=code)
[MD5_zdfShowMD5_closu](https://github.com/search?q=MD5_zdfShowMD5_closu&type=code)
[MD5_zdfShowMD5zuzdcs](https://github.com/search?q=MD5_zdfShowMD5zuzdcs&type=code)
[MD5_zdtcMD1_closure](https://github.com/search?q=MD5_zdtcMD1_closure&type=code)
[MD5_zdtcMD2_bytes](https://github.com/search?q=MD5_zdtcMD2_bytes&type=code)
[MD5_zdtcMD5_closure](https://github.com/search?q=MD5_zdtcMD5_closure&type=code)
[MD5_zdtczqMD1_closur](https://github.com/search?q=MD5_zdtczqMD1_closur&type=code)
[MD5_zdtczqMD2_closur](https://github.com/search?q=MD5_zdtczqMD2_closur&type=code)
[MD5_zdtczqMD3_bytes](https://github.com/search?q=MD5_zdtczqMD3_bytes&type=code)
[MD5_zdtczqMD5_closur](https://github.com/search?q=MD5_zdtczqMD5_closur&type=code)
[MD5_zdtrModule1_clos](https://github.com/search?q=MD5_zdtrModule1_clos&type=code)
[MD5_zdtrModule2_byte](https://github.com/search?q=MD5_zdtrModule2_byte&type=code)
[MD5_zdtrModule3_clos](https://github.com/search?q=MD5_zdtrModule3_clos&type=code)
[MD5_zdtrModule4_byte](https://github.com/search?q=MD5_zdtrModule4_byte&type=code)
[MD5_zdtrModule_closu](https://github.com/search?q=MD5_zdtrModule_closu&type=code)
[MD5_zdwzdcgmapMo_clo](https://github.com/search?q=MD5_zdwzdcgmapMo_clo&type=code)
[MD5_zdwzdcgmapMo_inf](https://github.com/search?q=MD5_zdwzdcgmapMo_inf&type=code)
[MD5_zdwzdcgmapMp_clo](https://github.com/search?q=MD5_zdwzdcgmapMp_clo&type=code)
[MD5_zdwzdcgmapMp_inf](https://github.com/search?q=MD5_zdwzdcgmapMp_inf&type=code) | -| LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | -| LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | -| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | -| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | -| LOW | [discover/system/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) | -| LOW | [discover/system/dmesg](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/dmesg.yara#dmesg) | accesses the kernel log ring buffer | [dmesg](https://github.com/search?q=dmesg&type=code) | -| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | -| LOW | [discover/system/machine_id](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/machine_id.yara#machineid) | Gets a unique machineid for the host | [machineid](https://github.com/search?q=machineid&type=code) | -| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/APPDATA](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/APPDATA.yara#APPDATA) | Looks up the application data directory for the current user | [APPDATA](https://github.com/search?q=APPDATA&type=code) | -| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the 
current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) | -| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | -| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Plugin_Abstract](https://github.com/search?q=Plugin_Abstract&type=code)
[QAccessiblePlugin](https://github.com/search?q=QAccessiblePlugin&type=code)
[QAudioSystemPlugin](https://github.com/search?q=QAudioSystemPlugin&type=code)
[QGenericPluginFactory](https://github.com/search?q=QGenericPluginFactory&type=code)
[QIconEnginePlugin](https://github.com/search?q=QIconEnginePlugin&type=code)
[QImageIOPlugin](https://github.com/search?q=QImageIOPlugin&type=code)
[QMediaServiceProviderPlugin](https://github.com/search?q=QMediaServiceProviderPlugin&type=code)
[QPictureFormatPlugin](https://github.com/search?q=QPictureFormatPlugin&type=code)
[QPluginLoader](https://github.com/search?q=QPluginLoader&type=code)
[QQmlEngineExtensionPlugin](https://github.com/search?q=QQmlEngineExtensionPlugin&type=code)
[QQmlExtensionPlugin](https://github.com/search?q=QQmlExtensionPlugin&type=code)
[QScriptExtensionPlugin](https://github.com/search?q=QScriptExtensionPlugin&type=code)
[QSqlDriverPlugin](https://github.com/search?q=QSqlDriverPlugin&type=code)
[QStaticPlugin](https://github.com/search?q=QStaticPlugin&type=code)
[QStylePlugin](https://github.com/search?q=QStylePlugin&type=code)
[QTextToSpeechPlugin](https://github.com/search?q=QTextToSpeechPlugin&type=code)
[QVirtualKeyboardExtensionPlugin](https://github.com/search?q=QVirtualKeyboardExtensionPlugin&type=code)
[addCorePlugin_closure](https://github.com/search?q=addCorePlugin_closure&type=code)
[addCorePlugin_info](https://github.com/search?q=addCorePlugin_info&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[js plugins](https://github.com/search?q=js+plugins&type=code)
[msession_plugin](https://github.com/search?q=msession_plugin&type=code)
[mysqlnd_uh_server_option_plugin_dir](https://github.com/search?q=mysqlnd_uh_server_option_plugin_dir&type=code)
[plugin_abstract](https://github.com/search?q=plugin_abstract&type=code)
[plugin_path](https://github.com/search?q=plugin_path&type=code)
[qAddCorePlugin_closure](https://github.com/search?q=qAddCorePlugin_closure&type=code)
[qAddCorePlugin_info](https://github.com/search?q=qAddCorePlugin_info&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | -| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectory](https://github.com/search?q=CreateDirectory&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [removeDirectory](https://github.com/search?q=removeDirectory&type=code)
[rmdir](https://github.com/search?q=rmdir&type=code) | -| LOW | [fs/fifo_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/fifo-create.yara#mkfifo) | make a FIFO special file (a named pipe) | [mkfifo](https://github.com/search?q=mkfifo&type=code) | -| LOW | [fs/file/capabilities_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-capabilities-set.yara#setfcap) | [Set file capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) | [setcap](https://github.com/search?q=setcap&type=code) | -| LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm --](https://github.com/search?q=rm++--&type=code) | -| LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#java_open) | opens files | [openFile](https://github.com/search?q=openFile&type=code) | -| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | -| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code)
[os.rename](https://github.com/search?q=os.rename&type=code)
[renameFile](https://github.com/search?q=renameFile&type=code) | -| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate](https://github.com/search?q=ftruncate&type=code) | -| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [29762_TextziXML_writeFile1_closure](https://github.com/search?q=29762_TextziXML_writeFile1_closure&type=code)
[29762_TextziXML_writeFile1_info](https://github.com/search?q=29762_TextziXML_writeFile1_info&type=code)
[29762_TextziXML_writeFile2_closure](https://github.com/search?q=29762_TextziXML_writeFile2_closure&type=code)
[29762_TextziXML_writeFile2_info](https://github.com/search?q=29762_TextziXML_writeFile2_info&type=code)
[29762_TextziXML_writeFile3_closure](https://github.com/search?q=29762_TextziXML_writeFile3_closure&type=code)
[29762_TextziXML_writeFile3_info](https://github.com/search?q=29762_TextziXML_writeFile3_info&type=code)
[29762_TextziXML_writeFile_closure](https://github.com/search?q=29762_TextziXML_writeFile_closure&type=code)
[29762_TextziXML_writeFile_info](https://github.com/search?q=29762_TextziXML_writeFile_info&type=code)
[29762_TextziXML_writeFilezugoRight_closure](https://github.com/search?q=29762_TextziXML_writeFilezugoRight_closure&type=code)
[29762_TextziXML_writeFilezugoRight_info](https://github.com/search?q=29762_TextziXML_writeFilezugoRight_info&type=code)
[StringziBuilder_writeFile1_closure](https://github.com/search?q=StringziBuilder_writeFile1_closure&type=code)
[StringziBuilder_writeFile1_info](https://github.com/search?q=StringziBuilder_writeFile1_info&type=code)
[StringziBuilder_writeFile_closure](https://github.com/search?q=StringziBuilder_writeFile_closure&type=code)
[StringziBuilder_writeFile_info](https://github.com/search?q=StringziBuilder_writeFile_info&type=code)
[XMLziUnresolved_writeFile1_closure](https://github.com/search?q=XMLziUnresolved_writeFile1_closure&type=code)
[XMLziUnresolved_writeFile1_info](https://github.com/search?q=XMLziUnresolved_writeFile1_info&type=code)
[XMLziUnresolved_writeFile2_closure](https://github.com/search?q=XMLziUnresolved_writeFile2_closure&type=code)
[XMLziUnresolved_writeFile2_info](https://github.com/search?q=XMLziUnresolved_writeFile2_info&type=code)
[XMLziUnresolved_writeFile3_closure](https://github.com/search?q=XMLziUnresolved_writeFile3_closure&type=code)
[XMLziUnresolved_writeFile3_info](https://github.com/search?q=XMLziUnresolved_writeFile3_info&type=code)
[XMLziUnresolved_writeFile_closure](https://github.com/search?q=XMLziUnresolved_writeFile_closure&type=code)
[XMLziUnresolved_writeFile_info](https://github.com/search?q=XMLziUnresolved_writeFile_info&type=code)
[XMLziUnresolved_writeFilezugoRight_closure](https://github.com/search?q=XMLziUnresolved_writeFilezugoRight_closure&type=code)
[XMLziUnresolved_writeFilezugoRight_info](https://github.com/search?q=XMLziUnresolved_writeFilezugoRight_info&type=code)
[_DataziTextziIO_writeFile1_closure](https://github.com/search?q=_DataziTextziIO_writeFile1_closure&type=code)
[_DataziTextziIO_writeFile1_info](https://github.com/search?q=_DataziTextziIO_writeFile1_info&type=code)
[_DataziTextziIO_writeFile_closure](https://github.com/search?q=_DataziTextziIO_writeFile_closure&type=code)
[_DataziTextziIO_writeFile_info](https://github.com/search?q=_DataziTextziIO_writeFile_info&type=code)
[ataziByteString_writeFile1_closure](https://github.com/search?q=ataziByteString_writeFile1_closure&type=code)
[ataziByteString_writeFile1_info](https://github.com/search?q=ataziByteString_writeFile1_info&type=code)
[ataziByteString_writeFile_closure](https://github.com/search?q=ataziByteString_writeFile_closure&type=code)
[ataziByteString_writeFile_info](https://github.com/search?q=ataziByteString_writeFile_info&type=code)
[base_SystemziIO_writeFile1_closure](https://github.com/search?q=base_SystemziIO_writeFile1_closure&type=code)
[base_SystemziIO_writeFile1_info](https://github.com/search?q=base_SystemziIO_writeFile1_info&type=code)
[base_SystemziIO_writeFile_closure](https://github.com/search?q=base_SystemziIO_writeFile_closure&type=code)
[base_SystemziIO_writeFile_info](https://github.com/search?q=base_SystemziIO_writeFile_info&type=code)
[teStringziLazzy_writeFile1_closure](https://github.com/search?q=teStringziLazzy_writeFile1_closure&type=code)
[teStringziLazzy_writeFile1_info](https://github.com/search?q=teStringziLazzy_writeFile1_info&type=code)
[teStringziLazzy_writeFile_closure](https://github.com/search?q=teStringziLazzy_writeFile_closure&type=code)
[teStringziLazzy_writeFile_info](https://github.com/search?q=teStringziLazzy_writeFile_info&type=code)
[tziPandocziUTF8_writeFile1_closure](https://github.com/search?q=tziPandocziUTF8_writeFile1_closure&type=code)
[tziPandocziUTF8_writeFile1_info](https://github.com/search?q=tziPandocziUTF8_writeFile1_info&type=code)
[tziPandocziUTF8_writeFileWith1_closure](https://github.com/search?q=tziPandocziUTF8_writeFileWith1_closure&type=code)
[tziPandocziUTF8_writeFileWith1_info](https://github.com/search?q=tziPandocziUTF8_writeFileWith1_info&type=code)
[tziPandocziUTF8_writeFileWith_closure](https://github.com/search?q=tziPandocziUTF8_writeFileWith_closure&type=code)
[tziPandocziUTF8_writeFileWith_info](https://github.com/search?q=tziPandocziUTF8_writeFileWith_info&type=code)
[tziPandocziUTF8_writeFile_closure](https://github.com/search?q=tziPandocziUTF8_writeFile_closure&type=code)
[tziPandocziUTF8_writeFile_info](https://github.com/search?q=tziPandocziUTF8_writeFile_info&type=code)
[writeEventLogFileNoop](https://github.com/search?q=writeEventLogFileNoop&type=code)
[ystemziIOziTemp_writeTempFile1_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile1_closure&type=code)
[ystemziIOziTemp_writeTempFile2_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile2_closure&type=code)
[ystemziIOziTemp_writeTempFile3_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile3_closure&type=code)
[ystemziIOziTemp_writeTempFile4_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile4_closure&type=code)
[ystemziIOziTemp_writeTempFile5_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile5_closure&type=code)
[ystemziIOziTemp_writeTempFile_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile_closure&type=code)
[ystemziIOziTemp_writeTempFile_info](https://github.com/search?q=ystemziIOziTemp_writeTempFile_info&type=code) | -| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | -| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | -| LOW | [fs/node_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod) | [create device files](https://man7.org/linux/man-pages/man2/mknod.2.html) | [mknod](https://github.com/search?q=mknod&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/mtab](https://github.com/search?q=%2Fetc%2Fmtab&type=code)
[/etc/security/cacerts/](https://github.com/search?q=%2Fetc%2Fsecurity%2Fcacerts%2F&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/ssl/certs/](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts%2F&type=code) | -| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/pandoc/3.5/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fpandoc%2F3.5%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/zlib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fzlib%2Flib&type=code) | -| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | -| LOW | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#fchown) | May change file ownership | [fchown](https://github.com/search?q=fchown&type=code) | -| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | -| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | -| LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [mktemp](https://github.com/search?q=mktemp&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | -| LOW | [fs/unmount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/unmount.yara#umount) | unmount file system | [umount](https://github.com/search?q=umount&type=code) | -| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | -| LOW | [hw/iokit_registry](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/iokit-registry.yara#IORegistry) | access IOKit device driver registry | [IORegistry](https://github.com/search?q=IORegistry&type=code) | -| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | -| LOW | [net/ftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ftp/ftp.yara#ftp) | File Transfer Protocol (FTP) | [EPSV](https://github.com/search?q=EPSV&type=code) | -| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | -| LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | -| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[Www-Authenticate](https://github.com/search?q=Www-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | -| LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[HttpURLConnection](https://github.com/search?q=HttpURLConnection&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code) | -| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | -| LOW | [net/ip/resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-resolve.yara#gethostbyaddr) | [resolves network hosts via IP address](https://linux.die.net/man/3/gethostbyaddr) | [gethostbyaddr](https://github.com/search?q=gethostbyaddr&type=code) | -| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) | -| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | -| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [client_addr](https://github.com/search?q=client_addr&type=code)
[getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | -| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | -| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) | -| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | -| LOW | [process/alarm](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/alarm.yara#alarm) | [set an alarm clock for delivery of a signal](https://man7.org/linux/man-pages/man2/alarm.2.html) | [alarm](https://github.com/search?q=alarm&type=code) | -| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd](https://github.com/search?q=cd&type=code) | -| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | -| LOW | [process/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#CreateProcess) | create a new process | [CreateProcess1_closur](https://github.com/search?q=CreateProcess1_closur&type=code)
[CreateProcess1_info](https://github.com/search?q=CreateProcess1_info&type=code)
[CreateProcess2_bytes](https://github.com/search?q=CreateProcess2_bytes&type=code)
[CreateProcess2_closur](https://github.com/search?q=CreateProcess2_closur&type=code)
[CreateProcess2_info](https://github.com/search?q=CreateProcess2_info&type=code)
[CreateProcess3_bytes](https://github.com/search?q=CreateProcess3_bytes&type=code)
[CreateProcess3_closur](https://github.com/search?q=CreateProcess3_closur&type=code)
[CreateProcess3_info](https://github.com/search?q=CreateProcess3_info&type=code)
[CreateProcess4_closur](https://github.com/search?q=CreateProcess4_closur&type=code)
[CreateProcess4_info](https://github.com/search?q=CreateProcess4_info&type=code)
[CreateProcess5_closur](https://github.com/search?q=CreateProcess5_closur&type=code)
[CreateProcess6_bytes](https://github.com/search?q=CreateProcess6_bytes&type=code)
[CreateProcessWithExit](https://github.com/search?q=CreateProcessWithExit&type=code)
[CreateProcessZCchildz](https://github.com/search?q=CreateProcessZCchildz&type=code)
[CreateProcessZCclosez](https://github.com/search?q=CreateProcessZCclosez&type=code)
[CreateProcessZCcmdspe](https://github.com/search?q=CreateProcessZCcmdspe&type=code)
[CreateProcessZCcreate](https://github.com/search?q=CreateProcessZCcreate&type=code)
[CreateProcessZCcwd_cl](https://github.com/search?q=CreateProcessZCcwd_cl&type=code)
[CreateProcessZCcwd_in](https://github.com/search?q=CreateProcessZCcwd_in&type=code)
[CreateProcessZCdelega](https://github.com/search?q=CreateProcessZCdelega&type=code)
[CreateProcessZCdetach](https://github.com/search?q=CreateProcessZCdetach&type=code)
[CreateProcessZCenv_cl](https://github.com/search?q=CreateProcessZCenv_cl&type=code)
[CreateProcessZCenv_in](https://github.com/search?q=CreateProcessZCenv_in&type=code)
[CreateProcessZCnewzus](https://github.com/search?q=CreateProcessZCnewzus&type=code)
[CreateProcessZCstdzue](https://github.com/search?q=CreateProcessZCstdzue&type=code)
[CreateProcessZCstdzui](https://github.com/search?q=CreateProcessZCstdzui&type=code)
[CreateProcessZCstdzuo](https://github.com/search?q=CreateProcessZCstdzuo&type=code)
[CreateProcessZCusezup](https://github.com/search?q=CreateProcessZCusezup&type=code)
[CreateProcess_closure](https://github.com/search?q=CreateProcess_closure&type=code)
[CreateProcess_con_inf](https://github.com/search?q=CreateProcess_con_inf&type=code)
[CreateProcess_info](https://github.com/search?q=CreateProcess_info&type=code)
[CreateProcess_slow](https://github.com/search?q=CreateProcess_slow&type=code)
[CreateProcesszugo1_cl](https://github.com/search?q=CreateProcesszugo1_cl&type=code)
[CreateProcesszugo1_in](https://github.com/search?q=CreateProcesszugo1_in&type=code)
[CreateProcesszuzdcsho](https://github.com/search?q=CreateProcesszuzdcsho&type=code)
[CreateProcesszuzdczez](https://github.com/search?q=CreateProcesszuzdczez&type=code)
[CreateProcesszuzdczsz](https://github.com/search?q=CreateProcesszuzdczsz&type=code) | -| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | -| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | -| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | -| LOW | [process/namespace_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/namespace-set.yara#setns) | associate thread or process with a namespace | [setns](https://github.com/search?q=setns&type=code) | -| LOW | [process/unshare](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare) | disassociate parts of the process execution context | [unshare](https://github.com/search?q=unshare&type=code) | - diff --git a/tests/linux/clean/pulumi.simple b/tests/linux/clean/pulumi.simple index 8b17cd93..e69de29b 100644 --- a/tests/linux/clean/pulumi.simple +++ b/tests/linux/clean/pulumi.simple 
@@ -1,159 +0,0 @@ -# linux/clean/pulumi: medium -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/server: medium -c2/addr/url: low -c2/client: medium -c2/tool_transfer/arch: low -c2/tool_transfer/download: medium -c2/tool_transfer/os: medium -collect/archives/zip: medium -collect/code/github_api: low -collect/databases/mysql: medium -collect/databases/postgresql: medium -credential/clipboard: medium -credential/cloud/g: medium -credential/keychain: medium -credential/password: low -credential/ssl/private_key: low -crypto/aes: low -crypto/blockchain: medium -crypto/cipher: medium -crypto/decrypt: low -crypto/ecdsa: low -crypto/ed25519: low -crypto/public_key: low -crypto/tls: low -data/compression/bzip2: low -data/compression/gzip: low -data/compression/zlib: low -data/embedded/html: medium -data/embedded/pem_certificate: low -data/embedded/pem_test_key: low -data/embedded/ssh_signature: medium -data/encoding/base64: low -data/encoding/json: low -data/encoding/json_decode: low -data/encoding/json_encode: low -data/hash/blake2b: low -data/hash/md5: low -data/hash/sha1: low -data/hash/sha256: low -data/random/insecure: low -discover/cloud/aws_metadata: low -discover/cloud/google_metadata: low -discover/cloud/google_storage: low -discover/group/lookup: medium -discover/network/mac_address: medium -discover/process/parent: low -discover/process/working_directory: low -discover/processes/list: medium -discover/system/cpu: low -discover/system/hostname: low -discover/system/platform: medium -discover/system/sysinfo: medium -discover/user/HOME: low -discover/user/USER: low -discover/user/name_get: medium -evasion/file/prefix: medium -exec/cmd: medium -exec/conditional/LANG: low -exec/install_additional/pip_install: medium -exec/plugin: low -exec/program: medium -exec/program/background: low -exec/script/osa: medium -exec/shell/SHELL: low -exec/shell/TERM: low -exec/shell/background_sleep: medium -exec/shell/exec: medium -exec/shell/pipe_sh: medium 
-exec/system_controls/systemd: low -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/fifo_create: low -fs/file/copy: medium -fs/file/create: medium -fs/file/delete: medium -fs/file/delete_forcibly: low -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/times_set: medium -fs/file/write: low -fs/link_read: low -fs/lock_update: low -fs/mount: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/home_config: low -fs/path/root: medium -fs/path/usr_bin: low -fs/path/var: low -fs/permission/chown: medium -fs/permission/modify: medium -fs/swap/off: low -fs/symlink_resolve: low -fs/tempdir: low -fs/tempdir/TEMP: low -fs/tempdir/TMPDIR: low -fs/tempdir/create: low -fs/tempfile: low -hw/wireless: low -impact/remote_access/heartbeat: medium -lateral/scan/tool: medium -net/dns: low -net/dns/reverse: medium -net/dns/servers: low -net/dns/txt: low -net/download: medium -net/download/fetch: medium -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/content_length: medium -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/http/websocket: medium -net/ip: low -net/ip/host_port: medium -net/ip/icmp: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/ip/resolve: low -net/proxy/socks5: medium -net/resolve/hostname: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/pair: medium -net/socket/peer_address: low -net/socket/receive: low -net/socket/send: low -net/tcp/connect: medium -net/tcp/grpc: low -net/tcp/ssh: medium -net/udp/receive: low -net/udp/send: low -net/url/embedded: low -net/url/encode: medium -net/url/parse: low -net/url/request: medium -net/webrtc: medium -os/env/get: low -os/fd/sendfile: low -os/kernel/netlink: low -persist/kernel_module/unload: medium -persist/pid_file: medium -privesc/sudo: medium -process/chroot: 
low -sus/exclamation: medium -sus/intercept: medium -sus/lang: medium -sus/leetspeak: medium diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md index 9a8bf6f8..e69de29b 100644 --- a/tests/linux/clean/qemu-system-xtensa.md +++ b/tests/linux/clean/qemu-system-xtensa.md @@ -1,113 +0,0 @@ -## linux/clean/qemu-system-xtensa [🛑 HIGH] - -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| -| HIGH | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries concatenated into a single file | $elf_head | -| HIGH | [crypto/xor](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/xor.yara#xor_decode_encode) | decodes/encodes XOR content | [Opcode_xor_encode_fns](https://github.com/search?q=Opcode_xor_encode_fns&type=code) | -| HIGH | [fs/proc/pid_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-cmdline.yara#proc_d_cmdline) | access command-line of other processes | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) | -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[add_port](https://github.com/search?q=add_port&type=code)
[ahci_port](https://github.com/search?q=ahci_port&type=code)
[and_port](https://github.com/search?q=and_port&type=code)
[be_port](https://github.com/search?q=be_port&type=code)
[claim_port](https://github.com/search?q=claim_port&type=code)
[clear_port](https://github.com/search?q=clear_port&type=code)
[compare_ip](https://github.com/search?q=compare_ip&type=code)
[ehci_port](https://github.com/search?q=ehci_port&type=code)
[extract_ip](https://github.com/search?q=extract_ip&type=code)
[find_port](https://github.com/search?q=find_port&type=code)
[fix_port](https://github.com/search?q=fix_port&type=code)
[get_ip](https://github.com/search?q=get_ip&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[handle_port](https://github.com/search?q=handle_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[hub_port](https://github.com/search?q=hub_port&type=code)
[megasas_port](https://github.com/search?q=megasas_port&type=code)
[mem_port](https://github.com/search?q=mem_port&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[metadata_ip](https://github.com/search?q=metadata_ip&type=code)
[mmio_port](https://github.com/search?q=mmio_port&type=code)
[mptsas_port](https://github.com/search?q=mptsas_port&type=code)
[ohci_port](https://github.com/search?q=ohci_port&type=code)
[pcie_port](https://github.com/search?q=pcie_port&type=code)
[register_port](https://github.com/search?q=register_port&type=code)
[release_port](https://github.com/search?q=release_port&type=code)
[remove_port](https://github.com/search?q=remove_port&type=code)
[reset_port](https://github.com/search?q=reset_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[spdm_port](https://github.com/search?q=spdm_port&type=code)
[state_port](https://github.com/search?q=state_port&type=code)
[throttle_port](https://github.com/search?q=throttle_port&type=code)
[uhci_port](https://github.com/search?q=uhci_port&type=code)
[update_ip](https://github.com/search?q=update_ip&type=code)
[upstream_port](https://github.com/search?q=upstream_port&type=code)
[usb_port](https://github.com/search?q=usb_port&type=code)
[virtser_port](https://github.com/search?q=virtser_port&type=code)
[write_port](https://github.com/search?q=write_port&type=code)
[xhci_port](https://github.com/search?q=xhci_port&type=code) | -| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [vnc_init_basic_info_from_server_addr](https://github.com/search?q=vnc_init_basic_info_from_server_addr&type=code) | -| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://) | -| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) | -| MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [~/.ssh/config](https://github.com/search?q=~%2F.ssh%2Fconfig&type=code) | -| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | -| MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt) | encrypts data | [BlockdevQcow2EncryptionFormat_lookup](https://github.com/search?q=BlockdevQcow2EncryptionFormat_lookup&type=code)
[BlockdevQcowEncryptionFormat_lookup](https://github.com/search?q=BlockdevQcowEncryptionFormat_lookup&type=code)
[Encrypt the image with](https://github.com/search?q=Encrypt+the+image+with&type=code)
[Encryption header offse](https://github.com/search?q=Encryption+header+offse&type=code)
[RbdImageEncryptionFormat_lookup](https://github.com/search?q=RbdImageEncryptionFormat_lookup&type=code)
[bj_BlockdevQcow2Encryption_base_members](https://github.com/search?q=bj_BlockdevQcow2Encryption_base_members&type=code)
[ee_BlockdevQcow2Encryption](https://github.com/search?q=ee_BlockdevQcow2Encryption&type=code)
[it_type_RbdImageEncryptionFormat](https://github.com/search?q=it_type_RbdImageEncryptionFormat&type=code)
[nfoSpecificQCow2EncryptionBase_members](https://github.com/search?q=nfoSpecificQCow2EncryptionBase_members&type=code)
[nfoSpecificQCow2Encryption_members](https://github.com/search?q=nfoSpecificQCow2Encryption_members&type=code)
[obj_BlockdevQcowEncryption_base_members](https://github.com/search?q=obj_BlockdevQcowEncryption_base_members&type=code)
[pe_BlockdevQcow2EncryptionFormat](https://github.com/search?q=pe_BlockdevQcow2EncryptionFormat&type=code)
[pe_BlockdevQcow2Encryption_members](https://github.com/search?q=pe_BlockdevQcow2Encryption_members&type=code)
[qapi_free_RbdEncryptionCreateOptions](https://github.com/search?q=qapi_free_RbdEncryptionCreateOptions&type=code)
[qapi_free_RbdEncryptionOptionsLUKS2](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKS2&type=code)
[qapi_free_RbdEncryptionOptionsLUKSAn](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKSAn&type=code)
[qapi_free_RbdEncryptionOptionsLUKSBa](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKSBa&type=code)
[ree_BlockdevQcowEncryption](https://github.com/search?q=ree_BlockdevQcowEncryption&type=code)
[t_type_q_obj_RbdEncryptionCreateOptions](https://github.com/search?q=t_type_q_obj_RbdEncryptionCreateOptions&type=code)
[t_type_q_obj_RbdEncryptionOptions_base_](https://github.com/search?q=t_type_q_obj_RbdEncryptionOptions_base_&type=code)
[visit_type_RbdEncryptionCreateOptions](https://github.com/search?q=visit_type_RbdEncryptionCreateOptions&type=code)
[visit_type_RbdEncryptionOptionsLUKS2_](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKS2_&type=code)
[visit_type_RbdEncryptionOptionsLUKSAn](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKSAn&type=code)
[visit_type_RbdEncryptionOptionsLUKSBa](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKSBa&type=code)
[visit_type_RbdEncryptionOptionsLUKS_m](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKS_m&type=code)
[visit_type_RbdEncryptionOptions_membe](https://github.com/search?q=visit_type_RbdEncryptionOptions_membe&type=code)
[ype_BlockdevQcowEncryptionFormat](https://github.com/search?q=ype_BlockdevQcowEncryptionFormat&type=code)
[ype_BlockdevQcowEncryption_members](https://github.com/search?q=ype_BlockdevQcowEncryption_members&type=code) | -| MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [openssl](https://github.com/search?q=openssl&type=code) | -| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | -| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [base64_encode](https://github.com/search?q=base64_encode&type=code) | -| MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code) | -| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | -| MEDIUM | [evasion/indicator_blocking/vm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/indicator_blocking/vm.yara#hidden_qemu) | operates a QEMU VM | [QEMU_VFIO](https://github.com/search?q=QEMU_VFIO&type=code)
[unable to find CPU model '%s'](https://github.com/search?q=unable+to+find+CPU+model+%27%25s%27&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [qapi_free_MigrationExecCommand](https://github.com/search?q=qapi_free_MigrationExecCommand&type=code)
[visit_type_MigrationExecCommand_members](https://github.com/search?q=visit_type_MigrationExecCommand_members&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execv](https://github.com/search?q=execv&type=code) | -| MEDIUM | [exec/shell/exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#calls_shell) | executes shell | [/bin/sh](https://github.com/search?q=%2Fbin%2Fsh&type=code) | -| MEDIUM | [exec/tty/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/open.yara#openpty) | finds and opens an available pseudoterminal | [openpty](https://github.com/search?q=openpty&type=code) | -| MEDIUM | [fs/attributes/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/attributes/remove.yara#remove_xattr) | [remove an extended file attribute value](https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/removexattr.2.html) | [removexattr](https://github.com/search?q=removexattr&type=code) | -| MEDIUM | [fs/attributes/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/attributes/set.yara#set_xattr) | [set an extended file attribute value](https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/setxattr.2.html) | [setxattr](https://github.com/search?q=setxattr&type=code) | -| MEDIUM | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_recursive_force) | Forcibly deletes files recursively | [rm -rf](https://github.com/search?q=rm+-rf&type=code) | -| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#shell_toucher) | change file timestamps | [touch event kind](https://github.com/search?q=touch+event+kind&type=code)
[touch event type](https://github.com/search?q=touch+event+type&type=code)
[touch slot number](https://github.com/search?q=touch+slot+number&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/perf-%d.map](https://github.com/search?q=%2Ftmp%2Fperf-%25d.map&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/block/block-gen.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fblock%2Fblock-gen.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/hw/usb/hcd-ehci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fhw%2Fusb%2Fhcd-ehci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/base.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fbase.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/list.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flist.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/listfile.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flistfile.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/simple.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fsimple.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/block/throttle-gro](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fblock%2Fthrottle-gro&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-fd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-fd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-socke](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-socke&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_comm](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_comm&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_keyr](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_keyr&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tls-cipher-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftls-cipher-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscreds.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscreds.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsano](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsano&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredspsk](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredspsk&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsx50](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsx50&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory_ldst_c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory_ldst_c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/ram_addr.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fram_addr.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_aml_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_aml_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_dev_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_dev_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/vmgenid.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Fvmgenid.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/block/flash.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fblock%2Fflash.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/boards.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fboards.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/char/serial.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fchar%2Fserial.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/clock.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fclock.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/cpu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fcpu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/generic-lo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fgeneric-lo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/resetconta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fresetconta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/cluster.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcluster.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcore.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/display/i2c-ddc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fdisplay%2Fi2c-ddc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/elf_ops.h.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Felf_ops.h.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/fw-path-provide](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Ffw-path-provide&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/hotplug.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fhotplug.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/i2c/i2c.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fi2c%2Fi2c.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-pci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-sysbus](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-sysbus&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-bus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-bus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-dev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-dev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/intc/intc.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fintc%2Fintc.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ipack/ipack.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fipack%2Fipack.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/misc/vmcoreinfo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fmisc%2Fvmcoreinfo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nmi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnmi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nvram/fw_cfg.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnvram%2Ffw_cfg.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci-host/gpex.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci-host%2Fgpex.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_bridge.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_bridge.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_device.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_device.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_port.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_port.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/qdev-core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fqdev-core.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/resettable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fresettable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/esp.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fesp.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/scsi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fscsi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sdhci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsdhci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sysbus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsysbus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/imx-usb-phy](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fimx-usb-phy&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/msd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fmsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-commo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-commo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-conta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-conta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vdpa-dev](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvdpa-dev&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-sc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-sc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-us](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-us&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-vs](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-vs&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-b](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-b&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-g](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-g&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-n](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-n&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-p](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-p&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-r](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-r&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-s](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-s&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vmstate-if.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvmstate-if.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-buffer.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-buffer.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-command](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-command&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-file.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-file.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-null.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-null.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-socket.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-socket.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-tls.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-tls.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-websock](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-websock&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/dns-resolver.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fdns-resolver.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/net-listener.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fnet-listener.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/can_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Fcan_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/filter.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Ffilter.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qapi/qmp/qobject.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqapi%2Fqmp%2Fqobject.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bitops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbitops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bswap.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbswap.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/coroutine.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fcoroutine.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/int128.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fint128.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/iov.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fiov.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/lockable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Flockable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/main-loop.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fmain-loop.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/range.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frange.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/ratelimit.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fratelimit.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/rcu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frcu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/thread-contex](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fthread-contex&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qom/object_interfa](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqom%2Fobject_interfa&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/scsi/pr-manager.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fscsi%2Fpr-manager.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/accel-ops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Faccel-ops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/cryptodev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fcryptodev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/event-loop-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fevent-loop-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/host_iommu_](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhost_iommu_&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/hostmem.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhostmem.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/iothread.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fiothread.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng-random.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng-random.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm_backend](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm_backend&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/vhost-user-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fvhost-user-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/console.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fconsole.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/dbus-display.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fdbus-display.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/qemu-spice.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fqemu-spice.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/migration/channel-block.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fmigration%2Fchannel-block.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/tcg/i386/tcg-target.c.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftcg%2Fi386%2Ftcg-target.c.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/trace/control-internal.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftrace%2Fcontrol-internal.h&type=code) |
-| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) |
-| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) |
-| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) |
-| MEDIUM | [hw/dev/block_ice](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/dev/block-device.yara#block_devices) | works with block devices | [/dev/block/%u](https://github.com/search?q=%2Fdev%2Fblock%2F%25u&type=code)
[/sys/dev/block](https://github.com/search?q=%2Fsys%2Fdev%2Fblock&type=code) |
-| MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [vdagent](https://github.com/search?q=vdagent&type=code) |
-| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [06zu:qmp_enter_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_enter_x_colo_lost_heartbeat&type=code)
[06zu:qmp_exit_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_exit_x_colo_lost_heartbeat&type=code)
[Tell COLO that heartbeat is lost](https://github.com/search?q=Tell+COLO+that+heartbeat+is+lost&type=code)
[hmp_x_colo_lost_heartbeat](https://github.com/search?q=hmp_x_colo_lost_heartbeat&type=code)
[qmp_marshal_x_colo_lost_heartbeat](https://github.com/search?q=qmp_marshal_x_colo_lost_heartbeat&type=code)
[qmp_x_colo_lost_heartbeat](https://github.com/search?q=qmp_x_colo_lost_heartbeat&type=code) |
-| MEDIUM | [impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#exec_chdir_and_socket) | executes commands, changes directories, accesses remote hosts | [chdir](https://github.com/search?q=chdir&type=code)
[execve](https://github.com/search?q=execve&type=code)
[socket](https://github.com/search?q=socket&type=code) |
-| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) |
-| MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) |
-| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) |
-| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[WebSocket](https://github.com/search?q=WebSocket&type=code) |
-| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host and/or port](https://github.com/search?q=host+and%2For+port&type=code)
[host from port](https://github.com/search?q=host+from+port&type=code)
[host is not support](https://github.com/search?q=host+is+not+support&type=code)
[host port](https://github.com/search?q=host+port&type=code)
[host transport](https://github.com/search?q=host+transport&type=code)
[host,addr.port=port](https://github.com/search?q=host%2Caddr.port%3Dport&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host=addr,local.port](https://github.com/search?q=host%3Daddr%2Clocal.port&type=code)
[host=host,addr.port](https://github.com/search?q=host%3Dhost%2Caddr.port&type=code)
[host=host],port=port](https://github.com/search?q=host%3Dhost%5D%2Cport%3Dport&type=code)
[host]:port](https://github.com/search?q=host%5D%3Aport&type=code)
[host_get_port](https://github.com/search?q=host_get_port&type=code)
[host_support](https://github.com/search?q=host_support&type=code)
[host_user.support](https://github.com/search?q=host_user.support&type=code)
[host_user_support](https://github.com/search?q=host_user_support&type=code)
[hostaddr]:hostport](https://github.com/search?q=hostaddr%5D%3Ahostport&type=code)
[hostname port](https://github.com/search?q=hostname+port&type=code)
[hostname:s,port](https://github.com/search?q=hostname%3As%2Cport&type=code) |
-| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping 0x](https://github.com/search?q=ping+0x&type=code) |
-| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) |
-| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code) |
-| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) |
-| MEDIUM | [net/remote_control/vnc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/remote_control/vnc.yara#vnc_user) | uses VNC remote desktop protocol | [VNC_](https://github.com/search?q=VNC_&type=code)
[vnc_password](https://github.com/search?q=vnc_password&type=code) |
-| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) |
-| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) |
-| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) |
-| MEDIUM | [net/tcp/sftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/sftp.yara#sftp) | Supports sftp (FTP over SSH) | [sftp](https://github.com/search?q=sftp&type=code)
[ssh](https://github.com/search?q=ssh&type=code) |
-| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) |
-| MEDIUM | [net/tun_tap](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tun_tap.yara#tun_tap) | accesses the TUN/TAP device driver | [/dev/net/tun](https://github.com/search?q=%2Fdev%2Fnet%2Ftun&type=code) |
-| MEDIUM | [persist/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/daemon/daemon.yara#daemon) | Run as a background daemon | [-daemon](https://github.com/search?q=-daemon&type=code)
[daemonize](https://github.com/search?q=daemonize&type=code)
[is_daemon](https://github.com/search?q=is_daemon&type=code)
[os_daemon](https://github.com/search?q=os_daemon&type=code)
[os_set_daemon](https://github.com/search?q=os_set_daemon&type=code)
[qemu_daemon](https://github.com/search?q=qemu_daemon&type=code) |
-| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [pid_file](https://github.com/search?q=pid_file&type=code) |
-| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [d is not known!!](https://github.com/search?q=d+is+not+known%21%21&type=code) |
-| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercept_dev](https://github.com/search?q=intercept_dev&type=code)
[intercept_gpio_out](https://github.com/search?q=intercept_gpio_out&type=code)
[intercept_in](https://github.com/search?q=intercept_in&type=code)
[intercept_out](https://github.com/search?q=intercept_out&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | -| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | -| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://wikipedia.org/wiki/WAV](http://wikipedia.org/wiki/WAV)
[http://www.opensound.com](http://www.opensound.com)
[https://qemu.org/contribute/report](https://qemu.org/contribute/report)
[https://wiki.qemu.org/Documentation/9psetup](https://wiki.qemu.org/Documentation/9psetup) | -| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [Cannot derive password](https://github.com/search?q=Cannot+derive+password&type=code)
[Could not set password expire time](https://github.com/search?q=Could+not+set+password+expire+time&type=code)
[Invalid password](https://github.com/search?q=Invalid+password&type=code)
[SetPasswordAction_lookup](https://github.com/search?q=SetPasswordAction_lookup&type=code)
[change-vnc-password](https://github.com/search?q=change-vnc-password&type=code)
[enter_expire_password](https://github.com/search?q=enter_expire_password&type=code)
[exit_change_vnc_password](https://github.com/search?q=exit_change_vnc_password&type=code)
[hmp_expire_password](https://github.com/search?q=hmp_expire_password&type=code)
[hmp_set_password](https://github.com/search?q=hmp_set_password&type=code)
[marshal_expire_password](https://github.com/search?q=marshal_expire_password&type=code)
[monitor_read_password](https://github.com/search?q=monitor_read_password&type=code)
[not support password prompting](https://github.com/search?q=not+support+password+prompting&type=code)
[obj_change_vnc_password_arg_members](https://github.com/search?q=obj_change_vnc_password_arg_members&type=code)
[password is expired](https://github.com/search?q=password+is+expired&type=code)
[password is not set](https://github.com/search?q=password+is+not+set&type=code)
[please enable password auth using](https://github.com/search?q=please+enable+password+auth+using&type=code)
[prop_get_passwordid](https://github.com/search?q=prop_get_passwordid&type=code)
[prop_set_passwordid](https://github.com/search?q=prop_set_passwordid&type=code)
[protocol password](https://github.com/search?q=protocol+password&type=code)
[proxy-password-secret](https://github.com/search?q=proxy-password-secret&type=code)
[qapi_free_ExpirePasswordOptionsVnc](https://github.com/search?q=qapi_free_ExpirePasswordOptionsVnc&type=code)
[qapi_free_SetPasswordOptionsVnc](https://github.com/search?q=qapi_free_SetPasswordOptionsVnc&type=code)
[qmp_change_vnc_password](https://github.com/search?q=qmp_change_vnc_password&type=code)
[qmp_enter_set_password](https://github.com/search?q=qmp_enter_set_password&type=code)
[qmp_exit_expire_password](https://github.com/search?q=qmp_exit_expire_password&type=code)
[qmp_exit_set_password](https://github.com/search?q=qmp_exit_set_password&type=code)
[qmp_expire_password](https://github.com/search?q=qmp_expire_password&type=code)
[qmp_marshal_set_password](https://github.com/search?q=qmp_marshal_set_password&type=code)
[qmp_set_password](https://github.com/search?q=qmp_set_password&type=code)
[that match this password](https://github.com/search?q=that+match+this+password&type=code)
[type_ExpirePasswordOptionsVnc](https://github.com/search?q=type_ExpirePasswordOptionsVnc&type=code)
[type_ExpirePasswordOptions_members](https://github.com/search?q=type_ExpirePasswordOptions_members&type=code)
[visit_type_SetPasswordAction](https://github.com/search?q=visit_type_SetPasswordAction&type=code)
[visit_type_SetPasswordOptionsVnc](https://github.com/search?q=visit_type_SetPasswordOptionsVnc&type=code)
[visit_type_SetPasswordOptions_members](https://github.com/search?q=visit_type_SetPasswordOptions_members&type=code)
[vnc password expire-time](https://github.com/search?q=vnc+password+expire-time&type=code)
[vnc_display_password](https://github.com/search?q=vnc_display_password&type=code) | -| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [private_key](https://github.com/search?q=private_key&type=code) | -| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | -| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [public key](https://github.com/search?q=public+key&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | -| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code) | -| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | -| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | -| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | -| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | -| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | -| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [md5:](https://github.com/search?q=md5%3A&type=code) | -| LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | -| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | -| LOW | [discover/system/dmesg](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/dmesg.yara#dmesg) | accesses the kernel log ring buffer | [dmesg](https://github.com/search?q=dmesg&type=code) | -| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) | -| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Could not load plugin](https://github.com/search?q=Could+not+load+plugin&type=code)
[Plugin options](https://github.com/search?q=Plugin+options&type=code)
[cap_disas_plugin](https://github.com/search?q=cap_disas_plugin&type=code)
[gen_plugin_u64_ptr](https://github.com/search?q=gen_plugin_u64_ptr&type=code)
[load a plugin](https://github.com/search?q=load+a+plugin&type=code)
[op_plugin](https://github.com/search?q=op_plugin&type=code)
[output from TCG plugins](https://github.com/search?q=output+from+TCG+plugins&type=code)
[plugin file](https://github.com/search?q=plugin+file&type=code)
[plugin_add_dyn_cb_arr](https://github.com/search?q=plugin_add_dyn_cb_arr&type=code)
[plugin_atexit_cb](https://github.com/search?q=plugin_atexit_cb&type=code)
[plugin_bool_parse](https://github.com/search?q=plugin_bool_parse&type=code)
[plugin_cb__udata](https://github.com/search?q=plugin_cb__udata&type=code)
[plugin_cond_to_tcgcond](https://github.com/search?q=plugin_cond_to_tcgcond&type=code)
[plugin_disas](https://github.com/search?q=plugin_disas&type=code)
[plugin_dyn_cb_arr_cmp](https://github.com/search?q=plugin_dyn_cb_arr_cmp&type=code)
[plugin_end_code](https://github.com/search?q=plugin_end_code&type=code)
[plugin_entry_code](https://github.com/search?q=plugin_entry_code&type=code)
[plugin_flush_cb](https://github.com/search?q=plugin_flush_cb&type=code)
[plugin_flush_destroy](https://github.com/search?q=plugin_flush_destroy&type=code)
[plugin_from_name](https://github.com/search?q=plugin_from_name&type=code)
[plugin_gen_disable_mem](https://github.com/search?q=plugin_gen_disable_mem&type=code)
[plugin_gen_inject](https://github.com/search?q=plugin_gen_inject&type=code)
[plugin_gen_insn_end](https://github.com/search?q=plugin_gen_insn_end&type=code)
[plugin_gen_insn_start](https://github.com/search?q=plugin_gen_insn_start&type=code)
[plugin_gen_mem](https://github.com/search?q=plugin_gen_mem&type=code)
[plugin_gen_tb_end](https://github.com/search?q=plugin_gen_tb_end&type=code)
[plugin_gen_tb_start](https://github.com/search?q=plugin_gen_tb_start&type=code)
[plugin_get_dyn_cb](https://github.com/search?q=plugin_get_dyn_cb&type=code)
[plugin_get_hwaddr](https://github.com/search?q=plugin_get_hwaddr&type=code)
[plugin_get_registers](https://github.com/search?q=plugin_get_registers&type=code)
[plugin_hwaddr_is_io](https://github.com/search?q=plugin_hwaddr_is_io&type=code)
[plugin_init](https://github.com/search?q=plugin_init&type=code)
[plugin_insn_data](https://github.com/search?q=plugin_insn_data&type=code)
[plugin_insn_disas](https://github.com/search?q=plugin_insn_disas&type=code)
[plugin_insn_haddr](https://github.com/search?q=plugin_insn_haddr&type=code)
[plugin_insn_size](https://github.com/search?q=plugin_insn_size&type=code)
[plugin_insn_symbol](https://github.com/search?q=plugin_insn_symbol&type=code)
[plugin_insn_vaddr](https://github.com/search?q=plugin_insn_vaddr&type=code)
[plugin_list](https://github.com/search?q=plugin_list&type=code)
[plugin_load_list](https://github.com/search?q=plugin_load_list&type=code)
[plugin_mem_is_store](https://github.com/search?q=plugin_mem_is_store&type=code)
[plugin_mem_size_shift](https://github.com/search?q=plugin_mem_size_shift&type=code)
[plugin_num_vcpus](https://github.com/search?q=plugin_num_vcpus&type=code)
[plugin_opt_parse](https://github.com/search?q=plugin_opt_parse&type=code)
[plugin_path_to_binary](https://github.com/search?q=plugin_path_to_binary&type=code)
[plugin_print_address](https://github.com/search?q=plugin_print_address&type=code)
[plugin_read_register](https://github.com/search?q=plugin_read_register&type=code)
[plugin_register_atexit](https://github.com/search?q=plugin_register_atexit&type=code)
[plugin_register_cb](https://github.com/search?q=plugin_register_cb&type=code)
[plugin_register_dyn_cb](https://github.com/search?q=plugin_register_dyn_cb&type=code)
[plugin_register_inline](https://github.com/search?q=plugin_register_inline&type=code)
[plugin_reset_destroy](https://github.com/search?q=plugin_reset_destroy&type=code)
[plugin_reset_uninstall](https://github.com/search?q=plugin_reset_uninstall&type=code)
[plugin_scoreboard_find](https://github.com/search?q=plugin_scoreboard_find&type=code)
[plugin_scoreboard_free](https://github.com/search?q=plugin_scoreboard_free&type=code)
[plugin_scoreboard_new](https://github.com/search?q=plugin_scoreboard_new&type=code)
[plugin_start_code](https://github.com/search?q=plugin_start_code&type=code)
[plugin_tb_get_insn](https://github.com/search?q=plugin_tb_get_insn&type=code)
[plugin_tb_n_insns](https://github.com/search?q=plugin_tb_n_insns&type=code)
[plugin_tb_trans_cb](https://github.com/search?q=plugin_tb_trans_cb&type=code)
[plugin_tb_vaddr](https://github.com/search?q=plugin_tb_vaddr&type=code)
[plugin_uninstall](https://github.com/search?q=plugin_uninstall&type=code)
[plugin_update_ns](https://github.com/search?q=plugin_update_ns&type=code)
[plugin_user_exit](https://github.com/search?q=plugin_user_exit&type=code)
[plugin_user_postfork](https://github.com/search?q=plugin_user_postfork&type=code)
[plugin_vcpu_cb__simple](https://github.com/search?q=plugin_vcpu_cb__simple&type=code)
[plugin_vcpu_exit_hook](https://github.com/search?q=plugin_vcpu_exit_hook&type=code)
[plugin_vcpu_for_each](https://github.com/search?q=plugin_vcpu_for_each&type=code)
[plugin_vcpu_idle_cb](https://github.com/search?q=plugin_vcpu_idle_cb&type=code)
[plugin_vcpu_init_hook](https://github.com/search?q=plugin_vcpu_init_hook&type=code)
[plugin_vcpu_mem_cb](https://github.com/search?q=plugin_vcpu_mem_cb&type=code)
[plugin_vcpu_resume_cb](https://github.com/search?q=plugin_vcpu_resume_cb&type=code)
[plugin_vcpu_syscall](https://github.com/search?q=plugin_vcpu_syscall&type=code)
[qemu_plugin_add_dyn](https://github.com/search?q=qemu_plugin_add_dyn&type=code)
[qemu_plugin_install](https://github.com/search?q=qemu_plugin_install&type=code)
[qemu_plugin_opts](https://github.com/search?q=qemu_plugin_opts&type=code)
[qemu_plugin_outs](https://github.com/search?q=qemu_plugin_outs&type=code)
[qemu_plugin_path_to](https://github.com/search?q=qemu_plugin_path_to&type=code)
[qemu_plugin_request](https://github.com/search?q=qemu_plugin_request&type=code)
[qemu_plugin_reset](https://github.com/search?q=qemu_plugin_reset&type=code)
[qemu_plugin_u64_add](https://github.com/search?q=qemu_plugin_u64_add&type=code)
[qemu_plugin_u64_get](https://github.com/search?q=qemu_plugin_u64_get&type=code)
[qemu_plugin_u64_set](https://github.com/search?q=qemu_plugin_u64_set&type=code)
[qemu_plugin_u64_sum](https://github.com/search?q=qemu_plugin_u64_sum&type=code)
[qemu_plugin_version](https://github.com/search?q=qemu_plugin_version&type=code)
[tcg_gen_plugin_cb](https://github.com/search?q=tcg_gen_plugin_cb&type=code)
[tcg_gen_plugin_mem_cb](https://github.com/search?q=tcg_gen_plugin_mem_cb&type=code)
[tlb_plugin_lookup](https://github.com/search?q=tlb_plugin_lookup&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [exec/system_controls/systemd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/system_controls/systemd.yara#ref_systemd) | makes references to systemd | [systemd](https://github.com/search?q=systemd&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | -| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | -| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | -| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | -| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | 
[-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | -| LOW | [fs/node_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod) | [create device files](https://man7.org/linux/man-pages/man2/mknod.2.html) | [mknod](https://github.com/search?q=mknod&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/qemu-ifdown](https://github.com/search?q=%2Fetc%2Fqemu-ifdown&type=code)
[/etc/qemu-ifup](https://github.com/search?q=%2Fetc%2Fqemu-ifup&type=code)
[/etc/qemu/qemu.conf](https://github.com/search?q=%2Fetc%2Fqemu%2Fqemu.conf&type=code) | -| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/bin](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fbin&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu-ifdown](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu-ifdown&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu-ifup](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu-ifup&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu/qemu.conf](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu%2Fqemu.conf&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/libexec/qemu-bridge-helpe](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Flibexec%2Fqemu-bridge-helpe&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/icons](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Ficons&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/locale](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Flocale&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/qemu-firmware](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Fqemu-firmware&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/var](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fvar&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/at-spi2-core/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fat-spi2-core%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/attr/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fattr%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/berkeley-db](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fberkeley-db&type=code)
[/home/linuxbrew/.linuxbrew/opt/binutils/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fbinutils%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/bzip2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fbzip2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/cairo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fcairo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/capstone/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fcapstone%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/dbus/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fdbus%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/dtc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fdtc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/elfutils/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Felfutils%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/expat/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fexpat%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/fontconfig/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffontconfig%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/freeglut/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffreeglut%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/freetype/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffreetype%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/fribidi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffribidi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/gdk-pixbuf/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgdk-pixbuf%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/glib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fglib%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/glslang/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fglslang%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gmp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgmp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gnutls/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgnutls%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/graphite2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgraphite2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gsettings-desktop-schemas/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgsettings-desktop-schemas%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gtk](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgtk&type=code)
[/home/linuxbrew/.linuxbrew/opt/harfbuzz/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fharfbuzz%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/icu4c/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ficu4c%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/jpeg-turbo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fjpeg-turbo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/krb5/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fkrb5%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libcap-ng/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibcap-ng%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libcap/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibcap%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libdrm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibdrm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libedit/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibedit%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libepoxy/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibepoxy%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libevent/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibevent%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libffi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibffi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libfontenc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibfontenc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libice/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibice%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libidn2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibidn2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libnghttp2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibnghttp2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libnsl/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibnsl%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libpciaccess/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibpciaccess%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libslirp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibslirp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libsm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibsm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libssh/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibssh%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtasn1/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtasn1%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtiff/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtiff%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtirpc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtirpc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libunistring/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibunistring%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libusb/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibusb%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libva/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibva%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libvdpau/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibvdpau%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libx11/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibx11%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxau/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxau%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcb/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcb%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcrypt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcrypt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcvt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcvt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxdamage/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxdamage%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxdmcp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxdmcp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxext/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxext%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxfixes/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxfixes%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxfont2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxfont2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxinerama/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxinerama%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxkbcommon/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxkbcommon%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxkbfile/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxkbfile%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxml2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxml2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxmu/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxmu%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxrandr/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxrandr%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxrender/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxrender%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxshmfence/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxshmfence%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxtst/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxtst%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxv/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxv%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxxf86vm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxxf86vm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/llvm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fllvm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lm-sensors/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flm-sensors%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lz4/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flz4%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lzo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flzo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mesa-glu/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmesa-glu%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mesa/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmesa%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mpdecimal/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmpdecimal%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/ncurses/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fncurses%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/nettle/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fnettle%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/openssl](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fopenssl&type=code)
[/home/linuxbrew/.linuxbrew/opt/p11-kit/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fp11-kit%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pango/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpango%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pcre2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpcre2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pixman/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpixman%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/python](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpython&type=code)
[/home/linuxbrew/.linuxbrew/opt/readline/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Freadline%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/snappy/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsnappy%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/spirv-llvm-translator/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fspirv-llvm-translator%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/spirv-tools/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fspirv-tools%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/sqlite/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsqlite%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/systemd/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsystemd%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/unbound/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Funbound%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/util-linux/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Futil-linux%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/valgrind/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fvalgrind%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/vde/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fvde%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/wayland/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fwayland%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-image/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-image%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-keysyms/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-keysyms%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-renderutil/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-renderutil%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-wm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-wm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xkbcomp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxkbcomp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xorg-server/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxorg-server%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xz/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxz%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/z3/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fz3%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/sbin/samba-dot-org-smbd](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fsbin%2Fsamba-dot-org-smbd&type=code) | -| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | -| LOW | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#fchownat) | May change file ownership | [fchownat](https://github.com/search?q=fchownat&type=code) | -| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | -| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | -| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) | -| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | -| LOW | [net/ip/send_unicast](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-send-unicast.yara#unicast) | send data to the internet | [unicast](https://github.com/search?q=unicast&type=code) | -| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) | -| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | -| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvmsg](https://github.com/search?q=recvmsg&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | -| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://qemu.org/contribute/report-a-bug](https://qemu.org/contribute/report-a-bug)
[https://wiki.qemu.org/Documentation/9psetup](https://wiki.qemu.org/Documentation/9psetup) | -| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_wait](https://github.com/search?q=epoll_wait&type=code) | -| LOW | [os/kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) | -| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | -| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | -| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | -| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | -| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | -| LOW | [process/unshare](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare) | 
disassociate parts of the process execution context | [unshare](https://github.com/search?q=unshare&type=code) | - diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md index 03b0eeff..e69de29b 100644 --- a/tests/linux/clean/slack.md +++ b/tests/linux/clean/slack.md @@ -1,193 +0,0 @@ -## linux/clean/slack [🛑 HIGH] - -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| -| HIGH | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries concatenated into a single file | $elf_head | -| MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) | -| MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) | -| MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) | -| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s)
[https://%s](https://%s) | -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[endpoint_port](https://github.com/search?q=endpoint_port&type=code)
[firstIp](https://github.com/search?q=firstIp&type=code)
[hIp](https://github.com/search?q=hIp&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[multi_port](https://github.com/search?q=multi_port&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[pIp](https://github.com/search?q=pIp&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[quiche_ip](https://github.com/search?q=quiche_ip&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[required_ip](https://github.com/search?q=required_ip&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[xIp](https://github.com/search?q=xIp&type=code)
[yoIp](https://github.com/search?q=yoIp&type=code) | -| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [server_address_](https://github.com/search?q=server_address_&type=code) | -| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) | -| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.4.4](https://github.com/search?q=8.8.4.4&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | -| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) | -| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [FrameDropper](https://github.com/search?q=FrameDropper&type=code)
[eye_dropper](https://github.com/search?q=eye_dropper&type=code)
[openEyeDropper](https://github.com/search?q=openEyeDropper&type=code) | -| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | -| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip_writer](https://github.com/search?q=zip_writer&type=code) | -| MEDIUM | [collect/databases/leveldb](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/leveldb.yara#leveldb) | accesses LevelDB databases | [LEVELDB_DATABASE](https://github.com/search?q=LEVELDB_DATABASE&type=code)
[LEVELDB_ITERATOR](https://github.com/search?q=LEVELDB_ITERATOR&type=code)
[LEVELDB_TRANSACTION](https://github.com/search?q=LEVELDB_TRANSACTION&type=code)
[LevelDBEnv](https://github.com/search?q=LevelDBEnv&type=code)
[LevelDBIH](https://github.com/search?q=LevelDBIH&type=code)
[LevelDBIterator](https://github.com/search?q=LevelDBIterator&type=code)
[LevelDBOpenErrors](https://github.com/search?q=LevelDBOpenErrors&type=code)
[LevelDBPartitionedLock](https://github.com/search?q=LevelDBPartitionedLock&type=code)
[LevelDBReadErrors](https://github.com/search?q=LevelDBReadErrors&type=code)
[LevelDBScopesKey](https://github.com/search?q=LevelDBScopesKey&type=code)
[LevelDBScopesMetadata](https://github.com/search?q=LevelDBScopesMetadata&type=code)
[LevelDBScopesUndoTask](https://github.com/search?q=LevelDBScopesUndoTask&type=code)
[LevelDBTransaction](https://github.com/search?q=LevelDBTransaction&type=code)
[LevelDBWrapper](https://github.com/search?q=LevelDBWrapper&type=code)
[LevelDBWriteErrors](https://github.com/search?q=LevelDBWriteErrors&type=code)
[MojoLevelDB](https://github.com/search?q=MojoLevelDB&type=code)
[OpenAndVerifyLevelDBDatabase](https://github.com/search?q=OpenAndVerifyLevelDBDatabase&type=code)
[OpenLevelDBScopes](https://github.com/search?q=OpenLevelDBScopes&type=code)
[indexed_db_leveldb_operations](https://github.com/search?q=indexed_db_leveldb_operations&type=code)
[lazy_leveldb](https://github.com/search?q=lazy_leveldb&type=code)
[leveldbH](https://github.com/search?q=leveldbH&type=code)
[leveldb_0x](https://github.com/search?q=leveldb_0x&type=code)
[leveldb_chrome](https://github.com/search?q=leveldb_chrome&type=code)
[leveldb_database](https://github.com/search?q=leveldb_database&type=code)
[leveldb_proto](https://github.com/search?q=leveldb_proto&type=code)
[leveldb_scopes](https://github.com/search?q=leveldb_scopes&type=code)
[leveldb_value_store](https://github.com/search?q=leveldb_value_store&type=code)
[proto_leveldb_wrapper](https://github.com/search?q=proto_leveldb_wrapper&type=code)
[transactional_leveldb_iterator](https://github.com/search?q=transactional_leveldb_iterator&type=code) | -| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) | -| MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) | -| MEDIUM | [credential/sniffer/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/sniffer/bpf.yara#sniffer_bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | -| MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [.ssh](https://github.com/search?q=.ssh&type=code) | -| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | -| MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | -| MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | [#"!](https://github.com/search?q=%23%22%21&type=code)
$opt0
$opt1
$opt2
$opt30
$opt4
$opt5
$opt6
$opt7
['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[3210](https://github.com/search?q=3210&type=code)
[7654](https://github.com/search?q=7654&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[onml](https://github.com/search?q=onml&type=code)
[srqp](https://github.com/search?q=srqp&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[����](https://github.com/search?q=%83%82%81%80&type=code)
[����](https://github.com/search?q=%87%86%85%84&type=code)
[����](https://github.com/search?q=%8B%8A%89%88&type=code)
[����](https://github.com/search?q=%8F%8E%8D%8C&type=code)
[����](https://github.com/search?q=%93%92%91%90&type=code)
[����](https://github.com/search?q=%97%96%95%94&type=code)
[����](https://github.com/search?q=%9B%9A%99%98&type=code)
[����](https://github.com/search?q=%9F%9E%9D%9C&type=code)
[����](https://github.com/search?q=%A3%A2%A1%A0&type=code)
[����](https://github.com/search?q=%A7%A6%A5%A4&type=code)
[����](https://github.com/search?q=%AB%AA%A9%A8&type=code)
[����](https://github.com/search?q=%AF%AE%AD%AC&type=code)
[����](https://github.com/search?q=%B3%B2%B1%B0&type=code)
[����](https://github.com/search?q=%B7%B6%B5%B4&type=code)
[����](https://github.com/search?q=%BB%BA%B9%B8&type=code)
[����](https://github.com/search?q=%BF%BE%BD%BC&type=code)
[����](https://github.com/search?q=%C3%C2%C1%C0&type=code)
[����](https://github.com/search?q=%C7%C6%C5%C4&type=code)
[����](https://github.com/search?q=%CB%CA%C9%C8&type=code)
[����](https://github.com/search?q=%CF%CE%CD%CC&type=code)
[����](https://github.com/search?q=%D3%D2%D1%D0&type=code)
[����](https://github.com/search?q=%D7%D6%D5%D4&type=code)
[����](https://github.com/search?q=%DB%DA%D9%D8&type=code)
[����](https://github.com/search?q=%DF%DE%DD%DC&type=code)
[����](https://github.com/search?q=%E3%E2%E1%E0&type=code)
[����](https://github.com/search?q=%E7%E6%E5%E4&type=code)
[����](https://github.com/search?q=%EB%EA%E9%E8&type=code)
[����](https://github.com/search?q=%EF%EE%ED%EC&type=code)
[����](https://github.com/search?q=%F3%F2%F1%F0&type=code)
[����](https://github.com/search?q=%F7%F6%F5%F4&type=code)
[����](https://github.com/search?q=%FB%FA%F9%F8&type=code)
[����](https://github.com/search?q=%FF%FE%FD%FC&type=code) | -| MEDIUM | [crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid) | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | -| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [DRVJUSUZJQ0FUR::$CERTIFICATE](https://github.com/search?q=DRVJUSUZJQ0FUR%3A%3A%24CERTIFICATE&type=code)
[Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[RpcmVjdG9ye::$directory](https://github.com/search?q=RpcmVjdG9ye%3A%3A%24directory&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | -| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) | -| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | -| MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code)
[networkInterfaces](https://github.com/search?q=networkInterfaces&type=code) | -| MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [macAddress](https://github.com/search?q=macAddress&type=code) | -| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | -| MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | -| MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | -| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | -| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) | -| MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | -| MEDIUM | [evasion/file/location/dev_shm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/dev-shm.yara#dev_shm) | references path within /dev/shm (world writeable) | [/dev/shm/](https://github.com/search?q=%2Fdev%2Fshm%2F&type=code) | -| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/usr/lib/debug/.build-id](https://github.com/search?q=%2Fusr%2Flib%2Fdebug%2F.build-id&type=code) | -| MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code)
[vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code) | -| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | -| MEDIUM | [exec/shell/pipe_sh](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/pipe_sh.yara#pipe_to_shell) | pipes to shell | [| sh](https://github.com/search?q=%7C+sh&type=code) | -| MEDIUM | [exec/tty/pathname](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/pathname.yara#ttyname) | returns the pathname of a terminal device | [ttyname](https://github.com/search?q=ttyname&type=code) | -| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | -| MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#google_drive) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [drive.google.com/](https://github.com/search?q=drive.google.com%2F&type=code)
[drive.google.comtabs](https://github.com/search?q=drive.google.comtabs&type=code) | -| MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy) | copy files using cp | [copyFile](https://github.com/search?q=copyFile&type=code) | -| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileAndStart](https://github.com/search?q=CreateFileAndStart&type=code)
[CreateFileAndWrite](https://github.com/search?q=CreateFileAndWrite&type=code)
[CreateFileHelper](https://github.com/search?q=CreateFileHelper&type=code)
[CreateFileOpenDial](https://github.com/search?q=CreateFileOpenDial&type=code)
[CreateFileToTrunca](https://github.com/search?q=CreateFileToTrunca&type=code)
[CreateFileURLLoade](https://github.com/search?q=CreateFileURLLoade&type=code)
[CreateFileWriterIm](https://github.com/search?q=CreateFileWriterIm&type=code) | -| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFileCallback](https://github.com/search?q=DeleteFileCallback&type=code)
[DeleteFileError](https://github.com/search?q=DeleteFileError&type=code)
[DeleteFileOnFileSe](https://github.com/search?q=DeleteFileOnFileSe&type=code) | -| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utimes](https://github.com/search?q=utimes&type=code) | -| MEDIUM | [fs/path/etc_hosts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts) | references /etc/hosts | [/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) | -| MEDIUM | [fs/path/root](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/root.yara#root_path_val) | path reference within /root | [/root/root.js](https://github.com/search?q=%2Froot%2Froot.js&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/__v8_gc__](https://github.com/search?q=%2Ftmp%2F__v8_gc__&type=code)
[/tmp/node-repl-sock](https://github.com/search?q=%2Ftmp%2Fnode-repl-sock&type=code)
[/tmp/perfetto-consumer](https://github.com/search?q=%2Ftmp%2Fperfetto-consumer&type=code)
[/tmp/perfetto-producer](https://github.com/search?q=%2Ftmp%2Fperfetto-producer&type=code) | -| MEDIUM | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown) | Changes file ownership | [Chown](https://github.com/search?q=Chown&type=code) | -| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [Chmod](https://github.com/search?q=Chmod&type=code)
[chmod](https://github.com/search?q=chmod&type=code) | -| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/$](https://github.com/search?q=%2Fproc%2F%24&type=code)
[/proc/%d/task/](https://github.com/search?q=%2Fproc%2F%25d%2Ftask%2F&type=code) | -| MEDIUM | [fs/proc/cpuinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/cpuinfo.yara#proc_cpuinfo) | get CPU info | [/proc/cpuinfo](https://github.com/search?q=%2Fproc%2Fcpuinfo&type=code) | -| MEDIUM | [fs/proc/meminfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/meminfo.yara#proc_meminfo_val) | get memory info | [/proc/meminfo](https://github.com/search?q=%2Fproc%2Fmeminfo&type=code) | -| MEDIUM | [fs/proc/self_cgroup](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cgroup.yara#pid_self_cgroup) | accesses /proc files within own cgroup | [/proc/self/cgroup/sys/fs/cgroupcgroup](https://github.com/search?q=%2Fproc%2Fself%2Fcgroup%2Fsys%2Ffs%2Fcgroupcgroup&type=code) | -| MEDIUM | [fs/proc/self_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cmdline.yara#proc_self_cmdline) | gets process command-line | [/proc/self/cmdline](https://github.com/search?q=%2Fproc%2Fself%2Fcmdline&type=code) | -| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | -| MEDIUM | [fs/proc/self_mountinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-mountinfo.yara#proc_self_mountinfo) | gets mount info associated to this process | [/proc/self/mountinfo](https://github.com/search?q=%2Fproc%2Fself%2Fmountinfo&type=code) | -| MEDIUM | [fs/proc/self_status](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-status.yara#proc_self_status) | gets status associated to this process, including capabilities | [/proc/self/status](https://github.com/search?q=%2Fproc%2Fself%2Fstatus&type=code) | -| MEDIUM | 
[fs/proc/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/stat.yara#proc_stat) | gets kernel/system statistics | [/proc/stat](https://github.com/search?q=%2Fproc%2Fstat&type=code) | -| MEDIUM | [hw/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/cpu.yara#sys_devices_cpu) | Get information about CPUs | [/sys/devices/system/cpu](https://github.com/search?q=%2Fsys%2Fdevices%2Fsystem%2Fcpu&type=code) | -| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [Failed to deserialized Heartbeat info pa](https://github.com/search?q=Failed+to+deserialized+Heartbeat+info+pa&type=code)
[Invalid heartbeat info:](https://github.com/search?q=Invalid+heartbeat+info%3A&type=code)
[No Heartbeat Info pa](https://github.com/search?q=No+Heartbeat+Info+pa&type=code)
[PostHeartbeatTask](https://github.com/search?q=PostHeartbeatTask&type=code)
[heartbeat_handler](https://github.com/search?q=heartbeat_handler&type=code) | -| MEDIUM | [lateral/scan/target_ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/target_ip.yara#target_ip) | References a target IP | [target IP](https://github.com/search?q=target+IP&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code) | -| MEDIUM | [malware/ref](https://github.com/chainguard-dev/malcontent/blob/main/rules/malware/ref.yara#malware) | mentions 'malware' | [_malware](https://github.com/search?q=_malware&type=code) | -| MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | -| MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [DnsOverHttps](https://github.com/search?q=DnsOverHttps&type=code)
[application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) | -| MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | -| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | -| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | -| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type header.](https://github.com/search?q=Content-Type+header.&type=code)
[Content-Type too large](https://github.com/search?q=Content-Type+too+large&type=code)
[Content-Type was not one of](https://github.com/search?q=Content-Type+was+not+one+of&type=code)
[Content-Type: application/json](https://github.com/search?q=Content-Type%3A+application%2Fjson&type=code)
[Content-Type: application/octet](https://github.com/search?q=Content-Type%3A+application%2Foctet&type=code)
[Content-Type: multipart/related](https://github.com/search?q=Content-Type%3A+multipart%2Frelated&type=code)
[Content-Type: text/html](https://github.com/search?q=Content-Type%3A+text%2Fhtml&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[AcceptWebSocket](https://github.com/search?q=AcceptWebSocket&type=code)
[DOMWebSocket](https://github.com/search?q=DOMWebSocket&type=code)
[EnclaveWebSocketClient](https://github.com/search?q=EnclaveWebSocketClient&type=code)
[OnWebSocketMessage](https://github.com/search?q=OnWebSocketMessage&type=code)
[OnWebSocketRequest](https://github.com/search?q=OnWebSocketRequest&type=code)
[ServerSupportsWebSocket](https://github.com/search?q=ServerSupportsWebSocket&type=code)
[WebSocket::Close](https://github.com/search?q=WebSocket%3A%3AClose&type=code)
[WebSocket::Connect](https://github.com/search?q=WebSocket%3A%3AConnect&type=code)
[WebSocket::Create](https://github.com/search?q=WebSocket%3A%3ACreate&type=code)
[WebSocket::GetBufferedAmount](https://github.com/search?q=WebSocket%3A%3AGetBufferedAmount&type=code)
[WebSocket::GetCloseCode](https://github.com/search?q=WebSocket%3A%3AGetCloseCode&type=code)
[WebSocket::GetCloseReason](https://github.com/search?q=WebSocket%3A%3AGetCloseReason&type=code)
[WebSocket::GetCloseWasClean](https://github.com/search?q=WebSocket%3A%3AGetCloseWasClean&type=code)
[WebSocket::GetExtensions](https://github.com/search?q=WebSocket%3A%3AGetExtensions&type=code)
[WebSocket::GetProtocol](https://github.com/search?q=WebSocket%3A%3AGetProtocol&type=code)
[WebSocket::GetReadyState](https://github.com/search?q=WebSocket%3A%3AGetReadyState&type=code)
[WebSocket::GetURL](https://github.com/search?q=WebSocket%3A%3AGetURL&type=code)
[WebSocket::IsWebSocket](https://github.com/search?q=WebSocket%3A%3AIsWebSocket&type=code)
[WebSocket::ReceiveMessage](https://github.com/search?q=WebSocket%3A%3AReceiveMessage&type=code)
[WebSocket::SendMessage](https://github.com/search?q=WebSocket%3A%3ASendMessage&type=code)
[WebSocketAdapter](https://github.com/search?q=WebSocketAdapter&type=code)
[WebSocketAuthenticationHandler](https://github.com/search?q=WebSocketAuthenticationHandler&type=code)
[WebSocketChannelImpl](https://github.com/search?q=WebSocketChannelImpl&type=code)
[WebSocketCloseInfo](https://github.com/search?q=WebSocketCloseInfo&type=code)
[WebSocketConnector](https://github.com/search?q=WebSocketConnector&type=code)
[WebSocketCreate](https://github.com/search?q=WebSocketCreate&type=code)
[WebSocketDestroy](https://github.com/search?q=WebSocketDestroy&type=code)
[WebSocketError](https://github.com/search?q=WebSocketError&type=code)
[WebSocketHTTPURL](https://github.com/search?q=WebSocketHTTPURL&type=code)
[WebSocketHandshakeClient](https://github.com/search?q=WebSocketHandshakeClient&type=code)
[WebSocketInit](https://github.com/search?q=WebSocketInit&type=code)
[WebSocketMessageChunkAccumulator::Segment](https://github.com/search?q=WebSocketMessageChunkAccumulator%3A%3ASegment&type=code)
[WebSocketReceiveHandshakeResponse](https://github.com/search?q=WebSocketReceiveHandshakeResponse&type=code)
[WebSocketSendData](https://github.com/search?q=WebSocketSendData&type=code)
[WebSocketSendHandshakeRequest](https://github.com/search?q=WebSocketSendHandshakeRequest&type=code)
[WebSocketSticky](https://github.com/search?q=WebSocketSticky&type=code)
[WebSocketStream::Delegate::OnAuthRequired](https://github.com/search?q=WebSocketStream%3A%3ADelegate%3A%3AOnAuthRequired&type=code)
[WebSocketStreamOptions](https://github.com/search?q=WebSocketStreamOptions&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code)
[establishWebSocketConnection](https://github.com/search?q=establishWebSocketConnection&type=code)
[kWebSocketURL:](https://github.com/search?q=kWebSocketURL%3A&type=code)
[testWebSocketPort](https://github.com/search?q=testWebSocketPort&type=code)
[webSocketClosed](https://github.com/search?q=webSocketClosed&type=code)
[webSocketCreated](https://github.com/search?q=webSocketCreated&type=code)
[webSocketDebuggerUrl](https://github.com/search?q=webSocketDebuggerUrl&type=code)
[webSocketFrameError](https://github.com/search?q=webSocketFrameError&type=code)
[webSocketFrameReceived](https://github.com/search?q=webSocketFrameReceived&type=code)
[webSocketFrameSent](https://github.com/search?q=webSocketFrameSent&type=code)
[webSocketHandshakeResponseReceived](https://github.com/search?q=webSocketHandshakeResponseReceived&type=code)
[webSocketProtocol](https://github.com/search?q=webSocketProtocol&type=code)
[webSocketWillSendHandshakeRequest](https://github.com/search?q=webSocketWillSendHandshakeRequest&type=code) | -| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host",t.port](https://github.com/search?q=host%22%2Ct.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+++origin_port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+origin_port&type=code)
[host, port](https://github.com/search?q=host%2C+port&type=code)
[host, protocol, port](https://github.com/search?q=host%2C+protocol%2C+port&type=code)
[host,r.port=e.port](https://github.com/search?q=host%2Cr.port%3De.port&type=code)
[host.length - port](https://github.com/search?q=host.length+-+port&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host: address, port](https://github.com/search?q=host%3A+address%2C+port&type=code)
[host:]port](https://github.com/search?q=host%3A%5Dport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host=null,this.port](https://github.com/search?q=host%3Dnull%2Cthis.port&type=code)
[host>:[host_import](https://github.com/search?q=host_import&type=code)
[hostname && A.port](https://github.com/search?q=hostname+%26%26+A.port&type=code)
[hostname, port](https://github.com/search?q=hostname%2C+port&type=code)
[hostname="",r.port](https://github.com/search?q=hostname%3D%22%22%2Cr.port&type=code)
[hostname=null,e.port](https://github.com/search?q=hostname%3Dnull%2Ce.port&type=code)
[hostname}${port](https://github.com/search?q=hostname%7D%24%7Bport&type=code)
[hostname}:${port](https://github.com/search?q=hostname%7D%3A%24%7Bport&type=code)
[host}${port](https://github.com/search?q=host%7D%24%7Bport&type=code)
[host}:${port](https://github.com/search?q=host%7D%3A%24%7Bport&type=code) | -| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping err](https://github.com/search?q=ping++err&type=code)
[ping cancelled](https://github.com/search?q=ping+cancelled&type=code)
[ping connectivity probe](https://github.com/search?q=ping+connectivity+probe&type=code)
[ping failures and](https://github.com/search?q=ping+failures+and&type=code)
[ping from zygote child](https://github.com/search?q=ping+from+zygote+child&type=code)
[ping interval to](https://github.com/search?q=ping+interval+to&type=code)
[ping interval.](https://github.com/search?q=ping+interval.&type=code)
[ping last_ping_sent_:](https://github.com/search?q=ping+last_ping_sent_%3A&type=code)
[ping libuv](https://github.com/search?q=ping+libuv&type=code)
[ping most likely connection to](https://github.com/search?q=ping+most+likely+connection+to&type=code)
[ping payload must be 8 bytes](https://github.com/search?q=ping+payload+must+be+8+bytes&type=code)
[ping received](https://github.com/search?q=ping+received&type=code)
[ping response](https://github.com/search?q=ping+response&type=code)
[ping was sent and the ack](https://github.com/search?q=ping+was+sent+and+the+ack&type=code)
[ping with high retransmit count:](https://github.com/search?q=ping+with+high+retransmit+count%3A&type=code) | -| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | -| MEDIUM | [net/ip/spoof](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/spoof.yara#spoof) | references spoofing | [of hostname spoofing](https://github.com/search?q=of+hostname+spoofing&type=code)
[protocol spoofing](https://github.com/search?q=protocol+spoofing&type=code) | -| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | -| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [CONNECT %s](https://github.com/search?q=CONNECT+%25s&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | -| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[Tunnel](https://github.com/search?q=Tunnel&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | -| MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [NTLM](https://github.com/search?q=NTLM&type=code)
[ntlm](https://github.com/search?q=ntlm&type=code) | -| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) | -| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | -| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | -| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) | -| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[http://autocomplete.nigma.ru/complete/query_help.php?suggest=true](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code) | -| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | -| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code)
[openURL](https://github.com/search?q=openURL&type=code)
[openUrl](https://github.com/search?q=openUrl&type=code)
[request(url,](https://github.com/search?q=request%28url%2C&type=code) | -| MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | -| MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | -| MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo chmod 1777 /dev/shm](https://github.com/search?q=sudo+chmod+1777+%2Fdev%2Fshm&type=code) | -| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code) | -| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptProtocol](https://github.com/search?q=interceptProtocol&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | -| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | -| LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscate_location_parse_error](https://github.com/search?q=obfuscate_location_parse_error&type=code)
[obfuscated_field_name](https://github.com/search?q=obfuscated_field_name&type=code)
[obfuscated_file_util](https://github.com/search?q=obfuscated_file_util&type=code)
[obfuscated_name](https://github.com/search?q=obfuscated_name&type=code) | -| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | -| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [AccountPasswordsConsent](https://github.com/search?q=AccountPasswordsConsent&type=code)
[ChromePasswordManagerClient](https://github.com/search?q=ChromePasswordManagerClient&type=code)
[GaiaPasswordCaptured](https://github.com/search?q=GaiaPasswordCaptured&type=code)
[GaiaPasswordReuse](https://github.com/search?q=GaiaPasswordReuse&type=code)
[Invalid password pattern](https://github.com/search?q=Invalid+password+pattern&type=code)
[PasswordGroupData](https://github.com/search?q=PasswordGroupData&type=code)
[PasswordGroupElementData](https://github.com/search?q=PasswordGroupElementData&type=code)
[PasswordH](https://github.com/search?q=PasswordH&type=code)
[PasswordIssues](https://github.com/search?q=PasswordIssues&type=code)
[PasswordReuseDetected](https://github.com/search?q=PasswordReuseDetected&type=code)
[PasswordReuseLookup](https://github.com/search?q=PasswordReuseLookup&type=code)
[PasswordReveal](https://github.com/search?q=PasswordReveal&type=code)
[PasswordSpecificsData](https://github.com/search?q=PasswordSpecificsData&type=code)
[PasswordStrongLabel](https://github.com/search?q=PasswordStrongLabel&type=code)
[SetPasswordFunc](https://github.com/search?q=SetPasswordFunc&type=code)
[Username and password are expected to](https://github.com/search?q=Username+and+password+are+expected+to&type=code)
[a username and password](https://github.com/search?q=a+username+and+password&type=code)
[accessibilityPasswordValuesEnabled](https://github.com/search?q=accessibilityPasswordValuesEnabled&type=code)
[bPassword](https://github.com/search?q=bPassword&type=code)
[called on a passwordless request](https://github.com/search?q=called+on+a+passwordless+request&type=code)
[challengePassword](https://github.com/search?q=challengePassword&type=code)
[current-password](https://github.com/search?q=current-password&type=code)
[fade-out-password](https://github.com/search?q=fade-out-password&type=code)
[for password](https://github.com/search?q=for+password&type=code)
[generated a new password](https://github.com/search?q=generated+a+new+password&type=code)
[get password](https://github.com/search?q=get+password&type=code)
[getPasswordComplete](https://github.com/search?q=getPasswordComplete&type=code)
[id-PasswordBasedMAC](https://github.com/search?q=id-PasswordBasedMAC&type=code)
[input-password](https://github.com/search?q=input-password&type=code)
[kPassword](https://github.com/search?q=kPassword&type=code)
[like a password](https://github.com/search?q=like+a+password&type=code)
[new-password](https://github.com/search?q=new-password&type=code)
[or PasswordCredentialData](https://github.com/search?q=or+PasswordCredentialData&type=code)
[password based MAC](https://github.com/search?q=password+based+MAC&type=code)
[password is too large](https://github.com/search?q=password+is+too+large&type=code)
[password text](https://github.com/search?q=password+text&type=code)
[password-change](https://github.com/search?q=password-change&type=code)
[password-manager](https://github.com/search?q=password-manager&type=code)
[password-protection](https://github.com/search?q=password-protection&type=code)
[password-reveal](https://github.com/search?q=password-reveal&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[password-strong-label](https://github.com/search?q=password-strong-label&type=code)
[passwordChar](https://github.com/search?q=passwordChar&type=code)
[passwordDialogTitle](https://github.com/search?q=passwordDialogTitle&type=code)
[passwordEchoEnabled](https://github.com/search?q=passwordEchoEnabled&type=code)
[passwordEdit](https://github.com/search?q=passwordEdit&type=code)
[passwordInvalid](https://github.com/search?q=passwordInvalid&type=code)
[passwordPrompt](https://github.com/search?q=passwordPrompt&type=code)
[passwordSubmit](https://github.com/search?q=passwordSubmit&type=code)
[readPassword](https://github.com/search?q=readPassword&type=code)
[reveal-password](https://github.com/search?q=reveal-password&type=code)
[secret_password_clear_sync](https://github.com/search?q=secret_password_clear_sync&type=code)
[secret_password_store_sync](https://github.com/search?q=secret_password_store_sync&type=code)
[set password](https://github.com/search?q=set+password&type=code)
[such as passwords](https://github.com/search?q=such+as+passwords&type=code)
[to deserialize password_string](https://github.com/search?q=to+deserialize+password_string&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[username or password](https://github.com/search?q=username+or+password&type=code)
[writePassword](https://github.com/search?q=writePassword&type=code) | -| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[privateKey](https://github.com/search?q=privateKey&type=code)
[private_key](https://github.com/search?q=private_key&type=code) | -| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) | -| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [AeadEncryptDecrypt](https://github.com/search?q=AeadEncryptDecrypt&type=code)
[AesCbcEncryptDecrypt](https://github.com/search?q=AesCbcEncryptDecrypt&type=code)
[CommonEncryptDecrypt](https://github.com/search?q=CommonEncryptDecrypt&type=code)
[ContentDecryptionModuleClient](https://github.com/search?q=ContentDecryptionModuleClient&type=code)
[CreateContentDecryptionModule](https://github.com/search?q=CreateContentDecryptionModule&type=code)
[Creation of DecryptConfig failed](https://github.com/search?q=Creation+of+DecryptConfig+failed&type=code)
[DecryptAndDecodeAudio](https://github.com/search?q=DecryptAndDecodeAudio&type=code)
[DecryptAndDecodeVideo](https://github.com/search?q=DecryptAndDecodeVideo&type=code)
[DecryptPendingBuffer](https://github.com/search?q=DecryptPendingBuffer&type=code)
[Decrypted a 0](https://github.com/search?q=Decrypted+a+0&type=code)
[DecryptedWithEmptyKey](https://github.com/search?q=DecryptedWithEmptyKey&type=code)
[DecryptingAudioDecoder](https://github.com/search?q=DecryptingAudioDecoder&type=code)
[DecryptingVideoDecoder](https://github.com/search?q=DecryptingVideoDecoder&type=code)
[Decryption failed](https://github.com/search?q=Decryption+failed&type=code)
[Decryption is not avail](https://github.com/search?q=Decryption+is+not+avail&type=code)
[Decryption succeeded af](https://github.com/search?q=Decryption+succeeded+af&type=code)
[DoDecryptReply](https://github.com/search?q=DoDecryptReply&type=code)
[For a Content Decryption Module](https://github.com/search?q=For+a+Content+Decryption+Module&type=code)
[GetFrameDecryptor](https://github.com/search?q=GetFrameDecryptor&type=code)
[Hardware Secure Decryption is disabled](https://github.com/search?q=Hardware+Secure+Decryption+is+disabled&type=code)
[HardwareSecureDecryptionExperiment](https://github.com/search?q=HardwareSecureDecryptionExperiment&type=code)
[MojoDecryptorService](https://github.com/search?q=MojoDecryptorService&type=code)
[OnDecryptingDemuxerStream](https://github.com/search?q=OnDecryptingDemuxerStream&type=code)
[Selected DecryptingDemuxerStream](https://github.com/search?q=Selected+DecryptingDemuxerStream&type=code)
[Setting FrameDecryptor](https://github.com/search?q=Setting+FrameDecryptor&type=code)
[WaitingForDecryptionKey](https://github.com/search?q=WaitingForDecryptionKey&type=code)
[_privateDecrypt](https://github.com/search?q=_privateDecrypt&type=code)
[_publicDecrypt](https://github.com/search?q=_publicDecrypt&type=code)
[ause of SetFrameDecryptor](https://github.com/search?q=ause+of+SetFrameDecryptor&type=code)
[const privateDecrypt](https://github.com/search?q=const+privateDecrypt&type=code)
[const publicDecrypt](https://github.com/search?q=const+publicDecrypt&type=code)
[e to set ContentDecryptionModule object](https://github.com/search?q=e+to+set+ContentDecryptionModule+object&type=code)
[existing ContentDecryptionModule object](https://github.com/search?q=existing+ContentDecryptionModule+object&type=code)
[kDecryptError](https://github.com/search?q=kDecryptError&type=code)
[kIsAudioDecryptingDemuxerStream](https://github.com/search?q=kIsAudioDecryptingDemuxerStream&type=code)
[kIsVideoDecryptingDemuxerStream](https://github.com/search?q=kIsVideoDecryptingDemuxerStream&type=code)
[kWebCryptoCipherDecrypt](https://github.com/search?q=kWebCryptoCipherDecrypt&type=code)
[ketsReceivedWithDecrypter](https://github.com/search?q=ketsReceivedWithDecrypter&type=code) | -| LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) | -| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | -| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public key](https://github.com/search?q=Public+key&type=code)
[Public-key](https://github.com/search?q=Public-key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | -| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code)
[require('tls')](https://github.com/search?q=require%28%27tls%27%29&type=code) | -| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | -| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | -| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | -| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | -| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [(�/�](https://github.com/search?q=%28%B5%2F%FD&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | -| LOW | [data/embedded/pem_certificate](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert) | Contains embedded PEM certificate | [--BEGIN CERTIFICATE--](https://github.com/search?q=--BEGIN+CERTIFICATE--&type=code) | -| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | -| LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSON.parse](https://github.com/search?q=JSON.parse&type=code) | -| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | -| LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | -| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | -| LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | -| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | -| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | -| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [evasion/hijack_execution/LD_LIBRARY_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hijack_execution/LD_LIBRARY_PATH.yara#ld_library_path) | ld library path | [LD_LIBRARY_PATH](https://github.com/search?q=LD_LIBRARY_PATH&type=code) | -| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | -| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | -| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Chromium PDF Plugin](https://github.com/search?q=Chromium+PDF+Plugin&type=code)
[ContainsPlugins](https://github.com/search?q=ContainsPlugins&type=code)
[Failed to generate a plugin id](https://github.com/search?q=Failed+to+generate+a+plugin+id&type=code)
[GetPluginInfo](https://github.com/search?q=GetPluginInfo&type=code)
[GetPlugins](https://github.com/search?q=GetPlugins&type=code)
[If you want to block plugins](https://github.com/search?q=If+you+want+to+block+plugins&type=code)
[Is an accelerated plugin](https://github.com/search?q=Is+an+accelerated+plugin&type=code)
[LoadPluginsSoon](https://github.com/search?q=LoadPluginsSoon&type=code)
[No PPP_GetInterface in plugin library](https://github.com/search?q=No+PPP_GetInterface+in+plugin+library&type=code)
[No PPP_InitializeModule in plugin library](https://github.com/search?q=No+PPP_InitializeModule+in+plugin+library&type=code)
[OnPepperPluginCrashed](https://github.com/search?q=OnPepperPluginCrashed&type=code)
[OnPepperPluginHung](https://github.com/search?q=OnPepperPluginHung&type=code)
[OpenChannelToPepperPlugin](https://github.com/search?q=OpenChannelToPepperPlugin&type=code)
[Pepper Plugin Broker](https://github.com/search?q=Pepper+Plugin+Broker&type=code)
[PepperPluginInstance](https://github.com/search?q=PepperPluginInstance&type=code)
[Plugin Changed](https://github.com/search?q=Plugin+Changed&type=code)
[Plugin URL](https://github.com/search?q=Plugin+URL&type=code)
[Plugin doesn](https://github.com/search?q=Plugin+doesn&type=code)
[PluginArray](https://github.com/search?q=PluginArray&type=code)
[PluginData](https://github.com/search?q=PluginData&type=code)
[PluginDispatcher](https://github.com/search?q=PluginDispatcher&type=code)
[PluginLoad](https://github.com/search?q=PluginLoad&type=code)
[PluginRegistry](https://github.com/search?q=PluginRegistry&type=code)
[PluginResource](https://github.com/search?q=PluginResource&type=code)
[PluginService](https://github.com/search?q=PluginService&type=code)
[PluginSizeUpdated](https://github.com/search?q=PluginSizeUpdated&type=code)
[PpapiMsg_LoadPlugin](https://github.com/search?q=PpapiMsg_LoadPlugin&type=code)
[PpapiPluginMain](https://github.com/search?q=PpapiPluginMain&type=code)
[PpapiPluginMetrics](https://github.com/search?q=PpapiPluginMetrics&type=code)
[RemoveBrowserPluginEmbedder](https://github.com/search?q=RemoveBrowserPluginEmbedder&type=code)
[SendToPlugin](https://github.com/search?q=SendToPlugin&type=code)
[SetBrowserPluginGuest](https://github.com/search?q=SetBrowserPluginGuest&type=code)
[The plugin has not](https://github.com/search?q=The+plugin+has+not&type=code)
[Unable to create ppapi plugin process](https://github.com/search?q=Unable+to+create+ppapi+plugin+process&type=code)
[Unable to load plugin](https://github.com/search?q=Unable+to+load+plugin&type=code)
[Unable to load ppapi plugin](https://github.com/search?q=Unable+to+load+ppapi+plugin&type=code)
[allowNonEmptyNavigatorPlugins](https://github.com/search?q=allowNonEmptyNavigatorPlugins&type=code)
[as a plugin](https://github.com/search?q=as+a+plugin&type=code)
[browserplugin](https://github.com/search?q=browserplugin&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[html_plugin_element](https://github.com/search?q=html_plugin_element&type=code)
[kPluginObject](https://github.com/search?q=kPluginObject&type=code)
[loadplugin](https://github.com/search?q=loadplugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[page contains plugins](https://github.com/search?q=page+contains+plugins&type=code)
[pdf_internal_plugin_wrapper](https://github.com/search?q=pdf_internal_plugin_wrapper&type=code)
[pdf_view_web_plugin](https://github.com/search?q=pdf_view_web_plugin&type=code)
[pepper_hung_plugin_filter](https://github.com/search?q=pepper_hung_plugin_filter&type=code)
[pepper_webplugin_impl](https://github.com/search?q=pepper_webplugin_impl&type=code)
[plugin data](https://github.com/search?q=plugin+data&type=code)
[pluginObject](https://github.com/search?q=pluginObject&type=code)
[plugin_audio_thread](https://github.com/search?q=plugin_audio_thread&type=code)
[plugin_container_impl](https://github.com/search?q=plugin_container_impl&type=code)
[plugin_instance_impl](https://github.com/search?q=plugin_instance_impl&type=code)
[plugin_message_filter](https://github.com/search?q=plugin_message_filter&type=code)
[plugin_module](https://github.com/search?q=plugin_module&type=code)
[plugin_process_host](https://github.com/search?q=plugin_process_host&type=code)
[plugin_service_impl](https://github.com/search?q=plugin_service_impl&type=code)
[pluginsEnabled](https://github.com/search?q=pluginsEnabled&type=code)
[pluginspace](https://github.com/search?q=pluginspace&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[pluginurl](https://github.com/search?q=pluginurl&type=code)
[ppapi_plugin_main](https://github.com/search?q=ppapi_plugin_main&type=code)
[ppapi_plugin_process](https://github.com/search?q=ppapi_plugin_process&type=code)
[r PluginH](https://github.com/search?q=r+PluginH&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code)
[security origin than your plugin](https://github.com/search?q=security+origin+than+your+plugin&type=code)
[strictMixedContentCheckingForPlugin](https://github.com/search?q=strictMixedContentCheckingForPlugin&type=code)
[suggestplugin](https://github.com/search?q=suggestplugin&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectoryAndGetEr](https://github.com/search?q=CreateDirectoryAndGetEr&type=code)
[CreateDirectoryError](https://github.com/search?q=CreateDirectoryError&type=code)
[CreateDirectoryResult](https://github.com/search?q=CreateDirectoryResult&type=code)
[createFolder](https://github.com/search?q=createFolder&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | -| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | -| LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm HP-USB500 5.1 Headset](https://github.com/search?q=rm+HP-USB500+5.1+Headset&type=code)
[rm PA-WL54GU](https://github.com/search?q=rm+PA-WL54GU&type=code) | -| LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | -| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | -| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | -| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code)
[fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code) | -| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | -| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code)
[_writeFilesForTesting](https://github.com/search?q=_writeFilesForTesting&type=code)
[writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeFileUtf8](https://github.com/search?q=writeFileUtf8&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code) | -| LOW | [fs/link_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) | -| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | -| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/asound.conf](https://github.com/search?q=%2Fetc%2Fasound.conf&type=code)
[/etc/ati/amdpcsdb.default](https://github.com/search?q=%2Fetc%2Fati%2Famdpcsdb.default&type=code)
[/etc/catalog](https://github.com/search?q=%2Fetc%2Fcatalog&type=code)
[/etc/chromium/native-messaging-hosts](https://github.com/search?q=%2Fetc%2Fchromium%2Fnative-messaging-hosts&type=code)
[/etc/chromium/policies](https://github.com/search?q=%2Fetc%2Fchromium%2Fpolicies&type=code)
[/etc/drirc](https://github.com/search?q=%2Fetc%2Fdrirc&type=code)
[/etc/fonts/conf.d](https://github.com/search?q=%2Fetc%2Ffonts%2Fconf.d&type=code)
[/etc/gai.conf](https://github.com/search?q=%2Fetc%2Fgai.conf&type=code)
[/etc/group](https://github.com/search?q=%2Fetc%2Fgroup&type=code)
[/etc/host.conf](https://github.com/search?q=%2Fetc%2Fhost.conf&type=code)
[/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code)
[/etc/localtime](https://github.com/search?q=%2Fetc%2Flocaltime&type=code)
[/etc/machine-id](https://github.com/search?q=%2Fetc%2Fmachine-id&type=code)
[/etc/netsvc.conf](https://github.com/search?q=%2Fetc%2Fnetsvc.conf&type=code)
[/etc/nsswitch.conf](https://github.com/search?q=%2Fetc%2Fnsswitch.conf&type=code)
[/etc/os-release](https://github.com/search?q=%2Fetc%2Fos-release&type=code)
[/etc/pulse/](https://github.com/search?q=%2Fetc%2Fpulse%2F&type=code)
[/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/ssl/certs](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts&type=code)
[/etc/svc.conf](https://github.com/search?q=%2Fetc%2Fsvc.conf&type=code)
[/etc/timezone](https://github.com/search?q=%2Fetc%2Ftimezone&type=code)
[/etc/vulkan/icd.d](https://github.com/search?q=%2Fetc%2Fvulkan%2Ficd.d&type=code)
[/etc/xml/catalog](https://github.com/search?q=%2Fetc%2Fxml%2Fcatalog&type=code) | -| LOW | [fs/path/etc_resolv.conf](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf) | accesses DNS resolver configuration | [/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code) | -| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/privacy/](https://github.com/search?q=%2Fhome%2Fprivacy%2F&type=code) | -| LOW | [fs/path/home_config](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path) | path reference within ~/.config | [.config/pulse](https://github.com/search?q=.config%2Fpulse&type=code)
[/.config/user](https://github.com/search?q=%2F.config%2Fuser&type=code) | -| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/cache/fontconfig](https://github.com/search?q=%2Fvar%2Fcache%2Ffontconfig&type=code)
[/var/run/user](https://github.com/search?q=%2Fvar%2Frun%2Fuser&type=code)
[/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | -| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | -| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TEMPDIR](https://github.com/search?q=TEMPDIR&type=code)
[TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | -| LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | -| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | -| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | -| LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code)
[bssid](https://github.com/search?q=bssid&type=code) | -| LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [require('dns')](https://github.com/search?q=require%28%27dns%27%29&type=code) | -| LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [resolv.conf](https://github.com/search?q=resolv.conf&type=code) | -| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | -| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | -| LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | -| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | -| LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [oauth2](https://github.com/search?q=oauth2&type=code) | -| LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[httpClose](https://github.com/search?q=httpClose&type=code)
[httpConnect](https://github.com/search?q=httpConnect&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code) | -| LOW | [net/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets) | access the internet | [invalid packet](https://github.com/search?q=invalid+packet&type=code) | -| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | -| LOW | [net/ip/resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-resolve.yara#gethostbyaddr) | [resolves network hosts via IP address](https://linux.die.net/man/3/gethostbyaddr) | [gethostbyaddr](https://github.com/search?q=gethostbyaddr&type=code) | -| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#cannot_resolve) | resolve network host name to IP address | [cannot resolve](https://github.com/search?q=cannot+resolve&type=code) | -| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | -| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [client_address_spac](https://github.com/search?q=client_address_spac&type=code)
[client_addresses_ca](https://github.com/search?q=client_addresses_ca&type=code)
[getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code)
[sendmmsg](https://github.com/search?q=sendmmsg&type=code)
[sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | -| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code)
[new URL](https://github.com/search?q=new+URL&type=code) | -| LOW | [os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val) | Retrieve environment variable values | [env.COLORTERM](https://github.com/search?q=env.COLORTERM&type=code)
[env.CRASHDUMP](https://github.com/search?q=env.CRASHDUMP&type=code)
[env.CRASHPAD](https://github.com/search?q=env.CRASHPAD&type=code)
[env.ELECTRON](https://github.com/search?q=env.ELECTRON&type=code)
[env.FORCE](https://github.com/search?q=env.FORCE&type=code)
[env.JEST](https://github.com/search?q=env.JEST&type=code)
[env.NODE](https://github.com/search?q=env.NODE&type=code)
[env.ORIGINAL](https://github.com/search?q=env.ORIGINAL&type=code)
[env.TEAMCITY](https://github.com/search?q=env.TEAMCITY&type=code)
[env.TEMP](https://github.com/search?q=env.TEMP&type=code)
[env.TERM](https://github.com/search?q=env.TERM&type=code)
[env.TMP](https://github.com/search?q=env.TMP&type=code)
[env.TMUX](https://github.com/search?q=env.TMUX&type=code)
[env.UNDICI](https://github.com/search?q=env.UNDICI&type=code)
[env.USERPROFILE](https://github.com/search?q=env.USERPROFILE&type=code)
[env.WATCH](https://github.com/search?q=env.WATCH&type=code)
[env.XDG](https://github.com/search?q=env.XDG&type=code) | -| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | -| LOW | [os/fd/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#py_fd_read) | reads from a file handle | [context.read()](https://github.com/search?q=context.read%28%29&type=code)
[reader.read()](https://github.com/search?q=reader.read%28%29&type=code)
[req.read()](https://github.com/search?q=req.read%28%29&type=code)
[self.read()](https://github.com/search?q=self.read%28%29&type=code)
[socket.read()](https://github.com/search?q=socket.read%28%29&type=code)
[stream.read()](https://github.com/search?q=stream.read%28%29&type=code)
[tail.read()](https://github.com/search?q=tail.read%28%29&type=code) | -| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) | -| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [_decoder.write(ret)](https://github.com/search?q=_decoder.write%28ret%29&type=code)
[_downstream.write(e)](https://github.com/search?q=_downstream.write%28e%29&type=code)
[decoder.write(data)](https://github.com/search?q=decoder.write%28data%29&type=code)
[decoder.write(readBuffer)](https://github.com/search?q=decoder.write%28readBuffer%29&type=code)
[dest.write(chunk)](https://github.com/search?q=dest.write%28chunk%29&type=code)
[h2stream.write(body)](https://github.com/search?q=h2stream.write%28body%29&type=code)
[h2stream.write(buffer)](https://github.com/search?q=h2stream.write%28buffer%29&type=code)
[h2stream.write(chunk)](https://github.com/search?q=h2stream.write%28chunk%29&type=code)
[output.write(errStack)](https://github.com/search?q=output.write%28errStack%29&type=code)
[output.write(line)](https://github.com/search?q=output.write%28line%29&type=code)
[output.write(result)](https://github.com/search?q=output.write%28result%29&type=code)
[output.write(stringToWrite)](https://github.com/search?q=output.write%28stringToWrite%29&type=code)
[pt.write(val)](https://github.com/search?q=pt.write%28val%29&type=code)
[self.write(prefix)](https://github.com/search?q=self.write%28prefix%29&type=code)
[socket.write(body)](https://github.com/search?q=socket.write%28body%29&type=code)
[socket.write(buffer)](https://github.com/search?q=socket.write%28buffer%29&type=code)
[socket.write(chunk)](https://github.com/search?q=socket.write%28chunk%29&type=code)
[stdout.write(clear)](https://github.com/search?q=stdout.write%28clear%29&type=code)
[stdout.write(s)](https://github.com/search?q=stdout.write%28s%29&type=code)
[stream.write(data)](https://github.com/search?q=stream.write%28data%29&type=code)
[stream.write(kClearScreenDown)](https://github.com/search?q=stream.write%28kClearScreenDown%29&type=code)
[stream.write(string)](https://github.com/search?q=stream.write%28string%29&type=code)
[streamWritable.write(chunk)](https://github.com/search?q=streamWritable.write%28chunk%29&type=code)
[this.write(buf)](https://github.com/search?q=this.write%28buf%29&type=code)
[this.write(data)](https://github.com/search?q=this.write%28data%29&type=code)
[this.write(response)](https://github.com/search?q=this.write%28response%29&type=code)
[writable.write(chunk)](https://github.com/search?q=writable.write%28chunk%29&type=code)
[writer.write(chunk)](https://github.com/search?q=writer.write%28chunk%29&type=code) | -| LOW | [os/kernel/netlink](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink) | communicate with kernel services | [netlink](https://github.com/search?q=netlink&type=code) | -| LOW | [os/kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) | -| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | -| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd -u env -i](https://github.com/search?q=cd+-u++env+-i&type=code) | -| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | -| LOW | [process/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#_fork) | [create child process](https://man7.org/linux/man-pages/man2/fork.2.html) | [_fork](https://github.com/search?q=_fork&type=code) | -| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | -| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | 
[setgroups](https://github.com/search?q=setgroups&type=code) |
-| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
-
diff --git a/tests/linux/clean/slirp4netns.simple b/tests/linux/clean/slirp4netns.simple
index cdd925c6..b2b0dece 100644
--- a/tests/linux/clean/slirp4netns.simple
+++ b/tests/linux/clean/slirp4netns.simple
@@ -1,7 +1,7 @@
-# linux/clean/slirp4netns: high
+# linux/clean/slirp4netns: medium
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
-anti-static/elf/multiple: high
+anti-static/elf/multiple: medium
 c2/addr/ip: medium
 c2/addr/url: low
 c2/tool_transfer/arch: low
diff --git a/tests/linux/clean/tree-sitter.md b/tests/linux/clean/tree-sitter.md
index 3248000e..e69de29b 100644
--- a/tests/linux/clean/tree-sitter.md
+++ b/tests/linux/clean/tree-sitter.md
@@ -1,52 +0,0 @@
-## linux/clean/tree-sitter [🛑 HIGH]
-
-| RISK | KEY | DESCRIPTION | EVIDENCE |
-|--|--|--|--|
-| HIGH | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries concatenated into a single file | $elf_head |
-| HIGH | [exec/shell/tmp_semicolon](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/tmp_semicolon.yara#semicolon_short_tmp) | unusual one-liners involving /tmp | [--;/tmp/rust-20241004-6494-uljaw4/rustc-1](https://github.com/search?q=--%3B%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1&type=code) |
-| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [Dropper](https://github.com/search?q=Dropper&type=code) |
-| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Darwin](https://github.com/search?q=Darwin&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | -| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | -| MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | -| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/clap/issues/home/linuxbrew/.cache](https://github.com/search?q=%2Fclap%2Fissues%2Fhome%2Flinuxbrew%2F.cache&type=code)
[/debug/.J](https://github.com/search?q=%2Fdebug%2F.J&type=code)
[/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | -| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | -| MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershell](https://github.com/search?q=powershell&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/col](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fcol&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/raw](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fraw&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/str](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fstr&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/syn](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fsyn&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/vec](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fvec&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/cell](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fcell&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/esca](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fesca&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/io/b](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fio%2Fb&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/num/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fnum%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/ops/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fops%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/slic](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fslic&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/str/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fstr%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/time](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Ftime&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/mo](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fmo&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/st](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fst&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/os/fd](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fos%2Ffd&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sync/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsync%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/p](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fp&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/threa](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fthrea&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/addr2line-0.22](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Faddr2line-0.22&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/gimli-0.29.0/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fgimli-0.29.0%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/hashbrown-0.14](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fhashbrown-0.14&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/miniz_oxide-0.](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fminiz_oxide-0.&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/rustc-demangle](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Frustc-demangle&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/config/s](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fconfig%2Fs&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/generate](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fgenerate&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/src/high](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fsrc%2Fhigh&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/highlight/sr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fhighlight%2Fsr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/binding_](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fbinding_&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/././](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2F.%2F&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./ge](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fge&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./la](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fla&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./pa](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fpa&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./qu](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fqu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./st](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fst&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./su](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fsu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./tr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Ftr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/tags/src/lib](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Ftags%2Fsrc%2Flib&type=code) | -| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type: application/javascriptContent](https://github.com/search?q=Content-Type%3A+application%2FjavascriptContent&type=code)
[Content-Type: application/wasm/tree](https://github.com/search?q=Content-Type%3A+application%2Fwasm%2Ftree&type=code)
[Content-Type: text/htmlContent](https://github.com/search?q=Content-Type%3A+text%2FhtmlContent&type=code)
[Content-TypeServerupgradeassertion failed: d](https://github.com/search?q=Content-TypeServerupgradeassertion+failed%3A+d&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | -| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | -| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgopythonswift](https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgopythonswift)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.min.css](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.min.css)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.min.js](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.min.js)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.css](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.css)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.js](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.js)
[https://code.jquery.com/jquery](https://code.jquery.com/jquery)
[https://docs.rs/getrandom](https://docs.rs/getrandom)
[https://docs.rs/tree](https://docs.rs/tree)
[https://github.com/ChimeHQ/SwiftTreeSitter](https://github.com/ChimeHQ/SwiftTreeSitter)
[https://github.com/clap](https://github.com/clap)
[https://github.com/tree](https://github.com/tree)
[https://gitlab.com/https](https://gitlab.com/https)
[https://parser.cparser.h](https://parser.cparser.h) | -| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | -| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | -| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | -| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | -| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| LOW | 
[fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.cache/Homebrew/cargo_cache/registry/src/index.crates.](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.cache%2FHomebrew%2Fcargo_cache%2Fregistry%2Fsrc%2Findex.crates.&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/tree-sitter/0.24.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftree-sitter%2F0.24.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code) | -| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | -| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | -| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | -| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) | -| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | -| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvmsg](https://github.com/search?q=recvmsg&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code) | -| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop](https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j)
[https://code.jquery.com/jquery-3.3.1.min.js](https://code.jquery.com/jquery-3.3.1.min.js)
[https://docs.rs/getrandom](https://docs.rs/getrandom)
[https://docs.rs/tree-sitter-language/](https://docs.rs/tree-sitter-language/)
[https://docs.rs/tree-sitter/](https://docs.rs/tree-sitter/)
[https://github.com/ChimeHQ/SwiftTreeSitter](https://github.com/ChimeHQ/SwiftTreeSitter)
[https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car](https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car)
[https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c](https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c)
[https://github.com/tree-sitter/tree-sitter-Failed](https://github.com/tree-sitter/tree-sitter-Failed)
[https://gitlab.com/https](https://gitlab.com/https)
[https://parser.cparser.h](https://parser.cparser.h)
[https://tree-sitter.github.io/tree-sitter.jshttps](https://tree-sitter.github.io/tree-sitter.jshttps)
[https://tree-sitter.github.io/tree-sitter.wasmhttps](https://tree-sitter.github.io/tree-sitter.wasmhttps)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png)
[https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT](https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT)
[https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j](https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j)
[https://tree-sitter.github.io/tree-sitter/creating-parsers](https://tree-sitter.github.io/tree-sitter/creating-parsers)
[https://tree-sitter.github.io/tree-sitter/playground](https://tree-sitter.github.io/tree-sitter/playground)
[https://tree-sitter.github.io/tree-sitter/syntax-highlighting](https://tree-sitter.github.io/tree-sitter/syntax-highlighting)
[https://tree-sitter.github.io/tree-sitter/using-parsers](https://tree-sitter.github.io/tree-sitter/using-parsers) |
-| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [stdout.write(output)](https://github.com/search?q=stdout.write%28output%29&type=code) |
-| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) |
-| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd -u env -i](https://github.com/search?q=cd+-u++env+-i&type=code) |
-| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) |
-| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) |
-| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
-
diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple
index 1b30cd55..e69de29b 100644
--- a/tests/linux/clean/trivy.simple
+++ b/tests/linux/clean/trivy.simple
@@ -1,201 +0,0 @@ -# linux/clean/trivy: high -anti-static/elf/multiple: high -c2/addr/discord: medium -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/server: medium -c2/client: medium -c2/discovery/ip_dns_resolver: medium -c2/tool_transfer/arch: low -c2/tool_transfer/download: medium -c2/tool_transfer/github: medium -c2/tool_transfer/os: medium -collect/archives/unarchive: medium -collect/archives/zip: medium -collect/code/github_api: low -collect/databases/leveldb: medium -collect/databases/mysql: medium -collect/databases/postgresql: medium -collect/databases/sqlite: medium -credential/cloud/aws: medium -credential/cloud/g: medium -credential/keychain: medium -credential/password: low -credential/server/htpasswd: medium -credential/sniffer/bpf: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/blockchain: medium -crypto/cipher: medium -crypto/decrypt: low -crypto/ecdsa: low -crypto/ed25519: low -crypto/openssl: medium -crypto/public_key: low -crypto/tls: low -data/base64/decode: medium -data/base64/encode: medium -data/compression/bzip2: low -data/compression/gzip: low -data/compression/lzma: low -data/compression/xz: medium -data/compression/zlib: low -data/compression/zstd: low -data/embedded/html: medium -data/embedded/pem_certificate: low -data/embedded/pem_private_key: medium -data/embedded/pem_test_key: low -data/embedded/ssh_signature: medium -data/encoding/base64: low -data/encoding/json: low -data/encoding/json_decode: low -data/encoding/json_encode: low -data/hash/blake2b: low -data/hash/md5: medium -data/hash/sha1: low -data/random/insecure: low -discover/cloud/aws_metadata: low -discover/cloud/google_metadata: low -discover/cloud/google_storage: low -discover/network/mac_address: medium -discover/network/netstat: medium -discover/process/name: medium -discover/processes/list: medium -discover/system/cpu: low -discover/system/dmesg: low -discover/system/hostname: low -discover/system/platform: medium -discover/system/sysinfo: 
medium -discover/user/HOME: low -discover/user/USER: low -evasion/bypass_security/linux/iptables: medium -evasion/file/location/chdir_unusual: medium -evasion/file/location/dev_shm: medium -evasion/file/location/var_run: medium -evasion/file/prefix: medium -exec/cmd: medium -exec/conditional/LANG: low -exec/dylib/symbol_address: medium -exec/install_additional/package_install: medium -exec/install_additional/pip_install: medium -exec/plugin: low -exec/program: medium -exec/script/osa: medium -exec/shell/SHELL: low -exec/shell/TERM: low -exec/shell/background_sleep: medium -exec/shell/pipe_sh: medium -exec/system_controls/apparmor: medium -exec/system_controls/systemd: low -exfil/collection: medium -exfil/upload: medium -fs/attributes/set: medium -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/file/copy: medium -fs/file/create: medium -fs/file/delete: medium -fs/file/delete_forcibly: medium -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/stat: low -fs/file/times_set: medium -fs/file/truncate: low -fs/file/write: low -fs/link_create: low -fs/link_read: low -fs/lock_update: low -fs/loopback: medium -fs/mount: low -fs/node_create: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/home: low -fs/path/home_config: low -fs/path/root: medium -fs/path/tmp: medium -fs/path/users: medium -fs/path/usr_bin: low -fs/path/usr_lib_python: medium -fs/path/usr_local: medium -fs/path/var: low -fs/permission/chown: medium -fs/permission/modify: medium -fs/proc/arbitrary_pid: medium -fs/proc/self_mountinfo: medium -fs/swap/off: low -fs/symlink_resolve: low -fs/tempdir: low -fs/tempdir/TEMP: low -fs/tempdir/TMPDIR: low -fs/tempdir/create: low -fs/tempfile: low -fs/watch: low -hw/dev/block_ice: medium -hw/wireless: low -impact/remote_access/heartbeat: medium -impact/remote_access/iptables: medium -impact/remote_access/kill_rm: medium -impact/remote_access/trojan: medium -lateral/scan/brute_force: low 
-malware/ref: medium -net/dns: low -net/dns/reverse: medium -net/dns/servers: low -net/dns/txt: low -net/download/fetch: medium -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/content_length: medium -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: low -net/http/request: low -net/http/webhook: medium -net/http/websocket: medium -net/ip: low -net/ip/host_port: medium -net/ip/icmp: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/ip/syncookie: medium -net/proxy/socks5: medium -net/proxy/tunnel: medium -net/resolve/hostname: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/peer_address: low -net/socket/receive: low -net/socket/send: low -net/tcp/connect: medium -net/tcp/grpc: low -net/tcp/ssh: medium -net/udp/receive: low -net/udp/send: low -net/url/embedded: medium -net/url/encode: medium -net/url/parse: low -net/url/request: medium -os/fd/sendfile: low -os/kernel/netlink: low -os/kernel/opencl: medium -os/kernel/seccomp: low -os/time/tzinfo: low -privesc/setuid: low -privesc/sudo: medium -process/chdir: low -process/chroot: low -process/groupid_set: low -process/groups_set: low -process/multithreaded: low -sus/exclamation: medium -sus/intercept: medium -sus/leetspeak: medium -sus/malicious: medium diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md index 50d68ff0..e69de29b 100644 --- a/tests/linux/clean/trufflehog.md +++ b/tests/linux/clean/trufflehog.md 
@@ -1,194 +0,0 @@ -## linux/clean/trufflehog [😈 CRITICAL] - -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--|--|--|--| -| HIGH | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries concatenated into a single file | $elf_head | -| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_url_with_question) | binary contains hardcoded URL with question mark | [https://api.mesibo.com/api.php?op=useradd&token=https](https://api.mesibo.com/api.php?op=useradd&token=https)
[https://api.route4me.com/api.v4/address_book.php?api_key=https](https://api.route4me.com/api.v4/address_book.php?api_key=https)
[https://api.websitepulse.com/textserver.php?method=GetContacts&username=](https://api.websitepulse.com/textserver.php?method=GetContacts&username=)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https) | -| HIGH | [c2/tool_transfer/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/download.yara#download_sites) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [pastebin.Scanner](https://github.com/search?q=pastebin.Scanner&type=code)
[pastebin.com/api/api_post](https://github.com/search?q=pastebin.com%2Fapi%2Fapi_post&type=code)
[pastebin.go](https://github.com/search?q=pastebin.go&type=code)
[pastebin.init](https://github.com/search?q=pastebin.init&type=code) | -| HIGH | [c2/tool_transfer/grayware](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/grayware.yara#grayware_sites) | References websites that host code that can be used maliciously | [shodan.io](https://github.com/search?q=shodan.io&type=code) | -| HIGH | [discover/ip/public](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/ip/public_ip.yara#iplookup_website) | public service to discover external IP address | [ipify.or](https://github.com/search?q=ipify.or&type=code) | -| HIGH | [exfil/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/discord.yara#discord_bot) | [Uses the Discord webhooks API](https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_high.yar#L706) | [discord.com/api/webhooks/](https://github.com/search?q=discord.com%2Fapi%2Fwebhooks%2F&type=code) | -| HIGH | [exfil/stealer/creds](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/creds.yara#suspected_data_stealer) | suspected data stealer | [Atomic](https://github.com/search?q=Atomic&type=code)
[Binance](https://github.com/search?q=Binance&type=code)
[Chrome](https://github.com/search?q=Chrome&type=code)
[Discord](https://github.com/search?q=Discord&type=code)
[Firefox](https://github.com/search?q=Firefox&type=code)
[History](https://github.com/search?q=History&type=code)
[OpenVPN](https://github.com/search?q=OpenVPN&type=code)
[Snowflake](https://github.com/search?q=Snowflake&type=code)
[Telegram](https://github.com/search?q=Telegram&type=code) | -| HIGH | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#file_io_uploader) | uploads content to file.io | [POST](https://github.com/search?q=POST&type=code)
[file.io](https://github.com/search?q=file.io&type=code)
[post](https://github.com/search?q=post&type=code) | -| MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | -| MEDIUM | [c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord) | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) | -| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba](http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba)
[https://%s.api.mailchimp.com/3.0/https](https://%s.api.mailchimp.com/3.0/https)
[https://%s.api.mailchimp.com/3.0https](https://%s.api.mailchimp.com/3.0https)
[https://%s.billomat.net/api/v2/clients/myself](https://%s.billomat.net/api/v2/clients/myself)
[https://%s.caspio.com/oauth/tokenhttps](https://%s.caspio.com/oauth/tokenhttps)
[https://%s.currencycloud.com](https://%s.currencycloud.com)
[https://%s.fibery.io/api/commandsTruffleHog3](https://%s.fibery.io/api/commandsTruffleHog3)
[https://%s.flowlu.com/api/v1/module/crm/lead/list](https://%s.flowlu.com/api/v1/module/crm/lead/list)
[https://%s.formsite.com/api/v2/](https://%s.formsite.com/api/v2/)
[https://%s.kanbantool.com/api/v3/users/current.jsonhttps](https://%s.kanbantool.com/api/v3/users/current.jsonhttps)
[https://%s.leankit.com/io/accounthttps](https://%s.leankit.com/io/accounthttps)
[https://%s.s3](https://%s.s3)
[https://%s.salesmate.io/apis/v3/companies/1](https://%s.salesmate.io/apis/v3/companies/1)
[https://%s.scalr.io/api/iacp/v3/agentshttps](https://%s.scalr.io/api/iacp/v3/agentshttps)
[https://%s.vouchery.io/api/v2.0/usershttps](https://%s.vouchery.io/api/v2.0/usershttps)
[https://%s/account.json](https://%s/account.json)
[https://%s/admin/api/2024](https://%s/admin/api/2024)
[https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR](https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR)
[https://%s/api/laml/2010](https://%s/api/laml/2010)
[https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx](https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx)
[https://%s/api/v1/projects](https://%s/api/v1/projects)
[https://%s/api/v1/sources](https://%s/api/v1/sources)
[https://%s/api/v1/users/meopsgenie.com/alert/detail/https](https://%s/api/v1/users/meopsgenie.com/alert/detail/https)
[https://%s/api/v1/userserror](https://%s/api/v1/userserror)
[https://%s/api/v2/tickets](https://%s/api/v2/tickets)
[https://%s/api/v3/users/current.json](https://%s/api/v3/users/current.json)
[https://%s/auth/oauth2/v2/tokenhttps](https://%s/auth/oauth2/v2/tokenhttps)
[https://%s/invoices.json](https://%s/invoices.json)
[https://%s/v2/lastUpdateTimeBeamer](https://%s/v2/lastUpdateTimeBeamer)
[https://%sSCRAM](https://%sSCRAM) | -| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[aIp](https://github.com/search?q=aIp&type=code)
[a_ip](https://github.com/search?q=a_ip&type=code)
[accel_port](https://github.com/search?q=accel_port&type=code)
[allowed_port](https://github.com/search?q=allowed_port&type=code)
[announce_port](https://github.com/search?q=announce_port&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[fastly_ip](https://github.com/search?q=fastly_ip&type=code)
[firewall_ip](https://github.com/search?q=firewall_ip&type=code)
[geo_ip](https://github.com/search?q=geo_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[htcp_port](https://github.com/search?q=htcp_port&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[i_ip](https://github.com/search?q=i_ip&type=code)
[icp_port](https://github.com/search?q=icp_port&type=code)
[in_ip](https://github.com/search?q=in_ip&type=code)
[ip_port](https://github.com/search?q=ip_port&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[lookupPort](https://github.com/search?q=lookupPort&type=code)
[m_ip](https://github.com/search?q=m_ip&type=code)
[miss_port](https://github.com/search?q=miss_port&type=code)
[nIp](https://github.com/search?q=nIp&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[old_ip](https://github.com/search?q=old_ip&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pages_ip](https://github.com/search?q=pages_ip&type=code)
[parsePort](https://github.com/search?q=parsePort&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[privateIp](https://github.com/search?q=privateIp&type=code)
[relay_port](https://github.com/search?q=relay_port&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[routedPort](https://github.com/search?q=routedPort&type=code)
[snmp_port](https://github.com/search?q=snmp_port&type=code)
[snmpd_port](https://github.com/search?q=snmpd_port&type=code)
[stripPort](https://github.com/search?q=stripPort&type=code)
[tIp](https://github.com/search?q=tIp&type=code)
[vIp](https://github.com/search?q=vIp&type=code) | -| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [ConnectServer](https://github.com/search?q=ConnectServer&type=code) | -| MEDIUM | [c2/addr/telegram](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/telegram.yara#telegram) | telegram | [Telegram](https://github.com/search?q=Telegram&type=code)
[telegram.org](https://github.com/search?q=telegram.org&type=code) | -| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientID](https://github.com/search?q=clientID&type=code)
[clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) | -| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | -| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#download_ref) | downloads files | [download file](https://github.com/search?q=download+file&type=code) | -| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Darwin](https://github.com/search?q=Darwin&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://) | -| MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [UnarchiveProject](https://github.com/search?q=UnarchiveProject&type=code)
[unarchiveadmin](https://github.com/search?q=unarchiveadmin&type=code)
[unarchiveapp_configurations](https://github.com/search?q=unarchiveapp_configurations&type=code) | -| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [archive/zip](https://github.com/search?q=archive%2Fzip&type=code) | -| MEDIUM | [collect/databases/mysql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/mysql.yara#mysql) | accesses MySQL databases | [mysql](https://github.com/search?q=mysql&type=code) | -| MEDIUM | [collect/databases/postgresql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/postgresql.yara#postgresql) | accesses PostgreSQL databases | [postgresql](https://github.com/search?q=postgresql&type=code) | -| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) | -| MEDIUM | [credential/clipboard](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/clipboard.yara#nspasteboard) | [access clipboard contents](https://www.sentinelone.com/blog/session-cookies-keychains-ssh-keys-and-more-7-kinds-of-data-malware-steals-from-macos-users/) | [atotto/clipboard](https://github.com/search?q=atotto%2Fclipboard&type=code) | -| MEDIUM | [credential/cloud/g](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/cloud/gcloud.yara#gcloud_config_value) | Access gcloud configuration files | [.config/gcloud](https://github.com/search?q=.config%2Fgcloud&type=code)
[application_default_credentials.json](https://github.com/search?q=application_default_credentials.json&type=code) | -| MEDIUM | [credential/gaming/minecraft](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/gaming/minecraft.yara#minecraft) | Has references to Minecraft | [minecraft](https://github.com/search?q=minecraft&type=code) | -| MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) | -| MEDIUM | [crypto/blockchain](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/blockchain.yara#blockchain) | blockchain | [blockchain](https://github.com/search?q=blockchain&type=code) | -| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | -| MEDIUM | [data/compression/xz](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/xz.yara#xz_lib) | uses xz library | [ulikunitz/xz](https://github.com/search?q=ulikunitz%2Fxz&type=code) | -| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [DRVJUSUZJQ0FUR::$CERTIFICATE](https://github.com/search?q=DRVJUSUZJQ0FUR%3A%3A%24CERTIFICATE&type=code)
[Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | -| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) | -| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | -| MEDIUM | [data/embedded/pem_private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-private_key.yara#begin_private_key) | Contains RSA PRIVATE KEY directive | [PRIVATE KEY--](https://github.com/search?q=PRIVATE+KEY--&type=code) | -| MEDIUM | [data/embedded/ssh_signature](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-ssh-signature.yara#ssh_signature) | Contains embedded SSH signature | [--BEGIN SSH SIGNATURE--](https://github.com/search?q=--BEGIN+SSH+SIGNATURE--&type=code) | -| MEDIUM | [discover/group/lookup](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/group/lookup.yara#getgrent) | get entry from group database | [endgrent](https://github.com/search?q=endgrent&type=code)
[getgrent](https://github.com/search?q=getgrent&type=code)
[setgrent](https://github.com/search?q=setgrent&type=code) | -| MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code)
[macAddress](https://github.com/search?q=macAddress&type=code) | -| MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) | -| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code)
[systeminfo](https://github.com/search?q=systeminfo&type=code) | -| MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | -| MEDIUM | [evasion/file/location/var_run](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/var-run.yara#var_run_subfolder) | references subfolder within /var/run | [/var/run/slapd/](https://github.com/search?q=%2Fvar%2Frun%2Fslapd%2F&type=code) | -| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path) | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.ssh](https://github.com/search?q=%25s%2F.ssh&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecCommand](https://github.com/search?q=ExecCommand&type=code)
[Execute_Command_Line](https://github.com/search?q=Execute_Command_Line&type=code)
[MergeRunCmdOptions](https://github.com/search?q=MergeRunCmdOptions&type=code)
[RunCommandCursor](https://github.com/search?q=RunCommandCursor&type=code)
[StartCmdTrace](https://github.com/search?q=StartCmdTrace&type=code)
[StartCommandOptions](https://github.com/search?q=StartCommandOptions&type=code)
[execTxCommand](https://github.com/search?q=execTxCommand&type=code)
[executeCommand](https://github.com/search?q=executeCommand&type=code)
[processRunCommand](https://github.com/search?q=processRunCommand&type=code)
[runGitCommand](https://github.com/search?q=runGitCommand&type=code)
[runShellCommandAsynchronously](https://github.com/search?q=runShellCommandAsynchronously&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#exec_cmd_run) | executes external programs | [).CombinedOutput](https://github.com/search?q=%29.CombinedOutput&type=code)
[exec.(*Cmd).Run](https://github.com/search?q=exec.%28%2ACmd%29.Run&type=code) | -| MEDIUM | [exec/script/osa](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/script/osascript.yara#osascript_caller) | runs osascript | [display dialog](https://github.com/search?q=display+dialog&type=code) | -| MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershell](https://github.com/search?q=powershell&type=code) | -| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | -| MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy_cp) | copy files using cp | [cp](https://github.com/search?q=cp&type=code) | -| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileProperty](https://github.com/search?q=CreateFileProperty&type=code) | -| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFile](https://github.com/search?q=DeleteFile&type=code) | -| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utime](https://github.com/search?q=utime&type=code) | -| MEDIUM | [fs/path/etc_hosts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts) | references /etc/hosts | [/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) | -| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/mysql.sockclientFoundRowsmultiStatementsUNSIGNED](https://github.com/search?q=%2Ftmp%2Fmysql.sockclientFoundRowsmultiStatementsUNSIGNED&type=code)
[/tmp/placeholder/%v](https://github.com/search?q=%2Ftmp%2Fplaceholder%2F%25v&type=code) | -| MEDIUM | [fs/path/users](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/users.yara#home_path_users) | references path within /Users | [/Users/%vorganizations/%v/team/%v/projectssql](https://github.com/search?q=%2FUsers%2F%25vorganizations%2F%25v%2Fteam%2F%25v%2Fprojectssql&type=code) | -| MEDIUM | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown) | Changes file ownership | [Chown](https://github.com/search?q=Chown&type=code) | -| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [Chmod](https://github.com/search?q=Chmod&type=code)
[chmod](https://github.com/search?q=chmod&type=code) | -| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/statSHA256](https://github.com/search?q=%2Fproc%2F%25d%2FstatSHA256&type=code) | -| MEDIUM | [fs/proc/self_cgroup](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cgroup.yara#pid_self_cgroup) | accesses /proc files within own cgroup | [/proc/self/cgroupcpu](https://github.com/search?q=%2Fproc%2Fself%2Fcgroupcpu&type=code) | -| MEDIUM | [fs/proc/self_mountinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-mountinfo.yara#proc_self_mountinfo) | gets mount info associated to this process | [/proc/self/mountinfo](https://github.com/search?q=%2Fproc%2Fself%2Fmountinfo&type=code) | -| MEDIUM | [impact/ddos](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ddos/ddos.yara#ddos) | References DDoS | [DDoS](https://github.com/search?q=DDoS&type=code) | -| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [:CodeWithScopeSpacerheartbeatinterval](https://github.com/search?q=%3ACodeWithScopeSpacerheartbeatinterval&type=code)
[ConnServer heartbeat started](https://github.com/search?q=ConnServer+heartbeat+started&type=code)
[HeartbeatMS](https://github.com/search?q=HeartbeatMS&type=code)
[SetHeartbeatInterval](https://github.com/search?q=SetHeartbeatInterval&type=code)
[WithHeartbeatInterval](https://github.com/search?q=WithHeartbeatInterval&type=code)
[WithHeartbeatTimeout](https://github.com/search?q=WithHeartbeatTimeout&type=code)
[be greater than or equal to the heartbeat interva](https://github.com/search?q=be+greater+than+or+equal+to+the+heartbeat+interva&type=code)
[comWriteDocumentElementheartbeatfrequenc](https://github.com/search?q=comWriteDocumentElementheartbeatfrequenc&type=code)
[comheartbeatMain: re](https://github.com/search?q=comheartbeatMain%3A+re&type=code)
[crc32Rolling backcleanup docsheartbeat_msgeo_d](https://github.com/search?q=crc32Rolling+backcleanup+docsheartbeat_msgeo_d&type=code)
[edConnection pool clearedServer heartbeat failedS](https://github.com/search?q=edConnection+pool+clearedServer+heartbeat+failedS&type=code)
[edclient_sql_exceptionFailed to heartbeat](https://github.com/search?q=edclient_sql_exceptionFailed+to+heartbeat&type=code)
[eerror setting read deadline in heartbeater:](https://github.com/search?q=eerror+setting+read+deadline+in+heartbeater%3A&type=code)
[eonly valid as initial handshakeheartbeat is not](https://github.com/search?q=eonly+valid+as+initial+handshakeheartbeat+is+not&type=code)
[heartbeatCtxCance](https://github.com/search?q=heartbeatCtxCance&type=code)
[heartbeatFrame](https://github.com/search?q=heartbeatFrame&type=code)
[heartbeatInterval](https://github.com/search?q=heartbeatInterval&type=code)
[heartbeatLock](https://github.com/search?q=heartbeatLock&type=code)
[heartbeatTimeout](https://github.com/search?q=heartbeatTimeout&type=code)
[icedisableConsoleLoginfailed to heartbeat](https://github.com/search?q=icedisableConsoleLoginfailed+to+heartbeat&type=code)
[newHeartbeatDuration](https://github.com/search?q=newHeartbeatDuration&type=code)
[orcHeartbeating](https://github.com/search?q=orcHeartbeating&type=code)
[overflow reading version stringHeartbeats should](https://github.com/search?q=overflow+reading+version+stringHeartbeats+should&type=code)
[parquetheartbeat started](https://github.com/search?q=parquetheartbeat+started&type=code)
[parseHeartbeatFrame](https://github.com/search?q=parseHeartbeatFrame&type=code)
[pollHeartbeatTime](https://github.com/search?q=pollHeartbeatTime&type=code)
[publishServerHeartbeatFailedEv](https://github.com/search?q=publishServerHeartbeatFailedEv&type=code)
[publishServerHeartbeatStartedE](https://github.com/search?q=publishServerHeartbeatStartedE&type=code)
[publishServerHeartbeatSucceede](https://github.com/search?q=publishServerHeartbeatSucceede&type=code)
[setupHeartbeatConnecti](https://github.com/search?q=setupHeartbeatConnecti&type=code)
[sha1publickeysubsystemheartbeatwithcoor](https://github.com/search?q=sha1publickeysubsystemheartbeatwithcoor&type=code)
[sheartbeat stopped](https://github.com/search?q=sheartbeat+stopped&type=code)
[startHeartBeat](https://github.com/search?q=startHeartBeat&type=code)
[stopHeartBeat](https://github.com/search?q=stopHeartBeat&type=code)
[swordincludeRetryReasonstopping heartbeat](https://github.com/search?q=swordincludeRetryReasonstopping+heartbeat&type=code)
[tarting server monitoringServer heartbeat succeed](https://github.com/search?q=tarting+server+monitoringServer+heartbeat+succeed&type=code) |
-| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) |
-| MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) |
-| MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [DoneDownloadCond](https://github.com/search?q=DoneDownloadCond&type=code)
[DownloadArtifactsFile](https://github.com/search?q=DownloadArtifactsFile&type=code)
[DownloadAvatar](https://github.com/search?q=DownloadAvatar&type=code)
[DownloadContentsWithMeta](https://github.com/search?q=DownloadContentsWithMeta&type=code)
[DownloadPackageFile](https://github.com/search?q=DownloadPackageFile&type=code)
[DownloadReleaseAsset](https://github.com/search?q=DownloadReleaseAsset&type=code)
[ExportDownload](https://github.com/search?q=ExportDownload&type=code)
[FTPDownload](https://github.com/search?q=FTPDownload&type=code)
[FailedDownloads](https://github.com/search?q=FailedDownloads&type=code)
[FuncDownloadHelper](https://github.com/search?q=FuncDownloadHelper&type=code)
[GeoIpDownloadStatistics](https://github.com/search?q=GeoIpDownloadStatistics&type=code)
[GetArchiveDownloadURL](https://github.com/search?q=GetArchiveDownloadURL&type=code)
[GetBrowserDownloadURL](https://github.com/search?q=GetBrowserDownloadURL&type=code)
[GetDownloadCount](https://github.com/search?q=GetDownloadCount&type=code)
[GetDownloadLocation](https://github.com/search?q=GetDownloadLocation&type=code)
[GetDownloadURL](https://github.com/search?q=GetDownloadURL&type=code)
[GetDownloadsURL](https://github.com/search?q=GetDownloadsURL&type=code)
[GetHasDownloads](https://github.com/search?q=GetHasDownloads&type=code)
[GetTempDownloadToken](https://github.com/search?q=GetTempDownloadToken&type=code)
[MFA_TOKENdownload start chunk](https://github.com/search?q=MFA_TOKENdownload+start+chunk&type=code)
[NextDownloader](https://github.com/search?q=NextDownloader&type=code)
[NodeInfoIngestDownloader](https://github.com/search?q=NodeInfoIngestDownloader&type=code)
[STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG](https://github.com/search?q=STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG&type=code)
[SuccessfulDownloads](https://github.com/search?q=SuccessfulDownloads&type=code)
[URLDownloadToFile](https://github.com/search?q=URLDownloadToFile&type=code)
[addDownloader](https://github.com/search?q=addDownloader&type=code)
[archive_download_url](https://github.com/search?q=archive_download_url&type=code)
[browser_download_url](https://github.com/search?q=browser_download_url&type=code)
[chunkDownloader](https://github.com/search?q=chunkDownloader&type=code)
[chunk_downloader](https://github.com/search?q=chunk_downloader&type=code)
[downloadChunkHelper](https://github.com/search?q=downloadChunkHelper&type=code)
[downloadH](https://github.com/search?q=downloadH&type=code)
[downloadLocation](https://github.com/search?q=downloadLocation&type=code)
[downloadOCSPCacheServer](https://github.com/search?q=downloadOCSPCacheServer&type=code)
[downloadPatches](https://github.com/search?q=downloadPatches&type=code)
[download_count](https://github.com/search?q=download_count&type=code)
[downloader id](https://github.com/search?q=downloader+id&type=code)
[downloads_url](https://github.com/search?q=downloads_url&type=code)
[downloadsrepos](https://github.com/search?q=downloadsrepos&type=code)
[failed_downloads](https://github.com/search?q=failed_downloads&type=code)
[funcDownloadHelper](https://github.com/search?q=funcDownloadHelper&type=code)
[geoipdownloadstatistics](https://github.com/search?q=geoipdownloadstatistics&type=code)
[getNextChunkDownloader](https://github.com/search?q=getNextChunkDownloader&type=code)
[has_downloads](https://github.com/search?q=has_downloads&type=code)
[methodTotalDownloadTimeshards](https://github.com/search?q=methodTotalDownloadTimeshards&type=code)
[newStreamChunkDownloader](https://github.com/search?q=newStreamChunkDownloader&type=code)
[nodeinfoingestdownloader](https://github.com/search?q=nodeinfoingestdownloader&type=code)
[populateChunkDownloader](https://github.com/search?q=populateChunkDownloader&type=code)
[profileno download link found for](https://github.com/search?q=profileno+download+link+found+for&type=code)
[setNextChunkDownloader](https://github.com/search?q=setNextChunkDownloader&type=code)
[snowflakeChunkDownloader](https://github.com/search?q=snowflakeChunkDownloader&type=code)
[sstart downloading](https://github.com/search?q=sstart+downloading&type=code)
[streamChunkDownloader](https://github.com/search?q=streamChunkDownloader&type=code)
[successful_downloads](https://github.com/search?q=successful_downloads&type=code)
[tailChunkDownloader](https://github.com/search?q=tailChunkDownloader&type=code)
[temp_download_token](https://github.com/search?q=temp_download_token&type=code)
[the scheduleddownloads](https://github.com/search?q=the+scheduleddownloads&type=code)
[theequationsdownload](https://github.com/search?q=theequationsdownload&type=code)
[thresholddownloading error](https://github.com/search?q=thresholddownloading+error&type=code)
[total_download_time](https://github.com/search?q=total_download_time&type=code)
[useStreamDownloader](https://github.com/search?q=useStreamDownloader&type=code)
[vMaxChunkDownloadWorkers](https://github.com/search?q=vMaxChunkDownloadWorkers&type=code)
[vmsdownloading done](https://github.com/search?q=vmsdownloading+done&type=code)
[wcould not download file for scan](https://github.com/search?q=wcould+not+download+file+for+scan&type=code)
[wfailed to download patches](https://github.com/search?q=wfailed+to+download+patches&type=code)
[when trying to download file for scan](https://github.com/search?q=when+trying+to+download+file+for+scan&type=code) |
-| MEDIUM | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value) | Invokes curl | [curl / libcurl / php_curl](https://github.com/search?q=curl+%2F+libcurl+%2F+php_curl&type=code) |
-| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) |
-| MEDIUM | [net/http/content_length](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length.yara#content_length_0) | Sets HTTP content length to zero | [Content-Length: 0](https://github.com/search?q=Content-Length%3A+0&type=code) |
-| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) |
-| MEDIUM | [net/http/fake_user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/fake-user-agent.yara#fake_user_agent_chrome) | pretends to be Chrome | [(KHTML, like Gecko) Chrome](https://github.com/search?q=%28KHTML%2C+like+Gecko%29+Chrome&type=code) |
-| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) |
-| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type from get jenkins builds request](https://github.com/search?q=Content-Type+from+get+jenkins+builds+request&type=code)
[Content-Type from get jenkins jobs request:](https://github.com/search?q=Content-Type+from+get+jenkins+jobs+request%3A&type=code)
[Content-Type headerstorage: at least one sou](https://github.com/search?q=Content-Type+headerstorage%3A+at+least+one+sou&type=code)
[Content-Type isn](https://github.com/search?q=Content-Type+isn&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-TypePUSH_PROMISECONTINUATIONCookie.V](https://github.com/search?q=Content-TypePUSH_PROMISECONTINUATIONCookie.V&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[Content-Typeinvalid nesting depthcould not p](https://github.com/search?q=Content-Typeinvalid+nesting+depthcould+not+p&type=code)
[Content-Typenet/http: timeout awaiting respo](https://github.com/search?q=Content-Typenet%2Fhttp%3A+timeout+awaiting+respo&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code) |
-| MEDIUM | [net/http/webhook](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/webhook.yara#webhook) | supports webhooks | [CustomRegexWebhook](https://github.com/search?q=CustomRegexWebhook&type=code)
[DiscordWebhook](https://github.com/search?q=DiscordWebhook&type=code)
[GetWebhookSecret](https://github.com/search?q=GetWebhookSecret&type=code)
[IncomingWebhook](https://github.com/search?q=IncomingWebhook&type=code)
[KeypipelineWebhooksCategoryread_apiReporterorg](https://github.com/search?q=KeypipelineWebhooksCategoryread_apiReporterorg&type=code)
[MicrosoftTeamsWebhook](https://github.com/search?q=MicrosoftTeamsWebhook&type=code)
[NewWebhookCustomRegex](https://github.com/search?q=NewWebhookCustomRegex&type=code)
[Sessionwebhook](https://github.com/search?q=Sessionwebhook&type=code)
[SlackWebhook](https://github.com/search?q=SlackWebhook&type=code)
[TinesWebhook](https://github.com/search?q=TinesWebhook&type=code)
[Webhook1protobuf](https://github.com/search?q=Webhook1protobuf&type=code)
[WebhookAction](https://github.com/search?q=WebhookAction&type=code)
[WebhookH](https://github.com/search?q=WebhookH&type=code)
[WebhookMultiError](https://github.com/search?q=WebhookMultiError&type=code)
[WebhookResult](https://github.com/search?q=WebhookResult&type=code)
[WebhookSubuser](https://github.com/search?q=WebhookSubuser&type=code)
[WebhookValidationError](https://github.com/search?q=WebhookValidationError&type=code)
[Webhook_Header](https://github.com/search?q=Webhook_Header&type=code)
[Webhook_Vector](https://github.com/search?q=Webhook_Vector&type=code)
[ZapierWebhook](https://github.com/search?q=ZapierWebhook&type=code)
[discordwebhook](https://github.com/search?q=discordwebhook&type=code)
[getWebhooksPermission](https://github.com/search?q=getWebhooksPermission&type=code)
[isWebhook_Credential](https://github.com/search?q=isWebhook_Credential&type=code)
[isWebhook_Data](https://github.com/search?q=isWebhook_Data&type=code)
[microsoftteamswebhook](https://github.com/search?q=microsoftteamswebhook&type=code)
[readwebhooks](https://github.com/search?q=readwebhooks&type=code)
[slackwebhook](https://github.com/search?q=slackwebhook&type=code)
[tineswebhook](https://github.com/search?q=tineswebhook&type=code)
[verifyWebhook](https://github.com/search?q=verifyWebhook&type=code)
[webhook_endpoints](https://github.com/search?q=webhook_endpoints&type=code)
[webhook_read](https://github.com/search?q=webhook_read&type=code)
[webhook_secret](https://github.com/search?q=webhook_secret&type=code)
[webhook_write](https://github.com/search?q=webhook_write&type=code)
[webhookaction](https://github.com/search?q=webhookaction&type=code)
[webhookb2](https://github.com/search?q=webhookb2&type=code)
[writewebhooks](https://github.com/search?q=writewebhooks&type=code) |
-| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#go_scan_tool_val) | Uses struct with JSON representations for host:port | [json:"host"](https://github.com/search?q=json%3A%22host%22&type=code)
[json:"hostname"](https://github.com/search?q=json%3A%22hostname%22&type=code)
[json:"ip"](https://github.com/search?q=json%3A%22ip%22&type=code)
[json:"port"](https://github.com/search?q=json%3A%22port%22&type=code) |
-| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping interval to minimum period of](https://github.com/search?q=ping+interval+to+minimum+period+of&type=code)
[ping not acked within timeout](https://github.com/search?q=ping+not+acked+within+timeout&type=code) |
-| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#ip_go) | parses IP address (IPv4 or IPv6) | [IsLinkLocalUnicast](https://github.com/search?q=IsLinkLocalUnicast&type=code)
[IsSingleIP](https://github.com/search?q=IsSingleIP&type=code) |
-| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) |
-| MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [ntlmssp](https://github.com/search?q=ntlmssp&type=code) |
-| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) |
-| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) |
-| MEDIUM | [net/tcp/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/connect.yara#connect_tcp) | connects to a TCP port | [dialTCP](https://github.com/search?q=dialTCP&type=code) |
-| MEDIUM | [net/tcp/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/listen.yara#listen_tcp) | listen on a TCP port | [listening on tcp](https://github.com/search?q=listening+on+tcp&type=code) |
-| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses crypto/ssh to connect to the SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) |
-| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[25https://api.websitepulse.com/textserver.php?method=GetContacts](https://github.com/search?q=25https%3A%2F%2Fapi.websitepulse.com%2Ftextserver.php%3Fmethod%3DGetContacts&type=code)
[bhttps://api.route4me.com/api.v4/address_book.php?api_key=https](https://github.com/search?q=bhttps%3A%2F%2Fapi.route4me.com%2Fapi.v4%2Faddress_book.php%3Fapi_key%3Dhttps&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[https://pastebin.com/api/api_post.php](https://pastebin.com/api/api_post.php)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code)
[shttps://api.mesibo.com/api.php?op=useradd](https://github.com/search?q=shttps%3A%2F%2Fapi.mesibo.com%2Fapi.php%3Fop%3Duseradd&type=code) |
-| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) |
-| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code) |
-| MEDIUM | [persist/kernel_module/unload](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/unload.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) |
-| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [pid_file](https://github.com/search?q=pid_file&type=code) |
-| MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) |
-| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercepted](https://github.com/search?q=intercepted&type=code)
[interceptor](https://github.com/search?q=interceptor&type=code) |
-| MEDIUM | [sus/malicious](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/malicious.yara#malicious) | References 'malicious' | [other kinds of malicious content](https://github.com/search?q=other+kinds+of+malicious+content&type=code) |
-| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [AMD64](https://github.com/search?q=AMD64&type=code)
[amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) |
-| LOW | [collect/code/github_api](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/code/github_api.yara#github_api_user) | access GitHub API | [api.github.com](https://github.com/search?q=api.github.com&type=code)
[google/go-github](https://github.com/search?q=google%2Fgo-github&type=code) |
-| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [- pairs with password](https://github.com/search?q=-+pairs+with+password&type=code)
[AllowCleartextPasswords](https://github.com/search?q=AllowCleartextPasswords&type=code)
[AllowEmptyPassword](https://github.com/search?q=AllowEmptyPassword&type=code)
[AllowNativePasswords](https://github.com/search?q=AllowNativePasswords&type=code)
[AllowOldPasswords](https://github.com/search?q=AllowOldPasswords&type=code)
[Attribute SyntaxPassword must be changed](https://github.com/search?q=Attribute+SyntaxPassword+must+be+changed&type=code)
[CertificatePasswordvprotobuf](https://github.com/search?q=CertificatePasswordvprotobuf&type=code)
[ChangePasswordLength](https://github.com/search?q=ChangePasswordLength&type=code)
[ChangePasswordOffset](https://github.com/search?q=ChangePasswordOffset&type=code)
[ChangePasswordOptions](https://github.com/search?q=ChangePasswordOptions&type=code)
[ControlVChuPasswordMustChange](https://github.com/search?q=ControlVChuPasswordMustChange&type=code)
[ControlVChuPasswordWarning](https://github.com/search?q=ControlVChuPasswordWarning&type=code)
[Elasticsearch password](https://github.com/search?q=Elasticsearch+password&type=code)
[FilePasswordFunc](https://github.com/search?q=FilePasswordFunc&type=code)
[GetCertificatePassword](https://github.com/search?q=GetCertificatePassword&type=code)
[GetPassword](https://github.com/search?q=GetPassword&type=code)
[GetVCSPassword](https://github.com/search?q=GetVCSPassword&type=code)
[GetVerifiablePasswordAuthentication](https://github.com/search?q=GetVerifiablePasswordAuthentication&type=code)
[KeychainPasswordFunc](https://github.com/search?q=KeychainPasswordFunc&type=code)
[NewChangePasswordFunc](https://github.com/search?q=NewChangePasswordFunc&type=code)
[NewControlBeheraPasswordPolicy](https://github.com/search?q=NewControlBeheraPasswordPolicy&type=code)
[NewReaderWithPassword](https://github.com/search?q=NewReaderWithPassword&type=code)
[Pairs with password](https://github.com/search?q=Pairs+with+password&type=code)
[PasscodeInPassword](https://github.com/search?q=PasscodeInPassword&type=code)
[Password from](https://github.com/search?q=Password+from&type=code)
[PasswordAuthenticator](https://github.com/search?q=PasswordAuthenticator&type=code)
[PasswordChanged](https://github.com/search?q=PasswordChanged&type=code)
[PasswordCredentialsToken](https://github.com/search?q=PasswordCredentialsToken&type=code)
[PasswordEprotobuf](https://github.com/search?q=PasswordEprotobuf&type=code)
[PasswordHashIterations](https://github.com/search?q=PasswordHashIterations&type=code)
[PasswordModify](https://github.com/search?q=PasswordModify&type=code)
[PasswordRegexCheck](https://github.com/search?q=PasswordRegexCheck&type=code)
[PasswordSet](https://github.com/search?q=PasswordSet&type=code)
[SASLprepping password](https://github.com/search?q=SASLprepping+password&type=code)
[SecureSettingsPassword](https://github.com/search?q=SecureSettingsPassword&type=code)
[allowCleartextPasswords](https://github.com/search?q=allowCleartextPasswords&type=code)
[allowOldPasswords](https://github.com/search?q=allowOldPasswords&type=code)
[authRequiresPassword](https://github.com/search?q=authRequiresPassword&type=code)
[certificatePassword](https://github.com/search?q=certificatePassword&type=code)
[certificate_password](https://github.com/search?q=certificate_password&type=code)
[change_passwordsecurity](https://github.com/search?q=change_passwordsecurity&type=code)
[changepassword](https://github.com/search?q=changepassword&type=code)
[dPassword Policy - Behera](https://github.com/search?q=dPassword+Policy+-+Behera&type=code)
[empty password](https://github.com/search?q=empty+password&type=code)
[encryptPassword](https://github.com/search?q=encryptPassword&type=code)
[errEmptyPassword](https://github.com/search?q=errEmptyPassword&type=code)
[for ChangePassword](https://github.com/search?q=for+ChangePassword&type=code)
[in list of old passwordsldap](https://github.com/search?q=in+list+of+old+passwordsldap&type=code)
[incorrect passwordrardecode](https://github.com/search?q=incorrect+passwordrardecode&type=code)
[json into Changepassword request](https://github.com/search?q=json+into+Changepassword+request&type=code)
[key is not password protectedssh](https://github.com/search?q=key+is+not+password+protectedssh&type=code)
[manglePassword](https://github.com/search?q=manglePassword&type=code)
[meetsCouchbasePasswordRequirements](https://github.com/search?q=meetsCouchbasePasswordRequirements&type=code)
[meetsSnowflakePasswordRequirements](https://github.com/search?q=meetsSnowflakePasswordRequirements&type=code)
[mongoPasswordDigest](https://github.com/search?q=mongoPasswordDigest&type=code)
[native_passwordinvalid dbname](https://github.com/search?q=native_passwordinvalid+dbname&type=code)
[nil ValueWriterpassword must not be set](https://github.com/search?q=nil+ValueWriterpassword+must+not+be+set&type=code)
[no username and password are provided](https://github.com/search?q=no+username+and+password+are+provided&type=code)
[old_passwordsRepositories to](https://github.com/search?q=old_passwordsRepositories+to&type=code)
[parseUserPassword](https://github.com/search?q=parseUserPassword&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[passwordFunc](https://github.com/search?q=passwordFunc&type=code)
[passwordSet](https://github.com/search?q=passwordSet&type=code)
[password_change_date](https://github.com/search?q=password_change_date&type=code)
[password_hash](https://github.com/search?q=password_hash&type=code)
[passwordattachment](https://github.com/search?q=passwordattachment&type=code)
[passwordf](https://github.com/search?q=passwordf&type=code)
[passworduser](https://github.com/search?q=passworduser&type=code)
[qunexpected password response](https://github.com/search?q=qunexpected+password+response&type=code)
[requires old password authentication](https://github.com/search?q=requires+old+password+authentication&type=code)
[saltPassword](https://github.com/search?q=saltPassword&type=code)
[scrambleOldPassword](https://github.com/search?q=scrambleOldPassword&type=code)
[scramblePassword](https://github.com/search?q=scramblePassword&type=code)
[secure_settings_password](https://github.com/search?q=secure_settings_password&type=code)
[sendEncryptedPassword](https://github.com/search?q=sendEncryptedPassword&type=code)
[socksUsernamePassword](https://github.com/search?q=socksUsernamePassword&type=code)
[stripPassword](https://github.com/search?q=stripPassword&type=code)
[the ChangePassword query execution](https://github.com/search?q=the+ChangePassword+query+execution&type=code)
[username AND password](https://github.com/search?q=username+AND+password&type=code)
[username or password was specified](https://github.com/search?q=username+or+password+was+specified&type=code)
[vcs_password](https://github.com/search?q=vcs_password&type=code)
[verifiable_password_authentication](https://github.com/search?q=verifiable_password_authentication&type=code)
[winvalid password](https://github.com/search?q=winvalid+password&type=code) |
-| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [privateKey](https://github.com/search?q=privateKey&type=code)
[private_key](https://github.com/search?q=private_key&type=code)
[privatekey](https://github.com/search?q=privatekey&type=code) |
-| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[aes_256_cbc](https://github.com/search?q=aes_256_cbc&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) |
-| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [DecryptArgs](https://github.com/search?q=DecryptArgs&type=code)
[DecryptColumnEncryption](https://github.com/search?q=DecryptColumnEncryption&type=code)
[DecryptExplicit](https://github.com/search?q=DecryptExplicit&type=code)
[DecryptOAEP](https://github.com/search?q=DecryptOAEP&type=code)
[DecryptPEMBlock](https://github.com/search?q=DecryptPEMBlock&type=code)
[DecryptPKCS1v15SessionK](https://github.com/search?q=DecryptPKCS1v15SessionK&type=code)
[DecryptPrivateKeys](https://github.com/search?q=DecryptPrivateKeys&type=code)
[DecryptTicket](https://github.com/search?q=DecryptTicket&type=code)
[Decrypt_html_template_r](https://github.com/search?q=Decrypt_html_template_r&type=code)
[DecrypterInteract with](https://github.com/search?q=DecrypterInteract+with&type=code)
[DecrypterOpts](https://github.com/search?q=DecrypterOpts&type=code)
[DecryptionKeys](https://github.com/search?q=DecryptionKeys&type=code)
[GetDecryptedKey](https://github.com/search?q=GetDecryptedKey&type=code)
[NewCBCDecrypter](https://github.com/search?q=NewCBCDecrypter&type=code)
[NewCFBDecrypter](https://github.com/search?q=NewCFBDecrypter&type=code)
[NewECBDecrypter](https://github.com/search?q=NewECBDecrypter&type=code)
[NewOCFBDecrypter](https://github.com/search?q=NewOCFBDecrypter&type=code)
[PKCS1v15DecryptOptions](https://github.com/search?q=PKCS1v15DecryptOptions&type=code)
[aeadDecrypter](https://github.com/search?q=aeadDecrypter&type=code)
[cbcDecrypter](https://github.com/search?q=cbcDecrypter&type=code)
[decbDecrypter](https://github.com/search?q=decbDecrypter&type=code)
[ecDecrypterSigner](https://github.com/search?q=ecDecrypterSigner&type=code)
[edDecrypterSigner](https://github.com/search?q=edDecrypterSigner&type=code)
[lid options for Decryptcipher](https://github.com/search?q=lid+options+for+Decryptcipher&type=code)
[newAesDecryptReader](https://github.com/search?q=newAesDecryptReader&type=code)
[newDecrypter](https://github.com/search?q=newDecrypter&type=code)
[ocfbDecrypter](https://github.com/search?q=ocfbDecrypter&type=code)
[pkeDecrypt](https://github.com/search?q=pkeDecrypt&type=code)
[pter type in NewDecrypterPrivateKeyCoun](https://github.com/search?q=pter+type+in+NewDecrypterPrivateKeyCoun&type=code)
[rsaDecryptOk](https://github.com/search?q=rsaDecryptOk&type=code)
[rsaDecrypterSigner](https://github.com/search?q=rsaDecrypterSigner&type=code)
[vDecrypting column](https://github.com/search?q=vDecrypting+column&type=code)
[wecbDecrypter](https://github.com/search?q=wecbDecrypter&type=code) |
-| LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) |
-| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) |
-| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public key](https://github.com/search?q=Public+key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) |
-| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code) | -| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | -| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | -| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | -| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | -| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [(�/�](https://github.com/search?q=%28%B5%2F%FD&type=code)
[ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | -| LOW | [data/embedded/pem_certificate](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert) | Contains embedded PEM certificate | [--BEGIN CERTIFICATE--](https://github.com/search?q=--BEGIN+CERTIFICATE--&type=code) | -| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | -| LOW | [data/encoding/json](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json.yara#encoding_json) | Supports JSON encoded objects | [encoding/json](https://github.com/search?q=encoding%2Fjson&type=code) | -| LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSONDecode](https://github.com/search?q=JSONDecode&type=code)
[json.Unmarshal](https://github.com/search?q=json.Unmarshal&type=code) | -| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSONEncode](https://github.com/search?q=JSONEncode&type=code) | -| LOW | [data/hash/blake2b](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/blake2b.yara#crypto_blake2b) | Uses blake2b encryption algorithm | [blake2b](https://github.com/search?q=blake2b&type=code) | -| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [md5:copy](https://github.com/search?q=md5%3Acopy&type=code) | -| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | -| LOW | [discover/cloud/aws_metadata](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/aws-metadata.yara#aws_metadata) | References the AWS EC2 metadata token | [X-aws-ec2-metadata-token](https://github.com/search?q=X-aws-ec2-metadata-token&type=code) | -| LOW | [discover/cloud/google_metadata](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/google-metadata.yara#google_metadata) | Includes the token required to use the Google Cloud Platform metadata server | [Metadata-Flavor](https://github.com/search?q=Metadata-Flavor&type=code) | -| LOW | [discover/cloud/google_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/google-storage.yara#go_import) | Capable of using Google Cloud Storage (GCS) | [cloud.google.com/go/storage](https://github.com/search?q=cloud.google.com%2Fgo%2Fstorage&type=code) | -| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | -| LOW | [discover/system/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) | -| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [/proc/sys/kernel/hostname](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fhostname&type=code) | -| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | 
[syscall.Uname](https://github.com/search?q=syscall.Uname&type=code)
[uname](https://github.com/search?q=uname&type=code) | -| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [EditorImportPlugin](https://github.com/search?q=EditorImportPlugin&type=code)
[EditorPlugin](https://github.com/search?q=EditorPlugin&type=code)
[ExtendedPlugins](https://github.com/search?q=ExtendedPlugins&type=code)
[NewPluginsFunc](https://github.com/search?q=NewPluginsFunc&type=code)
[PluginStats](https://github.com/search?q=PluginStats&type=code)
[PluginsFormat](https://github.com/search?q=PluginsFormat&type=code)
[PluginsRecord](https://github.com/search?q=PluginsRecord&type=code)
[PluginsStatus](https://github.com/search?q=PluginsStatus&type=code)
[SetPluginConfig](https://github.com/search?q=SetPluginConfig&type=code)
[extended_plugins](https://github.com/search?q=extended_plugins&type=code)
[hungarian_ciunknown auth plugin](https://github.com/search?q=hungarian_ciunknown+auth+plugin&type=code)
[not use requested auth plugin](https://github.com/search?q=not+use+requested+auth+plugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[plugin loaded](https://github.com/search?q=plugin+loaded&type=code)
[pluginVersion](https://github.com/search?q=pluginVersion&type=code)
[pluginclose](https://github.com/search?q=pluginclose&type=code)
[pluginopen](https://github.com/search?q=pluginopen&type=code)
[pluginpath](https://github.com/search?q=pluginpath&type=code)
[pluginsFormat](https://github.com/search?q=pluginsFormat&type=code)
[pluginsrecord](https://github.com/search?q=pluginsrecord&type=code)
[pluginstats](https://github.com/search?q=pluginstats&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | -| LOW | [exec/system_controls/systemd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/system_controls/systemd.yara#ref_systemd) | makes references to systemd | [SYSTEMD](https://github.com/search?q=SYSTEMD&type=code)
[systemd](https://github.com/search?q=systemd&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectoryFn](https://github.com/search?q=CreateDirectoryFn&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | -| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [Rmdir](https://github.com/search?q=Rmdir&type=code)
[rmdir](https://github.com/search?q=rmdir&type=code) | -| LOW | [fs/fifo_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/fifo-create.yara#mkfifo) | make a FIFO special file (a named pipe) | [mkfifo](https://github.com/search?q=mkfifo&type=code) | -| LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm non-TreeNoderserror creating cancelr](https://github.com/search?q=rm+non-TreeNoderserror+creating+cancelr&type=code)
[rm on-chain due to too low of a transa](https://github.com/search?q=rm+on-chain+due+to+too+low+of+a+transa&type=code) | -| LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | -| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code)
[os.(*File).Read](https://github.com/search?q=os.%28%2AFile%29.Read&type=code) | -| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code)
[os.rename](https://github.com/search?q=os.rename&type=code) | -| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statFile](https://github.com/search?q=fs.statFile&type=code) | -| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code)
[writeCacheFile](https://github.com/search?q=writeCacheFile&type=code)
[writeFilePatchHeader](https://github.com/search?q=writeFilePatchHeader&type=code)
[writeFileToArchive](https://github.com/search?q=writeFileToArchive&type=code)
[writeFilestat](https://github.com/search?q=writeFilestat&type=code)
[writeRawFile](https://github.com/search?q=writeRawFile&type=code)
[writerFile](https://github.com/search?q=writerFile&type=code) | -| LOW | [fs/link_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) | -| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | -| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | -| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | -| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/apache/mime.typesgzip](https://github.com/search?q=%2Fetc%2Fapache%2Fmime.typesgzip&type=code)
[/etc/gitconfigempty](https://github.com/search?q=%2Fetc%2Fgitconfigempty&type=code)
[/etc/hosts.localhostgetsockoptnetlink](https://github.com/search?q=%2Fetc%2Fhosts.localhostgetsockoptnetlink&type=code)
[/etc/httpd/conf/mime.typesmime](https://github.com/search?q=%2Fetc%2Fhttpd%2Fconf%2Fmime.typesmime&type=code)
[/etc/mdns.allow/etc/mime.types](https://github.com/search?q=%2Fetc%2Fmdns.allow%2Fetc%2Fmime.types&type=code)
[/etc/nsswitch.confinvalid](https://github.com/search?q=%2Fetc%2Fnsswitch.confinvalid&type=code)
[/etc/pki/ca-trust/extracted/pem/tls-c](https://github.com/search?q=%2Fetc%2Fpki%2Fca-trust%2Fextracted%2Fpem%2Ftls-c&type=code)
[/etc/pki/tls/cacert.peminvalid](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcacert.peminvalid&type=code)
[/etc/pki/tls/certs/ca-bundle.crtx](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcerts%2Fca-bundle.crtx&type=code)
[/etc/pki/tls/certsperforming](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcertsperforming&type=code)
[/etc/protocolsunknown](https://github.com/search?q=%2Fetc%2Fprotocolsunknown&type=code)
[/etc/resolv.confnon-](https://github.com/search?q=%2Fetc%2Fresolv.confnon-&type=code)
[/etc/servicesdal](https://github.com/search?q=%2Fetc%2Fservicesdal&type=code)
[/etc/ssh/ssh](https://github.com/search?q=%2Fetc%2Fssh%2Fssh&type=code)
[/etc/ssl/ca-bundle.pemx](https://github.com/search?q=%2Fetc%2Fssl%2Fca-bundle.pemx&type=code)
[/etc/ssl/cert.peminvalid](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.peminvalid&type=code)
[/etc/ssl/certs/ca-certificates.crtadd](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts%2Fca-certificates.crtadd&type=code)
[/etc/ssl/certsinvalid](https://github.com/search?q=%2Fetc%2Fssl%2Fcertsinvalid&type=code)
[/etc/zoneinfoparsing](https://github.com/search?q=%2Fetc%2Fzoneinfoparsing&type=code) | -| LOW | [fs/path/etc_resolv.conf](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf) | accesses DNS resolver configuration | [/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code) | -| LOW | [fs/path/file_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/file-url.yara#file_url) | file url | [file:///tmp](https://github.com/search?q=file%3A%2F%2F%2Ftmp&type=code) | -| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/trufflehog/3.82.6/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftrufflehog%2F3.82.6%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code) | -| LOW | [fs/path/home_config](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path) | path reference within ~/.config | [GRITY_ONLY.config/gcloudf32](https://github.com/search?q=GRITY_ONLY.config%2Fgcloudf32&type=code)
[NumberLine.config/git/configunknown channel](https://github.com/search?q=NumberLine.config%2Fgit%2Fconfigunknown+channel&type=code) | -| LOW | [fs/path/usr_bin](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path) | path reference within /usr/bin | [/usr/bin/envcomments_pop_1comments_pop_2c](https://github.com/search?q=%2Fusr%2Fbin%2Fenvcomments_pop_1comments_pop_2c&type=code) | -| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/run/slapd/ldapiTLS](https://github.com/search?q=%2Fvar%2Frun%2Fslapd%2FldapiTLS&type=code) | -| LOW | [fs/swap/off](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/swap/swap-off.yara#swapoff) | stop swapping to a file/device | [swapoff](https://github.com/search?q=swapoff&type=code) | -| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | -| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | -| LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [temp dir](https://github.com/search?q=temp+dir&type=code) | -| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [createTempFile](https://github.com/search?q=createTempFile&type=code)
[temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | -| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | -| LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) | -| LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code)
[SetEDNS0](https://github.com/search?q=SetEDNS0&type=code)
[dnsmessage](https://github.com/search?q=dnsmessage&type=code) | -| LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code) | -| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | -| LOW | [net/ftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ftp/ftp.yara#ftp) | File Transfer Protocol (FTP) | [ftp.Dial](https://github.com/search?q=ftp.Dial&type=code) | -| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | -| LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | -| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[Www-Authenticate](https://github.com/search?q=Www-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | -| LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [OAuth 2](https://github.com/search?q=OAuth+2&type=code)
[oauth2](https://github.com/search?q=oauth2&type=code) | -| LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code) | -| LOW | [net/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets) | access the internet | [invalid packet](https://github.com/search?q=invalid+packet&type=code) | -| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | -| LOW | [net/ip/resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-resolve.yara#gethostbyaddr) | [resolves network hosts via IP address](https://linux.die.net/man/3/gethostbyaddr) | [gethostbyaddr](https://github.com/search?q=gethostbyaddr&type=code) | -| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) | -| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | -| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code)
[sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | -| LOW | [net/tcp/grpc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/grpc.yara#grpc) | Uses the gRPC Remote Procedure Call framework | [gRPC](https://github.com/search?q=gRPC&type=code) | -| LOW | [net/udp/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-receive.yara#udp_listen) | Listens for UDP responses | [ReadFromUDP](https://github.com/search?q=ReadFromUDP&type=code)
[listenUDP](https://github.com/search?q=listenUDP&type=code) | -| LOW | [net/udp/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-send.yara#udp_send) | Sends UDP packets | [DialUDP](https://github.com/search?q=DialUDP&type=code)
[WriteMsgUDP](https://github.com/search?q=WriteMsgUDP&type=code) | -| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [RequestURI](https://github.com/search?q=RequestURI&type=code) | -| LOW | [os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val) | Retrieve environment variable values | [env.ANSIC](https://github.com/search?q=env.ANSIC&type=code)
[env.RGBC](https://github.com/search?q=env.RGBC&type=code) | -| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code)
[syscall.Sendfile](https://github.com/search?q=syscall.Sendfile&type=code) | -| LOW | [os/kernel/key_management](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/key-management.yara#syscall_keyctl) | kernel key management facility | [keyctl](https://github.com/search?q=keyctl&type=code) | -| LOW | [os/kernel/netlink](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink) | communicate with kernel services | [netlink](https://github.com/search?q=netlink&type=code) | -| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | -| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | -| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real, effective, and saved group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | -| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | -| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | - diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple index 4e7539a4..e69de29b 100644 --- a/tests/linux/clean/wolfictl.simple +++ b/tests/linux/clean/wolfictl.simple 
@@ -1,192 +0,0 @@ -# linux/clean/wolfictl: high -anti-static/elf/multiple: high -c2/addr/http_dynamic: medium -c2/addr/ip: medium -c2/addr/url: low -c2/client: medium -c2/tool_transfer/arch: low -c2/tool_transfer/download: medium -c2/tool_transfer/dropper: medium -c2/tool_transfer/os: medium -collect/archives/tar_command: medium -collect/archives/unarchive: medium -collect/archives/zip: medium -collect/code/github_api: low -collect/databases/mysql: medium -collect/databases/postgresql: medium -collect/databases/sqlite: medium -credential/clipboard: medium -credential/cloud/g: medium -credential/keychain: medium -credential/password: low -credential/server/htpasswd: medium -credential/ssl/private_key: low -crypto/aes: low -crypto/blockchain: medium -crypto/cipher: medium -crypto/decrypt: low -crypto/ecdsa: low -crypto/ed25519: low -crypto/openssl: medium -crypto/public_key: low -crypto/tls: low -data/compression/bzip2: low -data/compression/gzip: low -data/compression/lzma: low -data/compression/xz: medium -data/compression/zlib: low -data/compression/zstd: low -data/embedded/html: medium -data/embedded/pem_certificate: low -data/embedded/ssh_signature: medium -data/encoding/base64: low -data/encoding/json: low -data/encoding/json_decode: low -data/encoding/json_encode: low -data/hash/blake2b: low -data/hash/md5: low -discover/cloud/aws_metadata: low -discover/cloud/google_metadata: low -discover/cloud/google_storage: low -discover/network/interface_list: medium -discover/network/mac_address: medium -discover/network/netstat: medium -discover/processes/pgrep: medium -discover/system/cpu: low -discover/system/dmesg: low -discover/system/hostname: low -discover/system/platform: medium -discover/system/sysinfo: medium -discover/user/HOME: low -discover/user/USER: low -discover/user/name_get: medium -evasion/bypass_security/linux/se: medium -evasion/bypass_security/macos/xprotect: medium -evasion/file/location/dev_shm: medium -evasion/file/location/system_directory: 
medium -evasion/file/prefix: medium -exec/cmd: medium -exec/conditional/LANG: low -exec/dylib/symbol_address: medium -exec/install_additional/pip_install: medium -exec/plugin: low -exec/program: medium -exec/shell/TERM: low -exec/shell/background_sleep: medium -exec/shell/pipe_sh: medium -exec/system_controls/systemd: low -exfil/office_file_ext: medium -fs/attributes/set: medium -fs/blkid: low -fs/directory/create: low -fs/directory/list: low -fs/directory/remove: low -fs/fifo_create: low -fs/file/copy: medium -fs/file/create: medium -fs/file/delete: medium -fs/file/delete_forcibly: medium -fs/file/open: low -fs/file/read: low -fs/file/rename: low -fs/file/stat: low -fs/file/times_set: medium -fs/file/truncate: low -fs/file/write: low -fs/link_create: low -fs/link_read: low -fs/lock_update: low -fs/loopback: medium -fs/mount: low -fs/node_create: low -fs/path/bin_su: low -fs/path/etc: low -fs/path/etc_hosts: medium -fs/path/etc_resolv.conf: low -fs/path/home_config: low -fs/path/root: medium -fs/path/users: medium -fs/path/usr_bin: low -fs/path/usr_local: medium -fs/path/usr_sbin: low -fs/path/var: low -fs/permission/chown: medium -fs/permission/modify: medium -fs/proc/arbitrary_pid: medium -fs/proc/self_mountinfo: medium -fs/swap/off: low -fs/swap/on: low -fs/symlink_resolve: low -fs/tempdir: low -fs/tempdir/TEMP: low -fs/tempdir/TMPDIR: low -fs/tempdir/create: low -fs/tempfile: low -fs/unmount: low -fs/watch: low -hw/wireless: low -impact/ddos/raw_flooder: medium -impact/remote_access/heartbeat: medium -impact/remote_access/kill_rm: medium -lateral/scan/brute_force: low -lateral/scan/tool: medium -malware/ref: medium -net/dns: low -net/dns/reverse: medium -net/dns/servers: low -net/dns/txt: low -net/download/fetch: medium -net/http/2: low -net/http/accept: medium -net/http/accept_encoding: low -net/http/auth: low -net/http/content_length: medium -net/http/cookies: medium -net/http/form_upload: medium -net/http/oauth2: low -net/http/post: medium -net/http/proxy: 
low -net/http/request: low -net/http/webhook: medium -net/ip: low -net/ip/host_port: medium -net/ip/icmp: medium -net/ip/multicast_send: low -net/ip/parse: medium -net/proxy/reverse: medium -net/proxy/socks5: medium -net/proxy/tunnel: medium -net/resolve/hostname: low -net/socket/listen: medium -net/socket/local_addr: low -net/socket/peer_address: low -net/socket/receive: low -net/socket/reuseport: medium -net/socket/send: low -net/tcp/connect: medium -net/tcp/grpc: low -net/tcp/ssh: medium -net/udp/receive: low -net/udp/send: low -net/url/embedded: medium -net/url/encode: medium -net/url/parse: low -net/url/request: medium -os/env/get: low -os/fd/sendfile: low -os/kernel/netlink: low -os/kernel/seccomp: low -os/time/clock_set: low -persist/cron/tab: medium -persist/pid_file: medium -privesc/setuid: low -process/chdir: low -process/chroot: low -process/create: low -process/groupid_set: low -process/groups_set: low -process/multithreaded: low -process/unshare: low -sus/exclamation: medium -sus/intercept: medium -sus/malicious: medium From fe4c3be740c6f49fd958ba9b7c52c314e47ae439 Mon Sep 17 00:00:00 2001 
From: Thomas Stromberg Date: Thu, 12 Dec 2024 22:17:52 -0500 Subject: [PATCH 07/10] Finish dbus analysis --- pkg/action/testdata/scan_archive | 2487 +++++++++++++++++ pkg/action/testdata/scan_oci | 74 + rules/persist/kernel_module/kprobe.yara | 10 - .../persist/kernel_module/module-unload.yara | 10 - rules/persist/kernel_module/module.yara | 24 +- rules/persist/linux_multi.yara | 14 +- tests/linux/2021.FontOnLake/45E9.elf.simple | 3 +- tests/linux/2023.Kinsing/install.sh.simple | 1 + tests/linux/2024.Gelsemium/dbus.simple | 4 +- tests/linux/2024.Gelsemium/udevd.simple | 1 + tests/linux/2024.Gelsemium/udevd_multi.simple | 1 + .../emp3r0r.agent.simple | 174 ++ .../2024.melofee/2023.758b0934b7.elf.simple | 4 +- .../2024.melofee/2023.8d855c2874.elf.simple | 4 +- .../2024.melofee/driver_decrypted.simple | 1 - tests/linux/clean/buildah.simple | 159 ++ tests/linux/clean/caddy.simple | 163 ++ tests/linux/clean/chezmoi.simple | 171 ++ tests/linux/clean/chrome.simple | 184 ++ tests/linux/clean/clickhouse.simple | 205 ++ tests/linux/clean/code-oss.md | 192 ++ tests/linux/clean/containerd.simple | 134 + .../securitySolution.chunk.22.js.simple | 48 + .../kibana/securitySolution.chunk.9.js.simple | 71 + tests/linux/clean/kuma-cp.simple | 142 + tests/linux/clean/libgcj.so.17.0.0.simple | 103 + tests/linux/clean/libgcj.so.17.simple | 103 + tests/linux/clean/melange.simple | 160 ++ tests/linux/clean/mongosh.simple | 194 ++ tests/linux/clean/opa.simple | 106 + tests/linux/clean/pandoc.md | 177 ++ tests/linux/clean/pulumi.simple | 159 ++ tests/linux/clean/qemu-system-xtensa.md | 113 + tests/linux/clean/slack.md | 193 ++ tests/linux/clean/tree-sitter.md | 52 + tests/linux/clean/trivy.simple | 201 ++ tests/linux/clean/trufflehog.md | 194 ++ tests/linux/clean/wolfictl.simple | 192 ++ 38 files changed, 6180 insertions(+), 48 deletions(-) delete mode 100644 rules/persist/kernel_module/kprobe.yara delete mode 100644 rules/persist/kernel_module/module-unload.yara 
diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
index e69de29b..45e3bfcf 100644
--- a/pkg/action/testdata/scan_archive
+++ b/pkg/action/testdata/scan_archive
@@ -0,0 +1,2487 @@ +{ + "Files": { + "/apko_0.13.2_linux_arm64/apko": { + "Path": "testdata/apko_nested.tar.gz ∴ /apko_0.13.2_linux_arm64/apko", + "SHA256": "ad237dc65d25cfe673b4891e189e9ff1fd041ec817133ac6c565120a6a189189", + "Size": 26400952, + "Syscalls": [ + "accept", + "adjtimex", + "chmod", + "chown", + "chroot", + "clone", + "close", + "execve", + "fchmodat", + "fchown", + "flock", + "fsync", + "getegid", + "geteuid", + "getpeername", + "getpid", + "getrlimit", + "getsockname", + "getsockopt", + "getuid", + "getwd", + "ioctl", + "kill", + "linkat", + "lstat", + "madvise", + "mknod", + "mount", + "nice", + "open", + "pivot_root", + "posix_spawn", + "pread64", + "pwrite64", + "readlink", + "recv", + "rename", + "send", + "sendfile", + "sendmsg", + "sendto", + "setgroups", + "setrlimit", + "setsid", + "setsockopt", + "stat", + "swapoff", + "swapon", + "symlink", + "symlinkat", + "sysctl", + "truncate", + "umount", + "unlink", + "unshare" + ], + "Pledge": [ + "cpath", + "exec", + "fattr", + "flock", + "id", + "inet", + "proc", + "rpath", + "settime", + "stdio", + "sysctl", + "wpath" + ], + "Behaviors": [ + { + "Description": "Contains a table that may be used for XOR decryption", + "MatchStrings": [ + "56789abcdefghijklmnopqrstuvwxyzABCDE::$ref" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/xor/xor-table.yara#xor_table", + "ID": "anti-static/xor/table", + "RuleName": "xor_table" + }, + { + "Description": "mentions an IP and port", + "MatchStrings": [ + "IP", + "dIp", + "getPort", + "hIp", + "hasPort", + "iIp", + "kIp", + "lIp", + "lookupPort", + "mIp", + "oIp", + "pIp", + "parsePort", + "qfIp", + "rxPort", + "sfIp", + "yIp", + "zIp" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention", + "ID": "c2/addr/ip", + "RuleName": "ip_port_mention" + }, + { + "Description": "references 
a 'server address', possible C2 client", + "MatchStrings": [ + "serverAddress" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address", + "ID": "c2/addr/server", + "RuleName": "server_address" + }, + { + "Description": "binary contains hardcoded URL", + "MatchStrings": [ + "http://localhost", + "http://www.w3.org/XML/1998/namespacexml", + "https://GoString01234567beEfFgGvsignal", + "https://alpinelinux.org/releases.jsondid", + "https://github.com/chainguard", + "https://github.com/google/go", + "https://github.com/spf13/cobra/issues/1279", + "https://github.com/spf13/cobra/issues/1508", + "https://index.docker.io/v1/Path", + "https://index.docker.io/v2/library/ubuntu/tags/list", + "https://pkg.go.dev/text/template", + "https://reproducible", + "https://spdx.org/spdxdocs/apko/directory" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url", + "ID": "c2/addr/url", + "RuleName": "binary_with_url" + }, + { + "Description": "contains a client ID", + "MatchStrings": [ + "client_id" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID", + "ID": "c2/client", + "RuleName": "clientID" + }, + { + "Description": "references a specific architecture", + "MatchStrings": [ + "AMD64", + "amd64", + "arm64", + "http://", + "https://", + "x86_64" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref", + "ID": "c2/tool_transfer/arch", + "RuleName": "arch_ref" + }, + { + "Description": "references multiple operating systems", + "MatchStrings": [ + "Linux", + "Windows", + "http://", + "https://", + "macOS" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref", + "ID": "c2/tool_transfer/os", + "RuleName": "multiple_os_ref" + }, + { + "Description": "Works with zip files", + "MatchStrings": [ + "archive/zip" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip", + "ID": "collect/archives/zip", + "RuleName": "zip" + }, + { + "Description": "accesses a keychain", + "MatchStrings": [ + "Keychain", + "keychain" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain", + "ID": "credential/keychain", + "RuleName": "keychain" + }, + { + "Description": "references a 'password'", + "MatchStrings": [ + "IncorrectPasswordError", + "Password from", + "PasswordHashIterations", + "UserPassword", + "and password requiredreading", + "bson bytes as Passwordopenpgp", + "passwordSet", + "passwordStdin", + "socksUsernamePassword", + "stripPassword", + "with a password", + "wpassword-stdinparsing" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password", + "ID": "credential/password", + "RuleName": "password" + }, + { + "Description": "References private keys", + "MatchStrings": [ + "privateKey", + "private_key" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val", + "ID": "credential/ssl/private_key", + "RuleName": "private_key_val" + }, + { + "Description": "Supports AES (Advanced Encryption Standard)", + "MatchStrings": [ + "AES", + "crypto/aes" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes", + "ID": "crypto/aes", 
+ "RuleName": "crypto_aes" + }, + { + "Description": "mentions 'ciphertext'", + "MatchStrings": [ + "ciphertext" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext", + "ID": "crypto/cipher", + "RuleName": "ciphertext" + }, + { + "Description": "decrypts data", + "MatchStrings": [ + "DecryptPEMBlock", + "DecryptPKCS1v15SessionK", + "DecryptPrivateKeys", + "DecryptTicket", + "DecrypterOpts", + "DecrypterreadPythonMult", + "DecryptionKeys", + "ErrDecryption", + "NewCBCDecrypter", + "NewCFBDecrypter", + "NewOCFBDecrypter", + "PKCS1v15DecryptOptions", + "aeadDecrypter", + "cbcDecrypter", + "lid options for Decrypttags don", + "newDecrypter", + "ocfbDecrypter", + "pter type in NewDecrypterPrivateKeyargu", + "rsaDecryptOk" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt", + "ID": "crypto/decrypt", + "RuleName": "decrypt" + }, + { + "Description": "Uses the Go crypto/ecdsa library", + "MatchStrings": [ + "crypto/ecdsa" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa", + "ID": "crypto/ecdsa", + "RuleName": "crypto_ecdsa" + }, + { + "Description": "Elliptic curve algorithm used by TLS and SSH", + "MatchStrings": [ + "ed25519" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519", + "ID": "crypto/ed25519", + "RuleName": "ed25519" + }, + { + "Description": "elliptic", + "MatchStrings": [ + "crypto/elliptic", + "elliptic.p224", + "elliptic.p256", + "p256Inverse" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/elliptic.yara#elliptic", + "ID": "crypto/elliptic", + "RuleName": "elliptic" + }, + { + 
"Description": "references a 'public key'", + "MatchStrings": [ + "Public Key", + "PublicKey", + "public key", + "public-key", + "publicKey", + "public_key", + "publickey" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key", + "ID": "crypto/public_key", + "RuleName": "public_key" + }, + { + "Description": "tls", + "MatchStrings": [ + "TLS13", + "TLSVersion", + "crypto/tls" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls", + "ID": "crypto/tls", + "RuleName": "tls" + }, + { + "Description": "Works with bzip2 files", + "MatchStrings": [ + "bzip2" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2", + "ID": "data/compression/bzip2", + "RuleName": "bzip2" + }, + { + "Description": "works with gzip files", + "MatchStrings": [ + "gzip" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip", + "ReferenceURL": "https://www.gnu.org/software/gzip/", + "ID": "data/compression/gzip", + "RuleName": "gzip" + }, + { + "Description": "works with lzma files", + "MatchStrings": [ + "lzma" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma", + "ReferenceURL": "https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm", + "ID": "data/compression/lzma", + "RuleName": "lzma" + }, + { + "Description": "uses zlib", + "MatchStrings": [ + "zlib" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib", + "ID": "data/compression/zlib", + "RuleName": "zlib" + }, + { + "Description": 
"Zstandard: fast real-time compression algorithm", + "MatchStrings": [ + "(\ufffd/\ufffd", + "zstd" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd", + "ID": "data/compression/zstd", + "RuleName": "zstd" + }, + { + "Description": "Contains embedded PEM certificate", + "MatchStrings": [ + "-----BEGIN CERTIFICATE-----" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert", + "ID": "data/embedded/pem_certificate", + "RuleName": "begin_cert" + }, + { + "Description": "Contains TESTING KEY directive", + "MatchStrings": [ + "TESTING KEY-----" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-test_key.yara#testing_key", + "ID": "data/embedded/pem_test_key", + "RuleName": "testing_key" + }, + { + "Description": "Contains embedded SSH signature", + "MatchStrings": [ + "--BEGIN SSH SIGNATURE--" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-ssh-signature.yara#ssh_signature", + "ID": "data/embedded/ssh_signature", + "RuleName": "ssh_signature" + }, + { + "Description": "Contains compressed content in ZStandard format", + "MatchStrings": [ + "(\ufffd/\ufffd" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-zstd.yara#embedded_zstd", + "ReferenceURL": "https://github.com/facebook/zstd", + "ID": "data/embedded/zstd", + "RuleName": "embedded_zstd" + }, + { + "Description": "go asn1", + "MatchStrings": [ + "asn1.parse", + "encoding/asn1" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/asn1.yara#go_asn1", + "ID": "data/encoding/asn1", + "RuleName": "go_asn1" + }, + { + "Description": "Supports base64 encoded strings", + "MatchStrings": [ + "base64" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64", + "ID": "data/encoding/base64", + "RuleName": "b64" + }, + { + "Description": "Supports JSON encoded objects", + "MatchStrings": [ + "encoding/json" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json.yara#encoding_json", + "ID": "data/encoding/json", + "RuleName": "encoding_json" + }, + { + "Description": "Decodes JSON messages", + "MatchStrings": [ + "json.Unmarshal" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode", + "ID": "data/encoding/json_decode", + "RuleName": "jsondecode" + }, + { + "Description": "encodes JSON", + "MatchStrings": [ + "MarshalJSON" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#MarshalJSON", + "ID": "data/encoding/json_encode", + "RuleName": "MarshalJSON" + }, + { + "Description": "protobuf", + "MatchStrings": [ + "protobuf" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/protobuf.yara#protobuf", + "ID": "data/encoding/protobuf", + "RuleName": "protobuf" + }, + { + "Description": "Uses blake2b encryption algorithm", + "MatchStrings": [ + "blake2b" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/blake2b.yara#crypto_blake2b", + "ID": "data/hash/blake2b", + "RuleName": "crypto_blake2b" + }, 
+ { + "Description": "Uses the MD5 signature format", + "MatchStrings": [ + "md5:" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5", + "ID": "data/hash/md5", + "RuleName": "MD5" + }, + { + "Description": "Uses the SHA512 signature format", + "MatchStrings": [ + "SHA512" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha512.yara#SHA512", + "ID": "data/hash/sha512", + "RuleName": "SHA512" + }, + { + "Description": "list network interfaces", + "MatchStrings": [ + "ifconfig" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs", + "ID": "discover/network/interface_list", + "RuleName": "bsd_ifaddrs" + }, + { + "Description": "Retrieves network MAC address", + "MatchStrings": [ + "MAC address" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr", + "ID": "discover/network/mac_address", + "RuleName": "macaddr" + }, + { + "Description": "Uses 'netstat' for network information", + "MatchStrings": [ + "netstat" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat", + "ID": "discover/network/netstat", + "RuleName": "netstat" + }, + { + "Description": "returns the effective group id of the current process", + "MatchStrings": [ + "Getegid" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/egid.yara#getegid", + "ID": "discover/process/egid", + "RuleName": "getegid" + }, + { + "Description": "returns the effective user id of the current process", + "MatchStrings": [ + "Geteuid" + ], + 
"RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/euid.yara#geteuid", + "ID": "discover/process/euid", + "RuleName": "geteuid" + }, + { + "Description": "gets the active process ID", + "MatchStrings": [ + "getpid" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/pid.yara#getpid", + "ID": "discover/process/pid", + "RuleName": "getpid" + }, + { + "Description": "retrieve resource limits", + "MatchStrings": [ + "Getrlimit", + "getrlimit" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/resource-limits.yara#getrlimit", + "ID": "discover/process/resource_limits", + "RuleName": "getrlimit" + }, + { + "Description": "returns the user id of the current process", + "MatchStrings": [ + "Getuid" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/uid.yara#getuid", + "ID": "discover/process/uid", + "RuleName": "getuid" + }, + { + "Description": "gets current working directory", + "MatchStrings": [ + "Getwd", + "getwd" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/working_directory.yara#getwd", + "ID": "discover/process/working_directory", + "RuleName": "getwd" + }, + { + "Description": "Finds program in process table", + "MatchStrings": [ + "pgrep" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/processes/pgrep.yara#pgrep", + "ID": "discover/processes/pgrep", + "RuleName": "pgrep" + }, + { + "Description": "gets number of processors", + "MatchStrings": [ + "nproc" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu.yara#processor_count", + "ReferenceURL": "https://man7.org/linux/man-pages/man3/get_nprocs.3.html", + "ID": "discover/system/cpu", + "RuleName": "processor_count" + }, + { + "Description": "accesses the kernel log ring buffer", + "MatchStrings": [ + "dmesg" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/dmesg.yara#dmesg", + "ID": "discover/system/dmesg", + "RuleName": "dmesg" + }, + { + "Description": "get computer host name", + "MatchStrings": [ + "/proc/sys/kernel/hostname" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/sethostname.2.html", + "ID": "discover/system/hostname", + "RuleName": "gethostname" + }, + { + "Description": "system identification", + "MatchStrings": [ + "syscall.Uname", + "uname" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname", + "ReferenceURL": "https://man7.org/linux/man-pages/man1/uname.1.html", + "ID": "discover/system/platform", + "RuleName": "uname" + }, + { + "Description": "Looks up the HOME directory for the current user", + "MatchStrings": [ + "HOME", + "getenv" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME", + "ReferenceURL": "https://man.openbsd.org/login.1#ENVIRONMENT", + "ID": "discover/user/HOME", + "RuleName": "HOME" + }, + { + "Description": "Looks up the USER name of the current user", + "MatchStrings": [ + "USER", + "environ", + "getenv" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER", + "ReferenceURL": "https://man.openbsd.org/login.1#ENVIRONMENT", + "ID": "discover/user/USER", + "RuleName": "USER" + }, + { + "Description": "get entry from passwd (user) database", + "MatchStrings": [ + "user/lookup" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/lookup.yara#getpwuid", + "ID": "discover/user/lookup", + "RuleName": "getpwuid" + }, + { + "Description": "returns the user name running this process", + "MatchStrings": [ + "whoami" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami", + "ReferenceURL": "https://man7.org/linux/man-pages/man1/whoami.1.html", + "ID": "discover/user/name_get", + "RuleName": "whoami" + }, + { + "Description": "hidden path generated dynamically", + "MatchStrings": [ + "%s/.ssh" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path", + "ReferenceURL": "https://objective-see.org/blog/blog_0x73.html", + "ID": "evasion/file/prefix", + "RuleName": "dynamic_hidden_path" + }, + { + "Description": "change the root mount location", + "MatchStrings": [ + "pivot_root" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hide_artifacts/pivot_root.yara#pivot_root", + "ID": "evasion/hide_artifacts/pivot_root", + "RuleName": "pivot_root" + }, + { + "Description": "references a 'plugin'", + "MatchStrings": [ + "ErrIntOverflowPlugin", + "ErrInvalidLengthPlugin", + "PluginConfigArgs", + "PluginConfigInterface", + "PluginConfigLinux", + "PluginConfigNetwork", + "PluginConfigRootfs", + "PluginConfigUser", + "PluginCreateOptions", + "PluginDescription", + 
"PluginDevice", + "PluginDisableOptions", + "PluginEnableOptions", + "PluginEnv", + "PluginInspectWithRaw", + "PluginInstallOptions", + "PluginInterfaceType", + "PluginList", + "PluginMount", + "PluginName", + "PluginPrivileges", + "PluginPush", + "PluginReference", + "PluginRemoveOptions", + "PluginSettings", + "PluginSpecwrong", + "PluginsFormat", + "PluginsInfo", + "PluginsListResponse", + "SetPluginConfig", + "_pingOSTypepluginsecret", + "both a container spec and a plugin spec in", + "denied while installing plugin", + "encodeVarintPlugin", + "fileDescriptorPlugin", + "plugin_create", + "plugin_disable", + "plugin_enable", + "plugin_inspect", + "plugin_install", + "plugin_list", + "plugin_push", + "plugin_remove", + "plugin_responses", + "plugin_set", + "plugin_upgrade", + "pluginpath", + "pluginsFormat", + "skipPlugin", + "sovPlugin", + "tryPluginPull", + "tryPluginUpgrade" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin", + "ID": "exec/plugin", + "RuleName": "plugin" + }, + { + "Description": "executes external programs", + "MatchStrings": [ + ").CombinedOutput", + "exec.(*Cmd).Run" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#exec_cmd_run", + "ID": "exec/program", + "RuleName": "exec_cmd_run" + }, + { + "Description": "calls sleep and runs shell code in the background", + "MatchStrings": [ + "#!", + "2\u003e\u00261 \u0026", + "nohup" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/background-sleep.yara#sleep_and_background", + "ID": "exec/shell/background_sleep", + "RuleName": "sleep_and_background" + }, + { + "Description": "executes shell", + "MatchStrings": [ + "/bin/bash", + "/bin/sh" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#calls_shell", + "ID": "exec/shell/exec", + "RuleName": "calls_shell" + }, + { + "Description": "works with block device attributes", + "MatchStrings": [ + "blkid" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/blkid.yara#blkid", + "ReferenceURL": "https://man7.org/linux/man-pages/man8/blkid.8.html", + "ID": "fs/blkid", + "RuleName": "blkid" + }, + { + "Description": "manipulate the device parameters of special files", + "MatchStrings": [ + "ioctl" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/device-control.yara#ioctl", + "ID": "fs/device_control", + "RuleName": "ioctl" + }, + { + "Description": "creates directories", + "MatchStrings": [ + "mkdir" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/mkdir.2.html", + "ID": "fs/directory/create", + "RuleName": "mkdir" + }, + { + "Description": "Uses Go functions to list a directory", + "MatchStrings": [ + ".ReadDir" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir", + "ID": "fs/directory/list", + "RuleName": "GoReadDir" + }, + { + "Description": "Uses libc functions to remove directories", + "MatchStrings": [ + "Rmdir", + "rmdir" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir", + "ID": "fs/directory/remove", + "RuleName": "rmdir" + }, + { + "Description": "make a FIFO special file (a named pipe)", + "MatchStrings": [ + "mkfifo" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/fifo-create.yara#mkfifo", + "ID": "fs/fifo_create", + "RuleName": "mkfifo" + }, + { + "Description": "check if the current user can access a file", + "MatchStrings": [ + "faccessat2" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-access-check.yara#_access", + "ID": "fs/file/access_check", + "RuleName": "_access" + }, + { + "Description": "deletes files", + "MatchStrings": [ + "unlinkat" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/unlink.2.html", + "ID": "fs/file/delete", + "RuleName": "unlink" + }, + { + "Description": "Forcibly deletes files", + "MatchStrings": [ + "rm non-TreeNodersopenpgp" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force", + "ID": "fs/file/delete_forcibly", + "RuleName": "rm_force" + }, + { + "Description": "opens files", + "MatchStrings": [ + "openFile" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#java_open", + "ID": "fs/file/open", + "RuleName": "java_open" + }, + { + "Description": "reads files", + "MatchStrings": [ + "ReadFile", + "os.(*File).Read" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read", + "ID": "fs/file/read", + "RuleName": "go_file_read" + }, + { + "Description": "renames files", + "MatchStrings": [ + "os.rename" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename", + "ID": "fs/file/rename", + 
"RuleName": "explicit_rename" + }, + { + "Description": "access filesystem metadata", + "MatchStrings": [ + "fs.statDirEntry" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat", + "ID": "fs/file/stat", + "RuleName": "npm_stat" + }, + { + "Description": "forcibly synchronizes file state to disk", + "MatchStrings": [ + "fsync", + "syscall.Fsync" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-sync.yara#fsync", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/fsync.2.html", + "ID": "fs/file/sync", + "RuleName": "fsync" + }, + { + "Description": "truncate a file to a specified length", + "MatchStrings": [ + "truncate" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#truncate", + "ID": "fs/file/truncate", + "RuleName": "truncate" + }, + { + "Description": "writes to file", + "MatchStrings": [ + "AllowOverwriteDirWithFile", + "WriteFile", + "writeFilePatchHeader", + "writeIndexToFile", + "writeOneFile", + "writeRawFile" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write", + "ID": "fs/file/write", + "RuleName": "file_write" + }, + { + "Description": "May create hard file links", + "MatchStrings": [ + "linkat" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat", + "ID": "fs/link_create", + "RuleName": "linkat" + }, + { + "Description": "read value of a symbolic link", + "MatchStrings": [ + "readlinkat" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink", + "ReferenceURL": 
"https://man7.org/linux/man-pages/man2/readlink.2.html", + "ID": "fs/link_read", + "RuleName": "readlink" + }, + { + "Description": "apply or remove an advisory lock on a file", + "MatchStrings": [ + "flock" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock", + "ID": "fs/lock_update", + "RuleName": "flock" + }, + { + "Description": "mounts file systems", + "MatchStrings": [ + "-o", + "mount" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount", + "ID": "fs/mount", + "RuleName": "mount" + }, + { + "Description": "create device files", + "MatchStrings": [ + "mknod" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/mknod.2.html", + "ID": "fs/node_create", + "RuleName": "mknod" + }, + { + "Description": "Calls /bin/su", + "MatchStrings": [ + "/bin/su" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/bin-su.yara#bin_su", + "ID": "fs/path/bin_su", + "RuleName": "bin_su" + }, + { + "Description": "References /dev/null", + "MatchStrings": [ + "/dev/null" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/dev-null.yara#dev_null", + "ID": "fs/path/dev_null", + "RuleName": "dev_null" + }, + { + "Description": "path reference within /etc", + "MatchStrings": [ + "/etc/apache/mime.typeshpack", + "/etc/apk/keys/etc/apk/archcached", + "/etc/apk/lib/apk", + "/etc/apk/repositories/lib/apk/db/inst", + "/etc/apk/world", + "/etc/bash", + "/etc/busybox-paths.d/usr/bin/setkeyco", + "/etc/default/motd-newsformat", + "/etc/group", + "/etc/hostsgetsockoptnetlinkrib", + "/etc/httpd/conf/mime.typesmime", + 
"/etc/mime.types", + "/etc/nsswitch.confinvalid", + "/etc/os-release", + "/etc/passwdparse", + "/etc/pki/ca-trust/extracted/pem/tls-c", + "/etc/pki/tls/cacert.peminvalid", + "/etc/pki/tls/certs/ca-bundle.crtx", + "/etc/pki/tls/certsunexpected", + "/etc/protocolsunknown", + "/etc/resolv.confnon-", + "/etc/security/cacertsx", + "/etc/services/etc/apk/keys/etc/apk/ar", + "/etc/ssh/ssh", + "/etc/ssl/ca-bundle.pemx", + "/etc/ssl/cert.peminvalid", + "/etc/ssl/certs/ca-certificates.crttim", + "/etc/ssl/certsbad", + "/etc/zoneinfoparsing" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path", + "ID": "fs/path/etc", + "RuleName": "etc_path" + }, + { + "Description": "references /etc/hosts", + "MatchStrings": [ + "/etc/hosts" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts", + "ID": "fs/path/etc_hosts", + "RuleName": "etc_hosts" + }, + { + "Description": "accesses DNS resolver configuration", + "MatchStrings": [ + "/etc/resolv.conf" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf", + "ID": "fs/path/etc_resolv.conf", + "RuleName": "etc_resolv_conf" + }, + { + "Description": "references path within /home", + "MatchStrings": [ + "/home/sha2561.32.11.33.01.33.11.33.21.34.01.34.11.35.01.36.0ID" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path", + "ID": "fs/path/home", + "RuleName": "home_path" + }, + { + "Description": "path reference within ~/.config", + "MatchStrings": [ + "~/.config/fish/completions/" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path", + 
"ID": "fs/path/home_config", + "RuleName": "home_config_path" + }, + { + "Description": "references and possibly executes relative path", + "MatchStrings": [ + "./line", + "./pipe" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val", + "ID": "fs/path/relative", + "RuleName": "relative_path_val" + }, + { + "Description": "path reference within /root", + "MatchStrings": [ + "/root/linuxrc/sbin/hwclock/sbin/ipneigh/sbin/iproute/sbin/logread/sbin" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/root.yara#root_path_val", + "ID": "fs/path/root", + "RuleName": "root_path_val" + }, + { + "Description": "path reference within /usr/bin", + "MatchStrings": [ + "/usr/bin/ar", + "/usr/bin/ascii", + "/usr/bin/awk", + "/usr/bin/basename", + "/usr/bin/bc", + "/usr/bin/beep", + "/usr/bin/blkdiscard", + "/usr/bin/bunzip2", + "/usr/bin/bzcat", + "/usr/bin/bzip2", + "/usr/bin/cal", + "/usr/bin/chcon", + "/usr/bin/chpst", + "/usr/bin/chrt", + "/usr/bin/chvt", + "/usr/bin/cksum", + "/usr/bin/clear", + "/usr/bin/cmp", + "/usr/bin/comm", + "/usr/bin/crc32", + "/usr/bin/crontab", + "/usr/bin/cryptpw", + "/usr/bin/cut", + "/usr/bin/dc", + "/usr/bin/deallocvt", + "/usr/bin/diff", + "/usr/bin/dirname", + "/usr/bin/dos2unix", + "/usr/bin/dpkg-deb", + "/usr/bin/dumpleases", + "/usr/bin/eject", + "/usr/bin/envdir", + "/usr/bin/envuidgid", + "/usr/bin/expand", + "/usr/bin/expr", + "/usr/bin/factor", + "/usr/bin/fallocate", + "/usr/bin/fgconsole", + "/usr/bin/find", + "/usr/bin/flock", + "/usr/bin/fold", + "/usr/bin/free", + "/usr/bin/ftpget", + "/usr/bin/ftpput", + "/usr/bin/fuser", + "/usr/bin/groups", + "/usr/bin/hd", + "/usr/bin/head", + "/usr/bin/hexdump", + "/usr/bin/hexedit", + "/usr/bin/hostid", + "/usr/bin/id", + "/usr/bin/install", + "/usr/bin/ipcrm", + "/usr/bin/ipcs", + "/usr/bin/killall", + 
"/usr/bin/last", + "/usr/bin/less", + "/usr/bin/logger", + "/usr/bin/logname", + "/usr/bin/lpq", + "/usr/bin/lpr", + "/usr/bin/lsof", + "/usr/bin/lspci", + "/usr/bin/lsscsi", + "/usr/bin/lsusb", + "/usr/bin/lzcat", + "/usr/bin/lzma", + "/usr/bin/lzopcat", + "/usr/bin/man", + "/usr/bin/md5sum", + "/usr/bin/mesg", + "/usr/bin/microcom", + "/usr/bin/mkfifo", + "/usr/bin/mkpasswd", + "/usr/bin/nc", + "/usr/bin/netcat", + "/usr/bin/nl", + "/usr/bin/nmeter", + "/usr/bin/nohup", + "/usr/bin/nproc", + "/usr/bin/nsenter", + "/usr/bin/nslookup", + "/usr/bin/od", + "/usr/bin/openvt", + "/usr/bin/passwd", + "/usr/bin/paste", + "/usr/bin/patch", + "/usr/bin/pgrep", + "/usr/bin/pkill", + "/usr/bin/pmap", + "/usr/bin/printf", + "/usr/bin/pscan", + "/usr/bin/pstree", + "/usr/bin/pwdx", + "/usr/bin/readlink", + "/usr/bin/realpath", + "/usr/bin/renice", + "/usr/bin/reset", + "/usr/bin/resize", + "/usr/bin/rpm2cpio", + "/usr/bin/runcon", + "/usr/bin/runsvdir", + "/usr/bin/rx", + "/usr/bin/script", + "/usr/bin/seq", + "/usr/bin/setfattr", + "/usr/bin/setkeycodes", + "/usr/bin/setsid", + "/usr/bin/setuidgid", + "/usr/bin/sha1sum", + "/usr/bin/sha256sum", + "/usr/bin/sha3sum", + "/usr/bin/sha512sum", + "/usr/bin/showkey", + "/usr/bin/shred", + "/usr/bin/shuf", + "/usr/bin/smemcap", + "/usr/bin/softlimit", + "/usr/bin/sort", + "/usr/bin/split", + "/usr/bin/ssl_client", + "/usr/bin/strings", + "/usr/bin/sum", + "/usr/bin/svc", + "/usr/bin/svok", + "/usr/bin/tac", + "/usr/bin/tail", + "/usr/bin/taskset", + "/usr/bin/tcpsvd", + "/usr/bin/tee", + "/usr/bin/telnet", + "/usr/bin/test", + "/usr/bin/tftp", + "/usr/bin/timeout", + "/usr/bin/top", + "/usr/bin/traceroute6", + "/usr/bin/tree", + "/usr/bin/truncate", + "/usr/bin/tsortVERSION_ID", + "/usr/bin/ttysize", + "/usr/bin/udhcpc6", + "/usr/bin/udpsvd", + "/usr/bin/unexpand", + "/usr/bin/uniq", + "/usr/bin/unit", + "/usr/bin/unix2dos", + "/usr/bin/unlink", + "/usr/bin/unlzma", + "/usr/bin/unlzop", + "/usr/bin/unshare", + "/usr/bin/unxz", + 
"/usr/bin/unzip", + "/usr/bin/uptime", + "/usr/bin/users", + "/usr/bin/uudecode", + "/usr/bin/uuencode", + "/usr/bin/vlock", + "/usr/bin/volname", + "/usr/bin/wall", + "/usr/bin/wc", + "/usr/bin/wget", + "/usr/bin/which", + "/usr/bin/whoami", + "/usr/bin/whois", + "/usr/bin/xargs", + "/usr/bin/xxd", + "/usr/bin/xzcat", + "/usr/bin/yes" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path", + "ID": "fs/path/usr_bin", + "RuleName": "usr_bin_path" + }, + { + "Description": "path reference within /usr/local/bin", + "MatchStrings": [ + "/usr/local/bin" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-local.yara#usr_local_bin_path", + "ID": "fs/path/usr_local", + "RuleName": "usr_local_bin_path" + }, + { + "Description": "path reference within /usr/sbin", + "MatchStrings": [ + "/usr/sbin/add-shell/usr/sbin/dhcprelay/usr/sbin/getsebool/usr/sbin/i2cdete", + "/usr/sbin/addgroup/usr/sbin/chpasswd/usr/sbin/delgroup/usr/sbin/fdformat/u", + "/usr/sbin/adduser/usr/sbin/deluser/usr/sbin/flashcp/usr/sbin/i2cdump/usr/s", + "/usr/sbin/arping/usr/sbin/chroot/usr/sbin/i2cget/usr/sbin/i2cset/usr/sbin/", + "/usr/sbin/brctl/usr/sbin/crond/usr/sbin/fbset/usr/sbin/httpd/usr/sbin/inet", + "/usr/sbin/chat/usr/sbin/dnsd/usr/sbin/ftpd/usr/sbin/ntpd/usr/sbin/rdev/usr", + "/usr/sbin/chpasswd/usr/sbin/delgroup/usr/sbin/fdformat/usr/sbin/fsfreeze/u", + "/usr/sbin/chroot/usr/sbin/i2cget/usr/sbin/i2cset/usr/sbin/rfkill/usr/sbin/", + "/usr/sbin/crond/usr/sbin/fbset/usr/sbin/httpd/usr/sbin/inetd/usr/sbin/rdat", + "/usr/sbin/delgroup/usr/sbin/fdformat/usr/sbin/fsfreeze/usr/sbin/killall5/u", + "/usr/sbin/deluser/usr/sbin/flashcp/usr/sbin/i2cdump/usr/sbin/ifplugd/usr/s", + "/usr/sbin/dhcprelay/usr/sbin/getsebool/usr/sbin/i2cdetect/usr/sbin/nandwri", + 
"/usr/sbin/dnsd/usr/sbin/ftpd/usr/sbin/ntpd/usr/sbin/rdev/usr/bin/ascii/usr", + "/usr/sbin/ether-wake/usr/sbin/fakeidentd/usr/sbin/flash_lock/usr/sbin/gete", + "/usr/sbin/fakeidentd/usr/sbin/flash_lock/usr/sbin/getenforce/usr/sbin/nbd-", + "/usr/sbin/fbset/usr/sbin/httpd/usr/sbin/inetd/usr/sbin/rdate/usr/sbin/tftp", + "/usr/sbin/fdformat/usr/sbin/fsfreeze/usr/sbin/killall5/usr/sbin/loadfont/u", + "/usr/sbin/flash_eraseall/usr/sbin/selinuxenabledskipping", + "/usr/sbin/flash_lock/usr/sbin/getenforce/usr/sbin/nbd-client/usr/sbin/popm", + "/usr/sbin/flash_unlock/usr/sbin/matchpathcon/usr/sbin/remove-shell/usr/sbi", + "/usr/sbin/flashcp/usr/sbin/i2cdump/usr/sbin/ifplugd/usr/sbin/nologin/usr/s", + "/usr/sbin/fsfreeze/usr/sbin/killall5/usr/sbin/loadfont/usr/sbin/nanddump/u", + "/usr/sbin/ftpd/usr/sbin/ntpd/usr/sbin/rdev/usr/bin/ascii/usr/bin/crc32/usr", + "/usr/sbin/getenforce/usr/sbin/nbd-client/usr/sbin/popmaildir/usr/sbin/sete", + "/usr/sbin/getsebool/usr/sbin/i2cdetect/usr/sbin/nandwrite/usr/sbin/partpro", + "/usr/sbin/httpd/usr/sbin/inetd/usr/sbin/rdate/usr/sbin/tftpd", + "/usr/sbin/i2cdetect/usr/sbin/nandwrite/usr/sbin/partprobe/usr/sbin/readahe", + "/usr/sbin/i2cdump/usr/sbin/ifplugd/usr/sbin/nologin/usr/sbin/rtcwake/usr/s", + "/usr/sbin/i2cget/usr/sbin/i2cset/usr/sbin/rfkill/usr/sbin/svlogd/usr/sbin/", + "/usr/sbin/i2cset/usr/sbin/rfkill/usr/sbin/svlogd/usr/sbin/udhcpd", + "/usr/sbin/i2ctransfer/usr/sbin/load_policy/usr/sbin/readprofile", + "/usr/sbin/ifplugd/usr/sbin/nologin/usr/sbin/rtcwake/usr/sbin/setfont/usr/s", + "/usr/sbin/killall5/usr/sbin/loadfont/usr/sbin/nanddump/usr/sbin/powertop/u", + "/usr/sbin/loadfont/usr/sbin/nanddump/usr/sbin/powertop/usr/sbin/sendmail/u", + "/usr/sbin/lpd/usr/sbin/mim/usr/bin/tree", + "/usr/sbin/matchpathcon/usr/sbin/remove-shell/usr/sbin/ubiupdatevolgenerati", + "/usr/sbin/nanddump/usr/sbin/powertop/usr/sbin/sendmail/usr/sbin/sestatus/u", + "/usr/sbin/nandwrite/usr/sbin/partprobe/usr/sbin/readahead/usr/sbin/setsebo", + 
"/usr/sbin/nbd-client/usr/sbin/popmaildir/usr/sbin/setenforce/usr/sbin/setl", + "/usr/sbin/nologin/usr/sbin/rtcwake/usr/sbin/setfont/usr/sbin/telnetd/usr/s", + "/usr/sbin/ntpd/usr/sbin/rdev/usr/bin/ascii/usr/bin/crc32/usr/bin/tsortVERS", + "/usr/sbin/partprobe/usr/sbin/readahead/usr/sbin/setsebool/usr/sbin/ubiatta", + "/usr/sbin/popmaildir/usr/sbin/setenforce/usr/sbin/setlogconsapko-generated", + "/usr/sbin/powertop/usr/sbin/sendmail/usr/sbin/sestatus/usr/sbin/ubimkvol/u", + "/usr/sbin/rdev/usr/bin/ascii/usr/bin/crc32/usr/bin/tsortVERSION_ID", + "/usr/sbin/readahead/usr/sbin/setsebool/usr/sbin/ubiattach/usr/sbin/ubideta", + "/usr/sbin/remove-shell/usr/sbin/ubiupdatevolgenerating", + "/usr/sbin/rtcwake/usr/sbin/setfont/usr/sbin/telnetd/usr/sbin/seedrngPRETTY", + "/usr/sbin/sendmail/usr/sbin/sestatus/usr/sbin/ubimkvol/usr/sbin/ubirmvol/u", + "/usr/sbin/sestatus/usr/sbin/ubimkvol/usr/sbin/ubirmvol/usr/sbin/ubirsvolge", + "/usr/sbin/setfont/usr/sbin/telnetd/usr/sbin/seedrngPRETTY_NAME", + "/usr/sbin/setsebool/usr/sbin/ubiattach/usr/sbin/ubidetach/usr/sbin/ubirena", + "/usr/sbin/ubiattach/usr/sbin/ubidetach/usr/sbin/ubirename", + "/usr/sbin/ubimkvol/usr/sbin/ubirmvol/usr/sbin/ubirsvolgetting" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-sbin.yara#usr_sbin_path", + "ID": "fs/path/usr_sbin", + "RuleName": "usr_sbin_path" + }, + { + "Description": "path reference within /var", + "MatchStrings": [ + "/var/cache%s", + "/var/cache/apk/etc/apk/worldCalculateWorldcache", + "/var/cache/miscAPKINDEX.tar.gzfetchAlpineKeyscfg.MapTo", + "/var/lib/db/sbomSPDXRef-Package-remote", + "/var/run/docker.sockopen" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path", + "ID": "fs/path/var", + "RuleName": "var_path" + }, + { + "Description": "Changes file ownership", + "MatchStrings": [ + "Chown" + ], + 
"RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown", + "ID": "fs/permission/chown", + "RuleName": "Chown" + }, + { + "Description": "modifies file permissions", + "MatchStrings": [ + "Chmod", + "chmod" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod", + "ReferenceURL": "https://linux.die.net/man/1/chmod", + "ID": "fs/permission/modify", + "RuleName": "chmod" + }, + { + "Description": "stop swapping to a file/device", + "MatchStrings": [ + "swapoff" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/swap/swap-off.yara#swapoff", + "ID": "fs/swap/off", + "RuleName": "swapoff" + }, + { + "Description": "start swapping to a file/device", + "MatchStrings": [ + "swapon" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/swap/swap-on.yara#swapon", + "ID": "fs/swap/on", + "RuleName": "swapon" + }, + { + "Description": "creates symbolic links", + "MatchStrings": [ + "symlink" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-create.yara#symlink", + "ID": "fs/symlink_create", + "RuleName": "symlink" + }, + { + "Description": "resolves symbolic links", + "MatchStrings": [ + "realpath" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath", + "ReferenceURL": "https://man7.org/linux/man-pages/man3/realpath.3.html", + "ID": "fs/symlink_resolve", + "RuleName": "realpath" + }, + { + "Description": "temp", + "MatchStrings": [ + "getenv", + "temp" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp", + "ID": "fs/tempdir/TEMP", + "RuleName": "temp" + }, + { + "Description": "creates temporary files", + "MatchStrings": [ + "mktemp", + "temp file", + "tmpfile" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp", + "ID": "fs/tempfile", + "RuleName": "mktemp" + }, + { + "Description": "unmount file system", + "MatchStrings": [ + "umount" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/unmount.yara#umount", + "ID": "fs/unmount", + "RuleName": "umount" + }, + { + "Description": "references /dev/urandom", + "MatchStrings": [ + "/dev/urandom" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/urandom.yara#urandom", + "ID": "hw/urandom", + "RuleName": "urandom" + }, + { + "Description": "references a 'heartbeat'", + "MatchStrings": [ + "HeartbeatPeriod", + "HeartbeatTick" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat", + "ID": "impact/remote_access/heartbeat", + "RuleName": "heartbeat" + }, + { + "Description": "parse command-line arguments", + "MatchStrings": [ + "getopt" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ui/parses-arguments.yara#argparse", + "ID": "impact/ui/parses_arguments", + "RuleName": "argparse" + }, + { + "Description": "give advice about use of memory", + "MatchStrings": [ + "madvise" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/advise.yara#madvise", + "ID": "mem/advise", + "RuleName": "madvise" + }, + { + "Description": "Uses DNS (Domain Name 
Service)", + "MatchStrings": [ + "CNAMEResource", + "SetEDNS0", + "dnsmessage" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs", + "ID": "net/dns", + "RuleName": "go_dns_refs" + }, + { + "Description": "looks up the reverse hostname for an IP", + "MatchStrings": [ + ".in-addr.arpa", + "ip6.arpa" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa", + "ID": "net/dns/reverse", + "RuleName": "in_addr_arpa" + }, + { + "Description": "Examines local DNS servers", + "MatchStrings": [ + "CNAMEResource" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local", + "ID": "net/dns/servers", + "RuleName": "go_dns_refs_local" + }, + { + "Description": "Uses DNS TXT (text) records", + "MatchStrings": [ + "TXT", + "dns" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt", + "ID": "net/dns/txt", + "RuleName": "dns_txt" + }, + { + "Description": "download files", + "MatchStrings": [ + "DownloadLocation", + "downloadLocation", + "to registrySkip downloading" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download", + "ID": "net/download", + "RuleName": "download" + }, + { + "Description": "Invokes curl", + "MatchStrings": [ + "curl -H \"" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value", + "ID": "net/download/fetch", + "RuleName": "curl_value" + }, + { + "Description": "Uses the HTTP/2 protocol", + "MatchStrings": [ + "HTTP/2" + ], + "RiskScore": 1, + "RiskLevel": 
"LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2", + "ID": "net/http/2", + "RuleName": "http2" + }, + { + "Description": "accepts binary files via HTTP", + "MatchStrings": [ + "Accept", + "application/octet-stream" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary", + "ID": "net/http/accept", + "RuleName": "http_accept_binary" + }, + { + "Description": "set HTTP response encoding format (example: gzip)", + "MatchStrings": [ + "Accept-Encoding" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type", + "ReferenceURL": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding", + "ID": "net/http/accept_encoding", + "RuleName": "content_type" + }, + { + "Description": "makes HTTP requests with Bearer authentication", + "MatchStrings": [ + "WWW-Authenticate", + "Www-Authenticate", + "www-authenticate" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth", + "ID": "net/http/auth", + "RuleName": "http_auth" + }, + { + "Description": "Sets HTTP content length to zero", + "MatchStrings": [ + "Content-Length: 0" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length.yara#content_length_0", + "ID": "net/http/content_length", + "RuleName": "content_length_0" + }, + { + "Description": "access HTTP resources using cookies", + "MatchStrings": [ + "Cookie", + "HTTP" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie", + "ReferenceURL": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies", + 
"ID": "net/http/cookies", + "RuleName": "http_cookie" + }, + { + "Description": "upload content via HTTP form", + "MatchStrings": [ + "POST", + "application/json", + "application/x-www-form-urlencoded", + "post" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload", + "ID": "net/http/form_upload", + "RuleName": "http_form_upload" + }, + { + "Description": "submits content to websites", + "MatchStrings": [ + "Content-Type for PUTeach colon", + "Content-Type headerdid not find expected alp", + "Content-Type isn", + "Content-Type: text/plain", + "Content-TypeCookie.Valuecontent", + "Content-Typenet/http: timeout awaiting respo", + "HTTP", + "POST" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post", + "ID": "net/http/post", + "RuleName": "http_post" + }, + { + "Description": "use HTTP proxy that requires authentication", + "MatchStrings": [ + "Proxy-Authorization" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth", + "ReferenceURL": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization", + "ID": "net/http/proxy", + "RuleName": "proxy_auth" + }, + { + "Description": "makes HTTP requests", + "MatchStrings": [ + "HTTP/1.", + "Referer", + "User-Agent" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request", + "ID": "net/http/request", + "RuleName": "http_request" + }, + { + "Description": "access the internet", + "MatchStrings": [ + "invalid packet" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets", + "ID": "net/ip", + "RuleName": "packets" + 
}, + { + "Description": "connects to an arbitrary hostname:port", + "MatchStrings": [ + "host to transport" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref", + "ID": "net/ip/host_port", + "RuleName": "host_port_ref" + }, + { + "Description": "parses IP address (IPv4 or IPv6)", + "MatchStrings": [ + "IsLinkLocalUnicast", + "IsSingleIP" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#ip_go", + "ID": "net/ip/parse", + "RuleName": "ip_go" + }, + { + "Description": "Supports SOCK5 proxies", + "MatchStrings": [ + "SOCKS5", + "socks5" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5", + "ID": "net/proxy/socks5", + "RuleName": "socks5" + }, + { + "Description": "resolve network host name to IP address", + "MatchStrings": [ + "net.hostLookup" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#net_hostlookup", + "ID": "net/resolve/hostname", + "RuleName": "net_hostlookup" + }, + { + "Description": "listen on a socket", + "MatchStrings": [ + "accept", + "listen", + "socket" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen", + "ID": "net/socket/listen", + "RuleName": "listen" + }, + { + "Description": "get local address of connected socket", + "MatchStrings": [ + "getsockname" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/getsockname.2.html", + "ID": "net/socket/local_addr", + 
"RuleName": "getsockname" + }, + { + "Description": "get socket options", + "MatchStrings": [ + "getsockopt" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-options-get.yara#getsockopt", + "ID": "net/socket/options_get", + "RuleName": "getsockopt" + }, + { + "Description": "set socket options", + "MatchStrings": [ + "setsockopt" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-options-set.yara#setsockopt", + "ID": "net/socket/options_set", + "RuleName": "setsockopt" + }, + { + "Description": "get peer address of connected socket", + "MatchStrings": [ + "getpeername" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/getpeername.2.html", + "ID": "net/socket/peer_address", + "RuleName": "getpeername" + }, + { + "Description": "receive a message from a socket", + "MatchStrings": [ + "recvfrom", + "recvmsg" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg", + "ReferenceURL": "https://linux.die.net/man/2/recvmsg", + "ID": "net/socket/receive", + "RuleName": "recvmsg" + }, + { + "Description": "send a message to a socket", + "MatchStrings": [ + "sendmsg", + "sendto" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg", + "ReferenceURL": "https://linux.die.net/man/2/sendmsg", + "ID": "net/socket/send", + "RuleName": "sendmsg" + }, + { + "Description": "connects to a TCP port", + "MatchStrings": [ + "dialTCP" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/connect.yara#connect_tcp", + "ID": "net/tcp/connect", + "RuleName": "connect_tcp" + }, + { + "Description": "Uses crypto/ssh to connect to the SSH (secure shell) service", + "MatchStrings": [ + "SSH" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh", + "ID": "net/tcp/ssh", + "RuleName": "ssh" + }, + { + "Description": "Listens for UDP responses", + "MatchStrings": [ + "ReadFromUDP", + "listenUDP" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-receive.yara#udp_listen", + "ID": "net/udp/receive", + "RuleName": "udp_listen" + }, + { + "Description": "Sends UDP packets", + "MatchStrings": [ + "DialUDP", + "WriteMsgUDP" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-send.yara#udp_send", + "ID": "net/udp/send", + "RuleName": "udp_send" + }, + { + "Description": "contains embedded HTTPS URLs", + "MatchStrings": [ + "https://GoString01234567beEfFgGvsignal", + "https://alpinelinux.org/releases.jsondid", + "https://github.com/chainguard-dev/apkocould", + "https://github.com/google/go-containerregistry/issues/377internal", + "https://github.com/spf13/cobra/issues/1279", + "https://github.com/spf13/cobra/issues/1508", + "https://index.docker.io/v1/Path", + "https://index.docker.io/v2/library/ubuntu/tags/list", + "https://pkg.go.dev/text/template", + "https://reproducible-builds.org/docs/source-date-epoch/directory", + "https://spdx.org/spdxdocs/apko/directory" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url", + "ID": "net/url/embedded", + "RuleName": "https_url" + }, + { + "Description": "encodes URL, likely to pass GET variables", + 
"MatchStrings": [ + "urlencode" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode", + "ID": "net/url/encode", + "RuleName": "url_encode" + }, + { + "Description": "Handles URL strings", + "MatchStrings": [ + "RequestURI" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle", + "ID": "net/url/parse", + "RuleName": "url_handle" + }, + { + "Description": "requests resources via URL", + "MatchStrings": [ + "http.request", + "net/url" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls", + "ID": "net/url/request", + "RuleName": "requests_urls" + }, + { + "Description": "Retrieve environment variables", + "MatchStrings": [ + "Getenv" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#getenv", + "ID": "os/env/get", + "RuleName": "getenv" + }, + { + "Description": "places a variable into the environment", + "MatchStrings": [ + "setenv" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/set.yara#setenv_putenv", + "ID": "os/env/set", + "RuleName": "setenv_putenv" + }, + { + "Description": "unsetenv", + "MatchStrings": [ + "unsetenv" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/unset.yara#unsetenv", + "ID": "os/env/unset", + "RuleName": "unsetenv" + }, + { + "Description": " close", + "MatchStrings": [ + "_close" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/access.yara#_close", + "ID": "os/fd/access", + "RuleName": "_close" + }, + { + "Description": 
"manipulate file descriptor with fcntl", + "MatchStrings": [ + "fcntl" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/manipulate.yara#fcntl", + "ID": "os/fd/manipulate", + "RuleName": "fcntl" + }, + { + "Description": "Reads from file descriptors", + "MatchStrings": [ + "pread" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#fd_read", + "ID": "os/fd/read", + "RuleName": "fd_read" + }, + { + "Description": "transfer data between file descriptors", + "MatchStrings": [ + "sendfile", + "syscall.Sendfile" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/sendfile.2.html", + "ID": "os/fd/sendfile", + "RuleName": "sendfile" + }, + { + "Description": "write to file descriptor", + "MatchStrings": [ + "pwrite" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#fd_write", + "ID": "os/fd/write", + "RuleName": "fd_write" + }, + { + "Description": "communicate with kernel services", + "MatchStrings": [ + "netlink" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink", + "ID": "os/kernel/netlink", + "RuleName": "netlink" + }, + { + "Description": "get or set kernel stat", + "MatchStrings": [ + "Sysctl", + "sysctl" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/sysctl.yara#sysctl", + "ID": "os/kernel/sysctl", + "RuleName": "sysctl" + }, + { + "Description": "libc", + "MatchStrings": [ + "sigaction" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle.yara#libc", + "ID": "os/signal/handle", + "RuleName": "libc" + }, + { + "Description": "Listen for SIGALRM (timeout) events", + "MatchStrings": [ + "ALRM", + "sigaction" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-ALRM.yara#sigaction_ALRM", + "ID": "os/signal/handle_ALRM", + "RuleName": "sigaction_ALRM" + }, + { + "Description": "Listen for SIGHUP (hangup) events", + "MatchStrings": [ + "HUP", + "sigaction" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-HUP.yara#sigaction_SIGHUP", + "ID": "os/signal/handle_HUP", + "RuleName": "sigaction_SIGHUP" + }, + { + "Description": "Listen for SIGINT (ctrl-C) events", + "MatchStrings": [ + "SIGINT", + "sigaction" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-INT.yara#sigaction_SIGINT", + "ID": "os/signal/handle_INT", + "RuleName": "sigaction_SIGINT" + }, + { + "Description": "Listen for SIGQUIT (kill) events", + "MatchStrings": [ + "QUIT", + "sigaction" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-QUIT.yara#sigaction_SIGQUIT", + "ID": "os/signal/handle_QUIT", + "RuleName": "sigaction_SIGQUIT" + }, + { + "Description": "Listen for SIGWINCH (terminal window change) events", + "MatchStrings": [ + "WINCH", + "sigaction" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/handle-WINCH.yara#sigaction_WINCH", + "ID": "os/signal/handle_WINCH", + "RuleName": "sigaction_WINCH" + }, + { + "Description": "sigprocmask", + "MatchStrings": [ + "sigprocmask" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": 
"https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/mask.yara#sigprocmask", + "ID": "os/signal/mask", + "RuleName": "sigprocmask" + }, + { + "Description": "kill", + "MatchStrings": [ + "syscall.Kill" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/signal/send.yara#kill", + "ID": "os/signal/send", + "RuleName": "kill" + }, + { + "Description": "bsd time conversion", + "MatchStrings": [ + "ctime" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/time/clock-convert.yara#bsd_time_conversion", + "ID": "os/time/clock_convert", + "RuleName": "bsd_time_conversion" + }, + { + "Description": "set time via system clock", + "MatchStrings": [ + "adjtimex" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/time/clock-set.yara#linux_adjtimex", + "ID": "os/time/clock_set", + "RuleName": "linux_adjtimex" + }, + { + "Description": "lists crontab entries, may also persist", + "MatchStrings": [ + "crontab" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/cron/tab.yara#crontab_support", + "ID": "persist/cron/tab", + "RuleName": "crontab_support" + }, + { + "Description": "changes working directory", + "MatchStrings": [ + "cd u" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell", + "ID": "process/chdir", + "RuleName": "chdir_shell" + }, + { + "Description": "change the location of root for the process", + "MatchStrings": [ + "chroot" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot", + "ID": "process/chroot", + "RuleName": "chroot" + }, + { + "Description": "create child 
process", + "MatchStrings": [ + "clone" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#syscall_clone", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/clone.2.html", + "ID": "process/create", + "RuleName": "syscall_clone" + }, + { + "Description": "creates a session and sets the process group ID", + "MatchStrings": [ + "setsid" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/group/create.yara#syscalls", + "ReferenceURL": "https://man7.org/linux/man-pages/man2/setsid.2.html", + "ID": "process/group/create", + "RuleName": "syscalls" + }, + { + "Description": "set group access list", + "MatchStrings": [ + "setgroups" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups", + "ID": "process/groups_set", + "RuleName": "setgroups" + }, + { + "Description": "set resource limits", + "MatchStrings": [ + "setrlimit" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/limit-set.yara#setrlimit", + "ID": "process/limit_set", + "RuleName": "setrlimit" + }, + { + "Description": "adjust the process nice value", + "MatchStrings": [ + "renice" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/setpriority.yara#nice", + "ID": "process/setpriority", + "RuleName": "nice" + }, + { + "Description": "disassociate parts of the process execution context", + "MatchStrings": [ + "unshare" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare", + "ID": "process/unshare", + "RuleName": "syscall_unshare" + }, + { + "Description": "gets very excited", + 
"MatchStrings": [ + "does not work!!!", + "ontain alphanumerical characters onlyexplicitly tagged !!" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations", + "ID": "sus/exclamation", + "RuleName": "exclamations" + } + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM" + } + } +} diff --git a/pkg/action/testdata/scan_oci b/pkg/action/testdata/scan_oci index e69de29b..5f57f73d 100644 --- a/pkg/action/testdata/scan_oci +++ b/pkg/action/testdata/scan_oci 
@@ -0,0 +1,74 @@ +{ + "Files": { + "/etc/profile": { + "Path": "testdata/static.tar.xz ∴ /etc/profile", + "SHA256": "8adf547453fe02fdc92e90424bffea4130bf88cc772a492b74912fb50a85c467", + "Size": 534, + "Behaviors": [ + { + "Description": "set file mode creation mask", + "MatchStrings": [ + "umask" + ], + "RiskScore": 0, + "RiskLevel": "NONE", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-permission-mask-set.yara#umask", + "ID": "fs/file/permission_mask_set", + "RuleName": "umask" + }, + { + "Description": "path reference within /etc", + "MatchStrings": [ + "/etc/profile.d/" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path", + "ID": "fs/path/etc", + "RuleName": "etc_path" + }, + { + "Description": "path reference within /usr/local/bin", + "MatchStrings": [ + "/usr/local/bin" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-local.yara#usr_local_bin_path", + "ID": "fs/path/usr_local", + "RuleName": "usr_local_bin_path" + }, + { + "Description": "access bash startup files", + "MatchStrings": [ + "/etc/profile" + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/shell/bash.yara#bash_persist", + "ID": "persist/shell/bash", + "RuleName": "bash_persist" + }, + { + "Description": "etc shell init references", + "MatchStrings": [ + "/etc/profile" + ], + "RiskScore": 1, + "RiskLevel": "LOW", + "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/shell/init_files.yara#etc_shell_init_references", + "ID": "persist/shell/init_files", + "RuleName": "etc_shell_init_references" + } + ], + "RiskScore": 2, + "RiskLevel": "MEDIUM" + }, + "/etc/profile.d/locale.sh": { + "Path": "testdata/static.tar.xz ∴ /etc/profile.d/locale.sh", + "SHA256": "", + "Size": 0, + 
"RiskScore": 0 + } + } +} diff --git a/rules/persist/kernel_module/kprobe.yara b/rules/persist/kernel_module/kprobe.yara deleted file mode 100644 index 9f419c05..00000000 --- a/rules/persist/kernel_module/kprobe.yara +++ /dev/null @@ -1,10 +0,0 @@ -rule register_kprobe: medium { - meta: - description = "registers a kernel probe (possibly kernel module)" - - strings: - $ref = "register_kprobe" - - condition: - any of them -} diff --git a/rules/persist/kernel_module/module-unload.yara b/rules/persist/kernel_module/module-unload.yara deleted file mode 100644 index 7644616d..00000000 --- a/rules/persist/kernel_module/module-unload.yara +++ /dev/null @@ -1,10 +0,0 @@ -rule system_kext_unloader: high { - meta: - description = "unloads system kernel extensions" - - strings: - $kextunload_sys_lib_ext = "kextunload /System/Library/Extensions/" - - condition: - filesize < 10485760 and any of them -} diff --git a/rules/persist/kernel_module/module.yara b/rules/persist/kernel_module/module.yara index 3716d162..464e7b17 100644 --- a/rules/persist/kernel_module/module.yara +++ b/rules/persist/kernel_module/module.yara @@ -1,5 +1,16 @@ import "elf" +rule register_kprobe: medium { + meta: + description = "registers a kernel probe (possibly kernel module)" + + strings: + $ref = "register_kprobe" + + condition: + any of them +} + rule lkm: medium { meta: description = "Linux kernel module" @@ -26,19 +37,6 @@ rule lkm_embedded_in_elf: high { elf.type == elf.ET_EXEC and all of them } -rule delete_module: medium { - meta: - description = "Unload Linux kernel module" - syscall = "delete_module" - capability = "CAP_SYS_MODULE" - - strings: - $ref = "delete_module" fullword - - condition: - all of them -} - rule init_module: medium linux { meta: description = "Linux kernel module" diff --git a/rules/persist/linux_multi.yara b/rules/persist/linux_multi.yara index 9e93d4a8..9a98dc16 100644 --- a/rules/persist/linux_multi.yara +++ b/rules/persist/linux_multi.yara 
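Review bot: The `register_kprobe` rule relocated into module.yara keeps `condition: any of them` with no `filesize` bound, whereas the rule removed alongside it in this patch (`system_kext_unloader`) gated on `filesize < 10485760`; an unbounded bare-substring match is the pattern most likely to fire on large kernel images, debug packages and symbol dumps. The string is also not `fullword`, so it matches `unregister_kprobe` and `register_kprobes` as well — presumably acceptable for a kprobe indicator, but the description should say so. Suggest `condition: filesize < 10MB and any of them` and a description such as `"registers a kernel probe (also matches unregister_kprobe/register_kprobes; possibly kernel module)"`. The `delete_module` rule dropped later in this file carried `syscall`/`capability` metadata; the updated test expectations still report `persist/kernel_module/unload`, which suggests it was moved rather than retired, but its new home is not in this diff.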
@@ -3,12 +3,14 @@ rule linux_multi_persist: high { description = "references multiple Linux persistence methods" strings: - $o_initd = /etc\/init\.d\/[\w\/\.]{0,32}/ fullword - $o_udev = "etc/udev" - $o_crontab = "crontab" fullword - $o_xdg = "[Desktop Entry]" - $o_rc_d = "/etc/rc.d/rc.local" - $o_insmod = "insmod" fullword + $o_initd = /etc\/init\.d\/[\w\/\.]{0,32}/ fullword + $o_udev = "etc/udev" + $o_crontab = "crontab" fullword + $o_xdg = "[Desktop Entry]" + $o_rc_d = "/etc/rc.d/rc.local" + $o_insmod = "insmod" fullword + $o_preload = "/etc/ld.so.preload" + $o_systemctl = "systemctl" $bash_ref = ".bash_profile" $bash_ref2 = ".profile" fullword diff --git a/tests/linux/2021.FontOnLake/45E9.elf.simple b/tests/linux/2021.FontOnLake/45E9.elf.simple index 4fd6fb40..1be1eb1e 100644 --- a/tests/linux/2021.FontOnLake/45E9.elf.simple +++ b/tests/linux/2021.FontOnLake/45E9.elf.simple @@ -92,8 +92,7 @@ net/tcp/ssh: medium net/tun_tap: medium net/url/embedded: low persist/daemon: medium -persist/kernel_module/install: high -persist/kernel_module/kprobe: medium +persist/kernel_module/load: high persist/kernel_module/module: medium persist/kernel_module/symbol_lookup: high persist/pid_file: medium diff --git a/tests/linux/2023.Kinsing/install.sh.simple b/tests/linux/2023.Kinsing/install.sh.simple index 156524d4..d0dfee0a 100644 --- a/tests/linux/2023.Kinsing/install.sh.simple +++ b/tests/linux/2023.Kinsing/install.sh.simple @@ -68,6 +68,7 @@ net/url/embedded: low persist/cron/etc_d: high persist/cron/tab: medium persist/daemon: medium +persist/linux_multi: high persist/shell/bash: medium persist/ssh_authorized_keys: medium persist/writeable_dir: high diff --git a/tests/linux/2024.Gelsemium/dbus.simple b/tests/linux/2024.Gelsemium/dbus.simple index 440ce62e..fb6afb77 100644 --- a/tests/linux/2024.Gelsemium/dbus.simple +++ b/tests/linux/2024.Gelsemium/dbus.simple 
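Review bot: `$o_systemctl = "systemctl"` is added as a bare substring while the comparable single-token entries in the same list (`$o_crontab`, `$o_insmod`) are `fullword`, so it will also hit inside longer identifiers and help text in any systemd-aware binary, widening what a `high` rule counts as a persistence reference. Suggest `$o_systemctl = "systemctl" fullword` to stay consistent with its neighbours; `$o_preload = "/etc/ld.so.preload"` is specific enough as written. The rule's `condition`, which decides how many `$o_*` hits are needed, lies outside this hunk, so the real false-positive exposure cannot be judged from here; the clean expectations updated in this patch (buildah, caddy, chezmoi, chrome) do not list `persist/linux_multi`, which is reassuring but not a substitute for the tighter match.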
@@ -31,8 +31,8 @@ net/socket/local_addr: low net/socket/receive: low net/socket/send: low persist/daemon: medium -persist/kernel_module/install: high -persist/kernel_module/name: high +persist/kernel_module/load: high +persist/kernel_module/name: medium persist/kernel_module/unload: high persist/linux_multi: high persist/pid_file: medium diff --git a/tests/linux/2024.Gelsemium/udevd.simple b/tests/linux/2024.Gelsemium/udevd.simple index 9ff9c9f9..8b0c60d6 100644 --- a/tests/linux/2024.Gelsemium/udevd.simple +++ b/tests/linux/2024.Gelsemium/udevd.simple @@ -66,6 +66,7 @@ net/socket/receive: low net/socket/send: low net/udp/kcp: medium net/url/embedded: low +persist/linux_multi: high persist/plugin: high persist/shell/bash: high privesc/setuid: low diff --git a/tests/linux/2024.Gelsemium/udevd_multi.simple b/tests/linux/2024.Gelsemium/udevd_multi.simple index 4c57b503..44a47ae0 100644 --- a/tests/linux/2024.Gelsemium/udevd_multi.simple +++ b/tests/linux/2024.Gelsemium/udevd_multi.simple @@ -65,6 +65,7 @@ net/socket/receive: low net/socket/send: low net/udp/kcp: medium net/url/embedded: low +persist/linux_multi: high persist/plugin: high persist/shell/bash: high privesc/setuid: low diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple index e69de29b..00225be2 100644 --- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple +++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple 
@@ -0,0 +1,174 @@ +# linux/2024.kworker_pretenders/emp3r0r.agent: critical +3P/elastic/exploit_cve_2021: critical +anti-behavior/vm_check: medium +anti-static/elf/entropy: high +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/url: low +c2/discovery/ip_dns_resolver: medium +c2/refs: high +c2/tool_transfer/arch: low +c2/tool_transfer/download: medium +c2/tool_transfer/os: medium +collect/archives/unarchive: medium +collect/archives/zip: medium +credential/os/shadow: medium +credential/password: low +credential/sniffer/bpf: medium +credential/ssh/d: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/public_key: low +crypto/tls: low +data/compression/bzip2: low +data/compression/gzip: low +data/compression/lzma: low +data/compression/xz: medium +data/compression/zlib: low +data/compression/zstd: low +data/embedded/html: medium +data/embedded/zstd: medium +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/hash/blake2b: low +data/hash/md5: low +data/hash/sha256: low +discover/network/connectivity: low +discover/network/netstat: medium +discover/processes/list: medium +discover/system/cpu: low +discover/system/hostname: low +discover/system/platform: low +discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +discover/user/name_get: medium +evasion/file/location/chdir_unusual: medium +evasion/file/location/dev_shm: medium +evasion/file/prefix: high +evasion/file/prefix/dev: high +evasion/file/prefix/tmp: high +evasion/hijack_execution/LD_LIBRARY_PATH: low +evasion/logging/current_logins: medium +evasion/logging/hide_shell_history: high +evasion/mimicry/fake_process: critical +exec/cmd: medium +exec/conditional/LANG: low +exec/dylib/symbol_address: medium +exec/plugin: low +exec/program: medium +exec/remote_commands/code_eval: medium +exec/script/shell: medium +exec/shell/SHELL: low +exec/shell/TERM: 
low +exec/shell/arbitrary_command_dev_null: medium +exec/shell/background_sleep: medium +exec/shell/exec: medium +exec/tty/open: medium +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/file/copy: medium +fs/file/delete: medium +fs/file/delete_forcibly: medium +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/times_set: low +fs/file/write: low +fs/link_create: low +fs/link_read: low +fs/mount: low +fs/path/bin_su: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home: low +fs/path/home_config: low +fs/path/tmp: medium +fs/path/users: medium +fs/path/usr_bin: low +fs/path/usr_local: medium +fs/path/usr_sbin: low +fs/path/var: low +fs/path/var_log: medium +fs/permission/chown: medium +fs/permission/modify: medium +fs/proc/1_cgroup: medium +fs/proc/arbitrary_pid: medium +fs/proc/cpuinfo: medium +fs/symlink_resolve: low +fs/tempdir/TEMP: low +fs/tempfile: low +hw/cpu: medium +impact/exploit: high +impact/exploit/GCONV_PATH: high +impact/exploit/overflow_shellcode: high +impact/exploit/pwnkit: critical +impact/remote_access/heartbeat: medium +impact/remote_access/kill_rm: medium +impact/remote_access/net_exec: medium +impact/remote_access/pseudo_terminal: medium +impact/remote_access/reverse_shell: high +malware/family/emp3r0r: critical +net/dns: low +net/dns/over_https: medium +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/http/websocket: medium +net/ip: low +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/ip/tcp_state_tracker: medium +net/proxy/shadowsocks: high +net/proxy/socks5: medium +net/resolve/hostname: low +net/resolve/hostport_parse: low 
+net/socket/listen: medium +net/socket/local_addr: low +net/socket/peer_address: low +net/socket/raw: medium +net/socket/receive: low +net/socket/send: low +net/tcp/connect: medium +net/tcp/sftp: medium +net/tcp/ssh: medium +net/udp/receive: low +net/udp/send: medium +net/url/embedded: medium +net/url/encode: medium +net/url/parse: low +net/url/request: medium +os/fd/sendfile: low +os/kernel/netlink: low +persist/cron/tab: medium +persist/pid_file: medium +persist/shell/bash: high +privesc/linpeas: high +privesc/setuid: low +privesc/sudo: medium +process/chdir: low +process/chroot: low +process/groupid_set: low +process/groups_set: low +process/multithreaded: low +process/terminate/killed_all: medium +sus/exclamation: medium diff --git a/tests/linux/2024.melofee/2023.758b0934b7.elf.simple b/tests/linux/2024.melofee/2023.758b0934b7.elf.simple index f86f4e18..2bd69115 100644 --- a/tests/linux/2024.melofee/2023.758b0934b7.elf.simple +++ b/tests/linux/2024.melofee/2023.758b0934b7.elf.simple @@ -11,8 +11,8 @@ fs/link_read: low fs/path/etc: low malware/family/melofee: critical persist/daemon: medium -persist/kernel_module/install: medium -persist/kernel_module/name: high +persist/kernel_module/load: medium +persist/kernel_module/name: medium persist/kernel_module/unload: medium process/create: low process/terminate/kill_multiple: medium diff --git a/tests/linux/2024.melofee/2023.8d855c2874.elf.simple b/tests/linux/2024.melofee/2023.8d855c2874.elf.simple index 153c6cdb..eee2d20b 100644 --- a/tests/linux/2024.melofee/2023.8d855c2874.elf.simple +++ b/tests/linux/2024.melofee/2023.8d855c2874.elf.simple @@ -65,8 +65,8 @@ net/socket/receive: low net/socket/send: low net/tcp/ssh: medium persist/daemon: medium -persist/kernel_module/install: high -persist/kernel_module/name: high +persist/kernel_module/load: high +persist/kernel_module/name: medium persist/kernel_module/unload: medium process/multithreaded: low sus/compiler: medium 
diff --git a/tests/linux/2024.melofee/driver_decrypted.simple b/tests/linux/2024.melofee/driver_decrypted.simple index ece2a0cf..d29b0395 100644 --- a/tests/linux/2024.melofee/driver_decrypted.simple +++ b/tests/linux/2024.melofee/driver_decrypted.simple @@ -4,7 +4,6 @@ anti-static/binary/opaque: medium evasion/indicator_blocking/process: high evasion/mimicry/fake_process: high impact/rootkit: critical -persist/kernel_module/kprobe: medium persist/kernel_module/module: medium persist/kernel_module/symbol_lookup: high sus/compiler: medium diff --git a/tests/linux/clean/buildah.simple b/tests/linux/clean/buildah.simple index e69de29b..60a4df47 100644 --- a/tests/linux/clean/buildah.simple +++ b/tests/linux/clean/buildah.simple 
@@ -0,0 +1,159 @@ +# linux/clean/buildah: medium +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/url: low +c2/client: medium +c2/discovery/ip_dns_resolver: medium +c2/tool_transfer/arch: low +c2/tool_transfer/os: medium +collect/archives/zip: medium +collect/databases/sqlite: medium +credential/keychain: medium +credential/password: low +credential/sniffer/bpf: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/openssl: medium +crypto/public_key: low +crypto/tls: low +data/compression/bzip2: low +data/compression/gzip: low +data/compression/lzma: low +data/compression/xz: medium +data/compression/zlib: low +data/compression/zstd: low +data/embedded/html: medium +data/embedded/zstd: medium +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/hash/blake2b: low +data/hash/md5: low +discover/network/mac_address: medium +discover/process/name: medium +discover/system/cpu: low +discover/system/hostname: low +discover/system/platform: low +discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +evasion/bypass_security/linux/iptables: medium +evasion/file/location/dev_mqueue: medium +evasion/file/location/dev_shm: medium +evasion/file/location/var_run: medium +evasion/file/prefix: medium +evasion/file/prefix/dev: low +exec/cmd: medium +exec/dylib/symbol_address: medium +exec/plugin: low +exec/program: medium +exec/reconfigure/hostname_set: low +exec/shell/SHELL: low +exec/shell/TERM: low +exec/shell/background_sleep: medium +exec/shell/exec: medium +exec/system_controls/apparmor: medium +exec/system_controls/systemd: low +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/event_monitoring: low +fs/fifo_create: low +fs/file/create: medium +fs/file/delete: low +fs/file/delete_forcibly: low +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/times_set: medium 
+fs/file/truncate: low +fs/file/write: low +fs/link_create: low +fs/link_read: low +fs/lock_update: low +fs/loopback: medium +fs/mount: low +fs/node_create: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home_config: low +fs/path/lib_dynamic: medium +fs/path/relative: medium +fs/path/tmp: medium +fs/path/users: medium +fs/path/usr_bin: low +fs/path/usr_local: medium +fs/path/usr_sbin: low +fs/path/var: low +fs/permission/chown: medium +fs/permission/modify: medium +fs/proc/arbitrary_pid: medium +fs/proc/self_cgroup: medium +fs/proc/self_cmdline: medium +fs/proc/self_exe: medium +fs/proc/self_mountinfo: medium +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempdir/create: low +fs/tempfile: low +fs/unmount: low +fs/watch: low +hw/dev/block_ice: medium +impact/degrade/linux_paths: medium +impact/remote_access/iptables: medium +mem/anonymous_file: medium +net/dns: low +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/parse: medium +net/resolve/hostname: low +net/resolve/hostport_parse: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +net/tcp/connect: medium +net/tcp/grpc: low +net/tcp/ssh: medium +net/udp/receive: low +net/udp/send: low +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +os/fd/sendfile: low +os/kernel/kcore: low +os/kernel/key_management: low +os/kernel/netlink: low +os/kernel/seccomp: low +persist/pid_file: medium +privesc/setuid: low +process/chroot: low +process/groupid_set: low +process/groups_set: low 
+process/multithreaded: low +process/unshare: low +sus/exclamation: medium +sus/intercept: medium diff --git a/tests/linux/clean/caddy.simple b/tests/linux/clean/caddy.simple index e69de29b..7e0bbcea 100644 --- a/tests/linux/clean/caddy.simple +++ b/tests/linux/clean/caddy.simple 
@@ -0,0 +1,163 @@ +# linux/clean/caddy: medium +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/url: low +c2/client: medium +c2/discovery/ip_dns_resolver: medium +c2/refs: medium +c2/tool_transfer/arch: low +c2/tool_transfer/download: medium +c2/tool_transfer/os: medium +collect/archives/zip: medium +collect/databases/mysql: medium +collect/databases/postgresql: medium +collect/databases/sqlite: medium +credential/password: low +credential/server/htpasswd: medium +credential/sniffer/bpf: medium +credential/ssh/d: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/public_key: low +crypto/tls: low +data/compression/gzip: low +data/compression/zstd: low +data/embedded/base64_terms: medium +data/embedded/base64_url: medium +data/embedded/html: medium +data/embedded/pem_certificate: low +data/embedded/pem_private_key: medium +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/encoding/json_encode: low +data/hash/blake2b: low +data/hash/md5: low +data/random/insecure: low +discover/cloud/aws_metadata: low +discover/cloud/google_metadata: low +discover/group/lookup: medium +discover/network/mac_address: medium +discover/process/parent: low +discover/system/cpu: low +discover/system/hostname: low +discover/system/platform: medium +discover/user/HOME: low +discover/user/USER: low +discover/user/name_get: low +evasion/file/location/var_run: medium +evasion/file/prefix: medium +exec/cmd: medium +exec/conditional/LANG: low +exec/install_additional/package_install: medium +exec/plugin: low +exec/program: medium +exec/program/background: low +exec/script/osa: medium +exec/shell/SHELL: low +exec/shell/TERM: low +exec/shell/background_sleep: medium +exec/system_controls/stop: low +exec/system_controls/systemd: low +exfil/office_file_ext: medium +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/fifo_create: 
low +fs/file/capabilities_set: low +fs/file/create: medium +fs/file/delete: medium +fs/file/delete_forcibly: low +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/times_set: medium +fs/file/write: low +fs/link_read: low +fs/lock_update: low +fs/mount: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home_config: low +fs/path/relative: medium +fs/path/tmp: medium +fs/path/users: medium +fs/path/var: low +fs/path/windows_root: low +fs/permission/chown: medium +fs/permission/modify: medium +fs/proc/arbitrary_pid: medium +fs/proc/pid_stat: medium +fs/proc/pid_statistics: low +fs/proc/self_cgroup: medium +fs/proc/self_exe: medium +fs/proc/self_mountinfo: medium +fs/swap/off: low +fs/symlink_resolve: low +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempfile: low +fs/watch: low +hw/wireless: low +net/dns: low +net/dns/over_https: medium +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/http/webhook: medium +net/http/websocket: medium +net/ip: low +net/ip/connect: medium +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/ip/resolve: low +net/ip/spoof: medium +net/proxy/reverse: medium +net/resolve/hostname: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/pair: medium +net/socket/peer_address: low +net/socket/receive: low +net/socket/reuseport: medium +net/socket/send: low +net/tcp/connect: medium +net/tcp/grpc: low +net/tcp/ssh: medium +net/udp/receive: low +net/udp/send: low +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +net/webrtc: medium +os/env/get: low 
+os/fd/sendfile: low +os/kernel/netlink: low +persist/kernel_module/unload: medium +persist/pid_file: medium +privesc/sudo: medium +process/chroot: low +process/groups_set: low +sus/exclamation: medium +sus/intercept: medium diff --git a/tests/linux/clean/chezmoi.simple b/tests/linux/clean/chezmoi.simple index e69de29b..22b81a60 100644 --- a/tests/linux/clean/chezmoi.simple +++ b/tests/linux/clean/chezmoi.simple 
@@ -0,0 +1,171 @@ +# linux/clean/chezmoi: medium +c2/addr/discord: medium +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/telegram: medium +c2/addr/url: low +c2/client: medium +c2/tool_transfer/arch: low +c2/tool_transfer/download: medium +c2/tool_transfer/dropper: medium +c2/tool_transfer/os: medium +collect/archives/zip: medium +collect/code/github_api: low +collect/databases/leveldb: medium +collect/databases/mysql: medium +collect/databases/postgresql: medium +collect/databases/sqlite: medium +credential/clipboard: medium +credential/gaming/minecraft: medium +credential/keychain: medium +credential/password: low +credential/server/htpasswd: medium +credential/sniffer/bpf: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/encrypt: medium +crypto/public_key: low +crypto/tls: low +crypto/uuid: medium +data/compression/bzip2: low +data/compression/gzip: low +data/compression/lzma: low +data/compression/xz: medium +data/compression/zlib: low +data/compression/zstd: low +data/embedded/base64_terms: medium +data/embedded/base64_url: medium +data/embedded/html: medium +data/embedded/pem_certificate: low +data/embedded/ssh_signature: medium +data/embedded/zstd: medium +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/hash/blake2b: low +data/hash/md5: low +data/random/insecure: low +discover/group/lookup: medium +discover/network/mac_address: medium +discover/process/parent: low +discover/system/cpu: low +discover/system/hostname: low +discover/system/platform: low +discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +discover/user/name_get: medium +evasion/file/prefix: medium +exec/cmd: medium +exec/conditional/LANG: low +exec/plugin: low +exec/program: medium +exec/program/background: low +exec/script/osa: medium +exec/shell/SHELL: low +exec/shell/TERM: low +exec/shell/background_sleep: 
medium +exec/shell/exec: medium +exec/system_controls/systemd: low +exfil/upload: medium +fs/attributes/chattr: medium +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/fifo_create: low +fs/file/create: medium +fs/file/delete: medium +fs/file/delete_forcibly: low +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/stat: low +fs/file/times_set: medium +fs/file/write: low +fs/link_create: low +fs/link_read: low +fs/lock_update: low +fs/mount: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home_config: low +fs/path/users: medium +fs/path/var: low +fs/permission/chown: medium +fs/permission/modify: medium +fs/swap/off: low +fs/symlink_resolve: low +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempfile: low +fs/watch: low +hw/dev/block_ice: medium +hw/wireless: low +impact/exploit: medium +impact/infection/worm: medium +impact/remote_access/heartbeat: medium +impact/remote_access/implant: medium +impact/remote_access/pseudo_terminal: medium +impact/remote_access/trojan: medium +malware/ref: medium +net/dns: low +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download: medium +net/download/fetch: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/http/webhook: medium +net/http/websocket: medium +net/ip: low +net/ip/host_port: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/ip/resolve: low +net/ip/spoof: medium +net/proxy/socks5: medium +net/proxy/tunnel: medium +net/resolve/hostname: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/pair: medium +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +net/tcp/connect: medium +net/tcp/ssh: medium 
+net/udp/receive: low +net/udp/send: low +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +net/webrtc: medium +os/env/get: low +os/fd/sendfile: low +os/kernel/netlink: low +persist/kernel_module/unload: medium +persist/pid_file: medium +privesc/sudo: medium +process/chdir: low +process/chroot: low +process/groups_set: low +sus/exclamation: medium +sus/intercept: medium +sus/malicious: medium diff --git a/tests/linux/clean/chrome.simple b/tests/linux/clean/chrome.simple index e69de29b..b6271f90 100644 --- a/tests/linux/clean/chrome.simple +++ b/tests/linux/clean/chrome.simple 
@@ -0,0 +1,184 @@ +# linux/clean/chrome: medium +anti-behavior/LD_DEBUG: medium +anti-behavior/LD_PROFILE: medium +anti-static/elf/multiple: medium +anti-static/obfuscation/obfuscate: low +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/server: medium +c2/client: medium +c2/discovery/ip_dns_resolver: medium +c2/refs: medium +c2/tool_transfer/arch: low +c2/tool_transfer/dropper: medium +c2/tool_transfer/os: medium +collect/archives/zip: medium +collect/databases/leveldb: medium +collect/databases/sqlite: medium +credential/keychain: medium +credential/keychain/gnome_keyring_daemon: medium +credential/password: low +credential/sniffer/bpf: medium +credential/ssh: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/openssl: medium +crypto/public_key: low +crypto/rc4: medium +crypto/tls: low +crypto/uuid: medium +data/compression/bzip2: low +data/compression/gzip: low +data/compression/lzma: low +data/compression/zlib: low +data/compression/zstd: low +data/embedded/base64_url: medium +data/embedded/html: medium +data/embedded/pem_certificate: low +data/encoding/base64: low +data/encoding/json_decode: low +data/encoding/json_encode: low +data/hash/sha1: low +data/random/insecure: low +discover/network/interface_list: medium +discover/network/mac_address: medium +discover/process/name: medium +discover/process/parent: low +discover/process/runtime_deps: medium +discover/processes/list: medium +discover/system/hostname: low +discover/system/platform: low +discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +evasion/bypass_security/linux/ufw: medium +evasion/file/location/dev_shm: medium +evasion/hijack_execution/LD_LIBRARY_PATH: low +evasion/process_injection/ptrace: medium +exec/cmd: medium +exec/conditional/LANG: low +exec/dylib/address_check: low +exec/dylib/symbol_address: medium +exec/plugin: low +exec/program: medium 
+exec/program/background: low +exec/shell/TERM: low +exec/shell/echo: medium +exec/shell/pipe_sh: medium +exec/system_controls/apparmor: medium +exec/system_controls/stop: low +exfil/collection: medium +exfil/office_file_ext: medium +exfil/stealer/credit_card: medium +exfil/upload: medium +fs/directory/create: low +fs/directory/remove: low +fs/file/create: medium +fs/file/delete: medium +fs/file/delete_forcibly: low +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/stat: low +fs/file/times_set: medium +fs/file/truncate: low +fs/file/write: low +fs/link_read: low +fs/lock_update: low +fs/mount: low +fs/mounts_read: medium +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home: low +fs/path/home_config: low +fs/path/root: medium +fs/path/tmp: medium +fs/path/usr_bin: low +fs/path/usr_local: medium +fs/path/var: low +fs/permission/chown: low +fs/permission/modify: medium +fs/proc/arbitrary_pid: medium +fs/proc/cpuinfo: medium +fs/proc/meminfo: medium +fs/proc/self_cmdline: medium +fs/proc/self_exe: medium +fs/proc/self_status: medium +fs/proc/stat: medium +fs/symlink_resolve: low +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempdir/create: low +fs/tempfile: low +fs/unmount: low +fs/watch: low +hw/cpu: medium +hw/dev/block_ice: medium +hw/wireless: low +impact/remote_access/heartbeat: medium +lateral/scan/target_ip: medium +malware/ref: medium +mem/anonymous_file: medium +net/dns/over_https: medium +net/dns/servers: low +net/dns/txt: low +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/cookies: medium +net/http/fake_user_agent: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/http/websocket: medium +net/ip: low +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/multicast_send: low +net/ip/p_request: low +net/ip/parse: medium +net/ip/string: medium 
+net/proxy/socks5: medium +net/proxy/tunnel: medium +net/resolve/hostname: low +net/resolve/hostport_parse: low +net/rpc/ntlm: medium +net/socket/listen: medium +net/socket/local_addr: low +net/socket/pair: medium +net/socket/peer_address: low +net/socket/receive: low +net/socket/reuseport: medium +net/socket/send: low +net/tcp/ssh: medium +net/udp/kcp: medium +net/udp/upnp: medium +net/url/embedded: medium +net/url/encode: medium +net/url/parse: low +net/url/request: medium +net/webrtc: medium +os/fd/epoll: low +os/kernel/netlink: low +os/kernel/opencl: medium +os/kernel/seccomp: low +persist/service/start: low +privesc/setuid: low +privesc/sudo: medium +process/chdir: low +process/chroot: low +process/create: low +process/groups_set: low +process/multithreaded: low +sus/exclamation: medium +sus/intercept: medium +sus/malicious: medium diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple index e69de29b..75be78df 100644 --- a/tests/linux/clean/clickhouse.simple +++ b/tests/linux/clean/clickhouse.simple 
@@ -0,0 +1,205 @@
+# linux/clean/clickhouse: high
+anti-static/elf/multiple: medium
+anti-static/obfuscation/obfuscate: low
+c2/addr/http_dynamic: medium
+c2/addr/ip: medium
+c2/addr/server: medium
+c2/client: medium
+c2/discovery/dyndns: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/download: medium
+c2/tool_transfer/dropper: medium
+c2/tool_transfer/grayware: high
+c2/tool_transfer/os: medium
+collect/databases/leveldb: medium
+collect/databases/mysql: medium
+collect/databases/postgresql: medium
+collect/databases/sqlite: medium
+credential/cloud/aws: medium
+credential/cloud/g: medium
+credential/gaming/minecraft: medium
+credential/password: low
+credential/sniffer/bpf: medium
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/cipher: medium
+crypto/decrypt: low
+crypto/ed25519: low
+crypto/encrypt: medium
+crypto/gost89: low
+crypto/openssl: medium
+crypto/public_key: low
+crypto/tls: low
+data/base64/decode: medium
+data/base64/encode: medium
+data/compression/bzip2: low
+data/compression/gzip: low
+data/compression/lzma: low
+data/compression/zlib: low
+data/compression/zstd: low
+data/embedded/base64_url: medium
+data/embedded/html: medium
+data/embedded/pem_private_key: medium
+data/encoding/base64: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
+data/hash/blake2b: low
+data/hash/md5: low
+data/hash/sha1: low
+data/hash/sha256: low
+data/hash/whirlpool: medium
+data/random/insecure: low
+discover/cloud/google_metadata: low
+discover/network/interface: low
+discover/network/interface_list: medium
+discover/permissions/capabilities: medium
+discover/process/name: medium
+discover/process/runtime_deps: medium
+discover/processes/list: medium
+discover/system/cpu: low
+discover/system/dmesg: low
+discover/system/hostname: low
+discover/system/platform: low
+discover/user/HOME: low
+discover/user/USER: low
+discover/user/name_get: low
+evasion/bypass_security/linux/ufw: medium
+evasion/file/location/dev_shm: medium
+evasion/file/prefix: medium
+evasion/hijack_execution/DYLD_LIBRARY_PATH: medium
+evasion/hijack_execution/LD_LIBRARY_PATH: low
+evasion/logging/acct: low
+evasion/process_injection/ptrace: medium
+exec/cmd: medium
+exec/conditional/LANG: low
+exec/dylib/address_check: low
+exec/dylib/iterate: low
+exec/dylib/symbol_address: medium
+exec/install_additional/package_install: medium
+exec/plugin: low
+exec/program: medium
+exec/program/background: low
+exec/program/hidden: medium
+exec/shell/SHELL: low
+exec/shell/TERM: low
+exec/shell/background_sleep: medium
+exec/shell/echo: medium
+exec/shell/ignore_output: medium
+exec/shell/pipe_sh: medium
+exec/system_controls/systemd: low
+exfil/collection: medium
+exfil/proxy: medium
+fs/directory/create: low
+fs/directory/list: low
+fs/directory/remove: low
+fs/file/capabilities_set: low
+fs/file/copy: medium
+fs/file/create: medium
+fs/file/delete: medium
+fs/file/delete_forcibly: medium
+fs/file/open: low
+fs/file/read: low
+fs/file/rename: low
+fs/file/times_set: medium
+fs/file/truncate: low
+fs/file/write: low
+fs/link_create: low
+fs/link_read: low
+fs/lock_update: low
+fs/mount: low
+fs/mounts_read: medium
+fs/node_create: low
+fs/path/etc: low
+fs/path/etc_hosts: medium
+fs/path/etc_resolv.conf: low
+fs/path/home_config: low
+fs/path/root: medium
+fs/path/tmp: medium
+fs/path/usr_bin: low
+fs/path/usr_local: medium
+fs/path/var: low
+fs/path/var_log: medium
+fs/permission/chown: low
+fs/permission/modify: medium
+fs/proc/arbitrary_pid: medium
+fs/proc/cpuinfo: medium
+fs/proc/meminfo: medium
+fs/proc/net_dev: medium
+fs/proc/pid_maps: medium
+fs/proc/pid_status: medium
+fs/proc/self_cgroup: medium
+fs/proc/self_exe: medium
+fs/proc/self_status: medium
+fs/proc/stat: medium
+fs/symlink_resolve: low
+fs/tempdir: low
+fs/tempdir/TEMP: low
+fs/tempdir/TMPDIR: low
+fs/tempdir/create: low
+fs/tempfile: low
+fs/watch: low
+hw/cpu: medium
+hw/dev/block_ice: medium
+impact/infection/worm: medium
+impact/remote_access/heartbeat: medium
+impact/shutdown: medium
+net/dns/over_https: medium
+net/dns/reverse: medium
+net/dns/servers: low
+net/dns/txt: low
+net/download/fetch: medium
+net/email/exotic_addr: medium
+net/http/2: low
+net/http/accept: medium
+net/http/accept_encoding: low
+net/http/auth: low
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/oauth2: low
+net/http/post: medium
+net/http/proxy: low
+net/http/request: low
+net/http/websocket: medium
+net/ip: low
+net/ip/host_port: medium
+net/ip/icmp: medium
+net/ip/parse: medium
+net/ip/resolve: low
+net/ip/string: medium
+net/proxy/socks5: medium
+net/proxy/tunnel: medium
+net/resolve/hostname: low
+net/resolve/hostport_parse: low
+net/rpc/ntlm: medium
+net/socket/connect: medium
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/pair: medium
+net/socket/peer_address: low
+net/socket/receive: low
+net/socket/reuseport: medium
+net/socket/send: low
+net/tcp/grpc: low
+net/tcp/ssh: medium
+net/url/embedded: medium
+net/url/encode: medium
+net/url/parse: low
+os/fd/epoll: low
+os/fd/print: low
+os/fd/read: low
+os/fd/sendfile: low
+os/kernel/netlink: low
+os/kernel/opencl: medium
+os/time/tzinfo: low
+persist/pid_file: medium
+privesc/setuid: low
+privesc/sudo: medium
+process/chdir: low
+process/chroot: low
+process/create: low
+process/groupid_set: low
+process/multithreaded: low
+sus/exclamation: medium
+sus/intercept: medium
+sus/leetspeak: medium
+sus/malicious: medium
diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md
index e69de29b..4270357c 100644
--- a/tests/linux/clean/code-oss.md
+++ b/tests/linux/clean/code-oss.md
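Review bot: The new clickhouse golden file pins an overall HIGH verdict for a sample that lives under tests/linux/clean/ (`+# linux/clean/clickhouse: high`), and the only high-severity finding in the list is `+c2/tool_transfer/grayware: high`. Committing that expectation locks a known false positive into the test suite instead of surfacing it, so a later rule change that fixes the verdict would show up as a test failure rather than an improvement. Either the grayware rule should be tuned (a narrower string set or a `none of ($not*)` exclusion, as the sibling rules in this commit do) so the clean sample scores MEDIUM before the fixture is recorded, or a short comment in the commit description should state that this HIGH is an accepted, tracked false positive. The whole of this hunk is a generated report, so nothing else in it needs hand review.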
@@ -0,0 +1,192 @@
+## linux/clean/code-oss [🟡 MEDIUM]
+
+| RISK | KEY | DESCRIPTION | EVIDENCE |
+|--|--|--|--|
+| MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) |
+| MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) |
+| MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) | +| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | +| MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) | +| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s) | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[bIp](https://github.com/search?q=bIp&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[gIp](https://github.com/search?q=gIp&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[maxPort](https://github.com/search?q=maxPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[minPort](https://github.com/search?q=minPort&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_ip](https://github.com/search?q=quic_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code) | +| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [_quic_drop_packets_with_changed_server_address](https://github.com/search?q=_quic_drop_packets_with_changed_server_address&type=code)
[server_address_](https://github.com/search?q=server_address_&type=code) | +| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) | +| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.4.4](https://github.com/search?q=8.8.4.4&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | +| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) | +| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [FrameDropper](https://github.com/search?q=FrameDropper&type=code)
[eye_dropper](https://github.com/search?q=eye_dropper&type=code)
[openEyeDropper](https://github.com/search?q=openEyeDropper&type=code) | +| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | +| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip_writer](https://github.com/search?q=zip_writer&type=code) | +| MEDIUM | [collect/databases/leveldb](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/leveldb.yara#leveldb) | accesses LevelDB databases | [LEVELDB_DATABASE](https://github.com/search?q=LEVELDB_DATABASE&type=code)
[LEVELDB_ITERATOR](https://github.com/search?q=LEVELDB_ITERATOR&type=code)
[LEVELDB_TRANSACTION](https://github.com/search?q=LEVELDB_TRANSACTION&type=code)
[LevelDBEH](https://github.com/search?q=LevelDBEH&type=code)
[LevelDBEnv](https://github.com/search?q=LevelDBEnv&type=code)
[LevelDBIH](https://github.com/search?q=LevelDBIH&type=code)
[LevelDBLeveledLock](https://github.com/search?q=LevelDBLeveledLock&type=code)
[LevelDBOpenErrors](https://github.com/search?q=LevelDBOpenErrors&type=code)
[LevelDBReadErrors](https://github.com/search?q=LevelDBReadErrors&type=code)
[LevelDBScopesKeyRange](https://github.com/search?q=LevelDBScopesKeyRange&type=code)
[LevelDBScopesMetadata](https://github.com/search?q=LevelDBScopesMetadata&type=code)
[LevelDBScopesUndoTask](https://github.com/search?q=LevelDBScopesUndoTask&type=code)
[LevelDBTransaction](https://github.com/search?q=LevelDBTransaction&type=code)
[LevelDBWrapper](https://github.com/search?q=LevelDBWrapper&type=code)
[LevelDBWriteErrors](https://github.com/search?q=LevelDBWriteErrors&type=code)
[MojoLevelDB](https://github.com/search?q=MojoLevelDB&type=code)
[OpenAndVerifyLevelDBDatabase](https://github.com/search?q=OpenAndVerifyLevelDBDatabase&type=code)
[OpenLevelDBScopes](https://github.com/search?q=OpenLevelDBScopes&type=code)
[indexed_db_leveldb_operations](https://github.com/search?q=indexed_db_leveldb_operations&type=code)
[lazy_leveldb](https://github.com/search?q=lazy_leveldb&type=code)
[leveldb_0x](https://github.com/search?q=leveldb_0x&type=code)
[leveldb_chrome](https://github.com/search?q=leveldb_chrome&type=code)
[leveldb_database](https://github.com/search?q=leveldb_database&type=code)
[leveldb_factory](https://github.com/search?q=leveldb_factory&type=code)
[leveldb_proto](https://github.com/search?q=leveldb_proto&type=code)
[leveldb_scopes](https://github.com/search?q=leveldb_scopes&type=code)
[leveldb_value_store](https://github.com/search?q=leveldb_value_store&type=code)
[proto_leveldb_wrapper](https://github.com/search?q=proto_leveldb_wrapper&type=code)
[transactional_leveldb_iterator](https://github.com/search?q=transactional_leveldb_iterator&type=code) | +| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) | +| MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) | +| MEDIUM | [credential/sniffer/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/sniffer/bpf.yara#sniffer_bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | +| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | +| MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | +| MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | [#"!](https://github.com/search?q=%23%22%21&type=code)
$opt0
$opt1
$opt2
$opt30
$opt4
$opt5
$opt6
$opt7
['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[3210](https://github.com/search?q=3210&type=code)
[7654](https://github.com/search?q=7654&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[onml](https://github.com/search?q=onml&type=code)
[srqp](https://github.com/search?q=srqp&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[����](https://github.com/search?q=%83%82%81%80&type=code)
[����](https://github.com/search?q=%87%86%85%84&type=code)
[����](https://github.com/search?q=%8B%8A%89%88&type=code)
[����](https://github.com/search?q=%8F%8E%8D%8C&type=code)
[����](https://github.com/search?q=%93%92%91%90&type=code)
[����](https://github.com/search?q=%97%96%95%94&type=code)
[����](https://github.com/search?q=%9B%9A%99%98&type=code)
[����](https://github.com/search?q=%9F%9E%9D%9C&type=code)
[����](https://github.com/search?q=%A3%A2%A1%A0&type=code)
[����](https://github.com/search?q=%A7%A6%A5%A4&type=code)
[����](https://github.com/search?q=%AB%AA%A9%A8&type=code)
[����](https://github.com/search?q=%AF%AE%AD%AC&type=code)
[����](https://github.com/search?q=%B3%B2%B1%B0&type=code)
[����](https://github.com/search?q=%B7%B6%B5%B4&type=code)
[����](https://github.com/search?q=%BB%BA%B9%B8&type=code)
[����](https://github.com/search?q=%BF%BE%BD%BC&type=code)
[����](https://github.com/search?q=%C3%C2%C1%C0&type=code)
[����](https://github.com/search?q=%C7%C6%C5%C4&type=code)
[����](https://github.com/search?q=%CB%CA%C9%C8&type=code)
[����](https://github.com/search?q=%CF%CE%CD%CC&type=code)
[����](https://github.com/search?q=%D3%D2%D1%D0&type=code)
[����](https://github.com/search?q=%D7%D6%D5%D4&type=code)
[����](https://github.com/search?q=%DB%DA%D9%D8&type=code)
[����](https://github.com/search?q=%DF%DE%DD%DC&type=code)
[����](https://github.com/search?q=%E3%E2%E1%E0&type=code)
[����](https://github.com/search?q=%E7%E6%E5%E4&type=code)
[����](https://github.com/search?q=%EB%EA%E9%E8&type=code)
[����](https://github.com/search?q=%EF%EE%ED%EC&type=code)
[����](https://github.com/search?q=%F3%F2%F1%F0&type=code)
[����](https://github.com/search?q=%F7%F6%F5%F4&type=code)
[����](https://github.com/search?q=%FB%FA%F9%F8&type=code)
[����](https://github.com/search?q=%FF%FE%FD%FC&type=code) | +| MEDIUM | [crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid) | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | +| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [base64_encode](https://github.com/search?q=base64_encode&type=code) | +| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[RpcmVjdG9ye::$directory](https://github.com/search?q=RpcmVjdG9ye%3A%3A%24directory&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | +| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[h0dHBzOi8v::$https](https://github.com/search?q=h0dHBzOi8v%3A%3A%24https&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) | +| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | +| MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code)
[networkInterfaces](https://github.com/search?q=networkInterfaces&type=code) | +| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | +| MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | +| MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | +| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | +| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) | +| MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | +| MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code)
[vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code) | +| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | +| MEDIUM | [exec/program/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/hidden.yara#relative_hidden_launcher) | relative hidden launcher | [./.691.9B](https://github.com/search?q=.%2F.691.9B&type=code)
[bash](https://github.com/search?q=bash&type=code)
[exec](https://github.com/search?q=exec&type=code)
[system](https://github.com/search?q=system&type=code) | +| MEDIUM | [exec/shell/pipe_sh](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/pipe_sh.yara#pipe_to_shell) | pipes to shell | [| sh](https://github.com/search?q=%7C+sh&type=code) | +| MEDIUM | [exec/tty/pathname](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/pathname.yara#ttyname) | returns the pathname of a terminal device | [ttyname](https://github.com/search?q=ttyname&type=code) | +| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | +| MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#google_drive) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [drive.google.com/](https://github.com/search?q=drive.google.com%2F&type=code) | +| MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy) | copy files using cp | [copyFile](https://github.com/search?q=copyFile&type=code) | +| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileAndStart](https://github.com/search?q=CreateFileAndStart&type=code)
[CreateFileAndWrite](https://github.com/search?q=CreateFileAndWrite&type=code)
[CreateFileOpenDial](https://github.com/search?q=CreateFileOpenDial&type=code)
[CreateFileToTrunca](https://github.com/search?q=CreateFileToTrunca&type=code)
[CreateFileURLLoade](https://github.com/search?q=CreateFileURLLoade&type=code)
[CreateFileWriterIm](https://github.com/search?q=CreateFileWriterIm&type=code) | +| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFileOnFileSe](https://github.com/search?q=DeleteFileOnFileSe&type=code) | +| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utimes](https://github.com/search?q=utimes&type=code) | +| MEDIUM | [fs/path/etc_hosts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts) | references /etc/hosts | [/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) | +| MEDIUM | [fs/path/root](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/root.yara#root_path_val) | path reference within /root | [/root/root-legacy.js](https://github.com/search?q=%2Froot%2Froot-legacy.js&type=code)
[/root/root.js](https://github.com/search?q=%2Froot%2Froot.js&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/__v8_gc__](https://github.com/search?q=%2Ftmp%2F__v8_gc__&type=code)
[/tmp/chromium-upload-XXXXXXXXXXXXXXXX](https://github.com/search?q=%2Ftmp%2Fchromium-upload-XXXXXXXXXXXXXXXX&type=code)
[/tmp/node-repl-sock](https://github.com/search?q=%2Ftmp%2Fnode-repl-sock&type=code)
[/tmp/perf-%d.map](https://github.com/search?q=%2Ftmp%2Fperf-%25d.map&type=code)
[/tmp/perfetto-consumer](https://github.com/search?q=%2Ftmp%2Fperfetto-consumer&type=code)
[/tmp/perfetto-producer](https://github.com/search?q=%2Ftmp%2Fperfetto-producer&type=code) | +| MEDIUM | [fs/path/var_log](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var-log.yara#var_log_path) | path reference within /var/log | [/var/log/bluetooth/log.bz2.old](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Flog.bz2.old&type=code) | +| MEDIUM | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown) | Changes file ownership | [Chown](https://github.com/search?q=Chown&type=code) | +| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [Chmod](https://github.com/search?q=Chmod&type=code)
[chmod](https://github.com/search?q=chmod&type=code) | +| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/$](https://github.com/search?q=%2Fproc%2F%24&type=code)
[/proc/%d/task/](https://github.com/search?q=%2Fproc%2F%25d%2Ftask%2F&type=code) | +| MEDIUM | [fs/proc/cpuinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/cpuinfo.yara#proc_cpuinfo) | get CPU info | [/proc/cpuinfo](https://github.com/search?q=%2Fproc%2Fcpuinfo&type=code) | +| MEDIUM | [fs/proc/meminfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/meminfo.yara#proc_meminfo_val) | get memory info | [/proc/meminfo](https://github.com/search?q=%2Fproc%2Fmeminfo&type=code) | +| MEDIUM | [fs/proc/self_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cmdline.yara#proc_self_cmdline) | gets process command-line | [/proc/self/cmdline](https://github.com/search?q=%2Fproc%2Fself%2Fcmdline&type=code) | +| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | +| MEDIUM | [fs/proc/self_status](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-status.yara#proc_self_status) | gets status associated to this process, including capabilities | [/proc/self/status](https://github.com/search?q=%2Fproc%2Fself%2Fstatus&type=code) | +| MEDIUM | [fs/proc/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/stat.yara#proc_stat) | gets kernel/system statistics | [/proc/stat](https://github.com/search?q=%2Fproc%2Fstat&type=code) | +| MEDIUM | [hw/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/cpu.yara#sys_devices_cpu) | Get information about CPUs | [/sys/devices/system/cpu](https://github.com/search?q=%2Fsys%2Fdevices%2Fsystem%2Fcpu&type=code) | +| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [Failed to deserialized 
Heartbeat info pa](https://github.com/search?q=Failed+to+deserialized+Heartbeat+info+pa&type=code)
[Invalid heartbeat info:](https://github.com/search?q=Invalid+heartbeat+info%3A&type=code)
[No Heartbeat Info pa](https://github.com/search?q=No+Heartbeat+Info+pa&type=code)
[heartbeat:](https://github.com/search?q=heartbeat%3A&type=code)
[heartbeat_handler](https://github.com/search?q=heartbeat_handler&type=code) | +| MEDIUM | [lateral/scan/target_ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/target_ip.yara#target_ip) | References a target IP | [target IP](https://github.com/search?q=target+IP&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [malware/ref](https://github.com/chainguard-dev/malcontent/blob/main/rules/malware/ref.yara#malware) | mentions 'malware' | [_malware](https://github.com/search?q=_malware&type=code) | +| MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [DnsOverHttps](https://github.com/search?q=DnsOverHttps&type=code)
[application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) | +| MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | +| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | +| MEDIUM | [net/http/content_length](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length.yara#content_length_0) | Sets HTTP content length to zero | [Content-Length: 0](https://github.com/search?q=Content-Length%3A+0&type=code) | +| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type header.](https://github.com/search?q=Content-Type+header.&type=code)
[Content-Type: application/json](https://github.com/search?q=Content-Type%3A+application%2Fjson&type=code)
[Content-Type: application/octet](https://github.com/search?q=Content-Type%3A+application%2Foctet&type=code)
[Content-Type: multipart/form](https://github.com/search?q=Content-Type%3A+multipart%2Fform&type=code)
[Content-Type: multipart/related](https://github.com/search?q=Content-Type%3A+multipart%2Frelated&type=code)
[Content-Type: text/html](https://github.com/search?q=Content-Type%3A+text%2Fhtml&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[AcceptWebSocket](https://github.com/search?q=AcceptWebSocket&type=code)
[DOMWebSocket](https://github.com/search?q=DOMWebSocket&type=code)
[OnWebSocketMessage](https://github.com/search?q=OnWebSocketMessage&type=code)
[OnWebSocketRequest](https://github.com/search?q=OnWebSocketRequest&type=code)
[ServerSupportsWebSocket](https://github.com/search?q=ServerSupportsWebSocket&type=code)
[WebSocket::Close](https://github.com/search?q=WebSocket%3A%3AClose&type=code)
[WebSocket::Connect](https://github.com/search?q=WebSocket%3A%3AConnect&type=code)
[WebSocket::Create](https://github.com/search?q=WebSocket%3A%3ACreate&type=code)
[WebSocket::GetBufferedAmount](https://github.com/search?q=WebSocket%3A%3AGetBufferedAmount&type=code)
[WebSocket::GetCloseCode](https://github.com/search?q=WebSocket%3A%3AGetCloseCode&type=code)
[WebSocket::GetCloseReason](https://github.com/search?q=WebSocket%3A%3AGetCloseReason&type=code)
[WebSocket::GetCloseWasClean](https://github.com/search?q=WebSocket%3A%3AGetCloseWasClean&type=code)
[WebSocket::GetExtensions](https://github.com/search?q=WebSocket%3A%3AGetExtensions&type=code)
[WebSocket::GetProtocol](https://github.com/search?q=WebSocket%3A%3AGetProtocol&type=code)
[WebSocket::GetReadyState](https://github.com/search?q=WebSocket%3A%3AGetReadyState&type=code)
[WebSocket::GetURL](https://github.com/search?q=WebSocket%3A%3AGetURL&type=code)
[WebSocket::IsWebSocket](https://github.com/search?q=WebSocket%3A%3AIsWebSocket&type=code)
[WebSocket::ReceiveMessage](https://github.com/search?q=WebSocket%3A%3AReceiveMessage&type=code)
[WebSocket::SendMessage](https://github.com/search?q=WebSocket%3A%3ASendMessage&type=code)
[WebSocketAdapter](https://github.com/search?q=WebSocketAdapter&type=code)
[WebSocketAuthenticationHandler](https://github.com/search?q=WebSocketAuthenticationHandler&type=code)
[WebSocketChannelImpl](https://github.com/search?q=WebSocketChannelImpl&type=code)
[WebSocketClient](https://github.com/search?q=WebSocketClient&type=code)
[WebSocketCloseInfo](https://github.com/search?q=WebSocketCloseInfo&type=code)
[WebSocketConnector](https://github.com/search?q=WebSocketConnector&type=code)
[WebSocketCreate](https://github.com/search?q=WebSocketCreate&type=code)
[WebSocketDestroy](https://github.com/search?q=WebSocketDestroy&type=code)
[WebSocketHandshakeClient](https://github.com/search?q=WebSocketHandshakeClient&type=code)
[WebSocketMessageChunkAccumulator::Segment](https://github.com/search?q=WebSocketMessageChunkAccumulator%3A%3ASegment&type=code)
[WebSocketReassembleShortMessages](https://github.com/search?q=WebSocketReassembleShortMessages&type=code)
[WebSocketReceiveHandshakeResponse](https://github.com/search?q=WebSocketReceiveHandshakeResponse&type=code)
[WebSocketSendHandshakeRequest](https://github.com/search?q=WebSocketSendHandshakeRequest&type=code)
[WebSocketStream::Delegate::OnAuthRequired](https://github.com/search?q=WebSocketStream%3A%3ADelegate%3A%3AOnAuthRequired&type=code)
[WebSocketStreamOptions](https://github.com/search?q=WebSocketStreamOptions&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code)
[testWebSocketPort](https://github.com/search?q=testWebSocketPort&type=code)
[webSocketClosed](https://github.com/search?q=webSocketClosed&type=code)
[webSocketCreated](https://github.com/search?q=webSocketCreated&type=code)
[webSocketDebuggerUrl](https://github.com/search?q=webSocketDebuggerUrl&type=code)
[webSocketFrameError](https://github.com/search?q=webSocketFrameError&type=code)
[webSocketFrameReceived](https://github.com/search?q=webSocketFrameReceived&type=code)
[webSocketFrameSent](https://github.com/search?q=webSocketFrameSent&type=code)
[webSocketHandshakeResponseReceived](https://github.com/search?q=webSocketHandshakeResponseReceived&type=code)
[webSocketProtocol](https://github.com/search?q=webSocketProtocol&type=code)
[webSocketWillSendHandshakeRequest](https://github.com/search?q=webSocketWillSendHandshakeRequest&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host",t.port](https://github.com/search?q=host%22%2Ct.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+++origin_port&type=code)
[host, ctx.port](https://github.com/search?q=host%2C+ctx.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+origin_port&type=code)
[host, port](https://github.com/search?q=host%2C+port&type=code)
[host,r.port=e.port](https://github.com/search?q=host%2Cr.port%3De.port&type=code)
[host.length - port](https://github.com/search?q=host.length+-+port&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host:]port](https://github.com/search?q=host%3A%5Dport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host=null,this.port](https://github.com/search?q=host%3Dnull%2Cthis.port&type=code)
[host>:[host_import](https://github.com/search?q=host_import&type=code)
[hostname and port](https://github.com/search?q=hostname+and+port&type=code)
[hostname, port](https://github.com/search?q=hostname%2C+port&type=code)
[hostname="",r.port](https://github.com/search?q=hostname%3D%22%22%2Cr.port&type=code)
[hostname=null,e.port](https://github.com/search?q=hostname%3Dnull%2Ce.port&type=code)
[host}${port](https://github.com/search?q=host%7D%24%7Bport&type=code)
[host}:${port](https://github.com/search?q=host%7D%3A%24%7Bport&type=code) | +| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping err](https://github.com/search?q=ping++err&type=code)
[ping cancelled](https://github.com/search?q=ping+cancelled&type=code)
[ping connectivity probe](https://github.com/search?q=ping+connectivity+probe&type=code)
[ping failures and](https://github.com/search?q=ping+failures+and&type=code)
[ping from zygote child](https://github.com/search?q=ping+from+zygote+child&type=code)
[ping interval to](https://github.com/search?q=ping+interval+to&type=code)
[ping interval.](https://github.com/search?q=ping+interval.&type=code)
[ping last_ping_sent_:](https://github.com/search?q=ping+last_ping_sent_%3A&type=code)
[ping libuv](https://github.com/search?q=ping+libuv&type=code)
[ping most likely connection to](https://github.com/search?q=ping+most+likely+connection+to&type=code)
[ping payload must be 8 bytes](https://github.com/search?q=ping+payload+must+be+8+bytes&type=code)
[ping received](https://github.com/search?q=ping+received&type=code)
[ping response](https://github.com/search?q=ping+response&type=code)
[ping was sent and the ack](https://github.com/search?q=ping+was+sent+and+the+ack&type=code)
[ping with high retransmit count:](https://github.com/search?q=ping+with+high+retransmit+count%3A&type=code) | +| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | +| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | +| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [CONNECT %s](https://github.com/search?q=CONNECT+%25s&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | +| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[Tunnel](https://github.com/search?q=Tunnel&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | +| MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [ntlm](https://github.com/search?q=ntlm&type=code) | +| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) | +| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | +| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | +| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) | +| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[http://autocomplete.nigma.ru/complete/query_help.php?suggest=true](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code) | +| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | +| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code)
[request(url,](https://github.com/search?q=request%28url%2C&type=code) | +| MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | +| MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | +| MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo chmod 1777 /dev/shm](https://github.com/search?q=sudo+chmod+1777+%2Fdev%2Fshm&type=code) | +| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[0 !!!!](https://github.com/search?q=0+++++++%21%21%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[12366 !!!](https://github.com/search?q=12366++++++%21%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH++++%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[AGG !!](https://github.com/search?q=AGG+++++%21%21&type=code)
[CGIJMOQS !!](https://github.com/search?q=CGIJMOQS++++%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[EE !!](https://github.com/search?q=EE++++%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code) | +| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptorConfig](https://github.com/search?q=interceptorConfig&type=code)
[interceptorEv](https://github.com/search?q=interceptorEv&type=code)
[interceptor_config](https://github.com/search?q=interceptor_config&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | +| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | +| LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscate_location_parse_error](https://github.com/search?q=obfuscate_location_parse_error&type=code)
[obfuscated_field_name](https://github.com/search?q=obfuscated_field_name&type=code)
[obfuscated_file_util](https://github.com/search?q=obfuscated_file_util&type=code)
[obfuscated_name](https://github.com/search?q=obfuscated_name&type=code) | +| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://127.0.0.1](http://127.0.0.1)
[http://Descriptionrelatively](http://Descriptionrelatively)
[http://according](http://according)
[http://addEventListenerresponsible](http://addEventListenerresponsible)
[http://ak.apnstatic.com/media/images/favicon_search](http://ak.apnstatic.com/media/images/favicon_search)
[http://applicationslink](http://applicationslink)
[http://arianna.libero.it/search/abin/integrata.cgi](http://arianna.libero.it/search/abin/integrata.cgi)
[http://autocomplete.nigma.ru/complete/query_help.php](http://autocomplete.nigma.ru/complete/query_help.php)
[http://buscador.softonic.com/](http://buscador.softonic.com/)
[http://buscador.terra.es/Default.aspx](http://buscador.terra.es/Default.aspx)
[http://buscador.terra.es/favicon.ico](http://buscador.terra.es/favicon.ico)
[http://buscar.terra.com.ar/Default.aspx](http://buscar.terra.com.ar/Default.aspx)
[http://buscar.terra.com.ar/favicon.ico](http://buscar.terra.com.ar/favicon.ico)
[http://certificates.godaddy.com/repository/gd_intermediate.crt0](http://certificates.godaddy.com/repository/gd_intermediate.crt0)
[http://certificates.godaddy.com/repository100.](http://certificates.godaddy.com/repository100.)
[http://clients3.google.com/cert_upload_json](http://clients3.google.com/cert_upload_json)
[http://code.google.com/p/closure](http://code.google.com/p/closure)
[http://crbug.com/1138528](http://crbug.com/1138528)
[http://crbug.com/660005.](http://crbug.com/660005.)
[http://crl.comodo.net/AAACertificateServices.crl0](http://crl.comodo.net/AAACertificateServices.crl0)
[http://crl.comodoca.com/AAACertificateServices.crl06](http://crl.comodoca.com/AAACertificateServices.crl06)
[http://crl.comodoca.com/COMODOCertificationAuthority.crl0](http://crl.comodoca.com/COMODOCertificationAuthority.crl0)
[http://crl.globalsign.net/root](http://crl.globalsign.net/root)
[http://crl.godaddy.com/gds1](http://crl.godaddy.com/gds1)
[http://csp.yahoo.com/beacon/csp](http://csp.yahoo.com/beacon/csp)
[http://dictionaryperceptionrevolutionfoundationpx](http://dictionaryperceptionrevolutionfoundationpx)
[http://dts.search](http://dts.search)
[http://en.softonic.com/s/](http://en.softonic.com/s/)
[http://encoding=](http://encoding=)
[http://exslt.org/common](http://exslt.org/common)
[http://familiar](http://familiar)
[http://feed.snap.do/](http://feed.snap.do/)
[http://feed.snapdo.com/](http://feed.snapdo.com/)
[http://feross.org](http://feross.org)
[http://find.in.gr/Themes/1/Default/Media/Layout/icon_in.png](http://find.in.gr/Themes/1/Default/Media/Layout/icon_in.png)
[http://g1.delphi.lv/favicon.ico](http://g1.delphi.lv/favicon.ico)
[http://hladaj.atlas.sk/fulltext/](http://hladaj.atlas.sk/fulltext/)
[http://html4/loose.dtd](http://html4/loose.dtd)
[http://i.rl0.ru/2011/icons/rambler.ico](http://i.rl0.ru/2011/icons/rambler.ico)
[http://i.wp.pl/a/i/stg/500/favicon.ico](http://i.wp.pl/a/i/stg/500/favicon.ico)
[http://icl.com/saxon](http://icl.com/saxon)
[http://imEnglish](http://imEnglish)
[http://imgs.sapo.pt/images/sapo.ico](http://imgs.sapo.pt/images/sapo.ico)
[http://interested](http://interested)
[http://interpreted](http://interpreted)
[http://iparticipation](http://iparticipation)
[http://isearch.avg.com/search](http://isearch.avg.com/search)
[http://l.twimg.com/i/hpkp_report](http://l.twimg.com/i/hpkp_report)
[http://linkurystoragenorthus.blob.core.windows.net/static/favicon.ico](http://linkurystoragenorthus.blob.core.windows.net/static/favicon.ico)
[http://localhost](http://localhost)
[http://mathematicsmargin](http://mathematicsmargin)
[http://mixidj.delta](http://mixidj.delta)
[http://ms1.iol.it/graph_hf/v.8.3.04/themes/default/img/favicon.ico](http://ms1.iol.it/graph_hf/v.8.3.04/themes/default/img/favicon.ico)
[http://mysearch.sweetpacks.com/](http://mysearch.sweetpacks.com/)
[http://mystart.incredibar.com/](http://mystart.incredibar.com/)
[http://narwhaljs.org](http://narwhaljs.org)
[http://navigation](http://navigation)
[http://nigma.ru/themes/nigma/img/favicon.ico](http://nigma.ru/themes/nigma/img/favicon.ico)
[http://nl.softonic.com/s/](http://nl.softonic.com/s/)
[http://nova.rambler.ru/search](http://nova.rambler.ru/search)
[http://nova.rambler.ru/suggest](http://nova.rambler.ru/suggest)
[http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/](http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/)
[http://ns.adobe.com/data](http://ns.adobe.com/data)
[http://ns.adobe.com/pdf/1.3/](http://ns.adobe.com/pdf/1.3/)
[http://ns.adobe.com/xap/1.0/mm/](http://ns.adobe.com/xap/1.0/mm/)
[http://ns.adobe.com/xdp/pdf/](http://ns.adobe.com/xdp/pdf/)
[http://ns.adobe.com/xfdf/](http://ns.adobe.com/xfdf/)
[http://ns.adobe.com/xmpmeta/](http://ns.adobe.com/xmpmeta/)
[http://ocsp.godaddy.com/0J](http://ocsp.godaddy.com/0J)
[http://ok.hu/gfx/favicon.ico](http://ok.hu/gfx/favicon.ico)
[http://ok.hu/katalogus](http://ok.hu/katalogus)
[http://pesquisa.sapo.pt/livesapo](http://pesquisa.sapo.pt/livesapo)
[http://purl.org/dc/elements/1.1/](http://purl.org/dc/elements/1.1/)
[http://radce.centrum.cz/](http://radce.centrum.cz/)
[http://search.avg.com/favicon.ico](http://search.avg.com/favicon.ico)
[http://search.avg.com/route/](http://search.avg.com/route/)
[http://search.avg.com/search](http://search.avg.com/search)
[http://search.babylon.com/favicon.ico](http://search.babylon.com/favicon.ico)
[http://search.babylon.com/home](http://search.babylon.com/home)
[http://search.conduit.com/Results.aspx](http://search.conduit.com/Results.aspx)
[http://search.goo.ne.jp/sgt.jsp](http://search.goo.ne.jp/sgt.jsp)
[http://search.goo.ne.jp/web.jsp](http://search.goo.ne.jp/web.jsp)
[http://search.imesh.net/favicon.ico](http://search.imesh.net/favicon.ico)
[http://search.imesh.net/music](http://search.imesh.net/music)
[http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Default.aspx](http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Default.aspx)
[http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Result.aspx](http://search.iminent.com/SearchTheWeb/v6/1033/homepage/Result.aspx)
[http://search.iminent.com/Shared/Images/favicon_gl.ico](http://search.iminent.com/Shared/Images/favicon_gl.ico)
[http://search.incredibar.com/favicon.ico](http://search.incredibar.com/favicon.ico)
[http://search.incredibar.com/search.php](http://search.incredibar.com/search.php)
[http://search.snap.do/](http://search.snap.do/)
[http://search.snapdo.com/](http://search.snapdo.com/)
[http://search.softonic.com/img/favicon.ico](http://search.softonic.com/img/favicon.ico)
[http://search.sweetim.com/favicon.ico](http://search.sweetim.com/favicon.ico)
[http://search.sweetim.com/search.asp](http://search.sweetim.com/search.asp)
[http://search.tut.by/favicon.ico](http://search.tut.by/favicon.ico)
[http://search.walla.co.il/](http://search.walla.co.il/)
[http://searchatlas.centrum.cz/](http://searchatlas.centrum.cz/)
[http://searchfunmoods.com/favicon.ico](http://searchfunmoods.com/favicon.ico)
[http://searchfunmoods.com/results.php](http://searchfunmoods.com/results.php)
[http://site_name](http://site_name)
[http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js](http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js)
[http://start.iminent.com/StartWeb/1033/homepage/](http://start.iminent.com/StartWeb/1033/homepage/)
[http://start.sweetpacks.com/favicon.ico](http://start.sweetpacks.com/favicon.ico)
[http://start.sweetpacks.com/search.asp](http://start.sweetpacks.com/search.asp)
[http://static.mediacentrum.sk/katalog/atlas.sk/images/favicon.ico](http://static.mediacentrum.sk/katalog/atlas.sk/images/favicon.ico)
[http://staticsuggested](http://staticsuggested)
[http://suggest.yandex.ru/suggest](http://suggest.yandex.ru/suggest)
[http://szukaj.wp.pl/szukaj.html](http://szukaj.wp.pl/szukaj.html)
[http://tools.ietf.org/html/rfc3986](http://tools.ietf.org/html/rfc3986)
[http://unisolated.invalid](http://unisolated.invalid)
[http://userguide.icu](http://userguide.icu)
[http://wpad/wpad.dat](http://wpad/wpad.dat)
[http://www./div](http://www./div)
[http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html](http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html)
[http://www.C//DTD](http://www.C//DTD)
[http://www.aiim.org/pdfa/ns/id/](http://www.aiim.org/pdfa/ns/id/)
[http://www.apache.org/licenses/LICENSE](http://www.apache.org/licenses/LICENSE)
[http://www.brynosaurus.com/cachedir/](http://www.brynosaurus.com/cachedir/)
[http://www.color.org](http://www.color.org)
[http://www.conduit.com/favicon.ico](http://www.conduit.com/favicon.ico)
[http://www.conduit.com/search](http://www.conduit.com/search)
[http://www.delfi.lt/paieska/](http://www.delfi.lt/paieska/)
[http://www.delfi.lv/search_all/](http://www.delfi.lv/search_all/)
[http://www.delta](http://www.delta)
[http://www.example.com](http://www.example.com)
[http://www.hortcut](http://www.hortcut)
[http://www.ibm.com/data/dtd/v11/ibmxhtml1](http://www.ibm.com/data/dtd/v11/ibmxhtml1)
[http://www.icon](http://www.icon)
[http://www.iec.ch](http://www.iec.ch)
[http://www.ietf.org/id/draft](http://www.ietf.org/id/draft)
[http://www.interpretation](http://www.interpretation)
[http://www.jclark.com/xt](http://www.jclark.com/xt)
[http://www.language=](http://www.language=)
[http://www.midnight](http://www.midnight)
[http://www.neti.ee/api/suggestOS](http://www.neti.ee/api/suggestOS)
[http://www.neti.ee/cgi](http://www.neti.ee/cgi)
[http://www.neti.ee/favicon.ico](http://www.neti.ee/favicon.ico)
[http://www.search.delta](http://www.search.delta)
[http://www.searchnu.com/favicon.ico](http://www.searchnu.com/favicon.ico)
[http://www.searchnu.com/web](http://www.searchnu.com/web)
[http://www.softonic.com.br/s/](http://www.softonic.com.br/s/)
[http://www.softonic.com/s/](http://www.softonic.com/s/)
[http://www.squid](http://www.squid)
[http://www.style=](http://www.style=)
[http://www.text](http://www.text)
[http://www.w3.org/1998/Math/MathML](http://www.w3.org/1998/Math/MathML)
[http://www.w3.org/1999/02/22](http://www.w3.org/1999/02/22)
[http://www.w3.org/1999/XSL/Transform](http://www.w3.org/1999/XSL/Transform)
[http://www.w3.org/1999/xhtml](http://www.w3.org/1999/xhtml)
[http://www.w3.org/1999/xlink](http://www.w3.org/1999/xlink)
[http://www.w3.org/2000/09/xmldsig](http://www.w3.org/2000/09/xmldsig)
[http://www.w3.org/2000/svg](http://www.w3.org/2000/svg)
[http://www.w3.org/2000/xmlns/](http://www.w3.org/2000/xmlns/)
[http://www.w3.org/2001/XMLSchema](http://www.w3.org/2001/XMLSchema)
[http://www.w3.org/2002/08/xquery](http://www.w3.org/2002/08/xquery)
[http://www.w3.org/Graphics/SVG](http://www.w3.org/Graphics/SVG)
[http://www.w3.org/TR/1999/REC](http://www.w3.org/TR/1999/REC)
[http://www.w3.org/TR/REC](http://www.w3.org/TR/REC)
[http://www.w3.org/TR/html4/frameset.dtd](http://www.w3.org/TR/html4/frameset.dtd)
[http://www.w3.org/TR/html4/loose.dtd](http://www.w3.org/TR/html4/loose.dtd)
[http://www.w3.org/TR/html4/strict.dtd](http://www.w3.org/TR/html4/strict.dtd)
[http://www.w3.org/TR/xhtml1/DTD/xhtml1](http://www.w3.org/TR/xhtml1/DTD/xhtml1)
[http://www.w3.org/XML/1998/namespace](http://www.w3.org/XML/1998/namespace)
[http://www.w3.org/shortcut](http://www.w3.org/shortcut)
[http://www.walla.co.il/favicon.ico](http://www.walla.co.il/favicon.ico)
[http://www.webrtc.org/experiments/rtp](http://www.webrtc.org/experiments/rtp)
[http://www.wencodeURIComponent](http://www.wencodeURIComponent)
[http://www.xfa.com/schema/xfa](http://www.xfa.com/schema/xfa)
[http://www.xfa.org/schema/xci/](http://www.xfa.org/schema/xci/)
[http://www.xfa.org/schema/xdc/](http://www.xfa.org/schema/xdc/)
[http://www.xfa.org/schema/xfa](http://www.xfa.org/schema/xfa)
[http://www.years](http://www.years)
[http://www.yhs.delta](http://www.yhs.delta)
[http://www.zoznam.sk/hladaj.fcgi](http://www.zoznam.sk/hladaj.fcgi)
[http://www1.delta](http://www1.delta)
[http://www2.delta](http://www2.delta)
[http://www2.public](http://www2.public)
[http://xmlsoft.org/XSLT/namespace](http://xmlsoft.org/XSLT/namespace)
[https://ac.ecosia.org/autocomplete](https://ac.ecosia.org/autocomplete)
[https://ac.search.naver.com/nx/ac](https://ac.search.naver.com/nx/ac)
[https://alekberg.net/privacy](https://alekberg.net/privacy)
[https://android.com/pay](https://android.com/pay)
[https://aomediacodec.github.io/av1](https://aomediacodec.github.io/av1)
[https://api.oceanhero.today/suggestions](https://api.oceanhero.today/suggestions)
[https://api.qwant.com/api/suggest/](https://api.qwant.com/api/suggest/)
[https://ar.search.yahoo.com/favicon.ico](https://ar.search.yahoo.com/favicon.ico)
[https://ar.search.yahoo.com/search](https://ar.search.yahoo.com/search)
[https://ar.search.yahoo.com/sugg/chrome](https://ar.search.yahoo.com/sugg/chrome)
[https://at.search.yahoo.com/favicon.ico](https://at.search.yahoo.com/favicon.ico)
[https://at.search.yahoo.com/search](https://at.search.yahoo.com/search)
[https://at.search.yahoo.com/sugg/chrome](https://at.search.yahoo.com/sugg/chrome)
[https://au.search.yahoo.com/favicon.ico](https://au.search.yahoo.com/favicon.ico)
[https://au.search.yahoo.com/search](https://au.search.yahoo.com/search)
[https://au.search.yahoo.com/sugg/chrome](https://au.search.yahoo.com/sugg/chrome)
[https://beacons.gcp.gvt2.com/domainreliability/upload](https://beacons.gcp.gvt2.com/domainreliability/upload)
[https://beacons.gvt2.com/domainreliability/upload](https://beacons.gvt2.com/domainreliability/upload)
[https://beacons2.gvt2.com/domainreliability/upload](https://beacons2.gvt2.com/domainreliability/upload)
[https://beacons3.gvt2.com/domainreliability/upload](https://beacons3.gvt2.com/domainreliability/upload)
[https://beacons4.gvt2.com/domainreliability/upload](https://beacons4.gvt2.com/domainreliability/upload)
[https://beacons5.gvt2.com/domainreliability/upload](https://beacons5.gvt2.com/domainreliability/upload)
[https://beacons5.gvt3.com/domainreliability/upload](https://beacons5.gvt3.com/domainreliability/upload)
[https://bit.ly/3rpDuEX.](https://bit.ly/3rpDuEX.)
[https://bit.ly/audio](https://bit.ly/audio)
[https://blog.chromium.org/2019/10/no](https://blog.chromium.org/2019/10/no)
[https://br.search.yahoo.com/favicon.ico](https://br.search.yahoo.com/favicon.ico)
[https://br.search.yahoo.com/search](https://br.search.yahoo.com/search)
[https://br.search.yahoo.com/sugg/chrome](https://br.search.yahoo.com/sugg/chrome)
[https://bugs.chromium.org/p/chromium/issues/detail](https://bugs.chromium.org/p/chromium/issues/detail)
[https://bugs.chromium.org/p/dawn/issues/detail](https://bugs.chromium.org/p/dawn/issues/detail)
[https://bugs.chromium.org/p/v8/issues/detail](https://bugs.chromium.org/p/v8/issues/detail)
[https://buscador.softonic.com/](https://buscador.softonic.com/)
[https://buscador.terra.com.ar/Default.aspx](https://buscador.terra.com.ar/Default.aspx)
[https://buscador.terra.es/Default.aspx](https://buscador.terra.es/Default.aspx)
[https://c.android.clients.google.com/](https://c.android.clients.google.com/)
[https://c.bigcache.googleapis.com/](https://c.bigcache.googleapis.com/)
[https://c.docs.google.com/](https://c.docs.google.com/)
[https://c.drive.google.com/](https://c.drive.google.com/)
[https://c.googlesyndication.com/](https://c.googlesyndication.com/)
[https://c.pack.google.com/](https://c.pack.google.com/)
[https://c.play.google.com/](https://c.play.google.com/)
[https://c.youtube.com/](https://c.youtube.com/)
[https://ca.search.yahoo.com/favicon.ico](https://ca.search.yahoo.com/favicon.ico)
[https://ca.search.yahoo.com/search](https://ca.search.yahoo.com/search)
[https://ca.search.yahoo.com/sugg/chrome](https://ca.search.yahoo.com/sugg/chrome)
[https://cdn.ecosia.org/assets/images/ico/favicon.ico](https://cdn.ecosia.org/assets/images/ico/favicon.ico)
[https://ch.search.yahoo.com/favicon.ico](https://ch.search.yahoo.com/favicon.ico)
[https://ch.search.yahoo.com/search](https://ch.search.yahoo.com/search)
[https://ch.search.yahoo.com/sugg/chrome](https://ch.search.yahoo.com/sugg/chrome)
[https://chrome.cloudflare](https://chrome.cloudflare)
[https://chrome.google.com/webstore](https://chrome.google.com/webstore)
[https://chromium.dns.nextdns.io](https://chromium.dns.nextdns.io)
[https://chromium.googlesource.com/chromium/src/](https://chromium.googlesource.com/chromium/src/)
[https://cl.search.yahoo.com/favicon.ico](https://cl.search.yahoo.com/favicon.ico)
[https://cl.search.yahoo.com/search](https://cl.search.yahoo.com/search)
[https://cl.search.yahoo.com/sugg/chrome](https://cl.search.yahoo.com/sugg/chrome)
[https://cleanbrowsing.org/privacy](https://cleanbrowsing.org/privacy)
[https://clients2.google.com/domainreliability/upload](https://clients2.google.com/domainreliability/upload)
[https://clients2.google.com/service/update2/crx](https://clients2.google.com/service/update2/crx)
[https://clients3.google.com/ct_upload](https://clients3.google.com/ct_upload)
[https://co.search.yahoo.com/favicon.ico](https://co.search.yahoo.com/favicon.ico)
[https://co.search.yahoo.com/search](https://co.search.yahoo.com/search)
[https://co.search.yahoo.com/sugg/chrome](https://co.search.yahoo.com/sugg/chrome)
[https://coccoc.com/favicon.ico](https://coccoc.com/favicon.ico)
[https://coccoc.com/search](https://coccoc.com/search)
[https://code.google.com/p/chromium/issues/detail](https://code.google.com/p/chromium/issues/detail)
[https://console.spec.whatwg.org/](https://console.spec.whatwg.org/)
[https://crbug.com/1025266](https://crbug.com/1025266)
[https://crbug.com/1038223.](https://crbug.com/1038223.)
[https://crbug.com/1053756](https://crbug.com/1053756)
[https://crbug.com/1144908.](https://crbug.com/1144908.)
[https://crbug.com/1154140](https://crbug.com/1154140)
[https://crbug.com/1161355](https://crbug.com/1161355)
[https://crbug.com/1214923](https://crbug.com/1214923)
[https://crbug.com/1302249](https://crbug.com/1302249)
[https://crbug.com/1313172](https://crbug.com/1313172)
[https://crbug.com/401439](https://crbug.com/401439)
[https://crbug.com/619103.](https://crbug.com/619103.)
[https://crbug.com/638180.](https://crbug.com/638180.)
[https://crbug.com/824383](https://crbug.com/824383)
[https://crbug.com/824647](https://crbug.com/824647)
[https://crbug.com/927119](https://crbug.com/927119)
[https://crbug.com/981419](https://crbug.com/981419)
[https://crbug.com/dawn/1016](https://crbug.com/dawn/1016)
[https://crbug.com/dawn/1071](https://crbug.com/dawn/1071)
[https://crbug.com/dawn/1203](https://crbug.com/dawn/1203)
[https://crbug.com/dawn/1264](https://crbug.com/dawn/1264)
[https://crbug.com/dawn/1302](https://crbug.com/dawn/1302)
[https://crbug.com/dawn/1305](https://crbug.com/dawn/1305)
[https://crbug.com/dawn/136](https://crbug.com/dawn/136)
[https://crbug.com/dawn/145](https://crbug.com/dawn/145)
[https://crbug.com/dawn/155](https://crbug.com/dawn/155)
[https://crbug.com/dawn/193](https://crbug.com/dawn/193)
[https://crbug.com/dawn/237](https://crbug.com/dawn/237)
[https://crbug.com/dawn/271](https://crbug.com/dawn/271)
[https://crbug.com/dawn/286](https://crbug.com/dawn/286)
[https://crbug.com/dawn/342](https://crbug.com/dawn/342)
[https://crbug.com/dawn/343](https://crbug.com/dawn/343)
[https://crbug.com/dawn/36](https://crbug.com/dawn/36)
[https://crbug.com/dawn/402](https://crbug.com/dawn/402)
[https://crbug.com/dawn/42](https://crbug.com/dawn/42)
[https://crbug.com/dawn/434](https://crbug.com/dawn/434)
[https://crbug.com/dawn/480](https://crbug.com/dawn/480)
[https://crbug.com/dawn/56](https://crbug.com/dawn/56)
[https://crbug.com/dawn/582](https://crbug.com/dawn/582)
[https://crbug.com/dawn/633](https://crbug.com/dawn/633)
[https://crbug.com/dawn/666](https://crbug.com/dawn/666)
[https://crbug.com/dawn/667](https://crbug.com/dawn/667)
[https://crbug.com/dawn/673](https://crbug.com/dawn/673)
[https://crbug.com/dawn/776](https://crbug.com/dawn/776)
[https://crbug.com/dawn/792](https://crbug.com/dawn/792)
[https://crbug.com/dawn/838](https://crbug.com/dawn/838)
[https://crbug.com/dawn/840](https://crbug.com/dawn/840)
[https://crbug.com/dawn/960](https://crbug.com/dawn/960)
[https://crbug.com/new](https://crbug.com/new)
[https://crbug.com/tint.](https://crbug.com/tint.)
[https://crbug.com/tint/1003](https://crbug.com/tint/1003)
[https://crbug.com/v8/7848](https://crbug.com/v8/7848)
[https://crbug.com/v8/8520](https://crbug.com/v8/8520)
[https://creativecommons.org/licenses/by](https://creativecommons.org/licenses/by)
[https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js](https://cs.chromium.org/chromium/src/v8/tools/SourceMap.js)
[https://datatracker.ietf.org/doc/draft](https://datatracker.ietf.org/doc/draft)
[https://dawn.googlesource.com/dawn/](https://dawn.googlesource.com/dawn/)
[https://de.search.yahoo.com/favicon.ico](https://de.search.yahoo.com/favicon.ico)
[https://de.search.yahoo.com/search](https://de.search.yahoo.com/search)
[https://de.search.yahoo.com/sugg/chrome](https://de.search.yahoo.com/sugg/chrome)
[https://dev.chromium.org/throttling](https://dev.chromium.org/throttling)
[https://developer.chrome.com/blog/enabling](https://developer.chrome.com/blog/enabling)
[https://developer.chrome.com/blog/immutable](https://developer.chrome.com/blog/immutable)
[https://developer.chrome.com/blog/mv2](https://developer.chrome.com/blog/mv2)
[https://developer.chrome.com/docs/extensions/mv3/cross](https://developer.chrome.com/docs/extensions/mv3/cross)
[https://developer.mozilla.org/en](https://developer.mozilla.org/en)
[https://developers.cloudflare.com/1.1.1.1/privacy/public](https://developers.cloudflare.com/1.1.1.1/privacy/public)
[https://developers.google.com/speed/public](https://developers.google.com/speed/public)
[https://developers.google.com/web/updates/2016/08/removing](https://developers.google.com/web/updates/2016/08/removing)
[https://discord.com/invite/APGC3k5yaH](https://discord.com/invite/APGC3k5yaH)
[https://dk.search.yahoo.com/favicon.ico](https://dk.search.yahoo.com/favicon.ico)
[https://dk.search.yahoo.com/search](https://dk.search.yahoo.com/search)
[https://dl.gmx.com/apps/favicon.ico](https://dl.gmx.com/apps/favicon.ico)
[https://dns.google/dns](https://dns.google/dns)
[https://dns.quad9.net/dns](https://dns.quad9.net/dns)
[https://dns.sb/privacy/](https://dns.sb/privacy/)
[https://dns.switch.ch/dns](https://dns.switch.ch/dns)
[https://dns10.quad9.net/dns](https://dns10.quad9.net/dns)
[https://dns11.quad9.net/dns](https://dns11.quad9.net/dns)
[https://dns64.dns.google/dns](https://dns64.dns.google/dns)
[https://dnsnl.alekberg.net/dns](https://dnsnl.alekberg.net/dns)
[https://docs.google.com/](https://docs.google.com/)
[https://doh.cleanbrowsing.org/doh/adult](https://doh.cleanbrowsing.org/doh/adult)
[https://doh.cleanbrowsing.org/doh/family](https://doh.cleanbrowsing.org/doh/family)
[https://doh.cleanbrowsing.org/doh/security](https://doh.cleanbrowsing.org/doh/security)
[https://doh.cox.net/dns](https://doh.cox.net/dns)
[https://doh.dns.sb/dns](https://doh.dns.sb/dns)
[https://doh.familyshield.opendns.com/dns](https://doh.familyshield.opendns.com/dns)
[https://doh.opendns.com/dns](https://doh.opendns.com/dns)
[https://doh.quickline.ch/dns](https://doh.quickline.ch/dns)
[https://doh.xfinity.com/dns](https://doh.xfinity.com/dns)
[https://duckduckgo.com/ac/](https://duckduckgo.com/ac/)
[https://duckduckgo.com/chrome_newtab](https://duckduckgo.com/chrome_newtab)
[https://duckduckgo.com/favicon.ico](https://duckduckgo.com/favicon.ico)
[https://electronjs.org/docs/tutorial/security.](https://electronjs.org/docs/tutorial/security.)
[https://en.softonic.com/s/](https://en.softonic.com/s/)
[https://en.wikipedia.org/wiki/ANSI_escape_code](https://en.wikipedia.org/wiki/ANSI_escape_code)
[https://en.wikipedia.org/wiki/SPKAC](https://en.wikipedia.org/wiki/SPKAC)
[https://encoding.spec.whatwg.org/](https://encoding.spec.whatwg.org/)
[https://es.search.yahoo.com/favicon.ico](https://es.search.yahoo.com/favicon.ico)
[https://es.search.yahoo.com/search](https://es.search.yahoo.com/search)
[https://es.search.yahoo.com/sugg/chrome](https://es.search.yahoo.com/sugg/chrome)
[https://esdiscuss.org/topic/isconstructor](https://esdiscuss.org/topic/isconstructor)
[https://example.org](https://example.org)
[https://fi.search.yahoo.com/favicon.ico](https://fi.search.yahoo.com/favicon.ico)
[https://fi.search.yahoo.com/search](https://fi.search.yahoo.com/search)
[https://fr.search.yahoo.com/favicon.ico](https://fr.search.yahoo.com/favicon.ico)
[https://fr.search.yahoo.com/search](https://fr.search.yahoo.com/search)
[https://fr.search.yahoo.com/sugg/chrome](https://fr.search.yahoo.com/sugg/chrome)
[https://gcp.gvt2.com/](https://gcp.gvt2.com/)
[https://gcp.gvt6.com/](https://gcp.gvt6.com/)
[https://gist.github.com/XVilka/8346728](https://gist.github.com/XVilka/8346728)
[https://github.com/KhronosGroup/Vulkan](https://github.com/KhronosGroup/Vulkan)
[https://github.com/WICG/construct](https://github.com/WICG/construct)
[https://github.com/WICG/conversion](https://github.com/WICG/conversion)
[https://github.com/WICG/scheduling](https://github.com/WICG/scheduling)
[https://github.com/WebAssembly/esm](https://github.com/WebAssembly/esm)
[https://github.com/WebBluetoothCG/web](https://github.com/WebBluetoothCG/web)
[https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js](https://github.com/acornjs/acorn/blob/master/acorn/src/identifier.js)
[https://github.com/addaleax/eventemitter](https://github.com/addaleax/eventemitter)
[https://github.com/antirez/linenoise](https://github.com/antirez/linenoise)
[https://github.com/chalk/ansi](https://github.com/chalk/ansi)
[https://github.com/chalk/supports](https://github.com/chalk/supports)
[https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorithm_params.h](https://github.com/chromium/chromium/blob/HEAD/third_party/blink/public/platform/web_crypto_algorithm_params.h)
[https://github.com/da](https://github.com/da)
[https://github.com/electron/electron/issues/18397.](https://github.com/electron/electron/issues/18397.)
[https://github.com/electron/electron/tree/v](https://github.com/electron/electron/tree/v)
[https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js](https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/repairES5.js)
[https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js](https://github.com/google/caja/blob/HEAD/src/com/google/caja/ses/startSES.js)
[https://github.com/google/closure](https://github.com/google/closure)
[https://github.com/gpuweb/gpuweb/issues/1565](https://github.com/gpuweb/gpuweb/issues/1565)
[https://github.com/isaacs/color](https://github.com/isaacs/color)
[https://github.com/joyent/node/issues/3295.](https://github.com/joyent/node/issues/3295.)
[https://github.com/libuv/libuv/pull/1501.](https://github.com/libuv/libuv/pull/1501.)
[https://github.com/mafintosh/end](https://github.com/mafintosh/end)
[https://github.com/mafintosh/pump](https://github.com/mafintosh/pump)
[https://github.com/mysticatea/abort](https://github.com/mysticatea/abort)
[https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6](https://github.com/nodejs/node/commit/ec2822adaad76b126b5cccdeaa1addf2376c9aa6)
[https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4](https://github.com/nodejs/node/commit/f7620fb96d339f704932f9bb9a0dceb9952df2d4)
[https://github.com/nodejs/node/issues/13435](https://github.com/nodejs/node/issues/13435)
[https://github.com/nodejs/node/issues/19009](https://github.com/nodejs/node/issues/19009)
[https://github.com/nodejs/node/issues/2006](https://github.com/nodejs/node/issues/2006)
[https://github.com/nodejs/node/issues/2119](https://github.com/nodejs/node/issues/2119)
[https://github.com/nodejs/node/issues/31074](https://github.com/nodejs/node/issues/31074)
[https://github.com/nodejs/node/issues/3392](https://github.com/nodejs/node/issues/3392)
[https://github.com/nodejs/node/issues/34532](https://github.com/nodejs/node/issues/34532)
[https://github.com/nodejs/node/issues/35475](https://github.com/nodejs/node/issues/35475)
[https://github.com/nodejs/node/issues/35862](https://github.com/nodejs/node/issues/35862)
[https://github.com/nodejs/node/issues/35981](https://github.com/nodejs/node/issues/35981)
[https://github.com/nodejs/node/issues/39707](https://github.com/nodejs/node/issues/39707)
[https://github.com/nodejs/node/issues/39758](https://github.com/nodejs/node/issues/39758)
[https://github.com/nodejs/node/pull/12342](https://github.com/nodejs/node/pull/12342)
[https://github.com/nodejs/node/pull/12607](https://github.com/nodejs/node/pull/12607)
[https://github.com/nodejs/node/pull/13870](https://github.com/nodejs/node/pull/13870)
[https://github.com/nodejs/node/pull/1771](https://github.com/nodejs/node/pull/1771)
[https://github.com/nodejs/node/pull/21313](https://github.com/nodejs/node/pull/21313)
[https://github.com/nodejs/node/pull/26334.](https://github.com/nodejs/node/pull/26334.)
[https://github.com/nodejs/node/pull/30380](https://github.com/nodejs/node/pull/30380)
[https://github.com/nodejs/node/pull/30958](https://github.com/nodejs/node/pull/30958)
[https://github.com/nodejs/node/pull/33515.](https://github.com/nodejs/node/pull/33515.)
[https://github.com/nodejs/node/pull/33661](https://github.com/nodejs/node/pull/33661)
[https://github.com/nodejs/node/pull/3394](https://github.com/nodejs/node/pull/3394)
[https://github.com/nodejs/node/pull/34010](https://github.com/nodejs/node/pull/34010)
[https://github.com/nodejs/node/pull/34103](https://github.com/nodejs/node/pull/34103)
[https://github.com/nodejs/node/pull/34375](https://github.com/nodejs/node/pull/34375)
[https://github.com/nodejs/node/pull/34385](https://github.com/nodejs/node/pull/34385)
[https://github.com/nodejs/node/pull/35949](https://github.com/nodejs/node/pull/35949)
[https://github.com/nodejs/node/pull/36061](https://github.com/nodejs/node/pull/36061)
[https://github.com/nodejs/node/pull/38248](https://github.com/nodejs/node/pull/38248)
[https://github.com/nodejs/node/pull/38433](https://github.com/nodejs/node/pull/38433)
[https://github.com/nodejs/node/pull/38614](https://github.com/nodejs/node/pull/38614)
[https://github.com/standard](https://github.com/standard)
[https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md](https://github.com/tc39/ecma262/blob/HEAD/LICENSE.md)
[https://github.com/tc39/ecma262/issues/1209](https://github.com/tc39/ecma262/issues/1209)
[https://github.com/tc39/proposal](https://github.com/tc39/proposal)
[https://github.com/w3c/ServiceWorker/issues/1356.](https://github.com/w3c/ServiceWorker/issues/1356.)
[https://github.com/w3c/gamepad/pull/112](https://github.com/w3c/gamepad/pull/112)
[https://github.com/w3c/gamepad/pull/120](https://github.com/w3c/gamepad/pull/120)
[https://github.com/w3c/webappsec](https://github.com/w3c/webappsec)
[https://go.imgsmail.ru/favicon.ico](https://go.imgsmail.ru/favicon.ico)
[https://go.mail.ru/chrome/newtab/](https://go.mail.ru/chrome/newtab/)
[https://go.mail.ru/msearch](https://go.mail.ru/msearch)
[https://go.mail.ru/search](https://go.mail.ru/search)
[https://goo.gl/4NeimX](https://goo.gl/4NeimX)
[https://goo.gl/7K7WLu](https://goo.gl/7K7WLu)
[https://goo.gl/EuHzyv](https://goo.gl/EuHzyv)
[https://goo.gl/HxfxSQ](https://goo.gl/HxfxSQ)
[https://goo.gl/J6ASzs](https://goo.gl/J6ASzs)
[https://goo.gl/LdLk22](https://goo.gl/LdLk22)
[https://goo.gl/Y0ZkNV](https://goo.gl/Y0ZkNV)
[https://goo.gl/rStTGz](https://goo.gl/rStTGz)
[https://goo.gl/t5IS6M](https://goo.gl/t5IS6M)
[https://goo.gl/xX8pDD](https://goo.gl/xX8pDD)
[https://goo.gl/ximf56](https://goo.gl/ximf56)
[https://goo.gl/yabPex](https://goo.gl/yabPex)
[https://google.com/pay](https://google.com/pay)
[https://googlevideo.com/](https://googlevideo.com/)
[https://gpuweb.github.io/gpuweb/wgsl/](https://gpuweb.github.io/gpuweb/wgsl/)
[https://gvt1.com/](https://gvt1.com/)
[https://gvt2.com/](https://gvt2.com/)
[https://gvt6.com/](https://gvt6.com/)
[https://heycam.github.io/webidl/](https://heycam.github.io/webidl/)
[https://history.report](https://history.report)
[https://hk.search.yahoo.com/favicon.ico](https://hk.search.yahoo.com/favicon.ico)
[https://hk.search.yahoo.com/search](https://hk.search.yahoo.com/search)
[https://hk.search.yahoo.com/sugg/chrome](https://hk.search.yahoo.com/sugg/chrome)
[https://hladaj.atlas.sk/fulltext/](https://hladaj.atlas.sk/fulltext/)
[https://html.spec.whatwg.org/multipage/browsers.html](https://html.spec.whatwg.org/multipage/browsers.html)
[https://html.spec.whatwg.org/multipage/timers](https://html.spec.whatwg.org/multipage/timers)
[https://html.spec.whatwg.org/multipage/webappapis.html](https://html.spec.whatwg.org/multipage/webappapis.html)
[https://id.search.yahoo.com/favicon.ico](https://id.search.yahoo.com/favicon.ico)
[https://id.search.yahoo.com/search](https://id.search.yahoo.com/search)
[https://id.search.yahoo.com/sugg/chrome](https://id.search.yahoo.com/sugg/chrome)
[https://in.search.yahoo.com/favicon.ico](https://in.search.yahoo.com/favicon.ico)
[https://in.search.yahoo.com/search](https://in.search.yahoo.com/search)
[https://in.search.yahoo.com/sugg/chrome](https://in.search.yahoo.com/sugg/chrome)
[https://infra.spec.whatwg.org/](https://infra.spec.whatwg.org/)
[https://invisible](https://invisible)
[https://isearch.avg.com/search](https://isearch.avg.com/search)
[https://linux.die.net/man/1/dircolors](https://linux.die.net/man/1/dircolors)
[https://log.getdropbox.com/hpkp](https://log.getdropbox.com/hpkp)
[https://log.getdropbox.com/log/expectct](https://log.getdropbox.com/log/expectct)
[https://m.so.com/index.php](https://m.so.com/index.php)
[https://m.so.com/s](https://m.so.com/s)
[https://m.sogou.com/web/](https://m.sogou.com/web/)
[https://malaysia.search.yahoo.com/favicon.ico](https://malaysia.search.yahoo.com/favicon.ico)
[https://malaysia.search.yahoo.com/search](https://malaysia.search.yahoo.com/search)
[https://malaysia.search.yahoo.com/sugg/chrome](https://malaysia.search.yahoo.com/sugg/chrome)
[https://mathiasbynens.be/notes/javascript](https://mathiasbynens.be/notes/javascript)
[https://matteomarescotti.report](https://matteomarescotti.report)
[https://metager.de/favicon.ico](https://metager.de/favicon.ico)
[https://metager.de/meta/meta.ger3](https://metager.de/meta/meta.ger3)
[https://metager.org/meta/meta.ger3](https://metager.org/meta/meta.ger3)
[https://monitoring.url.loader.factory.invalid](https://monitoring.url.loader.factory.invalid)
[https://mths.be/punycode](https://mths.be/punycode)
[https://mx.search.yahoo.com/favicon.ico](https://mx.search.yahoo.com/favicon.ico)
[https://mx.search.yahoo.com/search](https://mx.search.yahoo.com/search)
[https://mx.search.yahoo.com/sugg/chrome](https://mx.search.yahoo.com/sugg/chrome)
[https://nextdns.io/privacy](https://nextdns.io/privacy)
[https://nl.search.yahoo.com/favicon.ico](https://nl.search.yahoo.com/favicon.ico)
[https://nl.search.yahoo.com/search](https://nl.search.yahoo.com/search)
[https://nl.search.yahoo.com/sugg/chrome](https://nl.search.yahoo.com/sugg/chrome)
[https://nl.softonic.com/s/](https://nl.softonic.com/s/)
[https://nodejs.org/api/cli.html](https://nodejs.org/api/cli.html)
[https://nodejs.org/api/fs.html](https://nodejs.org/api/fs.html)
[https://nodejs.org/download/release/v16.14.2/node](https://nodejs.org/download/release/v16.14.2/node)
[https://nodejs.org/en/docs/inspector](https://nodejs.org/en/docs/inspector)
[https://nodejs.org/static/images/favicons/favicon.ico](https://nodejs.org/static/images/favicons/favicon.ico)
[https://nova.rambler.ru/search](https://nova.rambler.ru/search)
[https://nova.rambler.ru/suggest](https://nova.rambler.ru/suggest)
[https://nz.search.yahoo.com/favicon.ico](https://nz.search.yahoo.com/favicon.ico)
[https://nz.search.yahoo.com/search](https://nz.search.yahoo.com/search)
[https://nz.search.yahoo.com/sugg/chrome](https://nz.search.yahoo.com/sugg/chrome)
[https://oceanhero.today/favicon.ico](https://oceanhero.today/favicon.ico)
[https://oceanhero.today/web](https://oceanhero.today/web)
[https://odvr.nic.cz/doh](https://odvr.nic.cz/doh)
[https://pe.search.yahoo.com/favicon.ico](https://pe.search.yahoo.com/favicon.ico)
[https://pe.search.yahoo.com/search](https://pe.search.yahoo.com/search)
[https://pe.search.yahoo.com/sugg/chrome](https://pe.search.yahoo.com/sugg/chrome)
[https://perfetto.dev/docs/contributing/getting](https://perfetto.dev/docs/contributing/getting)
[https://petalsearch.com/search](https://petalsearch.com/search)
[https://ph.search.yahoo.com/favicon.ico](https://ph.search.yahoo.com/favicon.ico)
[https://ph.search.yahoo.com/search](https://ph.search.yahoo.com/search)
[https://ph.search.yahoo.com/sugg/chrome](https://ph.search.yahoo.com/sugg/chrome)
[https://play.google.com/billing](https://play.google.com/billing)
[https://public.dns.iij.jp/dns](https://public.dns.iij.jp/dns)
[https://publickeyservice.aws.privacysandboxservices.com/v1alpha/publicKeys](https://publickeyservice.aws.privacysandboxservices.com/v1alpha/publicKeys)
[https://qc.search.yahoo.com/favicon.ico](https://qc.search.yahoo.com/favicon.ico)
[https://qc.search.yahoo.com/search](https://qc.search.yahoo.com/search)
[https://qc.search.yahoo.com/sugg/chrome](https://qc.search.yahoo.com/sugg/chrome)
[https://redirector.gvt1.com/edgedl/chrome/dict/](https://redirector.gvt1.com/edgedl/chrome/dict/)
[https://scotthelme.report](https://scotthelme.report)
[https://se.search.yahoo.com/favicon.ico](https://se.search.yahoo.com/favicon.ico)
[https://se.search.yahoo.com/search](https://se.search.yahoo.com/search)
[https://search.avg.com/route/](https://search.avg.com/route/)
[https://search.daum.net/favicon.ico](https://search.daum.net/favicon.ico)
[https://search.daum.net/search](https://search.daum.net/search)
[https://search.gmx.co.uk/web/result](https://search.gmx.co.uk/web/result)
[https://search.gmx.com/web/result](https://search.gmx.com/web/result)
[https://search.gmx.es/web/result](https://search.gmx.es/web/result)
[https://search.gmx.fr/web/result](https://search.gmx.fr/web/result)
[https://search.goo.ne.jp/cdn/common/img/favicon.ico](https://search.goo.ne.jp/cdn/common/img/favicon.ico)
[https://search.goo.ne.jp/sgt.jsp](https://search.goo.ne.jp/sgt.jsp)
[https://search.goo.ne.jp/web.jsp](https://search.goo.ne.jp/web.jsp)
[https://search.naver.com/search.naver](https://search.naver.com/search.naver)
[https://search.privacywall.org/suggest.php](https://search.privacywall.org/suggest.php)
[https://search.seznam.cz/favicon.ico](https://search.seznam.cz/favicon.ico)
[https://search.seznam.sk/favicon.ico](https://search.seznam.sk/favicon.ico)
[https://search.softonic.com/](https://search.softonic.com/)
[https://search.walla.co.il/](https://search.walla.co.il/)
[https://search.yahoo.co.jp/favicon.ico](https://search.yahoo.co.jp/favicon.ico)
[https://search.yahoo.co.jp/search](https://search.yahoo.co.jp/search)
[https://search.yahoo.com/favicon.ico](https://search.yahoo.com/favicon.ico)
[https://search.yahoo.com/search](https://search.yahoo.com/search)
[https://search.yahoo.com/sugg/chrome](https://search.yahoo.com/sugg/chrome)
[https://search.yahooapis.jp/AssistSearchService/V2/webassistSearch](https://search.yahooapis.jp/AssistSearchService/V2/webassistSearch)
[https://searchatlas.centrum.cz/favicon.ico](https://searchatlas.centrum.cz/favicon.ico)
[https://server1.example](https://server1.example)
[https://server2.example](https://server2.example)
[https://sg.search.yahoo.com/favicon.ico](https://sg.search.yahoo.com/favicon.ico)
[https://sg.search.yahoo.com/search](https://sg.search.yahoo.com/search)
[https://sg.search.yahoo.com/sugg/chrome](https://sg.search.yahoo.com/sugg/chrome)
[https://source.chromium.org/chromium/chromium/src/](https://source.chromium.org/chromium/chromium/src/)
[https://sourcemaps.info/spec.html](https://sourcemaps.info/spec.html)
[https://sp.ask.com/sh/i/a16/favicon/favicon.ico](https://sp.ask.com/sh/i/a16/favicon/favicon.ico)
[https://ssl.gstatic.com/](https://ssl.gstatic.com/)
[https://ssl.pstatic.net/sstatic/search/favicon/favicon_140327.ico](https://ssl.pstatic.net/sstatic/search/favicon/favicon_140327.ico)
[https://stackoverflow.com/a/5501711/3561](https://stackoverflow.com/a/5501711/3561)
[https://storage.ape.yandex.net/get/browser/Doodles/yandex/drawable](https://storage.ape.yandex.net/get/browser/Doodles/yandex/drawable)
[https://suche.gmx.at/web/result](https://suche.gmx.at/web/result)
[https://suche.gmx.net/web/result](https://suche.gmx.net/web/result)
[https://sug.so.360.cn/suggest](https://sug.so.360.cn/suggest)
[https://sugg.sogou.com/sugg/ajaj_json.jsp](https://sugg.sogou.com/sugg/ajaj_json.jsp)
[https://suggest.search.daum.net/sushi/opensearch/pc](https://suggest.search.daum.net/sushi/opensearch/pc)
[https://suggest.seznam.cz/fulltext_ff](https://suggest.seznam.cz/fulltext_ff)
[https://suggest.seznam.sk/fulltext_ff](https://suggest.seznam.sk/fulltext_ff)
[https://suggest.yandex.by/suggest](https://suggest.yandex.by/suggest)
[https://suggest.yandex.com.tr/suggest](https://suggest.yandex.com.tr/suggest)
[https://suggest.yandex.com/suggest](https://suggest.yandex.com/suggest)
[https://suggest.yandex.kz/suggest](https://suggest.yandex.kz/suggest)
[https://suggest.yandex.ru/suggest](https://suggest.yandex.ru/suggest)
[https://suggest.yandex.ua/suggest](https://suggest.yandex.ua/suggest)
[https://suggestion.baidu.com/su](https://suggestion.baidu.com/su)
[https://suggestplugin.gmx.at/s](https://suggestplugin.gmx.at/s)
[https://suggestplugin.gmx.co.uk/s](https://suggestplugin.gmx.co.uk/s)
[https://suggestplugin.gmx.com/s](https://suggestplugin.gmx.com/s)
[https://suggestplugin.gmx.es/s](https://suggestplugin.gmx.es/s)
[https://suggestplugin.gmx.fr/s](https://suggestplugin.gmx.fr/s)
[https://suggestplugin.gmx.net/s](https://suggestplugin.gmx.net/s)
[https://suggests.go.mail.ru/chrome](https://suggests.go.mail.ru/chrome)
[https://tc39.es/ecma262/](https://tc39.es/ecma262/)
[https://tc39.github.io/ecma262/](https://tc39.github.io/ecma262/)
[https://th.search.yahoo.com/favicon.ico](https://th.search.yahoo.com/favicon.ico)
[https://th.search.yahoo.com/search](https://th.search.yahoo.com/search)
[https://th.search.yahoo.com/sugg/chrome](https://th.search.yahoo.com/sugg/chrome)
[https://tobiassachs.report](https://tobiassachs.report)
[https://tools.ietf.org/html/rfc2397](https://tools.ietf.org/html/rfc2397)
[https://tools.ietf.org/html/rfc3492](https://tools.ietf.org/html/rfc3492)
[https://tools.ietf.org/html/rfc3986](https://tools.ietf.org/html/rfc3986)
[https://tools.ietf.org/html/rfc5280](https://tools.ietf.org/html/rfc5280)
[https://tools.ietf.org/html/rfc6455](https://tools.ietf.org/html/rfc6455)
[https://tools.ietf.org/html/rfc6960](https://tools.ietf.org/html/rfc6960)
[https://tools.ietf.org/html/rfc7230](https://tools.ietf.org/html/rfc7230)
[https://tools.ietf.org/html/rfc7540](https://tools.ietf.org/html/rfc7540)
[https://tr.search.yahoo.com/favicon.ico](https://tr.search.yahoo.com/favicon.ico)
[https://tr.search.yahoo.com/search](https://tr.search.yahoo.com/search)
[https://tw.search.yahoo.com/favicon.ico](https://tw.search.yahoo.com/favicon.ico)
[https://tw.search.yahoo.com/search](https://tw.search.yahoo.com/search)
[https://tw.search.yahoo.com/sugg/chrome](https://tw.search.yahoo.com/sugg/chrome)
[https://uk.search.yahoo.com/favicon.ico](https://uk.search.yahoo.com/favicon.ico)
[https://uk.search.yahoo.com/search](https://uk.search.yahoo.com/search)
[https://uk.search.yahoo.com/sugg/chrome](https://uk.search.yahoo.com/sugg/chrome)
[https://url.spec.whatwg.org/](https://url.spec.whatwg.org/)
[https://v8.dev/blog/v8](https://v8.dev/blog/v8)
[https://ve.search.yahoo.com/favicon.ico](https://ve.search.yahoo.com/favicon.ico)
[https://ve.search.yahoo.com/search](https://ve.search.yahoo.com/search)
[https://ve.search.yahoo.com/sugg/chrome](https://ve.search.yahoo.com/sugg/chrome)
[https://vn.search.yahoo.com/favicon.ico](https://vn.search.yahoo.com/favicon.ico)
[https://vn.search.yahoo.com/search](https://vn.search.yahoo.com/search)
[https://vn.search.yahoo.com/sugg/chrome](https://vn.search.yahoo.com/sugg/chrome)
[https://w3c.github.io/encrypted](https://w3c.github.io/encrypted)
[https://w3c.github.io/manifest/](https://w3c.github.io/manifest/)
[https://w3c.github.io/webappsec](https://w3c.github.io/webappsec)
[https://webrtc.org/web](https://webrtc.org/web)
[https://wiki.squid](https://wiki.squid)
[https://www.World](https://www.World)
[https://www.ask.com/web](https://www.ask.com/web)
[https://www.baidu.com/favicon.ico](https://www.baidu.com/favicon.ico)
[https://www.baidu.com/s](https://www.baidu.com/s)
[https://www.bing.com/chrome/newtab](https://www.bing.com/chrome/newtab)
[https://www.bing.com/images/detail/search](https://www.bing.com/images/detail/search)
[https://www.bing.com/osjson.aspx](https://www.bing.com/osjson.aspx)
[https://www.bing.com/sa/simg/bing_p_rr_teal_min.ico](https://www.bing.com/sa/simg/bing_p_rr_teal_min.ico)
[https://www.bing.com/search](https://www.bing.com/search)
[https://www.bluetooth.com/specifications/gatt/characteristics](https://www.bluetooth.com/specifications/gatt/characteristics)
[https://www.bluetooth.com/specifications/gatt/descriptors](https://www.bluetooth.com/specifications/gatt/descriptors)
[https://www.bluetooth.com/specifications/gatt/services](https://www.bluetooth.com/specifications/gatt/services)
[https://www.chromestatus.com/feature/4664843055398912](https://www.chromestatus.com/feature/4664843055398912)
[https://www.chromestatus.com/feature/5082396709879808](https://www.chromestatus.com/feature/5082396709879808)
[https://www.chromestatus.com/feature/5093566007214080](https://www.chromestatus.com/feature/5093566007214080)
[https://www.chromestatus.com/feature/5148698084376576](https://www.chromestatus.com/feature/5148698084376576)
[https://www.chromestatus.com/feature/5527160148197376](https://www.chromestatus.com/feature/5527160148197376)
[https://www.chromestatus.com/feature/5629582019395584.](https://www.chromestatus.com/feature/5629582019395584.)
[https://www.chromestatus.com/feature/5636954674692096](https://www.chromestatus.com/feature/5636954674692096)
[https://www.chromestatus.com/feature/5644273861001216.](https://www.chromestatus.com/feature/5644273861001216.)
[https://www.chromestatus.com/feature/5654791610957824](https://www.chromestatus.com/feature/5654791610957824)
[https://www.chromestatus.com/feature/5667793157488640](https://www.chromestatus.com/feature/5667793157488640)
[https://www.chromestatus.com/feature/5669008342777856](https://www.chromestatus.com/feature/5669008342777856)
[https://www.chromestatus.com/feature/5682658461876224.](https://www.chromestatus.com/feature/5682658461876224.)
[https://www.chromestatus.com/feature/5718547946799104](https://www.chromestatus.com/feature/5718547946799104)
[https://www.chromestatus.com/feature/5738264052891648](https://www.chromestatus.com/feature/5738264052891648)
[https://www.chromestatus.com/feature/5742188281462784.](https://www.chromestatus.com/feature/5742188281462784.)
[https://www.chromestatus.com/feature/5745543795965952](https://www.chromestatus.com/feature/5745543795965952)
[https://www.chromestatus.com/feature/5749447073988608](https://www.chromestatus.com/feature/5749447073988608)
[https://www.chromestatus.com/feature/5851021045661696.](https://www.chromestatus.com/feature/5851021045661696.)
[https://www.chromestatus.com/feature/6662647093133312](https://www.chromestatus.com/feature/6662647093133312)
[https://www.chromium.org/blink/origin](https://www.chromium.org/blink/origin)
[https://www.cisco.com/c/en/us/about/legal/privacy](https://www.cisco.com/c/en/us/about/legal/privacy)
[https://www.delfi.lt/favicon.ico](https://www.delfi.lt/favicon.ico)
[https://www.delfi.lt/paieska/](https://www.delfi.lt/paieska/)
[https://www.ecma](https://www.ecma)
[https://www.ecosia.org/search](https://www.ecosia.org/search)
[https://www.electronjs.org/docs/tutorial/application](https://www.electronjs.org/docs/tutorial/application)
[https://www.givero.com/favicon.ico](https://www.givero.com/favicon.ico)
[https://www.givero.com/search](https://www.givero.com/search)
[https://www.givero.com/suggest](https://www.givero.com/suggest)
[https://www.google.com/images/branding/product/ico/googleg_lodp.ico](https://www.google.com/images/branding/product/ico/googleg_lodp.ico)
[https://www.google.com/speech](https://www.google.com/speech)
[https://www.googleapis.com/geolocation/v1/geolocate](https://www.googleapis.com/geolocation/v1/geolocate)
[https://www.googleapis.com/spelling/v](https://www.googleapis.com/spelling/v)
[https://www.gstatic.com/securitykey/a/google.com/origins.json](https://www.gstatic.com/securitykey/a/google.com/origins.json)
[https://www.gstatic.com/securitykey/origins.json](https://www.gstatic.com/securitykey/origins.json)
[https://www.iana.org/assignments/tls](https://www.iana.org/assignments/tls)
[https://www.info.com/serp](https://www.info.com/serp)
[https://www.info.com/static/www.info.com/favicon.ico](https://www.info.com/static/www.info.com/favicon.ico)
[https://www.microsoft.com/en](https://www.microsoft.com/en)
[https://www.neti.ee/api/suggestOS](https://www.neti.ee/api/suggestOS)
[https://www.neti.ee/cgi](https://www.neti.ee/cgi)
[https://www.nic.cz/odvr/](https://www.nic.cz/odvr/)
[https://www.privacywall.org/images/favicon_32x32.ico](https://www.privacywall.org/images/favicon_32x32.ico)
[https://www.privacywall.org/search/secure/](https://www.privacywall.org/search/secure/)
[https://www.quad9.net/home/privacy/](https://www.quad9.net/home/privacy/)
[https://www.qwant.com/favicon.ico](https://www.qwant.com/favicon.ico)
[https://www.recent](https://www.recent)
[https://www.so.com/favicon.ico](https://www.so.com/favicon.ico)
[https://www.so.com/s](https://www.so.com/s)
[https://www.softonic.com.br/s/](https://www.softonic.com.br/s/)
[https://www.softonic.com/s/](https://www.softonic.com/s/)
[https://www.sogou.com/images/logo/old/favicon.ico](https://www.sogou.com/images/logo/old/favicon.ico)
[https://www.sogou.com/web](https://www.sogou.com/web)
[https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt](https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt)
[https://www.verisign.com/cps04000000Z](https://www.verisign.com/cps04000000Z)
[https://www.verisign.com/rpa](https://www.verisign.com/rpa)
[https://www.w3.org/TR/WebCryptoAPI/](https://www.w3.org/TR/WebCryptoAPI/)
[https://www.w3.org/TR/hr](https://www.w3.org/TR/hr)
[https://www.w3.org/TR/mse](https://www.w3.org/TR/mse)
[https://www.w3.org/TR/powerful](https://www.w3.org/TR/powerful)
[https://www.w3.org/TR/webauthn](https://www.w3.org/TR/webauthn)
[https://www.yandex.by/chrome/newtab](https://www.yandex.by/chrome/newtab)
[https://www.yandex.com.tr/chrome/newtab](https://www.yandex.com.tr/chrome/newtab)
[https://www.yandex.kz/chrome/newtab](https://www.yandex.kz/chrome/newtab)
[https://www.yandex.ru/chrome/newtab](https://www.yandex.ru/chrome/newtab)
[https://www.yandex.ua/chrome/newtab](https://www.yandex.ua/chrome/newtab)
[https://www.zoznam.sk/favicon.ico](https://www.zoznam.sk/favicon.ico)
[https://www.zoznam.sk/hladaj.fcgi](https://www.zoznam.sk/hladaj.fcgi)
[https://xhr.spec.whatwg.org/.](https://xhr.spec.whatwg.org/.)
[https://yandex.by/images/search/](https://yandex.by/images/search/)
[https://yandex.com.tr/gorsel/search](https://yandex.com.tr/gorsel/search)
[https://yandex.com/images/search](https://yandex.com/images/search)
[https://yandex.com/search/](https://yandex.com/search/)
[https://yandex.kz/images/search/](https://yandex.kz/images/search/)
[https://yandex.ru/images/search/](https://yandex.ru/images/search/)
[https://yandex.ua/images/search/](https://yandex.ua/images/search/)
[https://yastatic.net/lego/_/pDu9OWAQKB0s2J9IojKpiS_Eho.ico](https://yastatic.net/lego/_/pDu9OWAQKB0s2J9IojKpiS_Eho.ico)
[https://yastatic.net/lego/_/rBTjd6UOPk5913OSn5ZQVYMTQWQ.ico](https://yastatic.net/lego/_/rBTjd6UOPk5913OSn5ZQVYMTQWQ.ico) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [AccountPasswordsConsent](https://github.com/search?q=AccountPasswordsConsent&type=code)
[ChromePasswordManagerClient](https://github.com/search?q=ChromePasswordManagerClient&type=code)
[GaiaPasswordCaptured](https://github.com/search?q=GaiaPasswordCaptured&type=code)
[GaiaPasswordReuse](https://github.com/search?q=GaiaPasswordReuse&type=code)
[Invalid password pattern](https://github.com/search?q=Invalid+password+pattern&type=code)
[PasswordH](https://github.com/search?q=PasswordH&type=code)
[PasswordIssues](https://github.com/search?q=PasswordIssues&type=code)
[PasswordReuseDetected](https://github.com/search?q=PasswordReuseDetected&type=code)
[PasswordReuseLookup](https://github.com/search?q=PasswordReuseLookup&type=code)
[PasswordReveal](https://github.com/search?q=PasswordReveal&type=code)
[PasswordSpecificsData](https://github.com/search?q=PasswordSpecificsData&type=code)
[SetPasswordFunc](https://github.com/search?q=SetPasswordFunc&type=code)
[Username and password are expected to](https://github.com/search?q=Username+and+password+are+expected+to&type=code)
[a username and password](https://github.com/search?q=a+username+and+password&type=code)
[accessibilityPasswordValuesEnabled](https://github.com/search?q=accessibilityPasswordValuesEnabled&type=code)
[and password fields set](https://github.com/search?q=and+password+fields+set&type=code)
[bPassword](https://github.com/search?q=bPassword&type=code)
[challengePassword](https://github.com/search?q=challengePassword&type=code)
[const has_password](https://github.com/search?q=const+has_password&type=code)
[current-password](https://github.com/search?q=current-password&type=code)
[gaia_password_reuse](https://github.com/search?q=gaia_password_reuse&type=code)
[generated a new password](https://github.com/search?q=generated+a+new+password&type=code)
[get password](https://github.com/search?q=get+password&type=code)
[getPasswordComplete](https://github.com/search?q=getPasswordComplete&type=code)
[have-a-username-password-port](https://github.com/search?q=have-a-username-password-port&type=code)
[have-username-password-port](https://github.com/search?q=have-username-password-port&type=code)
[id-PasswordBasedMAC](https://github.com/search?q=id-PasswordBasedMAC&type=code)
[keyring_delete_password](https://github.com/search?q=keyring_delete_password&type=code)
[keyring_find_password_sync](https://github.com/search?q=keyring_find_password_sync&type=code)
[keyring_free_password](https://github.com/search?q=keyring_free_password&type=code)
[keyring_store_password_sync](https://github.com/search?q=keyring_store_password_sync&type=code)
[like a password](https://github.com/search?q=like+a+password&type=code)
[new-password](https://github.com/search?q=new-password&type=code)
[or PasswordCredentialData](https://github.com/search?q=or+PasswordCredentialData&type=code)
[password based MAC](https://github.com/search?q=password+based+MAC&type=code)
[password is too large](https://github.com/search?q=password+is+too+large&type=code)
[password text](https://github.com/search?q=password+text&type=code)
[password-change](https://github.com/search?q=password-change&type=code)
[password-protection](https://github.com/search?q=password-protection&type=code)
[password-reveal](https://github.com/search?q=password-reveal&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[passwordChar](https://github.com/search?q=passwordChar&type=code)
[passwordDialogTitle](https://github.com/search?q=passwordDialogTitle&type=code)
[passwordEchoEnabled](https://github.com/search?q=passwordEchoEnabled&type=code)
[passwordEdit](https://github.com/search?q=passwordEdit&type=code)
[passwordInvalid](https://github.com/search?q=passwordInvalid&type=code)
[passwordPrompt](https://github.com/search?q=passwordPrompt&type=code)
[passwordSubmit](https://github.com/search?q=passwordSubmit&type=code)
[password_specifics](https://github.com/search?q=password_specifics&type=code)
[readPassword](https://github.com/search?q=readPassword&type=code)
[secret_password_clear_sync](https://github.com/search?q=secret_password_clear_sync&type=code)
[secret_password_store_sync](https://github.com/search?q=secret_password_store_sync&type=code)
[set password](https://github.com/search?q=set+password&type=code)
[such as passwords](https://github.com/search?q=such+as+passwords&type=code)
[to deserialize password_string](https://github.com/search?q=to+deserialize+password_string&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[username or password](https://github.com/search?q=username+or+password&type=code)
[writePassword](https://github.com/search?q=writePassword&type=code) | +| LOW | [credential/password/finder](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password_finder.yara#gnome_keyring_sync) | gnome keyring sync | [gnome_keyring_find_password_sync](https://github.com/search?q=gnome_keyring_find_password_sync&type=code) | +| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[privateKey](https://github.com/search?q=privateKey&type=code)
[private_key](https://github.com/search?q=private_key&type=code) | +| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) | +| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [AeadEncryptDecrypt](https://github.com/search?q=AeadEncryptDecrypt&type=code)
[AesCbcEncryptDecrypt](https://github.com/search?q=AesCbcEncryptDecrypt&type=code)
[CommonEncryptDecrypt](https://github.com/search?q=CommonEncryptDecrypt&type=code)
[ContentDecryptionModuleClient](https://github.com/search?q=ContentDecryptionModuleClient&type=code)
[CreateContentDecryptionModule](https://github.com/search?q=CreateContentDecryptionModule&type=code)
[Creation of DecryptConfig failed](https://github.com/search?q=Creation+of+DecryptConfig+failed&type=code)
[DecryptAndDecodeAudio](https://github.com/search?q=DecryptAndDecodeAudio&type=code)
[DecryptAndDecodeVideo](https://github.com/search?q=DecryptAndDecodeVideo&type=code)
[DecryptPendingBuffer](https://github.com/search?q=DecryptPendingBuffer&type=code)
[Decrypted a 0](https://github.com/search?q=Decrypted+a+0&type=code)
[DecryptingAudioDecoder](https://github.com/search?q=DecryptingAudioDecoder&type=code)
[DecryptingVideoDecoder](https://github.com/search?q=DecryptingVideoDecoder&type=code)
[Decryption failed](https://github.com/search?q=Decryption+failed&type=code)
[Decryption is not avail](https://github.com/search?q=Decryption+is+not+avail&type=code)
[DoDecryptReply](https://github.com/search?q=DoDecryptReply&type=code)
[For a Content Decryption Module](https://github.com/search?q=For+a+Content+Decryption+Module&type=code)
[GetFrameDecryptor](https://github.com/search?q=GetFrameDecryptor&type=code)
[Hardware Secure Decryption is disabled](https://github.com/search?q=Hardware+Secure+Decryption+is+disabled&type=code)
[HardwareSecureDecryptionExperiment](https://github.com/search?q=HardwareSecureDecryptionExperiment&type=code)
[MojoDecryptorService](https://github.com/search?q=MojoDecryptorService&type=code)
[Selected DecryptingDemuxerStream](https://github.com/search?q=Selected+DecryptingDemuxerStream&type=code)
[Setting FrameDecryptor](https://github.com/search?q=Setting+FrameDecryptor&type=code)
[WaitingForDecryptionKey](https://github.com/search?q=WaitingForDecryptionKey&type=code)
[_privateDecrypt](https://github.com/search?q=_privateDecrypt&type=code)
[_publicDecrypt](https://github.com/search?q=_publicDecrypt&type=code)
[ause of SetFrameDecryptor](https://github.com/search?q=ause+of+SetFrameDecryptor&type=code)
[const privateDecrypt](https://github.com/search?q=const+privateDecrypt&type=code)
[const publicDecrypt](https://github.com/search?q=const+publicDecrypt&type=code)
[e to set ContentDecryptionModule object](https://github.com/search?q=e+to+set+ContentDecryptionModule+object&type=code)
[existing ContentDecryptionModule object](https://github.com/search?q=existing+ContentDecryptionModule+object&type=code)
[kDecryptError](https://github.com/search?q=kDecryptError&type=code)
[kIsAudioDecryptingDemuxerStream](https://github.com/search?q=kIsAudioDecryptingDemuxerStream&type=code)
[kIsVideoDecryptingDemuxerStream](https://github.com/search?q=kIsVideoDecryptingDemuxerStream&type=code)
[kWebCryptoCipherDecrypt](https://github.com/search?q=kWebCryptoCipherDecrypt&type=code)
[ketsReceivedWithDecrypter](https://github.com/search?q=ketsReceivedWithDecrypter&type=code) | +| LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) | +| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | +| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public Key](https://github.com/search?q=Public+Key&type=code)
[Public key](https://github.com/search?q=Public+key&type=code)
[Public-key](https://github.com/search?q=Public-key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | +| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code)
[require('tls')](https://github.com/search?q=require%28%27tls%27%29&type=code) | +| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | +| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | +| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | +| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | +| LOW | [data/embedded/pem_certificate](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert) | Contains embedded PEM certificate | [--BEGIN CERTIFICATE--](https://github.com/search?q=--BEGIN+CERTIFICATE--&type=code) | +| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | +| LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSON.parse](https://github.com/search?q=JSON.parse&type=code) | +| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | +| LOW | 
[data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | +| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | +| LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | +| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | +| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [evasion/hijack_execution/LD_LIBRARY_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hijack_execution/LD_LIBRARY_PATH.yara#ld_library_path) | ld library path | [LD_LIBRARY_PATH](https://github.com/search?q=LD_LIBRARY_PATH&type=code) | +| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | +| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | +| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Chromium PDF Plugin](https://github.com/search?q=Chromium+PDF+Plugin&type=code)
[ContainsPlugins](https://github.com/search?q=ContainsPlugins&type=code)
[Failed to generate a plugin id](https://github.com/search?q=Failed+to+generate+a+plugin+id&type=code)
[GetPluginInfo](https://github.com/search?q=GetPluginInfo&type=code)
[GetPlugins](https://github.com/search?q=GetPlugins&type=code)
[If you want to block plugins](https://github.com/search?q=If+you+want+to+block+plugins&type=code)
[Is an accelerated plugin](https://github.com/search?q=Is+an+accelerated+plugin&type=code)
[LoadPluginsSoon](https://github.com/search?q=LoadPluginsSoon&type=code)
[No PPP_GetInterface in plugin library](https://github.com/search?q=No+PPP_GetInterface+in+plugin+library&type=code)
[No PPP_InitializeModule in plugin library](https://github.com/search?q=No+PPP_InitializeModule+in+plugin+library&type=code)
[OnPepperPluginCrashed](https://github.com/search?q=OnPepperPluginCrashed&type=code)
[OnPepperPluginHung](https://github.com/search?q=OnPepperPluginHung&type=code)
[OpenChannelToPepperPlugin](https://github.com/search?q=OpenChannelToPepperPlugin&type=code)
[Pepper Plugin Broker](https://github.com/search?q=Pepper+Plugin+Broker&type=code)
[PepperPluginInstance](https://github.com/search?q=PepperPluginInstance&type=code)
[Plugin Changed](https://github.com/search?q=Plugin+Changed&type=code)
[Plugin URL](https://github.com/search?q=Plugin+URL&type=code)
[Plugin doesn](https://github.com/search?q=Plugin+doesn&type=code)
[PluginArray](https://github.com/search?q=PluginArray&type=code)
[PluginContextSecurity](https://github.com/search?q=PluginContextSecurity&type=code)
[PluginData](https://github.com/search?q=PluginData&type=code)
[PluginDispatcher](https://github.com/search?q=PluginDispatcher&type=code)
[PluginLoad](https://github.com/search?q=PluginLoad&type=code)
[PluginPrivate](https://github.com/search?q=PluginPrivate&type=code)
[PluginRegistry](https://github.com/search?q=PluginRegistry&type=code)
[PluginResource](https://github.com/search?q=PluginResource&type=code)
[PluginService](https://github.com/search?q=PluginService&type=code)
[PluginSizeUpdated](https://github.com/search?q=PluginSizeUpdated&type=code)
[PpapiMsg_LoadPlugin](https://github.com/search?q=PpapiMsg_LoadPlugin&type=code)
[PpapiPluginMain](https://github.com/search?q=PpapiPluginMain&type=code)
[PpapiPluginMetrics](https://github.com/search?q=PpapiPluginMetrics&type=code)
[RemoveBrowserPluginEmbedder](https://github.com/search?q=RemoveBrowserPluginEmbedder&type=code)
[SendToPlugin](https://github.com/search?q=SendToPlugin&type=code)
[SetBrowserPluginGuest](https://github.com/search?q=SetBrowserPluginGuest&type=code)
[The plugin has not](https://github.com/search?q=The+plugin+has+not&type=code)
[Unable to create ppapi plugin process](https://github.com/search?q=Unable+to+create+ppapi+plugin+process&type=code)
[Unable to load plugin](https://github.com/search?q=Unable+to+load+plugin&type=code)
[Unable to load ppapi plugin](https://github.com/search?q=Unable+to+load+ppapi+plugin&type=code)
[allowNonEmptyNavigatorPlugins](https://github.com/search?q=allowNonEmptyNavigatorPlugins&type=code)
[as a plugin](https://github.com/search?q=as+a+plugin&type=code)
[browserplugin](https://github.com/search?q=browserplugin&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[html_plugin_element](https://github.com/search?q=html_plugin_element&type=code)
[kPluginObject](https://github.com/search?q=kPluginObject&type=code)
[loadplugin](https://github.com/search?q=loadplugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[page contains plugins](https://github.com/search?q=page+contains+plugins&type=code)
[pdf_internal_plugin_wrapper](https://github.com/search?q=pdf_internal_plugin_wrapper&type=code)
[pdf_view_plugin_base](https://github.com/search?q=pdf_view_plugin_base&type=code)
[pdf_view_web_plugin](https://github.com/search?q=pdf_view_web_plugin&type=code)
[pepper_hung_plugin_filter](https://github.com/search?q=pepper_hung_plugin_filter&type=code)
[pepper_webplugin_impl](https://github.com/search?q=pepper_webplugin_impl&type=code)
[plugin data](https://github.com/search?q=plugin+data&type=code)
[pluginObject](https://github.com/search?q=pluginObject&type=code)
[plugin_audio_thread](https://github.com/search?q=plugin_audio_thread&type=code)
[plugin_container_impl](https://github.com/search?q=plugin_container_impl&type=code)
[plugin_instance_impl](https://github.com/search?q=plugin_instance_impl&type=code)
[plugin_message_filter](https://github.com/search?q=plugin_message_filter&type=code)
[plugin_module](https://github.com/search?q=plugin_module&type=code)
[plugin_private_storage](https://github.com/search?q=plugin_private_storage&type=code)
[plugin_process_host](https://github.com/search?q=plugin_process_host&type=code)
[plugin_service_impl](https://github.com/search?q=plugin_service_impl&type=code)
[pluginprH](https://github.com/search?q=pluginprH&type=code)
[pluginsEnabled](https://github.com/search?q=pluginsEnabled&type=code)
[pluginspace](https://github.com/search?q=pluginspace&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[pluginurl](https://github.com/search?q=pluginurl&type=code)
[ppapi_plugin_main](https://github.com/search?q=ppapi_plugin_main&type=code)
[ppapi_plugin_process](https://github.com/search?q=ppapi_plugin_process&type=code)
[r PluginH](https://github.com/search?q=r+PluginH&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code)
[security origin than your plugin](https://github.com/search?q=security+origin+than+your+plugin&type=code)
[strictMixedContentCheckingForPlugin](https://github.com/search?q=strictMixedContentCheckingForPlugin&type=code)
[suggestplugin](https://github.com/search?q=suggestplugin&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectoryAndGetEr](https://github.com/search?q=CreateDirectoryAndGetEr&type=code)
[CreateDirectoryResult](https://github.com/search?q=CreateDirectoryResult&type=code)
[createFolder](https://github.com/search?q=createFolder&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | +| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | +| LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm HP-USB500 5.1 Headset](https://github.com/search?q=rm+HP-USB500+5.1+Headset&type=code)
[rm PA-WL54GU](https://github.com/search?q=rm+PA-WL54GU&type=code) | +| LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | +| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | +| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | +| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code)
[fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code) | +| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | +| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code)
[writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeIntoFile](https://github.com/search?q=writeIntoFile&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code) | +| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | +| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | +| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/asound.conf](https://github.com/search?q=%2Fetc%2Fasound.conf&type=code)
[/etc/ati/amdpcsdb.default](https://github.com/search?q=%2Fetc%2Fati%2Famdpcsdb.default&type=code)
[/etc/catalog](https://github.com/search?q=%2Fetc%2Fcatalog&type=code)
[/etc/chromium/native-messaging-hosts](https://github.com/search?q=%2Fetc%2Fchromium%2Fnative-messaging-hosts&type=code)
[/etc/chromium/policies](https://github.com/search?q=%2Fetc%2Fchromium%2Fpolicies&type=code)
[/etc/fallback](https://github.com/search?q=%2Fetc%2Ffallback&type=code)
[/etc/fonts.xml](https://github.com/search?q=%2Fetc%2Ffonts.xml&type=code)
[/etc/host.conf](https://github.com/search?q=%2Fetc%2Fhost.conf&type=code)
[/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code)
[/etc/localtime](https://github.com/search?q=%2Fetc%2Flocaltime&type=code)
[/etc/lsb-release](https://github.com/search?q=%2Fetc%2Flsb-release&type=code)
[/etc/nsswitch.conf](https://github.com/search?q=%2Fetc%2Fnsswitch.conf&type=code)
[/etc/os-release](https://github.com/search?q=%2Fetc%2Fos-release&type=code)
[/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/ssl/certs](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts&type=code)
[/etc/svc.conf](https://github.com/search?q=%2Fetc%2Fsvc.conf&type=code)
[/etc/system](https://github.com/search?q=%2Fetc%2Fsystem&type=code)
[/etc/timezone](https://github.com/search?q=%2Fetc%2Ftimezone&type=code)
[/etc/vulkan/icd.d](https://github.com/search?q=%2Fetc%2Fvulkan%2Ficd.d&type=code)
[/etc/xml/catalog](https://github.com/search?q=%2Fetc%2Fxml%2Fcatalog&type=code) | +| LOW | [fs/path/etc_resolv.conf](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf) | accesses DNS resolver configuration | [/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code) | +| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/privacy/](https://github.com/search?q=%2Fhome%2Fprivacy%2F&type=code) | +| LOW | [fs/path/home_config](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path) | path reference within ~/.config | [.config/pulse](https://github.com/search?q=.config%2Fpulse&type=code)
[/.config/user](https://github.com/search?q=%2F.config%2Fuser&type=code) | +| LOW | [fs/path/usr_bin](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path) | path reference within /usr/bin | [/usr/bin/wget](https://github.com/search?q=%2Fusr%2Fbin%2Fwget&type=code) | +| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/cache/fontconfig](https://github.com/search?q=%2Fvar%2Fcache%2Ffontconfig&type=code)
[/var/log/bluetooth/bluetooth_quality_report](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Fbluetooth_quality_report&type=code)
[/var/log/bluetooth/log.bz2.old](https://github.com/search?q=%2Fvar%2Flog%2Fbluetooth%2Flog.bz2.old&type=code)
[/var/run/user](https://github.com/search?q=%2Fvar%2Frun%2Fuser&type=code)
[/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | +| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | +| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TEMPDIR](https://github.com/search?q=TEMPDIR&type=code)
[TMPDIR](https://github.com/search?q=TMPDIR&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | +| LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | +| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [tmpfile](https://github.com/search?q=tmpfile&type=code) | +| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | +| LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) | +| LOW | [impact/ui/screen_capture](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ui/screen-capture.yara#macos_screen_capture) | macos screen capture | [captureScreen](https://github.com/search?q=captureScreen&type=code) | +| LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [require('dns')](https://github.com/search?q=require%28%27dns%27%29&type=code) | +| LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [resolv.conf](https://github.com/search?q=resolv.conf&type=code) | +| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | +| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | +| LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | +| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with basic authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | +| LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [oauth2](https://github.com/search?q=oauth2&type=code) | +| LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | +| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[httpClose](https://github.com/search?q=httpClose&type=code)
[httpConnect](https://github.com/search?q=httpConnect&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code) | +| LOW | [net/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets) | access the internet | [invalid packet](https://github.com/search?q=invalid+packet&type=code) | +| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | +| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#cannot_resolve) | resolve network host name to IP address | [cannot resolve](https://github.com/search?q=cannot+resolve&type=code) | +| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | +| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | +| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [client_address_spac](https://github.com/search?q=client_address_spac&type=code)
[getpeername](https://github.com/search?q=getpeername&type=code) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code)
[sendmmsg](https://github.com/search?q=sendmmsg&type=code)
[sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | +| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code)
[new URL](https://github.com/search?q=new+URL&type=code) | +| LOW | [os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val) | Retrieve environment variable values | [env.COLORTERM](https://github.com/search?q=env.COLORTERM&type=code)
[env.ELECTRON](https://github.com/search?q=env.ELECTRON&type=code)
[env.FORCE](https://github.com/search?q=env.FORCE&type=code)
[env.NODE](https://github.com/search?q=env.NODE&type=code)
[env.ORIGINAL](https://github.com/search?q=env.ORIGINAL&type=code)
[env.TEAMCITY](https://github.com/search?q=env.TEAMCITY&type=code)
[env.TEMP](https://github.com/search?q=env.TEMP&type=code)
[env.TERM](https://github.com/search?q=env.TERM&type=code)
[env.TMP](https://github.com/search?q=env.TMP&type=code)
[env.TMUX](https://github.com/search?q=env.TMUX&type=code)
[env.USERPROFILE](https://github.com/search?q=env.USERPROFILE&type=code)
[env.XDG](https://github.com/search?q=env.XDG&type=code) | +| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | +| LOW | [os/fd/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#py_fd_read) | reads from a file handle | [context.read()](https://github.com/search?q=context.read%28%29&type=code)
[reader.read()](https://github.com/search?q=reader.read%28%29&type=code)
[req.read()](https://github.com/search?q=req.read%28%29&type=code)
[self.read()](https://github.com/search?q=self.read%28%29&type=code)
[socket.read()](https://github.com/search?q=socket.read%28%29&type=code)
[stream.read()](https://github.com/search?q=stream.read%28%29&type=code)
[tail.read()](https://github.com/search?q=tail.read%28%29&type=code) | +| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) | +| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [_decoder.write(b)](https://github.com/search?q=_decoder.write%28b%29&type=code)
[_decoder.write(ret)](https://github.com/search?q=_decoder.write%28ret%29&type=code)
[_downstream.write(e)](https://github.com/search?q=_downstream.write%28e%29&type=code)
[decoder.write(chunk)](https://github.com/search?q=decoder.write%28chunk%29&type=code)
[decoder.write(data)](https://github.com/search?q=decoder.write%28data%29&type=code)
[dest.write(chunk)](https://github.com/search?q=dest.write%28chunk%29&type=code)
[output.write(errStack)](https://github.com/search?q=output.write%28errStack%29&type=code)
[output.write(line)](https://github.com/search?q=output.write%28line%29&type=code)
[output.write(result)](https://github.com/search?q=output.write%28result%29&type=code)
[output.write(stringToWrite)](https://github.com/search?q=output.write%28stringToWrite%29&type=code)
[pt.write(val)](https://github.com/search?q=pt.write%28val%29&type=code)
[self.write(prefix)](https://github.com/search?q=self.write%28prefix%29&type=code)
[stdout.write(s)](https://github.com/search?q=stdout.write%28s%29&type=code)
[stream.write(data)](https://github.com/search?q=stream.write%28data%29&type=code)
[stream.write(string)](https://github.com/search?q=stream.write%28string%29&type=code)
[streamWritable.write(chunk)](https://github.com/search?q=streamWritable.write%28chunk%29&type=code)
[this.write(buf)](https://github.com/search?q=this.write%28buf%29&type=code)
[this.write(data)](https://github.com/search?q=this.write%28data%29&type=code)
[this.write(response)](https://github.com/search?q=this.write%28response%29&type=code)
[writable.write(chunk)](https://github.com/search?q=writable.write%28chunk%29&type=code)
[writer.write(chunk)](https://github.com/search?q=writer.write%28chunk%29&type=code) | +| LOW | [os/kernel/netlink](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink) | communicate with kernel services | [netlink](https://github.com/search?q=netlink&type=code) | +| LOW | [os/kernel/perfmon](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/perfmon.yara#perf_event_open) | set up performance monitoring | [perf_event_open](https://github.com/search?q=perf_event_open&type=code) | +| LOW | [os/kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) | +| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | +| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd](https://github.com/search?q=cd&type=code) | +| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | +| LOW | [process/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#syscall_vfork) | [create child process](https://man7.org/linux/man-pages/man2/vfork.2.html) | [vfork](https://github.com/search?q=vfork&type=code) | +| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | 
[setgid](https://github.com/search?q=setgid&type=code) | +| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | +| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | + diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple index e69de29b..d979ac23 100644 --- a/tests/linux/clean/containerd.simple +++ b/tests/linux/clean/containerd.simple 
@@ -0,0 +1,134 @@ +# linux/clean/containerd: medium +c2/addr/ip: medium +c2/addr/server: medium +c2/addr/url: low +c2/client: medium +c2/tool_transfer/arch: low +c2/tool_transfer/os: medium +collect/archives/zip: medium +collect/databases/mysql: medium +credential/password: low +credential/sniffer/bpf: medium +credential/sniffer/pcap: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/public_key: low +crypto/tls: low +data/compression/bzip2: low +data/compression/gzip: low +data/compression/zlib: low +data/compression/zstd: low +data/embedded/html: medium +data/embedded/zstd: medium +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/hash/md5: low +discover/network/mac_address: medium +discover/system/cpu: low +discover/system/hostname: low +discover/system/platform: medium +discover/user/USER: low +evasion/file/location/dev_mqueue: medium +evasion/file/location/dev_shm: medium +evasion/file/location/var_run: medium +evasion/process_injection/ptrace: medium +exec/plugin: low +exec/program: medium +exec/reconfigure/hostname_set: low +exec/shell/TERM: low +exec/system_controls/apparmor: medium +exec/system_controls/systemd: low +fs/attributes/set: medium +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/event_monitoring: low +fs/file/copy: medium +fs/file/create: medium +fs/file/delete: low +fs/file/delete_forcibly: low +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/times_set: medium +fs/file/write: low +fs/link_create: low +fs/link_read: low +fs/lock_update: low +fs/loopback: medium +fs/mount: low +fs/node_create: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home: low +fs/path/usr_local: medium +fs/path/var: low +fs/permission/chown: medium +fs/permission/modify: medium +fs/proc/arbitrary_pid: medium +fs/proc/net_route: medium 
+fs/proc/self_cgroup: medium +fs/proc/self_mountinfo: medium +fs/tempdir/TEMP: low +fs/tempdir/create: low +fs/tempfile: low +fs/unmount: low +fs/watch: low +hw/dev/block_ice: medium +hw/dev/mapper: medium +impact/remote_access/heartbeat: medium +net/dns: low +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/http/webhook: medium +net/http/websocket: medium +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/ip/send_unicast: low +net/resolve/hostname: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/pair: medium +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +net/tcp/connect: medium +net/tcp/grpc: low +net/udp/receive: low +net/udp/send: low +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +os/fd/sendfile: low +os/kernel/kcore: low +os/kernel/netlink: low +os/kernel/seccomp: low +persist/pid_file: medium +process/chdir: low +process/groupid_set: low +process/groups_set: low +process/terminate/kill_multiple: medium +sus/exclamation: medium +sus/intercept: medium diff --git a/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple index e69de29b..1519652c 100644 --- a/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple +++ b/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple 
@@ -0,0 +1,48 @@ +# linux/clean/kibana/securitySolution.chunk.22.js: critical +c2/addr/url: high +c2/discovery/dyndns: medium +c2/tool_transfer/arch: low +c2/tool_transfer/download: high +c2/tool_transfer/dropper: medium +c2/tool_transfer/exe_url: high +c2/tool_transfer/grayware: high +c2/tool_transfer/os: medium +collect/databases/mysql: medium +credential/keylogger: medium +credential/password: low +crypto/blockchain: medium +crypto/openssl: medium +data/encoding/json_decode: low +evasion/file/prefix: medium +evasion/rootkit/refs: medium +evasion/rootkit/userspace: low +exec/plugin: low +exec/shell/power: medium +exfil/upload: medium +fs/lock_update: low +fs/path/dev: medium +impact/cryptojacking/monero_pool: medium +impact/ddos: medium +impact/exploit: medium +impact/exploit/cve: medium +impact/exploit/known_s: medium +impact/infection/infected: medium +impact/infection/worm: medium +impact/remote_access/backdoor: medium +impact/remote_access/iptables: medium +impact/remote_access/reverse_shell: high +impact/remote_access/trojan: medium +lateral/scan/brute_force: low +malware/ref: medium +net/dns/txt: low +net/download: medium +net/tcp/sftp: medium +net/url/embedded: medium +net/url/parse: low +persist/daemon: medium +process/chroot: low +sec-tool/net/masscan: high +sec-tool/net/nmap: medium +sec-tool/pentest/metasploit_ref: medium +sus/leetspeak: medium +sus/malicious: medium diff --git a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple index e69de29b..9a1d7634 100644 --- a/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple +++ b/tests/linux/clean/kibana/securitySolution.chunk.9.js.simple 
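Review bot: This fixture pins a `critical` verdict for a sample that lives under tests/linux/clean/, so the regression suite now treats a clean Kibana security bundle scoring critical as the expected result instead of a false positive to tune away. The high-severity hits that drive the score are visible in the hunk: `c2/tool_transfer/download: high`, `c2/tool_transfer/exe_url: high`, `c2/tool_transfer/grayware: high`, `impact/remote_access/reverse_shell: high` and `sec-tool/net/masscan: high`, which presumably fire on detection-rule text and tool names embedded in the JS rather than on anything the bundle does. If accepting this score is deliberate for now, a second header line such as `# known false positive: security-content strings in a Kibana bundle` would keep the next tuning pass from reading it as a true detection — the file already starts with a `#` line, but whether the .simple parser tolerates a second one is not shown here. Otherwise the `c2/tool_transfer/*` and `sec-tool/net/masscan` rules are the ones to narrow before refreshing this baseline.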
@@ -0,0 +1,71 @@ +# linux/clean/kibana/securitySolution.chunk.9.js: critical +anti-static/obfuscation/js: medium +anti-static/obfuscation/reverse: medium +c2/addr/ip: medium +c2/addr/url: high +c2/discovery/dyndns: medium +c2/tool_transfer/arch: low +c2/tool_transfer/download: high +c2/tool_transfer/dropper: medium +c2/tool_transfer/exe_url: high +c2/tool_transfer/grayware: high +c2/tool_transfer/os: medium +collect/databases/mysql: medium +credential/keylogger: medium +credential/password: low +crypto/blockchain: medium +crypto/encrypt: medium +crypto/openssl: medium +data/embedded/base64_url: medium +data/encoding/base64: low +data/encoding/json_decode: low +data/encoding/json_encode: low +data/hash/md5: low +discover/network/mac_address: medium +discover/process/name: medium +discover/process/parent: low +evasion/file/prefix: medium +evasion/rootkit/refs: medium +evasion/rootkit/userspace: low +exec/cmd: medium +exec/plugin: low +exec/shell/power: medium +exec/system_controls/apparmor: medium +exfil/upload: medium +fs/lock_update: low +fs/mount: low +fs/path/dev: medium +impact/cryptojacking/monero_pool: medium +impact/ddos: medium +impact/exploit: medium +impact/exploit/cve: medium +impact/exploit/known_s: medium +impact/exploit/overflow_shellcode: high +impact/infection/infected: medium +impact/infection/worm: medium +impact/remote_access/backdoor: medium +impact/remote_access/iptables: medium +impact/remote_access/reverse_shell: high +impact/remote_access/trojan: medium +lateral/scan/brute_force: low +malware/ref: medium +net/dns/txt: low +net/download: medium +net/http/post: medium +net/http/request: low +net/ip/addr: medium +net/ip/host_port: medium +net/socket/listen: medium +net/socket/send: low +net/tcp/sftp: medium +net/url/embedded: medium +net/url/parse: low +net/url/request: medium +os/kernel/seccomp: low +persist/daemon: medium +process/chroot: low +sec-tool/net/masscan: high +sec-tool/net/nmap: medium +sec-tool/pentest/metasploit_ref: medium 
+sus/leetspeak: medium +sus/malicious: medium diff --git a/tests/linux/clean/kuma-cp.simple b/tests/linux/clean/kuma-cp.simple index e69de29b..59142a2a 100644 --- a/tests/linux/clean/kuma-cp.simple +++ b/tests/linux/clean/kuma-cp.simple 
@@ -0,0 +1,142 @@ +# linux/clean/kuma-cp: medium +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/server: medium +c2/addr/url: low +c2/client: medium +c2/tool_transfer/arch: low +c2/tool_transfer/download: medium +c2/tool_transfer/os: medium +collect/archives/zip: medium +collect/databases/mysql: medium +collect/databases/postgresql: medium +credential/password: low +credential/server/htpasswd: medium +credential/sniffer/bpf: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/public_key: low +crypto/tls: low +crypto/uuid: medium +data/base64/external: medium +data/compression/bzip2: low +data/compression/gzip: low +data/compression/zlib: low +data/compression/zstd: low +data/embedded/base64_url: medium +data/embedded/html: medium +data/embedded/pem_test_key: low +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/encoding/json_encode: low +data/hash/md5: low +discover/network/interface_list: medium +discover/network/mac_address: medium +discover/network/netstat: medium +discover/processes/list: medium +discover/system/cpu: low +discover/system/dmesg: low +discover/system/hostname: low +discover/system/platform: medium +discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +discover/user/name_get: medium +evasion/bypass_security/linux/iptables: medium +evasion/file/location/var_run: medium +evasion/file/prefix: medium +exec/cmd: medium +exec/conditional/LANG: low +exec/plugin: low +exec/program: medium +exec/shell/SHELL: low +exec/shell/TERM: low +exec/shell/background_sleep: medium +exfil/collection: medium +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/fifo_create: low +fs/file/copy: medium +fs/file/delete: low +fs/file/delete_forcibly: low +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/stat: low +fs/file/write: low +fs/link_read: low 
+fs/mount: low +fs/node_create: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home_config: low +fs/path/tmp: medium +fs/path/usr_bin: low +fs/path/var: low +fs/permission/chown: medium +fs/permission/modify: medium +fs/quota_manipulate: low +fs/swap/on: low +fs/tempdir/TEMP: low +fs/tempfile: low +fs/unmount: low +fs/watch: low +hw/dev/block_ice: medium +impact/remote_access/heartbeat: medium +impact/remote_access/iptables: medium +net/dns: low +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download: medium +net/download/fetch: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/http/webhook: medium +net/http/websocket: medium +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/proxy/tunnel: medium +net/resolve/hostname: low +net/resolve/hostport_parse: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +net/tcp/connect: medium +net/tcp/grpc: low +net/tcp/ssh: medium +net/udp/receive: low +net/udp/send: low +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +os/fd/sendfile: low +os/kernel/netlink: low +os/kernel/seccomp: low +persist/cron/tab: medium +privesc/sudo: medium +process/chroot: low +process/groupid_set: low +sus/exclamation: medium +sus/intercept: medium diff --git a/tests/linux/clean/libgcj.so.17.0.0.simple b/tests/linux/clean/libgcj.so.17.0.0.simple index e69de29b..65b554ce 100644 --- a/tests/linux/clean/libgcj.so.17.0.0.simple +++ b/tests/linux/clean/libgcj.so.17.0.0.simple 
@@ -0,0 +1,103 @@ +# linux/clean/libgcj.so.17.0.0: medium +3P/JPCERT/cobaltstrike_v3v4: medium +anti-behavior/random_behavior: low +c2/addr/ip: medium +c2/addr/url: low +c2/tool_transfer/os: medium +credential/password: low +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/public_key: low +crypto/tls: low +crypto/uuid: medium +data/compression/bzip2: low +data/compression/gzip: low +data/embedded/base64_terms: medium +data/embedded/base64_url: medium +data/embedded/html: medium +data/embedded/pem_certificate: low +data/encoding/base64: low +data/hash/md5: low +data/hash/sha1: low +data/hash/sha256: low +data/hash/whirlpool: medium +discover/network/interface_list: medium +discover/process/name: medium +discover/system/cpu: low +discover/system/hostname: low +discover/system/platform: low +discover/user/HOME: low +discover/user/USER: low +evasion/hijack_execution/LD_LIBRARY_PATH: low +exec/cmd: medium +exec/conditional/LANG: low +exec/dylib/address_check: low +exec/dylib/iterate: low +exec/dylib/symbol_address: medium +exec/plugin: low +exec/program: medium +exec/program/background: low +exec/shell/SHELL: low +exec/shell/command: medium +exfil/office_file_ext: medium +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/file/copy: medium +fs/file/delete: medium +fs/file/open: low +fs/file/rename: low +fs/file/times_set: medium +fs/file/truncate: low +fs/file/write: low +fs/link_read: low +fs/mounts_read: medium +fs/path/dev: medium +fs/path/etc: low +fs/path/root: medium +fs/path/usr_local: medium +fs/path/var: low +fs/permission/modify: medium +fs/proc/arbitrary_pid: medium +fs/proc/mounts: medium +fs/proc/stat: medium +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempfile: low +hw/iokit_registry: low +impact/remote_access/agent: medium +lateral/scan/tool: medium +net/dns/txt: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low 
+net/http/cookies: medium +net/http/form_upload: medium +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/ip: low +net/ip/connect: medium +net/ip/host_port: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/ip/resolve: low +net/ip/send_unicast: low +net/ip/string: medium +net/resolve/hostname: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/receive: low +net/socket/reuseport: medium +net/socket/send: low +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +process/multithreaded: low +sus/exclamation: medium +sus/intercept: medium +sus/leetspeak: medium diff --git a/tests/linux/clean/libgcj.so.17.simple b/tests/linux/clean/libgcj.so.17.simple index e69de29b..4a19eb23 100644 --- a/tests/linux/clean/libgcj.so.17.simple +++ b/tests/linux/clean/libgcj.so.17.simple 
@@ -0,0 +1,103 @@ +# linux/clean/libgcj.so.17: medium +3P/JPCERT/cobaltstrike_v3v4: medium +anti-behavior/random_behavior: low +c2/addr/ip: medium +c2/addr/url: low +c2/tool_transfer/os: medium +credential/password: low +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/public_key: low +crypto/tls: low +crypto/uuid: medium +data/compression/bzip2: low +data/compression/gzip: low +data/embedded/base64_terms: medium +data/embedded/base64_url: medium +data/embedded/html: medium +data/embedded/pem_certificate: low +data/encoding/base64: low +data/hash/md5: low +data/hash/sha1: low +data/hash/sha256: low +data/hash/whirlpool: medium +discover/network/interface_list: medium +discover/process/name: medium +discover/system/cpu: low +discover/system/hostname: low +discover/system/platform: low +discover/user/HOME: low +discover/user/USER: low +evasion/hijack_execution/LD_LIBRARY_PATH: low +exec/cmd: medium +exec/conditional/LANG: low +exec/dylib/address_check: low +exec/dylib/iterate: low +exec/dylib/symbol_address: medium +exec/plugin: low +exec/program: medium +exec/program/background: low +exec/shell/SHELL: low +exec/shell/command: medium +exfil/office_file_ext: medium +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/file/copy: medium +fs/file/delete: medium +fs/file/open: low +fs/file/rename: low +fs/file/times_set: medium +fs/file/truncate: low +fs/file/write: low +fs/link_read: low +fs/mounts_read: medium +fs/path/dev: medium +fs/path/etc: low +fs/path/root: medium +fs/path/usr_local: medium +fs/path/var: low +fs/permission/modify: medium +fs/proc/arbitrary_pid: medium +fs/proc/mounts: medium +fs/proc/stat: medium +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempfile: low +hw/iokit_registry: low +impact/remote_access/agent: medium +lateral/scan/tool: medium +net/dns/txt: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low 
+net/http/cookies: medium +net/http/form_upload: medium +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/ip: low +net/ip/connect: medium +net/ip/host_port: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/ip/resolve: low +net/ip/send_unicast: low +net/ip/string: medium +net/resolve/hostname: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/receive: low +net/socket/reuseport: medium +net/socket/send: low +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +process/multithreaded: low +sus/exclamation: medium +sus/intercept: medium +sus/leetspeak: medium diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple index e69de29b..afce3a92 100644 --- a/tests/linux/clean/melange.simple +++ b/tests/linux/clean/melange.simple 
@@ -0,0 +1,160 @@ +# linux/clean/melange: medium +anti-static/elf/multiple: medium +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/url: low +c2/client: medium +c2/refs: medium +c2/tool_transfer/arch: low +c2/tool_transfer/os: medium +collect/archives/tar_command: medium +collect/archives/zip: medium +collect/code/github_api: low +credential/cloud/g: medium +credential/keychain: medium +credential/password: low +credential/sniffer/bpf: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/openssl: medium +crypto/public_key: low +crypto/tls: low +data/base64/external: medium +data/compression/bzip2: low +data/compression/gzip: low +data/compression/lzma: low +data/compression/zlib: low +data/compression/zstd: low +data/embedded/html: medium +data/embedded/pem_certificate: low +data/embedded/ssh_signature: medium +data/embedded/zstd: medium +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/encoding/json_encode: low +data/hash/blake2b: low +data/hash/md5: low +discover/cloud/aws_metadata: low +discover/cloud/google_metadata: low +discover/cloud/google_storage: low +discover/network/interface_list: medium +discover/network/mac_address: medium +discover/network/netstat: medium +discover/processes/pgrep: medium +discover/system/cpu: low +discover/system/dmesg: low +discover/system/hostname: low +discover/system/platform: medium +discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +discover/user/name_get: medium +evasion/file/location/system_directory: medium +evasion/file/prefix: medium +evasion/hide_artifacts/pivot_root: medium +exec/cmd: medium +exec/install_additional/pip_install: medium +exec/plugin: low +exec/program: medium +exec/shell/TERM: low +exec/shell/background_sleep: medium +exec/shell/exec: medium +exec/shell/pipe_sh: medium +fs/blkid: low +fs/directory/create: low +fs/directory/list: 
low +fs/directory/remove: low +fs/fifo_create: low +fs/file/copy: medium +fs/file/create: medium +fs/file/delete: medium +fs/file/delete_forcibly: medium +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/write: low +fs/link_create: low +fs/link_read: low +fs/lock_update: low +fs/mount: low +fs/node_create: low +fs/path/bin_su: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home_config: low +fs/path/relative: medium +fs/path/root: medium +fs/path/usr_bin: low +fs/path/usr_local: medium +fs/path/usr_sbin: low +fs/path/var: low +fs/permission/chown: medium +fs/permission/modify: medium +fs/swap/off: low +fs/swap/on: low +fs/symlink_resolve: low +fs/tempdir/TEMP: low +fs/tempdir/create: low +fs/tempfile: low +fs/unmount: low +fs/watch: low +impact/remote_access/heartbeat: medium +impact/remote_access/kill_rm: medium +net/dns: low +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download: medium +net/download/fetch: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/ip: low +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/parse: medium +net/proxy/socks5: medium +net/proxy/tunnel: medium +net/resolve/hostname: low +net/resolve/hostport_parse: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +net/tcp/connect: medium +net/tcp/grpc: low +net/tcp/ssh: medium +net/udp/receive: low +net/udp/send: low +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +os/env/get: low +os/fd/sendfile: low +os/kernel/netlink: low +os/time/clock_set: low +persist/cron/tab: medium +privesc/setuid: low +process/chdir: low +process/chroot: low 
+process/groupid_set: low +process/multithreaded: low +process/unshare: low +sus/exclamation: medium +sus/intercept: medium diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple index e69de29b..9ef86ed4 100644 --- a/tests/linux/clean/mongosh.simple +++ b/tests/linux/clean/mongosh.simple 
@@ -0,0 +1,194 @@ +# linux/clean/mongosh: medium +anti-static/obfuscation/hex: medium +anti-static/obfuscation/obfuscate: low +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/server: medium +c2/addr/url: low +c2/client: medium +c2/discovery/ip_dns_resolver: medium +c2/tool_transfer/arch: low +c2/tool_transfer/os: medium +collect/archives/unarchive: medium +collect/databases/postgresql: medium +collect/databases/sqlite: medium +credential/cloud/aws: medium +credential/password: low +credential/sniffer/bpf: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ed25519: low +crypto/encrypt: medium +crypto/openssl: medium +crypto/public_key: low +crypto/tls: low +crypto/uuid: medium +data/base64/decode: medium +data/base64/encode: medium +data/compression/bzip2: low +data/compression/gzip: low +data/compression/lzma: low +data/compression/zlib: low +data/compression/zstd: low +data/embedded/base64_gzip: medium +data/embedded/base64_terms: medium +data/embedded/base64_url: medium +data/embedded/html: medium +data/embedded/pem_certificate: low +data/embedded/pem_private_key: medium +data/encoding/base64: low +data/encoding/json_decode: low +data/encoding/json_encode: low +data/hash/sha256: low +data/random/insecure: low +discover/cloud/aws_metadata: low +discover/cloud/google_metadata: low +discover/group/lookup: medium +discover/network/interface: low +discover/network/interface_list: medium +discover/network/mac_address: medium +discover/process/name: medium +discover/process/parent: low +discover/process/working_directory: low +discover/processes/list: medium +discover/system/hostname: low +discover/system/platform: medium +discover/system/sysinfo: medium +discover/user/APPDATA: low +discover/user/HOME: low +discover/user/USER: low +discover/user/USERPROFILE: medium +discover/user/info: medium +discover/user/name_get: low +evasion/file/prefix: medium +evasion/logging/acct: low +exec/cmd: medium 
+exec/conditional/LANG: low +exec/dylib/address_check: low +exec/dylib/iterate: low +exec/dylib/symbol_address: medium +exec/plugin: low +exec/program: medium +exec/program/background: low +exec/script/activex: medium +exec/script/osa: medium +exec/shell/SHELL: low +exec/shell/TERM: low +exec/shell/command: medium +exec/shell/echo: medium +exec/shell/exec: medium +exec/shell/pipe_sh: medium +exec/shell/power: medium +exec/system_controls/systemd: low +exec/tty/pathname: medium +exfil/office_file_ext: medium +exfil/stealer/credit_card: medium +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/file/capabilities_set: low +fs/file/copy: medium +fs/file/create: medium +fs/file/delete: medium +fs/file/delete_forcibly: low +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/stat: low +fs/file/times_set: medium +fs/file/truncate: low +fs/file/write: low +fs/link_read: low +fs/lock_update: low +fs/mount: low +fs/path/etc: low +fs/path/file_url: low +fs/path/home_library: low +fs/path/tmp: medium +fs/path/usr_bin: low +fs/permission/chown: medium +fs/permission/modify: medium +fs/proc/cpuinfo: medium +fs/proc/meminfo: medium +fs/proc/self_cgroup: medium +fs/proc/self_exe: medium +fs/proc/stat: medium +fs/symlink_resolve: low +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempdir/create: low +fs/tempfile: low +fs/watch: low +hw/cpu: medium +hw/wireless: low +impact/remote_access/heartbeat: medium +impact/remote_access/kill_rm: medium +lateral/scan/tool: medium +mem/anonymous_file: medium +net/dns: low +net/dns/over_https: medium +net/dns/reverse: medium +net/dns/txt: low +net/download: medium +net/download/fetch: medium +net/ftp: low +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/http/websocket: medium 
+net/ip/host_port: medium +net/ip/icmp: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/ip/resolve: low +net/ip/send_unicast: low +net/ip/spoof: medium +net/ip/string: medium +net/proxy/socks5: medium +net/proxy/tunnel: medium +net/resolve/hostname: low +net/resolve/hostport_parse: low +net/socket/connect: medium +net/socket/listen: medium +net/socket/local_addr: low +net/socket/pair: medium +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +net/tcp/ssh: medium +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +net/webrtc: medium +os/env/get: low +os/fd/read: low +os/fd/sendfile: low +os/fd/write: low +persist/daemon/detach: medium +privesc/setuid: low +process/chdir: low +process/chroot: low +process/create: low +process/groupid_set: low +process/groups_set: low +process/multithreaded: low +process/namespace_set: low +process/terminate: medium +process/terminate/taskkill: medium +sec-tool/net/nmap: medium +sus/compiler: medium +sus/exclamation: medium +sus/intercept: medium +sus/leetspeak: medium +sus/malicious: medium diff --git a/tests/linux/clean/opa.simple b/tests/linux/clean/opa.simple index e69de29b..86b5cdc8 100644 --- a/tests/linux/clean/opa.simple +++ b/tests/linux/clean/opa.simple 
@@ -0,0 +1,106 @@ +# linux/clean/opa: medium +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/url: low +c2/client: medium +c2/tool_transfer/arch: low +c2/tool_transfer/download: medium +c2/tool_transfer/os: medium +collect/archives/zip: medium +credential/password: low +credential/ssl/private_key: low +crypto/aes: low +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/public_key: low +crypto/tls: low +data/base64/decode: medium +data/base64/encode: medium +data/compression/gzip: low +data/compression/zstd: low +data/embedded/html: medium +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/encoding/json_encode: low +data/hash/md5: low +discover/cloud/aws_metadata: low +discover/cloud/google_metadata: low +discover/system/cpu: low +discover/system/hostname: low +discover/system/platform: medium +discover/system/sysinfo: medium +discover/user/USER: low +exec/cmd: medium +exec/plugin: low +exec/program: medium +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/file/copy: medium +fs/file/delete: low +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/stat: low +fs/file/times_set: low +fs/file/write: low +fs/link_read: low +fs/mount: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home_config: low +fs/path/relative: medium +fs/path/var: low +fs/permission/chown: medium +fs/permission/modify: medium +fs/proc/self_cgroup: medium +fs/proc/self_mountinfo: medium +fs/tempdir/TEMP: low +fs/tempfile: low +fs/watch: low +net/dns: low +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/ip/host_port: 
medium +net/ip/icmp: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/ip/send_unicast: low +net/resolve/hostname: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +net/tcp/connect: medium +net/tcp/grpc: low +net/udp/receive: low +net/udp/send: low +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +os/fd/sendfile: low +os/kernel/netlink: low +os/time/tzinfo: low +persist/pid_file: medium +process/chdir: low +process/groups_set: low +sus/exclamation: medium diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md index e69de29b..e4f1cb3c 100644 --- a/tests/linux/clean/pandoc.md +++ b/tests/linux/clean/pandoc.md @@ -0,0 +1,177 @@ +## linux/clean/pandoc [🛑 HIGH] + +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--|--|--|--| +| HIGH | [impact/exploit/overflow_shellcode](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/exploit/overflow-shellcode.yara#exploit) | Buffer overflow exploit | [address](https://github.com/search?q=address&type=code)
[offset](https://github.com/search?q=offset&type=code)
[padding](https://github.com/search?q=padding&type=code)
[shellcode](https://github.com/search?q=shellcode&type=code) | +| HIGH | [persist/shell/bash](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/shell/bash.yara#bash_persist_persistent) | acccesses multiple bash startup files | [.bash_login](https://github.com/search?q=.bash_login&type=code)
[.bash_profile](https://github.com/search?q=.bash_profile&type=code)
[.bashrc](https://github.com/search?q=.bashrc&type=code)
[.profile](https://github.com/search?q=.profile&type=code) | +| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bindPort](https://github.com/search?q=bindPort&type=code)
[blIp](https://github.com/search?q=blIp&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[client_port](https://github.com/search?q=client_port&type=code)
[config_port](https://github.com/search?q=config_port&type=code)
[curlopt_port](https://github.com/search?q=curlopt_port&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[domain_port](https://github.com/search?q=domain_port&type=code)
[eIp](https://github.com/search?q=eIp&type=code)
[ereghet_ip](https://github.com/search?q=ereghet_ip&type=code)
[framed_ip](https://github.com/search?q=framed_ip&type=code)
[ftp_port](https://github.com/search?q=ftp_port&type=code)
[gamhet_ip](https://github.com/search?q=gamhet_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[gomphet_ip](https://github.com/search?q=gomphet_ip&type=code)
[host_ip](https://github.com/search?q=host_ip&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[internal_ip](https://github.com/search?q=internal_ip&type=code)
[ipproto_ip](https://github.com/search?q=ipproto_ip&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lat_port](https://github.com/search?q=lat_port&type=code)
[lloghet_ip](https://github.com/search?q=lloghet_ip&type=code)
[lnormhet_ip](https://github.com/search?q=lnormhet_ip&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[local_port](https://github.com/search?q=local_port&type=code)
[login_ip](https://github.com/search?q=login_ip&type=code)
[mIp](https://github.com/search?q=mIp&type=code)
[nas_ip](https://github.com/search?q=nas_ip&type=code)
[nas_port](https://github.com/search?q=nas_port&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pg_port](https://github.com/search?q=pg_port&type=code)
[primary_ip](https://github.com/search?q=primary_ip&type=code)
[primary_port](https://github.com/search?q=primary_port&type=code)
[proxyPort](https://github.com/search?q=proxyPort&type=code)
[radius_port](https://github.com/search?q=radius_port&type=code)
[sam_port](https://github.com/search?q=sam_port&type=code)
[serverPort](https://github.com/search?q=serverPort&type=code)
[server_port](https://github.com/search?q=server_port&type=code)
[setPort](https://github.com/search?q=setPort&type=code)
[socketPort](https://github.com/search?q=socketPort&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[uriPort](https://github.com/search?q=uriPort&type=code)
[url_port](https://github.com/search?q=url_port&type=code)
[validate_ip](https://github.com/search?q=validate_ip&type=code)
[weibhet_ip](https://github.com/search?q=weibhet_ip&type=code)
[xIp](https://github.com/search?q=xIp&type=code) | +| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) | +| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code) | +| MEDIUM | [c2/discovery/dyndns](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/dyndns.yara#dynamic_dns_user) | uses dynamic DNS service | [dyndns](https://github.com/search?q=dyndns&type=code) | +| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | +| MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [unarchived](https://github.com/search?q=unarchived&type=code) | +| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [ZIP64](https://github.com/search?q=ZIP64&type=code) | +| MEDIUM | [collect/databases/mysql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/mysql.yara#mysql) | accesses MySQL databases | [mysql](https://github.com/search?q=mysql&type=code) | +| MEDIUM | [collect/databases/postgresql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/postgresql.yara#postgresql) | accesses PostgreSQL databases | [postgresql](https://github.com/search?q=postgresql&type=code) | +| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) | +| MEDIUM | [credential/server/htpasswd](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/server/htpasswd.yara#htpasswd) | Access .htpasswd files | [.htpasswd](https://github.com/search?q=.htpasswd&type=code) | +| MEDIUM | [credential/sniffer/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/sniffer/bpf.yara#sniffer_bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | +| MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | +| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | +| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [base64_encode](https://github.com/search?q=base64_encode&type=code) | +| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | +| MEDIUM | [data/hash/whirlpool](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/whirlpool.yara#whirlpool) | [hash function often used for cryptomining](https://en.wikipedia.org/wiki/Whirlpool_(hash_function)) | [WHIRLPOOL](https://github.com/search?q=WHIRLPOOL&type=code) | +| MEDIUM | [discover/group/lookup](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/group/lookup.yara#getgrent) | get entry from group database | [endgrent](https://github.com/search?q=endgrent&type=code)
[getgrent](https://github.com/search?q=getgrent&type=code)
[setgrent](https://github.com/search?q=setgrent&type=code) | +| MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) | +| MEDIUM | [discover/process/egid](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/egid.yara#php_getmygid) | returns the effective group id of the current process | [getmygid](https://github.com/search?q=getmygid&type=code) | +| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | +| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [systeminfo](https://github.com/search?q=systeminfo&type=code) | +| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) | +| MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [CmdForListBodyStartCmd](https://github.com/search?q=CmdForListBodyStartCmd&type=code)
[SystemziProcess_runCommand1_closure](https://github.com/search?q=SystemziProcess_runCommand1_closure&type=code)
[SystemziProcess_runCommand1_info](https://github.com/search?q=SystemziProcess_runCommand1_info&type=code)
[SystemziProcess_runCommand2_closure](https://github.com/search?q=SystemziProcess_runCommand2_closure&type=code)
[SystemziProcess_runCommand3_bytes](https://github.com/search?q=SystemziProcess_runCommand3_bytes&type=code)
[SystemziProcess_runCommand_closure](https://github.com/search?q=SystemziProcess_runCommand_closure&type=code)
[SystemziProcess_runCommand_info](https://github.com/search?q=SystemziProcess_runCommand_info&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code) | +| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | +| MEDIUM | [exec/shell/command](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/command.yara#system) | [execute a shell command](https://man7.org/linux/man-pages/man3/system.3.html) | [system](https://github.com/search?q=system&type=code) | +| MEDIUM | [exec/shell/exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#system_call) | executes a shell command | [system](https://github.com/search?q=system&type=code) | +| MEDIUM | [exec/shell/pipe_sh](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/pipe_sh.yara#pipe_to_shell) | pipes to shell | [| sh](https://github.com/search?q=%7C+sh&type=code) | +| MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershellcode](https://github.com/search?q=powershellcode&type=code) | +| MEDIUM | [exec/tty/pathname](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/pathname.yara#ttyname) | returns the pathname of a terminal device | [ttyname](https://github.com/search?q=ttyname&type=code) | +| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docm](https://github.com/search?q=docm&type=code)
[docx](https://github.com/search?q=docx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppam](https://github.com/search?q=ppam&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | +| MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy) | copy files using cp | [copyFile](https://github.com/search?q=copyFile&type=code) | +| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFile](https://github.com/search?q=CreateFile&type=code) | +| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFile](https://github.com/search?q=DeleteFile&type=code) | +| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utimes](https://github.com/search?q=utimes&type=code) | +| MEDIUM | [fs/mounts_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mounts-read.yara#mount_files) | [Parses active mounts (/etc/fstab, /etc/mtab)](https://linux.die.net/man/3/setmntent) | [/etc/mtab](https://github.com/search?q=%2Fetc%2Fmtab&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/lua_XXXXXX](https://github.com/search?q=%2Ftmp%2Flua_XXXXXX&type=code)
[/tmp/pandoc-20241005-4994-bp6ag1/pandoc-3.5/.brew_home/.local/state/c](https://github.com/search?q=%2Ftmp%2Fpandoc-20241005-4994-bp6ag1%2Fpandoc-3.5%2F.brew_home%2F.local%2Fstate%2Fc&type=code) | +| MEDIUM | [fs/path/usr_local](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-local.yara#usr_local_lib_path) | path reference within /usr/local/lib | [/usr/local/lib/lua/5.4/loadall.so](https://github.com/search?q=%2Fusr%2Flocal%2Flib%2Flua%2F5.4%2Floadall.so&type=code) | +| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | +| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/maps](https://github.com/search?q=%2Fproc%2F%25d%2Fmaps&type=code) | +| MEDIUM | [fs/proc/mounts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/mounts.yara#proc_mounts) | Parses active mounts (/proc/mounts | [/proc/mounts](https://github.com/search?q=%2Fproc%2Fmounts&type=code) | +| MEDIUM | [fs/proc/pid_maps](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-maps.yara#proc_maps) | access process memory maps | [/proc/%d/maps](https://github.com/search?q=%2Fproc%2F%25d%2Fmaps&type=code) | +| MEDIUM | [fs/proc/self_status](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-status.yara#proc_self_status) | gets status associated to this process, including capabilities | [/proc/self/status](https://github.com/search?q=%2Fproc%2Fself%2Fstatus&type=code) | +| MEDIUM | [impact/infection/worm](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/infection/worm.yara#worm) | References 'Worm' | [worm](https://github.com/search?q=worm&type=code) | +| MEDIUM | 
[impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [2_NetworkziTLSziExtension_decodeHeartBeat_closure](https://github.com/search?q=2_NetworkziTLSziExtension_decodeHeartBeat_closure&type=code)
[2_NetworkziTLSziExtension_decodeHeartBeat_info](https://github.com/search?q=2_NetworkziTLSziExtension_decodeHeartBeat_info&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat1_closur](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat1_closur&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat2_closur](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat2_closur&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat3_bytes](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat3_bytes&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode1_cl](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode1_cl&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode2_cl](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode2_cl&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode3_by](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode3_by&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeatMode_clo](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeatMode_clo&type=code)
[2_NetworkziTLSziExtension_zdtczqHeartBeat_closure](https://github.com/search?q=2_NetworkziTLSziExtension_zdtczqHeartBeat_closure&type=code)
[72_NetworkziTLSziExtension_zdfEqHeartBeatMode_clo](https://github.com/search?q=72_NetworkziTLSziExtension_zdfEqHeartBeatMode_clo&type=code)
[72_NetworkziTLSziExtension_zdfEqHeartBeat_closure](https://github.com/search?q=72_NetworkziTLSziExtension_zdfEqHeartBeat_closure&type=code)
[72_NetworkziTLSziStruct_zdbEIDzuHeartbeat1_closur](https://github.com/search?q=72_NetworkziTLSziStruct_zdbEIDzuHeartbeat1_closur&type=code)
[72_NetworkziTLSziStruct_zdbEIDzuHeartbeat_closure](https://github.com/search?q=72_NetworkziTLSziStruct_zdbEIDzuHeartbeat_closure&type=code)
[72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_closure](https://github.com/search?q=72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_closure&type=code)
[72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_info](https://github.com/search?q=72_NetworkziTLSziStruct_zdmEIDzuHeartbeat_info&type=code)
[8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerAl](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerAl&type=code)
[8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerNo](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdbHeartBeatzuPeerNo&type=code)
[8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerAl](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerAl&type=code)
[8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerNo](https://github.com/search?q=8f72_NetworkziTLSziExtension_zdmHeartBeatzuPeerNo&type=code)
[HeartBeat_PeerAll](https://github.com/search?q=HeartBeat_PeerAll&type=code)
[HeartBeat_PeerNot](https://github.com/search?q=HeartBeat_PeerNot&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat1_closur](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat1_closur&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat1_info](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat1_info&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat2_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat2_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat3_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat3_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat4_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat4_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat5_bytes](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat5_bytes&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode1_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode1_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode1_in](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode1_in&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode2_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode2_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode3_cl](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode3_cl&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatMode_clo](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatMode_clo&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatModezuzd](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatModezuzd&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeat_closure](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeat_closure&type=code)
[_NetworkziTLSziExtension_zdfShowHeartBeatzuzdcsho](https://github.com/search?q=_NetworkziTLSziExtension_zdfShowHeartBeatzuzdcsho&type=code)
[_NetworkziTLSziExtension_zdfldZCHeartBeatModeZCfr](https://github.com/search?q=_NetworkziTLSziExtension_zdfldZCHeartBeatModeZCfr&type=code)
[extensionDecode: HeartBeat](https://github.com/search?q=extensionDecode%3A+HeartBeat&type=code)
[f72_NetworkziTLSziExtension_fromHeartBeatMode1_cl](https://github.com/search?q=f72_NetworkziTLSziExtension_fromHeartBeatMode1_cl&type=code)
[f72_NetworkziTLSziExtension_fromHeartBeatMode1_in](https://github.com/search?q=f72_NetworkziTLSziExtension_fromHeartBeatMode1_in&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat1_closur](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat1_closur&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat2_bytes](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat2_bytes&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode1_cl](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode1_cl&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode2_by](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode2_by&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeatMode_clo](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeatMode_clo&type=code)
[f72_NetworkziTLSziExtension_zdtcHeartBeat_closure](https://github.com/search?q=f72_NetworkziTLSziExtension_zdtcHeartBeat_closure&type=code)
[heartbeat](https://github.com/search?q=heartbeat&type=code)
[nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_clo](https://github.com/search?q=nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_clo&type=code)
[nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_inf](https://github.com/search?q=nsion_zdfldZCHeartBeatModeZCfromHeartBeatMode_inf&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat1_closur](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat1_closur&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat1_info](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat1_info&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat2_closur](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat2_closur&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat2_info](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat2_info&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeat_closure](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeat_closure&type=code)
[orkziTLSziExtension_zdfExtensionHeartBeatzuzdcext](https://github.com/search?q=orkziTLSziExtension_zdfExtensionHeartBeatzuzdcext&type=code) | +| MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | +| MEDIUM | [net/email/exotic_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/email/exotic_addr.yara#exotic_email_addr) | Contains an exotic email address | [bastianholst@gmx.de](https://github.com/search?q=bastianholst%40gmx.de&type=code)
[chris_hormann@gmx.de](https://github.com/search?q=chris_hormann%40gmx.de&type=code)
[langstefan@gmx.at](https://github.com/search?q=langstefan%40gmx.at&type=code)
[views@gmx.de](https://github.com/search?q=views%40gmx.de&type=code)
[zerokode@gmx.net](https://github.com/search?q=zerokode%40gmx.net&type=code) | +| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | +| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP_COOKIE](https://github.com/search?q=HTTP_COOKIE&type=code)
[http_cookie](https://github.com/search?q=http_cookie&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type: text/x](https://github.com/search?q=Content-Type%3A+text%2Fx&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [QWebSocketCorsAuthenticator](https://github.com/search?q=QWebSocketCorsAuthenticator&type=code)
[QWebSocketHandshakeOptions](https://github.com/search?q=QWebSocketHandshakeOptions&type=code)
[QWebSocketServer](https://github.com/search?q=QWebSocketServer&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code) | +| MEDIUM | [net/ip/byte_order](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-byte-order.yara#htonl) | convert values between host and network byte order | [htonl](https://github.com/search?q=htonl&type=code)
[htons](https://github.com/search?q=htons&type=code)
[ntohs](https://github.com/search?q=ntohs&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#hostname_port) | connects to an arbitrary hostname:port | [hostname](https://github.com/search?q=hostname&type=code)
[port](https://github.com/search?q=port&type=code) | +| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping frame](https://github.com/search?q=ping+frame&type=code) | +| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | +| MEDIUM | [net/ip/spoof](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/spoof.yara#spoof) | references spoofing | [Spoofchecker](https://github.com/search?q=Spoofchecker&type=code)
[spoofchecker](https://github.com/search?q=spoofchecker&type=code) | +| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code)
[inet_ntop](https://github.com/search?q=inet_ntop&type=code) | +| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [.Socks5](https://github.com/search?q=.Socks5&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | +| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | +| MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [NTLM](https://github.com/search?q=NTLM&type=code)
[ntlm](https://github.com/search?q=ntlm&type=code) | +| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-connect.yara#connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [connect](https://github.com/search?q=connect&type=code) | +| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | +| MEDIUM | [net/socket/raw](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/raw.yara#raw_sockets) | [send raw and/or malformed IP packets](https://man7.org/linux/man-pages/man7/raw.7.html) | [IPPROTO_RAW](https://github.com/search?q=IPPROTO_RAW&type=code)
[SOCK_RAW](https://github.com/search?q=SOCK_RAW&type=code) | +| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code)
[SO_REUSEPORT](https://github.com/search?q=SO_REUSEPORT&type=code) | +| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) | +| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [http://www.fictionbook.org/index.php](http://www.fictionbook.org/index.php) | +| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | +| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [openURL](https://github.com/search?q=openURL&type=code) | +| MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | +| MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | +| MEDIUM | [persist/cron/tab](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/cron/tab.yara#crontab_support) | lists crontab entries, may also persist | [crontab](https://github.com/search?q=crontab&type=code) | +| MEDIUM | [persist/kernel_module/unload](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/unload.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) | +| MEDIUM | 
[persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [PidFile](https://github.com/search?q=PidFile&type=code) | +| MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) | +| MEDIUM | [sec-tool/net/nmap](https://github.com/chainguard-dev/malcontent/blob/main/rules/sec-tool/net/nmap.yara#nmap) | nmap (network map) port scanner | [nmap](https://github.com/search?q=nmap&type=code) | +| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercept](https://github.com/search?q=intercept&type=code) | +| LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscatedFont](https://github.com/search?q=obfuscatedFont&type=code)
[obfuscates](https://github.com/search?q=obfuscates&type=code) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [amd64](https://github.com/search?q=amd64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [ADDefaultDomainPasswordPolicy](https://github.com/search?q=ADDefaultDomainPasswordPolicy&type=code)
[ADFineGrainedPasswordPolicySubject](https://github.com/search?q=ADFineGrainedPasswordPolicySubject&type=code)
[ADServiceAccountPassword](https://github.com/search?q=ADServiceAccountPassword&type=code)
[ADUserResultantPasswordPolicy](https://github.com/search?q=ADUserResultantPasswordPolicy&type=code)
[AuthLDAPBindPassword](https://github.com/search?q=AuthLDAPBindPassword&type=code)
[BadPassword_con_info](https://github.com/search?q=BadPassword_con_info&type=code)
[BasicPasswordFieldUI](https://github.com/search?q=BasicPasswordFieldUI&type=code)
[ComputerMachinePassword](https://github.com/search?q=ComputerMachinePassword&type=code)
[JPasswordField](https://github.com/search?q=JPasswordField&type=code)
[PasswordAuthentication](https://github.com/search?q=PasswordAuthentication&type=code)
[PasswordCallback](https://github.com/search?q=PasswordCallback&type=code)
[PasswordCredential](https://github.com/search?q=PasswordCredential&type=code)
[PasswordProtection](https://github.com/search?q=PasswordProtection&type=code)
[PasswordView](https://github.com/search?q=PasswordView&type=code)
[Set-ADAccountPassword](https://github.com/search?q=Set-ADAccountPassword&type=code)
[addefaultdomainpasswordpolicy](https://github.com/search?q=addefaultdomainpasswordpolicy&type=code)
[adfinegrainedpasswordpolicysubject](https://github.com/search?q=adfinegrainedpasswordpolicysubject&type=code)
[adserviceaccountpassword](https://github.com/search?q=adserviceaccountpassword&type=code)
[aduserresultantpasswordpolicy](https://github.com/search?q=aduserresultantpasswordpolicy&type=code)
[authldapbindpassword](https://github.com/search?q=authldapbindpassword&type=code)
[computermachinepassword](https://github.com/search?q=computermachinepassword&type=code)
[curle_bad_password_entered](https://github.com/search?q=curle_bad_password_entered&type=code)
[curle_ftp_user_password_incorrect](https://github.com/search?q=curle_ftp_user_password_incorrect&type=code)
[curlssh_auth_password](https://github.com/search?q=curlssh_auth_password&type=code)
[dont_store_passwords](https://github.com/search?q=dont_store_passwords&type=code)
[fbsql_database_password](https://github.com/search?q=fbsql_database_password&type=code)
[fbsql_password](https://github.com/search?q=fbsql_password&type=code)
[fbsql_set_password](https://github.com/search?q=fbsql_set_password&type=code)
[groupPassword](https://github.com/search?q=groupPassword&type=code)
[init_with_password](https://github.com/search?q=init_with_password&type=code)
[ldap_control_passwordpolicyrequest](https://github.com/search?q=ldap_control_passwordpolicyrequest&type=code)
[ldap_control_passwordpolicyresponse](https://github.com/search?q=ldap_control_passwordpolicyresponse&type=code)
[newt_flag_password](https://github.com/search?q=newt_flag_password&type=code)
[oci_password_change](https://github.com/search?q=oci_password_change&type=code)
[param_default_password](https://github.com/search?q=param_default_password&type=code)
[password for entry](https://github.com/search?q=password+for+entry&type=code)
[password_bcrypt](https://github.com/search?q=password_bcrypt&type=code)
[password_default](https://github.com/search?q=password_default&type=code)
[password_field_tag](https://github.com/search?q=password_field_tag&type=code)
[password_get_info](https://github.com/search?q=password_get_info&type=code)
[password_grace_time](https://github.com/search?q=password_grace_time&type=code)
[password_hash](https://github.com/search?q=password_hash&type=code)
[password_life_time](https://github.com/search?q=password_life_time&type=code)
[password_lock_time](https://github.com/search?q=password_lock_time&type=code)
[password_needs_rehash](https://github.com/search?q=password_needs_rehash&type=code)
[password_reuse_max](https://github.com/search?q=password_reuse_max&type=code)
[password_reuse_time](https://github.com/search?q=password_reuse_time&type=code)
[password_verify_function](https://github.com/search?q=password_verify_function&type=code)
[proxy_tlsauth_password](https://github.com/search?q=proxy_tlsauth_password&type=code)
[radius_chap_password](https://github.com/search?q=radius_chap_password&type=code)
[radius_user_password](https://github.com/search?q=radius_user_password&type=code)
[sam_password](https://github.com/search?q=sam_password&type=code)
[set-adaccountpassword](https://github.com/search?q=set-adaccountpassword&type=code)
[swftextfield_password](https://github.com/search?q=swftextfield_password&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[zdtczqBadPassword_closure](https://github.com/search?q=zdtczqBadPassword_closure&type=code) | +| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[private_key](https://github.com/search?q=private_key&type=code)
[privatekey](https://github.com/search?q=privatekey&type=code) | +| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[aes_256_cbc](https://github.com/search?q=aes_256_cbc&type=code)
[aes_encrypt](https://github.com/search?q=aes_encrypt&type=code) | +| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [28AES128zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES128zuzdcxtsDecrypt_closure&type=code)
[28AES128zuzdcxtsDecrypt_info](https://github.com/search?q=28AES128zuzdcxtsDecrypt_info&type=code)
[28AES192zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES192zuzdcxtsDecrypt_closure&type=code)
[28AES192zuzdcxtsDecrypt_info](https://github.com/search?q=28AES192zuzdcxtsDecrypt_info&type=code)
[28AES256zuzdcxtsDecrypt_closure](https://github.com/search?q=28AES256zuzdcxtsDecrypt_closure&type=code)
[28AES256zuzdcxtsDecrypt_info](https://github.com/search?q=28AES256zuzdcxtsDecrypt_info&type=code)
[Primitive_zdwccmDecrypt_closure](https://github.com/search?q=Primitive_zdwccmDecrypt_closure&type=code)
[Primitive_zdwccmDecrypt_info](https://github.com/search?q=Primitive_zdwccmDecrypt_info&type=code)
[TLSziCipher_BulkDecrypt_closure](https://github.com/search?q=TLSziCipher_BulkDecrypt_closure&type=code)
[TLSziCipher_BulkDecrypt_con_info](https://github.com/search?q=TLSziCipher_BulkDecrypt_con_info&type=code)
[TypesziAEAD_aeadDecrypt_closure](https://github.com/search?q=TypesziAEAD_aeadDecrypt_closure&type=code)
[TypesziAEAD_aeadDecrypt_info](https://github.com/search?q=TypesziAEAD_aeadDecrypt_info&type=code)
[TypesziBlock_cbcDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_cbcDecryptGeneric_closure&type=code)
[TypesziBlock_cbcDecryptGeneric_info](https://github.com/search?q=TypesziBlock_cbcDecryptGeneric_info&type=code)
[TypesziBlock_cbcDecrypt_closure](https://github.com/search?q=TypesziBlock_cbcDecrypt_closure&type=code)
[TypesziBlock_cbcDecrypt_info](https://github.com/search?q=TypesziBlock_cbcDecrypt_info&type=code)
[TypesziBlock_cfbDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_cfbDecryptGeneric_closure&type=code)
[TypesziBlock_cfbDecryptGeneric_info](https://github.com/search?q=TypesziBlock_cfbDecryptGeneric_info&type=code)
[TypesziBlock_cfbDecrypt_closure](https://github.com/search?q=TypesziBlock_cfbDecrypt_closure&type=code)
[TypesziBlock_cfbDecrypt_info](https://github.com/search?q=TypesziBlock_cfbDecrypt_info&type=code)
[TypesziBlock_ecbDecrypt_closure](https://github.com/search?q=TypesziBlock_ecbDecrypt_closure&type=code)
[TypesziBlock_ecbDecrypt_info](https://github.com/search?q=TypesziBlock_ecbDecrypt_info&type=code)
[TypesziBlock_xtsDecryptGeneric_closure](https://github.com/search?q=TypesziBlock_xtsDecryptGeneric_closure&type=code)
[TypesziBlock_xtsDecryptGeneric_info](https://github.com/search?q=TypesziBlock_xtsDecryptGeneric_info&type=code)
[TypesziBlock_xtsDecrypt_closure](https://github.com/search?q=TypesziBlock_xtsDecrypt_closure&type=code)
[TypesziBlock_xtsDecrypt_info](https://github.com/search?q=TypesziBlock_xtsDecrypt_info&type=code)
[deImplZCaeadImplDecrypt_closure](https://github.com/search?q=deImplZCaeadImplDecrypt_closure&type=code)
[deImplZCaeadImplDecrypt_info](https://github.com/search?q=deImplZCaeadImplDecrypt_info&type=code)
[edentialsFindForDecrypting_closure](https://github.com/search?q=edentialsFindForDecrypting_closure&type=code)
[edentialsFindForDecrypting_info](https://github.com/search?q=edentialsFindForDecrypting_info&type=code)
[edentialsFindForDecryptingzugo1_closure](https://github.com/search?q=edentialsFindForDecryptingzugo1_closure&type=code)
[edentialsFindForDecryptingzugo1_info](https://github.com/search?q=edentialsFindForDecryptingzugo1_info&type=code)
[erAES128zuzdccbcDecrypt_closure](https://github.com/search?q=erAES128zuzdccbcDecrypt_closure&type=code)
[erAES128zuzdccbcDecrypt_info](https://github.com/search?q=erAES128zuzdccbcDecrypt_info&type=code)
[erAES128zuzdccfbDecrypt_closure](https://github.com/search?q=erAES128zuzdccfbDecrypt_closure&type=code)
[erAES128zuzdccfbDecrypt_info](https://github.com/search?q=erAES128zuzdccfbDecrypt_info&type=code)
[erAES192zuzdccbcDecrypt_closure](https://github.com/search?q=erAES192zuzdccbcDecrypt_closure&type=code)
[erAES192zuzdccbcDecrypt_info](https://github.com/search?q=erAES192zuzdccbcDecrypt_info&type=code)
[erAES192zuzdccfbDecrypt_closure](https://github.com/search?q=erAES192zuzdccfbDecrypt_closure&type=code)
[erAES192zuzdccfbDecrypt_info](https://github.com/search?q=erAES192zuzdccfbDecrypt_info&type=code)
[erAES256zuzdccbcDecrypt_closure](https://github.com/search?q=erAES256zuzdccbcDecrypt_closure&type=code)
[erAES256zuzdccbcDecrypt_info](https://github.com/search?q=erAES256zuzdccbcDecrypt_info&type=code)
[erAES256zuzdccfbDecrypt_closure](https://github.com/search?q=erAES256zuzdccfbDecrypt_closure&type=code)
[erAES256zuzdccfbDecrypt_info](https://github.com/search?q=erAES256zuzdccfbDecrypt_info&type=code)
[eyziECIES_deriveDecrypt_closure](https://github.com/search?q=eyziECIES_deriveDecrypt_closure&type=code)
[eyziECIES_deriveDecrypt_info](https://github.com/search?q=eyziECIES_deriveDecrypt_info&type=code)
[iAEAD_aeadSimpleDecrypt_closure](https://github.com/search?q=iAEAD_aeadSimpleDecrypt_closure&type=code)
[iAEAD_aeadSimpleDecrypt_info](https://github.com/search?q=iAEAD_aeadSimpleDecrypt_info&type=code)
[iTLSziStruct_zdbDecryptError1_closure](https://github.com/search?q=iTLSziStruct_zdbDecryptError1_closure&type=code)
[iTLSziStruct_zdbDecryptError_closure](https://github.com/search?q=iTLSziStruct_zdbDecryptError_closure&type=code)
[iTLSziStruct_zdbDecryptionFailed1_closu](https://github.com/search?q=iTLSziStruct_zdbDecryptionFailed1_closu&type=code)
[iTLSziStruct_zdbDecryptionFailed_closur](https://github.com/search?q=iTLSziStruct_zdbDecryptionFailed_closur&type=code)
[iTLSziStruct_zdmDecryptError_closure](https://github.com/search?q=iTLSziStruct_zdmDecryptError_closure&type=code)
[iTLSziStruct_zdmDecryptError_info](https://github.com/search?q=iTLSziStruct_zdmDecryptError_info&type=code)
[iTLSziStruct_zdmDecryptionFailed_closur](https://github.com/search?q=iTLSziStruct_zdmDecryptionFailed_closur&type=code)
[iTLSziStruct_zdmDecryptionFailed_info](https://github.com/search?q=iTLSziStruct_zdmDecryptionFailed_info&type=code)
[ipherAESzuzdccfbDecrypt_closure](https://github.com/search?q=ipherAESzuzdccfbDecrypt_closure&type=code)
[ipherAESzuzdccfbDecrypt_info](https://github.com/search?q=ipherAESzuzdccfbDecrypt_info&type=code)
[ipher_zdtczqBulkDecrypt1_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt1_closure&type=code)
[ipher_zdtczqBulkDecrypt2_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt2_closure&type=code)
[ipher_zdtczqBulkDecrypt3_bytes](https://github.com/search?q=ipher_zdtczqBulkDecrypt3_bytes&type=code)
[ipher_zdtczqBulkDecrypt_closure](https://github.com/search?q=ipher_zdtczqBulkDecrypt_closure&type=code)
[ive_zdwgcmAppendDecrypt_closure](https://github.com/search?q=ive_zdwgcmAppendDecrypt_closure&type=code)
[ive_zdwgcmAppendDecrypt_info](https://github.com/search?q=ive_zdwgcmAppendDecrypt_info&type=code)
[ive_zdwocbAppendDecrypt_closure](https://github.com/search?q=ive_zdwocbAppendDecrypt_closure&type=code)
[ive_zdwocbAppendDecrypt_info](https://github.com/search?q=ive_zdwocbAppendDecrypt_info&type=code)
[iveziZZip_pkwareDecryptByte_closure](https://github.com/search?q=iveziZZip_pkwareDecryptByte_closure&type=code)
[iveziZZip_pkwareDecryptByte_info](https://github.com/search?q=iveziZZip_pkwareDecryptByte_info&type=code)
[sziBlock_zddmcbcDecrypt_closure](https://github.com/search?q=sziBlock_zddmcbcDecrypt_closure&type=code)
[sziBlock_zddmcbcDecrypt_info](https://github.com/search?q=sziBlock_zddmcbcDecrypt_info&type=code)
[sziBlock_zddmcfbDecrypt_closure](https://github.com/search?q=sziBlock_zddmcfbDecrypt_closure&type=code)
[sziBlock_zddmcfbDecrypt_info](https://github.com/search?q=sziBlock_zddmcfbDecrypt_info&type=code)
[sziBlock_zddmxtsDecrypt10_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt10_closure&type=code)
[sziBlock_zddmxtsDecrypt11_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt11_bytes&type=code)
[sziBlock_zddmxtsDecrypt12_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt12_closure&type=code)
[sziBlock_zddmxtsDecrypt13_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt13_bytes&type=code)
[sziBlock_zddmxtsDecrypt1_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt1_closure&type=code)
[sziBlock_zddmxtsDecrypt2_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt2_closure&type=code)
[sziBlock_zddmxtsDecrypt3_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt3_closure&type=code)
[sziBlock_zddmxtsDecrypt4_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt4_closure&type=code)
[sziBlock_zddmxtsDecrypt5_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt5_closure&type=code)
[sziBlock_zddmxtsDecrypt6_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt6_closure&type=code)
[sziBlock_zddmxtsDecrypt7_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt7_bytes&type=code)
[sziBlock_zddmxtsDecrypt8_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt8_closure&type=code)
[sziBlock_zddmxtsDecrypt9_bytes](https://github.com/search?q=sziBlock_zddmxtsDecrypt9_bytes&type=code)
[sziBlock_zddmxtsDecrypt_closure](https://github.com/search?q=sziBlock_zddmxtsDecrypt_closure&type=code)
[sziBlock_zddmxtsDecrypt_info](https://github.com/search?q=sziBlock_zddmxtsDecrypt_info&type=code)
[ziTLSziCrypto_kxDecrypt1_closure](https://github.com/search?q=ziTLSziCrypto_kxDecrypt1_closure&type=code)
[ziTLSziCrypto_kxDecrypt_closure](https://github.com/search?q=ziTLSziCrypto_kxDecrypt_closure&type=code)
[ziTLSziCrypto_kxDecrypt_info](https://github.com/search?q=ziTLSziCrypto_kxDecrypt_info&type=code) | +| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | +| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | +| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code) | +| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | +| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | +| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | +| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | +| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [zstd](https://github.com/search?q=zstd&type=code) | +| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | +| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [MD5_MD5_closure_tbl](https://github.com/search?q=MD5_MD5_closure_tbl&type=code)
[MD5_MD5_con_info](https://github.com/search?q=MD5_MD5_con_info&type=code)
[MD5_czumd5zufinalizz](https://github.com/search?q=MD5_czumd5zufinalizz&type=code)
[MD5_czumd5zuinit_clo](https://github.com/search?q=MD5_czumd5zuinit_clo&type=code)
[MD5_czumd5zuinit_inf](https://github.com/search?q=MD5_czumd5zuinit_inf&type=code)
[MD5_czumd5zuupdate_c](https://github.com/search?q=MD5_czumd5zuupdate_c&type=code)
[MD5_czumd5zuupdate_i](https://github.com/search?q=MD5_czumd5zuupdate_i&type=code)
[MD5_info](https://github.com/search?q=MD5_info&type=code)
[MD5_str](https://github.com/search?q=MD5_str&type=code)
[MD5_zdfDataMD10_clos](https://github.com/search?q=MD5_zdfDataMD10_clos&type=code)
[MD5_zdfDataMD11_byte](https://github.com/search?q=MD5_zdfDataMD11_byte&type=code)
[MD5_zdfDataMD12_clos](https://github.com/search?q=MD5_zdfDataMD12_clos&type=code)
[MD5_zdfDataMD12_info](https://github.com/search?q=MD5_zdfDataMD12_info&type=code)
[MD5_zdfDataMD1_closu](https://github.com/search?q=MD5_zdfDataMD1_closu&type=code)
[MD5_zdfDataMD2_closu](https://github.com/search?q=MD5_zdfDataMD2_closu&type=code)
[MD5_zdfDataMD2_info](https://github.com/search?q=MD5_zdfDataMD2_info&type=code)
[MD5_zdfDataMD3_closu](https://github.com/search?q=MD5_zdfDataMD3_closu&type=code)
[MD5_zdfDataMD3_info](https://github.com/search?q=MD5_zdfDataMD3_info&type=code)
[MD5_zdfDataMD4_closu](https://github.com/search?q=MD5_zdfDataMD4_closu&type=code)
[MD5_zdfDataMD4_info](https://github.com/search?q=MD5_zdfDataMD4_info&type=code)
[MD5_zdfDataMD5_closu](https://github.com/search?q=MD5_zdfDataMD5_closu&type=code)
[MD5_zdfDataMD5zuzdcd](https://github.com/search?q=MD5_zdfDataMD5zuzdcd&type=code)
[MD5_zdfDataMD5zuzdcg](https://github.com/search?q=MD5_zdfDataMD5zuzdcg&type=code)
[MD5_zdfDataMD5zuzdct](https://github.com/search?q=MD5_zdfDataMD5zuzdct&type=code)
[MD5_zdfDataMD6_closu](https://github.com/search?q=MD5_zdfDataMD6_closu&type=code)
[MD5_zdfDataMD7_closu](https://github.com/search?q=MD5_zdfDataMD7_closu&type=code)
[MD5_zdfDataMD8_closu](https://github.com/search?q=MD5_zdfDataMD8_closu&type=code)
[MD5_zdfDataMD9_closu](https://github.com/search?q=MD5_zdfDataMD9_closu&type=code)
[MD5_zdfHashAlgorithm](https://github.com/search?q=MD5_zdfHashAlgorithm&type=code)
[MD5_zdfShowMD1_closu](https://github.com/search?q=MD5_zdfShowMD1_closu&type=code)
[MD5_zdfShowMD1_info](https://github.com/search?q=MD5_zdfShowMD1_info&type=code)
[MD5_zdfShowMD2_closu](https://github.com/search?q=MD5_zdfShowMD2_closu&type=code)
[MD5_zdfShowMD5_closu](https://github.com/search?q=MD5_zdfShowMD5_closu&type=code)
[MD5_zdfShowMD5zuzdcs](https://github.com/search?q=MD5_zdfShowMD5zuzdcs&type=code)
[MD5_zdtcMD1_closure](https://github.com/search?q=MD5_zdtcMD1_closure&type=code)
[MD5_zdtcMD2_bytes](https://github.com/search?q=MD5_zdtcMD2_bytes&type=code)
[MD5_zdtcMD5_closure](https://github.com/search?q=MD5_zdtcMD5_closure&type=code)
[MD5_zdtczqMD1_closur](https://github.com/search?q=MD5_zdtczqMD1_closur&type=code)
[MD5_zdtczqMD2_closur](https://github.com/search?q=MD5_zdtczqMD2_closur&type=code)
[MD5_zdtczqMD3_bytes](https://github.com/search?q=MD5_zdtczqMD3_bytes&type=code)
[MD5_zdtczqMD5_closur](https://github.com/search?q=MD5_zdtczqMD5_closur&type=code)
[MD5_zdtrModule1_clos](https://github.com/search?q=MD5_zdtrModule1_clos&type=code)
[MD5_zdtrModule2_byte](https://github.com/search?q=MD5_zdtrModule2_byte&type=code)
[MD5_zdtrModule3_clos](https://github.com/search?q=MD5_zdtrModule3_clos&type=code)
[MD5_zdtrModule4_byte](https://github.com/search?q=MD5_zdtrModule4_byte&type=code)
[MD5_zdtrModule_closu](https://github.com/search?q=MD5_zdtrModule_closu&type=code)
[MD5_zdwzdcgmapMo_clo](https://github.com/search?q=MD5_zdwzdcgmapMo_clo&type=code)
[MD5_zdwzdcgmapMo_inf](https://github.com/search?q=MD5_zdwzdcgmapMo_inf&type=code)
[MD5_zdwzdcgmapMp_clo](https://github.com/search?q=MD5_zdwzdcgmapMp_clo&type=code)
[MD5_zdwzdcgmapMp_inf](https://github.com/search?q=MD5_zdwzdcgmapMp_inf&type=code) | +| LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | +| LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | +| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | +| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | +| LOW | [discover/system/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) | +| LOW | [discover/system/dmesg](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/dmesg.yara#dmesg) | accesses the kernel log ring buffer | [dmesg](https://github.com/search?q=dmesg&type=code) | +| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| LOW | [discover/system/machine_id](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/machine_id.yara#machineid) | Gets a unique machineid for the host | [machineid](https://github.com/search?q=machineid&type=code) | +| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | +| LOW | [discover/user/APPDATA](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/APPDATA.yara#APPDATA) | Looks up the application data directory for the current user | [APPDATA](https://github.com/search?q=APPDATA&type=code) | +| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the 
current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) | +| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | +| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Plugin_Abstract](https://github.com/search?q=Plugin_Abstract&type=code)
[QAccessiblePlugin](https://github.com/search?q=QAccessiblePlugin&type=code)
[QAudioSystemPlugin](https://github.com/search?q=QAudioSystemPlugin&type=code)
[QGenericPluginFactory](https://github.com/search?q=QGenericPluginFactory&type=code)
[QIconEnginePlugin](https://github.com/search?q=QIconEnginePlugin&type=code)
[QImageIOPlugin](https://github.com/search?q=QImageIOPlugin&type=code)
[QMediaServiceProviderPlugin](https://github.com/search?q=QMediaServiceProviderPlugin&type=code)
[QPictureFormatPlugin](https://github.com/search?q=QPictureFormatPlugin&type=code)
[QPluginLoader](https://github.com/search?q=QPluginLoader&type=code)
[QQmlEngineExtensionPlugin](https://github.com/search?q=QQmlEngineExtensionPlugin&type=code)
[QQmlExtensionPlugin](https://github.com/search?q=QQmlExtensionPlugin&type=code)
[QScriptExtensionPlugin](https://github.com/search?q=QScriptExtensionPlugin&type=code)
[QSqlDriverPlugin](https://github.com/search?q=QSqlDriverPlugin&type=code)
[QStaticPlugin](https://github.com/search?q=QStaticPlugin&type=code)
[QStylePlugin](https://github.com/search?q=QStylePlugin&type=code)
[QTextToSpeechPlugin](https://github.com/search?q=QTextToSpeechPlugin&type=code)
[QVirtualKeyboardExtensionPlugin](https://github.com/search?q=QVirtualKeyboardExtensionPlugin&type=code)
[addCorePlugin_closure](https://github.com/search?q=addCorePlugin_closure&type=code)
[addCorePlugin_info](https://github.com/search?q=addCorePlugin_info&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[js plugins](https://github.com/search?q=js+plugins&type=code)
[msession_plugin](https://github.com/search?q=msession_plugin&type=code)
[mysqlnd_uh_server_option_plugin_dir](https://github.com/search?q=mysqlnd_uh_server_option_plugin_dir&type=code)
[plugin_abstract](https://github.com/search?q=plugin_abstract&type=code)
[plugin_path](https://github.com/search?q=plugin_path&type=code)
[qAddCorePlugin_closure](https://github.com/search?q=qAddCorePlugin_closure&type=code)
[qAddCorePlugin_info](https://github.com/search?q=qAddCorePlugin_info&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | +| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectory](https://github.com/search?q=CreateDirectory&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | +| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [removeDirectory](https://github.com/search?q=removeDirectory&type=code)
[rmdir](https://github.com/search?q=rmdir&type=code) | +| LOW | [fs/fifo_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/fifo-create.yara#mkfifo) | make a FIFO special file (a named pipe) | [mkfifo](https://github.com/search?q=mkfifo&type=code) | +| LOW | [fs/file/capabilities_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-capabilities-set.yara#setfcap) | [Set file capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) | [setcap](https://github.com/search?q=setcap&type=code) | +| LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm --](https://github.com/search?q=rm++--&type=code) | +| LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#java_open) | opens files | [openFile](https://github.com/search?q=openFile&type=code) | +| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | +| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code)
[os.rename](https://github.com/search?q=os.rename&type=code)
[renameFile](https://github.com/search?q=renameFile&type=code) | +| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate](https://github.com/search?q=ftruncate&type=code) | +| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [29762_TextziXML_writeFile1_closure](https://github.com/search?q=29762_TextziXML_writeFile1_closure&type=code)
[29762_TextziXML_writeFile1_info](https://github.com/search?q=29762_TextziXML_writeFile1_info&type=code)
[29762_TextziXML_writeFile2_closure](https://github.com/search?q=29762_TextziXML_writeFile2_closure&type=code)
[29762_TextziXML_writeFile2_info](https://github.com/search?q=29762_TextziXML_writeFile2_info&type=code)
[29762_TextziXML_writeFile3_closure](https://github.com/search?q=29762_TextziXML_writeFile3_closure&type=code)
[29762_TextziXML_writeFile3_info](https://github.com/search?q=29762_TextziXML_writeFile3_info&type=code)
[29762_TextziXML_writeFile_closure](https://github.com/search?q=29762_TextziXML_writeFile_closure&type=code)
[29762_TextziXML_writeFile_info](https://github.com/search?q=29762_TextziXML_writeFile_info&type=code)
[29762_TextziXML_writeFilezugoRight_closure](https://github.com/search?q=29762_TextziXML_writeFilezugoRight_closure&type=code)
[29762_TextziXML_writeFilezugoRight_info](https://github.com/search?q=29762_TextziXML_writeFilezugoRight_info&type=code)
[StringziBuilder_writeFile1_closure](https://github.com/search?q=StringziBuilder_writeFile1_closure&type=code)
[StringziBuilder_writeFile1_info](https://github.com/search?q=StringziBuilder_writeFile1_info&type=code)
[StringziBuilder_writeFile_closure](https://github.com/search?q=StringziBuilder_writeFile_closure&type=code)
[StringziBuilder_writeFile_info](https://github.com/search?q=StringziBuilder_writeFile_info&type=code)
[XMLziUnresolved_writeFile1_closure](https://github.com/search?q=XMLziUnresolved_writeFile1_closure&type=code)
[XMLziUnresolved_writeFile1_info](https://github.com/search?q=XMLziUnresolved_writeFile1_info&type=code)
[XMLziUnresolved_writeFile2_closure](https://github.com/search?q=XMLziUnresolved_writeFile2_closure&type=code)
[XMLziUnresolved_writeFile2_info](https://github.com/search?q=XMLziUnresolved_writeFile2_info&type=code)
[XMLziUnresolved_writeFile3_closure](https://github.com/search?q=XMLziUnresolved_writeFile3_closure&type=code)
[XMLziUnresolved_writeFile3_info](https://github.com/search?q=XMLziUnresolved_writeFile3_info&type=code)
[XMLziUnresolved_writeFile_closure](https://github.com/search?q=XMLziUnresolved_writeFile_closure&type=code)
[XMLziUnresolved_writeFile_info](https://github.com/search?q=XMLziUnresolved_writeFile_info&type=code)
[XMLziUnresolved_writeFilezugoRight_closure](https://github.com/search?q=XMLziUnresolved_writeFilezugoRight_closure&type=code)
[XMLziUnresolved_writeFilezugoRight_info](https://github.com/search?q=XMLziUnresolved_writeFilezugoRight_info&type=code)
[_DataziTextziIO_writeFile1_closure](https://github.com/search?q=_DataziTextziIO_writeFile1_closure&type=code)
[_DataziTextziIO_writeFile1_info](https://github.com/search?q=_DataziTextziIO_writeFile1_info&type=code)
[_DataziTextziIO_writeFile_closure](https://github.com/search?q=_DataziTextziIO_writeFile_closure&type=code)
[_DataziTextziIO_writeFile_info](https://github.com/search?q=_DataziTextziIO_writeFile_info&type=code)
[ataziByteString_writeFile1_closure](https://github.com/search?q=ataziByteString_writeFile1_closure&type=code)
[ataziByteString_writeFile1_info](https://github.com/search?q=ataziByteString_writeFile1_info&type=code)
[ataziByteString_writeFile_closure](https://github.com/search?q=ataziByteString_writeFile_closure&type=code)
[ataziByteString_writeFile_info](https://github.com/search?q=ataziByteString_writeFile_info&type=code)
[base_SystemziIO_writeFile1_closure](https://github.com/search?q=base_SystemziIO_writeFile1_closure&type=code)
[base_SystemziIO_writeFile1_info](https://github.com/search?q=base_SystemziIO_writeFile1_info&type=code)
[base_SystemziIO_writeFile_closure](https://github.com/search?q=base_SystemziIO_writeFile_closure&type=code)
[base_SystemziIO_writeFile_info](https://github.com/search?q=base_SystemziIO_writeFile_info&type=code)
[teStringziLazzy_writeFile1_closure](https://github.com/search?q=teStringziLazzy_writeFile1_closure&type=code)
[teStringziLazzy_writeFile1_info](https://github.com/search?q=teStringziLazzy_writeFile1_info&type=code)
[teStringziLazzy_writeFile_closure](https://github.com/search?q=teStringziLazzy_writeFile_closure&type=code)
[teStringziLazzy_writeFile_info](https://github.com/search?q=teStringziLazzy_writeFile_info&type=code)
[tziPandocziUTF8_writeFile1_closure](https://github.com/search?q=tziPandocziUTF8_writeFile1_closure&type=code)
[tziPandocziUTF8_writeFile1_info](https://github.com/search?q=tziPandocziUTF8_writeFile1_info&type=code)
[tziPandocziUTF8_writeFileWith1_closure](https://github.com/search?q=tziPandocziUTF8_writeFileWith1_closure&type=code)
[tziPandocziUTF8_writeFileWith1_info](https://github.com/search?q=tziPandocziUTF8_writeFileWith1_info&type=code)
[tziPandocziUTF8_writeFileWith_closure](https://github.com/search?q=tziPandocziUTF8_writeFileWith_closure&type=code)
[tziPandocziUTF8_writeFileWith_info](https://github.com/search?q=tziPandocziUTF8_writeFileWith_info&type=code)
[tziPandocziUTF8_writeFile_closure](https://github.com/search?q=tziPandocziUTF8_writeFile_closure&type=code)
[tziPandocziUTF8_writeFile_info](https://github.com/search?q=tziPandocziUTF8_writeFile_info&type=code)
[writeEventLogFileNoop](https://github.com/search?q=writeEventLogFileNoop&type=code)
[ystemziIOziTemp_writeTempFile1_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile1_closure&type=code)
[ystemziIOziTemp_writeTempFile2_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile2_closure&type=code)
[ystemziIOziTemp_writeTempFile3_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile3_closure&type=code)
[ystemziIOziTemp_writeTempFile4_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile4_closure&type=code)
[ystemziIOziTemp_writeTempFile5_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile5_closure&type=code)
[ystemziIOziTemp_writeTempFile_closure](https://github.com/search?q=ystemziIOziTemp_writeTempFile_closure&type=code)
[ystemziIOziTemp_writeTempFile_info](https://github.com/search?q=ystemziIOziTemp_writeTempFile_info&type=code) | +| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | +| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | +| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | +| LOW | [fs/node_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod) | [create device files](https://man7.org/linux/man-pages/man2/mknod.2.html) | [mknod](https://github.com/search?q=mknod&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/mtab](https://github.com/search?q=%2Fetc%2Fmtab&type=code)
[/etc/security/cacerts/](https://github.com/search?q=%2Fetc%2Fsecurity%2Fcacerts%2F&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/ssl/certs/](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts%2F&type=code) | +| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/pandoc/3.5/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fpandoc%2F3.5%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/zlib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fzlib%2Flib&type=code) | +| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | +| LOW | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#fchown) | May change file ownership | [fchown](https://github.com/search?q=fchown&type=code) | +| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | +| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | +| LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [mktemp](https://github.com/search?q=mktemp&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | +| LOW | [fs/unmount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/unmount.yara#umount) | unmount file system | [umount](https://github.com/search?q=umount&type=code) | +| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | +| LOW | [hw/iokit_registry](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/iokit-registry.yara#IORegistry) | access IOKit device driver registry | [IORegistry](https://github.com/search?q=IORegistry&type=code) | +| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | +| LOW | [net/ftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ftp/ftp.yara#ftp) | File Transfer Protocol (FTP) | [EPSV](https://github.com/search?q=EPSV&type=code) | +| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | +| LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | +| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[Www-Authenticate](https://github.com/search?q=Www-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | +| LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | +| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[HttpURLConnection](https://github.com/search?q=HttpURLConnection&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code) | +| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | +| LOW | [net/ip/resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-resolve.yara#gethostbyaddr) | [resolves network hosts via IP address](https://linux.die.net/man/3/gethostbyaddr) | [gethostbyaddr](https://github.com/search?q=gethostbyaddr&type=code) | +| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) | +| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | +| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | +| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [client_addr](https://github.com/search?q=client_addr&type=code)
[getpeername](https://github.com/search?q=getpeername&type=code) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | +| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | +| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) | +| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | +| LOW | [process/alarm](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/alarm.yara#alarm) | [set an alarm clock for delivery of a signal](https://man7.org/linux/man-pages/man2/alarm.2.html) | [alarm](https://github.com/search?q=alarm&type=code) | +| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd](https://github.com/search?q=cd&type=code) | +| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | +| LOW | [process/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#CreateProcess) | create a new process | [CreateProcess1_closur](https://github.com/search?q=CreateProcess1_closur&type=code)
[CreateProcess1_info](https://github.com/search?q=CreateProcess1_info&type=code)
[CreateProcess2_bytes](https://github.com/search?q=CreateProcess2_bytes&type=code)
[CreateProcess2_closur](https://github.com/search?q=CreateProcess2_closur&type=code)
[CreateProcess2_info](https://github.com/search?q=CreateProcess2_info&type=code)
[CreateProcess3_bytes](https://github.com/search?q=CreateProcess3_bytes&type=code)
[CreateProcess3_closur](https://github.com/search?q=CreateProcess3_closur&type=code)
[CreateProcess3_info](https://github.com/search?q=CreateProcess3_info&type=code)
[CreateProcess4_closur](https://github.com/search?q=CreateProcess4_closur&type=code)
[CreateProcess4_info](https://github.com/search?q=CreateProcess4_info&type=code)
[CreateProcess5_closur](https://github.com/search?q=CreateProcess5_closur&type=code)
[CreateProcess6_bytes](https://github.com/search?q=CreateProcess6_bytes&type=code)
[CreateProcessWithExit](https://github.com/search?q=CreateProcessWithExit&type=code)
[CreateProcessZCchildz](https://github.com/search?q=CreateProcessZCchildz&type=code)
[CreateProcessZCclosez](https://github.com/search?q=CreateProcessZCclosez&type=code)
[CreateProcessZCcmdspe](https://github.com/search?q=CreateProcessZCcmdspe&type=code)
[CreateProcessZCcreate](https://github.com/search?q=CreateProcessZCcreate&type=code)
[CreateProcessZCcwd_cl](https://github.com/search?q=CreateProcessZCcwd_cl&type=code)
[CreateProcessZCcwd_in](https://github.com/search?q=CreateProcessZCcwd_in&type=code)
[CreateProcessZCdelega](https://github.com/search?q=CreateProcessZCdelega&type=code)
[CreateProcessZCdetach](https://github.com/search?q=CreateProcessZCdetach&type=code)
[CreateProcessZCenv_cl](https://github.com/search?q=CreateProcessZCenv_cl&type=code)
[CreateProcessZCenv_in](https://github.com/search?q=CreateProcessZCenv_in&type=code)
[CreateProcessZCnewzus](https://github.com/search?q=CreateProcessZCnewzus&type=code)
[CreateProcessZCstdzue](https://github.com/search?q=CreateProcessZCstdzue&type=code)
[CreateProcessZCstdzui](https://github.com/search?q=CreateProcessZCstdzui&type=code)
[CreateProcessZCstdzuo](https://github.com/search?q=CreateProcessZCstdzuo&type=code)
[CreateProcessZCusezup](https://github.com/search?q=CreateProcessZCusezup&type=code)
[CreateProcess_closure](https://github.com/search?q=CreateProcess_closure&type=code)
[CreateProcess_con_inf](https://github.com/search?q=CreateProcess_con_inf&type=code)
[CreateProcess_info](https://github.com/search?q=CreateProcess_info&type=code)
[CreateProcess_slow](https://github.com/search?q=CreateProcess_slow&type=code)
[CreateProcesszugo1_cl](https://github.com/search?q=CreateProcesszugo1_cl&type=code)
[CreateProcesszugo1_in](https://github.com/search?q=CreateProcesszugo1_in&type=code)
[CreateProcesszuzdcsho](https://github.com/search?q=CreateProcesszuzdcsho&type=code)
[CreateProcesszuzdczez](https://github.com/search?q=CreateProcesszuzdczez&type=code)
[CreateProcesszuzdczsz](https://github.com/search?q=CreateProcesszuzdczsz&type=code) | +| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | +| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | +| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | +| LOW | [process/namespace_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/namespace-set.yara#setns) | associate thread or process with a namespace | [setns](https://github.com/search?q=setns&type=code) | +| LOW | [process/unshare](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare) | disassociate parts of the process execution context | [unshare](https://github.com/search?q=unshare&type=code) | + diff --git a/tests/linux/clean/pulumi.simple b/tests/linux/clean/pulumi.simple index e69de29b..8b17cd93 100644 --- a/tests/linux/clean/pulumi.simple +++ b/tests/linux/clean/pulumi.simple 
@@ -0,0 +1,159 @@ +# linux/clean/pulumi: medium +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/server: medium +c2/addr/url: low +c2/client: medium +c2/tool_transfer/arch: low +c2/tool_transfer/download: medium +c2/tool_transfer/os: medium +collect/archives/zip: medium +collect/code/github_api: low +collect/databases/mysql: medium +collect/databases/postgresql: medium +credential/clipboard: medium +credential/cloud/g: medium +credential/keychain: medium +credential/password: low +credential/ssl/private_key: low +crypto/aes: low +crypto/blockchain: medium +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/public_key: low +crypto/tls: low +data/compression/bzip2: low +data/compression/gzip: low +data/compression/zlib: low +data/embedded/html: medium +data/embedded/pem_certificate: low +data/embedded/pem_test_key: low +data/embedded/ssh_signature: medium +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/encoding/json_encode: low +data/hash/blake2b: low +data/hash/md5: low +data/hash/sha1: low +data/hash/sha256: low +data/random/insecure: low +discover/cloud/aws_metadata: low +discover/cloud/google_metadata: low +discover/cloud/google_storage: low +discover/group/lookup: medium +discover/network/mac_address: medium +discover/process/parent: low +discover/process/working_directory: low +discover/processes/list: medium +discover/system/cpu: low +discover/system/hostname: low +discover/system/platform: medium +discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +discover/user/name_get: medium +evasion/file/prefix: medium +exec/cmd: medium +exec/conditional/LANG: low +exec/install_additional/pip_install: medium +exec/plugin: low +exec/program: medium +exec/program/background: low +exec/script/osa: medium +exec/shell/SHELL: low +exec/shell/TERM: low +exec/shell/background_sleep: medium +exec/shell/exec: medium +exec/shell/pipe_sh: medium 
+exec/system_controls/systemd: low +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/fifo_create: low +fs/file/copy: medium +fs/file/create: medium +fs/file/delete: medium +fs/file/delete_forcibly: low +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/times_set: medium +fs/file/write: low +fs/link_read: low +fs/lock_update: low +fs/mount: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home_config: low +fs/path/root: medium +fs/path/usr_bin: low +fs/path/var: low +fs/permission/chown: medium +fs/permission/modify: medium +fs/swap/off: low +fs/symlink_resolve: low +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempdir/create: low +fs/tempfile: low +hw/wireless: low +impact/remote_access/heartbeat: medium +lateral/scan/tool: medium +net/dns: low +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download: medium +net/download/fetch: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: low +net/http/request: low +net/http/websocket: medium +net/ip: low +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/ip/resolve: low +net/proxy/socks5: medium +net/resolve/hostname: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/pair: medium +net/socket/peer_address: low +net/socket/receive: low +net/socket/send: low +net/tcp/connect: medium +net/tcp/grpc: low +net/tcp/ssh: medium +net/udp/receive: low +net/udp/send: low +net/url/embedded: low +net/url/encode: medium +net/url/parse: low +net/url/request: medium +net/webrtc: medium +os/env/get: low +os/fd/sendfile: low +os/kernel/netlink: low +persist/kernel_module/unload: medium +persist/pid_file: medium +privesc/sudo: medium +process/chroot: 
low +sus/exclamation: medium +sus/intercept: medium +sus/lang: medium +sus/leetspeak: medium diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md index e69de29b..f24a1df5 100644 --- a/tests/linux/clean/qemu-system-xtensa.md +++ b/tests/linux/clean/qemu-system-xtensa.md @@ -0,0 +1,113 @@ +## linux/clean/qemu-system-xtensa [🛑 HIGH] + +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--|--|--|--| +| HIGH | [crypto/xor](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/xor.yara#xor_decode_encode) | decodes/encodes XOR content | [Opcode_xor_encode_fns](https://github.com/search?q=Opcode_xor_encode_fns&type=code) | +| HIGH | [fs/proc/pid_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-cmdline.yara#proc_d_cmdline) | access command-line of other processes | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) | +| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[Ip](https://github.com/search?q=Ip&type=code)
[Port](https://github.com/search?q=Port&type=code)
[add_port](https://github.com/search?q=add_port&type=code)
[ahci_port](https://github.com/search?q=ahci_port&type=code)
[and_port](https://github.com/search?q=and_port&type=code)
[be_port](https://github.com/search?q=be_port&type=code)
[claim_port](https://github.com/search?q=claim_port&type=code)
[clear_port](https://github.com/search?q=clear_port&type=code)
[compare_ip](https://github.com/search?q=compare_ip&type=code)
[ehci_port](https://github.com/search?q=ehci_port&type=code)
[extract_ip](https://github.com/search?q=extract_ip&type=code)
[find_port](https://github.com/search?q=find_port&type=code)
[fix_port](https://github.com/search?q=fix_port&type=code)
[get_ip](https://github.com/search?q=get_ip&type=code)
[get_port](https://github.com/search?q=get_port&type=code)
[handle_port](https://github.com/search?q=handle_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[hub_port](https://github.com/search?q=hub_port&type=code)
[megasas_port](https://github.com/search?q=megasas_port&type=code)
[mem_port](https://github.com/search?q=mem_port&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[metadata_ip](https://github.com/search?q=metadata_ip&type=code)
[mmio_port](https://github.com/search?q=mmio_port&type=code)
[mptsas_port](https://github.com/search?q=mptsas_port&type=code)
[ohci_port](https://github.com/search?q=ohci_port&type=code)
[pcie_port](https://github.com/search?q=pcie_port&type=code)
[register_port](https://github.com/search?q=register_port&type=code)
[release_port](https://github.com/search?q=release_port&type=code)
[remove_port](https://github.com/search?q=remove_port&type=code)
[reset_port](https://github.com/search?q=reset_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[spdm_port](https://github.com/search?q=spdm_port&type=code)
[state_port](https://github.com/search?q=state_port&type=code)
[throttle_port](https://github.com/search?q=throttle_port&type=code)
[uhci_port](https://github.com/search?q=uhci_port&type=code)
[update_ip](https://github.com/search?q=update_ip&type=code)
[upstream_port](https://github.com/search?q=upstream_port&type=code)
[usb_port](https://github.com/search?q=usb_port&type=code)
[virtser_port](https://github.com/search?q=virtser_port&type=code)
[write_port](https://github.com/search?q=write_port&type=code)
[xhci_port](https://github.com/search?q=xhci_port&type=code) | +| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [vnc_init_basic_info_from_server_addr](https://github.com/search?q=vnc_init_basic_info_from_server_addr&type=code) | +| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://) | +| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) | +| MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [~/.ssh/config](https://github.com/search?q=~%2F.ssh%2Fconfig&type=code) | +| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | +| MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt) | encrypts data | [BlockdevQcow2EncryptionFormat_lookup](https://github.com/search?q=BlockdevQcow2EncryptionFormat_lookup&type=code)
[BlockdevQcowEncryptionFormat_lookup](https://github.com/search?q=BlockdevQcowEncryptionFormat_lookup&type=code)
[Encrypt the image with](https://github.com/search?q=Encrypt+the+image+with&type=code)
[Encryption header offse](https://github.com/search?q=Encryption+header+offse&type=code)
[RbdImageEncryptionFormat_lookup](https://github.com/search?q=RbdImageEncryptionFormat_lookup&type=code)
[bj_BlockdevQcow2Encryption_base_members](https://github.com/search?q=bj_BlockdevQcow2Encryption_base_members&type=code)
[ee_BlockdevQcow2Encryption](https://github.com/search?q=ee_BlockdevQcow2Encryption&type=code)
[it_type_RbdImageEncryptionFormat](https://github.com/search?q=it_type_RbdImageEncryptionFormat&type=code)
[nfoSpecificQCow2EncryptionBase_members](https://github.com/search?q=nfoSpecificQCow2EncryptionBase_members&type=code)
[nfoSpecificQCow2Encryption_members](https://github.com/search?q=nfoSpecificQCow2Encryption_members&type=code)
[obj_BlockdevQcowEncryption_base_members](https://github.com/search?q=obj_BlockdevQcowEncryption_base_members&type=code)
[pe_BlockdevQcow2EncryptionFormat](https://github.com/search?q=pe_BlockdevQcow2EncryptionFormat&type=code)
[pe_BlockdevQcow2Encryption_members](https://github.com/search?q=pe_BlockdevQcow2Encryption_members&type=code)
[qapi_free_RbdEncryptionCreateOptions](https://github.com/search?q=qapi_free_RbdEncryptionCreateOptions&type=code)
[qapi_free_RbdEncryptionOptionsLUKS2](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKS2&type=code)
[qapi_free_RbdEncryptionOptionsLUKSAn](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKSAn&type=code)
[qapi_free_RbdEncryptionOptionsLUKSBa](https://github.com/search?q=qapi_free_RbdEncryptionOptionsLUKSBa&type=code)
[ree_BlockdevQcowEncryption](https://github.com/search?q=ree_BlockdevQcowEncryption&type=code)
[t_type_q_obj_RbdEncryptionCreateOptions](https://github.com/search?q=t_type_q_obj_RbdEncryptionCreateOptions&type=code)
[t_type_q_obj_RbdEncryptionOptions_base_](https://github.com/search?q=t_type_q_obj_RbdEncryptionOptions_base_&type=code)
[visit_type_RbdEncryptionCreateOptions](https://github.com/search?q=visit_type_RbdEncryptionCreateOptions&type=code)
[visit_type_RbdEncryptionOptionsLUKS2_](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKS2_&type=code)
[visit_type_RbdEncryptionOptionsLUKSAn](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKSAn&type=code)
[visit_type_RbdEncryptionOptionsLUKSBa](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKSBa&type=code)
[visit_type_RbdEncryptionOptionsLUKS_m](https://github.com/search?q=visit_type_RbdEncryptionOptionsLUKS_m&type=code)
[visit_type_RbdEncryptionOptions_membe](https://github.com/search?q=visit_type_RbdEncryptionOptions_membe&type=code)
[ype_BlockdevQcowEncryptionFormat](https://github.com/search?q=ype_BlockdevQcowEncryptionFormat&type=code)
[ype_BlockdevQcowEncryption_members](https://github.com/search?q=ype_BlockdevQcowEncryption_members&type=code) | +| MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [openssl](https://github.com/search?q=openssl&type=code) | +| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | +| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [base64_encode](https://github.com/search?q=base64_encode&type=code) | +| MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | [evasion/indicator_blocking/vm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/indicator_blocking/vm.yara#hidden_qemu) | operates a QEMU VM | [QEMU_VFIO](https://github.com/search?q=QEMU_VFIO&type=code)
[unable to find CPU model '%s'](https://github.com/search?q=unable+to+find+CPU+model+%27%25s%27&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [qapi_free_MigrationExecCommand](https://github.com/search?q=qapi_free_MigrationExecCommand&type=code)
[visit_type_MigrationExecCommand_members](https://github.com/search?q=visit_type_MigrationExecCommand_members&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execv](https://github.com/search?q=execv&type=code) | +| MEDIUM | [exec/shell/exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#calls_shell) | executes shell | [/bin/sh](https://github.com/search?q=%2Fbin%2Fsh&type=code) | +| MEDIUM | [exec/tty/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/open.yara#openpty) | finds and opens an available pseudoterminal | [openpty](https://github.com/search?q=openpty&type=code) | +| MEDIUM | [fs/attributes/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/attributes/remove.yara#remove_xattr) | [remove an extended file attribute value](https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/removexattr.2.html) | [removexattr](https://github.com/search?q=removexattr&type=code) | +| MEDIUM | [fs/attributes/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/attributes/set.yara#set_xattr) | [set an extended file attribute value](https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/setxattr.2.html) | [setxattr](https://github.com/search?q=setxattr&type=code) | +| MEDIUM | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_recursive_force) | Forcibly deletes files recursively | [rm -rf](https://github.com/search?q=rm+-rf&type=code) | +| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#shell_toucher) | change file timestamps | [touch event kind](https://github.com/search?q=touch+event+kind&type=code)
[touch event type](https://github.com/search?q=touch+event+type&type=code)
[touch slot number](https://github.com/search?q=touch+slot+number&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/perf-%d.map](https://github.com/search?q=%2Ftmp%2Fperf-%25d.map&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/block/block-gen.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fblock%2Fblock-gen.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/hw/usb/hcd-ehci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fhw%2Fusb%2Fhcd-ehci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/base.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fbase.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/list.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flist.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/listfile.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Flistfile.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/authz/simple.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fauthz%2Fsimple.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/block/throttle-gro](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fblock%2Fthrottle-gro&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-fd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-fd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char-socke](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar-socke&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/chardev/char.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fchardev%2Fchar.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_comm](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_comm&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/secret_keyr](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Fsecret_keyr&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tls-cipher-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftls-cipher-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscreds.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscreds.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsano](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsano&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredspsk](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredspsk&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/crypto/tlscredsx50](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fcrypto%2Ftlscredsx50&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/memory_ldst_c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fmemory_ldst_c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/exec/ram_addr.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fexec%2Fram_addr.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_aml_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_aml_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/acpi_dev_i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Facpi_dev_i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/acpi/vmgenid.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Facpi%2Fvmgenid.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/block/flash.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fblock%2Fflash.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/boards.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fboards.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/char/serial.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fchar%2Fserial.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/clock.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fclock.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/cpu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fcpu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/generic-lo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fgeneric-lo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/core/resetconta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcore%2Fresetconta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/cluster.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcluster.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/cpu/core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fcpu%2Fcore.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/display/i2c-ddc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fdisplay%2Fi2c-ddc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/elf_ops.h.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Felf_ops.h.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/fw-path-provide](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Ffw-path-provide&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/hotplug.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fhotplug.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/i2c/i2c.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fi2c%2Fi2c.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-pci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ahci-sysbus](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fahci-sysbus&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-bus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-bus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ide/ide-dev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fide%2Fide-dev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/intc/intc.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fintc%2Fintc.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/ipack/ipack.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fipack%2Fipack.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/misc/vmcoreinfo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fmisc%2Fvmcoreinfo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nmi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnmi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/nvram/fw_cfg.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fnvram%2Ffw_cfg.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci-host/gpex.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci-host%2Fgpex.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_bridge.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_bridge.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_device.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_device.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pci_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpci_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/pci/pcie_port.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fpci%2Fpcie_port.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/qdev-core.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fqdev-core.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/resettable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fresettable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/esp.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fesp.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/scsi/scsi.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fscsi%2Fscsi.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sd/sdhci.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsd%2Fsdhci.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/sysbus.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fsysbus.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/imx-usb-phy](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fimx-usb-phy&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/usb/msd.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fusb%2Fmsd.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-commo](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-commo&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vfio/vfio-conta](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvfio%2Fvfio-conta&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vdpa-dev](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvdpa-dev&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-sc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-sc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-us](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-us&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/vhost-vs](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvhost-vs&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-b](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-b&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-c](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-c&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-g](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-g&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-i](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-i&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-n](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-n&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-p](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-p&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-r](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-r&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio-s](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio-s&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/virtio/virtio.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvirtio%2Fvirtio.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/hw/vmstate-if.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fhw%2Fvmstate-if.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-buffer.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-buffer.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-command](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-command&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-file.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-file.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-null.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-null.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-socket.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-socket.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-tls.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-tls.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel-websock](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel-websock&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/channel.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fchannel.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/dns-resolver.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fdns-resolver.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/io/net-listener.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fio%2Fnet-listener.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/can_host.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Fcan_host.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/net/filter.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fnet%2Ffilter.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qapi/qmp/qobject.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqapi%2Fqmp%2Fqobject.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bitops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbitops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/bswap.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fbswap.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/coroutine.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fcoroutine.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/int128.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fint128.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/iov.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fiov.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/lockable.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Flockable.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/main-loop.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fmain-loop.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/range.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frange.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/ratelimit.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fratelimit.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/rcu.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Frcu.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qemu/thread-contex](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqemu%2Fthread-contex&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/qom/object_interfa](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fqom%2Fobject_interfa&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/scsi/pr-manager.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fscsi%2Fpr-manager.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/accel-ops.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Faccel-ops.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/cryptodev.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fcryptodev.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/event-loop-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fevent-loop-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/host_iommu_](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhost_iommu_&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/hostmem.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fhostmem.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/iothread.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fiothread.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng-random.](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng-random.&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/rng.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Frng.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/tpm_backend](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Ftpm_backend&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/sysemu/vhost-user-](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fsysemu%2Fvhost-user-&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/console.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fconsole.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/dbus-display.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fdbus-display.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/include/ui/qemu-spice.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Finclude%2Fui%2Fqemu-spice.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/migration/channel-block.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Fmigration%2Fchannel-block.h&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/tcg/i386/tcg-target.c.inc](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftcg%2Fi386%2Ftcg-target.c.inc&type=code)
[/tmp/qemu-20240904-24095-51glkd/qemu-9.1.0/trace/control-internal.h](https://github.com/search?q=%2Ftmp%2Fqemu-20240904-24095-51glkd%2Fqemu-9.1.0%2Ftrace%2Fcontrol-internal.h&type=code) | +| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | +| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/cmdline](https://github.com/search?q=%2Fproc%2F%25d%2Fcmdline&type=code) | +| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | +| MEDIUM | [hw/dev/block_ice](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/dev/block-device.yara#block_devices) | works with block devices | [/dev/block/%u](https://github.com/search?q=%2Fdev%2Fblock%2F%25u&type=code)
[/sys/dev/block](https://github.com/search?q=%2Fsys%2Fdev%2Fblock&type=code) | +| MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [vdagent](https://github.com/search?q=vdagent&type=code) | +| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [06zu:qmp_enter_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_enter_x_colo_lost_heartbeat&type=code)
[06zu:qmp_exit_x_colo_lost_heartbeat](https://github.com/search?q=06zu%3Aqmp_exit_x_colo_lost_heartbeat&type=code)
[Tell COLO that heartbeat is lost](https://github.com/search?q=Tell+COLO+that+heartbeat+is+lost&type=code)
[hmp_x_colo_lost_heartbeat](https://github.com/search?q=hmp_x_colo_lost_heartbeat&type=code)
[qmp_marshal_x_colo_lost_heartbeat](https://github.com/search?q=qmp_marshal_x_colo_lost_heartbeat&type=code)
[qmp_x_colo_lost_heartbeat](https://github.com/search?q=qmp_x_colo_lost_heartbeat&type=code) | +| MEDIUM | [impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#exec_chdir_and_socket) | executes commands, changes directories, accesses remote hosts | [chdir](https://github.com/search?q=chdir&type=code)
[execve](https://github.com/search?q=execve&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[WebSocket](https://github.com/search?q=WebSocket&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host and/or port](https://github.com/search?q=host+and%2For+port&type=code)
[host from port](https://github.com/search?q=host+from+port&type=code)
[host is not support](https://github.com/search?q=host+is+not+support&type=code)
[host port](https://github.com/search?q=host+port&type=code)
[host transport](https://github.com/search?q=host+transport&type=code)
[host,addr.port=port](https://github.com/search?q=host%2Caddr.port%3Dport&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host=addr,local.port](https://github.com/search?q=host%3Daddr%2Clocal.port&type=code)
[host=host,addr.port](https://github.com/search?q=host%3Dhost%2Caddr.port&type=code)
[host=host],port=port](https://github.com/search?q=host%3Dhost%5D%2Cport%3Dport&type=code)
[host]:port](https://github.com/search?q=host%5D%3Aport&type=code)
[host_get_port](https://github.com/search?q=host_get_port&type=code)
[host_support](https://github.com/search?q=host_support&type=code)
[host_user.support](https://github.com/search?q=host_user.support&type=code)
[host_user_support](https://github.com/search?q=host_user_support&type=code)
[hostaddr]:hostport](https://github.com/search?q=hostaddr%5D%3Ahostport&type=code)
[hostname port](https://github.com/search?q=hostname+port&type=code)
[hostname:s,port](https://github.com/search?q=hostname%3As%2Cport&type=code) | +| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping 0x](https://github.com/search?q=ping+0x&type=code) | +| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | +| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code) | +| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | +| MEDIUM | [net/remote_control/vnc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/remote_control/vnc.yara#vnc_user) | uses VNC remote desktop protocol | [VNC_](https://github.com/search?q=VNC_&type=code)
[vnc_password](https://github.com/search?q=vnc_password&type=code) | +| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | +| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | +| MEDIUM | [net/tcp/sftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/sftp.yara#sftp) | Supports sftp (FTP over SSH) | [sftp](https://github.com/search?q=sftp&type=code)
[ssh](https://github.com/search?q=ssh&type=code) | +| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) | +| MEDIUM | [net/tun_tap](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tun_tap.yara#tun_tap) | accesses the TUN/TAP device driver | [/dev/net/tun](https://github.com/search?q=%2Fdev%2Fnet%2Ftun&type=code) | +| MEDIUM | [persist/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/daemon/daemon.yara#daemon) | Run as a background daemon | [-daemon](https://github.com/search?q=-daemon&type=code)
[daemonize](https://github.com/search?q=daemonize&type=code)
[is_daemon](https://github.com/search?q=is_daemon&type=code)
[os_daemon](https://github.com/search?q=os_daemon&type=code)
[os_set_daemon](https://github.com/search?q=os_set_daemon&type=code)
[qemu_daemon](https://github.com/search?q=qemu_daemon&type=code) | +| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [pid_file](https://github.com/search?q=pid_file&type=code) | +| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [d is not known!!](https://github.com/search?q=d+is+not+known%21%21&type=code) | +| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercept_dev](https://github.com/search?q=intercept_dev&type=code)
[intercept_gpio_out](https://github.com/search?q=intercept_gpio_out&type=code)
[intercept_in](https://github.com/search?q=intercept_in&type=code)
[intercept_out](https://github.com/search?q=intercept_out&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | +| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | +| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://wikipedia.org/wiki/WAV](http://wikipedia.org/wiki/WAV)
[http://www.opensound.com](http://www.opensound.com)
[https://qemu.org/contribute/report](https://qemu.org/contribute/report)
[https://wiki.qemu.org/Documentation/9psetup](https://wiki.qemu.org/Documentation/9psetup) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [Cannot derive password](https://github.com/search?q=Cannot+derive+password&type=code)
[Could not set password expire time](https://github.com/search?q=Could+not+set+password+expire+time&type=code)
[Invalid password](https://github.com/search?q=Invalid+password&type=code)
[SetPasswordAction_lookup](https://github.com/search?q=SetPasswordAction_lookup&type=code)
[change-vnc-password](https://github.com/search?q=change-vnc-password&type=code)
[enter_expire_password](https://github.com/search?q=enter_expire_password&type=code)
[exit_change_vnc_password](https://github.com/search?q=exit_change_vnc_password&type=code)
[hmp_expire_password](https://github.com/search?q=hmp_expire_password&type=code)
[hmp_set_password](https://github.com/search?q=hmp_set_password&type=code)
[marshal_expire_password](https://github.com/search?q=marshal_expire_password&type=code)
[monitor_read_password](https://github.com/search?q=monitor_read_password&type=code)
[not support password prompting](https://github.com/search?q=not+support+password+prompting&type=code)
[obj_change_vnc_password_arg_members](https://github.com/search?q=obj_change_vnc_password_arg_members&type=code)
[password is expired](https://github.com/search?q=password+is+expired&type=code)
[password is not set](https://github.com/search?q=password+is+not+set&type=code)
[please enable password auth using](https://github.com/search?q=please+enable+password+auth+using&type=code)
[prop_get_passwordid](https://github.com/search?q=prop_get_passwordid&type=code)
[prop_set_passwordid](https://github.com/search?q=prop_set_passwordid&type=code)
[protocol password](https://github.com/search?q=protocol+password&type=code)
[proxy-password-secret](https://github.com/search?q=proxy-password-secret&type=code)
[qapi_free_ExpirePasswordOptionsVnc](https://github.com/search?q=qapi_free_ExpirePasswordOptionsVnc&type=code)
[qapi_free_SetPasswordOptionsVnc](https://github.com/search?q=qapi_free_SetPasswordOptionsVnc&type=code)
[qmp_change_vnc_password](https://github.com/search?q=qmp_change_vnc_password&type=code)
[qmp_enter_set_password](https://github.com/search?q=qmp_enter_set_password&type=code)
[qmp_exit_expire_password](https://github.com/search?q=qmp_exit_expire_password&type=code)
[qmp_exit_set_password](https://github.com/search?q=qmp_exit_set_password&type=code)
[qmp_expire_password](https://github.com/search?q=qmp_expire_password&type=code)
[qmp_marshal_set_password](https://github.com/search?q=qmp_marshal_set_password&type=code)
[qmp_set_password](https://github.com/search?q=qmp_set_password&type=code)
[that match this password](https://github.com/search?q=that+match+this+password&type=code)
[type_ExpirePasswordOptionsVnc](https://github.com/search?q=type_ExpirePasswordOptionsVnc&type=code)
[type_ExpirePasswordOptions_members](https://github.com/search?q=type_ExpirePasswordOptions_members&type=code)
[visit_type_SetPasswordAction](https://github.com/search?q=visit_type_SetPasswordAction&type=code)
[visit_type_SetPasswordOptionsVnc](https://github.com/search?q=visit_type_SetPasswordOptionsVnc&type=code)
[visit_type_SetPasswordOptions_members](https://github.com/search?q=visit_type_SetPasswordOptions_members&type=code)
[vnc password expire-time](https://github.com/search?q=vnc+password+expire-time&type=code)
[vnc_display_password](https://github.com/search?q=vnc_display_password&type=code) | +| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [private_key](https://github.com/search?q=private_key&type=code) | +| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | +| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [public key](https://github.com/search?q=public+key&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | +| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code) | +| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | +| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | +| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | +| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | +| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | +| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [md5:](https://github.com/search?q=md5%3A&type=code) | +| LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) | +| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | +| LOW | [discover/system/dmesg](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/dmesg.yara#dmesg) | accesses the kernel log ring buffer | [dmesg](https://github.com/search?q=dmesg&type=code) | +| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [evasion/logging/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/logging/acct.yara#acct) | switch process accounting on or off | [acct](https://github.com/search?q=acct&type=code) | +| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Could not load plugin](https://github.com/search?q=Could+not+load+plugin&type=code)
[Plugin options](https://github.com/search?q=Plugin+options&type=code)
[cap_disas_plugin](https://github.com/search?q=cap_disas_plugin&type=code)
[gen_plugin_u64_ptr](https://github.com/search?q=gen_plugin_u64_ptr&type=code)
[load a plugin](https://github.com/search?q=load+a+plugin&type=code)
[op_plugin](https://github.com/search?q=op_plugin&type=code)
[output from TCG plugins](https://github.com/search?q=output+from+TCG+plugins&type=code)
[plugin file](https://github.com/search?q=plugin+file&type=code)
[plugin_add_dyn_cb_arr](https://github.com/search?q=plugin_add_dyn_cb_arr&type=code)
[plugin_atexit_cb](https://github.com/search?q=plugin_atexit_cb&type=code)
[plugin_bool_parse](https://github.com/search?q=plugin_bool_parse&type=code)
[plugin_cb__udata](https://github.com/search?q=plugin_cb__udata&type=code)
[plugin_cond_to_tcgcond](https://github.com/search?q=plugin_cond_to_tcgcond&type=code)
[plugin_disas](https://github.com/search?q=plugin_disas&type=code)
[plugin_dyn_cb_arr_cmp](https://github.com/search?q=plugin_dyn_cb_arr_cmp&type=code)
[plugin_end_code](https://github.com/search?q=plugin_end_code&type=code)
[plugin_entry_code](https://github.com/search?q=plugin_entry_code&type=code)
[plugin_flush_cb](https://github.com/search?q=plugin_flush_cb&type=code)
[plugin_flush_destroy](https://github.com/search?q=plugin_flush_destroy&type=code)
[plugin_from_name](https://github.com/search?q=plugin_from_name&type=code)
[plugin_gen_disable_mem](https://github.com/search?q=plugin_gen_disable_mem&type=code)
[plugin_gen_inject](https://github.com/search?q=plugin_gen_inject&type=code)
[plugin_gen_insn_end](https://github.com/search?q=plugin_gen_insn_end&type=code)
[plugin_gen_insn_start](https://github.com/search?q=plugin_gen_insn_start&type=code)
[plugin_gen_mem](https://github.com/search?q=plugin_gen_mem&type=code)
[plugin_gen_tb_end](https://github.com/search?q=plugin_gen_tb_end&type=code)
[plugin_gen_tb_start](https://github.com/search?q=plugin_gen_tb_start&type=code)
[plugin_get_dyn_cb](https://github.com/search?q=plugin_get_dyn_cb&type=code)
[plugin_get_hwaddr](https://github.com/search?q=plugin_get_hwaddr&type=code)
[plugin_get_registers](https://github.com/search?q=plugin_get_registers&type=code)
[plugin_hwaddr_is_io](https://github.com/search?q=plugin_hwaddr_is_io&type=code)
[plugin_init](https://github.com/search?q=plugin_init&type=code)
[plugin_insn_data](https://github.com/search?q=plugin_insn_data&type=code)
[plugin_insn_disas](https://github.com/search?q=plugin_insn_disas&type=code)
[plugin_insn_haddr](https://github.com/search?q=plugin_insn_haddr&type=code)
[plugin_insn_size](https://github.com/search?q=plugin_insn_size&type=code)
[plugin_insn_symbol](https://github.com/search?q=plugin_insn_symbol&type=code)
[plugin_insn_vaddr](https://github.com/search?q=plugin_insn_vaddr&type=code)
[plugin_list](https://github.com/search?q=plugin_list&type=code)
[plugin_load_list](https://github.com/search?q=plugin_load_list&type=code)
[plugin_mem_is_store](https://github.com/search?q=plugin_mem_is_store&type=code)
[plugin_mem_size_shift](https://github.com/search?q=plugin_mem_size_shift&type=code)
[plugin_num_vcpus](https://github.com/search?q=plugin_num_vcpus&type=code)
[plugin_opt_parse](https://github.com/search?q=plugin_opt_parse&type=code)
[plugin_path_to_binary](https://github.com/search?q=plugin_path_to_binary&type=code)
[plugin_print_address](https://github.com/search?q=plugin_print_address&type=code)
[plugin_read_register](https://github.com/search?q=plugin_read_register&type=code)
[plugin_register_atexit](https://github.com/search?q=plugin_register_atexit&type=code)
[plugin_register_cb](https://github.com/search?q=plugin_register_cb&type=code)
[plugin_register_dyn_cb](https://github.com/search?q=plugin_register_dyn_cb&type=code)
[plugin_register_inline](https://github.com/search?q=plugin_register_inline&type=code)
[plugin_reset_destroy](https://github.com/search?q=plugin_reset_destroy&type=code)
[plugin_reset_uninstall](https://github.com/search?q=plugin_reset_uninstall&type=code)
[plugin_scoreboard_find](https://github.com/search?q=plugin_scoreboard_find&type=code)
[plugin_scoreboard_free](https://github.com/search?q=plugin_scoreboard_free&type=code)
[plugin_scoreboard_new](https://github.com/search?q=plugin_scoreboard_new&type=code)
[plugin_start_code](https://github.com/search?q=plugin_start_code&type=code)
[plugin_tb_get_insn](https://github.com/search?q=plugin_tb_get_insn&type=code)
[plugin_tb_n_insns](https://github.com/search?q=plugin_tb_n_insns&type=code)
[plugin_tb_trans_cb](https://github.com/search?q=plugin_tb_trans_cb&type=code)
[plugin_tb_vaddr](https://github.com/search?q=plugin_tb_vaddr&type=code)
[plugin_uninstall](https://github.com/search?q=plugin_uninstall&type=code)
[plugin_update_ns](https://github.com/search?q=plugin_update_ns&type=code)
[plugin_user_exit](https://github.com/search?q=plugin_user_exit&type=code)
[plugin_user_postfork](https://github.com/search?q=plugin_user_postfork&type=code)
[plugin_vcpu_cb__simple](https://github.com/search?q=plugin_vcpu_cb__simple&type=code)
[plugin_vcpu_exit_hook](https://github.com/search?q=plugin_vcpu_exit_hook&type=code)
[plugin_vcpu_for_each](https://github.com/search?q=plugin_vcpu_for_each&type=code)
[plugin_vcpu_idle_cb](https://github.com/search?q=plugin_vcpu_idle_cb&type=code)
[plugin_vcpu_init_hook](https://github.com/search?q=plugin_vcpu_init_hook&type=code)
[plugin_vcpu_mem_cb](https://github.com/search?q=plugin_vcpu_mem_cb&type=code)
[plugin_vcpu_resume_cb](https://github.com/search?q=plugin_vcpu_resume_cb&type=code)
[plugin_vcpu_syscall](https://github.com/search?q=plugin_vcpu_syscall&type=code)
[qemu_plugin_add_dyn](https://github.com/search?q=qemu_plugin_add_dyn&type=code)
[qemu_plugin_install](https://github.com/search?q=qemu_plugin_install&type=code)
[qemu_plugin_opts](https://github.com/search?q=qemu_plugin_opts&type=code)
[qemu_plugin_outs](https://github.com/search?q=qemu_plugin_outs&type=code)
[qemu_plugin_path_to](https://github.com/search?q=qemu_plugin_path_to&type=code)
[qemu_plugin_request](https://github.com/search?q=qemu_plugin_request&type=code)
[qemu_plugin_reset](https://github.com/search?q=qemu_plugin_reset&type=code)
[qemu_plugin_u64_add](https://github.com/search?q=qemu_plugin_u64_add&type=code)
[qemu_plugin_u64_get](https://github.com/search?q=qemu_plugin_u64_get&type=code)
[qemu_plugin_u64_set](https://github.com/search?q=qemu_plugin_u64_set&type=code)
[qemu_plugin_u64_sum](https://github.com/search?q=qemu_plugin_u64_sum&type=code)
[qemu_plugin_version](https://github.com/search?q=qemu_plugin_version&type=code)
[tcg_gen_plugin_cb](https://github.com/search?q=tcg_gen_plugin_cb&type=code)
[tcg_gen_plugin_mem_cb](https://github.com/search?q=tcg_gen_plugin_mem_cb&type=code)
[tlb_plugin_lookup](https://github.com/search?q=tlb_plugin_lookup&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [exec/system_controls/systemd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/system_controls/systemd.yara#ref_systemd) | makes references to systemd | [systemd](https://github.com/search?q=systemd&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | +| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | +| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | +| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | +| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | +| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | 
[-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | +| LOW | [fs/node_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod) | [create device files](https://man7.org/linux/man-pages/man2/mknod.2.html) | [mknod](https://github.com/search?q=mknod&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/qemu-ifdown](https://github.com/search?q=%2Fetc%2Fqemu-ifdown&type=code)
[/etc/qemu-ifup](https://github.com/search?q=%2Fetc%2Fqemu-ifup&type=code)
[/etc/qemu/qemu.conf](https://github.com/search?q=%2Fetc%2Fqemu%2Fqemu.conf&type=code) | +| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/bin](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fbin&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu-ifdown](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu-ifdown&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu-ifup](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu-ifup&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/etc/qemu/qemu.conf](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fetc%2Fqemu%2Fqemu.conf&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/libexec/qemu-bridge-helpe](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Flibexec%2Fqemu-bridge-helpe&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/icons](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Ficons&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/locale](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Flocale&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/share/qemu-firmware](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fshare%2Fqemu-firmware&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/qemu/9.1.0/var](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Fqemu%2F9.1.0%2Fvar&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/at-spi2-core/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fat-spi2-core%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/attr/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fattr%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/berkeley-db](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fberkeley-db&type=code)
[/home/linuxbrew/.linuxbrew/opt/binutils/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fbinutils%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/bzip2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fbzip2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/cairo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fcairo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/capstone/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fcapstone%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/dbus/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fdbus%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/dtc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fdtc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/elfutils/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Felfutils%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/expat/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fexpat%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/fontconfig/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffontconfig%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/freeglut/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffreeglut%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/freetype/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffreetype%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/fribidi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ffribidi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code)
[/home/linuxbrew/.linuxbrew/opt/gdk-pixbuf/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgdk-pixbuf%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/glib/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fglib%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/glslang/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fglslang%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gmp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgmp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gnutls/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgnutls%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/graphite2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgraphite2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gsettings-desktop-schemas/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgsettings-desktop-schemas%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/gtk](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgtk&type=code)
[/home/linuxbrew/.linuxbrew/opt/harfbuzz/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fharfbuzz%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/icu4c/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Ficu4c%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/jpeg-turbo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fjpeg-turbo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/krb5/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fkrb5%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libcap-ng/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibcap-ng%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libcap/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibcap%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libdrm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibdrm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libedit/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibedit%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libepoxy/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibepoxy%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libevent/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibevent%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libffi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibffi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libfontenc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibfontenc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libice/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibice%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libidn2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibidn2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libnghttp2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibnghttp2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libnsl/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibnsl%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libpciaccess/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibpciaccess%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libslirp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibslirp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libsm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibsm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libssh/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibssh%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtasn1/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtasn1%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtiff/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtiff%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libtirpc/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibtirpc%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libunistring/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibunistring%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libusb/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibusb%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libva/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibva%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libvdpau/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibvdpau%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libx11/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibx11%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxau/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxau%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcb/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcb%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcrypt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcrypt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxcvt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxcvt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxdamage/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxdamage%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxdmcp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxdmcp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxext/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxext%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxfixes/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxfixes%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxfont2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxfont2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxi/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxi%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxinerama/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxinerama%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxkbcommon/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxkbcommon%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxkbfile/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxkbfile%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxml2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxml2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxmu/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxmu%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxrandr/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxrandr%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxrender/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxrender%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxshmfence/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxshmfence%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxt/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxt%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxtst/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxtst%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxv/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxv%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/libxxf86vm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flibxxf86vm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/llvm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fllvm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lm-sensors/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flm-sensors%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lz4/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flz4%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/lzo/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Flzo%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mesa-glu/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmesa-glu%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mesa/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmesa%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/mpdecimal/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fmpdecimal%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/ncurses/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fncurses%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/nettle/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fnettle%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/openssl](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fopenssl&type=code)
[/home/linuxbrew/.linuxbrew/opt/p11-kit/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fp11-kit%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pango/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpango%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pcre2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpcre2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/pixman/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpixman%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/python](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fpython&type=code)
[/home/linuxbrew/.linuxbrew/opt/readline/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Freadline%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/snappy/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsnappy%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/spirv-llvm-translator/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fspirv-llvm-translator%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/spirv-tools/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fspirv-tools%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/sqlite/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsqlite%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/systemd/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fsystemd%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/unbound/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Funbound%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/util-linux/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Futil-linux%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/valgrind/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fvalgrind%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/vde/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fvde%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/wayland/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fwayland%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-image/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-image%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-keysyms/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-keysyms%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-renderutil/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-renderutil%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util-wm/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util-wm%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xcb-util/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxcb-util%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xkbcomp/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxkbcomp%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xorg-server/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxorg-server%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/xz/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fxz%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/opt/z3/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fz3%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/sbin/samba-dot-org-smbd](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fsbin%2Fsamba-dot-org-smbd&type=code) | +| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | +| LOW | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#fchownat) | May change file ownership | [fchownat](https://github.com/search?q=fchownat&type=code) | +| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | +| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | +| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | +| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) | +| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | +| LOW | [net/ip/send_unicast](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-send-unicast.yara#unicast) | send data to the internet | [unicast](https://github.com/search?q=unicast&type=code) | +| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) | +| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | +| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | +| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvmsg](https://github.com/search?q=recvmsg&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | +| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://qemu.org/contribute/report-a-bug](https://qemu.org/contribute/report-a-bug)
[https://wiki.qemu.org/Documentation/9psetup](https://wiki.qemu.org/Documentation/9psetup) | +| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_wait](https://github.com/search?q=epoll_wait&type=code) | +| LOW | [os/kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) | +| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | +| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | +| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | +| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | +| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | +| LOW | [process/unshare](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/unshare.yara#syscall_unshare) | 
disassociate parts of the process execution context | [unshare](https://github.com/search?q=unshare&type=code) |
+
diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md
index e69de29b..89d44ca7 100644
--- a/tests/linux/clean/slack.md
+++ b/tests/linux/clean/slack.md
@@ -0,0 +1,193 @@
+## linux/clean/slack [🟡 MEDIUM]
+
+| RISK | KEY | DESCRIPTION | EVIDENCE |
+|--|--|--|--|
+| MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) |
+| MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) |
+| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head |
+| MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) |
+| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s)
[https://%s](https://%s) | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[endpoint_port](https://github.com/search?q=endpoint_port&type=code)
[firstIp](https://github.com/search?q=firstIp&type=code)
[hIp](https://github.com/search?q=hIp&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[multi_port](https://github.com/search?q=multi_port&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[pIp](https://github.com/search?q=pIp&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[quiche_ip](https://github.com/search?q=quiche_ip&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[required_ip](https://github.com/search?q=required_ip&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[xIp](https://github.com/search?q=xIp&type=code)
[yoIp](https://github.com/search?q=yoIp&type=code) | +| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [server_address_](https://github.com/search?q=server_address_&type=code) | +| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) | +| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.4.4](https://github.com/search?q=8.8.4.4&type=code)
[8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) | +| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#remote_control) | Uses terms that may reference remote control abilities | [remote control](https://github.com/search?q=remote+control&type=code) | +| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [FrameDropper](https://github.com/search?q=FrameDropper&type=code)
[eye_dropper](https://github.com/search?q=eye_dropper&type=code)
[openEyeDropper](https://github.com/search?q=openEyeDropper&type=code) | +| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | +| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [zip_writer](https://github.com/search?q=zip_writer&type=code) | +| MEDIUM | [collect/databases/leveldb](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/leveldb.yara#leveldb) | accesses LevelDB databases | [LEVELDB_DATABASE](https://github.com/search?q=LEVELDB_DATABASE&type=code)
[LEVELDB_ITERATOR](https://github.com/search?q=LEVELDB_ITERATOR&type=code)
[LEVELDB_TRANSACTION](https://github.com/search?q=LEVELDB_TRANSACTION&type=code)
[LevelDBEnv](https://github.com/search?q=LevelDBEnv&type=code)
[LevelDBIH](https://github.com/search?q=LevelDBIH&type=code)
[LevelDBIterator](https://github.com/search?q=LevelDBIterator&type=code)
[LevelDBOpenErrors](https://github.com/search?q=LevelDBOpenErrors&type=code)
[LevelDBPartitionedLock](https://github.com/search?q=LevelDBPartitionedLock&type=code)
[LevelDBReadErrors](https://github.com/search?q=LevelDBReadErrors&type=code)
[LevelDBScopesKey](https://github.com/search?q=LevelDBScopesKey&type=code)
[LevelDBScopesMetadata](https://github.com/search?q=LevelDBScopesMetadata&type=code)
[LevelDBScopesUndoTask](https://github.com/search?q=LevelDBScopesUndoTask&type=code)
[LevelDBTransaction](https://github.com/search?q=LevelDBTransaction&type=code)
[LevelDBWrapper](https://github.com/search?q=LevelDBWrapper&type=code)
[LevelDBWriteErrors](https://github.com/search?q=LevelDBWriteErrors&type=code)
[MojoLevelDB](https://github.com/search?q=MojoLevelDB&type=code)
[OpenAndVerifyLevelDBDatabase](https://github.com/search?q=OpenAndVerifyLevelDBDatabase&type=code)
[OpenLevelDBScopes](https://github.com/search?q=OpenLevelDBScopes&type=code)
[indexed_db_leveldb_operations](https://github.com/search?q=indexed_db_leveldb_operations&type=code)
[lazy_leveldb](https://github.com/search?q=lazy_leveldb&type=code)
[leveldbH](https://github.com/search?q=leveldbH&type=code)
[leveldb_0x](https://github.com/search?q=leveldb_0x&type=code)
[leveldb_chrome](https://github.com/search?q=leveldb_chrome&type=code)
[leveldb_database](https://github.com/search?q=leveldb_database&type=code)
[leveldb_proto](https://github.com/search?q=leveldb_proto&type=code)
[leveldb_scopes](https://github.com/search?q=leveldb_scopes&type=code)
[leveldb_value_store](https://github.com/search?q=leveldb_value_store&type=code)
[proto_leveldb_wrapper](https://github.com/search?q=proto_leveldb_wrapper&type=code)
[transactional_leveldb_iterator](https://github.com/search?q=transactional_leveldb_iterator&type=code) | +| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite](https://github.com/search?q=sqlite&type=code) | +| MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) | +| MEDIUM | [credential/sniffer/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/sniffer/bpf.yara#sniffer_bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | +| MEDIUM | [credential/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssh/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [.ssh](https://github.com/search?q=.ssh&type=code) | +| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) | +| MEDIUM | [crypto/openssl](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/openssl.yara#openssl_user) | Uses OpenSSL | [OpenSSL](https://github.com/search?q=OpenSSL&type=code)
[openssl](https://github.com/search?q=openssl&type=code) | +| MEDIUM | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | [#"!](https://github.com/search?q=%23%22%21&type=code)
$opt0
$opt1
$opt2
$opt30
$opt4
$opt5
$opt6
$opt7
['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[3210](https://github.com/search?q=3210&type=code)
[7654](https://github.com/search?q=7654&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[onml](https://github.com/search?q=onml&type=code)
[srqp](https://github.com/search?q=srqp&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[����](https://github.com/search?q=%83%82%81%80&type=code)
[����](https://github.com/search?q=%87%86%85%84&type=code)
[����](https://github.com/search?q=%8B%8A%89%88&type=code)
[����](https://github.com/search?q=%8F%8E%8D%8C&type=code)
[����](https://github.com/search?q=%93%92%91%90&type=code)
[����](https://github.com/search?q=%97%96%95%94&type=code)
[����](https://github.com/search?q=%9B%9A%99%98&type=code)
[����](https://github.com/search?q=%9F%9E%9D%9C&type=code)
[����](https://github.com/search?q=%A3%A2%A1%A0&type=code)
[����](https://github.com/search?q=%A7%A6%A5%A4&type=code)
[����](https://github.com/search?q=%AB%AA%A9%A8&type=code)
[����](https://github.com/search?q=%AF%AE%AD%AC&type=code)
[����](https://github.com/search?q=%B3%B2%B1%B0&type=code)
[����](https://github.com/search?q=%B7%B6%B5%B4&type=code)
[����](https://github.com/search?q=%BB%BA%B9%B8&type=code)
[����](https://github.com/search?q=%BF%BE%BD%BC&type=code)
[����](https://github.com/search?q=%C3%C2%C1%C0&type=code)
[����](https://github.com/search?q=%C7%C6%C5%C4&type=code)
[����](https://github.com/search?q=%CB%CA%C9%C8&type=code)
[����](https://github.com/search?q=%CF%CE%CD%CC&type=code)
[����](https://github.com/search?q=%D3%D2%D1%D0&type=code)
[����](https://github.com/search?q=%D7%D6%D5%D4&type=code)
[����](https://github.com/search?q=%DB%DA%D9%D8&type=code)
[����](https://github.com/search?q=%DF%DE%DD%DC&type=code)
[����](https://github.com/search?q=%E3%E2%E1%E0&type=code)
[����](https://github.com/search?q=%E7%E6%E5%E4&type=code)
[����](https://github.com/search?q=%EB%EA%E9%E8&type=code)
[����](https://github.com/search?q=%EF%EE%ED%EC&type=code)
[����](https://github.com/search?q=%F3%F2%F1%F0&type=code)
[����](https://github.com/search?q=%F7%F6%F5%F4&type=code)
[����](https://github.com/search?q=%FB%FA%F9%F8&type=code)
[����](https://github.com/search?q=%FF%FE%FD%FC&type=code) | +| MEDIUM | [crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid) | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | +| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [DRVJUSUZJQ0FUR::$CERTIFICATE](https://github.com/search?q=DRVJUSUZJQ0FUR%3A%3A%24CERTIFICATE&type=code)
[Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[RpcmVjdG9ye::$directory](https://github.com/search?q=RpcmVjdG9ye%3A%3A%24directory&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | +| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) | +| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | +| MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code)
[ifconfig](https://github.com/search?q=ifconfig&type=code)
[networkInterfaces](https://github.com/search?q=networkInterfaces&type=code) | +| MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [macAddress](https://github.com/search?q=macAddress&type=code) | +| MEDIUM | [discover/process/name](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/name.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | +| MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | +| MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname) | [get system identification](https://nodejs.org/api/process.html) | [process.arch](https://github.com/search?q=process.arch&type=code)
[process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | +| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | +| MEDIUM | [discover/user/USERPROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USERPROFILE.yara#USERPROFILE_Desktop) | Looks up the Desktop directory for the current user | [Desktop](https://github.com/search?q=Desktop&type=code)
[USERPROFILE](https://github.com/search?q=USERPROFILE&type=code) | +| MEDIUM | [discover/user/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/userinfo.yara#userinfo) | returns user info for the current process | [os.homedir](https://github.com/search?q=os.homedir&type=code) | +| MEDIUM | [evasion/file/location/dev_shm](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/dev-shm.yara#dev_shm) | references path within /dev/shm (world writeable) | [/dev/shm/](https://github.com/search?q=%2Fdev%2Fshm%2F&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/usr/lib/debug/.build-id](https://github.com/search?q=%2Fusr%2Flib%2Fdebug%2F.build-id&type=code) | +| MEDIUM | [evasion/process_injection/ptrace](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/process_injection/ptrace.yara#ptrace) | trace or modify system calls | [ptrace](https://github.com/search?q=ptrace&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecuteCommandLists](https://github.com/search?q=ExecuteCommandLists&type=code)
[_executeCommand](https://github.com/search?q=_executeCommand&type=code)
[execCommand](https://github.com/search?q=execCommand&type=code)
[vkCmdExecuteCommands](https://github.com/search?q=vkCmdExecuteCommands&type=code) | +| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | +| MEDIUM | [exec/shell/pipe_sh](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/pipe_sh.yara#pipe_to_shell) | pipes to shell | [| sh](https://github.com/search?q=%7C+sh&type=code) | +| MEDIUM | [exec/tty/pathname](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/tty/pathname.yara#ttyname) | returns the pathname of a terminal device | [ttyname](https://github.com/search?q=ttyname&type=code) | +| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[eml](https://github.com/search?q=eml&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) | +| MEDIUM | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#google_drive) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [drive.google.com/](https://github.com/search?q=drive.google.com%2F&type=code)
[drive.google.comtabs](https://github.com/search?q=drive.google.comtabs&type=code) | +| MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy) | copy files using cp | [copyFile](https://github.com/search?q=copyFile&type=code) | +| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileAndStart](https://github.com/search?q=CreateFileAndStart&type=code)
[CreateFileAndWrite](https://github.com/search?q=CreateFileAndWrite&type=code)
[CreateFileHelper](https://github.com/search?q=CreateFileHelper&type=code)
[CreateFileOpenDial](https://github.com/search?q=CreateFileOpenDial&type=code)
[CreateFileToTrunca](https://github.com/search?q=CreateFileToTrunca&type=code)
[CreateFileURLLoade](https://github.com/search?q=CreateFileURLLoade&type=code)
[CreateFileWriterIm](https://github.com/search?q=CreateFileWriterIm&type=code) | +| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFileCallback](https://github.com/search?q=DeleteFileCallback&type=code)
[DeleteFileError](https://github.com/search?q=DeleteFileError&type=code)
[DeleteFileOnFileSe](https://github.com/search?q=DeleteFileOnFileSe&type=code) | +| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utimes](https://github.com/search?q=utimes&type=code) | +| MEDIUM | [fs/path/etc_hosts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts) | references /etc/hosts | [/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) | +| MEDIUM | [fs/path/root](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/root.yara#root_path_val) | path reference within /root | [/root/root.js](https://github.com/search?q=%2Froot%2Froot.js&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/__v8_gc__](https://github.com/search?q=%2Ftmp%2F__v8_gc__&type=code)
[/tmp/node-repl-sock](https://github.com/search?q=%2Ftmp%2Fnode-repl-sock&type=code)
[/tmp/perfetto-consumer](https://github.com/search?q=%2Ftmp%2Fperfetto-consumer&type=code)
[/tmp/perfetto-producer](https://github.com/search?q=%2Ftmp%2Fperfetto-producer&type=code) | +| MEDIUM | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown) | Changes file ownership | [Chown](https://github.com/search?q=Chown&type=code) | +| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [Chmod](https://github.com/search?q=Chmod&type=code)
[chmod](https://github.com/search?q=chmod&type=code) | +| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/$](https://github.com/search?q=%2Fproc%2F%24&type=code)
[/proc/%d/task/](https://github.com/search?q=%2Fproc%2F%25d%2Ftask%2F&type=code) | +| MEDIUM | [fs/proc/cpuinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/cpuinfo.yara#proc_cpuinfo) | get CPU info | [/proc/cpuinfo](https://github.com/search?q=%2Fproc%2Fcpuinfo&type=code) | +| MEDIUM | [fs/proc/meminfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/meminfo.yara#proc_meminfo_val) | get memory info | [/proc/meminfo](https://github.com/search?q=%2Fproc%2Fmeminfo&type=code) | +| MEDIUM | [fs/proc/self_cgroup](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cgroup.yara#pid_self_cgroup) | accesses /proc files within own cgroup | [/proc/self/cgroup/sys/fs/cgroupcgroup](https://github.com/search?q=%2Fproc%2Fself%2Fcgroup%2Fsys%2Ffs%2Fcgroupcgroup&type=code) | +| MEDIUM | [fs/proc/self_cmdline](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cmdline.yara#proc_self_cmdline) | gets process command-line | [/proc/self/cmdline](https://github.com/search?q=%2Fproc%2Fself%2Fcmdline&type=code) | +| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | +| MEDIUM | [fs/proc/self_mountinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-mountinfo.yara#proc_self_mountinfo) | gets mount info associated to this process | [/proc/self/mountinfo](https://github.com/search?q=%2Fproc%2Fself%2Fmountinfo&type=code) | +| MEDIUM | [fs/proc/self_status](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-status.yara#proc_self_status) | gets status associated to this process, including capabilities | [/proc/self/status](https://github.com/search?q=%2Fproc%2Fself%2Fstatus&type=code) | +| MEDIUM | 
[fs/proc/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/stat.yara#proc_stat) | gets kernel/system statistics | [/proc/stat](https://github.com/search?q=%2Fproc%2Fstat&type=code) | +| MEDIUM | [hw/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/cpu.yara#sys_devices_cpu) | Get information about CPUs | [/sys/devices/system/cpu](https://github.com/search?q=%2Fsys%2Fdevices%2Fsystem%2Fcpu&type=code) | +| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [Failed to deserialized Heartbeat info pa](https://github.com/search?q=Failed+to+deserialized+Heartbeat+info+pa&type=code)
[Invalid heartbeat info:](https://github.com/search?q=Invalid+heartbeat+info%3A&type=code)
[No Heartbeat Info pa](https://github.com/search?q=No+Heartbeat+Info+pa&type=code)
[PostHeartbeatTask](https://github.com/search?q=PostHeartbeatTask&type=code)
[heartbeat_handler](https://github.com/search?q=heartbeat_handler&type=code) | +| MEDIUM | [lateral/scan/target_ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/target_ip.yara#target_ip) | References a target IP | [target IP](https://github.com/search?q=target+IP&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code) | +| MEDIUM | [malware/ref](https://github.com/chainguard-dev/malcontent/blob/main/rules/malware/ref.yara#malware) | mentions 'malware' | [_malware](https://github.com/search?q=_malware&type=code) | +| MEDIUM | [mem/anonymous_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/mem/anonymous-file.yara#memfd_create) | create an anonymous file | [memfd_create](https://github.com/search?q=memfd_create&type=code) | +| MEDIUM | [net/dns/over_https](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-over-https.yara#doh_refs) | Supports DNS (Domain Name Service) over HTTPS | [DnsOverHttps](https://github.com/search?q=DnsOverHttps&type=code)
[application/dns-message](https://github.com/search?q=application%2Fdns-message&type=code) | +| MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | +| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | +| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type header.](https://github.com/search?q=Content-Type+header.&type=code)
[Content-Type too large](https://github.com/search?q=Content-Type+too+large&type=code)
[Content-Type was not one of](https://github.com/search?q=Content-Type+was+not+one+of&type=code)
[Content-Type: application/json](https://github.com/search?q=Content-Type%3A+application%2Fjson&type=code)
[Content-Type: application/octet](https://github.com/search?q=Content-Type%3A+application%2Foctet&type=code)
[Content-Type: multipart/related](https://github.com/search?q=Content-Type%3A+multipart%2Frelated&type=code)
[Content-Type: text/html](https://github.com/search?q=Content-Type%3A+text%2Fhtml&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/http/websocket](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/websocket.yara#websocket) | [supports web sockets](https://www.rfc-editor.org/rfc/rfc6455) | [258EAFA5-E914-47DA-95CA-C5AB0DC85B11](https://github.com/search?q=258EAFA5-E914-47DA-95CA-C5AB0DC85B11&type=code)
[AcceptWebSocket](https://github.com/search?q=AcceptWebSocket&type=code)
[DOMWebSocket](https://github.com/search?q=DOMWebSocket&type=code)
[EnclaveWebSocketClient](https://github.com/search?q=EnclaveWebSocketClient&type=code)
[OnWebSocketMessage](https://github.com/search?q=OnWebSocketMessage&type=code)
[OnWebSocketRequest](https://github.com/search?q=OnWebSocketRequest&type=code)
[ServerSupportsWebSocket](https://github.com/search?q=ServerSupportsWebSocket&type=code)
[WebSocket::Close](https://github.com/search?q=WebSocket%3A%3AClose&type=code)
[WebSocket::Connect](https://github.com/search?q=WebSocket%3A%3AConnect&type=code)
[WebSocket::Create](https://github.com/search?q=WebSocket%3A%3ACreate&type=code)
[WebSocket::GetBufferedAmount](https://github.com/search?q=WebSocket%3A%3AGetBufferedAmount&type=code)
[WebSocket::GetCloseCode](https://github.com/search?q=WebSocket%3A%3AGetCloseCode&type=code)
[WebSocket::GetCloseReason](https://github.com/search?q=WebSocket%3A%3AGetCloseReason&type=code)
[WebSocket::GetCloseWasClean](https://github.com/search?q=WebSocket%3A%3AGetCloseWasClean&type=code)
[WebSocket::GetExtensions](https://github.com/search?q=WebSocket%3A%3AGetExtensions&type=code)
[WebSocket::GetProtocol](https://github.com/search?q=WebSocket%3A%3AGetProtocol&type=code)
[WebSocket::GetReadyState](https://github.com/search?q=WebSocket%3A%3AGetReadyState&type=code)
[WebSocket::GetURL](https://github.com/search?q=WebSocket%3A%3AGetURL&type=code)
[WebSocket::IsWebSocket](https://github.com/search?q=WebSocket%3A%3AIsWebSocket&type=code)
[WebSocket::ReceiveMessage](https://github.com/search?q=WebSocket%3A%3AReceiveMessage&type=code)
[WebSocket::SendMessage](https://github.com/search?q=WebSocket%3A%3ASendMessage&type=code)
[WebSocketAdapter](https://github.com/search?q=WebSocketAdapter&type=code)
[WebSocketAuthenticationHandler](https://github.com/search?q=WebSocketAuthenticationHandler&type=code)
[WebSocketChannelImpl](https://github.com/search?q=WebSocketChannelImpl&type=code)
[WebSocketCloseInfo](https://github.com/search?q=WebSocketCloseInfo&type=code)
[WebSocketConnector](https://github.com/search?q=WebSocketConnector&type=code)
[WebSocketCreate](https://github.com/search?q=WebSocketCreate&type=code)
[WebSocketDestroy](https://github.com/search?q=WebSocketDestroy&type=code)
[WebSocketError](https://github.com/search?q=WebSocketError&type=code)
[WebSocketHTTPURL](https://github.com/search?q=WebSocketHTTPURL&type=code)
[WebSocketHandshakeClient](https://github.com/search?q=WebSocketHandshakeClient&type=code)
[WebSocketInit](https://github.com/search?q=WebSocketInit&type=code)
[WebSocketMessageChunkAccumulator::Segment](https://github.com/search?q=WebSocketMessageChunkAccumulator%3A%3ASegment&type=code)
[WebSocketReceiveHandshakeResponse](https://github.com/search?q=WebSocketReceiveHandshakeResponse&type=code)
[WebSocketSendData](https://github.com/search?q=WebSocketSendData&type=code)
[WebSocketSendHandshakeRequest](https://github.com/search?q=WebSocketSendHandshakeRequest&type=code)
[WebSocketSticky](https://github.com/search?q=WebSocketSticky&type=code)
[WebSocketStream::Delegate::OnAuthRequired](https://github.com/search?q=WebSocketStream%3A%3ADelegate%3A%3AOnAuthRequired&type=code)
[WebSocketStreamOptions](https://github.com/search?q=WebSocketStreamOptions&type=code)
[WebSockets](https://github.com/search?q=WebSockets&type=code)
[establishWebSocketConnection](https://github.com/search?q=establishWebSocketConnection&type=code)
[kWebSocketURL:](https://github.com/search?q=kWebSocketURL%3A&type=code)
[testWebSocketPort](https://github.com/search?q=testWebSocketPort&type=code)
[webSocketClosed](https://github.com/search?q=webSocketClosed&type=code)
[webSocketCreated](https://github.com/search?q=webSocketCreated&type=code)
[webSocketDebuggerUrl](https://github.com/search?q=webSocketDebuggerUrl&type=code)
[webSocketFrameError](https://github.com/search?q=webSocketFrameError&type=code)
[webSocketFrameReceived](https://github.com/search?q=webSocketFrameReceived&type=code)
[webSocketFrameSent](https://github.com/search?q=webSocketFrameSent&type=code)
[webSocketHandshakeResponseReceived](https://github.com/search?q=webSocketHandshakeResponseReceived&type=code)
[webSocketProtocol](https://github.com/search?q=webSocketProtocol&type=code)
[webSocketWillSendHandshakeRequest](https://github.com/search?q=webSocketWillSendHandshakeRequest&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | $host_port
[host and port](https://github.com/search?q=host+and+port&type=code)
[host",t.port](https://github.com/search?q=host%22%2Ct.port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+++origin_port&type=code)
[host, origin_port](https://github.com/search?q=host%2C+origin_port&type=code)
[host, port](https://github.com/search?q=host%2C+port&type=code)
[host, protocol, port](https://github.com/search?q=host%2C+protocol%2C+port&type=code)
[host,r.port=e.port](https://github.com/search?q=host%2Cr.port%3De.port&type=code)
[host.length - port](https://github.com/search?q=host.length+-+port&type=code)
[host/port](https://github.com/search?q=host%2Fport&type=code)
[host: address, port](https://github.com/search?q=host%3A+address%2C+port&type=code)
[host:]port](https://github.com/search?q=host%3A%5Dport&type=code)
[host:port](https://github.com/search?q=host%3Aport&type=code)
[host=null,this.port](https://github.com/search?q=host%3Dnull%2Cthis.port&type=code)
[host>:[host_import](https://github.com/search?q=host_import&type=code)
[hostname && A.port](https://github.com/search?q=hostname+%26%26+A.port&type=code)
[hostname, port](https://github.com/search?q=hostname%2C+port&type=code)
[hostname="",r.port](https://github.com/search?q=hostname%3D%22%22%2Cr.port&type=code)
[hostname=null,e.port](https://github.com/search?q=hostname%3Dnull%2Ce.port&type=code)
[hostname}${port](https://github.com/search?q=hostname%7D%24%7Bport&type=code)
[hostname}:${port](https://github.com/search?q=hostname%7D%3A%24%7Bport&type=code)
[host}${port](https://github.com/search?q=host%7D%24%7Bport&type=code)
[host}:${port](https://github.com/search?q=host%7D%3A%24%7Bport&type=code) | +| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping err](https://github.com/search?q=ping++err&type=code)
[ping cancelled](https://github.com/search?q=ping+cancelled&type=code)
[ping connectivity probe](https://github.com/search?q=ping+connectivity+probe&type=code)
[ping failures and](https://github.com/search?q=ping+failures+and&type=code)
[ping from zygote child](https://github.com/search?q=ping+from+zygote+child&type=code)
[ping interval to](https://github.com/search?q=ping+interval+to&type=code)
[ping interval.](https://github.com/search?q=ping+interval.&type=code)
[ping last_ping_sent_:](https://github.com/search?q=ping+last_ping_sent_%3A&type=code)
[ping libuv](https://github.com/search?q=ping+libuv&type=code)
[ping most likely connection to](https://github.com/search?q=ping+most+likely+connection+to&type=code)
[ping payload must be 8 bytes](https://github.com/search?q=ping+payload+must+be+8+bytes&type=code)
[ping received](https://github.com/search?q=ping+received&type=code)
[ping response](https://github.com/search?q=ping+response&type=code)
[ping was sent and the ack](https://github.com/search?q=ping+was+sent+and+the+ack&type=code)
[ping with high retransmit count:](https://github.com/search?q=ping+with+high+retransmit+count%3A&type=code) | +| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | +| MEDIUM | [net/ip/spoof](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/spoof.yara#spoof) | references spoofing | [of hostname spoofing](https://github.com/search?q=of+hostname+spoofing&type=code)
[protocol spoofing](https://github.com/search?q=protocol+spoofing&type=code) | +| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | +| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [CONNECT %s](https://github.com/search?q=CONNECT+%25s&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | +| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[Tunnel](https://github.com/search?q=Tunnel&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | +| MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [NTLM](https://github.com/search?q=NTLM&type=code)
[ntlm](https://github.com/search?q=ntlm&type=code) | +| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) | +| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | +| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | +| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) | +| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[http://autocomplete.nigma.ru/complete/query_help.php?suggest=true](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code) | +| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | +| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code)
[openURL](https://github.com/search?q=openURL&type=code)
[openUrl](https://github.com/search?q=openUrl&type=code)
[request(url,](https://github.com/search?q=request%28url%2C&type=code) | +| MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) | +| MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) | +| MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo chmod 1777 /dev/shm](https://github.com/search?q=sudo+chmod+1777+%2Fdev%2Fshm&type=code) | +| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [!!!!!!!!!!!!!!!!](https://github.com/search?q=%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21%21&type=code)
[0 !!!](https://github.com/search?q=0+++++%21%21%21&type=code)
[11366 !!](https://github.com/search?q=11366++++++%21%21&type=code)
[12366 !!](https://github.com/search?q=12366+++++%21%21&type=code)
[AAHHKKO !!](https://github.com/search?q=AAHHKKO+++%21%21&type=code)
[ABHH !!](https://github.com/search?q=ABHH+++++%21%21&type=code)
[ACHIJNPRU !!](https://github.com/search?q=ACHIJNPRU+++%21%21&type=code)
[Could not format log message !!](https://github.com/search?q=Could+not+format+log+message+%21%21&type=code)
[FFHHL !!](https://github.com/search?q=FFHHL+++%21%21&type=code)
[GG !!](https://github.com/search?q=GG++++%21%21&type=code)
[INVALID CONSTRUCTOR!!!](https://github.com/search?q=INVALID+CONSTRUCTOR%21%21%21&type=code)
[INVALID MAP!!!](https://github.com/search?q=INVALID+MAP%21%21%21&type=code)
[INVALID SHARED ON CONSTRUCTOR!!!](https://github.com/search?q=INVALID+SHARED+ON+CONSTRUCTOR%21%21%21&type=code)
[return !!](https://github.com/search?q=return+%21%21&type=code) | +| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [interceptBufferProtocol](https://github.com/search?q=interceptBufferProtocol&type=code)
[interceptFileProtocol](https://github.com/search?q=interceptFileProtocol&type=code)
[interceptHttpProtocol](https://github.com/search?q=interceptHttpProtocol&type=code)
[interceptProtocol](https://github.com/search?q=interceptProtocol&type=code)
[interceptResponse](https://github.com/search?q=interceptResponse&type=code)
[interceptStreamProtocol](https://github.com/search?q=interceptStreamProtocol&type=code)
[interceptStringProtocol](https://github.com/search?q=interceptStringProtocol&type=code)
[intercepted](https://github.com/search?q=intercepted&type=code)
[intercepting](https://github.com/search?q=intercepting&type=code)
[interceptionId](https://github.com/search?q=interceptionId&type=code)
[interceptionStage](https://github.com/search?q=interceptionStage&type=code)
[interceptor_info_map](https://github.com/search?q=interceptor_info_map&type=code)
[interceptor_url_loader_throttle](https://github.com/search?q=interceptor_url_loader_throttle&type=code)
[interceptors](https://github.com/search?q=interceptors&type=code)
[intercepts](https://github.com/search?q=intercepts&type=code) | +| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | +| LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscate_location_parse_error](https://github.com/search?q=obfuscate_location_parse_error&type=code)
[obfuscated_field_name](https://github.com/search?q=obfuscated_field_name&type=code)
[obfuscated_file_util](https://github.com/search?q=obfuscated_file_util&type=code)
[obfuscated_name](https://github.com/search?q=obfuscated_name&type=code) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [AccountPasswordsConsent](https://github.com/search?q=AccountPasswordsConsent&type=code)
[ChromePasswordManagerClient](https://github.com/search?q=ChromePasswordManagerClient&type=code)
[GaiaPasswordCaptured](https://github.com/search?q=GaiaPasswordCaptured&type=code)
[GaiaPasswordReuse](https://github.com/search?q=GaiaPasswordReuse&type=code)
[Invalid password pattern](https://github.com/search?q=Invalid+password+pattern&type=code)
[PasswordGroupData](https://github.com/search?q=PasswordGroupData&type=code)
[PasswordGroupElementData](https://github.com/search?q=PasswordGroupElementData&type=code)
[PasswordH](https://github.com/search?q=PasswordH&type=code)
[PasswordIssues](https://github.com/search?q=PasswordIssues&type=code)
[PasswordReuseDetected](https://github.com/search?q=PasswordReuseDetected&type=code)
[PasswordReuseLookup](https://github.com/search?q=PasswordReuseLookup&type=code)
[PasswordReveal](https://github.com/search?q=PasswordReveal&type=code)
[PasswordSpecificsData](https://github.com/search?q=PasswordSpecificsData&type=code)
[PasswordStrongLabel](https://github.com/search?q=PasswordStrongLabel&type=code)
[SetPasswordFunc](https://github.com/search?q=SetPasswordFunc&type=code)
[Username and password are expected to](https://github.com/search?q=Username+and+password+are+expected+to&type=code)
[a username and password](https://github.com/search?q=a+username+and+password&type=code)
[accessibilityPasswordValuesEnabled](https://github.com/search?q=accessibilityPasswordValuesEnabled&type=code)
[bPassword](https://github.com/search?q=bPassword&type=code)
[called on a passwordless request](https://github.com/search?q=called+on+a+passwordless+request&type=code)
[challengePassword](https://github.com/search?q=challengePassword&type=code)
[current-password](https://github.com/search?q=current-password&type=code)
[fade-out-password](https://github.com/search?q=fade-out-password&type=code)
[for password](https://github.com/search?q=for+password&type=code)
[generated a new password](https://github.com/search?q=generated+a+new+password&type=code)
[get password](https://github.com/search?q=get+password&type=code)
[getPasswordComplete](https://github.com/search?q=getPasswordComplete&type=code)
[id-PasswordBasedMAC](https://github.com/search?q=id-PasswordBasedMAC&type=code)
[input-password](https://github.com/search?q=input-password&type=code)
[kPassword](https://github.com/search?q=kPassword&type=code)
[like a password](https://github.com/search?q=like+a+password&type=code)
[new-password](https://github.com/search?q=new-password&type=code)
[or PasswordCredentialData](https://github.com/search?q=or+PasswordCredentialData&type=code)
[password based MAC](https://github.com/search?q=password+based+MAC&type=code)
[password is too large](https://github.com/search?q=password+is+too+large&type=code)
[password text](https://github.com/search?q=password+text&type=code)
[password-change](https://github.com/search?q=password-change&type=code)
[password-manager](https://github.com/search?q=password-manager&type=code)
[password-protection](https://github.com/search?q=password-protection&type=code)
[password-reveal](https://github.com/search?q=password-reveal&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[password-strong-label](https://github.com/search?q=password-strong-label&type=code)
[passwordChar](https://github.com/search?q=passwordChar&type=code)
[passwordDialogTitle](https://github.com/search?q=passwordDialogTitle&type=code)
[passwordEchoEnabled](https://github.com/search?q=passwordEchoEnabled&type=code)
[passwordEdit](https://github.com/search?q=passwordEdit&type=code)
[passwordInvalid](https://github.com/search?q=passwordInvalid&type=code)
[passwordPrompt](https://github.com/search?q=passwordPrompt&type=code)
[passwordSubmit](https://github.com/search?q=passwordSubmit&type=code)
[readPassword](https://github.com/search?q=readPassword&type=code)
[reveal-password](https://github.com/search?q=reveal-password&type=code)
[secret_password_clear_sync](https://github.com/search?q=secret_password_clear_sync&type=code)
[secret_password_store_sync](https://github.com/search?q=secret_password_store_sync&type=code)
[set password](https://github.com/search?q=set+password&type=code)
[such as passwords](https://github.com/search?q=such+as+passwords&type=code)
[to deserialize password_string](https://github.com/search?q=to+deserialize+password_string&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[username or password](https://github.com/search?q=username+or+password&type=code)
[writePassword](https://github.com/search?q=writePassword&type=code) | +| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[privateKey](https://github.com/search?q=privateKey&type=code)
[private_key](https://github.com/search?q=private_key&type=code) | +| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) | +| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [AeadEncryptDecrypt](https://github.com/search?q=AeadEncryptDecrypt&type=code)
[AesCbcEncryptDecrypt](https://github.com/search?q=AesCbcEncryptDecrypt&type=code)
[CommonEncryptDecrypt](https://github.com/search?q=CommonEncryptDecrypt&type=code)
[ContentDecryptionModuleClient](https://github.com/search?q=ContentDecryptionModuleClient&type=code)
[CreateContentDecryptionModule](https://github.com/search?q=CreateContentDecryptionModule&type=code)
[Creation of DecryptConfig failed](https://github.com/search?q=Creation+of+DecryptConfig+failed&type=code)
[DecryptAndDecodeAudio](https://github.com/search?q=DecryptAndDecodeAudio&type=code)
[DecryptAndDecodeVideo](https://github.com/search?q=DecryptAndDecodeVideo&type=code)
[DecryptPendingBuffer](https://github.com/search?q=DecryptPendingBuffer&type=code)
[Decrypted a 0](https://github.com/search?q=Decrypted+a+0&type=code)
[DecryptedWithEmptyKey](https://github.com/search?q=DecryptedWithEmptyKey&type=code)
[DecryptingAudioDecoder](https://github.com/search?q=DecryptingAudioDecoder&type=code)
[DecryptingVideoDecoder](https://github.com/search?q=DecryptingVideoDecoder&type=code)
[Decryption failed](https://github.com/search?q=Decryption+failed&type=code)
[Decryption is not avail](https://github.com/search?q=Decryption+is+not+avail&type=code)
[Decryption succeeded af](https://github.com/search?q=Decryption+succeeded+af&type=code)
[DoDecryptReply](https://github.com/search?q=DoDecryptReply&type=code)
[For a Content Decryption Module](https://github.com/search?q=For+a+Content+Decryption+Module&type=code)
[GetFrameDecryptor](https://github.com/search?q=GetFrameDecryptor&type=code)
[Hardware Secure Decryption is disabled](https://github.com/search?q=Hardware+Secure+Decryption+is+disabled&type=code)
[HardwareSecureDecryptionExperiment](https://github.com/search?q=HardwareSecureDecryptionExperiment&type=code)
[MojoDecryptorService](https://github.com/search?q=MojoDecryptorService&type=code)
[OnDecryptingDemuxerStream](https://github.com/search?q=OnDecryptingDemuxerStream&type=code)
[Selected DecryptingDemuxerStream](https://github.com/search?q=Selected+DecryptingDemuxerStream&type=code)
[Setting FrameDecryptor](https://github.com/search?q=Setting+FrameDecryptor&type=code)
[WaitingForDecryptionKey](https://github.com/search?q=WaitingForDecryptionKey&type=code)
[_privateDecrypt](https://github.com/search?q=_privateDecrypt&type=code)
[_publicDecrypt](https://github.com/search?q=_publicDecrypt&type=code)
[ause of SetFrameDecryptor](https://github.com/search?q=ause+of+SetFrameDecryptor&type=code)
[const privateDecrypt](https://github.com/search?q=const+privateDecrypt&type=code)
[const publicDecrypt](https://github.com/search?q=const+publicDecrypt&type=code)
[e to set ContentDecryptionModule object](https://github.com/search?q=e+to+set+ContentDecryptionModule+object&type=code)
[existing ContentDecryptionModule object](https://github.com/search?q=existing+ContentDecryptionModule+object&type=code)
[kDecryptError](https://github.com/search?q=kDecryptError&type=code)
[kIsAudioDecryptingDemuxerStream](https://github.com/search?q=kIsAudioDecryptingDemuxerStream&type=code)
[kIsVideoDecryptingDemuxerStream](https://github.com/search?q=kIsVideoDecryptingDemuxerStream&type=code)
[kWebCryptoCipherDecrypt](https://github.com/search?q=kWebCryptoCipherDecrypt&type=code)
[ketsReceivedWithDecrypter](https://github.com/search?q=ketsReceivedWithDecrypter&type=code) | +| LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) | +| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | +| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public key](https://github.com/search?q=Public+key&type=code)
[Public-key](https://github.com/search?q=Public-key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | +| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code)
[require('tls')](https://github.com/search?q=require%28%27tls%27%29&type=code) | +| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | +| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | +| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) | +| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) | +| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [(�/�](https://github.com/search?q=%28%B5%2F%FD&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | +| LOW | [data/embedded/pem_certificate](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert) | Contains embedded PEM certificate | [--BEGIN CERTIFICATE--](https://github.com/search?q=--BEGIN+CERTIFICATE--&type=code) | +| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | +| LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSON.parse](https://github.com/search?q=JSON.parse&type=code) | +| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | +| LOW | [data/hash/sha1](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha1.yara#SHA1) | Uses the SHA1 signature format | [SHA1_](https://github.com/search?q=SHA1_&type=code) | +| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | +| LOW | [discover/network/interface](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface.yara#bsd_if) | get network interfaces by name or index | [if_indextoname](https://github.com/search?q=if_indextoname&type=code)
[if_nametoindex](https://github.com/search?q=if_nametoindex&type=code) | +| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) | +| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [evasion/hijack_execution/LD_LIBRARY_PATH](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/hijack_execution/LD_LIBRARY_PATH.yara#ld_library_path) | ld library path | [LD_LIBRARY_PATH](https://github.com/search?q=LD_LIBRARY_PATH&type=code) | +| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [exec/dylib/address_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | +| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | +| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [Chromium PDF Plugin](https://github.com/search?q=Chromium+PDF+Plugin&type=code)
[ContainsPlugins](https://github.com/search?q=ContainsPlugins&type=code)
[Failed to generate a plugin id](https://github.com/search?q=Failed+to+generate+a+plugin+id&type=code)
[GetPluginInfo](https://github.com/search?q=GetPluginInfo&type=code)
[GetPlugins](https://github.com/search?q=GetPlugins&type=code)
[If you want to block plugins](https://github.com/search?q=If+you+want+to+block+plugins&type=code)
[Is an accelerated plugin](https://github.com/search?q=Is+an+accelerated+plugin&type=code)
[LoadPluginsSoon](https://github.com/search?q=LoadPluginsSoon&type=code)
[No PPP_GetInterface in plugin library](https://github.com/search?q=No+PPP_GetInterface+in+plugin+library&type=code)
[No PPP_InitializeModule in plugin library](https://github.com/search?q=No+PPP_InitializeModule+in+plugin+library&type=code)
[OnPepperPluginCrashed](https://github.com/search?q=OnPepperPluginCrashed&type=code)
[OnPepperPluginHung](https://github.com/search?q=OnPepperPluginHung&type=code)
[OpenChannelToPepperPlugin](https://github.com/search?q=OpenChannelToPepperPlugin&type=code)
[Pepper Plugin Broker](https://github.com/search?q=Pepper+Plugin+Broker&type=code)
[PepperPluginInstance](https://github.com/search?q=PepperPluginInstance&type=code)
[Plugin Changed](https://github.com/search?q=Plugin+Changed&type=code)
[Plugin URL](https://github.com/search?q=Plugin+URL&type=code)
[Plugin doesn](https://github.com/search?q=Plugin+doesn&type=code)
[PluginArray](https://github.com/search?q=PluginArray&type=code)
[PluginData](https://github.com/search?q=PluginData&type=code)
[PluginDispatcher](https://github.com/search?q=PluginDispatcher&type=code)
[PluginLoad](https://github.com/search?q=PluginLoad&type=code)
[PluginRegistry](https://github.com/search?q=PluginRegistry&type=code)
[PluginResource](https://github.com/search?q=PluginResource&type=code)
[PluginService](https://github.com/search?q=PluginService&type=code)
[PluginSizeUpdated](https://github.com/search?q=PluginSizeUpdated&type=code)
[PpapiMsg_LoadPlugin](https://github.com/search?q=PpapiMsg_LoadPlugin&type=code)
[PpapiPluginMain](https://github.com/search?q=PpapiPluginMain&type=code)
[PpapiPluginMetrics](https://github.com/search?q=PpapiPluginMetrics&type=code)
[RemoveBrowserPluginEmbedder](https://github.com/search?q=RemoveBrowserPluginEmbedder&type=code)
[SendToPlugin](https://github.com/search?q=SendToPlugin&type=code)
[SetBrowserPluginGuest](https://github.com/search?q=SetBrowserPluginGuest&type=code)
[The plugin has not](https://github.com/search?q=The+plugin+has+not&type=code)
[Unable to create ppapi plugin process](https://github.com/search?q=Unable+to+create+ppapi+plugin+process&type=code)
[Unable to load plugin](https://github.com/search?q=Unable+to+load+plugin&type=code)
[Unable to load ppapi plugin](https://github.com/search?q=Unable+to+load+ppapi+plugin&type=code)
[allowNonEmptyNavigatorPlugins](https://github.com/search?q=allowNonEmptyNavigatorPlugins&type=code)
[as a plugin](https://github.com/search?q=as+a+plugin&type=code)
[browserplugin](https://github.com/search?q=browserplugin&type=code)
[enabledPlugin](https://github.com/search?q=enabledPlugin&type=code)
[html_plugin_element](https://github.com/search?q=html_plugin_element&type=code)
[kPluginObject](https://github.com/search?q=kPluginObject&type=code)
[loadplugin](https://github.com/search?q=loadplugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[page contains plugins](https://github.com/search?q=page+contains+plugins&type=code)
[pdf_internal_plugin_wrapper](https://github.com/search?q=pdf_internal_plugin_wrapper&type=code)
[pdf_view_web_plugin](https://github.com/search?q=pdf_view_web_plugin&type=code)
[pepper_hung_plugin_filter](https://github.com/search?q=pepper_hung_plugin_filter&type=code)
[pepper_webplugin_impl](https://github.com/search?q=pepper_webplugin_impl&type=code)
[plugin data](https://github.com/search?q=plugin+data&type=code)
[pluginObject](https://github.com/search?q=pluginObject&type=code)
[plugin_audio_thread](https://github.com/search?q=plugin_audio_thread&type=code)
[plugin_container_impl](https://github.com/search?q=plugin_container_impl&type=code)
[plugin_instance_impl](https://github.com/search?q=plugin_instance_impl&type=code)
[plugin_message_filter](https://github.com/search?q=plugin_message_filter&type=code)
[plugin_module](https://github.com/search?q=plugin_module&type=code)
[plugin_process_host](https://github.com/search?q=plugin_process_host&type=code)
[plugin_service_impl](https://github.com/search?q=plugin_service_impl&type=code)
[pluginsEnabled](https://github.com/search?q=pluginsEnabled&type=code)
[pluginspace](https://github.com/search?q=pluginspace&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[pluginurl](https://github.com/search?q=pluginurl&type=code)
[ppapi_plugin_main](https://github.com/search?q=ppapi_plugin_main&type=code)
[ppapi_plugin_process](https://github.com/search?q=ppapi_plugin_process&type=code)
[r PluginH](https://github.com/search?q=r+PluginH&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code)
[security origin than your plugin](https://github.com/search?q=security+origin+than+your+plugin&type=code)
[strictMixedContentCheckingForPlugin](https://github.com/search?q=strictMixedContentCheckingForPlugin&type=code)
[suggestplugin](https://github.com/search?q=suggestplugin&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectoryAndGetEr](https://github.com/search?q=CreateDirectoryAndGetEr&type=code)
[CreateDirectoryError](https://github.com/search?q=CreateDirectoryError&type=code)
[CreateDirectoryResult](https://github.com/search?q=CreateDirectoryResult&type=code)
[createFolder](https://github.com/search?q=createFolder&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) | +| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | +| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | +| LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm HP-USB500 5.1 Headset](https://github.com/search?q=rm+HP-USB500+5.1+Headset&type=code)
[rm PA-WL54GU](https://github.com/search?q=rm+PA-WL54GU&type=code) | +| LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) | +| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code) | +| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code) | +| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.stat(base](https://github.com/search?q=fs.stat%28base&type=code)
[fs.statSync(file)](https://github.com/search?q=fs.statSync%28file%29&type=code) | +| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | +| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code)
[_writeFilesForTesting](https://github.com/search?q=_writeFilesForTesting&type=code)
[writeFileHandle](https://github.com/search?q=writeFileHandle&type=code)
[writeFileSync](https://github.com/search?q=writeFileSync&type=code)
[writeFileUtf8](https://github.com/search?q=writeFileUtf8&type=code)
[writeToFile](https://github.com/search?q=writeToFile&type=code) | +| LOW | [fs/link_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) | +| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | +| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | +| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | +| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/asound.conf](https://github.com/search?q=%2Fetc%2Fasound.conf&type=code)
[/etc/ati/amdpcsdb.default](https://github.com/search?q=%2Fetc%2Fati%2Famdpcsdb.default&type=code)
[/etc/catalog](https://github.com/search?q=%2Fetc%2Fcatalog&type=code)
[/etc/chromium/native-messaging-hosts](https://github.com/search?q=%2Fetc%2Fchromium%2Fnative-messaging-hosts&type=code)
[/etc/chromium/policies](https://github.com/search?q=%2Fetc%2Fchromium%2Fpolicies&type=code)
[/etc/drirc](https://github.com/search?q=%2Fetc%2Fdrirc&type=code)
[/etc/fonts/conf.d](https://github.com/search?q=%2Fetc%2Ffonts%2Fconf.d&type=code)
[/etc/gai.conf](https://github.com/search?q=%2Fetc%2Fgai.conf&type=code)
[/etc/group](https://github.com/search?q=%2Fetc%2Fgroup&type=code)
[/etc/host.conf](https://github.com/search?q=%2Fetc%2Fhost.conf&type=code)
[/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code)
[/etc/localtime](https://github.com/search?q=%2Fetc%2Flocaltime&type=code)
[/etc/machine-id](https://github.com/search?q=%2Fetc%2Fmachine-id&type=code)
[/etc/netsvc.conf](https://github.com/search?q=%2Fetc%2Fnetsvc.conf&type=code)
[/etc/nsswitch.conf](https://github.com/search?q=%2Fetc%2Fnsswitch.conf&type=code)
[/etc/os-release](https://github.com/search?q=%2Fetc%2Fos-release&type=code)
[/etc/pulse/](https://github.com/search?q=%2Fetc%2Fpulse%2F&type=code)
[/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code)
[/etc/ssl/cert.pem](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.pem&type=code)
[/etc/ssl/certs](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts&type=code)
[/etc/svc.conf](https://github.com/search?q=%2Fetc%2Fsvc.conf&type=code)
[/etc/timezone](https://github.com/search?q=%2Fetc%2Ftimezone&type=code)
[/etc/vulkan/icd.d](https://github.com/search?q=%2Fetc%2Fvulkan%2Ficd.d&type=code)
[/etc/xml/catalog](https://github.com/search?q=%2Fetc%2Fxml%2Fcatalog&type=code) | +| LOW | [fs/path/etc_resolv.conf](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf) | accesses DNS resolver configuration | [/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code) | +| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/privacy/](https://github.com/search?q=%2Fhome%2Fprivacy%2F&type=code) | +| LOW | [fs/path/home_config](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path) | path reference within ~/.config | [.config/pulse](https://github.com/search?q=.config%2Fpulse&type=code)
[/.config/user](https://github.com/search?q=%2F.config%2Fuser&type=code) | +| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/cache/fontconfig](https://github.com/search?q=%2Fvar%2Fcache%2Ffontconfig&type=code)
[/var/run/user](https://github.com/search?q=%2Fvar%2Frun%2Fuser&type=code)
[/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | +| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | +| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TEMPDIR](https://github.com/search?q=TEMPDIR&type=code)
[TMPDIR](https://github.com/search?q=TMPDIR&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | +| LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [mkdtemp](https://github.com/search?q=mkdtemp&type=code)
[temp dir](https://github.com/search?q=temp+dir&type=code) | +| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) | +| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | +| LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code)
[bssid](https://github.com/search?q=bssid&type=code) | +| LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [require('dns')](https://github.com/search?q=require%28%27dns%27%29&type=code) | +| LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [resolv.conf](https://github.com/search?q=resolv.conf&type=code) | +| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | +| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | +| LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | +| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | +| LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [oauth2](https://github.com/search?q=oauth2&type=code) | +| LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | +| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[httpClose](https://github.com/search?q=httpClose&type=code)
[httpConnect](https://github.com/search?q=httpConnect&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code) | +| LOW | [net/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets) | access the internet | [invalid packet](https://github.com/search?q=invalid+packet&type=code) | +| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) | +| LOW | [net/ip/resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-resolve.yara#gethostbyaddr) | [resolves network hosts via IP address](https://linux.die.net/man/3/gethostbyaddr) | [gethostbyaddr](https://github.com/search?q=gethostbyaddr&type=code) | +| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#cannot_resolve) | resolve network host name to IP address | [cannot resolve](https://github.com/search?q=cannot+resolve&type=code) | +| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | +| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | +| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [client_address_spac](https://github.com/search?q=client_address_spac&type=code)
[client_addresses_ca](https://github.com/search?q=client_addresses_ca&type=code)
[getpeername](https://github.com/search?q=getpeername&type=code) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code)
[sendmmsg](https://github.com/search?q=sendmmsg&type=code)
[sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | +| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code)
[new URL](https://github.com/search?q=new+URL&type=code) | +| LOW | [os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val) | Retrieve environment variable values | [env.COLORTERM](https://github.com/search?q=env.COLORTERM&type=code)
[env.CRASHDUMP](https://github.com/search?q=env.CRASHDUMP&type=code)
[env.CRASHPAD](https://github.com/search?q=env.CRASHPAD&type=code)
[env.ELECTRON](https://github.com/search?q=env.ELECTRON&type=code)
[env.FORCE](https://github.com/search?q=env.FORCE&type=code)
[env.JEST](https://github.com/search?q=env.JEST&type=code)
[env.NODE](https://github.com/search?q=env.NODE&type=code)
[env.ORIGINAL](https://github.com/search?q=env.ORIGINAL&type=code)
[env.TEAMCITY](https://github.com/search?q=env.TEAMCITY&type=code)
[env.TEMP](https://github.com/search?q=env.TEMP&type=code)
[env.TERM](https://github.com/search?q=env.TERM&type=code)
[env.TMP](https://github.com/search?q=env.TMP&type=code)
[env.TMUX](https://github.com/search?q=env.TMUX&type=code)
[env.UNDICI](https://github.com/search?q=env.UNDICI&type=code)
[env.USERPROFILE](https://github.com/search?q=env.USERPROFILE&type=code)
[env.WATCH](https://github.com/search?q=env.WATCH&type=code)
[env.XDG](https://github.com/search?q=env.XDG&type=code) | +| LOW | [os/fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | +| LOW | [os/fd/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#py_fd_read) | reads from a file handle | [context.read()](https://github.com/search?q=context.read%28%29&type=code)
[reader.read()](https://github.com/search?q=reader.read%28%29&type=code)
[req.read()](https://github.com/search?q=req.read%28%29&type=code)
[self.read()](https://github.com/search?q=self.read%28%29&type=code)
[socket.read()](https://github.com/search?q=socket.read%28%29&type=code)
[stream.read()](https://github.com/search?q=stream.read%28%29&type=code)
[tail.read()](https://github.com/search?q=tail.read%28%29&type=code) | +| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code) | +| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [_decoder.write(ret)](https://github.com/search?q=_decoder.write%28ret%29&type=code)
[_downstream.write(e)](https://github.com/search?q=_downstream.write%28e%29&type=code)
[decoder.write(data)](https://github.com/search?q=decoder.write%28data%29&type=code)
[decoder.write(readBuffer)](https://github.com/search?q=decoder.write%28readBuffer%29&type=code)
[dest.write(chunk)](https://github.com/search?q=dest.write%28chunk%29&type=code)
[h2stream.write(body)](https://github.com/search?q=h2stream.write%28body%29&type=code)
[h2stream.write(buffer)](https://github.com/search?q=h2stream.write%28buffer%29&type=code)
[h2stream.write(chunk)](https://github.com/search?q=h2stream.write%28chunk%29&type=code)
[output.write(errStack)](https://github.com/search?q=output.write%28errStack%29&type=code)
[output.write(line)](https://github.com/search?q=output.write%28line%29&type=code)
[output.write(result)](https://github.com/search?q=output.write%28result%29&type=code)
[output.write(stringToWrite)](https://github.com/search?q=output.write%28stringToWrite%29&type=code)
[pt.write(val)](https://github.com/search?q=pt.write%28val%29&type=code)
[self.write(prefix)](https://github.com/search?q=self.write%28prefix%29&type=code)
[socket.write(body)](https://github.com/search?q=socket.write%28body%29&type=code)
[socket.write(buffer)](https://github.com/search?q=socket.write%28buffer%29&type=code)
[socket.write(chunk)](https://github.com/search?q=socket.write%28chunk%29&type=code)
[stdout.write(clear)](https://github.com/search?q=stdout.write%28clear%29&type=code)
[stdout.write(s)](https://github.com/search?q=stdout.write%28s%29&type=code)
[stream.write(data)](https://github.com/search?q=stream.write%28data%29&type=code)
[stream.write(kClearScreenDown)](https://github.com/search?q=stream.write%28kClearScreenDown%29&type=code)
[stream.write(string)](https://github.com/search?q=stream.write%28string%29&type=code)
[streamWritable.write(chunk)](https://github.com/search?q=streamWritable.write%28chunk%29&type=code)
[this.write(buf)](https://github.com/search?q=this.write%28buf%29&type=code)
[this.write(data)](https://github.com/search?q=this.write%28data%29&type=code)
[this.write(response)](https://github.com/search?q=this.write%28response%29&type=code)
[writable.write(chunk)](https://github.com/search?q=writable.write%28chunk%29&type=code)
[writer.write(chunk)](https://github.com/search?q=writer.write%28chunk%29&type=code) | +| LOW | [os/kernel/netlink](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink) | communicate with kernel services | [netlink](https://github.com/search?q=netlink&type=code) | +| LOW | [os/kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) | +| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | +| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd -u env -i](https://github.com/search?q=cd+-u++env+-i&type=code) | +| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) | +| LOW | [process/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/create.yara#_fork) | [create child process](https://man7.org/linux/man-pages/man2/fork.2.html) | [_fork](https://github.com/search?q=_fork&type=code) | +| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | +| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | 
[setgroups](https://github.com/search?q=setgroups&type=code) | +| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | + diff --git a/tests/linux/clean/tree-sitter.md b/tests/linux/clean/tree-sitter.md index e69de29b..9daab615 100644 --- a/tests/linux/clean/tree-sitter.md +++ b/tests/linux/clean/tree-sitter.md @@ -0,0 +1,52 @@ +## linux/clean/tree-sitter [🛑 HIGH] + +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--|--|--|--| +| HIGH | [exec/shell/tmp_semicolon](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/tmp_semicolon.yara#semicolon_short_tmp) | unusual one-liners involving /tmp | [--;/tmp/rust-20241004-6494-uljaw4/rustc-1](https://github.com/search?q=--%3B%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1&type=code) | +| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head | +| MEDIUM | [c2/tool_transfer/dropper](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/dropper.yara#dropper) | References a 'dropper' | [Dropper](https://github.com/search?q=Dropper&type=code) | +| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Darwin](https://github.com/search?q=Darwin&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://)
[macOS](https://github.com/search?q=macOS&type=code) | +| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) | +| MEDIUM | [discover/process/runtime_deps](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#tls_get_addr) | [looks up thread private variables, may be used for loaded library discovery](https://chao-tic.github.io/blog/2018/12/25/tls) | [__tls_get_addr](https://github.com/search?q=__tls_get_addr&type=code) | +| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/clap/issues/home/linuxbrew/.cache](https://github.com/search?q=%2Fclap%2Fissues%2Fhome%2Flinuxbrew%2F.cache&type=code)
[/debug/.J](https://github.com/search?q=%2Fdebug%2F.J&type=code)
[/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) | +| MEDIUM | [exec/dylib/symbol_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#execall) | executes external programs | [execvp](https://github.com/search?q=execvp&type=code) | +| MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershell](https://github.com/search?q=powershell&type=code) | +| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/col](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fcol&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/raw](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fraw&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/str](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fstr&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/syn](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fsyn&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/alloc/src/vec](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Falloc%2Fsrc%2Fvec&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/cell](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fcell&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/esca](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fesca&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/io/b](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fio%2Fb&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/num/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fnum%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/ops/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fops%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/slic](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fslic&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/str/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Fstr%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/core/src/time](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fcore%2Fsrc%2Ftime&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/mo](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fmo&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/io/st](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fio%2Fst&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/os/fd](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fos%2Ffd&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sync/](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsync%2F&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/p](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fp&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/sys/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fsys%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/library/std/src/threa](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Flibrary%2Fstd%2Fsrc%2Fthrea&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/addr2line-0.22](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Faddr2line-0.22&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/gimli-0.29.0/s](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fgimli-0.29.0%2Fs&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/hashbrown-0.14](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fhashbrown-0.14&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/miniz_oxide-0.](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Fminiz_oxide-0.&type=code)
[/tmp/rust-20241004-6494-uljaw4/rustc-1.81.0-src/vendor/rustc-demangle](https://github.com/search?q=%2Ftmp%2Frust-20241004-6494-uljaw4%2Frustc-1.81.0-src%2Fvendor%2Frustc-demangle&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/config/s](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fconfig%2Fs&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/generate](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fgenerate&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/cli/src/high](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fcli%2Fsrc%2Fhigh&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/highlight/sr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Fhighlight%2Fsr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/binding_](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fbinding_&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/././](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2F.%2F&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./ge](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fge&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./la](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fla&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./pa](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fpa&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./qu](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fqu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./st](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fst&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./su](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Fsu&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/lib/src/./tr](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Flib%2Fsrc%2F.%2Ftr&type=code)
[/tmp/tree-sitter-20241006-6697-pa8oo4/tree-sitter-0.24.2/tags/src/lib](https://github.com/search?q=%2Ftmp%2Ftree-sitter-20241006-6697-pa8oo4%2Ftree-sitter-0.24.2%2Ftags%2Fsrc%2Flib&type=code) | +| MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type: application/javascriptContent](https://github.com/search?q=Content-Type%3A+application%2FjavascriptContent&type=code)
[Content-Type: application/wasm/tree](https://github.com/search?q=Content-Type%3A+application%2Fwasm%2Ftree&type=code)
[Content-Type: text/htmlContent](https://github.com/search?q=Content-Type%3A+text%2FhtmlContent&type=code)
[Content-TypeServerupgradeassertion failed: d](https://github.com/search?q=Content-TypeServerupgradeassertion+failed%3A+d&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | +| MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | +| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgopythonswift](https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgopythonswift)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.min.css](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.min.css)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.min.js](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.min.js)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.css](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.css)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.js](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.js)
[https://code.jquery.com/jquery](https://code.jquery.com/jquery)
[https://docs.rs/getrandom](https://docs.rs/getrandom)
[https://docs.rs/tree](https://docs.rs/tree)
[https://github.com/ChimeHQ/SwiftTreeSitter](https://github.com/ChimeHQ/SwiftTreeSitter)
[https://github.com/clap](https://github.com/clap)
[https://github.com/tree](https://github.com/tree)
[https://gitlab.com/https](https://gitlab.com/https)
[https://parser.cparser.h](https://parser.cparser.h) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | +| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSON.stringify](https://github.com/search?q=JSON.stringify&type=code) | +| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | +| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [exec/dylib/iterate](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/dylib/iterate.yara#dl_iterate_phdr) | [iterate over list of shared objects](https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html) | [dl_iterate_phdr](https://github.com/search?q=dl_iterate_phdr&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | +| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | +| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | +| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | +| LOW | 
[fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.cache/Homebrew/cargo_cache/registry/src/index.crates.](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.cache%2FHomebrew%2Fcargo_cache%2Fregistry%2Fsrc%2Findex.crates.&type=code)
[/home/linuxbrew/.linuxbrew/Cellar/tree-sitter/0.24.2/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftree-sitter%2F0.24.2%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code) | +| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | +| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) | +| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | +| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | +| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | +| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code) | +| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | +| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | +| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvmsg](https://github.com/search?q=recvmsg&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code) | +| LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop](https://bitbucket.org/grammar.js.gitignore.gitattributes.editorconfigcgop)
[https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi](https://cdnjs.cloudflare.com/ajax/libs/clusterize.js/0.18.0/clusterize.mi)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.c)
[https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j](https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.45.0/codemirror.min.j)
[https://code.jquery.com/jquery-3.3.1.min.js](https://code.jquery.com/jquery-3.3.1.min.js)
[https://docs.rs/getrandom](https://docs.rs/getrandom)
[https://docs.rs/tree-sitter-language/](https://docs.rs/tree-sitter-language/)
[https://docs.rs/tree-sitter/](https://docs.rs/tree-sitter/)
[https://github.com/ChimeHQ/SwiftTreeSitter](https://github.com/ChimeHQ/SwiftTreeSitter)
[https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car](https://github.com/clap-rs/clap/issues/home/linuxbrew/.cache/Homebrew/car)
[https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c](https://github.com/clap-rs/clap/issues=-/home/linuxbrew/.cache/Homebrew/c)
[https://github.com/tree-sitter/tree-sitter-Failed](https://github.com/tree-sitter/tree-sitter-Failed)
[https://gitlab.com/https](https://gitlab.com/https)
[https://parser.cparser.h](https://parser.cparser.h)
[https://tree-sitter.github.io/tree-sitter.jshttps](https://tree-sitter.github.io/tree-sitter.jshttps)
[https://tree-sitter.github.io/tree-sitter.wasmhttps](https://tree-sitter.github.io/tree-sitter.wasmhttps)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-16x16.png)
[https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png](https://tree-sitter.github.io/tree-sitter/assets/images/favicon-32x32.png)
[https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT](https://tree-sitter.github.io/tree-sitter/assets/js/playground.jsTREE_SIT)
[https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j](https://tree-sitter.github.io/tree-sitter/assets/schemas/grammar.schema.j)
[https://tree-sitter.github.io/tree-sitter/creating-parsers](https://tree-sitter.github.io/tree-sitter/creating-parsers)
[https://tree-sitter.github.io/tree-sitter/playground](https://tree-sitter.github.io/tree-sitter/playground)
[https://tree-sitter.github.io/tree-sitter/syntax-highlighting](https://tree-sitter.github.io/tree-sitter/syntax-highlighting)
[https://tree-sitter.github.io/tree-sitter/using-parsers](https://tree-sitter.github.io/tree-sitter/using-parsers) | +| LOW | [os/fd/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write) | writes to a file handle | [stdout.write(output)](https://github.com/search?q=stdout.write%28output%29&type=code) | +| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | +| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd -u env -i](https://github.com/search?q=cd+-u++env+-i&type=code) | +| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real and effective group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | +| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | +| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | + diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple index e69de29b..8d67345f 100644 --- a/tests/linux/clean/trivy.simple +++ b/tests/linux/clean/trivy.simple 
@@ -0,0 +1,201 @@
+# linux/clean/trivy: medium
+anti-static/elf/multiple: medium
+c2/addr/discord: medium
+c2/addr/http_dynamic: medium
+c2/addr/ip: medium
+c2/addr/server: medium
+c2/client: medium
+c2/discovery/ip_dns_resolver: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/download: medium
+c2/tool_transfer/github: medium
+c2/tool_transfer/os: medium
+collect/archives/unarchive: medium
+collect/archives/zip: medium
+collect/code/github_api: low
+collect/databases/leveldb: medium
+collect/databases/mysql: medium
+collect/databases/postgresql: medium
+collect/databases/sqlite: medium
+credential/cloud/aws: medium
+credential/cloud/g: medium
+credential/keychain: medium
+credential/password: low
+credential/server/htpasswd: medium
+credential/sniffer/bpf: medium
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/blockchain: medium
+crypto/cipher: medium
+crypto/decrypt: low
+crypto/ecdsa: low
+crypto/ed25519: low
+crypto/openssl: medium
+crypto/public_key: low
+crypto/tls: low
+data/base64/decode: medium
+data/base64/encode: medium
+data/compression/bzip2: low
+data/compression/gzip: low
+data/compression/lzma: low
+data/compression/xz: medium
+data/compression/zlib: low
+data/compression/zstd: low
+data/embedded/html: medium
+data/embedded/pem_certificate: low
+data/embedded/pem_private_key: medium
+data/embedded/pem_test_key: low
+data/embedded/ssh_signature: medium
+data/encoding/base64: low
+data/encoding/json: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
+data/hash/blake2b: low
+data/hash/md5: medium
+data/hash/sha1: low
+data/random/insecure: low
+discover/cloud/aws_metadata: low
+discover/cloud/google_metadata: low
+discover/cloud/google_storage: low
+discover/network/mac_address: medium
+discover/network/netstat: medium
+discover/process/name: medium
+discover/processes/list: medium
+discover/system/cpu: low
+discover/system/dmesg: low
+discover/system/hostname: low
+discover/system/platform: medium
+discover/system/sysinfo: medium
+discover/user/HOME: low
+discover/user/USER: low
+evasion/bypass_security/linux/iptables: medium
+evasion/file/location/chdir_unusual: medium
+evasion/file/location/dev_shm: medium
+evasion/file/location/var_run: medium
+evasion/file/prefix: medium
+exec/cmd: medium
+exec/conditional/LANG: low
+exec/dylib/symbol_address: medium
+exec/install_additional/package_install: medium
+exec/install_additional/pip_install: medium
+exec/plugin: low
+exec/program: medium
+exec/script/osa: medium
+exec/shell/SHELL: low
+exec/shell/TERM: low
+exec/shell/background_sleep: medium
+exec/shell/pipe_sh: medium
+exec/system_controls/apparmor: medium
+exec/system_controls/systemd: low
+exfil/collection: medium
+exfil/upload: medium
+fs/attributes/set: medium
+fs/directory/create: low
+fs/directory/list: low
+fs/directory/remove: low
+fs/file/copy: medium
+fs/file/create: medium
+fs/file/delete: medium
+fs/file/delete_forcibly: medium
+fs/file/open: low
+fs/file/read: low
+fs/file/rename: low
+fs/file/stat: low
+fs/file/times_set: medium
+fs/file/truncate: low
+fs/file/write: low
+fs/link_create: low
+fs/link_read: low
+fs/lock_update: low
+fs/loopback: medium
+fs/mount: low
+fs/node_create: low
+fs/path/etc: low
+fs/path/etc_hosts: medium
+fs/path/etc_resolv.conf: low
+fs/path/home: low
+fs/path/home_config: low
+fs/path/root: medium
+fs/path/tmp: medium
+fs/path/users: medium
+fs/path/usr_bin: low
+fs/path/usr_lib_python: medium
+fs/path/usr_local: medium
+fs/path/var: low
+fs/permission/chown: medium
+fs/permission/modify: medium
+fs/proc/arbitrary_pid: medium
+fs/proc/self_mountinfo: medium
+fs/swap/off: low
+fs/symlink_resolve: low
+fs/tempdir: low
+fs/tempdir/TEMP: low
+fs/tempdir/TMPDIR: low
+fs/tempdir/create: low
+fs/tempfile: low
+fs/watch: low
+hw/dev/block_ice: medium
+hw/wireless: low
+impact/remote_access/heartbeat: medium
+impact/remote_access/iptables: medium
+impact/remote_access/kill_rm: medium
+impact/remote_access/trojan: medium
+lateral/scan/brute_force: low
+malware/ref: medium
+net/dns: low
+net/dns/reverse: medium
+net/dns/servers: low
+net/dns/txt: low
+net/download/fetch: medium
+net/http/2: low
+net/http/accept: medium
+net/http/accept_encoding: low
+net/http/auth: low
+net/http/content_length: medium
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/oauth2: low
+net/http/post: medium
+net/http/proxy: low
+net/http/request: low
+net/http/webhook: medium
+net/http/websocket: medium
+net/ip: low
+net/ip/host_port: medium
+net/ip/icmp: medium
+net/ip/multicast_send: low
+net/ip/parse: medium
+net/ip/syncookie: medium
+net/proxy/socks5: medium
+net/proxy/tunnel: medium
+net/resolve/hostname: low
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/peer_address: low
+net/socket/receive: low
+net/socket/send: low
+net/tcp/connect: medium
+net/tcp/grpc: low
+net/tcp/ssh: medium
+net/udp/receive: low
+net/udp/send: low
+net/url/embedded: medium
+net/url/encode: medium
+net/url/parse: low
+net/url/request: medium
+os/fd/sendfile: low
+os/kernel/netlink: low
+os/kernel/opencl: medium
+os/kernel/seccomp: low
+os/time/tzinfo: low
+privesc/setuid: low
+privesc/sudo: medium
+process/chdir: low
+process/chroot: low
+process/groupid_set: low
+process/groups_set: low
+process/multithreaded: low
+sus/exclamation: medium
+sus/intercept: medium
+sus/leetspeak: medium
+sus/malicious: medium
diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md
index e69de29b..ad6c6c17 100644
--- a/tests/linux/clean/trufflehog.md
+++ b/tests/linux/clean/trufflehog.md
@@ -0,0 +1,194 @@
+## linux/clean/trufflehog [😈 CRITICAL]
+
+| RISK | KEY | DESCRIPTION | EVIDENCE |
+|--|--|--|--|
+| HIGH | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_url_with_question) | binary contains hardcoded URL with question mark | [https://api.mesibo.com/api.php?op=useradd&token=https](https://api.mesibo.com/api.php?op=useradd&token=https)
[https://api.route4me.com/api.v4/address_book.php?api_key=https](https://api.route4me.com/api.v4/address_book.php?api_key=https)
[https://api.websitepulse.com/textserver.php?method=GetContacts&username=](https://api.websitepulse.com/textserver.php?method=GetContacts&username=)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https) | +| HIGH | [c2/tool_transfer/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/download.yara#download_sites) | [References known file hosting site](https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001) | [pastebin.Scanner](https://github.com/search?q=pastebin.Scanner&type=code)
[pastebin.com/api/api_post](https://github.com/search?q=pastebin.com%2Fapi%2Fapi_post&type=code)
[pastebin.go](https://github.com/search?q=pastebin.go&type=code)
[pastebin.init](https://github.com/search?q=pastebin.init&type=code) | +| HIGH | [c2/tool_transfer/grayware](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/grayware.yara#grayware_sites) | References websites that host code that can be used maliciously | [shodan.io](https://github.com/search?q=shodan.io&type=code) | +| HIGH | [discover/ip/public](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/ip/public_ip.yara#iplookup_website) | public service to discover external IP address | [ipify.or](https://github.com/search?q=ipify.or&type=code) | +| HIGH | [exfil/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/discord.yara#discord_bot) | [Uses the Discord webhooks API](https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_high.yar#L706) | [discord.com/api/webhooks/](https://github.com/search?q=discord.com%2Fapi%2Fwebhooks%2F&type=code) | +| HIGH | [exfil/stealer/creds](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/creds.yara#suspected_data_stealer) | suspected data stealer | [Atomic](https://github.com/search?q=Atomic&type=code)
[Binance](https://github.com/search?q=Binance&type=code)
[Chrome](https://github.com/search?q=Chrome&type=code)
[Discord](https://github.com/search?q=Discord&type=code)
[Firefox](https://github.com/search?q=Firefox&type=code)
[History](https://github.com/search?q=History&type=code)
[OpenVPN](https://github.com/search?q=OpenVPN&type=code)
[Snowflake](https://github.com/search?q=Snowflake&type=code)
[Telegram](https://github.com/search?q=Telegram&type=code) | +| HIGH | [exfil/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#file_io_uploader) | uploads content to file.io | [POST](https://github.com/search?q=POST&type=code)
[file.io](https://github.com/search?q=file.io&type=code)
[post](https://github.com/search?q=post&type=code) | +| MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) |
+| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | $elf_head |
+| MEDIUM | [c2/addr/discord](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/discord.yara#discord) | may report back to 'Discord' | [Discord](https://github.com/search?q=Discord&type=code) |
+| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba](http://%sIncrementDecrementN1QLQueryGetRandom/api/pingrangeScanObserveVba)
[https://%s.api.mailchimp.com/3.0/https](https://%s.api.mailchimp.com/3.0/https)
[https://%s.api.mailchimp.com/3.0https](https://%s.api.mailchimp.com/3.0https)
[https://%s.billomat.net/api/v2/clients/myself](https://%s.billomat.net/api/v2/clients/myself)
[https://%s.caspio.com/oauth/tokenhttps](https://%s.caspio.com/oauth/tokenhttps)
[https://%s.currencycloud.com](https://%s.currencycloud.com)
[https://%s.fibery.io/api/commandsTruffleHog3](https://%s.fibery.io/api/commandsTruffleHog3)
[https://%s.flowlu.com/api/v1/module/crm/lead/list](https://%s.flowlu.com/api/v1/module/crm/lead/list)
[https://%s.formsite.com/api/v2/](https://%s.formsite.com/api/v2/)
[https://%s.kanbantool.com/api/v3/users/current.jsonhttps](https://%s.kanbantool.com/api/v3/users/current.jsonhttps)
[https://%s.leankit.com/io/accounthttps](https://%s.leankit.com/io/accounthttps)
[https://%s.s3](https://%s.s3)
[https://%s.salesmate.io/apis/v3/companies/1](https://%s.salesmate.io/apis/v3/companies/1)
[https://%s.scalr.io/api/iacp/v3/agentshttps](https://%s.scalr.io/api/iacp/v3/agentshttps)
[https://%s.vouchery.io/api/v2.0/usershttps](https://%s.vouchery.io/api/v2.0/usershttps)
[https://%s/account.json](https://%s/account.json)
[https://%s/admin/api/2024](https://%s/admin/api/2024)
[https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR](https://%s/admin/oauth/access_scopes.jsonadmin.conversations.removeCustomR)
[https://%s/api/laml/2010](https://%s/api/laml/2010)
[https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx](https://%s/api/v1/me20060102T150405Z0700InvalidClientTokenIdx)
[https://%s/api/v1/projects](https://%s/api/v1/projects)
[https://%s/api/v1/sources](https://%s/api/v1/sources)
[https://%s/api/v1/users/meopsgenie.com/alert/detail/https](https://%s/api/v1/users/meopsgenie.com/alert/detail/https)
[https://%s/api/v1/userserror](https://%s/api/v1/userserror)
[https://%s/api/v2/tickets](https://%s/api/v2/tickets)
[https://%s/api/v3/users/current.json](https://%s/api/v3/users/current.json)
[https://%s/auth/oauth2/v2/tokenhttps](https://%s/auth/oauth2/v2/tokenhttps)
[https://%s/invoices.json](https://%s/invoices.json)
[https://%s/v2/lastUpdateTimeBeamer](https://%s/v2/lastUpdateTimeBeamer)
[https://%sSCRAM](https://%sSCRAM) | +| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[aIp](https://github.com/search?q=aIp&type=code)
[a_ip](https://github.com/search?q=a_ip&type=code)
[accel_port](https://github.com/search?q=accel_port&type=code)
[allowed_port](https://github.com/search?q=allowed_port&type=code)
[announce_port](https://github.com/search?q=announce_port&type=code)
[client_ip](https://github.com/search?q=client_ip&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[fastly_ip](https://github.com/search?q=fastly_ip&type=code)
[firewall_ip](https://github.com/search?q=firewall_ip&type=code)
[geo_ip](https://github.com/search?q=geo_ip&type=code)
[getPort](https://github.com/search?q=getPort&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[htcp_port](https://github.com/search?q=htcp_port&type=code)
[http_port](https://github.com/search?q=http_port&type=code)
[i_ip](https://github.com/search?q=i_ip&type=code)
[icp_port](https://github.com/search?q=icp_port&type=code)
[in_ip](https://github.com/search?q=in_ip&type=code)
[ip_port](https://github.com/search?q=ip_port&type=code)
[is_port](https://github.com/search?q=is_port&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[lookupPort](https://github.com/search?q=lookupPort&type=code)
[m_ip](https://github.com/search?q=m_ip&type=code)
[miss_port](https://github.com/search?q=miss_port&type=code)
[nIp](https://github.com/search?q=nIp&type=code)
[oIp](https://github.com/search?q=oIp&type=code)
[old_ip](https://github.com/search?q=old_ip&type=code)
[open_port](https://github.com/search?q=open_port&type=code)
[pages_ip](https://github.com/search?q=pages_ip&type=code)
[parsePort](https://github.com/search?q=parsePort&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[privateIp](https://github.com/search?q=privateIp&type=code)
[relay_port](https://github.com/search?q=relay_port&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[routedPort](https://github.com/search?q=routedPort&type=code)
[snmp_port](https://github.com/search?q=snmp_port&type=code)
[snmpd_port](https://github.com/search?q=snmpd_port&type=code)
[stripPort](https://github.com/search?q=stripPort&type=code)
[tIp](https://github.com/search?q=tIp&type=code)
[vIp](https://github.com/search?q=vIp&type=code) | +| MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [ConnectServer](https://github.com/search?q=ConnectServer&type=code) | +| MEDIUM | [c2/addr/telegram](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/telegram.yara#telegram) | telegram | [Telegram](https://github.com/search?q=Telegram&type=code)
[telegram.org](https://github.com/search?q=telegram.org&type=code) | +| MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientID](https://github.com/search?q=clientID&type=code)
[clientId](https://github.com/search?q=clientId&type=code)
[client_id](https://github.com/search?q=client_id&type=code) |
+| MEDIUM | [c2/discovery/ip_dns_resolver](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#google_dns_ip) | contains Google Public DNS resolver IP | [8.8.8.8](https://github.com/search?q=8.8.8.8&type=code) |
+| MEDIUM | [c2/refs](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#download_ref) | downloads files | [download file](https://github.com/search?q=download+file&type=code) |
+| MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [Darwin](https://github.com/search?q=Darwin&type=code)
[Linux](https://github.com/search?q=Linux&type=code)
[Windows](https://github.com/search?q=Windows&type=code)
[http://](http://)
[https://](https://) | +| MEDIUM | [collect/archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/unarchive.yara#unarchive) | unarchives files | [UnarchiveProject](https://github.com/search?q=UnarchiveProject&type=code)
[unarchiveadmin](https://github.com/search?q=unarchiveadmin&type=code)
[unarchiveapp_configurations](https://github.com/search?q=unarchiveapp_configurations&type=code) |
+| MEDIUM | [collect/archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip) | Works with zip files | [archive/zip](https://github.com/search?q=archive%2Fzip&type=code) |
+| MEDIUM | [collect/databases/mysql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/mysql.yara#mysql) | accesses MySQL databases | [mysql](https://github.com/search?q=mysql&type=code) |
+| MEDIUM | [collect/databases/postgresql](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/postgresql.yara#postgresql) | accesses PostgreSQL databases | [postgresql](https://github.com/search?q=postgresql&type=code) |
+| MEDIUM | [collect/databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) |
+| MEDIUM | [credential/clipboard](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/clipboard.yara#nspasteboard) | [access clipboard contents](https://www.sentinelone.com/blog/session-cookies-keychains-ssh-keys-and-more-7-kinds-of-data-malware-steals-from-macos-users/) | [atotto/clipboard](https://github.com/search?q=atotto%2Fclipboard&type=code) |
+| MEDIUM | [credential/cloud/g](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/cloud/gcloud.yara#gcloud_config_value) | Access gcloud configuration files | [.config/gcloud](https://github.com/search?q=.config%2Fgcloud&type=code)
[application_default_credentials.json](https://github.com/search?q=application_default_credentials.json&type=code) |
+| MEDIUM | [credential/gaming/minecraft](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/gaming/minecraft.yara#minecraft) | Has references to Minecraft | [minecraft](https://github.com/search?q=minecraft&type=code) |
+| MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | accesses a keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) |
+| MEDIUM | [crypto/blockchain](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/blockchain.yara#blockchain) | blockchain | [blockchain](https://github.com/search?q=blockchain&type=code) |
+| MEDIUM | [crypto/cipher](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/cipher.yara#ciphertext) | mentions 'ciphertext' | [ciphertext](https://github.com/search?q=ciphertext&type=code) |
+| MEDIUM | [data/compression/xz](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/xz.yara#xz_lib) | uses xz library | [ulikunitz/xz](https://github.com/search?q=ulikunitz%2Fxz&type=code) |
+| MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [DRVJUSUZJQ0FUR::$CERTIFICATE](https://github.com/search?q=DRVJUSUZJQ0FUR%3A%3A%24CERTIFICATE&type=code)
[Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | +| MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) | +| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) |
+| MEDIUM | [data/embedded/pem_private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-private_key.yara#begin_private_key) | Contains RSA PRIVATE KEY directive | [PRIVATE KEY--](https://github.com/search?q=PRIVATE+KEY--&type=code) |
+| MEDIUM | [data/embedded/ssh_signature](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-ssh-signature.yara#ssh_signature) | Contains embedded SSH signature | [--BEGIN SSH SIGNATURE--](https://github.com/search?q=--BEGIN+SSH+SIGNATURE--&type=code) |
+| MEDIUM | [discover/group/lookup](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/group/lookup.yara#getgrent) | get entry from group database | [endgrent](https://github.com/search?q=endgrent&type=code)
[getgrent](https://github.com/search?q=getgrent&type=code)
[setgrent](https://github.com/search?q=setgrent&type=code) | +| MEDIUM | [discover/network/mac_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code)
[macAddress](https://github.com/search?q=macAddress&type=code) | +| MEDIUM | [discover/network/netstat](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/netstat.yara#netstat) | Uses 'netstat' for network information | [netstat](https://github.com/search?q=netstat&type=code) | +| MEDIUM | [discover/system/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code)
[systeminfo](https://github.com/search?q=systeminfo&type=code) |
+| MEDIUM | [discover/user/name_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) |
+| MEDIUM | [evasion/file/location/var_run](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/var-run.yara#var_run_subfolder) | references subfolder within /var/run | [/var/run/slapd/](https://github.com/search?q=%2Fvar%2Frun%2Fslapd%2F&type=code) |
+| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path) | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.ssh](https://github.com/search?q=%25s%2F.ssh&type=code) |
+| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [ExecCommand](https://github.com/search?q=ExecCommand&type=code)
[Execute_Command_Line](https://github.com/search?q=Execute_Command_Line&type=code)
[MergeRunCmdOptions](https://github.com/search?q=MergeRunCmdOptions&type=code)
[RunCommandCursor](https://github.com/search?q=RunCommandCursor&type=code)
[StartCmdTrace](https://github.com/search?q=StartCmdTrace&type=code)
[StartCommandOptions](https://github.com/search?q=StartCommandOptions&type=code)
[execTxCommand](https://github.com/search?q=execTxCommand&type=code)
[executeCommand](https://github.com/search?q=executeCommand&type=code)
[processRunCommand](https://github.com/search?q=processRunCommand&type=code)
[runGitCommand](https://github.com/search?q=runGitCommand&type=code)
[runShellCommandAsynchronously](https://github.com/search?q=runShellCommandAsynchronously&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#exec_cmd_run) | executes external programs | [).CombinedOutput](https://github.com/search?q=%29.CombinedOutput&type=code)
[exec.(*Cmd).Run](https://github.com/search?q=exec.%28%2ACmd%29.Run&type=code) |
+| MEDIUM | [exec/script/osa](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/script/osascript.yara#osascript_caller) | runs osascript | [display dialog](https://github.com/search?q=display+dialog&type=code) |
+| MEDIUM | [exec/shell/power](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/powershell.yara#powershell) | runs powershell scripts | [powershell](https://github.com/search?q=powershell&type=code) |
+| MEDIUM | [exfil/office_file_ext](https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/office_file_ext.yara#office_extensions) | References multiple Office file extensions (possible exfil) | [docx](https://github.com/search?q=docx&type=code)
[ppt](https://github.com/search?q=ppt&type=code)
[pst](https://github.com/search?q=pst&type=code)
[xlsx](https://github.com/search?q=xlsx&type=code) |
+| MEDIUM | [fs/file/copy](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-copy.yara#file_copy_cp) | copy files using cp | [cp](https://github.com/search?q=cp&type=code) |
+| MEDIUM | [fs/file/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-create.yara#CreateFile) | create a new file | [CreateFileProperty](https://github.com/search?q=CreateFileProperty&type=code) |
+| MEDIUM | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#DeleteFile) | delete a file | [DeleteFile](https://github.com/search?q=DeleteFile&type=code) |
+| MEDIUM | [fs/file/times_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utime](https://github.com/search?q=utime&type=code) |
+| MEDIUM | [fs/path/etc_hosts](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-hosts.yara#etc_hosts) | references /etc/hosts | [/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) |
+| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/mysql.sockclientFoundRowsmultiStatementsUNSIGNED](https://github.com/search?q=%2Ftmp%2Fmysql.sockclientFoundRowsmultiStatementsUNSIGNED&type=code)
[/tmp/placeholder/%v](https://github.com/search?q=%2Ftmp%2Fplaceholder%2F%25v&type=code) | +| MEDIUM | [fs/path/users](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/users.yara#home_path_users) | references path within /Users | [/Users/%vorganizations/%v/team/%v/projectssql](https://github.com/search?q=%2FUsers%2F%25vorganizations%2F%25v%2Fteam%2F%25v%2Fprojectssql&type=code) | +| MEDIUM | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-chown.yara#Chown) | Changes file ownership | [Chown](https://github.com/search?q=Chown&type=code) | +| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [Chmod](https://github.com/search?q=Chmod&type=code)
[chmod](https://github.com/search?q=chmod&type=code) |
+| MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/statSHA256](https://github.com/search?q=%2Fproc%2F%25d%2FstatSHA256&type=code) |
+| MEDIUM | [fs/proc/self_cgroup](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-cgroup.yara#pid_self_cgroup) | accesses /proc files within own cgroup | [/proc/self/cgroupcpu](https://github.com/search?q=%2Fproc%2Fself%2Fcgroupcpu&type=code) |
+| MEDIUM | [fs/proc/self_mountinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-mountinfo.yara#proc_self_mountinfo) | gets mount info associated to this process | [/proc/self/mountinfo](https://github.com/search?q=%2Fproc%2Fself%2Fmountinfo&type=code) |
+| MEDIUM | [impact/ddos](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/ddos/ddos.yara#ddos) | References DDoS | [DDoS](https://github.com/search?q=DDoS&type=code) |
+| MEDIUM | [impact/remote_access/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/heartbeat.yara#heartbeat) | references a 'heartbeat' | [:CodeWithScopeSpacerheartbeatinterval](https://github.com/search?q=%3ACodeWithScopeSpacerheartbeatinterval&type=code)
[ConnServer heartbeat started](https://github.com/search?q=ConnServer+heartbeat+started&type=code)
[HeartbeatMS](https://github.com/search?q=HeartbeatMS&type=code)
[SetHeartbeatInterval](https://github.com/search?q=SetHeartbeatInterval&type=code)
[WithHeartbeatInterval](https://github.com/search?q=WithHeartbeatInterval&type=code)
[WithHeartbeatTimeout](https://github.com/search?q=WithHeartbeatTimeout&type=code)
[be greater than or equal to the heartbeat interva](https://github.com/search?q=be+greater+than+or+equal+to+the+heartbeat+interva&type=code)
[comWriteDocumentElementheartbeatfrequenc](https://github.com/search?q=comWriteDocumentElementheartbeatfrequenc&type=code)
[comheartbeatMain: re](https://github.com/search?q=comheartbeatMain%3A+re&type=code)
[crc32Rolling backcleanup docsheartbeat_msgeo_d](https://github.com/search?q=crc32Rolling+backcleanup+docsheartbeat_msgeo_d&type=code)
[edConnection pool clearedServer heartbeat failedS](https://github.com/search?q=edConnection+pool+clearedServer+heartbeat+failedS&type=code)
[edclient_sql_exceptionFailed to heartbeat](https://github.com/search?q=edclient_sql_exceptionFailed+to+heartbeat&type=code)
[eerror setting read deadline in heartbeater:](https://github.com/search?q=eerror+setting+read+deadline+in+heartbeater%3A&type=code)
[eonly valid as initial handshakeheartbeat is not](https://github.com/search?q=eonly+valid+as+initial+handshakeheartbeat+is+not&type=code)
[heartbeatCtxCance](https://github.com/search?q=heartbeatCtxCance&type=code)
[heartbeatFrame](https://github.com/search?q=heartbeatFrame&type=code)
[heartbeatInterval](https://github.com/search?q=heartbeatInterval&type=code)
[heartbeatLock](https://github.com/search?q=heartbeatLock&type=code)
[heartbeatTimeout](https://github.com/search?q=heartbeatTimeout&type=code)
[icedisableConsoleLoginfailed to heartbeat](https://github.com/search?q=icedisableConsoleLoginfailed+to+heartbeat&type=code)
[newHeartbeatDuration](https://github.com/search?q=newHeartbeatDuration&type=code)
[orcHeartbeating](https://github.com/search?q=orcHeartbeating&type=code)
[overflow reading version stringHeartbeats should](https://github.com/search?q=overflow+reading+version+stringHeartbeats+should&type=code)
[parquetheartbeat started](https://github.com/search?q=parquetheartbeat+started&type=code)
[parseHeartbeatFrame](https://github.com/search?q=parseHeartbeatFrame&type=code)
[pollHeartbeatTime](https://github.com/search?q=pollHeartbeatTime&type=code)
[publishServerHeartbeatFailedEv](https://github.com/search?q=publishServerHeartbeatFailedEv&type=code)
[publishServerHeartbeatStartedE](https://github.com/search?q=publishServerHeartbeatStartedE&type=code)
[publishServerHeartbeatSucceede](https://github.com/search?q=publishServerHeartbeatSucceede&type=code)
[setupHeartbeatConnecti](https://github.com/search?q=setupHeartbeatConnecti&type=code)
[sha1publickeysubsystemheartbeatwithcoor](https://github.com/search?q=sha1publickeysubsystemheartbeatwithcoor&type=code)
[sheartbeat stopped](https://github.com/search?q=sheartbeat+stopped&type=code)
[startHeartBeat](https://github.com/search?q=startHeartBeat&type=code)
[stopHeartBeat](https://github.com/search?q=stopHeartBeat&type=code)
[swordincludeRetryReasonstopping heartbeat](https://github.com/search?q=swordincludeRetryReasonstopping+heartbeat&type=code)
[tarting server monitoringServer heartbeat succeed](https://github.com/search?q=tarting+server+monitoringServer+heartbeat+succeed&type=code) | +| MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [Port](https://github.com/search?q=Port&type=code)
[Probe](https://github.com/search?q=Probe&type=code)
[Target](https://github.com/search?q=Target&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) | +| MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | +| MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download) | download files | [DoneDownloadCond](https://github.com/search?q=DoneDownloadCond&type=code)
[DownloadArtifactsFile](https://github.com/search?q=DownloadArtifactsFile&type=code)
[DownloadAvatar](https://github.com/search?q=DownloadAvatar&type=code)
[DownloadContentsWithMeta](https://github.com/search?q=DownloadContentsWithMeta&type=code)
[DownloadPackageFile](https://github.com/search?q=DownloadPackageFile&type=code)
[DownloadReleaseAsset](https://github.com/search?q=DownloadReleaseAsset&type=code)
[ExportDownload](https://github.com/search?q=ExportDownload&type=code)
[FTPDownload](https://github.com/search?q=FTPDownload&type=code)
[FailedDownloads](https://github.com/search?q=FailedDownloads&type=code)
[FuncDownloadHelper](https://github.com/search?q=FuncDownloadHelper&type=code)
[GeoIpDownloadStatistics](https://github.com/search?q=GeoIpDownloadStatistics&type=code)
[GetArchiveDownloadURL](https://github.com/search?q=GetArchiveDownloadURL&type=code)
[GetBrowserDownloadURL](https://github.com/search?q=GetBrowserDownloadURL&type=code)
[GetDownloadCount](https://github.com/search?q=GetDownloadCount&type=code)
[GetDownloadLocation](https://github.com/search?q=GetDownloadLocation&type=code)
[GetDownloadURL](https://github.com/search?q=GetDownloadURL&type=code)
[GetDownloadsURL](https://github.com/search?q=GetDownloadsURL&type=code)
[GetHasDownloads](https://github.com/search?q=GetHasDownloads&type=code)
[GetTempDownloadToken](https://github.com/search?q=GetTempDownloadToken&type=code)
[MFA_TOKENdownload start chunk](https://github.com/search?q=MFA_TOKENdownload+start+chunk&type=code)
[NextDownloader](https://github.com/search?q=NextDownloader&type=code)
[NodeInfoIngestDownloader](https://github.com/search?q=NodeInfoIngestDownloader&type=code)
[STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG](https://github.com/search?q=STREAM_CHUNK_DOWNLOADSF_CLIENT_CONFIG&type=code)
[SuccessfulDownloads](https://github.com/search?q=SuccessfulDownloads&type=code)
[URLDownloadToFile](https://github.com/search?q=URLDownloadToFile&type=code)
[addDownloader](https://github.com/search?q=addDownloader&type=code)
[archive_download_url](https://github.com/search?q=archive_download_url&type=code)
[browser_download_url](https://github.com/search?q=browser_download_url&type=code)
[chunkDownloader](https://github.com/search?q=chunkDownloader&type=code)
[chunk_downloader](https://github.com/search?q=chunk_downloader&type=code)
[downloadChunkHelper](https://github.com/search?q=downloadChunkHelper&type=code)
[downloadH](https://github.com/search?q=downloadH&type=code)
[downloadLocation](https://github.com/search?q=downloadLocation&type=code)
[downloadOCSPCacheServer](https://github.com/search?q=downloadOCSPCacheServer&type=code)
[downloadPatches](https://github.com/search?q=downloadPatches&type=code)
[download_count](https://github.com/search?q=download_count&type=code)
[downloader id](https://github.com/search?q=downloader+id&type=code)
[downloads_url](https://github.com/search?q=downloads_url&type=code)
[downloadsrepos](https://github.com/search?q=downloadsrepos&type=code)
[failed_downloads](https://github.com/search?q=failed_downloads&type=code)
[funcDownloadHelper](https://github.com/search?q=funcDownloadHelper&type=code)
[geoipdownloadstatistics](https://github.com/search?q=geoipdownloadstatistics&type=code)
[getNextChunkDownloader](https://github.com/search?q=getNextChunkDownloader&type=code)
[has_downloads](https://github.com/search?q=has_downloads&type=code)
[methodTotalDownloadTimeshards](https://github.com/search?q=methodTotalDownloadTimeshards&type=code)
[newStreamChunkDownloader](https://github.com/search?q=newStreamChunkDownloader&type=code)
[nodeinfoingestdownloader](https://github.com/search?q=nodeinfoingestdownloader&type=code)
[populateChunkDownloader](https://github.com/search?q=populateChunkDownloader&type=code)
[profileno download link found for](https://github.com/search?q=profileno+download+link+found+for&type=code)
[setNextChunkDownloader](https://github.com/search?q=setNextChunkDownloader&type=code)
[snowflakeChunkDownloader](https://github.com/search?q=snowflakeChunkDownloader&type=code)
[sstart downloading](https://github.com/search?q=sstart+downloading&type=code)
[streamChunkDownloader](https://github.com/search?q=streamChunkDownloader&type=code)
[successful_downloads](https://github.com/search?q=successful_downloads&type=code)
[tailChunkDownloader](https://github.com/search?q=tailChunkDownloader&type=code)
[temp_download_token](https://github.com/search?q=temp_download_token&type=code)
[the scheduleddownloads](https://github.com/search?q=the+scheduleddownloads&type=code)
[theequationsdownload](https://github.com/search?q=theequationsdownload&type=code)
[thresholddownloading error](https://github.com/search?q=thresholddownloading+error&type=code)
[total_download_time](https://github.com/search?q=total_download_time&type=code)
[useStreamDownloader](https://github.com/search?q=useStreamDownloader&type=code)
[vMaxChunkDownloadWorkers](https://github.com/search?q=vMaxChunkDownloadWorkers&type=code)
[vmsdownloading done](https://github.com/search?q=vmsdownloading+done&type=code)
[wcould not download file for scan](https://github.com/search?q=wcould+not+download+file+for+scan&type=code)
[wfailed to download patches](https://github.com/search?q=wfailed+to+download+patches&type=code)
[when trying to download file for scan](https://github.com/search?q=when+trying+to+download+file+for+scan&type=code) | +| MEDIUM | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value) | Invokes curl | [curl / libcurl / php_curl](https://github.com/search?q=curl+%2F+libcurl+%2F+php_curl&type=code) | +| MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [Accept](https://github.com/search?q=Accept&type=code)
[application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code) | +| MEDIUM | [net/http/content_length](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/content-length.yara#content_length_0) | Sets HTTP content length to zero | [Content-Length: 0](https://github.com/search?q=Content-Length%3A+0&type=code) | +| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | +| MEDIUM | [net/http/fake_user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/fake-user-agent.yara#fake_user_agent_chrome) | pretends to be Chrome | [(KHTML, like Gecko) Chrome](https://github.com/search?q=%28KHTML%2C+like+Gecko%29+Chrome&type=code) | +| MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)
[post](https://github.com/search?q=post&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits form content to websites | [Content-Type from get jenkins builds request](https://github.com/search?q=Content-Type+from+get+jenkins+builds+request&type=code)
[Content-Type from get jenkins jobs request:](https://github.com/search?q=Content-Type+from+get+jenkins+jobs+request%3A&type=code)
[Content-Type headerstorage: at least one sou](https://github.com/search?q=Content-Type+headerstorage%3A+at+least+one+sou&type=code)
[Content-Type isn](https://github.com/search?q=Content-Type+isn&type=code)
[Content-Type: text/plain](https://github.com/search?q=Content-Type%3A+text%2Fplain&type=code)
[Content-TypePUSH_PROMISECONTINUATIONCookie.V](https://github.com/search?q=Content-TypePUSH_PROMISECONTINUATIONCookie.V&type=code)
[Content-Typeding](https://github.com/search?q=Content-Typeding&type=code)
[Content-Typeinvalid nesting depthcould not p](https://github.com/search?q=Content-Typeinvalid+nesting+depthcould+not+p&type=code)
[Content-Typenet/http: timeout awaiting respo](https://github.com/search?q=Content-Typenet%2Fhttp%3A+timeout+awaiting+respo&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code) | +| MEDIUM | [net/http/webhook](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/webhook.yara#webhook) | supports webhooks | [CustomRegexWebhook](https://github.com/search?q=CustomRegexWebhook&type=code)
[DiscordWebhook](https://github.com/search?q=DiscordWebhook&type=code)
[GetWebhookSecret](https://github.com/search?q=GetWebhookSecret&type=code)
[IncomingWebhook](https://github.com/search?q=IncomingWebhook&type=code)
[KeypipelineWebhooksCategoryread_apiReporterorg](https://github.com/search?q=KeypipelineWebhooksCategoryread_apiReporterorg&type=code)
[MicrosoftTeamsWebhook](https://github.com/search?q=MicrosoftTeamsWebhook&type=code)
[NewWebhookCustomRegex](https://github.com/search?q=NewWebhookCustomRegex&type=code)
[Sessionwebhook](https://github.com/search?q=Sessionwebhook&type=code)
[SlackWebhook](https://github.com/search?q=SlackWebhook&type=code)
[TinesWebhook](https://github.com/search?q=TinesWebhook&type=code)
[Webhook1protobuf](https://github.com/search?q=Webhook1protobuf&type=code)
[WebhookAction](https://github.com/search?q=WebhookAction&type=code)
[WebhookH](https://github.com/search?q=WebhookH&type=code)
[WebhookMultiError](https://github.com/search?q=WebhookMultiError&type=code)
[WebhookResult](https://github.com/search?q=WebhookResult&type=code)
[WebhookSubuser](https://github.com/search?q=WebhookSubuser&type=code)
[WebhookValidationError](https://github.com/search?q=WebhookValidationError&type=code)
[Webhook_Header](https://github.com/search?q=Webhook_Header&type=code)
[Webhook_Vector](https://github.com/search?q=Webhook_Vector&type=code)
[ZapierWebhook](https://github.com/search?q=ZapierWebhook&type=code)
[discordwebhook](https://github.com/search?q=discordwebhook&type=code)
[getWebhooksPermission](https://github.com/search?q=getWebhooksPermission&type=code)
[isWebhook_Credential](https://github.com/search?q=isWebhook_Credential&type=code)
[isWebhook_Data](https://github.com/search?q=isWebhook_Data&type=code)
[microsoftteamswebhook](https://github.com/search?q=microsoftteamswebhook&type=code)
[readwebhooks](https://github.com/search?q=readwebhooks&type=code)
[slackwebhook](https://github.com/search?q=slackwebhook&type=code)
[tineswebhook](https://github.com/search?q=tineswebhook&type=code)
[verifyWebhook](https://github.com/search?q=verifyWebhook&type=code)
[webhook_endpoints](https://github.com/search?q=webhook_endpoints&type=code)
[webhook_read](https://github.com/search?q=webhook_read&type=code)
[webhook_secret](https://github.com/search?q=webhook_secret&type=code)
[webhook_write](https://github.com/search?q=webhook_write&type=code)
[webhookaction](https://github.com/search?q=webhookaction&type=code)
[webhookb2](https://github.com/search?q=webhookb2&type=code)
[writewebhooks](https://github.com/search?q=writewebhooks&type=code) | +| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#go_scan_tool_val) | Uses struct with JSON representations for host:port | [json:"host"](https://github.com/search?q=json%3A%22host%22&type=code)
[json:"hostname"](https://github.com/search?q=json%3A%22hostname%22&type=code)
[json:"ip"](https://github.com/search?q=json%3A%22ip%22&type=code)
[json:"port"](https://github.com/search?q=json%3A%22port%22&type=code) | +| MEDIUM | [net/ip/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping interval to minimum period of](https://github.com/search?q=ping+interval+to+minimum+period+of&type=code)
[ping not acked within timeout](https://github.com/search?q=ping+not+acked+within+timeout&type=code) | +| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#ip_go) | parses IP address (IPv4 or IPv6) | [IsLinkLocalUnicast](https://github.com/search?q=IsLinkLocalUnicast&type=code)
[IsSingleIP](https://github.com/search?q=IsSingleIP&type=code) | +| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) | +| MEDIUM | [net/rpc/ntlm](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/rpc/ntlm.yara#windows_ntlm_auth) | supports Windows NTLM authentication | [ntlmssp](https://github.com/search?q=ntlmssp&type=code) | +| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| MEDIUM | [net/socket/pair](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/pair.yara#socket_pair) | create a pair of connected sockets | [socketpair](https://github.com/search?q=socketpair&type=code) | +| MEDIUM | [net/tcp/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/connect.yara#connect_tcp) | connects to a TCP port | [dialTCP](https://github.com/search?q=dialTCP&type=code) | +| MEDIUM | [net/tcp/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/listen.yara#listen_tcp) | listen on a TCP port | [listening on tcp](https://github.com/search?q=listening+on+tcp&type=code) | +| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses crypto/ssh to connect to the SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) | +| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[25https://api.websitepulse.com/textserver.php?method=GetContacts](https://github.com/search?q=25https%3A%2F%2Fapi.websitepulse.com%2Ftextserver.php%3Fmethod%3DGetContacts&type=code)
[bhttps://api.route4me.com/api.v4/address_book.php?api_key=https](https://github.com/search?q=bhttps%3A%2F%2Fapi.route4me.com%2Fapi.v4%2Faddress_book.php%3Fapi_key%3Dhttps&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[https://pastebin.com/api/api_post.php](https://pastebin.com/api/api_post.php)
[https://us1.locationiq.com/v1/reverse.php?key=https](https://us1.locationiq.com/v1/reverse.php?key=https)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code)
[shttps://api.mesibo.com/api.php?op=useradd](https://github.com/search?q=shttps%3A%2F%2Fapi.mesibo.com%2Fapi.php%3Fop%3Duseradd&type=code) | +| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | +| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code) | +| MEDIUM | [persist/kernel_module/unload](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/unload.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) | +| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [pid_file](https://github.com/search?q=pid_file&type=code) | +| MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) | +| MEDIUM | [sus/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/intercept.yara#interceptor) | References interception | [intercepted](https://github.com/search?q=intercepted&type=code)
[interceptor](https://github.com/search?q=interceptor&type=code) | +| MEDIUM | [sus/malicious](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/malicious.yara#malicious) | References 'malicious' | [other kinds of malicious content](https://github.com/search?q=other+kinds+of+malicious+content&type=code) | +| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [AMD64](https://github.com/search?q=AMD64&type=code)
[amd64](https://github.com/search?q=amd64&type=code)
[arm64](https://github.com/search?q=arm64&type=code)
[http://](http://)
[https://](https://)
[x86_64](https://github.com/search?q=x86_64&type=code) | +| LOW | [collect/code/github_api](https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/code/github_api.yara#github_api_user) | access GitHub API | [api.github.com](https://github.com/search?q=api.github.com&type=code)
[google/go-github](https://github.com/search?q=google%2Fgo-github&type=code) | +| LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [- pairs with password](https://github.com/search?q=-+pairs+with+password&type=code)
[AllowCleartextPasswords](https://github.com/search?q=AllowCleartextPasswords&type=code)
[AllowEmptyPassword](https://github.com/search?q=AllowEmptyPassword&type=code)
[AllowNativePasswords](https://github.com/search?q=AllowNativePasswords&type=code)
[AllowOldPasswords](https://github.com/search?q=AllowOldPasswords&type=code)
[Attribute SyntaxPassword must be changed](https://github.com/search?q=Attribute+SyntaxPassword+must+be+changed&type=code)
[CertificatePasswordvprotobuf](https://github.com/search?q=CertificatePasswordvprotobuf&type=code)
[ChangePasswordLength](https://github.com/search?q=ChangePasswordLength&type=code)
[ChangePasswordOffset](https://github.com/search?q=ChangePasswordOffset&type=code)
[ChangePasswordOptions](https://github.com/search?q=ChangePasswordOptions&type=code)
[ControlVChuPasswordMustChange](https://github.com/search?q=ControlVChuPasswordMustChange&type=code)
[ControlVChuPasswordWarning](https://github.com/search?q=ControlVChuPasswordWarning&type=code)
[Elasticsearch password](https://github.com/search?q=Elasticsearch+password&type=code)
[FilePasswordFunc](https://github.com/search?q=FilePasswordFunc&type=code)
[GetCertificatePassword](https://github.com/search?q=GetCertificatePassword&type=code)
[GetPassword](https://github.com/search?q=GetPassword&type=code)
[GetVCSPassword](https://github.com/search?q=GetVCSPassword&type=code)
[GetVerifiablePasswordAuthentication](https://github.com/search?q=GetVerifiablePasswordAuthentication&type=code)
[KeychainPasswordFunc](https://github.com/search?q=KeychainPasswordFunc&type=code)
[NewChangePasswordFunc](https://github.com/search?q=NewChangePasswordFunc&type=code)
[NewControlBeheraPasswordPolicy](https://github.com/search?q=NewControlBeheraPasswordPolicy&type=code)
[NewReaderWithPassword](https://github.com/search?q=NewReaderWithPassword&type=code)
[Pairs with password](https://github.com/search?q=Pairs+with+password&type=code)
[PasscodeInPassword](https://github.com/search?q=PasscodeInPassword&type=code)
[Password from](https://github.com/search?q=Password+from&type=code)
[PasswordAuthenticator](https://github.com/search?q=PasswordAuthenticator&type=code)
[PasswordChanged](https://github.com/search?q=PasswordChanged&type=code)
[PasswordCredentialsToken](https://github.com/search?q=PasswordCredentialsToken&type=code)
[PasswordEprotobuf](https://github.com/search?q=PasswordEprotobuf&type=code)
[PasswordHashIterations](https://github.com/search?q=PasswordHashIterations&type=code)
[PasswordModify](https://github.com/search?q=PasswordModify&type=code)
[PasswordRegexCheck](https://github.com/search?q=PasswordRegexCheck&type=code)
[PasswordSet](https://github.com/search?q=PasswordSet&type=code)
[SASLprepping password](https://github.com/search?q=SASLprepping+password&type=code)
[SecureSettingsPassword](https://github.com/search?q=SecureSettingsPassword&type=code)
[allowCleartextPasswords](https://github.com/search?q=allowCleartextPasswords&type=code)
[allowOldPasswords](https://github.com/search?q=allowOldPasswords&type=code)
[authRequiresPassword](https://github.com/search?q=authRequiresPassword&type=code)
[certificatePassword](https://github.com/search?q=certificatePassword&type=code)
[certificate_password](https://github.com/search?q=certificate_password&type=code)
[change_passwordsecurity](https://github.com/search?q=change_passwordsecurity&type=code)
[changepassword](https://github.com/search?q=changepassword&type=code)
[dPassword Policy - Behera](https://github.com/search?q=dPassword+Policy+-+Behera&type=code)
[empty password](https://github.com/search?q=empty+password&type=code)
[encryptPassword](https://github.com/search?q=encryptPassword&type=code)
[errEmptyPassword](https://github.com/search?q=errEmptyPassword&type=code)
[for ChangePassword](https://github.com/search?q=for+ChangePassword&type=code)
[in list of old passwordsldap](https://github.com/search?q=in+list+of+old+passwordsldap&type=code)
[incorrect passwordrardecode](https://github.com/search?q=incorrect+passwordrardecode&type=code)
[json into Changepassword request](https://github.com/search?q=json+into+Changepassword+request&type=code)
[key is not password protectedssh](https://github.com/search?q=key+is+not+password+protectedssh&type=code)
[manglePassword](https://github.com/search?q=manglePassword&type=code)
[meetsCouchbasePasswordRequirements](https://github.com/search?q=meetsCouchbasePasswordRequirements&type=code)
[meetsSnowflakePasswordRequirements](https://github.com/search?q=meetsSnowflakePasswordRequirements&type=code)
[mongoPasswordDigest](https://github.com/search?q=mongoPasswordDigest&type=code)
[native_passwordinvalid dbname](https://github.com/search?q=native_passwordinvalid+dbname&type=code)
[nil ValueWriterpassword must not be set](https://github.com/search?q=nil+ValueWriterpassword+must+not+be+set&type=code)
[no username and password are provided](https://github.com/search?q=no+username+and+password+are+provided&type=code)
[old_passwordsRepositories to](https://github.com/search?q=old_passwordsRepositories+to&type=code)
[parseUserPassword](https://github.com/search?q=parseUserPassword&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[passwordFunc](https://github.com/search?q=passwordFunc&type=code)
[passwordSet](https://github.com/search?q=passwordSet&type=code)
[password_change_date](https://github.com/search?q=password_change_date&type=code)
[password_hash](https://github.com/search?q=password_hash&type=code)
[passwordattachment](https://github.com/search?q=passwordattachment&type=code)
[passwordf](https://github.com/search?q=passwordf&type=code)
[passworduser](https://github.com/search?q=passworduser&type=code)
[qunexpected password response](https://github.com/search?q=qunexpected+password+response&type=code)
[requires old password authentication](https://github.com/search?q=requires+old+password+authentication&type=code)
[saltPassword](https://github.com/search?q=saltPassword&type=code)
[scrambleOldPassword](https://github.com/search?q=scrambleOldPassword&type=code)
[scramblePassword](https://github.com/search?q=scramblePassword&type=code)
[secure_settings_password](https://github.com/search?q=secure_settings_password&type=code)
[sendEncryptedPassword](https://github.com/search?q=sendEncryptedPassword&type=code)
[socksUsernamePassword](https://github.com/search?q=socksUsernamePassword&type=code)
[stripPassword](https://github.com/search?q=stripPassword&type=code)
[the ChangePassword query execution](https://github.com/search?q=the+ChangePassword+query+execution&type=code)
[username AND password](https://github.com/search?q=username+AND+password&type=code)
[username or password was specified](https://github.com/search?q=username+or+password+was+specified&type=code)
[vcs_password](https://github.com/search?q=vcs_password&type=code)
[verifiable_password_authentication](https://github.com/search?q=verifiable_password_authentication&type=code)
[winvalid password](https://github.com/search?q=winvalid+password&type=code) | +| LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [privateKey](https://github.com/search?q=privateKey&type=code)
[private_key](https://github.com/search?q=private_key&type=code)
[privatekey](https://github.com/search?q=privatekey&type=code) | +| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[aes_256_cbc](https://github.com/search?q=aes_256_cbc&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) | +| LOW | [crypto/decrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/decrypt.yara#decrypt) | decrypts data | [DecryptArgs](https://github.com/search?q=DecryptArgs&type=code)
[DecryptColumnEncryption](https://github.com/search?q=DecryptColumnEncryption&type=code)
[DecryptExplicit](https://github.com/search?q=DecryptExplicit&type=code)
[DecryptOAEP](https://github.com/search?q=DecryptOAEP&type=code)
[DecryptPEMBlock](https://github.com/search?q=DecryptPEMBlock&type=code)
[DecryptPKCS1v15SessionK](https://github.com/search?q=DecryptPKCS1v15SessionK&type=code)
[DecryptPrivateKeys](https://github.com/search?q=DecryptPrivateKeys&type=code)
[DecryptTicket](https://github.com/search?q=DecryptTicket&type=code)
[Decrypt_html_template_r](https://github.com/search?q=Decrypt_html_template_r&type=code)
[DecrypterInteract with](https://github.com/search?q=DecrypterInteract+with&type=code)
[DecrypterOpts](https://github.com/search?q=DecrypterOpts&type=code)
[DecryptionKeys](https://github.com/search?q=DecryptionKeys&type=code)
[GetDecryptedKey](https://github.com/search?q=GetDecryptedKey&type=code)
[NewCBCDecrypter](https://github.com/search?q=NewCBCDecrypter&type=code)
[NewCFBDecrypter](https://github.com/search?q=NewCFBDecrypter&type=code)
[NewECBDecrypter](https://github.com/search?q=NewECBDecrypter&type=code)
[NewOCFBDecrypter](https://github.com/search?q=NewOCFBDecrypter&type=code)
[PKCS1v15DecryptOptions](https://github.com/search?q=PKCS1v15DecryptOptions&type=code)
[aeadDecrypter](https://github.com/search?q=aeadDecrypter&type=code)
[cbcDecrypter](https://github.com/search?q=cbcDecrypter&type=code)
[decbDecrypter](https://github.com/search?q=decbDecrypter&type=code)
[ecDecrypterSigner](https://github.com/search?q=ecDecrypterSigner&type=code)
[edDecrypterSigner](https://github.com/search?q=edDecrypterSigner&type=code)
[lid options for Decryptcipher](https://github.com/search?q=lid+options+for+Decryptcipher&type=code)
[newAesDecryptReader](https://github.com/search?q=newAesDecryptReader&type=code)
[newDecrypter](https://github.com/search?q=newDecrypter&type=code)
[ocfbDecrypter](https://github.com/search?q=ocfbDecrypter&type=code)
[pkeDecrypt](https://github.com/search?q=pkeDecrypt&type=code)
[pter type in NewDecrypterPrivateKeyCoun](https://github.com/search?q=pter+type+in+NewDecrypterPrivateKeyCoun&type=code)
[rsaDecryptOk](https://github.com/search?q=rsaDecryptOk&type=code)
[rsaDecrypterSigner](https://github.com/search?q=rsaDecrypterSigner&type=code)
[vDecrypting column](https://github.com/search?q=vDecrypting+column&type=code)
[wecbDecrypter](https://github.com/search?q=wecbDecrypter&type=code) | +| LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) | +| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | +| LOW | [crypto/public_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/public_key.yara#public_key) | references a 'public key' | [Public key](https://github.com/search?q=Public+key&type=code)
[PublicKey](https://github.com/search?q=PublicKey&type=code)
[public key](https://github.com/search?q=public+key&type=code)
[public-key](https://github.com/search?q=public-key&type=code)
[publicKey](https://github.com/search?q=publicKey&type=code)
[public_key](https://github.com/search?q=public_key&type=code)
[publickey](https://github.com/search?q=publickey&type=code) | +| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code) |
+| LOW | [data/compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) |
+| LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) |
+| LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) |
+| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) |
+| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [(�/�](https://github.com/search?q=%28%B5%2F%FD&type=code)
[ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)
[zstd](https://github.com/search?q=zstd&type=code) |
+| LOW | [data/embedded/pem_certificate](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-pem-certificate.yara#begin_cert) | Contains embedded PEM certificate | [--BEGIN CERTIFICATE--](https://github.com/search?q=--BEGIN+CERTIFICATE--&type=code) |
+| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) |
+| LOW | [data/encoding/json](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json.yara#encoding_json) | Supports JSON encoded objects | [encoding/json](https://github.com/search?q=encoding%2Fjson&type=code) |
+| LOW | [data/encoding/json_decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [JSONDecode](https://github.com/search?q=JSONDecode&type=code)
[json.Unmarshal](https://github.com/search?q=json.Unmarshal&type=code) |
+| LOW | [data/encoding/json_encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-encode.yara#JSONEncode) | encodes JSON | [JSONEncode](https://github.com/search?q=JSONEncode&type=code) |
+| LOW | [data/hash/blake2b](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/blake2b.yara#crypto_blake2b) | Uses blake2b encryption algorithm | [blake2b](https://github.com/search?q=blake2b&type=code) |
+| LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [md5:copy](https://github.com/search?q=md5%3Acopy&type=code) |
+| LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) |
+| LOW | [discover/cloud/aws_metadata](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/aws-metadata.yara#aws_metadata) | References the AWS EC2 metadata token | [X-aws-ec2-metadata-token](https://github.com/search?q=X-aws-ec2-metadata-token&type=code) |
+| LOW | [discover/cloud/google_metadata](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/google-metadata.yara#google_metadata) | Includes the token required to use the Google Cloud Platform metadata server | [Metadata-Flavor](https://github.com/search?q=Metadata-Flavor&type=code) |
+| LOW | [discover/cloud/google_storage](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/cloud/google-storage.yara#go_import) | Capable of using Google Cloud Storage (GCS) | [cloud.google.com/go/storage](https://github.com/search?q=cloud.google.com%2Fgo%2Fstorage&type=code) |
+| LOW | [discover/process/parent](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/parent.yara#getppid) | gets parent process ID | [getppid](https://github.com/search?q=getppid&type=code) |
+| LOW | [discover/system/cpu](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/cpu.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) |
+| LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [/proc/sys/kernel/hostname](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fhostname&type=code) |
+| LOW | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | 
[syscall.Uname](https://github.com/search?q=syscall.Uname&type=code)
[uname](https://github.com/search?q=uname&type=code) |
+| LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
+| LOW | [discover/user/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [ENV](https://github.com/search?q=ENV&type=code)
[USER](https://github.com/search?q=USER&type=code)
[environ](https://github.com/search?q=environ&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
+| LOW | [exec/conditional/LANG](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/conditional/LANG.yara#LANG_getenv) | Looks up language of current user | [LANG](https://github.com/search?q=LANG&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
+| LOW | [exec/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/plugin/plugin.yara#plugin) | references a 'plugin' | [EditorImportPlugin](https://github.com/search?q=EditorImportPlugin&type=code)
[EditorPlugin](https://github.com/search?q=EditorPlugin&type=code)
[ExtendedPlugins](https://github.com/search?q=ExtendedPlugins&type=code)
[NewPluginsFunc](https://github.com/search?q=NewPluginsFunc&type=code)
[PluginStats](https://github.com/search?q=PluginStats&type=code)
[PluginsFormat](https://github.com/search?q=PluginsFormat&type=code)
[PluginsRecord](https://github.com/search?q=PluginsRecord&type=code)
[PluginsStatus](https://github.com/search?q=PluginsStatus&type=code)
[SetPluginConfig](https://github.com/search?q=SetPluginConfig&type=code)
[extended_plugins](https://github.com/search?q=extended_plugins&type=code)
[hungarian_ciunknown auth plugin](https://github.com/search?q=hungarian_ciunknown+auth+plugin&type=code)
[not use requested auth plugin](https://github.com/search?q=not+use+requested+auth+plugin&type=code)
[of theremnants ofpluginspage](https://github.com/search?q=of+theremnants+ofpluginspage&type=code)
[plugin loaded](https://github.com/search?q=plugin+loaded&type=code)
[pluginVersion](https://github.com/search?q=pluginVersion&type=code)
[pluginclose](https://github.com/search?q=pluginclose&type=code)
[pluginopen](https://github.com/search?q=pluginopen&type=code)
[pluginpath](https://github.com/search?q=pluginpath&type=code)
[pluginsFormat](https://github.com/search?q=pluginsFormat&type=code)
[pluginsrecord](https://github.com/search?q=pluginsrecord&type=code)
[pluginstats](https://github.com/search?q=pluginstats&type=code)
[pluginswithin](https://github.com/search?q=pluginswithin&type=code)
[relativebringingincreasegovernorplugins](https://github.com/search?q=relativebringingincreasegovernorplugins&type=code) |
+| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) |
+| LOW | [exec/shell/SHELL](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) |
+| LOW | [exec/system_controls/systemd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/system_controls/systemd.yara#ref_systemd) | makes references to systemd | [SYSTEMD](https://github.com/search?q=SYSTEMD&type=code)
[systemd](https://github.com/search?q=systemd&type=code) |
+| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [CreateDirectoryFn](https://github.com/search?q=CreateDirectoryFn&type=code)
[mkdir](https://github.com/search?q=mkdir&type=code) |
+| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) |
+| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [Rmdir](https://github.com/search?q=Rmdir&type=code)
[rmdir](https://github.com/search?q=rmdir&type=code) |
+| LOW | [fs/fifo_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/fifo-create.yara#mkfifo) | make a FIFO special file (a named pipe) | [mkfifo](https://github.com/search?q=mkfifo&type=code) |
+| LOW | [fs/file/delete_forcibly](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force) | Forcibly deletes files | [rm non-TreeNoderserror creating cancelr](https://github.com/search?q=rm+non-TreeNoderserror+creating+cancelr&type=code)
[rm on-chain due to too low of a transa](https://github.com/search?q=rm+on-chain+due+to+too+low+of+a+transa&type=code) |
+| LOW | [fs/file/open](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open) | opens files | [open(](https://github.com/search?q=open%28&type=code) |
+| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code)
[os.(*File).Read](https://github.com/search?q=os.%28%2AFile%29.Read&type=code) |
+| LOW | [fs/file/rename](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-rename.yara#explicit_rename) | renames files | [MoveFile](https://github.com/search?q=MoveFile&type=code)
[os.rename](https://github.com/search?q=os.rename&type=code) |
+| LOW | [fs/file/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat) | access filesystem metadata | [fs.statFile](https://github.com/search?q=fs.statFile&type=code) |
+| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-write.yara#file_write) | writes to file | [WriteFile](https://github.com/search?q=WriteFile&type=code)
[writeCacheFile](https://github.com/search?q=writeCacheFile&type=code)
[writeFilePatchHeader](https://github.com/search?q=writeFilePatchHeader&type=code)
[writeFileToArchive](https://github.com/search?q=writeFileToArchive&type=code)
[writeFilestat](https://github.com/search?q=writeFilestat&type=code)
[writeRawFile](https://github.com/search?q=writeRawFile&type=code)
[writerFile](https://github.com/search?q=writerFile&type=code) |
+| LOW | [fs/link_create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) |
+| LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) |
+| LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) |
+| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) |
+| LOW | [fs/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc.yara#etc_path) | path reference within /etc | [/etc/apache/mime.typesgzip](https://github.com/search?q=%2Fetc%2Fapache%2Fmime.typesgzip&type=code)
[/etc/gitconfigempty](https://github.com/search?q=%2Fetc%2Fgitconfigempty&type=code)
[/etc/hosts.localhostgetsockoptnetlink](https://github.com/search?q=%2Fetc%2Fhosts.localhostgetsockoptnetlink&type=code)
[/etc/httpd/conf/mime.typesmime](https://github.com/search?q=%2Fetc%2Fhttpd%2Fconf%2Fmime.typesmime&type=code)
[/etc/mdns.allow/etc/mime.types](https://github.com/search?q=%2Fetc%2Fmdns.allow%2Fetc%2Fmime.types&type=code)
[/etc/nsswitch.confinvalid](https://github.com/search?q=%2Fetc%2Fnsswitch.confinvalid&type=code)
[/etc/pki/ca-trust/extracted/pem/tls-c](https://github.com/search?q=%2Fetc%2Fpki%2Fca-trust%2Fextracted%2Fpem%2Ftls-c&type=code)
[/etc/pki/tls/cacert.peminvalid](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcacert.peminvalid&type=code)
[/etc/pki/tls/certs/ca-bundle.crtx](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcerts%2Fca-bundle.crtx&type=code)
[/etc/pki/tls/certsperforming](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcertsperforming&type=code)
[/etc/protocolsunknown](https://github.com/search?q=%2Fetc%2Fprotocolsunknown&type=code)
[/etc/resolv.confnon-](https://github.com/search?q=%2Fetc%2Fresolv.confnon-&type=code)
[/etc/servicesdal](https://github.com/search?q=%2Fetc%2Fservicesdal&type=code)
[/etc/ssh/ssh](https://github.com/search?q=%2Fetc%2Fssh%2Fssh&type=code)
[/etc/ssl/ca-bundle.pemx](https://github.com/search?q=%2Fetc%2Fssl%2Fca-bundle.pemx&type=code)
[/etc/ssl/cert.peminvalid](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.peminvalid&type=code)
[/etc/ssl/certs/ca-certificates.crtadd](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts%2Fca-certificates.crtadd&type=code)
[/etc/ssl/certsinvalid](https://github.com/search?q=%2Fetc%2Fssl%2Fcertsinvalid&type=code)
[/etc/zoneinfoparsing](https://github.com/search?q=%2Fetc%2Fzoneinfoparsing&type=code) |
+| LOW | [fs/path/etc_resolv.conf](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/etc-resolv.conf.yara#etc_resolv_conf) | accesses DNS resolver configuration | [/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code) |
+| LOW | [fs/path/file_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/file-url.yara#file_url) | file url | [file:///tmp](https://github.com/search?q=file%3A%2F%2F%2Ftmp&type=code) |
+| LOW | [fs/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home.yara#home_path) | references path within /home | [/home/linuxbrew/.linuxbrew/Cellar/trufflehog/3.82.6/lib](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2FCellar%2Ftrufflehog%2F3.82.6%2Flib&type=code)
[/home/linuxbrew/.linuxbrew/lib/ld.so](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Flib%2Fld.so&type=code)
[/home/linuxbrew/.linuxbrew/opt/gcc/lib/gcc/current](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew%2Fopt%2Fgcc%2Flib%2Fgcc%2Fcurrent&type=code) |
+| LOW | [fs/path/home_config](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/home-config.yara#home_config_path) | path reference within ~/.config | [GRITY_ONLY.config/gcloudf32](https://github.com/search?q=GRITY_ONLY.config%2Fgcloudf32&type=code)
[NumberLine.config/git/configunknown channel](https://github.com/search?q=NumberLine.config%2Fgit%2Fconfigunknown+channel&type=code) |
+| LOW | [fs/path/usr_bin](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/usr-bin.yara#usr_bin_path) | path reference within /usr/bin | [/usr/bin/envcomments_pop_1comments_pop_2c](https://github.com/search?q=%2Fusr%2Fbin%2Fenvcomments_pop_1comments_pop_2c&type=code) |
+| LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/run/slapd/ldapiTLS](https://github.com/search?q=%2Fvar%2Frun%2Fslapd%2FldapiTLS&type=code) |
+| LOW | [fs/swap/off](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/swap/swap-off.yara#swapoff) | stop swapping to a file/device | [swapoff](https://github.com/search?q=swapoff&type=code) |
+| LOW | [fs/symlink_resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) |
+| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) |
+| LOW | [fs/tempdir/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TEMP.yara#temp) | temp | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code)
[temp](https://github.com/search?q=temp&type=code) |
+| LOW | [fs/tempdir/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) |
+| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir/tempdir-create.yara#mkdtemp) | creates temporary directory | [temp dir](https://github.com/search?q=temp+dir&type=code) |
+| LOW | [fs/tempfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile.yara#mktemp) | creates temporary files | [createTempFile](https://github.com/search?q=createTempFile&type=code)
[temp file](https://github.com/search?q=temp+file&type=code)
[tmpfile](https://github.com/search?q=tmpfile&type=code) |
+| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) |
+| LOW | [hw/wireless](https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/wireless.yara#bssid) | wireless network base station ID | [BSSID](https://github.com/search?q=BSSID&type=code) |
+| LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code)
[SetEDNS0](https://github.com/search?q=SetEDNS0&type=code)
[dnsmessage](https://github.com/search?q=dnsmessage&type=code) |
+| LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code) |
+| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) |
+| LOW | [net/ftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ftp/ftp.yara#ftp) | File Transfer Protocol (FTP) | [ftp.Dial](https://github.com/search?q=ftp.Dial&type=code) |
+| LOW | [net/http/2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) |
+| LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) |
+| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/auth.yara#http_auth) | makes HTTP requests with Bearer authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[Www-Authenticate](https://github.com/search?q=Www-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) |
+| LOW | [net/http/oauth2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/oauth2.yara#oauth2) | supports OAuth2 | [OAuth 2](https://github.com/search?q=OAuth+2&type=code)
[oauth2](https://github.com/search?q=oauth2&type=code) |
+| LOW | [net/http/proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) |
+| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code)
[http.get](https://github.com/search?q=http.get&type=code)
[httpRequest](https://github.com/search?q=httpRequest&type=code) |
+| LOW | [net/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip.yara#packets) | access the internet | [invalid packet](https://github.com/search?q=invalid+packet&type=code) |
+| LOW | [net/ip/multicast_send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-multicast-send.yara#multicast) | [send data to multiple nodes simultaneously](https://en.wikipedia.org/wiki/IP_multicast) | [multicast](https://github.com/search?q=multicast&type=code) |
+| LOW | [net/ip/resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-resolve.yara#gethostbyaddr) | [resolves network hosts via IP address](https://linux.die.net/man/3/gethostbyaddr) | [gethostbyaddr](https://github.com/search?q=gethostbyaddr&type=code) |
+| LOW | [net/resolve/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) |
+| LOW | [net/resolve/hostport_parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/resolve/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) |
+| LOW | [net/socket/local_addr](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-local_addr.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) |
+| LOW | [net/socket/peer_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) |
+| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) |
+| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code)
[sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) |
+| LOW | [net/tcp/grpc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/grpc.yara#grpc) | Uses the gRPC Remote Procedure Call framework | [gRPC](https://github.com/search?q=gRPC&type=code) |
+| LOW | [net/udp/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-receive.yara#udp_listen) | Listens for UDP responses | [ReadFromUDP](https://github.com/search?q=ReadFromUDP&type=code)
[listenUDP](https://github.com/search?q=listenUDP&type=code) |
+| LOW | [net/udp/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp/udp-send.yara#udp_send) | Sends UDP packets | [DialUDP](https://github.com/search?q=DialUDP&type=code)
[WriteMsgUDP](https://github.com/search?q=WriteMsgUDP&type=code) |
+| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [RequestURI](https://github.com/search?q=RequestURI&type=code) |
+| LOW | [os/env/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#get_env_val) | Retrieve environment variable values | [env.ANSIC](https://github.com/search?q=env.ANSIC&type=code)
[env.RGBC](https://github.com/search?q=env.RGBC&type=code) |
+| LOW | [os/fd/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code)
[syscall.Sendfile](https://github.com/search?q=syscall.Sendfile&type=code) |
+| LOW | [os/kernel/key_management](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/key-management.yara#syscall_keyctl) | kernel key management facility | [keyctl](https://github.com/search?q=keyctl&type=code) |
+| LOW | [os/kernel/netlink](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/netlink.yara#netlink) | communicate with kernel services | [netlink](https://github.com/search?q=netlink&type=code) |
+| LOW | [privesc/setuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/setuid.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) |
+| LOW | [process/chroot](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chroot.yara#chroot) | change the location of root for the process | [chroot](https://github.com/search?q=chroot&type=code) |
+| LOW | [process/groupid_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real, effective, and saved group ID of process | [setgid](https://github.com/search?q=setgid&type=code) |
+| LOW | [process/groups_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) |
+| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
+
diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple
index e69de29b..5a76c42d 100644
--- a/tests/linux/clean/wolfictl.simple
+++ b/tests/linux/clean/wolfictl.simple
@@ -0,0 +1,192 @@ +# linux/clean/wolfictl: medium +anti-static/elf/multiple: medium +c2/addr/http_dynamic: medium +c2/addr/ip: medium +c2/addr/url: low +c2/client: medium +c2/tool_transfer/arch: low +c2/tool_transfer/download: medium +c2/tool_transfer/dropper: medium +c2/tool_transfer/os: medium +collect/archives/tar_command: medium +collect/archives/unarchive: medium +collect/archives/zip: medium +collect/code/github_api: low +collect/databases/mysql: medium +collect/databases/postgresql: medium +collect/databases/sqlite: medium +credential/clipboard: medium +credential/cloud/g: medium +credential/keychain: medium +credential/password: low +credential/server/htpasswd: medium +credential/ssl/private_key: low +crypto/aes: low +crypto/blockchain: medium +crypto/cipher: medium +crypto/decrypt: low +crypto/ecdsa: low +crypto/ed25519: low +crypto/openssl: medium +crypto/public_key: low +crypto/tls: low +data/compression/bzip2: low +data/compression/gzip: low +data/compression/lzma: low +data/compression/xz: medium +data/compression/zlib: low +data/compression/zstd: low +data/embedded/html: medium +data/embedded/pem_certificate: low +data/embedded/ssh_signature: medium +data/encoding/base64: low +data/encoding/json: low +data/encoding/json_decode: low +data/encoding/json_encode: low +data/hash/blake2b: low +data/hash/md5: low +discover/cloud/aws_metadata: low +discover/cloud/google_metadata: low +discover/cloud/google_storage: low +discover/network/interface_list: medium +discover/network/mac_address: medium +discover/network/netstat: medium +discover/processes/pgrep: medium +discover/system/cpu: low +discover/system/dmesg: low +discover/system/hostname: low +discover/system/platform: medium +discover/system/sysinfo: medium +discover/user/HOME: low +discover/user/USER: low +discover/user/name_get: medium +evasion/bypass_security/linux/se: medium +evasion/bypass_security/macos/xprotect: medium +evasion/file/location/dev_shm: medium +evasion/file/location/system_directory: 
medium +evasion/file/prefix: medium +exec/cmd: medium +exec/conditional/LANG: low +exec/dylib/symbol_address: medium +exec/install_additional/pip_install: medium +exec/plugin: low +exec/program: medium +exec/shell/TERM: low +exec/shell/background_sleep: medium +exec/shell/pipe_sh: medium +exec/system_controls/systemd: low +exfil/office_file_ext: medium +fs/attributes/set: medium +fs/blkid: low +fs/directory/create: low +fs/directory/list: low +fs/directory/remove: low +fs/fifo_create: low +fs/file/copy: medium +fs/file/create: medium +fs/file/delete: medium +fs/file/delete_forcibly: medium +fs/file/open: low +fs/file/read: low +fs/file/rename: low +fs/file/stat: low +fs/file/times_set: medium +fs/file/truncate: low +fs/file/write: low +fs/link_create: low +fs/link_read: low +fs/lock_update: low +fs/loopback: medium +fs/mount: low +fs/node_create: low +fs/path/bin_su: low +fs/path/etc: low +fs/path/etc_hosts: medium +fs/path/etc_resolv.conf: low +fs/path/home_config: low +fs/path/root: medium +fs/path/users: medium +fs/path/usr_bin: low +fs/path/usr_local: medium +fs/path/usr_sbin: low +fs/path/var: low +fs/permission/chown: medium +fs/permission/modify: medium +fs/proc/arbitrary_pid: medium +fs/proc/self_mountinfo: medium +fs/swap/off: low +fs/swap/on: low +fs/symlink_resolve: low +fs/tempdir: low +fs/tempdir/TEMP: low +fs/tempdir/TMPDIR: low +fs/tempdir/create: low +fs/tempfile: low +fs/unmount: low +fs/watch: low +hw/wireless: low +impact/ddos/raw_flooder: medium +impact/remote_access/heartbeat: medium +impact/remote_access/kill_rm: medium +lateral/scan/brute_force: low +lateral/scan/tool: medium +malware/ref: medium +net/dns: low +net/dns/reverse: medium +net/dns/servers: low +net/dns/txt: low +net/download/fetch: medium +net/http/2: low +net/http/accept: medium +net/http/accept_encoding: low +net/http/auth: low +net/http/content_length: medium +net/http/cookies: medium +net/http/form_upload: medium +net/http/oauth2: low +net/http/post: medium +net/http/proxy: 
low +net/http/request: low +net/http/webhook: medium +net/ip: low +net/ip/host_port: medium +net/ip/icmp: medium +net/ip/multicast_send: low +net/ip/parse: medium +net/proxy/reverse: medium +net/proxy/socks5: medium +net/proxy/tunnel: medium +net/resolve/hostname: low +net/socket/listen: medium +net/socket/local_addr: low +net/socket/peer_address: low +net/socket/receive: low +net/socket/reuseport: medium +net/socket/send: low +net/tcp/connect: medium +net/tcp/grpc: low +net/tcp/ssh: medium +net/udp/receive: low +net/udp/send: low +net/url/embedded: medium +net/url/encode: medium +net/url/parse: low +net/url/request: medium +os/env/get: low +os/fd/sendfile: low +os/kernel/netlink: low +os/kernel/seccomp: low +os/time/clock_set: low +persist/cron/tab: medium +persist/pid_file: medium +privesc/setuid: low +process/chdir: low +process/chroot: low +process/create: low +process/groupid_set: low +process/groups_set: low +process/multithreaded: low +process/unshare: low +sus/exclamation: medium +sus/intercept: medium +sus/malicious: medium From 458eb48c3143eb9d1a52f04b986d3b2a6c21d1d6 Mon Sep 17 00:00:00 2001 
From: Thomas Stromberg Date: Thu, 12 Dec 2024 22:24:47 -0500 Subject: [PATCH 08/10] add rules --- rules/anti-static/elf/multiple.yara | 12 +++++++ rules/impact/degrade/systemd.yara | 21 +++++++++++ rules/net/udp/kcp.yara | 15 ++++++++ rules/persist/kernel_module/load.yara | 46 +++++++++++++++++++++++++ rules/persist/kernel_module/name.yara | 18 ++++++++++ rules/persist/kernel_module/unload.yara | 45 ++++++++++++++++++++++++ rules/persist/plugin.yara | 10 ++++++ rules/persist/xdg_desktop_entry.yara | 25 ++++++++++++++ rules/process/terminate/arbitrary.yara | 22 ++++++++++++ rules/sus/lang.yara | 10 ++++++ 10 files changed, 224 insertions(+) create mode 100644 rules/anti-static/elf/multiple.yara create mode 100644 rules/impact/degrade/systemd.yara create mode 100644 rules/net/udp/kcp.yara create mode 100644 rules/persist/kernel_module/load.yara create mode 100644 rules/persist/kernel_module/name.yara create mode 100644 rules/persist/kernel_module/unload.yara create mode 100644 rules/persist/plugin.yara create mode 100644 rules/persist/xdg_desktop_entry.yara create mode 100644 rules/process/terminate/arbitrary.yara create mode 100644 rules/sus/lang.yara
diff --git a/rules/anti-static/elf/multiple.yara b/rules/anti-static/elf/multiple.yara
new file mode 100644
index 00000000..db1efd6c
--- /dev/null
+++ b/rules/anti-static/elf/multiple.yara
@@ -0,0 +1,12 @@
+import "elf"
+
+rule multiple_elf: medium {
+ meta:
+ description = "multiple ELF binaries within an ELF binary"
+
+ strings:
+ $elf_head = "\x7fELF"
+
+ condition:
+ uint32(0) == 1179403647 and #elf_head > 1
+}
diff --git a/rules/impact/degrade/systemd.yara b/rules/impact/degrade/systemd.yara
new file mode 100644
index 00000000..f030e435
--- /dev/null
+++ b/rules/impact/degrade/systemd.yara
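Review bot: `import "elf"` on the first line of the multiple.yara hunk is never referenced; the condition relies only on `uint32(0)` and the `#elf_head` occurrence count, so the import is dead weight and should be dropped (or the magic check rewritten in terms of the module). `#elf_head > 1` counts every occurrence of the four-byte header string, so an ELF that embeds another ELF for an ordinary reason (bundled helper, test fixture, firmware blob) matches as well; that may be intended at medium, but the description should say "contains" rather than imply packing. This rule is also the only new rule in the commit without a `filesize <` bound, e.g. `filesize < 20MB and uint32(0) == 1179403647 and #elf_head > 1`.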
@@ -0,0 +1,21 @@
+rule systemd_disabler: medium {
+ meta:
+ description = "disables systemd services"
+
+ strings:
+ $ref = "systemctl disable"
+
+ condition:
+ filesize < 10MB and any of them
+}
+
+rule systemd_disabler_high: high {
+ meta:
+ description = "disables arbitrary systemd services, hiding output"
+
+ strings:
+ $ref = "systemctl disable %s 2>/dev/null"
+
+ condition:
+ filesize < 10MB and any of them
+}
diff --git a/rules/net/udp/kcp.yara b/rules/net/udp/kcp.yara
new file mode 100644
index 00000000..636e8f9b
--- /dev/null
+++ b/rules/net/udp/kcp.yara
@@ -0,0 +1,15 @@
+rule kcp_go: medium {
+ meta:
+ description = "uses kcp-go, a reliable UDP library for Go"
+
+ strings:
+ $ = "ikcp_waitsnd"
+ $ = "IKCP_CMD_WINS"
+ $u_ssdp_discover = "ssdp:discover"
+ $u_addr = "239.255.255.250"
+ $not_igd = "UPnP/IGD"
+ $not_c1 = "CaptureOne"
+
+ condition:
+ any of them
+}
diff --git a/rules/persist/kernel_module/load.yara b/rules/persist/kernel_module/load.yara
new file mode 100644
index 00000000..62bf3eb7
--- /dev/null
+++ b/rules/persist/kernel_module/load.yara
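Review bot: The high rule's only string, `systemctl disable %s 2>/dev/null`, matches the C format-string form alone, so a shell script that does the same with a variable (`systemctl disable "$svc" 2>/dev/null`) only trips the medium rule, even though the description says "arbitrary" services. The kernel-module rules added in this same commit use regexes for exactly this case; a matching form here would be `$ref = /systemctl disable [\$\%][\w\{\}]{1,24} 2>\/dev\/null/`. Since both rules have a single string, `any of them` and `all of them` are equivalent; picking one form across the commit would help readability.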
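Review bot: In kcp.yara the condition `any of them` counts `$not_igd` and `$not_c1` as positive matches, so the two strings whose names mark them as exclusions actually trigger the rule, and `ssdp:discover` or `239.255.255.250` on their own are enough to report "uses kcp-go" for any UPnP/SSDP-capable program. The kcp identifiers need names so the condition can refer to them: `$kcp_waitsnd = "ikcp_waitsnd"`, `$kcp_cmd_wins = "IKCP_CMD_WINS"`, and `condition: filesize < 10MB and any of ($kcp*) and none of ($not*)`. What the `$u_*` strings are meant to contribute is not visible in the hunk; if they are corroboration they should be required alongside a kcp identifier rather than be sufficient by themselves, and a short comment stating that intent would help the next editor.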
@@ -0,0 +1,46 @@
+rule kernel_module_loader: medium linux {
+ meta:
+ description = "loads Linux kernel module via insmod"
+
+ strings:
+ $insmod = /insmod [ \#\{\}\$\%\w\.\/_-]{1,32}/
+
+ condition:
+ filesize < 10MB and all of them
+}
+
+rule kernel_module_loader_ko: high linux {
+ meta:
+ description = "loads Linux kernel module .ko via insmod"
+
+ strings:
+ $insmod = /insmod [ \$\%\w\.\/_-]{1,32}\.ko/
+
+ condition:
+ filesize < 10MB and all of them
+}
+
+rule kernel_module_loader_sus_redir: high linux {
+ meta:
+ description = "suspiciously loads Linux kernel module via insmod"
+
+ strings:
+ $insmod = /insmod [ \$\%\w\.\/_-]{1,32} .{0,16}\/dev\/null 2\>\&1/
+ $insmod2 = /insmod [ \$\%\w\.\/_-]{1,32} .{0,16}2>\/dev\/null/
+
+ condition:
+ filesize < 10MB and any of them
+}
+
+rule cha_cha_tests: override linux {
+ meta:
+ description = "test_cipher.ko"
+ filetypes = "sh"
+ kernel_module_loader_ko = "medium"
+
+ strings:
+ $test = "insmod test_cipher.ko size"
+
+ condition:
+ filesize < 2KB and any of them
+}
diff --git a/rules/persist/kernel_module/name.yara b/rules/persist/kernel_module/name.yara
new file mode 100644
index 00000000..1e0ac2d4
--- /dev/null
+++ b/rules/persist/kernel_module/name.yara
@@ -0,0 +1,18 @@
+rule lkm_name: medium {
+ meta:
+ description = "mentions Linux kernel module by name"
+ capability = "CAP_SYS_MODULE"
+
+ strings:
+ $ko = /[a-z_]{2,12}\.ko/ fullword
+
+ $o_kernel = "kernel"
+ $o_lsmod = "lsmod"
+ $o_rmmod = "rmmod"
+ $o_insmod = "insmod"
+ $o_modprobe = "modprobe"
+ $not_languages_ko = "languages.ko"
+
+ condition:
+ $ko and any of ($o*) and none of ($not*)
+}
diff --git a/rules/persist/kernel_module/unload.yara b/rules/persist/kernel_module/unload.yara
new file mode 100644
index 00000000..afdca2f8
--- /dev/null
+++ b/rules/persist/kernel_module/unload.yara
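Review bot: The two regexes in `kernel_module_loader_sus_redir` escape the same redirection characters differently: `$insmod` writes `2\>\&1` while `$insmod2` writes `2>\/dev\/null`. Neither `>` nor `&` is a metacharacter in YARA regexes, so the unescaped spelling is the clearer one for both, e.g. `$insmod = /insmod [ \$\%\w\.\/_-]{1,32} .{0,16}\/dev\/null 2>&1/`. The `[ ...]{1,32}` class in all three loader regexes includes a space, so the match can run across several arguments; that looks deliberate (flags before the module path) but deserves a one-line comment so it is not "fixed" later. The `cha_cha_tests` override lowers only `kernel_module_loader_ko`; the same input would presumably still fire `kernel_module_loader` at medium, which seems consistent with the override value but is worth confirming against the test expectation.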
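Review bot: In name.yara the `$ko` regex `/[a-z_]{2,12}\.ko/` admits neither digits nor hyphens, so module file names such as `ext4.ko`, `ipv6.ko` or `nf_conntrack_ipv4.ko` (the last also exceeds 12 characters) can never match, while the rule's description promises to catch a module "by name". A class closer to real module names would be `$ko = /[a-z0-9_-]{2,24}\.ko/ fullword`; `fullword` still protects the `.ko` boundary. This rule has no `filesize <` bound, unlike the other rules in the commit, and `$o_kernel = "kernel"` is weak corroboration on its own since the word appears in many unrelated binaries; presumably the intent is that the tooling names (`lsmod`, `rmmod`, `insmod`, `modprobe`) do most of the work, and a comment saying so would help.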
@@ -0,0 +1,45 @@
+rule kernel_module_unloader: medium linux {
+ meta:
+ description = "unloads Linux kernel module via rmmod"
+
+ strings:
+ $insmod = /rmmod [ \#\{\}\$\%\w\.\/_-]{1,32}/
+
+ condition:
+ filesize < 10MB and all of them
+}
+
+rule kernel_module_unloader_sus: high linux {
+ meta:
+ description = "unloads Linux kernel module via rmmod, discarding output"
+
+ strings:
+ $insmod = /rmmod.{0,32}2\>\s{0,2}\/dev\/null/
+
+ condition:
+ filesize < 10MB and any of them
+}
+
+rule delete_module: medium {
+ meta:
+ description = "Unload Linux kernel module"
+ syscall = "delete_module"
+ capability = "CAP_SYS_MODULE"
+
+ strings:
+ $ref = "delete_module" fullword
+
+ condition:
+ all of them
+}
+
+rule system_kext_unloader: high {
+ meta:
+ description = "unloads system kernel extensions"
+
+ strings:
+ $kextunload_sys_lib_ext = "kextunload /System/Library/Extensions/"
+
+ condition:
+ filesize < 10485760 and any of them
+}
diff --git a/rules/persist/plugin.yara b/rules/persist/plugin.yara
new file mode 100644
index 00000000..17a59327
--- /dev/null
+++ b/rules/persist/plugin.yara
@@ -0,0 +1,10 @@
+rule plugin_persist: high {
+ meta:
+ description = "may use persistence plugins"
+
+ strings:
+ $ref = "plugin_persist"
+
+ condition:
+ any of them
+}
diff --git a/rules/persist/xdg_desktop_entry.yara b/rules/persist/xdg_desktop_entry.yara
new file mode 100644
index 00000000..abe04f41
--- /dev/null
+++ b/rules/persist/xdg_desktop_entry.yara
@@ -0,0 +1,25 @@
+rule desktop_app_exec_entry: medium {
+ meta:
+ description = "creates an XDG Desktop Entry to execute an application"
+
+ strings:
+ $ = "[Desktop Entry]"
+ $ = "Type=Application"
+ $ = "Exec="
+
+ condition:
+ filesize < 20MB and all of them
+}
+
+rule elf_desktop_app_exec_entry: high {
+ meta:
+ description = "persists via an XDG Desktop Entry"
+
+ strings:
+ $ = "[Desktop Entry]"
+ $ = "Type=Application"
+ $ = "Exec="
+
+ condition:
+ filesize < 20MB and uint32(0) == 1179403647 and all of them
+}
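Review bot: Both rmmod rules in unload.yara keep the string variable name `$insmod` from the file they were copied from, so the identifier contradicts what it matches; `$rmmod = /rmmod [ \#\{\}\$\%\w\.\/_-]{1,32}/` and `$rmmod = /rmmod.{0,32}2>\s{0,2}\/dev\/null/` would read correctly (the `\>` escape is unnecessary, as in the load.yara hunk). `system_kext_unloader` spells its bound as `filesize < 10485760` while every other rule in this commit writes `10MB`; the two are the same value, so `10MB` keeps the file uniform. `delete_module` is the one rule here with no size bound at all, which may be deliberate for a `fullword` syscall name but is worth a comment.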
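Review bot: `plugin_persist` reports high on a single bare identifier with no `filesize` bound and no corroborating string, so any file that merely mentions `plugin_persist` (a source tree, a symbol table, documentation) gets the top severity. Adding the bound used elsewhere in the commit, `filesize < 10MB and any of them`, is a cheap first step. The description "may use persistence plugins" does not say where this identifier is known from; if it is tied to a specific tool or family, naming that in the `description` lets a reader judge whether high is warranted.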
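Review bot: `desktop_app_exec_entry` requires only `[Desktop Entry]`, `Type=Application` and `Exec=`, which every ordinary `.desktop` launcher shipped by a distribution contains, so at medium the rule will fire on essentially all of them even though the description says the file "creates" an entry. The ELF variant below it gates on the ELF magic and captures the real concern; the medium rule would be more faithful to its description if it were restricted to carriers that can create a file, for example a script, `uint16(0) == 0x2123 and all of them` (the little-endian `#!` shebang), or demoted to low. If matching raw `.desktop` files is intended, the description should say "XDG Desktop Entry executing an application" rather than "creates".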
diff --git a/rules/process/terminate/arbitrary.yara b/rules/process/terminate/arbitrary.yara
new file mode 100644
index 00000000..84d971d6
--- /dev/null
+++ b/rules/process/terminate/arbitrary.yara
@@ -0,0 +1,22 @@
+rule kill_d: high {
+ meta:
+ description = "kills arbitrary process, hiding errors"
+
+ strings:
+ $kill_9 = "kill %d 2>/dev/null"
+
+ condition:
+ any of them
+}
+
+rule kill_9_d: high {
+ meta:
+ description = "terminates arbitrary process, hiding errors"
+
+ strings:
+ $kill_9 = "kill -9 %d 2>/dev/null"
+
+ condition:
+ any of them
+}
+
diff --git a/rules/sus/lang.yara b/rules/sus/lang.yara
new file mode 100644
index 00000000..1929504e
--- /dev/null
+++ b/rules/sus/lang.yara
@@ -0,0 +1,10 @@
+rule en_us_utf8: medium {
+ meta:
+ description = "hardcodes language to American English"
+
+ strings:
+ $ = "en_US.UTF-8" fullword
+
+ condition:
+ any of them
+}
From 7ab24ec8249fdf890e31b4cae4e03f53a02c0f1c Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Mon, 16 Dec 2024 16:40:06 -0500 Subject: [PATCH 09/10] fix yara compile errors (duplicated rule names) --- rules/evasion/file/location/multiple.yara | 2 +- rules/fs/proc/pid-stat.yara | 4 ++-- rules/os/fd/socket.yara | 11 ----------- 3 files changed, 3 insertions(+), 14 deletions(-) delete mode 100644 rules/os/fd/socket.yara
diff --git a/rules/evasion/file/location/multiple.yara b/rules/evasion/file/location/multiple.yara
index 7039993b..675c7221 100644
--- a/rules/evasion/file/location/multiple.yara
+++ b/rules/evasion/file/location/multiple.yara
@@ -1,4 +1,4 @@
-rule multiple_elf: high linux {
+rule multiple_elf_system_paths: high linux {
 meta:
 description = "references multiple system paths, may be trying to hide content"
diff --git a/rules/fs/proc/pid-stat.yara b/rules/fs/proc/pid-stat.yara
index 1a1a64c6..947fbeee 100644
--- a/rules/fs/proc/pid-stat.yara
+++ b/rules/fs/proc/pid-stat.yara
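Review bot: In `kill_d` the string variable is named `$kill_9` although it matches the plain `kill %d 2>/dev/null` form; this is a copy of `kill_9_d` and should be `$kill = "kill %d 2>/dev/null"` so the name does not mislead. Both rules match only the C format-string spelling, so the same command written in shell with a variable (`kill -9 $pid 2>/dev/null`) is missed; the kernel-module rules added in this commit handle that with a regex, e.g. `$kill = /kill (-9 )?[\$\%][\w\{\}]{1,16} 2>\/dev\/null/`. Neither rule carries the `filesize <` bound the rest of the commit uses.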
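Review bot: `en_us_utf8` reports medium on the bare string `en_US.UTF-8`, which appears in locale tables, build scripts and many benign programs that set or merely enumerate locales, so the hunk gives no evidence that the file "hardcodes" anything. Matching the assignment form would fit the description far better, e.g. `$ = /L(ANG|C_ALL)=en_US\.UTF-8/`; failing that, low seems the honest severity for the bare string. As with the other single-string rules in this commit, a `filesize <` bound is missing.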
@@ -1,6 +1,6 @@
 import "math"
-rule proc_stat: medium {
+rule proc_pid_stat: medium {
 meta:
 description = "access status fields for other processes"
@@ -13,7 +13,7 @@ rule proc_stat: medium {
 any of them
 }
-rule proc_stat_near: medium {
+rule proc_pid_stat_near: medium {
 meta:
 description = "access status fields for other processes"
diff --git a/rules/os/fd/socket.yara b/rules/os/fd/socket.yara
deleted file mode 100644
index e278e3ff..00000000
--- a/rules/os/fd/socket.yara
+++ /dev/null
@@ -1,11 +0,0 @@
-rule inspects_opened_sockets: medium {
- meta:
- description = "inspects open file descriptors for sockets"
-
- strings:
- $ref = "socket:[" fullword
- $ref2 = /\/proc\/[%{$][\w\}]{0,12}\/fd/
-
- condition:
- all of them
-}
From e42fdf8cee696ec4e3f312f25ad9586a77ca8597 Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Mon, 16 Dec 2024 16:43:20 -0500 Subject: [PATCH 10/10] Update testdata --- tests/linux/2024.Gelsemium/libselinux.so.simple | 2 +- tests/linux/clean/busybox.simple | 4 ++-- tests/linux/clean/cpack.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/tests/linux/2024.Gelsemium/libselinux.so.simple b/tests/linux/2024.Gelsemium/libselinux.so.simple
index b2c8d26f..e8a77072 100644
--- a/tests/linux/2024.Gelsemium/libselinux.so.simple
+++ b/tests/linux/2024.Gelsemium/libselinux.so.simple
@@ -13,10 +13,10 @@ fs/file/delete: low
 fs/link_read: low
 fs/proc/arbitrary_pid: medium
 fs/proc/pid_cmdline: high
+fs/proc/pid_fd: high
 fs/proc/pid_stat: medium
 fs/tempfile: low
 malware/family/beurk: critical
 malware/family/gelsemium: critical
 os/fd/multiplex: low
 os/fd/print: low
-os/fd/socket: medium
diff --git a/tests/linux/clean/busybox.simple b/tests/linux/clean/busybox.simple
index 2308ffd5..36ad08b1 100644
--- a/tests/linux/clean/busybox.simple
+++ b/tests/linux/clean/busybox.simple
@@ -1,4 +1,4 @@
-# linux/clean/busybox: medium
+# linux/clean/busybox: high
 c2/addr/ip: medium
 c2/addr/url: low
 c2/tool_transfer/os: low
@@ -60,6 +60,7 @@ fs/permission/modify: medium
 fs/proc/arbitrary_pid: medium
 fs/proc/meminfo: medium
 fs/proc/mounts: medium
+fs/proc/pid_fd: high
 fs/proc/stat: medium
 fs/symlink_resolve: low
 fs/tempdir: low
@@ -87,7 +88,6 @@ net/socket/send: low
 net/tun_tap: medium
 net/url/embedded: low
 os/fd/print: low
-os/fd/socket: medium
 os/time/clock_set: low
 persist/daemon: medium
 privesc/setuid: low
diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md
index f1cfca48..fc838a67 100644
--- a/tests/linux/clean/cpack.md
+++ b/tests/linux/clean/cpack.md
@@ -31,7 +31,7 @@
 | MEDIUM | [fs/proc/arbitrary_pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/stat](https://github.com/search?q=%2Fproc%2F%25d%2Fstat&type=code) |
 | MEDIUM | [fs/proc/cpuinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/cpuinfo.yara#proc_cpuinfo) | get CPU info | [/proc/cpuinfo](https://github.com/search?q=%2Fproc%2Fcpuinfo&type=code) |
 | MEDIUM | [fs/proc/meminfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/meminfo.yara#proc_meminfo_val) | get memory info | [/proc/meminfo](https://github.com/search?q=%2Fproc%2Fmeminfo&type=code) |
-| MEDIUM | [fs/proc/pid_stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-stat.yara#proc_stat) | access status fields for other processes | [/proc/%d/stat](https://github.com/search?q=%2Fproc%2F%25d%2Fstat&type=code) |
+| MEDIUM | [fs/proc/pid_stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/pid-stat.yara#proc_pid_stat) | access status fields for other processes | [/proc/%d/stat](https://github.com/search?q=%2Fproc%2F%25d%2Fstat&type=code) |
 | MEDIUM | [fs/proc/self_exe](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/proc/self-exe.yara#proc_self_exe) | gets executable associated to this process | [/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code) |
 | MEDIUM | [impact/remote_access/crypto_listen_socks](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/crypto_listen_socks.yara#socks_crypto_listener) | listens, uses SOCKS5, and cryptography | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socks5](https://github.com/search?q=socks5&type=code) |
 | MEDIUM | [lateral/scan/tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/lateral/scan/scan_tool.yara#generic_scan_tool) | may scan networks | [%d.%d.%d.%d](https://github.com/search?q=%25d.%25d.%25d.%25d&type=code)
[Port](https://github.com/search?q=Port&type=code)
[Target](https://github.com/search?q=Target&type=code)
[connect](https://github.com/search?q=connect&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) |