|
1 | 1 | { |
2 | 2 | "Files": { |
3 | | - "bpfdoor_2022.x86_64": { |
4 | | - "Meta": { |
5 | | - "compiler": "gcc" |
6 | | - }, |
| 3 | + "./Linux/bpfdoor_2022.x86_64": { |
7 | 4 | "Syscalls": [ |
8 | 5 | "accept", |
9 | 6 | "chroot", |
| 7 | + "connect", |
10 | 8 | "execve", |
11 | | - "getpid", |
12 | | - "getuid", |
13 | | - "ioctl", |
14 | | - "prctl", |
| 9 | + "fork", |
| 10 | + "select", |
15 | 11 | "sendmsg", |
16 | 12 | "sendto", |
17 | | - "setsid", |
18 | | - "setsockopt", |
19 | 13 | "unlink", |
20 | 14 | "utimes", |
21 | 15 | "vhangup" |
|
24 | 18 | "exec", |
25 | 19 | "fattr", |
26 | 20 | "inet", |
27 | | - "proc", |
28 | | - "rpath", |
| 21 | + "stdio", |
29 | 22 | "wpath" |
30 | 23 | ], |
31 | | - "Capabilities": [], |
32 | 24 | "Behaviors": { |
| 25 | + "3P/elastic/linux/bpfdoor": { |
| 26 | + "Description": "Detects Linux Trojan Bpfdoor (Linux.Trojan.BPFDoor)", |
| 27 | + "Strings": [ |
| 28 | + "$a1" |
| 29 | + ], |
| 30 | + "RiskScore": 4, |
| 31 | + "RiskLevel": "CRIT", |
| 32 | + "RuleAuthor": "Elastic Security", |
| 33 | + "RuleLicense": "https://github.com/elastic/protections-artifacts//blob/6d54ae289b290b1d42a7717569483f6ce907200a/LICENSE.txt" |
| 34 | + }, |
| 35 | + "3P/signature_base/redmenshen/bpfdoor": { |
| 36 | + "Description": "Detects BPFDoor implants used by Chinese actor Red Menshen", |
| 37 | + "Strings": [ |
| 38 | + "$op1", |
| 39 | + "$op2", |
| 40 | + "$op3", |
| 41 | + "$op4" |
| 42 | + ], |
| 43 | + "RiskScore": 4, |
| 44 | + "RiskLevel": "CRIT", |
| 45 | + "RuleAuthor": "Florian Roth (Nextron Systems)", |
| 46 | + "RuleLicense": "https://github.com/Neo23x0/signature-base/blob/cd7651d2ccf4158a35a8d1cc0441928f7d92818f/LICENSE" |
| 47 | + }, |
| 48 | + "combo/backdoor/linux/listen_terminal_exec": { |
| 49 | + "Description": "Listens, provides a terminal, runs program", |
| 50 | + "Strings": [ |
| 51 | + "/dev/ptmx", |
| 52 | + "execve", |
| 53 | + "grantpt", |
| 54 | + "listen" |
| 55 | + ], |
| 56 | + "RiskScore": 3, |
| 57 | + "RiskLevel": "HIGH" |
| 58 | + }, |
| 59 | + "combo/backdoor/linux/multiple_sys_commands": { |
| 60 | + "Description": "multiple sys commands", |
| 61 | + "Strings": [ |
| 62 | + "auditd", |
| 63 | + "systemd/systemd" |
| 64 | + ], |
| 65 | + "RiskScore": 3, |
| 66 | + "RiskLevel": "HIGH" |
| 67 | + }, |
33 | 68 | "device/pseudo_terminal": { |
34 | 69 | "Description": "pseudo-terminal access functions", |
35 | 70 | "Strings": [ |
36 | 71 | "grantpt", |
37 | 72 | "ptsname", |
38 | 73 | "unlockpt" |
39 | 74 | ], |
40 | | - "Risk": 1 |
| 75 | + "RiskScore": 2, |
| 76 | + "RiskLevel": "MED" |
41 | 77 | }, |
42 | 78 | "exec/program": { |
43 | | - "Description": "calls other programs", |
| 79 | + "Description": "executes another program", |
44 | 80 | "Strings": [ |
45 | 81 | "execve" |
46 | 82 | ], |
47 | | - "Risk": 1 |
| 83 | + "RiskScore": 2, |
| 84 | + "RiskLevel": "MED" |
48 | 85 | }, |
49 | 86 | "exec/program/background": { |
50 | 87 | "Description": "Waits for a process to exit", |
51 | 88 | "Strings": [ |
52 | 89 | "waitpid" |
53 | 90 | ], |
54 | | - "Risk": 1 |
| 91 | + "RiskScore": 1, |
| 92 | + "RiskLevel": "LOW" |
| 93 | + }, |
| 94 | + "exec/shell_command": { |
| 95 | + "Description": "execute a shell command", |
| 96 | + "Strings": [ |
| 97 | + "system" |
| 98 | + ], |
| 99 | + "RiskScore": 2, |
| 100 | + "RiskLevel": "MED" |
| 101 | + }, |
| 102 | + "fd/multiplex": { |
| 103 | + "Description": "monitor multiple file descriptors", |
| 104 | + "Strings": [ |
| 105 | + "select" |
| 106 | + ], |
| 107 | + "RiskScore": 1, |
| 108 | + "RiskLevel": "LOW" |
55 | 109 | }, |
56 | 110 | "fs/file/delete": { |
57 | 111 | "Description": "deletes files", |
58 | 112 | "Strings": [ |
59 | 113 | "unlink" |
60 | 114 | ], |
61 | | - "Risk": 1 |
| 115 | + "RiskScore": 1, |
| 116 | + "RiskLevel": "LOW" |
| 117 | + }, |
| 118 | + "fs/file/times/set": { |
| 119 | + "Description": "change file last access and modification times", |
| 120 | + "Strings": [ |
| 121 | + "utimes" |
| 122 | + ], |
| 123 | + "RiskScore": 2, |
| 124 | + "RiskLevel": "MED" |
| 125 | + }, |
| 126 | + "net/ip/byte/order": { |
| 127 | + "Description": "convert values between host and network byte order", |
| 128 | + "Strings": [ |
| 129 | + "htons" |
| 130 | + ], |
| 131 | + "RiskScore": 2, |
| 132 | + "RiskLevel": "MED" |
| 133 | + }, |
| 134 | + "net/ip/string": { |
| 135 | + "Description": "converts IP address from byte to string", |
| 136 | + "Strings": [ |
| 137 | + "inet_ntoa" |
| 138 | + ], |
| 139 | + "RiskScore": 2, |
| 140 | + "RiskLevel": "MED" |
| 141 | + }, |
| 142 | + "net/socket/connect": { |
| 143 | + "Description": "initiate a connection on a socket", |
| 144 | + "Strings": [ |
| 145 | + "connect" |
| 146 | + ], |
| 147 | + "RiskScore": 1, |
| 148 | + "RiskLevel": "LOW" |
62 | 149 | }, |
63 | 150 | "net/socket/listen": { |
64 | 151 | "Description": "listen on a socket", |
|
67 | 154 | "listen", |
68 | 155 | "socket" |
69 | 156 | ], |
70 | | - "Risk": 1 |
| 157 | + "RiskScore": 1, |
| 158 | + "RiskLevel": "LOW" |
71 | 159 | }, |
72 | 160 | "net/socket/receive": { |
73 | 161 | "Description": "receive a message from a socket", |
74 | 162 | "Strings": [ |
75 | 163 | "recvfrom" |
76 | 164 | ], |
77 | | - "Risk": 1 |
| 165 | + "RiskScore": 1, |
| 166 | + "RiskLevel": "LOW" |
78 | 167 | }, |
79 | 168 | "net/socket/send": { |
80 | 169 | "Description": "send a message to a socket", |
81 | 170 | "Strings": [ |
82 | 171 | "sendto" |
83 | 172 | ], |
84 | | - "Risk": 1 |
| 173 | + "RiskScore": 1, |
| 174 | + "RiskLevel": "LOW" |
| 175 | + }, |
| 176 | + "process/create": { |
| 177 | + "Description": "Create a new child process using fork", |
| 178 | + "Strings": [ |
| 179 | + "fork" |
| 180 | + ], |
| 181 | + "RiskScore": 1, |
| 182 | + "RiskLevel": "LOW" |
85 | 183 | }, |
86 | | - "proc/chroot": { |
| 184 | + "process/current/chroot": { |
87 | 185 | "Description": "change the location of root for the process", |
88 | 186 | "Strings": [ |
89 | 187 | "chroot" |
90 | 188 | ], |
91 | | - "Risk": 1 |
| 189 | + "RiskScore": 1, |
| 190 | + "RiskLevel": "LOW" |
92 | 191 | }, |
93 | 192 | "random/insecure": { |
94 | 193 | "Description": "generate random numbers insecurely", |
95 | 194 | "Strings": [ |
96 | 195 | "srand" |
97 | 196 | ], |
98 | | - "Risk": 1 |
| 197 | + "RiskScore": 1, |
| 198 | + "RiskLevel": "LOW" |
99 | 199 | }, |
100 | 200 | "ref/path/usr/sbin": { |
101 | 201 | "Description": "References paths within /usr/sbin", |
102 | 202 | "Strings": [ |
103 | 203 | "/usr/sbin/console-kit-daemon" |
104 | 204 | ], |
105 | | - "Risk": 1 |
| 205 | + "RiskScore": 1, |
| 206 | + "RiskLevel": "LOW" |
106 | 207 | }, |
107 | | - "service/daemon": { |
108 | | - "Description": "Run as a background daemon", |
| 208 | + "ref/program/ancient_gcc": { |
| 209 | + "Description": "built by archaic gcc version", |
109 | 210 | "Strings": [ |
110 | | - "daemon" |
| 211 | + "GCC: (GNU) 4.4.7" |
111 | 212 | ], |
112 | | - "Risk": 1 |
| 213 | + "RiskScore": 3, |
| 214 | + "RiskLevel": "HIGH" |
113 | 215 | }, |
114 | 216 | "tty/vhangup": { |
115 | 217 | "Description": "virtually hangup the current terminal", |
116 | 218 | "Strings": [ |
117 | 219 | "vhangup" |
118 | 220 | ], |
119 | | - "Risk": 1 |
| 221 | + "RiskScore": 1, |
| 222 | + "RiskLevel": "LOW" |
120 | 223 | } |
121 | | - }, |
122 | | - "FilteredBehaviors": 8 |
| 224 | + } |
123 | 225 | } |
124 | | - }, |
125 | | - "Filter": "harmless" |
| 226 | + } |
126 | 227 | } |