Reduce "HIGH" rule hits based on initial Wolfi analysis (#118)

tstromberg · web-flow · commit 9073a9aacb5f · 2024-04-12T16:24:41.000-04:00
* Decrease rate of HIGH alert triggers

* Fix base64_decode rule

* Revert ignoreTagsFlag change

* Split package_install, improve ssh auth key

* More rule cleanup

* Minor tweaks

* More risk score lowering
diff --git a/rules/admin/package-install.yara b/rules/admin/package-install.yara
@@ -1,4 +1,4 @@
-rule yum_installer : suspicious {
+rule yum_installer : notable {
   meta:
 	description = "Installs software using yum"
   strings:
@@ -7,7 +7,7 @@ rule yum_installer : suspicious {
 	$val
 }
 
-rule dnf_installer : suspicious {
+rule dnf_installer : notable {
   meta:
 	description = "Installs software using dnf"
   strings:
@@ -16,7 +16,7 @@ rule dnf_installer : suspicious {
 	$val
 }
 
-rule rpm_installer : suspicious {
+rule rpm_installer : notable {
   meta:
 	description = "Installs software using rpm"
   strings:
@@ -25,7 +25,7 @@ rule rpm_installer : suspicious {
 	$val
 }
 
-rule apt_installer : suspicious {
+rule apt_installer : notable {
   meta:
 	description = "Installs software using apt"
   strings:
@@ -34,7 +34,7 @@ rule apt_installer : suspicious {
 	$val
 }
 
-rule apt_get_installer : suspicious {
+rule apt_get_installer : notable {
   meta:
 	description = "Installs software using apt-get"
   strings:
@@ -45,7 +45,7 @@ rule apt_get_installer : suspicious {
 	$val and not $foo
 }
 
-rule apk_installer : suspicious {
+rule apk_installer : notable {
   meta:
 	description = "Installs software using APK"
   strings:
@@ -62,18 +62,3 @@ rule pip_installer_regex : notable {
   condition:
 	any of them
 }
-
-rule pip_installer : suspicious {
-  meta:
-	description = "Installs software using pip from python"
-  strings:
-    $pip_install = "os.system('pip install"
-    $pip_install_spaces = "'pip', 'install'"
-    $pip_install_args = "'pip','install'"
-    $pip3_install = "os.system('pip3 install"
-    $pip3_install_spaces = "'pip3', 'install'"
-    $pip3_install_args = "'pip3','install'"
-  condition:
-	any of them
-}
-
diff --git a/rules/admin/pip_install.yara b/rules/admin/pip_install.yara
@@ -0,0 +1,14 @@
+rule pip_installer : suspicious {
+  meta:
+	description = "Installs software using pip from python"
+  strings:
+    $pip_install = "os.system('pip install"
+    $pip_install_spaces = "'pip', 'install'"
+    $pip_install_args = "'pip','install'"
+    $pip3_install = "os.system('pip3 install"
+    $pip3_install_spaces = "'pip3', 'install'"
+    $pip3_install_args = "'pip3','install'"
+  condition:
+	any of them
+}
+
diff --git a/rules/admin/shutdown.yara b/rules/admin/shutdown.yara
@@ -1,5 +1,5 @@
 
-rule shutdown_s : suspicious {
+rule shutdown_val : notable {
   meta:
 	description = "calls shutdown command"
   strings:
diff --git a/rules/combo/backdoor/php.yara b/rules/combo/backdoor/php.yara
@@ -9,7 +9,7 @@ rule php_possible_backdoor : critical {
     hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
     hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad"
   strings:
-    $php = "php"
+    $php = "<?php"
     $php_or = "<? "
     $f_base64_decode = "base64_decode"
     $f_strrev = "strrev"
@@ -77,6 +77,7 @@ rule php_bin_hashbang : critical {
 
 rule php_urlvar_recon_exec : critical {
   meta:
+	description = "Runs programs, gets URL data, and looks up system info"
     ref = "Backdoor.PHP.Llama"
     hash_2023_PHP_Backdoor_PHP_Goonshell_a = "42e5fafe25af2d2600691a26144cc47320ccfd07a224b72452dfa7de2e86ece3"
     hash_2023_PHP_Backdoor_PHP_Llama = "8de0f8ef54bff5e3b694b7585dc66ef9fd5a4b019a6650b8a2211db888e59dac"
@@ -87,6 +88,8 @@ rule php_urlvar_recon_exec : critical {
     hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3"
     hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
   strings:
+    $php = "<?php"
+
     $e_popen = "popen("
     $e_exec = "exec("
     $f_uname = "uname("
@@ -96,7 +99,7 @@ rule php_urlvar_recon_exec : critical {
 
 	$not_php = "PHP_VERSION_ID"
   condition:
-    any of ($e*) and any of ($f*) and any of ($x*) and none of ($not*)
+    any of ($p*) and any of ($e*) and any of ($f*) and any of ($x*) and none of ($not*)
 }
 
 rule php_system_to_perl {
diff --git a/rules/combo/recon/capabilities.yara b/rules/combo/recon/capabilities.yara
@@ -1,6 +1,6 @@
-rule hostinfo_collector : suspicious {
+rule process_capabilities_val : notable {
   meta:
-	description = "enumerates process capabilities"
+	description = "enumerates Linux capabilities for process"
   strings:
 	$capsh = "capsh" fullword
 	$self_status = "/proc/self/status"
diff --git a/rules/combo/stealer/browser.yara b/rules/combo/stealer/browser.yara
@@ -54,10 +54,13 @@ rule multiple_browser_credentials_2 {
 }
 
 
-rule multiple_browser_refs : suspicious {
+rule multiple_browser_refs : notable {
   meta:
 	description = "Uses HTTP, archives, and references multiple browsers"
   strings:
+	$d_config = ".config" fullword
+	$d_app_support = "Application Support" fullword
+
 	$h_http = "http" fullword
 	$h_POST = "POST" fullword
 
@@ -72,5 +75,5 @@ rule multiple_browser_refs : suspicious {
 	$b_Safari = "Safari"
 	$b_Chrome = "Chrome"
   condition:
-    any of ($h*) and any of ($z*) and 2 of ($b*)
+    any of ($d*) and any of ($h*) and any of ($z*) and 2 of ($b*)
 }
diff --git a/rules/combo/stealer/telegram.yara b/rules/combo/stealer/telegram.yara
@@ -2,8 +2,7 @@ rule discord_password_post_chat : suspicious {
   meta:
 	description = "gets passwords, makes HTTP requests, and uses Telegram"
   strings:
-	$c3 = "api.telegram"
-	$c4 = "Telegram"
+	$c3 = "api.telegram.org"
 
 	$h1 = "get("
 	$h2 = "post("
diff --git a/rules/combo/wiper/crypto.yara b/rules/combo/wiper/crypto.yara
@@ -1,6 +1,7 @@
 
 rule uname_hostname_encrypt_wipe_kill : suspicious {
   meta:
+	description = "May encrypt, wipe files, and kill processes"
     hash_2023_Royal = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725"
     hash_2023_blackcat_x64 = "45b8678f74d29c87e2d06410245ab6c2762b76190594cafc9543fb9db90f3d4f"
     hash_2021_miner_gkqjh = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a"
diff --git a/rules/combo/worm/ssh.yara b/rules/combo/worm/ssh.yara
@@ -10,8 +10,10 @@ rule ssh_snake_worm : suspicious {
 
 	$u_base64 = "base64"
 	$u_uname = "uname"
+
+	$strict_host = "StrictHostKeyChecking"
   condition:
-	all of ($s*) and any of ($h*) and any of ($u*)
+	$strict_host and all of ($s*) and any of ($h*) and any of ($u*)
 }
 
 rule ssh_worm_router : suspicious {
diff --git a/rules/crypto/file-encrypter.yara b/rules/crypto/file-encrypter.yara
@@ -1,4 +1,4 @@
-rule file_crypter : suspicious {
+rule file_crypter : notable {
 	meta:
 		description = "Encrypts files"
 	strings:
diff --git a/rules/device/pseudo_terminal.yara b/rules/device/pseudo_terminal.yara
@@ -11,9 +11,9 @@ rule pty : notable {
 		2 of them
 }
 
-rule go_pty : suspicious {
+rule go_pty : notable {
 	meta:
-		description = "pseudo-terminal access"
+		description = "pseudo-terminal access from Go"
 	strings:
 		$ref = "creack/pty"
 	condition:
diff --git a/rules/evasion/base64-decode.yara b/rules/evasion/base64-decode.yara
@@ -1,8 +1,16 @@
-rule base64_decode : suspicious python {
+rule base64_decode : notable python {
   meta:
 	description = "decodes base64 strings"
   strings:
 	$b64decode = "b64decode"
+  condition:
+	any of them
+}
+
+rule urlsafe_decode64 : notable ruby {
+  meta:
+	description = "decodes base64 strings"
+  strings:
 	$urlsafe_decode64_ruby = "urlsafe_decode64"
   condition:
 	any of them
diff --git a/rules/evasion/fake-library.yara b/rules/evasion/fake-library.yara
@@ -1,4 +1,4 @@
-rule libnetresolv_fake : suspicious {
+rule libnetresolv_fake_val : suspicious {
   meta:
     ref = "https://cert.gov.ua/article/6123309"
 	description = "references fake library - possible dynamic library hijacking"
@@ -8,7 +8,7 @@ rule libnetresolv_fake : suspicious {
     any of them
 }
 
-rule libs_fake : suspicious {
+rule libs_fake_val : suspicious {
   meta:
     ref = "https://cert.gov.ua/article/6123309"
 	description = "references fake library, possible dynamic library hijacking"
@@ -19,7 +19,7 @@ rule libs_fake : suspicious {
 }
 
 
-rule libc_fake_number : suspicious {
+rule libc_fake_number_val : suspicious {
   meta:
     ref = "https://cert.gov.ua/article/6123309"
 	description = "references a non-standard libc library (normally libc.so.6)"
@@ -29,7 +29,7 @@ rule libc_fake_number : suspicious {
     any of them
 }
 
-rule hardcoded_usr_local_lib : suspicious {
+rule hardcoded_usr_local_lib_val : suspicious {
   meta:
     ref = "https://www.cadosecurity.com/migo-a-redis-miner-with-novel-system-weakening-techniques/"
 	description = "hardcodes /usr/local/lib path, possible dynamic library hijacking"
diff --git a/rules/evasion/fake-process-name.yara b/rules/evasion/fake-process-name.yara
@@ -1,4 +1,4 @@
-rule fake_kworker : critical {
+rule fake_kworker_val : critical {
   meta:
 	description = "Pretends to be a kworker kernel thread"
   strings:
@@ -18,12 +18,12 @@ rule fake_syslogd : critical {
 	any of them
 }
 
-rule bash_sets_name : critical {
+rule bash_sets_name_val : critical {
   meta:
 	description = "uses 'exec -a' to set a process name"
 	ref = "https://www.jamf.com/blog/cryptojacking-macos-malware-discovered-by-jamf-threat-labs/"
   strings:
-	$ref = "exec -a"
+	$ref = /exec -a[ \w\/\.]{0,64}/
   condition:
 	any of them
 }
diff --git a/rules/evasion/fake-user-agent.yara b/rules/evasion/fake-user-agent.yara
@@ -71,9 +71,9 @@ rule elf_faker_val : high {
   meta:
 	description = "Fake user agent inside ELF binary"
   strings:
-	$ref = /Mozilla\/5[\.\w ]{0,32}/
+	$val = /Mozilla\/5[\.\w ]{0,64}/
   condition:
-    uint32(0) == 1179403647 and $ref
+    uint32(0) == 1179403647 and $val
 }
 
 
diff --git a/rules/exfil/telegram.yara b/rules/exfil/telegram.yara
@@ -1,4 +1,3 @@
-
 rule telegram_bot : suspicious {
   meta:
     ref = "https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_suspicious.yar#L676"
diff --git a/rules/net/fetch-suspicious.yara b/rules/net/fetch-suspicious.yara
@@ -30,7 +30,7 @@ rule suspicious_fetch_command_val : suspicious {
     hash_2021_trojan_Gafgyt_DDoS = "1f94aa7ad1803a08dab3442046c9d96fc3d19d62189f541b07ed732e0d62bf05"
     hash_2021_trojan_Gafgyt_23DZ = "b34bb82ef2a0f3d02b93ed069fee717bd1f9ed9832e2d51b0b2642cb0b4f3891"
   strings:
-    $c_curl_d = /curl [\- \w]{0,16}-[ALCdOok][\/\- \w\%\(\{\}\'\"\)\$]{0,128}/
+    $c_curl_d = /curl [\- \w]{0,16}-[dOok][\/\- \w\%\(\{\}\'\"\)\$]{0,128}/
     $c_curl_insecure = /curl [\- \w]{0,128}--insecure[\/\- \w\%\(\{\}\'\"\)\$]{0,128}/
     $c_kinda_curl_silent_insecure = "--silent --insecure"
     $c_kinda_curl_silent_k = "-k --insecure"
diff --git a/rules/net/syncookie.yara b/rules/net/syncookie.yara
@@ -1,4 +1,7 @@
-rule syn_cookie : suspicious {
+rule syn_cookie : notable {
+  meta:
+	description = "references SYN cookies, used to resist DoS attacks"
+	ref = "https://en.wikipedia.org/wiki/SYN_cookies"
   strings:
     $syncookie = "syncookie"
     $syn_cookie = "syn_cookie"
diff --git a/rules/persist/ssh_authorized_keys.yara b/rules/persist/ssh_authorized_keys.yara
@@ -1,11 +1,12 @@
-rule ssh_authorized_key : suspicious {
+rule ssh_authorized_key_val : notable {
   meta:
     ref = "https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/"
 	description = "Accesses SSH authorized_keys"
   strings:
 	$ssh_ = ".ssh" fullword
 	$ssh2 = "authorized_keys"
 	$not_ssh_client = "SSH_AUTH_SOCK"
+	$not_example = "/home/user/.ssh/authorized_keys"
   condition:
      all of ($ssh*) and none of ($not*)
 }
diff --git a/rules/privesc/sudo.yara b/rules/privesc/sudo.yara
@@ -10,7 +10,7 @@ rule unusual_sudo_commands_value : suspicious {
   strings:
     $sudo_echo = /sudo echo[\"\%@\-\$\w]{0,32}/
     $sudo_u_echo = /sudo -u [\%@\-\$\w]{2,32} echo/
-    $sudo_u_args = /sudo -u [\%\$\{]{1,2}[ \%\$\w\/]{0,32}/
+    $sudo_u_args = /sudo -u [\%\$\{\}]{1,2}[ \%\$\w\/]{0,32}/
     $sudo_args =/sudo %@\"\%@\-\$\w]/
     $sudo_no_sleep = /[\|\"\w\-]{0,16}sudo -S[ \%\$\w\/]{1,32}/
     $sudo_bash = /sudo bash[\"\%@\-\$\w]{1,64}/
diff --git a/rules/ref/ip_port.yara b/rules/ref/ip_port.yara
@@ -1,9 +1,13 @@
-rule hardcoded_hostport2 : high {
+rule hardcoded_ip_port : high {
   meta:
 	description = "hardcoded IP:port destination"
   strings:
     $ipv4 = /([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}:\d{2,5}/ fullword
 	$not_ssdp = "239.255.255.250:1900"
+	$not_2181 = "10.101.203.230:2181"
+	$not_meta = "169.254.169.254:80"
+	$not_vnc = "10.10.10.10:5900"
+	$not_azure_pgsql = "20.66.25.58:5432"
   condition:
     any of ($ip*) and none of ($not*)
 }
diff --git a/rules/ref/path/var-log.yara b/rules/ref/path/var-log.yara
@@ -12,6 +12,7 @@ rule elf_var_log_path : suspicious {
 		description = "references paths within /var/log"
 	strings:
 		$ref = /\/var\/log\/[\%\w\.\-\/]{4,32}/ fullword
+		$not_amazon = "/var/log/amazon/"
 	condition:
-		uint32(0) == 1179403647 and $ref
+		uint32(0) == 1179403647 and $ref and none of ($not*)
 }
diff --git a/rules/ref/site/unusual.yara b/rules/ref/site/unusual.yara
@@ -14,6 +14,7 @@ rule unusual_http_hostname : suspicious {
     $not_electron = "ELECTRON_RUN_AS_NODE"
     $not_mail_ru = "go.mail.ru"
     $not_rambler = "novarambler.ru"
+	$not_localhost_app = "localhostapplication"
   condition:
     any of ($http*) and none of ($not_*)
 }
diff --git a/rules/ref/site/url-unusual.yara b/rules/ref/site/url-unusual.yara
@@ -1,7 +1,7 @@
 
 rule unusual_nodename {
   meta:
-	description = "Contains HTTP hostname with a long node namhe"
+	description = "Contains HTTP hostname with a long node name"
   strings:
     $ref = /https*:\/\/\w{16,}\//
   condition:
diff --git a/rules/ref/words/exploit.yara b/rules/ref/words/exploit.yara
@@ -10,6 +10,7 @@ rule exploiter : suspicious {
 		$ref6 = "Exploit" fullword
 		$ref7 = "Exploiting" fullword
 		$ref8 = "exploiting" fullword
+		$not_ms_example = "Drive-by Compromise"
 	condition:
-		any of them
+		any of ($ref*) and none of ($not*)		
 }
diff --git a/rules/ref/words/implant.yara b/rules/ref/words/implant.yara
@@ -5,6 +5,8 @@ rule implant : suspicious {
 		$ref = "implant" fullword
 		$ref2 = "IMPLANT" fullword
 		$ref3 = "Implant"
+
+		$not_ms_example = "Drive-by Compromise"
 	condition:
-		any of them
+		any of ($ref*) and none of ($not*)
 }
diff --git a/rules/secrets/firefox-cookies.yara b/rules/secrets/firefox-cookies.yara
diff --git a/rules/secrets/firefox-formhistory.yara b/rules/secrets/firefox-formhistory.yara
diff --git a/rules/secrets/keychain.yara b/rules/secrets/keychain.yara
diff --git a/rules/service/systemd.yara b/rules/service/systemd.yara
diff --git a/rules/techniques/code_eval.yara b/rules/techniques/code_eval.yara

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-rule file_crypter : suspicious {`
	`1`	`+rule file_crypter : notable {`
`2`	`2`	`meta:`
`3`	`3`	`description = "Encrypts files"`
`4`	`4`	`strings:`