Merge pull request #46 from tstromberg/main

Improve rules through laysound PyPi analysis
chainguard-dev · Mar 12, 2024 · 1f2cece · 1f2cece
2 parents e443221 + 2d41e6a
commit 1f2cece
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 4 deletions.
diff --git a/rules/combo/dropper/python.yara b/rules/combo/dropper/python.yara
@@ -1,8 +1,24 @@
 
-rule python_eval_or_exec {
+rule python_eval_or_exec : critical {
   strings:
     $exec_requests = "exec(requests.get"
     $eval_requests = "eval(requests.get"
   condition:
-    filesize < 1048576 and any of them
+    filesize < 16384 and any of them
+}
+
+
+rule http_open_write_system : suspicious {
+  strings:
+	$http = "http"
+	$h_rget = "requests.get"
+
+	$open = "open("
+
+	$write = "write("
+
+	$system = "os.system("
+	$sys_popen = "os.popen"
+  condition:
+    filesize < 16384 and any of ($h*) and $open and $write and any of ($sys*)
 }
diff --git a/rules/env/get.yara b/rules/env/get.yara
@@ -1,10 +1,21 @@
 rule getenv : harmless {
   meta:
-	description = "Retrieve the value of an environment variable"
+	description = "Retrieve environment variables"
   strings:
 	$getenv = "getenv" fullword
 	$go_Getenv = "Getenv" fullword
 	$secure_getenv = "secure_getenv" fullword
+	$python_val = "os.environ"
+  condition:
+	any of them
+}
+
+rule get_env_val {
+  meta:
+	description = "Retrieve environment variable values"
+  strings:
+	$node_val = /env\.[A-Z]{3,16}/
+	$python_val = /os\.environ\[[\'\"][a-zA-Z]{1,32}[\'\"]\]/
   condition:
 	any of them
 }
diff --git a/rules/net/ip-external_address-query.yara → rules/net/public_ip.yara b/rules/net/ip-external_address-query.yara → rules/net/public_ip.yara
@@ -1,4 +1,4 @@
-rule iplookup_website : suspicious {
+rule iplookup_website_value : suspicious {
   meta:
     hash_2023_stealer_hashbreaker = "016a1a4fe3e9d57ab0b2a11e37ad94cc922290d2499b8d96957c3ddbdc516d74"
     hash_2022_CloudMensis_WindowServer_2 = "b8a61adccefb13b7058e47edcd10a127c483403cf38f7ece126954e95e86f2bd"