hadooken: Improve shell, python, and powershell dropper detection (ch…

…ainguard-dev#455) * Improve shell, python, and powershell dropper detection * refresh-sample-testdata refactor (chainguard-dev#450) * Add shorter output format for 'scan' mode (chainguard-dev#457) * Bump step-security/harden-runner from 2.9.1 to 2.10.1 in the all group (chainguard-dev#459) Bumps the all group with 1 update: [step-security/harden-runner](https://github.com/step-security/harden-runner). Updates `step-security/harden-runner` from 2.9.1 to 2.10.1 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@5c7944e...91182cc) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Evan Gibler <[email protected]> * refresh testdata * improve dropper detection output * Update testdata * Update testdata * Improve linux_server_stealer targeting * Update to use latest bincapz-samples * update scan_archive sample --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Evan Gibler <[email protected]>
egibs · Sep 16, 2024 · 2007007 · 2007007
1 parent 8398179
commit 2007007
Show file tree

Hide file tree

Showing 49 changed files with 336 additions and 34 deletions.
diff --git a/Makefile b/Makefile
@@ -48,7 +48,7 @@ fix: $(FIXERS)
 # END: lint-install ../bincapz
 
 SAMPLES_REPO ?= chainguard-dev/bincapz-samples
-SAMPLES_COMMIT ?= bdcb8c2e9bf557a0abe3e2b0144f437d456299b7
+SAMPLES_COMMIT ?= b112eaf9bc547b2d219dfa775e0eff2874b30b9f
 OUT_DIR=out/samples-$(SAMPLES_COMMIT).tmp
 out/samples-$(SAMPLES_COMMIT):
 	mkdir -p out

diff --git a/pkg/action/programkind.go b/pkg/action/programkind.go
@@ -55,6 +55,7 @@ var extMap = map[string]string{
 	".md":      "",
 	".php":     "PHP file",
 	".pl":      "PERL script",
+	".ps1":     "Powershell",
 	".py":      "Python script",
 	".pyc":     "Python script (compiled)",
 	".rb":      "Ruby script",

diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
@@ -26,6 +26,7 @@ fs/directory/list
 fs/directory/remove
 fs/fifo/create
 fs/file/delete
+fs/file/delete/forcibly
 fs/file/read
 fs/file/stat
 fs/file/write

diff --git a/rules/combo/backdoor/remote_eval.yara b/rules/combo/backdoor/remote_eval.yara
@@ -7,9 +7,11 @@ rule remote_eval : critical {
     hash_2024_analyze_me_1_0_0_setup = "ca9c74630ed814053220129ee6c43668e66898983d9be5e34b406bbd3ad95b1e"
   strings:
     $http = "http"
-    $eval_open_ruby = /eval\(open[\(\)\"\'\-\w:\/\.]{0,32}/
-    $exec_requests = /exec\(requests\.get[\(\)\"\'\-\w:\/\.]{0,32}/
-    $eval_requests = /eval\(requests\.get[\(\)\"\'\-\w:\/\.]{0,32}/
+    $eval_open_ruby = /eval\(open[\(\)\"\'\-\w:\/\.]{0,64}/
+    $exec_requests = /exec\(requests\.get[\(\)\"\'\-\w:\/\.]{0,64}/
+    $eval_requests = /eval\(requests\.get[\(\)\"\'\-\w:\/\.]{0,64}/
+	$eval_urllib = /exec\(urllib\.request\.urlopen\([\(\)\"\'\-\w:\/\.]{0,64}\).read\(\)/
+	$exec_urllib = /exec\(urllib\.request\.urlopen\([\(\)\"\'\-\w:\/\.]{0,64}\).read\(\)/
   condition:
     filesize < 65535 and $http and any of ($e*)
 }

diff --git a/rules/combo/dropper/powershell.yara b/rules/combo/dropper/powershell.yara
@@ -0,0 +1,13 @@
+
+rule powershell_base64_dropper : critical {
+  meta:
+    description = "Powershell base64 dropper"
+  strings:
+	$base64 = "FromBase64String"
+	$write = "WriteAllBytes"
+	$io_file = "System.IO.File"
+	$start_proc = "Start-Process"
+	$file_path = "FilePath"
+  condition:
+    filesize < 2KB and all of them
+}
diff --git a/rules/combo/dropper/shell.yara b/rules/combo/dropper/shell.yara
@@ -102,3 +102,50 @@ rule fetch_chmod_execute : high {
   condition:
     any of them
 }
+
+rule possible_dropper : high {
+	meta:
+		description = "downloads and execute a program"
+	strings:
+		$http = "http://"
+		$https = "https://"
+	    $tool_curl_o = /curl [\w\.\- :\"\/]{0,64}-\w{0,2}[oO][\w\- :\"\/]{0,64}/
+		$tool_wget_q = "wget -"
+		$tool_lwp = "lwp-download"
+		$cmd_bash = "bash" fullword
+		$cmd_dot_slash = /\.\/[\.\w]{1,16}/ fullword
+		$cmd_rm = "rm" fullword
+		$cmd_sleep = "sleep" fullword
+		$cmd_echo = "echo" fullword
+		$cmd_chmod = "chmod" fullword
+	condition:
+		filesize < 768 and any of ($http*) and any of ($tool*) and any of ($cmd*)
+}
+
+rule nohup_dropper : critical {
+	meta:
+		description = "downloads and executes a program with nohup"
+	strings:
+		$nohup = "nohup" fullword
+	condition:
+		possible_dropper and $nohup
+}
+
+rule obsessive_dropper : critical {
+	meta:
+		description = "invokes multiple tools to download and execute a program"
+	strings:
+		$http = "http://"
+		$https = "https://"
+		$tool_curl_s = "curl -"
+		$tool_wget_q = "wget -"
+		$tool_lwp = "lwp-download"
+		$cmd_bash = "bash" fullword
+		$cmd_dot_slash = /\.\/[\.\w]{1,16}/ fullword
+		$cmd_rm = "rm" fullword
+		$cmd_sleep = "sleep" fullword
+		$cmd_echo = "echo" fullword
+		$cmd_chmod = "chmod" fullword
+	condition:
+		filesize < 768 and any of ($http*) and 2 of ($tool*) and any of ($cmd*)
+}
diff --git a/rules/combo/stealer/linux_server.yara b/rules/combo/stealer/linux_server.yara
@@ -7,8 +7,19 @@ rule linux_server_stealer : high {
     hash_2022_services_api = "fe617c77d66f0954d22d6488e4a481b0f8fdc9e3033fa23475dcd24e53561ec7"
   strings:
     $bash_history = ".bash_history"
-    $root_ssh = "/root/.ssh"
-    $id_rsa = ".ssh/id_rsa"
+
+    $other_root_ssh = "/root/.ssh"
+    $other_id_rsa = ".ssh/id_rsa"
+	$other_shadow = "etc/shadow"
+
+	$term_crypto = "crypto" fullword
+	$term_echo = "echo" fullword
+	$term_chmod = "chmod" fullword
+	$term_find = "find" fullword
+	$term_scp = "scp" fullword
+	$term_tar = "tar" fullword
+	$term_crontab = "crontab" fullword
+	$term_http = "http" fullword
   condition:
-    $bash_history and ($root_ssh or $id_rsa)
+    filesize < 10MB and $bash_history and any of ($other*) and any of ($term*)
 }
diff --git a/rules/combo/wiper/bash.yara b/rules/combo/wiper/bash.yara
@@ -8,5 +8,6 @@ rule sleep_rm_sh_pipe : high {
     $s_pipe_sh = "| /bin/sh"
     $s_rm_rf = "rm -rf"
   condition:
-    all of them
+    filesize < 16KB and all of them
 }
+
diff --git a/rules/combo/wiper/sensitive_logs.yara b/rules/combo/wiper/sensitive_logs.yara
@@ -17,6 +17,27 @@ rule system_log_references : high {
     $btmp = "/var/log/btmp"
     $lastlog = "/var/log/lastlog"
     $run_log = "/run/log/"
+	$mail_log = "/var/spool/mail/root"
   condition:
     filesize < 67108864 and 3 of them
 }
+
+rule echo_log_wiper : critical {
+	meta:
+		description = "overwrites critical system logs"
+	strings:
+		$var_spool = /echo.{0,4}\> {0,2}\/var\/spool\/mail\/root/
+		$var_log = /echo.{0,4}\> {0,2}\/var\/log\/\w{0,8}/
+	condition:
+		filesize < 16KB and system_log_references and any of them
+}
+
+rule log_remover : critical {
+	meta:
+		description = "overwrites critical system logs"
+	strings:
+		$var_spool = /rm {1,2}-{0,4}\/var\/spool\/mail\/root/
+		$var_log = /rm {1,2}-{0,4}\/var\/log\/\w{0,8}/
+	condition:
+		filesize < 16KB and system_log_references and any of them
+}
diff --git a/rules/combo/worm/ssh.yara b/rules/combo/worm/ssh.yara
@@ -1,20 +1,34 @@
 
-rule ssh_snake_worm : high {
+rule ssh_shell_worm : critical {
   meta:
-    description = "possible SSH worm like SSH-Snake"
-    hash_2024_SSH_Snake_Snake_nocomments = "9491fa95f40a69f27ce99229be636030fdc49f315cb9c897db3b602c34a8ceda"
+    description = "SSH worm implemented in shell"
+	hash_2024_SSH_Snake_Snake_nocomments = "9491fa95f40a69f27ce99229be636030fdc49f315cb9c897db3b602c34a8ceda"
     hash_2024_SSH_Snake = "b0a2bf48e29c6dfac64f112ac1cb181d184093f582615e54d5fad4c9403408be"
   strings:
-    $s_dot_ssh = ".ssh"
-    $s_authorized_keys = "authorized_keys"
-    $h_etc_hosts = "/etc/hosts"
-    $h_getent = "getent ahostsv4"
-    $u_base64 = "base64"
-    $u_uname = "uname"
-    $strict_host = "StrictHostKeyChecking"
-    $user_known_hosts = "UserKnownHostsFile"
+    $dot_ssh = ".ssh" fullword
+
+	$key_pem = ".pem" fullword
+	$key_rsa = "id_rsa" fullword
+	$key_identity_file = "IdentityFile" fullword
+
+    $hosts_authorized_keys = "authorized_keys"
+    $hosts_etc_hosts = "/etc/hosts"
+    $hosts_getent = "getent ahostsv4"
+	$hosts_ssh_config = /grep.{1,8}HostName.{1,8}\/\.ssh\/config/
+	$hosts_bash_history = /(scp|ssh).{2,64}bash_history/
+	$hosts_known_hosts = "known_hosts"
+
+    $remote_base64 = "base64"
+    $remote_uname = "uname"
+	$remote_curl = "curl -"
+	$remote_wget = "wget"
+	$remote_lwp = "lwp-download"
+
+    $ssh_strict_host = "StrictHostKeyChecking"
+    $ssh_known_hosts = "UserKnownHostsFile"
+	$ssh_connect_timeout = "ConnectTimeout"
   condition:
-    filesize < 67108864 and $strict_host and $user_known_hosts and all of ($s*) and any of ($h*) and any of ($u*)
+    filesize < 32KB and $dot_ssh and 2 of ($ssh*) and 1 of ($remote*) and 3 of ($hosts*) and any of ($key*)
 }
 
 rule ssh_worm_router : high {
@@ -34,3 +48,5 @@ rule ssh_worm_router : high {
   condition:
     all of ($s*) and any of ($h*) and any of ($p*)
 }
+
+
diff --git a/rules/crypto/mining/tls_dp_port.yara b/rules/crypto/mining/tls_dp_port.yara
@@ -0,0 +1,9 @@
+
+rule tls_dp_port : critical {
+  meta:
+    description = "contains cryptominer command-line"
+  strings:
+    $ref = /-p \d+ -tls -dp \d+/
+  condition:
+    any of them
+}
diff --git a/rules/evasion/base64-decode.yara b/rules/evasion/base64-decode.yara
@@ -42,7 +42,7 @@ rule powershell_decode : medium {
     description = "decode base64 strings"
     ref = "https://learn.microsoft.com/en-us/dotnet/api/system.convert.frombase64string?view=net-8.0"
   strings:
-    $ref = "[System.Convert]::FromBase64String" ascii
+    $ref = /System\.Convert[\]: ]+FromBase64String/ ascii
   condition:
     any of them
 }
diff --git a/rules/evasion/copy_run_delete.yara b/rules/evasion/copy_run_delete.yara
@@ -0,0 +1,18 @@
+
+rule copy_run_delete : critical {
+  meta:
+    description = "copy executable, run, and delete"
+  strings:
+	$cp = "cp -f"
+	$rm = /rm [\-\w ]{0,4}f[ \$\w\/\.]{0,32}/
+	$null = "/dev/null"
+	$path_tmp = "/tmp"
+	$path_bin = "/bin"
+	$path_var = "/var/"
+	$path_dev_shm = "/dev/shm"
+	$run_quoted = /\"\$[\w\-\/\$]{1,12}\"/ fullword
+	$run_dot_slash = /\.\/[\-\w\$]{1,12}/ fullword
+  condition:
+    filesize < 256 and $cp and $rm and $null and any of ($path*) and any of ($run*)
+}
+
diff --git a/rules/evasion/fake-process-name.yara b/rules/evasion/fake-process-name.yara
@@ -24,3 +24,12 @@ rule fake_syslogd : critical {
   condition:
     any of them
 }
+
+rule fake_bash_val : high {
+  meta:
+    description = "Pretends to be a bash process"
+  strings:
+    $bash = "-bash" fullword
+  condition:
+	filesize < 8KB and $bash
+}
diff --git a/rules/evasion/run_sleep_delete.yara b/rules/evasion/run_sleep_delete.yara
@@ -1,5 +1,5 @@
 
-rule run_and_delete : critical {
+rule run_sleep_delete : critical {
   meta:
     description = "run executable, sleep, and delete"
     hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"
@@ -14,3 +14,19 @@ rule run_and_delete : critical {
     filesize < 64KB and all of them
 }
 
+rule fetch_run_sleep_delete : critical {
+  meta:
+    description = "fetch, run executable, sleep, and delete"
+  strings:
+    $url = /https*:\/\/[\w][\w\.\/\-_\?=\@]{8,64}/
+	$sleep = /sleep \d{1,2}/ fullword
+	$rm = /rm [\-\w ]{0,4}f[ \$\w\/\.]{0,32}/
+	$path_tmp = "/tmp"
+	$path_var = "/var/"
+	$path_dev_shm = "/dev/shm"
+	$run_quoted = /\"\$[\-\w\/\$]{1,12}\"/ fullword
+	$run_dot_slash = /\.\/[\-\w\$]{1,12}/ fullword
+  condition:
+    filesize < 1KB and $url and $sleep and $rm and any of ($path*) and any of ($run*)
+}
+
diff --git a/rules/fd/write.yara b/rules/fd/write.yara
@@ -34,3 +34,4 @@ rule py_fd_write {
 	condition:
 		any of them
 }
+
diff --git a/rules/fs/file-copy.yara b/rules/fs/file-copy.yara
@@ -0,0 +1,16 @@
+rule file_copy : medium {
+  meta:
+    description = "copy files using cp"
+  strings:
+    $ref = /cp [-\w ]{0,2}[ \$\w\/\.\-]{0,32}/ fullword
+  condition:
+    any of them
+}
+rule file_copy_force : medium {
+  meta:
+    description = "forcibly copy files using cp -f"
+  strings:
+    $ref = /cp [-\w ]{0,2}f [ \$\w\/\.\-]{0,32}/ fullword
+  condition:
+    any of them
+}
diff --git a/rules/fs/file-delete-forcibly.yara b/rules/fs/file-delete-forcibly.yara
@@ -1,16 +1,16 @@
 
 rule rm_force {
   meta:
-    description = "Forcibly deletes files using rm"
+    description = "Forcibly deletes files"
   strings:
-    $ref = /rm [\-\w ]{0,4}-f[ \$\w\/\.]{0,32}/
+    $ref = /rm [\-\w ]{0,4}-[f[ \$\w\/\.]{0,32}/
   condition:
     $ref
 }
 
 rule rm_recursive_force : medium {
   meta:
-    description = "Forcibly recursively deletes files using rm -R"
+    description = "Forcibly deletes files recursively"
     hash_2023_anarchy = "1a6f8d758c6e569109a021c01cc4a5e787a9c876866c0ce5a15f07f266ec8059"
     hash_2019_test_compass_test = "6647a368750892a379bb483096910fc3729312e6b2eb6bb964da8062013e300a"
     hash_2019_test_sass_test = "fdcb3a53bb071031a5c44d0a7d554a085dceb9ed393a5e3940fda4471698c186"

diff --git a/rules/fs/file-write.yara b/rules/fs/file-write.yara
@@ -16,3 +16,14 @@ rule python_file_write {
 	condition:
 		any of them
 }
+
+
+rule powershell_fs_write {
+	meta:
+		description = "writes content to disk"
+		syscall = "pwrite"
+	strings:
+		$write_val = "System.IO.File]::WriteAllBytes"
+	condition:
+		any of them
+}
diff --git a/rules/fs/tempdir.yara b/rules/fs/tempdir.yara
@@ -8,6 +8,7 @@ rule tempdir {
 		$tempdir = "TEMPDIR" fullword
 		$tmpdir = "TMPDIR" fullword
 		$cocoa = "NSTemporaryDirectory" fullword
+		$powershell = "GetTempPath" fullword
 	condition:
 		any of them
 }
diff --git a/rules/net/fetch.yara b/rules/net/fetch.yara
@@ -18,7 +18,7 @@ rule curl_download_val : medium {
     hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
     hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7"
   strings:
-    $ref = /curl [\w\.\- :\"\/]{0,64}-[oO][\w\- :\"\/]{0,64}/
+    $ref = /curl [\w\.\- :\"\/]{0,64}-\w{0,2}[oO][\w\- :\"\/]{0,64}/
   condition:
     $ref
 }

diff --git a/rules/process/chdir-unusual.yara b/rules/process/chdir-unusual.yara
@@ -8,6 +8,7 @@ rule unusual_cd_val : high {
   strings:
     $d_mnt = "cd /mnt"
     $d_root = "cd /root"
+	$d_bin = "cd /bin"
     $d_tmp = "cd /tmp"
     $d_usr = /cd \/usr[\/\w\.]{0,16}/
     $d_var_log = "cd /var/log"

diff --git a/rules/ref/path/dev-shm.yara b/rules/ref/path/dev-shm.yara
@@ -1,7 +1,7 @@
 
 rule dev_shm : medium {
   meta:
-    description = "references /dev/shm (world writeable)"
+    description = "references path within /dev/shm (world writeable)"
   strings:
     $ref = /\/dev\/shm\/[\%\w\-\/\.]{0,64}/
   condition:

diff --git a/...s/ref/site/github_comment_attachment.yara → rules/ref/site/github_attachment.yara b/...s/ref/site/github_comment_attachment.yara → rules/ref/site/github_attachment.yara
@@ -1,8 +1,8 @@
 
-rule github_comment_attachment : high {
+rule github_attachment : high {
   meta:
     ref = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-novel-approach/"
-    description = "references a GitHub comment attachment, sometimes used to distribute malware"
+    description = "references a GitHub comment attachment"
     hash_2024_synthetic_github_attach_fetch = "fd2f0e9cf4288d2be6b22bd0c6e8a5eb99777939c9b2278ecf89f5b8ad536719"
   strings:
     $ref = /github\.com\/\w{0,32}\/\w{0,32}\/files\/\d{0,16}\/[\w\.\-]{0,64}/