Reduce false positives/increase signal for various languages, tools, and packages (#838)

egibs · web-flow · commit 648b547b3a9d · 2025-03-26T13:16:28.000-05:00
* Reduce false positives/increase signal for various languages, tools, and packages

Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;

* Fix false positive for jitsu package

Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;

* Address PR comments

Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;

* Address psutil test_windows.py false positive

Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;

* Run make yara-x-fmt

Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;

---------

Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;
diff --git a/pkg/compile/compile.go b/pkg/compile/compile.go
@@ -36,6 +36,7 @@ var badRules = map[string]bool{
 	"SECUINFRA_SUSP_Powershell_Base64_Decode":             true,
 	"SIGNATURE_BASE_SUSP_ELF_LNX_UPX_Compressed_File":     true,
 	"DELIVRTO_SUSP_SVG_Foreignobject_Nov24":               true,
+	"CAPE_Eternalromance":                                 true,
 	// ThreatHunting Keywords (some duplicates)
 	"Adobe_XMP_Identifier":                       true,
 	"Antivirus_Signature_signature_keyword":      true,
diff --git a/rules/anti-behavior/blocklist/user.yara b/rules/anti-behavior/blocklist/user.yara
@@ -37,6 +37,7 @@ rule common_username_block_list: critical {
     $ = "test" fullword
     $ = "w0fjuOVmCcP5A" fullword
 
+    $not_jitsu     = "jitsu.com"
     $not_redpanda  = "redpanda"
     $not_wireshark = "wireshark.org"
 
diff --git a/rules/anti-static/base64/obfuscated_caller.yara b/rules/anti-static/base64/obfuscated_caller.yara
@@ -14,6 +14,8 @@ rule obfuscated_caller_base64_str_replace: critical {
     $i = "'b'.'ase'.'6'.'4"
     $j = "'bas'.'e'.'6'.'4"
 
+    $not_unrelated1 = "_bias_eb604"
+
   condition:
-    any of them
+    any of them and none of ($not*)
 }
diff --git a/rules/anti-static/obfuscation/python.yara b/rules/anti-static/obfuscation/python.yara
@@ -1,3 +1,5 @@
+import "hash"
+
 private rule probably_python {
   strings:
     $import   = "import "
@@ -349,6 +351,10 @@ rule rename_base64: critical {
   strings:
     $ref = /import base64 as \w{0,64}/
 
+    $not_numcodecs1 = "Codec providing base64 compression via the Python standard library."
+    $not_numcodecs2 = "codec_id = \"base64\""
+    $not_numcodecs3 = "# normalise inputs"
+    $not_numcodecs4 = "# do compression"
     $not_open_clip1 = "class ResampledShards2(IterableDataset)"
     $not_open_clip2 = "class SyntheticDataset(Dataset)"
 
@@ -494,7 +500,9 @@ rule import_manipulator: critical {
     $def     = "def "
 
   condition:
-    filesize < 10MB and all of them
+    // a91160135598f3decc8ca9f9b019dcc5e1d73e79ebe639548cd9ee9e6d007ea6 is the sha256 hash
+    // for https://github.com/pypy/pypy/blob/main/lib-python/2.7/pickle.py
+    filesize < 10MB and (hash.sha256(0, filesize) != "a91160135598f3decc8ca9f9b019dcc5e1d73e79ebe639548cd9ee9e6d007ea6") and all of them
 }
 
 rule bloated_hex_python: high {
@@ -518,5 +526,4 @@ rule bloated_hex_python: high {
 
   condition:
     filesize > 512KB and filesize < 10MB and 90 % of ($f*) and none of ($not*)
-
 }
diff --git a/rules/evasion/mimicry/fake-process.yara b/rules/evasion/mimicry/fake-process.yara
@@ -3,11 +3,13 @@ rule fake_kworker: critical linux {
     description = "Pretends to be a kworker kernel thread"
 
   strings:
-    $kworker  = /\[{0,1}kworker\/[\w\%:\-\]]{1,16}/
-    $kworker3 = "[kworker"
+    $kworker1 = /\[{0,1}kworker\/[\w\%:\-\]]{1,16}/
+    $kworker2 = "[kworker"
+
+    $not_rescue = "kworker/R-%s"
 
   condition:
-    filesize < 100MB and any of ($k*)
+    filesize < 100MB and any of ($kworker*) and none of ($not*)
 }
 
 rule kworker: medium linux {
diff --git a/rules/exfil/stealer/wallet.yara b/rules/exfil/stealer/wallet.yara
@@ -30,6 +30,9 @@ rule crypto_stealer_names: critical {
     $not_js          = /\"js\": \{[^}]{0,64}/
     $not_scriptsrc   = /\"scriptSrc\": "([^"]{0,64})"/
     $not_website     = /\"website\": "([^"]{0,64})"/
+    $not_clef1       = "These data types are defined in the channel between clef and the UILedger"
+    $not_clef2       = "The `transaction` (on input into clef) can have either `data` or `input`"
+    $not_geth_site   = "https://geth.ethereum.org"
 
   condition:
     filesize < 100MB and $http and 2 of ($w*) and none of ($not*)
diff --git a/rules/false_positives/gitlab.yara b/rules/false_positives/gitlab.yara
@@ -0,0 +1,15 @@
+rule exec_regex: override {
+  meta:
+    description                         = "csv_builder_spec.rb"
+    SEKOIA_Technique_Csv_Dde_Exec_Regex = "low"
+
+  strings:
+    $example1 = "shared_examples 'excel sanitization' do"
+    $example2 = "'sanitizes dangerous characters at the beginning of a column'"
+    $example3 = "'does not sanitize safe symbols at the beginning of a column'"
+    $example4 = "'when dangerous characters are after a line break'"
+    $example5 = "'does not append single quote to description'"
+
+  condition:
+    filesize < 8192 and all of them
+}
diff --git a/rules/false_positives/nmap.yara b/rules/false_positives/nmap.yara
@@ -13,3 +13,16 @@ rule nmap_fingerprints: override {
   condition:
     filesize < 512KB and $description and $license and #fingerprint > 0
 }
+
+rule nping_bin: override {
+  meta:
+    description               = "/usr/bin/nping"
+    SEKOIA_Tool_Nping_Strings = "medium"
+
+  strings:
+    $nping = "Usage: nping [Probe mode] [Options] {target specification}"
+    $site  = "https://nmap.org/nping"
+
+  condition:
+    filesize < 1MB and all of them
+}
diff --git a/rules/false_positives/psutil.yara b/rules/false_positives/psutil.yara
@@ -0,0 +1,17 @@
+rule test_windows: override {
+  meta:
+    description                                    = "test_windows.py"
+    SIGNATURE_BASE_Powershell_Susp_Parameter_Combo = "low"
+
+  strings:
+    $cext     = "cext = psutil._psplatform.cext"
+    $class    = "class WindowsTestCase(PsutilTestCase)"
+    $comment1 = "\"\"\"Windows specific tests.\"\"\""
+    $comment2 = "\"\"\"Currently not used, but available just in case. Usage:"
+    $comment3 = ">>> powershell("
+    $comment4 = "Get-CIMInstance Win32_PageFileUsage | Select AllocatedBaseSize\")"
+    $import   = "import psutil"
+
+  condition:
+    filesize < 40KB and all of them
+}
diff --git a/rules/impact/remote_access/py_setuptools.yara b/rules/impact/remote_access/py_setuptools.yara
@@ -106,8 +106,10 @@ rule setuptools_exec: medium {
   strings:
     $f_exec = /exec\([\"\'\/\w\,\.\ \-\)\(]{1,64}\)/ fullword
 
+    $not_hopper = "with open(\" hopper /__version__.py\") as fp:"
+
   condition:
-    remote_access_pythonSetup and any of ($f*)
+    remote_access_pythonSetup and any of ($f*) and none of ($not*)
 }
 
 rule setuptools_exec_high: high {
diff --git a/rules/impact/remote_access/reverse_shell.yara b/rules/impact/remote_access/reverse_shell.yara
@@ -56,10 +56,12 @@ rule perl_reverse_shell: critical {
     $redir_single = "'>&"
     $sh_i         = "sh -i"
 
-    $not_yarn1 = "If the package is not specified, Yarn will default to the current workspace."
-    $not_yarn2 = "yarn npm"
-    $not_yarn3 = "@yarnpkg"
-    $not_yarn4 = "YARN_"
+    $not_comment1 = "Upgrade all instances of lodash to the latest release, but ask confirmation for each"
+    $not_comment2 = "$0 up lodash -i"
+    $not_yarn1    = "If the package is not specified, Yarn will default to the current workspace."
+    $not_yarn2    = "yarn npm"
+    $not_yarn3    = "@yarnpkg"
+    $not_yarn4    = "YARN_"
 
   condition:
     $socket and $open and any of ($redir*) and $sh_i and none of ($not*)

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,8 @@ rule obfuscated_caller_base64_str_replace: critical {`
`14`	`14`	`$i = "'b'.'ase'.'6'.'4"`
`15`	`15`	`$j = "'bas'.'e'.'6'.'4"`
`16`	`16`
	`17`	`+ $not_unrelated1 = "_bias_eb604"`
	`18`	`+`
`17`	`19`	`condition:`
`18`		`- any of them`
	`20`	`+ any of them and none of ($not*)`
`19`	`21`	`}`