userid-set.yara
// Flags binaries that reference the setuid(2) syscall / libc wrapper by name.
// Unlike the sibling rules in this file, it carries explicit exclusions for two
// known benign sources of the token (see $not_* below).
rule setuid {
meta:
syscall = "setuid"
description = "set real and effective user ID of current process"
pledge = "id"
capability = "CAP_SETUID"
ref = "https://man7.org/linux/man-pages/man2/setuid.2.html"
strings:
// fullword: "setuid" must be delimited by non-alphanumeric characters, so
// e.g. "setfsuid" does not match; an underscore still counts as a delimiter,
// which is why the Go symbol below needs its own exclusion.
$ref = "setuid" fullword
// NOTE(review): presumably the Go runtime's libc trampoline symbol — confirm.
$not_go = "_syscall.libc_setuid_trampoline"
// NOTE(review): presumably help/usage text from a file-listing tool — confirm.
$not_ls = "file that is setuid"
condition:
// Match only when the token is present and none of the benign markers are.
$ref and none of ($not*)
}
// Flags binaries that reference the seteuid(2) syscall / libc wrapper by name.
// No benign-source exclusions are defined for this token (contrast with rule setuid).
rule seteuid {
meta:
syscall = "seteuid"
description = "set effective user ID of current process"
pledge = "id"
ref = "https://man7.org/linux/man-pages/man2/seteuid.2.html"
capability = "CAP_SETUID"
strings:
// fullword: delimited by non-alphanumeric characters, so "setreuid" does not match.
$ref = "seteuid" fullword
condition:
// Only one string is defined, so this is equivalent to `$ref`.
any of them
}
// Flags binaries that reference the setreuid(2) syscall / libc wrapper by name.
// No benign-source exclusions are defined for this token (contrast with rule setuid).
rule setreuid {
meta:
syscall = "setreuid"
description = "set real and effective user ID of current process"
pledge = "id"
capability = "CAP_SETUID"
ref = "https://man7.org/linux/man-pages/man2/setreuid.2.html"
strings:
// fullword: delimited by non-alphanumeric characters, so "setresuid" does not match.
$ref = "setreuid" fullword
condition:
// Only one string is defined, so this is equivalent to `$ref`.
any of them
}
// Flags binaries that reference the setresuid(2) syscall / libc wrapper by name.
// No benign-source exclusions are defined for this token (contrast with rule setuid).
rule setresuid {
meta:
syscall = "setresuid"
description = "set real, effective, and saved user ID of process"
pledge = "id"
ref = "https://man7.org/linux/man-pages/man2/setresuid.2.html"
capability = "CAP_SETUID"
strings:
// fullword: delimited by non-alphanumeric characters.
$ref = "setresuid" fullword
condition:
// Only one string is defined, so this is equivalent to `$ref`.
any of them
}
// Flags binaries that reference the setfsuid(2) syscall / libc wrapper by name.
// No benign-source exclusions are defined for this token (contrast with rule setuid).
rule setfsuid {
meta:
syscall = "setfsuid"
description = "set user identity used for filesystem checks"
pledge = "id"
ref = "https://man7.org/linux/man-pages/man2/setfsuid.2.html"
capability = "CAP_SETUID"
strings:
// fullword: delimited by non-alphanumeric characters, so "setuid" inside
// another identifier is not what this rule matches on.
$ref = "setfsuid" fullword
condition:
// Only one string is defined, so this is equivalent to `$ref`.
any of them
}