diff --git a/Makefile b/Makefile
index 5353d7e35..35ce40971 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@
SAMPLES_REPO ?= chainguard-dev/malcontent-samples
-SAMPLES_COMMIT ?= f9198d7c1952b589a1de56515193c79c1b25b4bc
+SAMPLES_COMMIT ?= e5bfacbe59bd9b7889609bf24bd96ed2fb08c784
# BEGIN: lint-install ../malcontent
# http://github.com/tinkerbell/lint-install
diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
index 5254be250..abea67bbc 100644
--- a/pkg/action/testdata/scan_archive
+++ b/pkg/action/testdata/scan_archive
@@ -2429,7 +2429,7 @@
"RuleName": "linux_adjtimex"
},
{
- "Description": "supports crontab manipulation",
+ "Description": "lists crontab entries, may also persist",
"MatchStrings": [
"crontab"
],
@@ -2473,20 +2473,6 @@
"ID": "process/create",
"RuleName": "syscall_clone"
},
- {
- "Description": "sets a custom PATH",
- "MatchStrings": [
- "/bin:/usr/",
- "/sbin:/bin",
- "/usr/bin:/sbin",
- "PATH"
- ],
- "RiskScore": 1,
- "RiskLevel": "LOW",
- "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/executable_path.yara#custom_path",
- "ID": "process/executable_path",
- "RuleName": "custom_path"
- },
{
"Description": "creates a session and sets the process group ID",
"MatchStrings": [
diff --git a/rules/anti-behavior/LD_DEBUG.yara b/rules/anti-behavior/LD_DEBUG.yara
index 27bd79021..697dad395 100644
--- a/rules/anti-behavior/LD_DEBUG.yara
+++ b/rules/anti-behavior/LD_DEBUG.yara
@@ -1,6 +1,6 @@
rule env_LD_DEBUG: medium {
meta:
- description = "Checks if dynamic linker debugging is enabled"
+ description = "may check if dynamic linker debugging is enabled"
hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796"
hash_2024_Downloads_0ca7 = "0ca7e0eddd11dfaefe0a0721673427dd441e29cf98064dd0f7b295eae416fe1b"
hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151"
diff --git a/rules/anti-behavior/LD_PROFILE.yara b/rules/anti-behavior/LD_PROFILE.yara
index 20bcd9778..79cd6e2f7 100644
--- a/rules/anti-behavior/LD_PROFILE.yara
+++ b/rules/anti-behavior/LD_PROFILE.yara
@@ -1,6 +1,6 @@
rule env_LD_PROFILE: medium {
meta:
- description = "Checks if dynamic linker profiling is enabled"
+ description = "may check if dynamic linker profiling is enabled"
hash_2024_Downloads_036a = "036a2f04ab56b5e7098c7d866eb21307011b812f126793159be1c853a6a54796"
hash_2024_Downloads_0ca7 = "0ca7e0eddd11dfaefe0a0721673427dd441e29cf98064dd0f7b295eae416fe1b"
hash_2023_Downloads_311c = "311c93575efd4eeeb9c6674d0ab8de263b72a8fb060d04450daccc78ec095151"
diff --git a/rules/anti-behavior/anti-debugger.yara b/rules/anti-behavior/anti-debugger.yara
index e12caf5e9..450f61828 100644
--- a/rules/anti-behavior/anti-debugger.yara
+++ b/rules/anti-behavior/anti-debugger.yara
@@ -23,3 +23,26 @@ rule win_debugger_or_vm: medium windows {
condition:
filesize < 25MB and 2 of ($debug*) and any of ($cpu*)
}
+
+rule multiple_linux_methods: high linux {
+ meta:
+ description = "possible debugger detection across multiple methods"
+
+ strings:
+ $ld_profile = "LD_PROFILE" fullword
+ $ld_debug = "LD_DEBUG" fullword
+ $proc_exe = /\/proc\/.{0,5}\/exe/
+ $proc_status = /\/proc\/.{0,5}\/status/
+ $sys_kern = "/proc/sys/kernel/osrelease"
+ $sys_device = "/sys/devices/system/cpu"
+ $sys_cpuinfo = "/proc/cpuinfo"
+ $not_busybox = "BusyBox"
+ $not_rtld = "RTLD_NEXT"
+ $not_rtld2 = "HRTIMER_SOFTIRQ"
+ $not_snapd = "SNAPD" fullword
+ $not_ld_origin = "LD_ORIGIN_PATH"
+ $not_ld_mask = "LD_HWCAP_MASK"
+
+ condition:
+ filesize < 8MB and all of ($ld*) and any of ($proc*) and any of ($sys*) and none of ($not*)
+}
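Review bot: `$proc_exe = /\/proc\/.{0,5}\/exe/` on L85 also matches `/proc/self/exe`, which ordinary binaries read to locate themselves, so `any of ($proc*)` adds little discrimination and the `high` rating of `multiple_linux_methods` rests on `all of ($ld*)` plus the `$not_*` list. If `/proc/self/exe` is meant to count as a debugger check, a comment on L85 should say so; otherwise anchor the pattern to the pid form the rule is after (`/\/proc\/(%d|[0-9]{1,5})\/exe/`). The `$sys*` group on L87-L89 mixes `/proc/sys/kernel/osrelease` and `/proc/cpuinfo` with `/sys/devices/system/cpu`, so the prefix does not describe what the group tests; naming them by intent (`$hw_*`) would make the condition on L98 self-explanatory. Unlike the sibling rules in LD_DEBUG.yara and LD_PROFILE.yara, no `ref` or `hash_*` meta records which sample motivated this combination.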
diff --git a/rules/anti-static/elf/entropy.yara b/rules/anti-static/elf/entropy.yara
index e47b11a12..e52844171 100644
--- a/rules/anti-static/elf/entropy.yara
+++ b/rules/anti-static/elf/entropy.yara
@@ -28,3 +28,23 @@ rule normal_elf_high_entropy_7_4: high {
condition:
normal_elf and math.entropy(1, filesize) >= 7.4 and none of ($not*)
}
+
+rule normal_elf_high_entropy_footer_7_4: high {
+ meta:
+ description = "high entropy footer in ELF binary (>7.4)"
+
+ condition:
+ normal_elf and math.entropy(filesize - 8192, filesize) >= 7.4
+}
+
+rule normal_elf_high_entropy_footer_7_4_rc4: critical {
+ meta:
+ description = "high entropy footer in ELF binary (>7.4), likely RC4 encrypted"
+
+ strings:
+ $cmp_e_x_256 = { 81 f? 00 01 00 00 } // cmp {ebx, ecx, edx}, 256
+ $cmp_r_x_256 = { 48 81 f? 00 01 00 00 } // cmp {rbx, rcx, …}, 256
+
+ condition:
+ filesize < 25MB and normal_elf and math.entropy(filesize - 8192, filesize) >= 7.4 and any of them
+}
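Review bot: The comments on L122-L123 describe the patterns as `cmp {ebx, ecx, edx}, 256`, but `81 f?` covers ModRM f0-f7 as well as f8-ff, i.e. `xor r32, imm32` (81 /6) in addition to `cmp r32, imm32` (81 /7), and f8 is eax, so the patterns are broader than documented; either restrict the byte with an alternative, `{ 81 (f8|f9|fa|fb|fc|fd|fe|ff) 00 01 00 00 }`, or correct the comment to `// cmp/xor r32, 0x100 (81 /7 or /6, any of eax..edi)`, and likewise for the REX.W form on L123. Separately, `math.entropy(filesize - 8192, filesize)` on L114 and L126 passes `filesize` as the length argument; as far as I can tell the math module clamps the read at EOF so the result is the entropy of the last 8192 bytes, but `math.entropy(filesize - 8192, 8192)` states that intent directly and does not depend on the clamping. The 06ed158.md fixture further down (L916) shows the new footer description rendered under the old `normal_elf_high_entropy_7_4` anchor, which suggests two same-severity hits in one file are being merged in output; worth confirming that is the intended presentation.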
diff --git a/rules/data/builtin/glibc.yara b/rules/data/builtin/glibc.yara
new file mode 100644
index 000000000..a6c796189
--- /dev/null
+++ b/rules/data/builtin/glibc.yara
@@ -0,0 +1,14 @@
+import "elf"
+
+rule elf_with_bundled_glibc: medium {
+ meta:
+ description = "includes bundled copy of glibc"
+
+ strings:
+ $glibc_private = "GLIBC_PRIVATE"
+ $glibc_tunables = "GLIBC_TUNABLES"
+ $setup_vdso = "setup_vdso"
+
+ condition:
+ filesize > 1024 and filesize < 25MB and elf.type == elf.ET_EXEC and uint32(0) == 1179403647 and all of them
+}
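Review bot: `elf.type == elf.ET_EXEC` on L146 excludes ET_DYN, so a PIE or static-pie executable (and any shared object) that bundles glibc never matches; the same restriction appears in `_bundled_openssl`/`_bundled_glibc` in rules/data/builtin/multiple.yara and in the rewritten `openssl` rule in rules/data/builtin/openssl.yara, where it replaces a bare `uint32(0) == 1179403647` check that accepted any ELF. If only non-PIE static binaries are meant, a comment should say so; otherwise `(elf.type == elf.ET_EXEC or elf.type == elf.ET_DYN)` keeps the previous coverage. The strings and condition on L141-L146 are also a verbatim copy of `_bundled_glibc` in multiple.yara; if malcontent compiles all rule files into one namespace, `elf_with_bundled_glibc` could be `condition: _bundled_glibc` so the two cannot drift apart.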
diff --git a/rules/data/builtin/multiple.yara b/rules/data/builtin/multiple.yara
new file mode 100644
index 000000000..e76018435
--- /dev/null
+++ b/rules/data/builtin/multiple.yara
@@ -0,0 +1,36 @@
+import "elf"
+
+private rule _bundled_openssl: medium {
+ meta:
+ description = "includes bundled copy of OpenSSL"
+
+ strings:
+ $ref = "OpenSSL/"
+ $aes_part = "AES part of OpenSSL"
+ $montgomery = "Montgomery Multiplication for x86_64, CRYPTOGAMS"
+ $rc4 = "RC4 for x86_64, CRYPTOGAMS"
+
+ condition:
+ filesize > 1024 and filesize < 150MB and elf.type == elf.ET_EXEC and uint32(0) == 1179403647 and any of them
+}
+
+private rule _bundled_glibc: medium {
+ meta:
+ description = "includes bundled copy of glibc"
+
+ strings:
+ $glibc_private = "GLIBC_PRIVATE"
+ $glibc_tunables = "GLIBC_TUNABLES"
+ $setup_vdso = "setup_vdso"
+
+ condition:
+ filesize > 1024 and filesize < 25MB and elf.type == elf.ET_EXEC and uint32(0) == 1179403647 and all of them
+}
+
+rule elf_with_bundled_glibc_and_openssl: high {
+ meta:
+ description = "includes bundled copy of glibc and OpenSSL"
+
+ condition:
+ _bundled_openssl and _bundled_glibc
+}
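Review bot: `_bundled_openssl` uses `any of them` on L167, so the bare `$ref = "OpenSSL/"` (L161) — a fragment that also appears in version banners and User-Agent strings of binaries that merely link OpenSSL dynamically — satisfies it on its own, and together with `_bundled_glibc` that produces `elf_with_bundled_glibc_and_openssl: high` on L183. Requiring one of the build-artifact strings, e.g. `any of ($aes_part, $montgomery, $rc4)`, or `2 of them`, would make the `high` rating depend on evidence of bundled source rather than a reference to it. The two private rules also carry the `medium` tag on L156 and L170; since they are never reported themselves, a comment on `elf_with_bundled_glibc_and_openssl` explaining why the combination is rated above either part would be more useful.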
diff --git a/rules/data/builtin/openssl.yara b/rules/data/builtin/openssl.yara
index ea21f1756..12a9c77d7 100644
--- a/rules/data/builtin/openssl.yara
+++ b/rules/data/builtin/openssl.yara
@@ -1,26 +1,15 @@
-rule openssl: medium {
- meta:
- description = "This binary includes OpenSSL source code"
- hash_2023_Linux_Malware_Samples_00ae = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a"
- hash_2023_Linux_Malware_Samples_04b5 = "04b5e29283c60fcc255f8d2f289238430a10624e457f12f1bc866454110830a2"
- hash_2023_Linux_Malware_Samples_0ad6 = "0ad6c635d583de499148b1ec46d8b39ae2785303e8b81996d3e9e47934644e73"
-
- strings:
- $ref = "OpenSSL/"
+import "elf"
- condition:
- any of them
-}
-
-rule elf_with_bundled_openssl: high {
+rule openssl: medium {
meta:
- hash_2023_Unix_Malware_Bruteforce_4020 = "4020b018fcebf76672af2824636e7948131b313f723adef6cf41ad06bd2c6a6f"
- hash_2023_Linux_Malware_Samples_24ee = "24ee0e3d65b0593198fbe973a58ca54402b0879d71912f44f4b831003a5c7819"
- hash_2023_Linux_Malware_Samples_2f85 = "2f85ca8f89dfb014b03afb11e5d2198a8adbae1da0fd76c81c67a81a80bf1965"
+ description = "includes bundled copy of OpenSSL"
strings:
- $aes_part = "AES part of OpenSSL"
+ $ref = "OpenSSL/"
+ $aes_part = "AES part of OpenSSL"
+ $montgomery = "Montgomery Multiplication for x86_64, CRYPTOGAMS"
+ $rc4 = "RC4 for x86_64, CRYPTOGAMS"
condition:
- uint32(0) == 1179403647 and $aes_part
+ filesize > 1024 and filesize < 150MB and elf.type == elf.ET_EXEC and uint32(0) == 1179403647 and any of them
}
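Review bot: The rewrite drops six sample hashes from the meta (L198-L200 and L212-L214) and removes `elf_with_bundled_openssl: high`, so the `AES part of OpenSSL` indicator (old L217/L223) now yields only `openssl: medium`; the `high` rating survives solely through `elf_with_bundled_glibc_and_openssl` in rules/data/builtin/multiple.yara, which additionally requires bundled glibc. If that downgrade is intended, the commit message should say so, and the hashes could be carried over to the surviving rule, e.g. `hash_2023_Linux_Malware_Samples_24ee = "24ee0e3d65b0593198fbe973a58ca54402b0879d71912f44f4b831003a5c7819"`, since sibling rules in this tree use `hash_*` meta to tie a rule to the samples that justify it. The new description on L215 reads well; a one-line comment above L218 noting that `$ref` is a weak indicator kept for recall would document the `any of them` choice.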
diff --git a/rules/discover/network/interface-list.yara b/rules/discover/network/interface-list.yara
index 6ac03a98f..c663d5101 100644
--- a/rules/discover/network/interface-list.yara
+++ b/rules/discover/network/interface-list.yara
@@ -15,3 +15,20 @@ rule bsd_ifaddrs: medium {
condition:
any of them
}
+
+rule getifaddrs_avoid_debug: high {
+ meta:
+ description = "list network interfaces, avoids debugging"
+
+ strings:
+ $getifaddrs = "getifaddrs" fullword
+ $gethostbyname = "gethostbyname"
+ $LD_DEBUG = "LD_DEBUG"
+ $LD_PROFILE = "LD_PROFILE"
+ $not_busybox = "BusyBox" fullword
+ $not_snapd = "SNAPD" fullword
+ $not_rtld = "RTLD_NEXT"
+
+ condition:
+ filesize < 10MB and all of ($get*) and all of ($LD*) and none of ($not*)
+}
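Review bot: `$LD_DEBUG` and `$LD_PROFILE` on L242-L243 have no `fullword`, and the `high` rating of `getifaddrs_avoid_debug` rests entirely on the `$not_*` list to keep out binaries that embed those names for other reasons; elsewhere in this commit the gas.simple and rkload.simple fixtures list `anti-behavior/LD_DEBUG` and `anti-behavior/LD_PROFILE` alongside the new `data/builtin/glibc` hit, which suggests a statically linked glibc carries both strings, so a static binary that merely calls `getifaddrs` and `gethostbyname` looks exactly like this rule's target. Adding `fullword` to the two `$LD*` strings and a comment stating that `$not_busybox`/`$not_snapd`/`$not_rtld` are the static-glibc guard would at least make the assumption explicit; an `elf`-module check on dynamic linking would be a stronger discriminator. `$gethostbyname` without `fullword` also matches `gethostbyname_r` and `gethostbyname2`, which is fine if intended but worth a comment.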
diff --git a/rules/discover/processes/list.yara b/rules/discover/processes/list.yara
index 68494d944..0537599c6 100644
--- a/rules/discover/processes/list.yara
+++ b/rules/discover/processes/list.yara
@@ -11,6 +11,17 @@ rule proc_listallpids: medium {
any of them
}
+rule ps_exec_pipe: critical {
+ meta:
+ description = "gets list of processes, isolating username, pid, ppid, cmdline"
+
+ strings:
+ $ps_ef = /ps -ef {0,2}\| {0,2}awk.{1,16}\$1.{1,5}\$2.{1,4}\$3.{1,4}\$8/
+
+ condition:
+ filesize < 25MB and any of them
+}
+
rule ps_exec: medium {
meta:
pledge = "exec"
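Review bot: `ps_exec_pipe` is rated `critical` on L258 for a single regex (L263) matching `ps -ef | awk '{print $1,$2,$3,$8}'`-style pipelines, which are ordinary in administration and monitoring scripts; nothing else in the condition on L266 ties it to malicious behaviour, so on a benign script it would outrank every other rule in this commit. Either a `high` rating or a second required indicator seems more in proportion, and since the pskt.simple fixture (L850) shows this rule firing on a Melofee sample, a `ref` meta pointing at the write-up would record why it exists. Unlike the sibling `ps_exec` (L269-L275, which carries `pledge` and `hash_*` meta), the new rule has no such provenance; `ps_exec` continues past the end of this hunk.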
@@ -18,9 +29,10 @@ rule ps_exec: medium {
hash_2018_org_logind_ctp_archive = "02e4d0e23391bbbb75c47f5db44d119176803da74b1c170250e848de51632ae9"
hash_2022_Gimmick_CorelDRAW = "2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f"
hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3"
+ description = "executes ps(1) for a list of processes"
strings:
- $ps_ef = "ps -ef |"
+ $ps_ef = "ps -ef"
$ps__ax = "ps -ax"
$ps_ax = "ps ax"
$hash_bang = "#!"
diff --git a/rules/discover/system/dev_full.yara b/rules/discover/system/dev_full.yara
index ee88bdd61..14770c8c7 100644
--- a/rules/discover/system/dev_full.yara
+++ b/rules/discover/system/dev_full.yara
@@ -1,4 +1,4 @@
-rule dev_full: low linux {
+rule dev_full: harmless linux {
meta:
description = "tests full disk behavior"
diff --git a/rules/evasion/file/location/x11-unix.yara b/rules/evasion/file/location/x11-unix.yara
index 9145dc33a..bf2697fe7 100644
--- a/rules/evasion/file/location/x11-unix.yara
+++ b/rules/evasion/file/location/x11-unix.yara
@@ -4,7 +4,7 @@ rule hidden_x11: high {
ref = "https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/"
strings:
- $x11 = /\/tmp\/\.X11-unix.{1,16}/
+ $x11 = /\/tmp\/\.X11-unix\/[\.\w\%\$\{\}\/\-]{1,16}/
condition:
filesize < 10MB and all of them
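Review bot: The tightened regex on L300 still accepts the legitimate X socket names: `/tmp/.X11-unix/X0` and the libX11 format `/tmp/.X11-unix/X%d` both fall within `[\.\w\%\$\{\}\/\-]{1,16}`, so any X client that builds the display socket path keeps triggering `hidden_x11: high`. If the intent (per the FontOnLake reference on L297) is files dropped under that directory rather than the socket itself, adding `$not_display = /\/tmp\/\.X11-unix\/X[0-9%]/` and changing the condition to `filesize < 10MB and #x11 > #not_display` would discount the display form while still matching a binary that also references something else there. The rule's meta begins before this hunk.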
diff --git a/rules/evasion/mimicry/fake-process.yara b/rules/evasion/mimicry/fake-process.yara
index cf0b772bf..99d2e3469 100644
--- a/rules/evasion/mimicry/fake-process.yara
+++ b/rules/evasion/mimicry/fake-process.yara
@@ -64,7 +64,7 @@ rule known_fake_process_names: high {
strings:
$e_kdevchecker = "kdevchecker" fullword
- $e_kworkerr = "kworkerr" fullword
+ $e_kworkerr = /kworker[a-z]/ fullword
$e_ksoftriqd = "ksoftriqd" fullword
$e_kdevtmpfsi = "kdevtmpfsi" fullword
$e_kthreaddk = "kthreaddk" fullword
@@ -79,7 +79,7 @@ rule multiple_known_fake_process_names: critical {
strings:
$kdevchecker = "kdevchecker" fullword
- $kworkerr = "kworkerr" fullword
+ $e_kworkerr = /kworker[a-z]/ fullword
$ksoftriqd = "ksoftriqd" fullword
$kdevtmpfsi = "kdevtmpfsi" fullword
$kthreaddk = "kthreaddk" fullword
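Review bot: L319 renames `$kworkerr` to `$e_kworkerr` inside `multiple_known_fake_process_names`, whose other strings (`$kdevchecker`, `$ksoftriqd`, `$kdevtmpfsi`, `$kthreaddk` on L317 and L320-L322) carry no `$e_` prefix; that prefix belongs to `known_fake_process_names` (L309-L314), where the parallel change on L311 is consistent. The rule's condition is outside the hunk, so I cannot tell whether it is `N of them` (unaffected) or a prefix set such as `$k*` (in which case this string silently leaves the set); either way the line should read `$kworkerr = /kworker[a-z]/ fullword`. A short comment that `[a-z]` is there to catch single-letter variants of the real `kworker` name would help the next reader understand why a literal was replaced by a regex.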
diff --git a/rules/fs/path/var-profile.yara b/rules/fs/path/var-profile.yara
index de629c005..0ca458058 100644
--- a/rules/fs/path/var-profile.yara
+++ b/rules/fs/path/var-profile.yara
@@ -1,6 +1,6 @@
rule var_profile: medium {
meta:
- description = "references '/var/profile', found on routers or embedded systems"
+ description = "references '/var/profile', the default target of LD_PROFILE_OUTPUT"
strings:
$ref = "/var/profile" fullword
diff --git a/rules/impact/remote_access/backdoor.yara b/rules/impact/remote_access/backdoor.yara
index 513495015..bfd455f2c 100644
--- a/rules/impact/remote_access/backdoor.yara
+++ b/rules/impact/remote_access/backdoor.yara
@@ -85,3 +85,16 @@ rule backdoor_leet: critical {
condition:
filesize < 100MB and any of them and not wordlist
}
+
+rule commands: high {
+ meta:
+ description = "may accept backdoor commands"
+
+ strings:
+ $hide = "hide ok" fullword
+ $show = "show ok" fullword
+ $kill = "kill ok" fullword
+
+ condition:
+ all of them
+}
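Review bot: The rule on L343 is named `commands`, an identifier generic enough to collide if malcontent compiles rule files into a shared namespace, and its strings (`hide ok`, `show ok`, `kill ok`) are the same Melofee responses that `melofee_2024` in rules/malware/family/melofee.yara matches on L432-L433. A name that says what it matches, e.g. `rule hide_show_kill_ok: high`, plus a `ref` meta citing the write-up already referenced on L428, would record that origin. The condition on L353 has no `filesize` bound, unlike the sibling `backdoor_leet` on L340 (`filesize < 100MB`); `filesize < 100MB and all of them` would keep the file's convention.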
diff --git a/rules/impact/rootkit/rootkit.yara b/rules/impact/rootkit/rootkit.yara
index 0c029eb19..9a31b41f7 100644
--- a/rules/impact/rootkit/rootkit.yara
+++ b/rules/impact/rootkit/rootkit.yara
@@ -8,11 +8,45 @@ rule linux_kernel_module_getdents64: critical linux {
filetypes = "elf,so"
strings:
- $getdents64 = "getdents64"
$register_kprobe = "register_kprobe"
+ $f_getdents64 = "getdents64"
+ $f_filldir64 = "filldir64"
condition:
- filesize < 1MB and all of them
+ filesize < 1MB and $register_kprobe and any of ($f*)
+}
+
+rule linux_kernel_module_hider: critical linux {
+ meta:
+ description = "kernel module that hides files and open ports"
+ ref = "https://github.com/m0nad/Diamorphine"
+ hash_2022_LQvKibDTq4_diamorphine = "aec68cfa75b582616c8fbce22eecf463ddb0c09b692a1b82a8de23fb0203fede"
+ hash_2023_LQvKibDTq4_diamorphine = "e93e524797907d57cb37effc8ebe14e6968f6bca899600561971e39dfd49831d"
+ hash_2023_LQvKibDTq4_diamorphine = "d83f43f47c1438d900143891e7a542d1d24f9adcbd649b7698d8ee7585068039"
+ filetypes = "elf,so"
+
+ strings:
+ $register_kprobe = "register_kprobe"
+ $f_getdents64 = "getdents64"
+ $f_filldir64 = "filldir64"
+ $n_tcp4_seq_show = "tcp4_seq_show"
+
+ condition:
+ filesize < 1MB and $register_kprobe and any of ($f*) and any of ($n*)
+}
+
+rule linux_kernel_module_hide_self: critical linux {
+ meta:
+ description = "kernel module that hides itself"
+ filetypes = "elf,so"
+
+ strings:
+ $register_kprobe = "register_kprobe"
+ $hide_self = "hide_self"
+ $hide_module = "hide_module"
+
+ condition:
+ filesize < 1MB and $register_kprobe and any of ($hide*)
}
rule funky_high_signal_killer: high {
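Review bot: L376 and L377 both use the meta key `hash_2023_LQvKibDTq4_diamorphine` for two different hashes; YARA accepts duplicate meta identifiers, but tooling that reads meta into a map keeps only one of them, so the second should get a distinct key such as `hash_2023_LQvKibDTq4_diamorphine_d83f`, following the tree's habit of suffixing with the hash prefix. `linux_kernel_module_hider` (L387) is a strict superset of the relaxed `linux_kernel_module_getdents64` condition on L368, so every hider hit also reports the older rule at `critical`; if one finding is preferred, the narrower rule could add `and not linux_kernel_module_hider`. `$hide_self` and `$hide_module` on L397-L398 lack `fullword`, so e.g. `unhide_module` (constructed) would also count; adding `fullword` keeps that rule to the Diamorphine-style symbol names cited in the `ref` on L374.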
diff --git a/rules/malware/family/melofee.yara b/rules/malware/family/melofee.yara
new file mode 100644
index 000000000..e23ca80dc
--- /dev/null
+++ b/rules/malware/family/melofee.yara
@@ -0,0 +1,28 @@
+rule melofee_2023: critical linux {
+ meta:
+ description = "Melofee rootkit (2023)"
+ ref = "https://blog.exatrack.com/melofee/"
+
+ strings:
+ $loader = "/etc/intel_audio/audio | xargs kill"
+ $failed = "create rootkit file failed"
+ $insmod = "/sbin/insmod /etc/intel_audio/intel_audio.ko"
+ $lock = "/var/lock/%s.lock"
+
+ condition:
+ filesize < 5MB and uint32(0) == 1179403647 and 2 of them
+}
+
+rule melofee_2024: critical linux {
+ meta:
+ description = "Melofee rootkit (2024)"
+ ref = "https://blog.xlab.qianxin.com/analysis_of_new_melofee_variant_en/"
+
+ strings:
+ $sodl = "/var/run/nscd/sodl-close.c"
+ $hide_ok = "hide ok"
+ $show_ok = "show ok"
+
+ condition:
+ filesize < 7MB and uint32(0) == 1179403647 and all of them
+}
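Review bot: `melofee_2023` on L422 needs only `2 of them`, and `$lock = "/var/lock/%s.lock"` (L419) is a generic lock-file format, so one generic string plus any one of the three specific ones reaches `critical`; requiring a rootkit-specific string explicitly — `filesize < 5MB and uint32(0) == 1179403647 and ($loader or $failed or $insmod) and 2 of them` — keeps the rating tied to the evidence. The fixtures added in this commit (tests/linux/2024.melofee/2023.758b0934b7.elf.simple and 2023.8d855c2874.elf.simple) identify the samples, but neither rule carries the `hash_YYYY_*` meta that sibling rules use (compare L375-L377); `hash_2023_melofee_758b = "<full sha256 of 2023.758b0934b7.elf>"` would follow that convention. The ELF-magic and `linux` tag are applied consistently to both rules.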
diff --git a/rules/net/tcp/ssh.yara b/rules/net/tcp/ssh.yara
index 817f56003..137f1ed1c 100644
--- a/rules/net/tcp/ssh.yara
+++ b/rules/net/tcp/ssh.yara
@@ -1,6 +1,6 @@
rule ssh: medium {
meta:
- description = "Uses SSH (secure shell) service"
+ description = "Supports SSH (secure shell)"
hash_2024_2022_Conti_8b57e96_elf = "8b57e96e90cd95fc2ba421204b482005fe41c28f506730b6148bcef8316a3201"
hash_2024_2022_Conti_bb64b27 = "bb64b27bff106d30a7b74b3589cc081c345a2b485a831d7e8c8837af3f238e1e"
hash_1985_deploy = "8729e61daf18a196f7571fa097be32dd7b4dbcc3e3794be1102aa2ad91f4cbe0"
@@ -8,6 +8,7 @@ rule ssh: medium {
strings:
$ = "SSH" fullword
$ = "ssh_packet" fullword
+ $ = "secureShellClient"
condition:
any of them
diff --git a/rules/persist/cron/tab.yara b/rules/persist/cron/tab.yara
index c3720fe5c..58179be8a 100644
--- a/rules/persist/cron/tab.yara
+++ b/rules/persist/cron/tab.yara
@@ -9,6 +9,17 @@ rule crontab_support: medium {
any of them
}
+rule crontab_list: medium {
+ meta:
+ description = "lists crontab entries, may also persist"
+
+ strings:
+ $crontab = "crontab" fullword
+
+ condition:
+ any of them
+}
+
rule crontab_writer: medium {
meta:
description = "May use crontab to persist"
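Review bot: `crontab_list` on L464-L473 fires on the bare `fullword` `crontab` with `any of them`, which appears to be the same match the `crontab_support` rule directly above it makes (only its condition is visible on L461-L463); the scan_archive fixture change on L19-L20 replaces `supports crontab manipulation` with this rule's description, which suggests the two rules now compete for one string and the reported description depends on rule order. If `crontab_list` is meant to replace `crontab_support`, the old rule should be removed; if both are meant to coexist, a comment should state how their matches differ. The next hunk (L478-L486) also drops three sample hashes from `echo_crontab` in favour of a description; keeping both preserves the sample linkage used elsewhere in the tree. `crontab_writer` (L475) continues beyond this hunk.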
@@ -86,9 +97,7 @@ rule hidden_crontab: critical {
rule echo_crontab: high {
meta:
- hash_2020_Enigma = "6b2ff7ae79caf306c381a55409c6b969c04b20c8fda25e6d590e0dadfcf452de"
- hash_2024_Chaos_1d36 = "1d36f4bebd21a01c12fde522defee4c6b4d3d574c825ecc20a2b7a8baa122819"
- hash_2024_Chaos_1fc4 = "1fc412b47b736f8405992e3744690b58ec4d611c550a1b4f92f08dfdad5f7a30"
+ description = "persists via crontab entry (echo)"
strings:
$echo = /echo.{0,10}\* \* \* \*.{0,24}cron[\w\/ \-]{0,16}/
@@ -96,3 +105,15 @@ rule echo_crontab: high {
condition:
$echo
}
+
+rule c_string_crontab: high {
+ meta:
+ description = "persists via crontab entry (C formatted string)"
+
+ strings:
+ $c_string = /\*[\/0-9]{0,3}\s{1,4}\*\s{1,4}\*\s{1,4}\*\s{1,4}\*\s.{0,4}\%s[\"\w\-]{0,8}/
+ $crontab = "crontab"
+
+ condition:
+ all of them
+}
diff --git a/rules/process/executable_path.yara b/rules/process/executable_path.yara
index 85f86644d..d94d2495a 100644
--- a/rules/process/executable_path.yara
+++ b/rules/process/executable_path.yara
@@ -15,11 +15,11 @@ rule custom_path: low {
strings:
$path = "PATH"
- $ref = "/sbin:/bin"
- $ref2 = "/bin:/usr/"
- $ref3 = "/usr/bin:/sbin"
- $ref4 = "/bin:/sbin"
+ $ref1 = /[\/\w:\-]{0,64}\/sbin:\/bin[\/\w:\-]{0,64}/ fullword
+ $ref2 = /[\/\w:\-]{0,64}\/bin:\/usr[\/\w:\-]{0,64}/ fullword
+ $ref3 = /[\/\w:\-]{0,64}\/usr\/bin:\/sbin[\/\w:\-]{0,64}/ fullword
+ $ref4 = /[\/\w:\-]{0,64}\/bin:\/sbin[\/\w:\-]{0,64}/ fullword
condition:
- $path and any of ($ref*)
+ filesize < 20MB and $path and any of ($ref*)
}
diff --git a/rules/sus/ancient_gcc.yara b/rules/sus/compiler.yara
similarity index 62%
rename from rules/sus/ancient_gcc.yara
rename to rules/sus/compiler.yara
index 664e8a059..84357cb31 100644
--- a/rules/sus/ancient_gcc.yara
+++ b/rules/sus/compiler.yara
@@ -28,3 +28,22 @@ rule small_opaque_archaic_gcc: high linux {
condition:
filesize < 30KB and $gcc_v4 and $fork in (1000..3000) and none of ($not*) and #word_with_spaces < 15
}
+
+private rule binary {
+ condition:
+ // matches ELF or machO binary
+ filesize < 40MB and (uint32(0) == 1179403647 or uint32(0) == 4277009102 or uint32(0) == 3472551422 or uint32(0) == 4277009103 or uint32(0) == 3489328638 or uint32(0) == 3405691582 or uint32(0) == 3199925962)
+}
+
+rule multiple_gcc: high {
+ meta:
+ description = "built with multiple versions of GCC"
+
+ strings:
+ $gcc = /GCC: \([\w \.\-\~\(\)]{8,64}/ fullword
+ $not_go_testdata_ranges_elf = "/home/iant/foo4.c"
+ $not_go_testdata = "dwarf/testdata"
+
+ condition:
+ binary and #gcc > 1 and !gcc[1] != !gcc[2] and none of ($not*)
+}
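Review bot: The condition on L550 treats two `GCC: (` matches of different length as evidence of two compiler versions, so distinct versions of equal length — `GCC: (GNU) 4.8.5` versus `GCC: (GNU) 7.3.1` (constructed) — are missed, while the same version recorded once with and once without a trailing date string counts as two; YARA cannot compare match contents, so this is a heuristic and deserves a comment such as `// match-length inequality is a proxy for "different version"; same-length versions are not detected`. The private rule on L534 is named `binary`, generic enough to collide if another file in a shared namespace defines one; `elf_or_macho` would also make `binary and #gcc > 1` read as what it checks. The magic numbers on L537 could be written in hex (`0x7f454c46`, `0xfeedface`, ...) so the comment on L536 can be verified at a glance.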
diff --git a/rules/sus/exclamation.yara b/rules/sus/exclamation.yara
index c7168cac3..83694c401 100644
--- a/rules/sus/exclamation.yara
+++ b/rules/sus/exclamation.yara
@@ -8,6 +8,8 @@ rule exclamations: medium {
strings:
$exclaim = /[\w ]{2,32} [\w ]{2,32}\!{2,16}/
+ $not_bug = "DYNAMIC LINKER BUG!!!"
+
condition:
- any of them
+ $exclaim and none of ($not*)
}
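Review bot: The new condition on L563, `$exclaim and none of ($not*)`, lets a single glibc string veto the rule for the whole file, so any binary that bundles glibc — which this commit's fixtures show happening (gas.simple and rkload.simple lose `sus/exclamation` as they gain `data/builtin/glibc`) — becomes invisible to it even when it carries its own `!!!` strings. `DYNAMIC LINKER BUG!!!` itself matches `$exclaim`, so counting instead of vetoing keeps the rule live: `$exclaim and #exclaim > #not_bug`. A comment on L559 naming the origin of the excluded string (`// emitted by glibc's dynamic linker (ld.so)`) would explain the exclusion to the next reader.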
diff --git a/tests/linux/2019.ChinaZ/yk.simple b/tests/linux/2019.ChinaZ/yk.simple
index 34d8bba35..a549e6607 100644
--- a/tests/linux/2019.ChinaZ/yk.simple
+++ b/tests/linux/2019.ChinaZ/yk.simple
@@ -5,7 +5,6 @@ anti-static/obfuscation/js: medium
c2/addr/server: medium
crypto/rc4: low
discover/network/interface_list: medium
-discover/system/dev_full: low
discover/system/proc: high
evasion/hijack_execution/LD_LIBRARY_PATH: low
evasion/logging/dev_log: medium
@@ -32,5 +31,4 @@ net/socket/receive: low
net/socket/send: low
net/url/embedded: low
persist/sysv: high
-sus/ancient_gcc: medium
-sus/exclamation: medium
+sus/compiler: medium
diff --git a/tests/linux/2021.FontOnLake/45E9.elf.simple b/tests/linux/2021.FontOnLake/45E9.elf.simple
index 03d6be089..5b6163ee5 100644
--- a/tests/linux/2021.FontOnLake/45E9.elf.simple
+++ b/tests/linux/2021.FontOnLake/45E9.elf.simple
@@ -95,4 +95,4 @@ process/groups_set: low
process/name_set: medium
process/userid_set: low
process/username_set: medium
-sus/ancient_gcc: medium
+sus/compiler: medium
diff --git a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple
index 7f4cfd118..b2fa02494 100644
--- a/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple
+++ b/tests/linux/2022.Symbiote/kerneldev.so.bkp.simple
@@ -25,4 +25,4 @@ net/ip/byte_order: medium
net/ip/parse: medium
net/socket/receive: low
net/socket/send: low
-sus/ancient_gcc: medium
+sus/compiler: medium
diff --git a/tests/linux/2022.bpfdoor/bpfdoor_1.simple b/tests/linux/2022.bpfdoor/bpfdoor_1.simple
index a52e13a44..f812f57d7 100644
--- a/tests/linux/2022.bpfdoor/bpfdoor_1.simple
+++ b/tests/linux/2022.bpfdoor/bpfdoor_1.simple
@@ -23,4 +23,4 @@ os/fd/multiplex: low
persist/daemon: medium
process/chroot: low
process/create: low
-sus/ancient_gcc: high
+sus/compiler: high
diff --git a/tests/linux/2023.Gafgyt/5636cddb43.elf.x86.simple b/tests/linux/2023.Gafgyt/5636cddb43.elf.x86.simple
index 1b3eef0cb..fe1ce743a 100644
--- a/tests/linux/2023.Gafgyt/5636cddb43.elf.x86.simple
+++ b/tests/linux/2023.Gafgyt/5636cddb43.elf.x86.simple
@@ -27,4 +27,4 @@ net/socket/local_addr: low
net/socket/raw: medium
net/socket/receive: low
net/socket/send: low
-sus/ancient_gcc: medium
+sus/compiler: medium
diff --git a/tests/linux/2024.Beast/wyoming-xray-undress-robert.simple b/tests/linux/2024.Beast/wyoming-xray-undress-robert.simple
index 77a248d51..885244d4a 100644
--- a/tests/linux/2024.Beast/wyoming-xray-undress-robert.simple
+++ b/tests/linux/2024.Beast/wyoming-xray-undress-robert.simple
@@ -1,4 +1,5 @@
# linux/2024.Beast/wyoming-xray-undress-robert: critical
+anti-static/elf/entropy: high
fs/path/dev: medium
fs/path/tmp: medium
impact/ransom/linux: high
diff --git a/tests/linux/2024.Mirai/ppc.simple b/tests/linux/2024.Mirai/ppc.simple
index 63989f0ad..5298a70e7 100644
--- a/tests/linux/2024.Mirai/ppc.simple
+++ b/tests/linux/2024.Mirai/ppc.simple
@@ -12,4 +12,4 @@ net/socket/receive: low
net/socket/send: low
process/create: low
process/name_set: medium
-sus/ancient_gcc: medium
+sus/compiler: medium
diff --git a/tests/linux/2024.fog/5a99a15406c218fd6862f90ed3534fb8f0a888bb0c5a09192eae01d595f05bc5.elf.simple b/tests/linux/2024.fog/5a99a15406c218fd6862f90ed3534fb8f0a888bb0c5a09192eae01d595f05bc5.elf.simple
index 55ca8d698..3dd256784 100644
--- a/tests/linux/2024.fog/5a99a15406c218fd6862f90ed3534fb8f0a888bb0c5a09192eae01d595f05bc5.elf.simple
+++ b/tests/linux/2024.fog/5a99a15406c218fd6862f90ed3534fb8f0a888bb0c5a09192eae01d595f05bc5.elf.simple
@@ -14,4 +14,4 @@ lateral/vmware/vms: medium
net/p2p/tor: high
persist/daemon: medium
process/multithreaded: low
-sus/ancient_gcc: medium
+sus/compiler: medium
diff --git a/tests/linux/2024.gas/gas.simple b/tests/linux/2024.gas/gas.simple
index 4e9ee323b..ac4d25278 100644
--- a/tests/linux/2024.gas/gas.simple
+++ b/tests/linux/2024.gas/gas.simple
@@ -2,8 +2,8 @@
anti-behavior/LD_DEBUG: medium
anti-behavior/LD_PROFILE: medium
crypto/rc4: low
+data/builtin/glibc: medium
discover/system/cpu: low
-discover/system/dev_full: low
discover/system/platform: low
discover/system/sysinfo: medium
evasion/hijack_execution/LD_LIBRARY_PATH: low
@@ -33,4 +33,3 @@ net/url/embedded: low
process/create: low
process/executable_path: low
process/name_set: medium
-sus/exclamation: medium
diff --git a/tests/linux/2024.httpd_killer/c1248351b7474443e53a14be4901136077738798d34a93040cffdc6daef31586.elf.simple b/tests/linux/2024.httpd_killer/c1248351b7474443e53a14be4901136077738798d34a93040cffdc6daef31586.elf.simple
index e05bafd9b..fa55579d0 100644
--- a/tests/linux/2024.httpd_killer/c1248351b7474443e53a14be4901136077738798d34a93040cffdc6daef31586.elf.simple
+++ b/tests/linux/2024.httpd_killer/c1248351b7474443e53a14be4901136077738798d34a93040cffdc6daef31586.elf.simple
@@ -4,4 +4,4 @@ exec/shell/command: medium
exec/shell/exec: medium
impact/degrade/httpd: high
process/terminate/kill_multiple: medium
-sus/ancient_gcc: medium
+sus/compiler: medium
diff --git a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
index f7983ea6d..e51f1a335 100644
--- a/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
+++ b/tests/linux/2024.kworker_pretenders/emp3r0r.agent.simple
@@ -4,6 +4,7 @@
3P/threat_hunting/maccaronic2: medium
3P/threat_hunting/tor: medium
anti-behavior/vm_check: medium
+anti-static/elf/entropy: high
c2/addr/http_dynamic: medium
c2/addr/ip: medium
c2/discovery/ip_dns_resolver: medium
diff --git a/tests/linux/2024.medusa/rkload.simple b/tests/linux/2024.medusa/rkload.simple
index 848ed49c6..9e5bd337f 100644
--- a/tests/linux/2024.medusa/rkload.simple
+++ b/tests/linux/2024.medusa/rkload.simple
@@ -5,8 +5,8 @@ anti-behavior/LD_PROFILE: medium
anti-static/xor/commands: high
credential/ssh/d: medium
crypto/rc4: low
+data/builtin/glibc: medium
discover/system/cpu: low
-discover/system/dev_full: low
discover/system/sysinfo: medium
evasion/file/location/dev_shm: high
evasion/file/location/lib: high
@@ -50,4 +50,3 @@ process/executable_path: low
process/groupid_set: low
process/name_set: medium
process/userid_set: low
-sus/exclamation: medium
diff --git a/tests/linux/2024.melofee/2023.758b0934b7.elf.simple b/tests/linux/2024.melofee/2023.758b0934b7.elf.simple
new file mode 100644
index 000000000..e39c82293
--- /dev/null
+++ b/tests/linux/2024.melofee/2023.758b0934b7.elf.simple
@@ -0,0 +1,17 @@
+# linux/2024.melofee/2023.758b0934b7.elf: critical
+discover/processes/list: medium
+evasion/rootkit/refs: high
+exec/program: medium
+exec/shell/command: medium
+exec/shell/exec: medium
+fs/directory/create: low
+fs/file/delete: low
+fs/file/delete_forcibly: medium
+fs/link_read: low
+fs/path/etc: low
+malware/family/melofee: critical
+persist/daemon: medium
+persist/kernel_module/insert: medium
+process/create: low
+process/terminate/kill_multiple: medium
+sus/compiler: high
diff --git a/tests/linux/2024.melofee/2023.8d855c2874.elf.simple b/tests/linux/2024.melofee/2023.8d855c2874.elf.simple
new file mode 100644
index 000000000..866e1e31a
--- /dev/null
+++ b/tests/linux/2024.melofee/2023.8d855c2874.elf.simple
@@ -0,0 +1,64 @@
+# linux/2024.melofee/2023.8d855c2874.elf: critical
+c2/addr/ip: medium
+credential/password: low
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/ed25519: low
+crypto/gost89: low
+crypto/rc4: low
+data/base64/decode: medium
+data/builtin/openssl: medium
+data/encoding/base64: low
+data/hash/blake2b: low
+data/hash/md5: low
+data/hash/sha1: low
+data/hash/sha256: low
+data/random/insecure: low
+discover/process/parent: low
+discover/system/hostname: low
+discover/system/platform: low
+exec/dylib/address_check: low
+exec/dylib/symbol_address: medium
+exec/program: medium
+exec/program/background: low
+exec/shell/TERM: low
+exec/shell/arbitrary_command_dev_null: medium
+exec/shell/exec: medium
+exec/shell/ignore_output: medium
+exec/tty/open: medium
+exec/tty/pathname: medium
+exfil/collection: medium
+fs/directory/create: low
+fs/file/delete: low
+fs/file/delete_forcibly: medium
+fs/link_read: low
+fs/lock_update: low
+fs/path/etc: low
+fs/path/home: medium
+fs/path/var: low
+fs/permission/modify: medium
+fs/proc/arbitrary_pid: medium
+fs/proc/cpuinfo: medium
+fs/proc/pid_status: medium
+fs/proc/self_exe: medium
+impact/remote_access/heartbeat: medium
+lateral/scan/tool: medium
+malware/family/melofee: critical
+net/http/post: medium
+net/http/request: low
+net/ip/addr: medium
+net/ip/parse: medium
+net/ip/string: medium
+net/proxy/tunnel: medium
+net/resolve/hostname: low
+net/resolve/hostport_parse: low
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/peer_address: low
+net/socket/receive: low
+net/socket/send: low
+net/tcp/ssh: medium
+persist/daemon: medium
+persist/kernel_module/insert: high
+process/multithreaded: low
+sus/compiler: medium
diff --git a/tests/linux/2024.melofee/driver_decrypted.simple b/tests/linux/2024.melofee/driver_decrypted.simple
new file mode 100644
index 000000000..ba74a47d6
--- /dev/null
+++ b/tests/linux/2024.melofee/driver_decrypted.simple
@@ -0,0 +1,9 @@
+# linux/2024.melofee/driver_decrypted: critical
+evasion/indicator_blocking/process: high
+evasion/mimicry/fake_process: high
+impact/rootkit: critical
+persist/kernel_module/insert: medium
+persist/kernel_module/kprobe: medium
+persist/kernel_module/module: medium
+persist/kernel_module/symbol_lookup: high
+sus/compiler: medium
diff --git a/tests/linux/2024.melofee/pskt.simple b/tests/linux/2024.melofee/pskt.simple
new file mode 100644
index 000000000..fa3c946f0
--- /dev/null
+++ b/tests/linux/2024.melofee/pskt.simple
@@ -0,0 +1,71 @@
+# linux/2024.melofee/pskt: critical
+anti-behavior/LD_DEBUG: medium
+anti-behavior/LD_PROFILE: medium
+anti-static/elf/entropy: critical
+c2/addr/ip: medium
+credential/os/gshadow: medium
+credential/os/shadow: medium
+credential/password: low
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/ed25519: low
+crypto/gost89: low
+crypto/rc4: low
+data/base64/decode: medium
+data/builtin/glibc: medium
+data/builtin/multiple: high
+data/builtin/openssl: medium
+data/encoding/base64: low
+data/hash/blake2b: low
+data/hash/sha1: low
+discover/group/lookup: medium
+discover/network/interface_list: medium
+discover/processes/list: critical
+evasion/file/location/dev_shm: medium
+evasion/file/location/var_run: medium
+evasion/file/prefix: medium
+evasion/file/prefix/tmp: high
+evasion/hijack_execution/LD_LIBRARY_PATH: low
+exec/program: medium
+exec/shell/TERM: low
+exec/shell/exec: medium
+exfil/collection: medium
+fs/file/copy: medium
+fs/file/delete_forcibly: medium
+fs/path/etc: low
+fs/path/etc_hosts: medium
+fs/path/etc_resolv.conf: low
+fs/path/tmp: medium
+fs/path/var: low
+fs/path/var_profile: medium
+fs/proc/meminfo: medium
+fs/proc/self_exe: medium
+fs/proc/stat: medium
+fs/proc/sys_kernel_osrelease: medium
+fs/tempdir: low
+hw/cpu: medium
+impact/remote_access/backdoor: high
+impact/remote_access/heartbeat: medium
+lateral/scan/tool: medium
+malware/family/melofee: critical
+net/dns/reverse: medium
+net/dns/servers: low
+net/dns/txt: low
+net/http/post: medium
+net/http/request: low
+net/ip/addr: medium
+net/ip/resolve: low
+net/proxy/tunnel: medium
+net/resolve/hostname: low
+net/resolve/hostport_parse: low
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/send: low
+net/tcp/ssh: medium
+net/url/embedded: low
+os/kernel/netlink: low
+persist/cron/tab: high
+persist/writeable_dir: medium
+process/executable_path: low
+process/multithreaded: low
+sus/compiler: high
diff --git a/tests/linux/UPX/06ed158.md b/tests/linux/UPX/06ed158.md
index 08b10ab08..1d914f237 100644
--- a/tests/linux/UPX/06ed158.md
+++ b/tests/linux/UPX/06ed158.md
@@ -1,11 +1,11 @@
## linux/UPX/06ed158 [😈 CRITICAL]
-| RISK | KEY | DESCRIPTION | EVIDENCE |
-|--------|--------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|------------------------------------------------------|
-| HIGH | [anti-static/elf/content](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/content.yara#obfuscated_elf) | Obfuscated ELF binary (missing symbols) | |
-| HIGH | [anti-static/elf/entropy](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_4) | high entropy ELF binary (>7.4) | |
-| HIGH | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#high_entropy_header) | high entropy ELF header (>7) | |
-| HIGH | [anti-static/packer/upx](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/upx.yara#upx) | Binary is packed with UPX | [UPX!](https://github.com/search?q=UPX%21&type=code) |
-| MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | |
-| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) |
+| RISK | KEY | DESCRIPTION | EVIDENCE |
+|--------|--------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------|------------------------------------------------------|
+| HIGH | [anti-static/elf/content](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/content.yara#obfuscated_elf) | Obfuscated ELF binary (missing symbols) | |
+| HIGH | [anti-static/elf/entropy](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/entropy.yara#normal_elf_high_entropy_7_4) | high entropy footer in ELF binary (>7.4) | |
+| HIGH | [anti-static/elf/header](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/header.yara#high_entropy_header) | high entropy ELF header (>7) | |
+| HIGH | [anti-static/packer/upx](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/packer/upx.yara#upx) | Binary is packed with UPX | [UPX!](https://github.com/search?q=UPX%21&type=code) |
+| MEDIUM | [anti-static/binary/opaque](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/binary/opaque.yara#opaque_binary) | binary contains little text content | |
+| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) |
diff --git a/tests/linux/clean/clickhouse.simple b/tests/linux/clean/clickhouse.simple
index e553dea58..685d18758 100644
--- a/tests/linux/clean/clickhouse.simple
+++ b/tests/linux/clean/clickhouse.simple
@@ -25,7 +25,6 @@ crypto/file_encrypter: medium
crypto/gost89: low
crypto/tls: low
data/base64/decode: medium
-data/builtin/openssl: medium
data/compression/bzip2: low
data/compression/lzma: low
data/compression/zstd: low
@@ -180,7 +179,6 @@ privesc/sudo: medium
process/chdir: low
process/chroot: low
process/create: low
-process/executable_path: low
process/groupid_set: low
process/multithreaded: low
process/userid_set: low
diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md
index fd23f19d2..6a91a01e1 100644
--- a/tests/linux/clean/code-oss.md
+++ b/tests/linux/clean/code-oss.md
@@ -4,8 +4,8 @@
|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| MEDIUM | [3P/threat_hunting/google_remote_desktop](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#Google_Remote_Desktop_greyware_tool_keyword) | [references 'Google Remote Desktop' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [inomeogfingihgjfjlpeplalcfajhgai](https://github.com/search?q=inomeogfingihgjfjlpeplalcfajhgai&type=code) |
| MEDIUM | [3P/threat_hunting/proxmark](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#Proxmark_offensive_tool_keyword) | [references 'Proxmark' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [ProxMark](https://github.com/search?q=ProxMark&type=code) |
-| MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | Checks if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) |
-| MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | Checks if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) |
+| MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) |
+| MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) |
| MEDIUM | [anti-behavior/vm_check](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/vm-check.yara#vm_checker) | Checks to see if it is running with a VM | [GenuineIntel](https://github.com/search?q=GenuineIntel&type=code)
[VMware](https://github.com/search?q=VMware&type=code) |
| MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) |
| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s) |
@@ -76,7 +76,7 @@
| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) |
| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) |
| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) |
-| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) |
+| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) |
| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[http://autocomplete.nigma.ru/complete/query_help.php?suggest=true](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code) |
| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) |
| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code)
[request(url,](https://github.com/search?q=request%28url%2C&type=code) |
diff --git a/tests/linux/clean/containerd.simple b/tests/linux/clean/containerd.simple
index 9aa8f5f07..b60baa88f 100644
--- a/tests/linux/clean/containerd.simple
+++ b/tests/linux/clean/containerd.simple
@@ -115,7 +115,6 @@ os/kernel/netlink: low
os/kernel/seccomp: low
persist/pid_file: medium
process/chdir: low
-process/executable_path: low
process/groupid_set: low
process/groups_set: low
process/terminate/kill_multiple: medium
diff --git a/tests/linux/clean/cpack.md b/tests/linux/clean/cpack.md
index ca1168f2f..13876d1e9 100644
--- a/tests/linux/clean/cpack.md
+++ b/tests/linux/clean/cpack.md
@@ -9,7 +9,7 @@
| MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [](https://github.com/search?q=%3Chtml%3E&type=code) |
| MEDIUM | [data/embedded/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-zstd.yara#embedded_zstd) | [Contains compressed content in ZStandard format](https://github.com/facebook/zstd) | [(µ/ý](https://github.com/search?q=%28%B5%2F%FD&type=code) |
| MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)
[getifaddrs](https://github.com/search?q=getifaddrs&type=code) |
-| MEDIUM | [discover/processes/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/processes/list.yara#ps_exec) | ps exec | [#!](https://github.com/search?q=%23%21&type=code)
[ps ax](https://github.com/search?q=ps+ax&type=code) |
+| MEDIUM | [discover/processes/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/processes/list.yara#ps_exec) | executes ps(1) for a list of processes | [#!](https://github.com/search?q=%23%21&type=code)
[ps ax](https://github.com/search?q=ps+ax&type=code) |
| MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#os_release) | [operating-system identification](https://developer.apple.com/documentation/os/1524245-os_release) | [os_release](https://github.com/search?q=os_release&type=code) |
| MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#static_hidden_path) | possible hidden file path | [/home/linuxbrew/.linuxbrew](https://github.com/search?q=%2Fhome%2Flinuxbrew%2F.linuxbrew&type=code) |
| MEDIUM | [exec/cmd](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/cmd.yara#exec) | executes a command | [N_125cmFunctionFunctionBlocker16StartCommandNameEv](https://github.com/search?q=N_125cmFunctionFunctionBlocker16StartCommandNameEv&type=code)
[StartupCommands](https://github.com/search?q=StartupCommands&type=code)
[_N_122cmBlockFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_N_122cmBlockFunctionBlocker16StartCommandNameEv&type=code)
[_N_122cmMacroFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_N_122cmMacroFunctionBlocker16StartCommandNameEv&type=code)
[_N_124cmForEachFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_N_124cmForEachFunctionBlocker16StartCommandNameEv&type=code)
[_ZN13cmSystemTools23s_RunCommandHideConsoleE](https://github.com/search?q=_ZN13cmSystemTools23s_RunCommandHideConsoleE&type=code)
[_ZN13cmSystemTools25s_DisableRunCommandOutputE](https://github.com/search?q=_ZN13cmSystemTools25s_DisableRunCommandOutputE&type=code)
[_ZNK19cmIfFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_ZNK19cmIfFunctionBlocker16StartCommandNameEv&type=code)
[_ZNK22cmWhileFunctionBlocker16StartCommandNameEv](https://github.com/search?q=_ZNK22cmWhileFunctionBlocker16StartCommandNameEv&type=code)
[_ZZN12_GLOBAL__N_117TryRunCommandImpl18DoNotRunExecutableERKNSt7_](https://github.com/search?q=_ZZN12_GLOBAL__N_117TryRunCommandImpl18DoNotRunExecutableERKNSt7_&type=code)
[cmExecuteCommand](https://github.com/search?q=cmExecuteCommand&type=code) |
@@ -42,7 +42,7 @@
| MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[socks5](https://github.com/search?q=socks5&type=code) |
| MEDIUM | [net/proxy/tunnel](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/tunnel_proxy.yara#tunnel_proxy) | network tunnel proxy | [Proxy](https://github.com/search?q=Proxy&type=code)
[SOCKS5](https://github.com/search?q=SOCKS5&type=code)
[TLSVersion](https://github.com/search?q=TLSVersion&type=code)
[crypto](https://github.com/search?q=crypto&type=code)
[proxy](https://github.com/search?q=proxy&type=code)
[socket](https://github.com/search?q=socket&type=code)
[tunnel](https://github.com/search?q=tunnel&type=code) |
| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) |
-| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) |
+| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) |
| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [https://jrsoftware.org/isinfo.php?](https://jrsoftware.org/isinfo.php?) |
| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) |
| MEDIUM | [sus/exclamation](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/exclamation.yara#exclamations) | gets very excited | [Could not find CMAKE_ROOT !!!](https://github.com/search?q=Could+not+find+CMAKE_ROOT+%21%21%21&type=code) |
diff --git a/tests/linux/clean/ld-2.27.so.simple b/tests/linux/clean/ld-2.27.so.simple
index d35fb32aa..15f905579 100644
--- a/tests/linux/clean/ld-2.27.so.simple
+++ b/tests/linux/clean/ld-2.27.so.simple
@@ -2,7 +2,6 @@
anti-behavior/LD_DEBUG: medium
anti-behavior/LD_PROFILE: medium
discover/process/runtime_deps: medium
-discover/system/dev_full: low
evasion/hijack_execution/LD_LIBRARY_PATH: low
evasion/hijack_execution/etc_ld.so.preload: medium
fs/path/etc: low
@@ -13,4 +12,3 @@ fs/proc/sys_kernel_osrelease: medium
fs/tempdir: low
net/url/embedded: low
persist/shell/bash: medium
-sus/exclamation: medium
diff --git a/tests/linux/clean/libc.so.6.simple b/tests/linux/clean/libc.so.6.simple
index 683a88cfc..ce1ded6ee 100644
--- a/tests/linux/clean/libc.so.6.simple
+++ b/tests/linux/clean/libc.so.6.simple
@@ -10,7 +10,6 @@ discover/network/interface_list: medium
discover/process/parent: low
discover/process/runtime_deps: medium
discover/system/cpu: low
-discover/system/dev_full: low
discover/system/hostname: low
discover/system/platform: low
discover/system/sysinfo: medium
diff --git a/tests/linux/clean/melange.simple b/tests/linux/clean/melange.simple
index 5eb8ec8f2..8b986eab6 100644
--- a/tests/linux/clean/melange.simple
+++ b/tests/linux/clean/melange.simple
@@ -140,7 +140,6 @@ os/time/clock_set: low
persist/cron/tab: medium
process/chdir: low
process/chroot: low
-process/executable_path: low
process/groupid_set: low
process/multithreaded: low
process/unshare: low
diff --git a/tests/linux/clean/mongosh.simple b/tests/linux/clean/mongosh.simple
index 0ca21ffb0..9ba0f7a87 100644
--- a/tests/linux/clean/mongosh.simple
+++ b/tests/linux/clean/mongosh.simple
@@ -167,7 +167,7 @@ process/terminate: medium
process/terminate/taskkill: medium
process/userid_set: low
sec-tool/net/nmap: medium
-sus/ancient_gcc: medium
+sus/compiler: medium
sus/exclamation: medium
sus/intercept: medium
sus/leetspeak: medium
diff --git a/tests/linux/clean/pandoc.md b/tests/linux/clean/pandoc.md
index 18564e881..38f4c64eb 100644
--- a/tests/linux/clean/pandoc.md
+++ b/tests/linux/clean/pandoc.md
@@ -64,12 +64,12 @@
| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) |
| MEDIUM | [net/socket/raw](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/raw.yara#raw_sockets) | [send raw and/or malformed IP packets](https://man7.org/linux/man-pages/man7/raw.7.html) | [IPPROTO_RAW](https://github.com/search?q=IPPROTO_RAW&type=code)
[SOCK_RAW](https://github.com/search?q=SOCK_RAW&type=code) |
| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code)
[SO_REUSEPORT](https://github.com/search?q=SO_REUSEPORT&type=code) |
-| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) |
+| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) |
| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [http://www.fictionbook.org/index.php](http://www.fictionbook.org/index.php) |
| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) |
| MEDIUM | [net/webrtc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/webrtc.yara#webrtc_peer) | makes outgoing WebRTC connections | [RTCPeerConnection](https://github.com/search?q=RTCPeerConnection&type=code) |
| MEDIUM | [os/kernel/opencl](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/opencl.yara#OpenCL) | support for OpenCL | [OpenCL](https://github.com/search?q=OpenCL&type=code) |
-| MEDIUM | [persist/cron/tab](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/cron/tab.yara#crontab_support) | supports crontab manipulation | [crontab](https://github.com/search?q=crontab&type=code) |
+| MEDIUM | [persist/cron/tab](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/cron/tab.yara#crontab_support) | lists crontab entries, may also persist | [crontab](https://github.com/search?q=crontab&type=code) |
| MEDIUM | [persist/kernel_module/module](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/kernel_module/module.yara#delete_module) | Unload Linux kernel module | [delete_module](https://github.com/search?q=delete_module&type=code) |
| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [PidFile](https://github.com/search?q=PidFile&type=code) |
| MEDIUM | [privesc/sudo](https://github.com/chainguard-dev/malcontent/blob/main/rules/privesc/sudo.yara#sudo) | calls sudo | [sudo](https://github.com/search?q=sudo&type=code) |
diff --git a/tests/linux/clean/qemu-system-xtensa.md b/tests/linux/clean/qemu-system-xtensa.md
index b10c9afac..e80869729 100644
--- a/tests/linux/clean/qemu-system-xtensa.md
+++ b/tests/linux/clean/qemu-system-xtensa.md
@@ -41,7 +41,7 @@
| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | listen on a socket | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) |
| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) |
| MEDIUM | [net/tcp/sftp](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/sftp.yara#sftp) | Supports sftp (FTP over SSH) | [sftp](https://github.com/search?q=sftp&type=code)
[ssh](https://github.com/search?q=ssh&type=code) |
-| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) |
+| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) |
| MEDIUM | [net/tun_tap](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tun_tap.yara#tun_tap) | accesses the TUN/TAP device driver | [/dev/net/tun](https://github.com/search?q=%2Fdev%2Fnet%2Ftun&type=code) |
| MEDIUM | [persist/daemon](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/daemon/daemon.yara#daemon) | Run as a background daemon | [-daemon](https://github.com/search?q=-daemon&type=code)
[daemonize](https://github.com/search?q=daemonize&type=code)
[is_daemon](https://github.com/search?q=is_daemon&type=code)
[os_daemon](https://github.com/search?q=os_daemon&type=code)
[os_set_daemon](https://github.com/search?q=os_set_daemon&type=code)
[qemu_daemon](https://github.com/search?q=qemu_daemon&type=code) |
| MEDIUM | [persist/pid_file](https://github.com/chainguard-dev/malcontent/blob/main/rules/persist/pid_file.yara#pid_file) | pid file, likely DIY daemon | [pid_file](https://github.com/search?q=pid_file&type=code) |
diff --git a/tests/linux/clean/slack.md b/tests/linux/clean/slack.md
index 82b00729f..952a88ecd 100644
--- a/tests/linux/clean/slack.md
+++ b/tests/linux/clean/slack.md
@@ -4,8 +4,8 @@
|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------|
| MEDIUM | [3P/threat_hunting/metasploit](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#metasploit_offensive_tool_keyword) | [references 'metasploit' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [encrypted_payload](https://github.com/search?q=encrypted_payload&type=code) |
| MEDIUM | [3P/threat_hunting/proxmark](https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/threat_hunting/all.yara#Proxmark_offensive_tool_keyword) | [references 'Proxmark' tool](https://github.com/mthcht/ThreatHunting-Keywords), by mthcht | [ProxMark](https://github.com/search?q=ProxMark&type=code) |
-| MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | Checks if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) |
-| MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | Checks if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) |
+| MEDIUM | [anti-behavior/LD_DEBUG](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_DEBUG.yara#env_LD_DEBUG) | may check if dynamic linker debugging is enabled | [LD_DEBUG](https://github.com/search?q=LD_DEBUG&type=code) |
+| MEDIUM | [anti-behavior/LD_PROFILE](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/LD_PROFILE.yara#env_LD_PROFILE) | may check if dynamic linker profiling is enabled | [LD_PROFILE](https://github.com/search?q=LD_PROFILE&type=code) |
| MEDIUM | [anti-static/obfuscation/hex](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/hex.yara#hex_parse) | converts hex data to ASCII | [Buffer.from(padded, 'hex')](https://github.com/search?q=Buffer.from%28padded%2C+%27hex%27%29&type=code) |
| MEDIUM | [c2/addr/http_dynamic](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/http-dynamic.yara#http_dynamic) | URL that is dynamically generated | [http://%s](http://%s)
[https://%s](https://%s) |
| MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [IP](https://github.com/search?q=IP&type=code)
[allow_port](https://github.com/search?q=allow_port&type=code)
[any_port](https://github.com/search?q=any_port&type=code)
[basic_port](https://github.com/search?q=basic_port&type=code)
[check_ip](https://github.com/search?q=check_ip&type=code)
[debugPort](https://github.com/search?q=debugPort&type=code)
[defaultPort](https://github.com/search?q=defaultPort&type=code)
[endpoint_port](https://github.com/search?q=endpoint_port&type=code)
[firstIp](https://github.com/search?q=firstIp&type=code)
[hIp](https://github.com/search?q=hIp&type=code)
[hasPort](https://github.com/search?q=hasPort&type=code)
[host_port](https://github.com/search?q=host_port&type=code)
[inspectPort](https://github.com/search?q=inspectPort&type=code)
[internalPort](https://github.com/search?q=internalPort&type=code)
[kPort](https://github.com/search?q=kPort&type=code)
[lIp](https://github.com/search?q=lIp&type=code)
[localPort](https://github.com/search?q=localPort&type=code)
[messagePort](https://github.com/search?q=messagePort&type=code)
[message_port](https://github.com/search?q=message_port&type=code)
[midi_port](https://github.com/search?q=midi_port&type=code)
[multi_port](https://github.com/search?q=multi_port&type=code)
[next_port](https://github.com/search?q=next_port&type=code)
[on_ip](https://github.com/search?q=on_ip&type=code)
[origin_port](https://github.com/search?q=origin_port&type=code)
[pIp](https://github.com/search?q=pIp&type=code)
[parentPort](https://github.com/search?q=parentPort&type=code)
[parent_port](https://github.com/search?q=parent_port&type=code)
[peerPort](https://github.com/search?q=peerPort&type=code)
[peer_port](https://github.com/search?q=peer_port&type=code)
[publicPort](https://github.com/search?q=publicPort&type=code)
[public_ip](https://github.com/search?q=public_ip&type=code)
[quic_port](https://github.com/search?q=quic_port&type=code)
[quiche_ip](https://github.com/search?q=quiche_ip&type=code)
[received_ip](https://github.com/search?q=received_ip&type=code)
[relatedPort](https://github.com/search?q=relatedPort&type=code)
[remotePort](https://github.com/search?q=remotePort&type=code)
[requestPort](https://github.com/search?q=requestPort&type=code)
[required_ip](https://github.com/search?q=required_ip&type=code)
[seq_port](https://github.com/search?q=seq_port&type=code)
[serial_port](https://github.com/search?q=serial_port&type=code)
[server_ip](https://github.com/search?q=server_ip&type=code)
[set_port](https://github.com/search?q=set_port&type=code)
[simple_port](https://github.com/search?q=simple_port&type=code)
[sourcePort](https://github.com/search?q=sourcePort&type=code)
[source_port](https://github.com/search?q=source_port&type=code)
[stun_port](https://github.com/search?q=stun_port&type=code)
[target_ip](https://github.com/search?q=target_ip&type=code)
[tcp_port](https://github.com/search?q=tcp_port&type=code)
[turn_port](https://github.com/search?q=turn_port&type=code)
[udp_port](https://github.com/search?q=udp_port&type=code)
[uv_ip](https://github.com/search?q=uv_ip&type=code)
[validatePort](https://github.com/search?q=validatePort&type=code)
[xIp](https://github.com/search?q=xIp&type=code)
[yoIp](https://github.com/search?q=yoIp&type=code) |
@@ -79,7 +79,7 @@
| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) |
| MEDIUM | [net/socket/listen](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/socket-listen.yara#listen) | generic listen string | [accept](https://github.com/search?q=accept&type=code)
[listen](https://github.com/search?q=listen&type=code)
[socket](https://github.com/search?q=socket&type=code) |
| MEDIUM | [net/socket/reuseport](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/socket/reuseport.yara#reuseport) | reuse TCP/IP ports for listening and connecting | [SO_REUSEADDR](https://github.com/search?q=SO_REUSEADDR&type=code) |
-| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Uses SSH (secure shell) service | [SSH](https://github.com/search?q=SSH&type=code) |
+| MEDIUM | [net/tcp/ssh](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/ssh.yara#ssh) | Supports SSH (secure shell) | [SSH](https://github.com/search?q=SSH&type=code) |
| MEDIUM | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url_with_php) | contains hardcoded PHP endpoint | [-//WcardshillsteamsPhototruthclean.php?saintmetallouismeantproofbriefro](https://github.com/search?q=-%2F%2FWcardshillsteamsPhototruthclean.php%3Fsaintmetallouismeantproofbriefro&type=code)
[examplepersonallyindex.php?](https://github.com/search?q=examplepersonallyindex.php%3F&type=code)
[http://autocomplete.nigma.ru/complete/query_help.php?suggest=true](http://autocomplete.nigma.ru/complete/query_help.php?suggest=true)
[http://search.incredibar.com/search.php?q=](http://search.incredibar.com/search.php?q=)
[http://searchfunmoods.com/results.php?q=](http://searchfunmoods.com/results.php?q=)
[https://m.so.com/index.php?ie=](https://m.so.com/index.php?ie=)
[https://search.privacywall.org/suggest.php?q=](https://search.privacywall.org/suggest.php?q=)
[ofpluginspage/index.php?remained](https://github.com/search?q=ofpluginspage%2Findex.php%3Fremained&type=code) |
| MEDIUM | [net/url/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/encode.yara#url_encode) | encodes URL, likely to pass GET variables | [urlencode](https://github.com/search?q=urlencode&type=code) |
| MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [http.request](https://github.com/search?q=http.request&type=code)
[net/url](https://github.com/search?q=net%2Furl&type=code)
[request(url,](https://github.com/search?q=request%28url%2C&type=code) |
diff --git a/tests/linux/clean/slirp4netns.simple b/tests/linux/clean/slirp4netns.simple
index f64d4c66c..c86847565 100644
--- a/tests/linux/clean/slirp4netns.simple
+++ b/tests/linux/clean/slirp4netns.simple
@@ -6,11 +6,11 @@ credential/os/gshadow: medium
credential/os/shadow: medium
credential/password: low
credential/sniffer/bpf: medium
+data/builtin/glibc: medium
discover/group/lookup: medium
discover/network/interface_list: medium
discover/network/mac_address: medium
discover/process/parent: low
-discover/system/dev_full: low
discover/system/platform: low
discover/system/sysinfo: medium
discover/user/HOME: low
@@ -103,4 +103,3 @@ process/multithreaded: low
process/namespace_set: low
process/unshare: low
process/userid_set: low
-sus/exclamation: medium
diff --git a/tests/linux/clean/trivy.simple b/tests/linux/clean/trivy.simple
index 9326e86ed..a8bd9a840 100644
--- a/tests/linux/clean/trivy.simple
+++ b/tests/linux/clean/trivy.simple
@@ -30,7 +30,6 @@ crypto/ecdsa: low
crypto/ed25519: low
crypto/tls: low
data/base64/decode: medium
-data/builtin/openssl: medium
data/compression/bzip2: low
data/compression/lzma: low
data/compression/xz: medium
@@ -179,7 +178,6 @@ os/time/tzinfo: low
privesc/sudo: medium
process/chdir: low
process/chroot: low
-process/executable_path: low
process/groupid_set: low
process/groups_set: low
process/multithreaded: low
diff --git a/tests/linux/clean/wolfictl.simple b/tests/linux/clean/wolfictl.simple
index fcd4a019a..d58936b43 100644
--- a/tests/linux/clean/wolfictl.simple
+++ b/tests/linux/clean/wolfictl.simple
@@ -169,7 +169,6 @@ persist/pid_file: medium
process/chdir: low
process/chroot: low
process/create: low
-process/executable_path: low
process/groupid_set: low
process/groups_set: low
process/multithreaded: low