
hadooken: Improve shell, python, and powershell dropper detection (#455)
* Improve shell, python, and powershell dropper detection

* refresh-sample-testdata refactor (#450)

* Add shorter output format for 'scan' mode (#457)

* Bump step-security/harden-runner from 2.9.1 to 2.10.1 in the all group (#459)

Bumps the all group with 1 update: [step-security/harden-runner](https://github.com/step-security/harden-runner).


Updates `step-security/harden-runner` from 2.9.1 to 2.10.1
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@5c7944e...91182cc)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>

* refresh testdata

* improve dropper detection output

* Update testdata

* Update testdata

* Improve linux_server_stealer targeting

* Update to use latest bincapz-samples

* update scan_archive sample

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
3 people authored Sep 16, 2024
1 parent 8e760ba commit 0479dd7
Showing 49 changed files with 336 additions and 34 deletions.
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -48,7 +48,7 @@ fix: $(FIXERS)
# END: lint-install ../bincapz

SAMPLES_REPO ?= chainguard-dev/bincapz-samples
SAMPLES_COMMIT ?= bdcb8c2e9bf557a0abe3e2b0144f437d456299b7
SAMPLES_COMMIT ?= b112eaf9bc547b2d219dfa775e0eff2874b30b9f
OUT_DIR=out/samples-$(SAMPLES_COMMIT).tmp
out/samples-$(SAMPLES_COMMIT):
mkdir -p out
1 change: 1 addition & 0 deletions pkg/action/programkind.go
Expand Up @@ -55,6 +55,7 @@ var extMap = map[string]string{
".md": "",
".php": "PHP file",
".pl": "PERL script",
".ps1": "Powershell",
".py": "Python script",
".pyc": "Python script (compiled)",
".rb": "Ruby script",
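Review bot: The new entry `".ps1": "Powershell"` breaks the labelling pattern of its neighbours, which name the kind of file (`"PERL script"`, `"Python script"`, `"Ruby script"`), and the product is spelled PowerShell. `".ps1": "PowerShell script"` would be consistent, with the caveat that any testdata printing these labels would need refreshing alongside it. The `extMap` literal begins outside the hunk.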
1 change: 1 addition & 0 deletions pkg/action/testdata/scan_archive
Expand Up @@ -26,6 +26,7 @@ fs/directory/list
fs/directory/remove
fs/fifo/create
fs/file/delete
fs/file/delete/forcibly
fs/file/read
fs/file/stat
fs/file/write
8 changes: 5 additions & 3 deletions rules/combo/backdoor/remote_eval.yara
Expand Up @@ -7,9 +7,11 @@ rule remote_eval : critical {
hash_2024_analyze_me_1_0_0_setup = "ca9c74630ed814053220129ee6c43668e66898983d9be5e34b406bbd3ad95b1e"
strings:
$http = "http"
$eval_open_ruby = /eval\(open[\(\)\"\'\-\w:\/\.]{0,32}/
$exec_requests = /exec\(requests\.get[\(\)\"\'\-\w:\/\.]{0,32}/
$eval_requests = /eval\(requests\.get[\(\)\"\'\-\w:\/\.]{0,32}/
$eval_open_ruby = /eval\(open[\(\)\"\'\-\w:\/\.]{0,64}/
$exec_requests = /exec\(requests\.get[\(\)\"\'\-\w:\/\.]{0,64}/
$eval_requests = /eval\(requests\.get[\(\)\"\'\-\w:\/\.]{0,64}/
$eval_urllib = /exec\(urllib\.request\.urlopen\([\(\)\"\'\-\w:\/\.]{0,64}\).read\(\)/
$exec_urllib = /exec\(urllib\.request\.urlopen\([\(\)\"\'\-\w:\/\.]{0,64}\).read\(\)/
condition:
filesize < 65535 and $http and any of ($e*)
}
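Review bot: `$eval_urllib` and `$exec_urllib` hold byte-identical patterns that both start with `exec\(`, so the eval form of the urllib fetch is never matched despite the string's name and the `any of ($e*)` condition gains nothing from the second entry. The first should presumably read `$eval_urllib = /eval\(urllib\.request\.urlopen\([\(\)\"\'\-\w:\/\.]{0,64}\).read\(\)/`; the dot before `read` is also unescaped in both, which is harmless but unintended. Which of the eight changed lines form the new side is inferred from the 5-addition/3-deletion count rather than shown explicitly.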
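--- a/rules/combo/dropper/powershell.yara
+++ b/rules/combo/dropper/powershell.yara
@@ -0,0 +1,13 @@
+
+rule powershell_base64_dropper : critical {
+meta:
+description = "Powershell base64 dropper"
+strings:
+$base64 = "FromBase64String"
+$write = "WriteAllBytes"
+$io_file = "System.IO.File"
+$start_proc = "Start-Process"
+$file_path = "FilePath"
+condition:
+filesize < 2KB and all of them
+}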
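Review bot: All five strings in `powershell_base64_dropper` are case-sensitive, but PowerShell resolves cmdlet names, parameter names and .NET member names case-insensitively, so a script written as `start-process -filepath` or `[io.file]::writeallbytes` satisfies none of them and `all of them` fails. Adding `nocase` to each string, e.g. `$start_proc = "Start-Process" nocase` and `$file_path = "FilePath" nocase`, keeps the intent without the case dependency. The same point applies to the PowerShell-targeted `$ref` regex in rules/evasion/base64-decode.yara and `$write_val` in rules/fs/file-write.yara in this commit.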
47 changes: 47 additions & 0 deletions rules/combo/dropper/shell.yara
Expand Up @@ -102,3 +102,50 @@ rule fetch_chmod_execute : high {
condition:
any of them
}

rule possible_dropper : high {
meta:
description = "downloads and execute a program"
strings:
$http = "http://"
$https = "https://"
$tool_curl_o = /curl [\w\.\- :\"\/]{0,64}-\w{0,2}[oO][\w\- :\"\/]{0,64}/
$tool_wget_q = "wget -"
$tool_lwp = "lwp-download"
$cmd_bash = "bash" fullword
$cmd_dot_slash = /\.\/[\.\w]{1,16}/ fullword
$cmd_rm = "rm" fullword
$cmd_sleep = "sleep" fullword
$cmd_echo = "echo" fullword
$cmd_chmod = "chmod" fullword
condition:
filesize < 768 and any of ($http*) and any of ($tool*) and any of ($cmd*)
}

rule nohup_dropper : critical {
meta:
description = "downloads and executes a program with nohup"
strings:
$nohup = "nohup" fullword
condition:
possible_dropper and $nohup
}

rule obsessive_dropper : critical {
meta:
description = "invokes multiple tools to download and execute a program"
strings:
$http = "http://"
$https = "https://"
$tool_curl_s = "curl -"
$tool_wget_q = "wget -"
$tool_lwp = "lwp-download"
$cmd_bash = "bash" fullword
$cmd_dot_slash = /\.\/[\.\w]{1,16}/ fullword
$cmd_rm = "rm" fullword
$cmd_sleep = "sleep" fullword
$cmd_echo = "echo" fullword
$cmd_chmod = "chmod" fullword
condition:
filesize < 768 and any of ($http*) and 2 of ($tool*) and any of ($cmd*)
}
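Review bot: `obsessive_dropper` matches curl with the literal `$tool_curl_s = "curl -"`, while `possible_dropper` directly above it uses the output-flag regex, so a script pairing `curl http://host/x -o x` with `wget -` counts only one `$tool*` hit here and `2 of ($tool*)` never fires for exactly the multi-tool pattern the rule name describes. Reusing the same regex, `$tool_curl_o = /curl [\w\.\- :\"\/]{0,64}-\w{0,2}[oO][\w\- :\"\/]{0,64}/`, keeps the two rules aligned. The description of `possible_dropper` should read "downloads and executes a program". `fetch_chmod_execute` at the top of the hunk begins outside it.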
17 changes: 14 additions & 3 deletions rules/combo/stealer/linux_server.yara
Expand Up @@ -7,8 +7,19 @@ rule linux_server_stealer : high {
hash_2022_services_api = "fe617c77d66f0954d22d6488e4a481b0f8fdc9e3033fa23475dcd24e53561ec7"
strings:
$bash_history = ".bash_history"
$root_ssh = "/root/.ssh"
$id_rsa = ".ssh/id_rsa"
$other_root_ssh = "/root/.ssh"
$other_id_rsa = ".ssh/id_rsa"
$other_shadow = "etc/shadow"
$term_crypto = "crypto" fullword
$term_echo = "echo" fullword
$term_chmod = "chmod" fullword
$term_find = "find" fullword
$term_scp = "scp" fullword
$term_tar = "tar" fullword
$term_crontab = "crontab" fullword
$term_http = "http" fullword
condition:
$bash_history and ($root_ssh or $id_rsa)
filesize < 10MB and $bash_history and any of ($other*) and any of ($term*)
}
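Review bot: In the new condition `any of ($term*)` is close to always true for a file that already contains `.bash_history`, because `$term_echo`, `$term_find`, `$term_tar` and `$term_http` are ordinary words found in benign scripts and binaries, so the clause barely narrows the match beyond `.bash_history` plus one `$other*` path. If the aim is to require stealer-like behaviour next to the credential paths, `2 of ($term*)` or dropping the generic words from the `$term` set would make the `high` severity easier to justify; `$term_crypto`, `$term_scp` and `$term_crontab` are the discriminating ones. The rule header and its hash meta begin outside the hunk.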
3 changes: 2 additions & 1 deletion rules/combo/wiper/bash.yara
Expand Up @@ -8,5 +8,6 @@ rule sleep_rm_sh_pipe : high {
$s_pipe_sh = "| /bin/sh"
$s_rm_rf = "rm -rf"
condition:
all of them
filesize < 16KB and all of them
}

21 changes: 21 additions & 0 deletions rules/combo/wiper/sensitive_logs.yara
Expand Up @@ -17,6 +17,27 @@ rule system_log_references : high {
$btmp = "/var/log/btmp"
$lastlog = "/var/log/lastlog"
$run_log = "/run/log/"
$mail_log = "/var/spool/mail/root"
condition:
filesize < 67108864 and 3 of them
}

rule echo_log_wiper : critical {
meta:
description = "overwrites critical system logs"
strings:
$var_spool = /echo.{0,4}\> {0,2}\/var\/spool\/mail\/root/
$var_log = /echo.{0,4}\> {0,2}\/var\/log\/\w{0,8}/
condition:
filesize < 16KB and system_log_references and any of them
}

rule log_remover : critical {
meta:
description = "overwrites critical system logs"
strings:
$var_spool = /rm {1,2}-{0,4}\/var\/spool\/mail\/root/
$var_log = /rm {1,2}-{0,4}\/var\/log\/\w{0,8}/
condition:
filesize < 16KB and system_log_references and any of them
}
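Review bot: In `log_remover` the patterns `/rm {1,2}-{0,4}\/var\/spool\/mail\/root/` and `/rm {1,2}-{0,4}\/var\/log\/\w{0,8}/` allow only hyphens between `rm ` and the path, so the usual `rm -rf /var/log/wtmp` or `rm -f /var/spool/mail/root` does not match and only a flag-less `rm /var/log/...` does. If flags are meant to be accepted, `$var_spool = /rm( -\w{1,3})? {1,2}\/var\/spool\/mail\/root/` and `$var_log = /rm( -\w{1,3})? {1,2}\/var\/log\/\w{0,8}/` cover both forms. `log_remover`'s description also duplicates `echo_log_wiper`'s "overwrites critical system logs" although it matches deletion, so `description = "removes critical system logs"` fits better. `system_log_references` at the top of the hunk begins outside it.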
40 changes: 28 additions & 12 deletions rules/combo/worm/ssh.yara
@@ -1,20 +1,34 @@

rule ssh_snake_worm : high {
rule ssh_shell_worm : critical {
meta:
description = "possible SSH worm like SSH-Snake"
hash_2024_SSH_Snake_Snake_nocomments = "9491fa95f40a69f27ce99229be636030fdc49f315cb9c897db3b602c34a8ceda"
description = "SSH worm implemented in shell"
hash_2024_SSH_Snake_Snake_nocomments = "9491fa95f40a69f27ce99229be636030fdc49f315cb9c897db3b602c34a8ceda"
hash_2024_SSH_Snake = "b0a2bf48e29c6dfac64f112ac1cb181d184093f582615e54d5fad4c9403408be"
strings:
$s_dot_ssh = ".ssh"
$s_authorized_keys = "authorized_keys"
$h_etc_hosts = "/etc/hosts"
$h_getent = "getent ahostsv4"
$u_base64 = "base64"
$u_uname = "uname"
$strict_host = "StrictHostKeyChecking"
$user_known_hosts = "UserKnownHostsFile"
$dot_ssh = ".ssh" fullword
$key_pem = ".pem" fullword
$key_rsa = "id_rsa" fullword
$key_identity_file = "IdentityFile" fullword
$hosts_authorized_keys = "authorized_keys"
$hosts_etc_hosts = "/etc/hosts"
$hosts_getent = "getent ahostsv4"
$hosts_ssh_config = /grep.{1,8}HostName.{1,8}\/\.ssh\/config/
$hosts_bash_history = /(scp|ssh).{2,64}bash_history/
$hosts_known_hosts = "known_hosts"
$remote_base64 = "base64"
$remote_uname = "uname"
$remote_curl = "curl -"
$remote_wget = "wget"
$remote_lwp = "lwp-download"
$ssh_strict_host = "StrictHostKeyChecking"
$ssh_known_hosts = "UserKnownHostsFile"
$ssh_connect_timeout = "ConnectTimeout"
condition:
filesize < 67108864 and $strict_host and $user_known_hosts and all of ($s*) and any of ($h*) and any of ($u*)
filesize < 32KB and $dot_ssh and 2 of ($ssh*) and 1 of ($remote*) and 3 of ($hosts*) and any of ($key*)
}

rule ssh_worm_router : high {
Expand All @@ -34,3 +48,5 @@ rule ssh_worm_router : high {
condition:
all of ($s*) and any of ($h*) and any of ($p*)
}


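Review bot: `$remote_wget = "wget"` in `ssh_shell_worm` has neither `fullword` nor a trailing argument, unlike the other `$remote*` tool strings (`curl -`, `lwp-download`) and the `wget -` string the new dropper rules use, so any identifier containing `wget` satisfies `1 of ($remote*)`. `$remote_wget = "wget -"` (or `"wget" fullword`) would bring it in line with the rest of the set. The rename from `ssh_snake_worm` to `ssh_shell_worm` changes a rule name that external consumers may key on, which is worth a line in the description. `ssh_worm_router` in the second hunk begins outside it.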
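--- a/rules/crypto/mining/tls_dp_port.yara
+++ b/rules/crypto/mining/tls_dp_port.yara
@@ -0,0 +1,9 @@
+
+rule tls_dp_port : critical {
+meta:
+description = "contains cryptominer command-line"
+strings:
+$ref = /-p \d+ -tls -dp \d+/
+condition:
+any of them
+}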
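Review bot: The meta block of `tls_dp_port` carries only `description = "contains cryptominer command-line"`, with no `ref` or `hash_*` entry, so a maintainer cannot tell which tool's `-tls -dp` flags the regex `/-p \d+ -tls -dp \d+/` targets or check it against a sample, which the sibling rules in this commit do through `hash_<year>_<sample>` meta. A `ref` URL or a hash entry (placeholder: `hash_<year>_<sample> = "<sha256 of the sample used>"`) plus a description naming the tool would make the `critical` severity reviewable. Unlike the other rules added here it sets no `filesize` bound; one is worth adding if the pattern is expected in small launcher scripts.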
2 changes: 1 addition & 1 deletion rules/evasion/base64-decode.yara
Expand Up @@ -42,7 +42,7 @@ rule powershell_decode : medium {
description = "decode base64 strings"
ref = "https://learn.microsoft.com/en-us/dotnet/api/system.convert.frombase64string?view=net-8.0"
strings:
$ref = "[System.Convert]::FromBase64String" ascii
$ref = /System\.Convert[\]: ]+FromBase64String/ ascii
condition:
any of them
}
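--- a/rules/evasion/copy_run_delete.yara
+++ b/rules/evasion/copy_run_delete.yara
@@ -0,0 +1,18 @@
+
+rule copy_run_delete : critical {
+meta:
+description = "copy executable, run, and delete"
+strings:
+$cp = "cp -f"
+$rm = /rm [\-\w ]{0,4}f[ \$\w\/\.]{0,32}/
+$null = "/dev/null"
+$path_tmp = "/tmp"
+$path_bin = "/bin"
+$path_var = "/var/"
+$path_dev_shm = "/dev/shm"
+$run_quoted = /\"\$[\w\-\/\$]{1,12}\"/ fullword
+$run_dot_slash = /\.\/[\-\w\$]{1,12}/ fullword
+condition:
+filesize < 256 and $cp and $rm and $null and any of ($path*) and any of ($run*)
+}
+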
9 changes: 9 additions & 0 deletions rules/evasion/fake-process-name.yara
Expand Up @@ -24,3 +24,12 @@ rule fake_syslogd : critical {
condition:
any of them
}

rule fake_bash_val : high {
meta:
description = "Pretends to be a bash process"
strings:
$bash = "-bash" fullword
condition:
filesize < 8KB and $bash
}
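Review bot: `fake_bash_val` fires on any file under 8KB that contains `-bash` as a full word, which includes `--bash`-style option names and help text, not just the spoofed process name the file's other `fake_*` rules are after, so at `high` severity it is likely to be noisy. Anchoring the token as a quoted literal, e.g. `$bash = /[\"']-bash[\"']/`, or requiring a second indicator in the condition would tighten it. `fake_syslogd` at the top of the hunk begins outside it.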
18 changes: 17 additions & 1 deletion rules/evasion/run_sleep_delete.yara
@@ -1,5 +1,5 @@

rule run_and_delete : critical {
rule run_sleep_delete : critical {
meta:
description = "run executable, sleep, and delete"
hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"
Expand All @@ -14,3 +14,19 @@ rule run_and_delete : critical {
filesize < 64KB and all of them
}

rule fetch_run_sleep_delete : critical {
meta:
description = "fetch, run executable, sleep, and delete"
strings:
$url = /https*:\/\/[\w][\w\.\/\-_\?=\@]{8,64}/
$sleep = /sleep \d{1,2}/ fullword
$rm = /rm [\-\w ]{0,4}f[ \$\w\/\.]{0,32}/
$path_tmp = "/tmp"
$path_var = "/var/"
$path_dev_shm = "/dev/shm"
$run_quoted = /\"\$[\-\w\/\$]{1,12}\"/ fullword
$run_dot_slash = /\.\/[\-\w\$]{1,12}/ fullword
condition:
filesize < 1KB and $url and $sleep and $rm and any of ($path*) and any of ($run*)
}

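Review bot: In `fetch_run_sleep_delete` the URL pattern uses `https*`, which matches `http`, `https` and `httpss`; `https?` states what is meant: `$url = /https?:\/\/[\w][\w\.\/\-_\?=\@]{8,64}/`. The `$rm`, `$path_*` and `$run_*` strings are copied verbatim from the new rules/evasion/copy_run_delete.yara, so later tuning has to be applied in two places; a comment cross-referencing the twin rule (or, if the rule set compiles as one namespace, a shared rule reference as `nohup_dropper` does) would prevent drift. Unlike `run_sleep_delete` above it, the new rule has no `hash_*` meta pointing at a sample. `run_sleep_delete` begins in the first hunk and its body continues outside both.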
1 change: 1 addition & 0 deletions rules/fd/write.yara
Expand Up @@ -34,3 +34,4 @@ rule py_fd_write {
condition:
any of them
}

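--- a/rules/fs/file-copy.yara
+++ b/rules/fs/file-copy.yara
@@ -0,0 +1,16 @@
+rule file_copy : medium {
+meta:
+description = "copy files using cp"
+strings:
+$ref = /cp [-\w ]{0,2}[ \$\w\/\.\-]{0,32}/ fullword
+condition:
+any of them
+}
+rule file_copy_force : medium {
+meta:
+description = "forcibly copy files using cp -f"
+strings:
+$ref = /cp [-\w ]{0,2}f [ \$\w\/\.\-]{0,32}/ fullword
+condition:
+any of them
+}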
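Review bot: `file_copy_force`'s `$ref = /cp [-\w ]{0,2}f [ \$\w\/\.\-]{0,32}/` requires `f` to be the last flag letter before the space, so `cp -fr src dst` or `cp -fp ...` is not matched although it forces; `$ref = /cp [-\w ]{0,2}f\w{0,2} [ \$\w\/\.\-]{0,32}/` accepts the flag in either position. `file_copy`'s regex matches any `cp ` followed by up to 34 further characters, so every `file_copy_force` hit also raises `file_copy`; if a single finding is wanted, define `file_copy_force` first and add `and not file_copy_force` to `file_copy`'s condition. Neither rule carries a `hash_*` or `ref` meta entry, and a blank line between the two rules would match the rest of the rules tree.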
6 changes: 3 additions & 3 deletions rules/fs/file-delete-forcibly.yara
@@ -1,16 +1,16 @@

rule rm_force {
meta:
description = "Forcibly deletes files using rm"
description = "Forcibly deletes files"
strings:
$ref = /rm [\-\w ]{0,4}-f[ \$\w\/\.]{0,32}/
$ref = /rm [\-\w ]{0,4}-[f[ \$\w\/\.]{0,32}/
condition:
$ref
}

rule rm_recursive_force : medium {
meta:
description = "Forcibly recursively deletes files using rm -R"
description = "Forcibly deletes files recursively"
hash_2023_anarchy = "1a6f8d758c6e569109a021c01cc4a5e787a9c876866c0ce5a15f07f266ec8059"
hash_2019_test_compass_test = "6647a368750892a379bb483096910fc3729312e6b2eb6bb964da8062013e300a"
hash_2019_test_sass_test = "fdcb3a53bb071031a5c44d0a7d554a085dceb9ed393a5e3940fda4471698c186"
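Review bot: The updated `rm_force` pattern `/rm [\-\w ]{0,4}-[f[ \$\w\/\.]{0,32}/` looks like a typo: the `[` after `-` opens a character class in which `f` is merely one alternative, so the force flag is no longer required and `rm -r x` or `rm -v x` now satisfy a rule described as "Forcibly deletes files". If the intent was to accept combined flags such as `-rf`, mirroring the curl change in rules/net/fetch.yara, `$ref = /rm [\-\w ]{0,4}-\w{0,2}f[ \$\w\/\.]{0,32}/` does that while keeping `f` mandatory. Which of the two `$ref` lines is the new side is inferred from the 3/3 change count. `rm_recursive_force` continues outside the hunk.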
11 changes: 11 additions & 0 deletions rules/fs/file-write.yara
Expand Up @@ -16,3 +16,14 @@ rule python_file_write {
condition:
any of them
}


rule powershell_fs_write {
meta:
description = "writes content to disk"
syscall = "pwrite"
strings:
$write_val = "System.IO.File]::WriteAllBytes"
condition:
any of them
}
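Review bot: `$write_val = "System.IO.File]::WriteAllBytes"` requires the fully qualified type name, but PowerShell also accepts the shortened `[IO.File]::WriteAllBytes(...)` form, which this string (and `$io_file = "System.IO.File"` in the new dropper rule) would miss; `$write_val = /(System\.)?IO\.File\]::WriteAllBytes/` covers both spellings. The new rule is preceded by two blank lines where the file otherwise uses one. `python_file_write` at the top of the hunk begins outside it.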
1 change: 1 addition & 0 deletions rules/fs/tempdir.yara
Expand Up @@ -8,6 +8,7 @@ rule tempdir {
$tempdir = "TEMPDIR" fullword
$tmpdir = "TMPDIR" fullword
$cocoa = "NSTemporaryDirectory" fullword
$powershell = "GetTempPath" fullword
condition:
any of them
}
2 changes: 1 addition & 1 deletion rules/net/fetch.yara
Expand Up @@ -18,7 +18,7 @@ rule curl_download_val : medium {
hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7"
strings:
$ref = /curl [\w\.\- :\"\/]{0,64}-[oO][\w\- :\"\/]{0,64}/
$ref = /curl [\w\.\- :\"\/]{0,64}-\w{0,2}[oO][\w\- :\"\/]{0,64}/
condition:
$ref
}
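Review bot: `-\w{0,2}[oO]` in the updated `$ref` allows at most two flag letters before the output flag, so the common bundled form `curl -fsSLo ...` still falls through (`fsSL` is four letters); `$ref = /curl [\w\.\- :\"\/]{0,64}-\w{0,4}[oO][\w\- :\"\/]{0,64}/` covers it, and the identical regex added as `$tool_curl_o` in rules/combo/dropper/shell.yara should change with it. Which of the two `$ref` lines is the new side is inferred from the 1/1 change count. `curl_download_val` begins outside the hunk.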
1 change: 1 addition & 0 deletions rules/process/chdir-unusual.yara
Expand Up @@ -8,6 +8,7 @@ rule unusual_cd_val : high {
strings:
$d_mnt = "cd /mnt"
$d_root = "cd /root"
$d_bin = "cd /bin"
$d_tmp = "cd /tmp"
$d_usr = /cd \/usr[\/\w\.]{0,16}/
$d_var_log = "cd /var/log"
2 changes: 1 addition & 1 deletion rules/ref/path/dev-shm.yara
@@ -1,7 +1,7 @@

rule dev_shm : medium {
meta:
description = "references /dev/shm (world writeable)"
description = "references path within /dev/shm (world writeable)"
strings:
$ref = /\/dev\/shm\/[\%\w\-\/\.]{0,64}/
condition:
@@ -1,8 +1,8 @@

rule github_comment_attachment : high {
rule github_attachment : high {
meta:
ref = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-novel-approach/"
description = "references a GitHub comment attachment, sometimes used to distribute malware"
description = "references a GitHub comment attachment"
hash_2024_synthetic_github_attach_fetch = "fd2f0e9cf4288d2be6b22bd0c6e8a5eb99777939c9b2278ecf89f5b8ad536719"
strings:
$ref = /github\.com\/\w{0,32}\/\w{0,32}\/files\/\d{0,16}\/[\w\.\-]{0,64}/
