chainguard-dev / bincapz

detect malicious program behaviors
Apache License 2.0

Tweak password_finder_mimipenguin rule #303

Closed egibs closed 1 day ago

egibs commented 3 days ago

Closes: #273

There are a lot of Finder and Password strings in /usr/bin/coredns.

This PR adds additional strings (sourced from here) and tweaks the conditions to hopefully avoid false positives.

Before:

/bincapz # go run . --min-risk 3 /usr/bin/coredns
/usr/bin/coredns [🚨 CRITICAL]
---------------------------------------------------------------------------------------------------
RISK  KEY                          DESCRIPTION                                      EVIDENCE
---------------------------------------------------------------------------------------------------
HIGH  combo/backdoor/payload       load agent with payload                          loadAgent
                                                                                    payload
HIGH  combo/stealer/linux_server   linux server stealer                             .bash_history
                                                                                    .ssh/id_rsa
HIGH  device/hardware/enumeration  linux dmidecode hardware profiler                dmidecode
HIGH  secrets/bash_history         access .bash_history file                        .bash_history
HIGH  shell/bash_dev_tcp           uses /dev/tcp for network access (bash)          /dev/tcp
HIGH  shell/bash_dev_udp           uses /dev/udp for network access (bash)          /dev/udp
HIGH  shell/nohup                  Runs command that is protected from termination  nohup
CRIT  combo/stealer/password       Password finder/dumper, such as MimiPenguin      /etc/shadow
                                                                                    Finder
                                                                                    apache2.conf
                                                                                    password
                                                                                    sshd_config
                                                                                    vsftpd
---------------------------------------------------------------------------------------------------

After:

/bincapz # go run . --min-risk 3 /usr/bin/coredns
/usr/bin/coredns [🚨 CRITICAL]
---------------------------------------------------------------------------------------------------
RISK  KEY                          DESCRIPTION                                      EVIDENCE
---------------------------------------------------------------------------------------------------
HIGH  combo/backdoor/payload       load agent with payload                          loadAgent
                                                                                    payload
HIGH  combo/stealer/linux_server   linux server stealer                             .bash_history
                                                                                    .ssh/id_rsa
HIGH  device/hardware/enumeration  linux dmidecode hardware profiler                dmidecode
HIGH  secrets/bash_history         access .bash_history file                        .bash_history
HIGH  shell/bash_dev_tcp           uses /dev/tcp for network access (bash)          /dev/tcp
HIGH  shell/bash_dev_udp           uses /dev/udp for network access (bash)          /dev/udp
HIGH  shell/nohup                  Runs command that is protected from termination  nohup
---------------------------------------------------------------------------------------------------

@tstromberg -- do you think the password string(s) still need to be tweaked a bit?

egibs commented 2 days ago

With the addition of https://github.com/chainguard-dev/bincapz/pull/304, I'll remove the duplicate additions and go back to the original strings.

egibs commented 2 days ago

With the addition of #304, I'll remove the duplicate additions and go back to the original strings.

Addressed in 6836394 (#303).