
Commit b195a51

committed
Update testdata
1 parent df12068 commit b195a51


5 files changed

+393
-0
lines changed


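--- a/testdata/Linux/libnss_db.so.json
+++ b/testdata/Linux/libnss_db.so.json
@@ -0,0 +1,34 @@
+{
+"Files": {
+"./Linux/libnss_db.so": {
+"Behaviors": {
+"group/lookup": {
+"Description": "get entry from group database",
+"Strings": [
+"endgrent",
+"getgrent",
+"setgrent"
+],
+"RiskScore": 2,
+"RiskLevel": "MED"
+},
+"ref/path/var": {
+"Description": "References paths within /var",
+"Strings": [
+"/var/db/ethers.db",
+"/var/db/group.db",
+"/var/db/gshadow.db",
+"/var/db/netgroup.db",
+"/var/db/passwd.db",
+"/var/db/protocols.db",
+"/var/db/rpc.db",
+"/var/db/services.db",
+"/var/db/shadow.db"
+],
+"RiskScore": 1,
+"RiskLevel": "LOW"
+}
+}
+}
+}
+}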
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
{
2+
"Files": {
3+
"./Linux/roothelper_uselvjf23": {
4+
"Syscalls": [
5+
"execve"
6+
],
7+
"Pledge": [
8+
"exec"
9+
],
10+
"Behaviors": {
11+
"evasion/packer/shc": {
12+
"Description": "Binary generated with SHC (Shell Script Compiler)",
13+
"Strings": [
14+
"argv[0] nor $_"
15+
],
16+
"RiskScore": 3,
17+
"RiskLevel": "HIGH"
18+
},
19+
"exec/program": {
20+
"Description": "executes another program",
21+
"Strings": [
22+
"execvp"
23+
],
24+
"RiskScore": 2,
25+
"RiskLevel": "MED"
26+
}
27+
}
28+
}
29+
}
30+
}
Lines changed: 125 additions & 0 deletions
@@ -0,0 +1,125 @@
1+
{
2+
"Files": {
3+
"./Python/valryian_debug_setup.py": {
4+
"Syscalls": [
5+
"execve",
6+
"getuid",
7+
"pipe",
8+
"sysctl"
9+
],
10+
"Pledge": [
11+
"exec",
12+
"sysctl"
13+
],
14+
"Behaviors": {
15+
"combo/router/recon": {
16+
"Description": "recon commands",
17+
"Strings": [
18+
"hostname",
19+
"ifconfig",
20+
"uname -a",
21+
"whoami"
22+
],
23+
"RiskScore": 3,
24+
"RiskLevel": "HIGH"
25+
},
26+
"exec/pipe": {
27+
"Description": "Uses popen to launch a program and pipe output to/from it",
28+
"Strings": [
29+
"os.popen"
30+
],
31+
"RiskScore": 2,
32+
"RiskLevel": "MED"
33+
},
34+
"exec/program": {
35+
"Description": "executes another program",
36+
"Strings": [
37+
"system("
38+
],
39+
"RiskScore": 2,
40+
"RiskLevel": "MED"
41+
},
42+
"exec/shell_command": {
43+
"Description": "execute a shell command",
44+
"Strings": [
45+
"system"
46+
],
47+
"RiskScore": 2,
48+
"RiskLevel": "MED"
49+
},
50+
"fs/file/times/set": {
51+
"Description": "change file timestamps",
52+
"Strings": [
53+
"touch /tmp/.ttp-python-ran"
54+
],
55+
"RiskScore": 2,
56+
"RiskLevel": "MED"
57+
},
58+
"kernel/uname/get": {
59+
"Description": "get system identification (uname)",
60+
"Strings": [
61+
"uname"
62+
],
63+
"RiskScore": 2,
64+
"RiskLevel": "MED"
65+
},
66+
"net/fetch": {
67+
"Description": "executable calls fetch tool",
68+
"Strings": [
69+
"curl -"
70+
],
71+
"RiskScore": 1,
72+
"RiskLevel": "LOW"
73+
},
74+
"net/interface/list": {
75+
"Description": "list network interfaces and their associated addresses",
76+
"Strings": [
77+
"ifconfig"
78+
],
79+
"RiskScore": 1,
80+
"RiskLevel": "LOW"
81+
},
82+
"net/ip/external_address/query": {
83+
"Description": "public service to discover external IP address",
84+
"Strings": [
85+
"ifconfig.me"
86+
],
87+
"RiskScore": 3,
88+
"RiskLevel": "HIGH"
89+
},
90+
"process/current/whoami": {
91+
"Description": "returns the user name running this process",
92+
"Strings": [
93+
"whoami"
94+
],
95+
"RiskScore": 2,
96+
"RiskLevel": "MED"
97+
},
98+
"ref/path/hidden": {
99+
"Description": "Hidden file path in a system directory",
100+
"Strings": [
101+
"/tmp/.ttp-python-ran"
102+
],
103+
"RiskScore": 1,
104+
"RiskLevel": "LOW"
105+
},
106+
"ref/path/tmp": {
107+
"Description": "References paths within /tmp",
108+
"Strings": [
109+
"/tmp/.ttp-python-ran"
110+
],
111+
"RiskScore": 2,
112+
"RiskLevel": "MED"
113+
},
114+
"ref/site/url": {
115+
"Description": "contains embedded HTTPS URLs",
116+
"Strings": [
117+
"https://hooks.slack.com/services/__FAKE__/__TTP_BENCH__"
118+
],
119+
"RiskScore": 1,
120+
"RiskLevel": "LOW"
121+
}
122+
}
123+
}
124+
}
125+
}
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
{
2+
"Files": {
3+
"./does-nothing/does-nothing.go": {}
4+
}
5+
}
Lines changed: 199 additions & 0 deletions
@@ -0,0 +1,199 @@
1+
{
2+
"Files": {
3+
"./macOS/SpectralBlur-macshare": {
4+
"Syscalls": [
5+
"connect",
6+
"execve",
7+
"fork",
8+
"getlogin",
9+
"pthread_create",
10+
"recv",
11+
"send",
12+
"sendmsg",
13+
"sendto",
14+
"sysctl",
15+
"unlink"
16+
],
17+
"Pledge": [
18+
"exec",
19+
"id",
20+
"inet",
21+
"rpath",
22+
"sysctl",
23+
"wpath"
24+
],
25+
"Behaviors": {
26+
"combo/backdoor/generic/upload_terminal_exec": {
27+
"Description": "Uploads, provides a terminal, runs program",
28+
"Strings": [
29+
"_uname",
30+
"_unlink",
31+
"_waitpid",
32+
"execve",
33+
"shell",
34+
"tcsetattr",
35+
"upload"
36+
],
37+
"RiskScore": 3,
38+
"RiskLevel": "HIGH"
39+
},
40+
"device/pseudo_terminal": {
41+
"Description": "pseudo-terminal access functions",
42+
"Strings": [
43+
"grantpt",
44+
"posix_openpt",
45+
"ptsname",
46+
"unlockpt"
47+
],
48+
"RiskScore": 2,
49+
"RiskLevel": "MED"
50+
},
51+
"env/SHELL": {
52+
"Description": "SHELL",
53+
"Strings": [
54+
"SHELL"
55+
],
56+
"RiskScore": 1,
57+
"RiskLevel": "LOW"
58+
},
59+
"exec/program": {
60+
"Description": "executes another program",
61+
"Strings": [
62+
"execve"
63+
],
64+
"RiskScore": 2,
65+
"RiskLevel": "MED"
66+
},
67+
"exec/program/background": {
68+
"Description": "Waits for a process to exit",
69+
"Strings": [
70+
"waitpid"
71+
],
72+
"RiskScore": 1,
73+
"RiskLevel": "LOW"
74+
},
75+
"fs/file/delete": {
76+
"Description": "deletes files",
77+
"Strings": [
78+
"unlink"
79+
],
80+
"RiskScore": 1,
81+
"RiskLevel": "LOW"
82+
},
83+
"fs/symlink/resolve": {
84+
"Description": "resolves symbolic links",
85+
"Strings": [
86+
"realpath"
87+
],
88+
"RiskScore": 1,
89+
"RiskLevel": "LOW"
90+
},
91+
"kernel/uname/get": {
92+
"Description": "get system identification (uname)",
93+
"Strings": [
94+
"uname"
95+
],
96+
"RiskScore": 2,
97+
"RiskLevel": "MED"
98+
},
99+
"net/download": {
100+
"Description": "Downloads files",
101+
"Strings": [
102+
"download"
103+
],
104+
"RiskScore": 2,
105+
"RiskLevel": "MED"
106+
},
107+
"net/hostname/resolve": {
108+
"Description": "resolves network hosts via name",
109+
"Strings": [
110+
"gethostbyname"
111+
],
112+
"RiskScore": 1,
113+
"RiskLevel": "LOW"
114+
},
115+
"net/ip/parse": {
116+
"Description": "Parse an IP address",
117+
"Strings": [
118+
"inet_addr"
119+
],
120+
"RiskScore": 2,
121+
"RiskLevel": "MED"
122+
},
123+
"net/ip/string": {
124+
"Description": "converts IP address from byte to string",
125+
"Strings": [
126+
"inet_ntoa"
127+
],
128+
"RiskScore": 2,
129+
"RiskLevel": "MED"
130+
},
131+
"net/socket/connect": {
132+
"Description": "initiate a connection on a socket",
133+
"Strings": [
134+
"_connect"
135+
],
136+
"RiskScore": 1,
137+
"RiskLevel": "LOW"
138+
},
139+
"net/socket/receive": {
140+
"Description": "receive a message from a socket",
141+
"Strings": [
142+
"_recv"
143+
],
144+
"RiskScore": 1,
145+
"RiskLevel": "LOW"
146+
},
147+
"net/socket/send": {
148+
"Description": "send a message to a socket",
149+
"Strings": [
150+
"_send"
151+
],
152+
"RiskScore": 1,
153+
"RiskLevel": "LOW"
154+
},
155+
"net/upload": {
156+
"Description": "Uploads files",
157+
"Strings": [
158+
"upload"
159+
],
160+
"RiskScore": 2,
161+
"RiskLevel": "MED"
162+
},
163+
"process/create": {
164+
"Description": "Create a new child process using fork",
165+
"Strings": [
166+
"_fork"
167+
],
168+
"RiskScore": 1,
169+
"RiskLevel": "LOW"
170+
},
171+
"process/current/username/get": {
172+
"Description": "get login name",
173+
"Strings": [
174+
"getlogin"
175+
],
176+
"RiskScore": 1,
177+
"RiskLevel": "LOW"
178+
},
179+
"process/thread/create": {
180+
"Description": "create a new thread",
181+
"Strings": [
182+
"pthread_create"
183+
],
184+
"RiskScore": 2,
185+
"RiskLevel": "MED"
186+
},
187+
"random/insecure": {
188+
"Description": "generate random numbers insecurely",
189+
"Strings": [
190+
"_rand",
191+
"srand"
192+
],
193+
"RiskScore": 1,
194+
"RiskLevel": "LOW"
195+
}
196+
}
197+
}
198+
}
199+
}
