Address Kibana false positives

pkg/compile/compile.go

@@ -29,6 +29,7 @@ var badRules = map[string]bool{
 	"DELIVRTO_SUSP_HTML_WASM_Smuggling":                   true,
 	"SIGNATURE_BASE_FVEY_Shadowbroker_Auct_Dez16_Strings": true,
 	"ELASTIC_Macos_Creddump_Keychainaccess_535C1511":      true,
+	"SIGNATURE_BASE_Reconcommands_In_File":                true,
 	// ThreatHunting Keywords (some duplicates)
 	"Adobe_XMP_Identifier":                       true,
 	"Antivirus_Signature_signature_keyword":      true,

rules/combo/backdoor/php.yara

@@ -116,8 +116,13 @@ rule php_eval_gzinflate_base64_backdoor : critical {
     $f_gzinflate = "gzinflate("
     $f_base64_decode = "base64_decode"
 
-    $not_php = "PHP_FLOAT_DIG" fullword
+    $not_js = " ?? "
+    $not_js2 = " === "
+    $not_js3 = "const"
+    $not_js4 = "this."
+    $not_js5 = "throw"
     $not_mongosh_php = { 3C 3F 70 68 70 00 00 00 01 0C 51 61 03 00 00 00 02 00 00 00 3F 3E }
+    $not_php = "PHP_FLOAT_DIG" fullword
     $not_workaround = "/* workaround for chrome bug "
   condition:
     all of ($f*) and none of ($not*)

rules/secrets/keychain-dump.yara

@@ -4,7 +4,9 @@ rule security_dump_keychain : critical {
     hash_2011_bin_kd = "8eb5ab5d71c84c9927b420948abedcf510369c8d566ee94c0cb5bc276d0d0a72"
   strings:
     $dump = "dump-keychain"
-    $ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
+    $not_ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
+    $not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
+    $not_elastic_license = "\"license\": \"Elastic License v2\""
   condition:
-    $dump and not $ctkcard
+    $dump and none of ($not*)
 }

rules/secrets/keychain.yara

@@ -8,8 +8,10 @@ rule keychain : medium macos {
   strings:
     $ref = "Keychain"
     $ref2 = "keychain"
+    $not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
+    $not_elastic_license = "\"license\": \"Elastic License v2\""
   condition:
-    any of them
+    any of ($ref*) and none of ($not*)
 }
 
 rule macos_library_keychains : medium {
@@ -20,26 +22,32 @@ rule macos_library_keychains : medium {
     hash_2023_Downloads_Brawl_Earth = "fe3ac61c701945f833f218c98b18dca704e83df2cf1a8994603d929f25d1cce2"
   strings:
     $ref = "/Library/Keychains"
+    $not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
+    $not_elastic_license = "\"license\": \"Elastic License v2\""
   condition:
-    any of them
+    $ref and none of ($not*)
 }
 
 rule find_generic_password : high {
   meta:
     description = "Looks up a password from the Keychain"
   strings:
     $ref = /find-generic-passsword[ \-\w\']{0,32}/
-    $ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
+    $not_ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
+    $not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
+    $not_elastic_license = "\"license\": \"Elastic License v2\""
   condition:
-    $ref and not $ctkcard
+    $ref and none of ($not*)
 }
 
 rule find_internet_password : high {
   meta:
     description = "Looks up an internet password from the Keychain"
   strings:
     $ref = /find-internet-passsword[ \-\w\']{0,32}/
-    $ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
+    $not_ctkcard = "/System/Library/Frameworks/CryptoTokenKit.framework/ctkcard"
+    $not_elastic_author = { 22 61 75 74 68 6F 72 22 3A 20 5B 0A 20 20 20 20 22 45 6C 61 73 74 69 63 22 0A 20 20 5D }
+    $not_elastic_license = "\"license\": \"Elastic License v2\""
   condition:
-    $ref and not $ctkcard
+    $ref and none of ($not*)
 }

samples/Javascript/clean/php.js.simple

@@ -0,0 +1,59 @@
+# Javascript/clean/php.js
+combo/net/tunnel_proxy
+compression/gzip
+databases/mysql
+databases/sqlite
+encoding/base64
+encoding/reverse
+env/USER
+evasion/base64/decode
+exec/program
+exec/program/background
+exec/shell_command
+fs/directory/create
+fs/directory/remove
+fs/fifo/create
+fs/file/delete
+fs/file/truncate
+fs/link/read
+fs/lock/update
+fs/node/create
+fs/permission/modify
+fs/symlink/resolve
+fs/watch
+kernel/acct
+kernel/hostname/get
+kernel/platform
+net/hostname/resolve
+net/http/cookies
+net/http/form/upload
+net/http/post
+net/ip/parse
+net/ip/resolve
+net/ip/string
+net/socket/connect
+net/socket/listen
+net/socket/local/address
+net/socket/peer/address
+net/socket/receive
+net/socket/send
+net/upload
+net/url/encode
+process/chroot
+process/effective/groupid/get
+process/groupid/set
+process/parent_pid/get
+process/userid/set
+process/username/get
+random/insecure
+ref/ip_port
+ref/path/etc
+ref/path/hidden
+ref/site/url
+ref/words/agent
+ref/words/password
+ref/words/plugin
+ref/words/spoof
+secrets/private_key
+techniques/code_eval
+tty/pathname

samples/Linux/clean/credential_access_dumping_keychain_security.json

@@ -0,0 +1,55 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.",
+  "from": "now-9m",
+  "index": [
+    "auditbeat-*",
+    "logs-endpoint.events.*"
+  ],
+  "language": "eql",
+  "license": "Elastic License v2",
+  "name": "Dumping of Keychain Content via Security Command",
+  "query": "process where event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n",
+  "references": [
+    "https://ss64.com/osx/security.html"
+  ],
+  "risk_score": 73,
+  "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c",
+  "severity": "high",
+  "tags": [
+    "Elastic",
+    "Host",
+    "macOS",
+    "Threat Detection",
+    "Credential Access"
+  ],
+  "threat": [
+    {
+      "framework": "MITRE ATT&CK",
+      "tactic": {
+        "id": "TA0006",
+        "name": "Credential Access",
+        "reference": "https://attack.mitre.org/tactics/TA0006/"
+      },
+      "technique": [
+        {
+          "id": "T1555",
+          "name": "Credentials from Password Stores",
+          "reference": "https://attack.mitre.org/techniques/T1555/",
+          "subtechnique": [
+            {
+              "id": "T1555.001",
+              "name": "Keychain",
+              "reference": "https://attack.mitre.org/techniques/T1555/001/"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "timestamp_override": "event.ingested",
+  "type": "eql",
+  "version": 1
+}

samples/Linux/clean/credential_access_dumping_keychain_security.json.simple

@@ -0,0 +1,3 @@
+# Linux/clean/credential_access_dumping_keychain_security.json
+ref/site/url
+ref/words/password