chainguard-dev / bincapz

detect malicious program behaviors
Apache License 2.0
380 stars, 24 forks

critical false positive: mthcht_thk_yara_rules (RDPassSpray) #185

Closed tstromberg closed 2 months ago

tstromberg commented 2 months ago

I was surprised to see that "/bin/ls" on my system now rates as CRITICAL:

go run . /bin/ls
/bin/ls [🚨 CRITICAL]
-------------------------------------------------------------------------------------------------
RISK  KEY                    DESCRIPTION                                          EVIDENCE       
-------------------------------------------------------------------------------------------------
LOW   env/TERM               Look up or override terminal settings                TERM           
LOW   fs/directory/traverse  traverse filesystem hierarchy                        _fts_children  
                                                                                  _fts_close     
                                                                                  _fts_open      
                                                                                  _fts_read      
                                                                                  _fts_set       
LOW   fs/link/read           read value of a symbolic link                        readlink       
CRIT  third_party/           Detection patterns for the tool 'RDPassSpray' taken  D              
      mthcht_thk_yara_rules  from the ThreatHunting-Keywords github project, by   d              
                             @mthcht                                                             
-------------------------------------------------------------------------------------------------

The rule isn't great: we should either blacklist it, or automatically ignore results from rules that rely on single-byte evidence.
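
The two mitigations proposed above (a rule denylist, or automatically discarding hits whose evidence is only single-byte strings), as an added example in Go that is not bincapz's own code. It assumes a simplified Match type and a hypothetical FilterConfig; the sample matches are constructed to mirror the /bin/ls report in this issue.

```go
package main

import (
	"fmt"
	"sort"
)

// Match is a hypothetical, simplified representation of one rule hit:
// the rule key and the matched strings (the EVIDENCE column above).
// It is an assumption for this example, not bincapz's own type.
type Match struct {
	Rule     string
	Evidence []string
}

// FilterConfig holds both mitigations discussed in the issue: an explicit
// denylist of rule keys and a minimum evidence length below which a match
// is not considered meaningful on its own (hypothetical, not a bincapz API).
type FilterConfig struct {
	Denylist    map[string]bool
	MinEvidence int
}

// Keep reports whether a match survives filtering. A match is dropped if its
// rule is denylisted, or if every piece of evidence is shorter than
// MinEvidence bytes: a lone "D" or "d" will match almost any binary.
func (c FilterConfig) Keep(m Match) bool {
	if c.Denylist[m.Rule] {
		return false
	}
	for _, e := range m.Evidence {
		if len(e) >= c.MinEvidence {
			return true
		}
	}
	return false
}

// Filter returns the matches that survive the config, preserving order.
func (c FilterConfig) Filter(ms []Match) []Match {
	out := make([]Match, 0, len(ms))
	for _, m := range ms {
		if c.Keep(m) {
			out = append(out, m)
		}
	}
	return out
}

// DroppedRules lists the distinct rule keys removed by the filter, sorted,
// so a reviewer can see which rules are being suppressed and why.
func (c FilterConfig) DroppedRules(ms []Match) []string {
	seen := map[string]bool{}
	for _, m := range ms {
		if !c.Keep(m) {
			seen[m.Rule] = true
		}
	}
	names := make([]string, 0, len(seen))
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// sampleMatches is constructed to mirror the /bin/ls report in the issue:
// three plausible low-risk hits plus the RDPassSpray rule matching "D" and "d".
var sampleMatches = []Match{
	{Rule: "env/TERM", Evidence: []string{"TERM"}},
	{Rule: "fs/directory/traverse", Evidence: []string{"_fts_children", "_fts_close", "_fts_open", "_fts_read", "_fts_set"}},
	{Rule: "fs/link/read", Evidence: []string{"readlink"}},
	{Rule: "third_party/mthcht_thk_yara_rules", Evidence: []string{"D", "d"}},
}

func main() {
	// Requiring at least 2 bytes of evidence is enough to drop the "D"/"d" hit
	// while leaving every real hit in the report untouched.
	cfg := FilterConfig{Denylist: map[string]bool{}, MinEvidence: 2}
	for _, m := range cfg.Filter(sampleMatches) {
		fmt.Printf("%-35s %v\n", m.Rule, m.Evidence)
	}
	fmt.Println("dropped:", cfg.DroppedRules(sampleMatches))
}
```

The length threshold is deliberately applied per match rather than per rule: a rule that declares one short string alongside longer ones still counts as a hit when a longer string matched, so only hits whose entire evidence is near-content-free are suppressed. The denylist remains the right tool for a rule whose patterns are known to be broken.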

tstromberg commented 2 months ago

I'm working on a PR that filters out this rule.

tstromberg commented 2 months ago

fixed in #169

mthcht commented 2 months ago

@tstromberg sorry this is an error, the string "d" is not a detection pattern, probably something overwritten by mistake. It'll be removed in the next release.