From 914d5f37ce4ec742a55554b790f82418ce1190d5 Mon Sep 17 00:00:00 2001 From: egibs Date: Tue, 7 May 2024 08:09:58 -0500 Subject: [PATCH 01/11] Preserve original path for archives; add to output --- pkg/action/scan.go | 35 +++++++++++------ pkg/bincapz/bincapz.go | 5 ++- pkg/render/markdown.go | 22 +++++++++-- pkg/render/simple.go | 3 ++ pkg/render/terminal.go | 38 ++++++++++++++----- pkg/report/report.go | 18 ++++++--- samples/Windows/2024.Sharp/sharpil_RAT.exe.md | 2 +- .../SpectralBlur-macshare.md | 1 - 8 files changed, 90 insertions(+), 34 deletions(-) diff --git a/pkg/action/scan.go b/pkg/action/scan.go index 483d522f..03e5179e 100644 --- a/pkg/action/scan.go +++ b/pkg/action/scan.go @@ -56,7 +56,13 @@ func findFilesRecursively(ctx context.Context, root string, c Config) ([]string, return files, err } -func scanSinglePath(ctx context.Context, c Config, yrs *yara.Rules, path string) (*bincapz.FileReport, error) { +func scanSinglePath( + ctx context.Context, + c Config, + yrs *yara.Rules, + path string, + aPath string, +) (*bincapz.FileReport, error) { logger := clog.FromContext(ctx) var mrs yara.MatchRules logger = logger.With("path", path) @@ -70,10 +76,10 @@ func scanSinglePath(ctx context.Context, c Config, yrs *yara.Rules, path string) if err := yrs.ScanFile(path, 0, 0, &mrs); err != nil { logger.Info("skipping", slog.Any("error", err)) - return &bincapz.FileReport{Path: path, Error: fmt.Sprintf("scanfile: %v", err)}, nil + return &bincapz.FileReport{Path: path, AlternatePath: aPath, Error: fmt.Sprintf("scanfile: %v", err)}, nil } - fr, err := report.Generate(ctx, path, mrs, c.IgnoreTags, c.MinResultScore) + fr, err := report.Generate(ctx, path, aPath, mrs, c.IgnoreTags, c.MinResultScore) if err != nil { return nil, err } 
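Review bot: The new `aPath` parameter of scanSinglePath is undocumented, and nothing at the call sites says what an empty value means (recursiveScan passes `""` in the next hunk). A doc comment would settle it: `// scanSinglePath scans path with yrs. aPath is the archive that path was extracted from, or "" when the file was scanned directly.` A more descriptive name such as `archivePath` would carry the same information at every call; the same applies to processFile's new `a` parameter later in this patch. The hunk opens in the tail of findFilesRecursively, and scanSinglePath's body continues past it.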
@@ -128,7 +134,7 @@ func recursiveScan(ctx context.Context, c Config) (*bincapz.Report, error) { return nil, err } } else { - err = processFile(ctx, c, yrs, r, p, logger) + err = processFile(ctx, c, yrs, r, p, "", logger) if err != nil { return nil, err } @@ -153,22 +159,25 @@ func processArchive( logger *clog.Logger, ) error { var err error - p, err = archive(ctx, p) + var ap string + ap, err = archive(ctx, p) if err != nil { return fmt.Errorf("failed to prepare archive for scanning: %w", err) } - var ap []string - ap, err = findFilesRecursively(ctx, p, c) + var af []string + af, err = findFilesRecursively(ctx, ap, c) if err != nil { return fmt.Errorf("find files: %w", err) } - for _, a := range ap { - err = processFile(ctx, c, yrs, r, a, logger) + for _, a := range af { + // a is the scan path (within the temp directory) + // p is the original path to the archive file + err = processFile(ctx, c, yrs, r, a, p, logger) if err != nil { return err } } - if err := os.RemoveAll(p); err != nil { + if err := os.RemoveAll(ap); err != nil { logger.Errorf("remove %s: %v", p, err) } return nil @@ -176,12 +185,14 @@ func processArchive( func processFile( ctx context.Context, - c Config, yrs *yara.Rules, + c Config, + yrs *yara.Rules, r *bincapz.Report, p string, + a string, logger *clog.Logger, ) error { - fr, err := scanSinglePath(ctx, c, yrs, p) + fr, err := scanSinglePath(ctx, c, yrs, p, a) if err != nil { logger.Errorf("scan path: %v", err) return nil diff --git a/pkg/bincapz/bincapz.go b/pkg/bincapz/bincapz.go index 4121a5cf..8d58f093 100644 --- a/pkg/bincapz/bincapz.go +++ b/pkg/bincapz/bincapz.go @@ -24,8 +24,9 @@ type Behavior struct { } type FileReport struct { - Path string - SHA256 string + Path string + AlternatePath string + SHA256 string // compiler -> x Error string `json:",omitempty" yaml:",omitempty"` Skipped string `json:",omitempty" yaml:",omitempty"` diff --git a/pkg/render/markdown.go b/pkg/render/markdown.go index 3194d8db..5f8477c4 100644 
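Review bot: In processArchive the extracted directory `ap` is removed only on the success path; the `find files` error return and the `return err` inside the loop both leave it behind, and when removal does fail the message logs `p` (the archive) instead of `ap` (the directory that could not be removed). Moving the cleanup into a `defer` directly after the `archive` error check covers every exit and fixes the message. This assumes `archive` extracts into a temporary location, as the loop comment added here says. processArchive's signature begins before the hunk.
```go
	ap, err = archive(ctx, p)
	if err != nil {
		return fmt.Errorf("failed to prepare archive for scanning: %w", err)
	}
	// Remove the extracted tree on every exit path, not only after a complete scan.
	defer func() {
		if err := os.RemoveAll(ap); err != nil {
			logger.Errorf("remove %s: %v", ap, err)
		}
	}()
	// … unchanged: findFilesRecursively and the processFile loop, without the trailing RemoveAll …
```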
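Review bot: `AlternatePath` is added to FileReport without `omitempty` tags or a comment, so every JSON/YAML report for a file that was not inside an archive now carries an empty `AlternatePath` field, while the neighbouring optional fields `Error` and `Skipped` are omitted when empty. Suggest `AlternatePath string \`json:",omitempty" yaml:",omitempty"\`` with a comment saying it holds the path of the containing archive and is empty otherwise. Patch 07 renames the field to `OriginalAbsPath` and adds the comment, but still declares it without tags.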
--- a/pkg/render/markdown.go +++ b/pkg/render/markdown.go @@ -42,19 +42,31 @@ func matchFragmentLink(s string) string { } func (r Markdown) File(ctx context.Context, fr bincapz.FileReport) error { - markdownTable(ctx, &fr, r.w, tableConfig{Title: fmt.Sprintf("## %s [%s]", fr.Path, mdRisk(fr.RiskScore, fr.RiskLevel))}) + tableCfg := tableConfig{Title: fmt.Sprintf("## Scanned Path: %s [%s]", fr.Path, mdRisk(fr.RiskScore, fr.RiskLevel))} + if fr.AlternatePath != "" { + tableCfg.SubTitle = fmt.Sprintf("### Original Path: %s", fr.AlternatePath) + } + markdownTable(ctx, &fr, r.w, tableCfg) return nil } func (r Markdown) Full(ctx context.Context, rep bincapz.Report) error { for f, fr := range rep.Diff.Removed { fr := fr - markdownTable(ctx, &fr, r.w, tableConfig{Title: fmt.Sprintf("## Deleted: %s [%s]", f, mdRisk(fr.RiskScore, fr.RiskLevel)), DiffRemoved: true}) + tableCfg := tableConfig{Title: fmt.Sprintf("## Deleted: %s [%s]", f, mdRisk(fr.RiskScore, fr.RiskLevel)), DiffRemoved: true} + if fr.AlternatePath != "" { + tableCfg.SubTitle = fmt.Sprintf("### Original Path: %s", fr.AlternatePath) + } + markdownTable(ctx, &fr, r.w, tableCfg) } for f, fr := range rep.Diff.Added { fr := fr - markdownTable(ctx, &fr, r.w, tableConfig{Title: fmt.Sprintf("## Added: %s [%s]", f, mdRisk(fr.RiskScore, fr.RiskLevel)), DiffAdded: true}) + tableCfg := tableConfig{Title: fmt.Sprintf("## Added: %s [%s]", f, mdRisk(fr.RiskScore, fr.RiskLevel)), DiffAdded: true} + if fr.AlternatePath != "" { + tableCfg.SubTitle = fmt.Sprintf("### Original Path: %s", fr.AlternatePath) + } + markdownTable(ctx, &fr, r.w, tableCfg) } for f, fr := range rep.Diff.Modified { @@ -129,6 +141,10 @@ func markdownTable(_ context.Context, fr *bincapz.FileReport, w io.Writer, rc ta fmt.Fprintf(w, "%s\n\n", rc.Title) } + if fr.AlternatePath != "" { + fmt.Fprintf(w, "%s\n\n", rc.SubTitle) + } + sort.Slice(kbs, func(i, j int) bool { if kbs[i].Behavior.RiskScore == kbs[j].Behavior.RiskScore { return kbs[i].Key < kbs[j].Key 
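Review bot: markdownTable prints `rc.SubTitle` guarded by `fr.AlternatePath != ""` rather than by the subtitle itself, so whether the caller's config is honoured depends on a field of the report; `if rc.SubTitle != "" {` mirrors the `subtitle != ""` test the terminal renderer uses in this patch and lets any caller set a subtitle. The three call sites in File and Full build the same `### Original Path:` subtitle with identical code; a small helper returning the subtitle for a FileReport would remove the duplication. Patch 07 keeps the field-based check when it renames the field.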
diff --git a/pkg/render/simple.go b/pkg/render/simple.go index 767757c1..6151438a 100644 --- a/pkg/render/simple.go +++ b/pkg/render/simple.go @@ -22,6 +22,9 @@ func NewSimple(w io.Writer) Simple { func (r Simple) File(_ context.Context, fr bincapz.FileReport) error { fmt.Fprintf(r.w, "# %s\n", fr.Path) + if fr.AlternatePath != "" { + fmt.Fprintf(r.w, "## Original Path: %s\n", fr.AlternatePath) + } bs := []string{} for k := range fr.Behaviors { diff --git a/pkg/render/terminal.go b/pkg/render/terminal.go index 6a96f54f..19175ba6 100644 --- a/pkg/render/terminal.go +++ b/pkg/render/terminal.go @@ -28,6 +28,7 @@ type KeyedBehavior struct { type tableConfig struct { Title string + SubTitle string ShowTitle bool DiffRemoved bool DiffAdded bool 
@@ -92,29 +93,42 @@ func ShortRisk(s string) string { } func (r Terminal) File(ctx context.Context, fr bincapz.FileReport) error { - renderTable(ctx, &fr, r.w, - tableConfig{ - Title: fmt.Sprintf("%s %s", fr.Path, darkBrackets(decorativeRisk(fr.RiskScore, fr.RiskLevel))), - }, - ) + tableCfg := tableConfig{ + Title: fmt.Sprintf("Scanned Path: %s %s", fr.Path, darkBrackets(decorativeRisk(fr.RiskScore, fr.RiskLevel))), + } + if fr.AlternatePath != "" { + tableCfg.SubTitle = fmt.Sprintf("Original Path: %s", fr.AlternatePath) + } + + renderTable(ctx, &fr, r.w, tableCfg) return nil } func (r Terminal) Full(ctx context.Context, rep bincapz.Report) error { for f, fr := range rep.Diff.Removed { fr := fr - renderTable(ctx, &fr, r.w, tableConfig{ + tableCfg := tableConfig{ Title: fmt.Sprintf("Deleted: %s %s", f, darkBrackets(decorativeRisk(fr.RiskScore, fr.RiskLevel))), DiffRemoved: true, - }) + } + if fr.AlternatePath != "" { + tableCfg.SubTitle = fmt.Sprintf("Original Path: %s", fr.AlternatePath) + } + + renderTable(ctx, &fr, r.w, tableCfg) } for f, fr := range rep.Diff.Added { fr := fr - renderTable(ctx, &fr, r.w, tableConfig{ + tableCfg := tableConfig{ Title: fmt.Sprintf("Added: %s %s", f, darkBrackets(decorativeRisk(fr.RiskScore, fr.RiskLevel))), DiffAdded: true, - }) + } + if fr.AlternatePath != "" { + tableCfg.SubTitle = fmt.Sprintf("Original Path: %s", fr.AlternatePath) + } + + renderTable(ctx, &fr, r.w, tableCfg) } for f, fr := range rep.Diff.Modified { @@ -182,6 +196,7 @@ func darkenText(s string) string { func renderTable(ctx context.Context, fr *bincapz.FileReport, w io.Writer, rc tableConfig) { title := rc.Title + subtitle := rc.SubTitle path := fr.Path if fr.Error != "" { @@ -295,7 +310,10 @@ func renderTable(ctx context.Context, fr *bincapz.FileReport, w io.Writer, rc ta } if title != "" { - fmt.Fprintf(w, "%s", title) + fmt.Fprintf(w, "%s\n", title) + } + if subtitle != "" { + fmt.Fprintf(w, "%s\n", subtitle) } fmt.Fprintf(w, "\n") 
diff --git a/pkg/report/report.go b/pkg/report/report.go index 1af399fa..b878592c 100644 --- a/pkg/report/report.go +++ b/pkg/report/report.go @@ -271,7 +271,14 @@ func fixURL(s string) string { return strings.ReplaceAll(s, " ", "%20") } -func Generate(ctx context.Context, path string, mrs yara.MatchRules, ignoreTags []string, minScore int) (bincapz.FileReport, error) { +func Generate( + ctx context.Context, + path string, + aPath string, + mrs yara.MatchRules, + ignoreTags []string, + minScore int, +) (bincapz.FileReport, error) { ignore := map[string]bool{} for _, t := range ignoreTags { ignore[t] = true @@ -283,10 +290,11 @@ func Generate(ctx context.Context, path string, mrs yara.MatchRules, ignoreTags } fr := bincapz.FileReport{ - Path: path, - SHA256: ptCheck, - Meta: map[string]string{}, - Behaviors: map[string]bincapz.Behavior{}, + Path: path, + AlternatePath: aPath, + SHA256: ptCheck, + Meta: map[string]string{}, + Behaviors: map[string]bincapz.Behavior{}, } pledges := []string{} diff --git a/samples/Windows/2024.Sharp/sharpil_RAT.exe.md b/samples/Windows/2024.Sharp/sharpil_RAT.exe.md index 7d9df14c..8dbfae55 100644 --- a/samples/Windows/2024.Sharp/sharpil_RAT.exe.md +++ b/samples/Windows/2024.Sharp/sharpil_RAT.exe.md @@ -1,4 +1,4 @@ -## Windows/2024.Sharp/sharpil_RAT.exe [🚨 CRITICAL] +## Scanned Path: Windows/2024.Sharp/sharpil_RAT.exe [🚨 CRITICAL] | RISK | KEY | DESCRIPTION | EVIDENCE | |----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
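Review bot: Generate is exported and now takes six parameters, but has no doc comment, and the new `aPath` is not explained anywhere in this hunk. Suggest: `// Generate builds the FileReport for path from the YARA matches in mrs. aPath is the archive the file was extracted from, or "" when it was scanned directly.` How ignoreTags and minScore filter the result is decided further down the function, outside the hunks, and is best stated there by the author. Generate's body continues past both hunks.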
diff --git a/samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md b/samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md index 8c93d521..c3d45ee1 100644 --- a/samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md +++ b/samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md @@ -23,4 +23,3 @@ | LOW | [process/multithreaded](https://github.com/chainguard-dev/bincapz/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | | LOW | [process/username/get](https://github.com/chainguard-dev/bincapz/blob/main/rules/process/username-get.yara#getlogin) | [get login name](https://linux.die.net/man/3/getlogin) | [getlogin](https://github.com/search?q=getlogin&type=code) | | LOW | [random/insecure](https://github.com/chainguard-dev/bincapz/blob/main/rules/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | - From dcfdfd8ee63ba8605fa63fd5f302293b6624fa90 Mon Sep 17 00:00:00 2001 From: egibs Date: Thu, 2 May 2024 20:16:52 -0500 Subject: [PATCH 02/11] Display scanned file next to original path --- pkg/render/markdown.go | 9 ++++++--- pkg/render/terminal.go | 9 ++++++--- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/pkg/render/markdown.go b/pkg/render/markdown.go index 5f8477c4..b4b3a3ab 100644 --- a/pkg/render/markdown.go +++ b/pkg/render/markdown.go @@ -44,7 +44,8 @@ func matchFragmentLink(s string) string { func (r Markdown) File(ctx context.Context, fr bincapz.FileReport) error { tableCfg := tableConfig{Title: fmt.Sprintf("## Scanned Path: %s [%s]", fr.Path, mdRisk(fr.RiskScore, fr.RiskLevel))} if fr.AlternatePath != "" { - tableCfg.SubTitle = fmt.Sprintf("### Original Path: %s", fr.AlternatePath) + fileName := fr.Path[strings.LastIndex(fr.Path, "/")+1:] + tableCfg.SubTitle = fmt.Sprintf("### Original Path: %s > %s", fr.AlternatePath, fileName) } markdownTable(ctx, &fr, r.w, tableCfg) return nil 
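Review bot: `fr.Path[strings.LastIndex(fr.Path, "/")+1:]` reimplements base-name extraction with a hard-coded `/`, so on Windows a path using backslashes yields the whole path; `fileName := filepath.Base(fr.Path)` handles both separators and reads as what it is. The same expression is repeated in the Full loops of this patch and in the File/Full hunks of terminal.go, and in the Full loops it is computed before the `fr.AlternatePath` check that decides whether it is used; computing it inside the check, or in one shared helper, keeps the work where it is needed. `filepath.Base` needs `path/filepath` in the import block, which these hunks do not show.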
@@ -53,18 +54,20 @@ func (r Markdown) File(ctx context.Context, fr bincapz.FileReport) error { func (r Markdown) Full(ctx context.Context, rep bincapz.Report) error { for f, fr := range rep.Diff.Removed { fr := fr + fileName := fr.Path[strings.LastIndex(fr.Path, "/")+1:] tableCfg := tableConfig{Title: fmt.Sprintf("## Deleted: %s [%s]", f, mdRisk(fr.RiskScore, fr.RiskLevel)), DiffRemoved: true} if fr.AlternatePath != "" { - tableCfg.SubTitle = fmt.Sprintf("### Original Path: %s", fr.AlternatePath) + tableCfg.SubTitle = fmt.Sprintf("### Original Path: %s > %s", fr.AlternatePath, fileName) } markdownTable(ctx, &fr, r.w, tableCfg) } for f, fr := range rep.Diff.Added { fr := fr + fileName := fr.Path[strings.LastIndex(fr.Path, "/")+1:] tableCfg := tableConfig{Title: fmt.Sprintf("## Added: %s [%s]", f, mdRisk(fr.RiskScore, fr.RiskLevel)), DiffAdded: true} if fr.AlternatePath != "" { - tableCfg.SubTitle = fmt.Sprintf("### Original Path: %s", fr.AlternatePath) + tableCfg.SubTitle = fmt.Sprintf("### Original Path: %s > %s", fr.AlternatePath, fileName) } markdownTable(ctx, &fr, r.w, tableCfg) } diff --git a/pkg/render/terminal.go b/pkg/render/terminal.go index 19175ba6..8adebfe2 100644 --- a/pkg/render/terminal.go +++ b/pkg/render/terminal.go @@ -93,11 +93,12 @@ func ShortRisk(s string) string { } func (r Terminal) File(ctx context.Context, fr bincapz.FileReport) error { + fileName := fr.Path[strings.LastIndex(fr.Path, "/")+1:] tableCfg := tableConfig{ Title: fmt.Sprintf("Scanned Path: %s %s", fr.Path, darkBrackets(decorativeRisk(fr.RiskScore, fr.RiskLevel))), } if fr.AlternatePath != "" { - tableCfg.SubTitle = fmt.Sprintf("Original Path: %s", fr.AlternatePath) + tableCfg.SubTitle = fmt.Sprintf("Original Path: %s > %s", fr.AlternatePath, fileName) } renderTable(ctx, &fr, r.w, tableCfg) 
@@ -107,12 +108,13 @@ func (r Terminal) File(ctx context.Context, fr bincapz.FileReport) error { func (r Terminal) Full(ctx context.Context, rep bincapz.Report) error { for f, fr := range rep.Diff.Removed { fr := fr + fileName := fr.Path[strings.LastIndex(fr.Path, "/")+1:] tableCfg := tableConfig{ Title: fmt.Sprintf("Deleted: %s %s", f, darkBrackets(decorativeRisk(fr.RiskScore, fr.RiskLevel))), DiffRemoved: true, } if fr.AlternatePath != "" { - tableCfg.SubTitle = fmt.Sprintf("Original Path: %s", fr.AlternatePath) + tableCfg.SubTitle = fmt.Sprintf("Original Path: %s > %s", fr.AlternatePath, fileName) } renderTable(ctx, &fr, r.w, tableCfg) @@ -120,12 +122,13 @@ func (r Terminal) Full(ctx context.Context, rep bincapz.Report) error { for f, fr := range rep.Diff.Added { fr := fr + fileName := fr.Path[strings.LastIndex(fr.Path, "/")+1:] tableCfg := tableConfig{ Title: fmt.Sprintf("Added: %s %s", f, darkBrackets(decorativeRisk(fr.RiskScore, fr.RiskLevel))), DiffAdded: true, } if fr.AlternatePath != "" { - tableCfg.SubTitle = fmt.Sprintf("Original Path: %s", fr.AlternatePath) + tableCfg.SubTitle = fmt.Sprintf("Original Path: %s > %s", fr.AlternatePath, fileName) } renderTable(ctx, &fr, r.w, tableCfg) From 66637ea598b53c26c58a8ba1cdd1a557460bbf0a Mon Sep 17 00:00:00 2001 From: egibs Date: Thu, 2 May 2024 20:36:32 -0500 Subject: [PATCH 03/11] Add original path of moved file to diff output --- pkg/action/diff.go | 8 +++++--- pkg/render/terminal.go | 20 ++++++++++++++++---- 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/pkg/action/diff.go b/pkg/action/diff.go index dd82d1e3..f5d5fbac 100644 --- a/pkg/action/diff.go +++ b/pkg/action/diff.go @@ -75,6 +75,7 @@ func Diff(ctx context.Context, c Config) (*bincapz.Report, error) { rbs := bincapz.FileReport{ Path: tr.Path, + AlternatePath: tr.AlternatePath, Behaviors: map[string]bincapz.Behavior{}, PreviousRiskScore: fr.RiskScore, PreviousRiskLevel: fr.RiskLevel, 
@@ -109,12 +110,12 @@ func Diff(ctx context.Context, c Config) (*bincapz.Report, error) { abs := bincapz.FileReport{ Path: tr.Path, + AlternatePath: tr.AlternatePath, Behaviors: map[string]bincapz.Behavior{}, PreviousRiskScore: fr.RiskScore, PreviousRiskLevel: fr.RiskLevel, - - RiskScore: tr.RiskScore, - RiskLevel: tr.RiskLevel, + RiskScore: tr.RiskScore, + RiskLevel: tr.RiskLevel, } // if destination behavior is not in the source @@ -153,6 +154,7 @@ func Diff(ctx context.Context, c Config) (*bincapz.Report, error) { // We think that this file moved from rpath to apath. abs := bincapz.FileReport{ Path: tr.Path, + AlternatePath: tr.AlternatePath, PreviousRelPath: rpath, PreviousRelPathScore: score, diff --git a/pkg/render/terminal.go b/pkg/render/terminal.go index 8adebfe2..324d88e6 100644 --- a/pkg/render/terminal.go +++ b/pkg/render/terminal.go 
@@ -136,19 +136,31 @@ func (r Terminal) Full(ctx context.Context, rep bincapz.Report) error { for f, fr := range rep.Diff.Modified { fr := fr + fileName := fr.Path[strings.LastIndex(fr.Path, "/")+1:] var title string + var subtitle string if fr.PreviousRelPath != "" { - title = fmt.Sprintf("Moved: %s -> %s (score: %f)", fr.PreviousRelPath, f, fr.PreviousRelPathScore) + title = fmt.Sprintf("Moved: %s -> %s (score: %f)\n", fr.PreviousRelPath, f, fr.PreviousRelPathScore) + if fr.AlternatePath != "" { + subtitle = fmt.Sprintf("Original Path: %s > %s\n", fr.AlternatePath, fileName) + } } else { - title = fmt.Sprintf("Changed: %s", f) + title = fmt.Sprintf("Changed: %s\n", f) + subtitle = fmt.Sprintf("Original Path: %s > %s\n", fr.AlternatePath, fileName) } if fr.RiskScore != fr.PreviousRiskScore { title = fmt.Sprintf("%s %s\n\n", title, - darkBrackets(fmt.Sprintf("%s %s %s", decorativeRisk(fr.PreviousRiskScore, fr.PreviousRiskLevel), color.HiWhiteString("→"), decorativeRisk(fr.RiskScore, fr.RiskLevel)))) + darkBrackets(fmt.Sprintf("%s %s %s\n", decorativeRisk(fr.PreviousRiskScore, fr.PreviousRiskLevel), color.HiWhiteString("→"), decorativeRisk(fr.RiskScore, fr.RiskLevel)))) + if fr.AlternatePath != "" { + subtitle = fmt.Sprintf("Original Path: %s > %s\n", fr.AlternatePath, fileName) + } } - fmt.Fprint(r.w, title) + fmt.Fprintf(r.w, "%s\n", title) + if subtitle != "" { + fmt.Fprintf(r.w, "%s\n", subtitle) + } added := 0 removed := 0 for _, b := range fr.Behaviors { From 7e1659911ea2dea959f0b9522e2f0516dcb27f9e Mon Sep 17 00:00:00 2001 From: egibs Date: Thu, 2 May 2024 20:53:00 -0500 Subject: [PATCH 04/11] Add from/to original paths to diff output --- pkg/action/diff.go | 1 + pkg/bincapz/bincapz.go | 1 + pkg/render/markdown.go | 15 ++++++++++++--- pkg/render/terminal.go | 4 ++-- 4 files changed, 16 insertions(+), 5 deletions(-) diff --git a/pkg/action/diff.go b/pkg/action/diff.go index f5d5fbac..54629f7b 100644 --- a/pkg/action/diff.go +++ b/pkg/action/diff.go 
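Review bot: In the `else` branch for `Changed:` entries, `subtitle` is assigned without the `fr.AlternatePath != ""` guard that the `Moved:` branch uses, so a diff of plain (non-archive) scans prints `Original Path:  > name` with an empty path for every changed file; wrap it as `if fr.AlternatePath != "" { subtitle = ... }`. The reassignment inside the `RiskScore` check repeats the guarded form and could be dropped once the branch above is fixed. The new trailing `\n` on `title` combined with the `%s\n` in `Fprintf`, and the `\n` inside the string handed to `darkBrackets`, look like they will produce extra blank lines and a closing bracket on its own line — worth checking against the rendered output; as far as this series shows, patch 04 does not touch the unguarded line.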
@@ -156,6 +156,7 @@ func Diff(ctx context.Context, c Config) (*bincapz.Report, error) { Path: tr.Path, AlternatePath: tr.AlternatePath, PreviousRelPath: rpath, + PreviousAbsPath: fr.AlternatePath, PreviousRelPathScore: score, Behaviors: map[string]bincapz.Behavior{}, diff --git a/pkg/bincapz/bincapz.go b/pkg/bincapz/bincapz.go index 8d58f093..22511dec 100644 --- a/pkg/bincapz/bincapz.go +++ b/pkg/bincapz/bincapz.go @@ -39,6 +39,7 @@ type FileReport struct { // The relative path we think this moved from. PreviousRelPath string `json:",omitempty" yaml:",omitempty"` + PreviousAbsPath string `json:",omitempty" yaml:",omitempty"` // The levenshtein distance between the previous path and the current path PreviousRelPathScore float64 `json:",omitempty" yaml:",omitempty"` PreviousRiskScore int `json:",omitempty" yaml:",omitempty"` diff --git a/pkg/render/markdown.go b/pkg/render/markdown.go index b4b3a3ab..0433b345 100644 --- a/pkg/render/markdown.go +++ b/pkg/render/markdown.go @@ -45,7 +45,7 @@ func (r Markdown) File(ctx context.Context, fr bincapz.FileReport) error { tableCfg := tableConfig{Title: fmt.Sprintf("## Scanned Path: %s [%s]", fr.Path, mdRisk(fr.RiskScore, fr.RiskLevel))} if fr.AlternatePath != "" { fileName := fr.Path[strings.LastIndex(fr.Path, "/")+1:] - tableCfg.SubTitle = fmt.Sprintf("### Original Path: %s > %s", fr.AlternatePath, fileName) + tableCfg.SubTitle = fmt.Sprintf("### Original Path (From): %s > %s\n### Original Path (To): %s > %s", fr.PreviousAbsPath, fileName, fr.AlternatePath, fileName) } markdownTable(ctx, &fr, r.w, tableCfg) return nil 
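Review bot: `PreviousAbsPath` is inserted between two commented fields with no comment of its own, so a reader cannot tell it apart from `PreviousRelPath`. Based on the diff.go hunk in this patch, which sets it from the previous report's `AlternatePath`, the comment would be: `// The archive path recorded for the file we think this moved from; empty unless that file was scanned from an archive.`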
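Review bot: `File` now prints `Original Path (From): %s` from `fr.PreviousAbsPath`, but that field is only populated by Diff for files detected as moved (the diff.go hunk in this patch), so a single-file scan of an archive — and the Removed/Added loops changed in the next hunks — will always render `(From):  > name` with an empty path. Emit the From line only when `fr.PreviousAbsPath != ""` and keep the single `### Original Path:` form otherwise. The terminal renderer's `RiskScore` branch in this patch has the same exposure for `Changed:` entries.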
@@ -57,7 +57,7 @@ func (r Markdown) Full(ctx context.Context, rep bincapz.Report) error { fileName := fr.Path[strings.LastIndex(fr.Path, "/")+1:] tableCfg := tableConfig{Title: fmt.Sprintf("## Deleted: %s [%s]", f, mdRisk(fr.RiskScore, fr.RiskLevel)), DiffRemoved: true} if fr.AlternatePath != "" { - tableCfg.SubTitle = fmt.Sprintf("### Original Path: %s > %s", fr.AlternatePath, fileName) + tableCfg.SubTitle = fmt.Sprintf("### Original Path (From): %s > %s\n### Original Path (To): %s > %s", fr.PreviousAbsPath, fileName, fr.AlternatePath, fileName) } markdownTable(ctx, &fr, r.w, tableCfg) } @@ -67,7 +67,7 @@ func (r Markdown) Full(ctx context.Context, rep bincapz.Report) error { fileName := fr.Path[strings.LastIndex(fr.Path, "/")+1:] tableCfg := tableConfig{Title: fmt.Sprintf("## Added: %s [%s]", f, mdRisk(fr.RiskScore, fr.RiskLevel)), DiffAdded: true} if fr.AlternatePath != "" { - tableCfg.SubTitle = fmt.Sprintf("### Original Path: %s > %s", fr.AlternatePath, fileName) + tableCfg.SubTitle = fmt.Sprintf("### Original Path (From): %s > %s\n### Original Path (To): %s > %s", fr.PreviousAbsPath, fileName, fr.AlternatePath, fileName) } markdownTable(ctx, &fr, r.w, tableCfg) } 
@@ -75,10 +75,18 @@ func (r Markdown) Full(ctx context.Context, rep bincapz.Report) error { for f, fr := range rep.Diff.Modified { fr := fr var title string + var subtitle string + fileName := fr.Path[strings.LastIndex(fr.Path, "/")+1:] if fr.PreviousRelPath != "" { title = fmt.Sprintf("## Moved: %s -> %s (similarity: %0.2f)", fr.PreviousRelPath, f, fr.PreviousRelPathScore) + if fr.AlternatePath != "" { + subtitle = fmt.Sprintf("### Original Path (From): %s > %s\n### Original Path (To): %s > %s", fr.PreviousAbsPath, fileName, fr.AlternatePath, fileName) + } } else { title = fmt.Sprintf("## Changed: %s", f) + if fr.AlternatePath != "" { + subtitle = fmt.Sprintf("### Original Path (From): %s > %s\n### Original Path (To): %s > %s", fr.PreviousAbsPath, fileName, fr.AlternatePath, fileName) + } } if fr.RiskScore != fr.PreviousRiskScore { title = fmt.Sprintf("%s [%s → %s]", @@ -88,6 +96,7 @@ func (r Markdown) Full(ctx context.Context, rep bincapz.Report) error { } fmt.Fprint(r.w, title+"\n\n") + fmt.Fprintf(r.w, subtitle+"\n\n") added := 0 removed := 0 for _, b := range fr.Behaviors { diff --git a/pkg/render/terminal.go b/pkg/render/terminal.go index 324d88e6..772e7b43 100644 --- a/pkg/render/terminal.go +++ b/pkg/render/terminal.go @@ -142,7 +142,7 @@ func (r Terminal) Full(ctx context.Context, rep bincapz.Report) error { if fr.PreviousRelPath != "" { title = fmt.Sprintf("Moved: %s -> %s (score: %f)\n", fr.PreviousRelPath, f, fr.PreviousRelPathScore) if fr.AlternatePath != "" { - subtitle = fmt.Sprintf("Original Path: %s > %s\n", fr.AlternatePath, fileName) + subtitle = fmt.Sprintf("Original Path (From): %s > %s\nOriginal Path (To): %s > %s\n", fr.PreviousAbsPath, fileName, fr.AlternatePath, fileName) } } else { title = fmt.Sprintf("Changed: %s\n", f) 
@@ -153,7 +153,7 @@ func (r Terminal) Full(ctx context.Context, rep bincapz.Report) error { title = fmt.Sprintf("%s %s\n\n", title, darkBrackets(fmt.Sprintf("%s %s %s\n", decorativeRisk(fr.PreviousRiskScore, fr.PreviousRiskLevel), color.HiWhiteString("→"), decorativeRisk(fr.RiskScore, fr.RiskLevel)))) if fr.AlternatePath != "" { - subtitle = fmt.Sprintf("Original Path: %s > %s\n", fr.AlternatePath, fileName) + subtitle = fmt.Sprintf("Original Path (From): %s > %s\nOriginal Path (To): %s > %s\n", fr.PreviousAbsPath, fileName, fr.AlternatePath, fileName) } } From bf2e861554bb6dfa7ce2461550fbe9bfd8fe3506 Mon Sep 17 00:00:00 2001 From: egibs Date: Tue, 7 May 2024 08:10:29 -0500 Subject: [PATCH 05/11] Fix tests --- samples/macOS/2023.3CX/libffmpeg.dirty.mdiff | 4 +++- samples/macOS/clean/ls.mdiff | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff b/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff index 2471b60e..e52b0098 100644 --- a/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff +++ b/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff @@ -1,6 +1,8 @@ ## Changed: . [⚠️ MEDIUM → 🚨 CRITICAL] -### 19 new behaviors + + +### 20 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | |-----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| diff --git a/samples/macOS/clean/ls.mdiff b/samples/macOS/clean/ls.mdiff index 0c8066b8..cc967317 100644 
--- a/samples/macOS/clean/ls.mdiff +++ b/samples/macOS/clean/ls.mdiff @@ -1,5 +1,7 @@ ## Changed: . + + ### 1 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | From 8cb6eff7b27fc2e33cee6b5c5996b5fd7a8628a9 Mon Sep 17 00:00:00 2001 From: egibs Date: Fri, 3 May 2024 07:44:55 -0500 Subject: [PATCH 06/11] Formatting fix --- pkg/render/markdown.go | 4 +++- samples/macOS/2023.3CX/libffmpeg.dirty.mdiff | 2 -- samples/macOS/clean/ls.mdiff | 2 -- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/pkg/render/markdown.go b/pkg/render/markdown.go index 0433b345..2398824c 100644 --- a/pkg/render/markdown.go +++ b/pkg/render/markdown.go @@ -96,7 +96,9 @@ func (r Markdown) Full(ctx context.Context, rep bincapz.Report) error { } fmt.Fprint(r.w, title+"\n\n") - fmt.Fprintf(r.w, subtitle+"\n\n") + if subtitle != "" { + fmt.Fprintf(r.w, subtitle+"\n\n") + } added := 0 removed := 0 for _, b := range fr.Behaviors { diff --git a/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff b/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff index e52b0098..103f3e8a 100644 --- a/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff +++ b/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff @@ -1,7 +1,5 @@ ## Changed: . [⚠️ MEDIUM → 🚨 CRITICAL] - - ### 20 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | diff --git a/samples/macOS/clean/ls.mdiff b/samples/macOS/clean/ls.mdiff index cc967317..0c8066b8 100644 --- a/samples/macOS/clean/ls.mdiff +++ b/samples/macOS/clean/ls.mdiff @@ -1,7 +1,5 @@ ## Changed: . - - ### 1 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | From b8eb7eb737dbbf585a6a8f174bbbc5384279ecc7 Mon Sep 17 00:00:00 2001 
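Review bot: `fmt.Fprintf(r.w, subtitle+"\n\n")` passes `subtitle` as the format string; it is built from the archive path and from a file name taken from the archive entry, so any `%` in those names is interpreted as a verb and renders as `%!x(MISSING)`-style noise, and `go vet` flags the non-constant format. `fmt.Fprint(r.w, subtitle+"\n\n")` matches the title line just above and prints the text verbatim. The enclosing Full loop starts before the hunk.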
From: egibs Date: Sun, 5 May 2024 08:26:34 -0500 Subject: [PATCH 07/11] Address PR comments --- pkg/action/diff.go | 8 +++--- pkg/action/scan.go | 2 +- pkg/bincapz/bincapz.go | 11 +++++--- pkg/render/markdown.go | 24 ++++++++--------- pkg/render/simple.go | 4 +-- pkg/render/terminal.go | 24 ++++++++--------- pkg/report/report.go | 10 +++---- .../third_party/YARAForge/yara-rules-full.yar | 2 +- samples/Windows/2024.Sharp/sharpil_RAT.exe.md | 2 +- .../SpectralBlur-macshare.md | 27 ++++++++++++++++++- 10 files changed, 72 insertions(+), 42 deletions(-) diff --git a/pkg/action/diff.go b/pkg/action/diff.go index 54629f7b..699cb31c 100644 --- a/pkg/action/diff.go +++ b/pkg/action/diff.go @@ -75,7 +75,7 @@ func Diff(ctx context.Context, c Config) (*bincapz.Report, error) { rbs := bincapz.FileReport{ Path: tr.Path, - AlternatePath: tr.AlternatePath, + OriginalAbsPath: tr.OriginalAbsPath, Behaviors: map[string]bincapz.Behavior{}, PreviousRiskScore: fr.RiskScore, PreviousRiskLevel: fr.RiskLevel, @@ -110,7 +110,7 @@ func Diff(ctx context.Context, c Config) (*bincapz.Report, error) { abs := bincapz.FileReport{ Path: tr.Path, - AlternatePath: tr.AlternatePath, + OriginalAbsPath: tr.OriginalAbsPath, Behaviors: map[string]bincapz.Behavior{}, PreviousRiskScore: fr.RiskScore, PreviousRiskLevel: fr.RiskLevel, @@ -154,9 +154,9 @@ func Diff(ctx context.Context, c Config) (*bincapz.Report, error) { // We think that this file moved from rpath to apath. abs := bincapz.FileReport{ Path: tr.Path, - AlternatePath: tr.AlternatePath, + OriginalAbsPath: tr.OriginalAbsPath, PreviousRelPath: rpath, - PreviousAbsPath: fr.AlternatePath, + PreviousAbsPath: fr.OriginalAbsPath, PreviousRelPathScore: score, Behaviors: map[string]bincapz.Behavior{}, diff --git a/pkg/action/scan.go b/pkg/action/scan.go index 03e5179e..6e6d1e55 100644 --- a/pkg/action/scan.go +++ b/pkg/action/scan.go 
@@ -76,7 +76,7 @@ func scanSinglePath( if err := yrs.ScanFile(path, 0, 0, &mrs); err != nil { logger.Info("skipping", slog.Any("error", err)) - return &bincapz.FileReport{Path: path, AlternatePath: aPath, Error: fmt.Sprintf("scanfile: %v", err)}, nil + return &bincapz.FileReport{Path: path, OriginalAbsPath: aPath, Error: fmt.Sprintf("scanfile: %v", err)}, nil } fr, err := report.Generate(ctx, path, aPath, mrs, c.IgnoreTags, c.MinResultScore) diff --git a/pkg/bincapz/bincapz.go b/pkg/bincapz/bincapz.go index 22511dec..f29ea019 100644 --- a/pkg/bincapz/bincapz.go +++ b/pkg/bincapz/bincapz.go @@ -24,9 +24,8 @@ type Behavior struct { } type FileReport struct { - Path string - AlternatePath string - SHA256 string + Path string + SHA256 string // compiler -> x Error string `json:",omitempty" yaml:",omitempty"` Skipped string `json:",omitempty" yaml:",omitempty"` @@ -49,7 +48,13 @@ type FileReport struct { RiskLevel string `json:",omitempty" yaml:",omitempty"` PackageRisk []string `json:",omitempty" yaml:",omitempty"` +<<<<<<< HEAD IsBincapz bool `json:",omitempty" yaml:",omitempty"` +======= + // The original path for scanned archive files + // When not scanning archives, this will be empty + OriginalAbsPath string +>>>>>>> bf5a1eb (Address PR comments) } type DiffReport struct { diff --git a/pkg/render/markdown.go b/pkg/render/markdown.go index 2398824c..7c8cd286 100644 --- a/pkg/render/markdown.go +++ b/pkg/render/markdown.go 
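Review bot: The FileReport hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> bf5a1eb (Address PR comments)`), which makes pkg/bincapz/bincapz.go fail to compile; both sides look intended, so the resolution is to keep `IsBincapz` and add `OriginalAbsPath` below it, dropping the three marker lines. `OriginalAbsPath` also has no `omitempty` tags, unlike every other optional field in the struct, so non-archive reports will serialize an empty string; `OriginalAbsPath string \`json:",omitempty" yaml:",omitempty"\`` keeps the output unchanged for the common case. The comment says "original path for scanned archive files"; stating that it is the path of the containing archive rather than of the entry would remove the ambiguity.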
@@ -42,10 +42,10 @@ func matchFragmentLink(s string) string { } func (r Markdown) File(ctx context.Context, fr bincapz.FileReport) error { - tableCfg := tableConfig{Title: fmt.Sprintf("## Scanned Path: %s [%s]", fr.Path, mdRisk(fr.RiskScore, fr.RiskLevel))} - if fr.AlternatePath != "" { + tableCfg := tableConfig{Title: fmt.Sprintf("## %s [%s]", fr.Path, mdRisk(fr.RiskScore, fr.RiskLevel))} + if fr.OriginalAbsPath != "" { fileName := fr.Path[strings.LastIndex(fr.Path, "/")+1:] - tableCfg.SubTitle = fmt.Sprintf("### Original Path (From): %s > %s\n### Original Path (To): %s > %s", fr.PreviousAbsPath, fileName, fr.AlternatePath, fileName) + tableCfg.SubTitle = fmt.Sprintf("### Original Path (From): %s > %s\n### Original Path (To): %s > %s", fr.PreviousAbsPath, fileName, fr.OriginalAbsPath, fileName) } markdownTable(ctx, &fr, r.w, tableCfg) return nil @@ -56,8 +56,8 @@ func (r Markdown) Full(ctx context.Context, rep bincapz.Report) error { fr := fr fileName := fr.Path[strings.LastIndex(fr.Path, "/")+1:] tableCfg := tableConfig{Title: fmt.Sprintf("## Deleted: %s [%s]", f, mdRisk(fr.RiskScore, fr.RiskLevel)), DiffRemoved: true} - if fr.AlternatePath != "" { - tableCfg.SubTitle = fmt.Sprintf("### Original Path (From): %s > %s\n### Original Path (To): %s > %s", fr.PreviousAbsPath, fileName, fr.AlternatePath, fileName) + if fr.OriginalAbsPath != "" { + tableCfg.SubTitle = fmt.Sprintf("### Original Path (From): %s > %s\n### Original Path (To): %s > %s", fr.PreviousAbsPath, fileName, fr.OriginalAbsPath, fileName) } markdownTable(ctx, &fr, r.w, tableCfg) } 
@@ -66,8 +66,8 @@ func (r Markdown) Full(ctx context.Context, rep bincapz.Report) error {
 fr := fr
 fileName := fr.Path[strings.LastIndex(fr.Path, "/")+1:]
 tableCfg := tableConfig{Title: fmt.Sprintf("## Added: %s [%s]", f, mdRisk(fr.RiskScore, fr.RiskLevel)), DiffAdded: true}
- if fr.AlternatePath != "" {
- tableCfg.SubTitle = fmt.Sprintf("### Original Path (From): %s > %s\n### Original Path (To): %s > %s", fr.PreviousAbsPath, fileName, fr.AlternatePath, fileName)
+ if fr.OriginalAbsPath != "" {
+ tableCfg.SubTitle = fmt.Sprintf("### Original Path (From): %s > %s\n### Original Path (To): %s > %s", fr.PreviousAbsPath, fileName, fr.OriginalAbsPath, fileName)
 }
 markdownTable(ctx, &fr, r.w, tableCfg)
 }
@@ -79,13 +79,13 @@ func (r Markdown) Full(ctx context.Context, rep bincapz.Report) error {
 fileName := fr.Path[strings.LastIndex(fr.Path, "/")+1:]
 if fr.PreviousRelPath != "" {
 title = fmt.Sprintf("## Moved: %s -> %s (similarity: %0.2f)", fr.PreviousRelPath, f, fr.PreviousRelPathScore)
- if fr.AlternatePath != "" {
- subtitle = fmt.Sprintf("### Original Path (From): %s > %s\n### Original Path (To): %s > %s", fr.PreviousAbsPath, fileName, fr.AlternatePath, fileName)
+ if fr.OriginalAbsPath != "" {
+ subtitle = fmt.Sprintf("### Original Path (From): %s > %s\n### Original Path (To): %s > %s", fr.PreviousAbsPath, fileName, fr.OriginalAbsPath, fileName)
 }
 } else {
 title = fmt.Sprintf("## Changed: %s", f)
- if fr.AlternatePath != "" {
- subtitle = fmt.Sprintf("### Original Path (From): %s > %s\n### Original Path (To): %s > %s", fr.PreviousAbsPath, fileName, fr.AlternatePath, fileName)
+ if fr.OriginalAbsPath != "" {
+ subtitle = fmt.Sprintf("### Original Path (From): %s > %s\n### Original Path (To): %s > %s", fr.PreviousAbsPath, fileName, fr.OriginalAbsPath, fileName)
 }
 }
 if fr.RiskScore != fr.PreviousRiskScore {
@@ -155,7 +155,7 @@ func markdownTable(_ context.Context, fr *bincapz.FileReport, w io.Writer, rc ta
 fmt.Fprintf(w, "%s\n\n", rc.Title)
 }
- if fr.AlternatePath != "" {
+ if fr.OriginalAbsPath != "" {
 fmt.Fprintf(w, "%s\n\n", rc.SubTitle)
 }
diff --git a/pkg/render/simple.go b/pkg/render/simple.go
index 6151438a..98a0fd95 100644
--- a/pkg/render/simple.go
+++ b/pkg/render/simple.go
@@ -22,8 +22,8 @@ func NewSimple(w io.Writer) Simple {
 func (r Simple) File(_ context.Context, fr bincapz.FileReport) error {
 fmt.Fprintf(r.w, "# %s\n", fr.Path)
- if fr.AlternatePath != "" {
- fmt.Fprintf(r.w, "## Original Path: %s\n", fr.AlternatePath)
+ if fr.OriginalAbsPath != "" {
+ fmt.Fprintf(r.w, "## Original Path: %s\n", fr.OriginalAbsPath)
 }
 bs := []string{}
diff --git a/pkg/render/terminal.go b/pkg/render/terminal.go
index 772e7b43..76326354 100644
--- a/pkg/render/terminal.go
+++ b/pkg/render/terminal.go
@@ -95,10 +95,10 @@ func ShortRisk(s string) string {
 func (r Terminal) File(ctx context.Context, fr bincapz.FileReport) error {
 fileName := fr.Path[strings.LastIndex(fr.Path, "/")+1:]
 tableCfg := tableConfig{
- Title: fmt.Sprintf("Scanned Path: %s %s", fr.Path, darkBrackets(decorativeRisk(fr.RiskScore, fr.RiskLevel))),
+ Title: fmt.Sprintf("%s %s", fr.Path, darkBrackets(decorativeRisk(fr.RiskScore, fr.RiskLevel))),
 }
- if fr.AlternatePath != "" {
- tableCfg.SubTitle = fmt.Sprintf("Original Path: %s > %s", fr.AlternatePath, fileName)
+ if fr.OriginalAbsPath != "" {
+ tableCfg.SubTitle = fmt.Sprintf("Original Path: %s > %s", fr.OriginalAbsPath, fileName)
 }
 renderTable(ctx, &fr, r.w, tableCfg)
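Review bot: In the markdownTable hunk (@@ -155) the subtitle is printed only when `fr.OriginalAbsPath != ""`, which ties the generic table printer to how the callers happen to fill `tableConfig.SubTitle` rather than to the config it receives. Gating on the value it actually prints, `if rc.SubTitle != "" {`, expresses the intent directly and keeps a caller that sets a subtitle for any other reason from being silently dropped. markdownTable begins before this hunk, so I cannot see whether rc.SubTitle has other producers.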
@@ -113,8 +113,8 @@ func (r Terminal) Full(ctx context.Context, rep bincapz.Report) error {
 Title: fmt.Sprintf("Deleted: %s %s", f, darkBrackets(decorativeRisk(fr.RiskScore, fr.RiskLevel))),
 DiffRemoved: true,
 }
- if fr.AlternatePath != "" {
- tableCfg.SubTitle = fmt.Sprintf("Original Path: %s > %s", fr.AlternatePath, fileName)
+ if fr.OriginalAbsPath != "" {
+ tableCfg.SubTitle = fmt.Sprintf("Original Path: %s > %s", fr.OriginalAbsPath, fileName)
 }
 renderTable(ctx, &fr, r.w, tableCfg)
@@ -127,8 +127,8 @@ func (r Terminal) Full(ctx context.Context, rep bincapz.Report) error {
 Title: fmt.Sprintf("Added: %s %s", f, darkBrackets(decorativeRisk(fr.RiskScore, fr.RiskLevel))),
 DiffAdded: true,
 }
- if fr.AlternatePath != "" {
- tableCfg.SubTitle = fmt.Sprintf("Original Path: %s > %s", fr.AlternatePath, fileName)
+ if fr.OriginalAbsPath != "" {
+ tableCfg.SubTitle = fmt.Sprintf("Original Path: %s > %s", fr.OriginalAbsPath, fileName)
 }
 renderTable(ctx, &fr, r.w, tableCfg)
@@ -141,19 +141,19 @@ func (r Terminal) Full(ctx context.Context, rep bincapz.Report) error {
 var subtitle string
 if fr.PreviousRelPath != "" {
 title = fmt.Sprintf("Moved: %s -> %s (score: %f)\n", fr.PreviousRelPath, f, fr.PreviousRelPathScore)
- if fr.AlternatePath != "" {
- subtitle = fmt.Sprintf("Original Path (From): %s > %s\nOriginal Path (To): %s > %s\n", fr.PreviousAbsPath, fileName, fr.AlternatePath, fileName)
+ if fr.OriginalAbsPath != "" {
+ subtitle = fmt.Sprintf("Original Path (From): %s > %s\nOriginal Path (To): %s > %s\n", fr.PreviousAbsPath, fileName, fr.OriginalAbsPath, fileName)
 }
 } else {
 title = fmt.Sprintf("Changed: %s\n", f)
- subtitle = fmt.Sprintf("Original Path: %s > %s\n", fr.AlternatePath, fileName)
+ subtitle = fmt.Sprintf("Original Path: %s > %s\n", fr.OriginalAbsPath, fileName)
 }
 if fr.RiskScore != fr.PreviousRiskScore {
 title = fmt.Sprintf("%s %s\n\n", title, darkBrackets(fmt.Sprintf("%s %s %s\n", decorativeRisk(fr.PreviousRiskScore, fr.PreviousRiskLevel), color.HiWhiteString("→"), decorativeRisk(fr.RiskScore, fr.RiskLevel))))
- if fr.AlternatePath != "" {
- subtitle = fmt.Sprintf("Original Path (From): %s > %s\nOriginal Path (To): %s > %s\n", fr.PreviousAbsPath, fileName, fr.AlternatePath, fileName)
+ if fr.OriginalAbsPath != "" {
+ subtitle = fmt.Sprintf("Original Path (From): %s > %s\nOriginal Path (To): %s > %s\n", fr.PreviousAbsPath, fileName, fr.OriginalAbsPath, fileName)
 }
 }
diff --git a/pkg/report/report.go b/pkg/report/report.go
index b878592c..fb8c23a3 100644
--- a/pkg/report/report.go
+++ b/pkg/report/report.go
@@ -290,11 +290,11 @@ func Generate(
 }
 fr := bincapz.FileReport{
- Path: path,
- AlternatePath: aPath,
- SHA256: ptCheck,
- Meta: map[string]string{},
- Behaviors: map[string]bincapz.Behavior{},
+ Path: path,
+ OriginalAbsPath: aPath,
+ SHA256: ptCheck,
+ Meta: map[string]string{},
+ Behaviors: map[string]bincapz.Behavior{},
 }
 pledges := []string{}
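Review bot: In the @@ -141 hunk of terminal.go the `else` (Changed) branch assigns `subtitle = fmt.Sprintf("Original Path: %s > %s\n", fr.OriginalAbsPath, fileName)` unconditionally, while every other subtitle assignment in the hunk is guarded by `if fr.OriginalAbsPath != ""`. A changed file that was not extracted from an archive therefore gets a subtitle of `Original Path:  > <name>`, assuming renderTable prints whatever subtitle it is handed (renderTable is outside this hunk). Wrap that one assignment in the same guard so the Changed case behaves like Moved, Added and Deleted. Full's body continues beyond both ends of the hunk.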
diff --git a/rules/third_party/YARAForge/yara-rules-full.yar b/rules/third_party/YARAForge/yara-rules-full.yar index d2481910..411f9ec6 100644 --- a/rules/third_party/YARAForge/yara-rules-full.yar +++ b/rules/third_party/YARAForge/yara-rules-full.yar @@ -295054,7 +295054,7 @@ rule SIGNATURE_BASE_Empire_Powerup_Gen : FILE hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c" strings: - $s1 = "$Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath" fullword ascii + $s1 = "$Result = sc.exe config $($TargetService.Name) binPath= $OriginalAbsPath" fullword ascii $s2 = "$Result = sc.exe pause $($TargetService.Name)" fullword ascii condition: diff --git a/samples/Windows/2024.Sharp/sharpil_RAT.exe.md b/samples/Windows/2024.Sharp/sharpil_RAT.exe.md index 8dbfae55..7d9df14c 100644 --- a/samples/Windows/2024.Sharp/sharpil_RAT.exe.md +++ b/samples/Windows/2024.Sharp/sharpil_RAT.exe.md @@ -1,4 +1,4 @@ -## Scanned Path: Windows/2024.Sharp/sharpil_RAT.exe [🚨 CRITICAL] +## Windows/2024.Sharp/sharpil_RAT.exe [🚨 CRITICAL] | RISK | KEY | DESCRIPTION | EVIDENCE | |----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| diff --git a/samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md b/samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md index c3d45ee1..127658d0 100644 --- a/samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md +++ b/samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md 
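Review bot: The hunk in rules/third_party/YARAForge/yara-rules-full.yar rewrites a vendored signature: `$s1` of SIGNATURE_BASE_Empire_Powerup_Gen now searches for `$OriginalAbsPath`, the Go field introduced by this series, instead of the `$OriginalPath` string the upstream rule was written against, so the rule quietly stops matching what it is meant to detect. This looks like a repository-wide rename that was not restricted to Go sources; restore the upstream line `$s1 = "$Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath" fullword ascii` and exclude third_party rule files from bulk edits. The remaining hunks on this line only retitle sample markdown output.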
@@ -1,4 +1,29 @@ -## macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare [🔥 HIGH] +## macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare [🚨 CRITICAL] + +| RISK | KEY | DESCRIPTION | EVIDENCE | +|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| CRITICAL | [third_party/mthcht_thk_yara_rules](https://github.com/chainguard-dev/bincapz/blob/main/rules/third_party/mthcht_thk_yara_rules.yar#RDPassSpray_offensive_tool_keyword) | [Detection patterns for the tool 'RDPassSpray' taken from the ThreatHunting-Keywords github project](https://github.com/mthcht/ThreatHunting-Keywords), by @mthcht | [D](https://github.com/search?q=D&type=code)
[d](https://github.com/search?q=d&type=code) | +| HIGH | [combo/backdoor/net_term](https://github.com/chainguard-dev/bincapz/blob/main/rules/combo/backdoor/net_term.yara#spectralblur_alike) | uploads, provides a terminal, runs program | [_uname](https://github.com/search?q=_uname&type=code)
[_unlink](https://github.com/search?q=_unlink&type=code)
[_waitpid](https://github.com/search?q=_waitpid&type=code)
[execve](https://github.com/search?q=execve&type=code)
[shell](https://github.com/search?q=shell&type=code)
[tcsetattr](https://github.com/search?q=tcsetattr&type=code)
[upload](https://github.com/search?q=upload&type=code) | +| MEDIUM | [device/pseudo_terminal](https://github.com/chainguard-dev/bincapz/blob/main/rules/device/pseudo_terminal.yara#pty) | [pseudo-terminal access functions](https://man7.org/linux/man-pages/man3/grantpt.3.html) | [grantpt](https://github.com/search?q=grantpt&type=code)
[posix_openpt](https://github.com/search?q=posix_openpt&type=code)
[ptsname](https://github.com/search?q=ptsname&type=code)
[unlockpt](https://github.com/search?q=unlockpt&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/bincapz/blob/main/rules/exec/program.yara#execve) | executes external programs | [execve](https://github.com/search?q=execve&type=code) | +| MEDIUM | [kernel/uname/get](https://github.com/chainguard-dev/bincapz/blob/main/rules/kernel/uname-get.yara#uname) | [system identification (uname)](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | +| MEDIUM | [net/download](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/download.yara#download) | download files | [_proc_download_content](https://github.com/search?q=_proc_download_content&type=code) | +| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/ip-parse.yara#inet_addr) | parses IP address | [inet_addr](https://github.com/search?q=inet_addr&type=code) | +| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code) | +| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) | +| MEDIUM | [net/upload](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/upload.yara#upload) | uploads files | [upload](https://github.com/search?q=upload&type=code) | +| MEDIUM | [shell/exec](https://github.com/chainguard-dev/bincapz/blob/main/rules/shell/exec.yara#calls_shell) | executes shell | [/bin/sh](https://github.com/search?q=%2Fbin%2Fsh&type=code) | +| LOW | [env/SHELL](https://github.com/chainguard-dev/bincapz/blob/main/rules/env/SHELL.yara#SHELL) | [path to active 
shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/bincapz/blob/main/rules/exec/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [fs/file/delete](https://github.com/chainguard-dev/bincapz/blob/main/rules/fs/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlink](https://github.com/search?q=unlink&type=code) | +| LOW | [fs/symlink/resolve](https://github.com/chainguard-dev/bincapz/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | +| LOW | [net/hostname/resolve](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [_recv](https://github.com/search?q=_recv&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code) | +| LOW | [process/create](https://github.com/chainguard-dev/bincapz/blob/main/rules/process/create.yara#_fork) | [create child process](https://man7.org/linux/man-pages/man2/fork.2.html) | [_fork](https://github.com/search?q=_fork&type=code) | +| LOW | 
[process/multithreaded](https://github.com/chainguard-dev/bincapz/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | +| LOW | [process/username/get](https://github.com/chainguard-dev/bincapz/blob/main/rules/process/username-get.yara#getlogin) | [get login name](https://linux.die.net/man/3/getlogin) | [getlogin](https://github.com/search?q=getlogin&type=code) | +| LOW | [random/insecure](https://github.com/chainguard-dev/bincapz/blob/main/rules/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|--------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| From ad7f455361156f0d974c25c1bc9d624a616c2f38 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Str=C3=B6mberg?= Date: Mon, 6 May 2024 22:11:32 -0400 Subject: [PATCH 08/11] Improve rules based on LightSpy + add Huntress to third_party (#169) * improve heartbeat detection * Update testdata, include 3rd party rules * shorter ref link --- samples/macOS/2023.3CX/libffmpeg.dirty.mdiff | 2 +- .../SpectralBlur-macshare.md | 49 +++++++++---------- 2 files changed, 25 insertions(+), 26 deletions(-) diff --git a/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff b/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff index 103f3e8a..2471b60e 100644 --- a/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff +++ b/samples/macOS/2023.3CX/libffmpeg.dirty.mdiff 
@@ -1,6 +1,6 @@ ## Changed: . [⚠️ MEDIUM → 🚨 CRITICAL] -### 20 new behaviors +### 19 new behaviors | RISK | KEY | DESCRIPTION | EVIDENCE | |-----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| diff --git a/samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md b/samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md index 127658d0..f16ec671 100644 --- a/samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md +++ b/samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md 
@@ -1,29 +1,28 @@ -## macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare [🚨 CRITICAL] +## macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare [🔥 HIGH] -| RISK | KEY | DESCRIPTION | EVIDENCE | -|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| CRITICAL | [third_party/mthcht_thk_yara_rules](https://github.com/chainguard-dev/bincapz/blob/main/rules/third_party/mthcht_thk_yara_rules.yar#RDPassSpray_offensive_tool_keyword) | [Detection patterns for the tool 'RDPassSpray' taken from the ThreatHunting-Keywords github project](https://github.com/mthcht/ThreatHunting-Keywords), by @mthcht | [D](https://github.com/search?q=D&type=code)
[d](https://github.com/search?q=d&type=code) | -| HIGH | [combo/backdoor/net_term](https://github.com/chainguard-dev/bincapz/blob/main/rules/combo/backdoor/net_term.yara#spectralblur_alike) | uploads, provides a terminal, runs program | [_uname](https://github.com/search?q=_uname&type=code)
[_unlink](https://github.com/search?q=_unlink&type=code)
[_waitpid](https://github.com/search?q=_waitpid&type=code)
[execve](https://github.com/search?q=execve&type=code)
[shell](https://github.com/search?q=shell&type=code)
[tcsetattr](https://github.com/search?q=tcsetattr&type=code)
[upload](https://github.com/search?q=upload&type=code) | -| MEDIUM | [device/pseudo_terminal](https://github.com/chainguard-dev/bincapz/blob/main/rules/device/pseudo_terminal.yara#pty) | [pseudo-terminal access functions](https://man7.org/linux/man-pages/man3/grantpt.3.html) | [grantpt](https://github.com/search?q=grantpt&type=code)
[posix_openpt](https://github.com/search?q=posix_openpt&type=code)
[ptsname](https://github.com/search?q=ptsname&type=code)
[unlockpt](https://github.com/search?q=unlockpt&type=code) | -| MEDIUM | [exec/program](https://github.com/chainguard-dev/bincapz/blob/main/rules/exec/program.yara#execve) | executes external programs | [execve](https://github.com/search?q=execve&type=code) | -| MEDIUM | [kernel/uname/get](https://github.com/chainguard-dev/bincapz/blob/main/rules/kernel/uname-get.yara#uname) | [system identification (uname)](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | -| MEDIUM | [net/download](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/download.yara#download) | download files | [_proc_download_content](https://github.com/search?q=_proc_download_content&type=code) | -| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/ip-parse.yara#inet_addr) | parses IP address | [inet_addr](https://github.com/search?q=inet_addr&type=code) | -| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code) | -| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) | -| MEDIUM | [net/upload](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/upload.yara#upload) | uploads files | [upload](https://github.com/search?q=upload&type=code) | -| MEDIUM | [shell/exec](https://github.com/chainguard-dev/bincapz/blob/main/rules/shell/exec.yara#calls_shell) | executes shell | [/bin/sh](https://github.com/search?q=%2Fbin%2Fsh&type=code) | -| LOW | [env/SHELL](https://github.com/chainguard-dev/bincapz/blob/main/rules/env/SHELL.yara#SHELL) | [path to active 
shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | -| LOW | [exec/program/background](https://github.com/chainguard-dev/bincapz/blob/main/rules/exec/program-background.yara#waitpid) | [wait for process to exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | -| LOW | [fs/file/delete](https://github.com/chainguard-dev/bincapz/blob/main/rules/fs/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlink](https://github.com/search?q=unlink&type=code) | -| LOW | [fs/symlink/resolve](https://github.com/chainguard-dev/bincapz/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | -| LOW | [net/hostname/resolve](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) | -| LOW | [net/socket/receive](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [_recv](https://github.com/search?q=_recv&type=code) | -| LOW | [net/socket/send](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code) | -| LOW | [process/create](https://github.com/chainguard-dev/bincapz/blob/main/rules/process/create.yara#_fork) | [create child process](https://man7.org/linux/man-pages/man2/fork.2.html) | [_fork](https://github.com/search?q=_fork&type=code) | -| LOW | 
[process/multithreaded](https://github.com/chainguard-dev/bincapz/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | -| LOW | [process/username/get](https://github.com/chainguard-dev/bincapz/blob/main/rules/process/username-get.yara#getlogin) | [get login name](https://linux.die.net/man/3/getlogin) | [getlogin](https://github.com/search?q=getlogin&type=code) | -| LOW | [random/insecure](https://github.com/chainguard-dev/bincapz/blob/main/rules/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|--------|--------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| HIGH | [combo/backdoor/net_term](https://github.com/chainguard-dev/bincapz/blob/main/rules/combo/backdoor/net_term.yara#spectralblur_alike) | uploads, provides a terminal, runs program | [_uname](https://github.com/search?q=_uname&type=code)
[_unlink](https://github.com/search?q=_unlink&type=code)
[_waitpid](https://github.com/search?q=_waitpid&type=code)
[execve](https://github.com/search?q=execve&type=code)
[shell](https://github.com/search?q=shell&type=code)
[tcsetattr](https://github.com/search?q=tcsetattr&type=code)
[upload](https://github.com/search?q=upload&type=code) | +| MEDIUM | [device/pseudo_terminal](https://github.com/chainguard-dev/bincapz/blob/main/rules/device/pseudo_terminal.yara#pty) | [pseudo-terminal access functions](https://man7.org/linux/man-pages/man3/grantpt.3.html) | [grantpt](https://github.com/search?q=grantpt&type=code)
[posix_openpt](https://github.com/search?q=posix_openpt&type=code)
[ptsname](https://github.com/search?q=ptsname&type=code)
[unlockpt](https://github.com/search?q=unlockpt&type=code) | +| MEDIUM | [exec/program](https://github.com/chainguard-dev/bincapz/blob/main/rules/exec/program.yara#execve) | executes external programs | [execve](https://github.com/search?q=execve&type=code) | +| MEDIUM | [net/download](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/download.yara#download) | download files | [_proc_download_content](https://github.com/search?q=_proc_download_content&type=code) | +| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/ip-parse.yara#inet_addr) | parses IP address | [inet_addr](https://github.com/search?q=inet_addr&type=code) | +| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code) | +| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) | +| MEDIUM | [net/upload](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/upload.yara#upload) | uploads files | [upload_content](https://github.com/search?q=upload_content&type=code) | +| MEDIUM | [shell/exec](https://github.com/chainguard-dev/bincapz/blob/main/rules/shell/exec.yara#calls_shell) | executes shell | [/bin/sh](https://github.com/search?q=%2Fbin%2Fsh&type=code) | +| LOW | [env/SHELL](https://github.com/chainguard-dev/bincapz/blob/main/rules/env/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) | +| LOW | [exec/program/background](https://github.com/chainguard-dev/bincapz/blob/main/rules/exec/program-background.yara#waitpid) | [wait for process to 
exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) | +| LOW | [fs/file/delete](https://github.com/chainguard-dev/bincapz/blob/main/rules/fs/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlink](https://github.com/search?q=unlink&type=code) | +| LOW | [fs/symlink/resolve](https://github.com/chainguard-dev/bincapz/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) | +| LOW | [kernel/platform](https://github.com/chainguard-dev/bincapz/blob/main/rules/kernel/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) | +| LOW | [net/hostname/resolve](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) | +| LOW | [net/socket/receive](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [_recv](https://github.com/search?q=_recv&type=code) | +| LOW | [net/socket/send](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code) | +| LOW | [process/create](https://github.com/chainguard-dev/bincapz/blob/main/rules/process/create.yara#_fork) | [create child process](https://man7.org/linux/man-pages/man2/fork.2.html) | [_fork](https://github.com/search?q=_fork&type=code) | +| LOW | 
[process/multithreaded](https://github.com/chainguard-dev/bincapz/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | +| LOW | [process/username/get](https://github.com/chainguard-dev/bincapz/blob/main/rules/process/username-get.yara#getlogin) | [get login name](https://linux.die.net/man/3/getlogin) | [getlogin](https://github.com/search?q=getlogin&type=code) | +| LOW | [random/insecure](https://github.com/chainguard-dev/bincapz/blob/main/rules/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) | | RISK | KEY | DESCRIPTION | EVIDENCE | |--------|--------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| From 3e5926c9c413c47713ea14467a013a200fe42457 Mon Sep 17 00:00:00 2001 From: egibs Date: Tue, 7 May 2024 07:13:42 -0500 Subject: [PATCH 09/11] Make --ignore-self more precise (#194) * Make --ignore-self more precise * update flag description --- pkg/bincapz/bincapz.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pkg/bincapz/bincapz.go b/pkg/bincapz/bincapz.go index f29ea019..23ec053f 100644 --- a/pkg/bincapz/bincapz.go +++ b/pkg/bincapz/bincapz.go @@ -48,13 +48,11 @@ type FileReport struct { RiskLevel string `json:",omitempty" yaml:",omitempty"` PackageRisk []string `json:",omitempty" yaml:",omitempty"` -<<<<<<< HEAD IsBincapz bool `json:",omitempty" yaml:",omitempty"` -======= + // The original path for scanned archive files // When not scanning archives, this will be empty OriginalAbsPath string ->>>>>>> bf5a1eb (Address PR comments) } type DiffReport struct { From c7ca09d29054f76753681415f45721791ed1e849 Mon Sep 17 00:00:00 2001 From: egibs Date: Tue, 7 May 2024 08:12:29 -0500 Subject: [PATCH 10/11] Fix errant change --- rules/third_party/YARAForge/yara-rules-full.yar | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
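Review bot: The pkg/bincapz/bincapz.go hunk of PATCH 09 (@@ -48,13 +48,11) only deletes the three merge-conflict markers left in FileReport by the earlier patch and keeps `OriginalAbsPath` alongside `IsBincapz`, yet the commit title and body ("Make --ignore-self more precise", "update flag description") describe a flag change that is not in this diff. The message should state what the hunk does, e.g. `Remove leftover merge-conflict markers from FileReport`, or the flag change should be included so the history matches the code.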
diff --git a/rules/third_party/YARAForge/yara-rules-full.yar b/rules/third_party/YARAForge/yara-rules-full.yar
index 411f9ec6..d2481910 100644
--- a/rules/third_party/YARAForge/yara-rules-full.yar
+++ b/rules/third_party/YARAForge/yara-rules-full.yar
@@ -295054,7 +295054,7 @@ rule SIGNATURE_BASE_Empire_Powerup_Gen : FILE
 hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c"
 strings:
- $s1 = "$Result = sc.exe config $($TargetService.Name) binPath= $OriginalAbsPath" fullword ascii
+ $s1 = "$Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath" fullword ascii
 $s2 = "$Result = sc.exe pause $($TargetService.Name)" fullword ascii
 condition:
From cd28a2815ec2044d5f98fdebfe34fe65b51ffc42 Mon Sep 17 00:00:00 2001
From: egibs
Date: Tue, 7 May 2024 08:14:21 -0500
Subject: [PATCH 11/11] More rebase fixes
---
 .../SpectralBlur-macshare.md | 23 -------------------
 1 file changed, 23 deletions(-)
diff --git a/samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md b/samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md
index f16ec671..8c93d521 100644
--- a/samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md
+++ b/samples/macOS/2024.SpectralBlur.DPRK/SpectralBlur-macshare.md
@@ -24,26 +24,3 @@
 | LOW | [process/username/get](https://github.com/chainguard-dev/bincapz/blob/main/rules/process/username-get.yara#getlogin) | [get login name](https://linux.die.net/man/3/getlogin) | [getlogin](https://github.com/search?q=getlogin&type=code) |
 | LOW | [random/insecure](https://github.com/chainguard-dev/bincapz/blob/main/rules/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) |
-| RISK | KEY | DESCRIPTION | EVIDENCE |
-|--------|--------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| HIGH | [combo/backdoor/net_term](https://github.com/chainguard-dev/bincapz/blob/main/rules/combo/backdoor/net_term.yara#spectralblur_alike) | uploads, provides a terminal, runs program | [_uname](https://github.com/search?q=_uname&type=code)
[_unlink](https://github.com/search?q=_unlink&type=code)
[_waitpid](https://github.com/search?q=_waitpid&type=code)
[execve](https://github.com/search?q=execve&type=code)
[shell](https://github.com/search?q=shell&type=code)
[tcsetattr](https://github.com/search?q=tcsetattr&type=code)
[upload](https://github.com/search?q=upload&type=code) |
-| MEDIUM | [device/pseudo_terminal](https://github.com/chainguard-dev/bincapz/blob/main/rules/device/pseudo_terminal.yara#pty) | [pseudo-terminal access functions](https://man7.org/linux/man-pages/man3/grantpt.3.html) | [grantpt](https://github.com/search?q=grantpt&type=code)
[posix_openpt](https://github.com/search?q=posix_openpt&type=code)
[ptsname](https://github.com/search?q=ptsname&type=code)
[unlockpt](https://github.com/search?q=unlockpt&type=code) |
-| MEDIUM | [exec/program](https://github.com/chainguard-dev/bincapz/blob/main/rules/exec/program.yara#execve) | executes external programs | [execve](https://github.com/search?q=execve&type=code) |
-| MEDIUM | [net/download](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/download.yara#download) | download files | [_proc_download_content](https://github.com/search?q=_proc_download_content&type=code) |
-| MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/ip-parse.yara#inet_addr) | parses IP address | [inet_addr](https://github.com/search?q=inet_addr&type=code) |
-| MEDIUM | [net/ip/string](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntoa](https://github.com/search?q=inet_ntoa&type=code) |
-| MEDIUM | [net/socket/connect](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/socket-connect.yara#_connect) | [initiate a connection on a socket](https://linux.die.net/man/3/connect) | [_connect](https://github.com/search?q=_connect&type=code) |
-| MEDIUM | [net/upload](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/upload.yara#upload) | uploads files | [upload_content](https://github.com/search?q=upload_content&type=code) |
-| MEDIUM | [shell/exec](https://github.com/chainguard-dev/bincapz/blob/main/rules/shell/exec.yara#calls_shell) | executes shell | [/bin/sh](https://github.com/search?q=%2Fbin%2Fsh&type=code) |
-| LOW | [env/SHELL](https://github.com/chainguard-dev/bincapz/blob/main/rules/env/SHELL.yara#SHELL) | [path to active shell](https://man.openbsd.org/login.1#ENVIRONMENT) | [SHELL](https://github.com/search?q=SHELL&type=code) |
-| LOW | [exec/program/background](https://github.com/chainguard-dev/bincapz/blob/main/rules/exec/program-background.yara#waitpid) | [wait for process to 
exit](https://linux.die.net/man/2/waitpid) | [waitpid](https://github.com/search?q=waitpid&type=code) |
-| LOW | [fs/file/delete](https://github.com/chainguard-dev/bincapz/blob/main/rules/fs/file-delete.yara#unlink) | [deletes files](https://man7.org/linux/man-pages/man2/unlink.2.html) | [unlink](https://github.com/search?q=unlink&type=code) |
-| LOW | [fs/symlink/resolve](https://github.com/chainguard-dev/bincapz/blob/main/rules/fs/symlink-resolve.yara#realpath) | [resolves symbolic links](https://man7.org/linux/man-pages/man3/realpath.3.html) | [realpath](https://github.com/search?q=realpath&type=code) |
-| LOW | [kernel/platform](https://github.com/chainguard-dev/bincapz/blob/main/rules/kernel/platform.yara#uname) | [system identification](https://man7.org/linux/man-pages/man1/uname.1.html) | [uname](https://github.com/search?q=uname&type=code) |
-| LOW | [net/hostname/resolve](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/hostname-resolve.yara#gethostbyname) | [resolve network host name to IP address](https://linux.die.net/man/3/gethostbyname) | [gethostbyname](https://github.com/search?q=gethostbyname&type=code) |
-| LOW | [net/socket/receive](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/socket-receive.yara#recvmsg) | [receive a message from a socket](https://linux.die.net/man/2/recvmsg) | [_recv](https://github.com/search?q=_recv&type=code) |
-| LOW | [net/socket/send](https://github.com/chainguard-dev/bincapz/blob/main/rules/net/socket-send.yara#sendmsg) | [send a message to a socket](https://linux.die.net/man/2/sendmsg) | [_send](https://github.com/search?q=_send&type=code) |
-| LOW | [process/create](https://github.com/chainguard-dev/bincapz/blob/main/rules/process/create.yara#_fork) | [create child process](https://man7.org/linux/man-pages/man2/fork.2.html) | [_fork](https://github.com/search?q=_fork&type=code) |
-| LOW | 
[process/multithreaded](https://github.com/chainguard-dev/bincapz/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) |
-| LOW | [process/username/get](https://github.com/chainguard-dev/bincapz/blob/main/rules/process/username-get.yara#getlogin) | [get login name](https://linux.die.net/man/3/getlogin) | [getlogin](https://github.com/search?q=getlogin&type=code) |
-| LOW | [random/insecure](https://github.com/chainguard-dev/bincapz/blob/main/rules/random/insecure.yara#bsd_rand) | [generate random numbers insecurely](https://man.openbsd.org/rand) | [_rand](https://github.com/search?q=_rand&type=code)
[srand](https://github.com/search?q=srand&type=code) |