2025/08/04 false positive reduction (#1072)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

pkg/compile/compile.go

@@ -38,6 +38,7 @@ var badRules = map[string]bool{
 	"DELIVRTO_SUSP_SVG_Foreignobject_Nov24":               true,
 	"CAPE_Eternalromance":                                 true,
 	"CAPE_Formhookb":                                      true,
+	"TELEKOM_SECURITY_Cn_Utf8_Windows_Terminal":           true,
 	// ThreatHunting Keywords (some duplicates)
 	"Adobe_XMP_Identifier":                       true,
 	"Antivirus_Signature_signature_keyword":      true,
@@ -72,7 +73,8 @@ var badRules = map[string]bool{
 	"malware_PlugX_config":   true,
 	"malware_shellcode_hash": true,
 	// bartblaze
-	"Rclone": true,
+	"Rclone":                        true,
+	"Extract_MachineKey_SharePoint": true,
 	// Rules that are incompatible with yara-x (unescaped braces in regex strings)
 	"RTF_Header_Obfuscation":    true,
 	"RTF_File_Malformed_Header": true,

pkg/report/report.go

@@ -821,8 +821,7 @@ func handleOverrides(original, override []*malcontent.Behavior, minScore int, sc
 		// append every behavior so we can handle filtering correctly
 		if scan && quantityIncreasesRisk && b.RiskScore >= HIGH {
 			modified = append(modified, b)
-		}
-		if b.RiskScore >= minScore {
+		} else if !scan && b.RiskScore >= minScore {
 			modified = append(modified, b)
 		}
 	}

rules/anti-behavior/blocklist/user.yara

@@ -37,6 +37,13 @@ rule common_username_block_list: high {
     $ = "test" fullword
     $ = "w0fjuOVmCcP5A" fullword
 
+    $not_gpt_tokenizer1 = "GPTTokenizer"
+    $not_gpt_tokenizer2 = "GPT-4"
+    $not_gpt_tokenizer3 = "const bpe = c0.concat();"
+    $not_gpt_tokenizer4 = "const bpe = c0.concat(c1);"
+    $not_gpt_tokenizer5 = "export default bpe;"
+    $not_vale           = "github.com/errata-ai/vale"
+
   condition:
-    12 of them
+    12 of them and none of ($not*)
 }

rules/anti-static/obfuscation/bitwise.yara

@@ -138,7 +138,9 @@ rule unsigned_bitwise_math_excess: high {
     $left  = /[a-z]\>\>\>\d{1,3}/
     $right = /[a-z]\>\>\>\d{1,3}/
 
-    $not_webpack = "webpack-api-runtime.js" fullword
+    $not_elastic1 = "/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements."
+    $not_elastic2 = "* Licensed under the Elastic License 2.0; you may not use this file except in compliance with the Elastic License 2.0. */"
+    $not_webpack  = "webpack-api-runtime.js" fullword
 
   condition:
     filesize < 5MB and $function and $charAt and (#left > 50 or #right > 50) and none of ($not*)

rules/c2/addr/ip.yara

@@ -56,13 +56,15 @@ rule http_hardcoded_ip: high exfil {
     description = "hardcoded IP address within a URL"
 
   strings:
-    $ipv4         = /https*:\/\/([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}[:\/\w\-\?\.\=]{0,64}/
-    $not_metadata = "http://169.254.169.254"
-    $not_100      = "http://100.100.100"
-    $not_11       = "http://11.11.11"
-    $not_192      = "http://192.168"
-    $not_169      = "http://169.254"
-    $not_aria     = "http://210.104.33.10/ARIA/"
+    $ipv4             = /https*:\/\/([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}[:\/\w\-\?\.\=]{0,64}/
+    $not_metadata     = "http://169.254.169.254"
+    $not_100          = "http://100.100.100"
+    $not_11           = "http://11.11.11"
+    $not_192          = "http://192.168"
+    $not_169          = "http://169.254"
+    $not_aria         = "http://210.104.33.10/ARIA/"
+    $not_placeholder1 = "placeholder:\"e.g. https://192.168.99.200:443/api\""
+    $not_placeholder2 = "placeholder:\"e.g. http://138.68.74.142:7860\""
 
   condition:
     $ipv4 and none of ($not*)

rules/evasion/file/location/dev-shm.yara

@@ -40,6 +40,7 @@ rule dev_shm_file: high linux {
     $not_yarn3         = "@yarnpkg"
     $not_yarn4         = "YARN_"
     $not_yarn5         = "b.mkdir(\"/dev/shm/tmp\")"
+    $not_libheif       = "EA.mkdir(\"/dev/shm\"),EA.mkdir(\"/dev/shm/tmp\")"
 
   condition:
     $ref and none of ($not*) and not dev_shm_mkstemp

rules/evasion/mimicry/fake-process.yara

@@ -46,8 +46,10 @@ rule fake_bash: high {
   strings:
     $bash = "-bash" fullword
 
+    $not_kong_template = "name: {{ template \"kong.fullname\" . }}-bash-wait-for-postgres"
+
   condition:
-    filesize < 8KB and $bash
+    filesize < 8KB and $bash and none of ($not*)
 }
 
 rule fake_systemd: critical linux {

rules/evasion/rootkit/userspace.yara

@@ -58,6 +58,7 @@ rule readdir_dlsym_interceptor: high {
     $f_readlink_maybe_not_needed = "readlink"
     $f_proc                      = "/proc"
 
+    $not_j9   = "j9port_" fullword
     $not_sbcl = "SBCL_HOME" fullword
 
   condition:

rules/exec/remote_commands/code_eval.yara

@@ -75,8 +75,11 @@ rule js_eval_obfuscated_fromChar: high {
     $eval = /[\s\{]eval\(/
     $ref  = /fromCharCode\(\w{0,16}\s{0,2}[\-\+\*\^]{0,2}\w{0,16}/
 
+    $not_elastic1 = "/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements."
+    $not_elastic2 = "* Licensed under the Elastic License 2.0; you may not use this file except in compliance with the Elastic License 2.0. */"
+
   condition:
-    filesize < 5MB and all of them and math.abs(@eval - @ref) > 384
+    filesize < 5MB and all of them and math.abs(@eval - @ref) > 384 and none of ($not*)
 }
 
 rule js_anonymous_function: medium {

rules/exfil/stealer/creds.yara

@@ -3,34 +3,39 @@ rule suspected_data_stealer: high {
     description = "suspected data stealer"
 
   strings:
-    $e_atomic        = "Atomic" fullword
-    $e_bitcoin       = "Bitcoin" fullword
-    $e_chromium      = "Chromium"
-    $e_chrome        = "Chrome" fullword
-    $e_firefox       = "Firefox"
-    $e_openvpn       = "OpenVPN"
-    $s_bookmarks     = "Bookmarks"
-    $s_history       = "History"
-    $s_binance       = "Binance"
-    $s_discord       = "Discord"
-    $s_electrum      = "Electrum"
-    $s_electrum2     = "/.elect"
-    $s_exodus        = "Exodus"
-    $s_exodus_ext    = "aholpfdial"
-    $s_crypto        = "cfgodnhcel"
-    $s_obs           = "obs-studio"
-    $s_pidgin        = "Pidgin"
-    $s_snowflake     = "Snowflake"
-    $s_telegram      = "Telegram"
-    $s_zcash         = "Zcash"
-    $s_zip           = "zip -r"
-    $s_login         = "Login Data"
-    $not_electron    = "ELECTRON_RUN_AS_NODE"
-    $not_chromium    = "RasterCHROMIUM"
-    $not_descriptive = "Binance Pay is a contactless"
+    $e_atomic           = "Atomic" fullword
+    $e_bitcoin          = "Bitcoin" fullword
+    $e_chromium         = "Chromium"
+    $e_chrome           = "Chrome" fullword
+    $e_firefox          = "Firefox"
+    $e_openvpn          = "OpenVPN"
+    $s_bookmarks        = "Bookmarks"
+    $s_history          = "History"
+    $s_binance          = "Binance"
+    $s_discord          = "Discord"
+    $s_electrum         = "Electrum"
+    $s_electrum2        = "/.elect"
+    $s_exodus           = "Exodus"
+    $s_exodus_ext       = "aholpfdial"
+    $s_crypto           = "cfgodnhcel"
+    $s_obs              = "obs-studio"
+    $s_pidgin           = "Pidgin"
+    $s_snowflake        = "Snowflake"
+    $s_telegram         = "Telegram"
+    $s_zcash            = "Zcash"
+    $s_zip              = "zip -r"
+    $s_login            = "Login Data"
+    $not_chromium       = "RasterCHROMIUM"
+    $not_descriptive    = "Binance Pay is a contactless"
+    $not_electron       = "ELECTRON_RUN_AS_NODE"
+    $not_gpt_tokenizer1 = "GPTTokenizer"
+    $not_gpt_tokenizer2 = "GPT-4"
+    $not_gpt_tokenizer3 = "const bpe = c0.concat();"
+    $not_gpt_tokenizer4 = "const bpe = c0.concat(c1);"
+    $not_gpt_tokenizer5 = "export default bpe;"
 
   condition:
-    (8 of them and none of ($not*)) or 5 of ($s*)
+    (8 of them or 5 of ($s*)) and none of ($not*)
 }
 
 rule steal_creds: high {