diff --git a/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff
index e69de29b..e0ab537d 100644
--- a/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff
+++ b/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff
@@ -0,0 +1,51 @@
+## Changed: macOS/2023.3CX/libffmpeg.dylib [😈 CRITICAL → 🟡 MEDIUM]
+
+### 22 removed behaviors
+
+| RISK | KEY | DESCRIPTION | EVIDENCE |
+|--|--|--|--|
+| -CRITICAL | [3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/downloader_mac_smooth_operator.yar#L1-L16) | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
+| -CRITICAL | [3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/7f13b425aac90a00c208de8e3b28751b5aba3c45/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275) | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
+| -CRITICAL | [3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/7f13b425aac90a00c208de8e3b28751b5aba3c45/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214) | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | |
+| -CRITICAL | [3P/sig_base/susp_xored_mozilla](https://github.com/Neo23x0/signature-base/blob/7f13b425aac90a00c208de8e3b28751b5aba3c45/yara/gen_xor_hunting.yar#L2-L25) | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()), by Florian Roth | |
+| -CRITICAL | [3P/volexity/iconic](https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-03-30%203CX/indicators/rules.yar#L32-L50) | [Detects the MACOS version of the ICONIC loader.](https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/), by threatintel@volexity.com | |
+| -CRITICAL | [anti-static/xor/user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/xor/xor-user_agent.yara#xor_mozilla) | XOR'ed user agent, often found in backdoors, by Florian Roth | |
+| -CRITICAL | [impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#lazarus_darwin_nsurl) | executes programs, sets permissions, sleeps, makes HTTP requests | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code)<br>[gethostname](https://github.com/search?q=gethostname&type=code)<br>[localtime](https://github.com/search?q=localtime&type=code)<br>[sprintf](https://github.com/search?q=sprintf&type=code)<br>[strncpy](https://github.com/search?q=strncpy&type=code)<br>[pclose](https://github.com/search?q=pclose&type=code)<br>[chmod](https://github.com/search?q=chmod&type=code)<br>[flock](https://github.com/search?q=flock&type=code)<br>[popen](https://github.com/search?q=popen&type=code)<br>[sleep](https://github.com/search?q=sleep&type=code)<br>[rand](https://github.com/search?q=rand&type=code) |
+| -HIGH | [exec/shell/arbitrary_command_dev_null](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/arbitrary_command-dev_null.yara#cmd_dev_null_quoted) | runs quoted templated commands, discards output | ["%s" >/dev/null](https://github.com/search?q=%22%25s%22+%3E%2Fdev%2Fnull&type=code) |
+| -MEDIUM | [evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path) | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code) |
+| -MEDIUM | [exec/cmd/pipe](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/pipe.yara#popen) | [launches program and reads its output](https://linux.die.net/man/3/popen) | [_pclose](https://github.com/search?q=_pclose&type=code)<br>[_popen](https://github.com/search?q=_popen&type=code) |
+| -MEDIUM | [fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod) | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) |
+| -MEDIUM | [net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary) | accepts binary files via HTTP | [application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code)<br>[Accept](https://github.com/search?q=Accept&type=code) |
+| -MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)<br>[HTTP](https://github.com/search?q=HTTP&type=code) |
+| -MEDIUM | [net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls) | requests resources via URL | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code) |
+| -LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) |
+| -LOW | [data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)<br>[srand](https://github.com/search?q=srand&type=code) |
+| -LOW | [discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
+| -LOW | [discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME) | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [getenv](https://github.com/search?q=getenv&type=code)<br>[HOME](https://github.com/search?q=HOME&type=code) |
+| -LOW | [fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock) | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) |
+| -LOW | [net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type) | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) |
+| -LOW | [os/kernel/dispatch_semaphore](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/dispatch-semaphore.yara#dispatch_sem) | [Uses Dispatch Semaphores](https://developer.apple.com/documentation/dispatch/dispatch_semaphore) | [dispatch_semaphore_signal](https://github.com/search?q=dispatch_semaphore_signal&type=code) |
+| -LOW | [os/sync/semaphore_user](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/sync/semaphore-user.yara#semaphore_user) | uses semaphores to synchronize data between processes or threads | [semaphore_create](https://github.com/search?q=semaphore_create&type=code)<br>[semaphore_signal](https://github.com/search?q=semaphore_signal&type=code)<br>[semaphore_wait](https://github.com/search?q=semaphore_wait&type=code) |
+
+### 17 consistent behaviors
+
+| RISK | KEY | DESCRIPTION | EVIDENCE |
+|--|--|--|--|
+| MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt) | encrypts data | [Encryption initializati](https://github.com/search?q=Encryption+initializati&type=code)<br>[Encryption info](https://github.com/search?q=Encryption+info&type=code) |
+| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) |
+| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) |
+| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) |
+| MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) |
+| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)<br>[POST](https://github.com/search?q=POST&type=code)<br>[http](https://github.com/search?q=http&type=code) |
+| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://www.apple.com/certificateauthority/0](http://www.apple.com/certificateauthority/0)<br>[http://www.apple.com/DTDs/PropertyList](http://www.apple.com/DTDs/PropertyList)<br>[http://crl.apple.com/timestamp.crl0](http://crl.apple.com/timestamp.crl0)<br>[https://www.apple.com/appleca/0](https://www.apple.com/appleca/0)<br>[http://crl.apple.com/root.crl0](http://crl.apple.com/root.crl0)<br>[http://www.apple.com/appleca0](http://www.apple.com/appleca0)<br>[http://ocsp.apple.com/ocsp03](http://ocsp.apple.com/ocsp03) |
+| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)<br>[http://](http://)<br>[x86](https://github.com/search?q=x86&type=code) |
+| LOW | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#os_ref) | references a specific operating system | [https://](https://)<br>[Windows](https://github.com/search?q=Windows&type=code)<br>[http://](http://) |
+| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) |
+| LOW | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_ksa) | RC4 key scheduling algorithm, by Thomas Barabosch | |
+| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) |
+| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) |
+| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) |
+| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) |
+| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code) |
+| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
+
diff --git a/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff
index e69de29b..1493b6cb 100644
--- a/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff
+++ b/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff
@@ -0,0 +1,51 @@
+## Changed: macOS/2023.3CX/libffmpeg.dirty.dylib [🟡 MEDIUM → 😈 CRITICAL]
+
+### 22 new behaviors
+
+| RISK | KEY | DESCRIPTION | EVIDENCE |
+|--|--|--|--|
+| +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
+| +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/7f13b425aac90a00c208de8e3b28751b5aba3c45/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
+| +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/7f13b425aac90a00c208de8e3b28751b5aba3c45/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | |
+| +CRITICAL | **[3P/sig_base/susp_xored_mozilla](https://github.com/Neo23x0/signature-base/blob/7f13b425aac90a00c208de8e3b28751b5aba3c45/yara/gen_xor_hunting.yar#L2-L25)** | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()), by Florian Roth | |
+| +CRITICAL | **[3P/volexity/iconic](https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-03-30%203CX/indicators/rules.yar#L32-L50)** | [Detects the MACOS version of the ICONIC loader.](https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/), by threatintel@volexity.com | |
+| +CRITICAL | **[anti-static/xor/user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/xor/xor-user_agent.yara#xor_mozilla)** | XOR'ed user agent, often found in backdoors, by Florian Roth | |
+| +CRITICAL | **[impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#lazarus_darwin_nsurl)** | executes programs, sets permissions, sleeps, makes HTTP requests | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code)<br>[gethostname](https://github.com/search?q=gethostname&type=code)<br>[localtime](https://github.com/search?q=localtime&type=code)<br>[sprintf](https://github.com/search?q=sprintf&type=code)<br>[strncpy](https://github.com/search?q=strncpy&type=code)<br>[pclose](https://github.com/search?q=pclose&type=code)<br>[chmod](https://github.com/search?q=chmod&type=code)<br>[flock](https://github.com/search?q=flock&type=code)<br>[popen](https://github.com/search?q=popen&type=code)<br>[sleep](https://github.com/search?q=sleep&type=code)<br>[rand](https://github.com/search?q=rand&type=code) |
+| +HIGH | **[exec/shell/arbitrary_command_dev_null](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/arbitrary_command-dev_null.yara#cmd_dev_null_quoted)** | runs quoted templated commands, discards output | ["%s" >/dev/null](https://github.com/search?q=%22%25s%22+%3E%2Fdev%2Fnull&type=code) |
+| +MEDIUM | **[evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path)** | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code) |
+| +MEDIUM | **[exec/cmd/pipe](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/pipe.yara#popen)** | [launches program and reads its output](https://linux.die.net/man/3/popen) | [_pclose](https://github.com/search?q=_pclose&type=code)<br>[_popen](https://github.com/search?q=_popen&type=code) |
+| +MEDIUM | **[fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod)** | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) |
+| +MEDIUM | **[net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary)** | accepts binary files via HTTP | [application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code)<br>[Accept](https://github.com/search?q=Accept&type=code) |
+| +MEDIUM | **[net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie)** | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)<br>[HTTP](https://github.com/search?q=HTTP&type=code) |
+| +MEDIUM | **[net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls)** | requests resources via URL | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code) |
+| +LOW | **[data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip)** | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) |
+| +LOW | **[data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand)** | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)<br>[srand](https://github.com/search?q=srand&type=code) |
+| +LOW | **[discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname)** | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
+| +LOW | **[discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME)** | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [getenv](https://github.com/search?q=getenv&type=code)<br>[HOME](https://github.com/search?q=HOME&type=code) |
+| +LOW | **[fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock)** | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) |
+| +LOW | **[net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type)** | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) |
+| +LOW | **[os/kernel/dispatch_semaphore](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/dispatch-semaphore.yara#dispatch_sem)** | [Uses Dispatch Semaphores](https://developer.apple.com/documentation/dispatch/dispatch_semaphore) | [dispatch_semaphore_signal](https://github.com/search?q=dispatch_semaphore_signal&type=code) |
+| +LOW | **[os/sync/semaphore_user](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/sync/semaphore-user.yara#semaphore_user)** | uses semaphores to synchronize data between processes or threads | [semaphore_create](https://github.com/search?q=semaphore_create&type=code)<br>[semaphore_signal](https://github.com/search?q=semaphore_signal&type=code)<br>[semaphore_wait](https://github.com/search?q=semaphore_wait&type=code) |
+
+### 17 consistent behaviors
+
+| RISK | KEY | DESCRIPTION | EVIDENCE |
+|--|--|--|--|
+| MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt) | encrypts data | [Encryption initializati](https://github.com/search?q=Encryption+initializati&type=code)<br>[Encryption info](https://github.com/search?q=Encryption+info&type=code) |
+| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) |
+| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) |
+| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) |
+| MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) |
+| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)<br>[POST](https://github.com/search?q=POST&type=code)<br>[http](https://github.com/search?q=http&type=code) |
+| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://www.apple.com/certificateauthority/0](http://www.apple.com/certificateauthority/0)<br>[http://www.apple.com/DTDs/PropertyList](http://www.apple.com/DTDs/PropertyList)<br>[http://crl.apple.com/timestamp.crl0](http://crl.apple.com/timestamp.crl0)<br>[https://www.apple.com/appleca/0](https://www.apple.com/appleca/0)<br>[http://crl.apple.com/root.crl0](http://crl.apple.com/root.crl0)<br>[http://www.apple.com/appleca0](http://www.apple.com/appleca0)<br>[http://ocsp.apple.com/ocsp03](http://ocsp.apple.com/ocsp03) |
+| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)<br>[http://](http://)<br>[x86](https://github.com/search?q=x86&type=code) |
+| LOW | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#os_ref) | references a specific operating system | [https://](https://)<br>[Windows](https://github.com/search?q=Windows&type=code)<br>[http://](http://) |
+| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) |
+| LOW | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_ksa) | RC4 key scheduling algorithm, by Thomas Barabosch | |
+| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) |
+| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) |
+| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) |
+| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) |
+| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code)<br>[NSURL](https://github.com/search?q=NSURL&type=code) |
+| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
+
diff --git a/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff b/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff
index e69de29b..1493b6cb 100644
--- a/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff
+++ b/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff
@@ -0,0 +1,51 @@
+## Changed: macOS/2023.3CX/libffmpeg.dirty.dylib [🟡 MEDIUM → 😈 CRITICAL]
+
+### 22 new behaviors
+
+| RISK | KEY | DESCRIPTION | EVIDENCE |
+|--|--|--|--|
+| +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
+| +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/7f13b425aac90a00c208de8e3b28751b5aba3c45/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
+| +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/7f13b425aac90a00c208de8e3b28751b5aba3c45/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | |
+| +CRITICAL | **[3P/sig_base/susp_xored_mozilla](https://github.com/Neo23x0/signature-base/blob/7f13b425aac90a00c208de8e3b28751b5aba3c45/yara/gen_xor_hunting.yar#L2-L25)** | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()), by Florian Roth | |
+| +CRITICAL | **[3P/volexity/iconic](https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-03-30%203CX/indicators/rules.yar#L32-L50)** | [Detects the MACOS version of the ICONIC loader.](https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/), by threatintel@volexity.com | |
+| +CRITICAL | **[anti-static/xor/user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/xor/xor-user_agent.yara#xor_mozilla)** | XOR'ed user agent, often found in backdoors, by Florian Roth | |
+| +CRITICAL | **[impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#lazarus_darwin_nsurl)** | executes programs, sets permissions, sleeps, makes HTTP requests | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code)<br>[gethostname](https://github.com/search?q=gethostname&type=code)<br>[localtime](https://github.com/search?q=localtime&type=code)<br>[sprintf](https://github.com/search?q=sprintf&type=code)<br>[strncpy](https://github.com/search?q=strncpy&type=code)<br>[pclose](https://github.com/search?q=pclose&type=code)<br>[chmod](https://github.com/search?q=chmod&type=code)<br>[flock](https://github.com/search?q=flock&type=code)<br>[popen](https://github.com/search?q=popen&type=code)<br>[sleep](https://github.com/search?q=sleep&type=code)<br>[rand](https://github.com/search?q=rand&type=code) |
+| +HIGH | **[exec/shell/arbitrary_command_dev_null](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/arbitrary_command-dev_null.yara#cmd_dev_null_quoted)** | runs quoted templated commands, discards output | ["%s" >/dev/null](https://github.com/search?q=%22%25s%22+%3E%2Fdev%2Fnull&type=code) |
+| +MEDIUM | **[evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path)** | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code) |
+| +MEDIUM | **[exec/cmd/pipe](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/pipe.yara#popen)** | [launches program and reads its output](https://linux.die.net/man/3/popen) | [_pclose](https://github.com/search?q=_pclose&type=code)<br>[_popen](https://github.com/search?q=_popen&type=code) |
+| +MEDIUM | **[fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod)** | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) |
+| +MEDIUM | **[net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary)** | accepts binary files via HTTP | [application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code)<br>[Accept](https://github.com/search?q=Accept&type=code) |
+| +MEDIUM | **[net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie)** | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)<br>[HTTP](https://github.com/search?q=HTTP&type=code) |
+| +MEDIUM | **[net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls)** | requests resources via URL | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code) |
+| +LOW | **[data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip)** | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) |
+| +LOW | **[data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand)** | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)<br>[srand](https://github.com/search?q=srand&type=code) |
+| +LOW | **[discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname)** | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
+| +LOW | **[discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME)** | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [getenv](https://github.com/search?q=getenv&type=code)<br>[HOME](https://github.com/search?q=HOME&type=code) |
+| +LOW | **[fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock)** | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) |
+| +LOW | **[net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type)** | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) |
+| +LOW | **[os/kernel/dispatch_semaphore](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/dispatch-semaphore.yara#dispatch_sem)** | [Uses Dispatch Semaphores](https://developer.apple.com/documentation/dispatch/dispatch_semaphore) | [dispatch_semaphore_signal](https://github.com/search?q=dispatch_semaphore_signal&type=code) |
+| +LOW | **[os/sync/semaphore_user](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/sync/semaphore-user.yara#semaphore_user)** | uses semaphores to synchronize data between processes or threads | [semaphore_create](https://github.com/search?q=semaphore_create&type=code)<br>[semaphore_signal](https://github.com/search?q=semaphore_signal&type=code)<br>[semaphore_wait](https://github.com/search?q=semaphore_wait&type=code) |
+
+### 17 consistent behaviors
+
+| RISK | KEY | DESCRIPTION | EVIDENCE |
+|--|--|--|--|
+| MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt) | encrypts data | [Encryption initializati](https://github.com/search?q=Encryption+initializati&type=code)<br>[Encryption info](https://github.com/search?q=Encryption+info&type=code) |
+| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) |
+| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) |
+| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) |
+| MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) |
+| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)<br>[POST](https://github.com/search?q=POST&type=code)<br>[http](https://github.com/search?q=http&type=code) |
+| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://www.apple.com/certificateauthority/0](http://www.apple.com/certificateauthority/0)<br>[http://www.apple.com/DTDs/PropertyList](http://www.apple.com/DTDs/PropertyList)<br>[http://crl.apple.com/timestamp.crl0](http://crl.apple.com/timestamp.crl0)<br>[https://www.apple.com/appleca/0](https://www.apple.com/appleca/0)<br>[http://crl.apple.com/root.crl0](http://crl.apple.com/root.crl0)<br>[http://www.apple.com/appleca0](http://www.apple.com/appleca0)<br>[http://ocsp.apple.com/ocsp03](http://ocsp.apple.com/ocsp03) |
+| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)<br>[http://](http://)<br>[x86](https://github.com/search?q=x86&type=code) |
+| LOW | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#os_ref) | references a specific operating system | [https://](https://)<br>[Windows](https://github.com/search?q=Windows&type=code)<br>[http://](http://) |
+| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) |
+| LOW | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_ksa) | RC4 key scheduling algorithm, by Thomas Barabosch | |
+| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) |
+| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) |
+| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) |
+| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) |
+| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code)<br>[NSURL](https://github.com/search?q=NSURL&type=code) |
+| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
+
diff --git a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff
index e69de29b..1493b6cb 100644
--- a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff
+++ b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff
@@ -0,0 +1,51 @@
+## Changed: macOS/2023.3CX/libffmpeg.dirty.dylib [🟡 MEDIUM → 😈 CRITICAL]
+
+### 22 new behaviors
+
+| RISK | KEY | DESCRIPTION | EVIDENCE |
+|--|--|--|--|
+| +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
+| +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/7f13b425aac90a00c208de8e3b28751b5aba3c45/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
+| +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/7f13b425aac90a00c208de8e3b28751b5aba3c45/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | |
+| +CRITICAL | **[3P/sig_base/susp_xored_mozilla](https://github.com/Neo23x0/signature-base/blob/7f13b425aac90a00c208de8e3b28751b5aba3c45/yara/gen_xor_hunting.yar#L2-L25)** | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()), by Florian Roth | |
+| +CRITICAL | **[3P/volexity/iconic](https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-03-30%203CX/indicators/rules.yar#L32-L50)** | [Detects the MACOS version of the ICONIC loader.](https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/), by threatintel@volexity.com | |
+| +CRITICAL | **[anti-static/xor/user_agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/xor/xor-user_agent.yara#xor_mozilla)** | XOR'ed user agent, often found in backdoors, by Florian Roth | |
+| +CRITICAL | **[impact/remote_access/net_exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/net_exec.yara#lazarus_darwin_nsurl)** | executes programs, sets permissions, sleeps, makes HTTP requests | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code)<br>[gethostname](https://github.com/search?q=gethostname&type=code)<br>[localtime](https://github.com/search?q=localtime&type=code)<br>[sprintf](https://github.com/search?q=sprintf&type=code)<br>[strncpy](https://github.com/search?q=strncpy&type=code)<br>[pclose](https://github.com/search?q=pclose&type=code)<br>[chmod](https://github.com/search?q=chmod&type=code)<br>[flock](https://github.com/search?q=flock&type=code)<br>[popen](https://github.com/search?q=popen&type=code)<br>[sleep](https://github.com/search?q=sleep&type=code)<br>[rand](https://github.com/search?q=rand&type=code) |
+| +HIGH | **[exec/shell/arbitrary_command_dev_null](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/arbitrary_command-dev_null.yara#cmd_dev_null_quoted)** | runs quoted templated commands, discards output | ["%s" >/dev/null](https://github.com/search?q=%22%25s%22+%3E%2Fdev%2Fnull&type=code) |
+| +MEDIUM | **[evasion/file/prefix](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/prefix/prefix.yara#dynamic_hidden_path)** | [hidden path generated dynamically](https://objective-see.org/blog/blog_0x73.html) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code) |
+| +MEDIUM | **[exec/cmd/pipe](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/cmd/pipe.yara#popen)** | [launches program and reads its output](https://linux.die.net/man/3/popen) | [_pclose](https://github.com/search?q=_pclose&type=code)<br>[_popen](https://github.com/search?q=_popen&type=code) |
+| +MEDIUM | **[fs/permission/modify](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/permission/permission-modify.yara#chmod)** | [modifies file permissions](https://linux.die.net/man/1/chmod) | [chmod](https://github.com/search?q=chmod&type=code) |
+| +MEDIUM | **[net/http/accept](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept.yara#http_accept_binary)** | accepts binary files via HTTP | [application/octet-stream](https://github.com/search?q=application%2Foctet-stream&type=code)<br>[Accept](https://github.com/search?q=Accept&type=code) |
+| +MEDIUM | **[net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie)** | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)<br>[HTTP](https://github.com/search?q=HTTP&type=code) |
+| +MEDIUM | **[net/url/request](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls)** | requests resources via URL | [NSMutableURLRequest](https://github.com/search?q=NSMutableURLRequest&type=code) |
+| +LOW | **[data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip)** | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) |
+| +LOW | **[data/random/insecure](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/random/insecure.yara#bsd_rand)** | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)<br>[srand](https://github.com/search?q=srand&type=code) |
+| +LOW | **[discover/system/hostname](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname.yara#gethostname)** | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) |
+| +LOW | **[discover/user/HOME](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/HOME.yara#HOME)** | [Looks up the HOME directory for the current user](https://man.openbsd.org/login.1#ENVIRONMENT) | [getenv](https://github.com/search?q=getenv&type=code)<br>[HOME](https://github.com/search?q=HOME&type=code) |
+| +LOW | **[fs/lock_update](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/lock-update.yara#flock)** | apply or remove an advisory lock on a file | [flock](https://github.com/search?q=flock&type=code) |
+| +LOW | **[net/http/accept_encoding](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/accept-encoding.yara#content_type)** | [set HTTP response encoding format (example: gzip)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding) | [Accept-Encoding](https://github.com/search?q=Accept-Encoding&type=code) |
+| +LOW | **[os/kernel/dispatch_semaphore](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/kernel/dispatch-semaphore.yara#dispatch_sem)** | [Uses Dispatch Semaphores](https://developer.apple.com/documentation/dispatch/dispatch_semaphore) | [dispatch_semaphore_signal](https://github.com/search?q=dispatch_semaphore_signal&type=code) |
+| +LOW | **[os/sync/semaphore_user](https://github.com/chainguard-dev/malcontent/blob/main/rules/os/sync/semaphore-user.yara#semaphore_user)** | uses semaphores to synchronize data between processes or threads | [semaphore_create](https://github.com/search?q=semaphore_create&type=code)<br>[semaphore_signal](https://github.com/search?q=semaphore_signal&type=code)<br>[semaphore_wait](https://github.com/search?q=semaphore_wait&type=code) |
+
+### 17 consistent behaviors
+
+| RISK | KEY | DESCRIPTION | EVIDENCE |
+|--|--|--|--|
+| MEDIUM | [crypto/encrypt](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/encrypt.yara#encrypt) | encrypts data | [Encryption initializati](https://github.com/search?q=Encryption+initializati&type=code)<br>[Encryption info](https://github.com/search?q=Encryption+info&type=code) |
+| MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) |
+| MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) |
+| MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) |
+| MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) |
+| MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)<br>[POST](https://github.com/search?q=POST&type=code)<br>[http](https://github.com/search?q=http&type=code) |
+| LOW | [c2/addr/url](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#binary_with_url) | binary contains hardcoded URL | [http://www.apple.com/certificateauthority/0](http://www.apple.com/certificateauthority/0)<br>[http://www.apple.com/DTDs/PropertyList](http://www.apple.com/DTDs/PropertyList)<br>[http://crl.apple.com/timestamp.crl0](http://crl.apple.com/timestamp.crl0)<br>[https://www.apple.com/appleca/0](https://www.apple.com/appleca/0)<br>[http://crl.apple.com/root.crl0](http://crl.apple.com/root.crl0)<br>[http://www.apple.com/appleca0](http://www.apple.com/appleca0)<br>[http://ocsp.apple.com/ocsp03](http://ocsp.apple.com/ocsp03) |
+| LOW | [c2/tool_transfer/arch](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/arch.yara#arch_ref) | references a specific architecture | [https://](https://)<br>[http://](http://)<br>[x86](https://github.com/search?q=x86&type=code) |
+| LOW | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#os_ref) | references a specific operating system | [https://](https://)<br>[Windows](https://github.com/search?q=Windows&type=code)<br>[http://](http://) |
+| LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) |
+| LOW | [crypto/rc4](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_ksa) | RC4 key scheduling algorithm, by Thomas Barabosch | |
+| LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) |
+| LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) |
+| LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) |
+| LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) |
+| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code)<br>[NSURL](https://github.com/search?q=NSURL&type=code) |
+| LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
+