chainguard-dev / bincapz

detect malicious program behaviors
Apache License 2.0

Add ThreatHunting-Keywords-yara-rules #160

Closed egibs closed 2 months ago

egibs commented 3 months ago

Closes: https://github.com/chainguard-dev/bincapz/issues/61

This PR adds the YARA rules from https://github.com/mthcht/ThreatHunting-Keywords-yara-rules and adds an additional RuleProject field to better attribute third-party rules.

The major caveat with these rules is that they trigger macOS' malware protections which sudo xattr -d ..., and sudo spctl --master-disable cannot bypass. I did test csrutil disable but that is neither a solution nor advisable.

Once the image is updated with these changes, it should be trivial for macOS users to run the containerized version of bincapz if --third-party rules are needed. Related to this, I set --third-party to false by default so that macOS users aren't hit with the will damage your computer prompt.

Example output:

$ go run . --third-party samples/Windows/2024.GitHub.Clipper/main.exe
samples/Windows/2024.GitHub.Clipper/main.exe [🚨 CRITICAL]
------------------------------------------------------------------------------------------------------------------------------------------------------
RISK  KEY                               DESCRIPTION                                             EVIDENCE
------------------------------------------------------------------------------------------------------------------------------------------------------
LOW   compression/gzip                  works with gzip files                                   gzip
LOW   crypto/aes                        Supports AES (Advanced Encryption Standard)             crypto/aes
LOW   crypto/ecdsa                      Uses the Go crypto/ecdsa library                        crypto/ecdsa
LOW   crypto/ed25519                    Elliptic curve algorithm used by TLS and SSH            ed25519
LOW   crypto/tls                        tls                                                     TLS13
                                                                                                TLSVersion
                                                                                                crypto/tls
LOW   encoding/base64                   Supports base64 encoded strings                         base64
LOW   encoding/json                     Supports JSON encoded objects                           encoding/json
LOW   encoding/json/decode              Decodes JSON messages                                   json.Unmarshal
LOW   encoding/json/encode              encodes JSON                                            MarshalJSON
LOW   env/TEMP                          tmpdir                                                  TEMP
                                                                                                getenv
LOW   env/TERM                          Look up or override terminal settings                   TERM
LOW   fs/directory/list                 Uses Go functions to list a directory                   .ReadDir
LOW   fs/file/read                      reads files                                             os.(*File).Read
LOW   kernel/cpu/info                   gets number of processors                               nproc
LOW   net/dns                           Uses DNS (Domain Name Service)                          CNAMEResource
                                                                                                SetEDNS0
                                                                                                dnsmessage
LOW   net/dns/txt                       Uses DNS TXT (text) records                             TXT
                                                                                                dns
LOW   net/hostname/resolve              Uses Go to resolve network hosts                        net.hostLookup
LOW   net/http/accept/encoding          Able to decode multiple forms of HTTP responses         Accept-Encoding
                                        (example: gzip)
LOW   net/http/auth                     makes HTTP requests with basic authentication           www-authenticate
LOW   net/http/request                  makes HTTP requests                                     HTTP/1.
                                                                                                Referer
                                                                                                User-Agent
LOW   net/http2                         Uses the HTTP/2 protocol                                HTTP/2
LOW   net/http_proxy                    Able to use an HTTP proxy that requires authentication  Proxy-Authorization
LOW   net/sendfile                      transfer data between file descriptors                  sendfile
LOW   net/socket/listen                 listen on a socket                                      accept
                                                                                                listen
                                                                                                socket
LOW   net/socket/local/address          get local address of connected socket                   getsockname
LOW   net/socket/peer/address           get peer address of connected socket                    getpeername
LOW   net/socket/receive                receive a message to a socket                           recv
                                                                                                socket
LOW   net/socket/send                   send a message to a socket                              send
                                                                                                socket
LOW   net/udp/receive                   Listens for UDP responses                               ReadFromUDP
LOW   net/udp/send                      Sends UDP packets                                       DialUDP
                                                                                                WriteMsgUDP
LOW   net/url                           Handles URL strings                                     RequestURI
LOW   ref/path/etc                      path reference within /etc                              /etc/hosts.localhost
                                                                                                /etc/mdns.allowunknown
                                                                                                /etc/nsswitch.confinvalid
                                                                                                /etc/resolv.confnon-
LOW   ref/path/etc/resolv.conf          accesses DNS resolver configuration                     /etc/resolv.conf
LOW   ref/site/url                      contains embedded HTTPS URLs                            https://api.gofile.io/getServerhttps
                                                                                                https://api.ipify.org/-DisableIOAVProtection-Disabl…
                                                                                                https://avatars.githubusercontent.com/u/145487845?v…
                                                                                                https://cdn.discordapp.com/avatars/executable
                                                                                                https://discord.com/api/v8/guilds/NoDefaultCurrentD…
                                                                                                https://discord.com/api/v9/users/@me/billing/paymen…
                                                                                                https://discord.com/api/v9/users/@me/guilds?with_co…
                                                                                                https://discord.com/api/v9/users/@me/relationshipsc…
                                                                                                …
LOW   ref/words/password                references a 'password'                                 EncryptedPassword string
                                                                                                SetPassword
                                                                                                UserPassword
                                                                                                ZipWithPassword
                                                                                                encryptedPassword
                                                                                                of encrypted password less than block
                                                                                                password string
                                                                                                passwordFn
                                                                                                …
LOW   secrets/private_key               References private keys                                 privateKey
MED   archives/zip                      Works with zip files                                    archive/zip
MED   combo/net/scan_tool               may scan networks                                       Probe
                                                                                                connect
                                                                                                gethostbyname
                                                                                                port
                                                                                                probe
                                                                                                scan
                                                                                                socket
                                                                                                target
                                                                                                …
MED   combo/stealer/office              office crypt archive                                    Documents
                                                                                                Encrypt
                                                                                                Upload
                                                                                                base64
                                                                                                cipher
                                                                                                csv
                                                                                                decrypt
                                                                                                docx
                                                                                                …
MED   databases/leveldb                 accesses LevelDB databases                              leveldbexec
                                                                                                leveldbhttps
MED   databases/sqlite                  accesses SQLite databases                               sqlite3
MED   exec/program                      executes external programs                              exec.(*Cmd).Run
MED   fs/permission/chown               Changes file ownership                                  Chown
MED   fs/permission/modify              modifies file permissions                               Chmod
                                                                                                chmod
MED   net/download                      download files                                          Download here
                                                                                                DownloadPage string
                                                                                                GetDownloads
                                                                                                combrowsers-tempdownloads
                                                                                                downloadPage
                                                                                                path FROM downloadsAppData
MED   net/http/cookies                  Able to access HTTP resources using cookies             Cookie
                                                                                                HTTP
MED   net/http/post                     Able to submit form content via HTTP POST               HTTP
                                                                                                POST
                                                                                                http
MED   net/ip/parse                      parses IP address (IPv4 or IPv6)                        IsLinkLocalUnicast
MED   net/mac/address                   Retrieves network MAC address                           MAC address
MED   net/upload                        Uploads files                                           Upload
MED   net/url/request                   requests resources via URL                              http.request
                                                                                                net/url
MED   net/vnc                           vnc user                                                :5900
MED   process/list                      accesses process list                                   shirou/gopsutil
MED   ref/extensions/office             References multiple Office file extensions (possible    docx
                                        exfil)                                                  ppt
                                                                                                xlsx
MED   ref/path/dev                      path reference within /dev                              /dev/stderr
                                                                                                /dev/stdinexecerrdotS
                                                                                                /dev/stdout/dev/stder
MED   ref/path/etc/hosts                references /etc/hosts                                   /etc/hosts
MED   ref/site/github_raw               github raw user                                         github.com
                                                                                                raw/main
MED   ref/site/http/dynamic             URL that is dynamically generated                       https://%s.gofile.io/uploadFilefmt
MED   ui/clipboard                      access clipboard contents                               golang.design/x/clipboard
HIGH  combo/stealer/browser             multiple browser credentials 2                          OperaGX
                                                                                                cookies.sqlite
                                                                                                moz_cookies
HIGH  combo/stealer/creds               suspected data stealer                                  Binance
                                                                                                Chrome
                                                                                                Chromium
                                                                                                Discord
                                                                                                Electrum
                                                                                                Exodus
                                                                                                Firefox
                                                                                                History
                                                                                                …
HIGH  combo/stealer/discord             gets passwords, makes HTTP requests, and uses Discord   GET
                                                                                                POST
                                                                                                Password
                                                                                                credentials
                                                                                                discordapp.com
                                                                                                https://
                                                                                                password
HIGH  exfil/discord                     Uses the Discord webhooks API                           discord.com/api/webhooks
HIGH  net/geoip                         public service for IP geolocation                       ip-api.com
HIGH  net/public_ip                     public service to discover external IP address          ipify.org
HIGH  privesc/uac_bypass                may bypass UAC (User Account Control)                   uacbypass
HIGH  ref/site/download                 References known file hosting site                      cdn.discordapp.com
HIGH  secrets/chromium_credit_cards     Gets Chromium credit card information                   Chrome
                                                                                                Chromium
                                                                                                Web Data
                                                                                                credit_cards
HIGH  secrets/chromium_master_password  Decrypts Chromium master password                       Local State
                                                                                                encrypted_key
                                                                                                os_crypt
HIGH  secrets/firefox/cookies           access Firefox cookies                                  Firefox
                                                                                                cookies.sqlite
HIGH  secrets/firefox/master_password   Decrypts Firefox master password                        Firefox
                                                                                                nssPrivate
CRIT  3P/ditekshen/exe/discordurl       Detects executables Discord URL observed in first       https://discord.com/api/webhooks/
                                        stage droppers, by ditekSHen
CRIT  3P/ditekshen/exe/rawgithub/url    Detects executables containing URLs to raw contents of  /raw/
                                        a Github gist, by ditekSHen                             https://raw.githubusercontent.com/
CRIT  3P/ditekshen/vm/evasion/          Detects executables referencing virtualization MAC      00:0c:29
      macaddrcomb                       addresses, by ditekSHen                                 00:50:56
                                                                                                08:00:27
CRIT  combo/stealer/wallet              makes HTTPS connections and references multiple         Coinbas
                                        wallets                                                 Coinomi
                                                                                                Exodus
                                                                                                Iridium
                                                                                                Metamask
                                                                                                Ronin
                                                                                                http
CRIT  malware/family/skuld              Skuld stealer: https://github.com/hackirby/skuld/blob   skuld
                                                                                                walletsinjection
CRIT  third_party/                      Detection patterns for the tool 'RDPassSpray' taken     /github.com/hackirby/wallets-injection/raw/main/ato…
      mthcht_thk_yara_rules             from the ThreatHunting-Keywords github project, by      raw.githubusercontent.com/hackirby/discord-injectio…
                                        @mthcht
------------------------------------------------------------------------------------------------------------------------------------------------------

JSON with additional details:

"third_party/mthcht_thk_yara_rules": {
    "Description": "Detection patterns for the tool 'RDPassSpray' taken from the ThreatHunting-Keywords github project",
    "MatchStrings": [
        "/github.com/hackirby/wallets-injection/raw/main/atomic.asarhttps://github.com/hackirby/wallets-injection/raw/main/exodus.as",
        "raw.githubusercontent.com/hackirby/discord-injection/main/injection.js115792089210356248762697446949407573530086143415290314195533631308867097853951115792089210356248762697446949407573529996955224135760342422259061068512044369x509: signature check attempts limit reached while verifying certificate chaincannot convert slice with length %y to array or pointer to array with length %xtls: client certificate private key of type %T does not implement crypto.Signerhttp: RoundTripper implementation (%T) returned a"
    ],
    "RiskScore": 4,
    "RiskLevel": "CRITICAL",
    "RuleAuthor": "@mthcht",
    "RuleProject": "https://github.com/mthcht/ThreatHunting-Keywords"
},
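As an added illustration of what the new RuleProject field carries (this is example code written for this page, not bincapz's own implementation), the block below parses the meta: block of a YARA rule and credits a fired third-party rule with its author and upstream project in the same JSON shape as the excerpt above. The rule text, the tool name and marker string, the `reference` meta key, and the score-to-level mapping below CRITICAL are all assumptions made for the example; only RiskScore 4 mapping to CRITICAL comes from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Behavior mirrors the field names in the JSON excerpt from the PR description.
// It is an illustrative type for this example, not bincapz's own struct.
type Behavior struct {
	Description  string   `json:"Description"`
	MatchStrings []string `json:"MatchStrings"`
	RiskScore    int      `json:"RiskScore"`
	RiskLevel    string   `json:"RiskLevel"`
	RuleAuthor   string   `json:"RuleAuthor,omitempty"`
	RuleProject  string   `json:"RuleProject,omitempty"`
}

// sampleRule is a constructed YARA rule in the style of a third-party rule;
// the tool name, marker string and "reference" key are invented for this example.
const sampleRule = `rule thk_example_tool : third_party
{
    meta:
        description = "Detection patterns for the tool 'ExampleTool' (constructed sample)"
        author = "@mthcht"
        reference = "https://github.com/mthcht/ThreatHunting-Keywords"
    strings:
        $s1 = "example-tool-marker" ascii wide
    condition:
        any of them
}`

// metaLine matches one string-valued meta entry of the form key = "value".
var metaLine = regexp.MustCompile(`^\s*(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*$`)

// parseMeta returns the string-valued entries of the rule's meta: block.
// It stops at the strings: or condition: section so $-variables are never
// mistaken for metadata.
func parseMeta(rule string) map[string]string {
	meta := map[string]string{}
	inMeta := false
	for _, line := range strings.Split(rule, "\n") {
		switch strings.TrimSpace(line) {
		case "meta:":
			inMeta = true
			continue
		case "strings:", "condition:":
			inMeta = false
			continue
		}
		if !inMeta {
			continue
		}
		if m := metaLine.FindStringSubmatch(line); m != nil {
			meta[m[1]] = m[2]
		}
	}
	return meta
}

// riskLevel maps a numeric score to a report level. Only 4 -> CRITICAL is
// taken from the page's JSON excerpt; the lower mappings are assumed.
func riskLevel(score int) string {
	switch {
	case score >= 4:
		return "CRITICAL"
	case score == 3:
		return "HIGH"
	case score == 2:
		return "MEDIUM"
	default:
		return "LOW"
	}
}

// attribute builds the report entry for a rule that fired, crediting the
// author and upstream project from the rule's meta block and de-duplicating
// the evidence strings so repeated hits show up once, as in the report table.
func attribute(rule string, matches []string, score int) Behavior {
	meta := parseMeta(rule)
	seen := map[string]bool{}
	evidence := []string{}
	for _, m := range matches {
		if !seen[m] {
			seen[m] = true
			evidence = append(evidence, m)
		}
	}
	sort.Strings(evidence)
	return Behavior{
		Description:  meta["description"],
		MatchStrings: evidence,
		RiskScore:    score,
		RiskLevel:    riskLevel(score),
		RuleAuthor:   meta["author"],
		RuleProject:  meta["reference"], // assumed meta key for the upstream project URL
	}
}

func main() {
	b := attribute(sampleRule, []string{"example-tool-marker", "example-tool-marker"}, 4)
	out, _ := json.MarshalIndent(map[string]Behavior{"third_party/thk_example_tool": b}, "", "    ")
	fmt.Println(string(out))
}
```

Keeping author and project in the rule's own metadata, rather than in a side table keyed by rule name, means a rule copied from an upstream collection stays attributable after it is renamed or moved between files, and a reader of the report can go straight to the project that owns the pattern when a match needs triage.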
vaikas commented 2 months ago

@egibs would you mind rebasing and pinging me so we can get this merged?

egibs commented 2 months ago

@vaikas done!

vaikas commented 2 months ago

Amazing! Thank you so much @.****!!!!! ❤️

On Tue, Apr 30, 2024 at 12:28 PM mthcht @.***> wrote:

@.**** commented on this pull request.

In Makefile https://github.com/chainguard-dev/bincapz/pull/160#discussion_r1585425668 :

@@ -56,3 +56,7 @@ update-yaraforge: mkdir -p out curl -sL -o out/yaraforge.zip https://github.com/YARAHQ/yara-forge/releases/latest/download/yara-forge-rules-full.zip unzip -o -j out/yaraforge.zip packages/full/yara-rules-full.yar -d rules/third_party/ + +.PHONY: update-threathunting-keywords +update-threathunting-keywords:
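Review bot: the recipe for the new `update-threathunting-keywords:` target is not visible in this quoted hunk (the header `@@ -56,3 +56,7 @@` announces four added lines, but only the blank line, `.PHONY: update-threathunting-keywords` and the bare target appear), so the step that fetches the ThreatHunting-Keywords rules cannot be reviewed from this thread. When it does fetch, please do not copy the adjacent `update-yaraforge` pattern as-is: that target pulls `releases/latest/download/yara-forge-rules-full.zip` with `curl -sL` and unpacks it into `rules/third_party/` with no integrity check, so a changed upstream release silently becomes the rule set every scanned sample is evaluated against. Pin a tagged release and verify a known digest of the archive before `unzip`, and document in the target which upstream release the vendored rules correspond to.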

Hello @egibs https://github.com/egibs @vaikas https://github.com/vaikas FYI I put the first release here https://github.com/mthcht/ThreatHunting-Keywords/releases; it will be updated every month or every two months, with more details in the next releases.


mthcht commented 2 months ago

np :) The correct page for the YARA project is https://github.com/mthcht/ThreatHunting-Keywords-yara-rules/releases